CN109845215A - A network security protection method and device
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
Abstract
A network security protection method and device, for avoiding the harm caused by illegal operations of a pseudo-terminal after a SIM card has been copied. The method includes: when a core network device determines that it has not saved a correspondence between the identification module of a terminal and the radio frequency fingerprint (RFF) of the terminal, it sends an RFF initial acquisition indication to a base station, the RFF initial acquisition indication carrying identification information of the terminal; the core network device receives the RFF of the terminal that the base station feeds back in response to the RFF initial acquisition indication, and saves the correspondence between the identification module of the terminal and the RFF of the terminal; when the core network device initiates authentication of the terminal, it sends an RFF acquisition indication to the base station, the RFF acquisition indication carrying the identification information of the terminal; the core network device receives the RFF acquisition information that the base station feeds back in response to the RFF acquisition indication, and determines from the RFF acquisition information whether RFF authentication of the terminal succeeds.
Description
Embodiments of the present invention relate to the field of communication technologies, and in particular to a network security protection method and device.
With the development of mobile payment and network technology, the identification of terminals is subject to higher security requirements. Existing terminal identification techniques rely on digital identifiers such as the subscriber identity module (Subscriber Identity Module, SIM) card and the device serial number; as technical capabilities such as physical attacks and side-channel attacks improve, these techniques become less reliable. An attacker may operate a pseudo-terminal to carry out financial theft or operations that endanger public security. As shown in Fig. 1, a current Long Term Evolution (LTE) network cannot distinguish a terminal from a pseudo-terminal that has an identical SIM card.
Specifically, referring to Fig. 2, the existing network authenticates a terminal as follows: the core network device (Evolved Packet Core, EPC) sends an authentication request to the user equipment (User Equipment, UE); the terminal computes a response (RES) value from the parameters in the authentication request and the parameters stored in its own SIM card, and returns it to the EPC. The EPC checks whether the expected response (XRES) value, computed from the locally stored SIM card parameters and the parameters in the authentication request, is consistent with the RES value reported by the terminal; if they are consistent, authentication succeeds.
It follows that the network's authentication of a terminal is based on the SIM card. Suppose a SIM card is copied and the copy is inserted into another terminal; call the terminal holding the original SIM card the target terminal, and the terminal holding the copied SIM card the pseudo-terminal. Because its SIM card information is identical to that of the target terminal, the pseudo-terminal can pass authentication and obtain a legitimate identity identical to that of the target terminal. After accessing the network, the pseudo-terminal can perform financial operations such as transfers.
Therefore, the existing network's authentication procedure for terminals cannot withstand the copying of a SIM card, and the illegal operations of the pseudo-terminal cause harm.
Summary of the invention
Embodiments of the present invention provide a network security protection method and device, for avoiding the harm caused by illegal operations of a pseudo-terminal after a SIM card has been copied.
According to a first aspect, a network security protection method is provided, including: a core network device sends a radio frequency fingerprint (RFF) initial acquisition indication to a base station, the RFF initial acquisition indication carrying identification information of a terminal; the core network device then receives the RFF of the terminal that the base station feeds back in response to the RFF initial acquisition indication, and saves the correspondence between the identification module of the terminal and the RFF of the terminal. In this way the RFF of a terminal entering the network for the first time is obtained. Later, when the core network device initiates authentication of the terminal, it sends an RFF acquisition indication to the base station, the RFF acquisition indication carrying the identification information of the terminal; it then receives the RFF acquisition information that the base station feeds back in response to the RFF acquisition indication, and determines from the RFF acquisition information whether RFF authentication of the terminal succeeds. The saved RFF is compared with the newly acquired RFF to decide whether RFF authentication of the terminal succeeds, which prevents a pseudo-terminal from successfully accessing the network after a SIM card has been copied and harming the user through illegal operations. In the prior art, the network only checks whether the SIM is legitimate and does not perceive the physical-layer attributes of the terminal; the method provided in the embodiments of the present invention adds extraction and analysis of the terminal's radio frequency fingerprint to the terminal authentication procedure. Because authentication of a physical-layer characteristic of the terminal is added, a genuine terminal can be distinguished from a pseudo-terminal, which remedies the deficiency of current schemes and significantly improves the network side's ability to protect terminals.
In a possible implementation, the identification module is a subscriber identity module (SIM) or a universal subscriber identity module (USIM). The method provided in the embodiments of the present invention is therefore not limited to a particular type of identification module, which may also be a possible future identification module.
In a possible implementation, the RFF acquisition indication also carries the RFF of the terminal corresponding to the identification module. In this case, the core network device receiving the RFF acquisition information fed back by the base station and determining from it whether RFF authentication of the terminal succeeds includes: the core network device receives the RFF acquisition information that the base station feeds back in response to the RFF acquisition indication, the RFF acquisition information carrying RFF comparison information, where the RFF comparison information is generated by the base station from the RFF acquired by the base station and the RFF carried in the RFF acquisition indication. That is, the base station compares the saved RFF with the newly acquired RFF and feeds the comparison result back to the core network device. If the RFF comparison information indicates that the RFF acquired by the base station is consistent with the RFF carried in the RFF acquisition indication, the core network device determines that RFF authentication of the terminal succeeds; otherwise, it determines that RFF authentication of the terminal fails.
In a possible implementation, the core network device receiving the RFF acquisition information that the base station feeds back in response to the RFF acquisition indication, and determining from it whether RFF authentication of the terminal succeeds, includes: the core network device receives the RFF acquisition information fed back by the base station, the RFF acquisition information carrying the RFF acquired by the base station, where the RFF acquired by the base station is the RFF of the terminal corresponding to the identification information carried in the RFF acquisition indication; the core network device determines whether the RFF acquired by the base station is consistent with the stored RFF of the terminal corresponding to the identification module; if they are consistent, it determines that RFF authentication of the terminal succeeds; otherwise, it determines that RFF authentication of the terminal fails. The method provided in the embodiments of the present invention therefore offers several ways of comparing the saved RFF with the newly acquired RFF.
In a possible implementation, the method further includes: when the core network device determines that RFF authentication of the terminal has failed, it starts user identity verification of the terminal; when the core network device determines that the user identity verification result of the terminal is a pass, it sends an RFF initial acquisition indication to the base station, the RFF initial acquisition indication carrying the identification information of the terminal; the core network device receives the RFF of the terminal that the base station feeds back in response to the RFF initial acquisition indication, and updates the correspondence between the identification module of the terminal and the RFF of the terminal. Thus, when RFF authentication fails, the method provided in the embodiments of the present invention takes into account that the user may have changed phones: it performs the user identity verification procedure and, if verification passes, re-acquires the RFF of the terminal that currently holds the identification module.
It should be understood that when the core network device determines that RFF authentication of the terminal has failed, this shows that the terminal is not entering the network for the first time. The user may have installed the original identification module or a newly reissued identification module in another terminal, or an illegally copied identification module may have been installed in another terminal, so a scenario in which a pseudo-terminal is about to perform illegal operations may have arisen.
If the user identity verification result of the terminal is a pass, this shows that the original identification module or a newly reissued identification module has been installed in another terminal, rather than an illegally copied identification module. Because the identification module is no longer in the original terminal and has been installed in a new terminal, the binding relationship between the original terminal and the identification module needs to be released; RFF authentication cannot pass, and the correspondence between the identification module of the terminal and the RFF of the terminal needs to be updated at this point, to establish the binding relationship between the identification module and the new terminal.
If the user identity verification result of the terminal is a failure, this shows that an illegally copied identification module has been installed in another terminal, and RFF authentication cannot pass. In this case, the core network device refuses to provide further service to the terminal, which avoids the harm caused by illegal operations of a terminal after the identification module has been illegally copied, and improves the network side's ability to protect terminals.
According to a second aspect, a network security protection method includes: a base station receives an RFF initial acquisition indication sent by the core network device, the RFF initial acquisition indication carrying identification information of a terminal; the base station acquires, according to the identification information of the terminal, the RFF of the terminal corresponding to the identification information, and feeds the acquired RFF back to the core network device, so that the core network device saves the correspondence between the identification module of the terminal and the RFF of the terminal; the base station receives an RFF acquisition indication sent by the core network device, the RFF acquisition indication carrying the identification information of the terminal; the base station acquires, according to the identification information of the terminal, the RFF of the terminal corresponding to the identification information; the base station generates RFF acquisition information from the acquired RFF and feeds it back to the core network device, so that the core network device determines from the RFF acquisition information whether RFF authentication of the terminal succeeds. Thus, the base station carries out the RFF initial acquisition indication sent by the core network device, so that the core network device saves the correspondence between the identification module of the terminal and the RFF of the terminal, and the base station subsequently carries out the RFF acquisition indication, so that the core network device determines whether the RFF acquired this time is consistent with the stored RFF and thereby performs RFF authentication of the terminal.
In a possible implementation, the RFF acquisition indication also carries the RFF of the terminal corresponding to the identification module; the base station generating RFF acquisition information from the acquired RFF includes: the base station generates RFF comparison information from the acquired RFF and the RFF carried in the RFF acquisition indication, and uses it as the RFF acquisition information.
In a possible implementation, the identification module is a subscriber identity module (SIM) or a universal subscriber identity module (USIM).
In a possible implementation, the base station generating RFF acquisition information from the acquired RFF includes: the base station uses the acquired RFF as the RFF acquisition information. The base station can therefore feed RFF acquisition information back to the core network device in several ways.
According to a third aspect, a network security protection device includes a transceiver and a processor coupled to the transceiver. The processor is configured to: send, through the transceiver, a radio frequency fingerprint (RFF) initial acquisition indication to a base station, the RFF initial acquisition indication carrying identification information of a terminal; receive, through the transceiver, the RFF of the terminal that the base station feeds back in response to the RFF initial acquisition indication, and save the correspondence between the identification module of the terminal and the RFF of the terminal; when initiating authentication of the terminal, send, through the transceiver, an RFF acquisition indication to the base station, the RFF acquisition indication carrying the identification information of the terminal; and receive the RFF acquisition information that the base station feeds back in response to the RFF acquisition indication, and determine from the RFF acquisition information whether RFF authentication of the terminal succeeds.
In a possible implementation, the identification module is a subscriber identity module (SIM) or a universal subscriber identity module (USIM).
In a possible implementation, the RFF acquisition indication also carries the RFF of the terminal corresponding to the identification module. The processor is specifically configured to: when receiving, through the transceiver, the RFF acquisition information fed back by the base station and determining from it whether RFF authentication of the terminal succeeds, receive, through the transceiver, the RFF acquisition information that the base station feeds back in response to the RFF acquisition indication, the RFF acquisition information carrying RFF comparison information, where the RFF comparison information is generated by the base station from the RFF acquired by the base station and the RFF carried in the RFF acquisition indication; if the RFF comparison information indicates that the RFF acquired by the base station is consistent with the RFF carried in the RFF acquisition indication, determine that RFF authentication of the terminal succeeds; otherwise, determine that RFF authentication of the terminal fails.
In a possible implementation, the processor is specifically configured to: when receiving, through the transceiver, the RFF acquisition information that the base station feeds back in response to the RFF acquisition indication and determining from it whether RFF authentication of the terminal succeeds, receive, through the transceiver, the RFF acquisition information fed back by the base station, the RFF acquisition information carrying the RFF acquired by the base station, where the RFF acquired by the base station is the RFF of the terminal corresponding to the identification information carried in the RFF acquisition indication; determine whether the RFF acquired by the base station is consistent with the stored RFF of the terminal corresponding to the identification module; if they are consistent, determine that RFF authentication of the terminal succeeds; otherwise, determine that RFF authentication of the terminal fails.
In a possible implementation, the processor is further configured to: when determining that RFF authentication of the terminal has failed, start user identity verification of the terminal; when determining that the user identity verification result of the terminal is a pass, send an RFF initial acquisition indication to the base station, the RFF initial acquisition indication carrying the identification information of the terminal; and receive, through the transceiver, the RFF of the terminal that the base station feeds back in response to the RFF initial acquisition indication, and update the correspondence between the identification module of the terminal and the RFF of the terminal.
According to a fourth aspect, a network security protection device includes a transceiver and a processor coupled to the transceiver. The processor is configured to: receive, through the transceiver, an RFF initial acquisition indication sent by the core network device, the RFF initial acquisition indication carrying identification information of a terminal; acquire, according to the identification information of the terminal, the RFF of the terminal corresponding to the identification information, and feed the acquired RFF back to the core network device, so that the core network device saves the correspondence between the identification module of the terminal and the RFF of the terminal; receive, through the transceiver, an RFF acquisition indication sent by the core network device, the RFF acquisition indication carrying the identification information of the terminal; acquire, according to the identification information of the terminal, the RFF of the terminal corresponding to the identification information; and generate RFF acquisition information from the acquired RFF and feed it back to the core network device, so that the core network device determines from the RFF acquisition information whether RFF authentication of the terminal succeeds.
In a possible implementation, the RFF acquisition indication also carries the RFF of the terminal corresponding to the identification module. The processor is specifically configured to: when generating RFF acquisition information from the acquired RFF, generate RFF comparison information from the acquired RFF and the RFF carried in the RFF acquisition indication, and use it as the RFF acquisition information.
In a possible implementation, the identification module is a subscriber identity module (SIM) or a universal subscriber identity module (USIM).
In a possible implementation, the processor is specifically configured to: when generating RFF acquisition information from the acquired RFF, use the acquired RFF as the RFF acquisition information.
Fig. 1 is a schematic diagram of an attacker using a pseudo-terminal to perform illegal operations, as described in the background of the invention;
Fig. 2 is a schematic diagram of the network's authentication procedure for a terminal, as described in the background of the invention;
Fig. 3 is an overview flowchart of the network security protection method in an embodiment of the present invention;
Fig. 4 is a schematic diagram of the core network acquiring a terminal's RFF through the base station and storing the correspondence between the identification module and the RFF in an embodiment of the present invention;
Fig. 5(a) is the first schematic diagram of the core network's RFF authentication procedure for a terminal in an embodiment of the present invention;
Fig. 5(b) is the second schematic diagram of the core network's RFF authentication procedure for a terminal in an embodiment of the present invention;
Fig. 6 is the detailed flow of the RFF authentication procedure in an embodiment of the present invention;
Fig. 7 is the first structural schematic diagram of the network security protection device in an embodiment of the present invention;
Fig. 8 is the second structural schematic diagram of the network security protection device in an embodiment of the present invention.
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings in the embodiments. Evidently, the described embodiments are some rather than all of the embodiments of the present invention.
The radio frequency fingerprint (Radio Frequency Fingerprint, RFF) mentioned in the embodiments of the present invention refers to the unique radio frequency characteristics that a receiver extracts from the electromagnetic waves transmitted by wireless terminals, whether of different models or of the same model. These characteristics arise from the inherent tolerances of analog components in the terminal's radio frequency circuit, such as circuit traces, the RF power amplifier, and the antenna.
Many radio frequency fingerprint extraction algorithms exist. They can be roughly divided into algorithms that extract transient-response features (frequency hopping), algorithms that extract steady-state-response features, algorithms based on constellation trajectory diagram distortion, and so on.
As shown in Fig. 3, an embodiment of the present invention provides a network security protection method, including:
Step 300: when the core network device determines that it has not saved a correspondence between the identification module of a terminal and the radio frequency fingerprint (RFF) of the terminal, it sends an RFF initial acquisition indication to the base station, the RFF initial acquisition indication carrying identification information of the terminal.
Step 310: the base station acquires, according to the identification information of the terminal, the RFF of the terminal corresponding to the identification information.
Step 320: the base station feeds the RFF of the terminal back to the core network device in response to the RFF initial acquisition indication.
Step 330: the core network device saves the correspondence between the identification module of the terminal and the RFF of the terminal.
Specifically, for steps 300 to 330 above: when the core network device determines that it has not stored an RFF corresponding to the identification module of the terminal, this shows that the terminal is entering the network for the first time, that is, the terminal's identification module has not been used before. In this case, referring to Fig. 4, the core network device needs to send an RFF initial acquisition indication to the base station, the RFF initial acquisition indication carrying the identification information of the terminal. The base station acquires, according to the identification information of the terminal, the RFF of the terminal corresponding to the identification information, and feeds the acquired RFF back to the core network device. The core network device receives the RFF of the terminal that the base station feeds back in response to the RFF initial acquisition indication, and saves the correspondence between the identification module of the terminal and the RFF of the terminal. That is, when a terminal enters the network for the first time, the RFF of the terminal that currently holds the identification module must be acquired through the base station, to establish the binding relationship between the identification module and the terminal in which it is installed.
Optionally, the identification module is a SIM or a universal subscriber identity module (Universal Subscriber Identity Module, USIM).
Optionally, the cell identifier plus the terminal identifier may be used as the identification information of the terminal; other information that uniquely identifies the terminal may also be chosen as the identification information of the terminal, which is not specifically limited here.
Step 340: the core network device initiates authentication of the terminal.
It should be understood that the core network device's RFF authentication of the terminal may be carried out at the same time as the core network device's authentication of the terminal, or may start after the core network device has successfully authenticated the terminal.
The core network device's authentication procedure for the terminal is the same as in the prior art and is not described again here.
Step 350: the core network device sends an RFF acquisition indication to the base station, the RFF acquisition indication carrying the identification information of the terminal.
Specifically, the core network device has already stored the correspondence between the identification module of the terminal and the RFF of the terminal, which shows that the terminal is not entering the network for the first time, that is, the terminal's identification module has been used before: the RFF of the terminal corresponding to the identification module was acquired through the base station, and the correspondence between the identification module of the terminal and the RFF was stored in the core network device. Because the RFF of each terminal is unique, the identification module and the terminal in which it is installed have a binding relationship. The core network device uses this binding relationship: it acquires the terminal's RFF again through the base station to determine whether the original binding relationship still holds, and thereby analyzes whether the current terminal is a pseudo-terminal.
Step 360: the base station acquires, according to the identification information of the terminal, the RFF of the terminal corresponding to the identification information.
Specifically, while communicating with the base station, the terminal sends uplink signals to the base station; the base station can obtain the RFF from these uplink signals using a radio frequency fingerprint extraction algorithm.
Step 370: the base station generates RFF acquisition information from the acquired RFF and feeds it back to the core network device.
Referring to Fig. 5(a) and Fig. 5(b), when performing step 370 the base station may generate the RFF acquisition information in, but is not limited to, the following two ways:
First way: when the RFF acquisition indication also carries the RFF of the terminal corresponding to the identification module, the base station generates RFF comparison information from the acquired RFF and the RFF carried in the RFF acquisition indication, and uses it as the RFF acquisition information.
Second way: the base station uses the acquired RFF directly as the RFF acquisition information.
Step 380: the core network device receives the RFF acquisition information that the base station feeds back in response to the RFF acquisition indication, and determines from the RFF acquisition information whether RFF authentication of the terminal succeeds.
Referring to Fig. 5(a) and Fig. 5(b), corresponding to step 370, the core network device may perform step 380 in, but is not limited to, the following two ways:
First way: when the RFF acquisition indication also carries the RFF of the terminal corresponding to the identification module, the core network device receives the RFF acquisition information that the base station feeds back in response to the RFF acquisition indication; the RFF acquisition information carries RFF comparison information, which the base station generates from the RFF acquired by the base station and the RFF carried in the RFF acquisition indication.
If the RFF comparison information indicates that the RFF acquired by the base station is consistent with the RFF carried in the RFF acquisition indication, the core network device determines that RFF authentication of the terminal succeeds; otherwise, it determines that RFF authentication of the terminal fails.
Second way: the core network device receives the RFF acquisition information fed back by the base station; the RFF acquisition information carries the RFF acquired by the base station, where the RFF acquired by the base station is the RFF of the terminal corresponding to the identification information carried in the RFF acquisition indication.
The core network device determines whether the RFF acquired by the base station is consistent with the stored RFF corresponding to the identification module; if they are consistent, it determines that RFF authentication of the terminal succeeds; otherwise, it determines that RFF authentication of the terminal fails.
In addition, after step 340 is performed, when the core network device determines that RFF authentication of the terminal has failed, it starts user identity verification of the terminal.
It should be understood that the user identity verification procedure for the terminal may be an existing procedure. For example, the current terminal user is verified against information the terminal user reserved earlier; the reserved information may be answers to preset questions, for example the name of the user's primary school or the user's favorite fruit. This application does not specifically limit the user identity verification procedure.
When the core network device determines that the user identity verification result of the terminal is a pass, it sends an RFF initial acquisition indication to the base station, the RFF initial acquisition indication carrying the identification information of the terminal. The base station acquires, according to the identification information of the terminal, the RFF of the terminal corresponding to the identification information, and feeds the acquired RFF back to the core network device. The core network device receives the RFF of the terminal that the base station feeds back in response to the RFF initial acquisition indication, and updates the correspondence between the identification module of the terminal and the RFF of the terminal. This is the same as the procedure shown in Fig. 4.
It should be understood that when the core network device determines that RFF authentication of the terminal has failed, this shows that the terminal is not entering the network for the first time. The user may have installed the original identification module or a newly reissued identification module in another terminal, or an illegally copied identification module may have been installed in another terminal, so a scenario in which a pseudo-terminal is about to perform illegal operations may have arisen.
If the user identity verification result of the terminal is a pass, this shows that the original identification module or a newly reissued identification module has been installed in another terminal, rather than an illegally copied identification module. Because the identification module is no longer in the original terminal and has been installed in a new terminal, the binding relationship between the original terminal and the identification module needs to be released; RFF authentication cannot pass, and the correspondence between the identification module of the terminal and the RFF of the terminal needs to be updated at this point, to establish the binding relationship between the identification module and the new terminal.
If the user identity verification result of the terminal is a failure, this shows that an illegally copied identification module has been installed in another terminal, and RFF authentication cannot pass. In this case, the core network device refuses to provide further service to the terminal, which avoids the harm caused by illegal operations of a terminal after the identification module has been illegally copied, and improves the network side's ability to protect terminals.
As shown in Fig. 6, the detailed RFF authentication process is as follows:
S601: The EPC starts the authentication procedure for the UE.
S602: The EPC judges whether the UE is accessing the network for the first time.
The EPC makes this judgment by checking whether it has stored an RFF of the UE corresponding to the UE's SIM. If the UE is not accessing the network for the first time, S603 is executed; otherwise, S608 is executed.
S603: The EPC sends an RFF acquisition instruction to the eNB.
The RFF acquisition instruction carries the identification information of the UE, which includes the identifier of the UE and the identifier of the cell where the UE is located.
S604: The eNB collects the RFF according to the RFF acquisition instruction sent by the EPC, generates RFF acquisition information, and feeds it back to the EPC.
Specifically, according to the RFF acquisition instruction sent by the EPC, the eNB collects the RFF of the UE corresponding to the identification information and feeds the collected RFF back to the EPC as the RFF acquisition information.
S605: The EPC judges, according to the RFF acquisition information, whether RFF authentication of the UE succeeds.
If so, S606 is executed; otherwise, S607 is executed.
S606: After the authentication procedure for the UE succeeds, the EPC continues to provide service for the UE, and the process ends.
S607: The EPC starts the user identity identification process for the UE and judges whether the user identity identification result is a pass. If so, S608 is executed; otherwise, S611 is executed.
For example, the EPC sends a reserved question to the UE and receives the answer to the reserved question replied by the UE. When the stored answer to the reserved question is consistent with the answer replied by the UE, the EPC determines that the user identity identification result is a pass; when the two are inconsistent, the EPC determines that the user identity identification result is a failure.
S608: The EPC sends an RFF initial acquisition instruction to the eNB.
The RFF initial acquisition instruction carries the identification information of the UE.
S609: The eNB collects the RFF according to the RFF initial acquisition instruction and reports it to the EPC.
S610: The EPC receives the RFF fed back by the eNB and stores the correspondence between the SIM and the RFF collected by the eNB, and the process ends.
S611: The EPC determines that RFF authentication of the UE has not passed and refuses to provide subsequent service for the UE, and the process ends.
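The S601 to S611 flow above, modelled from the EPC's side as an added example (it is not code from the patent). The class and function names, the three-element RFF vectors, the Euclidean-distance threshold standing in for "consistent", and the sample SIM, UE and cell values are all assumptions constructed for illustration.

```python
import hmac
import math
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Sequence, Tuple

RFF = Tuple[float, ...]
UeKey = Tuple[str, str]  # (UE identifier, cell identifier) carried in the instruction

# Assumption: the page only says the two RFFs must be "consistent". Euclidean
# distance under a fixed threshold stands in for that comparison here.
MATCH_THRESHOLD = 0.05


def rff_consistent(collected: Sequence[float], stored: Sequence[float]) -> bool:
    """Return True when a freshly collected RFF matches the stored one."""
    return len(collected) == len(stored) and math.dist(collected, stored) <= MATCH_THRESHOLD


@dataclass
class ENB:
    """Base station stub: reports the RFF it measures for a given UE and cell."""
    measurements: Dict[UeKey, RFF]

    def collect_rff(self, ue_id: str, cell_id: str) -> RFF:
        return self.measurements[(ue_id, cell_id)]


@dataclass
class EPC:
    """Core network side of the flow, holding the SIM -> RFF correspondence."""
    enb: ENB
    reserved_answers: Dict[str, str]  # SIM id -> answer to the reserved question
    bindings: Dict[str, RFF] = field(default_factory=dict)
    audit: List[Tuple[str, str, str]] = field(default_factory=list)

    def _initial_acquisition(self, sim_id: str, ue_id: str, cell_id: str) -> None:
        # S608-S610: the eNB collects the RFF, the EPC stores or overwrites the binding.
        self.bindings[sim_id] = self.enb.collect_rff(ue_id, cell_id)

    def _identity_ok(self, sim_id: str, answer: str) -> bool:
        # S607: compare the reply with the stored answer in constant time.
        expected = self.reserved_answers.get(sim_id)
        return expected is not None and hmac.compare_digest(
            expected.encode(), answer.encode())

    def authenticate(self, sim_id: str, ue_id: str, cell_id: str,
                     ask_user: Callable[[], str]) -> str:
        if sim_id not in self.bindings:                           # S602: first access
            self._initial_acquisition(sim_id, ue_id, cell_id)
            result = "ENROLLED"
        else:
            collected = self.enb.collect_rff(ue_id, cell_id)      # S603-S604
            if rff_consistent(collected, self.bindings[sim_id]):  # S605
                result = "RFF_OK"                                 # S606
            elif self._identity_ok(sim_id, ask_user()):           # S607, asked only on mismatch
                self._initial_acquisition(sim_id, ue_id, cell_id)
                result = "REBOUND"
            else:
                result = "REJECTED"                               # S611
        self.audit.append((sim_id, ue_id, result))
        return result


def run_scenarios() -> Tuple[List[str], RFF]:
    """Drive four constructed attempts against one SIM and return the outcomes."""
    enb = ENB({
        ("ue-A", "cell-1"): (0.120, -0.340, 0.910),   # subscriber's original phone
        ("ue-B", "cell-1"): (0.480, 0.150, 0.620),    # subscriber's replacement phone
        ("ue-C", "cell-7"): (-0.300, 0.700, 0.200),   # terminal holding a copied SIM
    })
    epc = EPC(enb, reserved_answers={"sim-001": "Riverside Primary"})
    outcomes = [epc.authenticate("sim-001", "ue-A", "cell-1", lambda: "")]
    # Same phone again; the measurement noise stays inside the threshold.
    enb.measurements[("ue-A", "cell-1")] = (0.125, -0.338, 0.905)
    outcomes.append(epc.authenticate("sim-001", "ue-A", "cell-1", lambda: ""))
    # SIM moved to a new phone: RFF mismatch, correct answer, binding is replaced.
    outcomes.append(epc.authenticate("sim-001", "ue-B", "cell-1", lambda: "Riverside Primary"))
    # Copied SIM in another terminal: RFF mismatch and wrong answer, service refused.
    outcomes.append(epc.authenticate("sim-001", "ue-C", "cell-7", lambda: "unknown"))
    return outcomes, epc.bindings["sim-001"]


if __name__ == "__main__":
    print(run_scenarios())
```

After the rebinding step the stored RFF belongs to the replacement phone, so the original phone would itself fail S605 on its next attempt, which matches the release of the old binding described above.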
As shown in Fig. 7, an embodiment of the present invention provides a network security protection device, for example a core network device, comprising a transceiver 701 and a processor 702 coupled to the transceiver.
The processor 702 is configured to: send, through the transceiver, a radio-frequency fingerprint (RFF) initial acquisition instruction to a base station, the RFF initial acquisition instruction carrying identification information of a terminal; receive, through the transceiver, the RFF of the terminal fed back by the base station according to the RFF initial acquisition instruction, and save the correspondence between the identification module of the terminal and the RFF of the terminal; when authentication of the terminal is initiated, send, through the transceiver, an RFF acquisition instruction to the base station, the RFF acquisition instruction carrying the identification information of the terminal; and receive RFF acquisition information fed back by the base station according to the RFF acquisition instruction, and judge, according to the RFF acquisition information, whether RFF authentication of the terminal succeeds.
In one possible implementation, the identification module is a subscriber identity module (SIM) or a universal subscriber identity module (USIM).
In one possible implementation, the RFF acquisition instruction also carries the RFF of the terminal corresponding to the identification module.
The processor 702 is specifically configured to: when receiving, through the transceiver, the RFF acquisition information fed back by the base station and judging according to the RFF acquisition information whether RFF authentication of the terminal succeeds, receive, through the transceiver, the RFF acquisition information fed back by the base station according to the RFF acquisition instruction, where the RFF acquisition information carries RFF comparison information, and the RFF comparison information is generated by the base station from the RFF collected by the base station and the RFF carried in the RFF acquisition instruction; and, if the RFF comparison information indicates that the RFF collected by the base station is consistent with the RFF carried in the RFF acquisition instruction, determine that RFF authentication of the terminal has succeeded, and otherwise determine that RFF authentication of the terminal has failed.
In one possible implementation, the processor 702 is specifically configured to: when receiving, through the transceiver, the RFF acquisition information fed back by the base station according to the RFF acquisition instruction and judging according to the RFF acquisition information whether RFF authentication of the terminal succeeds, receive, through the transceiver, the RFF acquisition information fed back by the base station, where the RFF acquisition information carries the RFF collected by the base station, and the RFF collected by the base station is the RFF of the terminal corresponding to the identification information of the terminal carried in the RFF acquisition instruction; and judge whether the RFF collected by the base station is consistent with the stored RFF of the terminal corresponding to the identification module, and if they are consistent, determine that RFF authentication of the terminal has succeeded, and otherwise determine that RFF authentication of the terminal has failed.
In one possible implementation, the processor 702 is further configured to: when determining that RFF authentication of the terminal has failed, start user identity identification for the terminal; when determining that the user identity identification result of the terminal is a pass, send an RFF initial acquisition instruction to the base station, the RFF initial acquisition instruction carrying the identification information of the terminal; and receive, through the transceiver, the RFF of the terminal fed back by the base station according to the RFF initial acquisition instruction, and update the correspondence between the identification module of the terminal and the RFF of the terminal.
As shown in Fig. 8, an embodiment of the present invention provides a network security protection device, for example a base station, comprising a transceiver 801 and a processor 802 coupled to the transceiver.
The processor 802 is configured to: receive, through the transceiver, an RFF initial acquisition instruction sent by the core network device, the RFF initial acquisition instruction carrying identification information of a terminal; collect, according to the identification information of the terminal, the RFF of the terminal corresponding to the identification information, and feed the collected RFF back to the core network device, so that the core network device saves the correspondence between the identification module of the terminal and the RFF of the terminal; receive, through the transceiver, an RFF acquisition instruction sent by the core network device, the RFF acquisition instruction carrying the identification information of the terminal; collect, according to the identification information of the terminal, the RFF of the terminal corresponding to the identification information; and generate RFF acquisition information from the collected RFF and feed it back to the core network device, so that the core network device judges, according to the RFF acquisition information, whether RFF authentication of the terminal succeeds.
In one possible implementation, the RFF acquisition instruction also carries the RFF of the terminal corresponding to the identification module.
The processor 802 is specifically configured to: when generating the RFF acquisition information from the collected RFF, generate RFF comparison information from the collected RFF and the RFF carried in the RFF acquisition instruction, and use the RFF comparison information as the RFF acquisition information.
In one possible implementation, the identification module is a subscriber identity module (SIM) or a universal subscriber identity module (USIM).
In one possible implementation, the processor 802 is specifically configured to: when generating the RFF acquisition information from the collected RFF, use the collected RFF as the RFF acquisition information.
In summary, compared with the prior art, in which the network only identifies whether the SIM is legitimate and does not perceive the physical-layer attributes of the terminal, the method provided by the embodiments of the present invention adds extraction of the terminal's radio-frequency fingerprint, and authentication based on analysing it, to the terminal authentication procedure. Because authentication of the terminal's physical-layer characteristics is added, a genuine terminal can be distinguished from a pseudo-terminal, so the shortcomings of current schemes can be overcome and the network side's ability to protect terminals is significantly improved.
A person of ordinary skill in the art will appreciate that the methods of the above embodiments may be implemented by a program instructing a processor. The program may be stored in a computer-readable storage medium, which is a non-transitory medium such as random access memory, read-only memory, flash memory, a hard disk, a solid-state drive, magnetic tape, a floppy disk, an optical disc, or any combination thereof.
The present invention is described with reference to flowcharts and block diagrams of the method and device according to embodiments of the present invention. It should be understood that each process and block in the flowcharts and block diagrams, and combinations of processes and blocks in the flowcharts and block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor, or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more processes of the flowcharts and one or more blocks of the block diagrams.
The foregoing is merely a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any change or substitution that a person skilled in the art could readily conceive of within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be subject to the scope of protection of the claims.
Claims (18)
1. A network security protection method, characterized by comprising:
   when a core network device determines that it has not saved a correspondence between an identification module of a terminal and a radio-frequency fingerprint (RFF) of the terminal, sending an RFF initial acquisition instruction to a base station, the RFF initial acquisition instruction carrying identification information of the terminal;
   receiving, by the core network device, the RFF of the terminal fed back by the base station according to the RFF initial acquisition instruction, and saving the correspondence between the identification module of the terminal and the RFF of the terminal;
   when the core network device initiates authentication of the terminal, sending, by the core network device, an RFF acquisition instruction to the base station, the RFF acquisition instruction carrying the identification information of the terminal; and
   receiving, by the core network device, RFF acquisition information fed back by the base station according to the RFF acquisition instruction, and judging, according to the RFF acquisition information, whether RFF authentication of the terminal succeeds.
2. The method according to claim 1, characterized in that the identification module is a subscriber identity module (SIM) or a universal subscriber identity module (USIM).
3. The method according to claim 1 or 2, characterized in that the RFF acquisition instruction also carries the RFF of the terminal corresponding to the identification module;
   and the core network device receiving the RFF acquisition information fed back by the base station and judging, according to the RFF acquisition information, whether RFF authentication of the terminal succeeds comprises:
   receiving, by the core network device, the RFF acquisition information fed back by the base station according to the RFF acquisition instruction, where the RFF acquisition information carries RFF comparison information, and the RFF comparison information is generated by the base station from the RFF collected by the base station and the RFF carried in the RFF acquisition instruction; and
   if the RFF comparison information indicates that the RFF collected by the base station is consistent with the RFF carried in the RFF acquisition instruction, determining, by the core network device, that RFF authentication of the terminal has succeeded, and otherwise determining that RFF authentication of the terminal has failed.
4. The method according to claim 1 or 2, characterized in that the core network device receiving the RFF acquisition information fed back by the base station according to the RFF acquisition instruction and judging, according to the RFF acquisition information, whether RFF authentication of the terminal succeeds comprises:
   receiving, by the core network device, the RFF acquisition information fed back by the base station, where the RFF acquisition information carries the RFF collected by the base station, and the RFF collected by the base station is the RFF of the terminal corresponding to the identification information of the terminal carried in the RFF acquisition instruction; and
   judging, by the core network device, whether the RFF collected by the base station is consistent with the stored RFF of the terminal corresponding to the identification module, and if they are consistent, determining that RFF authentication of the terminal has succeeded, and otherwise determining that RFF authentication of the terminal has failed.
5. The method according to claim 3 or 4, characterized by further comprising:
   when the core network device determines that RFF authentication of the terminal has failed, starting user identity identification for the terminal;
   when the core network device determines that the user identity identification result of the terminal is a pass, sending an RFF initial acquisition instruction to the base station, the RFF initial acquisition instruction carrying the identification information of the terminal; and
   receiving, by the core network device, the RFF of the terminal fed back by the base station according to the RFF initial acquisition instruction, and updating the correspondence between the identification module of the terminal and the RFF of the terminal.
6. A network security protection method, characterized by comprising:
   receiving, by a base station, an RFF initial acquisition instruction sent by the core network device, the RFF initial acquisition instruction carrying identification information of a terminal;
   collecting, by the base station according to the identification information of the terminal, the RFF of the terminal corresponding to the identification information, and feeding the collected RFF back to the core network device, so that the core network device saves the correspondence between the identification module of the terminal and the RFF of the terminal;
   receiving, by the base station, an RFF acquisition instruction sent by the core network device, the RFF acquisition instruction carrying the identification information of the terminal;
   collecting, by the base station according to the identification information of the terminal, the RFF of the terminal corresponding to the identification information; and
   generating, by the base station, RFF acquisition information from the collected RFF and feeding it back to the core network device, so that the core network device judges, according to the RFF acquisition information, whether RFF authentication of the terminal succeeds.
7. The method according to claim 6, characterized in that the RFF acquisition instruction also carries the RFF of the terminal corresponding to the identification module;
   and the base station generating the RFF acquisition information from the collected RFF comprises:
   generating, by the base station, RFF comparison information from the collected RFF and the RFF carried in the RFF acquisition instruction, and using the RFF comparison information as the RFF acquisition information.
8. The method according to claim 7, characterized in that the identification module is a subscriber identity module (SIM) or a universal subscriber identity module (USIM).
9. The method according to claim 6, characterized in that the base station generating the RFF acquisition information from the collected RFF comprises:
   using, by the base station, the collected RFF as the RFF acquisition information.
10. A network security protection device, characterized by comprising a transceiver and a processor coupled to the transceiver;
   the processor being configured to:
   send, through the transceiver, a radio-frequency fingerprint (RFF) initial acquisition instruction to a base station, the RFF initial acquisition instruction carrying identification information of a terminal;
   receive, through the transceiver, the RFF of the terminal fed back by the base station according to the RFF initial acquisition instruction, and save the correspondence between the identification module of the terminal and the RFF of the terminal;
   when authentication of the terminal is initiated, send, through the transceiver, an RFF acquisition instruction to the base station, the RFF acquisition instruction carrying the identification information of the terminal; and
   receive RFF acquisition information fed back by the base station according to the RFF acquisition instruction, and judge, according to the RFF acquisition information, whether RFF authentication of the terminal succeeds.
11. The device according to claim 10, characterized in that the identification module is a subscriber identity module (SIM) or a universal subscriber identity module (USIM).
12. The device according to claim 10 or 11, characterized in that the RFF acquisition instruction also carries the RFF of the terminal corresponding to the identification module;
   the processor being specifically configured to:
   when receiving, through the transceiver, the RFF acquisition information fed back by the base station and judging according to the RFF acquisition information whether RFF authentication of the terminal succeeds, receive, through the transceiver, the RFF acquisition information fed back by the base station according to the RFF acquisition instruction, where the RFF acquisition information carries RFF comparison information, and the RFF comparison information is generated by the base station from the RFF collected by the base station and the RFF carried in the RFF acquisition instruction; and
   if the RFF comparison information indicates that the RFF collected by the base station is consistent with the RFF carried in the RFF acquisition instruction, determine that RFF authentication of the terminal has succeeded, and otherwise determine that RFF authentication of the terminal has failed.
13. The device according to claim 10 or 11, characterized in that the processor is specifically configured to:
   when receiving, through the transceiver, the RFF acquisition information fed back by the base station according to the RFF acquisition instruction and judging according to the RFF acquisition information whether RFF authentication of the terminal succeeds, receive, through the transceiver, the RFF acquisition information fed back by the base station, where the RFF acquisition information carries the RFF collected by the base station, and the RFF collected by the base station is the RFF of the terminal corresponding to the identification information of the terminal carried in the RFF acquisition instruction; and
   judge whether the RFF collected by the base station is consistent with the stored RFF of the terminal corresponding to the identification module, and if they are consistent, determine that RFF authentication of the terminal has succeeded, and otherwise determine that RFF authentication of the terminal has failed.
14. The device according to claim 12 or 13, characterized in that the processor is further configured to:
   when determining that RFF authentication of the terminal has failed, start user identity identification for the terminal;
   when determining that the user identity identification result of the terminal is a pass, send an RFF initial acquisition instruction to the base station, the RFF initial acquisition instruction carrying the identification information of the terminal; and
   receive, through the transceiver, the RFF of the terminal fed back by the base station according to the RFF initial acquisition instruction, and update the correspondence between the identification module of the terminal and the RFF of the terminal.
15. A network security protection device, characterized by comprising a transceiver and a processor coupled to the transceiver;
   the processor being configured to:
   receive, through the transceiver, an RFF initial acquisition instruction sent by the core network device, the RFF initial acquisition instruction carrying identification information of a terminal;
   collect, according to the identification information of the terminal, the RFF of the terminal corresponding to the identification information, and feed the collected RFF back to the core network device, so that the core network device saves the correspondence between the identification module of the terminal and the RFF of the terminal;
   receive, through the transceiver, an RFF acquisition instruction sent by the core network device, the RFF acquisition instruction carrying the identification information of the terminal;
   collect, according to the identification information of the terminal, the RFF of the terminal corresponding to the identification information; and
   generate RFF acquisition information from the collected RFF and feed it back to the core network device, so that the core network device judges, according to the RFF acquisition information, whether RFF authentication of the terminal succeeds.
16. The device according to claim 15, characterized in that the RFF acquisition instruction also carries the RFF of the terminal corresponding to the identification module;
   the processor being specifically configured to:
   when generating the RFF acquisition information from the collected RFF, generate RFF comparison information from the collected RFF and the RFF carried in the RFF acquisition instruction, and use the RFF comparison information as the RFF acquisition information.
17. The device according to claim 16, characterized in that the identification module is a subscriber identity module (SIM) or a universal subscriber identity module (USIM).
18. The device according to claim 15, characterized in that the processor is specifically configured to:
   when generating the RFF acquisition information from the collected RFF, use the collected RFF as the RFF acquisition information.
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2016/107756 WO2018098641A1 (en) | 2016-11-29 | 2016-11-29 | Network security protection method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109845215A (en) | 2019-06-04 |
Family
ID=62241028
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201680090081.6A Pending CN109845215A (en) | 2016-11-29 | 2016-11-29 | A kind of network safety protection method and equipment |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN109845215A (en) |
WO (1) | WO2018098641A1 (en) |
Also Published As
Publication number | Publication date |
---|---|
WO2018098641A1 (en) | 2018-06-07 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20190604 |