CN110944329A - Information processing method, terminal and server - Google Patents

Publication number
CN110944329A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911193298.1A
Other languages
Chinese (zh)
Inventor
王志红
邬亮
邢雨
王俊
张力
戴英杰
张才普
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chu Tianlong Co Ltd
CETC 30 Research Institute
China Mobile Chengdu ICT Co Ltd
Original Assignee
Chu Tianlong Co Ltd
CETC 30 Research Institute
China Mobile Chengdu ICT Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W12/06 Authentication
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122 Counter-measures against attacks; Protection against rogue devices
    • H04W8/00 Network data management
    • H04W8/18 Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H04W8/20 Transfer of user or subscriber data
    • H04W8/205 Transfer to or from user equipment or user record carrier

Abstract

The invention discloses an information processing method, a terminal and a server for improving the security of terminal information. In the information processing method of the embodiment of the invention, the terminal sends the first IMSI currently used by the user identity module, which is arranged on the terminal, to the server, so that the server acquires a second IMSI from a data pool according to the first IMSI. The terminal then acquires the second IMSI sent by the server. When a preset replacement condition is met, the terminal replaces the first IMSI with the second IMSI on the user identity module so that the user identity module uses the second IMSI. The IMSI used by the user identity module is thereby updated: if a pseudo base station or tracker has acquired the old first IMSI while the user identity module of the terminal is using the second IMSI, the pseudo base station or tracker cannot track the terminal with the first IMSI and cannot acquire the terminal's private information, which improves the security of terminal information.

Description

Information processing method, terminal and server
Technical Field
The present invention relates to the field of communications technologies, and in particular, to an information processing method, a terminal, and a server.
Background
The International Mobile Subscriber Identity (IMSI) is the unique subscriber identifier of an end user in 2G/3G/4G mobile communication networks. The IMSI is stored in a Subscriber Identity Module (SIM) or Universal Subscriber Identity Module (USIM) and is used for network authentication in the mobile communication network in order to obtain network services.
To protect the IMSI and reduce its exposure on the air interface, the prior art has the network-side device allocate a Temporary Mobile Subscriber Identity (TMSI) to the terminal after the terminal successfully logs in to the network. When the terminal is started, it reads the TMSI allocated in the previous session from the SIM/USIM and sends the TMSI to the base station to request network access. After receiving the message, the base station forwards the TMSI to a mobility management node (MME) of the core network. If the MME can look up the real identity corresponding to the TMSI, the terminal is allowed to access. If the lookup fails, the MME initiates an "Identity Request" to the terminal to verify its real identity, that is, the MME requires the terminal to provide the IMSI, its real identity.
However, an illegal party can exploit this loophole in the prior art by using a pseudo base station or tracker to continuously send Identity Requests to the terminal. The real identity information of the terminal can thereby be acquired, and the location of the terminal can then be tracked and its communication content monitored. This results in poor security of terminal information.
Disclosure of Invention
The invention aims to provide an information processing method, a terminal and a server for improving the security of terminal information.
To achieve the purpose, the embodiment of the invention adopts the following technical scheme:
an information processing method comprising:
a terminal sends a first IMSI currently used by a user identity module to a server so that the server obtains a second IMSI from a data pool according to the first IMSI, wherein the user identity module is arranged on the terminal;
the terminal acquires the second IMSI sent by the server;
and when the preset replacement condition is met, the terminal replaces the first IMSI with the second IMSI on the subscriber identity module so that the subscriber identity module uses the second IMSI.
Optionally, the sending, by the terminal, the first IMSI currently used by the subscriber identity module to the server includes:
when the terminal applies for authentication, the terminal sends a first IMSI currently used by a user identity module to a server;
the terminal acquiring the second IMSI sent by the server includes:
the terminal acquires authentication data sent by the server, wherein the authentication data comprises the second IMSI;
and the terminal analyzes the authentication data to obtain the second IMSI.
Optionally, the preset replacement condition is that the user identity module monitors an UpdateBinary instruction for updating the security context.
Optionally, the server pre-stores a mapping table, where the mapping table includes a mapping relationship between the first IMSI and an identity identifier, and the identity identifier is an identifier of the subscriber identity module;
after the terminal replaces the first IMSI with the second IMSI on the subscriber identity module, so that the subscriber identity module uses the second IMSI, the method further includes:
and the terminal sends the second IMSI currently used by the user identity module to the server so that the server uses the second IMSI to replace the first IMSI in the mapping relation.
In order to achieve the purpose, the embodiment of the invention also adopts the following technical scheme:
an information processing method comprising:
the method comprises the steps that a server obtains a first IMSI currently used by a user identity module sent by a terminal, wherein the user identity module is arranged on the terminal;
when the first IMSI accords with a preset updating condition, the server acquires a second IMSI from a data pool;
the server sends the second IMSI to the terminal, so that the terminal replaces the first IMSI with the second IMSI on the subscriber identity module, and the subscriber identity module uses the second IMSI.
Optionally, the preset update condition is that the time of the first IMSI used in the subscriber identity module reaches a preset update interval time.
Optionally, the server pre-stores a mapping table, where the mapping table includes a mapping relationship between the first IMSI and an identity identifier, and the identity identifier is an identifier of the subscriber identity module;
after the server sends the second IMSI to the terminal, the method further includes:
the server acquires the second IMSI currently used by the user identity module sent by the terminal;
the server replaces the first IMSI in the mapping relationship with the second IMSI.
Optionally, the obtaining, by the server, a first IMSI currently used by a user identity module sent by a terminal includes:
when a terminal applies for authentication, a server acquires a first IMSI currently used by a user identity module sent by the terminal;
the server sends the second IMSI to the terminal, including:
the server encapsulates the second IMSI into authentication data;
and the server sends the authentication data to the terminal.
In order to achieve the purpose, the embodiment of the invention also adopts the following technical scheme:
a terminal, comprising:
a sending unit, configured to send a first IMSI currently used by a subscriber identity module to a server, so that the server obtains a second IMSI from a data pool according to the first IMSI, where the subscriber identity module is disposed on the terminal;
an obtaining unit, configured to obtain the second IMSI sent by the server;
and the replacing unit is used for replacing the first IMSI with the second IMSI on the subscriber identity module when the preset replacing condition is met so as to enable the subscriber identity module to use the second IMSI.
In order to achieve the purpose, the embodiment of the invention also adopts the following technical scheme:
a server, comprising:
an obtaining unit, configured to obtain a first IMSI currently used by a user identity module sent by a terminal, where the user identity module is set on the terminal;
the information acquisition unit is used for acquiring a second IMSI from a data pool when the first IMSI accords with a preset updating condition;
a sending unit, configured to send the second IMSI to the terminal, so that the terminal replaces the first IMSI with the second IMSI on the subscriber identity module, so that the subscriber identity module uses the second IMSI.
The beneficial effects of the invention are as follows:
In the information processing method of the embodiment of the invention, the terminal sends the first IMSI currently used by the user identity module, which is arranged on the terminal, to the server, so that the server acquires a second IMSI from a data pool according to the first IMSI. The terminal then acquires the second IMSI sent by the server. When a preset replacement condition is met, the terminal replaces the first IMSI with the second IMSI on the user identity module so that the user identity module uses the second IMSI. The IMSI used by the user identity module is thereby updated: if a pseudo base station or tracker has acquired the old first IMSI while the user identity module of the terminal is using the second IMSI, the pseudo base station or tracker cannot track the terminal with the first IMSI and cannot acquire the terminal's private information, which improves the security of terminal information.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without inventive exercise.
Fig. 1 is a schematic diagram of a network architecture according to an embodiment of the present invention;
Fig. 2 is a flowchart of an information processing method according to an embodiment of the present invention;
Fig. 3 is a flowchart of an information processing method according to an embodiment of the present invention;
Fig. 4 is a signaling flowchart of an information processing method according to an embodiment of the present invention;
Fig. 5 is a signaling flowchart of an information processing method according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a terminal according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a server according to an embodiment of the present invention.
Detailed Description
The embodiment of the invention provides an information processing method, a terminal and a server for improving the security of terminal information.
In order to make the objects, features and advantages of the present invention more obvious and understandable, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the embodiments described below are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The technical scheme of the invention is further explained by the specific implementation mode in combination with the attached drawings.
Fig. 1 is a schematic diagram of a network architecture according to an embodiment of the present invention. The information processing method of the embodiment of the invention can be applied to the network architecture shown in fig. 1.
Referring to fig. 1, the network architecture of the embodiment of the present invention includes a terminal 101 and a server 102, and the terminal 101 and the server 102 are connected in communication.
The server 102 is a server on the mobile communication network, such as a Home Location Register (HLR) or an Authentication Center (AUC). The mobile communication network may be a 2G, 3G, 4G, or 5G mobile communication network.
The terminal 101 is provided with a subscriber identity module 103, which includes, but is not limited to, a Subscriber Identity Module (SIM), a Universal Subscriber Identity Module (USIM), or an embedded-chip Subscriber Identity Module (eSIM). An International Mobile Subscriber Identity (IMSI) may be stored on the subscriber identity module 103.
The terminal 101 of the embodiment of the present invention includes, but is not limited to, an electronic device such as a mobile phone, a tablet computer, or a smart watch.
It should be understood that the network architecture shown in fig. 1 is only an exemplary illustration, and does not specifically limit the information processing method, the terminal, the server, and the like according to the embodiment of the present invention.
Fig. 2 is a flowchart of an information processing method according to an embodiment of the present invention. The information processing method shown in fig. 2 can be applied to the terminal shown in fig. 1.
Referring to fig. 2, the information processing method according to the embodiment of the present invention includes:
Step 201: The terminal sends the first IMSI currently used by the user identity module to the server.
The user identity module is arranged on the terminal. For specific implementations of the user identity module and the terminal, refer to the detailed description of the embodiment shown in fig. 1 above; they are not described again here.
The user identity module stores the IMSI and is currently using the first IMSI. The terminal sends the first IMSI to the server so that the server acquires the second IMSI from the data pool according to the first IMSI.
The terminal may send the first IMSI currently used by the subscriber identity module to the server on various occasions: for example, when it applies for authentication, at preset intervals, or under other preset conditions.
Step 202: The terminal acquires the second IMSI sent by the server.
The server acquires a first IMSI sent by the terminal, and acquires a second IMSI from the data pool according to the first IMSI. The data pool stores a plurality of IMSIs.
Then, the server sends the second IMSI to the terminal, and the terminal can acquire the second IMSI.
Step 203: When the preset replacement condition is met, the terminal replaces the first IMSI with the second IMSI on the user identity module.
The replacement makes the user identity module use the second IMSI.
After the terminal acquires the second IMSI sent by the server, once the preset replacement condition is met, the user identity module replaces the first IMSI with the second IMSI and can then use the second IMSI.
The preset replacement condition has various specific implementation manners.
For example, the preset replacement condition is that the user identity module detects an Update Binary command for updating the security context.
For another example, the preset replacement condition is that a preset time interval has elapsed, or that the terminal detects a preset time of day, for example 9 o'clock or 12 o'clock. Alternatively, the preset replacement condition is that the terminal detects a user-triggered instruction to update the IMSI.
The embodiment of the present invention does not specifically limit the specific implementation manner of the preset replacement condition.
In summary, in the information processing method according to the embodiment of the present invention, the terminal sends the first IMSI currently used by the subscriber identity module, which is arranged on the terminal, to the server, so that the server obtains the second IMSI from the data pool according to the first IMSI. The terminal then acquires the second IMSI sent by the server. When the preset replacement condition is met, the terminal replaces the first IMSI with the second IMSI on the subscriber identity module so that the subscriber identity module uses the second IMSI. The IMSI used by the subscriber identity module is thereby updated: if a pseudo base station or tracker has acquired the old first IMSI while the subscriber identity module of the terminal is using the second IMSI, the pseudo base station or tracker cannot track the terminal with the first IMSI and cannot acquire the terminal's private information, which improves the security of terminal information.
Fig. 3 is a flowchart of an information processing method according to an embodiment of the present invention. The information processing method shown in fig. 3 can be applied to the server shown in fig. 1.
Referring to fig. 3, the information processing method according to the embodiment of the present invention includes:
Step 301: The server acquires the first IMSI currently used by the user identity module, sent by the terminal.
The user identity module is arranged on the terminal. For specific implementations of the user identity module, the terminal and the server, refer to the detailed description of the embodiment shown in fig. 1; they are not described again here.
The terminal sends the first IMSI currently used by the user identity module to the server. The user identity module stores the IMSI and is currently using the first IMSI. The terminal sends the first IMSI to the server, and the server acquires it.
Step 302: When the first IMSI meets the preset update condition, the server acquires a second IMSI from the data pool.
After acquiring the first IMSI, the server determines whether it meets the preset update condition.
If it does, the server acquires a second IMSI from the data pool. If it does not, the server may skip the following steps.
The data pool stores a plurality of IMSIs. The data pool may be set locally in the server, or may be set on other devices, which is not specifically limited in this embodiment of the present invention.
The preset update condition may be implemented in various ways. For example, the condition is that the time for which the first IMSI has been used in the subscriber identity module reaches a preset update interval. Alternatively, the condition is that the terminal has applied for authentication with the first IMSI a preset number of times, or that the first IMSI has been stored on the server for a preset duration. The embodiment of the present invention does not specifically limit the preset update condition.
Step 303: The server sends the second IMSI to the terminal.
After obtaining the second IMSI, the server sends it to the terminal so that the terminal replaces the first IMSI with the second IMSI on the subscriber identity module and the subscriber identity module uses the second IMSI.
In summary, in the information processing method according to the embodiment of the present invention, the server obtains the first IMSI currently used by the subscriber identity module, sent by the terminal on which the module is arranged. When the first IMSI meets the preset update condition, the server acquires a second IMSI from the data pool. The server then sends the second IMSI to the terminal, so that the terminal replaces the first IMSI with the second IMSI on the subscriber identity module and the subscriber identity module uses the second IMSI. The server thus assists the terminal in updating the IMSI: if a pseudo base station or tracker has acquired the old first IMSI while the subscriber identity module of the terminal is using the second IMSI, the pseudo base station or tracker cannot track the terminal with the first IMSI and cannot acquire the terminal's private information, which improves the security of terminal information.
Fig. 4 is a signaling flowchart of an information processing method according to an embodiment of the present invention. The information processing method shown in fig. 4 can be implemented based on the information processing methods shown in fig. 2 and 3. The information processing method shown in fig. 4 can be applied to the network architecture shown in fig. 1.
Referring to fig. 4, the information processing method according to the embodiment of the present invention includes:
Step 401: When the terminal applies for authentication, the terminal sends the first IMSI currently used by the user identity module to the server.
The user identity module is arranged on the terminal. The subscriber identity module includes, but is not limited to, a SIM, USIM, or eSIM. For specific implementations of the user identity module and the terminal, refer to the detailed description of the embodiment shown in fig. 1 above; they are not described again here.
The terminal applies for authentication when, for example, it is powered on and restarted, roams, or has not been updated for a long time and the network determines that the terminal must authenticate. The terminal then initiates an authentication application to acquire network service.
When applying for authentication, the terminal sends the first IMSI currently used by the user identity module to the server. The user identity module stores the IMSI and is currently using the first IMSI.
It should be understood that step 401 is one specific implementation of the terminal sending the first IMSI currently used by the subscriber identity module to the server.
Step 402: When the first IMSI meets the preset update condition, the server acquires a second IMSI from the data pool.
When the terminal applies for authentication, the terminal sends a first IMSI currently used by a user identity module to the server, and the server acquires the first IMSI, so that the server acquires a second IMSI from the data pool according to the first IMSI. The data pool stores a plurality of IMSIs. The data pool may be set locally in the server, or may be set on other devices, which is not specifically limited in this embodiment of the present invention.
Specifically, when the first IMSI meets a preset update condition, the server obtains the second IMSI from the data pool. When the first IMSI does not comply with the preset update condition, the server may not perform the following steps.
Optionally, the preset update condition is that the time of the first IMSI used in the subscriber identity module reaches a preset update interval time.
For example, the server obtains the first IMSI currently used by the subscriber identity module, sent by the terminal. If the server does not find a mapping relationship containing the first IMSI in the pre-stored mapping table, it establishes a mapping relationship between the first IMSI and an identification code, where the identification code identifies the subscriber identity module on the terminal, such as a Mobile Station Integrated Service Digital Network (MSISDN). If the mapping relationship between the first IMSI and the identification code is found in the pre-stored mapping table, the server determines whether the time for which the first IMSI has been used in the user identity module has reached the preset update interval. One specific implementation records the establishment time of the mapping relationship between the first IMSI and the identification code in the mapping relationship itself. The server obtains the establishment time and compares the interval between it and the current time with the preset update interval. If that interval is greater than the preset update interval, the server determines that the time for which the first IMSI has been used in the subscriber identity module has reached the preset update interval, and it obtains the second IMSI from the data pool. The second IMSI may then be added to the mapping relationship, with the first IMSI marked as the in-use IMSI and the second IMSI marked as the allocated IMSI.
It should be understood that the server of the embodiments of the present invention may be an HLR or an AUC.
It should be understood that the server acquiring the first IMSI when the terminal applies for authentication is one specific implementation of the step in which the server acquires the first IMSI currently used by the subscriber identity module, sent by the terminal.
Step 403: the server encapsulates the second IMSI into authentication data.
In the authentication process, the terminal acquires authentication data sent by the server. The server may encapsulate the obtained second IMSI into the authentication data, so that the second IMSI is transmitted to the terminal along with the authentication data.
The authentication data is, for example, RAND or AUTN, where RAND is an unpredictable random number provided by the network to the terminal and is 16 octets long.
Step 404: the server sends the authentication data to the terminal.
After encapsulating the second IMSI into the authentication data, the server sends the authentication data to the terminal.
It should be understood that steps 403 and 404 are one of specific implementations of the step of the server sending the second IMSI to the terminal.
The server sends the second IMSI to the terminal so that the terminal replaces the first IMSI with the second IMSI on the subscriber identity module, and the subscriber identity module uses the second IMSI. Details are as follows.
Step 405: The terminal parses the authentication data to obtain the second IMSI.
The terminal acquires the authentication data sent by the server, which contains the second IMSI, and parses it to obtain the second IMSI. In this way the terminal acquires the second IMSI sent by the server.
For example, the parsing is performed by the user identity module of the terminal, which obtains the second IMSI. The terminal temporarily stores the second IMSI in non-volatile memory. The terminal then continues the authentication application and returns RES to the network. The network initiates a detach procedure.
Step 406: When the preset replacement condition is met, the terminal replaces the first IMSI with the second IMSI on the user identity module.
The terminal detects whether the preset replacement condition is met. When it is met, the terminal replaces the first IMSI with the second IMSI on the user identity module so that the user identity module uses the second IMSI. When it is not met, the terminal keeps the second IMSI stored and the user identity module continues to use the first IMSI.
Optionally, the preset replacement condition is that the user identity module monitors an Update Binary instruction for updating the security context.
Specifically, after the terminal acquires the second IMSI sent by the server, the terminal stores the second IMSI. And when the user identity module monitors an Update Binary instruction for updating the security context related file, the user identity module stores the second IMSI into the IMSI file and removes the local security context on the user identity module. In this way, the subscriber identity module may use the second IMSI.
Optionally, the server pre-stores a mapping table, where the mapping table includes a mapping relationship between the first IMSI and an identification code, and the identification code is the identification code of the subscriber identity module. The mapping relationship between the first IMSI and the identification code may be established as follows: after the server obtains the first IMSI currently used by the subscriber identity module, as sent by the terminal, and does not find a mapping relationship between the first IMSI and the identification code in the mapping table, the server establishes that mapping relationship using the first IMSI and the identification code obtained from the terminal. In this case, after step 406, the method of the embodiment of the present invention further includes step 407.
Step 407: the terminal sends the second IMSI currently used by the subscriber identity module to the server.
After the terminal replaces the first IMSI with the second IMSI on the subscriber identity module, the terminal informs the server that the replacement has taken place by sending the second IMSI currently used by the subscriber identity module to the server, so that the server replaces the first IMSI in the mapping relationship with the second IMSI.
For example, after the subscriber identity module stores the second IMSI in the IMSI file and clears the local security context on the subscriber identity module, the subscriber identity module uses a Refresh instruction to request that the terminal restart the subscriber identity module. After the restart, the subscriber identity module uses the second IMSI for authentication, and at this point the terminal sends the second IMSI currently used by the subscriber identity module to the server.
Step 408: the server replaces the first IMSI in the mapping with the second IMSI.
After the server obtains the second IMSI currently used by the subscriber identity module, as sent by the terminal, the server replaces the first IMSI in the mapping relationship with the second IMSI.
The mapping table originally comprises a mapping relation between the first IMSI and an identification code, and the identification code is an identification code of the user identity module. After the server uses the second IMSI to replace the first IMSI in the mapping relationship, the mapping table comprises the mapping relationship between the second IMSI and the identification code.
When the server determines that the subscriber identity module has successfully updated the IMSI, it replaces the first IMSI in the mapping relationship with the second IMSI and establishes the mapping relationship between the second IMSI and the identification code. A scheme in which the terminal can change among multiple IMSIs is thereby realized.
For example, the server establishes a target mapping relationship of the first IMSI, the second IMSI, and the identification code, in which the first IMSI is marked as an in-use IMSI and the second IMSI is marked as an allocated IMSI. When the server obtains the second IMSI currently used by the subscriber identity module, as sent by the terminal, the server detects that, in the target mapping relationship, the first IMSI is marked as the in-use IMSI and the second IMSI is marked as the allocated IMSI. The server then marks the second IMSI as an in-use IMSI and deletes the first IMSI, thereby obtaining the mapping relationship between the second IMSI and the identification code.
It should be understood that step 407 and step 408 are optional steps.
When the terminal uses an IMSI, such as the first IMSI or the second IMSI, the IMSI is stored in the subscriber identity module, and the IMSI in use is used for network authentication in the mobile communication network so as to obtain network service. After the terminal successfully logs in to the network, the network side can allocate a temporary identity (TMSI) to the terminal.
In some scenarios, an attacker uses a pseudo base station or a tracker to continuously send identity requests (Identity Request) to a terminal, and can thereby obtain the true identity of the terminal, track the location of the mobile phone, and monitor communication content. A tracker is a device that can obtain the true identity of a terminal by using the Identity Request. The 5G protocol introduces the Subscription Permanent Identifier (SUPI, equivalent to the IMSI) and the Subscription Concealed Identifier (SUCI), and uses a PKI architecture to protect the SUPI so that it is not fully disclosed. Even so, an attacker can still launch DDoS (distributed denial of service) or GSM (Global System for Mobile Communications) attacks against a 5G device and thereby capture the IMSI.
In the method of the embodiment of the invention, the terminal replaces the first IMSI with the second IMSI on the subscriber identity module so that the subscriber identity module uses the second IMSI. The subscriber identity module thus updates the IMSI it uses. When a pseudo base station or tracker has obtained the old first IMSI but the subscriber identity module of the terminal is using the second IMSI, the pseudo base station or tracker cannot track the terminal with the first IMSI and cannot obtain the terminal's private information, which improves the security of the terminal's information.
Specifically, the method of the embodiment of the invention uses the server and the terminal together to change the IMSI multiple times, breaking the mapping between the user's mobile phone number and a fixed IMSI. A pseudo base station or tracker therefore cannot keep tracking the terminal user with the IMSI from before the update; continuous hijacking attacks on the IMSI are prevented, the attack becomes more difficult for the pseudo base station or tracker, and user privacy information such as the terminal's location is effectively protected. In addition, the method has little impact on existing 4G/5G networks, requires no modification of the terminal, is easy to implement, and is widely applicable.
Fig. 5 is a signaling flowchart of an information processing method according to an embodiment of the present invention. The information processing method shown in fig. 5 can be implemented based on the information processing methods shown in fig. 2, 3, and 4.
To make the information processing method of the embodiment of the present invention easier to understand, an example is described below in which the subscriber identity module is a SIM/USIM.
Referring to fig. 5, the SIM/USIM is installed in the terminal and sends the first IMSI, through the terminal, to the server on the network side. The server may be an HLR/AUC, and an IMSI data pool is provided on the server. When the terminal performs network-access authentication for the first time, the server establishes a mapping relationship between the MSISDN and the first IMSI in the mapping table. If this is not the terminal's first network-access authentication, the server already stores the previously established mapping relationship between the MSISDN and the first IMSI. In that case, the server obtains the first IMSI sent by the terminal and determines whether the first IMSI has reached the preset update interval time; if so, the server obtains a second IMSI from the IMSI data pool, marks it as an allocated IMSI, and temporarily stores it in the mapping relationship. The server encapsulates the second IMSI into authentication data and sends the authentication data to the terminal. The SIM/USIM of the terminal parses the received authentication data to obtain the second IMSI, temporarily stores it in non-volatile memory, and returns response (RES) data to the server. The network-side device then initiates a detach procedure toward the terminal. When the SIM/USIM detects an Update Binary instruction for updating the security-context-related file, it stores the second IMSI in the IMSI file, clears its local security context, and then uses a Refresh instruction to request that the terminal restart the SIM/USIM.
After the restart, the terminal authenticates with the second IMSI, and the server obtains the second IMSI from the terminal. The server finds that the second IMSI is marked as an allocated IMSI and thereby determines that the SIM/USIM has successfully updated the IMSI, so the server replaces the first IMSI in the mapping relationship with the second IMSI and obtains the mapping relationship between the second IMSI and the MSISDN. In this way, multiple IMSI changes can be implemented.
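The Fig. 5 exchange (steps 401 to 408) as a small Python simulation, added here for illustration and not part of the patent text. The class and method names, the dictionary standing in for the authentication data, the re-send behaviour on a retry, and the sample IMSI and MSISDN values are assumptions; the patent does not specify how the second IMSI is encoded in the authentication data.

```python
IN_USE, ALLOCATED = "in-use", "allocated"


class Server:
    """HLR/AUC role: IMSI data pool plus the MSISDN -> IMSI mapping table."""

    def __init__(self, pool, update_interval):
        self.pool = list(pool)            # IMSIs not yet handed out
        self.update_interval = update_interval
        self.table = {}                   # msisdn -> {imsi: IN_USE | ALLOCATED}
        self.since = {}                   # msisdn -> time the in-use IMSI became active

    def register(self, msisdn, imsi, now):
        """First network login: create the MSISDN <-> first IMSI mapping."""
        self.table[msisdn] = {imsi: IN_USE}
        self.since[msisdn] = now

    def authenticate(self, imsi, now):
        """Handle an authentication request; return the authentication data."""
        msisdn = next((m for m, e in self.table.items() if imsi in e), None)
        if msisdn is None:
            raise KeyError(f"IMSI {imsi} is not in the mapping table")
        entry = self.table[msisdn]
        if entry[imsi] == ALLOCATED:
            # Steps 407-408: the SIM now uses the allocated IMSI, so mark it
            # in-use and delete the first IMSI from the mapping.
            self.table[msisdn] = {imsi: IN_USE}
            self.since[msisdn] = now
            return {"new_imsi": None}
        pending = [i for i, state in entry.items() if state == ALLOCATED]
        if pending:
            # Assumption: re-send the IMSI already allocated rather than
            # drawing another one, so retries do not drain the pool.
            return {"new_imsi": pending[0]}
        if now - self.since[msisdn] >= self.update_interval and self.pool:
            new_imsi = self.pool.pop(0)
            entry[new_imsi] = ALLOCATED   # temporarily stored in the mapping
            return {"new_imsi": new_imsi}
        return {"new_imsi": None}


class Sim:
    """SIM/USIM role on the terminal."""

    def __init__(self, imsi):
        self.imsi_file = imsi             # IMSI currently in use
        self.staged = None                # second IMSI held in non-volatile memory
        self.security_context = None

    def on_auth_data(self, data):
        """Step 405: parse the authentication data, stage the IMSI, return RES."""
        if data["new_imsi"] is not None:
            self.staged = data["new_imsi"]
        self.security_context = f"context-for-{self.imsi_file}"
        return "RES"

    def on_update_binary(self):
        """Step 406: replacement condition met. True means a Refresh is requested."""
        if self.staged is None:
            return False
        self.imsi_file, self.staged = self.staged, None
        self.security_context = None      # clear the local security context
        return True


def rotate_once(server, sim, now):
    """One authentication round trip followed by the Update Binary trigger."""
    sim.on_auth_data(server.authenticate(sim.imsi_file, now))
    if sim.on_update_binary():
        # After the restart the SIM authenticates with the second IMSI.
        sim.on_auth_data(server.authenticate(sim.imsi_file, now))
    return sim.imsi_file


if __name__ == "__main__":
    # Constructed sample values (test PLMN 001/01, made-up MSISDN).
    server = Server(pool=["001010000000002", "001010000000003"], update_interval=3600)
    sim = Sim("001010000000001")
    server.register("15550100", sim.imsi_file, now=0)
    for t in (10, 3600, 3700, 7300):
        print(t, rotate_once(server, sim, t), server.table["15550100"])
```

Until the SIM authenticates with the allocated IMSI, the server keeps both entries, so a terminal that never sees the Update Binary trigger stays reachable under the first IMSI.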
Fig. 6 is a schematic structural diagram of a terminal according to an embodiment of the present invention, where the terminal shown in fig. 6 may be used to execute the methods executed by the terminals shown in fig. 2, fig. 3, fig. 4, and fig. 5.
Referring to fig. 6, the terminal according to the embodiment of the present invention includes:
a sending unit 601, configured to send a first IMSI currently used by a subscriber identity module to a server, so that the server obtains a second IMSI from a data pool according to the first IMSI, where the subscriber identity module is set on the terminal;
an obtaining unit 602, configured to obtain the second IMSI sent by the server;
a replacing unit 603, configured to replace, when a preset replacing condition is met, the first IMSI with the second IMSI on the subscriber identity module, so that the subscriber identity module uses the second IMSI.
Optionally, the obtaining unit 602 includes an obtaining module 604 and an analyzing module 605;
the sending unit 601 is further configured to send a first IMSI currently used by the user identity module to the server when applying for authentication;
the obtaining module 604 is configured to obtain authentication data sent by the server, where the authentication data includes the second IMSI;
the analyzing module 605 is configured to analyze the authentication data to obtain the second IMSI.
Optionally, the preset replacement condition is that the subscriber identity module detects an Update Binary instruction for updating the security context.
Optionally, the server pre-stores a mapping table, where the mapping table includes a mapping relationship between the first IMSI and an identity identifier, and the identity identifier is an identifier of the subscriber identity module;
the sending unit 601 is further configured to send the second IMSI currently used by the subscriber identity module to the server, so that the server uses the second IMSI to replace the first IMSI in the mapping relationship.
To sum up, the sending unit 601 sends the first IMSI currently used by the subscriber identity module to the server, so that the server obtains the second IMSI from the data pool according to the first IMSI; the subscriber identity module is provided on the terminal. The obtaining unit 602 obtains the second IMSI sent by the server. When a preset replacement condition is met, the replacing unit 603 replaces the first IMSI with the second IMSI on the subscriber identity module, so that the subscriber identity module uses the second IMSI. The subscriber identity module thus updates the IMSI it uses. When a pseudo base station or tracker has obtained the old first IMSI but the subscriber identity module of the terminal is using the second IMSI, the pseudo base station or tracker cannot track the terminal with the first IMSI and cannot obtain the terminal's private information, which improves the security of the terminal's information.
Fig. 7 is a schematic structural diagram of a server according to an embodiment of the present invention. The server shown in fig. 7 may be used to perform the methods performed by the server of the embodiments shown in fig. 2, 3, 4, and 5 described above.
Referring to fig. 7, a server according to an embodiment of the present invention includes:
an obtaining unit 701, configured to obtain a first IMSI currently used by a user identity module sent by a terminal, where the user identity module is set on the terminal;
an information obtaining unit 702, configured to obtain a second IMSI from a data pool when the first IMSI meets a preset update condition;
a sending unit 703 is configured to send the second IMSI to the terminal, so that the terminal replaces the first IMSI with the second IMSI on the subscriber identity module, so that the subscriber identity module uses the second IMSI.
Optionally, the preset update condition is that the time of the first IMSI used in the subscriber identity module reaches a preset update interval time.
Optionally, the server pre-stores a mapping table, where the mapping table includes a mapping relationship between the first IMSI and an identity identifier, and the identity identifier is an identifier of the subscriber identity module;
the server further comprises a replacement unit 704;
the obtaining unit 701 is further configured to obtain the second IMSI currently used by the subscriber identity module sent by the terminal;
the replacing unit 704 is configured to replace the first IMSI in the mapping relationship with the second IMSI.
Optionally, the obtaining unit 701 is further configured to obtain, when the terminal applies for authentication, a first IMSI currently used by the user identity module sent by the terminal;
the sending unit 703 includes an encapsulation module 705 and a sending module 706;
the encapsulating module 705 is configured to encapsulate the second IMSI into authentication data;
the sending module 706 is configured to send the authentication data to the terminal.
In summary, in the server according to the embodiment of the present invention, the obtaining unit 701 obtains the first IMSI currently used by the subscriber identity module, as sent by the terminal, where the subscriber identity module is provided on the terminal. When the first IMSI meets a preset update condition, the information obtaining unit 702 obtains the second IMSI from the data pool. The sending unit 703 sends the second IMSI to the terminal, so that the terminal replaces the first IMSI with the second IMSI on the subscriber identity module and the subscriber identity module uses the second IMSI. The server can thus assist the terminal in updating the IMSI. When a pseudo base station or tracker has obtained the old first IMSI but the subscriber identity module of the terminal is using the second IMSI, the pseudo base station or tracker cannot track the terminal with the first IMSI and cannot obtain the terminal's private information, which improves the security of the terminal's information.
The embodiment of the invention also provides a communication system which comprises the terminal and the server. The terminal may be the terminal in the embodiment shown in fig. 6, and the server may be the server in the embodiment shown in fig. 7.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. An information processing method characterized by comprising:
a terminal sends a first International Mobile Subscriber Identity (IMSI) currently used by a subscriber identity module to a server so that the server acquires a second IMSI from a data pool according to the first IMSI, wherein the subscriber identity module is arranged on the terminal;
the terminal acquires the second IMSI sent by the server;
and when the preset replacement condition is met, the terminal replaces the first IMSI with the second IMSI on the subscriber identity module so that the subscriber identity module uses the second IMSI.
2. The information processing method according to claim 1,
the terminal sends a first IMSI currently used by a user identity module to a server, and the method comprises the following steps:
when the terminal applies for authentication, the terminal sends a first IMSI currently used by a user identity module to a server;
the terminal acquiring the second IMSI sent by the server includes:
the terminal acquires authentication data sent by the server, wherein the authentication data comprises the second IMSI;
and the terminal analyzes the authentication data to obtain the second IMSI.
3. The information processing method according to claim 1,
the preset replacement condition is that the subscriber identity module detects an Update Binary instruction for updating the security context.
4. The information processing method according to claim 1,
the server prestores a mapping table, wherein the mapping table comprises a mapping relation between the first IMSI and an identification code, and the identification code is an identification code of the user identity module;
after the terminal replaces the first IMSI with the second IMSI on the subscriber identity module, so that the subscriber identity module uses the second IMSI, the method further includes:
and the terminal sends the second IMSI currently used by the user identity module to the server so that the server uses the second IMSI to replace the first IMSI in the mapping relation.
5. An information processing method characterized by comprising:
a server obtains a first International Mobile Subscriber Identity (IMSI) currently used by a subscriber identity module, as sent by a terminal, wherein the subscriber identity module is arranged on the terminal;
when the first IMSI accords with a preset updating condition, the server acquires a second IMSI from a data pool;
the server sends the second IMSI to the terminal, so that the terminal replaces the first IMSI with the second IMSI on the subscriber identity module, and the subscriber identity module uses the second IMSI.
6. The information processing method according to claim 5,
the preset updating condition is that the time of the first IMSI used in the user identity module reaches a preset updating interval time.
7. The information processing method according to claim 5,
the server prestores a mapping table, wherein the mapping table comprises a mapping relation between the first IMSI and an identification code, and the identification code is an identification code of the user identity module;
after the server sends the second IMSI to the terminal, the method further includes:
the server acquires the second IMSI currently used by the user identity module sent by the terminal;
the server replaces the first IMSI in the mapping relationship with the second IMSI.
8. The information processing method according to claim 5,
the server acquires a first IMSI currently used by a user identity module sent by a terminal, and the method comprises the following steps:
when a terminal applies for authentication, a server acquires a first IMSI currently used by a user identity module sent by the terminal;
the server sends the second IMSI to the terminal, including:
the server encapsulates the second IMSI into authentication data;
and the server sends the authentication data to the terminal.
9. A terminal, comprising:
a sending unit, configured to send a first international mobile subscriber identity IMSI currently used by a subscriber identity module to a server, so that the server obtains a second IMSI from a data pool according to the first IMSI, where the subscriber identity module is disposed on the terminal;
an obtaining unit, configured to obtain the second IMSI sent by the server;
and the replacing unit is used for replacing the first IMSI with the second IMSI on the subscriber identity module when the preset replacing condition is met so as to enable the subscriber identity module to use the second IMSI.
10. A server, comprising:
an obtaining unit, configured to obtain a first international mobile subscriber identity IMSI currently used by a subscriber identity module sent by a terminal, where the subscriber identity module is arranged on the terminal;
the information acquisition unit is used for acquiring a second IMSI from a data pool when the first IMSI accords with a preset updating condition;
a sending unit, configured to send the second IMSI to the terminal, so that the terminal replaces the first IMSI with the second IMSI on the subscriber identity module, so that the subscriber identity module uses the second IMSI.
CN201911193298.1A 2019-11-28 2019-11-28 Information processing method, terminal and server Pending CN110944329A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911193298.1A CN110944329A (en) 2019-11-28 2019-11-28 Information processing method, terminal and server

Publications (1)

Publication Number Publication Date
CN110944329A true CN110944329A (en) 2020-03-31

Family

ID=69908344

Country Status (1)

Country Link
CN (1) CN110944329A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200331
