CN114143016A - Authentication method based on general guide architecture GBA and corresponding device - Google Patents

Info

Publication number: CN114143016A
Authority: CN (China)
Prior art keywords: key algorithm; access node; wireless access; application layer; suite
Legal status: Pending
Application number: CN202010819512.6A
Other languages: Chinese (zh)
Inventors: 刘小军, 缪永生, 张宝健, 李如俊
Current assignee: ZTE Corp
Original assignee: ZTE Corp
Events: application filed by ZTE Corp; priority to CN202010819512.6A; priority to PCT/CN2021/101804 (WO2022033186A1); publication of CN114143016A; legal status pending

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04W WIRELESS COMMUNICATION NETWORKS
                • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
                    • H04W 12/06 Authentication
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                        • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                            • H04L 9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
                    • H04L 63/16 Implementing security features at a particular protocol layer
                        • H04L 63/166 Implementing security features at a particular protocol layer at the transport layer

Abstract

The embodiment of the invention provides an authentication method based on a General Bootstrapping Architecture (GBA). The key algorithm suite (TLS cipher suite) used by a user terminal is confirmed by carrying out secure transport layer protocol negotiation with the user terminal; the key algorithm suite is then applied to the wireless access node, so that the wireless access node performs authentication using that key algorithm suite. In some implementations, after the UE and the AP have each established a TLS tunnel with the ALG, the AP side and the UE side calculate the authentication parameters using the same key algorithm suite and perform authentication. This avoids the problem that authentication fails because the UE and the AP use different key algorithm suites after establishing their TLS tunnels with the ALG, which would affect the authentication of the UE by the AP, and user experience is improved.

Description

Authentication method based on general guide architecture GBA and corresponding device
Technical Field
The embodiment of the invention relates to the technical field of communication, in particular to an authentication method based on a General Bootstrapping Architecture (GBA) and a corresponding device.
Background
With the development of communication technology, many applications in communication services require interaction between a UE (User Equipment) and an AS (Access Stratum), such as service activation, service setting, service access, and the like. To ensure the security of the service application, bidirectional authentication between the UE and the AS is required, and if the UE and the AS interact directly, two serious problems exist: the UE and each AS need to carry out independent authentication, including negotiation of an authentication mechanism and management of a secret key; and the UE needs to input the secret key every time it logs in to a different AS, so the user experience is poor. Therefore, the 3GPP (Third Generation Partnership Project) standards organization proposed the concept of a Generic Authentication Architecture, in which GBA (Generic Bootstrapping Architecture) is a generic authentication architecture based on shared keys. GBA uses AKA (Authentication and Key Agreement, the authentication and key agreement protocol of the third-generation mobile communication network) to provide a mechanism for key sharing, mutual authentication and service protection between the UE and the network, and has higher security and universality.
The GBA provides a public network service address to the outside. In consideration of factors such as security, an ALG (Application Layer Gateway) is introduced into the actual networking; the ALG implements access control, such as firewall, anti-virus, intrusion detection and active user access authentication functions, so as to provide an all-around access security management scheme for the GBA.
Disclosure of Invention
The authentication method and corresponding device based on the GBA provided by the embodiments of the invention mainly solve the technical problem that, after the UE and the AP have each established a TLS tunnel with the ALG, different key algorithm suites are used, so that authentication fails and the authentication of the UE by the AP is affected.
To solve the above technical problem, an embodiment of the present invention provides an authentication method based on a generic bootstrapping architecture GBA applied to a terminal side, including:
carrying out secure transport layer protocol negotiation with an application layer gateway, and confirming the key algorithm suite used;
and applying the key algorithm suite to the wireless access node through the application layer gateway, so that the wireless access node performs authentication using the key algorithm suite.
Based on the same inventive concept, an embodiment of the present invention further provides an authentication method based on a generic bootstrapping architecture GBA applied to a gateway side, including:
carrying out secure transport layer protocol negotiation with a user terminal, and confirming the key algorithm suite used by the user terminal;
and applying the key algorithm suite to a wireless access node, so that the wireless access node performs authentication using the key algorithm suite.
Based on the same inventive concept, an embodiment of the present invention further provides an authentication method based on a generic bootstrapping architecture GBA applied to a wireless access node side, including:
authenticating using a key algorithm suite applied to the wireless access node by an application layer gateway;
wherein the key algorithm suite is the key algorithm suite used by the user terminal, as confirmed by the secure transport layer protocol negotiation between the application layer gateway and the user terminal.
The embodiment of the invention also provides a terminal, which comprises a first processor, a first memory and a first communication bus;
the first communication bus is used for realizing connection communication between the first processor and the first memory;
the first processor is configured to execute one or more computer programs stored in the first memory to implement the steps of the GBA-based authentication method applied to the terminal side as described above.
The embodiment of the invention also provides a gateway, which comprises a second processor, a second memory and a second communication bus;
the second communication bus is used for realizing connection communication between the second processor and the second memory;
the second processor is configured to execute one or more computer programs stored in the second memory to implement the steps of the method for authentication based on generic bootstrapping architecture GBA applied on the gateway side as described above.
The embodiment of the invention also provides a wireless access node, which comprises a third processor, a third memory and a third communication bus;
the third communication bus is used for realizing connection communication between the third processor and the third memory;
the third processor is configured to execute one or more computer programs stored in the third memory to implement the steps of the method for generic bootstrapping architecture GBA based authentication applied to the radio access node side as described above.
Embodiments of the present invention also provide a computer storage medium, which stores one or more programs that are executable by one or more processors to implement the steps of the method for authentication based on generic bootstrapping architecture GBA as described above and applied to a terminal side, a gateway side, or a wireless access node side.
According to the authentication method and corresponding device based on the GBA provided by the embodiment of the invention, the key algorithm suite used by a user terminal is confirmed by carrying out secure transport layer protocol negotiation with the user terminal, and the key algorithm suite is applied to the wireless access node, so that the wireless access node performs authentication using the key algorithm suite. In some implementations, after the UE and the AP have each established a TLS tunnel with the ALG, the AP side and the UE side calculate the authentication parameters using the same key algorithm suite and perform authentication. This avoids the problem that authentication fails because the UE and the AP use different key algorithm suites after establishing their TLS tunnels with the ALG, which would affect the authentication of the UE by the AP, and user experience is improved.
Additional features and corresponding advantages of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
Drawings
Fig. 1 is a schematic diagram of a GBA basic architecture according to a first embodiment of the present invention;
fig. 2 is a schematic diagram of a basic authentication flow of GBA according to a first embodiment of the present invention;
fig. 3 is a flowchart illustrating an authentication method of a generic bootstrapping architecture GBA according to a first embodiment of the invention;
fig. 4 is a schematic basic flowchart illustrating a process of applying a key algorithm suite to a wireless access node through an application layer gateway according to a first embodiment of the present invention;
fig. 5 is a schematic basic flowchart illustrating a procedure of applying a key algorithm suite to a wireless access node through an application layer gateway according to a first embodiment of the present invention;
fig. 6 is a schematic basic flowchart illustrating a procedure of applying a key algorithm suite to a wireless access node through an application layer gateway according to another embodiment of the present invention;
fig. 7 is a schematic basic flowchart illustrating another basic flowchart for applying a key algorithm suite to a wireless access node through an application layer gateway according to a first embodiment of the present invention;
fig. 8 is a schematic basic flow chart of an authentication method of a generic bootstrapping architecture GBA according to a second embodiment of the present invention;
fig. 9 is a schematic diagram of a basic structure of a terminal according to a third embodiment of the present invention;
fig. 10 is a schematic diagram of a basic structure of a gateway according to a third embodiment of the present invention;
fig. 11 is a schematic diagram of a basic structure of a wireless access node according to a third embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention are described in detail below with reference to the accompanying drawings. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The first embodiment is as follows:
In the related art, as shown in Fig. 1, the basic GBA architecture includes: HSS (Home Subscriber Server), BSF (Bootstrapping Server Function), NAF (Network Application Function) or AP (Access Point), and ALG. It is to be understood that the NAF performs the same function as the AP, that is, only one of the AP and the NAF need exist. The ALG establishes a TLS channel with the UE and with the AP respectively, and authentication proceeds as shown in Fig. 2: the UE negotiates a TLS connection with the ALG and confirms the cipher suite used, the cipher suite finally used being "yyzz"; the UE sends a service request (HTTP GET) to the ALG; the ALG negotiates a TLS connection with the AP and confirms the cipher suite used, the cipher suite finally used being "aabb"; the ALG forwards the HTTP GET to the AP; the AP responds 401 Unauthorized to the UE; the UE generates a first Ks_NAF/Ks_int_NAF according to the negotiated TLS cipher suite "yyzz" and other parameters, calculates a first response using the first Ks_NAF/Ks_int_NAF as key, and sends the first response to the AP through the ALG; the AP obtains a second Ks_NAF/Ks_int_NAF from the BSF according to the TLS cipher suite it negotiated with the ALG ("aabb") and other parameters, and calculates a second response; the AP then compares the second response it calculated with the first response sent by the UE, and if they are consistent the authentication succeeds. Because the TLS cipher suite used by the AP is inconsistent with the TLS cipher suite used by the UE, the calculated Ks_NAF/Ks_int_NAF and the responses are also inconsistent, and the AP authentication fails.
In order to solve the problem in the related art that, after the UE and the AP establish TLS tunnels with the ALG, the UE and the AP use different key algorithm suites so that authentication fails and the authentication and authorization of the UE by the AP is affected, an embodiment of the present invention provides an authentication method based on the generic bootstrapping architecture GBA, applied to the user terminal side; please refer to Fig. 3. The method includes but is not limited to:
S301, carrying out secure transport layer protocol negotiation with an application layer gateway, and confirming the key algorithm suite used;
S302, applying the key algorithm suite to the wireless access node through the application layer gateway, so that the wireless access node performs authentication using the key algorithm suite.
In some embodiments, the user equipment UE negotiates a secure transport layer protocol (TLS) connection with the application layer gateway ALG and confirms the cipher suite (Cipher Suite) used by the UE and the ALG. It should be understood that this embodiment does not limit the manner in which the UE and the application layer gateway negotiate the secure transport layer protocol, as long as a key algorithm suite usable between the UE and the application layer gateway is finally determined.
In this embodiment, applying the key algorithm suite determined by the ue and the application layer gateway to the AP includes, but is not limited to, the following two ways:
the first mode is as follows: forwarding the key algorithm suite to the wireless access node through the application layer gateway, thereby applying the key algorithm suite to the wireless access node;
the second mode is as follows: and performing secure transport layer protocol negotiation with the wireless access node by using the key algorithm suite through the application layer gateway, thereby applying the key algorithm suite to the wireless access node.
In some embodiments, the first manner includes, but is not limited to: sending a service request to the application layer gateway; and forwarding the service request to the wireless access node through the application layer gateway, wherein the application layer gateway carries the key algorithm suite when forwarding the service request to the wireless access node. That is, the user terminal sends a service request to the application layer gateway, the application layer gateway sends the key algorithm suite used by the user terminal to the wireless access node through an extension parameter, and the wireless access node authenticates according to the key algorithm suite sent by the ALG. For example, as shown in Fig. 4:
steps 1-2, the user terminal UE and the application layer gateway ALG negotiate TLS (secure transport layer protocol) and confirm that the cipher suite (Cipher Suite) used by the UE and the ALG is "yyzz";
step 3, the user terminal initiates a service request (HTTP GET) to the application layer gateway;
steps 4-5, the application layer gateway and the AP negotiate a TLS connection and confirm the cipher suite used on the AP side; the cipher suite finally used on the AP side is "aabb";
step 6, the ALG forwards the HTTP GET request of the UE and carries the cipher suite "yyzz" used on the UE side to the AP through an extension parameter, so that the AP performs authentication according to the key algorithm suite "yyzz" used by the UE and the ALG, as carried by the ALG; that is, the application layer gateway applies the key algorithm suite to the wireless access node, so that the wireless access node uses the same key algorithm suite "yyzz" as the user terminal to perform authentication.
Specifically, enabling the wireless access node to use the same key algorithm suite "yyzz" as the user terminal to perform authentication comprises the following steps:
steps 7-8, after receiving the cipher suite "yyzz" used on the UE side, the AP sends a 401 Unauthorized response to the ALG, which forwards the response to the UE;
step 9, the UE generates a first Ks_NAF/Ks_int_NAF according to the UE-side cipher suite "yyzz" negotiated with the ALG and other parameters, then calculates a first response using the first Ks_NAF/Ks_int_NAF as key, and sends the first response to the ALG to be forwarded to the AP;
step 10, the AP acquires a second Ks_NAF/Ks_int_NAF from the BSF according to the cipher suite ("yyzz") used on the UE side, as carried by the ALG, and other parameters, then calculates a second response using the second Ks_NAF/Ks_int_NAF as key, and compares the first response with the second response; if the two responses are the same, the authentication succeeds. Because the cipher suite used by the AP is consistent with the cipher suite used by the UE, the calculated Ks_NAF/Ks_int_NAF and the second response are also consistent, and the AP authentication finally succeeds.
In some embodiments, the first manner includes, but is not limited to: sending a service request to the application layer gateway, wherein the service request carries the key algorithm suite; and forwarding the service request to the wireless access node through the application layer gateway. That is, when the user terminal sends a service request to the application layer gateway, it carries the key algorithm suite used on the user terminal side in the service request through an extension parameter; the application layer gateway forwards the service request to the wireless access node, and the wireless access node authenticates according to the key algorithm suite in the service request sent by the UE. For example, as shown in Fig. 5:
steps 1-2, the user terminal UE and the application layer gateway ALG negotiate TLS (secure transport layer protocol) and confirm that the cipher suite (Cipher Suite) used by the UE and the ALG is "yyzz";
step 3, the UE initiates a service request (HTTP GET) to the ALG, wherein the HTTP GET request carries the determined key algorithm suite ("yyzz") through an extension parameter;
steps 4-5, the application layer gateway and the AP negotiate a TLS connection and confirm the cipher suite used on the AP side; the cipher suite used on the AP side is "aabb";
step 6, when forwarding the HTTP GET request of the UE, the ALG transparently passes the cipher suite ("yyzz") extension parameter sent by the UE to the AP; the AP authenticates according to the key algorithm suite "yyzz" used by the UE and the ALG, as carried by the ALG; that is, the key algorithm suite is applied to the wireless access node through the application layer gateway, so that the wireless access node performs authentication using the same key algorithm suite "yyzz" as the user terminal.
It should be understood that in some examples, after the cipher suite ("yyzz") extension parameter sent by the UE is transparently passed to the AP, enabling the wireless access node to perform authentication using the same key algorithm suite "yyzz" as the user terminal includes the following steps:
steps 7-8, the AP sends a 401 Unauthorized response to the ALG, which forwards it to the UE;
step 9, the UE generates a first Ks_NAF/Ks_int_NAF according to the UE-side cipher suite negotiated with the ALG and other parameters, then calculates a first response using the first Ks_NAF/Ks_int_NAF as key; at this time the first response can be sent to the ALG carrying the cipher suite ("yyzz") through the extension parameter;
step 10, the ALG forwards the HTTP GET request of the UE; specifically, when forwarding the HTTP GET request of the UE, the ALG transparently passes the cipher suite ("yyzz") extension parameter sent by the UE to the AP. The AP acquires a second Ks_NAF/Ks_int_NAF from the BSF according to the cipher suite ("yyzz") used on the UE side, as carried by the ALG, and other parameters, then calculates a second response using the second Ks_NAF/Ks_int_NAF as key, and compares the first response with the second response; if the two responses are the same, the authentication succeeds. Because the cipher suite used by the AP is consistent with the cipher suite used by the UE, the calculated Ks_NAF/Ks_int_NAF and the responses are also consistent, and the AP authentication finally succeeds.
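The related-art flow of Fig. 2 and the first mode of Figs. 4 and 5, as an added runnable model; this is example code written for this page, not the patent's or ZTE's code. It assumes the 3GPP TS 33.220 constructions as I recall them, so they should be checked against the specification: Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id) with an HMAC-SHA-256 KDF over length-prefixed parameters, a NAF_Id whose Ua security protocol identifier ends in the two-byte TLS cipher suite code, and RFC 2617 Digest for the "first response" and "second response". The bootstrapping material, B-TID, nonces and hostnames are constructed sample values, and the AP's fetch of Ks_NAF from the BSF is modelled by a local derivation with the same inputs. The point it demonstrates is that the cipher suite is a key-derivation input, so the AP reproduces the UE's response only when it is told (or otherwise shares) the UE's suite.

```python
"""Model of a GBA Ua authentication across an ALG (added example, not from
the patent): the TLS cipher suite is part of NAF_Id, so the UE and the AP
only derive the same Ks_NAF when they agree on the suite."""
import base64
import hashlib
import hmac
import struct
from typing import Optional


def gba_kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ... (KDF shape of
    3GPP TS 33.220 Annex B; assumed here, the patent does not restate it)."""
    s = bytes([fc])
    for p in params:
        s += p + struct.pack(">H", len(p))
    return hmac.new(key, s, hashlib.sha256).digest()


def naf_id(fqdn: str, cipher_suite: int) -> bytes:
    """NAF_Id = NAF FQDN || Ua security protocol identifier. For TLS with
    HTTP Digest the identifier ends in the 2-byte TLS cipher suite code
    (the "yy,zz" octets of TS 33.220 Annex H; assumed), which is why the
    suite the AP assumes must match the one the UE negotiated."""
    return fqdn.encode() + bytes([0x01, 0x00, 0x01]) + struct.pack(">H", cipher_suite)


def ks_naf(ks: bytes, rand: bytes, impi: str, fqdn: str, cipher_suite: int) -> bytes:
    """Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id)."""
    return gba_kdf(ks, 0x01, b"gba-me", rand, impi.encode(), naf_id(fqdn, cipher_suite))


def digest_response(user: str, password: str, realm: str, nonce: str,
                    method: str, uri: str, cnonce: str,
                    nc: str = "00000001", qop: str = "auth") -> str:
    """RFC 2617 HTTP Digest with qop=auth; in GBA the password is base64(Ks_NAF)."""
    def md5(text: str) -> str:
        return hashlib.md5(text.encode()).hexdigest()
    ha1 = md5(f"{user}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


# Constructed sample bootstrapping material (no real subscriber data).
KS = hashlib.sha256(b"constructed Ks = CK || IK").digest()
RAND = bytes.fromhex("00112233445566778899aabbccddeeff")
IMPI = "user@ims.example.invalid"
B_TID = "constructed-btid@bsf.example.invalid"
NAF_FQDN = "ap.example.invalid"
NONCE, CNONCE, URI = "constructed-nonce", "constructed-cnonce", "/service"

UE_SUITE = 0xC030  # suite negotiated between UE and ALG ("yyzz" in the patent)
AP_SUITE = 0x0035  # suite negotiated between ALG and AP ("aabb" in the patent)


def ue_first_response(ue_suite: int) -> str:
    """Step 9: the UE derives Ks_NAF with the suite it negotiated and computes
    the first response."""
    pw = base64.b64encode(ks_naf(KS, RAND, IMPI, NAF_FQDN, ue_suite)).decode()
    return digest_response(B_TID, pw, NAF_FQDN, NONCE, "GET", URI, CNONCE)


def ap_verify(first_response: str, ap_suite: int,
              forwarded_ue_suite: Optional[int]) -> bool:
    """Step 10: the AP obtains Ks_NAF from the BSF (modelled locally) for the
    NAF_Id it believes applies, computes the second response and compares.
    In the patent's first mode the ALG (Fig. 4) or the UE (Fig. 5) carries
    the UE's suite in an extension parameter and the AP uses that instead of
    the suite of its own TLS leg."""
    suite = forwarded_ue_suite if forwarded_ue_suite is not None else ap_suite
    pw = base64.b64encode(ks_naf(KS, RAND, IMPI, NAF_FQDN, suite)).decode()
    second = digest_response(B_TID, pw, NAF_FQDN, NONCE, "GET", URI, CNONCE)
    return hmac.compare_digest(first_response, second)


def authenticate(forward_ue_suite: bool) -> bool:
    """Run the exchange; False reproduces the related-art failure of Fig. 2."""
    first = ue_first_response(UE_SUITE)
    hint = UE_SUITE if forward_ue_suite else None
    return ap_verify(first, AP_SUITE, hint)


if __name__ == "__main__":
    print("without forwarding the UE suite:", authenticate(False))  # False
    print("with the UE suite forwarded:   ", authenticate(True))   # True
```

Running the file prints the two outcomes; the only difference between them is which cipher suite code enters NAF_Id on the AP side, which is exactly what the extension parameter in steps 6 and 10 fixes.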
In some embodiments, in the second manner, the application layer gateway performs secure transport layer protocol negotiation with the wireless access node using the key algorithm suite, so as to apply the key algorithm suite to the wireless access node. For example, as shown in Fig. 6:
steps 1-2, the UE and the ALG negotiate a TLS connection and confirm the cipher suite used on the UE side; the cipher suite finally used is "yyzz";
step 3, the UE initiates a service request (HTTP GET) to the ALG;
steps 4-5, when negotiating the TLS connection with the AP, the ALG carries only the cipher suite "yyzz" used on the UE side, ensuring that the AP side can only use the same cipher suite "yyzz" as the UE side, so that the cipher suite used on the AP side is "yyzz" and the wireless access node AP performs authentication using the same key algorithm suite "yyzz" as the user terminal UE.
Specifically, making the cipher suite used on the AP side "yyzz", so that the wireless access node AP performs authentication using the same key algorithm suite "yyzz" as the user terminal UE, includes:
step 6, the ALG forwards the HTTP GET request of the UE;
steps 7-8, the AP sends a 401 Unauthorized response to the UE through the ALG;
steps 9-10, the UE generates a first Ks_NAF/Ks_int_NAF according to the UE-side cipher suite "yyzz" negotiated with the ALG and other parameters, then calculates a first response using the first Ks_NAF/Ks_int_NAF as key, and sends the response to the ALG to be forwarded to the AP;
step 11, the AP acquires a second Ks_NAF/Ks_int_NAF from the BSF according to the TLS cipher suite ("yyzz") used on the AP side and other parameters, then calculates a second response using the second Ks_NAF/Ks_int_NAF as key, and compares the first response with the second response; if the two responses are the same, the authentication succeeds. Because the TLS cipher suite used by the AP is consistent with that used by the UE, the calculated Ks_NAF/Ks_int_NAF and the second response are also consistent, and the AP authentication finally succeeds.
In some embodiments, carrying out secure transport layer protocol negotiation with the application layer gateway and confirming the key algorithm suite used comprises: carrying out secure transport layer protocol negotiation with the application layer gateway and confirming a supported key algorithm suite set, wherein the key algorithm suite set comprises at least two usable key algorithm suites; and the application layer gateway performing secure transport layer protocol negotiation with the wireless access node using the key algorithm suite comprises: performing secure transport layer protocol negotiation with the wireless access node through the application layer gateway using the key algorithm suite set, to determine the key algorithm suite used by the application layer gateway and the wireless access node. For example, as shown in Fig. 7:
step 1, the UE initiates TLS negotiation with the ALG, and its Client Hello carries the cipher suite list (0xC030, 0x0035, 0x002D) supported on the UE side;
step 2, the ALG initiates TLS negotiation with the AP; specifically, its Client Hello uses the intersection (0xC030, 0x002D) of the cipher suite lists supported by the UE and the ALG, so that the cipher suite used on the AP side is certain to be one the UE side can use.
step 3, the ALG receives the Server Hello of the AP and confirms the cipher suite (0xC030) used on the AP side.
step 4, the ALG returns a Server Hello to the UE using the cipher suite (0xC030) used on the AP side, ensuring that the UE side uses the same cipher suite as the AP side.
steps 5-6, the UE initiates a service request (HTTP GET), and the ALG forwards the HTTP GET request of the UE.
steps 7-8, the AP sends a 401 Unauthorized response to the UE through the ALG.
step 9, the UE generates a first Ks_NAF/Ks_int_NAF according to the UE-side cipher suite (0xC030) negotiated with the ALG and other parameters, then calculates a first response using the first Ks_NAF/Ks_int_NAF as key, and sends the response to the ALG to be forwarded to the AP;
step 10, the ALG forwards the first response request of the UE to the AP.
step 11, the AP acquires a second Ks_NAF/Ks_int_NAF from the BSF according to the cipher suite (0xC030) used on the AP side and other parameters, then calculates a second response using the second Ks_NAF/Ks_int_NAF as key. The AP compares the second response it calculated with the first response sent by the UE; if the two responses are the same, the authentication succeeds. Because the cipher suite used by the AP is consistent with that used by the UE, the calculated Ks_NAF/Ks_int_NAF and responses are also consistent, and the AP authentication finally succeeds.
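The second manner (Fig. 6, the ALG offers the AP only the UE's suite) and its generalisation in Fig. 7 (the ALG offers the intersection of the UE's list and its own, then echoes the AP's choice to the UE), as an added example written for this page rather than code from the patent or from ZTE. The UE's Client Hello list is the one the description quotes; the ALG's supported set, the ALG's own preference order and the AP's preference order are constructed values, and the TLS handshake is reduced to its cipher-suite selection rule (the server takes the first suite in its own order that the client offered). The unconstrained branch reproduces the related-art split, and the empty-intersection case shows the only safe outcome when no common suite exists: fail the handshake rather than let the two legs diverge.

```python
"""Model of ALG-mediated TLS cipher-suite negotiation (added example, not
from the patent): the ALG offers the AP only suites the UE can use and
echoes the AP's choice back to the UE, so both legs end on one suite."""
from typing import List, Optional, Sequence, Set, Tuple

# Constructed sample values; the UE list is the one quoted in the description.
UE_CLIENT_HELLO = [0xC030, 0x0035, 0x002D]          # UE preference order
ALG_SUPPORTED: Set[int] = {0x009C, 0xC030, 0x002D}  # constructed: ALG lacks 0x0035
ALG_OWN_ORDER = [0x009C, 0xC030, 0x002D]            # what an unmodified ALG would offer
AP_PREFERENCE = [0x009C, 0x0035, 0xC030, 0x002D]    # constructed AP preference order


def server_select(offered: Sequence[int], preference: Sequence[int]) -> Optional[int]:
    """A TLS server picks the first suite in its own preference order that the
    client offered; None models a handshake_failure alert."""
    for suite in preference:
        if suite in offered:
            return suite
    return None


def alg_offer_to_ap(ue_offer: Sequence[int], alg_supported: Set[int]) -> List[int]:
    """Step 2 of Fig. 7: the ALG's Client Hello to the AP carries the
    intersection of the UE's list and the ALG's own support, kept in the UE's
    preference order. The second manner (Fig. 6) is the one-element case, where
    ue_offer is just the suite already negotiated on the UE leg."""
    return [s for s in ue_offer if s in alg_supported]


def negotiate(ue_offer: Sequence[int], alg_supported: Set[int],
              alg_own_order: Sequence[int], ap_preference: Sequence[int],
              constrain: bool) -> Tuple[Optional[int], Optional[int]]:
    """Returns (suite on the UE-ALG leg, suite on the ALG-AP leg)."""
    if not constrain:
        # Related art: the two TLS legs are negotiated independently, so the
        # AP may land on a suite the UE never offered.
        ue_leg = server_select(ue_offer, alg_own_order)
        ap_leg = server_select(alg_own_order, ap_preference)
        return ue_leg, ap_leg
    offered = alg_offer_to_ap(ue_offer, alg_supported)
    if not offered:
        return None, None  # no common suite: fail rather than split the legs
    ap_leg = server_select(offered, ap_preference)  # step 3: AP's Server Hello
    if ap_leg is None:
        return None, None
    # Step 4: the ALG's Server Hello to the UE echoes the AP's choice, which is
    # guaranteed to be in the UE's list because it came from the intersection.
    ue_leg = ap_leg if ap_leg in ue_offer else None
    return ue_leg, ap_leg


if __name__ == "__main__":
    args = (UE_CLIENT_HELLO, ALG_SUPPORTED, ALG_OWN_ORDER, AP_PREFERENCE)
    print("independent legs:", negotiate(*args, constrain=False))  # (0xC030, 0x009C)
    print("constrained legs:", negotiate(*args, constrain=True))   # (0xC030, 0xC030)
    print("no common suite: ", negotiate([0x0035], *args[1:], constrain=True))
```

With the page's values the constrained run selects 0xC030 on both legs, matching steps 3 and 4; the unconstrained run shows why the problem arises at all, since nothing ties the AP's choice to the UE's list.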
The authentication method based on the generic bootstrapping architecture GBA applied to the user terminal side, as provided by the embodiment of the invention, confirms the key algorithm suite used by carrying out secure transport layer protocol negotiation with the application layer gateway, and applies the key algorithm suite to the wireless access node through the application layer gateway, so that the wireless access node performs authentication using the key algorithm suite. That is, after the UE and the AP have each established a TLS tunnel with the ALG, the key algorithm suite used on the UE side is applied to the AP side through the ALG, so that the AP side and the UE side calculate the authentication parameters using the same key algorithm suite and perform authentication. This avoids the situation in which, after the UE and the AP establish TLS tunnels with the ALG, the UE and the AP use different key algorithm suites, causing authentication failure and affecting the authentication of the UE by the AP, and improves user experience.
Example two:
the embodiment of the present invention further provides an authentication method based on a generic bootstrapping architecture GBA, applied to an application layer gateway side, please refer to fig. 8, where the method includes, but is not limited to:
s801, carrying out protocol negotiation with a secure transport layer with a user terminal, and confirming a key algorithm suite used by the user terminal;
s802, the secret key algorithm suite is applied to the wireless access node, so that the wireless access node performs authentication by using the secret key algorithm suite.
In some embodiments, an application layer gateway ALG negotiates a security transport layer protocol, TLS, connection with a user equipment, UE, and confirms a Cipher key Suite, Cipher Suite, used by the UE and the ALG; it should be understood that, in this embodiment, a manner in which the ue and the application layer gateway negotiate the security transport layer protocol is not limited, and finally, an available key algorithm suite between the ue and the application layer gateway may be determined.
In some embodiments, the key algorithm suite is applied to the wireless access node, so that the method for the wireless access node to perform authentication by using the key algorithm suite is the same as the method in the above example, and is not described in detail here.
The GBA-based authentication method applied to the application layer gateway side performs secure transport layer protocol negotiation with the user terminal to confirm the key algorithm suite used by the user terminal, and applies that key algorithm suite to the wireless access node, so that the wireless access node performs authentication using the key algorithm suite. That is, after the TLS tunnel between the UE, the ALG and the AP is established, the AP side and the UE side calculate the authentication parameters with the same key algorithm suite and then authenticate. This avoids the problem that, after the TLS tunnel between the UE, the ALG and the AP is established, the UE and the AP use different key algorithm suites, authentication fails, and the authentication of the UE by the AP is affected; user experience is thereby improved.
The embodiment of the invention also provides a GBA-based authentication method applied to the wireless access node side, which includes, but is not limited to, the following step: performing authentication using the key algorithm suite applied to the wireless access node by the application layer gateway, wherein the key algorithm suite is the key algorithm suite used by the user terminal, as confirmed by the secure transport layer protocol negotiation between the application layer gateway and the user terminal.
In some embodiments, the application layer gateway ALG negotiates a secure transport layer protocol (TLS) connection with the user equipment UE and, after confirming the key algorithm suite (Cipher Suite) used by the UE and the ALG, applies the key algorithm suite to the wireless access node, so that the wireless access node performs authentication according to the key algorithm suite. It should be understood that this embodiment does not limit the manner in which the UE and the application layer gateway negotiate the secure transport layer protocol, as long as an available key algorithm suite between the UE and the application layer gateway is finally determined.
In some embodiments, applying the key algorithm suite to the wireless access node so that the wireless access node performs authentication using the key algorithm suite is done in the same way as in the above embodiment, and is not described in detail here.
The GBA-based authentication method applied to the wireless access node side, provided by the embodiment of the invention, performs authentication using the key algorithm suite applied to the wireless access node by the application layer gateway, where that key algorithm suite is the one used by the user terminal, as confirmed by the secure transport layer protocol negotiation between the application layer gateway and the user terminal. That is, after the TLS tunnel between the UE, the ALG and the AP is established, the AP side calculates the authentication parameters with the same key algorithm suite as the UE side and then authenticates. This avoids the problem that, after the TLS tunnel between the UE, the ALG and the AP is established, authentication fails because different key algorithm suites are used and the authentication of the UE by the AP is affected; user experience is thereby improved.
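The negotiation and suite-forwarding flow described in the three embodiments above, as an added Python model that is not code from the patent or from ZTE: the UE and the ALG agree a cipher suite TLS-style (S101/S801), the ALG applies that suite to the AP (S102/S802, the forwarding of claims 3 and 4) or, in the claim-5 variant, negotiates one with the AP from the set the UE supports, and both sides derive the authentication parameter with the same suite. The suite names, the HMAC-based parameter derivation, the shared key and the nonce are constructed assumptions, not GBA or TLS specifics; the third flow reproduces the failure the description warns about, where the AP falls back to its own preferred suite and the parameters no longer match.

```python
"""Added, constructed model of the UE/ALG/AP suite negotiation described above.
Not code from the patent or from ZTE. Suite names, the HMAC derivation,
SHARED_KEY and NONCE are assumptions made for this illustration only."""
import hmac

# Assumption: each cipher suite fixes the hash used to derive the auth parameter.
SUITE_HASH = {
    "TLS_AES_128_GCM_SHA256": "sha256",
    "TLS_AES_256_GCM_SHA384": "sha384",
    "TLS_CHACHA20_POLY1305_SHA256": "sha256",
}

# Constructed sample secret shared by UE and AP after bootstrapping, plus a nonce.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
NONCE = b"constructed-nonce-0001"


def negotiate_tls_suite(client_offer, server_supported):
    """TLS-style choice: the first suite in the client's offer that the server
    supports. Returns None when nothing overlaps (the handshake would fail)."""
    for suite in client_offer:
        if suite in server_supported:
            return suite
    return None


def derive_auth_param(suite, shared_key, nonce):
    """Authentication parameter keyed on the suite's hash (constructed derivation)."""
    return hmac.new(shared_key, b"gba-auth|" + nonce, SUITE_HASH[suite]).hexdigest()


class AccessPoint:
    """Wireless access node (AP). `preference` is its own ordered suite list."""

    def __init__(self, preference):
        self.preference = list(preference)
        self.suite = None

    def apply_suite(self, suite):
        """Suite pushed by the ALG after the UE/ALG negotiation (claims 3 and 4)."""
        self.suite = suite

    def negotiate_with_set(self, suite_set):
        """ALG negotiates with the AP using the whole set the UE supports (claim 5)."""
        self.suite = negotiate_tls_suite(suite_set, self.preference)
        return self.suite

    def authenticate(self, ue_param):
        """Recompute the parameter with the AP's suite; constant-time compare."""
        expected = derive_auth_param(self.suite, SHARED_KEY, NONCE)
        return hmac.compare_digest(expected, ue_param)


def _result(suite, ap, ok):
    return {"suite": suite, "ap_suite": ap.suite, "authenticated": ok}


def flow_with_forwarding(ue_offer, alg_supported, ap):
    """S101/S801 then S102/S802: the suite agreed over TLS is applied to the AP."""
    suite = negotiate_tls_suite(ue_offer, alg_supported)
    if suite is None:
        return _result(None, ap, False)
    ap.apply_suite(suite)
    ue_param = derive_auth_param(suite, SHARED_KEY, NONCE)
    return _result(suite, ap, ap.authenticate(ue_param))


def flow_with_set_negotiation(ue_offer, alg_supported, ap):
    """Claim-5 variant: UE and ALG confirm a set; ALG and AP pick one suite from it."""
    suite_set = [s for s in ue_offer if s in alg_supported]
    suite = ap.negotiate_with_set(suite_set)
    if suite is None:
        return _result(None, ap, False)
    ue_param = derive_auth_param(suite, SHARED_KEY, NONCE)
    return _result(suite, ap, ap.authenticate(ue_param))


def flow_without_forwarding(ue_offer, alg_supported, ap):
    """The failure the description warns about: the AP is never told the UE's
    suite and uses its own first preference, so the parameters differ."""
    suite = negotiate_tls_suite(ue_offer, alg_supported)
    if suite is None:
        return _result(None, ap, False)
    ap.suite = ap.preference[0]
    ue_param = derive_auth_param(suite, SHARED_KEY, NONCE)
    return _result(suite, ap, ap.authenticate(ue_param))


if __name__ == "__main__":
    ue = ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"]
    alg = ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"]
    print("without forwarding:", flow_without_forwarding(ue, alg, AccessPoint(alg)))
    print("with forwarding:   ", flow_with_forwarding(ue, alg, AccessPoint(alg)))
```

The UE's offer order and the AP's own preference order are deliberately different in the sample run: the ALG picks the UE's first supported suite, while an uninformed AP would pick its own, which is exactly the mismatch the method removes by carrying the agreed suite from ALG to AP.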
Example three:
The embodiment also provides a terminal, which includes a first processor 901, a first memory 902, and a first communication bus 903;
the first communication bus 903 is used for realizing connection communication between the first processor 901 and the first memory 902;
the first processor 901 is configured to execute one or more computer programs stored in the first memory 902 to implement the steps of the authentication method based on the GBA as performed by the user terminal in the first embodiment and the second embodiment.
The embodiment further provides a gateway, which includes a second processor 1001, a second memory 1002 and a second communication bus 1003;
the second communication bus 1003 is used for realizing connection communication between the second processor 1001 and the second memory 1002;
the second processor 1001 is configured to execute one or more computer programs stored in the second memory 1002 to implement the steps of the authentication method based on the GBA as performed by the application layer gateway side in the first and second embodiments.
The embodiment further provides a wireless access node, which includes a third processor 1101, a third memory 1102 and a third communication bus 1103;
the third communication bus 1103 is used for realizing connection communication between the third processor 1101 and the third memory 1102;
the third processor 1101 is configured to execute one or more computer programs stored in the third memory 1102 to implement the steps of the GBA-based authentication method as performed by the radio access node side in the first and second embodiments.
The present embodiments also provide a computer-readable storage medium including volatile or non-volatile, removable or non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, computer program modules or other data. Computer-readable storage media include, but are not limited to, RAM (Random Access Memory), ROM (Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), flash memory or other memory technology, CD-ROM (Compact Disc Read-Only Memory), Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer.
The computer-readable storage medium in this embodiment may be used to store one or more computer programs, and the stored one or more computer programs may be executed by the processor to implement at least one step of the authentication method based on the GBA in the first and second embodiments, which is applied to the terminal side, the gateway side, or the radio access node side.
It will be apparent to those skilled in the art that all or some of the steps of the methods, systems, functional modules/units in the devices disclosed above may be implemented as software (which may be implemented in computer program code executable by a computing device), firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit.
In addition, communication media typically embodies computer readable instructions, data structures, computer program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as known to one of ordinary skill in the art. Thus, the present invention is not limited to any specific combination of hardware and software.
The foregoing is a more detailed description of embodiments of the present invention, and the present invention is not to be considered limited to such descriptions. For those skilled in the art to which the invention pertains, several simple deductions or substitutions can be made without departing from the spirit of the invention, and all shall be considered as belonging to the protection scope of the invention.

Claims (11)

1. An authentication method based on a Generic Bootstrapping Architecture (GBA), comprising:
carrying out protocol negotiation of a secure transmission layer with an application layer gateway, and confirming a used secret key algorithm suite;
and applying the secret key algorithm suite to the wireless access node through the application layer gateway, so that the wireless access node performs authentication by using the secret key algorithm suite.
2. The GBA-based authentication method according to claim 1, wherein applying the key algorithm suite to the wireless access node through the application layer gateway comprises:
forwarding the key algorithm suite to the wireless access node through the application layer gateway, thereby applying the key algorithm suite to the wireless access node;
and/or
and performing secure transport layer protocol negotiation with the wireless access node by using the key algorithm suite through the application layer gateway, thereby applying the key algorithm suite to the wireless access node.
3. The GBA-based authentication method according to claim 2, wherein forwarding the key algorithm suite to the wireless access node through the application layer gateway comprises:
sending a service request to the application layer gateway;
and forwarding the service request to the wireless access node through the application layer gateway, wherein the application layer gateway carries the secret key algorithm suite when forwarding the service request to the wireless access node.
4. The GBA-based authentication method according to claim 2, wherein forwarding the key algorithm suite to the wireless access node through the application layer gateway comprises:
sending a service request to the application layer gateway, wherein the service request carries the secret key algorithm suite;
forwarding, by the application layer gateway, the service request to the wireless access node.
5. The GBA-based authentication method according to claim 2, wherein performing secure transport layer protocol negotiation with the application layer gateway and confirming the used key algorithm suite comprises:
carrying out secure transport layer protocol negotiation with the application layer gateway, and confirming a supported secret key algorithm suite set, wherein the secret key algorithm suite set comprises at least two secret key algorithm suites capable of being used;
the negotiating, by the application layer gateway, a secure transport layer protocol with the wireless access node using the key algorithm suite includes:
and performing secure transport layer protocol negotiation with the wireless access node by using the key algorithm suite set through the application layer gateway, and determining the key algorithm suite used by the application layer gateway and the wireless access node.
6. An authentication method based on a Generic Bootstrapping Architecture (GBA), comprising:
carrying out secure transport layer protocol negotiation with a user terminal, and confirming a secret key algorithm suite used by the user terminal;
and applying the secret key algorithm suite to a wireless access node, so that the wireless access node performs authentication by using the secret key algorithm suite.
7. An authentication method based on a Generic Bootstrapping Architecture (GBA), comprising:
authenticating by using a secret key algorithm suite applied to the wireless access node by an application layer gateway;
the key algorithm suite is a key algorithm suite used by the user terminal and confirmed by the security transport layer protocol negotiation between the application layer gateway and the user terminal.
8. A terminal comprising a first processor, a first memory, and a first communication bus;
the first communication bus is used for realizing connection communication between the first processor and the first memory;
the first processor is configured to execute one or more computer programs stored in the first memory to implement the steps of the generic bootstrapping architecture GBA based authentication method according to any one of claims 1 to 5.
9. A gateway comprising a second processor, a second memory, and a second communication bus;
the second communication bus is used for realizing connection communication between the second processor and the second memory;
the second processor is configured to execute one or more computer programs stored in the second memory to implement the steps of the GBA-based authentication method according to claim 6.
10. A wireless access node comprising a third processor, a third memory, and a third communication bus;
the third communication bus is used for realizing connection communication between the third processor and the third memory;
the third processor is configured to execute one or more computer programs stored in the third memory to implement the steps of the GBA-based authentication method according to claim 7.
11. A computer-readable storage medium, characterized in that the computer-readable storage medium stores one or more computer programs executable by one or more processors for implementing the steps of the generic bootstrapping architecture GBA based authentication method according to any one of claims 1-5, claim 6 or claim 7.
CN202010819512.6A 2020-08-14 2020-08-14 Authentication method based on general guide architecture GBA and corresponding device Pending CN114143016A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202010819512.6A CN114143016A (en) 2020-08-14 2020-08-14 Authentication method based on general guide architecture GBA and corresponding device
PCT/CN2021/101804 WO2022033186A1 (en) 2020-08-14 2021-06-23 General bootstrapping architecture-based authentication method and corresponding device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010819512.6A CN114143016A (en) 2020-08-14 2020-08-14 Authentication method based on general guide architecture GBA and corresponding device

Publications (1)

Publication Number Publication Date
CN114143016A true CN114143016A (en) 2022-03-04

Family

ID=80247635

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010819512.6A Pending CN114143016A (en) 2020-08-14 2020-08-14 Authentication method based on general guide architecture GBA and corresponding device

Country Status (2)

Country Link
CN (1) CN114143016A (en)
WO (1) WO2022033186A1 (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005055518A1 (en) * 2003-12-08 2005-06-16 Huawei Technologies Co., Ltd. A method for establishment of the service tunnel in wlan
CN1921682A (en) * 2005-08-26 2007-02-28 Huawei Technologies Co., Ltd. Method for enhancing key negotiation in universal identifying framework
CN1929371A (en) * 2005-09-05 2007-03-14 Huawei Technologies Co., Ltd. Method for negotiating key share between user and peripheral apparatus
CN1977514A (en) * 2004-06-28 2007-06-06 Nokia Corporation Authenticating users
CN101005701A (en) * 2006-01-18 2007-07-25 Huawei Technologies Co., Ltd. Connection set-up method
CN101156412A (en) * 2005-02-11 2008-04-02 Nokia Corporation Method and apparatus for providing bootstrapping procedures in a communication network
CN102625306A (en) * 2011-01-31 2012-08-01 China Academy of Telecommunications Technology Method, system and equipment for authentication
WO2015072899A1 (en) * 2013-11-15 2015-05-21 Telefonaktiebolaget L M Ericsson (Publ) Methods and devices for bootstrapping of resource constrained devices
WO2016166529A1 (en) * 2015-04-13 2016-10-20 Vodafone Ip Licensing Limited Security improvements in a cellular network

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2586549B (en) * 2013-09-13 2021-05-26 Vodafone Ip Licensing Ltd Communicating with a machine to machine device

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005055518A1 (en) * 2003-12-08 2005-06-16 Huawei Technologies Co., Ltd. A method for establishment of the service tunnel in wlan
CN1977514A (en) * 2004-06-28 2007-06-06 Nokia Corporation Authenticating users
CN101156412A (en) * 2005-02-11 2008-04-02 Nokia Corporation Method and apparatus for providing bootstrapping procedures in a communication network
CN1921682A (en) * 2005-08-26 2007-02-28 Huawei Technologies Co., Ltd. Method for enhancing key negotiation in universal identifying framework
CN1929371A (en) * 2005-09-05 2007-03-14 Huawei Technologies Co., Ltd. Method for negotiating key share between user and peripheral apparatus
CN101005701A (en) * 2006-01-18 2007-07-25 Huawei Technologies Co., Ltd. Connection set-up method
CN102625306A (en) * 2011-01-31 2012-08-01 China Academy of Telecommunications Technology Method, system and equipment for authentication
WO2015072899A1 (en) * 2013-11-15 2015-05-21 Telefonaktiebolaget L M Ericsson (Publ) Methods and devices for bootstrapping of resource constrained devices
WO2016166529A1 (en) * 2015-04-13 2016-10-20 Vodafone Ip Licensing Limited Security improvements in a cellular network

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
DAVID KHOURY et al.: "Generic hybrid methods for secure connections based on the integration of GBA and TLS/CA", 2017 Sensors Networks Smart and Emerging Technologies (SENSET), 30 November 2017 (2017-11-30) *
党荣娟: "Research and analysis of the security of wireless sensor network access to 3GPP", Wanfang Academic Dissertation Database, 31 July 2012 (2012-07-31) *
缪永生 et al.: "Research on the application of the Generic Bootstrapping Architecture in IMS networks", ZTE Technology Journal, 10 August 2014 (2014-08-10) *
赵川斌 et al.: "Research on a GBA-based MBMS terminal security architecture", Video Engineering, 17 July 2008 (2008-07-17) *

Also Published As

Publication number Publication date
WO2022033186A1 (en) 2022-02-17

Similar Documents

Publication Publication Date Title
JP4643657B2 (en) User authentication and authorization in communication systems
US8639936B2 (en) Methods and entities using IPSec ESP to support security functionality for UDP-based traffic
US7529933B2 (en) TLS tunneling
US8321670B2 (en) Securing dynamic authorization messages
US8543814B2 (en) Method and apparatus for using generic authentication architecture procedures in personal computers
CN110299996B (en) Authentication method, equipment and system
CN106788989B (en) Method and equipment for establishing secure encrypted channel
AU2020200523B2 (en) Methods and arrangements for authenticating a communication device
CN112714053B (en) Communication connection method and device
AU2020396746B2 (en) Provisioning method and terminal device
US20180069836A1 (en) Tiered attestation for resource-limited devices
JP2015065677A (en) Method and apparatus for interworking authorization of dual stack operation
CN112929881A (en) Machine card verification method applied to extremely simple network and related equipment
US11316670B2 (en) Secure communications using network access identity
CN114143016A (en) Authentication method based on general guide architecture GBA and corresponding device
US9602493B2 (en) Implicit challenge authentication process
WO2019099456A1 (en) System and method for securely activating a mobile device and storing an encryption key
WO2019141135A1 (en) Trusted service management method and apparatus capable of supporting wireless network switching
KR20140095050A (en) Method and apparatus for supporting single sign-on in a mobile communication system
CN115314278B (en) Trusted network connection identity authentication method, electronic equipment and storage medium
WO2020041933A1 (en) Methods and devices for a secure connection
KR20070058861A (en) Method for identifying universally using sasl

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination