CN116489639A - Identity authentication method, equipment and storage medium - Google Patents


Info

Publication number
CN116489639A
Authority
CN
China
Prior art keywords
imsi
encrypted
terminal
usim card
card
Prior art date
Legal status
Pending
Application number
CN202210042083.5A
Other languages
Chinese (zh)
Inventor
霍薇靖
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W12/037 Protecting confidentiality, e.g. by encryption of the control plane, e.g. signalling traffic
    • H04W12/06 Authentication
    • H04W12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • H04W12/30 Security of mobile devices; Security of mobile applications
    • H04W12/35 Protecting application or service provisioning, e.g. securing SIM application provisioning

Abstract

The invention discloses an identity authentication method, equipment and a storage medium, comprising the following steps: the USIM card receives an IMSI reading instruction sent by the terminal; the USIM card encrypts the IMSI; the USIM card returns the encrypted IMSI for identity authentication to the terminal. The network element receives an IMSI (international mobile subscriber identity) for identity authentication sent by the terminal, wherein the IMSI has been encrypted by a USIM card; after decrypting the IMSI, the network element sends it to the switch and the HSS to acquire an authentication vector. By adopting the invention, the mobile phone terminal is prevented from acquiring the real IMSI, IMSI leakage is prevented at its source, the security risk is eliminated, and the privacy of the user is protected.

Description

Identity authentication method, equipment and storage medium
Technical Field
The present invention relates to the field of communications technologies, and in particular, to an identity authentication method, device, and storage medium.
Background
The (U)SIM (subscriber identity module) card is an important physical identifier of a user's mobile identity and an important resource controlled by the operator.
The IMSI (international mobile subscriber identity) is an identity that is unique across all cellular networks and is used to distinguish different users within a cellular network.
The IMSI consists of a string of decimal digits with a maximum length of 15. Most IMSIs actually in use are 15 digits long; shorter IMSIs are rare, for example some older IMSIs still in use on MTN's network in South Africa are 14 digits. The IMSI is formed by concatenating the MCC (mobile country code), MNC (mobile network code) and MSIN (mobile subscription identification number) in that order. The MCC is 3 digits long; the MNC length is determined by the MCC and can be 2 digits (European standard) or 3 digits (North American standard); the MSIN is assigned by the operator itself. For example:
IMSI: 460001357924680
MCC 460: People's Republic of China
MNC 00: China Mobile
MSIN: 1357924680
The prior art has the following defect: the mobile phone terminal can obtain the IMSI on the USIM (universal subscriber identity module) card in plaintext, which creates a security risk.
Disclosure of Invention
The invention provides an identity authentication method, equipment and a storage medium, which are used for solving the problem of potential safety hazard caused by the fact that a mobile phone terminal can obtain an IMSI on a USIM card in a clear text manner.
The invention provides the following technical scheme:
an identity authentication method, comprising:
the USIM card receives an IMSI reading instruction sent by the terminal;
the USIM card encrypts the IMSI;
the USIM card returns the encrypted IMSI for identity authentication to the terminal.
In practice, encrypting the IMSI consists of encrypting its MSIN field.
In practice, the encrypted MSIN field has the same number of digits as the MSIN before encryption.
In practice, the method further comprises:
identifying, through the IMSI number segment, whether the IMSI is an encrypted IMSI; or
when the IMSI cannot be identified as an encrypted IMSI through the IMSI number segment, sending the information required for decrypting the encrypted IMSI to the network side.
In an implementation, when the IMSI cannot be identified as an encrypted IMSI through the IMSI number segment, the method further includes:
returning the encrypted IMSI to the terminal when the terminal is on the network;
and returning the unencrypted IMSI to the terminal when the terminal is not on the network.
An identity authentication method, comprising:
the network element receives an IMSI (international mobile subscriber identity) for identity authentication sent by the terminal, wherein the IMSI has been encrypted by a USIM card;
after decrypting the IMSI, the network element sends the IMSI to the switch and the HSS to acquire an authentication vector.
In practice, encrypting the IMSI consists of encrypting its MSIN field.
In practice, the MSIN after encryption has the same number of digits as the MSIN before encryption.
In practice, the method further comprises:
identifying, through the IMSI number segment, whether the IMSI is an encrypted IMSI; or
identifying whether the IMSI is an encrypted IMSI according to whether the USIM card has sent the information required for decrypting the encrypted IMSI to the network side.
A USIM card, comprising:
a processor for reading the program in the memory, performing the following process:
receiving an IMSI reading instruction sent by a terminal;
encrypting the IMSI;
returning the encrypted IMSI for identity authentication to the terminal;
and a transceiver for receiving and transmitting data under the control of the processor.
In practice, encrypting the IMSI consists of encrypting its MSIN field.
In practice, the encrypted MSIN field has the same number of digits as the MSIN before encryption.
In practice, the process further comprises:
identifying, through the IMSI number segment, whether the IMSI is an encrypted IMSI; or
when the IMSI cannot be identified as an encrypted IMSI through the IMSI number segment, sending the information required for decrypting the encrypted IMSI to the network side.
In an implementation, when the IMSI cannot be identified as an encrypted IMSI through the IMSI number segment, the process further includes:
returning the encrypted IMSI to the terminal when the terminal is on the network;
and returning the unencrypted IMSI to the terminal when the terminal is not on the network.
A USIM card, comprising:
the card receiving module is used for receiving an IMSI reading instruction sent by the terminal;
the card encryption module is used for encrypting the IMSI;
and the card sending module is used for returning the encrypted IMSI for identity authentication to the terminal.
In an implementation, the card encryption module is further configured to encrypt the IMSI by encrypting its MSIN field.
In an implementation, the card encryption module is further configured to encrypt the MSIN field such that the encrypted field has the same number of digits as the MSIN field before encryption.
In an implementation, the card encryption module is further configured to identify, through the IMSI number segment, whether the IMSI is an encrypted IMSI; or,
when the IMSI cannot be identified as an encrypted IMSI through the IMSI number segment, to send the information required for decrypting the encrypted IMSI to the network side.
In an implementation, the card sending module is further configured, when the IMSI cannot be identified as an encrypted IMSI through the IMSI number segment, to return the encrypted IMSI to the terminal when the terminal is on the network, and to return the unencrypted IMSI to the terminal when the terminal is not on the network.
A network element, comprising:
a processor for reading the program in the memory, performing the following process:
receiving an IMSI (international mobile subscriber identity) for identity authentication sent by a terminal, wherein the IMSI has been encrypted by a USIM card;
after decrypting the IMSI, sending the IMSI to a switch and an HSS to obtain an authentication vector;
and a transceiver for receiving and transmitting data under the control of the processor.
In practice, encrypting the IMSI consists of encrypting its MSIN field.
In practice, the MSIN after encryption has the same number of digits as the MSIN before encryption.
In practice, the process further comprises:
identifying, through the IMSI number segment, whether the IMSI is an encrypted IMSI; or
identifying whether the IMSI is an encrypted IMSI according to whether the USIM card has sent the information required for decrypting the encrypted IMSI to the network side.
A network element, comprising:
the network element receiving module is used for receiving the IMSI used for identity authentication and sent by the terminal, wherein the IMSI is encrypted by the USIM card;
and the network element sending module is used for decrypting the IMSI and then sending the IMSI to the switch and the HSS to obtain the authentication vector.
In an implementation, the network element sending module is further configured to decrypt the IMSI by decrypting its MSIN field.
In an implementation, the MSIN field decrypted by the network element sending module has the same number of digits as the MSIN before encryption.
In an implementation, the network element sending module is further configured to identify, through the IMSI number segment, whether the IMSI is an encrypted IMSI; or,
to identify whether the IMSI is an encrypted IMSI according to whether the USIM card has sent the information required for decrypting the encrypted IMSI to the network side.
A computer readable storage medium storing a computer program which when executed by a processor implements the identity authentication method described above.
The invention has the following beneficial effects:
in the technical scheme provided by the embodiment of the invention, because the terminal obtains the IMSI which is encrypted by the USIM card instead of the plaintext IMSI, the mobile phone terminal can be prevented from obtaining the real IMSI, the IMSI leakage is prevented from the source, the potential safety hazard is eliminated, and the privacy protection of the user is realized.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the invention and do not constitute a limitation on the invention. In the drawings:
fig. 1 is a schematic flow chart of an implementation of an identity authentication method of a USIM card in an embodiment of the present invention;
fig. 2 is a schematic flow chart of an implementation of an identity authentication method at a network side in an embodiment of the present invention;
FIG. 3 is a schematic diagram of a communication authentication implementation network according to an embodiment of the present invention;
fig. 4 is a schematic diagram of a USIM card structure according to an embodiment of the present invention;
fig. 5 is a schematic diagram of a network element structure in an embodiment of the present invention.
Detailed Description
The inventors noted during the course of the invention that:
in a 2/3/4G network, an attacker can determine a user's location with a very inexpensive device. The reason is that a mobile phone must report its own identity every time it connects to the network, and an attacker can determine the approximate position of the phone from the information it reports. The information broadcast by the mobile phone is its IMSI, which is globally unique.
5G introduced a public/private key mechanism: the public key is disclosed and used for encryption, and the private key is retained and used for decryption. The public key is stored on the mobile phone side and the private key is held by the operator, so only the operator can decrypt the real identity of the phone; an attacker can obtain only the encrypted information and cannot recover the IMSI without the private key.
However, the 5G IMSI encryption mechanism protects only the air interface, not against the mobile phone itself, and it applies only to 5G mobile phones, not to 4G/3G/2G mobile phones. There are therefore still cases where the IMSI is read and transmitted in plaintext, and the risk of illegal use of the IMSI remains.
Although 5G introduces an IMSI encryption mechanism, the mobile phone terminal can still obtain the IMSI on the USIM (universal subscriber identity module) card in plaintext, and the mechanism is ineffective for 4G/3G/2G mobile phones, so the security risk cannot be eliminated at its root.
In the technical scheme provided by the embodiment of the invention, a USIM card capable of all-round protection of the IMSI is designed on the basis of cryptography. When the terminal executes a Read command (Read Binary) on the IMSI file, the USIM card returns an IMSI value that conforms to the IMSI format but has been cryptographically processed, and the value output by the USIM card changes each time the IMSI file Read command is executed, so the terminal cannot obtain the real IMSI value and the user's identity is protected. To cooperate with the USIM card in protecting the IMSI, the network side uses cryptographic techniques matched to those on the USIM card side to decode the IMSI and obtain the real IMSI value, thereby completing network authentication.
The following describes specific embodiments of the present invention with reference to the drawings.
In the description, the implementation on the USIM card and the implementation on the network side are described separately, and then an example combining the two is given to better explain the scheme of the embodiment of the present invention. This does not mean that the two must be implemented either together or separately: when the USIM card and the network side are implemented separately, each solves the problem on its own side, and when the two are combined, a better technical effect is obtained.
Fig. 1 is a schematic diagram of the implementation flow of an identity authentication method on a USIM card; as shown in the drawing, it may include:
step 101, the USIM card receives an IMSI reading instruction sent by the terminal;
step 102, the USIM card encrypts the IMSI;
step 103, the USIM card returns the encrypted IMSI for identity authentication to the terminal.
Fig. 2 is a schematic flow chart of an implementation of an identity authentication method on the network side; as shown in the drawing, it may include:
step 201, a network element receives an IMSI (international mobile subscriber identity) for identity authentication sent by the terminal, wherein the IMSI has been encrypted by a USIM card;
step 202, after decrypting the IMSI, the network element sends the IMSI to the switch and the HSS to obtain an authentication vector.
For convenience of description, the encrypted IMSI is referred to below as the pseudo IMSI, and the encrypted MSIN as the pseudo MSIN.
In practice, encrypting the IMSI consists of encrypting its MSIN field.
Specifically, in the pseudo IMSI the MCC and MNC may remain as in the existing standards for identifying the country and operator, while the MSIN is generated by cryptographic processing of the original MSIN.
In a specific implementation, the encrypted MSIN field has the same number of digits as the MSIN before encryption.
In particular, the pseudo MSIN may have the same number of digits as the MSIN.
In practice, the method may further comprise:
identifying, through the IMSI number segment, whether the IMSI is an encrypted IMSI; or
when the IMSI cannot be identified as an encrypted IMSI through the IMSI number segment, sending the information required for decrypting the encrypted IMSI to the network side.
Correspondingly, the network-side method further comprises:
identifying, through the IMSI number segment, whether the IMSI is an encrypted IMSI; or
identifying whether the IMSI is an encrypted IMSI according to whether the USIM card has sent the information required for decrypting the encrypted IMSI to the network side.
Specifically, since an operator cannot replace every USIM card already in users' hands with a new card capable of generating a pseudo IMSI (hereinafter referred to as a new card) all at once, the network side needs to be able to distinguish an old card from a new card, that is, to distinguish whether the acquired IMSI is a true IMSI or a pseudo IMSI.
When the IMSI is identified as a pseudo IMSI, the auxiliary information required to decrypt the pseudo IMSI is also received.
In an implementation, when the IMSI cannot be identified as an encrypted IMSI through the IMSI number segment, the method further includes:
returning the encrypted IMSI to the terminal when the terminal is on the network;
and returning the unencrypted IMSI to the terminal when the terminal is not on the network.
Specifically, where the new card cannot be identified by a new IMSI number segment, the USIM card needs to upload auxiliary information synchronously. When the USIM card processes the IMSI reading instruction it must determine the network state of the terminal: if the terminal is on the network, the pseudo IMSI (which may still be generated by stream encryption) is returned, and the auxiliary information required for decryption, such as a random number, is sent to the network side synchronously; if the terminal is found not to be on the network, the true IMSI must be returned.
The following is an example.
Fig. 3 is a schematic diagram of a communication authentication network; it shows a communication authentication network capable of implementing identity authentication in which, in this example, a network element is added on the network side to decrypt the IMSI, and the pseudo IMSI value is generated on the USIM card side.
USIM card: its main functions meet the requirements of the communication specifications, but when the terminal reads the content of the IMSI file, the card needs to have the following two functions:
(1) for the IMSI reading instruction sent by the terminal, return a pseudo IMSI value to the terminal, where the value returned may differ each time;
(2) actively send the auxiliary information required for decrypting the pseudo IMSI to the newly added network element.
Pseudo IMSI: the MCC and MNC are the same as in the existing standard and identify the country and the operator, while the MSIN is generated from the original MSIN by cryptographic processing. The two are compared below:
Real IMSI: MCC | MNC | MSIN
Pseudo IMSI: MCC | MNC | pseudo MSIN
Pseudo MSIN: has the same number of digits as the MSIN.
Functions of the newly added network element/module:
(1) because the operator cannot replace every USIM card in users' hands with a new card capable of generating a pseudo IMSI at the same time, the newly added network element/module needs to be able to distinguish old cards from new cards, i.e. to distinguish whether the acquired IMSI is a true IMSI or a pseudo IMSI;
(2) receive the auxiliary information required for decrypting the pseudo IMSI;
(3) obtain the real IMSI value by processing, and then send it to the switch and the HSS (home subscriber server) to obtain an authentication vector.
The implementation flow can be as follows:
1. the terminal sends an IMSI reading instruction to the USIM card;
2. the USIM card processes the IMSI and returns a pseudo IMSI to the terminal; if auxiliary information is required to decrypt the pseudo IMSI, the USIM card actively transmits it to the newly added network element;
pseudo IMSIs may be generated in several ways:
a. a new IMSI number segment is enabled for new cards so that new and old cards can be distinguished; in this case a pseudo IMSI may be generated by stream encryption. In practice, the stream encryption key of each card should be different, i.e. one card, one secret;
b. where a new IMSI number segment cannot be used to identify new cards, the USIM card needs to upload auxiliary information synchronously. When the USIM card processes an IMSI reading instruction it must judge the network state of the terminal: if the terminal is on the network, a pseudo IMSI (which may still be generated by stream encryption) is returned, and the auxiliary information required for decryption, such as a random number, is sent synchronously to the newly added network element; if the terminal is found not to be on the network, the true IMSI must be returned. The uploaded auxiliary information comprises: the pseudo IMSI value, the encrypted IMSI (using a mainstream algorithm such as AES (Advanced Encryption Standard), 3DES (Triple Data Encryption Algorithm), RSA (Rivest, Shamir, Adleman) or ECC (elliptic curve cryptography)), the random numbers used in the encryption process, etc.
3. the terminal sends the pseudo IMSI to the core network through the wireless network;
4. the newly added network element in the core network processes the pseudo IMSI to obtain the real IMSI value, and then sends the real IMSI value to the switch and the HSS to obtain an authentication vector;
5. the HSS sends the random number, the network authentication value, the expected USIM card authentication value and the session keys (CK, IK) to the switch;
6. the switch sends the random number and the network authentication value to the terminal, and the terminal forwards them to the USIM card for authentication;
7. after the USIM card has authenticated the network, it generates the USIM card authentication value and sends it, together with the session keys (CK, IK), to the terminal;
8. the terminal sends the USIM card authentication value to the core network through the wireless side, and the core network verifies it. After the two-way authentication has passed, the terminal attaches to the network normally.
The USIM card needs to detect the attachment state of the terminal: if the terminal is not attached, the plaintext IMSI must be returned to the terminal. After the newly added network element receives the plaintext IMSI, the terminal can enter the attached state; once attached, only the pseudo IMSI and the related auxiliary information sent by the USIM card are accepted, and the subsequent authentication flow then proceeds.
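The IMSI layout from the Background and the card-side/network-side flow above, modelled as an added Python example (not the patent's own code or any operator's implementation). It assumes, as constructions the patent does not specify: an HMAC-SHA256 digit keystream for the format-preserving stream encryption of the MSIN, a fresh random nonce per read as the auxiliary information, recognition of a new card by the network element having received auxiliary information for the pseudo IMSI value (the patent's second identification method), and the same digit cipher under an operator key in place of the AES/3DES/RSA/ECC the patent lists for the "encrypted IMSI".

```python
"""Toy model of the pseudo-IMSI flow. Added example; not the patent's code.

Constructed assumptions (none are specified in the patent text):
- keystream: HMAC-SHA256(key, nonce || counter) expanded to decimal digits;
- pseudo MSIN = MSIN digits shifted by keystream digits mod 10, which keeps
  the IMSI format and digit count;
- the "encrypted IMSI" in the auxiliary information uses the same digit
  cipher under an operator key, standing in for AES/3DES/RSA/ECC;
- a card is treated as a new card when the network element holds auxiliary
  information for the pseudo IMSI value it receives.
"""
import hashlib
import hmac
import secrets

# MNC length depends on the MCC; only the page's example (460, China) is tabled.
MNC_LENGTH = {"460": 2}


def split_imsi(imsi: str) -> tuple[str, str, str]:
    """Split an IMSI into (MCC, MNC, MSIN); the MNC defaults to 2 digits."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 6..15 decimal digits")
    n = MNC_LENGTH.get(imsi[:3], 2)
    return imsi[:3], imsi[3:3 + n], imsi[3 + n:]


def keystream_digits(key: bytes, nonce: bytes, n: int) -> list[int]:
    """Expand HMAC-SHA256(key, nonce || counter) into n unbiased decimal digits."""
    digits, counter = [], 0
    while len(digits) < n:
        mac = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256)
        # Reject bytes 250..255 so every digit 0..9 is equally likely.
        digits.extend(b % 10 for b in mac.digest() if b < 250)
        counter += 1
    return digits[:n]


def shift_digits(text: str, key: bytes, nonce: bytes, sign: int) -> str:
    """Format-preserving digit stream cipher: sign=+1 encrypts, sign=-1 decrypts."""
    ks = keystream_digits(key, nonce, len(text))
    return "".join(str((int(d) + sign * k) % 10) for d, k in zip(text, ks))


class UsimCard:
    """New card: answers the terminal's read of the IMSI file with a pseudo IMSI."""

    def __init__(self, imsi: str, card_key: bytes, operator_key: bytes):
        self.imsi, self.card_key, self.operator_key = imsi, card_key, operator_key

    def read_imsi(self, terminal_attached: bool):
        """Return (value given to the terminal, auxiliary info for the network element)."""
        if not terminal_attached:
            # Case b of the patent: the terminal is not yet on the network,
            # so the true IMSI must be returned and no auxiliary info is sent.
            return self.imsi, None
        nonce = secrets.token_bytes(16)  # fresh per read, so the value changes every time
        mcc, mnc, msin = split_imsi(self.imsi)
        pseudo_imsi = mcc + mnc + shift_digits(msin, self.card_key, nonce, +1)
        aux = {  # uploaded to the newly added network element, not to the terminal
            "pseudo_imsi": pseudo_imsi,
            "nonce": nonce,
            "enc_imsi": shift_digits(self.imsi, self.operator_key, nonce, +1),
        }
        return pseudo_imsi, aux


class NewNetworkElement:
    """Added core-network element: recovers the real IMSI before the switch/HSS step."""

    def __init__(self, operator_key: bytes, card_keys: dict[str, bytes]):
        self.operator_key = operator_key
        self.card_keys = card_keys  # real IMSI -> per-card stream key ("one card, one secret")
        self.pending = {}           # pseudo IMSI -> auxiliary info received from cards

    def receive_aux(self, aux: dict) -> None:
        self.pending[aux["pseudo_imsi"]] = aux

    def resolve_imsi(self, imsi: str) -> str:
        """Old card (no auxiliary info): pass the plaintext IMSI through.
        New card: decrypt, then cross-check the pseudo MSIN against the card key."""
        aux = self.pending.pop(imsi, None)
        if aux is None:
            return imsi
        real = shift_digits(aux["enc_imsi"], self.operator_key, aux["nonce"], -1)
        card_key = self.card_keys.get(real)
        if card_key is None:
            raise ValueError("auxiliary info names an unknown subscriber")
        mcc, mnc, pseudo_msin = split_imsi(imsi)
        if mcc + mnc + shift_digits(pseudo_msin, card_key, aux["nonce"], -1) != real:
            raise ValueError("pseudo IMSI does not match the auxiliary info")
        return real  # this value goes to the switch and HSS for the authentication vector
```

The cross-check in `resolve_imsi` is the defensive detail worth keeping: the network element refuses to forward a real IMSI to the HSS unless the pseudo MSIN it received over the air is consistent with the auxiliary information and that subscriber's own key.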
Based on the same inventive concept, the embodiment of the invention also provides a USIM card, a network element and a computer readable storage medium, and because the principle of solving the problems of the devices is similar to that of the identity authentication method, the implementation of the devices can refer to the implementation of the method, and the repetition is omitted.
In implementing the technical scheme provided by the embodiment of the invention, the method can be implemented as follows.
Fig. 4 is a schematic diagram of a USIM card, as shown in the drawing, the USIM card includes:
the processor 400 is configured to read the program in the memory 420, and execute the following procedures:
receiving an IMSI reading instruction sent by a terminal;
encrypting the IMSI;
returning the encrypted IMSI for identity authentication to the terminal;
a transceiver 410 for receiving and transmitting data under the control of the processor 400.
In practice, encrypting the IMSI consists of encrypting its MSIN field.
In practice, the encrypted MSIN field has the same number of digits as the MSIN before encryption.
In practice, the procedure further comprises:
identifying, through the IMSI number segment, whether the IMSI is an encrypted IMSI; or
when the IMSI cannot be identified as an encrypted IMSI through the IMSI number segment, sending the information required for decrypting the encrypted IMSI to the network side.
In an implementation, when the IMSI cannot be identified as an encrypted IMSI through the IMSI number segment, the procedure further includes:
returning the encrypted IMSI to the terminal when the terminal is on the network;
and returning the unencrypted IMSI to the terminal when the terminal is not on the network.
Wherein in fig. 4, a bus architecture may comprise any number of interconnected buses and bridges, and in particular one or more processors represented by processor 400 and various circuits of memory represented by memory 420, linked together. The bus architecture may also link together various other circuits such as peripheral devices, voltage regulators, power management circuits, etc., which are well known in the art and, therefore, will not be described further herein. The bus interface provides an interface. Transceiver 410 may be a number of elements, including a transmitter and a receiver, providing a means for communicating with various other apparatus over a transmission medium. The processor 400 is responsible for managing the bus architecture and general processing, and the memory 420 may store data used by the processor 400 in performing operations.
The embodiment of the invention also provides a USIM card, which comprises:
the card receiving module is used for receiving an IMSI reading instruction sent by the terminal;
the card encryption module is used for encrypting the IMSI;
and the card sending module is used for returning the encrypted IMSI for identity authentication to the terminal.
In an implementation, the card encryption module is further configured to encrypt the IMSI by encrypting its MSIN field.
In an implementation, the card encryption module is further configured to encrypt the MSIN field such that the encrypted field has the same number of digits as the MSIN field before encryption.
In an implementation, the card encryption module is further configured to identify, through the IMSI number segment, whether the IMSI is an encrypted IMSI; or,
when the IMSI cannot be identified as an encrypted IMSI through the IMSI number segment, to send the information required for decrypting the encrypted IMSI to the network side.
In an implementation, the card sending module is further configured, when the IMSI cannot be identified as an encrypted IMSI through the IMSI number segment, to return the encrypted IMSI to the terminal when the terminal is on the network, and to return the unencrypted IMSI to the terminal when the terminal is not on the network.
For convenience of description, the parts of the above apparatus are described as being functionally divided into various modules or units, respectively. Of course, the functions of each module or unit may be implemented in the same piece or pieces of software or hardware when implementing the present invention.
Fig. 5 is a schematic diagram of a network element, where as shown in the drawing, the network element includes:
the processor 500, configured to read the program in the memory 520, performs the following procedures:
receiving an IMSI (international mobile subscriber identity) for identity authentication sent by a terminal, wherein the IMSI has been encrypted by a USIM card;
after decrypting the IMSI, sending the IMSI to a switch and an HSS to obtain an authentication vector;
a transceiver 510 for receiving and transmitting data under the control of the processor 500.
In practice, encrypting the IMSI consists of encrypting its MSIN field.
In practice, the MSIN after encryption has the same number of digits as the MSIN before encryption.
In practice, the procedure further comprises:
identifying, through the IMSI number segment, whether the IMSI is an encrypted IMSI; or
identifying whether the IMSI is an encrypted IMSI according to whether the USIM card has sent the information required for decrypting the encrypted IMSI to the network side.
Wherein in fig. 5, a bus architecture may comprise any number of interconnected buses and bridges, and in particular one or more processors represented by processor 500 and various circuits of memory represented by memory 520, linked together. The bus architecture may also link together various other circuits such as peripheral devices, voltage regulators, power management circuits, etc., which are well known in the art and, therefore, will not be described further herein. The bus interface provides an interface. The transceiver 510 may be a number of elements, i.e., including a transmitter and a receiver, providing a means for communicating with various other apparatus over a transmission medium. The processor 500 is responsible for managing the bus architecture and general processing, and the memory 520 may store data used by the processor 500 in performing operations.
The embodiment of the invention also provides a network element, which comprises:
the network element receiving module is used for receiving the IMSI used for identity authentication and sent by the terminal, wherein the IMSI is encrypted by the USIM card;
and the network element sending module is used for decrypting the IMSI and then sending the IMSI to the switch and the HSS to obtain the authentication vector.
In an implementation, the network element sending module is further configured to decrypt the IMSI, where the field decrypted is the MSIN field.
In an implementation, the number of field bits of the MSIN field decrypted by the network element sending module is the same as the number of field bits of the MSIN before encryption.
In an implementation, the network element sending module is further configured to identify, through the IMSI number segment, whether the IMSI is an encrypted IMSI; or,
to identify whether the IMSI is an encrypted IMSI according to whether the USIM card has sent the information required for decrypting the encrypted IMSI to the network side.
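The two identification paths described above for the network element (a reserved IMSI number segment, or the card signalling that it sent decryption information) and the length-preserving MSIN encryption on the card side, as an added illustration that is not the patent's own code. The patent specifies neither the cipher nor the number segment, so the shared key, the segments and the Feistel-style digit transform below are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed values for this example (assumptions, not from the patent):
# a key shared by the USIM card and the network element, a hypothetical
# MCC+MNC segment for real subscribers, and a hypothetical segment reserved
# for encrypted (pseudo) IMSIs so the network element can recognise them.
KEY = b"example-shared-key-between-usim-and-network-element"
REAL_SEGMENT = "46000"       # hypothetical real MCC+MNC
ENCRYPTED_SEGMENT = "46099"  # hypothetical segment marking a pseudo IMSI


def _round_fn(key, r, other_half, width):
    """Keyed round function: HMAC of the round index and the other half, reduced to `width` digits."""
    mac = hmac.new(key, f"{r}:{other_half}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (10 ** width)


def fpe_digits(digits, key, decrypt=False, rounds=8):
    """Length-preserving keyed transform of a decimal string: an illustrative
    unbalanced Feistel network over the two digit halves (assumption, not the
    patent's cipher). Output always has the same number of digits as input."""
    n = len(digits)
    lw, rw = n // 2, n - n // 2
    left, right = int(digits[:lw]), int(digits[lw:])
    order = range(rounds - 1, -1, -1) if decrypt else range(rounds)
    sign = -1 if decrypt else 1
    for r in order:
        if r % 2 == 0:   # even rounds modify the left half using the right half
            left = (left + sign * _round_fn(key, r, right, lw)) % (10 ** lw)
        else:            # odd rounds modify the right half using the left half
            right = (right + sign * _round_fn(key, r, left, rw)) % (10 ** rw)
    return f"{left:0{lw}d}{right:0{rw}d}"


def usim_encrypt_imsi(imsi, mark_with_segment=True):
    """USIM card side: answer the terminal's IMSI read with a pseudo IMSI whose
    MSIN is encrypted but keeps its digit count. With mark_with_segment the
    reserved segment identifies it; otherwise the card must signal the network."""
    segment = ENCRYPTED_SEGMENT if mark_with_segment else REAL_SEGMENT
    return segment + fpe_digits(imsi[len(REAL_SEGMENT):], KEY)


def network_element_resolve(imsi, card_signalled_encrypted=False):
    """Network element side: detect an encrypted IMSI by number segment or by the
    card's signal, decrypt the MSIN and return the real IMSI for the switch/HSS.
    An unencrypted IMSI from a legacy card passes through unchanged."""
    if len(imsi) != 15 or not imsi.isdigit():
        raise ValueError("IMSI must be 15 decimal digits")
    if imsi.startswith(ENCRYPTED_SEGMENT) or card_signalled_encrypted:
        return REAL_SEGMENT + fpe_digits(imsi[len(ENCRYPTED_SEGMENT):], KEY, decrypt=True)
    return imsi
```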
For convenience of description, the parts of the above apparatus are described as being functionally divided into various modules or units, respectively. Of course, the functions of each module or unit may be implemented in the same piece or pieces of software or hardware when implementing the present invention.
The embodiment of the invention also provides a computer readable storage medium, wherein the computer readable storage medium stores a computer program, and the computer program realizes the identity authentication method when being executed by a processor.
In summary, the technical solution provided in the embodiment of the present invention provides a technical architecture and a workflow for IMSI protection;
an IMSI protection function added to the USIM card, together with a new network element/module function on the core network side;
and a pseudo IMSI format.
The scheme can prevent the mobile phone from acquiring the real IMSI, prevent IMSI leakage from the source, eliminate potential safety hazards and realize privacy protection of the user.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, magnetic disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (14)

1. An identity authentication method, comprising:
a Universal Subscriber Identity Module (USIM) card receives an IMSI reading instruction sent by a terminal;
the USIM card encrypts the IMSI;
the USIM card returns the encrypted IMSI for identity authentication to the terminal.
2. The method of claim 1, wherein encrypting the IMSI encrypts a mobile subscriber identification code MSIN field.
3. The method of claim 2, wherein the number of field bits after encrypting the MSIN field is the same as the number of field bits of the MSIN before encryption.
4. A method as claimed in any one of claims 1 to 3, further comprising:
identifying whether the IMSI is an encrypted IMSI through an IMSI number segment; or,
when the IMSI cannot be identified as an encrypted IMSI through the IMSI number segment, sending information required for decrypting the encrypted IMSI to a network side.
5. The method of claim 4, wherein, when the IMSI cannot be identified as an encrypted IMSI through the IMSI number segment, the method further comprises:
returning the encrypted IMSI to the terminal when the terminal is on the network;
and returning the unencrypted IMSI to the terminal when the terminal is not on the network.
6. An identity authentication method, comprising:
the network element receives an IMSI (International Mobile subscriber identity) for identity authentication sent by the terminal, wherein the IMSI is encrypted by a USIM card;
after decrypting the IMSI, the network element sends the IMSI to a switch and a Home Subscriber Server (HSS) to obtain an authentication vector.
7. The method of claim 6, wherein encrypting the IMSI encrypts the MSIN field.
8. The method of claim 7, wherein the number of field bits of the MSIN after encryption is the same as the number of field bits of the MSIN before encryption.
9. The method of any one of claims 6 to 8, further comprising:
identifying whether the IMSI is an encrypted IMSI through an IMSI number segment; or,
identifying whether the IMSI is an encrypted IMSI according to whether the USIM card has sent the information required for decrypting the encrypted IMSI to the network side.
10. A USIM card, comprising:
a processor for reading the program in the memory, performing the following process:
receiving an IMSI reading instruction sent by a terminal;
encrypting the IMSI;
returning the encrypted IMSI for identity authentication to the terminal;
and a transceiver for receiving and transmitting data under the control of the processor.
11. A USIM card, comprising:
the card receiving module is used for receiving an IMSI reading instruction sent by the terminal;
the card encryption module is used for encrypting the IMSI;
and the card sending module is used for returning the encrypted IMSI for identity authentication to the terminal.
12. A network element, comprising:
a processor for reading the program in the memory, performing the following process:
receiving an IMSI (International Mobile subscriber identity) for identity authentication sent by a terminal, wherein the IMSI is encrypted by a USIM card;
after decrypting the IMSI, sending the IMSI to a switch and an HSS to obtain an authentication vector;
and a transceiver for receiving and transmitting data under the control of the processor.
13. A network element, comprising:
the network element receiving module is used for receiving the IMSI used for identity authentication and sent by the terminal, wherein the IMSI is encrypted by the USIM card;
and the network element sending module is used for decrypting the IMSI and then sending the IMSI to the switch and the HSS to obtain the authentication vector.
14. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program which, when executed by a processor, implements the method of any of claims 1 to 9.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210042083.5A CN116489639A (en) 2022-01-14 2022-01-14 Identity authentication method, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116489639A true CN116489639A (en) 2023-07-25

Family

ID=87223750

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination