KR20180071022A - METHOD FOR SUBSCRIBER AUTHENTICATION IN CELLUAR IoT DEVICE, IoT DEVICE FOR SUBSCRIBER AUTHENTICATION, AND BASE STATION APPARATUS FOR SUBSCRIBER AUTHENTICATION - Google Patents

Abstract

The present invention provides a subscriber authenticating method without using a SIM card or a USIM card in a 3GPP mobile communication system-based IoT/IosT service, an IoT device, and a base station. The subscriber authenticating method includes the steps of authenticating the subscriber using a measurement value that is a unique feature of the IoT device. The subscriber is authenticated by using the measurement value that is the unique feature of the IoT device without using the subscriber identity module (SIM) card or the universal subscriber identity module (USIM) card. Accordingly, the present invention can authenticate the subscriber with high security.

Description

BACKGROUND OF THE INVENTION 1. Field of the Invention [0001] The present invention relates to a subscriber authentication method for a mobile Internet-based object Internet device, an object Internet device for subscriber authentication, and a base station device for subscriber authentication,

The present invention relates to subscriber authentication, and more specifically, to subscriber authentication of a mobile communication-based Internet device.

The Internet of Things (IoT) or Internet of Things (IOST) is a network of objects that carry a small amount of data without batteries at all times. Low-power, low-cost transmission technology is required, and service is possible even if it is not a high-speed and high-cost network.

The Internet or the Internet has a structure in which thousands to tens of thousands of terminals / devices / devices are connected to a central device such as a single base station, and a communication system for the Internet of objects optimized for this characteristic is developed variously come. A communication system for the Internet of things can basically provide a competitive object Internet service since it is a communication system capable of supporting features such as low power, low complexity, low cost, low transmission rate, wide coverage, and many simultaneous connection devices .

The 3GPP mobile communication standardization body establishes a standard for the Internet of things called 'LTE-M' similar to Long Term Evolution (LTE) and a standard for Internet of 'NB-LTE'. LTE-M and NB-LTE are 3GPP-based technologies that are global standards.

LTE-M uses Category 1 terminal defined in 3GPP Release 8 and added Power Saving Mode (PSM) function defined in Release 12. LTE-M uses nationwide LTE network and can be used for nationwide service. Because it uses licensed band frequency, there is no deterioration of communication quality due to frequency interference, and global expansion is possible through roaming.

3GPP has standardized Category 0 in Release 12 for more efficient Internet communications, and standardized Category M in Release 13, while standardizing NB-IoT with a clean-slate solution.

Unlike LTE-M or NB-IoT based on the 3GPP standard, which use carrier's licensed bands, there are SIGFOX, LoRa, and others on the Internet that use license-exempt bands. The Internet of matter requires a low power wide area network. LTE-M and NB-IoT are becoming narrowband and low-speed to support things / small things in LTE networks aiming at high-speed broadband wireless networks. SIGFOX and LoRa aim to transmit a small amount of information from the beginning to low power It is a technology.

(IoT) service such as car control service and CCTV, but the internet can be applied to much smaller and cheaper objects, and the power consumption is very small, so the built-in battery can be used for a long time (target: more than 10 years) . Tracking such as parts management, metering such as electricity / water / gas meters, and so on.

All of the mobile communication systems for wireless Internet service including the Internet of things or the Internet of goods have a star topology type in which a base station and a plurality of terminals are connected to each other, have. These base stations and terminals form a Radio Access Network (RAN) or AS layer in the entire mobile communication network. The base station is connected to the upper core network (CN), and the CN includes a server for converting subscriber information into a DB to perform authentication.

In a mobile communication system, when a terminal is connected to a new base station, the terminal must be authenticated as a terminal that is entitled to receive a service from the mobile communication network through a kind of authentication. The authentication procedure is based on the subscriber unique ID called International Mobile Subscriber Identity (IMSI) stored in the SIM card or USIM card of the terminal although there are various methods depending on the situation.

For the sake of security, the current 3GPP LTE mobile communication system does not directly send the IMSI unless the subscriber's IMSI is directly requested from the CN, and the derived value is exchanged with the IMSI as a parameter. This value is used not only as the IMSI value but also various other parameters according to the situation.

Therefore, in order to use services in the 3GPP mobile communication system, it is necessary to use a SIM (subscriber identity module) card / a universal subscriber identity module (USIM) card. For the specificity and security of the mobile communication business, Are independently separated from each other. For reference, a permanent ID called IMEI exists independently as a unique ID of a terminal device. In the case of IMEI, the user can easily find the correct value, but in the case of IMSI, the serial number of the SIM card / USIM card is disclosed only to the subscriber. For this reason, the SIM card / USIM card must have a separate memory and an interface with the terminal device must be provided.

Therefore, the price of SIM card / USIM card itself reaches several US dollars, which leads to a large price increase due to the purchase of additional SIM card / USIM card unconditionally in the purchase of Internet equipment.

Currently, the subscriber authentication method not based on the SIM card or the USIM card is not established in the 3GPP standard.

Among the Internet communication systems of the objects, especially, the Internet communication system has a terminal type in which a small amount of small data such as a sensor is transmitted to the battery only without power supply at all times. The unit prices of these terminal devices are expected to be in the range of USD $ 1 ~ $ 2, because they are very inexpensive. This low price and the ability to operate for up to several years with a single battery can only expand the bottom line of the Internet communication system of goods, opening the door to a full-scale Internet of things.

However, in the case of the Internet Internet commerce system based on the 3GPP mobile communication system, all terminals of the Internet must be equipped with a SIM card for subscriber authentication. Since the price of the SIM card itself is already close to $ 10 and it is cheap, it is $ 5. Therefore, when the SIM card is loaded into the Internet terminal of the goods, the whole unit price increases greatly, exceeding the target price of $ 1 ~ $ 2. Therefore, the loss of competitiveness in the market has led to a problem that the Internet service of the products based on the 3GPP mobile communication network is inevitably failed.

SUMMARY OF THE INVENTION It is an object of the present invention to provide a subscriber authentication method for a mobile communication-based object Internet device that does not use a subscriber identity module (SIM) or a universal subscriber identity module (USIM) card, And to provide a base station apparatus for authentication. More particularly, it is an object of the present invention to provide a mobile communication system and a mobile communication system, which are capable of generating a random code by using a random number that can be simultaneously generated at the same time after time and frequency synchronization are performed, A subscriber authenticating method of the apparatus, an object Internet apparatus for subscriber authentication, and a base station apparatus for subscriber authentication.

It is also an object of the present invention to provide a method and apparatus for improving security of a random code by adjusting a timing adjustment value for measuring a base station and indicating to a corresponding terminal device in an initial base station connection process using a PRACH (Physical Random Access Channel) A subscriber authentication method of a mobile communication-based object Internet device for identifying and authenticating a subscriber by generating a random code using external factors such as a frequency offset and a frequency offset, an object Internet device for subscriber authentication, and a base station device for subscriber authentication .

In one aspect, the present invention provides a subscriber authentication method for a mobile communication-based Internet device. Wherein the subscriber identity authentication is performed using a subscriber identity module (SIM) card or a universal subscriber identity module (USIM) card And performs the subscriber authentication using a measurement value that is a characteristic characteristic of the object Internet apparatus.

The measured values may be mutually shared by the object Internet apparatus, the base station, and the authentication server, and the object Internet apparatus may generate the random code for the subscriber authentication using the measured values.

The measured value may include at least one of a timing adjustment value, a frequency offset, and a traffic volume measurement.

The step of performing the subscriber authentication includes the steps of the object Internet device generating the first random code using the measured value as a generation factor of the first random code, And transmitting the data.

Wherein the step of performing subscriber authentication comprises the steps of: restoring a unique ID of the object Internet device using a generation factor of the first random code and the first random code received by the base station; And transmitting information for link transmission.

The step of performing the subscriber authentication includes the step of generating the second random code by using a measurement value that is a characteristic characteristic of the Internet appliance as a factor of occurrence of a second random code, And transmitting the second random code to the authentication server through the base station.

The first random code and the second random code generate a hash value having a length equal to the unique ID of the object Internet apparatus by singly or in combination of the occurrence factors and then generate a unique ID of the object Internet apparatus and the hash value Can be generated by an XOR operation.

Wherein the step of performing the subscriber authentication comprises the steps of restoring the unique ID of the object Internet device using the second random code received by the authentication server and the step of authenticating the object Internet device using the unique ID And a step of processing the data.

The unique ID of the Internet device of interest may be generated by generating a hash value having the same length as the first random code or the second random code either singly or in combination with the occurrence factors, And can be restored by an XOR operation of the hash value.

Wherein the object Internet apparatus, the base station, and the authentication server store the unique ID of the object Internet apparatus before performing the subscriber authentication, matching time synchronization between the object internet apparatus and the base station, The random access procedure may be started and the base station may calculate the timing adjustment value and transmit the calculated timing adjustment value to the object Internet apparatus and the authentication server.

The subscriber authentication method may automatically change the generation factor of the random code by updating the timing offset even after the initial authentication when the timing offset is used as a generation factor of the first random code or the second random code.

The subscriber authentication method may block a connection with the object Internet device or the mobile communication network when an authentication request is generated more than a predetermined number of times after the connection between the object Internet device and the mobile communication network is completed.

According to another aspect of the present invention, there is provided a mobile communication-based Internet device for subscriber authentication. The object Internet apparatus includes a memory for storing a unique ID of the object Internet apparatus, a transceiver for transmitting and receiving a radio signal, and a processor operating in conjunction with the transceiver, wherein the processor is a subscriber identity module (SIM) and a measurement value that is a characteristic characteristic of the object Internet device without using a universal subscriber identity module card is used for the subscriber authentication.

According to another aspect of the present invention, there is provided a base station apparatus for subscriber authentication of a mobile communication-based Internet apparatus. Wherein the base station device comprises a transceiver for transmitting and receiving radio signals, and a processor operatively associated with the transceiver, wherein the processor is configured to receive the object Internet And a measurement value which is a characteristic characteristic of the apparatus is used for the subscriber authentication.

According to the subscriber authentication method of the mobile Internet object Internet device, the object Internet device for subscriber authentication and the base station device for subscriber authentication according to the embodiments of the present invention, a central device such as a base station and a plurality of object Internet terminals or objects A mobile communication system having a network in the form of a star topology to which Internet devices are connected - for example, in a communication system similar to a 3GPP mobile communication system - It is possible to perform subscriber authentication that maintains high security without using a SIM card / USIM card including authentication information. As a result, it is possible to solve a problem of a small increase in unit price due to the installation of a SIM card / USIM card of a Internet / Internet Internet terminal device, which is expected to be a major obstacle to expansion of Internet / Internet Internet services based on the existing 3GPP mobile communication system. It is possible to establish a successful business by expanding the bases of Internet / Internet services.

1 is a block diagram of an Internet device according to an embodiment of the present invention.
2 is a configuration diagram of a base station apparatus according to an embodiment of the present invention.
FIG. 3 is a diagram illustrating an example of an authentication procedure in an initial connection of a mobile communication-based Internet device according to an embodiment of the present invention.
FIG. 4 illustrates a process of converting a UE ID into a random code according to an embodiment of the present invention. Referring to FIG.
5 is a diagram illustrating a process of deriving a UE ID (User Equipment ID) from a random code according to an embodiment of the present invention.

While the invention is susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and will herein be described in detail. It is to be understood, however, that the invention is not to be limited to the specific embodiments, but includes all modifications, equivalents, and alternatives falling within the spirit and scope of the invention.

The terms including the first, second, etc. may be used to describe various elements, but the elements are not limited to these terms. The terms are used only for the purpose of distinguishing one component from another. For example, without departing from the scope of the present invention, the first component may be referred to as a second component, and similarly, the second component may also be referred to as a first component. The term " and / or " includes any combination of a plurality of related entry items or any of a plurality of related entry items.

When an element is referred to as being "connected" or "connected" to another element, it may be directly connected or connected to the other element, but other elements may be present in between. On the other hand, when an element is referred to as being "directly connected" or "directly connected" to another element, it should be understood that there are no other elements in between.

The terminology used in this application is used only to describe a specific embodiment and is not intended to limit the invention. The singular expressions include plural expressions unless the context clearly dictates otherwise. In the present application, the term "includes" Or "have." , Etc. are intended to designate the presence of stated features, integers, steps, operations, elements, components, or combinations thereof, in combination with one or more other features, integers, steps, operations, Quot; or " an " or < / RTI > combinations thereof.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Terms such as those defined in commonly used dictionaries are to be interpreted as having a meaning consistent with the contextual meaning of the related art and are to be interpreted as either ideal or overly formal in the sense of the present application Do not.

The terminal may be a mobile station (MS), a user equipment (UE), a user terminal (UT), a wireless terminal, an access terminal (AT), a terminal, a fixed or mobile subscriber unit, A cellular phone, a wireless device, a wireless communication device, a wireless transmit / receive unit (WTRU), a mobile node, a mobile, a mobile station, a personal digital assistant ), A smart phone, a laptop, a netbook, a personal computer, a wireless sensor, a consumer electronics (CE) or other terminology.

Various embodiments of the terminal may be used in various applications such as cellular telephones, smart phones with wireless communication capabilities, personal digital assistants (PDAs) with wireless communication capabilities, wireless modems, portable computers with wireless communication capabilities, Device, a wearable device having a wireless communication function, a gaming device having a wireless communication function, a music storage and playback appliance having a wireless communication function, an Internet appliance capable of wireless Internet access and browsing, as well as a combination of such functions But are not limited to, portable units or terminals.

A base station generally refers to a fixed point in communication with a terminal and includes a base station, a Node-B, an eNode-B, an advanced base station (ABS) But is not limited to, an HR-BS, a site controller, a base transceiver system (BTS), an access point (AP), or any other type of interfacing device capable of operating in a wireless environment.

A base station may also include other base stations and / or network elements (not shown), such as a base station controller (BSC), a radio network controller (RNC), relay nodes, (radio access network). The base station may be configured to transmit and / or receive wireless signals within a particular geographic area, which may be referred to as a cell (not shown).

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Reference will now be made in detail to the preferred embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer to the like elements throughout. The description will be omitted.

A subscriber authentication method and apparatus of a mobile communication-based Internet device for mobile communication according to the present invention is characterized in that the base station and the Internet terminal (including the Internet terminal of the object) have the same concept as the random code The subscriber is identified and authenticated by including a particular number sequence or signal in the outsider or by generating the measurements (e.g., timing adjustments, frequency offsets, etc.) defined in the 3GPP standards without such external factors.

Since the SIM card / USIM card is not used, the object Internet terminal devices must store a UE (User Equipment) ID which is a unique ID (for example, IMSI, IMEI or serial number) in the device itself. These numbers should be stored in a software - like manner that can not be deleted or changed, providing strong security.

The mobile communication provider stores information on the UE ID in the authentication server.

The object Internet terminal device synchronizes with the base station through synchronization process with the base station.

Once synchronized with the base station, the object Internet terminal must perform a Random Access Channel (RACH) procedure to receive access authorization from the base station. The latter part of this RACH process corresponds to the process of obtaining authorization to use.

Since direct transmission of the UE ID in the authentication process is vulnerable to hacking, instead of directly transmitting the UE ID, a random code composed of letters or numbers with the UE ID as an input factor is generated, transmitted to the base station, and transmitted to the authentication server .

A hash function can be used to maximize the security of the generated random code.

In the authentication server, UE ID is generated by the method of generating the random code in the object Internet terminal and the same method as that of the random code and the UE Id only for the input factor and the output factor, respectively, and authentication is performed through the existing 3GPP authentication procedure.

In order to generate the same random code between the authentication server and the object Internet terminal device, the time synchronization must be correct. Since the base station and the authentication server are already synchronized by their own time management scheme and the object Internet terminal device performs cell synchronization process between the base station and the object Internet terminal device and the synchronization is already performed before the RACH process, It is possible to generate the numbers at the same time.

Even if the mutual time synchronization is correct, there is a certain amount of time synchronization error. Therefore, the generated random code is maintained for a predetermined fixed time (short time) to secure a certain time synchronization margin. Also, if authentication for the same random code is requested again within that time, the authentication of the relevant object Internet terminal device is rejected and the UE ID of the specific object internet terminal device connected to the random code is changed to the disabled state, do. In some cases, you can specify an unusable ID for a single attempt to duplicate, but you can also set it to a specific number of attempts.

Nevertheless, the above-described method and apparatus basically use a code generated by a random code generation method predefined by a hash function associated with a UE ID that is an internal unique ID, so that the main information acquisition and random code If the generation method is leaked to the outside, it is vulnerable to external hacking.

In order to cope with such a problem, a characteristic (e.g., a timing adjustment value, a frequency offset, etc.) unique to each object Internet terminal device is added as an external factor necessary for random code generation. For successful authentication, the authentication server also needs external factors that can be shared with the base station and the authentication server because it must be able to obtain a common value for the external factors that are used in addition to the random code generation.

There has been a method of generating a random code based on the inherent characteristics of individual terminal devices. However, this method has a problem in that it is necessary to test all the characteristics of individual terminal devices before selling the terminal device. In addition, since all of the obtained information must be stored in a server or a system related to authentication, it is necessary to store thousands of thousands of object Internet terminal devices in one base station. There is a problem that a large amount of memory is required and the implementation complexity is also increased.

In order to overcome this, the present invention uses various measurement values specified in the 3GPP standard as an external factor for random code generation. For example, in the case of the timing offset (timing adjustment value), the base station can measure the distance from the object Internet terminal device through the delay time value in the RACH process. Based on such a time delay, a timing offset to be adjusted to adjust the transmission time is transmitted to the object Internet terminal. The information is protected through link protection or ciphering for the control message of 3GPP, and it is strong against external hacking. Since timing offset is transmitted, it may be vulnerable to hacking in radio section. In order to overcome this drawback, the timing offset used as a random code generation factor can be enhanced by increasing the resolution of the timing adjustment value transmitted and received.

As a first step for normal communication between a base station and a CN (Core Network), a mobile communication system must perform synchronization with a base station in time synchronization, whether it is a synchronous system or an asynchronous system. In the case of 3GPP LTE, it is possible to use a primary synchronization signal (SSS), a secondary synchronization signal (SSS) signal, a system frame number (SFN) included in a PBCH (Physical Broadcast Channel) / MIB It is synchronized. Therefore, the CN (Core Network), the BS, and the UE can know the offset with respect to the reference time of each device or the same time synchronization, so that the UEs can operate at the same time. Of course, there is a certain amount of timing offset, but the value is not large.

After synchronizing the time, the UE grasps the most basic parameters of the corresponding base station through a System Information Block (SIB) data demodulation and finally notifies the base station of its existence through an uplink RACH (Random Access Channel) . When the UE attempts to access the base station for the first time, the UE receives authentication from the base station / CN (Core Network) in the RACH process.

 The UE does not transmit its own IMSI in one step during the RACH process but transmits the associated value or random value to be authenticated. If a random value is transmitted, an additional process is added to the general authentication process.

Random code generation using a timing offset and a base station ID can be used as a random code generation factor in addition to external factors that can be shared by a base station and a mobile station . For example, there are Traffic Volume Measurement, Frequency Offset, and so on. Since the timing offset value is protected by the control message, only the object Internet terminal device, the base station, and the authentication server can know the timing offset value, thereby providing strong security. In the case of frequency offsets, the information is not directly transmitted and received, and therefore, it is more secure. Therefore, it is possible to maximize security by using these measured values as a random code generation factor.

According to an embodiment of the present invention, an IMSI is embedded in an IoT terminal in order to eliminate a SIM card / USIM card from the Internet, particularly, a NB-IoT Internet. In order to enhance security, a frequency offset and a timing offset And transmits the IMSI once again by using the values measured by the actual terminal and the base station. In particular, in the case of the frequency offset, since the information is not directly exchanged between the base station and the mobile station, the security can be maximized. That is, in the case of the frequency offset, as a hardware characteristic, the base station and the terminal know almost the same value even if they do not exchange with each other.

Specifically, all UEs measure a frequency offset between the Node B and the UE in the time synchronization process, and the base station also estimates a frequency offset using a PRACH (Physical Random Access Channel) preamble. Therefore, when the UE transmits the PRACH preamble without frequency offset correction, the BS estimates the frequency offset to a value approximate to the frequency offset measured by the UE itself. The granularity of the frequency offset considering the estimation error is introduced, it is displayed as a certain number, and the corresponding value is used as the generation factor generating the random code.

In the case of the timing offset, since the timing offset between the base station and the UE is measured, it is difficult for the third party to measure the corresponding value. In the case of the timing offset, since the base station must measure and report the timing offset to the UE, You may lose your sex. To improve this aspect, the random code is continuously updated by updating the timing offset change occasionally due to the movement of the terminal or the like.

According to embodiments of the present invention, it is possible to generate a mutual duplication that is a generation factor of a random code (CN) / base station and a terminal without installing a SIM card / USIM card in the object Internet terminal device in the time synchronization and RACH process The present invention proposes a subscriber authentication method and apparatus that performs authentication based on a random number or an external factor (e.g., a timing adjustment value, a frequency offset, and the like) to maintain the same level of security as the existing one. In addition, the security of the authentication process is maximized by reflecting the unique hardware characteristics or other characteristics of each terminal device in the generation of the random code. According to the embodiments of the present invention, the IMSI is embedded in the Internet (IoT) terminal in order to eliminate the SIM card / USIM card in the Internet of objects, particularly, the Internet of objects such as the NB-IoT, And IMSI can be encoded once again using the values measured by the actual terminal and the base station, such as the timing offset.

FIG. 1 is a configuration diagram of a thing Internet device (including a goods Internet device) according to an embodiment of the present invention. 1, the Internet apparatus 100 includes a transceiver 120 for transmitting and receiving a radio signal, a processor 110 for operating in conjunction with the transceiver, and a transmitting and receiving antenna 130.

The transceiver 120 transmits or receives a radio frequency signal to or from a base station via the antenna 130 and receives data and control signals through a downlink from the base station via the antenna 130, And transmits data and control signals through an uplink. The transceiver 120 may be configured to modulate the signals to be transmitted by the antenna 130 and to demodulate the signals received by the antenna 130.

The processor 110 may control the transceiver 120 to determine when to transmit the control signal. In addition, the processor 110 performs a random code generation process for subscriber authentication.

The processor 110 may be a general purpose processor, a special purpose processor, a conventional processor, a digital signal processor (DSP), a microprocessor, one or more microprocessors in conjunction with a DSP core, a controller, a microcontroller, specific integrated circuits (ASICs), field programmable gate array (FPGA) circuits, integrated circuits (IC), state machines, and the like. The processor 110 may perform signal coding, data processing, power control, input / output processing, and / or any other function that enables the terminal to operate in a wireless environment. The processor 110 may be coupled to the transceiver 120.

The antenna 130 may be an antenna configured to transmit and / or receive RF signals. The antenna 130 may be configured to transmit and / or receive any combination of wireless signals.

2 is a configuration diagram of a base station apparatus according to an embodiment of the present invention. Referring to FIG. 2, the base station apparatus 200 includes a transceiver 220, a processor 210, and an antenna 230.

The transceiver 220 transmits or receives a radio frequency signal through the antenna 230 to the object Internet apparatus 100 and transmits the downlink signal to the object Internet apparatus 100 through the antenna 230. [ And receives data and control signals from the object Internet apparatus 100 through an uplink. The transceiver 220 may be configured to modulate the signals to be transmitted by the antenna 230 and to demodulate the signals received by the antenna 230.

The processor 210 may control the transceiver 220 to determine when to transmit the control signal. The processor 210 may generate a User Equipment (UE) ID from the random code generated at the object Internet device 100. [

The processor 210 may be a general purpose processor, a special purpose processor, a conventional processor, a digital signal processor (DSP), a microprocessor, one or more microprocessors associated with a DSP core, a controller, a microcontroller, specific integrated circuits (ASICs), field programmable gate array (FPGA) circuits, integrated circuits (IC), state machines, and the like. The processor 210 may perform signal coding, data processing, power control, input / output processing, and / or any other function that enables the terminal to operate in a wireless environment. Processor 210 may be coupled to transceiver 220.

Hereinafter, a subscriber authentication method using a timing offset as a factor of generating a random code in the Internet of things, particularly the Internet of goods, will be described step by step.

FIG. 3 is a diagram illustrating an example of an authentication procedure in an initial connection of a mobile communication-based Internet device (including a small-size Internet device) according to an exemplary embodiment of the present invention. Referring to FIG. 3, in step 1, the object Internet terminal (UE) 100 stores a UE ID (User Equipment ID), which is a terminal unique ID, in the internal memory of the apparatus. At this time, the UE ID has the same bit length as the International Mobile Subscriber Identity (IMSI). The Home Subscriber Server (HSS) 400, which is an authentication server of the CN (Core Network), also stores the same UE ID.

In step S210, the terminal 100 synchronizes with the base station (eNB) 200 through a time synchronization process (S101).

In step 3, the UE 100 randomly selects a PRACH preamble code and starts a RACH process (S102).

The base station 200 calculates the timing adjustment value TA by measuring the timing offset between the base station 200 and the terminal 100 based on the PRACH preamble transmitted from the object Internet apparatus 100 in step 4, .

In step 5, the base station 200 stores the calculated timing adjustment value TA and transmits this value to the corresponding terminal 100 together with the provisional C-RNTI using RAR (Random Access Response) (S104). Likewise, the base station also transmits the timing adjustment value to the CN (Core Network) (not shown in FIG. 3).

In step 6, the terminal 100 uses the received timing adjustment value TA as a random code generation factor together with the currently synchronized various time display values including the stored terminal unique ID (UE ID) and the system frame number, And generates a first random code (RAND ID) by a method promised with the server (HSS) The first random code (RAND ID) may be generated using a hash value as shown in FIG. 4 for security (S 105).

In step 7, the UE 100 transmits the first random code generated using the unique ID (UE ID) of the corresponding UE to the base station 200 as the UE ID using the temporary C-RNTI received from the Node B 200 S106).

In step 8, the base station 200 restores the UE's unique ID (UE ID) as shown in FIG. 5 using the received first random code and the timing adjustment value TA (S107).

In step 9, the base station 200 transmits information required for uplink transmission including the final C-RNTI to the terminal 100 that has transmitted the provisional C-RNTI (RRC connection setup) (S108).

In step S109, the terminal 100 generates a second random code (RAND ID) using a hash value as shown in FIG. 4 according to a method promised by the authentication server (HSS) 400 (S109). At this time, security can be enhanced by generating new random code by using additional information obtained in data transmission / reception with a previous base station such as C-RNTI as a factor for generating random code. When additional information such as C-RNTI is used as a generation factor of random code generation, it should be used according to existing LTE GUTI (Globally Unique Temporary Identifier) structure such as Mobility Management Entity (MME) ID.

That is, a random code is generated and used so as to have the same number of bits in the place used for the existing UE ID so that the authentication can be successfully performed even within the standard without changing the standard of the existing 3GPP LTE mobile communication system. It is also possible to newly generate a random code having the same number of bits every time a permanent or temporary UE ID is required or to reuse the random code generated in the initial connection, thereby solving the compatibility problem with the standard.

In step 11, the AT 100 transmits an Attach Request message to the MME (Mobility Management Entity) 300 (S110). Initial authentication of 3GPP begins when MME 300 receives an Attach Request message. The Attach Request message includes information such as UE ID (User Equipment ID) and SN ID (Serving Network ID). At this time, the UE ID is transmitted in a state in which the second random code is used and the encryption and the integrity protection are not performed.

In step 12, the MME 300 transmits an Authentication Data Request message to the HSS 400 together with the received second random ID (S111).

In step 13, in step 13, the HSS 400 generates the random code in the terminal 100, and generates the random code and the output ID using the same generating factor value, And derives a unique ID (UE ID) of the UE from the received second random code (S112).

In step 14, the HSS 400 accesses an authentication center (AuC) using the unique ID of the terminal to find the unique key of the terminal and performs an AKA (Authentication and Key Agreement) algorithm. Then, an Authentication Data Response message is transmitted to the MME 300 together with an AV (Authentication Vector) which is a result of performing the AKA algorithm (S113). The AV includes an Expected Response (XRES) value required for authentication and an Authentication Token (AUTN).

In step 15, the MME 300 transmits an Authentication Request message to the AT 100 together with the AUTN which is a part of the AV (S114). AUTN includes a Message Authentication Code (MAC) value to be used for authentication, a Sequence Number (SQN), and an Authentication Management Field (AMF).

In operation S115, the terminal 100 performs an AKA algorithm using the received AUTN and compares the generated Expected Message Authentication Code (XMAC) value with the MAC value of the received AUTN (S115).

If the XMAC value matches the MAC value in step 17, the network authentication is successfully completed and the MS 100 transmits an Authentication Response message together with the RES value as a result of performing the AKA algorithm to the MME 300 (S116).

Finally, in operation 18, the MME 300 compares the RES value received from the terminal 100 with the XRES value received from the HSS 400 to perform terminal authentication (S117). If RES value matches XRES value, terminal authentication is completed successfully.

FIG. 4 illustrates a process of converting a UE ID into a random code according to an embodiment of the present invention. Referring to FIG. Referring to FIG. 4, the object Internet apparatus transmits a UE ID (User Equipment ID) 420 alone or in combination with the random code generation factors (e.g., external factors such as a random number and a timing adjustment value, a frequency offset, The random code 440 may be generated by performing an XOR operation on the UE ID 410 and the hash value 430. [

5 is a diagram illustrating a process of deriving a UE ID (User Equipment ID) from a random code according to an embodiment of the present invention.

5, in the base station and the authentication server, the random code generation factors (for example, external factors such as a random number, a timing adjustment value, and a frequency offset) 520 may be used alone or in combination, A hash value 530 of the same length is generated and then a UE ID (User Equipment ID) (a unique ID) of the UE is obtained by performing an XOR operation between the random code 510 and the hash value 530 transmitted from the object Internet apparatus 540).

Since there is a certain timing offset between the authentication server, the base station, and the Internet terminal, although there is some time offset between them, the validity period of the generated random code is defined in advance, and authentication is performed with the same code within the validity period. Also, if authentication for the same random code occurs in duplicate, it is regarded as authentication failure and the service provision can be rejected.

An authentication method using a frequency offset is also possible. In this case, since the frequency offset value is not actually exchanged between the base station and the terminal, it can be said that the security is higher than when the timing offset is used.

In the embodiment of the authentication method using the frequency offset, the terminal measures the frequency offset of the base station and the terminal in the step 2, and the base station measures the frequency offset of the base station and the terminal in the step 4 described above. Since the frequency offset values measured by the base station and the UE are almost the same, frequency offset transmission is not required in step 5. From step 6, the frequency offset values that are measured and used mutually are used instead of the timing adjustment values. Of course, it is also possible to use both values in combination.

In the case of the Internet, most of them are sensor type terminal devices, so it is hard to say that they are actually mobile. Therefore, it is difficult to change the connected base station except for the case where the Internet connection device connected to the specific base station can be moved to another base station, so the base station ID can also be used as a generation factor in the random code generation algorithm. When the base station ID is changed, the authentication server may add a process of confirming that the connection with the corresponding object Internet terminal is released through the existing base station to the authentication process.

In the 3GPP standard, the timing offset with the UE can be measured intermittently or periodically even after successful connection between the initial base station and the UE. Therefore, it is possible to maximize the security by automatically changing the occurrence factor of the random code generation while updating the timing offset even after the initial authentication.

In addition, when a frequency offset, which is another embodiment of the present invention, is used as a generation factor of a random code, three problems can be assumed.

만큼의 횟수만 full search를 진행하면 원하는 값을 얻을 확률이 50퍼센트가 넘어가게 된다. 이동통신을 이용한 사물인터넷 통신의 경우 대역폭이 200kHz이기 때문에 추정 오차를 고려하여, 발생되는 랜덤 코드의 길이는 대략적으로 8비트로 나올 수 있는 경우의 수는

이다. 이는 생일 공격에 의해 충분히 추정 가능하다는 취약점을 가지게 된다. 따라서 상기 취약점을 극복하기 위해 본 발명에서는 단말과 망 사이의 연결이 완료된 후에도 망에 인증을 하고자 하는 접근이 감지되면 연결을 차단하고 새로운 기지국을 통해서 인증을 해야만 사용 가능하도록 할 수 있다.First, there is a case where an attempt is made to attack with a birthday attack. A birthday attack is an attack based on birthday paradox,

If you do a full search for as many times as possible, you will get more than 50 percent chance of getting the desired value. Since the bandwidth is 200kHz, the number of cases where the random code length can be estimated to be approximately 8 bits considering the estimation error is

to be. This is a vulnerability that can be estimated by birthday attack. Accordingly, in order to overcome the above-mentioned weakness, according to the present invention, if access to the network is detected after the connection between the terminal and the network is completed, the connection can be blocked and the new terminal can be used only after authentication through the new base station.

Second, frequency offset can be estimated using SDR (Software Defined Radio) equipment. SDR equipment is a software based wireless transceiver that can access mobile communication services by software control of signals of desired frequency band. Therefore, this equipment is required to have security for access to both the terminal and the base station. In order to solve the above problem, after the connection between the terminal and the network is completed, if an access request for another authentication is detected in the terminal or the network, the connection is blocked and authentication is performed through the new base station as in the above- .

Finally, the accuracy of the estimable frequency offset is 1/1000 of the bandwidth and the error can be about 200Hz. If the frequency offset is smaller than 200 Hz, there is a problem in accuracy of the frequency offset between the terminal and the base station. In the present invention, the above problem can be solved by giving frequency offsets intentionally larger than the error in the RACH process.

In the present invention, in addition to the timing offset (timing adjustment value) and the frequency offset described above, all other measurement values that can be characteristics of only each terminal that can be shared by the base station and the terminal are used as a random code generation factor . In addition, these factors may be implemented alone or in combination.

A number of embodiments of the present invention have been described. Nevertheless, the foregoing description is for the purpose of illustration and is not intended to limit the scope of the invention, which is defined by the scope of the following claims. Accordingly, other embodiments may be within the scope of the following claims, and various modifications may be made without departing from the scope of the present invention. Additionally, some of the steps described above may be performed in a different order than described, since they are order independent.

100: object Internet device 110: processor
120: transceiver 130: antenna
200: base station 210: processor
220: transceiver 230: antenna
300: Mobility Management Entity (MME) 400: Home Subscriber Server (HSS)
410: UE ID (User Equipment ID) 420: Generation factor of random code
430: hash value 440: random code
510: random code 520: random code generation factor
530: Hash Function 540: UE ID (User Equipment ID)

Claims (14)

A subscriber authentication method for a mobile communication infrastructure Internet device,
And performing the subscriber authentication using a measurement value that is a characteristic characteristic of the Internet appliance,
Characterized in that the subscriber authentication performs a subscriber authentication using a measure that is a characteristic characteristic of the thing Internet device without using a subscriber identity module (SIM) card or a universal subscriber identity module (USIM) card. Authentication method. The method according to claim 1,
The measured values are mutually shared in the object Internet device, the base station, and the authentication server,
Characterized in that the thing Internet device uses the measurement value to generate a random code for the subscriber authentication. 3. The method of claim 2,
Wherein the measurement comprises at least one of a timing adjustment value, a frequency offset, and a traffic volume measurement. The method according to claim 2 or 3,
The step of performing the subscriber authentication comprises:
Generating a first random code by using the measured value as a factor of occurrence of a first random code; And
And the thing Internet device sending the first random code to the base station. 5. The method of claim 4,
The step of performing the subscriber authentication comprises:
Restoring a unique ID of the Internet device using the first random code received by the base station and the occurrence factor of the first random code; And
Further comprising the step of the base station transmitting information for uplink transmission to the object Internet device. 6. The method of claim 5,
The step of performing the subscriber authentication comprises:
Generating a second random code by using a measurement value that is a characteristic characteristic of the Internet appliance as a factor of occurrence of a second random code; And
Further comprising the step of the object Internet device sending the second random code to the authentication server via the base station. The method according to claim 6,
The first random code and the second random code generate a hash value having a length equal to the unique ID of the object Internet apparatus by singly or in combination of the occurrence factors and then generate a unique ID of the object Internet apparatus and a hash value XOR operation. ≪ / RTI > 8. The method of claim 7,
The step of performing the subscriber authentication comprises:
Restoring a unique ID of the object Internet device using the second random code received by the authentication server; And
Further comprising the step of the authentication server processing the authentication of the Internet appliance using the unique ID. 9. The method of claim 8,
The unique ID of the Internet device of interest may be generated by generating a hash value having the same length as the first random code or the second random code either singly or in combination with the occurrence factors, Wherein the hash value is restored by an XOR operation of the hash value. 10. The method of claim 9,
Before the subscriber authentication step
Storing the unique ID of the object Internet device, the object Internet device, the base station, and the authentication server;
Synchronizing time synchronization between the Internet device and the base station;
The object Internet apparatus starting a random access procedure; And
Wherein the base station further calculates the timing adjustment value and transmits the calculated timing adjustment value to the object Internet device and the authentication server. 11. The method of claim 10,
Wherein when the timing offset is used as a generation factor of the first random code or the second random code, the generation offset of the random code is automatically updated by updating the timing offset even after the initial authentication. 12. The method of claim 11,
And after the connection between the object Internet device and the mobile communication network is completed, the connection to the object Internet device or the mobile communication network is blocked if an authentication request is generated more than a predetermined number of times. A mobile communication-based object Internet device for subscriber authentication,
A memory for storing a unique ID of the object Internet device;
A transceiver for transmitting and receiving a wireless signal;
And a processor operatively coupled to the transceiver, wherein the processor
Characterized in that a measure, which is a characteristic characteristic of the thing Internet device, is used for the subscriber identity without using a subscriber identity module (SIM) card or a universal subscriber identity module (USIM) card. A base station apparatus for subscriber authentication of a mobile Internet object Internet device,
A transceiver for transmitting and receiving a wireless signal;
And a processor operatively coupled to the transceiver, wherein the processor
Characterized in that a measurement value which is a characteristic characteristic of the object Internet device is used for the subscriber identity without using a subscriber identity module (SIM) card or a universal subscriber identity module (USIM).

Images