CN113923658A - APN-based adaptive terminal authentication method and system - Google Patents


Publication number
CN113923658A
Authority
CN
China
Prior art keywords
terminal
aka
encryption algorithm
apn
authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111159393.7A
Other languages
Chinese (zh)
Other versions
CN113923658B (en)
Inventor
张松磊
贾强
陈爽
倪文书
刘刚
陈人楷
林昱
陈均
陈小倩
詹璇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Fujian Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Fujian Electric Power Co Ltd
Original Assignee
State Grid Fujian Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Fujian Electric Power Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Fujian Electric Power Co Ltd, Information and Telecommunication Branch of State Grid Fujian Electric Power Co Ltd filed Critical State Grid Fujian Electric Power Co Ltd
Priority to CN202111159393.7A priority Critical patent/CN113923658B/en
Publication of CN113923658A publication Critical patent/CN113923658A/en
Application granted granted Critical
Publication of CN113923658B publication Critical patent/CN113923658B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041Key generation or derivation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10Integrity
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00Reducing energy consumption in communication networks
    • Y02D30/70Reducing energy consumption in communication networks in wireless communication networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to an APN-based adaptive terminal authentication method in which the AKA core encryption algorithm Ek is selected adaptively based on the APN and bidirectional authentication is performed. Adopting this adaptive terminal authentication method effectively enhances the flexibility of terminal authentication and expands the usage scenarios.

Description

APN-based adaptive terminal authentication method and system
Technical Field
The invention relates to the field of adaptive terminal authentication, in particular to an APN-based adaptive terminal authentication method and system.
Background
Before a terminal accesses the wireless network, the SIM card unit in the terminal and the core network must carry out cryptographic bidirectional authentication to ensure the validity of both parties' identities. At present, the 3G/4G/5G wireless public network terminals of domestic operators use the AES algorithm for this authentication process. However, this has a great disadvantage in security performance.
In certain industrial application scenarios and in certain private networks, a domestic security algorithm is required for security authentication between the terminal side and the network side, so as to strengthen the isolation between virtual networks and raise the information security protection level of the system.
Disclosure of Invention
In view of the above, the present invention provides an APN-based adaptive terminal authentication method that realizes adaptive AKA authentication, effectively improves the efficiency of service security deployment and saves the cost of deploying service security.
In order to achieve this purpose, the invention adopts the following technical scheme:
An APN-based adaptive terminal authentication method comprises the following steps:
Step S1: the AKA core encryption algorithm Ek adopted by the terminal UE is anchored to the terminal's subscribed APN;
Step S2: the terminal UE encapsulates the pre-configured APN and AKA core encryption algorithm Ek in a NAS message and transmits the NAS message to the MME/AMF;
Step S3: the MME/AMF encapsulates the APN and the proposed AKA core encryption algorithm Ek in an Authentication message and transmits it to the HSS/UDM; the HSS/UDM verifies the APN and AKA core encryption algorithm Ek reported by the terminal against the subscription information;
Step S4: if the subscribed APN and AKA core encryption algorithm are the same as the values reported by the terminal, the HSS/UDM uses the AKA core encryption algorithm Ek proposed by the UE to generate an Authentication Vector (AV); otherwise, the HSS/UDM ignores the APN and AKA core encryption algorithm Ek reported by the terminal and uses the AKA authentication flow defined by the 3GPP standard;
Step S5: the MME/AMF transmits the AV and the actually adopted AKA core encryption algorithm Ek to the MME/AMF through an Authentication message, and the MME/AMF transmits the AV and the actually adopted AKA core encryption algorithm Ek to the terminal UE through a NAS message;
Step S6: the terminal UE computes the f-series functions based on the actually adopted AKA core encryption algorithm Ek, computes XMAC and RES from the f-series functions, and compares XMAC with the MAC carried in the AV to verify the validity of the network; RES is then sent to the MME/AMF, which compares RES with the XRES carried in the AV to verify the validity of the terminal UE, completing the bidirectional authentication of the terminal UE and the network.
Further, step S4 specifically comprises:
Step S41: the HSS/UDM uses the AKA core encryption algorithm Ek proposed by the terminal UE to generate the f1, f1*, f2, f3, f4, f5 and f5* series of functions; OPc is derived from the user root key K and the operator-specific parameter OP as $OPc = OP \oplus E_k(OP)$, where $\oplus$ denotes the exclusive-or operation and OP is specified by the operator and stored in the terminal UE; r1, r2, r3, r4 and r5 are five fixed cyclic shift constants, and c1 … c5 are five fixed constants;
Step S42: the HSS/UDM uses the f-series functions to generate the authentication vector AV. The AV is the concatenation of RAND, XRES, CK, IK and AUTN, and AUTN is the concatenation of $SQN \oplus AK$, AMF and MAC. In this step, the message authentication code MAC is generated by f1 and is used by the terminal to authenticate the network; XRES is generated by f2 and is used by the network to authenticate the terminal; the integrity protection key IK is generated by f4; the anonymity key AK is generated by f5 to hide the SQN information.
An APN-based adaptive terminal authentication system comprises a processor, a memory and a computer program stored in the memory; when the processor executes the computer program, the steps of the adaptive terminal authentication method are executed.
Compared with the prior art, the invention has the following beneficial effects:
The invention effectively enhances the flexibility of terminal authentication, expands the usage scenarios, realizes adaptive AKA authentication, effectively improves the efficiency of service security deployment and saves the cost of deploying service security.
Drawings
FIG. 1 is a schematic diagram illustrating the message passing of step S2 according to an embodiment of the present invention;
FIG. 2 is a message passing diagram of step S3 according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a series of functions generated based on an AKA core encryption algorithm Ek according to an embodiment of the present invention;
FIG. 4 is a diagram illustrating the generation of an authentication vector using an f-series function in one embodiment of the present invention;
FIG. 5 is a schematic diagram illustrating the message passing of step S5 according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of authentication in an embodiment of the present invention.
Detailed Description
The invention is further explained below with reference to the drawings and the embodiments.
This embodiment provides an APN-based adaptive terminal authentication method, which includes the following steps:
Step S1: the AKA core encryption algorithm Ek adopted by the terminal UE is anchored to the terminal's subscribed APN;
Step S2: the terminal UE encapsulates the pre-configured APN and AKA core encryption algorithm Ek in a NAS message and transmits the NAS message to the MME/AMF;
Step S3: the MME/AMF encapsulates the APN and the proposed AKA core encryption algorithm Ek in an Authentication message and transmits it to the HSS/UDM; the HSS/UDM verifies the APN and AKA core encryption algorithm Ek reported by the terminal against the subscription information;
Step S4: if the subscribed APN and AKA core encryption algorithm are the same as the values reported by the terminal, the HSS/UDM uses the AKA core encryption algorithm Ek proposed by the UE to generate an Authentication Vector (AV); otherwise, the HSS/UDM ignores the APN and AKA core encryption algorithm Ek reported by the terminal and uses the AKA authentication flow defined by the 3GPP standard;
In this embodiment, step S4 specifically includes:
Step S41: the HSS/UDM uses the AKA core encryption algorithm Ek proposed by the terminal UE (such as the SM4 or SM1 cryptographic algorithm) to generate the f1, f1*, f2, f3, f4, f5 and f5* series of functions. OPc is derived from the user root key K and the operator-specific parameter OP as $OPc = OP \oplus E_k(OP)$, where $\oplus$ denotes the exclusive-or operation and OP is specified by the operator and stored in the terminal UE; r1, r2, r3, r4 and r5 are five fixed cyclic shift constants, and c1 … c5 are five fixed constants.
Step S42: the HSS/UDM uses the f-series functions to generate the authentication vector AV. The AV is the concatenation of RAND, XRES, CK, IK and AUTN, and AUTN is the concatenation of $SQN \oplus AK$, AMF and MAC. The message authentication code (MAC) is generated by f1 and is used by the terminal to authenticate the network; XRES (expected response) is generated by f2 and is used by the network to authenticate the terminal. The encryption key CK is generated by f3; the integrity protection key IK is generated by f4; the anonymity key AK is generated by f5 to hide the SQN information.
Step S5: the MME/AMF transmits the AV and the actually adopted AKA core encryption algorithm Ek to the MME/AMF through an Authentication message, and the MME/AMF transmits the AV and the actually adopted AKA core encryption algorithm Ek to the terminal UE through a NAS message;
Step S6: the terminal UE computes the f-series functions based on the actually adopted AKA core encryption algorithm Ek, computes XMAC and RES from the f-series functions, and compares XMAC with the MAC carried in the AV to verify the validity of the network; RES is then sent to the MME/AMF, which compares RES with the XRES carried in the AV to verify the validity of the terminal UE, completing the bidirectional authentication of the terminal UE and the network.
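The following sketch of steps S3 to S6 is an added example, not code from the patent: it shows the HSS/UDM honouring the proposed Ek only when APN and algorithm match the subscription, and the UE and MME/AMF checks that follow. It assumes the f functions follow the Milenage construction (3GPP TS 35.206) with its default r and c constants, that the AV originates at the HSS/UDM that generated it, and that AES is the default algorithm; the ciphers are replaced by HMAC-based stand-ins, and all function names, the APN `grid.private` and the key material are constructed for illustration.

```python
import hashlib
import hmac
import os

# Stand-ins for the block ciphers: the Python standard library has neither AES
# nor SM4, so each Ek here is an HMAC-SHA256 PRF truncated to 128 bits. The f
# functions only ever call Ek in the forward direction, so the flow is the same.
def _standin(label):
    return lambda k, block: hmac.new(k, label + block, hashlib.sha256).digest()[:16]

EK = {"AES": _standin(b"aes"), "SM4": _standin(b"sm4")}
DEFAULT_ALG = "AES"              # assumed algorithm of the standard 3GPP flow
R = (64, 0, 32, 64, 96)          # r1..r5: Milenage default rotations (assumed)
C = tuple(i.to_bytes(16, "big") for i in (0, 1, 2, 4, 8))   # c1..c5 (assumed)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def rot(block, bits):            # cyclic left rotation of a 128-bit block
    n = int.from_bytes(block, "big")
    return (((n << bits) | (n >> (128 - bits))) & (2**128 - 1)).to_bytes(16, "big")

def f_functions(ek, k, op, rand, sqn, amf):
    """Step S41. Returns MAC (f1), RES (f2), CK (f3), IK (f4), AK (f5);
    the resynchronisation variants f1* and f5* are left out."""
    opc = xor(op, ek(k, op))                       # OPc = OP xor Ek(OP)
    temp = ek(k, xor(rand, opc))
    in1 = (sqn + amf) * 2
    out1 = xor(ek(k, xor(xor(temp, rot(xor(in1, opc), R[0])), C[0])), opc)
    out2, out3, out4 = (xor(ek(k, xor(rot(xor(temp, opc), r), c)), opc)
                        for r, c in zip(R[1:4], C[1:4]))
    return out1[:8], out2[8:], out3, out4, out2[:6]

def hss_generate_av(sub, apn, proposed_alg, sqn, amf=b"\x80\x00"):
    """Steps S3/S4/S42: honour the proposed Ek only when the APN and the
    algorithm both match the subscription; otherwise use the default flow."""
    ok = apn == sub["apn"] and proposed_alg == sub["alg"] and proposed_alg in EK
    alg = proposed_alg if ok else DEFAULT_ALG
    rand = os.urandom(16)
    mac, xres, ck, ik, ak = f_functions(EK[alg], sub["k"], sub["op"], rand, sqn, amf)
    autn = xor(sqn, ak) + amf + mac                # AUTN = (SQN xor AK) || AMF || MAC
    return {"rand": rand, "xres": xres, "ck": ck, "ik": ik, "autn": autn}, alg

def ue_authenticate(usim, rand, autn, actual_alg):
    """Step S6, UE side: returns RES, or None when XMAC != MAC.
    SQN freshness checking is omitted."""
    ek, (k, op) = EK[actual_alg], (usim["k"], usim["op"])
    masked_sqn, amf, mac = autn[:6], autn[6:8], autn[8:]
    ak = f_functions(ek, k, op, rand, bytes(6), amf)[4]   # AK depends only on RAND
    xmac, res, *_ = f_functions(ek, k, op, rand, xor(masked_sqn, ak), amf)
    return res if hmac.compare_digest(xmac, mac) else None

def run(sub, usim, apn, proposed_alg):
    """Whole exchange; returns (algorithm actually used, mutual auth succeeded)."""
    av, alg = hss_generate_av(sub, apn, proposed_alg, sqn=(1).to_bytes(6, "big"))
    res = ue_authenticate(usim, av["rand"], av["autn"], alg)
    # MME/AMF side of step S6: compare RES with the XRES carried in the AV.
    return alg, res is not None and hmac.compare_digest(res, av["xres"])

# Constructed sample subscription and USIM data (not from the page).
K, OP = bytes(range(16)), bytes(range(16, 32))
SUB = {"apn": "grid.private", "alg": "SM4", "k": K, "op": OP}
USIM = {"k": K, "op": OP}

if __name__ == "__main__":
    print(run(SUB, USIM, "grid.private", "SM4"))   # subscription matches
    print(run(SUB, USIM, "internet", "SM4"))       # mismatch: default algorithm
```

Because the UE recomputes XMAC with whichever algorithm the network reports as actually adopted, a UE that computes with a different Ek than the HSS/UDM used fails the MAC comparison rather than silently deriving different keys.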
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing describes preferred embodiments of the present invention; other and further embodiments of the invention may be devised without departing from its basic scope, which is determined by the claims that follow. Any simple modification, equivalent change or adaptation of the above embodiments made according to the technical essence of the present invention falls within the protection scope of the technical solution of the present invention.

Claims (3)

1. An APN-based adaptive terminal authentication method, characterized by comprising the following steps:
Step S1: the AKA core encryption algorithm Ek adopted by the terminal UE is anchored to the terminal's subscribed APN;
Step S2: the terminal UE encapsulates the pre-configured APN and AKA core encryption algorithm Ek in a NAS message and transmits the NAS message to the MME/AMF;
Step S3: the MME/AMF encapsulates the APN and the proposed AKA core encryption algorithm Ek in an Authentication message and transmits it to the HSS/UDM; the HSS/UDM verifies the APN and AKA core encryption algorithm Ek reported by the terminal against the subscription information;
Step S4: if the subscribed APN and AKA core encryption algorithm are the same as the values reported by the terminal, the HSS/UDM uses the AKA core encryption algorithm Ek proposed by the UE to generate an Authentication Vector; otherwise, the HSS/UDM ignores the APN and AKA core encryption algorithm Ek reported by the terminal and uses the AKA authentication flow defined by the 3GPP standard;
Step S5: the MME/AMF transmits the Authentication Vector and the actually adopted AKA core encryption algorithm Ek to the MME/AMF through an Authentication message, and the MME/AMF transmits the AV and the actually adopted AKA core encryption algorithm Ek to the terminal UE through a NAS message;
Step S6: the terminal UE computes the f-series functions based on the actually adopted AKA core encryption algorithm Ek, computes XMAC and RES from the f-series functions, and compares XMAC with the MAC carried in the AV to verify the validity of the network; RES is then sent to the MME/AMF, which compares RES with the XRES carried in the AV to verify the validity of the terminal UE, completing the bidirectional authentication of the terminal UE and the network.
2. The APN-based adaptive terminal authentication method of claim 1, wherein step S4 specifically comprises:
Step S41: the HSS/UDM uses the AKA core encryption algorithm Ek proposed by the terminal UE to generate the f1, f1*, f2, f3, f4, f5 and f5* series of functions; OPc is derived from the user root key K and the operator-specific parameter OP as $OPc = OP \oplus E_k(OP)$, where $\oplus$ denotes the exclusive-or operation and OP is specified by the operator and stored in the terminal UE; r1, r2, r3, r4 and r5 are five fixed cyclic shift constants, and c1 … c5 are five fixed constants;
Step S42: the HSS/UDM uses the f-series functions to generate the authentication vector AV; the AV is the concatenation of RAND, XRES, CK, IK and AUTN, and AUTN is the concatenation of $SQN \oplus AK$, AMF and MAC; in this step, the message authentication code MAC is generated by f1 and is used by the terminal to authenticate the network; XRES is generated by f2 and is used by the network to authenticate the terminal; the integrity protection key IK is generated by f4; the anonymity key AK is generated by f5 to hide the SQN information.
3. An APN-based adaptive terminal authentication system comprising a processor, a memory and a computer program stored in said memory, said processor, when executing said computer program, performing the steps of the adaptive terminal authentication method according to any of claims 1-2.
CN202111159393.7A 2021-09-30 2021-09-30 APN-based self-adaptive terminal authentication method and system Active CN113923658B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111159393.7A CN113923658B (en) 2021-09-30 2021-09-30 APN-based self-adaptive terminal authentication method and system

Publications (2)

Publication Number Publication Date
CN113923658A (en) 2022-01-11
CN113923658B (en) 2023-06-23

Family

ID=79237412

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111159393.7A Active CN113923658B (en) 2021-09-30 2021-09-30 APN-based self-adaptive terminal authentication method and system

Country Status (1)

Country Link
CN (1) CN113923658B (en)

Also Published As

Publication number Publication date
CN113923658B (en) 2023-06-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant