CN1297155C - Authentication method for user of global mobile communication system when roaming to CDMA network - Google Patents

Publication number: CN1297155C
Authority: CN (China)
Application number: CN 03141257
Other versions: CN1568037A
Other languages: Chinese (zh)
Inventor: 邹锋哨
Original Assignee: 华为技术有限公司
Application filed by 华为技术有限公司; application published as CN1568037A; granted and published as CN1297155C
Prior art keywords: authentication, rand, cdma, gsm, sres

Abstract

The invention discloses an authentication method for a Global System for Mobile Communications (GSM) subscriber roaming to a Code Division Multiple Access (CDMA) network. In this method, the interworking and interoperability function (IIF) stores the identity key (Ki) of each GSM subscriber mobile station (MS) that needs to roam to the CDMA network; an adaptation algorithm converts between CDMA authentication parameters and GSM authentication parameters, and authentication is performed using the CDMA authentication procedure together with the GSM authentication algorithm. When the new service of GSM subscribers roaming to a CDMA network is launched, the method authenticates with the subscriber's existing GSM SIM card, so the operator does not have to issue a new subscriber identity module to GSM subscribers. It also requires no modification of existing GSM or CDMA network equipment, is simple to implement, and makes the service easier to operate.

Description

Authentication method for a GSM subscriber roaming to a CDMA network

Technical Field

The invention relates to authentication in mobile communication systems, and in particular to an authentication method for a Global System for Mobile Communications (GSM) subscriber roaming to a Code Division Multiple Access (CDMA) network.

Background

In a mobile communication system, a mobile station that wants to access the system must first be authenticated; only legitimate subscribers that pass authentication can access the network.

In a GSM network, authentication of a GSM subscriber involves the common authentication algorithms A3/A8 and the identity key (Ki), a parameter unique to the MS and the network. Ki is generated and written to the SIM card when the card is produced; when the GSM subscriber's account is opened in the HLR/AuC, the same Ki as in the SIM card must be stored there. Ki must not be transmitted over the air interface.

The network side authenticates the MS in the following steps:

1. The HLR/AuC generates a random number RAND and, from Ki and RAND, computes the signed response (SRES) and the cipher key (Kc) using the A3/A8 algorithms.

2. The network side sends the random number RAND to the MS in an authentication request message.

3. On receiving RAND, the MS likewise computes SRES and Kc from RAND and Ki using the A3/A8 algorithms and returns SRES to the network side; Kc does not need to be transmitted over the air interface. SRES = A3(RAND, Ki); Kc = A8(RAND, Ki), where SRES is 32 bits, Kc is 64 bits, RAND is 128 bits, and Ki is 32 bits.

4. On receiving the SRES sent by the MS, the network side compares it with the SRES it computed itself; if they are equal the MS is a legitimate subscriber, otherwise it is not.

In a CDMA network, authentication of a CDMA subscriber involves a common subscriber authentication and voice encryption algorithm (CAVE) and the authentication key (AKey), a parameter unique to the mobile station (MS) and the network. AKey is generated and written to the R-UIM card when the card is produced; when the CDMA subscriber's account is opened in the HLR/AC, the same AKey as in the R-UIM card must be stored there. Through the shared secret data (SSD) update procedure, SSD is generated from AKey and an authentication random number (RANDSSD); SSD is one of the most important CDMA authentication parameters and can only be generated dynamically. AKey and SSD must not be transmitted over the air interface.

When a subscriber accesses the system for the first time, an SSD update must be performed first so that the SSD in the HLR/AC and in the R-UIM card agree; otherwise authentication cannot succeed. After a successful SSD update, the network must authenticate the subscriber whenever the subscriber accesses the system again. Because the authentication parameters in the HLR/AC and in the R-UIM card are identical, the same algorithm should produce the same result on both sides; if it does not, the subscriber is not legitimate.

The network can authenticate a subscriber in two ways. The first is broadcast challenge authentication, which requires the base station (BS) system to support it. The MS is authenticated as follows:

1. The network side periodically broadcasts RAND to all MSs in the cell on the control/paging channel.

2. When the MS needs to access the system, for example for location registration, call origination or a page response, it computes the authentication result (AUTHR) from the RAND currently on the control/paging channel and sends it to the network side in the initial access message.

3. The network side computes AUTHR from RAND and compares it with the AUTHR sent by the MS; if they are equal the MS is a legitimate subscriber, otherwise it is not.

The network side computes AUTHR with the same algorithm as the MS: AUTHR = CAVE(RAND, SSD_A, ESN, AUTHDATA), where AUTHR is 18 bits, RAND is 32 bits, SSD_A is the first 64 bits of SSD, ESN is the electronic serial number, and AUTHDATA is the authentication data. The data used differs with the access type: for a call it is computed from the mobile identification number (MIN) and the called number, while for location registration or a page response it is computed from the MIN only.

The second is unique challenge authentication. The MS is authenticated as follows:

1. The network side generates a unique challenge random number (RANDU), uses it to compute the subscriber's authentication result (AUTHU), and sends RANDU to the MS.

2. On receiving RANDU, the MS also computes AUTHU from RANDU and returns it to the network side.

3. Finally, the network side compares the AUTHU it computed itself with the AUTHU sent by the MS; if they are equal the MS is a legitimate subscriber, otherwise it is not.

This form of authentication can be initiated by the MSC on a control channel or a traffic channel. The algorithm is: AUTHU = CAVE(RANDU, SSD_A, ESN, MIN), where AUTHU is 18 bits, RANDU is 32 bits, SSD_A is the first 64 bits of SSD, ESN is the electronic serial number, and MIN is the mobile identification number.

At present, adding an interworking and interoperability function (IIF) on the network side makes it possible for GSM-registered subscribers to use services in a CDMA network and for CDMA-registered subscribers to use services in a GSM network. The IIF mainly provides interworking and interoperability between the GSM network and the CDMA network. See Figure 1, a schematic diagram of how the IIF connects to the GSM network and the CDMA network.

In the CDMA core network 110, which follows the American National Standards Institute 41 series of protocols (ANSI-41), the CDMA authentication center (AC) 111 is connected to the home location register (HLR) 113 through the H interface, and the short message center (MC) 112 is connected to the HLR through the N interface. MC 112, HLR 113, the visitor location register (VLR) 114 and the mobile switching center (MSC) 115 are connected to the IIF through the Q, D, D and E interfaces respectively.

In the GSM Mobile Application Part (MAP) core network 130, the GSM short message service center (SMS-SC) 132 is connected to the GSM short message service interworking MSC (SMS-IWMSC) 131 and to the GSM short message service gateway MSC (SMS-GMSC) 133; the GSM authentication center (AuC) 135 is connected to HLR 134 through the H interface; and SMS-IWMSC 131, SMS-GMSC 133, HLR 134, VLR 136, MSC 137 and the serving GPRS support node (SGSN) 138 are connected to the IIF through the E, E, D, D, E and Gr interfaces respectively.

IIF 120 sits between the GSM MAP core network and the ANSI-41 core network and converts between ANSI-41 signaling and GSM MAP signaling.

When a GSM-registered subscriber roams to a CDMA network with a dual-mode terminal, the subscriber is said to be in CDMA foreign mode. In this case, to the CDMA network the IIF appears as the subscriber's CDMA HLR, and to the GSM network the IIF appears as the GSM VLR serving this subscriber.

A GSM subscriber in CDMA foreign mode must be authenticated by the CDMA network; only after successful authentication is the GSM subscriber allowed to access the CDMA network and use its resources. For a service that lets GSM subscribers use CDMA network resources, authentication is one of the most critical parts of the design.

When the GSM network is connected to the CDMA network through the IIF, neither the GSM network authentication method nor the CDMA network authentication method described above can authenticate a GSM subscriber roaming to the CDMA network. An authentication method for GSM subscribers roaming to a CDMA network was therefore introduced. Because the IIF has CDMA HLR functionality, the GSM subscriber's CDMA authentication subscription data, the A-Key, must be registered in the IIF or the AC. This is generally done by inserting a standard CDMA R-UIM card into the GSM terminal, or by using in the terminal a new type of dual-mode card that stores both Ki and the A-Key. A GSM subscriber in CDMA foreign mode then uses the standard CDMA authentication procedure, including SSD update and authentication; the home network's GSM HLR does not need to take part in the authentication process.

See Figure 2, a flow diagram of prior-art authentication of a GSM subscriber roaming to a CDMA network. The GSM subscriber's terminal has a CDMA R-UIM card inserted, so the subscriber is also a CDMA subscriber. When the CDMA subscriber's account is opened in the HLR/AC, the same AKey as in the R-UIM card is stored; through the SSD update procedure, SSD can be generated from AKey and RAND. When the subscriber accesses the system for the first time, an SSD update must be performed first so that the SSD in the HLR/AC and in the R-UIM card agree. The basic authentication flow when the GSM subscriber roams to the CDMA network then comprises the following steps:

Step 201: The MS computes AUTHR from SSD and RAND.

Step 202: The MS sends AUTHR to the MSC/VLR of the CDMA network.

Step 203: The MSC/VLR sends an authentication request (AUTHREQ) message to the IIF.

Step 204: On receiving the authentication request message, the IIF forwards the authentication request to the AC of the CDMA network.

Step 205: The AC of the CDMA network computes AUTHR from SSD and RAND and compares it with the AUTHR forwarded by the IIF; if they differ the subscriber is not legitimate, otherwise the subscriber is legitimate.

Step 206: The AC of the CDMA network returns to the IIF an authentication response (authreq) message containing the authentication result.

Step 207: The IIF forwards the authentication result to the MSC/VLR of the CDMA network.

Step 208: The MSC/VLR acts on the authentication result, admitting a legitimate subscriber and clearing an illegitimate one.

The above authentication method for GSM subscribers roaming to a CDMA network requires a new subscriber identity module for the GSM terminal, generally by inserting a standard CDMA R-UIM card into the GSM terminal or by using in the terminal a new type of dual-mode card that stores both Ki and the A-Key. The operator therefore has to issue a subscriber identity module again to every GSM subscriber who has applied for roaming to the CDMA network. Delivering a new service to subscribers in this way is relatively complicated, requires the subscriber's cooperation, and hinders adoption of the service.

Summary of the Invention

In view of this, the object of the invention is to provide an authentication method for a Global System for Mobile Communications (GSM) subscriber roaming to a Code Division Multiple Access (CDMA) network which, when the new service of GSM subscribers roaming to a CDMA network is launched, spares the operator from issuing new subscriber identity modules to GSM subscribers and makes the service easier to operate.

To achieve the above object, the technical solution of the invention is implemented as follows: an authentication method for a Global System for Mobile Communications (GSM) subscriber roaming to a Code Division Multiple Access (CDMA) network, the method comprising:

1) The interworking and interoperability function (IIF) stores the identity key (Ki) of each GSM subscriber mobile station (MS) that needs to roam to the CDMA network. The CDMA network authenticates the GSM subscriber by broadcast challenge authentication and unique challenge authentication, wherein:

2) The broadcast challenge authentication process comprises the following steps:

21) The MS receives the CDMA authentication random number (C-RAND) broadcast by the CDMA base station controller (BSC), converts C-RAND into a GSM authentication random number (G-RAND), and computes the signed response (SRES) and the cipher key (Kc) from G-RAND and the Ki stored in the MS; it then converts SRES into a CDMA authentication result and sends it to the BSC.

22) The BSC sends C-RAND and the CDMA authentication result to the CDMA mobile switching center (MSC)/visitor location register (VLR).

23) The MSC/VLR sends the IIF an authentication request containing C-RAND and the CDMA authentication result.

24) The IIF converts the received C-RAND into G-RAND and computes SRES and Kc from G-RAND and the Ki of this MS stored in the IIF; it then converts SRES into a CDMA authentication result and compares the converted CDMA authentication result with the received one, completing the broadcast challenge authentication.

3) The unique challenge authentication process comprises the following steps:

31) The CDMA MSC/VLR sends the IIF an authentication request for a GSM MS that presented no authentication parameters.

32) In response to the authentication request, the IIF generates an authentication random number (C-RAND), converts it into G-RAND, and computes SRES and Kc from G-RAND and the Ki of this MS stored in the IIF; it then converts SRES into a CDMA authentication result.

33) The IIF returns to the MSC/VLR an authentication response containing C-RAND and the CDMA authentication result.

34) The MSC/VLR stores the CDMA authentication result and, through the BSC, sends the MS a unique challenge authentication request containing C-RAND.

35) The MS converts the received C-RAND into G-RAND and computes SRES and Kc from G-RAND and the Ki stored in the MS; it then converts SRES into a CDMA authentication result and returns that result in the authentication response, through the BSC, to the MSC/VLR.

36) The MSC/VLR compares the received CDMA authentication result with the one stored in step 34), completing the unique challenge authentication.

Step 34) may further comprise: after receiving the authentication response returned by the IIF, the MSC/VLR first has a traffic channel assigned through the BSC, and sends the unique challenge authentication request only after the traffic channel has been assigned successfully.

The traffic channel may be assigned as follows: the MSC/VLR sends an assignment request to the BSC; the BSC assigns a traffic channel according to the assignment request and returns an assignment response to the MSC/VLR.

The CDMA authentication random number in steps 21) to 24) may be the broadcast authentication random number; the CDMA authentication random number in steps 32) to 36) may be the unique challenge authentication random number.

C-RAND may be converted into G-RAND as follows: C-RAND is put through an operation and the result is filled into G-RAND; or C-RAND together with the international mobile subscriber identity (IMSI) and/or the electronic serial number (ESN) is put through an operation and the result is filled into G-RAND. For example: C-RAND is placed at a fixed position in G-RAND and the remaining positions of G-RAND are filled with a predetermined number and/or the IMSI; or the remaining positions of G-RAND are filled with a predetermined number and/or the ESN.

The method of computing SRES and Kc from G-RAND and the Ki stored in the MS may be the same as the method of computing SRES and Kc from G-RAND and the Ki of this MS stored in the IIF, namely: SRES and Kc are computed from G-RAND and Ki using the A3/A8 algorithms.

SRES may be converted into the CDMA authentication result as follows: the CDMA authentication result is taken from a fixed position in SRES; or SRES is put through an operation and the CDMA authentication result is taken from a fixed position in the output; or SRES together with Kc and/or the IMSI and/or the ESN is put through an operation and the CDMA authentication result is taken from a fixed position in the output.

As the technical solution shows, when the new service of GSM subscribers roaming to a CDMA network is launched, this authentication method authenticates with the subscriber's existing GSM SIM card, so the operator does not have to issue a new subscriber identity module to GSM subscribers. It also requires no modification of existing GSM or CDMA network equipment, is simple to implement, and makes the service easier to operate.

Brief Description of the Drawings

Figure 1 is a schematic diagram of how the IIF connects to the GSM network and the CDMA network.
Figure 2 is a flow diagram of prior-art authentication of a GSM subscriber roaming to a CDMA network.
Figure 3 is a flow diagram of broadcast authentication in the first preferred embodiment of the invention.
Figure 4 is a schematic diagram of the MS generating AUTHR in the embodiment shown in Figure 3.
Figure 5 is a flow diagram of unique challenge authentication in the second preferred embodiment of the invention.

Detailed Description

To make the object, technical solution and advantages of the invention clearer, the invention is described in further detail below with reference to embodiments and the drawings.

Based on a comparison of GSM network authentication parameters with CDMA network authentication parameters, the invention uses an adaptation algorithm to convert between CDMA authentication parameters and GSM authentication parameters and so perform authentication.

See Table 1, which compares GSM network authentication parameters with CDMA network authentication parameters.

Table 1

As Table 1 shows, the CDMA authentication procedure cannot carry the GSM authentication parameters in full. Adaptation through an algorithm can therefore be considered: algorithm Fa converts the 32-bit CDMA RAND or RANDU (C-RAND for short) into a 128-bit RAND (G-RAND for short), and algorithm Fb converts the 32-bit GSM SRES into the 18-bit CDMA AUTHR or AUTHU (C-AUTH for short). The correspondence is:

G-RAND = Fa(C-RAND)
C-AUTH = Fb(SRES)

Algorithms Fa and Fb may also take subscriber information as input parameters, such as the MIN, the ESN, or certain bytes of the called number (all ones may be used when there is no called number), but are not limited to these parameters. Algorithm Fa may put C-RAND through an operation and fill the result into G-RAND, or put C-RAND together with the international mobile subscriber identity (IMSI) and/or the electronic serial number (ESN) through an operation and fill the result into G-RAND.

For example: C-RAND is placed at a fixed position in G-RAND and the remaining positions of G-RAND are filled with a predetermined number and/or the IMSI; or the remaining positions of G-RAND are filled with a predetermined number and/or the ESN.

Algorithm Fb may take the CDMA authentication result from a fixed position in SRES; or put SRES through an operation and take the CDMA authentication result from a fixed position in the output; or put SRES together with Kc and/or the IMSI and/or the ESN through an operation and take the CDMA authentication result from a fixed position in the output.

In the invention, the IIF acts as the HLR/AC for GSM-registered subscribers in CDMA foreign mode and stores Ki and the authentication algorithms A3/A8. When an account is opened in the IIF for a GSM subscriber who needs to roam to the CDMA network, the mapping between the international mobile subscriber identity (IMSI) and Ki is stored in the IIF's database.

The authentication method of the invention comprises a broadcast challenge authentication process and a unique challenge authentication process. A preferred embodiment of each is described in detail below.

The first preferred embodiment is a call origination flow with broadcast challenge authentication. Its authentication flow is no different from the ordinary CDMA broadcast authentication flow, but it uses the GSM authentication algorithm and adds the two functions Fa and Fb. See Figure 3, a flow diagram of broadcast authentication in the first preferred embodiment of the invention. The flow comprises the following steps:

Step 301: The BSC broadcasts the broadcast authentication random number C-RAND on the paging/control channel.

Step 302: The MS first converts the received C-RAND into G-RAND with algorithm Fa, computes SRES and Kc from G-RAND and the Ki stored in the MS using the A3/A8 algorithms in the MS's SIM card, and then converts SRES into the authentication result AUTHR with algorithm Fb.

Step 303: The MS sends the BSC an origination request containing AUTHR.

Step 304: On receiving the origination request, the BSC sends the MSC/VLR a service request (CM Service Request) containing C-RAND and AUTHR.

Step 305: On receiving the service request, the MSC/VLR sends the IIF an authentication request (AUTHREQ) containing C-RAND and AUTHR.

Step 306: On receiving the authentication request message, the IIF first converts C-RAND into G-RAND with algorithm Fa, computes SRES and Kc from G-RAND and the Ki of this MS stored in the IIF using the A3/A8 algorithms, and then converts SRES into AUTHR with algorithm Fb. It compares the computed AUTHR with the AUTHR that the MSC/VLR sent in the authentication request. If they are equal, the subscriber is legitimate and access is allowed; otherwise the subscriber is not legitimate and access is refused.

Step 307: The IIF returns to the MSC/VLR an authentication response (authreq) indicating whether the subscriber is allowed access.

Step 308: On receiving the authentication response message, the MSC/VLR continues call processing or clears the call, depending on whether the subscriber is allowed access.

Step 302 is the process by which the MS generates AUTHR; step 306 includes the process by which the IIF generates AUTHR. Figure 4 is a schematic diagram of the MS generating AUTHR in the embodiment shown in Figure 3. It involves three algorithms: first, in the mobile equipment (ME) of the MS, algorithm Fa converts the 32-bit C-RAND into the 128-bit G-RAND; then the A3/A8 algorithms in the SIM card compute the 32-bit SRES and Kc from G-RAND and Ki; finally, in the ME, algorithm Fb converts the 32-bit SRES into the 18-bit AUTHR. The IIF generates AUTHR with the same algorithm as shown in Figure 4, except that the Ki and the A3/A8 algorithms it uses are stored in the IIF in advance.

In this embodiment Fa uses a fairly simple algorithm: C-RAND is placed in the first 32 bits of G-RAND, and the other bits of G-RAND may be filled with all ones. Fb is also fairly simple: the first 18 bits of the 32-bit SRES are taken as AUTHR. In practical applications, algorithms Fa and Fb may take the MIN, the ESN, or certain bytes of the called number (all ones may be used when there is no called number) as input parameters and use a more complex algorithm for the conversion.

This embodiment is a call origination flow; the authentication flows for location registration and page response are similar.

The second preferred embodiment is a unique challenge authentication call origination flow. In its authentication flow this embodiment does not differ from the ordinary CDMA unique authentication flow, but it uses the GSM authentication algorithm and adds the two functions Fa and Fb. See Figure 5, a schematic diagram of the unique authentication flow of the second preferred embodiment of the invention. The flow includes the following steps:

Step 501: The MS accesses the network without authentication parameters, and the MSC/VLR sends an authentication request (AUTHREQ) to the IIF for this MS.

Step 502: After receiving the authentication request message and finding that it carries no authentication parameters, the IIF generates the random number RANDU (C-RAND), converts C-RAND into G-RAND using algorithm Fa, and computes SRES and Kc from G-RAND and the Ki of this MS stored in the IIF using the A3/A8 algorithm; it then converts SRES into the CDMA authentication result (AUTHU) using algorithm Fb.

Step 503: The IIF returns to the MSC/VLR an authentication response (authreq) containing RANDU and AUTHU, instructing the MSC/VLR to initiate unique challenge authentication.

Step 504: After receiving the authentication response message and finding that it contains RANDU and AUTHU, the MSC/VLR saves AUTHU.

Step 505: The MSC/VLR sends an assignment request (Assignment Request) to the BSC to assign a traffic channel.

Step 506: After receiving the assignment request, the BSC assigns a traffic channel and returns an assignment response (Assignment Response).

Step 507: After the traffic channel has been assigned successfully, the MSC/VLR sends the BSC a unique challenge authentication request (Authentication Request) containing RANDU.

Step 508: The BSC sends the received unique challenge authentication request (Authentication Request) to the MS.

Step 509: After receiving the unique challenge authentication request message, the MS obtains the random number RANDU (C-RAND), converts C-RAND into G-RAND using algorithm Fa, computes SRES and Kc using the A3/A8 algorithm in the SIM card, and then converts SRES into AUTHU using algorithm Fb.

Step 510: The MS returns to the BSC a unique authentication response containing AUTHU.

Step 511: The BSC returns the received unique challenge authentication response containing AUTHU to the MSC/VLR.

Step 512: After receiving the response to the unique challenge authentication request, the MSC/VLR obtains AUTHU and compares it with the AUTHU saved in step 504 to determine whether the results match. If they match, the user is legitimate; otherwise the user is illegitimate.

Step 513: The MSC/VLR reports the comparison result to the IIF in an authentication status report (ASREPORT).

Step 514: After receiving the authentication status report, the IIF decides, based on the comparison result, whether to allow the user access, and returns to the MSC/VLR an authentication status report response (asreport) containing the information on whether access is allowed.

Step 515: After receiving the authentication status report response message, the MSC/VLR continues access processing or clears the user's access according to the information on whether access is allowed.

Here, step 502 is the process by which the IIF generates AUTHU, and step 509 is the process by which the MS generates AUTHU. In this embodiment, the process by which the MS generates AUTHU in step 509 is the same as the process by which the MS generates AUTHR in step 302 of Figure 3; the process by which the IIF generates AUTHU in step 502 is the same as the process by which the IIF generates AUTHR in step 306 of Figure 3; algorithms Fa and Fb may also be the same as in the first preferred embodiment.

This embodiment is a call origination flow; the authentication flow for page response is similar.

In both embodiments above, the IIF prohibits SSD update operations for GSM users roaming to the CDMA network.

In addition, the invention can also be implemented as follows. As in the two embodiments above, the IIF first stores the identity key (Ki) of each GSM user mobile station (MS) that needs to roam to the CDMA network, and the IIF is also capable of executing the GSM A3/A8 algorithm. Then, in the SSD update flow, SSD is generated using Ki. Finally, in the broadcast challenge and unique challenge authentication flows, the GSM MS is authenticated by the CMSC or AuC just like an ordinary CDMA terminal.

The method of generating SSD from Ki is similar to the method of generating AUTHR or AUTHU from Ki in the two authentication flows above.

The process of generating SSD from Ki includes the following steps:

1. The IIF generates a random number RANDSSD and converts it into G-RAND using algorithm Fa; it computes SRES and Kc with the A3/A8 algorithm from G-RAND and the Ki, stored in the IIF, of the GSM MS undergoing the SSD update; it then converts SRES into SSD using algorithm Fb.

2. The IIF sends RANDSSD to the GSM MS through the CDMA MSC/VLR.

3. The GSM MS converts RANDSSD into G-RAND using algorithm Fa, computes SRES and Kc using the A3/A8 algorithm in the SIM card, and then converts SRES into SSD using algorithm Fb.

4. The GSM MS generates SSD update confirmation information and sends it to the IIF through the CDMA MSC/VLR.

In this way, the GSM MS can be authenticated by the CMSC or AuC using the SSD parameter, just like an ordinary CDMA terminal.

As the three embodiments above show, when the new service of GSM users roaming to a CDMA network is launched, the authentication method of the invention for Global System for Mobile Communications (GSM) users roaming to a Code Division Multiple Access (CDMA) network adds no new authentication flow for users in GSM foreign mode and does not replace or modify the GSM subscriber identity module (SIM). Authentication uses the GSM user's existing SIM card, so the operator does not have to issue new subscriber identity modules to GSM users. At the same time, existing GSM and CDMA network equipment does not need to be modified, which makes the method simple to implement and makes the service easier to operate.

Claims (8)

1. An authentication method for a Global System for Mobile Communications (GSM) user roaming to a Code Division Multiple Access (CDMA) network, characterized in that the method comprises:
1) an interworking and interoperability function entity (IIF) stores the identity key Ki of the GSM user mobile station (MS) that needs to roam to the CDMA network; the ways in which the CDMA network authenticates the GSM user comprise broadcast challenge authentication and unique challenge authentication, wherein
2) the broadcast challenge authentication process comprises the following steps:
21) the MS receives the CDMA authentication random number C-RAND broadcast by the CDMA base station controller (BSC), converts C-RAND into the GSM authentication random number G-RAND, and computes the signed response SRES and the key Kc from G-RAND and the Ki stored in the MS; it then converts SRES into a CDMA authentication result and sends it to the BSC;
22) the BSC sends C-RAND and the CDMA authentication result to the CDMA mobile switching center (MSC)/visitor location register (VLR);
23) the MSC/VLR sends the IIF an authentication request containing C-RAND and the CDMA authentication result;
24) the IIF converts the received C-RAND into G-RAND, and computes SRES and Kc from G-RAND and the Ki of this MS stored in the IIF; it then converts SRES into a CDMA authentication result and compares the converted CDMA authentication result with the received CDMA authentication result, completing the broadcast challenge authentication;
3) the unique challenge authentication process comprises the following steps:
31) the CDMA MSC/VLR sends an authentication request to the IIF for a GSM MS that carries no authentication parameters;
32) in response to the authentication request, the IIF generates C-RAND and converts it into G-RAND, and computes SRES and Kc from G-RAND and the Ki of this MS stored in the IIF; it then converts SRES into a CDMA authentication result;
33) the IIF returns to the MSC/VLR an authentication response containing C-RAND and the CDMA authentication result;
34) the MSC/VLR saves the CDMA authentication result and sends the MS, through the BSC, a unique challenge authentication request containing C-RAND;
35) the MS converts the received C-RAND into G-RAND, and computes SRES and Kc from G-RAND and the Ki stored in the MS; it then converts SRES into a CDMA authentication result and returns the authentication result in an authentication response to the MSC/VLR through the BSC;
36) the MSC/VLR compares the received CDMA authentication result with the CDMA authentication result saved in step 34), completing the unique challenge authentication.
2. The authentication method according to claim 1, characterized in that step 34) further comprises: after receiving the authentication response returned by the IIF, the MSC/VLR first has a traffic channel assigned through the BSC, and sends the unique challenge authentication request only after the traffic channel has been assigned successfully.
3. The authentication method according to claim 2, characterized in that the traffic channel is assigned as follows: the MSC/VLR sends an assignment request to the BSC; the BSC assigns a traffic channel according to the assignment request and returns an assignment response to the MSC/VLR.
4. The authentication method according to claim 1, characterized in that: the CDMA authentication random number in steps 21) to 24) is a broadcast authentication random number; the CDMA authentication random number in steps 32) to 36) is a unique challenge authentication random number.
5. The authentication method according to claim 1, characterized in that C-RAND is converted into G-RAND as follows: an operation is performed on C-RAND and the result is filled into G-RAND; or an operation is performed on C-RAND together with the international mobile subscriber identity (IMSI) and/or the electronic serial number (ESN), and the result is filled into G-RAND.
6. The authentication method according to claim 5, characterized in that C-RAND is converted into G-RAND as follows: C-RAND is placed in a fixed position of G-RAND, and the remaining positions of G-RAND are filled with a predetermined number and/or the IMSI; or the remaining positions of G-RAND are filled with a predetermined number and/or the ESN.
7. The authentication method according to claim 1, characterized in that the method of computing SRES and Kc from G-RAND and the Ki stored in the MS is the same as the method of computing SRES and Kc from G-RAND and the Ki of this MS stored in the IIF, namely: SRES and Kc are computed from G-RAND and Ki using the A3/A8 algorithm.
8. The authentication method according to claim 1, characterized in that SRES is converted into the CDMA authentication result as follows: the CDMA authentication result is taken from a fixed position of SRES; or an operation is performed on SRES and the CDMA authentication result is taken from a fixed position of the result; or an operation is performed on SRES together with Kc and/or the IMSI and/or the ESN, and the CDMA authentication result is taken from a fixed position of the result.
CN 03141257 2003-06-10 2003-06-10 Authentication method for user of global mobile communication system when roaming to CDMA network CN1297155C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 03141257 CN1297155C (en) 2003-06-10 2003-06-10 Authentication method for user of global mobile communication system when roaming to CDMA network

Publications (2)

Publication Number Publication Date
CN1568037A CN1568037A (en) 2005-01-19
CN1297155C true CN1297155C (en) 2007-01-24

Family

ID=34470861

Country Status (1)

Country Link
CN (1) CN1297155C (en)

Legal Events

Date Code Title Description
C06 Publication
C10 Request of examination as to substance
C14 Granted