WO2011124051A1 - Method and system for terminal authentication - Google Patents

Publication number
WO2011124051A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
terminal
personal information
authentication data
user
Application number
PCT/CN2010/075640
Other languages
French (fr)
Chinese (zh)
Inventor
王斌
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司
Publication of WO2011124051A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/082 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying multi-factor authentication

Definitions

  • The present invention relates to the field of mobile communications, and in particular to a terminal authentication method and system.
  • BACKGROUND: With the rapid development and popularization of mobile communication technologies, the security of communication technologies has become a hot topic of concern. The security of communication is crucial to protect the privacy and interests of end users. At present, the following methods are mainly used to enhance the security of end users: 1. Signaling and data (voice, SMS, etc.) exchanged between the terminal and the mobile communication system are encrypted by a specific security algorithm to prevent plaintext transmission from being monitored. 2. The International Mobile Station Identity (IMSI) or the Electronic Serial Number (ESN) is used as the identifier of the mobile station. 3. A terminal authentication mechanism is introduced.
  • IMSI International Mobile Station Identity
  • ESN Electronic Serial Number
  • The normal process of authentication is as follows: the base station sends a random number to the mobile station on the forward channel; the mobile station uses the received random number, the stored confidential data related to the authentication, the identification code (such as ESN or IMSI), and specific preset network parameters (such as Key in a Code Division Multiple Access (CDMA) system or Ki in a Global System for Mobile Communications (GSM) system) to calculate an authentication result through the authentication algorithm, and the authentication result is sent on the reverse channel.
  • the authentication center AC Authentication Centre
  • The operator usually uses a card-separation scheme, writing specific network parameters into the user identification card (such as a Subscriber Identity Module (SIM) card) or into the non-volatile storage unit of the terminal before the terminal is sold. Therefore, when the user uses the network, as long as the parameters in the user identification card are valid, the terminal can use the system's services normally.
  • The security of the user identification card is also protected by a specific encryption algorithm, and the security algorithm of the card itself is constantly being updated. However, there are many tools on the market for copying stolen cards.
  • The SIM card is cracked and the data in the card is completely copied to another card. All parameters are copied, including the authentication algorithm and all the important parameters required for voice encryption. Thus, if the user's SIM card is accidentally lost or stolen, the privacy and interests of the individual may be violated (for example, by illegally stealing the user's credit). If a user has acquired such a tool, he or she can copy cards at will, for example to obtain a "" multi-number function (a card with this function is currently available, but for an additional fee), or to copy one card into multiple cards, which also harms the management and interests of operators. In summary, the existing terminal authentication mechanism is insufficient to ensure the security of the end user's use of the network and the legitimate rights and interests of the operator.
  • A primary object of the present invention is to provide a terminal authentication method and system, so as to at least solve the problem that the existing terminal authentication mechanism is insufficient to ensure the security of the end user's use of the network and the legitimate rights and interests of the operator.
  • A terminal authentication method is provided, including: the authentication server performs first authentication on the terminal according to the first authentication data sent by the terminal, where the first authentication data is generated according to the user characteristic information of the terminal; the authentication server performs second authentication according to the second authentication data sent by the terminal, where the second authentication data is generated according to the authentication key, the terminal parameter, and the network parameter; if both authentications are successful, the authentication server determines that the terminal authentication is successful.
  • A terminal authentication system is provided, including a terminal and an authentication server. The terminal includes: a first authentication data module, configured to generate first authentication data and send the first authentication data to the authentication server, where the first authentication data is generated according to the user characteristic information of the terminal; and a second authentication data module, configured to generate second authentication data and send the second authentication data to the authentication server, where the second authentication data is generated according to the authentication key, the terminal parameter, and the network parameter.
  • The authentication server includes: a first authentication module, configured to perform first authentication on the terminal according to the first authentication data and output a first authentication result; a second authentication module, configured to perform second authentication on the terminal according to the second authentication data and output a second authentication result; and an authentication success judging module, connected to the first authentication module and the second authentication module respectively, configured to evaluate the input first authentication result and second authentication result and, when both the first authentication result and the second authentication result are successful, determine that the terminal authentication is successful.
  • The authentication server can determine the authentication success of the terminal, thereby enhancing the security of the user's use of the network, protecting the privacy of users, and protecting the legitimate rights and interests of operators.
  • FIG. 1 is a schematic structural diagram of a mobile communication network system for terminal authentication according to an embodiment of the present invention
  • FIG. 2 is a flowchart of a terminal authentication method according to an embodiment of the present invention
  • FIG. 4 is a flowchart of performing first authentication on the terminal by using the encrypted first authentication data according to an embodiment of the present invention
  • FIG. 5 is a flowchart according to the present invention.
  • FIG. 6 is a flowchart of terminal authentication according to Embodiment 2 of the present invention;
  • FIG. 7 is a schematic structural diagram of a terminal authentication system according to an embodiment of the present invention;
  • FIG. 8 is a schematic diagram of a terminal authentication system according to an embodiment of the present invention;
  • FIG. 9A is a schematic structural diagram of a first authentication module according to an embodiment of the present invention
  • FIG. 9B is a schematic structural diagram of a preferred first authentication module according to an embodiment of the present invention
  • BEST MODE FOR CARRYING OUT THE INVENTION: The present invention will be described in detail with reference to the accompanying drawings. It should be noted that the embodiments in the present application and the features in the embodiments may be combined with each other without conflict.
  • FIG. 1 is a schematic structural diagram of a mobile communication network system for terminal authentication according to an embodiment of the present invention. As shown in FIG. 1, the network system includes a terminal 10, a base station 20, and an authentication server 30. In the authentication process, the terminal 10 sends the first authentication data and the second authentication data to the authentication server through the base station 20. After the authentication server receives the two sets of authentication data, it performs the two authentications respectively, and if both authentications are successful, the user is allowed to use the current service.
  • It should be noted that the above mobile communication network may be any current mobile communication network, such as GSM, CDMA, Wideband Code Division Multiple Access (WCDMA) or Time Division-Synchronous Code Division Multiple Access (TD-SCDMA).
  • TD-SCDMA Time Division Synchronous Code Division Multiple Access
  • FIG. 2 is a flowchart of a terminal authentication method according to an embodiment of the present invention.
  • The method includes: Step S202: the authentication server performs first authentication on the terminal according to the first authentication data sent by the terminal, where the first authentication data is generated according to user characteristic information of the terminal; Step S204: the authentication server performs second authentication according to the second authentication data sent by the terminal, where the second authentication data is generated according to the authentication key, the terminal parameter, and the network parameter; Step S206: in the case that both the first authentication and the second authentication are successful, the authentication server determines that the terminal is successfully authenticated.
  • In the existing terminal authentication mechanism, the important parameters used to authenticate the terminal are fixed by the operator in the user identification card, or written into the terminal before the terminal is sold. Once the user accidentally loses the user identification card or terminal, an illegal user can crack the authentication data in the user identification card or the terminal.
  • the user's card or terminal is stolen.
  • The present invention addresses the security problem that may be caused by the user identification card or the authentication data of the terminal being cracked, by improving the terminal authentication mechanism.
  • Authentication of the user characteristic information is added: the authentication server authenticates the user characteristic information by using the first authentication data, and uses the second authentication data to perform key authentication on the terminal through the existing authentication mechanism. With these two authentications, even if an illegal user obtains a cracked user identification card or terminal, the copied user identification card or spoofed terminal cannot be used for normal network access.
  • There is no required order of execution between step S202 and step S204. As long as both the first authentication and the second authentication are performed and both succeed, the terminal is authenticated; the authentication of the terminal fails if either of the two authentications fails.
  • The operator can choose, according to the characteristics or requirements of the service, to perform the first authentication first, with success of the first authentication triggering the second authentication; or to perform the second authentication first, with success of the second authentication triggering the first authentication; or to perform the first authentication and the second authentication concurrently.
  • Likewise, there is no required order in which the terminal sends the first authentication data and the second authentication data. According to the service characteristics or the agreement of the operator, the terminal may first send the first authentication data, or may first send the second authentication data. The first authentication data and the second authentication data may also be transmitted simultaneously in the same data packet.
  • Terminal authentication may be involved in network registration, calls, short messages, and data services.
  • The first authentication may be performed in the following cases: 1. every time the network performs authentication; 2. under optimized control according to the settings of the communication network, randomly or when specified requirements call for authentication, which can reduce the number of authentications and the system overhead.
  • The foregoing terminal authentication method provided by the embodiment of the present invention builds on the existing authentication mechanism and adds user identification information preset by the user, so that the terminal user also becomes a decisive factor in terminal authentication, which protects the legitimate rights and interests of users and enhances the security of user terminals.
  • The user characteristic information includes: personal information preset by the user to which the terminal belongs, and identification information of the user.
  • The user can preset personal information according to personal preference, for example, setting the personal information to a document number, name, birthday or other character sequence.
  • The identification information of the user may be the identification information of the identification card on the terminal (for example, the integrated circuit card identification code ICCID, the UMID, or the user's telephone number), or the identification information of the terminal (for example, IMSI or ESN); or, in order to be more secure, the identification information of the user may include both the identification information of the identification card and the identification information of the terminal. Using the identification information of the identification card or of the terminal makes it convenient to set the identification information of the user from existing resources.
  • FIG. 3 is a first authentication flowchart according to an embodiment of the present invention.
  • The first authentication of the terminal by the authentication server according to the first authentication data sent by the terminal includes:
  • Step S302: Receive first authentication data from the terminal.
  • Step S304: Obtain identification information of the user by using the first authentication data.
  • Step S305: Obtain personal information by using the first authentication data, and use the personal information as the first personal information of the user.
  • Step S306: Obtain, in the database of the authentication server, the second personal information corresponding to the identification information.
  • The first authentication is performed by using the foregoing process: it is determined whether the first personal information sent by the terminal and the second personal information saved by the authentication server for the same user identifier are the same, so as to decide whether the user of the current terminal is legitimate. If an illegal user has copied the user identification card but lacks the correct personal information, the first authentication fails, thereby protecting the legitimate rights and interests of the legitimate user.
  • The first authentication data may be generated by encrypting the personal information preset by the user and the identification information of the user with a predetermined encryption rule. Since the first authentication data may also be obtained by an illegal user during transmission, transmitting it in clear text carries a great security risk. Therefore, in a specific implementation, the personal information preset by the user and the user's identification information are encrypted to generate the first authentication data. Operators and terminal manufacturers can agree on specific encryption rules, or, more securely, the terminal can negotiate specific encryption rules with the authentication server during a specific service procedure. Obtaining the first authentication data in encrypted form further ensures the security of the user's use of the terminal.
  • FIG. 4 is a flowchart of performing first authentication on the terminal by using the encrypted first authentication data according to an embodiment of the present invention. The process includes:
  • Step S402: Receive first authentication data from the terminal.
  • Step S403: Parse the first authentication data by using a predetermined decryption rule.
  • Step S406: Obtain, in the database of the authentication server, the second personal information corresponding to the identification information of the user.
  • Step S408: Compare the first personal information with the second personal information. If they are the same, the first authentication succeeds; otherwise, the first authentication fails.
  • The decryption rule corresponds to the above-mentioned encryption rule, and is either agreed jointly by the operator and the terminal manufacturer or negotiated between the terminal and the authentication server.
  • The user characteristic information is transmitted in encrypted form and decrypted on receipt, thereby further ensuring the security of the user's use of the terminal.
  • The authentication server obtains the personal information and the identification information corresponding to the personal information; the authentication server stores the personal information and the identification information corresponding to the personal information in the database.
  • In order to implement the above first authentication, the authentication server must establish a user characteristic information database before performing terminal authentication, store the personal information of the registered user in the database, and bind the user's personal information to the user identifier.
  • The user needs to report the user characteristic information to the operator, and this can be done in various ways, for example, but not limited to, submitting the user characteristic information when the terminal accesses the network, or logging in to the operator's website and entering the user characteristic information. Once the information is entered into the network-side system, the user's personal information is bound to the user identification card or terminal used by the user; any use in which the user identification information and the user's personal information do not match this binding is considered illegal.
  • The user may also update the user characteristic information in a specific manner, for example, by SMS, by logging in to the operator's website, or directly at the operator's business outlet.
  • The authentication server obtains and maintains the user characteristic information provided by the user before the terminal is authenticated, which is the precondition for performing the first authentication. Only if the authentication server holds the correct binding between personal information and user identification information can the first authentication be carried out smoothly.
  • The identification information includes at least one of the following: identification information of the smart card of the terminal, and identification information of the terminal.
  • The identification information of the user may be the identification information of the identification card on the terminal, or the terminal's identification information (such as IMSI or ESN); or, for more security, the user's identification information may include both the identification card's identification information and the terminal's identification information. Using the identification card's or the terminal's identification information makes it convenient to set the identification information of the user from existing resources.
  • The personal information preset by the user may be stored in a memory of the terminal or in another storage medium connected to the terminal. Since the user's personal information is not stored on the terminal's identification card (such as a SIM card), the user's personal information will not be leaked even if the identification card is lost.
  • The terminal may send the first authentication data to the authentication server by using a short message or communication signaling.
  • The authentication server can receive the first authentication data over multiple transmission modes and perform the first authentication operation, which makes terminal authentication more flexible and more convenient for the operator to implement.
  • The above terminal authentication method will be described in detail below in combination with other embodiments.
  • Embodiment 1: In this embodiment, the authentication server performs the first authentication first, and the second authentication is triggered if the first authentication succeeds.
  • FIG. 5 is a flowchart of terminal authentication according to Embodiment 1 of the present invention. As shown in FIG. 5, the process includes:
  • Step S501: The terminal is powered on.
  • Step S502: The terminal uses a communication network service (network registration, voice, short message, data, etc.).
  • Step S503: According to the returned system message, the terminal determines whether the first authentication is required.
  • Step S504: If the network requires the terminal to perform the first authentication, the terminal combines the preset personal information, the information of the terminal, and the information of the card, using a specific encryption algorithm, to generate the first authentication data, and step S505 is performed; otherwise, step S510 is performed.
  • Step S505: The terminal sends the first authentication data to the authentication server.
  • Step S506: The authentication server receives the first authentication data sent by the terminal, parses out the user personal information and the user identification information, and compares the personal information reported by the terminal with the personal information stored in the database to generate a first authentication result.
  • Step S507: The authentication server sends the first authentication result to the terminal.
  • Step S508: The terminal evaluates the first authentication result. If it failed, step S509 is performed. Otherwise, step 4 is performed.
  • Step S509: The terminal informs the user that use of the network service is prohibited, and ends the operation process.
  • Step S510: The terminal sends the second authentication data, and the authentication server performs the second authentication operation. If the second authentication succeeds, the user uses the network service normally. Otherwise, the user is informed that use of the network service is prohibited.
  • FIG. 6 is a flowchart of terminal authentication according to Embodiment 2 of the present invention. As shown in FIG. 6, the process includes:
  • Step S601: The terminal is powered on.
  • Step S602: The terminal uses a communication network service (network registration, voice, short message, data, etc.).
  • Step S603: The terminal sends the second authentication data, and the authentication server performs the second authentication operation. If the second authentication succeeds, step S604 is performed. Otherwise, the user is informed that use of the network service is prohibited.
  • Step S604: According to the returned system message, the terminal determines whether the first authentication is to be performed.
  • Step S605: If the network requires the terminal to perform the first authentication, the terminal combines the preset personal information, the information of the terminal, and the information of the card, using a specific encryption algorithm, to generate the first authentication data; otherwise, the terminal authentication succeeds, and the user uses the network service normally.
  • Step S606: The terminal sends the first authentication data to the authentication server.
  • Step S607: The authentication server receives the first authentication data sent by the terminal, parses out the user personal information and the user identification information, and compares the personal information reported by the terminal with the personal information stored in the database to generate a first authentication result.
  • Step S608: The authentication server sends the first authentication result to the terminal.
  • Step S609: The terminal evaluates the first authentication result. If it failed, the terminal informs the user that use of the network service is prohibited, and ends the operation process. Otherwise, the terminal authentication passes, and the user uses the network service normally.
  • A terminal authentication system is further provided.
  • FIG. 7 is a schematic structural diagram of a terminal authentication system according to an embodiment of the present invention. As shown in FIG. 7, the system includes: a terminal 71 and an authentication server 72.
  • The terminal 71 includes: a first authentication data module 711 and a second authentication data module 712.
  • The first authentication data module 711 is configured to generate first authentication data, and send the first authentication data to the authentication server 72, where the first authentication data is generated according to user characteristic information of the terminal.
  • The second authentication data module 712 is configured to generate the second authentication data, and send the second authentication data to the authentication server 72, where the second authentication data is generated according to the authentication key, the terminal parameter, and the network parameter.
  • The authentication server 72 includes: a first authentication module 721, a second authentication module 722, and an authentication success judging module 723.
  • The first authentication module 721 is configured to perform first authentication on the terminal according to the first authentication data, and output a first authentication result.
  • The second authentication module 722 is configured to perform second authentication according to the second authentication data.
  • FIG. 8 is a schematic structural diagram of a first authentication data module according to an embodiment of the present invention.
  • The first authentication data module 711 includes: a storage submodule 801, a generating submodule 802, and a sending submodule 803.
  • The storage submodule 801 is configured to store personal information preset by a user to which the terminal belongs and identification information of the user.
  • The generating submodule 802 is connected to the storage submodule 801, and is configured to acquire the personal information and the identification information of the user and generate the first authentication data to be sent to the authentication server 72.
  • The sending submodule 803 is connected to the generating submodule 802, and is configured to send the first authentication data to the authentication server 72.
  • FIG. 9A is a schematic structural diagram of a first authentication module according to an embodiment of the present invention.
  • The first authentication module 721 includes: a data storage submodule 901, a receiving submodule 902, and a first obtaining submodule 903.
  • The data storage submodule 901 is configured to store the personal information provided by the user.
  • The receiving submodule 902 is configured to receive the first authentication data from the terminal.
  • The first obtaining submodule 903 is connected to the receiving submodule 902, and is configured to obtain the identification information of the user from the first authentication data and output it to the second obtaining submodule 904, and to obtain the personal information from the first authentication data and output it, as the first personal information of the user, to the comparison submodule 905.
  • The second obtaining submodule 904 is connected to the data storage submodule 901, the first obtaining submodule 903, and the comparison submodule 905 respectively, and is configured to obtain, from the data storage submodule 901, the personal information corresponding to the input identification information of the user as the second personal information, and output it to the comparison submodule 905.
  • The comparison submodule 905 is connected to the first obtaining submodule 903 and the second obtaining submodule 904 respectively, and is configured to compare the input first personal information and second personal information and generate a first authentication result.
  • The first authentication module 721 further includes a parsing submodule 906, connected to the receiving submodule 902 and the first obtaining submodule 903, configured to parse the first authentication data received by the receiving submodule 902 and output the parsed first authentication data to the first obtaining submodule 903.
  • The foregoing identification information includes at least one of the following: identification information of the smart card of the terminal, and identification information of the terminal.
  • The identification information of the user may be the identification information of the identification card on the terminal (for example, ICCID, UMID or the user's telephone number), or the identification information of the terminal (for example, IMSI or ESN); or, for more security, the identification information of the user may include both the identification information of the identification card and the identification information of the terminal. Using the identification information of the identification card or of the terminal makes it convenient to set the identification information of the user from existing resources.
  • The technical solution provided by the present invention uses a dual authentication mechanism: on the basis of inheriting the existing authentication method, it adds an authentication operation on the user characteristic information set by the user, which not only enhances the security of the user's use of the network but also enhances the protection of the user's personal privacy and protects the legitimate rights and interests of the operator.
  • The above modules or steps of the present invention can be implemented by a general-purpose computing device; they can be concentrated on a single computing device or distributed over a network composed of multiple computing devices. Alternatively, they may be implemented by program code executable by the computing device, such that they may be stored in a storage device and executed by the computing device, and, in some cases, the steps may be performed in an order different from the order herein.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The present invention discloses a method and system for terminal authentication. In the method, an authentication server performs first authentication on a terminal according to first authentication data sent by the terminal, wherein the first authentication data is generated according to user feature information of the terminal; the authentication server performs second authentication according to second authentication data sent by the terminal, wherein the second authentication data is generated according to an authentication key, terminal parameters and network parameters; when both the first authentication and the second authentication succeed, the authentication server determines that the terminal authentication is successful. The technical solution of the present invention enhances the security of the network used by a user, strengthens the protection of the user's personal privacy, and protects the legal rights and interests of operators.

Description

The present invention relates to the field of mobile communications, and in particular to a terminal authentication method and system.
BACKGROUND

With the rapid development and spread of mobile communication technologies, the security of communications has become a topic of growing concern. Communication security is crucial to protecting the privacy and interests of end users. At present, the following methods are mainly used to strengthen end-user security:

1. Signaling and data (voice, SMS, etc.) exchanged between the terminal and the mobile communication system are encrypted with a specific security algorithm to prevent plaintext transmissions from being monitored.

2. The International Mobile Station Identity (IMSI) or the Electronic Serial Number (ESN) is used as the identifier of the mobile station.

3. A terminal authentication mechanism is introduced. In the usual authentication process, the base station sends a random number to the mobile station on the forward channel. The mobile station uses the authentication algorithm to compute an authentication result from the received random number, its stored authentication-related secret data and identification codes (such as ESN, IMSI, etc.), and specific preset network parameters (such as the Key in a Code Division Multiple Access (CDMA) system or Ki in a Global System for Mobile Communications (GSM) system), and sends this authentication result to the base station on the reverse channel. The Authentication Centre (AC) computes an authentication result in the same way from the mobile station secret data it stores, and the two authentication results are compared to determine whether terminal authentication succeeds. Authentication is in effect an algorithm based on secret data: as long as the secret data is not leaked, even someone who obtains the identifier of the mobile station cannot compute the correct authentication result and therefore cannot access the network.
For the convenience of users, operators usually adopt a scheme that separates handset and card: certain network parameters are fixed in the user identification card (for example, a Subscriber Identity Module (SIM) card), or in a non-volatile storage unit of the terminal before the terminal is sold. When the user uses the network, the terminal can use system services normally as long as the parameters in the user identification card are valid. The security of the user identification card is itself protected by a specific encryption algorithm, and the card's own security algorithm is continually being upgraded.

However, many card-copying tools have appeared on the market. With such a tool it is easy to crack a SIM card and copy all of the data on it to another card. Every parameter is copied, including the authentication algorithm and all the important parameters needed for voice encryption. If a user's SIM card is accidentally lost or stolen, the user's privacy and interests may therefore be violated (for example, through theft of the user's call credit). If users themselves obtain such a tool and copy cards at will, for example to get a one-card multi-number function (cards with this function are currently available from the mobile operator, but for an additional fee) or to copy one card into several cards, this also harms the management and interests of operators.

In summary, the existing terminal authentication mechanism is insufficient to guarantee the security of end users' use of the network and the legitimate rights and interests of operators.

SUMMARY OF THE INVENTION

A primary object of the present invention is to provide a terminal authentication method and system, so as to at least solve the problem that the existing terminal authentication mechanism is insufficient to guarantee the security of end users' use of the network and the legitimate rights and interests of operators.
According to one aspect of the present invention, a terminal authentication method is provided, including: an authentication server performs first authentication on a terminal according to first authentication data sent by the terminal, where the first authentication data is generated according to user characteristic information of the terminal; the authentication server performs second authentication according to second authentication data sent by the terminal, where the second authentication data is generated according to an authentication key, terminal parameters and network parameters; and if both the first authentication and the second authentication succeed, the authentication server determines that terminal authentication is successful.

According to another aspect of the present invention, a terminal authentication system is provided, including a terminal and an authentication server. The terminal includes: a first authentication data module, configured to generate first authentication data and send the first authentication data to the authentication server, where the first authentication data is generated according to the user characteristic information of the terminal; and a second authentication data module, configured to generate second authentication data and send the second authentication data to the authentication server.
The second authentication data is generated according to the authentication key, the terminal parameters and the network parameters. The authentication server includes: a first authentication module, configured to perform first authentication on the terminal according to the first authentication data and output a first authentication result; a second authentication module, configured to perform second authentication on the terminal according to the second authentication data and output a second authentication result; and an authentication success judging module, connected to the first authentication module and the second authentication module respectively, and configured to evaluate the input first authentication result and second authentication result and, when both are successful, determine that authentication of the terminal is successful.

With the technical solution provided by the present invention, when a mobile terminal uses network services normally, for example for registration, calls, short messages or data services, a user characteristic information authentication is added on top of the existing authentication mechanism. The terminal is authenticated twice, and only when both authentications succeed can the authentication server determine that the terminal is authenticated. This enhances the security of the user's use of the network, strengthens the protection of the user's personal privacy, and protects the legitimate rights and interests of operators.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings described here provide a further understanding of the present invention and form a part of this application. The exemplary embodiments of the present invention and their description are used to explain the invention and do not unduly limit it. In the drawings:

FIG. 1 is a schematic structural diagram of a mobile communication network system for terminal authentication according to an embodiment of the present invention;
FIG. 2 is a flowchart of a terminal authentication method according to an embodiment of the present invention;
FIG. 3 is a first authentication flowchart according to an embodiment of the present invention;
FIG. 4 is a flowchart of performing first authentication on the terminal by using encrypted first authentication data according to an embodiment of the present invention;
FIG. 5 is a flowchart of terminal authentication according to Embodiment 1 of the present invention;
FIG. 6 is a flowchart of terminal authentication according to Embodiment 2 of the present invention;
FIG. 7 is a schematic structural diagram of a terminal authentication system according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of a first authentication data module according to an embodiment of the present invention;
FIG. 9A is a schematic structural diagram of a first authentication module according to an embodiment of the present invention;
FIG. 9B is a schematic structural diagram of a preferred first authentication module according to an embodiment of the present invention.

BEST MODE FOR CARRYING OUT THE INVENTION

Hereinafter, the present invention will be described in detail with reference to the accompanying drawings and in combination with the embodiments. It should be noted that the embodiments in the present application and the features in the embodiments may be combined with each other where they do not conflict.

FIG. 1 is a schematic structural diagram of a mobile communication network system for terminal authentication according to an embodiment of the present invention. As shown in FIG. 1, the network system includes a terminal 10, a base station 20 and an authentication server 30. During authentication of the terminal, the terminal 10 sends the first authentication data and the second authentication data to the authentication server through the base station 20. After receiving the two pieces of authentication data, the authentication server performs the two authentications, and if both succeed, the user is allowed to use the current service. It should be noted that the mobile communication network may be any current mobile communication network, such as GSM, CDMA, Wideband Code Division Multiple Access (WCDMA) or Time Division-Synchronous Code Division Multiple Access (TD-SCDMA).

According to an embodiment of the present invention, a terminal authentication method is provided. FIG. 2 is a flowchart of a terminal authentication method according to an embodiment of the present invention. As shown in FIG. 2, the method includes:

Step S202: The authentication server performs first authentication on the terminal according to the first authentication data sent by the terminal, where the first authentication data is generated according to user characteristic information of the terminal;

Step S204: The authentication server performs second authentication according to the second authentication data sent by the terminal, where the second authentication data is generated according to the authentication key, the terminal parameters and the network parameters;

Step S206: If both the first authentication and the second authentication succeed, the authentication server determines that the terminal is successfully authenticated.

As described above, in the existing terminal authentication mechanism the important parameters for authenticating the terminal are fixed in the user identification card by the operator, or fixed in the terminal before the terminal is sold. Once the user accidentally loses the user identification card or terminal, an illegitimate user can crack the authentication data in the user identification card or terminal and fraudulently use the user's card or terminal.
The present invention focuses on the security problems that may arise when the authentication data of a user identification card or terminal is cracked, and improves the terminal authentication mechanism by adding verification of user characteristic information preset by the user. That is, the authentication server uses the first authentication data to authenticate the user characteristic information of the terminal, and uses the second authentication data to perform key authentication on the terminal with the existing authentication mechanism. With these two authentications, even if an illegitimate user has cracked the user identification card or terminal, the copied user identification card or cracked terminal cannot be used for normal network services.

In a specific implementation, there is no required order of execution between step S202 and step S204. As long as both the first authentication and the second authentication are performed, whether the terminal is authenticated can be determined from the two authentication results; if either of the two authentications fails, authentication of the terminal fails. According to the characteristics or requirements of the service, the operator may choose to perform the first authentication first and trigger the second authentication only after the first succeeds; to perform the second authentication first and trigger the first authentication only after the second succeeds; or to perform the first authentication and the second authentication concurrently.

Similarly, there is no required order in which the terminal sends the first authentication data and the second authentication data. According to the operator's service characteristics or agreements, the terminal may send the first authentication data first, may send the second authentication data first, or may send the first and second authentication data together in the same data packet.
In a specific implementation, terminal authentication may be involved in network registration, calls, short messages and data services. The first authentication may be performed, without limitation, in the following cases: 1. every time network authentication takes place; 2. under optimized control according to the settings of the communication network, randomly or as specified when verification is needed, which reduces the system overhead caused by too many verifications.

The terminal authentication method provided by this embodiment of the present invention integrates the existing authentication mechanism and adds authentication of user characteristic information preset by the user, so that the end user also becomes a deciding factor in terminal authentication. This protects the legitimate rights and interests of users and enhances the security of user terminals.

Preferably, the user characteristic information includes: personal information preset by the user to whom the terminal belongs, and identification information of the user.

In a specific implementation, the user can preset the personal information according to personal preference, for example setting it to an identity document number, name, birthday or other character sequence. For the identification information of the user, the identification information of the identification card on the terminal may be chosen (for example, the integrated circuit card identification code ICCID, the UMID or the user's telephone number), or the identification information of the terminal (for example, IMSI or ESN); or, for greater security, the identification information of the user may include both the identification information of the identification card and the identification information of the terminal.
Using the identification information of the identification card or of the terminal makes it convenient to set the user's identification information from existing resources.

Setting the personal information and the user's identification information in the user characteristic information amounts to establishing a binding between the user's identification information and personal information. After receiving the first authentication data, the authentication server can use the user identification information in it to retrieve from the database the pre-stored authentication data corresponding to that user identification information, and determine the validity of the user characteristic information by comparing the two pieces of authentication data.

FIG. 3 is a first authentication flowchart according to an embodiment of the present invention. Preferably, as shown in FIG. 3, the authentication server performing first authentication on the terminal according to the first authentication data sent by the terminal includes:

Step S302: Receive the first authentication data from the terminal;

Step S304: Use the first authentication data to obtain the identification information of the user;

Step S305: Use the first authentication data to obtain the personal information, and take this personal information as the first personal information of the user;

Step S306: Obtain, from the database of the authentication server, the second personal information corresponding to the identification information;

Step S308: Compare the first personal information with the second personal information. If they are the same, the first authentication succeeds; otherwise, the first authentication fails.
When the first authentication is performed with the above flow, determining whether the first personal information sent by the terminal is the same as the second personal information that the authentication server holds for the same user identifier establishes whether the user of the current terminal is legitimate. If an illegitimate user uses a copied user identification card but lacks the correct personal information, the first authentication cannot be passed, which protects the personal rights and interests of the legitimate user.

Preferably, the first authentication data may be generated as follows: the personal information preset by the user and the identification information of the user are encrypted with a predetermined encryption rule to generate the first authentication data.

Because the first authentication data may also be obtained by an illegitimate user during transmission, transmitting it in plaintext would be a serious security risk. Therefore, in a specific implementation, the personal information preset by the user and the identification information of the user may be encrypted to generate the first authentication data. Operators and terminal manufacturers can agree on a specific encryption rule or, as a more secure method, the terminal and the authentication server can negotiate the specific encryption rule during a specific service procedure. Generating the first authentication data by encryption therefore further ensures the security of the user's use of the terminal.

If the first authentication data is generated by encryption, the flow of the first authentication performed by the authentication server differs somewhat. FIG. 4 is a flowchart of performing first authentication on the terminal by using encrypted first authentication data according to an embodiment of the present invention. Preferably, as shown in FIG. 4, the flow includes:

Step S402: Receive the first authentication data from the terminal;

Step S403: Parse the first authentication data according to the predetermined decryption rule;

Step S404: Use the parsed first authentication data to obtain the identification information of the user;

Step S405: Use the parsed first authentication data to obtain the personal information, and take this personal information as the first personal information;

Step S406: Obtain, from the database of the authentication server, the second personal information corresponding to the identification information of the user;

Step S408: Compare the first personal information with the second personal information. If they are the same, the first authentication succeeds; otherwise, the first authentication fails.

In a specific implementation, the decryption rule corresponds to the encryption rule above, and both are either agreed between the operator and the terminal manufacturer or negotiated between the terminal and the authentication server. Transmitting the user characteristic information in encrypted form and decrypting it on receipt further ensures the security of the user's use of the terminal.

Preferably, before the authentication server performs the first authentication, the authentication server obtains the personal information and the identification information corresponding to that personal information, and stores both in the database.

To implement the first authentication, the authentication server must establish a user characteristic information database before performing terminal authentication, store the personal information of registered users in that database, and bind each stored user's personal information one-to-one to the user identifier.
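The FIG. 4 flow (steps S402 to S408) combined with the decision of step S206, as an added example that is not part of the patent text. It assumes HMAC-SHA256 as a stand-in for both the unspecified "predetermined encryption rule" and the network's authentication algorithm; the names `AuthServer`, `build_first_auth_data`, `parse_first_auth_data` and `second_auth_response`, and all keys, identifiers and personal information, are constructed for illustration.

```python
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(rule_key):
    """Derive separate encryption and integrity keys from the agreed rule key."""
    return (hmac.new(rule_key, b"enc", hashlib.sha256).digest(),
            hmac.new(rule_key, b"mac", hashlib.sha256).digest())


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode (assumed stand-in for the encryption rule)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def build_first_auth_data(rule_key, user_id, personal_info):
    """Terminal side: encrypt the identification and personal information."""
    enc_key, mac_key = _subkeys(rule_key)
    plain = json.dumps({"id": user_id, "info": personal_info}).encode()
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plain, _keystream(enc_key, nonce, len(plain))))
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()


def parse_first_auth_data(rule_key, blob):
    """S403-S405: decrypt; return (user_id, personal_info) or None if invalid."""
    if len(blob) <= NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(rule_key)
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, hashlib.sha256).digest()):
        return None
    plain = bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))
    try:
        fields = json.loads(plain)
        user_id, info = fields["id"], fields["info"]
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(user_id, str) or not isinstance(info, str):
        return None
    return user_id, info


def second_auth_response(auth_key, rand, terminal_param, network_param):
    """Second authentication data; HMAC-SHA256 stands in for the network algorithm."""
    message = b"|".join([rand, terminal_param.encode(), network_param.encode()])
    return hmac.new(auth_key, message, hashlib.sha256).digest()


class AuthServer:
    def __init__(self, rule_key, network_param):
        self.rule_key, self.network_param = rule_key, network_param
        self.records = {}  # user identification -> (personal information, auth key)

    def enroll(self, user_id, personal_info, auth_key):
        """Bind personal information to the identifier before any authentication."""
        self.records[user_id] = (personal_info, auth_key)

    def first_authentication(self, blob):
        parsed = parse_first_auth_data(self.rule_key, blob)  # S402-S405
        if parsed is None or parsed[0] not in self.records:
            return False
        first_info, second_info = parsed[1], self.records[parsed[0]][0]  # S406
        return hmac.compare_digest(first_info.encode(), second_info.encode())  # S408

    def second_authentication(self, user_id, rand, response):
        if user_id not in self.records:
            return False
        key = self.records[user_id][1]
        expected = second_auth_response(key, rand, user_id, self.network_param)
        return hmac.compare_digest(expected, response)

    def authenticate(self, user_id, blob, rand, response):
        """S206: succeed only if both authentications succeed."""
        first = self.first_authentication(blob)
        return first and self.second_authentication(user_id, rand, response)


def demo():
    """Constructed scenario: a legitimate terminal versus a copied card."""
    rule_key, auth_key = bytes(range(32)), bytes(range(32, 48))  # constructed keys
    user_id, network_param = "001010123456789", "net-param-A"  # constructed values
    server = AuthServer(rule_key, network_param)
    server.enroll(user_id, "1987-03-14", auth_key)
    rand = os.urandom(16)  # random number sent by the network
    response = second_auth_response(auth_key, rand, user_id, network_param)
    genuine = build_first_auth_data(rule_key, user_id, "1987-03-14")
    clone = build_first_auth_data(rule_key, user_id, "0000")  # card copied, info unknown
    return {"genuine": server.authenticate(user_id, genuine, rand, response),
            "clone_second_only": server.second_authentication(user_id, rand, response),
            "clone": server.authenticate(user_id, clone, rand, response)}
```

The copied card passes the key-based second authentication but fails overall because the personal information is wrong. As in the flow described, the first authentication data here is not bound to the network's random number, so a captured blob would verify again; a deployment would want to bind it to the challenge.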
In a specific implementation, the user needs to report the user characteristic information to the operator, and this can be done in various ways, for example, but not limited to, submitting the user characteristic information when the terminal accesses the network, or logging in to the operator's website and entering it. Once the information is entered into the network-side system, the user's personal information is associated with the user identification card or terminal used by the user; any case in which the user identification information and the user information do not satisfy the binding relationship is considered illegal. The user may also update the user characteristic information in a specific manner, for example by SMS, by logging in to the operator's website, or directly at one of the operator's business outlets.

Obtaining and maintaining the user characteristic information provided by the user before terminal authentication is the premise of the first authentication: only when the authentication server has saved the correct binding relationship between the personal information and the user identification information can the first authentication be carried out smoothly.

Preferably, the identification information includes at least one of the following: identification information of the smart card of the terminal, and identification information of the terminal.
The identification information of the user may be the identification information of the identification card on the terminal (for example, ICCID, UMID or the user's phone number) or the identification information of the terminal (for example, IMSI or ESN); for more security, the user's identification information may include both the identification information of the identification card and the identification information of the terminal. Using the identification information of the identification card or of the terminal makes it convenient to set the user's identification information from existing resources.

Preferably, the personal information preset by the user may be stored in the memory of the terminal or on another storage medium connected to the terminal. Because the user's personal information is not stored on the terminal's identification card (such as a SIM card), it is not leaked even if the identification card is lost.

Preferably, the terminal may send the first authentication data to the authentication server by short message or communication signaling. In a specific implementation, the authentication server can receive the first authentication data over multiple transmission modes and perform the first authentication operation, which makes terminal authentication more flexible and convenient for the operator to implement.

The above terminal authentication method is described in detail below in combination with other embodiments.

Embodiment 1

In this embodiment, the authentication server performs the first authentication first and, if the first authentication succeeds, the second authentication is triggered. FIG. 5 is a flowchart of terminal authentication according to Embodiment 1 of the present invention. As shown in FIG. 5, the process includes:

Step S501: The terminal is powered on.
Step S502: The terminal uses a communication network service (network registration, voice, short message, data, etc.).
Step S503: According to the returned system message, the terminal determines whether the first authentication is to be performed.
Step S504: If the network requires the terminal to perform the first authentication, the terminal generates the first authentication data from the preset personal information, including the information of the terminal and the information of the card, in combination with a specific encryption algorithm, and step S505 is performed; otherwise, step S510 is performed.
Step S505: The terminal sends the first authentication data to the authentication server.
Step S506: The authentication server receives the first authentication data sent by the terminal, parses out the user personal information and the user identification information, and compares the personal information reported by the terminal with the personal information stored in the database to generate a first authentication result.
Step S507: The authentication server sends the first authentication result to the terminal.
Step S508: The terminal checks the first authentication result. If it failed, step S509 is performed; otherwise, step S510 is performed.
Step S509: The terminal prompts the user that use of the network service is prohibited, and the operation process ends.
Step S510: The terminal sends the second authentication data, and the authentication server performs the second authentication operation. If the second authentication succeeds, the user uses the network service normally; otherwise, the user is prompted that use of the network service is prohibited.

Embodiment 2

In this embodiment, the authentication server performs the second authentication first and, if the second authentication succeeds, the first authentication is triggered. FIG. 6 is a flowchart of terminal authentication according to Embodiment 2 of the present invention.
As shown in FIG. 6, the process includes:

Step S601: The terminal is powered on.
Step S602: The terminal uses a communication network service (network registration, voice, short message, data, etc.).
Step S603: The terminal sends the second authentication data, and the authentication server performs the second authentication operation. If the second authentication succeeds, step S604 is performed; otherwise, the user is prompted that use of the network service is prohibited.
Step S604: According to the returned system message, the terminal determines whether the first authentication is to be performed.
Step S605: If the network requires the terminal to perform the first authentication, the terminal generates the first authentication data from the preset personal information, including the information of the terminal and the information of the card, in combination with a specific encryption algorithm; otherwise, the terminal authentication succeeds and the user uses the network service normally.
Step S606: The terminal sends the first authentication data to the authentication server.
Step S607: The authentication server receives the first authentication data sent by the terminal, parses out the user personal information and the user identification information, and compares the personal information reported by the terminal with the personal information stored in the database to generate a first authentication result.
Step S608: The authentication server sends the first authentication result to the terminal.
Step S609: The terminal checks the first authentication result. If it failed, the terminal prompts the user that use of the network service is prohibited, and the operation process ends; otherwise, the terminal authentication passes and the user uses the network service normally.

According to an embodiment of the present invention, a terminal authentication system is further provided. FIG. 7 is a schematic structural diagram of a terminal authentication system according to an embodiment of the present invention. As shown in FIG. 7, the system includes a terminal 71 and an authentication server 72.

The terminal 71 includes a first authentication data module 711 and a second authentication data module 712. The first authentication data module 711 is configured to generate first authentication data and send it to the authentication server 72, where the first authentication data is generated according to user characteristic information of the terminal. The second authentication data module 712 is configured to generate second authentication data and send it to the authentication server 72, where the second authentication data is generated according to the authentication key, the terminal parameter, and the network parameter.

The authentication server 72 includes a first authentication module 721, a second authentication module 722, and an authentication success judging module 723. The first authentication module 721 is configured to perform first authentication on the terminal according to the first authentication data and output a first authentication result. The second authentication module 722 is configured to perform second authentication according to the second authentication data and output a second authentication result. The authentication success judging module 723 is connected to the first authentication module 721 and the second authentication module 722 respectively, and is configured to evaluate the input first authentication result and second authentication result; if both are successful, the authentication of the terminal 71 is determined to be successful.

FIG. 8 is a schematic structural diagram of a first authentication data module according to an embodiment of the present invention.
Preferably, as shown in FIG. 8, the first authentication data module 711 includes a storage submodule 801, a generation submodule 802, and a sending submodule 803. The storage submodule 801 is configured to store the personal information preset by the user to which the terminal belongs and the identification information of the user. The generation submodule 802 is connected to the storage submodule 801 and is configured to acquire the personal information and the identification information of the user and generate the first authentication data. The sending submodule 803 is connected to the generation submodule 802 and is configured to send the first authentication data to the authentication server 72.

FIG. 9A is a schematic structural diagram of a first authentication module according to an embodiment of the present invention. Preferably, as shown in FIG. 9A, the first authentication module 721 includes a data storage submodule 901, a receiving submodule 902, a first obtaining submodule 903, a second obtaining submodule 904, and a comparison submodule 905.
The data storage submodule 901 is configured to store the personal information provided by the user. The receiving submodule 902 is configured to receive the first authentication data from the terminal. The first obtaining submodule 903 is connected to the receiving submodule 902 and is configured to obtain the identification information of the user from the first authentication data and output it to the second obtaining submodule 904, and to obtain the personal information from the first authentication data and output it to the comparison submodule 905 as the first personal information of the user. The second obtaining submodule 904 is connected to the data storage submodule 901, the first obtaining submodule 903, and the comparison submodule 905 respectively, and is configured to obtain, from the data storage submodule 901, the personal information corresponding to the input identification information of the user as the second personal information and output it to the comparison submodule 905. The comparison submodule 905 is connected to the first obtaining submodule 903 and the second obtaining submodule 904 respectively, and is configured to compare the input first personal information and second personal information and generate the first authentication result.

Preferably, as shown in FIG. 9A, if the first authentication data is generated using a predetermined encryption rule, the first authentication module 721 further includes a parsing submodule 906, which is connected to the receiving submodule 902 and the first obtaining submodule 903 and is configured to parse the first authentication data received by the receiving submodule 902 and output the parsed first authentication data to the first obtaining submodule 903.
Preferably, the foregoing identification information includes at least one of the following: identification information of the smart card of the terminal, and identification information of the terminal. The identification information of the user may be the identification information of the identification card on the terminal (for example, ICCID, UMID or the user's telephone number) or the identification information of the terminal (for example, IMSI or ESN); for more security, the identification information of the user may include both the identification information of the identification card and the identification information of the terminal. Using the identification information of the identification card or of the terminal makes it convenient to set the user's identification information from existing resources.

In summary, the technical solution provided by the present invention uses a dual authentication mechanism: while inheriting the existing authentication method, it adds an authentication operation on the user characteristic information set by the user, which not only enhances the security of the user's use of the network but also strengthens the protection of the user's personal privacy and protects the legitimate rights and interests of the operator.

Obviously, those skilled in the art should understand that the above modules or steps of the present invention can be implemented by a general-purpose computing device; they can be concentrated on a single computing device or distributed over a network composed of multiple computing devices. Alternatively, they may be implemented by program code executable by the computing device, so that they may be stored in a storage device and executed by the computing device, and in some cases the steps shown or described may be performed in an order different from the order herein; or they may be separately fabricated into individual integrated circuit modules, or a plurality of the modules or steps may be fabricated as a single integrated circuit module. Thus, the invention is not limited to any specific combination of hardware and software.

The above is only the preferred embodiment of the present invention and is not intended to limit the present invention; various modifications and changes can be made to the present invention. Any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims

1. A terminal authentication method, comprising:
an authentication server performing first authentication on a terminal according to first authentication data sent by the terminal, wherein the first authentication data is generated according to user characteristic information of the terminal;
the authentication server performing second authentication according to second authentication data sent by the terminal, wherein the second authentication data is generated according to an authentication key, a terminal parameter, and a network parameter;
in the case that both the first authentication and the second authentication succeed, the authentication server determining that the terminal authentication is successful.

2. The method according to claim 1, wherein the user characteristic information comprises: personal information preset by a user to which the terminal belongs, and identification information of the user.

3. The method according to claim 2, wherein the authentication server performing the first authentication on the terminal according to the first authentication data sent by the terminal comprises:
receiving the first authentication data from the terminal;
obtaining the identification information using the first authentication data;
obtaining the personal information using the first authentication data, and using the personal information as first personal information of the user;
obtaining, from a database of the authentication server, second personal information corresponding to the identification information;
comparing the first personal information with the second personal information; if they are the same, the first authentication succeeds, otherwise the first authentication fails.

4. The method according to claim 2, wherein the first authentication data is generated by: encrypting the personal information and the identification information using a predetermined encryption rule to generate the first authentication data.

5. The method according to claim 4, wherein the authentication server performing the first authentication on the terminal according to the first authentication data sent by the terminal comprises:
receiving the first authentication data from the terminal;
parsing the first authentication data according to a predetermined decryption rule;
obtaining the identification information using the parsed first authentication data;
obtaining the personal information using the parsed first authentication data, and using the personal information as first personal information of the user;
obtaining, from a database of the authentication server, second personal information corresponding to the identification information;
comparing the first personal information with the second personal information; if they are the same, the first authentication succeeds, otherwise the first authentication fails.

6. The method according to claim 3 or 5, wherein before the authentication server performs the first authentication, the method further comprises:
the authentication server obtaining the personal information and the identification information corresponding to the personal information;
the authentication server storing, in the database, the personal information and the identification information corresponding to the personal information.

7. The method according to any one of claims 2 to 5, wherein the identification information comprises at least one of the following: identification information of the identification card of the terminal, and identification information of the terminal.

8. The method according to any one of claims 2 to 5, wherein the personal information is stored in a memory of the terminal or on another storage medium connected to the terminal.

9. The method according to any one of claims 1 to 5, wherein the terminal sends the first authentication data to the authentication server by short message or communication signaling.

10. A terminal authentication system, comprising a terminal and an authentication server, wherein:
the terminal comprises:
a first authentication data module, configured to generate first authentication data and send the first authentication data to the authentication server, wherein the first authentication data is generated according to user characteristic information of the terminal;
a second authentication data module, configured to generate second authentication data and send the second authentication data to the authentication server, wherein the second authentication data is generated according to an authentication key, a terminal parameter, and a network parameter;
the authentication server comprises:
a first authentication module, configured to perform first authentication on the terminal according to the first authentication data and output a first authentication result;
a second authentication module, configured to perform second authentication on the terminal according to the second authentication data and output a second authentication result;
an authentication success judging module, connected to the first authentication module and the second authentication module respectively, and configured to evaluate the input first authentication result and second authentication result and, in the case that both the first authentication result and the second authentication result are successful, determine that the authentication of the terminal is successful.

11. The system according to claim 10, wherein the first authentication data module comprises:
a storage submodule, configured to store personal information preset by a user to which the terminal belongs and identification information of the user;
a generation submodule, connected to the storage submodule, and configured to acquire the personal information and the identification information and generate the first authentication data;
a sending submodule, connected to the generation submodule, and configured to send the first authentication data to the authentication server.

12. The system according to claim 10, wherein the first authentication module comprises:
a data storage submodule, configured to store personal information provided by a user;
a receiving submodule, configured to receive the first authentication data from the terminal;
a first obtaining submodule, connected to the receiving submodule, and configured to obtain the identification information using the first authentication data, and to obtain the personal information using the first authentication data and use the personal information as first personal information of the user;
a second obtaining submodule, connected to the data storage submodule and the first obtaining submodule respectively, and configured to obtain, from the data storage submodule, the personal information corresponding to the identification information as second personal information;
a comparison submodule, connected to the first obtaining submodule and the second obtaining submodule respectively, and configured to compare the first personal information with the second personal information and generate the first authentication result.

13. The system according to claim 12, wherein, if the first authentication data is generated by encryption using a predetermined encryption rule, the first authentication module further comprises: a parsing submodule, connected to the receiving submodule and the first obtaining submodule, and configured to parse the first authentication data received by the receiving submodule and output the parsed first authentication data to the first obtaining submodule.

14. The system according to any one of claims 10 to 13, wherein the identification information comprises at least one of the following: identification information of the smart card of the terminal, and identification information of the terminal.
PCT/CN2010/075640 2010-04-06 2010-08-02 Method and system for terminal authentication WO2011124051A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201010145176.8A CN101841814B (en) 2010-04-06 2010-04-06 Terminal authentication method and system
CN201010145176.8 2010-04-06

Publications (1)

Publication Number Publication Date
WO2011124051A1 true WO2011124051A1 (en) 2011-10-13

Family

ID=42744856

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/075640 WO2011124051A1 (en) 2010-04-06 2010-08-02 Method and system for terminal authentication

Country Status (2)

Country Link
CN (1) CN101841814B (en)
WO (1) WO2011124051A1 (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102469451B (en) * 2010-11-16 2015-06-17 深圳市雄帝科技股份有限公司 Method and system for phone card real-name authentication
CN102158863B (en) * 2011-02-18 2016-04-13 惠州Tcl移动通信有限公司 Based on the mobile terminal authentication system and method for JAVA, server and terminal
CN102158856B (en) * 2011-02-21 2015-06-17 惠州Tcl移动通信有限公司 Mobile terminal identification code authentication system and method, server and terminal
CN104378203B (en) * 2013-08-15 2018-04-27 腾讯科技(深圳)有限公司 Information authentication method, apparatus and terminal
CN105873059A (en) * 2016-06-08 2016-08-17 中国南方电网有限责任公司电网技术研究中心 United identity authentication method and system for power distribution communication wireless private network
CN106897631B (en) * 2017-02-03 2020-01-17 Oppo广东移动通信有限公司 Data processing method, device and system
CN108616511B (en) * 2018-04-03 2021-02-05 深圳市宝尔爱迪科技有限公司 Communication method of terminal equipment with encryption system and third-party application installation method
CN116203442A (en) * 2021-11-30 2023-06-02 北京小米移动软件有限公司 Battery authentication method and device of terminal, electronic equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050289643A1 (en) * 2004-06-28 2005-12-29 Ntt Docomo, Inc. Authentication method, terminal device, relay device and authentication server
CN101521886A (en) * 2009-01-21 2009-09-02 北京握奇数据系统有限公司 Method and device for authenticating terminal and telecommunication smart card
CN101656958A (en) * 2009-08-13 2010-02-24 北京握奇数据系统有限公司 Telecommunication intelligent card in Code Division Multiple Access (CDMA) network and authentication method thereof

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1684411B (en) * 2004-04-13 2010-04-28 华为技术有限公司 Method for verifying user's legitimate of mobile terminal
CN100362880C (en) * 2003-11-21 2008-01-16 华为技术有限公司 Identification method of mobile terminal user legalness

Also Published As

Publication number Publication date
CN101841814B (en) 2014-07-02
CN101841814A (en) 2010-09-22

Similar Documents

Publication Publication Date Title
JP5579938B2 (en) Authentication of access terminal identification information in roaming networks
JP4263384B2 (en) Improved method for authentication of user subscription identification module
US8726019B2 (en) Context limited shared secret
CN101641976B (en) An authentication method
WO2011124051A1 (en) Method and system for terminal authentication
US20050188219A1 (en) Method and a system for communication between a terminal and at least one communication equipment
EP2879421B1 (en) Terminal identity verification and service authentication method, system, and terminal
WO2006060943A1 (en) Authentication method
CN102318386A (en) Service-based authentication to a network
CN101926188A (en) Security policy distribution to communication terminals
CN106304264B (en) Wireless network access method and device
WO2019109640A1 (en) Method and device for locking sim card
WO2014177076A1 (en) Terminal, network locking and network unlocking method for same, and storage medium
TW201729562A (en) Server, mobile terminal, and internet real name authentication system and method
WO2018010480A1 (en) Network locking method for esim card, terminal, and network locking authentication server
KR101281099B1 (en) An Authentication method for preventing damages from lost and stolen smart phones
CN105657702A (en) Authentication method, authentication system, authentication method of mobile terminal and mobile terminal
WO2013185709A1 (en) Call authentication method, device, and system
CN105763517A (en) Router security access and control method and system
CN101895885B (en) Method and system for protecting key file
EP3550765A1 (en) Service provisioning
WO2011144129A2 (en) Machine-card interlocking method, user identity model card and terminal
KR101329789B1 (en) Encryption Method of Database of Mobile Communication Device
CN111432404B (en) Information processing method and device
WO2006050663A1 (en) Method of setting security key

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10849288

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10849288

Country of ref document: EP

Kind code of ref document: A1