WO2005018146A1 - Apparatus and method of authentication for user of fixed network terminal - Google Patents


Info

Publication number
WO2005018146A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
user
smart card
fixed network
network terminal
Prior art date
Application number
PCT/CN2004/000382
Other languages
French (fr)
Chinese (zh)
Inventor
Zhongyi Fan
Original Assignee
Huawei Technologies Co., Ltd.
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2005018146A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards

Definitions

  • The present invention relates to the field of network communication technologies, and in particular to a user authentication device and method for a fixed network terminal.
  • An IP (Internet Protocol) network is an open network structure: network services that a user may enjoy only after obtaining the corresponding rights, for example by paying a fee, are easily stolen by other fixed network terminal users. A strict and effective authentication and authorization mechanism for fixed network terminal users is therefore particularly important for voice terminals, multimedia terminals, Ephone terminals, IAD terminals and intelligent terminal equipment. At the same time, effective authentication of fixed network terminal users also protects the interests of the network operators who provide the services.
  • The user authentication and authorization mechanisms currently provided by fixed network terminals usually fall into two types.
  • First type: the user identification code and the authentication key are stored directly in non-volatile memory inside the fixed network terminal device, and the user or the operator can modify them as needed. When a user of the terminal registers with the management device, the internally stored user identification code and authentication key are used in the data exchange with the management device to authenticate and authorize that user; a user who passes can use the services the network provides.
  • Second type: the user identification code and the authentication key are not kept on the fixed network terminal. When a user of the terminal registers with the management device, the user is first prompted to enter the identification code and the user password (that is, the authentication key); the terminal then uses this information in the data exchange with the management device to authenticate and authorize the user, and a user who passes can use the services the network provides.
  • The two methods above authenticate and authorize fixed network terminal users so that only users who pass can use the services the network provides, but they have the following disadvantages.
  • Where the user identification code and the authentication key are stored in non-volatile memory inside the terminal device, they are comparatively easy to read, rewrite and misappropriate, so the security of network communication cannot be guaranteed; the user's mobility also suffers, because the identification code and key must be set again whenever the user moves to another terminal.
  • Both methods also scale poorly: updating or upgrading the authentication algorithm is inconvenient, so a more effective algorithm cannot easily be offered to fixed network terminal users.
  • Both methods also confine the services a network operator can offer to the functions provided by the fixed network terminal itself, so new kinds of service cannot conveniently be introduced.
  • An object of the present invention is to provide a user authentication device and method for a fixed network terminal that effectively prevent user accounts from being stolen and make it convenient for operators to manage fixed network terminals and their users.
  • A user authentication device for a fixed network terminal includes: a smart card processing module, which stores the authentication information of the terminal's user and exchanges data with the authentication and authorization processing module on the basis of that stored information; and an authentication and authorization processing module, which calls up the user authentication information stored in the smart card processing module and authenticates the fixed network terminal through data exchange with the smart card processing module and with the management device.
  • The smart card processing module includes:
  • a smart card, with a built-in computing unit and storage unit, used to store the authentication information of the user of the fixed network terminal and to carry out the authentication computation;
  • an authentication information processing sub-module, used to send the user's authentication information from the smart card to the authentication and authorization processing module, or to hand information received from that module to the smart card for processing and return the processed result to it.
  • The authentication information in the smart card is kept in its storage component, which also serves as the carrier of user application programs that provide value-added services.
  • The authentication information processing sub-module includes a CPU (central processing unit) chip.
  • The smart card and the authentication information processing sub-module are joined by a detachable, removable connection.
  • The smart card processing module is either built into the fixed network terminal device or attached to it externally, and is connected to the authentication and authorization processing module in the terminal device.
  • When the smart card processing module is external to the fixed network terminal device, it is connected to the authentication and authorization processing module in the terminal through a wired or wireless interface such as a USB (Universal Serial Bus) interface, a serial interface, an infrared interface or a Bluetooth interface.
  • The present invention further provides a user authentication method for a fixed network terminal based on the device of claim 1, comprising:
  • A. the authentication and authorization processing module of the fixed network terminal obtains the user's authentication information from the smart card processing module and sends it to the management device;
  • B. the management device generates a corresponding challenge word from the user's authentication information and sends it back to the smart card processing module through the authentication and authorization processing module;
  • C. the smart card processing module passes the received challenge word to the smart card, which computes the corresponding authentication word from the challenge word and the user authentication information it holds internally, and the authentication word is returned to the management device;
  • D. the management device authenticates the user's identity from the received authentication word and returns the result to the fixed network terminal.
  • The authentication information includes a user identification code, an authentication key and an authentication algorithm.
  • In step A, the authentication and authorization processing module of the fixed network terminal obtains the user identification code from the smart card processing module and sends it to the management device.
  • In step C, the smart card processing module sends the received challenge word to the smart card, which uses the internally stored authentication key and authentication algorithm to compute the corresponding authentication word, and the authentication word is returned to the management device.
  • Step C further includes: from the received challenge word and the internally stored user authentication information, the smart card can also generate an encryption key for encrypting service communication data and send it to the fixed network terminal.
  • The present invention uses a smart card to store the user identification code and the authentication key; the fixed network terminal obtains the user identification code through the smart card and sends it to the management device for authentication and authorization processing. Compared with the prior art, the present invention therefore has the following advantages:
  • Because the user identification code and the authentication key are stored in the smart card, nobody else can obtain them, and the smart card is designed so that the authentication key cannot be read out; user accounts are thus effectively protected from theft and impersonation, and the user's interests are not infringed.
  • Through cooperation with the smart card, the invention achieves mature authentication, authorization and data encryption, so that fixed network terminals can be operated and managed and the interests of operators are well protected.
  • The smart card processing module makes it easier to offer a better authentication and authorization mechanism in network communication; moreover, improvements can be made directly in the smart card processing module to provide a variety of services. For example, a high-performance CPU and large-capacity memory can be integrated into the smart card and electronic banking implemented on the terminal by running the corresponding programs, so that fixed network terminals such as IAD and intelligent terminals can offer richer network services without being upgraded, which helps network operators expand their services.
  • Fig. 1 is a first schematic structural diagram of the user authentication device for a fixed network terminal according to the present invention;
  • Fig. 2 is a second schematic structural diagram of the user authentication device for a fixed network terminal according to the present invention.
  • The core of the user authentication device and method for a fixed network terminal according to the present invention is to secure the user identification code and the authentication key so that the interests of network operators and users are not infringed; reliable storage and use of the user identification code and the authentication key, so that they cannot be arbitrarily rewritten or misappropriated, is an important prerequisite and guarantee for operating and managing fixed network terminals.
  • The invention therefore adopts a user authentication device and method that combine a fixed network terminal with a smart card, the smart card storing the user identification code and the authentication key.
  • The smart card used includes the common SIM (Subscriber Identity Module) card, the user identifier module (UIM) card, the IC (Integrated Circuit) card, memory cards, microprocessor cards and the like, used together with the corresponding authentication information processing.
  • The specific implementation of the device according to the present invention is shown in FIG. 1 and FIG. 2 and includes an authentication and authorization processing module and a smart card processing module, where:
  • the authentication and authorization processing module is located in the fixed network terminal. The terminal obtains the user authentication information, that is, the user identification code, and initiates an authentication procedure towards the management device to verify whether the user's identity is legitimate. The module transfers the data involved in the authentication procedure between the management device, which is responsible for authenticating and authorizing the user, and the smart card processing module;
  • the smart card processing module further includes a smart card and an authentication information processing sub-module, wherein:
  • the smart card has a built-in computing component and a storage component for storing the user authentication information and performing the authentication computation. The authentication information usually includes a user identification code, an authentication key and an authentication algorithm; the identification code, key and algorithm in the smart card are processed by methods held in the card's storage component, a design that prevents any user from stealing or modifying the authentication information. The smart card and the authentication information processing sub-module use a detachable, removable connection, like that between a SIM card and a mobile phone;
  • the authentication information processing sub-module sends the user's authentication information from the smart card to the authentication and authorization processing module. When the user needs to be authenticated, the sub-module calls up the user's authentication information and sends it to the authentication and authorization processing module, or hands information received from that module to the smart card for processing (usually the authentication computation using the algorithm stored in the card) and sends the result back to the authentication and authorization processing module, which in turn forwards to the management device whatever must reach it. In other words, the authentication information processing sub-module drives the smart card, reads and writes the authentication information, encrypts data and performs similar functions.
  • The device according to the present invention may be implemented in two specific schemes. In the first, shown in FIG. 1, the smart card processing module is combined with a fixed network terminal such as an IAD terminal or an intelligent terminal: the authentication information processing module, which reads and writes the user's authentication information, is integrated directly into the fixed network terminal, and the CPU of the terminal can implement the functions of the authentication information processing module. The clock line, reset line and data line are connected, and the smart card and the fixed network terminal use a detachable, removable connection so that the user can remove the card. A smart card socket is installed inside the intelligent terminal; its size can follow that of a SIM card socket, and the I/O (input/output) interface of the terminal's CPU is connected directly or indirectly to the contacts on the smart card.
  • In the second scheme, the smart card processing module is installed externally on the fixed network terminal, that is, it is connected to the terminal by wire or wirelessly and communicates with the terminal's authentication and authorization processing module. The wired or wireless connection includes connection to the fixed network terminal through a USB interface, a serial port, an infrared interface, a Bluetooth interface and the like, and the functions of the authentication information processing module in the smart card processing module can be implemented by a CPU chip. The authentication information processing module further includes an interface driver for communicating with the authentication and authorization processing module. The smart card and the authentication information processing module are detachably connected, so the smart card can be removed from the authentication information processing module and used in another fixed network terminal.
  • A user can thus easily change the fixed network terminal after moving to another physical location, while the interests of both the user and the network operator remain protected.
  • The present invention thus proposes a highly secure authentication and authorization mechanism for fixed network terminals such as voice terminals, multimedia terminals, IAD (integrated access device) terminals and intelligent terminals, and uses the mature authentication, authorization and data encryption technologies of smart cards such as SIM cards to make fixed network terminals comparatively easy to operate and manage.
  • The fixed network terminal includes, but is not limited to, voice terminals, multimedia terminals, Ephone terminals, IAD terminals, MTA terminals, intelligent terminals, computer terminals and the like.
  • The smart card of the present invention includes, but is not limited to, IC (Integrated Circuit) cards, memory cards, microprocessor cards, SIM cards, UIM cards and the like.
  • The present invention also provides a user authentication method for a fixed network terminal. The specific implementation of the method is shown in FIG. 3 and includes the following steps:
  • Step 31: when a user needs to obtain a service through the communication network, the management device of the communication network must first authenticate the user's identity, so the fixed network terminal device reads the user identification code from the smart card in the smart card processing module in order to carry out the corresponding authentication processing.
  • Step 32: the fixed network terminal initiates an authentication request to the management device with the user identification code.
  • Step 33: after receiving the user identification code, the management device sends a randomly generated challenge word (a random number) back to the fixed network terminal.
  • Step 34: the fixed network terminal sends the challenge word to the authentication information processing module of the smart card processing module for the next stage of authentication processing.
  • Step 35: the authentication information processing module passes the challenge word to the smart card, which computes internally, from the challenge word and the authentication key, authentication algorithm and so on stored inside it, the corresponding authentication word and encryption key, and returns both to the fixed network terminal; the authentication word is sent on to the management device to complete user authentication, and the encryption key can be used to encrypt data in the subsequent service communication.
  • Step 36: the fixed network terminal sends the authentication word to the management device, which compares it with the authentication word it computes itself using the same authentication algorithm and authentication key, thereby authenticating and authorizing the user.
  • Step 37: the authentication result, which is either success or failure, is sent back to the fixed network terminal. After successful authentication, the fixed network terminal can carry out the corresponding services; for example, the terminal can then use the communication network for voice services.
  • Because the user identification code and the authentication key in the smart card are unknowable to the user, the authentication information is effectively protected from theft and modification; moreover, the rights carried by a smart card can be granted to one particular user only, which effectively prevents a single identity from being used by many people and safeguards the interests of network operators and users. At the same time, only random numbers, authentication words and encrypted data are transmitted over the public network, so the user's authentication information cannot be stolen in transit either.
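The challenge-response exchange of steps A to D and steps 31 to 37 above, modelled end to end in Python as an added example; it is not part of the patent and not Huawei code. The patent fixes neither the authentication algorithm nor the challenge format, so HMAC-SHA256 as the card's algorithm, the 16-byte challenge, the sample subscriber identifier and key, and every class and function name here are assumptions. The point the model makes visible is the one the patent relies on: the terminal never holds the key, only the identification code, a random challenge and the authentication word cross the network, and a recorded authentication word cannot be replayed because the management device consumes each challenge.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


def derive(auth_key: bytes, label: bytes, challenge: bytes) -> bytes:
    # Assumed authentication algorithm (HMAC-SHA256), run by the card and by the
    # management device. The label separates the authentication word from the
    # encryption key so that one never reveals the other.
    return hmac.new(auth_key, label + challenge, hashlib.sha256).digest()


class SmartCard:
    """Stores the user identification code and the authentication key; the key
    is used only inside compute() and no method returns it."""

    def __init__(self, user_id: str, auth_key: bytes) -> None:
        self._user_id = user_id
        self._auth_key = auth_key

    def user_id(self) -> str:
        return self._user_id

    def compute(self, challenge: bytes) -> tuple[bytes, bytes]:
        # Step 35: authentication word plus an encryption key for later traffic.
        return (derive(self._auth_key, b"auth", challenge),
                derive(self._auth_key, b"enc", challenge))


class ManagementDevice:
    """Operator side: holds each subscriber's key, issues fresh challenges and
    checks the authentication words that come back."""

    def __init__(self, subscribers: dict[str, bytes]) -> None:
        self._subscribers = subscribers
        self._pending: dict[str, bytes] = {}
        self.session_keys: dict[str, bytes] = {}

    def challenge(self, user_id: str) -> bytes | None:
        # Step 33: unknown identification codes get nothing; known ones get
        # 16 fresh random bytes, remembered until the answer arrives.
        if user_id not in self._subscribers:
            return None
        challenge = secrets.token_bytes(16)
        self._pending[user_id] = challenge
        return challenge

    def verify(self, user_id: str, auth_word: bytes) -> bool:
        # Step 36: recompute with the same key and algorithm, compare in
        # constant time. The challenge is consumed whatever the outcome, so a
        # captured authentication word is useless a second time.
        challenge = self._pending.pop(user_id, None)
        if challenge is None:
            return False
        key = self._subscribers[user_id]
        if not hmac.compare_digest(derive(key, b"auth", challenge), auth_word):
            return False
        self.session_keys[user_id] = derive(key, b"enc", challenge)
        return True


class FixedNetworkTerminal:
    """Holds no secret: reads the identification code from the card and relays
    the challenge and the authentication word (steps 31 to 37)."""

    def __init__(self, card: SmartCard) -> None:
        self.card = card
        self.session_key: bytes | None = None

    def authenticate(self, mgmt: ManagementDevice) -> bool:
        user_id = self.card.user_id()
        challenge = mgmt.challenge(user_id)
        if challenge is None:
            return False
        auth_word, enc_key = self.card.compute(challenge)
        ok = mgmt.verify(user_id, auth_word)
        self.session_key = enc_key if ok else None
        return ok


# Constructed sample data: one subscriber provisioned at the management device.
SUBSCRIBER_ID = "user-0001"
SUBSCRIBER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def demo() -> dict[str, bool]:
    # A genuine card passes; a card with the same identification code but a
    # different key fails; both ends agree on the encryption key.
    mgmt = ManagementDevice({SUBSCRIBER_ID: SUBSCRIBER_KEY})
    genuine = FixedNetworkTerminal(SmartCard(SUBSCRIBER_ID, SUBSCRIBER_KEY))
    wrong_key = FixedNetworkTerminal(SmartCard(SUBSCRIBER_ID, b"\x00" * 16))
    return {
        "genuine_card": genuine.authenticate(mgmt),
        "same_id_wrong_key": wrong_key.authenticate(mgmt),
        "session_key_agreed": genuine.session_key == mgmt.session_keys[SUBSCRIBER_ID],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

`FixedNetworkTerminal` has no attribute that could hold an authentication key, which is the design property the patent claims over storing the key in the terminal's non-volatile memory; the only way to pass `verify` is to answer the current challenge with the matching key, so copying the identification code alone, or recording an earlier authentication word, does not help.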

Abstract

The invention provides an apparatus and a method for user authentication of a fixed network terminal. The user identification code is kept in a smart card; the fixed network terminal obtains the user identification code from the smart card and completes the user authentication process. Because the user cannot see the user identification code and the authentication key stored in the smart card, the user account is effectively protected from being embezzled and imitated, and the interests of operators and users are guaranteed. In addition, by improving the smart card processing module and updating the user authentication information stored in the smart card, the invention more conveniently provides a better authentication mechanism in network communication, and corresponding improvements can be made directly in the smart card processing module to realize many kinds of service, which makes it convenient for network operators to expand their services.

Description

User authentication device for a fixed network terminal and method thereof
Technical field
The present invention relates to the field of network communication technologies, and in particular to a user authentication device and method for a fixed network terminal.
Background
In network communication, fixed network terminal devices such as voice terminals, multimedia terminals, Ephone terminals, IAD (Integrated Access Device) terminals, MTA (Multimedia Terminal Adapter) terminals and intelligent terminal devices are relatively cheap and easy for users to obtain, so they have gradually come into wide use among network users, mainly for access to IP (Internet Protocol) networks and for obtaining the corresponding services through them. An IP network is an open network structure: network services that a user may enjoy only after obtaining the corresponding rights, for example by paying a fee, are easily stolen by other fixed network terminal users. A strict and effective authentication and authorization mechanism for fixed network terminal users is therefore particularly important for voice terminals, multimedia terminals, Ephone terminals, IAD terminals and intelligent terminal devices; at the same time, effective authentication of fixed network terminal users also protects the interests of the network operators who provide the services.
Generally, in order to authenticate and authorize a user's identity effectively, it must first be ensured that, while a fixed network terminal device such as an IAD or intelligent terminal registers with the management device, nobody else can intentionally or unintentionally obtain the user's critical authentication information. The user's authentication key (that is, the user password) and the authentication algorithm are therefore not transmitted over the network; instead, a dedicated authentication procedure exchanges the user identification code, a challenge word and an authentication word between the terminal and the management device, completing the user's authentication and authorization while preventing the user's information from being stolen as far as possible. At the same time, to further secure the user identification code and the authentication key, the way they are stored also needs corresponding security treatment. On this basis, the user authentication and authorization mechanisms currently provided by fixed network terminals usually fall into the following two types:
First type: the user identification code and the authentication key are stored directly in non-volatile memory inside the fixed network terminal device, and the user or the operator can modify them as needed. When a user of the terminal registers with the management device, the internally stored user identification code and authentication key are used in the data exchange with the management device to authenticate and authorize that user; a user who passes can use the services the network provides.
Second type: the user identification code and the authentication key are not kept on the fixed network terminal. When a user of the terminal registers with the management device, the user is first prompted to enter the identification code and the user password (that is, the authentication key); the terminal then uses this information in the data exchange with the management device to authenticate and authorize the user, and a user who passes can use the services the network provides.
The two methods above authenticate and authorize fixed network terminal users so that only users who pass can use the services the network provides. They do, however, have the following disadvantages:
1. If the user identification code and the authentication key are stored in non-volatile memory inside the fixed network terminal device, they are comparatively easy to read, rewrite and misappropriate, so the security of network communication cannot be guaranteed; the user's mobility also suffers, because the identification code and key must be set again whenever the user moves to another terminal.
2. If the user enters the user identification code and the authentication key, then, because the user knows them, the same user identification code can be used by several people in several places, so the user's identity cannot be properly established and the operator's interests are harmed.
3. Both methods also share the disadvantage of poor scalability: updating or upgrading the authentication algorithm is inconvenient, so a more effective algorithm cannot easily be offered to fixed network terminal users. In addition, both confine the services a network operator can offer to the functions provided by the fixed network terminal itself, so new kinds of service cannot conveniently be introduced.
Summary of the invention
鉴于上述现有技术存在的问题,本发明的目的是提供一种固定网 络终端的用户认证装置及其方法, 以有效防止用户帐号被盗用, 并为 运营商对固定网络终端及相应用户的管理提供了方便。  In view of the problems existing in the prior art, an object of the present invention is to provide a user authentication device and method for a fixed network terminal, so as to effectively prevent the theft of user accounts and provide operators with management of the fixed network terminal and corresponding users. It's convenient.
本发明的目的是通过以下技术方案实现的:  The object of the present invention is achieved by the following technical solutions:
本发明所述的一种固定网络终端的用户认证装置, 包括: 智能卡处理模块: 用于存储固定网络终端的用户的认证信息, 并 根据保存的用户的认证信息与认证、 鉴权处理模块进行数据交互; 认证、鉴权处理模块: 调用智能卡处理模块中存储的固定网络终 端的用户的认证信息, 并通过与智能卡处理模块间的数据交互, 以及 与管理设备间的数据交互对固定网络终端进行认证。 A user authentication device for a fixed network terminal according to the present invention includes: a smart card processing module: configured to store authentication information of a user of the fixed network terminal, and perform data according to the saved user authentication information and the authentication and authentication processing module. Interaction; authentication and authentication processing module: calling the authentication information of the user of the fixed network terminal stored in the smart card processing module, and exchanging data with the smart card processing module, and Data interaction with the management device authenticates the fixed network terminal.
The smart card processing module comprises:
a smart card, with a built-in computing component and storage component, for storing the authentication information of the user of the fixed network terminal and performing the authentication computation;
an authentication information processing sub-module, for sending the user's authentication information held in the smart card to the authentication processing module, or passing information received from the authentication processing module to the smart card for processing of the authentication information, and sending the processed information back to the authentication processing module.
The authentication information in the smart card is stored in the storage component, and the storage component also serves as the carrier of user application programs that provide value-added services.
The authentication information processing sub-module comprises a CPU (central processing unit) chip.
The smart card and the authentication information processing sub-module are joined by a detachable, removable connection.
The smart card processing module is either built into the fixed network terminal device or externally attached to it, and is connected to the authentication processing module in the fixed network terminal device.
When the smart card processing module is externally attached to the fixed network terminal device, it is connected to the authentication processing module in the fixed network terminal device through a wired or wireless interface such as a USB (universal serial bus) interface, a serial interface, an infrared interface or a Bluetooth interface.
The present invention also provides a user authentication method for a fixed network terminal based on the apparatus of claim 1, comprising:
A. the authentication processing module of the fixed network terminal obtains the user's authentication information from the smart card processing module and sends the authentication information to the management device;
B. the management device generates a corresponding challenge word according to the received user authentication information and returns it to the smart card processing module through the authentication processing module;
C. the smart card processing module sends the received challenge word to the smart card; the smart card performs a computation using the user authentication information it holds internally to generate the corresponding authentication word, which is returned to the management device;
D. the management device authenticates the user's identity according to the received authentication word and returns the authentication result to the fixed network terminal.
The authentication information comprises a user identification code, an authentication key and an authentication algorithm.
Step A is then: the authentication processing module of the fixed network terminal obtains the user identification code from the smart card processing module and sends the user identification code to the management device.
Step C is then: the smart card processing module sends the received challenge word to the smart card; the smart card performs a computation using the internally stored user authentication key and authentication algorithm to generate the corresponding authentication word, which is returned to the management device.
Step C further comprises:
the smart card may also, from the received challenge word and the internally stored user authentication information, generate an encryption key for encrypting service communication data and send it to the fixed network terminal.
As can be seen from the technical solution provided above, the present invention uses a smart card to store the user identification code and authentication key; the fixed network terminal obtains the user identification code through the smart card and sends it to the management device for authentication of the user. Compared with the prior art, the present invention therefore has the following advantages:
1. Since the user identification code and authentication key are stored in the smart card, others cannot obtain them, and the smart card is designed so that the authentication key cannot be read out; this effectively prevents user accounts from being stolen or impersonated and protects the user's interests;
2. By working with the smart card, the present invention implements complete authentication and data encryption techniques, making fixed network terminals operable and manageable and protecting the operator's interests;
3. Through technical improvements to the smart card processing module and updates of the user authentication information stored in its smart card, a better authentication mechanism can conveniently be provided in network communication. Moreover, a variety of services can be implemented by improving the smart card processing module itself: for example, a high-performance CPU and large-capacity memory can be integrated in the smart card, and by running the corresponding programs, services such as electronic banking can be provided on the terminal. Richer services can thus be offered in the network without upgrading fixed network terminals such as IADs or intelligent terminals themselves, which makes it easier for the network operator to expand its services.

Brief Description of the Drawings
Fig. 1 is a first schematic structural diagram of the user authentication apparatus for a fixed network terminal according to the present invention;
Fig. 2 is a second schematic structural diagram of the user authentication apparatus for a fixed network terminal according to the present invention;
Fig. 3 is a flowchart of the user authentication method for a fixed network terminal according to the present invention.

Detailed Description of the Embodiments
The core of the user authentication apparatus and method for a fixed network terminal according to the present invention is to secure the user identification code and authentication key so that the interests of the network operator and the user are not harmed. Reliable storage and use of the user identification code and authentication key, ensuring that they cannot be arbitrarily rewritten or stolen, is therefore an essential prerequisite and guarantee for fixed network terminals to be operable and manageable.
The present invention adopts a user authentication apparatus and method in which a fixed network terminal is combined with a smart card. The smart card stores the user identification code and authentication key; the smart cards used include the currently common SIM (Subscriber Identity Module) card, UIM (User Identity Module) card, IC (integrated circuit) card, memory card, microprocessor card and so on. The smart card and the corresponding authentication information processing module cooperate with the fixed network terminal to perform authentication and data encryption processing, which resolves many of the problems of the prior art, facilitates the network operator's operation and management of fixed network terminals, and ensures that the user's interests are not harmed.
A specific embodiment of the apparatus according to the present invention is shown in Fig. 1 and Fig. 2 and comprises an authentication processing module and a smart card processing module, wherein:
the authentication processing module is located in the fixed network terminal; through this module the fixed network terminal obtains the user's authentication information, namely the user identification code, and initiates the authentication process with the management device to verify whether the user's identity is legitimate. That is, the authentication processing module relays the data involved in the authentication process between the management device, which is responsible for the user's authentication processing, and the smart card processing module;
the smart card processing module further comprises a smart card and an authentication information processing sub-module, wherein:
the smart card has a built-in computing component and storage component for storing the user's authentication information and performing the authentication computation. The authentication information usually comprises the user identification code, authentication key and authentication algorithm, and this authentication information can be handled by keeping it in the storage component of the smart card, which is designed so that no user can steal or modify the authentication information in it. The smart card and the authentication information processing sub-module are usually joined by a detachable, removable connection, that is, in the same way as a SIM card is connected to a mobile phone;
the authentication information processing sub-module sends the user's authentication information in the smart card to the authentication processing module; for example, when the user needs to be authenticated, the authentication information processing sub-module reads out the user's authentication information and sends it to the authentication processing module. Alternatively, it processes the authentication information according to information received from the authentication processing module (usually the authentication computation according to the authentication algorithm held in the smart card) and sends the resulting information to the authentication processing module, which forwards whatever needs to be sent to the management device. In other words, the authentication information processing sub-module implements the smart card driver, the reading and writing of authentication information, data encryption and similar functions.
The apparatus according to the present invention can be implemented in two specific ways:
In the first, shown in Fig. 1, the smart card processing module is built into a fixed network terminal such as an IAD terminal or an intelligent terminal. That is, the authentication information processing module of the smart card processing module, which reads and writes the user's authentication information, is integrated directly into the fixed network terminal, and its functions can be performed by the CPU of the fixed network terminal. The CPU and the smart card are connected through a clock line, a reset line and a data line, while the smart card and the fixed network terminal are joined by a detachable, removable connection: the user can install his own smart card in a given fixed network terminal and, after passing the corresponding identity authentication, use the services the network operator provides through the communication network as normal. In this scheme a smart card socket therefore has to be installed inside the intelligent terminal, whose dimensions may follow those of a SIM card socket; the I/O (input/output) interface of the CPU in the fixed network terminal is connected directly or indirectly to the contacts of the smart card, and the terminal's own CPU performs the smart card driving, reading and writing, data encryption and related functions;
In the second, shown in Fig. 2, the smart card processing module is external to the fixed network terminal. That is, the smart card processing module is connected to the fixed network terminal by wire or wirelessly and communicates with the authentication processing module in the fixed network terminal; the wired or wireless connection includes connection to the fixed network terminal through a USB interface, serial port, infrared interface, Bluetooth interface and so on. The functions of the authentication information processing module in the smart card processing module can be implemented by a CPU chip, and the authentication information processing module also includes an interface driver for communicating with the authentication processing module. In this scheme the smart card and the authentication information processing module are joined by a detachable, removable connection, so that the smart card can be removed from the authentication information processing module for convenient use in another fixed network terminal.
As can be seen from the two implementations above, in the present invention the user can conveniently change the fixed network terminal he uses after moving to a different physical location, while the interests of both the user and the network operator remain protected.
The present invention therefore provides a highly secure authentication mechanism for fixed network terminals such as voice terminals, multimedia terminals, IAD (integrated access device) terminals and intelligent terminals. Moreover, by drawing on the mature authentication and data encryption techniques of smart cards such as SIM cards, it makes fixed network terminals operable and manageable in a relatively simple way.
The fixed network terminals according to the present invention include, but are not limited to, the various voice terminals, multimedia terminals, Ephone terminals, IAD terminals, MTA terminals, intelligent terminals, computer terminals and so on in current use.
The smart cards according to the present invention include, but are not limited to, the various IC (integrated circuit) cards, memory cards, microprocessor cards, SIM cards, UIM cards and so on in current use.
Based on the apparatus described above, the present invention also provides a user authentication method for a fixed network terminal. A specific implementation of the method is shown in Fig. 3 and comprises the following steps:
Step 31: When a user wants to obtain the services provided by the network operator through the communication network, the management device of the communication network first has to authenticate the user's identity. At this point the fixed network terminal device has to read the user identification code from the smart card of the smart card processing module so that the corresponding authentication processing can be carried out.
Step 32: The fixed network terminal initiates an authentication request to the management device using the user identification code.
Step 33: After receiving the user identification code, the management device sends a randomly generated challenge word or random number back to the fixed network terminal.
Step 34: The fixed network terminal sends the challenge word to the authentication information processing module of the smart card processing module for the next step, the authentication computation.
Step 35: After receiving the challenge word, the authentication information processing module sends it to the smart card. The smart card performs an internal computation using the challenge word together with its internally stored authentication key and authentication algorithm to obtain the corresponding authentication word and encryption key, and returns both to the fixed network terminal. The authentication word is sent to the management device to complete user authentication; the encryption key can be used to encrypt data in subsequent service communication.
Step 36: The fixed network terminal sends the authentication word to the management device, which compares it with the authentication word it has computed itself using the same authentication algorithm and authentication key, thereby authenticating the user.
Step 37: The authentication result, which is either success or failure, is sent back to the fixed network terminal. A user who passes authentication (that is, is authenticated successfully) can then use the fixed network terminal for the corresponding services; a voice terminal, for example, can use the communication network for voice services.
In the present invention, the user identification code and authentication key in the smart card are not knowable by the user, so the authentication information is effectively protected against theft and modification. Moreover, the smart card can be issued to only one user, which effectively prevents one identity from being used by several users and protects the interests of the network operator and the user. At the same time, only the random number, the authentication word and encrypted data are transmitted over the public network, so the user's authentication information cannot be stolen in transit either.
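The exchange of steps 31 to 37 above (and steps A to D of the summary), modelled as an added example that is not part of the patent: a smart card that never exposes its key, the terminal's authentication processing module relaying the messages, and a management device that issues a single-use random challenge and recomputes the authentication word. The patent names no concrete authentication algorithm, so HMAC-SHA256 stands in for it, and the user identification codes, keys and message names are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Added illustration, not the patent's own code. The patent names no concrete
# authentication algorithm; HMAC-SHA256 stands in for it. Identifiers and keys
# below are constructed sample values.


class SmartCard:
    """Smart card with a storage component (user identification code and
    authentication key) and a computing component. The key never leaves the
    card: the only outputs are the user identification code and the results
    of the authentication computation (steps 31 and 35)."""

    def __init__(self, user_id: str, auth_key: bytes) -> None:
        self.user_id = user_id
        self.__auth_key = auth_key  # held internally, no getter

    def read_user_id(self) -> str:
        return self.user_id

    def compute(self, challenge: bytes) -> tuple[bytes, bytes]:
        """Step 35: authentication word and encryption key from the challenge."""
        auth_word = hmac.new(self.__auth_key, b"auth|" + challenge, hashlib.sha256).digest()
        enc_key = hmac.new(self.__auth_key, b"enc|" + challenge, hashlib.sha256).digest()
        return auth_word, enc_key


class ManagementDevice:
    """Operator-side management device holding each subscriber's key."""

    def __init__(self, subscribers: dict[str, bytes]) -> None:
        self.subscribers = subscribers
        self.pending: dict[str, bytes] = {}  # user_id -> outstanding challenge

    def start_auth(self, user_id: str) -> bytes | None:
        """Step 33: a fresh random challenge word, or None for an unknown user."""
        if user_id not in self.subscribers:
            return None
        challenge = secrets.token_bytes(16)
        self.pending[user_id] = challenge
        return challenge

    def verify(self, user_id: str, auth_word: bytes) -> bool:
        """Step 36: recompute with the same algorithm and key and compare.
        The challenge is consumed, so an authentication word captured from an
        earlier exchange cannot be replayed."""
        challenge = self.pending.pop(user_id, None)
        if challenge is None:
            return False
        expected = hmac.new(self.subscribers[user_id], b"auth|" + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, auth_word)


def authenticate(card: SmartCard, mgmt: ManagementDevice,
                 transcript: list | None = None) -> tuple[bool, bytes | None]:
    """The fixed network terminal's authentication processing module, steps 31-37.
    Returns (result, encryption key for later service traffic or None).
    If `transcript` is given, every value that crosses the public network is
    appended to it as (direction, name, value)."""
    log = transcript if transcript is not None else []
    user_id = card.read_user_id()                       # 31: read the code from the card
    log.append(("terminal->mgmt", "user_id", user_id))  # 32: authentication request
    challenge = mgmt.start_auth(user_id)                # 33: random challenge word
    if challenge is None:
        return False, None
    log.append(("mgmt->terminal", "challenge", challenge))
    auth_word, enc_key = card.compute(challenge)        # 34, 35: card computes
    log.append(("terminal->mgmt", "auth_word", auth_word))
    ok = mgmt.verify(user_id, auth_word)                # 36: compare
    log.append(("mgmt->terminal", "result", ok))        # 37: result back to terminal
    return ok, (enc_key if ok else None)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    device = ManagementDevice({"user-0001": key})
    trace: list = []
    print(authenticate(SmartCard("user-0001", key), device, trace)[0])  # True
    print([name for _, name, _ in trace])  # the key itself never appears on the wire
```

The transcript shows only the user identification code, the challenge, the authentication word and the result crossing the network, which is the property the paragraph above relies on.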

Claims

1. A user authentication apparatus for a fixed network terminal, characterized by comprising:
a smart card processing module, for storing the authentication information of the user of the fixed network terminal and exchanging data with the authentication processing module according to the stored user authentication information;
an authentication processing module, for invoking the authentication information of the user of the fixed network terminal stored in the smart card processing module, and authenticating the fixed network terminal through the data exchange with the smart card processing module and the data exchange with the management device.
... in that the smart card processing module comprises:
a smart card, with a built-in computing component and storage component, for storing the authentication information of the user of the fixed network terminal and performing the authentication computation;
an authentication information processing sub-module, for sending the user's authentication information held in the smart card to the authentication processing module, and passing information received from the authentication processing module to the smart card for processing of the authentication information, and sending the processed information to the authentication processing module.
3. The user authentication apparatus for a fixed network terminal according to claim 2, characterized in that the authentication information in the smart card is stored in the storage component, and the storage component also serves as the carrier of user application programs that provide value-added services.
4. The user authentication apparatus for a fixed network terminal according to claim 2, characterized in that the authentication information processing sub-module comprises a CPU (central processing unit) chip.
5. The user authentication apparatus for a fixed network terminal according to claim 2, characterized in that the smart card and the authentication information processing sub-module are joined by a detachable, removable connection.
6. The user authentication apparatus for a fixed network terminal according to claim 1 or 2, characterized in that the smart card processing module is built into the fixed network terminal device or externally attached to it, and is connected to the authentication processing module in the fixed network terminal device.
7. The user authentication apparatus for a fixed network terminal according to claim 6, characterized in that:
when the smart card processing module is externally attached to the fixed network terminal device, it is connected to the authentication processing module in the fixed network terminal device through a wired or wireless interface such as a USB (universal serial bus) interface, a serial interface, an infrared interface or a Bluetooth interface.
8. A user authentication method for a fixed network terminal based on the apparatus of claim 1, characterized by comprising:
A. the authentication processing module of the fixed network terminal obtains the user's authentication information from the smart card processing module and sends the authentication information to the management device;
... returned to the smart card processing module through the authentication processing module;
C. the smart card processing module sends the received challenge word to the smart card; the smart card performs a computation using the user authentication information it holds internally to generate the corresponding authentication word, which is returned to the management device;
D. the management device authenticates the user's identity according to the received authentication word and returns the authentication result to the fixed network terminal.
9. The user authentication method for a fixed network terminal according to claim 8, characterized in that:
the authentication information comprises a user identification code, an authentication key and an authentication algorithm;
step A is: the authentication processing module of the fixed network terminal obtains the user identification code from the smart card processing module and sends the user identification code to the management device;
step C is: the smart card processing module sends the received challenge word to the smart card; the smart card performs a computation using the internally stored user authentication key and authentication algorithm to generate the corresponding authentication word, which is returned to the management device.
... characterized in that step C further comprises:
the smart card generates, from the received challenge word and the internally stored user authentication information, an encryption key for encrypting service communication data and sends it to the fixed network terminal.
PCT/CN2004/000382 2003-08-19 2004-04-21 Apparatus and method of authentication for user of fixed network terminal WO2005018146A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN03155212.9 2003-08-19
CNB031552129A CN100449990C (en) 2003-08-19 2003-08-19 User centrificating apparatus and method for fixed network terminal

Publications (1)

Publication Number Publication Date
WO2005018146A1 true WO2005018146A1 (en) 2005-02-24

Family

ID=34156830

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2004/000382 WO2005018146A1 (en) 2003-08-19 2004-04-21 Apparatus and method of authentication for user of fixed network terminal

Country Status (3)

Country Link
CN (1) CN100449990C (en)
HK (1) HK1074936A1 (en)
WO (1) WO2005018146A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110210187A (en) * 2019-04-24 2019-09-06 西安中力科技有限公司 Have and prevents counterfeit APP weight discriminating method

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1870770B (en) * 2006-01-10 2012-03-21 华为技术有限公司 System and method for identifying user terminal capacity
US7930554B2 (en) * 2007-05-31 2011-04-19 Vasco Data Security,Inc. Remote authentication and transaction signatures
CN101170765B (en) * 2007-11-23 2012-08-08 东信和平智能卡股份有限公司 Generation and authentication method for telecommunication intelligent card
CN101316446B (en) * 2008-07-30 2012-01-11 中国电信股份有限公司 Method and system for implementing authentication with fixed network access
CN102098675A (en) * 2010-12-29 2011-06-15 大唐微电子技术有限公司 Smart card and service authentication method thereof
DE102013021158A1 (en) * 2013-12-10 2015-06-11 Fresenius Medical Care Deutschland Gmbh Method for updating and / or upgrading the operating software of an electronic device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0969347A1 (en) * 1998-06-30 2000-01-05 Bull S.A. Authentication method for protected access in a networked computer system
CN1355501A (en) * 2000-11-24 2002-06-26 香港中文大学 Intelligent card system with fingerprint matching ability
US20030005289A1 (en) * 2001-06-29 2003-01-02 Dominique Gougeon System and method for downloading of files to a secure terminal
CN2566365Y (en) * 2002-06-11 2003-08-13 上海华申智能卡应用系统有限公司 Hand-held intelligent label read-write terminal with safe module
CN1456006A (en) * 1999-10-22 2003-11-12 艾利森电话股份有限公司 Methods and arrangements in a telecommunications system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
SE9803569L (en) * 1998-10-19 2000-04-20 Ericsson Telefon Ab L M Authentication procedure and system
CN1437125A (en) * 2002-02-07 2003-08-20 朱栋雄 Interactive confirmation process

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0969347A1 (en) * 1998-06-30 2000-01-05 Bull S.A. Authentication method for protected access in a networked computer system
CN1456006A (en) * 1999-10-22 2003-11-12 艾利森电话股份有限公司 Methods and arrangements in a telecommunications system
CN1355501A (en) * 2000-11-24 2002-06-26 香港中文大学 Intelligent card system with fingerprint matching ability
US20030005289A1 (en) * 2001-06-29 2003-01-02 Dominique Gougeon System and method for downloading of files to a secure terminal
CN2566365Y (en) * 2002-06-11 2003-08-13 上海华申智能卡应用系统有限公司 Hand-held intelligent label read-write terminal with safe module

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110210187A (en) * 2019-04-24 2019-09-06 西安中力科技有限公司 APP re-authentication method with anti-counterfeiting capability

Also Published As

Publication number Publication date
HK1074936A1 (en) 2005-11-25
CN100449990C (en) 2009-01-07
CN1585331A (en) 2005-02-23

Similar Documents

Publication Publication Date Title
JP5154401B2 (en) Transaction facilitation and authentication
JP4442795B2 (en) Portable device to protect packet traffic on host platform
US9240891B2 (en) Hybrid authentication
CN100362786C (en) Method and apparatus for executing secure data transfer in wireless network
US7689250B2 (en) Method, apparatus and system for partitioning and bundling access to network services and applications
JP2004166215A (en) Method of locking mobile communication terminal
US20100062744A1 (en) Retrieving data wirelessly from a mobile device
US20070150736A1 (en) Token-enabled authentication for securing mobile devices
US20190087814A1 (en) Method for securing a payment token
JP2003018148A (en) Radio data communication device and data communication method therefor
KR20030076625A (en) Method for enabling pki functions in a smart card
US20080091604A1 (en) Method for the Compartmented Provisioning of an Electronic Service
CN100459786C (en) Method and system for controlling resources via a mobile terminal, related network and its computer program product
JP2001308850A (en) Method and device for connecting to network by communication terminal device
JP4972555B2 (en) Wireless USB network adapter with smart card
CN104700270A (en) Payment request processing method, payment request processing device and terminal
WO2019093808A1 (en) Method, apparatus, and computer-readable recording medium for safe storage of mnemonic of hardware bitcoin wallet
US20050195778A1 (en) Method and device for setting up connections between communication terminals and data and/or communication networks having wireless transmission links, such as, for example, wireless local area networks (WLAN) and/or mobile telephone networks, and a corresponding computer program and a corresponding computer-readable storage medium
WO2005018146A1 (en) Apparatus and method of authentication for user of fixed network terminal
US20100161979A1 (en) Portable electronic entity for setting up secured voice over ip communication
CN103621125A (en) Systems and methods of integrating openid with a telecommunications network
EP1675076A1 (en) System and related kit for personal authentication and managing data in integrated networks
EP1715437A2 (en) Controlling data access
EP2271146A1 (en) Authentication method and system
CN100429957C (en) Identifying method for telecommunication smart card and terminal

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 EP: the EPO has been informed by WIPO that EP was designated in this application
122 EP: PCT application non-entry in European phase