CN111182534B - Mobile terminal and method for serial authentication of mobile terminal in WCDMA network - Google Patents

Publication number: CN111182534B
Application number: CN201911320368.5A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN111182534A
Inventors: 张凤霞, 丛丹
Assignee (original and current): ASR Microelectronics Co Ltd
Prior art keywords: authentication, mobile terminal, parameter, network, network side

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/40 Security arrangements using identity modules
    • H04W 12/06 Authentication
    • H04W 12/065 Continuous authentication

Abstract

The application discloses a method for serial authentication of a mobile terminal in a WCDMA network. The network side sends an authentication request to the mobile terminal through the PS domain or the CS domain. If the first network parameter is equal to the first local parameter, the USIM card judges the second network parameter against the second local parameter according to the synchronization check rule. If the check passes, the mobile terminal sends an authentication success message to the network side. If the check fails, the mobile terminal replies to the network side with an authentication failure message carrying a specific failure cause and parameters. After receiving the authentication failure message of the first authentication, the network side recalculates the authentication quintuple and then initiates a second authentication request through the same domain. The authentication requests of the PS domain and the CS domain are processed serially, which greatly improves the success rate of the mobile terminal's authentication of the network side.

Description

Mobile terminal and method for serial authentication of mobile terminal in WCDMA network
Technical Field
The application relates to a method by which a mobile terminal authenticates the network side in a WCDMA (Wideband Code Division Multiple Access) network.
Background
A 3G mobile communication network represented by WCDMA employs bidirectional authentication, in which, on one hand, a network side authenticates a mobile terminal (UE), and, on the other hand, the mobile terminal authenticates the network side.
A mobile terminal supporting a WCDMA mobile communication network has a UICC (Universal Integrated Circuit Card) with a built-in USIM (UMTS Subscriber Identity Module) application. For convenience of description, "USIM card" is used in this document to mean the USIM application in the UICC card of the mobile terminal.
Referring to fig. 1, a conventional method for authenticating a mobile terminal in a WCDMA network includes the following steps.
Step S110: the MSC (Mobile Switching Center) on the network side sends an authentication request to the mobile terminal, carrying RAND (random number) and AUTN (authentication token). The AUTN contains SQN_NET (sequence number) and MAC_NET (message authentication code); the subscript NET indicates that the value was generated by the network side.
According to 3GPP technical specification TS 33.102, Annex C.1, the HLR (Home Location Register) and/or AuC (Authentication Centre) on the network side maintains a counter SQN_HE for each USIM card, used to generate SQNs. Each SQN consists of a leading SEQ part and a trailing IND (index) part. If the SQN is generated independently of time, the SEQ part is incremented by one. If the SQN is generated based on time, the SEQ part is the current count value of the GLC (Global Counter) taken from the timestamp.
Step S120: after receiving an authentication request sent by the network side through the PS (Packet Switched) domain or the CS (Circuit Switched) domain, the mobile terminal passes the RAND and AUTN to the USIM card, and the USIM card parses MAC_NET and SQN_NET from the received AUTN.
Step S130: the USIM card calculates MAC_MS from its stored authentication key K, the received RAND and the AUTN, and compares the calculated MAC_MS with the parsed MAC_NET. If the two are equal, the USIM card considers the network legitimate and proceeds to step S140. In this step the USIM card performs the authentication check on the network, i.e. authenticates the network.
Further, in step S130, if MAC_MS and MAC_NET are not equal, the mobile terminal replies to the network side with an authentication failure message carrying the "MAC FAILURE" cause value. After receiving the authentication failure message, the network side determines whether the initial message sent by the mobile terminal to the network side carried a TMSI (Temporary Mobile Subscriber Identity) or an IMSI (International Mobile Subscriber Identity). If the message carried a TMSI, the network side queries the IMSI and judges whether the queried IMSI is the same as the IMSI derived from the TMSI. If the queried IMSI differs from the IMSI derived from the TMSI, the method returns to step S110 and the network side initiates a second authentication request through the same domain. If the queried IMSI is the same as the IMSI derived from the TMSI, or the message carried the IMSI, the network side judges that the authentication has failed.
Step S140: the USIM card compares its stored SQN_MS with the parsed SQN_NET and judges according to the synchronization check rule. If the check passes, the flow proceeds to step S150. If the check fails, the flow proceeds to step S160. In this step the USIM card performs the synchronization check on the network, verifying that the AUTN is "fresh" and preventing replay attacks.
The USIM card has a storage matrix for the SQNs most recently received from the network side and successfully authenticated. The storage matrix comprises, for example, 33 storage areas: 32 areas store the 32 most recently received and successfully authenticated SQNs, and the remaining area stores SQN_MS. SQN_MS is the one of the 32 SQNs whose SEQ part has the largest value, and that largest SEQ value is called SEQ_MS.
According to 3GPP technical specification TS 33.102, Annex C.2, the synchronization check rule consists of three conditions that must all be satisfied simultaneously for the check to pass. If any condition is not met, the check is judged to fail.
Condition one: SEQ_NET - SEQ_MS <= Δ. That is, the amount by which the SEQ part of the new SQN_NET received by the mobile terminal from the network side exceeds the largest SEQ value SEQ_MS in the USIM card's storage matrix must not be greater than Δ, so as to ensure that the HLR and/or AuC on the network side are functioning properly.
Condition two: SEQ_MS - SEQ_NET < L. That is, the amount by which the largest SEQ value SEQ_MS in the USIM card's storage matrix exceeds the SEQ part of the SQN_NET newly received by the mobile terminal from the network side must be less than L.
Condition three: SEQ_NET > SEQ(IND). That is, the SEQ part of the new SQN_NET received by the mobile terminal from the network side must be larger than the SEQ part of the stored SQN(IND) with the same index value in the USIM card's storage matrix.
Step S150: the mobile terminal sends an authentication success message to the network side. Then, SMC (Security Mode Control) flow is performed between the mobile terminal and the network side.
Step S160: the mobile terminal replies to the network side with an authentication failure message carrying the "SYNC FAILURE" cause value and the AUTS parameter. The AUTS parameter is formed from SQN_MS and is used for resynchronization.
Step S170: after receiving the authentication FAILURE message with the "SYNC FAILURE" cause value and the AUTS parameter for the first authentication, the network side recalculates the authentication quintuple, and then returns to step S110, and initiates a second authentication request through the same domain. After the network side receives the authentication FAILURE message with the SYNC FAILURE reason value and the AUTS parameter of the second authentication, the network side judges that the authentication fails.
The authentication quintuple consists of RAND, XRES (expected response), CK (cipher key), IK (integrity key) and AUTH. From the AUTS parameter in the authentication failure message of the first authentication, the network side calculates the SEQ_MS stored in the USIM of the mobile terminal during the first authentication, so as to ensure that SQN_NET in the recalculated AUTN is larger than the SQN_MS stored in the USIM card when authentication synchronization last failed. This ensures that resynchronization succeeds in the second authentication and greatly improves its success probability.
In this method for the mobile terminal to authenticate the network side, if the authentication synchronization check of step S140 fails for the first time, the resynchronization of step S170 is triggered automatically, and after resynchronization the authentication passes with high probability, so the user does not perceive the first synchronization failure. However, if the second authentication synchronization also fails, the network side rejects the access request of the mobile terminal, and the USIM card in the mobile terminal is regarded as an invalid card until the mobile terminal is restarted or the USIM card is replaced, which has a relatively bad effect on the user.
Careful analysis of the three conditions of the authentication synchronization check in step S140 shows the following. In condition one, the value of Δ is generally very large, so condition one is easily satisfied. In condition three, since most HLR and AuC equipment vendors assign separate index ranges to the PS domain and the CS domain, condition three is also not hard to satisfy. Condition two is the one most likely to cause a synchronization check failure. When the network side generates the SQN based on time, the value of the SEQ part is derived from the GLC, which is driven by the timestamp. The GLC unit is 1 second, so if the L value in the USIM card is small, e.g. L = 32, the newly received SQN_NET must have been generated no more than 32 seconds before the SQN_MS stored in the USIM in order to satisfy condition two. Because CS-domain and PS-domain authentication are generated independently and in parallel, the authentication frequency differs with the service. When the CS domain and the PS domain independently generate SEQ_NET based on time and the mobile terminal receives authentication requests from both domains at the same time, the SEQ_NET generated by the network side in the domain with the lower authentication frequency may be much smaller than the SEQ_MS that the mobile terminal stored during authentication in the other, faster domain, so condition two easily fails.
For example, the mobile terminal is processing an authentication request sent by the network side through the CS domain. After one authentication failure, SEQ_MS is carried to the network side in the AUTS parameter, and the network side calculates a new SEQ_NET_CS from that SEQ_MS value, ensuring that the newly generated SEQ_NET_CS is larger than the SEQ_MS previously stored by the mobile terminal as learned from the AUTS parameter. During this period the mobile terminal processes an authentication request sent by the network side through the PS domain, and after that authentication succeeds, SEQ_MS in the mobile terminal is updated to the PS domain's SEQ_NET_PS. Because the PS domain authenticates more frequently, SEQ_NET_PS is much larger. When the mobile terminal then processes the second authentication request sent through the CS domain, the received SEQ_NET_CS is much smaller than the current SEQ_MS, resulting in a second authentication failure in the CS domain.
Disclosure of Invention
The technical problem to be solved by the application is to provide a method for performing serial authentication on a mobile terminal in a WCDMA network, and to control the authentication request and processing process of a CS domain and a PS domain by the mobile terminal, so as to avoid the generation of secondary authentication synchronization failure. Therefore, the application also provides a corresponding mobile terminal.
In order to solve the above technical problem, the present application provides a method for serial authentication of a mobile terminal in a WCDMA network, comprising the following steps.
Step S210: the network side sends an authentication request to the mobile terminal through the PS domain or the CS domain.
Step S220: after receiving an authentication request sent by the network side through the PS domain or the CS domain, if an authentication request of the other domain is being processed, the mobile terminal caches the newly received authentication request and starts to process it after the request in progress has been processed; otherwise, the mobile terminal starts to process the newly received authentication request.
Step S230: the USIM card in the mobile terminal parses a first network parameter and a second network parameter from the authentication request.
Step S240: the USIM card calculates a first local parameter from the authentication request, and proceeds to step S250 if the first network parameter is equal to the first local parameter.
Step S250: the USIM card compares the second network parameter with a second local parameter stored by the USIM card and judges according to the synchronization check rule; if the check passes, the flow proceeds to step S260; if the check fails, the flow proceeds to step S270.
Step S260: the mobile terminal sends an authentication success message to the network side.
Step S270: the mobile terminal replies to the network side with an authentication failure message carrying a specific failure cause and parameters.
Step S280: after receiving the authentication failure message with specific failure reason and parameters for the first authentication, the network side recalculates the authentication quintuple, and then returns to the step S210, and initiates a second authentication request through the same domain; after the network side receives the authentication failure message with the specific failure reason and parameters for the second authentication, the network side judges that the authentication fails. The method adopts a serial processing mode for the authentication requests of the PS domain and the CS domain, greatly improves the success rate of the authentication of the mobile terminal to the network side, and basically avoids authentication failure caused by secondary synchronization failure.
Further, the first network parameter and the second network parameter are respectively MAC_NET and SQN_NET contained in the AUTN of the authentication request. This is the normal way of handling the communication protocol.
Further, the first local parameter is MAC_MS, calculated from the authentication key K stored by the mobile terminal and the RAND and AUTN in the received authentication request. This is the normal way of handling the communication protocol.
Further, in step S240, if the first network parameter is not equal to the first local parameter, the mobile terminal replies an authentication FAILURE message carrying a cause value of "MAC FAILURE" to the network side. This is the normal way of handling the communication protocol.
Further, after receiving the authentication FAILURE message carrying the cause value of MAC FAILURE, if the initial message sent to the network by the mobile terminal carries TMSI, the network queries IMSI and determines whether the queried IMSI is the same as the IMSI derived based on TMSI; if not, returning to step S210, and the network side initiates a second authentication request through the same domain; if the same or the IMSI is carried in the initial message sent to the network side by the mobile terminal, the network side judges that the authentication fails. This is a normal handling method after network authentication fails.
Further, the second local parameter is SQN_MS. This is the normal way of handling the communication protocol.
Further, the synchronization check rule consists of three conditions; if all three are satisfied simultaneously the check is judged to pass, otherwise it is judged to fail. Condition one: SEQ_NET - SEQ_MS <= Δ; that is, the amount by which the SEQ part of the new SQN_NET received by the mobile terminal from the network side exceeds the largest SEQ value SEQ_MS in the USIM card's storage matrix must not be greater than Δ. Condition two: SEQ_MS - SEQ_NET < L; that is, the amount by which the largest SEQ value SEQ_MS in the USIM card's storage matrix exceeds the SEQ part of the SQN_NET newly received by the mobile terminal from the network side must be less than L. Condition three: SEQ_NET > SEQ(IND); that is, the SEQ part of the new SQN_NET received by the mobile terminal from the network side must be larger than the SEQ part of the stored SQN(IND) with the same index value in the USIM card's storage matrix. This is the normal way of handling the synchronization check conditions.
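The synchronization check rule stated above (and in the background description of step S140), as an added example that is not code from the patent or from ASR Microelectronics: a USIM-side storage matrix with one slot per index value, and the three conditions applied to a newly received SQN_NET. The 5-bit IND (hence 32 matrix entries), Δ = 2^28, L = 32 and the rule that an accepted SQN overwrites the entry at its own index are assumptions chosen for the illustration.

```python
from dataclasses import dataclass, field

# Assumed parameters for the illustration (not values from the patent).
IND_BITS = 5                       # 5-bit index -> 32 matrix entries
IND_MASK = (1 << IND_BITS) - 1
DELTA = 2 ** 28                    # condition one bound; "generally very large"
L = 32                             # condition two bound; small, as in the text


def make_sqn(seq, ind):
    """Build SQN = SEQ || IND (SEQ in the high bits, IND in the low bits)."""
    return (seq << IND_BITS) | (ind & IND_MASK)


def split_sqn(sqn):
    """Return (SEQ, IND) for an SQN built with make_sqn."""
    return sqn >> IND_BITS, sqn & IND_MASK


@dataclass
class UsimSqnMatrix:
    """The USIM's storage matrix: one accepted SQN per index value (-1 = empty)."""
    entries: list = field(default_factory=lambda: [-1] * (1 << IND_BITS))

    @property
    def seq_ms(self):
        """SEQ_MS: the largest SEQ part among the stored SQNs (0 when empty)."""
        return max((e >> IND_BITS for e in self.entries if e >= 0), default=0)

    def check(self, sqn_net):
        """Apply the three conditions to SQN_NET; return (passed, reason)."""
        seq_net, ind = split_sqn(sqn_net)
        seq_ms = self.seq_ms
        # Condition one: SEQ_NET - SEQ_MS <= delta
        if seq_net - seq_ms > DELTA:
            return False, "condition 1: SEQ_NET - SEQ_MS > delta"
        # Condition two: SEQ_MS - SEQ_NET < L
        if seq_ms - seq_net >= L:
            return False, "condition 2: SEQ_MS - SEQ_NET >= L"
        # Condition three: SEQ_NET > SEQ(IND), the stored entry with the same index
        stored = self.entries[ind]
        if stored >= 0 and seq_net <= (stored >> IND_BITS):
            return False, "condition 3: SEQ_NET <= SEQ(IND)"
        return True, "ok"

    def accept(self, sqn_net):
        """Run the check; on success record SQN_NET in the slot for its index."""
        passed, reason = self.check(sqn_net)
        if passed:
            self.entries[split_sqn(sqn_net)[1]] = sqn_net
        return passed, reason


if __name__ == "__main__":
    m = UsimSqnMatrix()
    # Constructed sequence: accept, accept (within L), reject (condition two),
    # then a replay of the first SQN (rejected by condition three).
    for seq, ind in [(100, 0), (90, 1), (60, 2), (100, 0)]:
        print(seq, ind, m.accept(make_sqn(seq, ind)))
```

The replayed SQN in the demo passes conditions one and two (its SEQ equals SEQ_MS) and is caught only by condition three, which is why the per-index slot, and not just SEQ_MS, is needed to reject a replayed AUTN.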
Further, the authentication failure message with a specific failure cause and parameters refers to an authentication failure message carrying the "SYNC FAILURE" cause value and the AUTS parameter. This is the normal way of handling the communication protocol.
Further, the authentication quintuple comprises RAND, XRES, CK, IK and AUTH. This is the normal way of handling the communication protocol.
Further, step S210 is preceded by step S205: the mobile terminal sets a first parameter and a second parameter; the first parameter indicates which domain's authentication request the mobile terminal is handling; the second parameter records the number of synchronization check failures, and its value is 0 or 1. In step S220, after receiving the authentication request sent by the network side, the mobile terminal determines from the first parameter whether an authentication request of the other domain is being processed. In step S260, after the mobile terminal finishes processing the authentication request of the current domain, the value of the first parameter is modified according to whether there is a cached authentication request of the other domain, and the value of the second parameter is changed to 0. In step S270, the mobile terminal changes the value of the second parameter to 1. In step S280, after the network side determines that the authentication has failed, the mobile terminal changes the value of the second parameter to 0. This is embodiment two of the present application; the indication given by the first parameter and the second parameter makes the authentication procedure clearer.
The application also provides a mobile terminal which comprises a receiving unit, a serial processing unit, an analysis unit, a network authentication unit and a synchronous checking unit. The receiving unit is used for receiving an authentication request sent by the network side to the mobile terminal through the PS domain or the CS domain. The serial processing unit is used for caching the authentication request newly received by the receiving unit when the mobile terminal is processing the authentication request sent by the network side through another domain, and sending the cached authentication request to the analysis unit after the authentication request processed by the mobile terminal is processed; the serial processing unit is also used for sending the authentication request newly received by the receiving unit to the analysis unit when the mobile terminal does not process the authentication request sent by the network side through another domain. The analysis unit is used for analyzing a first network parameter and a second network parameter from the authentication request and sending the first network parameter to the network authentication unit; when the network authentication unit considers that the network is legal, the analysis unit sends the second network parameter to the synchronous check unit. The network authentication unit is used for calculating to obtain a first local parameter according to the authentication request, and if the first network parameter is equal to the first local parameter, the network authentication unit considers that the network is legal. 
The synchronous checking unit is used for comparing the second network parameter with a second local parameter stored by the synchronous checking unit and judging according to a synchronous checking rule; if the check is passed, the synchronous check unit sends an authentication success message to the network side; if the check fails, the synchronous check unit replies an authentication failure message with specific failure reasons and parameters to the network side; when the synchronous check unit replies an authentication failure message with a specific failure reason and parameters to the network side through two continuous authentication requests sent from the same domain, the network side judges that the authentication fails. The authentication request of the mobile terminal to the PS domain and the CS domain adopts a serial processing mode, so that the authentication success rate of the mobile terminal to the network side is greatly improved, and authentication failure caused by secondary synchronization failure basically cannot occur.
Further, the serial processing unit is also used for setting a first parameter and a second parameter; the first parameter is used to indicate which domain's authentication request the mobile terminal is handling; the second parameter is used for recording the number of times of synchronization check failure, and the value is 0 or 1 or 2. This is an embodiment two of the present application, and the authentication procedure is made clearer by the indication of the first parameter and the second parameter.
The technical effect of the method is that, by adopting serial processing for the authentication requests from the PS domain and the CS domain, the success rate of the mobile terminal's authentication of the network side is greatly improved, and authentication failure caused by a second synchronization failure basically cannot occur. In addition, the method and the device require no modification of network-side equipment or of the issued USIM card, so the implementation cost is low and implementation is simpler and more convenient.
Drawings
Fig. 1 is a flowchart of a conventional authentication method for a mobile terminal in a WCDMA network.
Fig. 2 is a flowchart of a first embodiment of a method for performing serial authentication by a mobile terminal in a WCDMA network.
Fig. 3 is a schematic structural diagram of a first embodiment of a mobile terminal provided in the present application.
Fig. 4 is a flowchart of a second embodiment of a method for performing serial authentication by a mobile terminal in a WCDMA network.
Fig. 5 is a schematic structural diagram of a second embodiment of the mobile terminal provided in the present application.
The reference numbers in the figures illustrate: 300 is a mobile terminal; 310 is a receiving unit; 320 is a serial processing unit; 330 is a parsing unit; 340 is a network authentication unit; 350 is a sync check unit.
Detailed Description
Referring to fig. 2, an embodiment of a method for performing serial authentication in a WCDMA network by a mobile terminal according to the present application includes the following steps.
Step S210: the network side sends an authentication request to the mobile terminal through the PS domain or the CS domain, carrying RAND and AUTN. The AUTN contains SQN_NET and MAC_NET; the subscript NET indicates generation by the network side.
Step S220: after receiving the authentication request sent by the network side through the PS domain or the CS domain, the mobile terminal judges whether there is an authentication request of another domain being processed. If yes, caching the newly received authentication request, and after the authentication request of another domain in the current processing is finished, the mobile terminal starts to process the cached authentication request. If not, the mobile terminal starts to process the newly received authentication request.
Step S230: the mobile terminal passes the RAND and AUTN in the authentication request to the USIM card, and the USIM card parses MAC_NET and SQN_NET from the received AUTN.
Step S240: the USIM card calculates MAC_MS from its stored authentication key K, the received RAND and the AUTN, and compares the calculated MAC_MS with the parsed MAC_NET. If the two are equal, the USIM card considers the network legitimate and proceeds to step S250. In this step the USIM card performs the authentication check on the network, i.e. authenticates the network.
Further, in step S240, if MAC_MS and MAC_NET are not equal, the mobile terminal replies to the network side with an authentication failure message carrying the "MAC FAILURE" cause value. After receiving the authentication failure message, the network side judges whether the initial message sent by the mobile terminal to the network side carried a TMSI or an IMSI. If the message carried a TMSI, the network side queries the IMSI and judges whether the queried IMSI is the same as the IMSI derived from the TMSI. If the queried IMSI differs from the IMSI derived from the TMSI, the method returns to step S210 and the network side initiates a second authentication request through the same domain. If the queried IMSI is the same as the IMSI derived from the TMSI, or the message carried the IMSI, the network side judges that the authentication has failed.
Step S250: the USIM card compares its stored SQN_MS with the parsed SQN_NET and judges according to the synchronization check rule. SQN_MS and the three conditions of the synchronization check rule are as described in step S140. If the check passes, the flow proceeds to step S260. If the check fails, the flow proceeds to step S270. In this step the USIM card performs the synchronization check on the network, verifying that the AUTN is "fresh" and preventing replay attacks.
Step S260: the mobile terminal sends an authentication success message to the network side. Then, the SMC flow is carried out between the mobile terminal and the network side. At this time, the mobile terminal finishes processing the authentication request of the current domain. If there is a cached authentication request of another domain, the mobile terminal will return to step S230 to start processing the cached authentication request of another domain.
Step S270: the mobile terminal replies to the network side with an authentication failure message carrying the "SYNC FAILURE" cause value and the AUTS parameter. The AUTS parameter is formed from SQN_MS and is used for resynchronization.
Step S280: after receiving the authentication failure message with the "SYNC FAILURE" cause value and the AUTS parameter for the first authentication, the network side recalculates the authentication quintuple, then returns to step S210 and initiates a second authentication request through the same domain. The authentication quintuple is as described in step S170. After the network side receives the authentication failure message with the "SYNC FAILURE" cause value and the AUTS parameter for the second authentication, the network side judges that the authentication has failed. At this point the mobile terminal has finished processing the authentication request of the current domain. If there is a cached authentication request of the other domain, the mobile terminal returns to step S230 to start processing it.
The main improvement of the first embodiment of the method for serial authentication of a mobile terminal in a WCDMA network over the prior art is the addition of step S220. The newly added step S220 changes the mobile terminal's authentication processing flow for the CS domain and the PS domain from the existing parallel mode to the serial mode of the present application: requests are handled in arrival order, and the authentication request of the other domain is processed only after the authentication request of the current domain has been processed. The processing of one domain's authentication request includes the second authentication that follows a first synchronization check failure, and during this process the mobile terminal ensures that the SEQ_MS stored in the USIM card does not change, so condition two of the authentication synchronization check (i.e. resynchronization) is bound to pass. This avoids the "SYNC FAILURE" resynchronization failure that occurs when the authentication requests of the two domains are processed in an interleaved way, and greatly increases the success probability of the second authentication.
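The interleaving blamed above for the second CS-domain failure, and the serial processing of step S220 that prevents it, as an added simulation that is not code from the patent or from ASR Microelectronics. It models only condition two of the synchronization check (the one the description identifies as decisive), treats the network side as resynchronizing once and rejecting on the second "SYNC FAILURE", and uses constructed values: L = 32, an initial SEQ_MS of 1000, a stale CS vector with SEQ_NET = 900, a fresh PS vector with SEQ_NET = 1200, and the assumption that the recalculated quintuple carries SEQ_NET = SEQ_MS + 1.

```python
from collections import deque

L = 32  # assumption: small USIM L value (GLC unit = 1 s), as in the description


class NetworkSide:
    """Per-domain network behaviour on SYNC FAILURE: resynchronize once, then reject."""

    def __init__(self):
        self.failures = {"CS": 0, "PS": 0}

    def on_sync_failure(self, domain, auts_seq_ms):
        self.failures[domain] += 1
        if self.failures[domain] == 1:
            # Assumption: the recalculated quintuple carries SEQ_NET = SEQ_MS + 1,
            # just above the SEQ_MS the USIM reported in AUTS.
            return "resync", auts_seq_ms + 1
        return "reject", None


class MobileTerminal:
    """UE plus USIM state; only condition two of the sync check is modelled."""

    def __init__(self, seq_ms, serial):
        self.seq_ms = seq_ms          # SEQ_MS held in the USIM
        self.serial = serial          # True: step S220 behaviour; False: prior art
        self.current_domain = None    # "first parameter": domain being processed
        self.cached = deque()         # the other domain's requests (serial mode)
        self.results = {}
        self.trace = []

    def sync_ok(self, seq_net):
        return self.seq_ms - seq_net < L   # condition two: SEQ_MS - SEQ_NET < L


def simulate(serial, arrivals, seq_ms=1000):
    """Feed (domain, SEQ_NET) requests to the UE in arrival order.

    Returns ({domain: "SUCCESS" | "REJECTED"}, trace lines)."""
    ue = MobileTerminal(seq_ms, serial)
    net = NetworkSide()
    pending = deque(arrivals)
    while pending:
        domain, seq_net = pending.popleft()
        if ue.serial and ue.current_domain not in (None, domain):
            ue.cached.append((domain, seq_net))       # other domain busy: cache it
            ue.trace.append(f"{domain} SEQ_NET={seq_net}: cached")
            continue
        ue.current_domain = domain
        finished = True
        if ue.sync_ok(seq_net):
            ue.seq_ms = max(ue.seq_ms, seq_net)
            ue.results[domain] = "SUCCESS"
            ue.trace.append(f"{domain} SEQ_NET={seq_net}: success, SEQ_MS={ue.seq_ms}")
        else:
            action, new_seq = net.on_sync_failure(domain, ue.seq_ms)
            ue.trace.append(f"{domain} SEQ_NET={seq_net}: SYNC FAILURE, AUTS carries "
                            f"SEQ_MS={ue.seq_ms} -> {action}")
            if action == "resync":
                pending.append((domain, new_seq))     # second request, same domain
                finished = False                      # domain still in progress
            else:
                ue.results[domain] = "REJECTED"
        if finished:
            ue.current_domain = None
            while ue.cached:                          # cached requests go next
                pending.appendleft(ue.cached.pop())
    return ue.results, ue.trace


# Constructed arrival order: a CS vector generated well before the USIM's
# current SEQ_MS (the slow domain), then a fresh PS vector (the fast domain).
ARRIVALS = [("CS", 900), ("PS", 1200)]

if __name__ == "__main__":
    for mode in (False, True):
        results, trace = simulate(mode, ARRIVALS)
        print("serial" if mode else "parallel", results)
        for line in trace:
            print("  " + line)
```

In parallel (prior-art) mode the PS request is processed between the two CS attempts, SEQ_MS jumps to 1200, and the resynchronized CS value 1001 fails condition two, so the CS domain is rejected. In serial mode the PS request is cached until the CS domain finishes, SEQ_MS stays at 1000 during the resynchronization, and both domains succeed.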
Referring to fig. 3, the present application further provides a first embodiment of a mobile terminal corresponding to the first embodiment of the method for performing serial authentication by the mobile terminal in the WCDMA network shown in fig. 2. The mobile terminal 300 includes a receiving unit 310, a serial processing unit 320, a parsing unit 330, a network authentication unit 340, and a synchronization checking unit 350.
The receiving unit 310 is configured to receive an authentication request sent by the network side to the mobile terminal through the PS domain or the CS domain.
The serial processing unit 320 is configured to buffer an authentication request newly received by the receiving unit 310 when the mobile terminal 300 is processing an authentication request sent by the network side through the other domain, and to send the buffered authentication request to the parsing unit 330 after the authentication request currently being processed by the mobile terminal 300 has been completed. The serial processing unit 320 is further configured to send the authentication request newly received by the receiving unit 310 directly to the parsing unit 330 when the mobile terminal 300 is not processing an authentication request sent by the network side through the other domain.
The parsing unit 330 is configured to transmit the RAND and the AUTN in the currently processed authentication request to the USIM card and to parse MAC_NET and SQN_NET from the AUTN. The parsing unit 330 is further configured to forward the currently processed authentication request and MAC_NET to the network authentication unit 340. When the network authentication unit 340 determines that the network is legitimate, the parsing unit 330 forwards the currently processed authentication request and SQN_NET to the synchronization checking unit 350 for further processing.
The network authentication unit 340 is configured to calculate MAC_MS from the authentication key K stored in the USIM card, the received RAND and the AUTN, and to compare the calculated MAC_MS with the MAC_NET parsed by the parsing unit 330. If the two are equal, the network authentication unit 340 considers the network legitimate.
Further, if MAC_MS and MAC_NET are not equal, the network authentication unit 340 replies to the network side with an authentication failure message carrying the "MAC FAILURE" cause value. After receiving the authentication failure message, the network side checks whether the initial message sent by the mobile terminal to the network side carried a TMSI or an IMSI. If it carried a TMSI, the network side queries the IMSI and checks whether the queried IMSI is the same as the IMSI derived from the TMSI. If they differ, the network side initiates a second authentication request through the same domain. If they are the same, or the initial message carried the IMSI, the network side judges that the authentication has failed.
The synchronization checking unit 350 is configured to compare the SQN_MS stored in the USIM card with the SQN_NET parsed by the parsing unit 330 and to judge according to the synchronization check rule.
If the check is passed, the synchronization check unit 350 sends an authentication success message to the network side. Then, the SMC flow is carried out between the mobile terminal and the network side. At this time, the mobile terminal finishes processing the authentication request of the current domain. If there is a cached authentication request of another domain, the mobile terminal will start to process the cached authentication request of another domain.
If the check fails, the synchronization checking unit 350 replies to the network side with an authentication failure message carrying the "SYNC FAILURE" cause value and the AUTS parameter. The AUTS parameter is formed from SQN_MS and is used for resynchronization. When the synchronization checking unit 350 has replied with an authentication failure message carrying the "SYNC FAILURE" cause value and the AUTS parameter to two consecutive authentication requests sent from the same domain, the network side determines that the authentication has failed. At this point the mobile terminal finishes processing the authentication request of the current domain. If an authentication request of the other domain is cached, the mobile terminal starts processing it.
Referring to fig. 4, a second embodiment of the method for serial authentication of a mobile terminal in a WCDMA network provided by the present application includes the following steps.
Step S205: the mobile terminal sets a first parameter and a second parameter. The first parameter indicates whether the mobile terminal is currently processing an authentication request sent by the network side through the PS domain or the CS domain; its values, for example NO_AUTH, PS_AUTH and CS_AUTH, respectively indicate that no authentication request is being processed, that an authentication request of the PS domain is being processed, and that an authentication request of the CS domain is being processed. The default value of the first parameter is NO_AUTH. The second parameter records the number of authentication failures of the authentication request of the domain currently being processed by the mobile terminal, and takes the value 0, 1 or 2. The default value of the second parameter is 0.
Steps S210 to S280 are the same as in the first embodiment shown in fig. 2.
In step S220, after receiving the authentication request from the network side, the mobile terminal determines whether there is an authentication request of another domain being processed according to the first parameter. If there is no authentication request being processed, the first parameter is changed to a corresponding value. If there is an authentication request of the same domain being processed, the first parameter remains unchanged and processing of the newly received authentication request starts. If there is an authentication request of another domain in process, the first parameter is kept unchanged and the newly received authentication request is buffered.
In step S260, after the mobile terminal finishes processing the authentication request of the current domain, if no authentication request of the other domain is cached, the value of the first parameter is changed to NO_AUTH. If an authentication request of the other domain is cached, it is processed: the first parameter is changed to the corresponding value and the value of the second parameter is reset to 0.
In step S270, the mobile terminal changes the value of the second parameter to 1 after replying to the network side with the authentication failure message carrying the specific failure cause and parameter for the first time, and to 2 after replying with it for the second time. After two authentication synchronization failures the network side does not send a further authentication request but sends an authentication reject. In theory two authentication synchronization failures cannot occur in the present application, but the case is still covered by the implementation.
In step S280, after the network side determines that the authentication fails, the mobile terminal changes the value of the second parameter to 0.
The second embodiment of the method for serial authentication of a mobile terminal in a WCDMA network, on the basis of the first embodiment, uses the first parameter to indicate which domain the currently processed authentication request comes from, and the second parameter to indicate how many times the authentication request of that domain has been processed. It is more explicit and can be regarded as a more specific implementation of the first embodiment.
Referring to fig. 5, the present application further provides a second embodiment of a mobile terminal, corresponding to the second embodiment of the method for serial authentication of a mobile terminal in a WCDMA network shown in fig. 4. The mobile terminal 300 includes a receiving unit 310, a serial processing unit 320, a parsing unit 330, a network authentication unit 340, and a synchronization checking unit 350. The main difference from the first embodiment is that the serial processing unit 320 also sets the first parameter and the second parameter. The first parameter indicates which domain's authentication request the mobile terminal is currently processing: NO_AUTH indicates that no authentication request is being processed, CS_AUTH that an authentication request from the CS domain is being processed, and PS_AUTH that an authentication request from the PS domain is being processed. The second parameter records the number of synchronization check failures and takes the value 0, 1 or 2. When the first authentication synchronization check of an authentication request from a certain domain fails, the second parameter is set to 1 and the mobile terminal waits for the second authentication request from the same domain. When the second authentication request from the same domain is received, the second parameter is set to 0 if the second synchronization check passes, and to 2 if it fails.
The mobile terminal and the method for performing serial authentication in the WCDMA network have the following advantages.
First, the authentication requests of the PS domain and the CS domain are processed serially, which greatly improves the success rate of the mobile terminal's authentication towards the network side; authentication failure caused by a second synchronization failure essentially no longer occurs.
Second, neither the network-side equipment nor the issued USIM cards need to be modified, so the implementation cost is low and the implementation is simpler and more convenient.
The above are merely preferred embodiments of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (12)

1. A method for serial authentication of a mobile terminal in a WCDMA network is characterized by comprising the following steps:
step S210: the network side sends an authentication request to the mobile terminal through the PS domain or the CS domain;
step S220: after receiving an authentication request sent by the network side through the PS domain or the CS domain, if an authentication request of the other domain is being processed, the mobile terminal caches the newly received authentication request and, after the processing of the authentication request in progress is finished, starts to process the cached authentication request; otherwise, the mobile terminal starts to process the newly received authentication request;
step S230: the USIM card in the mobile terminal analyzes a first network parameter and a second network parameter from the authentication request;
step S240: the USIM card calculates a first local parameter according to the authentication request, and enters step S250 if the first network parameter is equal to the first local parameter;
step S250: the USIM card compares the second network parameter with a second local parameter stored by the USIM card and judges according to a synchronous check rule; if the check is passed, go to step S260; if the check is not passed, go to step S270;
step S260: the mobile terminal sends an authentication success message to the network side;
step S270: the mobile terminal replies an authentication failure message with a specific failure reason and parameters to the network side;
step S280: after receiving the authentication failure message with specific failure reason and parameters for the first authentication, the network side recalculates the authentication quintuple, and then returns to the step S210, and initiates a second authentication request through the same domain; after the network side receives the authentication failure message with the specific failure reason and parameters for the second authentication, the network side judges that the authentication fails.
2. The method for serial authentication of a mobile terminal in a WCDMA network as claimed in claim 1, wherein the first network parameter and the second network parameter are, respectively, MAC_NET and SQN_NET contained in the AUTN of the authentication request.
3. The method for serial authentication of a mobile terminal in a WCDMA network as claimed in claim 1, wherein the first local parameter is MAC_MS, calculated from the authentication key K stored in the mobile terminal itself and the RAND and AUTN in the received authentication request.
4. The method for serial authentication of a mobile terminal in a WCDMA network as claimed in claim 1, wherein in step S240, if the first network parameter is not equal to the first local parameter, the mobile terminal replies to the network side with an authentication failure message carrying the "MAC FAILURE" cause value.
5. The method for serial authentication of a mobile terminal in a WCDMA network as claimed in claim 1, wherein after receiving an authentication failure message carrying the "MAC FAILURE" cause value, if the initial message sent by the mobile terminal to the network side carried a TMSI, the network side queries the IMSI and determines whether the queried IMSI is the same as the IMSI derived from the TMSI; if not, the method returns to step S210 and the network side initiates a second authentication request through the same domain; if they are the same, or the IMSI was carried in the initial message sent by the mobile terminal to the network side, the network side judges that the authentication fails.
6. The method for serial authentication of a mobile terminal in a WCDMA network as claimed in claim 1, wherein the second local parameter is SQN_MS.
7. The method for serial authentication of a mobile terminal in a WCDMA network as claimed in claim 2 or 6, wherein the synchronization check rule comprises the following three conditions; if all of them are satisfied, the check is judged to pass, otherwise it is judged not to pass:
the first condition: SEQ_NET − SEQ_MS ≤ Δ; that is, SEQ_NET, the SEQ part of the SQN_NET newly received by the mobile terminal from the network side, may exceed SEQ_MS, the maximum value of the SEQ parts in the memory matrix of the USIM card, by at most Δ;
the second condition: SEQ_MS − SEQ_NET < L; that is, SEQ_MS, the maximum value of the SEQ parts in the memory matrix of the USIM card, may exceed SEQ_NET, the SEQ part of the SQN_NET newly received by the mobile terminal from the network side, by less than L;
the third condition: SEQ_NET > SEQ(IND); that is, the SEQ part of the SQN_NET newly received by the mobile terminal from the network side must be larger than the SEQ part of the entry SQN(IND) with the same index value IND in the memory matrix of the USIM card.
8. The method as claimed in claim 1, wherein the authentication FAILURE message with specific FAILURE reason and parameters is an authentication FAILURE message carrying a "SYNC FAILURE" reason value and an AUTS parameter.
9. The method as claimed in claim 1, wherein the authentication quintuple includes RAND, XRES, CK, IK, AUTH.
10. The method for serial authentication of a mobile terminal under a WCDMA network as claimed in claim 1, wherein said step S210 is preceded by the step S205 of: the mobile terminal sets a first parameter and a second parameter; the first parameter is used to indicate which domain's authentication request the mobile terminal is handling; the second parameter is used for recording the number of times of synchronous check failure, and the value is 0 or 1 or 2;
in step S220, after receiving the authentication request sent by the network side, the mobile terminal determines whether there is an authentication request of another domain being processed according to the first parameter;
in step S260, after the mobile terminal finishes processing the authentication request of the current domain, the value of the first parameter is modified according to whether there is a cached authentication request of another domain, and the value of the second parameter is changed to 0;
in step S270, the mobile terminal changes the value of the second parameter to 1 after replying the authentication failure message with the specific failure reason and the parameter to the network side for the first time, and changes the value of the second parameter to 2 after replying the authentication failure message with the specific failure reason and the parameter to the network side for the second time;
in step S280, after the network side determines that the authentication fails, the mobile terminal changes the value of the second parameter to 0.
11. A mobile terminal is characterized by comprising a receiving unit, a serial processing unit, an analysis unit, a network authentication unit and a synchronous check unit;
the receiving unit is used for receiving an authentication request sent by the network side to the mobile terminal through the PS domain or the CS domain;
the serial processing unit is used for caching the authentication request newly received by the receiving unit when the mobile terminal is processing the authentication request sent by the network side through another domain, and sending the cached authentication request to the analysis unit after the authentication request processed by the mobile terminal is processed; the serial processing unit is also used for sending the authentication request newly received by the receiving unit to the analysis unit when the mobile terminal does not process the authentication request sent by the network side through another domain;
the analysis unit is used for analyzing a first network parameter and a second network parameter from the authentication request and sending the first network parameter to the network authentication unit; when the network authentication unit considers that the network is legal, the analysis unit sends the second network parameter to the synchronous check unit;
the network authentication unit is used for calculating to obtain a first local parameter according to the authentication request, and if the first network parameter is equal to the first local parameter, the network authentication unit considers that the network is legal;
the synchronous checking unit is used for comparing the second network parameter with a second local parameter stored by the synchronous checking unit and judging according to a synchronous checking rule; if the check is passed, the synchronous check unit sends an authentication success message to the network side; if the check fails, the synchronous check unit replies an authentication failure message with specific failure reasons and parameters to the network side; when the synchronous check unit replies an authentication failure message with a specific failure reason and parameters to the network side through two continuous authentication requests sent from the same domain, the network side judges that the authentication fails.
12. The mobile terminal of claim 11, wherein the serial processing unit is further configured to set a first parameter and a second parameter; the first parameter is used to indicate which domain's authentication request the mobile terminal is handling; the second parameter is used for recording the number of times of synchronization check failure, and the value is 0 or 1 or 2.
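The serial processing of the second embodiment (steps S205 to S280) together with the synchronization check rule of claim 7, as an added Python model that is not code from the patent or its assignee: a constructed scenario in which the network's SQN counter lags the USIM and both domains send authentication requests almost simultaneously is run once in the serial mode of the application and once in the prior-art parallel mode. The network model (one counter serving both domains, reset to the SQN_MS carried in AUTS before the retry), the one-bit IND, the values of Δ and L, the per-domain failure counter and the skipped MAC check are assumptions of this example.

```python
"""Serial CS/PS authentication on the mobile terminal (steps S205-S280).
Added example, not code from the patent. Constructed simplifications: MAC
checking is skipped, the USIM memory matrix has one IND bit, and the network
resets its SQN counter to the SQN_MS carried in AUTS before retrying."""
from collections import deque

IND_BITS = 1
DELTA = L = 2 ** 28          # bounds of the sync-check rule (constructed values)
NO_AUTH = "NO_AUTH"          # other first-parameter values: "PS_AUTH", "CS_AUTH"

def split_sqn(sqn):          # SQN = SEQ || IND  ->  (seq, ind)
    return sqn >> IND_BITS, sqn & ((1 << IND_BITS) - 1)

def make_sqn(seq, ind):
    return (seq << IND_BITS) | ind

class Usim:
    def __init__(self, seqs):  # memory matrix of SQN values indexed by IND
        self.matrix = [make_sqn(s, i) for i, s in enumerate(seqs)]

    def sqn_ms(self):          # SQN_MS: the highest SQN held in the matrix
        return max(self.matrix)

    def sync_check(self, sqn_net):
        """The three conditions of the synchronization check rule (claim 7)."""
        seq_net, ind = split_sqn(sqn_net)
        seq_ms, seq_ind = split_sqn(self.sqn_ms())[0], split_sqn(self.matrix[ind])[0]
        ok = (seq_net - seq_ms <= DELTA        # condition 1
              and seq_ms - seq_net < L         # condition 2
              and seq_net > seq_ind)           # condition 3
        if ok:
            self.matrix[ind] = sqn_net         # accepted SQN replaces the IND entry
        return ok

class Network:
    def __init__(self, seq_he):  # one counter serves both domains (assumption)
        self.seq_he, self.inbox, self.rejected = seq_he, deque(), []

    def request(self, domain):                 # S210: send an authentication request
        self.seq_he += 1
        self.inbox.append((domain, make_sqn(self.seq_he, 0)))

    def on_auts(self, domain, sqn_ms):         # S280: recompute the vector and retry
        self.seq_he = split_sqn(sqn_ms)[0]
        self.request(domain)

class MobileTerminal:
    def __init__(self, usim, net, serial=True):
        self.usim, self.net, self.serial = usim, net, serial
        self.first = NO_AUTH                   # S205: domain under authentication
        self.fails = {"PS": 0, "CS": 0}        # S205: second parameter, kept per
        self.pending, self.log = deque(), []   # domain so the parallel mode runs too

    def receive(self, req):
        domain, sqn_net = req
        if self.serial and self.first not in (NO_AUTH, domain + "_AUTH"):
            self.pending.append(req)           # S220: other domain busy -> cache
            return
        self.first = domain + "_AUTH"
        ok = self.usim.sync_check(sqn_net)     # S250
        self.fails[domain] = 0 if ok else self.fails[domain] + 1
        self.log.append((domain, "SUCCESS" if ok else "SYNC FAILURE"))
        if self.fails[domain] == 1:            # S270: first failure, reply with AUTS
            self.net.on_auts(domain, self.usim.sqn_ms())
            return
        if not ok:                             # S280: second failure, network rejects
            self.net.rejected.append(domain)
        self.finish(domain)

    def finish(self, domain):
        self.fails[domain] = 0                 # second parameter back to 0
        self.first = NO_AUTH                   # S260/S280: current domain finished
        if self.pending:
            self.receive(self.pending.popleft())   # start the cached request

def run(serial):
    """Stale network counter (SEQ 49) meets a USIM at SEQ 100; both domains authenticate."""
    usim, net = Usim([100, 90]), Network(seq_he=49)
    mt = MobileTerminal(usim, net, serial)
    for domain in ("PS", "CS"):                # near-simultaneous requests
        net.request(domain)
    while net.inbox:
        mt.receive(net.inbox.popleft())
    return mt.log, net.rejected
```

In the serial run both domains authenticate after one resynchronization each; in the parallel run the CS retry carries an SQN that no longer exceeds the SEQ(IND) entry already advanced by the PS domain's success, so its second "SYNC FAILURE" ends in a reject.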
CN201911320368.5A 2019-12-20 2019-12-20 Mobile terminal and method for serial authentication of mobile terminal in WCDMA network Active CN111182534B (en)


Publications (2)

Publication Number Publication Date
CN111182534A CN111182534A (en) 2020-05-19
CN111182534B true CN111182534B (en) 2020-10-13





Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 201203 No. 399, Keyuan Road, Zhangjiang High-tech Park, Pudong New Area, Shanghai

Applicant after: Aojie Technology Co., Ltd

Address before: 201203 No. 399, Keyuan Road, Zhangjiang High-tech Park, Pudong New Area, Shanghai

Applicant before: Aojie Technology (Shanghai) Co.,Ltd.

CB02 Change of applicant information

Address after: 201203 Floor 9, building 10, No. 399, Keyuan Road, China (Shanghai) free trade pilot zone, Pudong New Area, Shanghai

Applicant after: Aojie Technology Co., Ltd

Address before: 201203 No. 399, Keyuan Road, Zhangjiang High-tech Park, Pudong New Area, Shanghai

Applicant before: Aojie Technology Co., Ltd

GR01 Patent grant