CN117319987A - Method and device for limiting separation of machine and card, system, storage medium and electronic device - Google Patents


Publication number
CN117319987A
Authority
CN
China
Prior art keywords
identifier
target terminal
network element
terminal
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210726336.0A
Other languages
Chinese (zh)
Inventor
朱永梅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZTE Corp
Priority to CN202210726336.0A
Priority to PCT/CN2023/090594 (WO2023246286A1)
Publication of CN117319987A


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W8/00 Network data management
    • H04W8/18 Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H04W8/183 Processing at user equipment or user record carrier
    • H04W8/20 Transfer of user or subscriber data
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H04W48/00 Access restriction; Network selection; Access point selection
    • H04W48/08 Access restriction or access information delivery, e.g. discovery data delivery
    • H04W60/00 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration

Abstract

The invention provides a method, a device, a system, a storage medium and an electronic device for limiting machine-card separation (separation of a terminal from its SIM card). The method comprises: receiving a network registration request sent by a target terminal, wherein the network registration request carries a first identifier and a second identifier, the first identifier is a device identifier of the target terminal, the second identifier is a card identifier of a SIM card, and the SIM card is arranged on the target terminal; judging whether the target terminal is a legal terminal according to the first identifier and the second identifier; and if the target terminal is an illegal terminal, restricting the target terminal from accessing the network. The invention solves the technical problem that the related art cannot limit machine-card separation, and can help operators bind the machine and the card, thereby limiting machine-card separation for contract phones, restricting illegally copied terminals from accessing the 5G network, and preventing SIM cards of other operators from being inserted into a contract phone after it is sold.

Description

Method and device for limiting separation of machine and card, system, storage medium and electronic device
Technical Field
The present invention relates to the field of communications, and in particular, to a method and apparatus for limiting machine-card separation, a system, a storage medium, and an electronic device.
Background
In the related art, 3GPP introduced the 5G network as the fifth-generation mobile communication network. The 5G-EIR stores identification information of mobile communication terminals and is responsible for checking the validity of mobile terminals so that illegal equipment cannot access the network, thereby ensuring the security of the system. Just as every person has a unique identification number, each mobile device has a unique identifier (PEI) indicating the type, manufacturer, serial number, etc. of the mobile device.
In the related art, some operators sell contract phones with the machine and card bound, so that a specified terminal can only use a specified SIM card. However, such a scheme can only restrict the SIM card to accessing the network of the specified operator; it cannot restrict the terminal to accessing the network of the specified operator.
In view of the above problems in the related art, an effective solution has not been found.
Disclosure of Invention
The embodiment of the invention provides a method, a device, a system, a storage medium and an electronic device for limiting the separation of a machine card, which are used for at least solving the problems in the related art.
According to an embodiment of the present invention, there is provided a method for limiting machine-card separation, applied to a first network element, including: receiving a network registration request sent by a target terminal, wherein the network registration request carries a first identifier and a second identifier, the first identifier is a device identifier of the target terminal, the second identifier is a card identifier of a SIM card, and the SIM card is arranged on the target terminal; judging whether the target terminal is a legal terminal according to the first identifier and the second identifier; and if the target terminal is an illegal terminal, restricting the target terminal from accessing the network.
Optionally, after determining whether the target terminal is a legal terminal according to the first identifier and the second identifier, the method further includes: and if the target terminal is a legal terminal, allowing the target terminal to access the network.
Optionally, determining whether the target terminal is a legal terminal according to the first identifier and the second identifier includes: generating a device check request using the first identifier and the second identifier; sending the equipment checking request to a second network element, wherein the second network element is used for checking whether the first identifier and the second identifier have a binding relationship in a database; receiving a verification result returned by the second network element based on the equipment verification request, wherein the verification result is used for indicating whether a binding relationship exists between the first identifier and the second identifier; if the verification result indicates that the binding relationship exists between the first identifier and the second identifier, determining that the target terminal is a legal terminal; and if the verification result indicates that the first identifier and the second identifier have no binding relation, determining that the target terminal is an illegal terminal.
Optionally, if the target terminal is an illegal terminal, restricting the target terminal from accessing the network includes: if the target terminal is a blacklist terminal, completely limiting the target terminal from accessing a network; and if the target terminal is a gray list terminal, determining a restricted access strategy matched with the gray list, and restricting the target terminal to access the network according to the restricted access strategy.
According to an embodiment of the present invention, there is provided another method for limiting machine-card separation, applied to a second network element, including: receiving a device check request sent by a first network element, wherein the device check request carries a first identifier and a second identifier, the first identifier is a device identifier of a target terminal, the second identifier is a card identifier of a SIM card, and the SIM card is arranged on the target terminal; querying a database for whether a binding relationship exists between the first identifier and the second identifier to obtain a check result, wherein the check result is used for indicating whether the binding relationship exists between the first identifier and the second identifier; and returning the check result to the first network element.
Optionally, querying the database for whether the binding relationship exists between the first identifier and the second identifier to obtain the check result includes: querying the first identifier in a white list; if the white list hits the first identifier, judging whether the first identifier and the second identifier are hit in a preset machine-card combination; and if the first identifier and the second identifier are hit in a preset machine-card combination, generating a first check result, wherein the first check result is used for indicating that a binding relationship exists between the first identifier and the second identifier.
Optionally, before receiving the device check request sent by the first network element, the method further includes: receiving a binding request sent by a third network element, wherein the binding request carries the first identifier and the second identifier; and responding to the binding request, and writing the binding relation between the first identifier and the second identifier in the database.
According to another embodiment of the present invention, there is provided an apparatus for limiting machine-card separation, applied to a first network element, including: a receiving module, used for receiving a network registration request sent by a target terminal, wherein the network registration request carries a first identifier and a second identifier, the first identifier is a device identifier of the target terminal, the second identifier is a card identifier of a SIM card, and the SIM card is arranged on the target terminal; a judging module, used for judging whether the target terminal is a legal terminal according to the first identifier and the second identifier; and a limiting module, used for restricting the target terminal from accessing the network if the target terminal is an illegal terminal.
Optionally, the apparatus further comprises: and the permission module is used for permitting the target terminal to access the network if the target terminal is a legal terminal after the judging module judges whether the target terminal is the legal terminal according to the first identifier and the second identifier.
Optionally, the judging module includes: a generating unit, configured to generate a device check request using the first identifier and the second identifier; a sending unit, configured to send the device checking request to a second network element, where the second network element is configured to check whether a binding relationship exists between the first identifier and the second identifier in a database; the receiving unit is used for receiving a verification result returned by the second network element based on the equipment verification request, wherein the verification result is used for indicating whether the first identifier and the second identifier have a binding relationship or not; the determining unit is used for determining that the target terminal is a legal terminal if the verification result indicates that the first identifier and the second identifier have a binding relationship; and if the verification result indicates that the first identifier and the second identifier have no binding relation, determining that the target terminal is an illegal terminal.
Optionally, the limiting module includes: the first limiting unit is used for completely limiting the target terminal to access the network if the target terminal is a blacklist terminal; and the second limiting unit is used for determining a limiting access strategy matched with the gray list if the target terminal is the gray list terminal, and limiting the target terminal to access the network according to the limiting access strategy.
According to another embodiment of the present invention, there is provided another apparatus for limiting machine-card separation, applied to a second network element, including: a first receiving module, used for receiving a device check request sent by a first network element, wherein the device check request carries a first identifier and a second identifier, the first identifier is a device identifier of a target terminal, the second identifier is a card identifier of a SIM card, and the SIM card is arranged on the target terminal; a query module, used for querying a database for whether the first identifier and the second identifier have a binding relationship to obtain a check result, wherein the check result is used for indicating whether the first identifier and the second identifier have the binding relationship; and a return module, used for returning the check result to the first network element.
Optionally, the query module includes: a first query unit, used for querying the first identifier in a white list; a second query unit, used for judging, if the white list hits the first identifier, whether the first identifier and the second identifier are hit in a preset machine-card combination; and a generation unit, used for generating a first check result if the first identifier and the second identifier are hit in a preset machine-card combination, wherein the first check result is used for indicating that a binding relationship exists between the first identifier and the second identifier.
Optionally, the apparatus further comprises: the second receiving module is configured to receive a binding request sent by a third network element before the first receiving module receives an equipment checking request sent by a first network element, where the binding request carries the first identifier and the second identifier; and the writing module is used for responding to the binding request and writing the binding relation between the first identifier and the second identifier in the database.
There is also provided, in accordance with yet another embodiment of the present invention, a system for limiting machine-card separation, including: a first network element, connected with the target terminal and a second network element, and used for executing the steps in any one of the above method embodiments; the second network element, connected with the first network element and a third network element, and used for executing the steps in any one of the above method embodiments; and the third network element, connected with the second network element, and used for sending a binding request to the second network element so that the second network element writes the binding relationship between the first identifier and the second identifier in a database.
According to a further embodiment of the invention, there is also provided a storage medium having stored therein a computer program, wherein the computer program is arranged to perform the steps of any of the method embodiments described above when run.
According to a further embodiment of the invention, there is also provided an electronic device comprising a memory having stored therein a computer program and a processor arranged to run the computer program to perform the steps of any of the method embodiments described above.
According to the invention, a network registration request sent by a target terminal is received, wherein the network registration request carries a first identifier and a second identifier, the first identifier is a device identifier of the target terminal, the second identifier is a card identifier of a SIM card, and the SIM card is arranged on the target terminal; whether the target terminal is a legal terminal is judged according to the first identifier and the second identifier; and if the target terminal is an illegal terminal, the target terminal is restricted from accessing the network. This solves the technical problem that the related art cannot limit machine-card separation, and can help an operator bind the machine and the card, thereby limiting machine-card separation for contract phones, restricting illegally copied terminals from accessing the 5G network, and preventing SIM cards of other operators from being inserted into a contract phone after it is sold.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiments of the invention and together with the description serve to explain the invention and do not constitute a limitation on the invention. In the drawings:
FIG. 1 is a block diagram of a hardware architecture of a base station for limiting machine-card separation according to an embodiment of the present invention;
FIG. 2 is a flow chart of a method of limiting machine-card separation according to an embodiment of the invention;
FIG. 3 is a flow chart of another method of limiting machine-card separation according to an embodiment of the invention;
FIG. 4 is a block diagram of a network architecture in an embodiment of the invention;
FIG. 5 is an interactive flow diagram of an embodiment of the present invention;
FIG. 6 is a block diagram of an apparatus for limiting machine-card separation according to an embodiment of the present invention;
FIG. 7 is a block diagram of another apparatus for limiting machine-card separation according to an embodiment of the present invention;
FIG. 8 is a block diagram of a system for limiting machine-card separation according to an embodiment of the present invention.
Detailed Description
The invention will be described in detail hereinafter with reference to the drawings in conjunction with embodiments. It should be noted that, in the case of no conflict, the embodiments and features in the embodiments may be combined with each other.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order.
Example 1
The method embodiment provided in the first embodiment of the present application may be performed in a base station, a server, a base station controller, or a similar communication network element. Taking the operation on the base station as an example, fig. 1 is a block diagram of a hardware structure of a base station for limiting the separation of machine cards according to an embodiment of the present invention. As shown in fig. 1, a base station may include one or more processors 102 (only one is shown in fig. 1) (the processor 102 may include, but is not limited to, a microprocessor MCU or a processing device such as a programmable logic device FPGA) and a memory 104 for storing data, and optionally, a transmission device 106 for communication functions and an input-output device 108. It will be appreciated by those skilled in the art that the structure shown in fig. 1 is merely illustrative and is not intended to limit the structure of the base station described above. For example, the base station may also include more or fewer components than shown in fig. 1, or have a different configuration than shown in fig. 1.
The memory 104 may be used to store a computer program, for example, a software program of application software and a module, such as a computer program corresponding to a method for limiting separation of a card in an embodiment of the present invention, and the processor 102 executes the computer program stored in the memory 104, thereby performing various functional applications and data processing, that is, implementing the above-mentioned method. Memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory remotely located with respect to the processor 102, which may be connected to the base station via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used to receive or transmit data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the base station. In one example, the transmission device 106 includes a network adapter (Network Interface Controller, simply referred to as NIC) that can connect to other network devices through a base station to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is configured to communicate with the internet wirelessly.
In this embodiment, a method for limiting machine-card separation is provided. FIG. 2 is a flowchart of a method for limiting machine-card separation according to an embodiment of the present invention. As shown in FIG. 2, the flow includes the following steps:
Step S202, a network registration request sent by a target terminal is received, wherein the network registration request carries a first identifier and a second identifier, the first identifier is a device identifier of the target terminal, the second identifier is a card identifier of a SIM card, and the SIM card is arranged on the target terminal;
The network registration request of the present embodiment is a request by the target terminal to register with and access the network of the operator and to use the communication services provided by the operator, such as calls, internet access, subscription, and the like.
Alternatively, the SIM card (mobile phone card/subscriber identity card) of the present embodiment may be a physical card or a virtual card, and may be either a non-detachable card built into the target terminal or a detachable card installed in the target terminal.
In one example, the first identifier is a PEI (Permanent Equipment Identifier), such as an International Mobile Equipment Identity (IMEI), and the second identifier is a SUPI (Subscription Permanent Identifier, the globally unique permanent identifier of a 5G user), such as an International Mobile Subscriber Identification Number (IMSI).
Step S204, judging whether the target terminal is a legal terminal according to the first identifier and the second identifier;
The legal terminal in this embodiment refers to a terminal that can legally access the operator network; the judgment is made using the first identifier and the second identifier together.
Step S206, if the target terminal is an illegal terminal, the target terminal is restricted from accessing the network.
In this embodiment, restricting the target terminal from accessing the network includes: and prohibiting or rejecting the target terminal from accessing the base station of the operator corresponding to the SIM card, and/or sending alarm information to the target terminal, wherein the alarm information is used for indicating that the target terminal is not matched with the SIM card and the target terminal or the SIM card needs to be replaced.
In another aspect, after determining whether the target terminal is a legal terminal according to the first identifier and the second identifier, the method further includes: if the target terminal is a legal terminal, allowing the target terminal to access the network. In one example, after allowing the target terminal to access the network, the method further includes sending a binding instruction to the target terminal. After receiving the binding instruction, the target terminal locally generates a binding control instruction for the first identifier and the second identifier, which prohibits the target terminal from being separated from the SIM card. If the target terminal detects that it has been separated from the SIM card, it outputs early-warning information indicating that the user is performing an illegal operation that may make the target terminal and/or the SIM card unusable.
Through the above steps, a network registration request sent by a target terminal is received, wherein the network registration request carries a first identifier and a second identifier, the first identifier is a device identifier of the target terminal, the second identifier is a card identifier of a SIM card, and the SIM card is arranged on the target terminal; whether the target terminal is a legal terminal is judged according to the first identifier and the second identifier; and if the target terminal is an illegal terminal, the target terminal is restricted from accessing the network. This solves the technical problem that the related art cannot limit machine-card separation, and can help an operator bind the machine and the card, thereby limiting machine-card separation for contract phones, restricting illegally copied terminals from accessing the 5G network, and preventing SIM cards of other operators from being inserted into a contract phone after it is sold.
Alternatively, the execution body of the above steps may be a base station, a communication network element, or the like, such as an AMF (Access and Mobility Management Function), but is not limited thereto.
In one implementation manner of this embodiment, determining whether the target terminal is a legal terminal according to the first identifier and the second identifier includes: generating a device check request by adopting the first identifier and the second identifier; sending a device checking request to a second network element, wherein the second network element is used for checking whether a binding relationship exists between the first identifier and the second identifier in the database; receiving a verification result returned by the second network element based on the equipment verification request, wherein the verification result is used for indicating whether a binding relationship exists between the first identifier and the second identifier; if the verification result indicates that the binding relationship exists between the first identifier and the second identifier, determining that the target terminal is a legal terminal; if the verification result indicates that the first identifier and the second identifier have no binding relation, determining that the target terminal is an illegal terminal.
Optionally, the second network element is a 5G-EIR (5G-Equipment Identity Register). When checking whether the first identifier and the second identifier have a binding relationship in the database, the second network element may verify against a preset list policy. For example, a plurality of machine-card combinations are pre-stored in the database, where each machine-card combination includes at least two fields, corresponding respectively to the device identifier of the terminal device and the card identifier of the SIM card, and may also include a validity period and so on.
In some examples, the database includes a white list including a plurality of sets of PEI, and if the first identifier is within the white list and the first identifier has a binding relationship with the second identifier, a verification result indicating that the first identifier has a binding relationship with the second identifier is generated; in still other examples, the database includes a blacklist including a plurality of sets of PEIs, and if the first identification is within the blacklist, a check result is generated indicating that the first identification is illegal.
Optionally, if the target terminal is an illegal terminal, restricting the target terminal from accessing the network includes: if the target terminal is a blacklist terminal, the target terminal is completely limited to access the network; if the target terminal is a gray list terminal, determining a restricted access strategy matched with the gray list, and restricting the target terminal to access the network according to the restricted access strategy.
In this embodiment, the blacklist and the gray list are PEI lists, as is the white list. When a PEI and a SUPI have a binding relationship in the 5G-EIR database, that PEI must be in the white list; if the first identifier is in the white list but has no binding relationship, the target terminal is considered an illegal terminal and its access to the network is restricted.
In some other examples, the database further includes a gray list, which includes a plurality of sets of PEI that access the network according to the restricted access policy. If the first identifier is in neither the white list nor the blacklist but is in the gray list, a check result corresponding to the gray list is generated. A PEI in the gray list of this embodiment is one that can access the network under certain restriction conditions, for example within a certain time or under a network speed limit. When the user or the operator performs a specific binding operation, the PEI is moved into the white list; after the binding relationship between the first identifier and the second identifier has been configured, the access restriction can be released and the target terminal can access the network normally. In some cases, if the first identifier is not in the white list, the blacklist or the gray list, the device is considered an unknown device, and the same processing policy as for the blacklist or the gray list may be applied.
In this embodiment, another method for limiting machine-card separation is provided, applied to a second network element. FIG. 3 is a flowchart of another method for limiting machine-card separation according to an embodiment of the present invention. As shown in FIG. 3, the flow includes the following steps:
Step S302, receiving a device check request sent by a first network element, wherein the device check request carries a first identifier and a second identifier, the first identifier is a device identifier of a target terminal, the second identifier is a card identifier of a SIM card, and the SIM card is arranged on the target terminal;
Step S304, querying the database for whether a binding relationship exists between the first identifier and the second identifier to obtain a check result, wherein the check result is used for indicating whether the binding relationship exists between the first identifier and the second identifier;
Step S306, returning the check result to the first network element.
Optionally, the above steps may be executed by a base station, a communication network element, or the like, such as a 5G-EIR (5G Equipment Identity Register), but is not limited thereto.
In one implementation of this embodiment, querying the database for whether a binding relationship exists between the first identifier and the second identifier, and obtaining the verification result, includes: querying the first identifier in a white list; if the white list hits the first identifier, judging whether the first identifier and the second identifier hit in a preset machine-card combination; if the first identifier and the second identifier hit in the preset machine-card combination, generating a first check result, wherein the first check result is used for indicating that a binding relationship exists between the first identifier and the second identifier. The white list and the preset machine-card combination are stored in the database.
In one example, there are two mobile phones with the same PEI: one was purchased through legal channels and the other is a knock-off phone. After the owner of the legally purchased phone binds the PEI to their own SUPI at a business hall, the other person's knock-off phone still uses that PEI, but its PEI and SUPI are not bound, so it cannot access the network.
In some examples, the database includes a white list, which includes a plurality of sets of PEI with a binding relationship (and possibly also PEI without a binding relationship). If the first identifier is in the white list and the first identifier and the second identifier hit in the preset machine-card combination, a check result indicating that the first identifier and the second identifier have a binding relationship is generated; otherwise, a check result indicating that they do not have a binding relationship is generated. In other examples, the database includes a blacklist containing a plurality of sets of illegal PEI; if the first identifier is within the blacklist, a check result indicating that the first identifier is illegal is generated, and network access is not allowed or is allowed only with restrictions.
In some other examples, the database further includes a gray list, which includes a plurality of sets of PEI that access the network according to the restricted access policy. If the first identifier is not in the white list or the black list and is in the gray list, a verification result corresponding to the gray list is generated. In this embodiment, a PEI in the gray list is a PEI that can access the network under certain restrictions, for example for a certain time or under a network speed limit. When the user or the operator performs a specific binding operation, the PEI is moved into the white list; after the binding relationship between the first identifier and the second identifier has been configured, the access restriction can be released and the target terminal can access the network normally. In some cases, if the first identifier is not among the PEI of the white list or the black list, nor among the PEI of the gray list, the device is considered an unknown device, and the same processing policy as for the black list or the gray list may be applied.
Optionally, before receiving the device check request sent by the first network element, the method further includes: receiving a binding request sent by a third network element, wherein the binding request carries a first identifier and a second identifier; and responding to the binding request, and writing the binding relation between the first identifier and the second identifier in the database.
Optionally, the third network element is a BOSS (Business & Operation Support System, service operation support system/acceptance system).
Fig. 4 is a block diagram of a network architecture in an embodiment of the present invention. Taking a scenario applied to a 5G NR terminal (UE) as an example, it includes the following network elements: 5G EIR, AMF, NRF (Network Repository Function) and BOSS. The 5G EIR is the equipment identity register, the user equipment management center in the mobile communication network, and provides the mobile communication network with a validity check function based on the mobile terminal identifier. The functions provided by the AMF include registration management, connection management, reachability management and mobility management of the UE under 5G. The NRF supports a service discovery function: it receives an NF discovery request initiated by an NF instance and provides that NF instance with the information of the NF instances to be discovered; the NRF also maintains the available NF instance configurations and the services they support. The BOSS is used to provision the black, white and gray lists of PEI number segments to an EIR (such as the 5G EIR), and to provision the binding relationship between PEI and SUPI to the EIR.
The binding relationship between the mobile phone (PEI) and the card (SUPI) is added to the 5G-EIR database. When a user registers in a 5G network, whether the machine-card combination is a legal combination is judged according to the PEI+SUPI information in the registration request: if the combination is legal, a white-list result is returned, the machine-card combination passes the check, and the mobile phone is allowed to access the network using that card; if the combination is illegal, a processing mode is selected according to the operator policy.
First, the binding relationship between the mobile phone (PEI) and the card (SUPI) is written into the 5G-EIR database through a BOSS instruction. Then, when the user tries to register with the 5G network, the AMF initiates a device check request to the 5G-EIR according to the PEI and SUPI in the registration request. The 5G-EIR queries the database according to the PEI and SUPI in the request and checks whether the machine-card combination is in a binding relationship. If it is, the device is identified as a legal device and a white-list result is returned. If it is not, the binding check is determined to have failed, and a response is returned according to the operator's policy. The operator's policy can be selected from: white list, gray list, black list, unknown device. When the policy selects "black list" or "unknown device", the user's access to the 5G network is restricted.
Fig. 5 is an interaction flow chart of an embodiment of the invention, involving the network elements AMF, 5G EIR and BOSS. The flow comprises a first stage and a second stage.
The first stage: binding the machine and card through the BOSS, and writing the binding relationship into the 5G-EIR database:
S11, the BOSS sends a request to bind PEI and SUPI to the 5G-EIR through a provisioning instruction;
S12, after the 5G-EIR receives the binding request, it writes the binding relationship into the database.
The second stage: when the user registers, an illegal user is restricted from accessing the network:
S21, the user powers on and initiates a registration procedure with the 5G network;
S22, the AMF receives the registration request and initiates a device check request to the 5G-EIR according to the PEI and SUPI in the registration request;
S23, the 5G-EIR receives the device check request, queries the database according to the PEI and SUPI in the request, and checks whether the machine-card combination is in a binding relationship:
If the combination is in a binding relationship, the device is identified as legal equipment, a white-list result is returned, and access to the network is allowed.
If the combination is not in a binding relationship, the binding check is determined to have failed, a response is returned according to the operator's policy, and the illegal user's access to the network is restricted.
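The two-stage flow above (S11 to S23), together with the white, black and gray list handling described earlier, as an added Python example that is not code from the patent. The class and method names, the identifier values, the `rate-limit` policy name, the decision strings, and the choice to look up the black list before the white list are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    WHITE = "white list"
    GRAY = "gray list"
    BLACK = "black list"
    UNKNOWN = "unknown device"


@dataclass
class Eir:
    """Plays the second network element (5G-EIR): PEI lists plus PEI+SUPI bindings."""
    unbound_policy: Status = Status.BLACK  # operator policy when the binding check fails
    white: set = field(default_factory=set)
    gray: set = field(default_factory=set)
    black: set = field(default_factory=set)
    bindings: set = field(default_factory=set)  # set of (pei, supi) pairs

    def bind(self, pei: str, supi: str) -> None:
        """S11/S12: binding request from the BOSS; the bound PEI moves to the white list."""
        self.gray.discard(pei)
        self.white.add(pei)
        self.bindings.add((pei, supi))

    def check_pei_only(self, pei: str) -> Status:
        """Baseline for comparison: list lookup on the device identifier alone.
        Lookup order (black, white, gray) is an assumption of this example."""
        lists = ((Status.BLACK, self.black),
                 (Status.WHITE, self.white),
                 (Status.GRAY, self.gray))
        for status, members in lists:
            if pei in members:
                return status
        return Status.UNKNOWN

    def check(self, pei: str, supi: str) -> Status:
        """S23: list lookup, then the binding check on the PEI+SUPI pair."""
        status = self.check_pei_only(pei)
        if status is Status.WHITE and (pei, supi) not in self.bindings:
            return self.unbound_policy  # whitelisted PEI, but this card is not bound to it
        return status


@dataclass
class Amf:
    """Plays the first network element (AMF): turns the check result into a decision."""
    eir: Eir
    gray_policy: str = "rate-limit"    # constructed name for a restricted access policy
    unknown_as: Status = Status.BLACK  # unknown devices follow the black or gray policy

    def register(self, pei: str, supi: str) -> str:
        """S21/S22: registration request carrying PEI and SUPI."""
        status = self.eir.check(pei, supi)
        if status is Status.UNKNOWN:
            status = self.unknown_as
        if status is Status.WHITE:
            return "allow"
        if status is Status.GRAY:
            return "restrict:" + self.gray_policy
        return "reject"


# Constructed sample identifiers, not taken from the patent.
PEI_PHONE = "imei-000000000000001"
PEI_GRAY = "imei-000000000000002"
PEI_NEW = "imei-000000000000003"
SUPI_OWNER = "imsi-001010000000001"
SUPI_OTHER = "imsi-001010000000002"


def demo() -> dict:
    eir = Eir()
    eir.gray.add(PEI_GRAY)           # list provisioning by the BOSS
    eir.bind(PEI_PHONE, SUPI_OWNER)  # first stage: owner binds phone and card
    amf = Amf(eir)
    out = {
        "owner": amf.register(PEI_PHONE, SUPI_OWNER),
        # Second device presenting the same PEI with a different card:
        "same_pei_other_supi": amf.register(PEI_PHONE, SUPI_OTHER),
        # A PEI-only lookup cannot tell the two devices apart:
        "pei_only_view": eir.check_pei_only(PEI_PHONE).value,
        "gray_before_bind": amf.register(PEI_GRAY, SUPI_OTHER),
        "never_provisioned": amf.register(PEI_NEW, SUPI_OTHER),
    }
    eir.bind(PEI_GRAY, SUPI_OTHER)   # binding lifts the gray-list restriction
    out["gray_after_bind"] = amf.register(PEI_GRAY, SUPI_OTHER)
    return out


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:22s} {decision}")
```

The `same_pei_other_supi` and `pei_only_view` cases correspond to the duplicated-PEI example given earlier: the list lookup alone reports the PEI as whitelisted, and only the pair check separates the bound phone from the copy.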
The scheme of this embodiment can assist operators in implementing machine-card binding, thereby restricting machine-card separation for contract phones, restricting illegally copied terminals from accessing the 5G network, and prohibiting the SIM cards of other operators from being used in a contract phone after the contract phone is sold.
From the description of the above embodiments, it will be clear to a person skilled in the art that the method according to the above embodiments may be implemented by means of software plus the necessary general hardware platform, but of course also by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method according to the embodiments of the present invention.
Example 2
The embodiment also provides a device for limiting the separation of the machine and the card, which is used for realizing the above embodiment and the preferred implementation, and the description is omitted. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
Fig. 6 is a block diagram of an apparatus for limiting card separation according to an embodiment of the present invention, applied to a first network element, as shown in fig. 6, where the apparatus includes:
a receiving module 60, configured to receive a network registration request sent by a target terminal, where the network registration request carries a first identifier and a second identifier, the first identifier is a device identifier of the target terminal, the second identifier is a card identifier of a SIM card, and the SIM card is built in the target terminal;
a judging module 62, configured to judge whether the target terminal is a legal terminal according to the first identifier and the second identifier;
and a limiting module 64, configured to limit the target terminal to access the network if the target terminal is an illegal terminal.
Optionally, the apparatus further includes: and the permission module is used for permitting the target terminal to access the network if the target terminal is a legal terminal after the judging module judges whether the target terminal is the legal terminal according to the first identifier and the second identifier.
Optionally, the judging module includes: a generating unit, configured to generate a device check request using the first identifier and the second identifier; a sending unit, configured to send the device checking request to a second network element, where the second network element is configured to check whether a binding relationship exists between the first identifier and the second identifier in a database; the receiving unit is used for receiving a verification result returned by the second network element based on the equipment verification request, wherein the verification result is used for indicating whether the first identifier and the second identifier have a binding relationship or not; the determining unit is used for determining that the target terminal is a legal terminal if the verification result indicates that the first identifier and the second identifier have a binding relationship; and if the verification result indicates that the first identifier and the second identifier have no binding relation, determining that the target terminal is an illegal terminal.
Optionally, the limiting module includes: the first limiting unit is used for completely limiting the target terminal to access the network if the target terminal is a blacklist terminal; and the second limiting unit is used for determining a limiting access strategy matched with the gray list if the target terminal is the gray list terminal, and limiting the target terminal to access the network according to the limiting access strategy.
Fig. 7 is a block diagram of another device for limiting card separation according to an embodiment of the present invention, applied to a second network element, as shown in fig. 7, where the device includes:
a first receiving module 70, configured to receive an equipment checking request sent by a first network element, where the equipment checking request carries a first identifier and a second identifier, the first identifier is an equipment identifier of a target terminal, the second identifier is a card identifier of a SIM card, and the SIM card is built in the target terminal;
a query module 72, configured to query a database for whether a binding relationship exists between the first identifier and the second identifier, to obtain a verification result, where the verification result is used to indicate whether a binding relationship exists between the first identifier and the second identifier;
a return module 74, configured to return the verification result to the first network element.
Optionally, the query module includes: a first query unit, used for querying the first identifier in a white list; a second query unit, used for judging, if the white list hits the first identifier, whether the first identifier and the second identifier hit in a preset machine-card combination; and a generation unit, used for generating a first check result if the first identifier and the second identifier hit in the preset machine-card combination, wherein the first check result is used for indicating that a binding relationship exists between the first identifier and the second identifier.
Optionally, the apparatus further comprises: the second receiving module is configured to receive a binding request sent by a third network element before the first receiving module receives an equipment checking request sent by a first network element, where the binding request carries the first identifier and the second identifier; and the writing module is used for responding to the binding request and writing the binding relation between the first identifier and the second identifier in the database.
FIG. 8 is a block diagram of another system for limiting card separation according to an embodiment of the invention, the system comprising: a first network element 80, a second network element 82 and a third network element 84, wherein the first network element 80 is connected to a target terminal and the second network element 82, and is configured to perform the steps in any of the method embodiments above; the second network element 82 is connected to the first network element 80 and the third network element 84, and is configured to perform the steps in any of the method embodiments described above; the third network element 84 is connected to the second network element 82, and is configured to send a binding request to the second network element, so that the second network element writes the binding relationship between the first identifier and the second identifier in the database.
It should be noted that each of the above modules may be implemented by software or hardware, and for the latter, it may be implemented by, but not limited to: the modules are all located in the same processor; alternatively, the above modules may be located in different processors in any combination.
Example 3
An embodiment of the invention also provides a storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the method embodiments described above when run.
Alternatively, in the present embodiment, the above-described storage medium may be configured to store a computer program for performing the steps of:
S1, receiving a network registration request sent by a target terminal, wherein the network registration request carries a first identifier and a second identifier, the first identifier is a device identifier of the target terminal, the second identifier is a card identifier of a SIM card, and the SIM card is arranged on the target terminal;
S2, judging whether the target terminal is a legal terminal or not according to the first identifier and the second identifier;
S3, if the target terminal is an illegal terminal, limiting the target terminal to access the network.
Optionally, in the present embodiment, the storage medium may include, but is not limited to: a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or other various media capable of storing a computer program.
An embodiment of the invention also provides an electronic device comprising a memory having stored therein a computer program and a processor arranged to run the computer program to perform the steps of any of the method embodiments described above.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, where the transmission device is connected to the processor, and the input/output device is connected to the processor.
Alternatively, in the present embodiment, the above-described processor may be configured to execute the following steps by a computer program:
S1, receiving a network registration request sent by a target terminal, wherein the network registration request carries a first identifier and a second identifier, the first identifier is a device identifier of the target terminal, the second identifier is a card identifier of a SIM card, and the SIM card is arranged on the target terminal;
S2, judging whether the target terminal is a legal terminal or not according to the first identifier and the second identifier;
S3, if the target terminal is an illegal terminal, limiting the target terminal to access the network.
Alternatively, specific examples in this embodiment may refer to examples described in the foregoing embodiments and optional implementations, and this embodiment is not described herein.
It will be appreciated by those skilled in the art that the modules or steps of the invention described above may be implemented in a general purpose computing device, they may be concentrated on a single computing device, or distributed across a network of computing devices, they may alternatively be implemented in program code executable by computing devices, so that they may be stored in a memory device for execution by computing devices, and in some cases, the steps shown or described may be performed in a different order than that shown or described, or they may be separately fabricated into individual integrated circuit modules, or multiple modules or steps within them may be fabricated into a single integrated circuit module for implementation. Thus, the present invention is not limited to any specific combination of hardware and software.
The above description is only of the preferred embodiments of the present invention and is not intended to limit the present invention, but various modifications and variations can be made to the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the principle of the present invention should be included in the protection scope of the present invention.

Claims (12)

1. A method for limiting card separation, applied to a first network element, comprising:
receiving a network registration request sent by a target terminal, wherein the network registration request carries a first identifier and a second identifier, the first identifier is a device identifier of the target terminal, the second identifier is a card identifier of a SIM card, and the SIM card is arranged on the target terminal;
judging whether the target terminal is a legal terminal or not according to the first identifier and the second identifier;
and if the target terminal is an illegal terminal, limiting the target terminal to access the network.
2. The method of claim 1, wherein after determining whether the target terminal is a legitimate terminal based on the first and second identifications, the method further comprises:
and if the target terminal is a legal terminal, allowing the target terminal to access the network.
3. The method of claim 1, wherein determining whether the target terminal is a legitimate terminal based on the first and second identifications comprises:
generating a device check request using the first identifier and the second identifier;
sending the equipment checking request to a second network element, wherein the second network element is used for checking whether the first identifier and the second identifier have a binding relationship in a database;
receiving a verification result returned by the second network element based on the equipment verification request, wherein the verification result is used for indicating whether a binding relationship exists between the first identifier and the second identifier;
if the verification result indicates that the binding relationship exists between the first identifier and the second identifier, determining that the target terminal is a legal terminal; and if the verification result indicates that the first identifier and the second identifier have no binding relation, determining that the target terminal is an illegal terminal.
4. The method of claim 1, wherein restricting access of the target terminal to the network if the target terminal is an illegitimate terminal comprises:
if the target terminal is a blacklist terminal, completely limiting the target terminal from accessing a network;
And if the target terminal is a gray list terminal, determining a restricted access strategy matched with the gray list, and restricting the target terminal to access the network according to the restricted access strategy.
5. A method for limiting set-card separation, characterized by being applied to a second network element, comprising:
receiving an equipment checking request sent by a first network element, wherein the equipment checking request carries a first identifier and a second identifier, the first identifier is an equipment identifier of a target terminal, the second identifier is a card identifier of a SIM card, and the SIM card is arranged in the target terminal;
inquiring whether a binding relation exists between the first identifier and the second identifier in a database to obtain a checking result, wherein the checking result is used for indicating whether the binding relation exists between the first identifier and the second identifier;
and returning the check result to the first network element.
6. The method of claim 5, wherein querying a database for whether a binding relationship exists between the first identifier and the second identifier, and obtaining a verification result comprises:
querying the first identifier in a white list;
if the white list hits the first identifier, judging whether the first identifier and the second identifier hit in a preset machine-card combination;
if the first identifier and the second identifier hit in the preset machine-card combination, generating a first check result, wherein the first check result is used for indicating that a binding relationship exists between the first identifier and the second identifier.
7. The method of claim 5, wherein prior to receiving the device check request sent by the first network element, the method further comprises:
receiving a binding request sent by a third network element, wherein the binding request carries the first identifier and the second identifier;
and responding to the binding request, and writing the binding relation between the first identifier and the second identifier in the database.
8. The device for limiting the separation of the machine card is characterized by being applied to a first network element and comprising the following components:
the receiving module is used for receiving a network registration request sent by a target terminal, wherein the network registration request carries a first identifier and a second identifier, the first identifier is a device identifier of the target terminal, the second identifier is a card identifier of a SIM card, and the SIM card is arranged on the target terminal;
The judging module is used for judging whether the target terminal is a legal terminal or not according to the first identifier and the second identifier;
and the limiting module is used for limiting the target terminal to access the network if the target terminal is an illegal terminal.
9. A device for limiting card separation, the device being applied to a second network element, comprising:
the device comprises a first receiving module, a second receiving module and a first network element, wherein the first receiving module is used for receiving a device checking request sent by the first network element, the device checking request carries a first identifier and a second identifier, the first identifier is a device identifier of a target terminal, the second identifier is a card identifier of a SIM card, and the SIM card is arranged on the target terminal;
the query module is used for querying whether the first identifier and the second identifier have a binding relationship in a database to obtain a verification result, wherein the verification result is used for indicating whether the first identifier and the second identifier have the binding relationship;
and the return module is used for returning the check result to the first network element.
10. A system for limiting card separation, comprising: a first network element, a second network element and a third network element, wherein,
the first network element, connected to the target terminal and the second network element, for performing the method of any of claims 1 to 4;
The second network element, connected to the first network element and the third network element, for performing the method of any of the claims 5 to 7;
the third network element is connected with the second network element and is used for sending a binding request to the second network element so that the second network element writes the binding relation between the first identifier and the second identifier in a database.
11. A storage medium having a computer program stored therein, wherein the computer program is arranged to perform the method of any of claims 1 to 7 when run.
12. An electronic device comprising a memory and a processor, characterized in that the memory has stored therein a computer program, the processor being arranged to run the computer program to perform the method of any of the claims 1 to 7.
CN202210726336.0A 2022-06-23 2022-06-23 Method and device for limiting separation of machine and card, system, storage medium and electronic device Pending CN117319987A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202210726336.0A CN117319987A (en) 2022-06-23 2022-06-23 Method and device for limiting separation of machine and card, system, storage medium and electronic device
PCT/CN2023/090594 WO2023246286A1 (en) 2022-06-23 2023-04-25 Method, apparatus and system for restricting set-card separation, and storage medium and electronic apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210726336.0A CN117319987A (en) 2022-06-23 2022-06-23 Method and device for limiting separation of machine and card, system, storage medium and electronic device

Publications (1)

Publication Number Publication Date
CN117319987A true CN117319987A (en) 2023-12-29

Family

ID=89241326

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210726336.0A Pending CN117319987A (en) 2022-06-23 2022-06-23 Method and device for limiting separation of machine and card, system, storage medium and electronic device

Country Status (2)

Country Link
CN (1) CN117319987A (en)
WO (1) WO2023246286A1 (en)

Also Published As

Publication number Publication date
WO2023246286A1 (en) 2023-12-28

Legal Events

Date Code Title Description
PB01 Publication