CN115474195A - Authentication method and device of communication system - Google Patents


Publication number: CN115474195A
Authority: CN (China)
Prior art keywords: sim card, value, imei, authentication, verified
Legal status: Pending (the legal status is an assumption by Google, not a legal conclusion; no legal analysis was performed)
Application number: CN202110649164.7A
Other languages: Chinese (zh)
Inventors: 邵起明, 常亚星
Current assignee: New Singularity International Technical Development Co ltd (listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: New Singularity International Technical Development Co ltd
Application filed by New Singularity International Technical Development Co ltd
Priority to CN202110649164.7A
Publication of CN115474195A

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04W: Wireless communication networks
    • H04W 12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06: Authentication
    • H04W 12/062: Pre-authentication
    • H04W 12/08: Access security
    • H04W 12/40: Security arrangements using identity modules

Abstract

The application discloses an authentication method and device for a communication system. The authentication method comprises the following steps: during access authentication of the SIM card, judging, according to the IMEI of the terminal to which the SIM card is bound, whether the KI value stored on the SIM card side needs to be updated; if so, updating the KI value according to the IMEI of a terminal to which the SIM card has previously been bound, obtaining a KI value to be verified; verifying the KI value to be verified against the authentication parameters received from the network side; and determining the state of the SIM card from the verification result and completing final authentication according to that state. With this scheme, access authentication of the SIM card is strengthened by updating the KI value, so that an illegal (cloned) SIM card cannot gain access to the network.

Description

Authentication method and device of communication system
Technical Field
The present application relates to the field of communications security technologies, and in particular, to an authentication method and apparatus for a communications system.
Background
As the coverage of mobile systems grows, the number of users accessing them grows, and the services offered by service providers diversify, network load keeps rising, and ensuring the security of the network and of service information has become an urgent problem.
In a mobile communication system, to secure operational services, the network side must authenticate each accessing User Equipment (UE), so that an illegal UE cannot obtain the services the network provides and the operator's interests are protected. At the same time, the UE must verify that the authentication information sent by the network side is valid, that is, the UE authenticates the network side, so that an illegal network side cannot replay authentication information already used by a legitimate network side and thereby make the UE believe it is legitimate.
In an existing Long Term Evolution (LTE) network, the air-interface link between a UE and an evolved base station (E-UTRAN Node B, eNB) is a single hop, and the Evolved Packet System (EPS) Authentication and Key Agreement (AKA) protocol completes the authentication process between the user and the network side, that is, a process comprising identity authentication and key agreement, which rests on the user and the network side sharing a permanent symmetric key in advance. Authentication is carried out with an authentication vector (tuple) comprising a random number (RAND), an expected response (XRES), a cipher key (CK), an integrity key (IK) and an authentication token (AUTN). XRES, CK and IK are derived from the permanent subscriber key, referred to throughout this application as the KI value (the long-term key K of 3GPP AKA), which corresponds to the user's Subscription Permanent Identifier (SUPI); AUTN in turn is built from the authentication sequence number (SQN), the Authentication Management Field (AMF) and a message authentication code (MAC).
In the authentication flow for a SIM card accessing the network side, the related art relies on the KI value to complete bidirectional authentication between the SIM card and the network side. However, when a manufacturer produces a SIM card, the authentication data, including KI, the operator variant algorithm configuration field (OP) and the International Mobile Subscriber Identity (IMSI), is written into the network side and the SIM card respectively, and this data is never updated afterwards. Once the SIM card is illegally cloned and the KI value is extracted, the cloned card can pass access authentication, damaging the user's privacy and property and degrading the operator's service quality.
Disclosure of Invention
The objective of the present application is to solve at least one of the above technical drawbacks by providing a scheme that strengthens access authentication of the SIM card by updating the KI value, so that illegal access by a SIM card is prevented.
The embodiments of the application adopt the following technical schemes:
One aspect of the present application provides an authentication method for a communication system, applied on the SIM card side, comprising: during access authentication of the SIM card, judging, according to the IMEI of the terminal to which the SIM card is bound, whether the KI value stored on the SIM card side needs to be updated; if it does, updating the KI value according to the IMEI of a terminal to which the SIM card has previously been bound, obtaining a KI value to be verified; verifying the KI value to be verified against the authentication parameters received from the network side; and determining the state of the SIM card from the verification result and completing final authentication according to that state.
Another aspect of the present application provides an authentication method for a communication system, applied on the network side, comprising: after the SIM card passes access authentication, judging, according to the IMEI of the terminal to which the SIM card is bound, whether the KI value stored on the network side needs to be updated; if it does, updating the KI value according to the IMEI of a terminal to which the SIM card has previously been bound, obtaining a KI value to be verified; verifying the KI value to be verified against the authentication parameters received from the SIM card side; and completing final authentication of the SIM card's access according to the verification result and the SIM card state received from the SIM card side.
Another aspect of the present application provides an authentication apparatus for a communication system, applied on the SIM card side, comprising: a first judgement unit, which judges, during access authentication of the SIM card and according to the IMEI of the terminal to which the SIM card is bound, whether the KI value stored on the SIM card side needs to be updated; a first updating unit, which, if the KI value needs to be updated, updates it according to the IMEI (International Mobile Equipment Identity) of a terminal to which the SIM card has previously been bound, obtaining a KI value to be verified; a first verification unit, which verifies the KI value to be verified against the authentication parameters received from the network side; and a first authentication unit, which determines the state of the SIM card from the verification result and completes final authentication according to that state.
Another aspect of the present application provides an authentication apparatus for a communication system, applied on the network side, comprising: a second judgement unit, which judges, after the SIM card passes access authentication and according to the IMEI of the terminal to which the SIM card is bound, whether the KI value stored on the network side needs to be updated; a second updating unit, which, if the KI value needs to be updated, updates it according to the IMEI of a terminal to which the SIM card has previously been bound, obtaining a KI value to be verified; a second verification unit, which verifies the KI value to be verified against the authentication parameters received from the SIM card side; and a second authentication unit, which completes final authentication of the SIM card's access according to the verification result and the SIM card state received from the SIM card side.
Embodiments of the present application achieve at least the following beneficial effects:
After the SIM card passes access authentication, it is judged whether the KI value needs to be updated; when it does, the KI value is updated according to the IMEI (International Mobile Equipment Identity) of a terminal to which the SIM card has previously been bound. Because a clone that copies only the card's factory data does not hold the history of IMEIs the card has been bound to, it cannot derive the currently valid KI value, and this is what prevents the clone from passing access authentication. A consistency check is then performed on the updated KI value, which further prevents a cloned card from entering the network. Access authentication of the SIM card is thus strengthened by KI updating and KI consistency checking, an illegal SIM card cannot enter the network, and user experience is improved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a flowchart of an authentication method applied to the SIM card side according to an embodiment of the present application;
fig. 2 is a flowchart of an authentication method applied to the network side according to an embodiment of the present application;
fig. 3 is a schematic view of the access authentication process of a SIM card according to an embodiment of the present application;
fig. 4 is a diagram of the process for updating KI values according to an embodiment of the present application;
fig. 5 is a block diagram of an authentication apparatus applied to the SIM card side according to an embodiment of the present application;
fig. 6 is a block diagram of an authentication apparatus applied to the network side according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail and completely with reference to the following specific embodiments of the present application and the accompanying drawings. It should be apparent that the described embodiments are only a few embodiments of the present application, and not all embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making any creative effort belong to the protection scope of the present application.
Addressing the hidden danger that, in the related art, a SIM card's authentication after leaving the factory rests on a KI value that cannot be modified, the embodiments bind the SIM card to its terminal through an IMEI queue stored in the SIM card. Whenever the SIM card is moved to a new terminal, an update of the KI value is triggered, and that update depends on the IMEIs stored in the queue. Even if a cloned card obtains the initial KI value, it does not obtain the IMEI queue and therefore cannot derive the current KI value, so the cloned card cannot complete authentication. The technical solutions provided by the embodiments of the present application are described in detail below with reference to the accompanying drawings.
Fig. 1 is a flowchart of an authentication method applied on the SIM card side according to an embodiment of the present application. As shown in fig. 1, the method of this embodiment comprises the following steps:
Step S110: during access authentication of the SIM card, judge, according to the IMEI of the terminal to which the SIM card is bound, whether the KI value stored on the SIM card side needs to be updated.
Generally, access authentication of the SIM card is started when a terminal holding the SIM card is restarted or switches service area, or when the SIM card is inserted into a terminal; on the SIM card side, this access authentication is performed with the KI value stored locally in the SIM card.
Note that the judgement of whether the KI value needs to be updated may be started before access authentication of the SIM card, during the access authentication procedure, or, equally, after the SIM card has passed access authentication.
Step S120: if the KI value needs to be updated, update it according to the IMEI (International Mobile Equipment Identity) of a terminal to which the SIM card has previously been bound, obtaining the KI value to be verified.
The method of updating the KI value is essentially the same as the method used to generate the initial KI value in the prior art; the difference is that, in this embodiment, the IMEI of a terminal to which the SIM card has previously been bound is used as the key material for the update. The updated KI value therefore depends on that IMEI; a cloned card that does not hold the IMEI history cannot reproduce it and cannot complete access authentication.
Step S130: verify the KI value to be verified against the authentication parameters received from the network side.
Because the KI value itself can be neither sent down to the SIM card nor uploaded to the network, consistency of the KI value is verified indirectly in this embodiment, for example with the same consistency verification used for the initial KI value in the prior art (the MAC and RES comparisons of the AKA exchange).
Step S140: determine the state of the SIM card from the verification result and complete final authentication according to that state.
If consistency verification passes, the SIM card is in a normal state. If it fails, the SIM card is in an abnormal state and may be a clone; the SIM card can then be denied network access and barred.
As shown in fig. 1, during access authentication it is additionally judged whether the KI value needs to be updated, and when it does, the KI value is updated according to the IMEI of a terminal to which the SIM card has previously been bound.
Fig. 2 is a flowchart of an authentication method applied on the network side according to an embodiment of the present application. As shown in fig. 2, the method of this embodiment comprises the following steps:
Step S210: after the SIM card passes access authentication, judge, according to the IMEI of the terminal to which the SIM card is bound, whether the KI value stored on the network side needs to be updated.
Generally, access authentication of the SIM card is started when a terminal holding the SIM card is rebooted or switches service area, or when the SIM card is inserted into a terminal; on the network side, this access authentication is performed with the KI value stored locally on the network side.
In this embodiment the KI update and judgement are executed only after the SIM card has passed access authentication, because the network side can obtain data about the terminal to which the SIM card is bound (its IMEI) only after access authentication succeeds; if access authentication fails, the network side cannot obtain that data and the KI update cannot be executed.
Step S220: if the KI value needs to be updated, update it according to the IMEI (International Mobile Equipment Identity) of a terminal to which the SIM card has previously been bound, obtaining the KI value to be verified.
Step S230: verify the KI value to be verified against the authentication parameters received from the SIM card side.
As the KI value can be neither sent down nor uploaded, the network side likewise verifies its consistency indirectly, for example with the consistency verification used for the initial KI value in the prior art.
Step S240: complete final authentication of the SIM card's access according to the verification result and the SIM card state received from the SIM card side.
If consistency verification passes and the SIM card state received from the SIM card side is normal, the terminal bound to the SIM card is allowed to access the network and obtain network services. If consistency verification fails, or the SIM card state received from the SIM card side is abnormal, the terminal is denied access to the network and the SIM card is barred.
As shown in fig. 2, after the SIM card passes access authentication it is additionally judged whether the KI value stored on the network side needs to be updated; when it does, the KI value is updated according to the IMEI of a terminal to which the SIM card has previously been bound, a consistency check is performed on the updated KI value, and completion of the SIM card's access authentication is decided on the consistency of the two KI values, so that a terminal holding an illegal SIM card cannot access the network and user experience is improved.
In some embodiments, an IMEI sequence is stored in the SIM card, recording the IMEIs of terminals to which the SIM card has been bound, and a corresponding IMEI sequence is stored on the network side, in this embodiment in the ARPF. To distinguish the two, the sequence stored in the SIM card is abbreviated IMEI-1 and the sequence stored on the network side IMEI-2. Both sequences record bound-terminal IMEIs in the same way, so that the KI value updated on the SIM card side from the IMEI-1 sequence and the KI value updated on the network side from the IMEI-2 sequence satisfy the consistency requirement.
Accordingly, in this embodiment the IMEI of the terminal to which the SIM card is bound is matched against the IMEI-1 sequence stored in the SIM card, that is, it is checked whether that IMEI exists in the IMEI-1 sequence. If it does, the match succeeds and the KI value stored on the SIM card side does not need to be updated; if it does not, the match fails and the KI value stored on the SIM card side needs to be updated.
Similarly, the IMEI of the bound terminal is matched against the IMEI-2 sequence stored on the network side, that is, it is checked whether the IMEI of the terminal to which the SIM card is bound exists in the IMEI-2 sequence. If it does, the match succeeds and the KI value stored on the network side does not need to be updated; if it does not, the match fails and the KI value stored on the network side needs to be updated.
Note that in this embodiment the first terminal bound after the SIM card leaves the factory is regarded as legitimate: the first terminal is bound to the SIM card, and after authentication has completed with the initial KI value, the IMEI of the first terminal is written into the IMEI-1 and IMEI-2 sequences respectively, so that when the SIM card is later moved to another terminal the KI value can be updated from the IMEI sequence.
As mentioned above, access authentication of the SIM card is based on the current KI value: the first access authentication after the SIM card leaves the factory uses the initial KI value, the KI value is updated each time the terminal is legitimately replaced, and subsequent access authentication uses the updated KI value. Referring to fig. 3, the UE in fig. 3 is the SIM card side; the AMF (Access and Mobility Management Function)/SEAF (Security Anchor Function), the AUSF (Authentication Server Function) and the UDM (Unified Data Management)/ARPF (Authentication credential Repository and Processing Function) are the network side. The access authentication process of the SIM card is as follows:
The UE sends an Initial Registration Request to the base station gNB, carrying either a SUCI (Subscription Concealed Identifier) or a GUTI (Globally Unique Temporary UE Identity). The gNB forwards the request to the SEAF of the core network, which parses it to obtain the GUTI or SUCI. If a GUTI is present it is matched to the corresponding SUPI (Subscription Permanent Identifier); a SUCI is not decrypted at this point. The SEAF then issues an authentication request (Nausf_UEAuthentication_Authenticate Request) carrying the serving network name (SN-Name), so that the AUSF can obtain the corresponding authentication vector (AV). The AUSF determines from the SN-Name whether the UE is within the service range of the network, stores the network service information the UE requires, and forwards the SUCI or SUPI together with the SN-Name to the UDM (Nudm_UEAuthentication_Get Request). In the UDM, the SIDF (Subscription Identifier De-concealing Function) decrypts the SUCI into the SUPI, and the AV required for the terminal is then generated from the SUPI.
The AV is generated as follows: the UDM/ARPF generates RAND; from the KI corresponding to the SUPI it derives XRES, CK and IK; MAC-A is computed from RAND, SQNHE, KI and the AMF (here the Authentication Management Field, not the Access and Mobility Management Function); and AUTN is assembled from MAC-A, SQNHE, the anonymity key AK and the AMF field. RAND, XRES, CK, IK and AUTN form the authentication quintuple. The UDM/ARPF returns the quintuple to the AUSF in a Nudm_UEAuthentication_Get Response; the AUSF stores it, derives the key parameters, sends an authentication response (Nausf_UEAuthentication_Authenticate Response) carrying the key parameters to the AMF, and retains the expected response XRES taken from the AV for later comparison.
The AMF builds an Authentication Request and sends it to the UE. The UE extracts RAND and AUTN from the request and verifies them: it recovers SQN from AUTN, computes MAC-A from the KI value stored locally in the UE, RAND and SQN, and compares it with the MAC-A parsed from the received AUTN. If they match, the UE has authenticated the network side; it then computes RES from RAND and KI and returns an Authentication Response carrying RES to the AMF. The AMF performs the corresponding processing and forwards a Nausf_UEAuthentication_Authenticate Request to the AUSF, which checks the received RES against the XRES it retained earlier; if they are equal, the network side has authenticated the UE.
After both sides have passed authentication, if it is judged that the KI value needs to be updated, the SIM card side obtains the IMEI of the last terminal to which the SIM card was bound from the IMEI-1 sequence and updates the KI value with that IMEI as key material, obtaining the SIM-side KI value to be verified; the network side obtains the IMEI of the last bound terminal from the IMEI-2 sequence and updates the KI value with it in the same way, obtaining the network-side KI value to be verified. The KI value to be verified is computed with a digest algorithm.
Note that this embodiment uses the IMEI of the last terminal to which the SIM card was bound as the key material for the update; in other scenarios the IMEI of any previously bound terminal, or a combination of the IMEIs of several of them, may be used instead, as long as the KI value is updated with bound-terminal IMEIs as key material.
Having obtained the KI value to be verified, the SIM card side performs consistency verification as follows: it computes a message authentication code from its KI value to be verified and the authentication parameters received from the network side, and compares it with the message authentication code parsed from those parameters. If the two codes are equal, the SIM card side passes consistency verification; otherwise it fails. Once the SIM-side KI value to be verified has passed, the SIM card is determined to be in the normal state, the KI value stored on the SIM card side is replaced by the KI value to be verified, and the IMEI of the terminal to which the SIM card is bound is written into the IMEI-1 sequence.
The network side performs consistency verification as follows: it computes a message check code from its KI value to be verified and compares it with the message check code obtained from the authentication parameters received from the SIM card side. If the two are equal, the network side passes consistency verification; otherwise it fails.
If the network-side KI value to be verified passes consistency verification and the SIM card state received from the SIM card side is normal, the KI value stored on the network side is replaced by the KI value to be verified, the IMEI of the bound terminal obtained by the network side is written into the IMEI-2 sequence, and the terminal bound to the SIM card is allowed to access the network. If the network-side KI value to be verified fails consistency verification, or the SIM card state received from the SIM card side is abnormal, the network-side KI value is not updated, the obtained IMEI is not written into the IMEI-2 sequence, the terminal is denied network access, and the SIM card is locked.
The consistency verification process of the to-be-verified KI value in the embodiment is described in detail below with reference to FIG. 4:
after passing the access authentication, the UE side acquires the IMEI of the terminal currently bound by the SIM card, records the state of the SIM card as a non-updating state if the IMEI exists in an IMEI-1 queue, and records the state of the SIM card as an updating state if the IMEI does not exist in the IMEI-1 queue.
The consistency verification process shown in FIG. 4 is performed next: the AMF/SEAF of se:Sub>A network side initiates user equipment to express se:Sub>A request identity request, IMEI of se:Sub>A terminal is obtained, the UE side, namely an SIM card side, returns IMEI of the terminal currently bound by an SIM to UDM/ARPF of the network side, the UDM/ARPF compares whether the IMEI is stored in an IMEI-2 queue, if the IMEI does not exist, the KI is updated by taking the received IMEI as se:Sub>A key word to obtain se:Sub>A KI value to be verified, an authentication quintuple is generated based on the KI value to be verified, AV is generated based on the authentication quintuple and comprises RAND, AUTX, XRES and Kause, the UDM/ARPF sends an authentication parameter distributed by the IMEI value to be verified to the UE side, the UE side reads the SIM card state, if the SIM card state is an updated state, the KI value is updated by taking the IMEI of the terminal currently bound by the SIM card as se:Sub>A key word, the updated KI value, the received authentication parameter RAND and SQNHE in AUTN are used to generate MAC-A, then the MAC-A generated by comparing the MAC-A generated by the SIM card with the MAC-TN analyzed by the MAC-A, and the authentication parameter, if the authentication parameter is equal to be stored in the IMEI-2 queue, the original IMEI-A, the authentication value can be written in the authentication value to be verified, and the authentication parameter to be stored in the original IMEI-A queue.
The UE side also returns an authentication result to the UDM/ARPF of the network side; the result carries the authentication parameter RES. The UDM/ARPF compares the XRES it generated with the received RES. If they are equal, the network-side consistency verification is completed, the received IMEI is written into the IMEI-2 queue, and the KI value stored on the network side is replaced by the temporarily stored KI value to be verified. If they are not equal, the temporarily stored IMEI and KI value to be verified are discarded, the network access connection of the UE is disconnected, and the SIM card is locked and made unavailable.
It should be noted that, in the above embodiment of the present application, after the SIM card side completes the consistency verification of the KI value to be verified, the KI value stored in the SIM card side is updated to the KI value to be verified, and the IMEI of the current binding terminal is written into the IMEI-1 sequence, and in the above embodiment, after the network side completes the consistency verification of the KI value to be verified, the KI value stored in the network side is updated to the KI value to be verified, and the IMEI of the current binding terminal is written into the IMEI-2 sequence.
In some embodiments, after the SIM card side and the network side both complete the consistency verification of the KI value to be verified, that is, after the SIM card side and the network side both pass the consistency verification, the KI value stored in the SIM card side is updated to the KI value to be verified, the KI value stored in the network side is updated to the KI value to be verified, the IMEI of the current binding terminal is written into the IMEI-1 sequence, and the IMEI of the current binding terminal is written into the IMEI-2 sequence.
In summary, the method of the present embodiment has at least the following advantages:
Firstly, an IMEI sequence is stored in advance on both the SIM card side and the network side; whether the KI value is updated is decided on each side by checking whether the IMEI exists in its IMEI queue, so the KI value is updated automatically without manual intervention.
Secondly, the IMEI queue stored in the SIM card realizes an actual binding between the SIM card and the physical terminal: once the SIM is moved to another terminal, a KI update is triggered, and that update requires the IMEI of a previously bound terminal. Even if a clone card obtains the initial KI, it cannot obtain the IMEI sequence, so it cannot complete a valid KI update and cannot complete network access; the impact of clone-card access on the operator's service quality and on user experience is thereby avoided.
Thirdly, signaling used in the KI value updating process in this embodiment, for example, signaling of a Registration Request, an Authentication Response, and an identity Request, is signaling that already exists in the existing communication system, and does not involve changing of services between the terminal and the base station, that is, the method of this embodiment is more convenient to implement, low in implementation cost, and simple in implementation method.
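The FIG. 4 exchange (KI update keyed by an IMEI from the stored sequence, the MAC-A check on the SIM card side, the RES/XRES check on the network side, and the queue and KI commit on success) together with the clone-card argument in the second advantage above, as an added Python model that is not the patent's own code. Assumptions made here: HMAC-SHA256 stands in for the unspecified KI-update, MAC-A and RES functions; SQN_HE is a bare counter; the key word follows claims 2 and 6 (the IMEI of the last terminal in the queue); the `joint_commit` flag models the embodiment in which both sides commit only after both pass, and since the page does not say how the SIM card learns the network's outcome, the model simply defers the SIM-side commit until the network accepts; the lost-response run is a constructed fault.

```python
"""Toy model of the IMEI-keyed KI update and its two-sided consistency
verification (added example, not the patent's own code).  HMAC-SHA256 is an
assumed instantiation of the KI-update, MAC-A and RES functions."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def derive_ki(ki: bytes, keyword_imei: str) -> bytes:
    """KI to be verified = f(KI, IMEI of the last bound terminal); assumed HMAC form."""
    return hmac.new(ki, b"KI-update|" + keyword_imei.encode(), hashlib.sha256).digest()


def mac_a(ki: bytes, rand: bytes, sqn: int) -> bytes:
    """MAC-A over RAND and SQN_HE, carried inside AUTN (truncated to 8 bytes as in AKA)."""
    return hmac.new(ki, rand + sqn.to_bytes(6, "big"), hashlib.sha256).digest()[:8]


def res_value(ki: bytes, rand: bytes) -> bytes:
    """RES (SIM side) / XRES (network side) from the KI to be verified and RAND."""
    return hmac.new(ki, b"RES|" + rand, hashlib.sha256).digest()[:8]


@dataclass
class Side:
    """Per-side state: the SIM card holds IMEI-1, the UDM/ARPF holds IMEI-2."""
    ki: bytes
    imei_queue: list

    def keyword(self) -> str:
        # Claims 2 and 6: the key word is the IMEI of the *last* terminal in the queue.
        return self.imei_queue[-1] if self.imei_queue else ""


def authenticate(sim: Side, net: Side, imei_now: str, sqn: int,
                 deliver_res: bool = True, joint_commit: bool = False) -> str:
    """One run of the consistency verification: 'allowed', 'locked' or 'no-response'."""
    # SIM side: updating state iff the current terminal's IMEI is absent from IMEI-1.
    sim_updating = imei_now not in sim.imei_queue
    sim_ki = derive_ki(sim.ki, sim.keyword()) if sim_updating else sim.ki
    # Network side: the identity request yields the IMEI; absent from IMEI-2 -> derive.
    net_updating = imei_now not in net.imei_queue
    net_ki = derive_ki(net.ki, net.keyword()) if net_updating else net.ki
    rand = os.urandom(16)
    autn_mac = mac_a(net_ki, rand, sqn)          # part of AV = (RAND, AUTN, XRES, ...)
    xres = res_value(net_ki, rand)
    # SIM side check: recompute MAC-A with its own candidate KI and compare with AUTN.
    sim_ok = hmac.compare_digest(mac_a(sim_ki, rand, sqn), autn_mac)
    state = "normal" if sim_ok else "abnormal"
    if sim_ok and sim_updating and not joint_commit:
        sim.ki, sim.imei_queue = sim_ki, sim.imei_queue + [imei_now]   # SIM commits now
    # The authentication response carries RES and the SIM card state to the UDM/ARPF.
    if not deliver_res:                           # constructed fault: response lost
        return "no-response"                      # network discards its temporary KI
    net_ok = hmac.compare_digest(res_value(sim_ki, rand), xres)
    if not (net_ok and state == "normal"):
        return "locked"                           # temp KI/IMEI discarded, SIM locked
    if net_updating:
        net.ki, net.imei_queue = net_ki, net.imei_queue + [imei_now]
    if sim_updating and joint_commit:             # both passed: SIM commits too
        sim.ki, sim.imei_queue = sim_ki, sim.imei_queue + [imei_now]
    return "allowed"


KI0 = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed initial KI


def run_scenarios() -> dict:
    """Constructed runs: legitimate terminal change, clone card, lost response."""
    out = {}
    sim, net = Side(KI0, ["IMEI-A"]), Side(KI0, ["IMEI-A"])
    out["new_terminal"] = authenticate(sim, net, "IMEI-B", 1)
    out["in_sync"] = sim.ki == net.ki and sim.imei_queue == net.imei_queue
    # Clone: copied the initial KI but not the IMEI sequence, so it cannot derive KI'.
    clone = Side(KI0, [])
    out["clone"] = authenticate(clone, Side(KI0, ["IMEI-A"]), "IMEI-C", 1)
    # Lost response with per-side commit: the SIM advances its KI, the network does
    # not, and the *next* terminal change locks the legitimate card.
    sim, net = Side(KI0, ["IMEI-A"]), Side(KI0, ["IMEI-A"])
    out["lost_res"] = authenticate(sim, net, "IMEI-B", 1, deliver_res=False)
    out["after_lost_res"] = authenticate(sim, net, "IMEI-C", 2)
    # Same fault with joint commit: neither side advances, so the retry succeeds.
    sim, net = Side(KI0, ["IMEI-A"]), Side(KI0, ["IMEI-A"])
    authenticate(sim, net, "IMEI-B", 1, deliver_res=False, joint_commit=True)
    out["joint_commit_retry"] = authenticate(sim, net, "IMEI-C", 2, joint_commit=True)
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The lost-response run is the reason the embodiment that commits on both sides only after both verifications pass matters in practice: with per-side commit, one dropped authentication response leaves the SIM card holding the new KI while the UDM/ARPF keeps the old one, and the legitimate card is locked at its next terminal change rather than the clone.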
Fig. 5 is a block diagram of an authentication apparatus applied to a SIM card side according to an embodiment of the present disclosure, and as shown in fig. 5, an authentication apparatus 500 according to the present embodiment includes:
a first determining unit 510, configured to determine, when the SIM card performs access authentication, whether the KI value stored at the SIM card side needs to be updated according to the IMEI of the terminal to which the SIM card is bound;
a first updating unit 520, configured to update the KI value according to the IMEI of the terminal once bound to the SIM card if the KI value needs to be updated, so as to obtain a KI value to be verified;
a first verification unit 530, configured to verify the KI value to be verified according to the authentication parameter received from the network side;
the first authentication unit 540 is configured to determine a state of the SIM card according to the verification result, and complete final authentication according to the state of the SIM card.
In some embodiments, the first determining unit 510 is further configured to match the IMEI of the bound terminal with the IMEI sequence stored in the SIM card, and if the matching is successful, determine that the KI value stored on the SIM card side does not need to be updated, and if the matching is unsuccessful, determine that the KI value stored on the SIM card side needs to be updated.
In some embodiments, the first updating unit 520 is further configured to, if the KI value needs to be updated, obtain the IMEI of the last terminal bound by the SIM card from the IMEI sequence, and update the KI value using the IMEI of the last terminal as a keyword, so as to obtain the KI value to be verified.
In some embodiments, the first verification unit 530 is further configured to calculate a message authentication code according to the KI value to be verified and the authentication parameter; carrying out consistency verification on the message authentication code and a message verification code analyzed from the authentication parameter; if the two message verification codes are equal, the consistency verification is passed, and if the two message verification codes are not equal, the consistency verification is not passed.
In some embodiments, the first authentication unit 540 is further configured to, if the SIM card passes the consistency verification, determine that the SIM card is in a normal state, update the KI value stored at the SIM card side to a KI value to be verified, and write the IMEI of the terminal to which the SIM card is bound into the IMEI sequence; if the SIM card does not pass the consistency verification, determining that the SIM card is in an abnormal state, not updating the KI value stored at the SIM card side to the KI value to be verified, and not writing the IMEI of the terminal bound by the SIM card into the IMEI sequence; and sending the SIM card state to a network side.
Fig. 6 is a block diagram of an authentication apparatus applied to a network side according to an embodiment of the present disclosure, and as shown in fig. 6, an authentication apparatus 600 according to the present embodiment includes:
a second determining unit 610, configured to determine whether the KI value stored at the network side needs to be updated according to the IMEI of the terminal to which the SIM card is bound, after the SIM card passes the access authentication;
the second updating unit 620 is used for updating the KI value according to the IMEI of the terminal once bound by the SIM card if the KI value needs to be updated, so as to obtain the KI value to be verified;
the second verification unit 630 is configured to verify the KI value to be verified according to the authentication parameter received from the SIM card side;
the second authentication unit 640 is configured to complete the final authentication of the SIM card access according to the verification result and the SIM card status received from the SIM card side.
In some embodiments, the second determining unit 610 is further configured to obtain an IMEI of the terminal to which the SIM card is bound, perform matching processing on the obtained IMEI and an IMEI sequence stored in the network side, determine that the KI value stored in the network side does not need to be updated if matching is successful, and determine that the KI value stored in the network side needs to be updated if matching is unsuccessful.
In some embodiments, the second updating unit 620 is further configured to, if the KI value needs to be updated, obtain the IMEI of the last terminal bound by the SIM card from the IMEI sequence, and update the KI value using the IMEI of the last terminal as a keyword, so as to obtain the KI value to be verified.
In some embodiments, the second verification unit 630 is further configured to calculate, by the network side, a message check code based on the KI value to be verified, perform consistency verification on the message check code and a message check code obtained from the authentication parameter, where if the two message check codes are equal, the consistency verification is passed, and if the two message check codes are not equal, the consistency verification is not passed.
In some embodiments, the second authentication unit 640 is further configured to, if the verification is passed and the SIM card received from the SIM card side is in a normal state, update the KI value stored on the network side to a KI value to be verified, write the obtained IMEI of the terminal to which the SIM card is bound into the IMEI sequence, and allow the terminal to which the SIM card is bound to access the network; if the verification is not passed, or the SIM card is received from the SIM card side and is in an abnormal state, the KI value stored by the network side is not updated, the obtained IMEI of the terminal bound by the SIM card is not written into the IMEI sequence, the terminal bound with the SIM card is forbidden to access the network, and the SIM card is locked.
It can be understood that the above-mentioned authentication device can implement the steps of the authentication method provided in the foregoing embodiments, and the explanations related to the authentication method are applicable to the authentication device, and are not described herein again.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention has been described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, Phase Change Memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, Compact Disc Read Only Memory (CD-ROM), Digital Versatile Disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or apparatus comprising the element.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (10)

1. An authentication method of a communication system, which is applied to a SIM card side, the method comprising:
when the SIM card accesses the authentication, judging whether a KI value stored at the SIM card side needs to be updated or not according to the IMEI of the terminal bound by the SIM card;
if the KI value needs to be updated, updating the KI value according to the IMEI of the terminal once bound by the SIM card, and obtaining the KI value to be verified;
verifying the KI value to be verified according to the authentication parameters received from the network side;
and determining the state of the SIM card according to the verification result, and finishing final authentication according to the state of the SIM card.
2. The method as claimed in claim 1, wherein determining whether the KI value stored at the SIM card side needs to be updated according to the IMEI of the terminal to which the SIM card is bound, comprises:
matching the IMEI of the bound terminal with the IMEI sequence stored in the SIM card, if the matching is successful, judging that the KI value stored at the SIM card side does not need to be updated, and if the matching is unsuccessful, judging that the KI value stored at the SIM card side needs to be updated;
if the KI value needs to be updated, updating the KI value according to the IMEI of the terminal once bound by the SIM card, and obtaining the KI value to be verified, comprises:
and obtaining the IMEI of the last terminal bound by the SIM card from the IMEI sequence, and updating the KI value by taking the IMEI of the last terminal as a keyword to obtain the KI value to be verified.
3. The method as claimed in claim 2, wherein verifying the KI value to be verified based on authentication parameters received from the network side comprises:
calculating a message authentication code according to the KI value to be verified and the authentication parameter;
carrying out consistency verification on the message authentication code and a message verification code analyzed from the authentication parameters;
if the two message verification codes are equal, the consistency verification is passed, and if the two message verification codes are not equal, the consistency verification is not passed.
4. The method as claimed in claim 3, wherein the determining the status of the SIM card according to the verification result, and the performing the final authentication according to the status of the SIM card comprises:
if the SIM card passes the consistency verification, determining that the SIM card is in a normal state, updating a KI value stored at the SIM card side into a KI value to be verified, and writing the IMEI of the terminal bound by the SIM card into the IMEI sequence;
if the SIM card does not pass the consistency verification, determining that the SIM card is in an abnormal state, not updating the KI value stored at the SIM card side to the KI value to be verified, and not writing the IMEI of the terminal bound by the SIM card into the IMEI sequence;
and sending the SIM card state to a network side.
5. An authentication method of a communication system, which is applied to a network side, the method comprising:
after the SIM card passes the access authentication, judging whether a KI value stored at a network side needs to be updated or not according to the IMEI of the terminal bound with the SIM card;
if the KI value needs to be updated, updating the KI value according to the IMEI of the terminal once bound by the SIM card, and obtaining the KI value to be verified;
verifying the KI value to be verified according to the authentication parameters received from the SIM card side;
and finishing the final authentication of the SIM card access according to the verification result and the SIM card state received from the SIM card side.
6. The method as claimed in claim 5, wherein the determining whether the KI value stored in the network side needs to be updated according to the IMEI of the terminal to which the SIM card is bound comprises:
obtaining an IMEI of a terminal bound by an SIM card, matching the obtained IMEI with an IMEI sequence stored on a network side, if the matching is successful, judging that a KI value stored on the network side does not need to be updated, and if the matching is unsuccessful, judging that the KI value stored on the network side needs to be updated;
if the KI value needs to be updated, updating the KI value according to the IMEI of the terminal once bound by the SIM card to obtain the KI value to be verified, comprises:
and obtaining the IMEI of the last terminal bound by the SIM card from the IMEI sequence, and updating the KI value by taking the IMEI of the last terminal as a keyword to obtain the KI value to be verified.
7. The method as claimed in claim 6, wherein verifying the KI value to be verified based on authentication parameters received from the SIM card side comprises:
the network side calculates a message check code based on the KI value to be verified;
carrying out consistency verification on the message check code and a message check code obtained from the authentication parameter;
if the two message check codes are equal, the consistency verification is passed, and if the two message check codes are not equal, the consistency verification is not passed.
8. The method as claimed in claim 7, wherein the performing of the final authentication of the SIM card access based on the verification result and the SIM card status received from the SIM card side comprises:
if the verification is passed and the SIM card is received from the SIM card side and is in a normal state, updating the KI value stored in the network side into the KI value to be verified, writing the obtained IMEI of the terminal bound by the SIM card into the IMEI sequence, and allowing the terminal bound with the SIM card to access the network;
if the verification is not passed, or the SIM card is received from the SIM card side and is in an abnormal state, the KI value stored by the network side is not updated, the obtained IMEI of the terminal bound by the SIM card is not written into the IMEI sequence, the terminal bound with the SIM card is forbidden to access the network, and the SIM card is locked.
9. An authentication apparatus of a communication system, applied to a SIM card side, the apparatus comprising:
the first judgment unit is used for judging whether a KI value stored at the SIM card side needs to be updated according to the IMEI of the terminal bound by the SIM card when the SIM card accesses the authentication;
the first updating unit is used for updating the KI value according to the IMEI of the terminal once bound by the SIM card if the KI value needs to be updated, so as to obtain the KI value to be verified;
the first verification unit is used for verifying the KI value to be verified according to the authentication parameters received from the network side;
and the first authentication unit is used for determining the state of the SIM card according to the verification result and finishing final authentication according to the state of the SIM card.
10. An authentication apparatus of a communication system, applied to a network side, the apparatus comprising:
the second judgment unit is used for judging whether the KI value stored at the network side needs to be updated or not according to the IMEI of the terminal bound by the SIM card after the SIM card passes the access authentication;
the second updating unit is used for updating the KI value according to the IMEI of the terminal once bound by the SIM card if the KI value needs to be updated, and obtaining the KI value to be verified;
the second verification unit is used for verifying the KI value to be verified according to the authentication parameters received from the SIM card side;
and the second authentication unit is used for finishing the final authentication of the SIM card access according to the verification result and the SIM card state received from the SIM card side.
Priority Applications (1)

Application Number: CN202110649164.7A (publication CN115474195A, en); Priority Date: 2021-06-10; Filing Date: 2021-06-10; Title: Authentication method and device of communication system; Status: Pending

Publications (1)

Publication Number: CN115474195A (en); Publication Date: 2022-12-13

Family ID: 84363808

Country Status (1)

Country: CN; Link: CN115474195A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination