Access authentication method and system in mobile communication network

Abstract

An access authentication method in a mobile communication network is provided by the present invention. The method comprises an access authentication process for a user terminal performed by an identification location register in the mobile communication network. The present invention also provides a corresponding system. The system comprises a user terminal, an access server and an identification location register. The present invention also provides a corresponding apparatus. The present invention effectively avoids man-in-the-middle attack caused by passing through unreliable networks, ensures the access point to be a real access point of the user by binding the route information of the access point with the authentication result.

Description

technical field [0001] The invention relates to the field of mobile communication, in particular to a method and system for access authentication in a mobile communication network. Background technique [0002] Access authentication is a basic requirement for the safe and normal operation of a communication network. Using access authentication, the network can correctly identify user identities, and endow legitimate users with contracted service capabilities, prevent other users from stealing services, and ensure the correctness of billing . [0003] At present, the AKA (Authentication and Key Agreement) authentication method adopted by WCDMA (Wideband Code Division Multiple Access) is one of the relatively complete authentication methods, and WCDMA authentication adopts the shared key method , there is a shared key K between the USIM (Universal Subscriber Identity Module) card of the user terminal and the HLR (Home Location Register, home location register). At the same ti...

AI Technical Summary

Problems solved by technology

However, if this kind of authentication is used in a network based on IP interconnection, since there may be multiple paths connected between the two networks of the IP network, if an intermediate node of one path is not safe enough, as the intermediate forwarding node in the path is modified Passed authentication parameters may form a man-in-the-middle attack, such as figure 1 shown

[0006] exist figure 1 If IP network transmission is used between SGSN and HLR, during the transmission process, if one of the intermediate nodes MN (such as a router) is a malicious node, the intermediate node MN intercepts the authentication message sent by SGSN to HLR, and sends the SGSN’s The SGSN routing information in the UE registration message sent to the HLR is changed to the route of the malicious node SGSN_mal, so that after the modification of the intermediate node MN, although the user registration can still succeed, the user access location recorded by the HLR is SGSN_mal instead of SGSN, In this way, if other users send data to the UE, the access server where the other users are located needs to query the HLR for the current location of the UE, but the routing information of the UE access point returned by the HLR is the information of the malicious node SGSN_mal, so it should have been forwarded to the SGSN The data packet for UE is sent to SGSN_mal, which leads to a typical man-in-the-middle attack

[0007] It can be seen from the above that under the WCDMA authentication mechanism, because the AKA authentication does not protect the routing information of the access point SGSN, the HLR, the terminal, and even the ASN do not know whether there is a man-in-the-middle attack, so reasonable prevention cannot be done.

Images