WO2006069536A1 - Method for verifying the security of a mobile terminal in a CDMA network - Google Patents


Info

Publication number
WO2006069536A1
Authority
WO
WIPO (PCT)
Prior art keywords
mobile terminal
skey
setting information
random number
hlr
Application number
PCT/CN2005/002340
Other languages
English (en)
Chinese (zh)
Inventor
Kunyang Dong
Zhengwei Wang
Tianzhen Huang
Chunyan Zhou
Jie Kong
Zhiming Zhu
Ping Guo
Bei Wang
Original Assignee
Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2006069536A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/12 Detection or prevention of fraud
    • H04W 12/126 Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning
    • H04W 8/00 Network data management
    • H04W 8/22 Processing or transfer of terminal data, e.g. status or physical capabilities
    • H04W 88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W 88/02 Terminal devices

Definitions

  • The present invention relates to mobile communication security technology, and in particular to a method for verifying the security of a mobile terminal in a code division multiple access (CDMA) communication network.
  • The separation of terminal and card (the UIM card can be moved between terminals) is very convenient for users, but it has also made theft and robbery of mobile terminals common, to the point that in some places people no longer dare to carry a terminal on their belt. In the machine-card separation mode a stolen terminal can be used without any hindrance as soon as a new UIM card is inserted, so a thief can sell the stolen terminal for profit. The user not only suffers the economic loss but also has to go through a series of procedures with the operator, such as changing the subscription data, which is a great inconvenience.
  • A common countermeasure is to set a password on the mobile terminal. For example, if a power-on password is set, the correct password must be entered every time the terminal is switched on before it can perform subsequent operations such as registering with the network; if the password is not entered correctly, the terminal cannot be used normally. A thief who obtains such a terminal cannot use or sell it without the correct password, so this method solves the theft problem to some extent.
  • EIR: Equipment Identity Register
  • IMEI: International Mobile Equipment Identity
  • The EIR-based method requires a large number of EIR devices to be built, which increases the operator's network construction cost.
  • It also requires the different operators to roll out the anti-theft service uniformly and at the same time, so that a terminal lost on one operator's network cannot be used on another operator's network; the cumbersome business coordination this requires raises the operators' operating costs and is inconvenient for them.
  • Illegal copying of UIM cards also occurs from time to time: maintenance personnel can easily copy the UIM card in a mobile terminal and insert the copied card into another terminal.
  • The person holding the duplicate UIM card can make calls or use other mobile services without the knowledge of the legitimate user, and the charges are billed to the legitimate user's account, causing the legitimate user economic loss. For example, the holder of the copied card may make calls late at night, while the legitimate user is asleep, and the legitimate user then finds a huge communication fee on the bill without knowing why.
  • Conversely, the network may reject the connection request of the terminal holding the original UIM card, so that the legitimate user cannot use their own mobile service, which may cause the legitimate user even greater economic and other losses.
  • The main object of the present invention is to provide a method for verifying the security of a mobile terminal in a CDMA network, so as to effectively prevent the mobile terminal from being stolen and to improve its security.
  • A mobile terminal security verification method in a CDMA network includes at least:
  • a. setting and saving a security key (SKEY) corresponding to the mobile terminal in advance, in both the mobile terminal and a network device;
  • b. when the security of the mobile terminal needs to be verified, the network device generates verification information according to the SKEY corresponding to the mobile terminal and sends the verification information to the mobile terminal;
  • c. the mobile terminal determines, according to the verification information received from the network device, whether the SKEY saved by itself matches the SKEY that the network device saved for this mobile terminal. If yes, it determines that it is legal; otherwise, it determines that it is illegal.
  • Step a, setting the SKEY in the mobile terminal and the network device, includes:
  • a1. the mobile terminal sends a request message for setting the SKEY to the network device;
  • a2. the network device generates a random number, generates setting information from the random number, and sends the random number to the mobile terminal;
  • a3. the mobile terminal generates the setting information using the random number, derives the SKEY from the setting information, saves it, and sends the setting information to the network device;
  • a4. the network device derives the SKEY from the setting information it generated itself and saves it.
  • The network device may be a home location register/authentication center (HLR/AC), and the setting information may consist of first setting information and second setting information. In that case step a1 includes:
  • the mobile terminal transmits a specific service operation code (feature code), as the request message for setting the SKEY, to the mobile switching center/visitor location register (MSC/VLR) in the CDMA network;
  • the MSC/VLR analyzes the service operation code and then sends a service request message to the HLR/AC.
  • Sending the random number to the mobile terminal in step a2 includes: the HLR/AC sends an authentication directive message containing the random number and the first setting information to the MSC/VLR; the MSC/VLR saves the received first setting information and then sends a unique challenge request message containing the random number to the mobile terminal.
  • Deriving and saving the SKEY in step a3 includes: the mobile terminal derives the SKEY from the second setting information and saves it.
  • Sending the setting information to the network device in step a3 includes: the mobile terminal sends its first setting information to the MSC/VLR in the unique challenge response message; the MSC/VLR compares whether the two pieces of first setting information match and reports the comparison result to the HLR/AC in an authentication status report.
  • Step a4, in which the network device derives the SKEY from its own setting information and saves it when the two pieces of setting information are consistent, includes: the HLR/AC determines whether the authentication status report indicates a match; if so, it derives the SKEY from the second setting information it generated itself and saves it; otherwise it does not save the SKEY.
  • The mobile terminal may further include a security chip and a UIM card.
  • The mobile terminal generating the first setting information and the second setting information from the random number and the original shared secret data (SSD) with the CAVE algorithm includes:
  • the mobile terminal program sends the received random number to the UIM card, requesting a unique challenge and the return of the setting information;
  • the UIM card runs the CAVE algorithm on the received random number and the original SSD to obtain the first setting information and the second setting information, and transmits both to the mobile terminal program.
  • Step a3, in which the mobile terminal derives the SKEY from the second setting information and saves it, includes: the mobile terminal program sends the second setting information to the security chip, and the security chip generates the SKEY from it and saves it.
  • The first setting information may be the authentication result of the unique challenge, and the second setting information may be the voice privacy mask (VPM); the mobile terminal and the HLR/AC each generate the SKEY from the second setting information by taking 64 bits at the same position of the voice privacy mask as the SKEY.
  • In step b, the network device generating the verification information according to the SKEY corresponding to the mobile terminal includes: the network device generates a random number, computes a calculation result from the saved SKEY corresponding to the mobile terminal and the generated random number, and then obtains the verification information from the calculation result. In step b the network device also sends the random number to the mobile terminal along with the verification information.
  • In step c, the mobile terminal determining whether the two SKEYs match includes: the mobile terminal parses the received verification information to obtain the calculation result, performs the corresponding calculation with its own saved SKEY and the random number received from the network device, and compares whether the two calculation results match.
  • The network device may be an HLR/AC, and sending the verification information and the random number to the mobile terminal in step b includes: the HLR/AC sends a point-to-point short message containing the random number and the verification information to the MSC/VLR, and the MSC/VLR forwards the short message to the mobile terminal.
  • The mobile terminal may further include a security chip on which the SKEY is set and saved. The mobile terminal performing a CAVE calculation with its saved SKEY and the random number received from the network device to obtain an authentication result, extracting the authentication result from the verification information, and comparing whether the two authentication results match includes:
  • the mobile terminal program sends the random number and the verification information received from the MSC/VLR to the security chip;
  • the security chip extracts the authentication result from the received verification information;
  • the security chip performs a CAVE calculation with its saved SKEY and the received random number to obtain an authentication result;
  • the security chip compares whether the two authentication results match.
  • Since the same SKEY is set and saved on both the mobile terminal and the network side, when the security of the mobile terminal needs to be verified the network side generates a random number, generates verification information from the SKEY and the random number, and transmits the random number and the verification information to the mobile terminal.
  • The mobile terminal determines from the received verification information whether the SKEY it saved matches the SKEY saved by the network device; if so it determines that it is legal, otherwise that it is illegal. After determining that it is illegal, the mobile terminal can disable normal use.
  • If the UIM card in an illegally obtained terminal is replaced, the SKEY the network holds for that card and the SKEY saved by the mobile terminal no longer correspond, so the verification fails and the terminal cannot be used normally. In this way the security of the mobile terminal is effectively improved.
  • The present invention can further set "machine-card mutual binding", in which a new authentication key (AKEY) and shared secret data (SSD) are saved by the mobile terminal and the network side. If a cloned card is then used in the mobile terminal, authentication of the cloned card cannot pass, because the AKEY and SSD on the cloned card differ from the AKEY saved on the network side; the cloned UIM card therefore cannot be used normally, and the purpose of preventing the use of cloned UIM cards is achieved.
  • The invention can further set a password and require the user to enter the correct password when setting the SKEY or cancelling the SKEY setting, which further prevents an illegal user from exploiting the SKEY setting to steal the mobile terminal.
  • When the mobile terminal determines by the verification operation of the present invention that it is illegal, the user may be asked to enter a password; if the password entered is correct, the user is regarded as a legitimate user. This provides more convenience to the legitimate user and makes the invention easier to use in practice.
BRIEF DESCRIPTION OF THE DRAWINGS
  • Figure 1 is a general flow chart of the present invention.
  • Figure 2 is a message flow diagram of setting the SKEY according to a first embodiment of the present invention.
  • Figure 3 is a message flow diagram of unbinding after the user has set machine-card mutual binding.
  • Figure 4 is a flow diagram of the terminal authenticating the network using the SKEY according to the present invention.
Mode for carrying out the invention
  • A consistent security key SKEY is set and saved in advance, separately, on the mobile terminal and on the CDMA network side.
  • The mobile terminal uses the verification information sent by the network side, which corresponds to the network's SKEY, together with verification information it generates itself from its own SKEY, to determine whether its status is legal.
  • When the status is found to be illegal, use of the mobile terminal is stopped, for example by shutting it down, so that a person who illegally acquires the terminal cannot use it normally. This effectively removes the motive for illegally acquiring mobile terminals and improves their security.
  • Figure 1 shows the general flow of the present invention, which includes the following steps:
  • Step 101: set and save the SKEY corresponding to the mobile terminal in advance, in both the mobile terminal and the HLR/AC on the CDMA network side.
  • Since the HLR and the AC are often integrated in one network device, they are collectively referred to as HLR/AC. Those skilled in the art will recognize that the HLR and the AC are essentially two different devices and can be used separately in the present invention.
  • Step 102: when the security of the mobile terminal needs to be verified, the HLR/AC generates verification information from the SKEY corresponding to the mobile terminal and sends it to the mobile terminal.
  • Step 103: after receiving the verification information, the mobile terminal determines from it whether the SKEY it saved matches the SKEY set on the network side; if yes, it determines in step 104 that its status is legal; otherwise, in step 105, it determines that its status is illegal.
  • Determining that its status is legal means that the terminal is being used legally, that is, its current user is a legitimate user.
  • Determining that its status is illegal means that the terminal is being used illegally, that is, its current user is an illegal user, such as a person who stole the mobile terminal or obtained it through an illegal channel.
  • A security chip may be provided in the mobile terminal; the mobile terminal's setting and saving of the SKEY may then be the setting and saving of the SKEY in the security chip, and the comparison and judgement of step 103 are also performed by the security chip.
  • Step 101, that is, how the SKEY is set and saved in the mobile terminal and the HLR/AC, is described below by way of a specific embodiment (Figure 2).
  • Step 201: the mobile terminal sends a specific service operation code (FEATURE CODE) to the mobile switching center/visitor location register (MSC/VLR) with which it is registered. This specific service operation code differs from the existing service operation codes and indicates a service operation request to set the SKEY.
  • Since the MSC and the VLR are often integrated, they are collectively referred to here as MSC/VLR.
  • The specific service operation code here can be *7877, meaning "terminal limited to this card".
  • At the same time the mobile terminal records, in a preset configuration switch, the switch value representing "terminal limited to this card", and saves the configuration switch value to the security chip in the mobile terminal.
  • Step 202: the MSC/VLR analyzes the service operation code and sends a service request message (FEATURE REQUEST) to the HLR/AC.
  • Step 203: the HLR/AC determines from the service operation code that a service operation to set the SKEY is to be performed, generates a 24-bit unique challenge random number (RANDU), and then generates the setting information from the RANDU and the original shared secret data (SSD) with the CAVE algorithm. The setting information here consists of an 18-bit unique challenge authentication result and a 520-bit voice privacy mask, referred to as AUTHU-1 and VPM-1 respectively.
  • The HLR/AC then sends an authentication directive message to the MSC/VLR containing the unique challenge random number RANDU and the unique challenge authentication result AUTHU-1.
  • Step 204: the MSC/VLR saves the received AUTHU-1 and then sends a unique challenge request message containing the random number RANDU to the mobile terminal.
  • Step 205: after receiving the RANDU from the MSC/VLR, the mobile terminal program sends the RANDU to the UIM card, requesting a unique challenge and the voice privacy mask.
  • Step 206: the UIM card computes the setting information from the received RANDU and its SSD using the same CAVE algorithm as in step 203. This setting information also has two parts: an 18-bit unique challenge authentication result as the first setting information and a 520-bit voice privacy mask as the second setting information, referred to as AUTHU-2 and VPM-2 to distinguish them from the values generated by the HLR/AC. The UIM card then transmits AUTHU-2 and VPM-2 to the mobile terminal program.
  • Step 207: the mobile terminal transmits VPM-2 to the security chip, and the security chip saves 64 bits of VPM-2 as the security key SKEY, for example the last 64 bits. The security chip also initializes a 14-bit counter COUNTSK, which records the number of times the terminal has authenticated the network; its initial value can be set to zero.
  • Step 208: the mobile terminal transmits AUTHU-2 to the MSC/VLR in a unique challenge response message.
  • Step 209: the MSC/VLR compares whether AUTHU-1 and AUTHU-2 match, that is (since the HLR/AC and the UIM card use the same CAVE algorithm) whether they are identical, and reports the comparison result, match or no match, to the HLR/AC in an authentication status report.
  • Step 210: after receiving the authentication status report, the HLR/AC returns an authentication status report response message to the MSC/VLR.
  • Step 211: the HLR/AC determines from the authentication status report whether the authentication succeeded. If it succeeded, that is, the comparison result is a match, then in step 212 the HLR/AC saves the corresponding 64 bits of VPM-1, for example the last 64 bits, as the SKEY corresponding to the mobile terminal, and initializes the 14-bit counter COUNTSK for the number of times the terminal has authenticated the network, whose initial value can be set to 0. The HLR/AC then sends a service request response message to the MSC/VLR instructing the MSC to notify the mobile terminal that the operation succeeded. The HLR/AC also marks the preset configuration switch value corresponding to this mobile terminal as the value representing "terminal limited to this card" and saves the configuration switch value in the record associated with the user data in its database. If the authentication failed, then in step 213 the HLR/AC sends a service request response message to the MSC/VLR instructing the MSC to notify the mobile terminal that the operation failed.
  • Step 214: the MSC/VLR plays a voice announcement to the user through the mobile terminal informing the user that the service operation succeeded or failed, and then releases the call. Instead of a voice announcement, the user can of course be notified by other means, such as a short message.
  • Setting the SKEY is then complete: the SKEY is saved both in the security chip of the mobile terminal and in the HLR/AC on the network side.
  • If the authentication fails, the HLR/AC does not save the new SKEY but performs the unique challenge failure handling of the prior art. The mobile terminal then cannot be used normally, and the legitimate user can contact the service provider to resolve the problem.
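The SKEY setting flow of steps 201 to 214 (and the claim-level steps a1 to a4 above), as an added example that is not part of the patent or of any Huawei code. Assumptions: the CAVE algorithm is replaced by an HMAC-SHA256 stand-in (the real CAVE is not reproduced), the MSC/VLR's role is folded into `run_skey_setting`, messages are Python dicts, the names `HlrAc`, `UimCard`, `SecurityChip`, `cave_stand_in` and `demo` are the example's own, and the SSD values are constructed test data. Only the RANDU/AUTHU/VPM sizes, the choice of the last 64 bits of the mask as SKEY, the COUNTSK initialisation and the match/no-match decision follow the text.

```python
import hashlib
import hmac
import secrets

RANDU_BITS = 24    # unique challenge random number (step 203)
AUTHU_BITS = 18    # unique challenge authentication result
VPM_BYTES = 65     # 520-bit voice privacy mask


def _prf(key, label, nbytes):
    """Counter-mode HMAC-SHA256 expansion. ASSUMPTION: stands in for CAVE."""
    out, ctr = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + bytes([ctr]), hashlib.sha256).digest()
        ctr += 1
    return out[:nbytes]


def cave_stand_in(ssd, randu):
    """Unique challenge result: (18-bit AUTHU, 520-bit VPM) from SSD and RANDU."""
    r = randu.to_bytes(3, "big")
    authu = int.from_bytes(_prf(ssd, b"AUTHU" + r, 3), "big") & ((1 << AUTHU_BITS) - 1)
    return authu, _prf(ssd, b"VPM" + r, VPM_BYTES)


def skey_from_vpm(vpm):
    """Both sides keep the same 64 bits of the mask; the text's example is the last 64."""
    return vpm[-8:]


class HlrAc:
    """HLR/AC record for one subscription."""

    def __init__(self, ssd):
        self.ssd = ssd            # SSD the network holds for the UIM card
        self.skey = None
        self.countsk = None       # 14-bit counter, initialised to 0 on success
        self.switch = None        # configuration switch stored with the user data
        self._vpm1 = None

    def start_skey_setting(self):
        # Step 203: RANDU, AUTHU-1 and VPM-1; VPM-1 is kept until the report arrives.
        randu = secrets.randbits(RANDU_BITS)
        authu1, self._vpm1 = cave_stand_in(self.ssd, randu)
        return {"RANDU": randu, "AUTHU-1": authu1}      # authentication directive

    def on_auth_status_report(self, matched):
        # Steps 211-213: commit SKEY and the switch only on a reported match.
        if matched:
            self.skey = skey_from_vpm(self._vpm1)
            self.countsk = 0
            self.switch = "terminal limited to this card"
        return "success" if matched else "failure"       # service request response


class UimCard:
    def __init__(self, ssd):
        self.ssd = ssd

    def unique_challenge(self, randu):
        # Step 206: same algorithm as the HLR/AC, run on the card's own SSD.
        return cave_stand_in(self.ssd, randu)            # (AUTHU-2, VPM-2)


class SecurityChip:
    def __init__(self):
        self.skey = None
        self.countsk = None
        self.switch = None

    def set_skey(self, vpm2):
        # Step 207: 64 bits of VPM-2 become SKEY; COUNTSK starts at 0.
        self.skey = skey_from_vpm(vpm2)
        self.countsk = 0


def run_skey_setting(hlr, uim, chip):
    """Steps 201-214 with the MSC/VLR folded into this function; returns the announcement."""
    chip.switch = "terminal limited to this card"             # step 201 (terminal side)
    directive = hlr.start_skey_setting()                       # steps 202-203
    authu1 = directive["AUTHU-1"]                              # step 204: MSC/VLR keeps AUTHU-1
    authu2, vpm2 = uim.unique_challenge(directive["RANDU"])    # steps 205-206
    chip.set_skey(vpm2)                                        # step 207: terminal commits first
    matched = authu2 == authu1                                 # steps 208-209: MSC/VLR compares
    return hlr.on_auth_status_report(matched)                  # steps 210-214


def demo(card_matches_network=True):
    """Constructed SSDs: the card's SSD either equals the network's copy or not."""
    ssd = secrets.token_bytes(16)
    hlr = HlrAc(ssd)
    uim = UimCard(ssd if card_matches_network else secrets.token_bytes(16))
    chip = SecurityChip()
    outcome = run_skey_setting(hlr, uim, chip)
    return outcome, hlr.skey, chip.skey


if __name__ == "__main__":
    print(demo(True)[0], demo(False)[0])
```

Run `demo(True)` for a card whose SSD agrees with the network's copy and `demo(False)` for one that does not. Note the ordering the text prescribes: the terminal commits its SKEY in step 207 before the MSC/VLR compares AUTHU-1 and AUTHU-2 in step 209, so on a mismatch the security chip holds an SKEY that the HLR/AC never stored, which is why the text says the terminal then cannot be used normally until the user contacts the service provider.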
  • For "machine-card mutual binding", the present invention modifies the SKEY setting method shown in Figure 2. The modifications are described below; the processing that is the same is omitted here.
  • In step 201 the mobile terminal sends a specific service operation code to the MSC/VLR, and records in the preset configuration switch the switch value representing "machine-card mutual binding", saving the configuration switch value to the security chip in the mobile terminal.
  • In step 207, in addition to setting SKEY and COUNTSK, the security chip of the mobile terminal saves another 64 bits of VPM-2, for example the 64 bits from the 128th-last to the 65th-last bit, as the authentication key (AKEY) used by the network to authenticate the user; this replaces the AKEY in the UIM card. For convenience of calculation the mobile terminal also saves the IMSI of the UIM card to the security chip, so that all subsequent authentication processes are performed in the security chip, which then stores both the SKEY for the terminal authenticating the network and the AKEY for the network authenticating the terminal.
  • In step 211, after the HLR/AC determines from the authentication status report that the authentication succeeded, in addition to setting SKEY and COUNTSK it saves the corresponding further 64 bits of VPM-1 (identical to those of VPM-2, since the authentication succeeded), for example the 64 bits from the 128th-last to the 65th-last bit, as the AKEY for authenticating the user; the originally saved AKEY is kept as AKEY-0 and is no longer used.
  • The HLR/AC marks the preset configuration switch value corresponding to the mobile terminal as the value representing "machine-card mutual binding", instead of "terminal limited to this card" as in Figure 2, and saves the configuration switch value in the record associated with the user data in the database.
  • The HLR/AC then initiates a standard SSD update procedure using the new AKEY. The mobile terminal performs the SSD update in the security chip, and the newly generated SSD is also stored in the security chip. Subsequent authentication of the terminal by the network uses the SSD in the security chip.
  • In this way a new AKEY and SSD are saved by the security chip of the mobile terminal and by the HLR/AC on the network side. If a cloned card is used in the mobile terminal, its authentication cannot pass, because the AKEY and SSD on the cloned card differ from the AKEY and SSD saved on the network side; the cloned UIM card therefore cannot be used normally, and the purpose of preventing the use of cloned UIM cards is achieved.
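The machine-card mutual binding variant, its unbinding (Figure 3) and the clone-card rejection it provides, as an added example that is not the patent's own code. Assumptions: CAVE is again replaced by an HMAC-SHA256 stand-in for all three uses the text makes of it (unique challenge, SSD update, global challenge authentication), the SSD update and AUTHR computations are simplified (no ESN), RAND and RANDSSD are 32 and 56 bits, the IMSI copy to the security chip is omitted, and the names `Network`, `Card`, `bind_terminal` and `scenario` are the example's own. The AKEY bit positions (128th-last to 65th-last bit of the VPM) and the restore of AKEY-0 on unbinding follow the text.

```python
import hashlib
import hmac
import secrets

VPM_BYTES = 65   # 520-bit voice privacy mask


def _prf(key, label, nbytes):
    """Counter-mode HMAC-SHA256 expansion. ASSUMPTION: stands in for CAVE everywhere below."""
    out, ctr = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + bytes([ctr]), hashlib.sha256).digest()
        ctr += 1
    return out[:nbytes]


def vpm_from_unique_challenge(ssd, randu):
    return _prf(ssd, b"VPM" + randu.to_bytes(3, "big"), VPM_BYTES)


def skey_from_vpm(vpm):
    return vpm[-8:]            # last 64 bits (step 207)


def akey_from_vpm(vpm):
    return vpm[-16:-8]         # 128th-last to 65th-last bit (modified steps 207 and 211)


def ssd_update(akey, randssd):
    """Simplified SSD update: new SSD from AKEY and RANDSSD (the real one also mixes in the ESN)."""
    return _prf(akey, b"SSD" + randssd, 16)


def authr(ssd, rand):
    """18-bit global challenge response from SSD and the 32-bit broadcast RAND."""
    return int.from_bytes(_prf(ssd, b"AUTHR" + rand, 3), "big") & 0x3FFFF


class Network:
    """HLR/AC view of one subscription."""

    def __init__(self, akey):
        self.akey0 = akey       # original AKEY, kept as AKEY-0 once bound
        self.akey = akey
        self.ssd = ssd_update(akey, secrets.token_bytes(7))
        self.switch = None

    def ssd_update_procedure(self):
        randssd = secrets.token_bytes(7)            # 56-bit RANDSSD sent to the terminal
        self.ssd = ssd_update(self.akey, randssd)
        return randssd

    def bind(self, vpm1):
        # Modified step 211: new AKEY from VPM-1, then a standard SSD update with it.
        self.akey = akey_from_vpm(vpm1)
        self.switch = "machine-card mutual binding"
        return self.ssd_update_procedure()

    def unbind(self):
        # Step 303 and the SSD update that follows it.
        self.akey = self.akey0
        self.switch = None
        return self.ssd_update_procedure()

    def authenticates(self, card):
        rand = secrets.token_bytes(4)               # 32-bit broadcast RAND
        return authr(self.ssd, rand) == card.respond(rand)


class Card:
    """A UIM card, or the security chip once it has taken over the card's role."""

    def __init__(self, akey, ssd):
        self.akey, self.ssd = akey, ssd

    def apply_ssd_update(self, randssd):
        self.ssd = ssd_update(self.akey, randssd)

    def respond(self, rand):
        return authr(self.ssd, rand)


def bind_terminal(network, uim):
    """Mutual-binding variant of Figure 2: returns the security chip and the RANDSSD used."""
    vpm = vpm_from_unique_challenge(uim.ssd, secrets.randbits(24))   # VPM-1 == VPM-2 on success
    chip = Card(akey_from_vpm(vpm), uim.ssd)   # chip replaces the UIM's AKEY
    randssd = network.bind(vpm)
    chip.apply_ssd_update(randssd)             # SSD update performed in the chip
    return chip, randssd


def scenario():
    """Constructed subscription: legitimate card, a clone of it, then bind and unbind."""
    akey0 = secrets.token_bytes(8)
    net = Network(akey0)
    uim = Card(akey0, net.ssd)
    clone = Card(akey0, net.ssd)                # exact copy taken before binding
    result = {"before": (net.authenticates(uim), net.authenticates(clone))}
    chip, randssd = bind_terminal(net, uim)
    clone.apply_ssd_update(randssd)             # following the update does not help: wrong AKEY
    result["bound"] = (net.authenticates(chip), net.authenticates(clone))
    randssd = net.unbind()
    uim.apply_ssd_update(randssd)
    clone.apply_ssd_update(randssd)
    result["unbound"] = (net.authenticates(uim), net.authenticates(clone))
    return result
```

`scenario()` reports three states. Before binding the legitimate card and its clone both pass, because a clone copies AKEY and SSD. After binding only the security chip passes: the clone still holds AKEY-0, so even if it follows the SSD update it derives a different SSD. After unbinding the HLR/AC is back on AKEY-0 and the original UIM card (and, once it has followed an SSD update, the clone) authenticates again, so the anti-clone protection lasts only as long as the binding.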
  • "Terminal limited to this card" and "machine-card mutual binding" are selected from a menu provided by the mobile terminal program.
  • The mobile terminal provides the menus "Set password" and "Machine-card binding"; under "Machine-card binding" are the submenus "Terminal limited to this card", "Machine-card mutual binding" and "Unbind".
  • Under "Set password" the user can set the user password. There are two types of password: a super password, which is set by the mobile terminal manufacturer and cannot be changed by the user, and the user password described above, for which the manufacturer may set an initial value that the user can change through the mobile terminal program. When the user selects "Set password", the preset initial password is changed to the user password the user wants, or a new user password is set.
  • Both passwords can be pre-stored in the mobile terminal, preferably in the security chip. If the verification fails but the user is in fact a legitimate user, the user can enter the super password or the user password to use the mobile terminal normally.
  • The password has various uses that improve the security of the mobile terminal. If another UIM card is inserted into the mobile terminal, then after the terminal is powered off and on with the new card it prompts the user to enter the user password; if the password is correct, the user can re-bind the mobile terminal. Once the terminal is bound, the user password is not required to power on, power off or make calls; otherwise the user is required to enter the password every time the terminal is switched on.
  • If the mobile terminal is switched on in an area without signal, or stays in an area without signal for more than a predetermined time, then in both cases the user is required to enter the user password before the network signal is received again, and can use the mobile terminal normally if the password entered is correct.
  • The user password is a 6 to 8 digit number, for easy memorization and change; the super password is longer, at least 16 digits.
  • The user may further be required to enter the super password, and the mobile terminal program allows the user to modify or set the user password only if it determines that the super password entered is correct.
  • The present invention may further include: when the user selects "Terminal limited to this card" or "Machine-card mutual binding", the user may be required to enter the user password, and the SKEY setting process is performed only after the password entered is determined to be correct. The user may enter either the user password or the super password.
  • The verification operation described in the present invention can also be stopped (unbinding). If the preset is "Terminal limited to this card", only the configuration switch value in the security chip needs to be modified: after receiving the user's instruction, the mobile terminal program instructs the security chip to set the configuration switch value to empty, and the security chip makes the change, so that the value changes from "terminal limited to this card" to null.
  • If the preset is "Machine-card mutual binding", the mobile terminal program likewise instructs the security chip to set the configuration switch value to null and the security chip modifies it accordingly; in addition, the mobile terminal initiates the process shown in Figure 3:
  • Step 301: after receiving the user's unbinding command, the mobile terminal program sends the specific service operation code *7870 to the MSC/VLR.
  • Step 302: the MSC/VLR analyzes the service operation code and sends a service request message (FEATURE REQUEST) to the HLR/AC.
  • Step 303: the HLR/AC determines from the service operation code that the service operation is unbinding, replaces the current AKEY with the original AKEY-0, and then sends a service request response message to the MSC/VLR.
  • Step 304: the MSC/VLR plays a voice announcement to the user through the mobile terminal informing the user that the service operation succeeded, and then releases the current call.
  • The HLR/AC then actively initiates an SSD update procedure, after which the HLR and the UIM card in the mobile terminal both hold the new SSD, and the UIM card of the mobile terminal can thereafter be authenticated according to the existing authentication procedure.
  • Before performing the unbinding process, the mobile terminal program can further require the user to enter the user password and determine that it is correct. The user may enter either the user password or the super password.
  • Figure 4 shows the terminal authenticating the network using the SKEY. Step 401: when the security of the mobile terminal needs to be verified, the mobile terminal first sends a location update request message to the MSC/VLR.
  • The security of the mobile terminal needs to be verified when it reaches a specific state, for example after it is powered on, when it enters an area with signal after staying in an area without signal for a long time, or after it has been continuously powered on for a long time. The time in an area without signal can be set to 10 minutes, and the continuous power-on time to 20 hours.
  • The mobile terminal determines whether the configuration switch value in the security chip indicates "terminal limited to this card" or "machine-card mutual binding"; if so, it applies special processing to the location update request message of the prior art. If the configuration switch value is null, the location update request message is not specially processed, and it is handled according to the existing authentication procedure without performing the terminal-to-network verification of the present invention.
  • the network side broadcasts a 32-bit random number (RAND) to the mobile terminal, and the location update request message sent by the mobile terminal to the network carries a part of the RAND, for example 8 bits, together with an authentication response (AUTHR) and other authentication parameters.
  • RAND 32-bit random number
  • AUTHR authentication response
  • the mobile terminal needs to perform special processing in the operation of transmitting the location update to the network, and the purpose of the special processing is to make the authentication fail to pass smoothly, thereby performing the terminal-to-network authentication processing of the present invention.
  • the above special processing may consist of filling in a RANDC (the part of the RAND carried in the message) that does not match the random number actually broadcast, so that the network side finds that the RANDC does not match during authentication and determines that the authentication fails.
  • the special processing may also consist of omitting parameters, sending an incorrect AUTHR, and so on.
  • step 402 after receiving the specially processed location update request message from the mobile terminal, the MSC/VLR performs authentication, determines that the authentication has failed, and then sends an Authentication Failure Report to the HLR/AC carrying the report type, for example "RANDC does not match".
  • the HLR/AC checks the report type, for example determines that the RANDC does not match, and then checks whether the preset configuration switch value corresponding to the user indicates "terminal limited use card" or "machine card mutual binding". If so, the HLR/AC decides to proceed with the local authentication and returns an authentication failure report response message to the MSC/VLR instructing the MSC/VLR to allow the current access; if not, the existing authentication failure process is followed.
  • the MSC/VLR allows access by the mobile terminal and sends a Location Update Accept message to the mobile terminal.
  • the HLR/AC initiates a standard unique query procedure to compensate for having allowed this access without authenticating the user.
  • the standard unique query flow herein is the content of the prior art and is well known to those skilled in the art. The present invention will not be described in detail herein.
  • step 411 after the unique query succeeds, the HLR/AC generates a 32-bit random number (RANDSK) and, using the saved SKEY corresponding to the mobile terminal and the RANDSK, computes an 18-bit authentication result AUTH through the CAVE algorithm. The AUTH is combined with the value of the counter COUNTSK, which records the number of terminal-to-network verifications, to form an authentication calculation result AUTHSK. Since the COUNTSK is 14 bits, AUTHSK is 32 bits.
  • the HLR/AC then sends a point-to-point short message to the MSC/VLR.
  • the short message has a specific identifier, such as the two bytes 0xFEFE, and the content of the short message includes RANDSK and AUTHSK.
  • the MSC/VLR sends the point-to-point short message to the mobile terminal.
  • the mobile terminal returns a point-to-point short message confirmation to the MSC/VLR.
  • the MSC/VLR confirms to the HLR/AC by sending a point-to-point short message response.
  • the mobile terminal performs special processing on the received point-to-point short message. Specifically, the special identifier of the short message is checked, and then RANDSK and AUTHSK are extracted from it.
  • the security chip parses COUNTSK out of AUTHSK and then checks whether the received COUNTSK and the COUNTSK it has saved satisfy a predetermined condition, for example whether the two values are close enough, where the absolute value of the difference between them is required to be less than 2. If the requirement is not met, the data received this time is rejected; if the security chip receives RANDSK and AUTHSK again within the predetermined time, it performs step 416 again until the requirement is met, and if the predetermined time is reached without the requirement being met, the mobile terminal is powered off. If the requirement is met, the next step is performed.
  • each time the security chip receives RANDSK and AUTHSK from the network side, it adds 1 to its saved COUNTSK.
  • the HLR/AC on the network side adds 1 to its saved COUNTSK each time it sends RANDSK and AUTHSK to the MSC/VLR.
  • the security chip uses the received RANDSK and its own saved SKEY as inputs to the CAVE algorithm to obtain the 18-bit authentication result AUTH, and then compares the obtained AUTH with the AUTH carried in the received AUTHSK to determine whether the two match. If so, the verification is passed, the terminal is allowed to be used normally, and the security chip updates its saved COUNTSK with the received COUNTSK. If the two do not match, the verification is determined to have failed, and the security chip controls the mobile terminal to power off so that the mobile terminal cannot be used normally.
  • the mobile terminal may further prompt the user to input a password, and determine whether the password input by the user is correct. If correct, the user is allowed to use the mobile terminal, otherwise the security chip controls the mobile terminal to be powered off.
  • the password here can be pre-stored in the mobile terminal, preferably in a secure chip. When the user is prompted to enter a password, the user can enter any of the super password and the user password.
  • the security chip can set a time period within which the verification operation must be completed; the security chip starts timing after the mobile terminal is powered on. If the verification succeeds within this time period, the security chip allows the mobile terminal to operate normally. If the verification has still not succeeded when the time period elapses, the security chip turns off the power of the mobile terminal, so that the mobile terminal is shut down and cannot be used.
  • the present invention can also provide an encryption and decryption function: for example, the phone number information or short messages saved in the mobile terminal can be encrypted, with decryption allowed only after the security chip's verification succeeds, so that the security of the data stored in the mobile terminal is further ensured.
  • since the same SKEY is separately set and saved on the mobile terminal and on the network side, when the security of the mobile terminal needs to be verified, the network side generates a random number, generates verification information from the SKEY and the random number, and then transmits the random number and the verification information to the mobile terminal.
  • the mobile terminal generates its own verification information from the received random number and the SKEY it has saved, and compares whether the two are consistent. If so, it determines that it is legitimate; otherwise it determines that it is illegitimate. After determining that it is illegitimate, the mobile terminal can be disabled, for example by powering it off.
  • for an illegally stolen mobile terminal, the final verification will not pass because the SKEY corresponding to the UIM card and the SKEY saved by the mobile terminal are inconsistent, so the stolen mobile terminal cannot be used normally. In this way, the security of the mobile terminal can be effectively improved.
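The exchange from step 411 onward (HLR/AC builds RANDSK and AUTHSK, the security chip checks the COUNTSK window, recomputes AUTH and powers the terminal off on mismatch) as an added, self-contained simulation. This is example code, not code from the patent or from Huawei. The real CAVE algorithm is not given on the page, so it is replaced by a labelled stand-in (HMAC-SHA256 truncated to 18 bits); the short-message layout (identifier 0xFEFE, then RANDSK, then AUTHSK, big-endian), the placement of AUTH in the high 18 bits of AUTHSK, and the order in which the security chip checks and increments its counter are assumptions.

```python
"""Simulation of the SKEY-based terminal verification exchange (added example).

Not code from the patent. CAVE is replaced by a stand-in (HMAC-SHA256
truncated to 18 bits). Message layout and AUTHSK bit layout are assumed.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

SMS_IDENT = 0xFEFE            # special identifier named on the page
AUTH_BITS = 18                # AUTH width per the description
COUNT_BITS = 14               # COUNTSK width per the description
AUTH_MASK = (1 << AUTH_BITS) - 1
COUNT_MASK = (1 << COUNT_BITS) - 1
COUNT_TOLERANCE = 2           # |received COUNTSK - saved COUNTSK| must be < 2


def cave_stand_in(skey: bytes, randsk: int) -> int:
    """Stand-in for CAVE (assumption): 18-bit result derived from SKEY and RANDSK."""
    mac = hmac.new(skey, randsk.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") & AUTH_MASK


def pack_authsk(auth: int, countsk: int) -> int:
    """AUTHSK (32 bits) = 18-bit AUTH in the high bits, 14-bit COUNTSK low (assumed layout)."""
    return ((auth & AUTH_MASK) << COUNT_BITS) | (countsk & COUNT_MASK)


def unpack_authsk(authsk: int) -> Tuple[int, int]:
    """Split AUTHSK back into (AUTH, COUNTSK)."""
    return (authsk >> COUNT_BITS) & AUTH_MASK, authsk & COUNT_MASK


def counter_distance(a: int, b: int) -> int:
    """Distance between two 14-bit counters, allowing for wrap-around."""
    d = (a - b) & COUNT_MASK
    return min(d, (1 << COUNT_BITS) - d)


class HlrAc:
    """Network side: holds the SKEY for one terminal and its COUNTSK."""

    def __init__(self, skey: bytes, countsk: int = 0):
        self.skey = skey
        self.countsk = countsk & COUNT_MASK

    def build_verification_sms(self, randsk: Optional[int] = None) -> bytes:
        """Build the point-to-point short message carrying RANDSK and AUTHSK."""
        if randsk is None:
            randsk = secrets.randbits(32)                  # 32-bit RANDSK
        auth = cave_stand_in(self.skey, randsk)
        authsk = pack_authsk(auth, self.countsk)
        self.countsk = (self.countsk + 1) & COUNT_MASK     # +1 after every send
        return (SMS_IDENT.to_bytes(2, "big")
                + randsk.to_bytes(4, "big")
                + authsk.to_bytes(4, "big"))


class SecurityChip:
    """Terminal side: holds its own copy of SKEY and COUNTSK."""

    def __init__(self, skey: bytes, countsk: int = 0):
        self.skey = skey
        self.countsk = countsk & COUNT_MASK
        self.powered_on = True

    def handle_sms(self, sms: bytes) -> str:
        """Process one short message; returns 'ignored', 'rejected', 'failed' or 'passed'."""
        if len(sms) != 10 or int.from_bytes(sms[:2], "big") != SMS_IDENT:
            return "ignored"                               # not a verification message
        randsk = int.from_bytes(sms[2:6], "big")
        auth_recv, count_recv = unpack_authsk(int.from_bytes(sms[6:10], "big"))
        result = "passed"
        if counter_distance(count_recv, self.countsk) >= COUNT_TOLERANCE:
            result = "rejected"                            # counters too far apart: drop data
        elif cave_stand_in(self.skey, randsk) != auth_recv:
            self.powered_on = False                        # AUTH mismatch: power off
            result = "failed"
        else:
            self.countsk = count_recv                      # sync counter on success
        # every received RANDSK/AUTHSK pair bumps the saved counter by 1
        self.countsk = (self.countsk + 1) & COUNT_MASK
        return result


if __name__ == "__main__":
    skey = b"\x00\x11\x22\x33\x44\x55\x66\x77"           # constructed sample SKEY
    hlr, chip = HlrAc(skey), SecurityChip(skey)
    print(chip.handle_sms(hlr.build_verification_sms()))  # terminal with matching SKEY
    print(SecurityChip(b"\x99" * 8).handle_sms(hlr.build_verification_sms()))
```

The counter window is what gives the scheme its replay resistance: a captured RANDSK/AUTHSK pair replayed after a few genuine rounds is dropped at the COUNTSK check before the AUTH comparison is even reached, while a terminal whose saved SKEY differs from the one the HLR/AC holds for the UIM card fails the AUTH comparison and is powered off.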

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

Method for verifying the security of a mobile terminal in a CDMA network, which consists of setting and saving a security key (SKEY) corresponding to the mobile terminal on both the mobile terminal and the CDMA network device. When the security of the mobile terminal needs to be verified, the network device generates verification information according to the SKEY corresponding to the mobile terminal and transmits this information to the mobile terminal. The mobile terminal determines whether the SKEY it has saved corresponds to that of the network device. If so, the mobile terminal determines itself to be legitimate; if not, it determines itself to be illegitimate. In the latter case, it can be taken out of service directly so as to prevent its use. This makes it possible to prevent the theft of a CDMA mobile terminal and improves its security.
PCT/CN2005/002340 2004-12-28 2005-12-28 Procede servant a valider la securite d'un terminal mobile de reseau amdc WO2006069536A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200410103470.7 2004-12-28
CNB2004101034707A CN100441036C (zh) 2004-12-28 2004-12-28 码分多址网络中移动终端安全性的验证方法

Publications (1)

Publication Number Publication Date
WO2006069536A1 true WO2006069536A1 (fr) 2006-07-06

Family

ID=36614502

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2005/002340 WO2006069536A1 (fr) 2004-12-28 2005-12-28 Procede servant a valider la securite d'un terminal mobile de reseau amdc

Country Status (2)

Country Link
CN (1) CN100441036C (fr)
WO (1) WO2006069536A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013084172A2 (fr) 2011-12-05 2013-06-13 Instituto Tecnológico De Buenos Aires Dispositif et procédé de transmission sécurisée de données sur des canaux z par accès multiple à répartition par codes (cdma)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101577907B (zh) * 2009-06-02 2011-12-07 中兴通讯股份有限公司 一种移动终端的管理方法及装置
CN101635920B (zh) * 2009-08-19 2012-07-04 中兴通讯股份有限公司 服务提供客户端、无线终端以及实现绑定的方法
CN104243152B (zh) * 2013-06-06 2018-01-12 中国银联股份有限公司 安全性信息交互系统、设备和方法

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1395407A (zh) * 2001-07-05 2003-02-05 致福股份有限公司 移动电话防盗窃的设定及其运作方法
CN1429043A (zh) * 2001-12-28 2003-07-09 致福股份有限公司 以短讯息锁住用户识别卡及移动电话的方法
CN1455609A (zh) * 2003-05-19 2003-11-12 海信集团有限公司 手机的自动助寻和自动关闭方法

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2555220B2 (ja) * 1990-12-17 1996-11-20 日本電信電話株式会社 ディジタル移動通信における認証方法
SE506584C2 (sv) * 1996-05-13 1998-01-19 Ericsson Telefon Ab L M Förfarande och anordning vid övervakning av mobilkommunikationsenhet
JP2000276247A (ja) * 1999-03-26 2000-10-06 Mitsubishi Electric Corp 携帯端末セキュリティ方式及び携帯端末
JP3350012B2 (ja) * 1999-12-24 2002-11-25 埼玉日本電気株式会社 移動端末認証方式
FI20000760A0 (fi) * 2000-03-31 2000-03-31 Nokia Corp Autentikointi pakettidataverkossa
JP3761477B2 (ja) * 2002-03-04 2006-03-29 エヌイーシーシステムテクノロジー株式会社 移動体セキュリティシステム

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1395407A (zh) * 2001-07-05 2003-02-05 致福股份有限公司 移动电话防盗窃的设定及其运作方法
CN1429043A (zh) * 2001-12-28 2003-07-09 致福股份有限公司 以短讯息锁住用户识别卡及移动电话的方法
CN1455609A (zh) * 2003-05-19 2003-11-12 海信集团有限公司 手机的自动助寻和自动关闭方法

Also Published As

Publication number Publication date
CN100441036C (zh) 2008-12-03
CN1798437A (zh) 2006-07-05

Similar Documents

Publication Publication Date Title
EP1758417B1 (fr) Procede d'authentification
US8238880B2 (en) Method and apparatus for processing authentication of mobile terminal
US8001615B2 (en) Method for managing the security of applications with a security module
US7266364B2 (en) Wireless communications unauthorized use verification system
US20020187808A1 (en) Method and arrangement for encrypting data transfer at an interface in mobile equipment in radio network, and mobile equipment in radio network
CN101272301B (zh) 一种无线城域网的安全接入方法
WO2013174185A1 (fr) Procédé, système et dispositif associé destinés à réaliser une carte sim virtuelle
CN109714769B (zh) 信息绑定方法、装置、设备及存储介质
JP2007519308A (ja) アプリケーションの認証方法
CN101272616A (zh) 一种无线城域网的安全接入方法
CN107454035B (zh) 一种身份认证的方法及装置
CN112995137B (zh) 一种智能锁的绑定方法及智能锁系统
WO2006024216A1 (fr) Procede pour mettre en oeuvre la certification et systemes correspondants
WO2006047938A1 (fr) Procede permettant a un equipement de reseau de produire un nombre aleatoire d'authentification de carte d'abonne et procede d'authentification
WO2011124051A1 (fr) Procédé et système d'authentification de terminal
JP2006033780A (ja) コールバックによる本人確認を利用したネットワーク認証システム
WO2006069536A1 (fr) Procede servant a valider la securite d'un terminal mobile de reseau amdc
WO2012055297A1 (fr) Procédé et dispositif d'authentification de terminal mobile
CN105792204A (zh) 网络连接的鉴权方法及装置
JP2000184448A (ja) パーソナル通信システム及びその通信方法
WO2006024224A1 (fr) Procede de protection securisee de la carte utilisateur
CN1705263B (zh) 移动终端用户的合法性验证方法及其移动终端
WO2011144129A2 (fr) Procédé d'interverrouillage machine-carte, carte de module d'identité d'utilisateur (uim) et terminal
US8296575B2 (en) Method for protecting electronic device, and electronic device
KR101645414B1 (ko) 클라이언트 단말 장치 및 클라이언트 단말 장치가 모바일 서비스 서버에 접속하기 위한 방법

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 05824251

Country of ref document: EP

Kind code of ref document: A1