KR19990025776A - Authentification device for mobile telecommunication - Google Patents

Abstract

The present invention relates to an authentication processing apparatus in mobile communication, and when providing a mobile communication service, to reduce the economic loss of the operator due to illegal use of the service or duplication of the terminal, and to ensure the privacy of the subscriber by encrypting the voice and signal To this end, an authentication key is assigned to a subscriber at the time of service subscription, authentication is performed using the authentication key assigned at the time of providing a service, and the service use and terminal duplication are detected using the result of the authentication. By presenting a solution from the above, it is a technology that is economical and involves the effect of increasing the number of mobile subscribers.

Description

Authentication processing device in mobile communication

The present invention relates to an authentication processing apparatus in mobile communication, and when providing a mobile communication service, to reduce the economic loss of the operator due to illegal use of the service or duplication of the terminal, and to ensure the privacy of the subscriber by encrypting the voice and signal To this end, the subscriber assigns an authentication key to the subscriber at the time of service subscription, performs authentication using the authentication key assigned at the time of providing the service, detects the illegal use of the service and the duplication of the terminal by using the authentication result. It relates to an Authentication Center (AC) which presents a solution from illegal use.

Currently, subscribers are provided with inexpensive, various and convenient services by providing mobile communication services.

However, this causes a new problem, which is illegal use of the service and tapping of the call using the characteristics of wireless.

Unlawful use of the service causes a problem of unreasonable billing notice for the subscriber, and serious problems such as image loss and waste of radio resources due to charge disputes with the service provider. In addition, eavesdropping is a privacy violation on the part of the subscriber.

In order to solve this problem, the existing mobile telecommunication operators have been searching for and using various solutions, but ultimately, the use of the authentication processing device has emerged as the most desirable solution.

This authentication processing device should have the capability to minimize the impact on the service by processing the authentication request presented online as quickly as possible, and securely protect the subscriber's private key and authentication algorithm from being exposed to the outside. It should be configured so that subscribers can not redistribute their private keys due to the leakage of information that may be in the network, and furthermore, they do not have the inconvenience of replacing their terminals.

In addition to the simple authentication function as described above, data generated by the authentication process should be audited, and illegal functions and illegal terminals should be detected and a function for solving them.

In addition, it should have easy expansion and modularity so that it can be applied well when system expansion and roaming with other service providers are allowed.

In view of the above-mentioned problems and requirements, the present invention applies each component constituting an authentication processing apparatus configured to be integrated into one hardware (platform) while using an IS-41C communication protocol when allowing service extension and roaming. It is an object of the present invention to provide an authentication processing apparatus that is modularized for each function so as to facilitate this, and which is suitable for high speed authentication processing and secret data security maintenance.

1 is a signal showing a mobile communication network function structure to which the present invention is applied.

2 is a view schematically illustrating an authentication method according to the present invention.

Figure 3 is a block diagram of the authentication processing device implemented by the present invention.

FIG. 4 is a detailed block diagram of the authentication request processing unit shown in FIG.

FIG. 5 is a detailed block diagram of the registration processing unit shown in FIG. 3; FIG.

FIG. 6 is a detailed block diagram of the key management unit shown in FIG. 3; FIG.

FIG. 7 is an internal detailed block diagram of the security policy / audit unit shown in FIG.

8 is a detailed block diagram of the operation management unit shown in FIG.

FIG. 9 is a detailed block diagram of the service management unit shown in FIG. 3; FIG.

FIG. 10 is a detailed block diagram of the system manager shown in FIG. 3; FIG.

FIG. 11 is a detailed detailed block diagram of a database system (DBMS) connection shown in FIG. 3; FIG.

FIG. 12 is a detailed block diagram of the operator connection unit shown in FIG. 3; FIG.

FIG. 13 is an internal detailed block diagram of a subscriber information processing system (HLR) connection shown in FIG.

FIG. 14 is a detailed block diagram of a subscription management system (CIS) connection shown in FIG. 3; FIG.

* Explanation of symbols for main parts of the drawings

100: authentication processing apparatus, 200: terminal, 300: base station / base station controller, 400: exchange / visitor information processing system, 500: subscriber information processing system, 600: subscriber management system, 10: subscriber information processing system connection, 101: message Transmission function unit, 102: signal connection control function unit, 103: question and answer processing function unit, 104: seventh signal management function unit, 11: authentication request processing unit, 110: decomposition function unit, 111: authentication processing function unit, 112: authentication Failure handling function, 113: authentication status management function, 114: network authentication processing function, 115: authentication status change function, 116: authentication-related processing traffic collection function, 12: subscriber management system connection, 121: information transmission / Receiving function unit, 122: subscriber management system connection management unit function unit, 13: registration processing unit, 131: subscriber information management function unit, 132: subscriber secret key reallocation function unit, 14: key management unit, 141: key registration function unit, 142: key processing function, 15: Security policy / audit unit, 151: security policy / audit data initialization function unit, 152: authentication result audit function unit, 153: authentication response report processing unit, 154: count report processing unit, 16: operation management unit, 161: collection Function unit, 162: control function unit, 163: information analysis function unit, 17: service management unit, 171: operation information statistics function unit, 172: operation information search function unit, 18: system management unit, 181: system installation management function unit, 182: fore path management function, 183: configuration management function, 19: database system management connection, 191: database system connection function, 192: database system initialization function, 193: database system backup and recovery function 194: database system management function, 20: operator connection, 201: login function, 202: operator screen control function, 203: command processing and file function, 204: system security function, 205: FIG. End function unit, 21: Database management system 22: feature function storage unit

In order to achieve the above object, the configuration of the authentication processing apparatus implemented in the present invention enables the exchange of information with the subscriber information processing system through a common channel signal channel and transmits / receives a message necessary for authentication processing with the subscriber information processing system. A subscriber information processing system connection unit;

An authentication request processing unit for processing various messages received through the subscriber information processing system connection unit, and performing an authentication state change procedure according to an internal decision of an authentication processing device, and outputting an authentication state change message;

A subscriber management system access unit which accesses the subscriber management system to transmit information and collects traffic information according to information transmission / reception processing;

A registration processing unit which manages subscriber information necessary for performing authentication;

A key management unit that manages a subscriber secret key used to perform authentication;

A security policy / auditing unit for auditing the security status of the terminal using the authentication processing record obtained in the authentication processing certificate and determining processing for each authentication success / failure from the audit data;

An operation management unit which performs operation management for hardware and authentication processing of the authentication processing apparatus;

A service manager for searching the records and providing the control to the information stored in the database;

A system manager which performs installation, initialization, start-up and stop of application software, shape management of hardware and application software, and performs process management functions for the application software;

A database system management connection unit for initializing, backing up, and restoring a subscriber database, which is a database in the authentication processing apparatus, and an operation management database;

An operator connection unit for providing an environment in which an operator requests an internal function of an authentication processing apparatus and checks a screen of an execution result;

A database system manager comprising a subscriber database and an operation management database; And

And a function function storage unit which is a collection of authentication and secretion related algorithms to be stored in the authentication processing device.

The above objects, features, and advantages will become more apparent from the following detailed description taken in conjunction with the accompanying drawings. Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.

1 is a block diagram showing the functions of a mobile communication service network to which the present invention is applied and shows a processing flow related to an authentication service providing procedure.

In addition to the basic call processing and location registration functions, the terminal 200 stores a subscriber secret key (A-Key) for authentication processing, a shared secret data (SSD), and a signaling message encryption key (SMEKEY). ) Create / store voice secret key (CDMAPLCM), and store / update call history count (COUNT), and store / perform authentication and secret algorithm.

The base station / base station controller 300 allows the terminal 200 to access the network using the wireless protocol between the terminal 200 and the switch, and directly performs a secretion function with respect to security.

The exchange / visitor information processing system (PCX / VLR) 400 generates a random number (RAND) for authentication and performs a function of broadcasting in a network.

The subscriber information processing system (HLR) 500 relays the authentication related message from the exchange / visitor information processing system 400 to the authentication processing apparatus 100 for authentication, and also from the authentication processing apparatus 100. Location tracking the authentication-related messages to relay to the corresponding exchange / visitor information processing system (400).

The authentication processing apparatus 400 generates / stores the subscriber secret key and temporary secret key and distributes them to the subscriber, generates a random number (RANDU) for unique attempts, and checks the authentication response (AUTHR) from the terminal 200. Create / save signal secret key and voice secret key.

It also stores / updates the call history count (COUNT), and stores and performs the authentication and secreting algorithms. In addition to these authentication-related functions that are processed online, it also performs overall security management to determine and enforce in-network authentication policies and to audit authentication-related data.

The Customer Information System (CIS) 600 is connected to the authentication processing device by X.25, and transmits the subscriber information to the authentication processing device when registering a new subscriber so that the subscriber can be assigned a secret key. Allow subscribers to receive authentication services.

2 is a diagram illustrating a terminal authentication procedure in a mobile communication network, wherein the terminal 200 and the authentication processing device 100 have the same subscriber authentication secret key (A-key) (a) immediately after joining, before the authentication procedure is performed. Distribution and storage in a secure manner;

The temporary secret key (SSD) renewal procedure also stores the same temporary secret key;

Then, when the terminal 200 accesses the network, the random number (b) and the temporary secret key sent from the network,

And generates an authentication response (AUTHR) (c) using other parameters and sends it to the authentication processing apparatus;

The authentication processing apparatus 100 calculates the authentication response d through the same generation process using the corresponding terminal-related information stored therein and checks whether the authentication response c sent by the terminal 200 is the same ( e);

In addition, at this time, it is checked whether the call history count COUNT sent by the terminal 200 is the same as the count in the authentication processing apparatus 200 (f);

In the two comparison processes as described above, if the calculation results of the terminal 200 and the authentication processing device 100 are the same, authentication is successful. If not, the authentication is failed.

3 is a block diagram showing an internal configuration of an authentication processing apparatus implemented by the present invention, which is a connection apparatus for accessing the subscriber information processing system 500. The subscriber information processing system 500 is connected through a common line signal channel. It is possible to exchange information with the subscriber to transmit / receive messages necessary for authentication processing with the subscriber information processing system 500, and also to measure and manage the state of traffic and common line signals transmitted / received by common line signals. A subscriber information processing system connection unit (10) provided to the management unit (16) and performing a function of controlling the common line signal by a control request of the operation management unit (16);

Processes the authentication request, the authentication status report, the authentication failure report, and the base station attempt message received through the subscriber information processing system access unit 10, and performs the authentication status change procedure by the authentication processing device 100 internal decision to perform subscriber information. An authentication request processing unit 11 for sending an authentication state change message through the processing system connection unit 10;

A subscriber management system access unit (12) for accessing the subscriber management system (600) to transmit information and collecting traffic information according to information transmission / reception processing;

A registration processing unit 13 for managing subscriber information necessary for performing authentication;

A key manager 14 for managing a subscriber secret key (A-key) used to perform authentication;

A security policy / auditing unit 15 for auditing the security state of the terminal 200 using the authentication processing record obtained during the authentication process and determining processing for each authentication success / failure from the audit data;

An operation management unit 16 which performs operation management for hardware and authentication processing of the authentication processing apparatus 100;

A service management unit (17) for retrieving statistics and records consisting of a combination of data fields from all database tables constructed in the database system management unit (21) and providing them to the operator;

A system manager 18 for installing, initializing, starting, and stopping application software, configuration management of hardware and application software, and performing process management functions for the application software;

A database system management connection unit 19 for initializing, backing up, and restoring a subscriber database, which is a database in the authentication processing apparatus 100, and an operation management database;

An operator connection unit 20 for providing an environment in which an operator requests an internal function of the authentication processing apparatus 100 and checks a result of the execution on a screen;

A database system manager 21 comprising a subscriber database (including subscriber secret key) and an operation management database; And

And a function function storage unit 22 which is a collection of authentication and secretion related algorithms to be stored in the authentication processing apparatus 100.

In addition, the registration processing unit 13 performs new subscriber registration processing, deletion and change processing of existing subscriber information, and performs a subscriber secret key reassignment function for an existing subscriber at the request of the operator connection unit 20, and registered The subscriber secret key sending procedure for allowing the subscriber to input the subscriber secret key into the terminal 200 is also performed.

The key manager 14 generates a subscriber secret key, encrypts the subscriber secret key, provides a new subscriber registration and reassigns the subscriber secret key, and deletes, retrieves, and discards the subscriber secret key. It also serves to provide the subscriber secret key to the authentication request processing unit (11).

The security policy / audit unit 15 may take appropriate measures when the possibility of illegal use of a particular terminal is very high, and then send an alert to the operator, and may output the related data of the terminal.

The operation management unit 16 receives traffic from the subscriber information processing system connection unit 10, the authentication desire processing unit 11, the subscriber management system connection unit 12, the system management unit 18, the database system management connection unit 19, and the hardware operating system. Measurement information such as information and status information is collected periodically or at the request of an operator, and analyzed and stored in the database system manager 21.

It also has functions for setting operation management parameters and controlling system signals (No. 7) at the request of the operator. In addition, the information necessary for real-time output is transmitted to the operator connection unit 20 so that the operator can know the operation management information in real time.

The service manager 17 may provide the operator with statistical processing and operation information retrieval (history, details) for various measurement information (traffic, status, etc.) stored in the database system manager 21 through the operation manager 20. To help.

The database system management connection unit 19 performs the request of the system management unit 18 at the time of database initialization, and the rest of the functions are performed by commands entered by the operator in the work seat.

In addition, it provides a function that allows the operator to directly access the database in the event of an operation management function failure, and collects the status information provided by the database system management unit 21 to provide it when the operation management unit 16 requests it. Sometimes.

The operator connection unit 20 processes not only the command execution request input by the operator in the form of a screen, but also a request in the form of a command, and provides a function of executing a plurality of commands in a command file at one time.

When entering a command, the command is requested to the corresponding function block after grammar / meaning of the command itself.

In addition, it provides the function for the operator to log in to the system. It also provides the function to add / delete / search / change the operator-related accounts.When the operator executes commands, he adds the executed commands to the system access history file. Provide the history of access to the system, if desired by the operator.

It also provides help for command execution requests.

Finally, when looking at the library components in the function function storage unit 21, it is a cryptographic / decryption algorithm, subscriber authentication key generation algorithm, temporary secret key generation algorithm, signal secret key generation algorithm, voice secret key generation algorithm The authentication request processing unit 11 uses each algorithm when necessary.

4 is a detailed internal configuration diagram of the authentication request processing unit 11, and receives all the question-processing processing (TCAP) primitives received by the authentication processing device 100 and converts it into a suitable 'PAP (PCS Application Part)' message for distribution. A functional unit 110;

A unit for processing the authentication request received from the distribution function unit 110, by generating an authentication result value through the authentication algorithm to determine whether the authentication success / failure, and then for the specific subscriber identification number (MIN) When the security management policy of the authentication center is determined, an authentication processing function unit generates data for performing this, then sends the generated data along with an authentication response to the terminal, and then requests the authentication status management function 113 to perform subsequent work. 111;

A function unit that processes the authentication failure report received from the distribution function unit 110, and reports the details to the security policy / audit unit 15 according to the type reported using the authentication failure report, and then the policy decision result therefor. Receiving the authentication failure processing function 112 to perform subsequent operations;

An authentication state management function unit 113 for processing an authentication state report received from the distribution function unit 110;

A unit for processing a network authentication request received from the distribution function unit 110. After performing an authentication algorithm using a random access point (RANDBS) stored in the network authentication request, a base station authentication response (AUTHBS) is obtained. A network authentication processing unit 114 for outputting a network authentication request response including the distribution function unit 110;

An authentication state change function unit 115 for processing an authentication state change request from the security policy / audit unit 15; And

An authentication related processing traffic collection function 116.

In addition, the distribution function unit 110 checks the error of the message received by the authentication processing device 100, and adjusts the load between the authentication process-related application process, and the PAP message to the application process corresponding to the received TCAP primitive If there is a request to change the authentication state, the corresponding TCAP primitive is output to the subscriber information processing system connection unit 10.

The authentication failure processing function unit 113 generates corresponding data by using an authentication algorithm to perform the subsequent work, outputs the data to the distribution function unit 110 by using an authentication failure report response, and then performs an authentication state management function. The unit 113 requests authentication status management.

The authentication status management function 113 is specified by the authentication processing function 111, the authentication failure processing function 112, and the authentication status change function 115 by the policy decision of the security policy / audit part 15. The result of the work performed on the subscriber identification number and the equipment serial number (ESN) is reported, and the success / failure of the reported result is determined and reported to the security policy / audit department. If further needed, follow up with the security / auditor's policy decision.

When the authentication status change function 115 receives a request for changing the authentication status of a particular subscriber, the security policy / audit unit 15 uses an authentication algorithm to process the authentication status change of the specific subscriber identification number and the device serial number. After generating the data corresponding to the desired job, the authentication state change request is output to the subscriber information processing system connection unit 10.

And it collects the success / failure of the messages performed by the authentication request processing unit 11 and the processing history and performs the function to provide this if desired by the operation management unit 16.

5 is a detailed internal configuration diagram of the registration processing unit 13, and a subscriber information management function unit 131 for performing a function of adding a new subscriber and deleting or changing existing subscriber information at the request of the subscriber management system 600; ;

A subscriber secret key reassignment function unit 132 for reallocating subscriber secret keys at the request of the operator connection unit 20;

The subscriber information management function 131 allocates one subscriber secret key per subscriber information received through the subscriber management system connection unit 12 to register in the subscriber database when a subscriber addition request is made, and there is a change in subscription information. If this is the case. In addition, it performs subscriber secret key management function required during initial authentication period to provide authentication service even before subscriber private key is injected into new subscriber terminal.

FIG. 6 is a detailed internal configuration diagram of the key manager 14, which is used to assign a subscriber secret key to a new subscriber or an existing subscriber, and generates, deletes, recovers, and initializes a subscriber secret key at the request of the registration processor 13. As shown in FIG. A key registration function unit 141 for performing an activation function;

A key processing function unit 142 is provided to the authentication request processing unit 11 to provide a subscriber secret key necessary for generating a temporary secret key, and to perform subscriber secret key retrieval and revocation processing at the request of the operator connection unit 20.

7 is a detailed internal configuration of the security policy / audit unit 15. In the case of new subscriber registration or subscriber private key reassignment, the security policy / audit unit receives notification of creation, regeneration, or activation from the registration processing unit 13. (15) a security policy / audit data initialization function unit 151 for initializing data such as flags, counters, etc. used by other functions inside, and performing proper recovery processing when a recovery request is received from the operator connection unit 20;

Periodically retrieves the authentication result processed by the authentication request processing unit 11 from the database system management unit 21, performs a security audit on a terminal that fails authentication due to an authentication response or a count mismatch, and succeeds or fails in authentication of the terminal. An authentication result audit function unit 152 which sets in advance the authentication processing principle to be followed by the authentication request processing unit 11 and manages a temporary temporary secret key update;

The authentication request processing unit 11 reports the terminal's authentication response match or inconsistency directly, notifies the appropriate authentication processing principle, and detects the occurrence of various replications (MIN / ESN replication, SSD replication, subscriber secret key replication) and the operator connection unit. An authentication response report processing function unit 153 for reporting to the terminal 20 and automatically detecting that the subscriber secret key has been input to the terminal 200;

The count request processing unit 154 receives the count mismatch of the terminal 200 directly from the authentication request processing unit 11, instructs the temporary secret key update, and informs the proper authentication processing principle according to the result.

8 is a detailed internal configuration diagram of the operation management unit 16, a collection function unit 161 for collecting various measurement information required for operation management of the authentication processing device 100;

A control function unit 162 for controlling control of operation management parameters, manual collection of operation management information, and control of 'No 7' signal processing according to an operator's request;

System alerts are extracted by comparing the information collected and transmitted through the collection function unit 161 with respective limit values, and the extracted alerts are immediately stored in the database system manager 21 and immediately delivered to the operator. It consists of an information analysis function unit 163.

At this time, the collection function unit 161 collects the state information of the hardware, collects traffic and state information for the 'No 7' signal processing from the subscriber information processing system connection unit 10, and the application process from the system manager 18 Collect status information about.

Further, traffic information on authentication processing is collected from the authentication request processing unit 11 and the subscriber management system connection unit 12, and state information about the database is collected from the database system management connection unit 19.

The collection of information is done on a regular basis by the collection function, but can be collected at irregular intervals at the request of the operator. The collected information is stored in the database system management unit 21 and also transmitted to the information analysis function unit 163.

At this time, the information necessary for real-time display of the collected information is delivered to the operator connection unit 20 and output.

The control function unit 162 receives and processes an operator's manual collection request, an operation management parameter change request, and a control request from the operator connecting unit 20, and transmits the result to the operator through the operator connecting unit 20. . It also saves control results and changes in operation management parameters in the operation management database.

9 is a detailed internal configuration diagram of the service management unit 17, service measurement information, subscriber management system measurement information, No. 7 traffic, No. 7 status information, hardware status information, application process status information, control information, database A system management unit for calculating statistics on status information and alarms, the operation information statistics function unit 171 providing statistics for each statistical object by time, type, and cause;

History of service measurement information, subscriber management system measurement information, No.7 traffic, No.7 status information, hardware status information, application process status information, database system management part status information, control information, alarm and operation management parameter change and It consists of an operation information search function unit 172 that provides details.

In this case, the contents of the statistics in the operation information statistics function unit 171 are provided in a combination of statistical categories such as time, type, time, and cause, as well as time, type, and cause.

FIG. 10 is a detailed internal configuration diagram of the system management unit 18, in which application software, hardware specification data, and hardware and application software shape data existing in an installation medium such as a tape are installed in a system to establish a basic operating environment of the system. A system installation management function unit 181;

A process management function unit 182 which starts and stops various application processes of the authentication processing apparatus 100 and collects and transmits state information collection requests of processes required by operation management;

The authentication processing apparatus 100 includes a configuration management function unit 183 that is responsible for adding / deleting / changing configuration data and retrieving the configuration data.

The system installation management function unit 181 is divided into initial installation and partial reinstallation.

In this case, the initial installation includes installation of application software for performing the authentication processing device 100 function, creation of a basic environment of the database, and installation and generation of basic data. This is done by calling the base initialization function.

Partial reinstallation is to install and modify the existing application software by changing the version of the application software.

In addition, the installation completes the initialization required for system startup.

The process start and stop of the process management function unit 182 includes a total system stop and a column and stop for each process unit.

When the shape change occurs, the shape management function unit 183 changes the shape data with this function. When the shape control is required (No. 7 link number change, etc.), the control function unit 162 of the operation management unit 16 is used. Shape change control is performed through.

11 is a detailed internal configuration of the database system management connection unit 19, which includes a database system connection function unit 191 for allowing an operator to access a database and directly search, add, delete, and change database contents;

A database system initialization function unit 192 for generating a database table in the authentication processing apparatus 100 and receiving necessary initial data from a data file and storing the received initial data in a database;

The role of backing up the contents of the database to tape periodically or at the request of the operator in case the database on disk is destroyed or damaged, and to restore the contents of the backed up tape to the database if the database is destroyed or damaged. A database system backup and restore function unit 193;

The database system management function unit 194 collects state information on transaction processing from the database system manager 21 and provides a request when the operation manager 16 requests it.

The database system connection function unit 191 may access the database system manager 21 through a query SQL.

12 is an internal detailed configuration diagram of the operator connection unit 20. When the operator attempts to perform a function of the authentication processing apparatus 100, the first accessing unit is performed by using an operator's name and password. A login function unit 201 that checks the recognition and grants the access right corresponding to the operator's level, and executes a command corresponding to the access right until the operator logs out;

An operator screen control function unit 202 for controlling a screen for operation and controlling a transition between screens;

Analyzes the syntax and semantics of the command input through the task seat to request the command to be executed if it is normal, and provides an error message for an input error, and also provides immediate and scheduled execution as a command execution method. A command processing and file function unit 203 for storing in a history database after the processing so that the system access history can be retrieved later;

A system security function unit 204 for managing information on itself to an operator using the system and managing a history of operation commands performed by the operator;

Help function unit 205 for outputting a guide and a brief text on the command of the operator.

The system security function unit 204 stores a history of command execution in a system access history table so that an operator can search for it. A function of modifying, searching, and deleting new registration and operator information of an operator who uses the system is also provided. Do this.

FIG. 13 is a detailed internal configuration diagram of the subscriber information processing system (HLR) connection unit 10. The message transfer (MTP) function unit performs lower layer functions (parts of layers 1, 2, and 3) of No. 7 signaling. 101;

Function to transfer user part information by signal point code and subsystem number without forming signal connection with specific signal point on the signal network, and manage status of own station's subsystem and other signal point and subsystem for block management A signal connection control (SCCP) function unit 102 that performs a function;

TCAP function that manages TCAP related protocols and functions to receive transaction messages, manage transaction number and status for exchange of transaction messages with subscriber information processing system, and form or restore dialogs for component exchange. 103;

And a No. 7 management function 104 which performs traffic measurement, status information retrieval, and control command transfer functions for the functions of the functional units 101, 102, and 103.

Here, the MTP function unit 101 is responsible for the function processing of the 'Q.701-709' of the 'ITU-T' White Book Specification of Signaling System No. 7, and the signal connection control (SCCP) function. The unit 202 processes the functions of 'Q.711-714 and Q.716' of the 'ITU-T' white-book Specification of Signaling System No.7, and the TCAP function unit 203 processes the 'ITU-T'. Processes the function of 'Q.771-775' in White-Book Specification of Signaling System No.7.

FIG. 14 is a detailed configuration diagram of the subscriber management system (CIS) connection unit 12. The subscription information transmitted from the subscriber management system 600 to the authentication processing device 100 is received and transmitted to the internal device. An information transmission / reception function unit 121 for receiving a message and transmitting the received message to the subscriber management system 600;

It performs the function of reporting the information transmission / reception traffic between the authentication processing device 100 and the subscriber management system to the operation management device, and is a function for determining the performance of the information transmission / reception function. It consists of a subscriber management system connection management function 122 for collecting the total number of processing, the number of successes, and transmits the total number of processing, success.

Referring to the operation of the authentication processing device configured as described above, when the subscriber inputs information on the terminal 200 to be newly registered to the subscriber management system 600 to apply for subscription, the subscriber management system 600 is The information required for authentication among the information is transmitted to the authentication processing device 100.

In the authentication processing apparatus 100, a key is distributed through a registration processing unit 13 which is in charge of adding a new subscriber and a key manager 14 which generates and assigns a subscriber secret key to be assigned to the new subscriber.

This is transmitted to the terminal 200 through the subscriber management system 600.

When the key is injected as described above, the terminal 200 attempts communication while storing the same subscriber authentication secret key between the authentication processing apparatuses 100 and the same temporary secret key generated through the temporary secret key update procedure. In addition, while operating the power-key, the terminal 200 generates an authentication response using a random number, a temporary secret key, and other parameters sent from the network, and sends it to the authentication processing device 100.

The authentication processing apparatus 100 performs authentication of the terminal 200 through the authentication request processing unit 11 and transmits the result to the subscriber information processing system 500.

The subscriber information processing system 500 tracks the authentication-related message and transmits it to the corresponding exchange / visitor information processing system 400 to inform that the current terminal 200 is registered.

Accordingly, the location of the current terminal 200 is registered in the exchange, and the call with the other party is started according to the telephone number transmitted by the subscriber.

The operator may manage the security state of the terminal 200 and information on each subscriber through the security policy / audit unit 15, the service manager 17, and the operation manager 16 of the authentication processing device.

By detecting the illegal subscriber and the illegal terminal through the authentication processing device of the present invention configured as described above, it is possible to prevent economic loss of the operator, protect the privacy of the subscriber by preventing illegal eavesdropping, security policy and audit function Through various types of security management can be collectively performed, and key management function can be separated from authentication processing to effectively maintain secret key security, thereby preventing the leakage of secret information and integrating system separation into a service expansion structure. It is possible to flexibly cope with the problem, and the investment cost can be reduced when the service is expanded. As a result, the economic efficiency and the number of mobile subscribers are increased.

In addition, preferred embodiments of the present invention are disclosed for the purpose of illustration, those skilled in the art will be able to various modifications, changes, additions, etc. within the spirit and scope of the present invention, such modifications and modifications belong to the following claims You will have to look.

Claims (31)

A subscriber information processing system access unit which enables information exchange with the subscriber information processing system through a common line signal channel and transmits / receives a message necessary for authentication processing with the subscriber information processing system; An authentication request processing unit for processing various messages received through the subscriber information processing system connection unit, and performing an authentication state change procedure according to an internal decision of an authentication processing device, and outputting an authentication state change message; A subscriber management system access unit which accesses the subscriber management system to transmit information and collects traffic information according to information transmission / reception processing; A registration processing unit which manages subscriber information necessary for performing authentication; A key management unit that manages a subscriber secret key used to perform authentication; A security policy / auditing unit for auditing the security status of the terminal using the authentication processing record obtained in the authentication processing certificate and determining processing for each authentication success / failure from the audit data; An operation management unit which performs operation management for hardware and authentication processing of the authentication processing apparatus; A service manager for searching for statistics and records of information stored in a database and providing the same to an operator; A system manager which performs installation, initialization, start-up and stop of application software, shape management of hardware and application software, and performs process management functions for the application software; A database system management connection unit for initializing, backing up, and restoring a subscriber database, which is a database in the authentication processing apparatus, and an operation management database; An operator connection unit for providing an environment in which an operator requests an internal function of the authentication processing device and checks a result of the execution on a screen; A database system manager comprising a subscriber database and an operation management database; And An authentication processing device for mobile communication, comprising: a function function storage unit which is a collection of authentication and secretion related algorithms to be stored in the authentication processing device; The method according to claim 1, The subscriber information processing system access unit includes a message transfer function unit that performs a lower layer function of a seventh (No. 7) signaling method; A signal connection control function unit for transmitting user part information by the signal point encoding subsystem number, and performing a state management function of a sub-system of the local station and other signal points and subsystems for block management; Receives transaction message and manages transaction number and status for exchange of transaction message with subscriber information processing system, forms and restores dialog for component exchange, and manages Q & A related protocol A processing function unit; And a seventh signal management function unit for performing traffic measurement, status information retrieval, and control command transfer functions for the functions of the respective function units. The method according to claim 1, The authentication request processing unit includes: a distribution function unit for converting and processing all the question and answer primitives received by the authentication processing device into corresponding personal communication application messages; In order to process the authentication request received from the distribution function unit, the authentication result is generated through an authentication algorithm to determine whether authentication succeeds or fails, and when the security management policy of the authentication center for the specific subscriber identification number is determined, it is determined. An authentication processing function for generating data for performing, then sending the generated data to the terminal with an authentication response, and then requesting to perform subsequent work to the authentication status management function; An authentication failure processing function unit which reports the details to the security policy / auditing unit according to the reported type by using the authentication failure report received from the distribution function unit, and receives a policy decision result for the subsequent operation; An authentication state management function unit for processing an authentication state report received from the distribution function unit; A unit for processing a network authentication request received from the distribution function unit, performing an authentication algorithm using a random number for the base station stored in the network authentication request, and outputting the network authentication request response including the base station authentication response as a result to the distribution function unit. A network authentication processing unit; An authentication state change function unit for processing an authentication state change request from the security policy / audit unit; And Authentication processing device in a mobile communication, characterized in that it comprises an authentication-related processing traffic collection function. The method according to claim 3, The distribution function unit checks an error of a message received by the authentication processing device, sends a personal communication application message to an application process corresponding to the received question processing primitive while adjusting the load between the authentication processing related application processes, and requests to change the authentication state. If there is a authentication processing device for mobile communication, characterized in that for outputting the corresponding question and answer processing primitive to the subscriber information processing system connection. The method according to claim 3, The authentication failure processing function generates a corresponding data by using an authentication algorithm and outputs the data to the distribution function by using the authentication failure report response, and then requests authentication status management by the authentication status management function. Authentication processing device for mobile communication, characterized in that. The method according to claim 3, The authentication state management function unit determines the result of the operation performed on the specific subscriber identification number and the device serial number by the authentication processing function unit, the authentication failure processing function unit, and the authentication state change function unit by the policy decision of the security policy / audit unit. After receiving the report and determining the success / failure of the reported result, reporting it to the security policy / audit department, and performing further work according to the policy decision of the security policy / audit department when further work is needed. Authentication processing device for mobile communication. The method according to claim 3, When the authentication status change function receives a request for changing the authentication status of a specific subscriber, the authentication status change function uses an authentication algorithm to handle the change of the authentication status of the specific subscriber identification number and the device serial number. After generating the data, the authentication status change request is output to the subscriber information processing system access unit, and the operation management unit collects the success / failure and processing details of the messages performed by the authentication request processing unit and provides it if desired. An authentication processing device for mobile communication. The method according to claim 1, The subscriber management system access unit includes: an information transmission / reception function unit for receiving subscription information transmitted from the subscriber management system to the authentication processing device and transmitting the subscription information to the internal device, and receiving and transmitting a message from the internal device to the subscriber management system; This function reports the information transmission / reception traffic between the authentication processing device and the subscriber management system to the operation management unit. It is a function to determine the performance of the information transmission / reception function. And a subscriber management system access management function for collecting and transmitting the number of successes to the operation management device. The method according to claim 1, The registration processing unit includes a subscriber information management function unit for performing a function of adding a new subscriber and deleting or changing existing subscriber information at the request of the subscriber management system; And a subscriber secret key reassignment function unit for reassigning a subscriber secret key at the request of the operator connection unit. The method according to claim 9, The subscriber information management function allocates one subscriber's private key per subscriber information received through the subscriber management system access unit when the subscriber addition request is made, registers it in the subscriber database, and handles any change in subscription information, and processes the new subscriber. And a subscriber secret key management function required during an initial authentication period for providing an authentication service even before a subscriber secret key is injected into a terminal of the terminal. The method according to claim 1, A key registration function for performing subscriber secret key generation, deletion, recovery, and initialization activation at the request of the registration processing unit to perform assignment of a subscriber secret key for the key management unit, a new subscriber or an existing subscriber; In the mobile communication, comprising a key processing function for providing a subscriber secret key required for generating a temporary secret key to the authentication request processing unit, and performing subscriber secret key search and revocation processing at the request of an operator connection unit. Authentication processing device. The method according to claim 1, The security policy / audit unit, when the possibility of illegal use of a particular terminal is very high, take an appropriate action and then alert the operator, and outputs the security-related data of the terminal. The method according to claim 1, In case of new subscriber registration or subscriber private key reallocation, the security policy / auditing unit receives a key generation, regeneration or activation notification from the registration processing unit, and displays data such as flags and counters used by other functions in the security policy / auditing unit. A security policy / audit data initialization function for initializing and performing proper recovery processing when a recovery request is received from an operator connection unit; Periodically retrieves the authentication result processed by the authentication request processor from the database system manager, performs a security audit on a terminal that fails authentication due to an authentication response or counter mismatch, and upon authentication success or failure of the terminal, the authentication request processor An authentication result auditing function which sets in advance the authentication processing principle to be followed and manages periodic temporary secret key updates; Receives a report of the authentication response match or discrepancy of the terminal directly from the authentication request processing unit, notifies the appropriate authentication processing principle, detects the occurrence of various duplications, reports it to the operator connection unit, and automatically detects the completion of the subscriber secret key input to the terminal. An authentication response report processing function unit; Authentication processing in a mobile communication, comprising a count report processing function for receiving a report of the discrepancy of the terminal directly from the authentication request processing unit, instructing the temporary secret key update, and informing the appropriate authentication processing principle according to the result. Device. The method according to claim 1, The operation management unit, a collection function unit for collecting a variety of measurement information necessary for operation management of the authentication processing device; A control function unit for changing operation management parameters at the request of an operator, manually collecting operation management information, and controlling the seventh signal processing; Comprising and analyzing the information collected and delivered through the collection function with each limit value to extract the system alarm, and comprises an information analysis function that stores the extracted alarm to the database system management unit and also immediately delivers to the operator Authentication processing device for mobile communication, characterized in that. The method according to claim 14, The collection function unit collects the state information of the hardware, collects the traffic and state information for the seventh signal processing from the subscriber information processing system access unit, collects the state information of the application process from the system manager, and also the authentication request processing unit, Collecting traffic information for authentication processing from the subscriber management system connection unit, and collecting status information for the database from the database system management connection unit. The method according to claim 15, The collection of the information can be collected regularly by a collection function, and can be collected at regular intervals at the request of the operator, and the collected information is stored in the database system management unit and simultaneously transferred to the information analysis function unit. An authentication processing device for mobile communication. The method according to claim 16, Authentication information in the mobile communication, characterized in that for transmitting the information required for the real-time display of the collected information to the operator connection. The method according to claim 14, The control function receives and processes the operator's manual collection request, operation management parameter change request, and control request from the operator connection unit, and transmits the result to the operator through the operator connection unit. Authentication processing device for mobile communication, characterized in that stored in the operation management database. The method according to claim 1, The service management unit includes a function of calculating statistics for various types of information and information, and an operation information statistics function unit for providing statistics for each statistical object by time, type, and cause; And an operation information retrieval function for providing a variety of information and a history and details of alarm and operation management parameter changes. The method according to claim 19, The contents of the statistics in the operation information statistics function unit is provided not only for each time, type, cause, each, but also a combination of statistical classification such as time-type or time-cause, etc. . The method according to claim 1, The system management unit includes a system installation management function unit which installs application software, hardware specification data, and shape data of hardware and application software existing in an installation medium such as a tape in the system to establish a basic operating environment of the system; A process management function unit which starts and stops various application processes of the authentication processing apparatus and collects and transmits state information collection requests of processes required by the operation management apparatus; Authentication processing device An authentication processing device for mobile communication, comprising a configuration management function that is responsible for adding / deleting / changing configuration data and retrieval of shape data. The method according to claim 21, The system installation management function is divided into initial installation and partial reinstallation; Initial installation includes the installation of application software to perform the function of authentication processing device, creation of basic environment of database and installation and creation of basic data. By calling; Partial reinstallation is the installation of an existing application software by changing an application software version, etc., and installing only the corresponding application software, and at the same time, completing the initialization required for system startup. The method according to claim 21, The process start and stop of the process management function unit is the authentication processing device in the mobile communication, characterized in that for performing the whole system stop and start and stop for each process unit. The method according to claim 21, And the shape management function changes shape data by this function when a shape change occurs, and performs shape change control through a control function of the operation management part when shape control is required. The method according to claim 1, The database system management connection unit includes: a database system connection function unit for directly accessing, adding, deleting, and changing database contents by an operator accessing the database; A database system initialization function unit for creating a database table in the authentication processing device and receiving necessary initial data from a data file and storing the data in a database; The role of backing up the contents of the database to tape periodically or at the request of the operator in case the database on disk is destroyed or damaged, and to restore the contents of the backed up tape to the database if the database is destroyed or damaged. A database system backup and restore function; And a database system management function unit which collects state information on transaction processing from the database system manager and provides a request when the operation manager requests. The method according to claim 25, And a method of accessing the database system management unit from the database system connection function unit is to connect through a query word. The method according to claim 1, The operator connection unit is a first access unit when an operator attempts to perform a function of an authentication processing apparatus. The operator connection unit checks whether an operator is registered in an account file using an operator's name and password, and checks an access authority corresponding to an operator's level. A login function unit configured to execute a command corresponding to access authority until the operator logs out; An operator screen control function unit controlling a screen for operation and controlling a transition between screens; Analyzes the syntax and semantics of the command input through the task seat to request the command to be executed if it is normal, and provides an error message for an input error, and also provides immediate and scheduled execution as a command execution method. A command processing and file function unit for storing the data in a history database after the processing and later searching the system access history; A system security function unit that manages information on itself to an operator using the system and manages a history of operation commands performed by the operator; Authentication processing device in a mobile communication, characterized in that it comprises a help function for outputting a guide and a brief text on the command at the request of the operator. The method of claim 27, The system security function unit stores a history of command execution in a system access history table so that an operator can search and performs a function of modifying, searching, and deleting new registrations and operator information of an operator who uses the system. An authentication processing device for mobile communication. The method according to claim 1, The library components in the function function storage unit are encryption / decryption algorithms for security of subscriber secret keys, authentication response generation algorithms, temporary secret key generation algorithms, signal secret key generation algorithms, and voice secret key generation algorithms. An authentication processing device for mobile communication, characterized in that used by a request processing unit. The method according to claim 1, The terminal stores the same subscriber authentication secret key as the authentication processing device and the same temporary secret key generated through the temporary secret key renewal procedure for authentication processing with the authentication processing device. Processing unit. The method of claim 30, When the terminal accesses the network, the terminal and the authentication processing device generate an authentication response using a random number, a temporary secret key, and other parameters sent from the network, and transmit the authentication response to the authentication processing device. The authentication processing device calculates the authentication response through the same generation process using the terminal-related information stored by the terminal, checks whether it is the same as the authentication response sent by the terminal, and at the same time, the call history count sent by the terminal is authenticated. Check that it is equal to the count in the processing unit, The authentication processing device for mobile communication, characterized in that the authentication is successful if the same.