WO2007051406A1 - A control system and method for terminal using network and device therefore - Google Patents


Info

Publication number
WO2007051406A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
network
authentication information
terminal device
identifier
Application number
PCT/CN2006/002908
Other languages
French (fr)
Chinese (zh)
Inventor
Shufeng Shi
Xuexia Yan
Original Assignee
Huawei Technologies Co., Ltd.


Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/06 Authentication
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/08 Access security
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/60 Context-dependent security > H04W 12/69 Identity-dependent > H04W 12/72 Subscriber identity

Definitions

  • the present invention relates to security technologies in mobile communications, and in particular to a control system, control method and apparatus for a terminal using a network.
  • in mobile communications, a device identification number is used to manage the mobile terminal; a public land mobile network (PLMN) contains a functional unit called the Equipment Identity Register (EIR), which is responsible for managing the device identifiers of the mobile terminals in the network.
  • in a GSM network the device identifier is the International Mobile Equipment Identification (IMEI); in a CDMA (Code Division Multiple Access) network it is the Electronic Serial Number (ESN).
  • the IMEI code in the GSM network is a unique identifier of a mobile terminal and is immutable. Its main purpose is to prevent unauthorized (e.g., stolen, faulty or non-type-certified) mobile devices from being used in the network.
  • three lists of terminal device identifiers are stored in the device identification register: a whitelist, a blacklist and a graylist.
  • the whitelist stores the terminal identifiers that are allowed to use the network.
  • the blacklist stores the terminal identifiers that are not allowed to use the network.
  • the graylist stores the terminal identifiers that the network may need to track or otherwise process; whether they are allowed to use the network is decided by the operator.
  • the network may require an IMEI check on the mobile terminal whenever needed (including during access or during a call); if the device identification register returns the terminal IMEI as an illegal number (e.g., it is in the blacklist or not in the whitelist), the mobile terminal is denied use of the network.
  • FIG. 1 shows the location of the device identification register in the reference model of a commonly used mobile network (such as the GSM network).
  • the structure mainly includes three parts: a base station subsystem (BSS) 110, a network subsystem (NSS) 120, and an operation support subsystem (OSS) 130.
  • the base station subsystem 110 further includes a plurality of base transceiver stations (BTS) 111 and a base station controller (BSC) 112.
  • the network subsystem 120 includes a mobile switching center (MSC) / visitor location register (VLR) 121, a home location register (HLR) / authentication center (AUC) 122, an operation and maintenance center (OMC) 123 and an equipment identity register (EIR) 124.
  • the operation support subsystem 130 includes a Network Management Center (NMC) 131, a Data Post Processing System (DPPS) 132, a Security Management Center (SEMC) 133 and a Personalization Center for Subscriber (PCS) 134.
  • the mobile terminal, as a mobile station (MS) 140, can interact with the base transceiver station 111; the mobile switching center 121 can be connected to networks 150 such as a public data network (PDN), the public switched telephone network (PSTN) and the Integrated Service Digital Network (ISDN).
  • since the network operator does not verify the IMEI code of the mobile terminal when the user enters the network, there are cases where an unauthorized user uses the network; for example, after the mobile terminal is stolen, the thief can generally reuse the mobile terminal simply by replacing the card.
  • in one existing method, the whitelist, blacklist and graylist in the device identification register are set by an administrator.
  • the user registers the stolen terminal with the management center of the device identification register, and the IMEI code of the stolen terminal is added to the blacklist, thereby preventing the stolen terminal from reusing the network.
  • when a user registers or initiates a call with the stolen terminal, the mobile switching center and the visitor location register can request the IMEI from the mobile station terminal and send the obtained IMEI code to the device identification register.
  • the device identification register compares the received IMEI code with the numbers in the white list, the black list and the gray list, and sends the comparison result to the mobile switching center/visitor location register.
  • the mobile switching center/visitor location register determines whether the mobile station device is allowed to access the network based on the result of the comparison, or can track related information of the terminal, such as location information.
  • the original user of the terminal needs to register with the device identification register management center, and the network can prevent the stolen terminal from reusing the network only after the stolen terminal has been added to the blacklist. If the user loses the terminal and does not register with the device identification register management center, the thief can still use the stolen terminal after the card is exchanged. Therefore, the existing method cannot prevent unauthorized terminals from using the network completely and in time.
  • the present invention provides a control system, method and apparatus for a terminal to use a network.
  • the network can automatically detect the unauthorized terminal and prevent it from using the network.
  • a method for controlling a terminal to use a network includes: the terminal transmits its terminal device identifier and authentication information to a network switching center; after receiving this information, the network switching center queries the terminal device identification center for the preset authentication information corresponding to the terminal device identifier;
  • the network switching center allows the terminal to access the network when it confirms that the preset authentication information returned by the terminal device identification center matches the authentication information sent by the terminal.
  • a control system for a terminal using a network includes a network switching center and a terminal device identification center, where the terminal device identification center stores the terminal device identifier and preset authentication information of each terminal subscribed to the network;
  • the network switching center is configured to receive the terminal device identifier and the authentication information from the terminal, to query the terminal device identification center for the preset authentication information corresponding to the terminal device identifier, and to allow the terminal to access the network when the preset authentication information returned by the terminal device identification center matches the authentication information sent by the terminal.
  • a network switching center includes:
  • an information receiving unit configured to receive the terminal device identifier and authentication information from the terminal;
  • a query unit configured to query the terminal device identification center, after the foregoing information has been received from the terminal, for the preset authentication information corresponding to the terminal device identifier;
  • an access control unit configured to allow the terminal to access the network when it is confirmed that the preset authentication information returned by the terminal device identification center matches the authentication information sent by the terminal.
  • a terminal includes:
  • an information sending unit configured to send the terminal device identifier and the authentication information of the terminal to the network switching center;
  • a feedback receiving unit configured to receive feedback from the network switching center on whether access is allowed.
  • the invention stores the relevant information (terminal device identifier and authentication information) of network access terminals in the terminal device identification center in advance; when a terminal needs to be controlled, the terminal device identifier and authentication information of the terminal are compared with the information stored in the terminal device identification center, so that an unauthorized terminal can be detected in time and effectively, and the unauthorized terminal (such as a stolen terminal after the card is replaced) is prevented from accessing the network.
  • FIG. 1 is a schematic diagram of a reference model of a prior art mobile communication network.
  • FIG. 2 is a schematic illustration of a first embodiment of the control system of the present invention.
  • FIG. 3 is a schematic illustration of a second embodiment of the control system of the present invention.
  • FIG. 4 is a flow chart of an embodiment of a method for controlling a terminal using a network according to the present invention.
  • FIG. 5 is a block diagram of an embodiment of a network switching center and terminal used in the present invention.
  • the present invention provides a control system and a control method for a terminal using a network, and a corresponding device.
  • the network can automatically detect whether the terminal is an unauthorized terminal, and if it is an unauthorized terminal, it can prevent its use.
  • the terminal 210 in the embodiments of the present invention refers to a terminal that has a unique terminal device identifier and can obtain a network identifier assigned by an operator, such as a mobile phone, a PDA (Personal Digital Assistant), a laptop or another terminal device equipped with a SIM (Subscriber Identity Module) card, a USIM (Universal Subscriber Identity Module) card or an ISIM (IP Multimedia Core Network Subsystem Subscriber Identity Module) card, or even a fixed terminal (e.g., an IMS terminal of a next-generation network).
  • the network refers to a mobile network, such as a PLMN (Public Land Mobile Network) (including GSM and CDMA networks); the invention is also applicable to the TISPAN next generation network (NGN), and to 3GPP (3rd Generation Partnership Project) and 3GPP2 (3rd Generation Partnership Project 2) networks such as WCDMA (Wideband Code Division Multiple Access) and CDMA2000 (Code Division Multiple Access 2000).
  • the network switching center 220 is an entity capable of processing a user's call and performing authentication (in the present invention, the network switching center may also be another functional entity capable of session processing); the terminal device identification center 230 is essentially a database that pre-stores the authentication information of the network operator's subscription users.
  • its management of terminal device identifiers is similar to the management of terminal device identifiers by the EIR; it also has a blacklist, in which the terminal device identifiers that are not allowed to access the network are stored.
  • the interaction between the network switching center 220 and the terminal identification center 230 includes: the network switching center 220 sends the query to the terminal identification center 230, and the terminal identification center 230 returns the query result to the network switching center 220.
  • the interface protocol between the network switching center 220 and the terminal device identification center 230 may be, for example, the MAP protocol, the Diameter protocol or the Radius protocol.
  • the terminal device identification center 230 can maintain its internal data through the input device 240.
  • the authentication information of the network operator's subscription users is pre-stored in the terminal device identification center 230.
  • for example, when each user purchases the terminal 210 and subscribes with the network operator, the authentication information selected is sent by the network operator to the terminal identification center 230 for registration.
  • the authentication information to be registered mainly includes: the terminal device identifier, the network identifier allocated to the user by the subscription network, and the terminal verification authentication information.
  • the terminal device identifier may be stored in the terminal device identification center 230 in advance; for example, when the terminal leaves the factory, its terminal device identifier is registered with the terminal device identification center.
  • the terminal verification authentication information may be a verification password or other information based on biometrics, such as the user's fingerprint information, personal signature information, retina information and the like. Of these, the verification password is the most common. If a password is used, it can first be communicated by the operator or be set by the user, and the user can change the verification password of the terminal.
  • the change is made in manual mode or automatic mode. In manual mode, the change is made through a business hall of the network operator or of the terminal device identification center.
  • in automatic mode, for example, the operator or the terminal device identification center provides a voice service reached by dialing, or a web service whose login operation interface is used to make the change.
  • the terminal device identification center 230 transparently stores the user network identifier sent by the operator, and the user network identifier may be encrypted by the operator.
  • the terminal identification center 230 can be used to assist in authenticating the terminal devices in the carrier network.
  • the terminal device identification center 330 is located at an independent third-party supervisory body. For example, a unified terminal device identification center can be established for the same kind of network terminals nationwide or globally. Only two carrier networks are shown in the figure, but the present invention is not limited thereto. As in the first embodiment, the terminal device identification center 330 pre-stores the authentication information of the terminals of all carrier networks.
  • a terminal device identification center that can interact with a network switching center in an operator network is set up, and the authentication information of the subscribed terminal users of the network is pre-stored in the terminal device identification center.
  • the network switching center authenticates the terminal by comparing the related information in the registration information of the terminal with the authentication information stored in the terminal device identification center, to determine whether the terminal can be allowed to access the network.
  • the registration initiated by the terminal to the network includes: registration with the network when the terminal is used for the first time; registration with the network every time the terminal is turned on; or periodic registration with the network during use of the terminal (such as registering with the network every few hours).
  • step S30: when a terminal initiates registration in the network, the network switching center obtains the terminal device identifier from the registration information sent by the terminal; the registration information further carries the network identifier of the terminal.
  • step S31: the network switching center transmits the terminal device identifier to the terminal device identification center, and the terminal device identification center determines whether the terminal device identifier is in its blacklist.
  • if it is determined in step S31 that the terminal device identifier is in the blacklist, a message is returned to the network switching center. After the network switching center learns from the message that the terminal device is blacklisted, the registration failure process of step S35 is performed, blocking the device from accessing the network.
  • if the control function is not supported, or the terminal device identifier cannot be queried, processing follows the operator's policy; if only the anti-theft function is used, the terminal authentication is treated as successful and the original normal registration process of the network continues.
  • if it is determined in step S31 that the terminal device identifier is not in the blacklist of the terminal device identification center, then in step S33 the terminal device identification center returns the stored user network identifier and terminal verification authentication information corresponding to the terminal to the network switching center.
  • step S34: the network switching center compares whether the user network identifier stored in the terminal device identification center and the user network identifier from the terminal registration report are consistent. If the user network identifier stored in the terminal device identification center has been encrypted by the operator, a corresponding decryption operation is also required in the network switching center.
  • if it is determined in step S34 that the two are consistent, the process proceeds to step S390 and the terminal authentication passes.
  • otherwise, in step S36, the user is required to input the terminal verification authentication information (such as a verification password); the user may instead be required to input other information, such as biometrics. For a fingerprint, this requires the terminal to have a fingerprint scanning function.
  • step S37: the network switching center compares whether the terminal verification authentication information input by the user is the same as the terminal verification authentication information returned by the terminal device identification center.
  • if the two are the same in step S37, the process goes to step S390 to continue the registration process.
  • step S38: if the two differ in step S37, step S38 determines whether the user has already input the terminal verification authentication information a predetermined number of times; if not, the process returns to step S36 and the comparison of the terminal verification authentication information is repeated.
  • otherwise, the network switching center considers the terminal an illegal terminal and the registration fails; the terminal device identifier may be added to the blacklist of the terminal device identification center (step S39).
  • in summary, the network switching center first checks whether the terminal device identifier is in the blacklist of the terminal device identification center, and then determines whether the user network identifier from the terminal device identification center and the user network identifier registered by the terminal are consistent. If not, the network switching center requires the terminal to input the terminal verification authentication information; if the input is correct, the terminal is successfully authenticated and the subsequent normal registration process continues, otherwise authentication fails.
  • the user is allowed a limited number of attempts to enter the terminal verification authentication information (for example, three), and if all fail the terminal is placed in the blacklist of the terminal identification center (according to operator policy).
  • the terminal verification authentication information mainly covers the case where the user temporarily replaces the SIM, USIM or ISIM card carrying the user network identifier, or replaces it for a long time but the information in the terminal device identification center is not updated in time; the user network identifier stored in the identification center and the user network identifier sent in the terminal registration report are then inconsistent, but registration is still allowed to succeed through the terminal verification authentication information.
  • the above process can be performed after or before the original terminal registration process, or it can be merged into the original registration process.
  • the terminal authentication process is only performed when the terminal registers, and does not affect the connection of the user's normal calls.
  • the present invention proposes a universal scheme for automatically detecting unauthorized terminals (e.g., stolen terminals after card replacement) and preventing them from using the network, thereby preventing unauthorized terminals from connecting to the network in a timely and effective manner.
  • FIG. 5 is a block diagram of an embodiment of a network switching center and terminal used in the present invention.
  • the network switching center includes: an information receiving unit 511, configured to receive the terminal device identifier and the authentication information from the terminal; a query unit 512, configured to query the terminal device identification center, after the foregoing information has been received from the terminal, for the preset authentication information corresponding to the terminal device identifier; and an access control unit 513, configured to allow the terminal to access the network when it is confirmed that the preset authentication information returned by the terminal device identification center matches the authentication information sent by the terminal.
  • the network switching center further includes a match confirming unit 514, configured to determine whether the current network identifier allocated to the user by the subscription network, carried in the authentication information sent by the terminal, is consistent with the pre-stored network identifier allocated to the user by the subscription network in the preset authentication information.
  • when the two are inconsistent, the match confirming unit 514 further determines whether the terminal verification authentication information provided by the terminal and the terminal verification authentication information returned by the terminal identification center are consistent.
  • the information receiving unit 511 is a registration message receiving unit, configured to receive a registration message carrying the terminal device identifier and the authentication information.
  • the terminal includes: an information sending unit 521, configured to send the terminal device identifier and the authentication information of the terminal to the network switching center; and a feedback receiving unit 522, configured to receive from the network switching center the feedback on whether access is allowed.
  • the information sending unit is a registration message sending unit, configured to send a registration message carrying the terminal device identifier and the authentication information.
  • each of the foregoing units may be an independent logical entity, and they may be combined according to actual conditions and requirements; details are not described herein.
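The following Python is an added illustration and is not code from the patent or from Huawei. It models two things described above: the prior-art EIR check against whitelist, blacklist and graylist, and the registration-time flow of steps S30 to S39, in which the network switching center first consults the terminal device identification center's blacklist, then compares the user network identifier, and only when that differs (the card-swap case) falls back to the terminal verification authentication information with a bounded number of attempts and optional blacklisting. All class and function names are this example's own; storing a SHA-256 digest of the verification password instead of the password, the constant-time comparison, the "allow unknown terminal" policy flag and the sample identifiers are assumptions the patent does not specify.

```python
"""Added example: EIR three-list check and the S30-S39 registration check."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


# ---- Prior art: Equipment Identity Register with three lists ----------------
def eir_check(imei: str, whitelist: Set[str], blacklist: Set[str],
              graylist: Set[str]) -> str:
    """Return 'denied', 'tracked' or 'allowed'.  Blacklist wins; a grey-listed
    IMEI is admitted but flagged for tracking; an IMEI that is neither listed
    nor whitelisted is illegal, matching the 'in the blacklist or not in the
    whitelist' rule in the background section."""
    if imei in blacklist:
        return "denied"
    if imei in graylist:
        return "tracked"
    if imei in whitelist:
        return "allowed"
    return "denied"


# ---- The patent's terminal device identification center ----------------------
def _digest(secret: str) -> bytes:
    # Assumption: the centre keeps a digest of the verification password; the
    # patent only says the password is "stored" and returned for comparison.
    return hashlib.sha256(secret.encode("utf-8")).digest()


@dataclass
class TerminalRecord:
    network_id: str       # identifier assigned by the subscription network
    verify_digest: bytes  # digest of the terminal verification password


@dataclass
class TerminalIdentificationCenter:
    records: Dict[str, TerminalRecord] = field(default_factory=dict)
    blacklist: Set[str] = field(default_factory=set)

    def register(self, device_id: str, network_id: str, password: str) -> None:
        """Pre-store the subscriber's authentication information (at purchase)."""
        self.records[device_id] = TerminalRecord(network_id, _digest(password))

    def is_blacklisted(self, device_id: str) -> bool:          # step S31
        return device_id in self.blacklist

    def lookup(self, device_id: str) -> Optional[TerminalRecord]:  # step S33
        return self.records.get(device_id)


@dataclass
class NetworkSwitchingCenter:
    center: TerminalIdentificationCenter
    max_attempts: int = 3               # "for example, three times"
    allow_unknown: bool = True          # operator policy when the id is not found
    blacklist_on_failure: bool = True   # operator policy at step S39

    def register_terminal(self, device_id: str, network_id: str,
                          ask_password: Callable[[], str]) -> str:
        """Run the registration-time check; return a short verdict string."""
        if self.center.is_blacklisted(device_id):                # S32 -> S35
            return "rejected:blacklisted"
        rec = self.center.lookup(device_id)
        if rec is None:                                          # not registered
            return "accepted:not-registered" if self.allow_unknown else "rejected:unknown"
        if hmac.compare_digest(rec.network_id.encode(), network_id.encode()):  # S34
            return "accepted"                                    # S390
        # Identifiers differ (card replaced): fall back to verification info.
        for _ in range(self.max_attempts):                       # S36-S38
            if hmac.compare_digest(_digest(ask_password()), rec.verify_digest):  # S37
                return "accepted:verified"                       # S390
        if self.blacklist_on_failure:                            # S39
            self.center.blacklist.add(device_id)
        return "rejected:verification-failed"


def demo() -> Dict[str, str]:
    """Walk one constructed terminal through the four interesting cases."""
    tic = TerminalIdentificationCenter()
    tic.register("IMEI-TEST-0001", "IMSI-TEST-AAA", "correct-horse")  # constructed
    nsc = NetworkSwitchingCenter(tic)
    return {
        "same_card": nsc.register_terminal("IMEI-TEST-0001", "IMSI-TEST-AAA", lambda: "never-asked"),
        "swapped_card_ok": nsc.register_terminal("IMEI-TEST-0001", "IMSI-TEST-BBB", lambda: "correct-horse"),
        "swapped_card_bad": nsc.register_terminal("IMEI-TEST-0001", "IMSI-TEST-BBB", lambda: "wrong"),
        "after_blacklist": nsc.register_terminal("IMEI-TEST-0001", "IMSI-TEST-AAA", lambda: "correct-horse"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The bounded attempt counter in steps S36 to S38 is the only brake the patent places on guessing the verification password, so the number of attempts and the blacklist-on-failure policy are the two settings an operator would tune; the decryption step mentioned at S34 for an operator-encrypted network identifier is left out here and would sit just before the identifier comparison.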

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

A control system for a terminal using a network includes at least a network switching center (NSC) with which the terminal registers and a terminal device identification center in which the authentication information of terminal users subscribed to the network is pre-stored. The NSC receives the registration information of the terminal user, requests the authentication information of the terminal user from the terminal device identification center, and determines according to the returned result whether the terminal may access the network. A control method for a terminal using a network, together with the corresponding NSC and terminal, is also provided. When a terminal registers with the network, the relevant information of the terminal is compared with the authentication information pre-stored in the terminal device identification center to determine whether the terminal is authenticated, which can effectively prevent an unauthorized user from using the network.

Description

Control system, control method and device for a terminal using a network
This application claims priority to Chinese Patent Application No. 200510100913.1, entitled "Control system and control method for a terminal using a network", filed with the Chinese Patent Office on October 31, 2005, the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to security technology in mobile communications, and in particular to a control system, control method and device for a terminal using a network.
Background
In mobile communications, a device identification number is used to manage mobile terminals. For example, a public land mobile network (PLMN) contains a functional unit called the Equipment Identity Register (EIR), which is mainly responsible for managing the device identifiers of the mobile terminals in the network. In a GSM (Global System for Mobile Communications) network this device identifier is the International Mobile Equipment Identification (IMEI); in a CDMA (Code Division Multiple Access) network it is the Electronic Serial Number (ESN). The description below uses the GSM network as an example.
The IMEI code in a GSM network is the unique identifier of a mobile terminal and cannot be altered. Its main purpose is to prevent unauthorized mobile devices (for example stolen devices, or faulty devices that have not passed type certification) from being used in the network.
The equipment identity register stores three lists of terminal device identifiers: a whitelist, a blacklist and a graylist. The whitelist holds the identifiers of terminals allowed to use the network; the blacklist holds the identifiers of terminals not allowed to use the network; the graylist holds the identifiers of terminals the network may need to track or otherwise process, and whether these may use the network is decided by the operator.
Whenever needed (including during access or during a call), the network may require an IMEI check on a mobile terminal; if the equipment identity register reports that the terminal's IMEI is an illegal number (for example, it is in the blacklist or not in the whitelist), the mobile terminal is refused use of the network.
Figure 1 shows where the equipment identity register sits in the reference model of a commonly used mobile network (such as a GSM network). The GSM network reference model consists mainly of three parts: the base station subsystem (BSS) 110, the network subsystem (NSS) 120 and the operation support subsystem (OSS) 130. The base station subsystem 110 contains a number of base transceiver stations (BTS) 111 and base station controllers (BSC) 112; the network subsystem 120 contains the mobile switching center (MSC) / visitor location register (VLR) 121, the home location register (HLR) / authentication center (AUC) 122, the operation and maintenance center (OMC) 123 and the equipment identity register (EIR) 124; the operation support subsystem 130 contains the network management center (NMC) 131, the data post-processing system (DPPS) 132, the security management center (SEMC) 133 and the personalization center for subscriber (PCS) 134, which personalizes subscriber identity cards. The mobile terminal, as mobile station (MS) 140, interacts with the base transceiver station 111; the mobile switching center 121 can connect to networks 150 such as the public data network (PDN), the public switched telephone network (PSTN) and the integrated services digital network (ISDN).
目前, 由于网络运营商在用户入网时并没有对移动终端的 IMEI码实 行验证, 存在有一些未授权用户使用网络的情况, 如当移动终端失窃后, 盗用者一般可通过换卡的方法重新使用该移动终端。  At present, since the network operator does not verify the IMEI code of the mobile terminal when the user enters the network, there are some cases where the unauthorized user uses the network. For example, after the mobile terminal is stolen, the thief can generally use the card replacement method. The mobile terminal.
现在也出现了一些方法以防止未授权的移动终端(下面以被盗的终端 为例进行说明)的使用网络: 例如, 在现有的一种方法中, 设备识别寄存 器中的白名单、 黑名单及灰名单需要管理人员来设置。 用户到设备识别寄 存器的管理中心登记其被盗的终端, 将被盗终端的 IMEI码加入黑名单, 从而达到阻止该被盗终端重新使用网络的目的。 当有用户用该被盗终端进 行注册或发起呼叫时, 移动交换中心和访客位置寄存器可以向移动台终端 (如手机)请求 IMEI, 并把该请求到的 IMEI码发送给设备识别寄存器, 设备识别寄存器将收到的 IMEI码与白清单、 黑清单及灰清单中的号码进 行比较, 将比较结果发送给移动交换中心 /访客位置寄存器, 移动交换中 心 /访客位置寄存器根据比较的结果决定是否允许该移动台设备接入网 络, 或者可以追踪该终端的相关信息, 例如位置信息。 There are also some ways to prevent unauthorized mobile terminals (described below as examples of stolen terminals): For example, in an existing method, the whitelist and blacklist in the device identification register The gray list needs to be set by the manager. The user registers the stolen terminal with the management center of the device identification register, and adds the IMEI code of the stolen terminal to the blacklist, thereby preventing the stolen terminal from reusing the network. When a user registers or initiates a call with the stolen terminal, the mobile switching center and the visitor location register can be directed to the mobile station terminal. (eg mobile phone) request IMEI, and send the IMEI code of the request to the device identification register, the device identification register compares the received IMEI code with the white list, the black list and the number in the gray list, and sends the comparison result to The mobile switching center/visitor location register, the mobile switching center/visitor location register determines whether the mobile station device is allowed to access the network based on the result of the comparison, or can track related information of the terminal, such as location information.
在该种方法中, 终端被盗后需要终端的原始使用者到设备识别寄存器 管理中心登记, 将被盗终端人为加入黑名单后, 网络才能阻止被盗终端重 新使用网络。如果用户丟失终端后不去或暂时无法去设备识别寄存器管理 中心登记, 盗用者换卡后仍可使用被盗的终端, 故现有的这种方法仍不能 完全、 及时地防止未授权终端使用网络。  In this method, after the terminal is stolen, the original user of the terminal needs to register with the device identification register management center, and the network can prevent the stolen terminal from reusing the network after the stolen terminal is added to the blacklist. If the user loses the terminal and does not go to the device identification register management center for registration, the thief can still use the stolen terminal after the card is exchanged. Therefore, the existing method cannot prevent the unauthorized terminal from using the network completely and timely. .
Summary of the Invention
The present invention provides a control system, method and apparatus for a terminal using a network, such that when an unauthorized terminal attempts to use the network, the network can automatically detect the unauthorized terminal and prevent it from using the network.
According to one aspect of the present invention, a method for controlling a terminal's use of a network comprises: the terminal sending its terminal device identifier and authentication information to a network switching center; after receiving the foregoing information sent by the terminal, the network switching center querying a terminal device identification center for the preset authentication information corresponding to the terminal device identifier;
and, upon confirming that the preset authentication information returned by the terminal device identification center matches the authentication information sent by the terminal, the network switching center allowing the terminal to access the network.
According to another aspect of the present invention, a control system for a terminal using a network comprises a network switching center and a terminal device identification center, the terminal device identification center storing the terminal device identifiers and preset authentication information of the terminals subscribed to the network;
the network switching center being adapted to receive the terminal device identifier and authentication information from a terminal, to query the terminal device identification center for the preset authentication information corresponding to the terminal device identifier, and to allow the terminal to access the network when the preset authentication information returned by the terminal device identification center matches the authentication information sent by the terminal.
According to yet another aspect of the present invention, a network switching center comprises:
an information receiving unit for receiving the terminal device identifier and authentication information from a terminal; a query unit for querying, after the foregoing information sent by the terminal has been received, the terminal device identification center for the preset authentication information corresponding to the terminal device identifier;
and an access control unit for allowing the terminal to access the network upon confirming that the preset authentication information returned by the terminal device identification center matches the authentication information sent by the terminal.
According to a further aspect of the present invention, a terminal comprises:
an information sending unit for sending the terminal device identifier and authentication information of the terminal to the network switching center;
and a feedback receiving unit for receiving feedback from the network switching center as to whether access is allowed.
By storing in advance, in the terminal device identification center, the relevant information of the terminals admitted to the network (terminal device identifier and authentication information), and comparing a terminal's terminal device identifier and authentication information with the information stored in the terminal device identification center whenever the terminal is to be controlled, the present invention can detect unauthorized terminals promptly and effectively and prevent an unauthorized terminal (such as a stolen terminal whose card has been replaced) from accessing the network.
Brief Description of the Drawings
Figure 1 is a schematic diagram of the reference model of a prior-art mobile communication network;
Figure 2 is a schematic diagram of a first embodiment of the control system of the present invention;
Figure 3 is a schematic diagram of a second embodiment of the control system of the present invention;
Figure 4 is a flowchart of an embodiment of the method of the present invention for controlling a terminal's use of a network;
Figure 5 is a block diagram of an embodiment of the network switching center and terminal used in the present invention.
Detailed Description
The present invention provides a control system and control method for a terminal using a network, together with the corresponding apparatus. When a terminal attempts to access the network, the network can automatically detect whether the terminal is an unauthorized terminal and, if it is, prevent it from using the network.
Figure 2 is a schematic diagram of a first embodiment of the present invention, in which only one operator's network is drawn schematically. The terminal 210 referred to in the embodiments of the present invention is a terminal that has a unique terminal device identifier and can obtain a network identifier assigned by an operator, such as a mobile phone, PDA (Personal Digital Assistant), notebook computer or other terminal device carrying a SIM (Subscribers Identity Module) card, USIM (Universal Subscribers Identity Module) card or ISIM (IP Multimedia Core Network Subsystem Subscribers Identity Module) card, or even a fixed terminal (such as an IMS terminal of a next-generation network). The network referred to is a mobile network, such as a PLMN (Public Land Mobile Network) (including GSM and CDMA networks), the next-generation network (NGN, Next Generation Network) defined by TISPAN (Telecommunications and Internet Converged Services and Protocols for Advanced Networking) and the ITU-T (International Telecommunication Union-Telephone), or the wideband code division multiple access (WCDMA, Wideband Code Division Multiple Access) and CDMA2000 networks defined by 3GPP (3rd Generation Partnership Project) and 3GPP2 (3rd Generation Partnership Project 2).
In the operator's network there is at least one network switching center 220 (only one is shown in the figure) and one terminal device identification center 230. The network switching center 220 is an entity capable of handling users' calls and performing authentication (in the present invention it may also be another functional entity capable of session handling). The terminal device identification center 230 is essentially a database that stores in advance the authentication information of the network operator's subscribed users; its management of terminal device identifiers is similar to that of the EIR, and it likewise maintains a black list in which the terminal device identifiers that are not allowed to access the network are stored.
The interaction between the network switching center 220 and the terminal device identification center 230 comprises the network switching center 220 sending a query to the terminal device identification center 230 and the terminal device identification center 230 returning the query result to the network switching center 220. The interface protocol between the network switching center 220 and the terminal device identification center 230 may be, for example, the MAP protocol, the Diameter protocol or the Radius protocol. In addition, the data held in the terminal device identification center 230 may be maintained through an input device 240.
The authentication information of the network operator's subscribed users is stored in advance in the terminal device identification center 230. For example, when a user purchases a terminal 210, the user subscribes with the network operator and chooses to have the authentication information sent to the terminal device identification center 230 for registration either personally or by the network's operator. The authentication information registered at this time mainly comprises the terminal device identifier, the network identifier assigned to the user by the subscribed network, and the terminal verification authentication information. The terminal device identifier may be stored in the terminal device identification center 230 ahead of time, for example by registering it with the center when the terminal leaves the factory. The terminal verification authentication information may be a verification password or other information carrying biometric features, such as the user's fingerprint, personal signature or retina data. A verification password is the most common; if a verification password is used, it may be set by the operator and then communicated to the user, or set by the user, and the user may change it either manually or automatically. The manual way may be, for example, registering the change at a business hall of the network operator or of the terminal device identification center; the automatic way may be, for example, a voice service provided by the operator or the terminal device identification center that the user dials into, or a WEB (web page) service it provides in which the change is made through a login interface. The terminal device identification center 230 stores the user network identifier sent by the operator transparently; that user network identifier may be encrypted by the operator.
In the embodiment shown in Figure 2, the terminal device identification center 230 may be used to assist in authenticating the terminal devices in that operator's network.
Figure 3 is a schematic diagram of a second embodiment of the present invention, which is suited to unified authentication of all terminal devices across different operators' networks. Here the terminal device identification center 330 is located at an independent third-party supervisory body; for example, a single, centrally managed terminal device identification center may be established nationally or globally for one kind of network terminal. Only two operator networks are drawn in the figure, but the invention is not limited to this. As in the first embodiment, the terminal device identification center 330 stores in advance the authentication information of the terminals of all operator networks.
The principle of the embodiments of the present invention is briefly as follows. A terminal device identification center is provided that can interact with the network switching center in an operator's network, and the authentication information of the network's subscribed terminal users is stored in it in advance. When a terminal initiates registration with the network, the network switching center authenticates the terminal by comparing the relevant information in the terminal's registration information with the authentication information stored in the terminal device identification center, in order to determine whether the terminal may be allowed to access the network. The registration initiated by the terminal includes: registration with the network when the terminal is used for the first time; registration with the network each time the terminal is powered on; or periodic registration with the network while the terminal is in use (for example, once every few hours).
The flowchart of an embodiment of the present invention is described in detail below with reference to Figure 4.
In the embodiment of the present invention, the authentication information of the terminal user must first be registered with the terminal device identification center (see the description above).
In step S30, when a terminal initiates registration in the network, the network switching center obtains the terminal device identifier from the registration information sent by the terminal; the registration information also carries the terminal's network identifier.
In step S31, the network switching center forwards the terminal device identifier to the terminal device identification center, which determines whether the terminal device identifier is in its black list.
If step S31 determines that the terminal device identifier is in the black list, a message is returned to the network switching center; on learning from that message that the terminal device is black-listed, the network switching center performs the registration failure procedure of step 35 and blocks the device from accessing the network.
It should be noted that this control function is not supported for terminals that are not registered in the terminal device identification center; the handling of a terminal device identifier that cannot be found is carried out according to the operator's policy. As far as the anti-theft function alone is concerned, such a terminal should be treated as having passed terminal authentication and the normal registration procedure of the original network should continue.
If step S31 determines that the terminal device identifier is not in the black list of the terminal device identification center, then in step S33 the terminal device identification center returns to the network switching center the user network identifier and the terminal verification authentication information that it stores for that terminal.
In step S34, the network switching center compares the user network identifier stored in the terminal device identification center with the user network identifier reported in the terminal's registration information to determine whether they agree. If the user network identifier stored in the terminal device identification center was encrypted by the operator, the network switching center must also perform the corresponding decryption.
If step S34 finds the two to agree, the procedure goes to step S390 and the terminal passes authentication.
If step S34 finds the two to disagree, then in step S36 the user is asked to enter terminal verification authentication information (such as a verification password); in other embodiments the user may be asked to enter other information, such as biometric information like a fingerprint, which requires the terminal to have a fingerprint scanning function.
In step S37, the network switching center compares the terminal verification authentication information entered by the user with the terminal verification authentication information returned by the terminal device identification center to determine whether they are the same.
If the two items of terminal verification authentication information are the same in step S37, the procedure goes to step 390 and the registration procedure continues.
If the two items of terminal verification authentication information differ in step S37, step S38 determines whether the user has already entered terminal verification authentication information a predetermined number of times; if not, the procedure returns to step S36 and the comparison of terminal verification authentication information is repeated.
If the predetermined number has been reached, the network switching center regards the terminal as an illegitimate terminal and the registration fails; optionally, the terminal device identifier may then be added to the black list of the terminal device identification center (step S39).
In the embodiment of the present invention, the black list of the terminal device identification center is checked first; it is then determined whether the user network identifier from the terminal device identification center agrees with the user network identifier reported at terminal registration. If they do not agree, the network switching center asks the terminal user to enter terminal verification authentication information; if the entry is correct, terminal authentication succeeds and the subsequent normal registration procedure continues, otherwise it fails. The user is allowed to enter terminal verification authentication information several times (for example, three times); if all attempts fail, the terminal is placed in the black list of the terminal device identification center (optional, according to operator policy).
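The registration control of steps S30 to S39 as an added worked example; this is not code from the patent. The class names, the keyed HMAC standing in for the operator's encryption of the stored network identifier, the PBKDF2 hashing of the verification password and the sample identifiers are all assumptions made here. The two classes play the roles of the terminal device identification center (230/330) and the network switching center (220).

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterator, Optional, Tuple

MAX_VERIFICATION_ATTEMPTS = 3  # the predetermined number of attempts (three in the text)


class Outcome(Enum):
    BLACKLISTED = "blacklisted"            # S31 hit -> step 35, registration fails
    NOT_REGISTERED = "not_registered"      # no record: handled by operator policy
    NETWORK_ID_MATCH = "network_id_match"  # S34 agrees -> S390, authenticated
    VERIFIED = "verified"                  # S37 agrees -> step 390, registration continues
    REJECTED = "rejected"                  # S38 limit reached -> S39, registration fails


@dataclass
class TerminalRecord:
    protected_network_id: bytes  # operator-protected form of the subscriber's network id
    salt: bytes
    verification_hash: bytes     # salted PBKDF2 hash of the terminal verification password


def protect_network_id(operator_key: bytes, network_id: str) -> bytes:
    """Assumption: the operator's encryption of the stored network identifier is
    modelled here as a keyed HMAC, so the identifier is never held in the clear and
    the comparison of step S34 can be done in constant time."""
    return hmac.new(operator_key, network_id.encode(), hashlib.sha256).digest()


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the identification center stores no plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TerminalDeviceIdentificationCenter:
    def __init__(self, operator_key: bytes) -> None:
        self._key = operator_key
        self._records: Dict[str, TerminalRecord] = {}
        self.blacklist: set = set()

    def register(self, device_id: str, network_id: str, password: str) -> None:
        # Pre-registration of a subscribed terminal, done before any registration attempt.
        salt = secrets.token_bytes(16)
        self._records[device_id] = TerminalRecord(
            protect_network_id(self._key, network_id), salt, hash_password(password, salt))

    def query(self, device_id: str) -> Tuple[str, Optional[TerminalRecord]]:
        # S31/S33: report black-list status, or return the record stored for the device.
        if device_id in self.blacklist:
            return "blacklisted", None
        rec = self._records.get(device_id)
        return ("record", rec) if rec else ("unknown", None)


class NetworkSwitchingCenter:
    def __init__(self, tdic: TerminalDeviceIdentificationCenter, operator_key: bytes,
                 blacklist_on_failure: bool = True) -> None:
        self._tdic = tdic
        self._key = operator_key                           # needed to check the protected id
        self._blacklist_on_failure = blacklist_on_failure  # operator policy of step S39

    def handle_registration(self, device_id: str, reported_network_id: str,
                            prompt: Iterator[str]) -> Outcome:
        status, rec = self._tdic.query(device_id)          # S30/S31
        if status == "blacklisted":
            return Outcome.BLACKLISTED                     # step 35: registration fails
        if status == "unknown":
            return Outcome.NOT_REGISTERED                  # left to operator policy
        # S34: does the network id reported by the terminal agree with the stored one?
        if hmac.compare_digest(protect_network_id(self._key, reported_network_id),
                               rec.protected_network_id):
            return Outcome.NETWORK_ID_MATCH                # S390
        # S36-S38: the card changed, so ask for the terminal verification password.
        for _attempt in range(MAX_VERIFICATION_ATTEMPTS):
            candidate = hash_password(next(prompt, ""), rec.salt)
            if hmac.compare_digest(candidate, rec.verification_hash):
                return Outcome.VERIFIED                    # S37 same -> step 390
        if self._blacklist_on_failure:
            self._tdic.blacklist.add(device_id)            # S39
        return Outcome.REJECTED


def demo() -> Dict[str, Outcome]:
    # Runs the flow on constructed sample data; all identifiers below are made up.
    key = b"operator-key-demo-only"
    tdic = TerminalDeviceIdentificationCenter(key)
    nsc = NetworkSwitchingCenter(tdic, key)
    dev, sim, new_sim = "IMEI-demo-0001", "IMSI-demo-001", "IMSI-demo-999"
    tdic.register(dev, sim, "correct-horse")
    return {
        "same_sim": nsc.handle_registration(dev, sim, iter([])),
        "new_sim_good_pw": nsc.handle_registration(dev, new_sim, iter(["x", "correct-horse"])),
        "new_sim_bad_pw": nsc.handle_registration(dev, new_sim, iter(["a", "b", "c"])),
        "after_failure": nsc.handle_registration(dev, sim, iter([])),
        "unknown_device": nsc.handle_registration("IMEI-demo-0002", "IMSI-demo-002", iter([])),
    }
```

The `prompt` iterator stands in for the user entering the verification password at the terminal; once the scripted answers run out, every further attempt is treated as an empty entry.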
The terminal verification authentication information is provided here mainly for the case in which the user temporarily replaces the SIM, USIM or ISIM card carrying the user network identifier, or replaces it permanently but the information in the terminal device identification center has not yet been updated. In that case the user network identifier stored in the terminal device identification center and the one reported at terminal registration will not agree, but the terminal is still allowed to register successfully by means of the terminal verification authentication information.
The above procedure may be performed after or before the original terminal registration procedure, or merged into it. The terminal authentication procedure is performed only when the terminal registers and does not affect the setting up of the user's normal calls.
In summary, the present invention proposes a general scheme whereby the network automatically detects unauthorized terminals (such as a stolen terminal whose card has been replaced) and prevents them from using the network, so that unauthorized terminals can be kept off the network promptly and effectively.
Figure 5 is a block diagram of an embodiment of the network switching center and the terminal used in the present invention. The network switching center comprises: an information receiving unit 511 for receiving the terminal device identifier and authentication information from the terminal; a query unit 512 for querying, after the foregoing information sent by the terminal has been received, the terminal device identification center for the preset authentication information corresponding to the terminal device identifier; and an access control unit 513 for allowing the terminal to access the network upon confirming that the preset authentication information returned by the terminal device identification center matches the authentication information sent by the terminal.
In one embodiment, the network switching center further comprises a matching confirmation unit 514 for determining whether the current network identifier assigned to the user by the subscribed network, contained in the authentication information sent by the terminal, agrees with the pre-stored network identifier assigned to the user by the subscribed network, contained in the preset authentication information.
Alternatively, in another embodiment, the matching confirmation unit 514 determines whether the current network identifier assigned to the user by the subscribed network, contained in the authentication information sent by the terminal, agrees with the pre-stored network identifier assigned to the user by the subscribed network, contained in the preset authentication information; and, when they do not agree, further determines whether the terminal verification authentication information provided by the terminal agrees with the terminal verification authentication information returned by the terminal device identification center.
In one embodiment, the information receiving unit 511 is a registration message receiving unit for receiving a registration message carrying the terminal device identifier and authentication information.
In the embodiments of the present invention, the terminal comprises: an information sending unit 521 for sending the terminal device identifier and authentication information of the terminal to the network switching center; and a feedback receiving unit 522 for receiving feedback from the network switching center as to whether access is allowed.
In one specific embodiment, the information sending unit is a registration message sending unit for sending a registration message carrying the terminal device identifier and authentication information.
It should be noted that the above units may be independent logical entities or may be combined according to actual conditions and requirements; this is not described further here.

Claims

权 利 要 求 Rights request
1、 一种终端使用网络的控制方法, 其特征在于, 包括: A control method for a terminal using a network, comprising:
终端向网络交换中心发送所述终端的终端设备标识和鉴权信息; 所述网络交换中心接收终端发送的前述信息后, 向终端设备识别中心 查询对应所述终端设备标识的预设鉴权信息;  The terminal sends the terminal device identifier and the authentication information of the terminal to the network switching center; after receiving the foregoing information sent by the terminal, the network switching center queries the terminal to identify the preset authentication information corresponding to the identifier of the terminal device;
在确认所述终端设备识别中心返回的预设鉴权信息和所述终端发送 的鉴权信息匹配时, 所述网络交换中心允许所述终端接入网络。  The network switching center allows the terminal to access the network when it is confirmed that the preset authentication information returned by the terminal device identification center matches the authentication information sent by the terminal.
2、 如权利要求 1所述的终端使用网络的控制方法, 其特征在于, 所述 终端发送的鉴权信息为签约网络分配给用户的当前网络标识; 所述预设鉴 权信息为预先存储的签约网络分配给用户的网络标识。  2. The method for controlling a terminal to use a network according to claim 1, wherein the authentication information sent by the terminal is a current network identifier assigned to the user by the subscription network; and the preset authentication information is pre-stored. The network identifier assigned to the user by the contracted network.
3、 如权利要求 1所述的终端使用网络的控制方法, 其特征在于, 所述 终端发送的鉴权信息为签约网络分配给用户的当前网络标识; 所述预设鉴 权信息包括预先存储的签约网络分配给用户的网络标识和终端校验鉴权 信息; 所述终端设备识别中心返回的预设鉴权信息和所述终端发送的鉴权 信息匹配包括: 所述签约网络分配给用户的当前网络标识与预先存储的签 约网絡分配给用户的网络标识一致。  The method for controlling a terminal to use a network according to claim 1, wherein the authentication information sent by the terminal is a current network identifier assigned to the user by the subscription network; and the preset authentication information includes pre-stored information. The network identifier and the terminal verification authentication information allocated by the network to the user; the matching of the preset authentication information returned by the terminal identification center and the authentication information sent by the terminal includes: the current distribution of the subscription network to the user The network identifier is consistent with the network identifier assigned to the user by the pre-stored subscription network.
4. The method for controlling a terminal's use of a network according to claim 3, further comprising:
when the current network identifier assigned to the user by the subscription network is not identical to the pre-stored network identifier assigned to the user by the subscription network, the network switching center notifies the terminal to provide terminal verification authentication information and compares it with the terminal verification authentication information returned by the terminal device identification center; if the comparison result is the same, the preset authentication information returned by the terminal device identification center matches the authentication information sent by the terminal;
if the comparison result is different, the network switching center blocks the terminal from accessing the network.
5. The method for controlling a terminal's use of a network according to claim 4, wherein, when the comparison result is different, the method further comprises:
determining whether the number of times the terminal has provided terminal verification authentication information has reached a preset value;
if the preset value has not been reached, notifying the terminal to provide terminal verification authentication information again; if the preset value has been reached, the network switching center blocks the terminal from accessing the network.
6. The method for controlling a terminal's use of a network according to claim 4, wherein, when the network switching center blocks the terminal from accessing the network, the method further comprises adding the terminal device identifier to a blacklist in the terminal device identification center.
7. The method for controlling a terminal's use of a network according to claim 3, wherein, if the user network identifier returned by the terminal device identification center is encrypted, the method further comprises the network switching center decrypting the encrypted user network identifier.
8. The method for controlling a terminal's use of a network according to claim 1, wherein the authentication information sent by the terminal is a terminal verification authentication message; the preset authentication information is pre-stored terminal verification authentication information; and the preset authentication information returned by the terminal device identification center matching the authentication information sent by the terminal comprises: the terminal verification authentication message sent by the terminal being identical to the pre-stored terminal verification authentication information.
9. The method for controlling a terminal's use of a network according to any one of claims 3 to 8, wherein the terminal verification authentication information is a verification password or biometric information.
10. The method for controlling a terminal's use of a network according to any one of claims 1 to 8, wherein the terminal device identifier and the authentication information sent by the terminal are carried in a registration message.
11. The method for controlling a terminal's use of a network according to any one of claims 1 to 8, further comprising, after querying the terminal device identification center for the preset authentication information corresponding to the terminal device identifier: if the terminal device identifier is already in the blacklist of the terminal device identification center, the terminal device identification center returns a message to the network switching center, and the network switching center blocks the terminal from accessing the network according to that message.
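The decision logic of claims 3 to 6 and 11, written out as an added example that is not code from the patent or from Huawei. It models the two nodes the claims name: a terminal device identification center (an EIR-like store of terminal device identifier, pre-stored network identifier and terminal verification authentication information, plus a blacklist) and a network switching center (an MSC-like node that receives the registration, queries the center and decides). The class and function names, the IMEI/IMSI-style sample identifiers, the storage of the verification password as a salted PBKDF2 hash, the refusal of an unknown device identifier and the treatment of a non-answer as a failed attempt are all assumptions of this example, not statements of the claims. Claim 7 (decrypting an encrypted network identifier returned by the center) is not modelled.

```python
"""Simulation of the registration check in claims 3 to 6 and 11.

Added example, not code from the patent. Assumptions (not in the claims):
identifiers are IMEI/IMSI-style strings, the verification password is stored
as a salted PBKDF2 hash, an unknown device identifier is refused, and a
terminal that does not answer a verification prompt uses up one attempt.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

PBKDF2_ITERATIONS = 10_000  # kept low for the demo; raise it in a real deployment


@dataclass(frozen=True)
class SubscriberRecord:
    device_id: str    # terminal device identifier (e.g. IMEI)
    network_id: str   # pre-stored network identifier assigned to the user (e.g. IMSI)
    pw_salt: bytes
    pw_hash: bytes    # salted hash of the terminal verification authentication information


def _hash_password(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class TerminalDeviceIdentificationCenter:
    """Stores subscribed terminals and the blacklist (claims 12 to 14)."""

    def __init__(self) -> None:
        self._records: Dict[str, SubscriberRecord] = {}
        self.blacklist: Set[str] = set()

    def provision(self, device_id: str, network_id: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[device_id] = SubscriberRecord(
            device_id, network_id, salt, _hash_password(salt, password))

    def lookup(self, device_id: str) -> dict:
        """Answer the switching center's query; a blacklisted identifier gets a refusal (claim 11)."""
        if device_id in self.blacklist:
            return {"status": "blacklisted"}
        record = self._records.get(device_id)
        if record is None:
            return {"status": "unknown"}
        return {"status": "ok", "record": record}

    def verify_password(self, record: SubscriberRecord, candidate: str) -> bool:
        # constant-time comparison of the hashes; the secret itself is never compared
        return hmac.compare_digest(record.pw_hash, _hash_password(record.pw_salt, candidate))

    def add_to_blacklist(self, device_id: str) -> None:
        self.blacklist.add(device_id)


class NetworkSwitchingCenter:
    """Applies the access decision of claims 3 to 6."""

    def __init__(self, center: TerminalDeviceIdentificationCenter, max_attempts: int = 3) -> None:
        self.center = center
        self.max_attempts = max_attempts  # the "preset value" of claim 5

    def register(self, device_id: str, current_network_id: str,
                 prompt_terminal: Callable[[], Optional[str]]) -> str:
        """Handle one registration carrying (device identifier, current network identifier).

        prompt_terminal models asking the terminal for its verification password;
        it returns the answer, or None if the terminal does not answer.
        """
        reply = self.center.lookup(device_id)
        if reply["status"] == "blacklisted":
            return "blocked:blacklisted"
        if reply["status"] == "unknown":
            return "blocked:unknown_device"
        record: SubscriberRecord = reply["record"]

        # claim 3: current network identifier equals the pre-stored one -> allow
        if hmac.compare_digest(record.network_id.encode(), current_network_id.encode()):
            return "allowed"

        # claims 4 and 5: identifier changed (e.g. another SIM in the same device),
        # so fall back to the verification password, with a bounded number of tries
        for _attempt in range(self.max_attempts):
            candidate = prompt_terminal()
            if candidate is not None and self.center.verify_password(record, candidate):
                return "allowed"

        # claim 6: retries exhausted -> block and blacklist the device identifier
        self.center.add_to_blacklist(device_id)
        return "blocked:verification_failed"


def answers(*values: Optional[str]) -> Callable[[], Optional[str]]:
    """Build a prompt_terminal stub that hands out a scripted sequence of answers."""
    it = iter(values)
    return lambda: next(it, None)


if __name__ == "__main__":
    # constructed sample data, not real subscriber identifiers
    eir = TerminalDeviceIdentificationCenter()
    eir.provision("356938035643809", "460001234567890", "correct horse")
    msc = NetworkSwitchingCenter(eir)
    print(msc.register("356938035643809", "460001234567890", answers()))                       # allowed
    print(msc.register("356938035643809", "460009999999999", answers("x", "correct horse")))    # allowed
    print(msc.register("356938035643809", "460009999999999", answers("a", "b", "c")))           # blocked:verification_failed
    print(msc.register("356938035643809", "460001234567890", answers()))                       # blocked:blacklisted
```

Two points a practitioner should notice in the flow: once the identifier is blacklisted, even a registration with the original network identifier is refused, which is the intended anti-theft effect but also means a user who mistypes the password three times locks the handset until an operator clears the entry (claim 16's input device); and the password check is what protects the SIM-swap path, so it must be stored hashed and compared in constant time, as shown, rather than echoed back from the center in clear.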
12. A control system for a terminal's use of a network, comprising a network switching center and a terminal device identification center, wherein the terminal device identification center stores the terminal device identifiers and preset authentication information of terminals subscribed to the network;
and the network switching center is configured to receive a terminal device identifier and authentication information from a terminal, query the terminal device identification center for the preset authentication information corresponding to the terminal device identifier, and allow the terminal to access the network when the preset authentication information returned by the terminal device identification center matches the authentication information sent by the terminal.
13. The control system according to claim 12, wherein the preset authentication information of a subscribed terminal comprises: the terminal device identifier, the network identifier assigned to the user by the subscription network, and terminal verification authentication information.
14. The control system according to claim 12, wherein the terminal device identification center is provided with a blacklist for storing the terminal device identifiers of terminals that are not allowed to access the network.
15. The control system according to claim 12, wherein the terminal device identifier and the authentication information from the terminal are carried in a registration message.
16. The control system according to claim 12, further comprising an input device connected to the terminal device identification center, for modifying the information stored in the terminal device identification center.
17. The control system according to any one of claims 12 to 16, wherein the interface between the network switching center and the terminal device identification center uses the MAP protocol, the Diameter protocol or the RADIUS protocol.
18. A network switching center, comprising:
an information receiving unit, configured to receive a terminal device identifier and authentication information from a terminal; a query unit, configured to query, after the foregoing information sent by the terminal has been received, the terminal device identification center for the preset authentication information corresponding to the terminal device identifier;
and an access control unit, configured to allow the terminal to access the network when it confirms that the preset authentication information returned by the terminal device identification center matches the authentication information sent by the terminal.
19. The network switching center according to claim 18, further comprising: a match confirmation unit, configured to determine whether the current network identifier assigned to the user by the subscription network in the authentication information sent by the terminal is identical to the pre-stored network identifier assigned to the user by the subscription network in the preset authentication information.
20. The network switching center according to claim 18, further comprising: a match confirmation unit, configured to determine whether the current network identifier assigned to the user by the subscription network in the authentication information sent by the terminal is identical to the pre-stored network identifier assigned to the user by the subscription network in the preset authentication information, and, when they are not identical, to further determine whether the terminal verification authentication information provided by the terminal is identical to the terminal verification authentication information returned by the terminal device identification center.
21. The network switching center according to any one of claims 18 to 20, wherein the information receiving unit is a registration message receiving unit, configured to receive a registration message carrying the terminal device identifier and the authentication information.
22. A terminal, comprising:
an information sending unit, configured to send the terminal device identifier and authentication information of the terminal to a network switching center;
and a feedback receiving unit, configured to receive feedback from the network switching center indicating whether access is allowed.
23. The terminal according to claim 22, wherein the information sending unit is a registration message sending unit, configured to send a registration message carrying the terminal device identifier and the authentication information.
PCT/CN2006/002908 2005-10-31 2006-10-30 A control system and method for terminal using network and device therefore WO2007051406A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200510100913.1 2005-10-31
CNB2005101009131A CN100459799C (en) 2005-10-31 2005-10-31 Control system and control method for terminal to use network

Publications (1)

Publication Number Publication Date
WO2007051406A1 true WO2007051406A1 (en) 2007-05-10

Family

ID=37484801

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2006/002908 WO2007051406A1 (en) 2005-10-31 2006-10-30 A control system and method for terminal using network and device therefore

Country Status (2)

Country Link
CN (1) CN100459799C (en)
WO (1) WO2007051406A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102651786A (en) * 2011-02-25 2012-08-29 鸿富锦精密工业(深圳)有限公司 Network telephone set and network telephone registering method

Families Citing this family (12)

Publication number Priority date Publication date Assignee Title
CN101132403B (en) * 2007-08-08 2012-09-05 华为技术有限公司 Business authorization method and its server
US9055511B2 (en) * 2007-10-08 2015-06-09 Qualcomm Incorporated Provisioning communication nodes
CN101552999A (en) * 2009-04-03 2009-10-07 厦门敏讯信息技术股份有限公司 Method for realizing anti-false machine
CN101990204B (en) * 2009-08-07 2014-03-26 中国移动通信集团公司 Method and device for accessing service by using card inserted terminal
CN102056169A (en) * 2009-11-05 2011-05-11 中兴通讯股份有限公司 Method and system for preventing illegal terminal from accessing as well as terminal
CN102271314B (en) * 2010-06-07 2015-04-01 中兴通讯股份有限公司 Method and system for realizing terminal communication and method for realizing terminal position update
CN102523213B (en) * 2011-12-13 2014-09-17 华为终端有限公司 Server and terminal authenticating method and server and terminal
CN102638797B (en) * 2012-04-24 2016-08-03 华为技术有限公司 Access the method for wireless network, terminal, access network node and authentication server
CN102833815A (en) * 2012-08-21 2012-12-19 南京智达康无线通信科技股份有限公司 AP (access point) accessing control method for AC (access controller)
CN104320412B (en) * 2014-11-11 2018-04-17 福建联迪商用设备有限公司 A kind of method and device of Bluetooth POS, Bluetooth POS secure connection
CN108550366B (en) * 2018-04-24 2021-04-06 青岛海尔科技有限公司 Household appliance control method and device, readable storage medium and equipment
CN110851891B (en) * 2019-11-08 2020-10-09 北京金茂绿建科技有限公司 Method, device, system, equipment and medium for guaranteeing safety after terminal loss

Citations (3)

Publication number Priority date Publication date Assignee Title
CN1549482A (en) * 2003-05-16 2004-11-24 华为技术有限公司 Method for realizing high rate group data service identification
CN1628472A (en) * 2002-02-06 2005-06-15 意大利电信股份公司 System for managing the identity of mobile stations roaming between mobile radio networks
WO2005084069A1 (en) * 2004-02-20 2005-09-09 Telefonaktiebolaget Lm Ericsson (Publ) Method and apparatus to reduce mobile switching center involvement in packet data call support

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
EP0931430B1 (en) * 1996-09-11 2006-06-28 Yang Li Method of using fingerprints to authenticate wireless communications
US7383035B2 (en) * 2002-07-04 2008-06-03 Lg Electronics Inc. Method of furnishing illegal mobile equipment user information
CN1274169C (en) * 2003-01-03 2006-09-06 华为技术有限公司 Method for limiting illegal mobile telephone

Also Published As

Publication number Publication date
CN1874595A (en) 2006-12-06
CN100459799C (en) 2009-02-04

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06805112

Country of ref document: EP

Kind code of ref document: A1