WO2007025484A1 - Procede de negociation de mise a jour pour cle d'autorisation et dispositif associe - Google Patents

Procede de negociation de mise a jour pour cle d'autorisation et dispositif associe Download PDF

Info

Publication number
WO2007025484A1
WO2007025484A1 PCT/CN2006/002257 CN2006002257W WO2007025484A1 WO 2007025484 A1 WO2007025484 A1 WO 2007025484A1 CN 2006002257 W CN2006002257 W CN 2006002257W WO 2007025484 A1 WO2007025484 A1 WO 2007025484A1
Authority
WO
WIPO (PCT)
Prior art keywords
control parameter
terminal
network side
authentication key
random number
Prior art date
Application number
PCT/CN2006/002257
Other languages
English (en)
Chinese (zh)
Inventor
Zhengwei Wang
Original Assignee
Huawei Technologies Co., Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd. filed Critical Huawei Technologies Co., Ltd.
Priority to CN200680012329.3A priority Critical patent/CN101160784B/zh
Publication of WO2007025484A1 publication Critical patent/WO2007025484A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network

Definitions

  • the present invention relates to communication security technologies, and in particular, to an authentication key update negotiation method and apparatus.
  • the International Mobile Subscriber Identification (IMSI) is stored in the mobile terminal, and the authentication key KI is in the home location register/authentication center (HLR).
  • HLR home location register/authentication center
  • IMSI and KI are saved for the mobile terminal for mutual authentication of the mobile terminal and the network. Among them, IMSI and KI remain unchanged throughout the life of the user card.
  • the international mobile subscriber identity IMSI, the authentication key KI and the serial number SQNMS are stored in the mobile terminal, and the IMIR is saved corresponding to the mobile terminal in the HLR/AUC. , KI and serial number SQNHE for mutual authentication of mobile terminals and networks.
  • IMSI and KI remain unchanged throughout the life of the user card.
  • the existing authentication procedures for 3G communication systems are mainly:
  • the HLR/AUC generates a random number RAND, generates an expected response XRES, an encryption key CK, an integrity key IK according to the random numbers RAND and KI, and generates a message authentication code according to the RAND, the serial number SQNHE, the KI, and the authentication management domain AMF.
  • MAC-A according to MAC-A. SQNHE, the anonymous key AK and AMF get the authentication token AUTN (Authentication Token).
  • the authentication quintuple is composed of RAND and XRES, CK, IK and AUTN, and the quintuple is sent to the mobile switching center/visit location register (MSC VLR, Mobile Switch Center/Visit Location Register) for saving.
  • MSC VLR Mobile Switch Center/Visit Location Register
  • HLR/AUC sends the corresponding one or more quintuaries to the MSC/VLR at the request of the MSC/VLR.
  • the MSC/VLR sends the RAND and AUTN corresponding to the quintuple to the terminal;
  • the terminal verifies the consistency of the AUTN according to the KI saved by itself, and if the consistency certificate fails, the authentication failure information is returned to the MSC/VLR; if the consistency verification is passed, it is determined whether the SQNHE belongs to the acceptable range: Then, the terminal determines that the network authentication is passed, the terminal returns its own authentication response to the MSC/VLR, and updates the SQNMS according to the SQNHE in the AUTN; the MSC/VLR compares the authentication response returned by the terminal with the corresponding quintuple Whether XRES is consistent to determine the legitimacy of the terminal.
  • the terminal If it is determined that the SQNHE is not within the acceptable range, the terminal generates a resynchronization token (AUTS) according to the SQNMS, returns a resynchronization request or a synchronization failure (Synchronisation Failure) message to the MSC/VLR, and attaches the generated resynchronization flag AUTS. , that is, the message contains AUTS.
  • AUTS resynchronization token
  • the MSC VLR When receiving the resynchronization flag AUTS, the MSC VLR sends the AUTS and the RAND in the corresponding quintuple to the HLR/AUC, and the HLR/AUC determines the legality of the AUTS according to the corresponding saved KI and the received RAM; Then, the HLR AUC returns AUTS invalid information to the MSC/VLR; if it is determined that the AUTS is legal, the HLR/AUC updates the SQNHE according to the SQNMS in the AUTS, and generates a new authentication quintuple to send to the MSC/VLR; MSC/ After receiving the new quintuple, the VLR deletes the corresponding quintuple of the day and re-authenticates the terminal with the new quintuple. 1
  • the terminal determines whether the SQNHE is acceptable by comparing whether the SQNHMS in the saved SQNMS and the AUTN meet the predetermined condition, and the predetermined condition may be that the difference between the SQNHE and the SQNMS is within a predetermined range, for example, whether (SQNHE - SQNMS) ) is greater than 0, or whether (SQNHE - SQNMS) is greater than 0 and less than 256. If the difference between the SQNHE and the SQNMS is within the predetermined range, it is determined that the SQNHE is acceptable; otherwise, it is determined that the SQNHE is unacceptable.
  • the predetermined condition may be that the difference between the SQNHE and the SQNMS is within a predetermined range, for example, whether (SQNHE - SQNMS) ) is greater than 0, or whether (SQNHE - SQNMS) is greater than 0 and less than 256. If the difference between the SQNHE and the S
  • WCDMA Wideband Code Division Multiple Access
  • the phenomenon of cloning a user card not only causes losses to legitimate users, but also affects the service quality of operators.
  • One of the most effective means of anti-user card cloning in the prior art is to continuously update the authentication key of the user card, and by updating the authentication key, the purpose of preventing the illegal user card from continuing to be used can be achieved. For example, by constantly updating the authentication key of the user card, it is possible to avoid or find that the legitimate user card is cloned. According to this method, by using the authentication key update, it is possible to effectively prevent the legitimate user card and the cloned user card from being used at the same time. For example, a legitimate user card can update the authentication key, so that the cloned user card cannot pass the authentication, and thus cannot be used.
  • the problem with this scheme is that it is impossible to prevent the illegal user card from updating the authentication key by the same method. For example, before the legitimate user card updates the authentication key, the user card and the legal user card are clamped. When the right key is the same, the cloned user card preemptively initiates the negotiation process of updating the authentication key, so that the authentication key stored in the HLR/AUC and the authentication key in the cloned user card are updated synchronously, the legal user Since the authentication key of the card is not updated, it becomes an invalid authentication key, and the legitimate user card cannot be used.
  • the legitimate user finds that his user card cannot be used, he can realize that the user card is cloned, and can change the authentication key in the HLR/AUC to the business hall and refresh the user card at the same time.
  • the authentication key makes the authentication key in the HLR/AUC and the authentication key of the user card again consistent, so that the legitimate user card can continue to be used, and the illegally cloned user card can no longer be used, but this processing
  • the process can cause problems for the user and also increase the workload of the staff of the business hall.
  • the present invention provides a key update negotiation method and apparatus, which can prevent an illegal user from updating an authentication key through a clone user card, thereby causing a legitimate user card to continue to be used.
  • a key update negotiation method is configured to preset a control parameter for controlling an authentication key update on a network side; the method includes:
  • the terminal sends a key update request message and a control for controlling the authentication key update to the network side.
  • the network side After receiving the key update request message, the network side determines whether the related information of the control parameter from the terminal is legal according to the control parameter saved by the network side, and performs the check when the related information of the control parameter is legal.
  • the right key is updated.
  • the related information of the control parameter used to control the update of the authentication key is the control parameter itself, and is carried in the key update request message;
  • the related information of the control parameter used to control the update of the authentication key is calculated according to the control parameter
  • Determining whether the control parameter related information from the terminal is legal according to the control parameter saved by the network side is specifically: the network side performs corresponding calculation according to the control parameter saved by the network side, and compares the calculated calculation result with the Whether the related information of the control parameter of the terminal is consistent; if the information is consistent, the related information is considered to be legal; otherwise, the related information is considered to be illegal.
  • the calculating according to the control parameter is specifically: the terminal calculates the related information according to the control parameter and the authentication key used to control the authentication key update;
  • the network side performs corresponding calculation according to the control parameter saved by the network side. Specifically, the network side performs corresponding calculation according to the control parameter saved by the network side and the authentication key of the corresponding terminal user.
  • the calculating according to the control parameter is specifically: the terminal calculates, according to the control parameter and the random number used to control the authentication key update, the related information;
  • the network side performs corresponding calculation according to the control parameter saved by the network side, and specifically: performing corresponding calculation according to the control parameter saved by the network side and the random number;
  • the random number is saved or generated by the terminal and sent to the network side, or generated by the network side and sent to the terminal.
  • the calculating according to the control parameter is specifically: the terminal is used according to the control The control parameter and the authentication key of the weight key update and the random number are calculated to obtain the related information;
  • the network side performs corresponding calculation according to the control parameter saved by the network side, and specifically: performing corresponding calculation according to the control parameter and the authentication key saved by the network side and the random number;
  • the random number is saved or generated by the terminal and sent to the network side, or generated by the network side and sent to the terminal.
  • the terminal further includes performing an authentication key update;
  • the terminal and the network side performing the key update are: the terminal and the network side respectively perform calculation according to the authentication key and the random number, and generate a new test by using a consistent algorithm.
  • Right key is: the terminal and the network side respectively perform calculation according to the authentication key and the random number, and generate a new test by using a consistent algorithm.
  • the method further includes: when the terminal sends a key update request message to the network side, carrying the first random number generated by the terminal;
  • the network side After receiving the key update request message sent by the terminal, the network side calculates a second calculation result according to the authentication key of the corresponding terminal user and the first random number, and sends the second calculation result to the terminal;
  • the terminal After receiving the second calculation result sent by the network side, the terminal calculates the first calculation result according to the authentication key saved by the terminal and the first random number, and the terminal compares whether the second calculation result and the first calculation result are consistent. If they are inconsistent, the network side is considered to be illegal, and the key update process is ended; otherwise, the related information of the control parameters for controlling the authentication key update is sent to the network side.
  • the network side after receiving the key update request message sent by the terminal, the network side further generates a second random number and sends the second random number to the terminal;
  • the calculating according to the control parameter is specifically: the terminal calculates, according to the obtained control parameter, the saved authentication key, the first random number, and the second random number, the related information of the obtained control parameter;
  • the network side performs corresponding calculation according to the control parameter saved by the network side, where the network side saves the control parameter saved by the network side, the authentication key of the corresponding terminal user, and the first random number and the second random number. Performing a calculation to obtain a fourth calculation result, and the network side compares whether the fourth calculation result calculated by itself and the related information are consistent; if not, the phase is considered The information is illegal; otherwise, the network side generates a new authentication key according to the authentication key of the corresponding terminal user and the at least one random number of the first random number and the second random number.
  • the method further includes: the terminal performing an authentication key update.
  • the terminal includes a user equipment and a user card, where the preset control parameter refers to a control parameter set in the user equipment or a control parameter set in the user card.
  • control parameter is a password, or an identity of the terminal, or any user-defined value.
  • an apparatus for implementing key update negotiation is used to implement key update negotiation between a terminal and a network side;
  • a key update request message generating unit configured to generate a key update request message requesting to update the authentication key
  • An authentication key saving unit configured to save an authentication key of the terminal
  • control parameter obtaining unit configured to acquire a control parameter for controlling the update of the authentication key
  • a related information generating unit of the control parameter configured to generate related information according to the control parameter acquired by the control parameter acquiring unit when requesting the update of the authentication key .
  • the method further includes: a random number obtaining unit, configured to acquire a random number and provide the related information generating unit of the control parameter;
  • the related information generating unit of the control parameter generates related information according to the control parameter acquired by the control parameter acquiring unit, specifically: generating the control parameter itself, or generating according to the control parameter calculation, or calculating according to the control parameter and the authentication key. Generated, or generated based on control parameters, authentication keys, and random numbers.
  • the method further includes: the device is located in the terminal; the terminal includes a user equipment and a user card; the key update request message generating unit, the authentication key holding unit, the related information generating unit of the control parameter, and the random The number acquisition unit is located in the user card; the control parameter acquisition unit is located in the user equipment or the user card.
  • an apparatus for implementing a key update negotiation is used to implement key update negotiation between a terminal and a network side;
  • An authentication key saving unit configured to save an authentication key of the terminal;
  • a control parameter storage unit configured to store a control parameter for controlling the update of the authentication key;
  • a key update request message receiving unit configured to receive a key update request message from the terminal requesting to update the authentication key;
  • a related information parsing unit of the control parameter configured to parse relevant information of the control parameter updated by the control authentication key of the terminal
  • the related information verification unit of the control parameter is configured to determine, according to the control parameter stored by the control parameter storage unit, whether the related information from the terminal is legal after receiving the key update request message.
  • the method further includes: a random number unit, configured to obtain a random number and provide the related information verification unit of the control parameter.
  • the terminal when transmitting a key update request, the terminal is required to carry a related information of a control parameter, and the network side verifies the validity of the related information of the control parameter, thereby determining that the key is updated. Whether the request message is legal, so that the network side avoids the problem of incorrectly responding to the key update request of the illegally cloned user card and the resulting normal user card being unusable. Therefore, even if the illegal user clones the user card, the authentication key cannot be updated by the cloned user card, thereby preventing the illegal user from updating the authentication key through the illegally cloned user card.
  • the method can ensure that the legitimate user effectively performs the negotiation operation of the authentication key.
  • the legitimate user card updates the authentication key continuously or periodically, which not only improves the security of the authentication key, but also prevents the normal use of the cloned user card.
  • FIG. 1 is a flow chart of a specific embodiment of the present invention.
  • FIG. 2 is a flow chart of a first embodiment of a specific embodiment of the present invention.
  • FIG. 3 is a flow chart of a second embodiment of a specific embodiment of the present invention.
  • FIG. 4 is a flow chart of a third embodiment of a specific embodiment of the present invention.
  • the key update control parameter is set on the network side HLR/AUC, and the terminal transmits the relevant information of the control parameter to the HLR/AUC when requesting the key update.
  • the network side HLR/AUC distinguishes whether the user card requesting the key update is a legitimate user card through the related information transmitted by the terminal, thereby ensuring that the HLR/AUC does not incorrectly respond to the key initiated by an illegal clone user card. Update the request to ensure that the cloned user card cannot be used for a long time.
  • control parameters for controlling the authentication key update can be set in the contract data of the HLR/AUC terminal user.
  • the terminal needs to negotiate with the HLR/AUC to update the authentication key, it sends a key update request message to the HLR/AUC, and carries related information of the control parameter used to control the authentication key update, and the network side saves the information according to the self.
  • the control parameter for controlling the authentication key update is used to verify whether the related information of the control parameter for controlling the authentication key update carried in the request key update message of the terminal is legal, thereby determining whether to perform the key update operation.
  • the HLR/AUC determines the control parameter carried in the request key update message of the terminal for controlling the update of the authentication key.
  • the relevant information is legal.
  • the cloned user card since the cloned user card does not know the control parameter information corresponding to the legal user card setting in the HLR7AUC, the cloned user card requests the authentication key update when negotiating with the HLR/AUC to update the authentication key.
  • the message cannot carry the correct information about the control parameters used to control the authentication key update. Therefore, the HLR/AUC determines the control for controlling the authentication key update carried in the message requesting the key update.
  • the information about the parameters is invalid. In this way, the cloned user card cannot effectively negotiate the update of the authentication key with the HLR/AUC.
  • the message transmission for negotiating the key update between the terminal and the HLR/AUC may be implemented by unstructured supplementary (additional) service data (USSD, Unstructured Supplementary Services Data), or may be implemented by a short message, or This is achieved by adding special signaling messages.
  • USB unstructured Supplementary Services Data
  • the control parameter used to control the key update of the present invention may be a password, such as a user PIN code (SPIN, Subscriber Personal Identification Number), or may be an identity of a terminal, such as an international mobile station device of the terminal. Identification (IMEI,
  • a control parameter for controlling the authentication key update is set in the subscription data of the corresponding end user in the HLR/AUC.
  • the user can save the control parameters in the HLR/AUC's own subscription data through the business hall, or through the service telephone interface or the service website provided by the business hall.
  • the control parameter can also be randomly generated by the HLR/AUC, and This control parameter is provided to the corresponding end user.
  • the terminal includes a user equipment UE and a user card.
  • step 100 the HLR/AUC pre-stores the control parameters of the corresponding terminal user for controlling the authentication key update.
  • Step 101 The terminal acquires a control parameter, and obtains related information of the control parameter according to the control parameter.
  • Step 103 The terminal sends a key update request message to the network side, where the request message carries related information of a control parameter used to control the authentication key update.
  • Step 105 After receiving the key update request message, the network side determines whether the related information of the control parameter in the key update request message is legal according to the control parameter saved by itself; if it is legal, step 107 is performed; otherwise, End the key update process.
  • Step 107 The HLR/AUC generates a new authentication key.
  • the authentication of the terminal can be performed by replacing the original authentication key with the new authentication key. That is, the HLR/AUC generates an authentication tuple with a new authentication key.
  • the authentication tuple includes a random number RAND, an expected response XRES, an encryption key CK, a integrity key IK, and an authentication token AUTN.
  • the HLR/AUC calculates XRES, CK, and IK using the RAND generated by the random number generator and the new authentication key KI stored by itself.
  • AUTN is also generated based on RAND, KI, serial number SQNHE, and authentication management domain AMF.
  • the terminal may also generate a new authentication key. Only when the terminal and the HLR/AUC respectively generate a new authentication key, the two parties can pass the authentication when they use the new authentication key for mutual authentication. In practice, it may happen that the terminal updates the authentication key, but the HLR/AUC does not update the authentication key, for example, due to some kind of The reason is that the HLR/AUC determines that the request message for updating the key of the terminal is illegal. At this time, the HLR/AUC does not update the authentication key. At this time, the terminal will not authenticate the network by using the newly generated authentication key. By this, the terminal can also use the original authentication key to authenticate the network. Therefore, after updating the authentication key, the terminal should also save the old authentication key before using the new authentication key to authenticate the network, and use the new authentication key to authenticate the network. , then delete the old authentication key.
  • the terminal includes a user equipment UE and a user card.
  • the terminal acquiring the control parameter may be a UE corresponding to the storage control parameter, and the terminal directly acquiring the control parameter saved by the UE; or the user card may save the control parameter, and the terminal directly acquiring the control parameter saved by the user card;
  • the terminal may prompt the user to input a control parameter, and the terminal acquires the control parameter according to the user input.
  • the user may need to update the authentication key, that is, when the related information needs to be generated according to the control parameter, the UE prompts the user to input the control parameter, and the UE obtains the location according to the user input.
  • the control parameters are described. The advantage of saving the control parameters in the UE or user card of the terminal is: It is not necessary to have the user enter the control parameters each time the authentication key is updated, which will have a better user experience.
  • the related information of the control parameter obtained according to the control parameter may be the control parameter itself.
  • the related information of the control parameter in the key update request message is determined according to the control parameter saved by itself. Whether it is legal or not means: The network side compares the control parameters saved by the network with the control parameters in the key update request message. If they are consistent, the related information is considered to be legal; otherwise, the related request information is considered illegal.
  • the related information of the control parameter obtained according to the control parameter may be obtained by calculating the related information according to the control parameter, and correspondingly, determining, in step 105, the key update request message according to the control parameter saved by itself.
  • Whether the relevant information of the control parameter is legal means that: the network side HLR/AUC performs corresponding calculation according to the control parameter saved by itself, and obtains a calculation result, and compares the calculation result calculated by the self and the control parameter in the key update request message. Whether the related information is consistent. If they are consistent, the related information is considered to be legal; otherwise, the related information is considered illegal.
  • FIG. 2 shows a first embodiment of a specific embodiment of the present invention.
  • the terminal performs calculation according to the authentication key when calculating the related information, that is, the terminal calculates the related information according to the obtained control parameter and the authentication key; correspondingly, the network side HLR/AUC is based on itself.
  • the saved control parameter and the authentication key of the corresponding terminal user are correspondingly calculated, and a calculation result is obtained, and the HLR/AUC compares the calculation result calculated by the self and the related information in the key update request message. To determine whether the request message is legal.
  • the HLR/AUC pre-stores the control parameters of the corresponding end user for controlling the authentication key update.
  • Step 201 The terminal acquires a control parameter, and calculates related information of the control parameter according to the control parameter and the authentication key.
  • Step 203 The terminal sends a key update request message to the network side, where the request message carries related information of a control parameter used to control the authentication key update.
  • Step 205 After receiving the key update request message, the network side HLR/AUC calculates a calculation result according to the control parameter saved by the user and the authentication key of the corresponding terminal user.
  • Step 207 The HLR/AUC compares the calculation result calculated by the self and the related information of the control parameter in the key update request message. If they are consistent, the HLR/AUC is considered to be legal, and step 209 is performed; otherwise, the key update process is ended.
  • Step 209 the HLR/AUC generates a new authentication key.
  • the control parameter is set in the user equipment UE, when the user card needs to calculate the related information according to the control parameter, the UE needs to transmit the control parameter to the user card. If the control parameter is set in the user card, when the user card needs to calculate the related information according to the control parameter, the control parameter saved by the user may be directly obtained, and the UE does not need to transmit the control parameter to the user card.
  • the terminal may use a random number instead of the authentication key to generate the related information.
  • the HLR/AUC may calculate the calculation result according to the control parameter saved by itself and the random number, to For consistency comparison of the relevant information of the control parameters in the key update request message in step 207.
  • the random number may be saved or generated by the terminal and sent to the HLR/AUC, or may be generated by the HLR/AUC and sent to the terminal.
  • the terminal may save the random number sent by the network side when the terminal is last authenticated.
  • the terminal before transmitting the request key update message to the HLR/AUC, the terminal first sends a request message requesting a random number to the HLR/AUC, and the HLR/AUC sends the generated random number to the terminal through the message response. Or the terminal sends an update key preparation message to the HLR/AUC before sending the request key update message to the HLR/AUC, and carries the random number saved or generated by the terminal, and the HLR/AUC receives the message. After that, the random number is saved for subsequent processing of the key update request message.
  • the random number and the authentication key may be simultaneously used, and at the same time, the authentication key is generated. It can be done according to a random number.
  • FIG. 3 shows a second embodiment of a specific embodiment of the present invention.
  • the terminal when the terminal generates the related information according to the acquired control parameter, the terminal performs not only according to the authentication key but also according to the random number, that is, the terminal calculates according to the obtained control parameter, the authentication key, and the random number.
  • the network side HLR/AUC performs corresponding calculation according to the control parameter saved by itself and the authentication key of the corresponding terminal user and the random number, and obtains a calculation result, and the HLR/AUC is compared by Whether the calculation result obtained by the self-calculation and the related information carried in the key update request message are consistent to determine whether the request message is legal or not, to determine whether to perform a key update operation.
  • the random number is saved or generated by the terminal and sent to the network side, or generated by the network side and sent to the terminal. In this embodiment, the random number is generated by the network side and sent to the terminal.
  • the HLR/AUC pre-stores the control parameters of the corresponding end user for controlling the authentication key update.
  • Step 301 The terminal sends a key update request message to the network side HLR/AUC.
  • Step 303 After receiving the key update request message sent by the terminal, the HLR/AUC generates a random number and sends the message to the terminal.
  • Step 305 The terminal calculates, according to the obtained control parameter, the authentication key, and the random number, information about the control parameter, and generates a new data according to the random number and the authentication key. The right to raise the key.
  • the terminal acquiring the control parameter may be the UE corresponding to the storage control parameter, and the terminal directly acquiring the control parameter saved by the UE; or the user card may save the control parameter, and the terminal directly acquiring the control parameter saved by the user card;
  • the terminal prompts the user to input a control parameter, and the terminal acquires the control parameter according to the user input.
  • the user may need to update the authentication key, that is, when the related information needs to be generated according to the control parameter, the UE prompts the user to input the control parameter, and the UE obtains the location according to the user input.
  • the control parameters are described. The advantage of storing control parameters in the UE or user card of the terminal is that the user is not required to enter control parameters each time the authentication key is updated, which results in a better user experience.
  • Step 307 The terminal sends the related information to the network side.
  • Step 309 After receiving the key update request message, the network side HLR/AUC calculates a calculation result according to the control parameter saved by the HLR/AUC and the authentication key of the corresponding terminal user and the random number.
  • Step 311 The HLR/AUC compares the calculation result calculated by the HLR/AUC with the related information, and if it is consistent, it is considered to be legal, and then proceeds to step 313; otherwise, the key update process ends.
  • Step 313 The HLR/AUC generates a new authentication key according to an algorithm that matches the authentication key of the corresponding terminal user and the random number by using a method consistent with the terminal to calculate a new authentication key.
  • the control parameter is set in the user equipment UE, when the user card needs to calculate the related information according to the control parameter, the UE needs to transmit the control parameter to the user card. If the control parameter is set in the user card, when the user card needs to calculate the related information according to the control parameter, the control parameter saved by the user may be directly obtained, and the UE does not need to transmit the control parameter to the user card.
  • the terminal may further generate a random number, and use the random number and the random number generated by the network side to participate in the calculation of the related information, and the new authentication key. Calculation; It is also possible to increase the terminal's authentication of the HLR AUC.
  • FIG. 4 shows a third embodiment of a specific embodiment of the present invention.
  • This implementation when the terminal generates the related information according to the obtained control parameter, not only the authentication key but also two random numbers are used, wherein the first random number is generated by the terminal and sent to the HLR/AUC, and the second The random number is generated by the HLR/AUC and sent to the terminal.
  • the terminal calculates the related information according to the obtained control parameter, the authentication key, the first random number, and the second random number; correspondingly, the network side HLR/AUC according to the control parameter saved by itself, the corresponding terminal user
  • the authentication key, the first random number and the second random number are correspondingly calculated to obtain a calculation result
  • the HLR/AUC compares the calculation result calculated by the self and the related information carried in the key update request message. Consistently determine whether the request message is legal to determine whether to perform a key update operation.
  • both the terminal and the HLR/AUC perform calculations based on the first random number and the second random number.
  • the HLR/AUC pre-stores the control parameters of the corresponding end user for controlling the authentication key update.
  • Step 401 The terminal generates a first random number, sends a key update request message to the network side HLR/AUC, and carries the random number.
  • Step 403 After receiving the key update request message sent by the terminal, the HLR/AUC generates a second random number, according to the authentication key of the corresponding terminal user, the control parameter saved in advance by itself, the first random number, and the second random number. Calculating according to the first algorithm to obtain a second calculation result, and then transmitting the second random number and the second calculation result to the terminal.
  • Step 405 After receiving the second random number and the second calculation result sent by the HLR/AUC, the terminal according to the first algorithm according to the saved authentication key, the obtained control parameter, the first random number, and the second random number. The calculation is performed to obtain the first calculation result.
  • Step 407 The terminal compares whether the second calculation result and the first calculation result are consistent. If yes, the HLR/AUC is considered to be legal, and step 409 is performed; otherwise, the HLR/AUC is considered illegal, and the key update process is ended.
  • Step 409 The terminal calculates, according to the acquired control parameter, the saved authentication key, the first random number, and the second random number, the second algorithm to obtain related information of the control parameter, and according to the first random number, the second The random number and the authentication key are calculated to generate a new authentication key, and the terminal sends the generated related information to the HLR/AUC.
  • the terminal acquiring control parameter may be a UE corresponding to the storage control parameter of the terminal, and the terminal The control parameter saved by the UE may be directly obtained.
  • the control parameter may be saved by the user card, and the terminal directly obtains the control parameter saved by the user card.
  • the terminal may prompt the user to input the control parameter, and the terminal acquires the control parameter according to the user input.
  • the user may need to update the authentication key, that is, when the related information needs to be generated according to the control parameter, the UE prompts the user to input the control parameter, and the UE obtains the control parameter according to the user input.
  • the control parameters The advantage of storing control parameters in the UE or user card of the terminal is that the user is not required to enter control parameters each time the authentication key is updated, which results in a better user experience.
  • Step 411 After receiving the related information sent by the terminal, the network side HLR/AUC according to the control parameter saved by itself, the authentication key of the corresponding terminal user, the first random number, and the second random number according to the second The algorithm performs calculation to obtain the fourth calculation result.
  • Step 413 The HLR/AUC compares the calculated fourth calculation result with the related information received from the terminal. If they are consistent, the related information is considered to be legal, and step 415 is performed; otherwise, the key update process is ended. .
  • Step 415 The HLR/AUC calculates, according to an authentication key, a first random number, and a second random number of the corresponding terminal user, an algorithm that is consistent with the terminal to calculate a new authentication key, to generate a new authentication key.
  • the terminal may also calculate based on only one of the corresponding authentication key and the two random numbers.
  • the operation of the terminal to generate the new authentication key may not be performed in step 409, but is performed in step 401.
  • a corresponding simplified application can be obtained by a person skilled in the art according to the embodiment and the simplified indication, and thus the simplified embodiment will not be described in detail herein.
  • the HLR/AUC calculates the second calculation result in step 403, it may be performed only according to the corresponding authentication key, the control parameter saved by itself and the first random number, and the second random number does not participate.
  • the terminal may perform the first calculation result only according to the saved authentication key, the acquired control parameter, and the first random number, and the second random number does not participate in the calculation.
  • a corresponding simplified application can be obtained by a person skilled in the art according to the embodiment and the simplified indication. Therefore, the present invention will not repeat the description. Embodiments.
  • the HLR/AUC calculates the second calculation result in step 403, it may be performed only according to the corresponding authentication key and the first random number, and the saved control parameter and the second random number are performed.
  • the terminal may perform the first calculation result only according to the saved authentication key and the first random number, and the acquired control parameter and the second random number are not Participate in the calculation.
  • the terminal when the terminal generates the related information in step 409, the terminal may calculate the related information of the control parameter based on the obtained control parameter, the saved authentication key, and the second random number, and the A random number does not participate in the calculation; correspondingly, when the fourth calculation result is calculated in step 411, the HLR7AUC calculates only the control parameter saved by itself, the authentication key of the corresponding terminal user, and the second random number to obtain the fourth The result is calculated and the first random number does not participate in the calculation.
  • a corresponding simplified application can be obtained by those skilled in the art according to the embodiment and the simplified indication. Therefore, the present invention will not be described in detail.
  • step 411 the operation of calculating the fourth calculation result in step 411 can also be completed in step 403.
  • the first algorithm and the second algorithm may be the same.
  • the calculation result may be changed by adjusting the parameter order. For example, when calculating the first calculation result and the second calculation result, performing the calculation according to the authentication key and the first random number, and then combining the calculation with other operation parameters; calculating the related information and the fourth calculation The result is first calculated according to the authentication key and the control parameter, and then combined with other operational parameters.
  • the algorithm design will ensure that after adjusting the parameter order, different output results will be obtained.
  • the MSC/VLR is a circuit domain device.
  • the corresponding MSC/VLR device is a Serving General Packet Radio Service Support Node (SGSN), so the present invention can be equally applied to a packet domain. .
  • SGSN Serving General Packet Radio Service Support Node
  • the terminal and the HLR/AUC generate a new authentication key, and calculate a first calculation result, a second calculation result, calculate related information of the control parameter, calculate a fourth calculation result, and the like.
  • the calculation can be done using a mature digest algorithm, corresponding to The algorithm can be found in the book "Applied Cryptography" or related algorithm papers or reports; in particular, for the second and third embodiments, when generating a new key, the random number RAND mentioned in the 3GPP protocol can also be used.
  • the algorithm that the authentication key KI generates the encryption key CK or the integrity key IK.
  • the control parameter used to control the key update of the present invention may be a password, for example, a user PI code SPIN; or an identity of a terminal, such as an IMEI of the terminal; or, of course, a user-defined one.
  • the value for example, the user's alias, the user's avatar information, or a summary of the user's avatar data, and so on.
  • an apparatus for implementing key update negotiation for implementing a key update negotiation between a terminal and a network side includes:
  • a key update request message generating unit configured to generate a key update request message requesting to update the authentication key
  • An authentication key saving unit configured to save an authentication key of the terminal
  • control parameter obtaining unit configured to acquire a control parameter for controlling the update of the authentication key
  • a related information generating unit of the control parameter configured to generate related information according to the control parameter acquired by the control parameter acquiring unit when requesting the update of the authentication key .
  • the apparatus may further include a random number acquisition unit for acquiring a random number and providing the related information generating unit of the control parameter.
  • the related information generating unit of the control parameter generates related information according to the control parameter acquired by the control parameter acquiring unit, specifically: generating the control parameter itself, or generating according to the control parameter calculation, or calculating according to the control parameter and the authentication key. Generated, or generated based on control parameters, authentication keys, and random numbers.
  • the device is located in the terminal; the terminal includes a user equipment and a user card; the key update request message generating unit, the authentication key holding unit, the related information generating unit of the control parameter, and the random number obtaining unit are located in the user card.
  • the control parameter acquisition unit is located in the user equipment or the user card.
  • an apparatus for implementing key update negotiation for implementing key update negotiation between a terminal and a network side includes: An authentication key saving unit, configured to save an authentication key of the terminal;
  • control parameter storage unit configured to store a control parameter for controlling the update of the authentication key
  • key update request message receiving unit configured to receive a key update request message from the terminal requesting to update the authentication key
  • a related information parsing unit of the control parameter configured to parse relevant information of the control parameter updated by the control authentication key of the terminal
  • the related information verification unit of the control parameter is configured to determine, according to the control parameter stored by the control parameter storage unit, whether the related information from the terminal is legal after receiving the key update request message.
  • the apparatus may further include: a random number unit, a correlation information verification unit for acquiring the random number and providing the control parameter.
  • the apparatus of this embodiment may be located in the HLR/AUC on the network side.
  • each unit may be an independent entity, and may be combined and split according to needs and actual conditions, and details are not described herein.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Ce procédé de négociation de mise à jour pour clé d'autorisation et dispositif associé trouve une application dans le réseau de communication. Dans le réseau, le paramètre de contrôle destiné à contrôler la mise à jour de clé d'autorisation est configuré; le terminal transmet le message de demande pour la mise à jour de la clé sur le réseau, portant l'information correspondant au paramètre de contrôle destiné à contrôler la mise à jour de la clé d'autorisation; le réseau reçoit le message de demande pour la mise à jour de la clé, puis détermine si l'information correspondant au paramètre de contrôle est valable d'après le paramètre de contrôle réservé. Le cas échéant, il traite la mise à jour de la clé et sinon, il met un terme à la procédure. Selon l'invention, on évite des mises à jours illégales de la clé d'autorisation par une carte d'utilisateur clonée illégalement.
PCT/CN2006/002257 2005-09-02 2006-09-01 Procede de negociation de mise a jour pour cle d'autorisation et dispositif associe WO2007025484A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200680012329.3A CN101160784B (zh) 2005-09-02 2006-09-01 一种密钥更新协商方法及装置

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN200510037046 2005-09-02
CN200510037046.1 2005-09-02
CN200510113030.4 2005-09-29
CNB2005101130304A CN100346668C (zh) 2005-09-02 2005-09-29 一种密钥更新协商方法

Publications (1)

Publication Number Publication Date
WO2007025484A1 true WO2007025484A1 (fr) 2007-03-08

Family

ID=37003199

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2006/002257 WO2007025484A1 (fr) 2005-09-02 2006-09-01 Procede de negociation de mise a jour pour cle d'autorisation et dispositif associe

Country Status (2)

Country Link
CN (2) CN100346668C (fr)
WO (1) WO2007025484A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8023658B2 (en) 2007-09-28 2011-09-20 Huawei Technologies Co., Ltd. Method and apparatus for updating a key in an active state
US8737616B2 (en) 2008-11-13 2014-05-27 Huawei Technologies Co., Ltd. Method and apparatus for identifying CGA public key, and method, apparatus, and system for determining CGA public key

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103442012B (zh) * 2013-09-02 2016-06-22 中国联合网络通信集团有限公司 物联网设备间实现签约信息迁移的方法及装置
CN103607277B (zh) * 2013-11-18 2016-08-03 中国联合网络通信集团有限公司 密钥更新的处理方法、系统和密钥管理平台
CN114500150A (zh) * 2022-01-11 2022-05-13 上海三一重机股份有限公司 基于can总线的通信方法、装置及作业机械

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1209939A (zh) * 1996-01-24 1999-03-03 诺基亚电信公司 移动通信系统中鉴权密钥的管理
US6907239B1 (en) * 1999-11-22 2005-06-14 Nokia Mobile Phones Ltd. Charging for telecommunications download services

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1457173A (zh) * 2002-05-08 2003-11-19 英华达股份有限公司 更新网络加密钥匙码的方法

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1209939A (zh) * 1996-01-24 1999-03-03 诺基亚电信公司 移动通信系统中鉴权密钥的管理
US6907239B1 (en) * 1999-11-22 2005-06-14 Nokia Mobile Phones Ltd. Charging for telecommunications download services

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8023658B2 (en) 2007-09-28 2011-09-20 Huawei Technologies Co., Ltd. Method and apparatus for updating a key in an active state
US8144877B2 (en) 2007-09-28 2012-03-27 Huawei Technologies Co., Ltd. Method and apparatus for updating a key in an active state
US8300827B2 (en) 2007-09-28 2012-10-30 Huawei Technologies Co., Ltd. Method and apparatus for updating key in an active state
US9031240B2 (en) 2007-09-28 2015-05-12 Huawei Technologies Co., Ltd. Method and apparatus for updating a key in an active state
US10057769B2 (en) 2007-09-28 2018-08-21 Huawei Technologies Co., Ltd. Method and apparatus for updating a key in an active state
US10999065B2 (en) 2007-09-28 2021-05-04 Huawei Technologies Co., Ltd. Method and apparatus for updating a key in an active state
US8737616B2 (en) 2008-11-13 2014-05-27 Huawei Technologies Co., Ltd. Method and apparatus for identifying CGA public key, and method, apparatus, and system for determining CGA public key

Also Published As

Publication number Publication date
CN101160784B (zh) 2010-10-27
CN100346668C (zh) 2007-10-31
CN1835633A (zh) 2006-09-20
CN101160784A (zh) 2008-04-09

Similar Documents

Publication Publication Date Title
US9065641B2 (en) Method and device for updating a key
US8122250B2 (en) Authentication in data communication
JP4643657B2 (ja) 通信システムにおけるユーザ認証及び認可
US7773973B2 (en) Method for authentication between a mobile station and a network
JP4965671B2 (ja) 無線通信ネットワークにおけるユーザ・プロファイル、ポリシー及びpmipキーの配布
US20190149990A1 (en) Unified authentication for heterogeneous networks
US20060059344A1 (en) Service authentication
US20210092603A1 (en) Subscriber identity privacy protection against fake base stations
WO2019019736A1 (fr) Procédé de mise en œuvre de sécurité, et appareil et système associés
JP2017126987A (ja) ホットスポットネットワークにおける未知のデバイスに対する制限付き証明書登録
KR102456280B1 (ko) 원격 통신 네트워크의 단말 내에서 모바일 장비와 협력하는 보안 엘리먼트를 인증하기 위한 방법
US20050271209A1 (en) AKA sequence number for replay protection in EAP-AKA authentication
WO2012174959A1 (fr) Procédé, système et passerelle d'authentification de groupe dans une communication entre machines
WO2010091563A1 (fr) Procédé, dispositif et système de gestion destinés à un certificat de terminal wapi
EP1698197B1 (fr) Authentification dans un reseau de communication
WO2007041933A1 (fr) Procédé de mise à jour de clés secrètes contrôlées et appareil idoine
WO2007025484A1 (fr) Procede de negociation de mise a jour pour cle d'autorisation et dispositif associe
CN112235799B (zh) 终端设备入网鉴权方法及系统
WO2012000313A1 (fr) Procédé et système de certification de passerelle de rattachement
US7813718B2 (en) Authentication in a communication network
WO2018222133A2 (fr) Procédé, appareil, et système de protection de données
WO2008034359A1 (fr) Procédé, système de communication et dispositif permettant d'identifier et d'authentifier un dispositif d'authentification
WO2006050663A1 (fr) Procede de definition de code de securite
Parne et al. PASE-AKA: Performance and Security Enhanced AKA Protocol for UMTS Network

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 200680012329.3

Country of ref document: CN

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 1118/KOLNP/2008

Country of ref document: IN

122 Ep: pct application non-entry in european phase

Ref document number: 06775574

Country of ref document: EP

Kind code of ref document: A1