





Technical field
The present invention relates to the field of communication technology, and in particular to a method, apparatus and system for acquiring a user identity.
Background art
With the rapid development of mobile communication technology, the mobile phone, the most common mobile communication device, has become ubiquitous and an indispensable part of daily life. Whether 2G (2nd Generation) GSM (Global System for Mobile Communications) and CDMA (Code Division Multiple Access) phones or 3G (3rd Generation) phones, all of them require a SIM (Subscriber Identity Module) card or a USIM (Universal Subscriber Identity Module) card. Alongside the rapid spread of mobile phones, other forms of card-bearing wireless terminal have appeared, such as netbooks, wireless data cards and wireless gateways; like phones, these terminals also need an operator's SIM or USIM card.
A SIM card, also called a smart card or subscriber identity card, must be installed in a digital mobile phone before the phone can be used. Its chip stores the subscriber's information, secret keys and other data, which the mobile network uses to authenticate the subscriber and to encrypt the subscriber's voice traffic during calls. The USIM card is an upgrade of the SIM card used in UMTS (Universal Mobile Telecommunications System) networks. The SIM or USIM card is the mobile operator's unique identifier for a subscriber, and every mobile service needs information from it for authentication and authorization. In an IMS (IP Multimedia Subsystem) network the same role is played by an ISIM (IMS Subscriber Identity Module) card. In this application, unless stated otherwise, "SIM card" is used as a collective term for ordinary SIM, USIM and ISIM cards.
The subscriber data stored on a SIM card falls into four categories. The first is fixed data written by the SIM card center before the ME (Mobile Equipment) is sold, including the International Mobile Subscriber Identity (IMSI) and the authentication key (Ki). The second is temporarily stored network-related data, such as the Location Area Identity (LAI), the Temporary Mobile Subscriber Identity (TMSI) and the codes of public networks the subscriber is barred from. The third is service-related codes, such as the Personal Identification Number (PIN), the unblocking key (PUK) and charging rates. The fourth is the phone book, the numbers entered by the user. The SIM card uses this information to authenticate the subscriber, that is, to confirm that the subscriber is legitimate. Authentication runs between the network and the SIM card, typically when the mobile terminal registers with the network or sets up a call. To start, the network generates a 128-bit random number RAND and sends it to the mobile station over the radio control channel. The SIM card computes the response SRES from the received RAND using the key Ki stored on the card and algorithm A3, and returns SRES to the network.
On the network side, the authentication center looks up the subscriber's Ki, computes SRES from the same RAND with the same algorithm A3 and compares it with the SRES received; if the two match, authentication succeeds.
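The RAND/SRES run described above, as an added example in Python that is not part of the application text. GSM does not standardize A3 (each operator chooses its own), so an HMAC-SHA256 truncated to 32 bits stands in for it here; the `Sim` and `AuthenticationCenter` classes and the IMSI/Ki values are constructed for the example, and session-key derivation (A8/Kc) is not modeled.

```python
import hashlib
import hmac
import secrets

# Constructed model of the RAND/SRES run described above. GSM leaves A3 to the
# operator, so HMAC-SHA256 truncated to 32 bits stands in for it here; the
# 128-bit Ki and RAND and the 32-bit SRES are the real sizes.


def a3(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for the operator's A3: SRES = A3(Ki, RAND), 4 bytes."""
    if len(ki) != 16 or len(rand) != 16:
        raise ValueError("Ki and RAND are 128 bits each")
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]


class Sim:
    """SIM card side: holds Ki and only ever releases SRES, never Ki itself."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes) -> bytes:
        return a3(self._ki, rand)


class AuthenticationCenter:
    """Network side (AuC): knows each subscriber's Ki, issues RAND, checks SRES."""

    def __init__(self):
        self._keys = {}                     # IMSI -> Ki

    def provision(self, imsi: str, ki: bytes) -> None:
        self._keys[imsi] = ki

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)      # fresh 128-bit RAND for every run

    def check(self, imsi: str, rand: bytes, sres: bytes) -> bool:
        ki = self._keys.get(imsi)
        if ki is None:
            return False
        return hmac.compare_digest(a3(ki, rand), sres)


def authenticate(sim: Sim, auc: AuthenticationCenter) -> bool:
    """One run: RAND goes to the mobile, SRES comes back, the AuC compares."""
    rand = auc.new_challenge()
    sres = sim.run_gsm_algorithm(rand)      # computed on the card
    return auc.check(sim.imsi, rand, sres)
```

The point the text makes is visible in the code: Ki never crosses the radio interface, only RAND and the 32-bit SRES do, and a fresh RAND per run means a captured SRES is useless against the next challenge.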
At present a SIM card is tied to one device: every terminal carries its own SIM card, used for user authentication, service authorization and so on. Only a terminal with a SIM card can obtain the services offered by a mobile operator, for example MMS/SMS-based value-added services; a terminal without a SIM card cannot obtain them.
In the course of making the present invention, the inventors found that the prior art has at least the following defects:
In some scenarios the one-device-one-card model wastes SIM card resources and lowers ARPU (Average Revenue Per User, the average monthly service revenue per subscriber). In a home network, for example, there may be a card-bearing wireless home gateway, a data card and a netbook. The members of the household use these devices to access a service over the mobile network; although they all belong to the same household, each device uses an independent SIM card and so, from the service point of view, they are completely unrelated, which hinders the development of household services and the improvement of the user experience.
Every service an operator offers must be identified by a SIM card, so only card-bearing terminals can use it. Devices without a SIM card, such as ordinary laptops, desktop computers and digital photo frames, cannot use operator services at all. Yet in some settings, for example a home network with many devices, some with SIM cards and some without, family members want to use operator services from different terminals, and the prior art cannot meet this need.
Summary of the invention
Embodiments of the present invention provide a method, apparatus and system for acquiring a user identity, used to provide a user identity to a cardless terminal.
An embodiment of the present invention provides a method for acquiring a user identity, comprising:
a terminal provided with a subscriber identity module receives a user identity request, the terminal provided with the subscriber identity module serving as the card-bearing terminal;
the card-bearing terminal generates a user identity corresponding to the user identity request and sends the user identity.
An embodiment of the present invention further provides an apparatus for acquiring a user identity, comprising:
a receiving module, configured to receive a user identity request;
a subscriber identity module, configured to generate a user identity corresponding to the user identity request;
a sending module, configured to send the user identity generated by the subscriber identity module.
An embodiment of the present invention further provides a system for acquiring a user identity, comprising:
a card-bearing terminal, provided with a subscriber identity module and configured to receive a user identity request, generate a user identity corresponding to the user identity request and send the user identity;
a cardless terminal, not provided with a subscriber identity module and configured to send a user identity request to the card-bearing terminal and receive the user identity returned by the card-bearing terminal.
Compared with the prior art, the embodiments of the present invention have the following advantage: by providing user identities to cardless terminals over Ethernet switching, they can supply valid user identities to multiple devices, which reduces device cost and saves SIM card resources.
Description of drawings
To illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for their description are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flow chart of a method for acquiring a user identity in an embodiment of the present invention;
Fig. 2 is a schematic diagram of the networking of a user identity center in an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a user identity center in an embodiment of the present invention;
Fig. 4 is a flow chart of acquiring a user identity in an application scenario of an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an apparatus for acquiring a user identity in an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of an apparatus for acquiring a user identity in an application scenario of an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a system for acquiring a user identity in an embodiment of the present invention.
Detailed description
The core idea of the technical solutions provided by the embodiments of the present invention is a SIM-card-bearing apparatus that provides user identities to cardless devices, that is, a card-bearing terminal. The card-bearing terminal and the cardless terminals form a local area network; a cardless terminal connects to the user identity center by way of Ethernet switching, and the SIM card of the card-bearing terminal is used to identify the service. A cardless terminal on the Ethernet can then access the services offered by the mobile operator using the user identity returned by the card-bearing terminal, and that identity serves for user identification, service authorization and so on. A SIM card that originally provided a user identity for the services of a single terminal thereby provides user identities for multiple services on multiple terminals.
The technical solutions of the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the embodiments described are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a flow chart of a method for acquiring a user identity in an embodiment of the present invention, comprising the following steps:
Step 101: a terminal provided with a subscriber identity module receives a user identity request; the terminal provided with the subscriber identity module serves as the card-bearing terminal.
Here the user identity request received by the card-bearing terminal is sent by a cardless terminal, that is, a terminal without a subscriber identity module; "subscriber identity module" is the collective term for ordinary SIM, USIM and ISIM cards. The user identity request carries the device identifier (device ID) and the service ID of the cardless terminal.
The card-bearing terminal generates the user identity corresponding to the request as follows: it performs device identity authentication and service authority authentication of the cardless terminal according to the device ID and the service ID; once both pass, it generates the user identity from the device ID, the service ID and the authentication key stored in the subscriber identity module.
Before the cardless terminal sends the user identity request to the card-bearing terminal, the card-bearing terminal may issue a temporary key to the cardless terminal, so that the cardless terminal can use that temporary key to establish a secure connection to the card-bearing terminal before sending the request.
Step 102: the card-bearing terminal generates the user identity corresponding to the user identity request and sends it.
Specifically, after sending the user identity request to the card-bearing terminal, the cardless terminal may also send a service request carrying the user identity to the service platform. The cardless terminal then receives a user identity verification request from the service platform, carrying the verification information the service platform has assigned to that user identity, and forwards a user identity verification request carrying the user identity and the verification information to the card-bearing terminal. The card-bearing terminal obtains a verification result for the user identity from the user identity and the verification information and returns it to the cardless terminal, which sends the verification result on to the service platform so that the service platform can verify the user identity against it.
The card-bearing terminal obtains the verification result as follows: it computes a digest of the user identity from the user identity and the verification information and uses that digest as the verification result.
The user identity verification request carrying the user identity and the verification information also carries the device ID and the service ID. The card-bearing terminal computes the digest as follows: it performs device identity authentication and service authority authentication of the cardless terminal according to the device ID and the service ID; once both pass, it computes the digest of the user identity with a message digest algorithm over the verification information, the user identity and the service key stored in the subscriber identity module.
The embodiments of the present invention provide user identities to cardless terminals over Ethernet switching, can supply valid user identities to multiple devices, reduce device cost and save SIM card resources.
The method for acquiring a user identity in the embodiments of the present invention can be implemented by a user identity center: the card-bearing terminal provided with a subscriber identity module in the embodiment above is the user identity center, and the cardless terminal is the user device. Fig. 2 is a schematic diagram of the networking of the user identity center in an embodiment of the present invention. The user identity center and the user devices form a local area network, connected either by wire or by wireless WiFi (Wireless Fidelity). The user identity center carries one SIM card; the user devices may be cardless terminals. The user identity center and the user devices on the LAN can reach one another, and whenever a user device accesses a service it must first obtain a user identity from the user identity center. The LAN may be connected to external networks through a wired or wireless gateway device.
Specifically, the user identity center is mainly used to generate, from the authentication key stored on the SIM card together with the device ID and service ID received from a cardless terminal, the user identity corresponding to that cardless terminal, to provide that user identity to the service on the cardless terminal, and to carry out device identity authentication management, service authority authentication management, user identity management and user identity integrity protection. Device authentication management verifies the devices that connect to the user identity center to ensure they are legitimate; only a legitimate device can obtain a user identity from the center. Service authority authentication management authenticates the authority for the service the user wants to access; only a legitimate device accessing a legitimate service obtains a correct user identity. User identity management means that the user identity center distributes user identities to legitimate terminals accessing legitimate services; the terminal takes the user identity obtained from the center to the service platform, and the service platform confirms the user identity in order to verify that the user is legitimate. User identity integrity protection means that, to verify the user's legitimacy, the service platform sends a user identity confirmation request to the terminal; the terminal forwards it to the user identity center, which applies integrity protection to the user identity and returns the integrity-protected user identity to the terminal, and the terminal then accesses the service with the integrity-protected user identity.
To verify the legitimacy of devices that connect to it, the user identity center may, after successfully registering a user device, use a certificate distribution mechanism to issue a device certificate to the user device over a secure network interface or a USB interface. A user device that has received its device certificate need not register again when it requests a user identity from the user identity center.
Specifically, when the device certificate is distributed over the secure network interface, a Category 5 cable can be connected explicitly between the user identity center and the user device, designating the two endpoints of the authorization and expressing the user's intent to authorize. After the two devices are cabled together, the authorization button on the user identity center is pressed explicitly; the user identity center then issues the device certificate to the user device and authorizes it, and displays the result of the authorization once it completes.
When the certificate is distributed over the USB interface, a USB flash drive is plugged into the user identity center, which writes a temporary key to the drive as the device certificate; the drive is then plugged into the user device. Using the temporary key carried on the drive, the two devices authenticate each other and set up an encrypted channel, over which the user device is authorized.
Fig. 3 is a schematic structural diagram of the user identity center in an embodiment of the present invention, comprising a sending/receiving module, a terminal authentication module, a service identification module, a service identity module, a SIM card operation module, a certificate distribution module and an authentication information database. The sending/receiving module receives service user identity requests initiated by other terminals over the Ethernet. The terminal authentication module verifies the legitimacy of the requesting terminal against the authentication information in the database; if the request comes from a legitimate terminal, the service identification module extracts the service identifier and passes it to the SIM card operation module. The service identity module applies integrity protection, based on the SIM card information, to the user information for the specified service, and the resulting user identity is returned to the terminal through the sending/receiving module. The certificate distribution module distributes device certificates to other terminals, either over the network interface or over the USB interface.
The method for acquiring a user identity in the embodiments of the present invention is described in detail below with reference to the application scenario above.
Fig. 4 is a flow chart of acquiring a user identity in an application scenario of an embodiment of the present invention, comprising the following steps:
Step 401: the user identity center performs device registration with the user device.
Specifically, the user identity center receives a device registration request from the user device and registers the device according to it. After successful registration, the user identity center may also issue a device certificate to the user device, which the user device can then use to access the user identity center.
Step 402: the user device sends a user identity request to the user identity center.
Specifically, when a terminal on the LAN wants to access the service platform, it first has to request a user identity from the user identity center: it sends a user identity request carrying its device ID and the service ID.
Step 403: the user identity center performs device identity authentication and service authority authentication of the user device.
Specifically, the user identity center authenticates the device identity according to the device ID and the service authority according to the service ID.
Step 404: the user identity center returns a user identity request response to the user device.
Specifically, when both device identity authentication and service authority authentication pass, the user identity center generates the user identity from the device ID, the service ID and the authentication key among the data stored on the SIM card, and returns to the user device a user identity request response carrying that user identity; otherwise it rejects the user identity request.
Step 405: the user device sends a service request to the service platform.
The service request carries the user identity and the service ID.
Step 406: the service platform verifies the user identity.
Step 407: the service platform sends a user identity verification request to the user device.
The user identity verification request carries the verification information Nonce.
Step 408: the user device sends a user identity verification request to the user identity center.
This user identity verification request carries the device ID, the service ID, the user identity and the verification information Nonce (a random number).
Step 409: the user identity center performs device identity authentication and service authority authentication of the user device and, once both pass, applies integrity protection to the user identity according to the verification information.
Specifically, the user identity center authenticates the device identity according to the device ID and the service authority according to the service ID. When both pass, the user identity center can use MD5 (Message-Digest Algorithm 5) to obtain the integrity-protected user identity, that is, the digest of the user identity, from the service key and the verification information Nonce in the user identity verification request. The service key is derived from the authentication key stored on the SIM card of the user identity center; it may be stored in advance on that SIM card or generated upon receipt of the user identity verification request.
Step 410: the user identity center returns the integrity-protected user identity to the user device.
Step 411: the user device sends a service request to the service platform.
The service request carries the service ID and the integrity-protected user identity.
Step 412: the service platform returns a service request response to the user device.
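The exchange in steps 401 to 412 (the same flow the method description gives in abstract form, including the temporary key issued at registration that stands in for the device certificate), as an added, constructed three-party model in Python. It is not code from the application. Everything the text leaves open is an assumption here: how the device proves its identity (possession of the registration key), how the identity and the service key are derived from Ki (HMAC-SHA256 with fixed labels), and that the service platform has been provisioned with the service key, without which it cannot check the digest. The digest itself follows the text (MD5 over service key, identity and Nonce).

```python
import hashlib
import hmac
import secrets

# Constructed three-party model of steps 401-412: a card-bearing identity
# center (Ki stays inside it), a cardless user device on the LAN and an operator
# service platform. Key derivations, the device-proof format and the platform's
# possession of the service key are assumptions; the text fixes only the inputs.

def digest_identity(service_key, identity, nonce):
    """Integrity value as the text describes: MD5 over service key, identity and Nonce.
    Secret-prefix MD5 is length-extendable and MD5 is broken; a keyed MAC such as
    hmac.new(service_key, identity.encode() + nonce, hashlib.sha256) replaces it."""
    return hashlib.md5(service_key + identity.encode() + nonce).hexdigest()

def device_proof(temp_key, device_id, service_id):
    """Device proves possession of the key issued at registration (assumption)."""
    return hmac.new(temp_key, f"{device_id}|{service_id}".encode(), hashlib.sha256).hexdigest()

class IdentityCenter:
    """Card-bearing terminal acting as the user identity center."""

    def __init__(self, ki):
        self._ki = ki           # authentication key from the SIM, never exported
        self._devices = {}      # device_id -> (temporary key, permitted service IDs)

    def service_key(self, service_id):
        # Derived from Ki as the text says; the derivation itself is assumed
        return hmac.new(self._ki, b"svc|" + service_id.encode(), hashlib.sha256).digest()

    def register(self, device_id, services):
        # Step 401: the temporary key plays the role of the device certificate
        temp_key = secrets.token_bytes(32)
        self._devices[device_id] = (temp_key, set(services))
        return temp_key

    def _authorize(self, device_id, service_id, proof):
        # Device identity check, then service authority check (steps 403 and 409)
        entry = self._devices.get(device_id)
        if entry is None:
            return False
        temp_key, services = entry
        expected = device_proof(temp_key, device_id, service_id)
        return hmac.compare_digest(expected, proof) and service_id in services

    def request_identity(self, device_id, service_id, proof):
        # Steps 402-404: identity bound to device ID, service ID and Ki
        if not self._authorize(device_id, service_id, proof):
            return None
        msg = f"uid|{device_id}|{service_id}".encode()
        return hmac.new(self._ki, msg, hashlib.sha256).hexdigest()[:32]

    def protect_identity(self, device_id, service_id, identity, nonce, proof):
        # Steps 408-410: re-check the device, then digest with the service key
        if not self._authorize(device_id, service_id, proof):
            return None
        return digest_identity(self.service_key(service_id), identity, nonce)

class ServicePlatform:
    """Operator service; assumed to have been provisioned with its service key."""

    def __init__(self, service_id, service_key):
        self.service_id, self._key = service_id, service_key
        self._pending = {}      # identity -> outstanding Nonce, single use

    def service_request(self, identity, service_id):
        # Steps 405-407: accept a well-formed identity, challenge it with a Nonce
        if service_id != self.service_id or len(identity) != 32:
            return None
        nonce = secrets.token_bytes(16)
        self._pending[identity] = nonce
        return nonce

    def verify(self, identity, protected):
        # Steps 411-412: the Nonce is consumed, so a replayed digest is rejected
        nonce = self._pending.pop(identity, None)
        if nonce is None:
            return False
        return hmac.compare_digest(digest_identity(self._key, identity, nonce), protected)

def device_access(center, platform, device_id, temp_key):
    """Cardless terminal's side of the flow: relay between center and platform."""
    sid = platform.service_id
    proof = device_proof(temp_key, device_id, sid)
    identity = center.request_identity(device_id, sid, proof)               # 402-404
    nonce = platform.service_request(identity, sid) if identity else None  # 405-407
    if nonce is None:
        return False
    protected = center.protect_identity(device_id, sid, identity, nonce, proof)  # 408-410
    return protected is not None and platform.verify(identity, protected)  # 411-412

def run_scenario(permitted_services=("mms",)):
    """One 'photoframe-01' device asking for 'mms'; Ki and IDs are constructed."""
    center = IdentityCenter(bytes.fromhex("00112233445566778899aabbccddeeff"))
    platform = ServicePlatform("mms", center.service_key("mms"))
    temp_key = center.register("photoframe-01", permitted_services)       # 401
    return device_access(center, platform, "photoframe-01", temp_key)
```

Two points the text leaves implicit are made explicit in the code: the service platform can only check the digest if it shares the service key with the identity center (here passed in at construction), and the Nonce must be single-use, otherwise a captured identity and digest pair can be replayed, which is why `verify` pops the Nonce. The MD5 construction is kept because the text names it; in a new design the digest would be a keyed MAC.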
本发明实施例通过以太网交换技术为无卡终端提供用户身份标识并进行身份认证,可以为多个设备提供有效的用户身份标识,降低了设备的成本,节省了SIM卡资源,提高了ARPU值,便于终端设备的部署,可以使无卡终端能够访问移动运营商开展的业务,并利用用户身份标识中心进行用户身份标识和业务鉴权;此外,由于基于统一的用户身份标识中心分发用户身份标识,便于运营商对业务进行统一认证与管理。The embodiment of the present invention provides user identity identification and identity authentication for cardless terminals through Ethernet switching technology, can provide effective user identification identification for multiple devices, reduces the cost of equipment, saves SIM card resources, and improves ARPU value , which facilitates the deployment of terminal equipment, enables cardless terminals to access the services carried out by mobile operators, and uses the user identity center to perform user identity identification and service authentication; , which is convenient for operators to perform unified authentication and management on services.
The foregoing embodiments describe a method for obtaining a user identity and its application scenarios. Correspondingly, embodiments of the present invention also provide a device and a system that apply this method.
Fig. 5 is a schematic structural diagram of a device for obtaining a user identity according to an embodiment of the present invention. The device includes:
a receiving module 510, configured to receive a user identity request;
a user identification module 520, configured to generate a user identity corresponding to the user identity request; and
a sending module 530, configured to send the user identity generated by the user identification module 520.
In this embodiment of the present invention, a user identity is provided to a cardless terminal by means of Ethernet switching technology, so that valid user identities can be provided for multiple devices, which lowers device cost and saves SIM card resources.
Fig. 6 is a schematic structural diagram of a device for obtaining a user identity in an application scenario of an embodiment of the present invention. The device includes:
a receiving module 610, configured to receive a user identity request.
The user identity request is sent by a cardless terminal that has no user identification module, and carries the device identifier (device ID) and the service ID of the cardless terminal.
The receiving module 610 is further configured to receive a user identity verification request from the cardless terminal, the user identity verification request carrying the user identity and the verification information allocated by the service platform to that user identity.
a user identification module 620, configured to generate a user identity corresponding to the user identity request.
Specifically, the user identification module 620 performs device identity authentication and service authority authentication on the cardless terminal according to the device ID and the service ID; after both device identity authentication and service authority authentication pass, it generates the user identity from the device ID, the service ID and the authentication key stored in the user identification module.
an obtaining module 630, configured to obtain a verification result for the user identity according to the user identity and the verification information.
Specifically, the obtaining module 630 computes a digest of the user identity from the user identity and the verification information, and uses the digest as the verification result.
The user identity verification request further carries the device ID and the service ID.
The obtaining module 630 performs device identity authentication and service authority authentication on the cardless terminal according to the device ID and the service ID; after both pass, it computes the digest of the user identity with a message digest algorithm from the verification information, the user identity and the service key stored in the user identification module.
a sending module 640, configured to send the user identity generated by the user identification module 620.
The sending module 640 is further configured to issue a temporary key to the cardless terminal, so that the cardless terminal uses the temporary key to establish a secure connection with the card terminal before sending the user identity request.
The sending module 640 is further configured to return the verification result obtained by the obtaining module 630 to the cardless terminal.
In this embodiment of the present invention, a user identity is provided to a cardless terminal and identity authentication is performed by means of Ethernet switching technology. Valid user identities can thus be provided for multiple devices, which lowers device cost, saves SIM card resources, raises ARPU and simplifies the deployment of terminal equipment; a cardless terminal can access services operated by the mobile operator, with the user identity center used for user identification and service authentication. In addition, because user identities are distributed by a unified user identity center, the operator can authenticate and manage services centrally.
Fig. 7 is a schematic structural diagram of a system for obtaining a user identity according to an embodiment of the present invention. The system includes:
a card terminal 710, provided with a user identification module and configured to receive a user identity request, generate a user identity corresponding to the user identity request, and send the user identity; and
a cardless terminal 720, not provided with a user identification module and configured to send a user identity request to the card terminal 710 and receive the user identity returned by the card terminal.
The card terminal 710 is further configured to issue a temporary key to the cardless terminal 720.
Correspondingly, the cardless terminal 720 is further configured to use the temporary key to establish a secure connection with the card terminal 710 before sending the user identity request.
The cardless terminal 720 is further configured to send a service request carrying the user identity to the service platform; receive a user identity verification request from the service platform, the user identity verification request carrying the verification information allocated by the service platform to the user identity; send a user identity verification request carrying the user identity and the verification information to the card terminal 710; receive the verification result for the user identity from the card terminal 710; and send the verification result to the service platform, so that the service platform verifies the user identity according to the verification result.
Correspondingly, the card terminal 710 is further configured to obtain the verification result for the user identity according to the user identity and the verification information, and return the verification result to the cardless terminal.
In this embodiment of the present invention, a user identity is provided to a cardless terminal and identity authentication is performed by means of Ethernet switching technology. Valid user identities can thus be provided for multiple devices, which lowers device cost, saves SIM card resources, raises ARPU and simplifies the deployment of terminal equipment; a cardless terminal can access services operated by the mobile operator, with the user identity center used for user identification and service authentication. In addition, because user identities are distributed by a unified user identity center, the operator can authenticate and manage services centrally.
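The exchange described above (the step flow ending at step 412, and the Fig. 7 system in which the card terminal acts as user identity center) as an added example in Python; this is not the patent's own code. The page does not fix the key derivation function, the byte order of the MD5 input, how the temporary key secures the connection between the two terminals, or how the service platform obtains the service key, so all four are assumptions here: HMAC-SHA256 derivation from the SIM authentication key, digest input service key || nonce || user identity, a message authentication tag under the temporary key, and operator provisioning of the platform with the same per-service key. MD5 is used only because the page names it; the caveat a practitioner would add is that a keyed construction such as HMAC-SHA256 is the appropriate choice for an integrity check in a new design. Device IDs, service IDs and the Ki value are constructed sample data.

```python
"""Added example, not code from the patent: the exchange of figures 4 and 7
with the card terminal acting as user identity center. Assumed, because the
page does not fix them: key derivation, MD5 input order, the secure
connection as a MAC tag under the temporary key, platform key provisioning."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

def _kdf(key: bytes, *labels: str) -> bytes:
    # Assumed derivation: HMAC-SHA256 over labelled inputs.
    return hmac.new(key, "|".join(labels).encode(), hashlib.sha256).digest()

def _tag(key: bytes, msg: dict) -> str:
    # Message tag under the temporary key, standing in for the secure
    # connection between cardless and card terminal (assumption).
    return hmac.new(key, repr(sorted(msg.items())).encode(), hashlib.sha256).hexdigest()

def md5_digest(service_key: bytes, nonce: bytes, user_id: str) -> str:
    # Step 409 as the page describes it: MD5 over service key, nonce and user
    # identity. Kept as MD5 only because the page names it (see lead-in).
    return hashlib.md5(service_key + nonce + user_id.encode()).hexdigest()

@dataclass
class CardTerminal:
    ki: bytes              # authentication key held in the SIM
    entitlements: dict     # device_id -> set of permitted service_ids
    temp_key: bytes = field(default_factory=lambda: os.urandom(16))

    def _check(self, msg: dict, tag: str) -> None:
        if not hmac.compare_digest(_tag(self.temp_key, msg), tag):
            raise PermissionError("message not from the paired cardless terminal")
        if msg["device_id"] not in self.entitlements:
            raise PermissionError("device identity authentication failed")
        if msg["service_id"] not in self.entitlements[msg["device_id"]]:
            raise PermissionError("service authority authentication failed")

    def service_key(self, service_id: str) -> bytes:
        return _kdf(self.ki, "service-key", service_id)

    def identity_request(self, msg: dict, tag: str) -> str:
        self._check(msg, tag)   # device and service authentication first
        return _kdf(self.ki, "user-id", msg["device_id"], msg["service_id"]).hex()

    def verification_request(self, msg: dict, tag: str) -> str:
        self._check(msg, tag)   # re-run on the verification request too
        return md5_digest(self.service_key(msg["service_id"]), msg["nonce"], msg["user_id"])

@dataclass
class ServicePlatform:
    service_id: str
    service_key: bytes     # provisioned by the operator (assumption)
    pending: dict = field(default_factory=dict)   # user_id -> outstanding nonce

    def service_request(self, service_id: str, user_id: str) -> bytes:
        if service_id != self.service_id:
            raise ValueError("unknown service")
        self.pending[user_id] = nonce = os.urandom(16)
        return nonce

    def verify(self, user_id: str, digest: str) -> bool:
        nonce = self.pending.pop(user_id, None)   # each nonce is accepted once
        if nonce is None:
            return False
        return hmac.compare_digest(md5_digest(self.service_key, nonce, user_id), digest)

class CardlessTerminal:
    def __init__(self, device_id: str, card: CardTerminal):
        self.device_id, self.card = device_id, card
        self.temp_key = card.temp_key   # temporary key issued by the card terminal
        self.last = None

    def _send(self, handler, **msg):
        msg["device_id"] = self.device_id
        return handler(msg, _tag(self.temp_key, msg))

    def access_service(self, platform: ServicePlatform, service_id: str) -> bool:
        user_id = self._send(self.card.identity_request, service_id=service_id)
        nonce = platform.service_request(service_id, user_id)
        digest = self._send(self.card.verification_request, service_id=service_id,
                            user_id=user_id, nonce=nonce)
        self.last = (user_id, digest)
        return platform.verify(user_id, digest)

def demo() -> dict:
    # Constructed sample: one SIM, one entitled device, one service platform.
    card = CardTerminal(ki=bytes.fromhex("00112233445566778899aabbccddeeff"),
                        entitlements={"dev-A": {"svc-1"}})
    platform = ServicePlatform("svc-1", card.service_key("svc-1"))
    dev_a = CardlessTerminal("dev-A", card)
    result = {"entitled": dev_a.access_service(platform, "svc-1")}
    result["replay"] = platform.verify(*dev_a.last)   # nonce already consumed
    try:
        CardlessTerminal("dev-B", card).access_service(platform, "svc-1")
    except PermissionError as exc:
        result["unknown_device"] = str(exc)
    return result
```

Running `demo()` returns `{"entitled": True, "replay": False, "unknown_device": "device identity authentication failed"}`: the entitled device completes the flow, a replay of its digest is rejected because the platform accepts each nonce once, and an unknown device is stopped at device identity authentication before any identity is generated. The card terminal repeats both authentications on the verification request, as the obtaining module 630 is described as doing, so a terminal that obtained an identity cannot later have a digest computed for a service it is not entitled to.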
From the description of the above embodiments, those skilled in the art will understand that the present invention may be implemented by software together with a necessary general-purpose hardware platform, or by hardware, the former being the better implementation in many cases. On this understanding, the technical solution of the embodiments of the present invention, in essence or in the part that contributes to the prior art, may be embodied as a software product stored on a storage medium and including instructions that cause a terminal device (a mobile phone, a personal computer, a server, a network device, or the like) to execute the methods described in the embodiments of the present invention.
The above are only preferred embodiments of the present invention. Those of ordinary skill in the art may make improvements and refinements without departing from the principles of the embodiments of the present invention, and such improvements and refinements also fall within the protection scope of the present invention.
Those skilled in the art will understand that the modules of the device in an embodiment may be distributed in the device as described, or may be located, with corresponding changes, in one or more devices different from those of the embodiment. The modules of the above embodiments may be integrated or deployed separately, and may be combined into one module or further split into multiple sub-modules.
The serial numbers of the above embodiments are for description only and do not indicate that any embodiment is preferable to another.
The above are only a few specific embodiments of the present invention; the present invention is not limited to them, and any variation conceivable by those skilled in the art falls within its protection scope.
| Application Number | Priority Date | Filing Date | Title | Status |
|---|---|---|---|---|
| CN201010109136.8A | 2010-02-08 | 2010-02-08 | A method, device and system for obtaining user identity | Expired - Fee Related |

| Publication Number | Publication Date |
|---|---|
| CN102149079A | 2011-08-10 |
| CN102149079B | 2014-01-29 |
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C14 | Grant of patent or utility model | |
| | GR01 | Patent grant | |
| | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 2014-01-29 |