WO2012163203A1 - Method and device for updating dynamic authentication parameters of user equipment and aaa - Google Patents

Publication number
WO2012163203A1
Authority
WO
WIPO (PCT)
Prior art keywords
dynamic
authentication parameter
authentication
aaa
update
Prior art date
Application number
PCT/CN2012/074603
Other languages
French (fr)
Chinese (zh)
Inventor
邱永庆
詹亚军
Original Assignee
中兴通讯股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2012163203A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W8/00 Network data management
    • H04W8/18 Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H04W8/20 Transfer of user or subscriber data

Definitions

  • the present invention relates to a user equipment (UE, User Equipment) anti-duplication technology, and more particularly to a method and device for updating dynamic authentication parameters of user equipment, and an authentication, authorization, and accounting server (AAA, Authentication, Authorization, Accounting).
  • the relevant information of the user identification card is written directly in the card; the user identification cards are produced centrally by the operator, and each card is bound to a user number; the user purchases the card at an operator outlet and inserts it into the UE to complete the account opening and use the services provided by the operator.
  • OTA over-the-air technology
  • OTA is classified from the initiators and can be divided into two categories, namely:
  • OTASP Over the Air Service Provisioning
  • the OTAPA (Over the Air Parameter Administration) is initiated by the network side to complete the delivery of the required parameters.
  • the main object of the present invention is to provide a method and apparatus for updating a user equipment dynamic authentication parameter, a verification, authorization, and accounting server, which can effectively prevent copying of a UE user identification number.
  • a method for updating a dynamic authentication parameter of a user equipment includes:
  • the AAA authenticates the received authentication parameters of the UE sent by the packet network, determines after the authentication succeeds whether the dynamic authentication parameters of the UE satisfy the update condition, updates the dynamic authentication parameters of the UE when the condition is satisfied, and triggers the OTAF to update the updated dynamic authentication parameters to the UE.
  • the authentication parameter includes at least one of the following parameters:
  • NAI Network Access Identifier
  • CHAP Challenge Handshake Authentication Protocol
  • CHAP challenge
  • IP packet network access IP
  • the dynamic authentication parameter includes at least one of the following parameters:
  • the dynamic authentication parameter of the UE satisfies an update condition, which is:
  • the dynamic NAI or dynamic password of the UE is empty; or the dynamic AAA NAI of the UE is the original AAA NAI, or the dynamic password of the UE is the original password;
  • the dynamic AAA NAI or the dynamic PWD of the UE reaches the set usage count; or the dynamic AAA NAI or the dynamic PWD of the UE reaches the set duration of use; or the UE is in the update state of the dynamic authentication parameter, but has not been updated successfully.
  • the dynamic AAA NAI includes a user identifier format and domain name information; and the dynamic authentication parameter of the UE is updated, as follows:
  • the authentication parameters of the UE that the AAA receives from the packet network are obtained as follows: the UE accesses the packet network by using a packet domain service, and performs Point-to-Point Protocol (PPP) and Link Control Protocol (LCP) negotiation with the access network (AN);
  • the AN obtains the authentication parameter of the UE, and sends the authentication parameter of the UE to the AN AAA through an access request message defined by the A12 interface.
  • the authentication parameters of the UE that the AAA receives from the packet network are obtained as follows: after the UE is authenticated by the access network, it performs LCP negotiation with the packet data serving node (PDSN);
  • the PDSN obtains the UE authentication parameter, and sends the authentication parameter of the UE to the AAA by using a Remote Authentication Dial In User Service (RADIUS) access request message.
  • An apparatus for updating a dynamic authentication parameter of a user equipment comprising: a receiving unit, an authentication unit, a determining unit, and an updating unit, where
  • a receiving unit configured to receive an authentication parameter of a UE sent by a packet network
  • An authentication unit configured to authenticate the authentication parameter of the UE
  • a determining unit configured to determine whether the dynamic authentication parameter of the UE meets an update condition after the authentication is passed, and trigger an update unit when satisfied;
  • an updating unit configured to update the dynamic authentication parameter of the UE, and trigger the OTAF to update the updated dynamic authentication parameter to the UE.
  • the authentication parameter includes at least one of the following parameters:
  • the dynamic authentication parameter includes at least one of the following parameters:
  • the dynamic authentication parameter of the UE satisfies an update condition, which is:
  • the dynamic NAI or dynamic password of the UE is empty;
  • the dynamic AAA NAI of the UE is the original AAA NAI, or the dynamic password of the UE is the original password;
  • the dynamic AAA NAI or the dynamic PWD of the UE reaches the set usage count; or the dynamic AAA NAI or the dynamic PWD of the UE reaches the set duration of use; or the UE is in the update state of the dynamic authentication parameter, but has not been updated successfully.
  • the dynamic AAA NAI includes a user identifier format and domain name information; the update unit is further configured to: update the user identifier format and/or the domain name of the dynamic NAI of the UE, and/or update the dynamic password of the UE.
  • a verification, authorization, and accounting server includes the foregoing updating device for dynamic authentication parameters of user equipment.
  • the AAA updates the dynamic authentication parameters of the UE after performing authentication and authorization on the UE, and then triggers the OTAF to send the updated dynamic authentication parameters to the UE, thereby completing the dynamic update of the UE authentication parameters (NAI and password).
  • even if the UE user's account is stolen, because some parameters of the UE change dynamically, the UE using the stolen account cannot pass the AAA authentication because it cannot receive the dynamic authentication parameters, and therefore cannot access the network; this minimizes the possibility of the UE user's account being stolen and, even if it is stolen, minimizes the loss to the affected UE user.
  • FIG. 1 is a schematic structural diagram of an application network according to the present invention.
  • FIG. 2 is a flowchart of a method for updating a dynamic authentication parameter of a user equipment according to Embodiment 1 of the present invention
  • FIG. 3 is a flowchart of a method for updating a dynamic authentication parameter of a user equipment according to Embodiment 2 of the present invention
  • FIG. 5 is a schematic structural diagram of a device for updating a user equipment dynamic authentication parameter according to the present invention.
  • AAA updates the dynamic authentication parameters of the UE after performing authentication and authorization on the UE, and then sends the updated dynamic authentication parameters to the UE by triggering the OTAF, thereby completing the dynamic update of the UE authentication parameters (NAI and password).
  • FIG. 1 is a schematic structural diagram of an application network according to the present invention. As shown in FIG. 1, the figure shows a schematic diagram of a UE accessing a packet data network in a Code Division Multiple Access (CDMA) system.
  • CDMA Code Division Multiple Access
  • the network elements in the figure and their networking modes are clearly defined in the relevant protocols.
  • the network elements that are not closely related to the implementation of the technical solution of the present invention will not describe their functions. Only the network elements related to the present invention and their functions will be described accordingly.
  • the technical solution of the present invention is mainly for the machine-integrated UE to complete the user opening work through the OTASP, and the authentication information of the UE user is also stored in the AAA.
  • the basic information of the UE user is stored in each related network element.
  • parameters such as MIN, ESN, MDN, OTAPWD of the UE user, and NAM, PRL, Validation, 3GPD of the user terminal are stored.
  • HLR Home Location Register
  • parameters such as the MIN, ESN, MDN, and AKey of the UE user, and the location information of the terminal in the circuit domain are included.
  • AN AAA: includes the user's IMSI, MDN, original AN-AAA NAI and original PWD, dynamic AN-AAA NAI and dynamic PWD (dynamic password), ESN, MEID and other parameters.
  • AAA contains the user's original account NAIUSERNAME, original PASSWORD, dynamic account NAIUSERNAME, dynamic password PASSWORD, IMSI, MDN, CDMANAI service Identification and other parameters.
  • AN-AAA refers to the AAA on the access network side, and usually does not charge a fee
  • AAA is the AAA on the core network side.
  • the functions implemented in the present invention are the same, except that the network to which they belong is different. In the following embodiments, different application scenarios are distinguished. Based on the above network structure, the essence of the technical solution of the present invention is further elaborated.
  • FIG. 2 is a flowchart of a method for updating a dynamic authentication parameter of a user equipment according to Embodiment 1 of the present invention. As shown in FIG. 2, the method for updating a dynamic authentication parameter of a user equipment in this example specifically includes the following steps:
  • Step 101 The UE user uses a packet domain service (such as accessing the Internet, sending and receiving multimedia messages, or accessing the Wireless Application Protocol (WAP)), which causes the UE to access the wireless network; the UE and the access network (AN, Access Network) perform Point to Point Protocol (PPP) and Link Control Protocol (LCP) negotiation.
  • PPP Point to Point Protocol
  • LCP link control protocol
  • Step 102 While performing PPP interaction with the UE, the AN obtains access authentication parameters such as the AN-AAA Network Access Identifier (NAI) of the UE user, the Challenge Handshake Authentication Protocol password (CHAP Password) and the CHAP-Challenge.
  • NAI Network Access Identifier
  • CHAP Password Challenge Handshake Authentication Protocol password
  • CHAP-Challenge Access authentication parameters
  • Step 103 The AN sends an access request message defined by the A12 interface to the AN-AAA, including authentication parameters such as AN-AAA NAI, CHAP Password, CHAP-Challenge and AN-IP.
  • Step 104 The AN-AAA performs an authentication check according to the authentication parameters in the access request message. If the check succeeds, it returns success to the AN and authorizes the related information; otherwise, it returns an access rejection and the process is terminated.
  • Step 105 The AN-AAA determines whether the user's NAI or password has reached the update condition.
  • Some update conditions can be:
  • AN-AAA generates a new dynamic AN-AAA NAI and dynamic PWD according to rules. These rules are determined according to the actual application and can be:
  • for the dynamic NAI, which includes the identity information and domain information of the NAI: the identity information can be changed, or the domain information can be changed, or both can be changed at the same time;
  • for the dynamic PWD: a new encrypted password can be calculated using the corresponding password generation algorithm, usually the MD5 algorithm; any other encryption algorithm can also be used.
  • the AN-AAA sends a dynamic AN-AAA NAI and dynamic PWD update request (i.e., an UpAuthParaReq message) to the OTAF (Over the Air Service Provisioning Function); the UpAuthParaReq message carries the relevant parameters of the UE, including the international mobile subscriber identity.
  • IMSI International Mobile Subscriber Identification Number
  • MDN Mobile Directory Number
  • New AN-AAA NAI New PWD
  • Old AN-AAA NAI Old PWD, etc.
  • the update flag is set to the status of the authentication parameter to be updated.
  • Step 106 The OTAF receives the AN-AAA authentication parameter update request, initiates an OTAPA process, and performs an air update of the UE authentication parameter (AN-AAA NAI or PWD).
  • Step 107 The OTAF returns the update result to the AN-AAA (e.g., the update result is carried by an UpAuthParaAck message). The AN-AAA evaluates the result: if the update is successful, the new AN-AAA NAI and PWD take effect, and the UE user update flag is set to the state in which the authentication parameter update is completed.
  • FIG. 3 is a flowchart of a method for updating a dynamic authentication parameter of a user equipment according to Embodiment 2 of the present invention. As shown in FIG. 3, the method for updating a dynamic authentication parameter of a user equipment in this example includes the following steps:
  • Step 201 After the UE is authenticated by the access network, the UE performs LCP negotiation with the Packet Data Serving Node (PDSN), and the PDSN obtains access authentication parameters such as CHAP Password and CHAP-Challenge.
  • PDSN Packet Data Serving Node
  • Step 203 The PDSN sends a RADIUS access request message to the AAA, where the authentication parameters include AAA NAI, CHAP Password, CHAP-Challenge, and PDSN-IP.
  • Step 204 The AAA performs authentication verification according to the authentication parameters in the RADIUS (Remote Authentication Dial In User Service) access request message. If the verification succeeds, it returns success to the PDSN and authorizes the related information; otherwise, it returns an access rejection and the process is terminated.
  • RADIUS Remote Authentication Dial In User Service
  • Step 205 the AAA determines whether the user's NAI or password has reached the update condition, and the update conditions may be:
  • AAA generates new dynamic AAA NAI and dynamic PWD according to rules. These rules are determined according to the actual application, and can be: 1) For NAI, the identity information of the NAI may be changed, or the domain information of the NAI may be changed, or the identity information and domain information of the NAI may be changed at the same time;
  • a new encrypted password can be calculated using a certain cryptographic algorithm, usually using the MD5 algorithm.
  • AAA sends dynamic AAA NAI and dynamic PWD update requests to OTAF
  • the parameters carried in the UpAuthParaReq message include IMSI, MDN, new AAA NAI, new PWD, old AAA NAI, old PWD, etc., and the UE user update flag is set to the state in which the authentication parameter is to be updated.
  • Step 206 The OTAF receives the AAA authentication parameter update request, initiates an OTAPA process, and performs an air update of the UE authentication parameter (AAA NAI or PWD).
  • Step 207 The OTAF returns the update result to the AAA (the update result is carried by the UpAuthParaAck message). The AAA evaluates the result: if the update is successful, the new AAA NAI and the new PWD take effect, and the UE user update flag is set to the state in which the authentication parameter update is completed.
  • the preconditions of the implementation of the application example are as follows:
  • the machine-integrated UE completes the user activation work through the OTASP, wherein the local number parameter of the UE is set to the IMSI format, so that the NAI of the UE is composed as follows: [IMSI format]@domain name.
  • the basic information of the user is stored in the corresponding network element.
  • the user's mobile identification number MIN, Mobile Identification Number
  • ESN Electronic Serial Number
  • MDN Mobile Directory Number
  • OTPWD Over the Air PWD
  • Parameters such as the Number Assignment Module (NAM), Preferred Roaming List (PRL), and so on.
  • parameters such as the user's MIN, ESN, MDN, authentication code (AKey), and UE location information in the circuit domain are included.
  • AKey authentication code
  • UE location information in the circuit domain.
  • AN-AAA: parameters such as the IMSI, the MDN, the original AN-AAA NAI, the dynamic AN-AAA NAI, the ESN, and the Mobile Equipment Identifier (MEID) of the user are included.
  • FIG. 4 is a flowchart of a method for updating a user equipment authentication code according to an application example of the present invention. As shown in FIG. 4, the method for updating a user equipment authentication code according to an application example of the present invention specifically includes the following steps:
  • Step 301 The UE user uses the packet domain service or the like, the UE accesses the wireless network, and establishes PPP and LCP negotiation with the AN.
  • Step 302 The AN obtains access authentication parameters such as AN-AAA NAI, CHAP Password, and CHAP-Challenge of the UE by performing PPP interaction with the UE.
  • Step 303 The AN sends an access request message defined by the A12 interface to the AN-AAA, where the access request message carries authentication parameters such as AN-AAA NAI (in the form [IMSI format]@domain name), CHAP Password, CHAP-Challenge, AN-IP, and ESN.
  • Step 304 The AN-AAA performs an authentication check according to the authentication parameters in the access request message. If the check succeeds, it returns success to the AN and authorizes the related information; otherwise, it returns an access rejection and the process is terminated.
  • Step 305 The AN-AAA determines whether the user's NAI or password has reached the update condition.
  • the update conditions are:
  • AN-AAA generates a new dynamic AN-AAA NAI (dynamic access identifier) according to the rule:
  • Identity information: select an unused identity from the dynamic IMSI pool to update the user's identity information
  • AN-AAA sends a dynamic AN-AAA NAI update request (UpAuthParaReq message) to the OTAF.
  • the parameters include IMSI, MDN, new AN-AAA NAI, old PWD, old AN-AAA NAI, old PWD, and the UE user update flag is set to the state in which the authentication parameter is to be updated.
  • Step 306 The OTAF receives the AN-AAA authentication parameter update request, initiates an OTAPA process, and sets the UE local number parameter to a new IMSI format for over-the-air update.
  • Step 307 The OTAF returns the update result to the AN-AAA (carried by the UpAuthParaAck message). The AN-AAA evaluates the result: if the update is successful, the new AN-AAA NAI takes effect, and the user update flag is set to the state in which the authentication parameter update is completed.
  • FIG. 5 is a schematic structural diagram of a device for updating a dynamic authentication parameter of a user equipment according to the present invention.
  • the apparatus for updating a dynamic authentication parameter of a user equipment of the present invention includes a receiving unit 50, an authentication unit 51, a determining unit 52, and an updating unit 53, wherein:
  • the receiving unit 50 is configured to receive an authentication parameter of the UE sent by the packet network.
  • the authentication unit 51 is configured to authenticate the authentication parameter of the UE.
  • Determining unit 52 configured to determine whether the dynamic authentication parameter of the UE satisfies an update condition after the authentication is passed, and triggers the update unit 53 when satisfied;
  • the updating unit 53 is configured to update the dynamic authentication parameter of the UE, and trigger the OTAF to update the updated dynamic authentication parameter to the UE.
  • the above authentication parameters include at least one of the following parameters:
  • the dynamic authentication parameter includes at least one of the following parameters:
  • the dynamic authentication parameters of the UE meet the update conditions, which are: The dynamic NAI or dynamic password of the UE is empty;
  • the dynamic AAANAI of the UE is the original AAANAI, or the dynamic password of the UE is the original password;
  • the dynamic AAA NAI or the dynamic PWD of the UE reaches the set usage count; or the dynamic AAA NAI or the dynamic PWD of the UE reaches the set duration of use; or the UE is in the update state of the dynamic authentication parameter, but has not been updated successfully.
  • the dynamic AAA NAI includes a user identifier format and domain name information.
  • the updating unit 53 is further configured to: update the user identifier format and/or the domain name of the dynamic NAI of the UE, and/or update the dynamic password of the UE.
  • the present invention also describes a verification, authorization, and accounting server, including the update device for the user equipment dynamic authentication parameters shown in FIG.
  • the technical solution of the present invention updates the dynamic authentication parameters of the UE after performing authentication and authorization on the UE, and then sends the updated dynamic authentication parameters to the UE by triggering the OTAF, thereby completing the dynamic update of the UE authentication parameters (NAI and password). In this way, even if the UE user's account is stolen, because some parameters of the UE change dynamically, the UE using the stolen account cannot receive the dynamic authentication parameters and therefore cannot access the network, thereby maximally protecting the rights of the UE user.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Disclosed is a method for updating dynamic authentication parameters of a user equipment, comprising: an authentication, authorization, accounting server (AAA) authenticating received authentication parameters of a user equipment (UE), which are sent by a packet-based network, determining whether the dynamic authentication parameters of the UE meet an updating condition after successful authentication, updating the dynamic authentication parameters of the UE when the dynamic authentication parameters meet the updating condition, and triggering an over-the-air activation entity OTAF to update the updated dynamic authentication parameters to the UE. Also disclosed are a device, for realizing the method, for updating dynamic authentication parameters of a user equipment and an AAA. According to the present invention, the possibility that the account of a UE user is stolen is maximally reduced, and even if the account is stolen, the loss of the UE user whose account is stolen can be maximally lowered.

Description

Method and device for updating dynamic authentication parameters of user equipment, and AAA

Technical Field

The present invention relates to user equipment (UE, User Equipment) anti-copying technology, and in particular to a method and device for updating dynamic authentication parameters of user equipment, and an authentication, authorization and accounting server (AAA, Authentication, Authorization, Accounting).

Background

For a UE in which the device and the card are separate, the relevant information of the subscriber identity card is written directly into the card. The cards are produced centrally by the operator, and each card is bound to a subscriber number. The user buys a card at an operator outlet and inserts it into the UE to complete account opening and use the services provided by the operator.

For a UE in which the device and the card are integrated, sales are not controlled by the operator, and the operator cannot configure the UE's parameters centrally. With the introduction of over-the-air technology (OTA, Over the Air Technology), a user who has purchased a UE buys an account-opening card, dials the special service center number from the UE and, following voice prompts, completes account opening through self-service and then uses the services provided by the operator.

OTA can be divided into two categories according to the initiator:

1. Over the Air Service Provisioning (OTASP), initiated by the user side and triggered by dialing the OTA feature code;

2. Over the Air Parameter Administration (OTAPA), initiated by the network side to deliver the required parameters.

At present, some criminals obtain the relevant parameters of a UE's subscriber identity card through various channels, copy them to other UEs or subscriber identity cards, and use the copied UE or card to steal the services of the copied subscriber. The services used by the legitimate UE are thus stolen, causing great losses to legitimate UE users and operators.

In the absence of a good protection mechanism, whether a UE user's account has been stolen can usually be determined only from the UE user's service records or from abnormal charges, so that even once it is determined that the UE user's services have been stolen, the loss already caused to the UE user is considerable. At present there is no good means of protection against account theft. In particular, a UE with integrated device and card, whose subscriber identity card parameters are not set uniformly by the operator, is more likely to be compromised and harder to control.

Summary of the Invention
有鉴于此, 本发明的主要目的在于提供一种用户设备动态认证参数的 更新方法及装置、验证、授权和计费服务器, 能有效防止对 UE用户识别号 码的复制。  In view of this, the main object of the present invention is to provide a method and apparatus for updating a user equipment dynamic authentication parameter, a verification, authorization, and accounting server, which can effectively prevent copying of a UE user identification number.
为达到上述目的, 本发明的技术方案是这样实现的:  In order to achieve the above object, the technical solution of the present invention is achieved as follows:
一种用户设备动态认证参数的更新方法, 包括:  A method for updating a dynamic authentication parameter of a user equipment includes:
AAA对接收到的分组网络发送的 UE的认证参数进行认证, 认证通过 后确定所述 UE的动态认证参数是否满足更新条件,满足时对所述 UE的动 态认证参数进行更新, 并触发 OTAF将更新后的动态认证参数更新到所述 UE。  The AAA authenticates the authentication parameter of the UE sent by the received packet network, and determines whether the dynamic authentication parameter of the UE satisfies the update condition after the authentication succeeds, updates the dynamic authentication parameter of the UE when it is satisfied, and triggers the OTAF to update. The subsequent dynamic authentication parameters are updated to the UE.
优选地, 所述认证参数包括以下参数的至少一种:  Preferably, the authentication parameter includes at least one of the following parameters:
网络接入标识(NAI, Network Access Identifier ), 询问握手认证协议密 码 ( CHAP, Challenge Handshake Authentication Protocol ) 密码、 CHAP 战和分组网络接入 IP。  Network Access Identifier (NAI), Challenge Handshake Authentication Protocol (CHP) password, CHAP warfare, and packet network access IP.
优选地, 所述动态认证参数包括以下参数的至少一种:  Preferably, the dynamic authentication parameter includes at least one of the following parameters:
动态 AAA NAI和动态密码。  Dynamic AAA NAI and dynamic passwords.
优选地, UE的动态认证参数满足更新条件, 为:  Preferably, the dynamic authentication parameter of the UE satisfies an update condition, which is:
所述 UE的动态 NAI或动态密码为空; 或者, 所述 UE的动态 AAANAI为原始 AAANAI, 或所述 UE的动态 密码为原始密码; The dynamic NAI or dynamic password of the UE is empty; Or the dynamic AAANAI of the UE is the original AAANAI, or the dynamic password of the UE is the original password;
或者,所述 UE的动态 AAANAI或动态 PWD达到了设定的使用次数; 或者,所述 UE的动态 AAANAI或动态 PWD达到了使用的设定期限; 或者, 所述 UE处于动态认证参数的更新状态, 但未更新成功。  Or the dynamic AAANAI or the dynamic PWD of the UE reaches the set usage count; or the dynamic AAANAI or the dynamic PWD of the UE reaches the set duration of use; or the UE is in the update state of the dynamic authentication parameter. , but not updated successfully.
Preferably, the dynamic AAA NAI includes a user identification code format and domain name information; updating the UE's dynamic authentication parameters means:
updating the user identification code format and/or the domain name of the UE's dynamic NAI, and/or updating the UE's dynamic password.
Preferably, the authentication parameters of the UE that the AAA receives from the packet network are obtained as follows: the UE accesses the packet network through a packet domain service and performs Point-to-Point Protocol (PPP) and Link Control Protocol (LCP) negotiation with the access network (AN);
the AN obtains the UE's authentication parameters and sends them to the AN AAA in an access request message defined by the A12 interface.
Preferably, the authentication parameters of the UE that the AAA receives from the packet network are obtained as follows: after the UE passes access network authentication, it performs LCP negotiation with the Packet Data Serving Node (PDSN);
the PDSN obtains the UE's authentication parameters and sends them to the AAA in a Remote Authentication Dial In User Service (RADIUS) access request message.
An apparatus for updating dynamic authentication parameters of a user equipment, including a receiving unit, an authentication unit, a determining unit and an updating unit, where:
the receiving unit is configured to receive the authentication parameters of the UE sent by the packet network;
the authentication unit is configured to authenticate the UE's authentication parameters;
the determining unit is configured to determine, after authentication succeeds, whether the UE's dynamic authentication parameters satisfy the update condition, and to trigger the updating unit if they do; the updating unit is configured to update the UE's dynamic authentication parameters and to trigger the OTAF to update the updated dynamic authentication parameters to the UE.
Preferably, the authentication parameters include at least one of the following:
NAI, CHAP password, CHAP challenge, and packet network access IP;
the dynamic authentication parameters include at least one of the following:
dynamic AAA NAI and dynamic password.
Preferably, the UE's dynamic authentication parameters satisfy the update condition when:
the dynamic NAI or dynamic password of the UE is empty;
or the dynamic AAA NAI of the UE is the original AAA NAI, or the dynamic password of the UE is the original password;
or the dynamic AAA NAI or dynamic PWD of the UE has reached the set number of uses; or the dynamic AAA NAI or dynamic PWD of the UE has reached the set period of use; or the UE is in the dynamic authentication parameter update state but the update has not succeeded.
Preferably, the dynamic AAA NAI includes a user identification code format and domain name information; the updating unit is further configured to update the user identification code format and/or the domain name of the UE's dynamic NAI, and/or to update the UE's dynamic password.
An authentication, authorization and accounting (AAA) server, including the foregoing apparatus for updating dynamic authentication parameters of a user equipment.
In the present invention, the AAA updates the UE's dynamic authentication parameters when it performs authentication and authorization for the UE, and then triggers the OTAF to deliver the updated dynamic authentication parameters to the UE, completing a dynamic update of the UE's authentication parameters (NAI and password). Even if a UE user's account is stolen, some of the UE's parameters change dynamically, so the UE using the stolen account cannot receive the dynamic authentication parameters, cannot pass AAA authentication and cannot access the network. This minimizes the possibility of a UE user's account being stolen and, even if it is stolen, minimizes the loss to the affected UE user.
Brief Description of the Drawings
Figure 1 is a schematic diagram of the network structure to which the present invention is applied;
Figure 2 is a flowchart of the method for updating dynamic authentication parameters of a user equipment according to Embodiment 1 of the present invention;
Figure 3 is a flowchart of the method for updating dynamic authentication parameters of a user equipment according to Embodiment 2 of the present invention;
Figure 4 is a flowchart of the method for updating the user equipment authentication code according to an application example of the present invention;
Figure 5 is a schematic structural diagram of the apparatus for updating dynamic authentication parameters of a user equipment according to the present invention.
Detailed Description
The basic idea of the present invention is as follows: the AAA updates the UE's dynamic authentication parameters when it performs authentication and authorization for the UE, and then triggers the OTAF to deliver the updated dynamic authentication parameters to the UE, completing a dynamic update of the UE's authentication parameters (NAI and password).
Figure 1 is a schematic diagram of the network structure to which the present invention is applied. It shows a UE accessing the packet data network in a Code Division Multiple Access (CDMA) system. The network elements in the figure and the way they are networked are clearly specified in the relevant protocols. The functions of network elements that are not closely related to the implementation of the technical solution of the present invention are not described; only the network elements related to the present invention and their functions are described.
The technical solution of the present invention mainly addresses the case where a UE with an integrated device and card has completed subscriber activation through OTASP and the AAA already stores the UE user's authentication information. At this point the UE user's basic information is stored in each relevant network element. Specifically, the OTAF stores the UE user's MIN, ESN, MDN and OTAPWD, as well as the user terminal's NAM, PRL, Validation, 3GPD and other parameters. The Home Location Register (HLR) contains the UE user's MIN, ESN, MDN and AKey, the terminal's location information in the circuit domain, and other parameters. The AN AAA contains the user's IMSI, MDN, original AN-AAA NAI and original PWD, dynamic AN-AAA NAI and dynamic PWD (dynamic password), ESN, MEID and other parameters. The AAA contains the user's original account NAIUSERNAME, original PASSWORD, dynamic account NAIUSERNAME, dynamic password PASSWORD, IMSI, MDN, CDMANAI service identifier and other parameters. In the present invention, AN-AAA refers to the AAA on the access network side, which is usually not used for accounting, and AAA refers to the AAA on the core network side. The functions that the AN-AAA and the AAA implement in the present invention are the same; only the networks to which they belong differ.
The following embodiments distinguish between different application scenarios. Based on the above network structure, the essence of the technical solution of the present invention is further elaborated.
To make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below through embodiments and with reference to the drawings.
Embodiment 1
Figure 2 is a flowchart of the method for updating dynamic authentication parameters of a user equipment according to Embodiment 1 of the present invention. As shown in Figure 2, the method in this example includes the following steps:
Step 101: The UE user uses a packet domain service (such as Internet access, sending and receiving multimedia messages, or Wireless Application Protocol (WAP) access), which causes the UE to access the wireless network; the UE and the access network (AN) perform Point-to-Point Protocol (PPP) and Link Control Protocol (LCP) negotiation.
Step 102: During the PPP exchange with the UE, the AN obtains the UE user's access authentication parameters, such as the AN AAA Network Access Identifier (NAI), the Challenge Handshake Authentication Protocol (CHAP) password (CHAP Password) and the CHAP challenge (CHAP-Challenge).
Step 103: The AN sends the AN-AAA an access request message defined by the A12 interface, containing authentication parameters such as the AN-AAA NAI, CHAP Password, CHAP-Challenge and AN-IP.
Step 104: The AN-AAA performs an authentication check based on the authentication parameters in the access request message. If the check succeeds, it returns success and the relevant authorization information to the AN; otherwise it returns an access reject and the procedure ends.
Step 105: The AN-AAA determines whether the user's NAI or password has met an update condition. The update conditions can be:
1) the dynamic AN-AAA NAI and dynamic password (PWD) are empty;
2) dynamic AN-AAA NAI = original AN-AAA NAI, or dynamic PWD = original PWD;
3) the dynamic AN-AAA NAI or dynamic PWD has reached its number of uses;
4) the dynamic AN-AAA NAI or dynamic PWD has reached its specified period of use;
5) the UE is already in the update state, but the last update did not succeed, so the authentication parameters are pending update.
The AN-AAA generates a new dynamic AN-AAA NAI and dynamic PWD according to rules. These rules are determined by the actual application and can be:
1) For the dynamic NAI, which consists of the NAI's identity information and domain information: change the NAI's identity information, or change the NAI's domain information, or change both at the same time;
2) For the dynamic password: compute a new encrypted password with a suitable password generation algorithm, usually the MD5 algorithm. Those skilled in the art will understand that any other encryption algorithm can also be used.
The AN-AAA sends a dynamic AN-AAA NAI and dynamic PWD update request (that is, an UpAuthParaReq message) to the Over the Air Service Provisioning Function (OTAF). The UpAuthParaReq message carries the UE's relevant parameters, including the International Mobile Subscriber Identification Number (IMSI), the Mobile Directory Number (MDN), the new AN-AAA NAI, the new PWD, the old AN-AAA NAI and the old PWD. At the same time, the AN-AAA sets the user's update flag to the "authentication parameters pending update" state.
Step 106: The OTAF receives the AN-AAA authentication parameter update request and initiates the OTAPA procedure to update the UE's authentication parameters (AN-AAA NAI or PWD) over the air.
Step 107: The OTAF returns the update result to the AN-AAA (for example, carried in an UpAuthParaAck message). If the AN-AAA determines that this update succeeded, the new AN-AAA NAI and PWD take effect, and the UE user's update flag is set to "authentication parameters updated this time".
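The AN-AAA decision logic of steps 105 to 107, as an added example that is not code from the patent. The field names, the policy limits `MAX_USES` and `MAX_AGE_SECONDS`, and the use of Python's `secrets` module to generate the new identity part and password (in place of the MD5-based generation the text mentions) are assumptions.

```python
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Assumed policy values; the text only says "set number of uses" and "set period".
MAX_USES = 50
MAX_AGE_SECONDS = 7 * 24 * 3600


class UpdateState(Enum):
    IDLE = "idle"
    PENDING = "pending"  # update sent to the OTAF, no success reported yet
    DONE = "done"        # last update completed


@dataclass
class Subscriber:
    # Hypothetical record layout for the per-user data held by the AN-AAA.
    imsi: str
    mdn: str
    original_nai: str
    original_pwd: str
    dynamic_nai: Optional[str] = None
    dynamic_pwd: Optional[str] = None
    use_count: int = 0
    issued_at: float = 0.0
    state: UpdateState = UpdateState.IDLE
    staged_nai: Optional[str] = None
    staged_pwd: Optional[str] = None


def update_reason(sub: Subscriber, now: float) -> Optional[str]:
    """Return the update condition of step 105 that holds, or None."""
    if sub.state is UpdateState.PENDING:            # condition 5: retry a failed push
        return "pending"
    if not sub.dynamic_nai or not sub.dynamic_pwd:  # condition 1
        return "empty"
    if (sub.dynamic_nai == sub.original_nai
            or sub.dynamic_pwd == sub.original_pwd):  # condition 2
        return "original"
    if sub.use_count >= MAX_USES:                   # condition 3
        return "use_count"
    if now - sub.issued_at >= MAX_AGE_SECONDS:      # condition 4
        return "expired"
    return None


def build_update_request(sub: Subscriber) -> dict:
    """Stage new values and build the parameters of an UpAuthParaReq message."""
    _, _, domain = sub.original_nai.partition("@")
    if not domain:
        raise ValueError("NAI has no domain part")
    # Rule 1: new identity part, domain unchanged. Rule 2: new password.
    sub.staged_nai = f"{secrets.token_hex(8)}@{domain}"
    sub.staged_pwd = secrets.token_urlsafe(24)
    sub.state = UpdateState.PENDING
    return {
        "imsi": sub.imsi,
        "mdn": sub.mdn,
        "new_nai": sub.staged_nai,
        "new_pwd": sub.staged_pwd,
        "old_nai": sub.dynamic_nai or sub.original_nai,
        "old_pwd": sub.dynamic_pwd or sub.original_pwd,
    }


def on_auth_success(sub: Subscriber, now: float) -> Optional[dict]:
    """Step 105: called after step 104 succeeds; returns a request if one is due."""
    sub.use_count += 1
    if update_reason(sub, now) is None:
        return None
    return build_update_request(sub)


def handle_ack(sub: Subscriber, success: bool, now: float) -> None:
    """Step 107: the staged values take effect only when the OTAF reports success."""
    if not success or sub.staged_nai is None:
        return  # flag stays PENDING, so condition 5 fires at the next authentication
    sub.dynamic_nai, sub.dynamic_pwd = sub.staged_nai, sub.staged_pwd
    sub.staged_nai = sub.staged_pwd = None
    sub.use_count = 0
    sub.issued_at = now
    sub.state = UpdateState.DONE
```

Until `handle_ack` sees a success, the previously valid NAI and password remain the ones the server accepts, which matches the text's statement that the new values take effect only after a successful update.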
Embodiment 2
Figure 3 is a flowchart of the method for updating dynamic authentication parameters of a user equipment according to Embodiment 2 of the present invention. As shown in Figure 3, the method in this example includes the following steps:
Step 201: After the UE passes access network authentication, the UE and the Packet Data Serving Node (PDSN) perform LCP negotiation; access authentication parameters such as CHAP Password and CHAP-Challenge;
Step 203: The PDSN sends the AAA a RADIUS access request message containing authentication parameters such as the AAA NAI, CHAP Password, CHAP-Challenge and PDSN-IP;
Step 204: The AAA performs an authentication check based on the authentication parameters in the Remote Authentication Dial In User Service (RADIUS) access request message. If the check succeeds, it returns success and the relevant authorization information to the PDSN; otherwise it returns an access reject and the procedure ends.
Step 205: The AAA determines whether the user's NAI or password has met an update condition. The update conditions can be:
1) the dynamic AAA NAI and dynamic PWD (Password) are empty;
2) dynamic AAA NAI = original AAA NAI, or dynamic PWD = original PWD;
3) the dynamic AAA NAI or dynamic PWD has reached its number of uses;
4) the dynamic AAA NAI or dynamic PWD has reached its specified period;
5) the UE is already in the update state, but the last update did not succeed.
The AAA generates a new dynamic AAA NAI and dynamic PWD according to rules. These rules are determined by the actual application and can be:
1) For the NAI: change the NAI's identity information, or change the NAI's domain information, or change both at the same time;
2) For the password: compute a new encrypted password with a chosen cryptographic algorithm, usually the MD5 algorithm.
The AAA sends a dynamic AAA NAI and dynamic PWD update request (an UpAuthParaReReq message) to the OTAF. The parameters carried in the UpAuthParaReReq message include the IMSI, MDN, new AAA NAI, new PWD, old AAA NAI and old PWD. At the same time, the AAA sets the UE user's update flag to the "authentication parameters pending update" state.
Step 206: The OTAF receives the AAA authentication parameter update request and initiates the OTAPA procedure to update the UE's authentication parameters (AAA NAI or PWD) over the air.
Step 207: The OTAF returns the update result to the AAA (carried in an UpAuthParaAck message). If the AAA determines that this update succeeded, the new AAA NAI and new PWD take effect, and the UE user's update flag is set to "authentication parameters updated this time".
The following describes a practical scenario in which a certain type of UE has its NAI dynamically updated through the AN-AAA, to further clarify the essence of the technical solution of the present invention.
The preconditions for this application example are as follows: a UE with an integrated device and card has completed subscriber activation through OTASP, and this type of UE has its own-number parameter set to the IMSI format, so the UE's NAI has the form [IMSI format]@domain name. The user's basic information is stored in the corresponding network elements described above. Specifically, the OTAF contains the user's Mobile Identification Number (MIN), Electronic Serial Number (ESN), MDN and over-the-air password (OTAPWD, Over the Air PWD), as well as the UE's Number Assignment Module (NAM), Preferred Roaming List (PRL) and other parameters.
The HLR contains the user's MIN, ESN, MDN and authentication key (AKey), the UE's location information in the circuit domain, and other parameters. The AN-AAA contains the user's IMSI, MDN, original AN-AAA NAI, dynamic AN-AAA NAI, ESN, Mobile Equipment Identifier (MEID) and other parameters.
Figure 4 is a flowchart of the method for updating the user equipment authentication code according to the application example of the present invention. As shown in Figure 4, the method includes the following steps:
Step 301: The UE user uses a packet domain service or similar, the UE accesses the wireless network, and the UE and the AN perform PPP and LCP negotiation.
Step 302: Through the PPP exchange with the UE, the AN obtains the UE user's access authentication parameters, such as the AN-AAA NAI, CHAP Password and CHAP-Challenge.
Step 303: The AN sends the AN-AAA an access request message defined by the A12 interface. The access request message carries authentication parameters such as the AN-AAA NAI (of the form [IMSI format]@domain name), CHAP Password, CHAP-Challenge, AN-IP and ESN.
Step 304: The AN-AAA performs an authentication check based on the authentication parameters in the access request message. If the check succeeds, it returns success and the relevant authorization information to the AN; otherwise it returns an access reject and the procedure ends.
Step 305: The AN-AAA determines whether the user's NAI or password has met an update condition. The update conditions are:
1) the dynamic AN-AAA NAI is empty;
2) dynamic AN-AAA NAI = original AN-AAA NAI;
3) the dynamic AN-AAA NAI has reached its number of uses;
4) the dynamic AN-AAA NAI has reached its specified period of use;
5) the update state has already been reached, but the last update did not succeed, so the authentication parameters are pending update.
The AN-AAA generates a new dynamic AN-AAA NAI (dynamic access identifier) according to the following rules:
1) Identity information: select an unused entry from the dynamic IMSI pool to update the user's identity information;
2) The domain name remains unchanged.
The NAI thus becomes [new IMSI format]@domain name.
The AN-AAA sends a dynamic AN-AAA NAI update request (an UpAuthParaReq message) to the OTAF. The parameters include the IMSI, MDN, new AN-AAA NAI, old PWD, old AN-AAA NAI and old PWD. At the same time, the AN-AAA sets the UE user's update flag to the "authentication parameters pending update" state.
Step 306: The OTAF receives the AN-AAA authentication parameter update request, initiates the OTAPA procedure, and sets the UE's own-number parameter to the new IMSI format through an over-the-air update.
Step 307: The OTAF returns the update result to the AN-AAA (in an UpAuthParaAck message). Based on the update result, if this update succeeded, the new AN-AAA NAI takes effect and the AN-AAA sets the user's update flag to "authentication parameters updated this time".
Figure 5 is a schematic structural diagram of the apparatus for updating dynamic authentication parameters of a user equipment according to the present invention. As shown in Figure 5, the apparatus includes a receiving unit 50, an authentication unit 51, a determining unit 52 and an updating unit 53, where:
the receiving unit 50 is configured to receive the authentication parameters of the UE sent by the packet network;
the authentication unit 51 is configured to authenticate the UE's authentication parameters;
the determining unit 52 is configured to determine, after authentication succeeds, whether the UE's dynamic authentication parameters satisfy the update condition, and to trigger the updating unit 53 if they do;
the updating unit 53 is configured to update the UE's dynamic authentication parameters and to trigger the OTAF to update the updated dynamic authentication parameters to the UE.
The above authentication parameters include at least one of the following:
NAI, CHAP password, CHAP challenge, and packet network access IP;
the dynamic authentication parameters include at least one of the following:
dynamic AAA NAI and dynamic password.
The UE's dynamic authentication parameters satisfy the update condition when: the dynamic NAI or dynamic password of the UE is empty;
or the dynamic AAA NAI of the UE is the original AAA NAI, or the dynamic password of the UE is the original password;
or the dynamic AAA NAI or dynamic PWD of the UE has reached the set number of uses; or the dynamic AAA NAI or dynamic PWD of the UE has reached the set period of use; or the UE is in the dynamic authentication parameter update state but the update has not succeeded.
The above dynamic AAA NAI includes a user identification code format and domain name information; the updating unit 53 is further configured to update the user identification code format and/or the domain name of the UE's dynamic NAI, and/or to update the UE's dynamic password.
Those skilled in the art will understand that the functions of the above processing units in the apparatus for updating dynamic authentication parameters of a user equipment can be implemented by corresponding hardware circuits, or by a processor and corresponding executable software. The functions of each processing unit can be understood by referring to the description of the foregoing embodiments.
The present invention also describes an authentication, authorization and accounting server that includes the apparatus for updating dynamic authentication parameters of a user equipment shown in Figure 5.
The above are only preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention.
Industrial Applicability
In the technical solution of the present invention, the UE's dynamic authentication parameters are updated when authentication and authorization are performed for the UE, and the OTAF is then triggered to deliver the updated dynamic authentication parameters to the UE, completing a dynamic update of the UE's authentication parameters (NAI and password). Even if a UE user's account is stolen, some of the UE's parameters change dynamically, so the UE using the stolen account cannot receive the dynamic authentication parameters, cannot pass AAA authentication and cannot access the network, which protects the rights and interests of the UE user to the greatest extent.

Claims

1. A method for updating dynamic authentication parameters of a user equipment, wherein the method includes: an authentication, authorization and accounting server (AAA) authenticates the authentication parameters of a user equipment (UE) that it receives from the packet network; after authentication succeeds, it determines whether the UE's dynamic authentication parameters satisfy an update condition; if they do, it updates the UE's dynamic authentication parameters and triggers the Over the Air Service Provisioning Function (OTAF) to update the updated dynamic authentication parameters to the UE.
2. The method according to claim 1, wherein the authentication parameters include at least one of the following:
Network Access Identifier (NAI), Challenge Handshake Authentication Protocol (CHAP) password, CHAP challenge, and packet network access IP.
3. The method according to claim 1, wherein the dynamic authentication parameters include at least one of the following:
dynamic AAA NAI and dynamic password.
4. The method according to claim 3, wherein the UE's dynamic authentication parameters satisfy the update condition when:
the dynamic NAI or dynamic password of the UE is empty;
or the dynamic AAA NAI of the UE is the original AAA NAI, or the dynamic password of the UE is the original password;
or the dynamic AAA NAI or dynamic PWD of the UE has reached the set number of uses; or the dynamic AAA NAI or dynamic PWD of the UE has reached the set period of use; or the UE is in the dynamic authentication parameter update state but the update has not succeeded.
5. The method according to claim 3, wherein the dynamic AAA NAI includes a user identification code format and domain name information;
updating the UE's dynamic authentication parameters means:
updating the user identification code format and/or the domain name of the UE's dynamic NAI, and/or updating the UE's dynamic password.
6. The method according to claim 1, wherein the authentication parameters of the UE that the AAA receives from the packet network are obtained as follows:
the UE accesses the packet network through a packet domain service and performs Point-to-Point Protocol (PPP) and Link Control Protocol (LCP) negotiation with the access network (AN);
the AN obtains the UE's authentication parameters and sends them to the AN AAA in an A12 access request message.
7. The method according to claim 1, wherein, for the authentication parameter of the UE sent by the packet network and received by the AAA:
after the UE has been authenticated by the access network, the UE performs LCP negotiation with the packet data serving node (PDSN);
the PDSN obtains the authentication parameter of the UE, and sends the authentication parameter of the UE to the AAA in a Remote Authentication Dial-In User Service (RADIUS) access request message.
8. An apparatus for updating a dynamic authentication parameter of a user equipment, the apparatus comprising a receiving unit, an authentication unit, a determining unit and an updating unit, wherein:
the receiving unit is configured to receive the authentication parameter of a UE sent by a packet network;
the authentication unit is configured to authenticate the authentication parameter of the UE;
the determining unit is configured to determine, after the authentication has passed, whether the dynamic authentication parameter of the UE satisfies an update condition, and to trigger the updating unit when it does;
the updating unit is configured to update the dynamic authentication parameter of the UE, and to trigger the OTAF to update the updated dynamic authentication parameter to the UE.
9. The apparatus according to claim 8, wherein the authentication parameter comprises at least one of the following parameters:
an NAI, a CHAP password, a CHAP challenge, and a packet network access IP;
the dynamic authentication parameter comprises at least one of the following parameters: a dynamic AAA NAI and a dynamic password.
10. The apparatus according to claim 9, wherein the dynamic authentication parameter of the UE satisfying the update condition means that:
the dynamic NAI or the dynamic password of the UE is empty;
or, the dynamic AAA NAI of the UE is the original AAA NAI, or the dynamic password of the UE is the original password;
or, the dynamic AAA NAI or the dynamic PWD of the UE has reached the set number of uses;
or, the dynamic AAA NAI or the dynamic PWD of the UE has reached the set period of use;
or, the UE is in the dynamic authentication parameter update state, but the update has not succeeded.
11. The apparatus according to claim 9, wherein the dynamic AAA NAI comprises a user identification code format and domain name information;
the updating unit is further configured to update the user identification code format and/or the domain name of the dynamic NAI of the UE, and/or to update the dynamic password of the UE.
12. An authentication, authorization and accounting server, comprising the apparatus according to any one of claims 8 to 11.
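The update conditions of claims 4 and 10, and the determining/updating units of claim 8, can be sketched as AAA-side logic. This is an added example, not code from the patent or from any AAA product; the record fields, the policy limits `MAX_USES` and `MAX_AGE`, the choice to count a use on each successful authentication, and the way new values are generated are all assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

MAX_USES = 3                    # assumed policy: rotate after this many uses
MAX_AGE = timedelta(days=30)    # assumed policy: rotate after this lifetime

@dataclass
class UeRecord:
    """AAA-side state for one UE; all field names are hypothetical."""
    original_nai: str
    original_pwd: str
    dynamic_nai: Optional[str] = None
    dynamic_pwd: Optional[str] = None
    uses: int = 0
    issued_at: Optional[datetime] = None
    update_pending: bool = False  # update started, UE has not confirmed it

def update_reasons(rec: UeRecord, now: datetime) -> List[str]:
    """Evaluate the five update conditions listed in claims 4 and 10."""
    reasons = []
    if not rec.dynamic_nai or not rec.dynamic_pwd:
        reasons.append("empty")
    elif rec.dynamic_nai == rec.original_nai or rec.dynamic_pwd == rec.original_pwd:
        reasons.append("still-original")
    if rec.uses >= MAX_USES:
        reasons.append("use-count")
    if rec.issued_at and now - rec.issued_at >= MAX_AGE:
        reasons.append("expired")
    if rec.update_pending:
        reasons.append("update-incomplete")
    return reasons

def after_auth_success(rec: UeRecord, now: datetime) -> Optional[dict]:
    """Call only after authentication passed; returns values to hand to the OTAF, or None."""
    rec.uses += 1
    if not update_reasons(rec, now):
        return None
    rec.update_pending = True     # stays set until confirm_update() is called
    _, _, realm = (rec.dynamic_nai or rec.original_nai).partition("@")
    return {"nai": f"{secrets.token_hex(8)}@{realm}", "pwd": secrets.token_urlsafe(16)}

def confirm_update(rec: UeRecord, new: dict, now: datetime) -> None:
    """Commit the new values once the UE has acknowledged the update."""
    rec.dynamic_nai, rec.dynamic_pwd = new["nai"], new["pwd"]
    rec.uses, rec.issued_at, rec.update_pending = 0, now, False
```

Because `update_pending` is cleared only on confirmation, a push that never reaches the UE is retried at the next successful authentication, which is the behaviour the last update condition describes.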
PCT/CN2012/074603 2011-05-31 2012-04-24 Method and device for updating dynamic authentication parameters of user equipment and aaa WO2012163203A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201110144096.5 2011-05-31
CN2011101440965A CN102202305A (en) 2011-05-31 2011-05-31 Method and device for updating dynamic authentication parameters of user equipment, and AAA (Authentication, Authorization and Accounting) server

Publications (1)

Publication Number Publication Date
WO2012163203A1 (en) 2012-12-06

Family

ID=44662622

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/074603 WO2012163203A1 (en) 2011-05-31 2012-04-24 Method and device for updating dynamic authentication parameters of user equipment and aaa

Country Status (2)

Country Link
CN (1) CN102202305A (en)
WO (1) WO2012163203A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102202305A (en) * 2011-05-31 2011-09-28 中兴通讯股份有限公司 Method and device for updating dynamic authentication parameters of user equipment, and AAA (Authentication, Authorization and Accounting) server
CN102904888A (en) * 2012-09-28 2013-01-30 华为技术有限公司 Authentication method and communication device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20020094974A (en) * 2001-06-12 2002-12-20 엘지전자 주식회사 Method of transmitting packet data, and system for the same
CN101711022A (en) * 2009-11-18 2010-05-19 卓望数码技术(深圳)有限公司 Wireless local area network (WLAN) access terminal, WLAN authentication server and WLAN authentication method
CN102202305A (en) * 2011-05-31 2011-09-28 中兴通讯股份有限公司 Method and device for updating dynamic authentication parameters of user equipment, and AAA (Authentication, Authorization and Accounting) server

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040043788A1 (en) * 2002-08-28 2004-03-04 Guarav Mittal Management of parameters in a removable user identity module
CN1885770B (en) * 2005-06-24 2010-07-28 华为技术有限公司 Authentication method
CN100571203C (en) * 2006-02-23 2009-12-16 中兴通讯股份有限公司 A kind of data business routing method
CN100442940C (en) * 2006-06-15 2008-12-10 华为技术有限公司 Method for eliminating same wireless terminal
CN101222679B (en) * 2008-01-23 2012-09-26 中兴通讯股份有限公司 EV-DO system for updating terminal parameter through midair port and implementing method thereof

Also Published As

Publication number Publication date
CN102202305A (en) 2011-09-28


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12792421

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12792421

Country of ref document: EP

Kind code of ref document: A1