
TWI451783B - A gsm roaming authentication method - Google Patents


Publication number
TWI451783B
Authority
TW
Taiwan
Prior art keywords
code
access terminal
authentication
new access
key
Prior art date
Application number
TW101100670A
Other languages
Chinese (zh)
Other versions
TW201330663A (en
Inventor
Tzone Lih Hwang
Original Assignee
Univ Nat Cheng Kung
Application filed by Univ Nat Cheng Kung filed Critical Univ Nat Cheng Kung
Priority to TW101100670A priority Critical patent/TWI451783B/en
Priority to US13/734,235 priority patent/US8855604B2/en
Publication of TW201330663A publication Critical patent/TW201330663A/en
Application granted granted Critical
Publication of TWI451783B publication Critical patent/TWI451783B/en


Landscapes

  • Mobile Radio Communication Systems (AREA)

Description

GSM roaming authentication method

The present invention relates to a GSM communication authentication method, and in particular to a GSM roaming authentication method for use over open channels.

Because the Global System for Mobile Communication (GSM) uses digital modulation, identity authentication and message encryption, it offers higher confidentiality, greater system service capacity and the ability to carry data compared with communication systems that use analog modulation. It has therefore been widely adopted in Europe and in other parts of the world.

Referring to FIG. 1, a system diagram of the conventional GSM architecture, the conventional GSM communication system 9 comprises a mobile station (MS) 91, a new visitor location register (New VLR) 92a, an old visitor location register (Old VLR) 92b and a home location register (HLR) 93. The new VLR 92a is coupled to the mobile station 91 and to the old VLR 92b, and the HLR 93 is coupled to the old VLR 92b. It is assumed that the transmission channel between the new VLR 92a and the old VLR 92b is a secure channel SC, that the transmission channel between the old VLR 92b and the HLR 93 is a secure channel SC, and that the new VLR 92a and the old VLR 92b trust each other.

When the mobile station 91 moves from the coverage of the old VLR 92b into the coverage of the new VLR 92a and requests roaming service from the new VLR 92a instead, the conventional GSM roaming authentication method must be carried out. The mobile station 91 first requests service from the new VLR 92a. The new VLR 92a must obtain authentication data (that is, n sets of {RAND, SRES, Kc}) from the old VLR 92b, select a random number RAND from that authentication data and send it to the mobile station 91. After the mobile station 91 uses the random number RAND to generate an authentication signed response SRES', it sends SRES' to the new VLR 92a for confirmation. In this way the new VLR 92a can authenticate whether the identity of the mobile station 91 is legitimate and provide a legitimate mobile station 91 with the roaming service it requires.

However, the new VLR 92a and the old VLR 92b must satisfy the assumptions of mutual trust and a secure channel, and the data exchanged between them (for example, the authentication data) is transmitted in plaintext. When data between the mobile station 91, the new VLR 92a and the old VLR 92b passes over an open channel (also called a public channel), those assumptions cannot be met. The conventional GSM roaming authentication method therefore cannot be used over open channels, and the transmitted data may be exposed to threats from other communication systems, such as interference, interception, eavesdropping or spoofing.

Furthermore, the conventional GSM roaming authentication method depends on the assumptions of mutual trust and a secure channel, and these assumptions are not compatible with heterogeneous communication systems (for example, different communication systems). A longer communication distance also raises the risk that the data is exposed to the threats above. Consequently, authentication of the mobile station 91 by the new VLR 92a is suitable only for homogeneous communication systems (for example, where both are GSM communication systems) and short-distance communication, and cannot be used with heterogeneous communication systems or long-distance communication, which limits the applicability of the conventional GSM roaming authentication method.

In addition, because the computing power of the mobile station 91 is limited, any improvement to the conventional GSM roaming authentication method must reduce the amount of computation performed by the mobile station 91 and, at the same time, remain compatible with the roaming authentication method of the conventional GSM protocol.

In summary, the conventional GSM roaming authentication method not only depends on the assumptions of mutual trust and a secure channel but also gives rise to many limitations and shortcomings in actual use. It is inconvenient and needs further improvement to increase its practicality.

The object of the present invention is to remedy the above shortcomings by providing a GSM roaming authentication method in which the new VLR and the old VLR hold a shared key that serves as the basis for authenticating the data they exchange, so that the method is suitable for transmitting data over open channels.

A second object of the present invention is to provide a GSM roaming authentication method in which the new VLR and the old VLR hold a shared key that serves as the basis for authenticating the data they exchange, so that the method is suitable for heterogeneous communication systems.

Another object of the present invention is to provide a GSM roaming authentication method in which the new VLR and the old VLR hold a shared key that serves as the basis for authenticating the data they exchange, so that the method is suitable for long-distance communication.

A GSM roaming authentication method comprises: a request procedure, in which a mobile station sends a temporary mobile subscriber identity (TMSI) to a new VLR to request roaming service from the new VLR; an inquiry procedure, in which the new VLR generates a challenge code and sends the challenge code and the TMSI to an old VLR; a response procedure, in which the old VLR confirms the TMSI, generates a response code from the challenge code, authentication data, an international mobile subscriber identity (IMSI) and a shared key, and sends the response code to the new VLR; a notification procedure, in which the new VLR confirms the response code with the shared key and sends one random number of the random number sequence to the mobile station; and an authentication procedure, in which the mobile station generates an authentication signed response from a ciphering key and the random number and sends the authentication signed response to the new VLR, which confirms it as the basis for providing roaming service.

The challenge code is a randomly generated random number, a timestamp generated over time, or a sequentially generated sequence number.

In the notification procedure, the new VLR confirms whether the challenge code in the response code corresponds to the challenge code that the new VLR sent.

In the notification procedure, the new VLR stores the authentication data and the IMSI after confirming that the challenge code is correct.

A GSM roaming authentication method comprises: a request procedure, in which a mobile station generates a first challenge code and sends the first challenge code and a temporary mobile subscriber identity (TMSI) to a new VLR to request roaming service from the new VLR; an inquiry procedure, in which the new VLR generates a second challenge code and sends the first challenge code, the second challenge code and the TMSI to an old VLR; a response procedure, in which the old VLR confirms the TMSI, generates a response code from the second challenge code, authentication data, an international mobile subscriber identity (IMSI), an authentication key and a shared key, and sends the response code to the new VLR; a notification procedure, in which the new VLR confirms the response code with the shared key, generates an authentication code from the first challenge code and the authentication key, and sends the authentication code and one random number of the random number sequence to the mobile station; and an authentication procedure, in which the mobile station generates the authentication key, confirms the authentication code with the authentication key, generates an authentication signed response from the ciphering key and the random number, and sends the authentication signed response to the new VLR, which confirms it as the basis for providing roaming service.

The first challenge code is a randomly generated random number, a timestamp generated over time, or a sequentially generated sequence number.

The second challenge code is a randomly generated random number, a timestamp generated over time, or a sequentially generated sequence number.

In the notification procedure, the new VLR confirms whether the second challenge code in the response code corresponds to the second challenge code that the new VLR sent.

The mobile station generates the authentication key from the first challenge code and the ciphering key.

The mobile station generates the authentication key by applying a hash function to the first challenge code and the ciphering key.

After confirming that the second challenge code is correct, the new VLR stores the authentication data, the IMSI and the authentication key.

The old VLR stores the authentication data, the IMSI and the authentication key.

The mobile station generates the authentication signed response by applying a hash function to the random number and the ciphering key.

In the notification step, an unused random number is selected from the random number sequence.

To make the above and other objects, features and advantages of the present invention easier to understand, preferred embodiments of the invention are described in detail below with reference to the accompanying drawings. Throughout this description, "mobile station" (MS) means the mobile transceiver device that a user can carry in a GSM communication system (that is, a mobile phone), as will be understood by a person of ordinary skill in the art to which the invention pertains.

Throughout this description, "new VLR" (New Visitor Location Register) means the visitor location register system or network in a GSM communication system that provides the mobile station with new roaming-related services, as will be understood by a person of ordinary skill in the art to which the invention pertains.

Throughout this description, "old VLR" (Old Visitor Location Register) means the visitor location register system or network in a GSM communication system that provides the mobile station's original roaming-related services, as will be understood by a person of ordinary skill in the art to which the invention pertains.

Throughout this description, "HLR" (Home Location Register) means the home location register system or network in a GSM communication system that can provide the mobile station with registration or login related services, as will be understood by a person of ordinary skill in the art to which the invention pertains.

Throughout this description, "coupling" means that two devices are connected by a wired physical link, a wireless medium or a combination of these, so that data can pass between the two devices, as will be understood by a person of ordinary skill in the art to which the invention pertains.

Throughout this description, "IMSI" (International Mobile Subscriber Identity) means the number assigned by the HLR when the mobile station applies for registration, which the HLR uses to identify the mobile station, as will be understood by a person of ordinary skill in the art to which the invention pertains.

Throughout this description, "TMSI" (Temporary Mobile Subscriber Identity) means the number assigned by the old VLR after the mobile station has completed identity authentication, which the old VLR uses to identify the mobile station, as will be understood by a person of ordinary skill in the art to which the invention pertains.

Throughout this description, "ciphering key" means the key shared by the mobile station and the HLR and used to encrypt and decrypt data, as will be understood by a person of ordinary skill in the art to which the invention pertains.

Throughout this description, "shared key" (sharing key) means the key shared by the new VLR and the old VLR and used to encrypt and decrypt data, as will be understood by a person of ordinary skill in the art to which the invention pertains.

Throughout this description, "authentication key" (authenticating key) means a key that both the mobile station and the HLR can generate on their own and that is used to authenticate the identity of the mobile station, as will be understood by a person of ordinary skill in the art to which the invention pertains.

Referring to FIG. 2, a system diagram for the GSM roaming authentication method of the present invention, the system comprises a mobile station (MS) 1, a new visitor location register (New VLR) 2a and an old visitor location register (Old VLR) 2b. The new VLR 2a is coupled to the mobile station 1 and to the old VLR 2b, and the old VLR 2b is further coupled to a home location register (HLR) 3. The construction of the mobile station 1, the new VLR 2a, the old VLR 2b and the HLR 3 will be understood by a person of ordinary skill in the art and is not described further here.

Referring to FIGS. 3 and 4 together, which show the flowchart of the GSM roaming authentication method of the present invention and the steps of the first embodiment, the method comprises a request procedure S1, an inquiry procedure S2, a response procedure S3, a notification procedure S4 and an authentication procedure S5, as follows:

In the request procedure S1, the mobile station 1 sends a temporary mobile subscriber identity (TMSI) to the new VLR 2a to request roaming service from it, after which the inquiry procedure S2 is carried out. In detail, while the mobile station 1 was within the coverage of the old VLR 2b, the old VLR 2b had already assigned the TMSI to the mobile station 1. When the mobile station 1 moves into the coverage of the new VLR 2a, it can request roaming service from the new VLR 2a instead. At that point the new VLR 2a holds no data with which to authenticate the mobile station 1, so it cannot confirm whether the identity of the mobile station 1 is legitimate and must obtain data about the mobile station 1 from the old VLR 2b in order to authenticate it. Only after the mobile station 1 has been confirmed as legitimate can the new VLR 2a provide the roaming service it requires.

In the inquiry procedure S2, the new VLR 2a generates a challenge code and sends the challenge code and the TMSI to the old VLR 2b, after which the response procedure S3 is carried out. The inquiry procedure S2 consists of a step S21 and a step S22 performed in order by the new VLR 2a.

In step S21 the new VLR 2a receives the TMSI and generates the challenge code. In detail, on receiving the TMSI the new VLR 2a learns that the mobile station 1 is requesting roaming service from it. The new VLR 2a stores the TMSI and sets out to obtain from the old VLR 2b the data needed to authenticate the mobile station 1. To ensure the validity of the data obtained from the old VLR 2b, the new VLR 2a generates the challenge code and stores it. The challenge code is a randomly generated, non-repeating, single-use value, for example a randomly generated random number, a timestamp generated over time, or a sequentially generated sequence number.

In step S22 the new VLR 2a sends the challenge code and the TMSI to the old VLR 2b. In detail, because the mobile station 1 and the old VLR 2b both hold the TMSI, the TMSI can be used to obtain from the old VLR 2b the data for authenticating the mobile station 1, and whether the old VLR 2b correctly returns the challenge code or the corresponding value of the challenge code is used to ensure the validity of the data about the mobile station 1.

In the response procedure S3, the old VLR 2b confirms the TMSI, generates a response code from the challenge code, authentication data, an international mobile subscriber identity (IMSI) and a shared key, and sends the response code to the new VLR 2a, after which the notification procedure S4 is carried out. The response procedure S3 consists of a step S31, a step S32 and a step S33 performed in order by the old VLR 2b.

In step S31 the old VLR 2b receives the TMSI and confirms whether it is correct. In detail, because the old VLR 2b and the mobile station 1 hold the same TMSI, the old VLR 2b can compare its stored TMSI with the TMSI received from the new VLR 2a. If the comparison succeeds (that is, the two are identical), step S32 follows; otherwise the subsequent steps are not carried out.

In step S32 the old VLR 2b generates the response code from the challenge code, the authentication data, the IMSI and the shared key. The authentication data and the IMSI are stored in advance at the old VLR. The authentication data comprises a random number sequence, a signed response sequence and a communication key sequence: the random number sequence contains several random numbers (for example, the m random numbers $r_1, \ldots, r_m$), the signed response sequence contains several signed responses (for example, the m signed responses $s_1, \ldots, s_m$), and the communication key sequence contains several communication keys (for example, the m keys $k_1, \ldots, k_m$). In detail, encrypting and decrypting the data with the shared key ensures its security: when the old VLR 2b transmits data to the new VLR 2a, threats from other communication systems such as interference, interception, eavesdropping or spoofing can be prevented. Furthermore, the old VLR 2b may either return the challenge code itself to the new VLR 2a or derive a corresponding value from the challenge code (for example, the two's complement of the challenge code) and return that value, as the mechanism by which the new VLR 2a recognizes the old VLR 2b. In this embodiment the old VLR 2b returns the challenge code itself to the new VLR 2a. The old VLR 2b then encrypts the challenge code, the authentication data and the IMSI with the shared key to produce the response code. The response code is produced by a conventional method of encrypting data with a key, as shown in formula (1) below:

where C is the response code; E is an encryption function, for example a symmetric encryption algorithm such as DES or 3DES; $K_{2a2b}$ is the shared key held by both the new VLR 2a and the old VLR 2b; N is the challenge code or the corresponding value generated from the challenge code; B is the authentication data; and IMSI is the international mobile subscriber identity.

In step S33 the old VLR 2b sends the response code to the new VLR 2a. In detail, the response code travels from the old VLR 2b to the new VLR 2a over an open channel.

In the notification procedure S4, the new VLR 2a confirms the response code with the shared key and sends one random number of the random number sequence to the mobile station 1, after which the authentication procedure S5 is carried out. The notification procedure S4 consists of a step S41 and a step S42 performed in order by the new VLR 2a.

In step S41 the new VLR 2a receives the response code and confirms it with the shared key. In detail, because the new VLR 2a and the old VLR 2b both hold the shared key, the new VLR 2a can decrypt the response code with it; the decryption is the counterpart of the encryption used by the old VLR 2b and is not described further here. From the decrypted contents of the response code (for example, the challenge code, the authentication data and the IMSI), the new VLR 2a confirms whether the response code contains the challenge code it sent or the corresponding value of that challenge code, that is, whether the challenge code in the response code corresponds to the challenge code the new VLR 2a sent. If it does, the new VLR 2a stores the authentication data and the IMSI; otherwise the subsequent steps are not carried out. This confirms whether the response code was returned by the legitimate old VLR 2b.

In step S42 the new VLR 2a sends one random number from the random number sequence of the authentication data to the mobile station 1. In detail, the new VLR 2a selects an unused random number from the random number sequence: for example, the first random number ($r_1$) of the sequence is chosen for the first authentication, and the second, third, ... random numbers ($r_2, r_3, \ldots$) are chosen in order for subsequent authentications. After recording the chosen random number, the new VLR 2a sends it to the mobile station 1; whether the mobile station 1 correctly returns the signed response corresponding to that random number serves as the basis for authenticating the mobile station 1.

In the authentication procedure S5, the mobile station 1 generates an authentication signed response from the ciphering key and the random number and sends it to the new VLR 2a, which confirms the authentication signed response as the basis for providing roaming service. The authentication procedure S5 consists of a step S51 and a step S52 performed by the mobile station 1, followed by a step S53 performed by the new VLR 2a.

In step S51 the mobile station 1 receives the random number sent by the new VLR 2a and applies a hash function (for example, the A3 one-way hash function) to the random number and the ciphering key to generate the authentication signed response. In detail, because the mobile station 1 and the HLR 3 share the ciphering key and the mobile station 1 is able to generate the signed response, for example by computing the A3 one-way hash function, the mobile station 1 can compute the authentication signed response from the random number and the ciphering key.

In step S52, the user terminal 1 transmits the authentication signature code to the new access terminal 2a. Specifically, because the user terminal 1 generates the authentication signature code with the same computation that the home terminal 3 uses for the signature code, the new access terminal 2a can use the authentication signature code to authenticate the user terminal 1.

In step S53, the new access terminal 2a verifies the authentication signature code. Specifically, the new access terminal 2a has already stored the authentication data and has recorded the random number it transmitted to the user terminal 1. It can therefore look up, in the authentication data, the signature code (for example, s1) that has the same position as the transmitted random number (for example, r1) and use it to verify the authentication signature code. If the authentication signature code matches the signature code corresponding to the transmitted random number, the new access terminal 2a accepts the identity of the user terminal 1 as legitimate and provides the roaming service that the user terminal 1 requires.

In summary, the first embodiment of the GSM roaming authentication method of the present invention provides a one-way authentication method in which the new access terminal 2a and the old access terminal 2b both hold the shared key as the basis for authenticating the data exchanged between them. Data can therefore be transmitted over open channels, heterogeneous communication systems and long-distance links while the security of the data is ensured and the data is protected against interference, interception, eavesdropping and spoofing.

Referring to FIGS. 3 and 5, which are the flowchart of the GSM roaming authentication method of the present invention and the step diagram of the second embodiment, the second embodiment of the present invention provides a two-way authentication method comprising a request procedure S1’, an inquiry procedure S2’, a response procedure S3’, a notification procedure S4’ and an authentication procedure S5’, wherein:

The request procedure S1’ comprises a step S11’ and a step S12’. The user terminal 1 generates a first challenge code and then transmits the first challenge code and a temporary identity code to the new access terminal 2a to request roaming service from the new access terminal 2a. The purpose of the first challenge code is to verify the identity of the new access terminal 2a. The first challenge code is generated in substantially the same way as the challenge code of the first embodiment, so the details are not repeated here.

The inquiry procedure S2’ comprises a step S21’ and a step S22’. The new access terminal 2a receives and stores the first challenge code and the international identity code, generates a second challenge code, and then transmits the first challenge code, the second challenge code and the temporary identity code to an old access terminal 2b. The purpose of the second challenge code and the way it is generated are substantially the same as for the challenge code of the first embodiment, so the details are not repeated here.

The response procedure S3’ comprises a step S31’, a step S32’ and a step S33’. The old access terminal 2b confirms the temporary identity code, generates a response code from the second challenge code, authentication data, an international identity code, an authentication key and a shared key, and then transmits the response code to the new access terminal 2a. The authentication key was previously generated by the home terminal 3 and transmitted to the old access terminal 2b; once the identity of the user terminal 1 has been authenticated by the old access terminal 2b, the authentication key is stored at the old access terminal 2b. The way the temporary identity code is confirmed, the composition of the authentication data and the way the response code is transmitted are substantially the same as in the first embodiment, so the details are not repeated here. The response code is generated as shown in formula (2):

where C is the response code; E is an encryption function, for example a symmetric encryption algorithm such as DES or 3DES; K2a2b is the shared key held by both the new access terminal 2a and the old access terminal 2b; N2 is the second challenge code or a corresponding value generated from the second challenge code; B is the authentication data; IMSI is the international identity code; and Kauth is the authentication key stored in advance at the old access terminal 2b.

The notification procedure S4’ comprises a step S41’, a step S42’ and a step S43’. The new access terminal 2a receives the response code and uses the shared key to decrypt the data it contains (for example, the second challenge code or the corresponding value generated from the second challenge code, the authentication data, the international identity code and the authentication key), in order to confirm that the data contained in the response code corresponds to the second challenge code that the new access terminal 2a transmitted, for example by confirming that the second challenge code in the response code is the same as the second challenge code that the new access terminal 2a transmitted. If the check succeeds, the new access terminal 2a stores the authentication data, the international identity code and the authentication key, and then generates an authentication code from the first challenge code and the authentication key. The authentication code is generated by a conventional method of encrypting data with a key, as shown in formula (3):

where D is the authentication code; E is an encryption function, for example a symmetric encryption algorithm such as DES or 3DES; Kauth is the authentication key contained in the response code; and N1 is the first challenge code. The new access terminal 2a then transmits the authentication code and one random number of the random number sequence (for example, r1) to the user terminal 1.

The authentication procedure S5’ comprises a step S51’, a step S52’, a step S53’, a step S54’ and a step S55’. The user terminal 1 generates the authentication key from the first challenge code and the encryption key using a hash function (for example, the A8 one-way hash function) and uses the authentication key to generate the authentication code, in order to confirm that the authentication code transmitted by the new access terminal 2a is correct and that the first challenge code is the same as the first challenge code that the user terminal 1 transmitted. This is the mechanism by which the user terminal 1 authenticates the new access terminal 2a. The user terminal 1 then generates an authentication signature code from the encryption key and the random number (for example, r1) and transmits it to the new access terminal 2a, which verifies the authentication signature code as the basis for providing the roaming service. The authentication signature code is generated and verified in substantially the same way as in the first embodiment, so the details are not repeated here.
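The exchange of the second embodiment (S1’ to S5’), which also contains the random-number and signature-code check of the first embodiment (S42, S51 to S53), written out as an added example; it is not code from the patent. Assumptions: HMAC-SHA256 stands in for the A3 and A8 hash functions and for the encryption function E (the page names DES or 3DES), all class and method names, keys and identity values are constructed, and `Home.issue`, through which the old access terminal obtains an authentication key matching the first challenge code, is a hypothetical step, since the page says only that the home terminal generated that key earlier.

```python
import hashlib, hmac, json, secrets, time

def H(key, label, msg):          # HMAC-SHA256 with a domain-separation label
    return hmac.new(key, label + msg, hashlib.sha256).digest()

def a3(ki, r):                   # stand-in for A3: signature code from (r, Ki)
    return H(ki, b"A3", r)[:4].hex()
def a8(ki, n1):                  # stand-in for A8: authentication key from (N1, Ki)
    return H(ki, b"A8", n1.encode())[:16]

def _ks(key, iv, n):             # keystream of the stand-in cipher
    blocks = (H(key, b"ks", iv + i.to_bytes(4, "big")) for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def E(key, obj):                 # stand-in for E_K(...): deterministic, integrity-checked
    pt = json.dumps(obj, sort_keys=True).encode()
    iv = H(key, b"iv", pt)
    return iv + bytes(a ^ b for a, b in zip(pt, _ks(key, iv, len(pt))))

def E_open(key, blob):
    iv, ct = blob[:32], blob[32:]
    pt = bytes(a ^ b for a, b in zip(ct, _ks(key, iv, len(ct))))
    if not hmac.compare_digest(iv, H(key, b"iv", pt)):
        raise ValueError("response code was not produced under this key")
    return json.loads(pt)

class Home:                      # home terminal 3: holds Ki for each IMSI
    def __init__(self, ki_by_imsi):
        self.ki_by_imsi = ki_by_imsi
    def issue(self, imsi, n1):   # hypothetical step (assumption, see lead-in)
        ki = self.ki_by_imsi[imsi]
        rs = [secrets.token_bytes(16) for _ in range(3)]
        return {"B": [[r.hex(), a3(ki, r)] for r in rs], "Kauth": a8(ki, n1).hex()}

class OldAccess:                 # old access terminal 2b
    def __init__(self, home, k2a2b, imsi_by_tmsi):
        self.home, self.k2a2b, self.imsi_by_tmsi = home, k2a2b, imsi_by_tmsi
    def respond(self, n1, n2, tmsi):               # S3'
        imsi = self.imsi_by_tmsi[tmsi]             # KeyError: unknown temporary identity
        return E(self.k2a2b, {"N2": n2, "IMSI": imsi, **self.home.issue(imsi, n1)})

class NewAccess:                 # new access terminal 2a
    def __init__(self, old, k2a2b):
        self.old, self.k2a2b, self.sessions = old, k2a2b, {}
    def request(self, n1, tmsi):                   # S2' and S4'
        n2 = str(time.time_ns())                   # second challenge code (time stamp)
        msg = E_open(self.k2a2b, self.old.respond(n1, n2, tmsi))
        if msg["N2"] != n2:
            raise ValueError("response code does not match the second challenge code")
        r, s = msg["B"].pop(0)                     # first unused random number
        self.sessions[tmsi] = {"expect": s, **msg} # store B, IMSI and Kauth
        return E(bytes.fromhex(msg["Kauth"]), {"N1": n1}), r   # (D, r)
    def verify(self, tmsi, code):                  # S5', new access terminal side
        expect = self.sessions[tmsi].pop("expect", None)   # each r is single use
        return expect is not None and hmac.compare_digest(expect, code)

class User:                      # user terminal 1
    def __init__(self, ki, tmsi):
        self.ki, self.tmsi, self.n1 = ki, tmsi, None
    def start(self):                               # S1'
        self.n1 = str(time.time_ns())              # first challenge code (time stamp)
        return self.n1, self.tmsi
    def answer(self, d, r_hex):                    # S5', user terminal side
        kauth = a8(self.ki, self.n1)
        if not hmac.compare_digest(d, E(kauth, {"N1": self.n1})):
            raise PermissionError("new access terminal failed authentication")
        return a3(self.ki, bytes.fromhex(r_hex))

def demo():                      # constructed keys, IMSI and temporary identity
    ki, k = secrets.token_bytes(16), secrets.token_bytes(16)
    old = OldAccess(Home({"001010123456789": ki}), k, {"tmsi-01": "001010123456789"})
    new, user = NewAccess(old, k), User(ki, "tmsi-01")
    code = user.answer(*new.request(*user.start()))
    return new.verify("tmsi-01", code), new.verify("tmsi-01", code)
```

`demo()` returns `(True, False)`: the first signature code is accepted, and presenting the same code again fails because the random number it answers has already been used.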

In summary, the second embodiment of the GSM roaming authentication method of the present invention provides a two-way authentication method in which the new access terminal 2a and the old access terminal 2b both hold the shared key as the basis for authenticating the data exchanged between them. Data can therefore be transmitted over open channels, heterogeneous communication systems and long-distance links while the security of the data is ensured and the data is protected against interference, interception, eavesdropping and spoofing.

With the technical means disclosed above, the main features of the GSM roaming authentication method of the present invention are as follows: the user terminal 1 and the home terminal 3 both hold the encryption key, the new access terminal 2a and the old access terminal 2b both hold the shared key, and the user terminal 1 and the old access terminal 2b both hold the authentication key, as the basis for authenticating data. The authentication key is generated by the home terminal 3 and transmitted to the old access terminal 2b; once the identity of the user terminal 1 has been authenticated, the authentication key is stored at the old access terminal 2b. Data can therefore be transmitted over open channels, heterogeneous communication systems and long-distance links while the security of the data is ensured and the data is protected against interference, interception, eavesdropping and spoofing.

Although the present invention has been disclosed by means of the preferred embodiments above, they are not intended to limit the invention. Changes and modifications that a person skilled in the art makes to these embodiments without departing from the spirit and scope of the invention remain within the technical scope protected by the invention, so the scope of protection is that defined by the appended claims.

[The present invention]

1...user terminal

2a...new access terminal

2b...old access terminal

3...home terminal

S1, S1’...request procedure

S2, S2’...inquiry procedure

S3, S3’...response procedure

S4, S4’...notification procedure

S5, S5’...authentication procedure

[Prior art]

9...conventional GSM communication system

91...user terminal

92a...new access terminal

92b...old access terminal

93...home terminal

SC...secure channel

FIG. 1: System diagram of the conventional GSM architecture.

FIG. 2: System diagram of the GSM roaming authentication method of the present invention.

FIG. 3: Flowchart of the GSM roaming authentication method of the present invention.

FIG. 4: Step diagram of the first embodiment of the GSM roaming authentication method of the present invention.

FIG. 5: Step diagram of the second embodiment of the GSM roaming authentication method of the present invention.

Claims (11)

1. A GSM roaming authentication method, comprising: a request procedure, in which a user terminal transmits a temporary identity code to a new access terminal to request roaming service from the new access terminal; an inquiry procedure, in which the new access terminal generates a challenge code and transmits the challenge code and the temporary identity code to an old access terminal, the challenge code being a time stamp generated over time; a response procedure, in which the old access terminal confirms the temporary identity code, generates a response code from the challenge code, authentication data, an international identity code and a shared key, and transmits the response code to the new access terminal; a notification procedure, in which the new access terminal verifies the response code with the shared key and transmits one random number of a random number sequence to the user terminal; and an authentication procedure, in which the user terminal generates an authentication signature code from an encryption key and the random number and transmits the authentication signature code to the new access terminal, and the new access terminal verifies the authentication signature code as the basis for providing the roaming service.

2. The GSM roaming authentication method according to claim 1, wherein in the notification procedure the new access terminal confirms whether the challenge code in the response code corresponds to the challenge code transmitted by the new access terminal.

3. The GSM roaming authentication method according to claim 1, wherein in the notification procedure the new access terminal stores the authentication data and the international identity code after confirming that the challenge code is correct.

4. A GSM roaming authentication method, comprising: a request procedure, in which a user terminal generates a first challenge code and transmits the first challenge code and a temporary identity code to a new access terminal to request roaming service from the new access terminal, the first challenge code being a time stamp generated over time; an inquiry procedure, in which the new access terminal generates a second challenge code and transmits the first challenge code, the second challenge code and the temporary identity code to an old access terminal, the second challenge code being a time stamp generated over time; a response procedure, in which the old access terminal confirms the temporary identity code, generates a response code from the second challenge code, authentication data, an international identity code, an authentication key and a shared key, and transmits the response code to the new access terminal; a notification procedure, in which the new access terminal verifies the response code with the shared key, generates an authentication code from the first challenge code and the authentication key, and transmits the authentication code and one random number of a random number sequence to the user terminal; and an authentication procedure, in which the user terminal generates the authentication key, verifies the authentication code with the authentication key, generates an authentication signature code from an encryption key and the random number, and transmits the authentication signature code to the new access terminal, and the new access terminal verifies the authentication signature code as the basis for providing the roaming service.

5. The GSM roaming authentication method according to claim 4, wherein in the notification procedure the new access terminal confirms whether the second challenge code in the response code corresponds to the second challenge code transmitted by the new access terminal.

6. The GSM roaming authentication method according to claim 4, wherein the user terminal generates the authentication key from the first challenge code and the encryption key.

7. The GSM roaming authentication method according to claim 4, wherein the user terminal computes the authentication key from the first challenge code and the encryption key using a hash function.

8. The GSM roaming authentication method according to claim 4, wherein the new access terminal stores the authentication data, the international identity code and the authentication key after confirming that the second challenge code is correct.

9. The GSM roaming authentication method according to claim 1 or 4, wherein the old access terminal stores the authentication data, the international identity code and the authentication key.

10. The GSM roaming authentication method according to claim 1 or 4, wherein the user terminal computes the authentication signature code from the random number and the encryption key using a hash function.

11. The GSM roaming authentication method according to claim 1 or 4, wherein the notification step selects an unused random number from the random number sequence.
TW101100670A 2012-01-06 2012-01-06 A gsm roaming authentication method TWI451783B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
TW101100670A TWI451783B (en) 2012-01-06 2012-01-06 A gsm roaming authentication method
US13/734,235 US8855604B2 (en) 2012-01-06 2013-01-04 Roaming authentication method for a GSM system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW101100670A TWI451783B (en) 2012-01-06 2012-01-06 A gsm roaming authentication method

Publications (2)

Publication Number Publication Date
TW201330663A TW201330663A (en) 2013-07-16
TWI451783B true TWI451783B (en) 2014-09-01

Family

ID=49225925

Family Applications (1)

Application Number Title Priority Date Filing Date
TW101100670A TWI451783B (en) 2012-01-06 2012-01-06 A gsm roaming authentication method

Country Status (1)

Country Link
TW (1) TWI451783B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TW200910897A (en) * 2007-08-24 2009-03-01 Ind Tech Res Inst Group authentication method

Also Published As

Publication number Publication date
TW201330663A (en) 2013-07-16


Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees