Access authentication method and system in mobile communication network

Abstract

The invention discloses an access authentication method in a mobile communication network. The method comprises the following steps that: a user terminal generates a random number RANDUE, and acquires a random number RANDILR generated by route identification (RID) and an identity location register (ILR) of an access service node (ASN) in a network when needing to perform authentication; the user terminal calculates to obtain an authentication result RES2ILR by using a pre-shared key K1 and sends the RES2ILR to the ASN; the ASN generates a random number RANDASN and sends the RES2ILR and the random number RANDASN to the ILR; and the ILR calculates to obtain an authentication result XRES2ILR by using the pre-shared key K1 and compares the XRES2ILR with the received RES2ILR; and if the XRES2ILR is consistent with the RES2ILR, the access authentication is successful. Correspondingly, the invention also provides a system for implementing the method. Through the method and the system, Man-in-the-Middle attacks caused by an unreliable network can be effectively avoided.

Description

technical field [0001] The invention relates to the field of mobile communication, in particular to a method and system for access authentication in a mobile communication network. Background technique [0002] Access authentication is a basic requirement for the safe and normal operation of a communication network. Using access authentication, the network can correctly identify user identities, and endow legitimate users with contracted service capabilities, prevent other users from stealing services, and ensure the correctness of billing . [0003] At present, the AKA (Authentication and Key Agreement) authentication method adopted by WCDMA (Wideband Code Division Multiple Access, Wideband Code Division Multiple Access) is one of the relatively complete authentication methods, and WCDMA authentication adopts the shared key method , there is a shared key K between the USIM (Universal Subscriber Identity Module) card of the user terminal and the HLR (Home Location Register,...

AI Technical Summary

Problems solved by technology

However, if this kind of authentication is used in a network based on IP interconnection, since there may be multiple paths connected between the two networks of the IP network, if an intermediate node of one path is not safe enough, as the intermediate forwarding node in the path is modified Passed authentication parameters may form a man-in-the-middle attack, such as figure 1 shown

[0006] exist figure 1 Among them, if the IP network is used for transmission between the SGSN and the HLR, during the transmission process, if one of the intermediate nodes MN (such as a router) is a malicious node, the intermediate node MN intercepts the authentication message sent by the SGSN to the HLR, and sends the SGSN’s authentication message to the HLR. The SGSN routing information in the UE registration message sent to the HLR is changed to the route of the malicious node SGSN_mal, so that after the modification of the intermediate node MN, although the user registration can still succeed, the user access location recorded by the HLR is SGSN_mal instead of SGSN, In this way, if other users send data to the UE, the access server where the other users are located needs to query the HLR for the current location of the UE, but the routing information of the UE access point returned by the HLR is the information of the malicious node SGSN_mal, so it should have been forwarded to the SGSN The data packet for UE is sent to SGSN_mal, which leads to a typical man-in-the-middle attack

[0007] It can be seen from the above that under the WCDMA authentication mechanism, because the AKA authentication does not protect the routing information of the access point SGSN, the HLR, the terminal, and even the ASN do not know whether there is a man-in-the-middle attack, so reasonable prevention cannot be done.

Images