CN111163470B - Core network element communication method and device, computer storage medium and electronic equipment - Google Patents

Core network element communication method and device, computer storage medium and electronic equipment Download PDF

Info

Publication number
CN111163470B
CN111163470B CN201911413926.2A CN201911413926A CN111163470B CN 111163470 B CN111163470 B CN 111163470B CN 201911413926 A CN201911413926 A CN 201911413926A CN 111163470 B CN111163470 B CN 111163470B
Authority
CN
China
Prior art keywords
network element
end network
sending
key
signature
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201911413926.2A
Other languages
Chinese (zh)
Other versions
CN111163470A (en
Inventor
唐宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Lenovo Beijing Ltd
Original Assignee
Lenovo Beijing Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Lenovo Beijing Ltd filed Critical Lenovo Beijing Ltd
Priority to CN201911413926.2A priority Critical patent/CN111163470B/en
Publication of CN111163470A publication Critical patent/CN111163470A/en
Application granted granted Critical
Publication of CN111163470B publication Critical patent/CN111163470B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03Protecting confidentiality, e.g. by encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041Key generation or derivation

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a communication method, a device, a computer storage medium and electronic equipment of a core network element, wherein the method comprises the following steps: generating a sending end network element self-signature and a first service interaction security key according to a sending end network element initialization parameter obtained from a server end; the initialization parameters of the network element at the sending end comprise a network element root signature of the sending end; encrypting a network element root signature of a sending end according to a first service interaction security key; generating a first authentication certificate according to the self signature of the sending end network element and the encrypted sending end network element root signature, and sending the first authentication certificate to the receiving end network element; receiving a second authentication certificate from the receiving terminal network element, and authenticating the receiving terminal network element according to the second authentication certificate; and when the authentication of the network element at the sending end to the network element at the receiving end is successful and the authentication of the network element at the receiving end to the network element at the sending end is successful, encrypting and transmitting the service data interacted with the network element at the receiving end according to the service interaction security key.

Description

Core network element communication method and device, computer storage medium and electronic equipment
Technical Field
The present invention relates to the field of mobile communications technologies, and in particular, to a core network element communication method and apparatus, a computer storage medium, and an electronic device.
Background
The 5G core network defined by the third Generation Partnership Project (3 GPP) is divided into different network elements according to functions, such as an access and mobility management function (AMF) network element, an authentication server function (AUSF) network element, and the like, and Service Based Interface (SBI) communication is adopted between the network elements, and the SBI Interface is Based on a hypertext transfer protocol (HTTP). Communication messages between network elements can pass through a complex network environment, and are possibly unsafe, and potential attackers can steal and see message contents or arbitrarily tamper with the message contents, so that the security of a 5G core network system is threatened.
In order to ensure the communication security between network elements of the 5G core network, 3GPP defines a Certificate-based TLS security mechanism, which is a transport layer security mechanism: the network element needs to have its own certificate, and the identity legitimacy of both communication parties is ensured by certificate authentication, and security parameters such as a secret key are negotiated by a TLS protocol to ensure the confidentiality and integrity of transmission data. In this way, because the certificate needs to be transmitted on the communication link, each network element is required to maintain the certificate of itself and the certificate of the other network element, and mechanisms such as certificate revocation are involved, the overhead requirement on the 5G core network system is high, and potential safety hazards also exist.
Disclosure of Invention
In view of the above, the present invention provides a core network element communication method, a computer storage medium and an electronic device, so as to at least solve the above technical problems in the prior art.
The invention provides a core network element communication method, which is applied to a sending end network element, wherein the sending end network element is communicated with a server end and a receiving end network element, and the method comprises the following steps:
generating a self-signature of the sending end network element and a first service interaction security key according to the sending end network element initialization parameter obtained from the server end; the initialization parameters of the network element at the sending end comprise a network element root signature of the sending end;
encrypting the network element root signature of the sending end according to the first service interaction security key;
generating a first authentication certificate according to the self-signature of the sending end network element and the encrypted sending end network element root signature, and sending the first authentication certificate to the receiving end network element for the receiving end network element to authenticate the sending end network element;
receiving a second authentication certificate sent by the receiving terminal network element, and authenticating the receiving terminal network element according to the second authentication certificate;
and when the authentication of the sending end network element to the receiving end network element is successful and the authentication of the receiving end network element to the sending end network element is successful, encrypting and transmitting the service data interacted with the receiving end network element according to the first service interaction security key.
In an implementation manner, the initialization parameter of the sending-end network element further includes: the method comprises the steps that identity information of a sending end network element, a private key of the sending end network element and an initial security parameter set are obtained;
the generating the self-signature of the sending end network element according to the sending end network element initialization parameter obtained from the server end comprises:
generating a sending end network element self-signature based on a preset signature algorithm according to the sending end network element identity information, the sending end network element private key and the security parameter set of the communication;
the security parameter set of the communication is composed of at least one security parameter selected by the sending end network element from the initial security parameter set; the security parameter set of the communication is uniquely identified by a security parameter set ID, and the security parameter set of the communication is also notified to the receiving end network element by the sending end network element.
In an implementation manner, the generating a first service interaction security key according to the sending-end network element initialization parameter obtained from the server end includes:
generating a receiving end network element public key based on a preset network element public key derivation algorithm according to the receiving end network element identity information;
generating a first symmetric key according to the sending end network element private key and the receiving end network element public key and based on a preset symmetric key derivation algorithm;
generating a random number;
generating the first service interaction security key based on a preset security key derivation algorithm according to the random number and the first symmetric key; wherein the first service interaction security key comprises a first encryption key and a first integrity protection key;
correspondingly, the encrypting the sending-end network element root signature according to the first service interaction security key includes: and encrypting the network element root signature of the sending end based on a preset root signature encryption algorithm according to the first encryption key.
In one embodiment, the first authentication credential includes: the system comprises sending end network element identity information, a security parameter set ID of the communication, a sending end self-signature, an encrypted sending end network element root signature, a sending end network element root signature effective stop time and the random number.
In one embodiment, the second authentication credential includes: receiving end network element identity information, a security parameter set ID of the communication, a receiving end network element self-signature, an encrypted receiving end network element root signature and a receiving end network element root signature effective time;
the authenticating the receiving end network element according to the second authentication credential includes:
generating a receiving end network element public key based on a preset network element public key derivation algorithm according to the receiving end network element identity information;
verifying the self-signature of the receiving end network element according to the public key of the receiving end network element;
when the self-signature verification of the receiving end network element is successful, generating a second symmetric key according to the public key of the receiving end network element and the private key of the sending end network element and based on a preset symmetric key derivation algorithm;
generating a second service interaction security key based on a preset security key derivation algorithm according to the random number and the second symmetric key; the service interaction security key comprises a second encryption key and a second integrity protection key;
verifying whether the expiration validity time of the receiving end network element root signature is valid or not;
when the validity time of the receiving end network element root signature is verified to be valid, decrypting the encrypted receiving end network element root signature in the second authentication certificate according to the second encryption key;
verifying whether the network element root signature of the receiving end is legal or not;
and when the receiving end network element root signature is verified to be legal, the successful authentication of the receiving end network element is confirmed.
Another aspect of the present invention provides a core network element communication apparatus, which is applied to a sending-end network element, where the sending-end network element communicates with a server-end network element and a receiving-end network element, and the apparatus includes:
a first generating unit, configured to generate a self-signature of the sending-end network element and a first service interaction security key according to the sending-end network element initialization parameter obtained from the server end; the initialization parameters of the network element at the sending end comprise a network element root signature of the sending end;
the encryption unit is used for encrypting the network element root signature of the sending end according to the first service interaction security key;
a second generating unit, configured to generate a first authentication credential according to the self-signature of the sending-end network element and the encrypted sending-end network element root signature, and send the first authentication credential to the receiving-end network element, so that the receiving-end network element authenticates the sending-end network element;
the authentication unit is used for receiving a second authentication certificate sent by the receiving terminal network element and authenticating the receiving terminal network element according to the second authentication certificate;
and the encryption interaction unit is used for carrying out encryption transmission on the service data interacted with the receiving end network element according to the first service interaction security key when the authentication of the sending end network element on the receiving end network element is successful and the authentication of the receiving end network element on the sending end network element is successful.
In an implementation manner, the initialization parameter of the sending-end network element further includes: the method comprises the steps that identity information of a sending end network element, a private key of the sending end network element and an initial security parameter set are obtained; the security parameter set is uniquely identified by a security parameter set ID;
the first generating unit is further configured to generate a sending-end network element self-signature based on a preset signature algorithm according to the sending-end network element identity information, the sending-end network element private key and the security parameter set of the current communication;
the security parameter set of the communication is composed of at least one security parameter selected by the sending end network element from the initial security parameter set; the security parameter set of the communication is uniquely identified by a security parameter set ID, and the security parameter set of the communication is also notified to the receiving end network element by the sending end network element.
In an embodiment, the first generating unit is further configured to generate the first service interaction security key by:
generating a receiving end network element public key based on a preset network element public key derivation algorithm according to the receiving end network element identity information;
generating a first symmetric key according to the sending end network element private key and the receiving end network element public key and based on a preset symmetric key derivation algorithm;
generating a random number;
generating the first service interaction security key based on a preset security key derivation algorithm according to the random number and the first symmetric key; the service interaction security key comprises a first encryption key and a first integrity protection key;
correspondingly, the encryption unit is further configured to encrypt the network element root signature of the sending end according to the first encryption key and based on a preset root signature encryption algorithm.
In one embodiment, the first authentication credential includes: the system comprises sending end network element identity information, a security parameter set ID of the communication, a sending end self-signature, an encrypted sending end network element root signature, a sending end network element root signature effective stop time and the random number.
In one embodiment, the second authentication credential includes: receiving end network element identity information, a security parameter set ID of the communication, a receiving end network element self-signature, an encrypted receiving end network element root signature and a receiving end network element root signature effective time;
the authentication unit is further configured to authenticate the receiving-side network element by:
generating a receiving end network element public key based on a preset network element public key derivation algorithm according to the receiving end network element identity information;
verifying the self-signature of the receiving end network element according to the public key of the receiving end network element;
when the self-signature verification of the receiving end network element is successful, generating a second symmetric key according to the public key of the receiving end network element and the private key of the sending end network element and based on a preset symmetric key derivation algorithm;
generating a second service interaction security key based on a preset security key derivation algorithm according to the random number and the second symmetric key; the service interaction security key comprises a second encryption key and a second integrity protection key;
verifying whether the expiration validity time of the receiving end network element root signature is valid or not;
when the validity time of the receiving end network element root signature is verified to be valid, decrypting the encrypted receiving end network element root signature in the second authentication certificate according to the second encryption key;
verifying whether the network element root signature of the receiving end is legal or not;
and when the receiving end network element root signature is verified to be legal, the successful authentication of the receiving end network element is confirmed.
The embodiment of the present invention further provides a computer-readable storage medium, where the storage medium stores a computer program, and the computer program is used to execute the communication method according to the embodiment of the present invention.
An embodiment of the present invention further provides an electronic device, including:
a processor;
a memory for storing the processor-executable instructions;
the processor is used for reading the executable instruction from the memory and executing the instruction to realize the communication method of the embodiment of the invention.
By implementing the core network element communication method, the core network element communication device, the computer-readable storage medium and the electronic equipment of the embodiment of the invention, the bidirectional authentication process between the sending end network element and the receiving end network element is realized based on the network element self-signature and the root signature, and the service interaction security key generated based on the public key and the private key of the sending end network element and the receiving end network element protects the service data interaction transmission process after the authentication is successful. The method does not need to transmit the certificate on a communication link, thereby avoiding potential safety hazard caused by online transmission of the certificate; the network element does not need to maintain the certificates of the network element and other network elements, so that the burden of maintaining the certificates of the network element is greatly reduced; in addition, the embodiment of the invention simplifies the deployment and maintenance work of the core network element, the system deployment is convenient, only one group of initialization parameters needs to be introduced when the network element is established, and the expense of the core network system is also saved.
Drawings
FIG. 1 is a schematic diagram of an application scenario according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating a core network element communication method according to an embodiment of the present invention;
fig. 3 is a schematic flowchart of another core network element communication method according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a core network element communication device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, features and advantages of the present invention more obvious and understandable, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Exemplary application scenarios
As shown in fig. 1, an exemplary application scenario according to an embodiment of the present invention is shown, where the application scenario is based on a 5G core network architecture, and includes a sending-end network element, a receiving-end network element, and a server-end, and the three may communicate with each other. The sending end network element and the receiving end network element are used for realizing the interaction of service data according to the established communication connection; the server serves as a server in a 5G core network architecture, and is configured to provide support for service data interaction between a sending-end network element and a receiving-end network element, where specific functions of the server will be described in detail later. The sending end network element and the receiving end network element are concepts divided from the sending and receiving roles of the service data, and in practice, any network element in a 5G core network architecture can be used as both the sending end network element and the receiving end network element; similarly, when the network element is used as a receiving end network element, the network element has the receiving end network element function described in the embodiment of the present invention.
In addition, the network elements of the 5G core network in the embodiment of the present invention are of various types, such as AMF network elements, AUSF network elements, and the like, and the embodiment of the present invention is not limited too much, and all the network elements of the core network to which the communication method described in the embodiment of the present invention is applied should belong to the network element category described in the present invention.
Exemplary method
With reference to the application scenario shown in fig. 1 and the flowchart shown in fig. 2, a core network element communication method provided in an embodiment of the present invention is applied to a sending-end network element, and the method includes:
step 201, generating a sending end network element self-signature and a first service interaction security key according to a sending end network element initialization parameter obtained from a server end; the initialization parameter of the network element at the sending end comprises a network element root signature of the sending end.
The sending-end network element may obtain the sending-end network element initialization parameter from the server end offline.
Step 202, encrypting the network element root signature of the sending terminal according to the first service interaction security key.
Step 203, generating a first authentication certificate according to the self-signature of the sending-end network element and the encrypted sending-end network element root signature, and sending the first authentication certificate to the receiving-end network element for the receiving-end network element to authenticate the sending-end network element.
And step 204, receiving a second authentication certificate from the receiving end network element, and authenticating the receiving end network element according to the second authentication certificate.
The second authentication voucher generation process of the receiving end network element is as follows:
the receiving end network element generates a receiving end network element self-signature and a second service interaction security key according to the receiving end network element initialization parameter obtained from the server end; the receiving end network element initialization parameter comprises a receiving end network element root signature; the receiving end network element can be a receiving end network element initialization parameter obtained from a server end in an off-line manner;
the receiving end network element encrypts a receiving end network element root signature according to the second service interaction security key;
and the receiving end network element generates a second authentication certificate according to the self signature of the receiving end network element and the encrypted receiving end network element root signature.
It can be seen that the generation process of the second authentication credential in the receiving-side network element is similar to the generation process of the first credential in the sending-side network element.
Step 205, when the authentication of the sending-end network element to the receiving-end network element is successful and the authentication of the receiving-end network element to the sending-end network element is successful, encrypting and transmitting the service data interacted with the receiving-end network element according to the first service interaction security key.
In an implementation manner, the initiating parameter of the sending-end network element further includes: the method comprises the steps that identity information of a sending end network element, a private key of the sending end network element and an initial security parameter set are obtained;
the step of generating the self-signature of the sending end network element according to the sending end network element initialization parameter obtained from the server end comprises the following steps:
generating a sending end network element self-signature based on a preset signature algorithm according to the sending end network element identity information, a sending end network element private key and the security parameter set of the communication;
the security parameter set of the communication is composed of at least one security parameter selected by a sending terminal network element from an initial security parameter set; the security parameter set of the communication is uniquely identified by the security parameter set ID, and the security parameter set of the communication is also notified to the receiving end network element by the transmitting end network element.
Correspondingly, the receiving end network element initialization parameter further includes: receiving end network element identity information, a receiving end network element private key and an initial security parameter set;
the receiving end network element generating the receiving end network element self-signature according to the receiving end network element initialization parameter obtained from the server end comprises the following steps:
generating a receiving terminal network element self-signature based on a preset signature algorithm according to the receiving terminal network element identity information, the receiving terminal network element private key and the security parameter set of the communication;
the security parameter set of the communication is composed of at least one security parameter selected by a sending terminal network element from an initial security parameter set; the security parameter set of the communication is uniquely identified by the security parameter set ID, and the security parameter set of the communication is notified to the receiving end network element by the transmitting end network element.
In an implementation manner, the generating, by a sending-end network element, a first service interaction security key according to a sending-end network element initialization parameter obtained from a server includes:
generating a receiving end network element public key based on a preset network element public key derivation algorithm according to the receiving end network element identity information;
generating a first symmetric key according to the private key of the network element at the sending end and the public key of the network element at the receiving end and based on a preset symmetric key derivation algorithm;
generating a random number;
generating a first service interaction security key based on a preset security key derivation algorithm according to the random number and the first symmetric key; the first service interaction security key comprises a first encryption key and a first integrity protection key;
correspondingly, encrypting the network element root signature of the sending end according to the first service interaction security key comprises the following steps: and encrypting the network element root signature of the sending end based on a preset root signature encryption algorithm according to the first encryption key.
Correspondingly, the receiving-end network element generates a second service interaction security key according to the receiving-end network element initialization parameter obtained from the server end, including:
generating a sending end network element public key according to the sending end network element identity information and based on a preset network element public key derivation algorithm;
generating a second symmetric key according to the private key of the network element at the receiving end and the public key of the network element at the sending end and based on a preset symmetric key derivation algorithm;
generating a second service interaction security key based on a preset security key derivation algorithm according to the random number and the second symmetric key; the second service interaction security key comprises a second encryption key and a second integrity protection key; the random number is sent to the receiving terminal network element by the sending terminal network element through the first authentication certificate;
correspondingly, encrypting the receiving end network element root signature according to the second service interaction security key comprises: and encrypting the root signature of the network element at the receiving end based on a preset root signature encryption algorithm according to the second encryption key.
In one embodiment, the first authentication credential includes: the system comprises sending end network element identity information, a security parameter set ID of the communication, a sending end self-signature, an encrypted sending end network element root signature, a sending end network element root signature effective stop time and the random number. The effective time of the sending end network element root signature is carried in the initialization parameters of the sending end network element by the server end and sent to the sending end network element, namely, the effective time is led into the sending end network element along with the sending end network element root signature during the network element initialization.
The receiving end network element authenticates the sending end network element according to the first authentication certificate, and the method comprises the following steps:
generating a sending end network element public key according to sending end network element identity information and based on a preset network element public key derivation algorithm;
verifying the self-signature of the sending end network element according to the public key of the sending end network element;
when the self-signature verification of the sending end network element is successful, generating a first symmetric key according to the public key of the sending end network element and the private key of the receiving end network element and based on a preset symmetric key derivation algorithm;
generating a first service interaction security key based on a preset security key derivation algorithm according to the random number and the first symmetric key; the service interaction security key comprises a first encryption key and a first integrity protection key;
verifying whether the net element root signature expiration validity time of the sending end is valid;
when the validity time of the net element root signature of the sending end is verified to be valid, the net element root signature of the sending end encrypted in the first authentication certificate is decrypted according to the first encryption key;
verifying whether the network element root signature of the sending end is legal or not;
and when the network element root signature of the sending end is verified to be legal, the successful authentication of the network element of the sending end is confirmed.
In one embodiment, the second authentication credential includes: receiving end network element identity information, a security parameter set ID of the communication, a receiving end network element self-signature, an encrypted receiving end network element root signature and a receiving end network element root signature effective time; the effective time of the receiving end network element root signature is carried in the receiving end network element initialization parameters by the server end and is sent to the receiving end network element, namely, the effective time of the receiving end network element root signature is led into the receiving end network element together with the receiving end network element root signature during the network element initialization.
Authenticating the receiving end network element according to the second authentication certificate, comprising:
generating a receiving end network element public key based on a preset network element public key derivation algorithm according to the receiving end network element identity information;
verifying the self-signature of the receiving end network element according to the public key of the receiving end network element;
when the self-signature verification of the receiving end network element is successful, generating a second symmetric key according to the public key of the receiving end network element and the private key of the sending end network element and based on a preset symmetric key derivation algorithm;
generating a second service interaction security key based on a preset security key derivation algorithm according to the random number and the second symmetric key; the service interaction security key comprises a second encryption key and a second integrity protection key;
verifying whether the expiration validity time of the network element root signature of the receiving end is valid;
when the validity time of the receiving end network element root signature is verified to be valid, decrypting the encrypted receiving end network element root signature in the second authentication certificate according to the second encryption key;
verifying whether the network element root signature of the receiving end is legal or not;
and when the receiving end network element root signature is verified to be legal, the successful authentication of the receiving end network element is confirmed.
After the sending-end network element successfully authenticates the receiving-end network element and the receiving-end network element successfully authenticates the sending-end network element, the sending-end network element and the receiving-end network element can start the safe transmission of the service data, wherein the service data transmitted to the receiving-end network element by the sending-end network element is protected by a first encryption key and a first integrity protection key, and the service data transmitted to the sending-end network element by the receiving-end network element is protected by a second encryption key and a second integrity protection key.
By the method of the embodiment of the invention, the bidirectional authentication process between the sending end network element and the receiving end network element is realized based on the network element self-signature and the root signature, and the service interaction security key generated based on the public key and the private key of the sending end network element and the receiving end network element protects the service data interaction transmission process after the authentication is successful. The method does not need to transmit the certificate on a communication link, thereby avoiding potential safety hazard caused by online transmission of the certificate; the network element does not need to maintain the certificates of the network element and other network elements, so that the burden of maintaining the certificates of the network element is greatly reduced; in addition, the embodiment of the invention simplifies the deployment and maintenance work of the core network element, the system deployment is convenient, only one group of initialization parameters needs to be introduced when the network element is established, and the expense of the core network system is also saved.
The communication method according to the embodiment of the present invention is further described in detail below with reference to fig. 3, which takes a sending-end network element Sender, a receiving-end network element Receiver, and a Server-end ROOT Server as examples. The communication method flow between the Sender network element and the Receiver network element comprises the following steps:
step 301a, the Sender network element obtains the Sender network element initialization parameter imported by the ROOT Server.
Step 301b, the Receiver network element obtains the initialization parameter of the Receiver network element imported by the ROOT Server.
The ROOT Server is used for issuing a ROOT signature and importing security parameters to the network element, and the ROOT Server holds a ROOT private key and a ROOT public key. The actual operator of the ROOT Server may be regarded as the administrator of the network deployment, and sets the Identity, key parameters, and the like of each network element installed and deployed for secure communication.
The Root public key is a public parameter, while the Root private key and the Km parameter are private to the Root Server, which must be stored privately. Root private key is used for Root signature, Km is used for network element private key generation.
The network element initialization parameters include: the network element identity information, the network element private key (private key), the security parameter set, the root signature expiration validity time, and the like.
The network element Identity information may be a network element Identity (Identity), and the Identity of the Sender network element is denoted as ID-Sender. The network element identity is a unique identity of the network element, and the format may be defined as follows:
Identity=<Domain>:<NF-type>:<Name>
domain represents a Domain Name, NF-type represents a network element type, and Name represents a network element Name. Such as: the identity of a certain AMF network element is: www.lenovo.com AMF AMF-instance 1. "www.lenovo.com" represents < Domain >, "AMF" represents < NF-type >, and "AMF-instance 1" represents < Name >.
The generation process of the network element private key is executed on the ROOT Server, which needs the ROOT Server to have a private security parameter Km, and the generation method of the network element private key is as follows:
network element private key ═ (network element public key)Km
Because the Km parameter is private to the ROOT Server, the corresponding private key cannot be deduced from the outside through the public key of the network element, and thus the safety is ensured. For convenience of description, the private key of the Sender network element is denoted as PRIV-Sender.
The security parameter sets include, but are not limited to: security parameter set ID, Elliptic Curve domain parameter (such as secp256r1), mac (message Authentication codes) algorithm identification (such as HMAC-SHA-256), ENC encryption algorithm identification (such as AES), Key Derivation Function (KDF, Key Derivation Function) algorithm identification (such as ANSI-X9.63-KDF), HASH algorithm identification (SHA-256), network element public Key Derivation algorithm identification, ECDH private (such as elastic current factor Diffie-Hellman private), signature algorithm identification (such as ECDSA), and the like. The number of the security parameter sets can be multiple, and all the network elements need to support all the security parameter sets in principle by being imported into the network elements during network element initialization and by using globally unique ID identification.
The negotiation of the security parameter set is initiated by the Sender network element, the Sender network element tells the Receiver network element the security parameter set adopted by the communication, and the ID of the security parameter set and the content of the ID of the security parameter set are added into the calculation of the self-signature, so that the ID of the security parameter set negotiated by the Sender network element and the Receiver network element can be ensured not to be tampered by a man-in-the-middle.
The ROOT signature refers to a digital signature which is made by the ROOT Server to the Sender network element by using a private key of the ROOT Server, and any other network element can verify whether the ROOT signature is signed by the ROOT Server to the Sender network element through a public ROOT public key parameter, so that whether the network element is legally deployed is verified and proved. The root signature method is briefly described as follows:
root signature ═ signature algorithm (Root private key, Root Identity, network element Identity, Root signature expiration time);
the root signature is one for each security parameter set, since the signature algorithm may differ from security parameter set to security parameter set.
The ROOT Server adds the ROOT signature valid time when calculating the ROOT signature, and after the time, the network element identity can be considered to be not accepted by the ROOT Server, and a receiver should consider that the ROOT signature authentication fails during the bidirectional authentication.
The effective time of the root signature is imported into the network element along with the root signature during the initialization of the network element, and the root signature need to be mutually transmitted to each other for verification in the bidirectional authentication stage. Even if someone intentionally extends this time, the peer is still not verified when the root signature is verified.
Step 302, the Sender network element calculates a self-signature.
The self-signature is used for a Receiver network element to authenticate a Sender network element.
The self-signature means that the network element makes a digital signature on the related public information by using a private key of the network element, the other party uses the public key information disclosed by the network element and verifies the public key information by using a signature algorithm, and if the signature passes the verification, the network element is the claimed identity of the network element and is not impersonated.
The calculation method of the self-signature is briefly described as follows:
the self-signature is a signature algorithm (a private key of the network element, an identity ID of the network element, a security parameter set ID, and content corresponding to the security parameter set ID).
Step 303, the Sender network element generates a public key PUB-Receiver of the opposite-end Receiver network element.
The Identity of the network element is a character string, and needs to be mapped to a point on the elliptic curve defined by the elliptic curve domain parameter, which is a public key (public key) of the network element, such as the public key PUB-sender of the network element at the sending end and the public key PUB-receiver of the network element at the receiving end. The public key derivation algorithm of the network element is preset to the network element, and each network element can derive the corresponding public key according to the Identity of the opposite network element.
Step 304, the Sender network element generates a symmetric key Shared-key.
The Sender network element uses an ECDH (explicit currents Diffie-Hellman) algorithm and calculates a symmetric key Shared-key according to the private key PRIV-Sender of the Sender network element and the public key PUB-Receiver of the opposite-end Receiver network element.
If the two sides of the Sender network element and the opposite-end Receiver network element are successfully authenticated, the respectively calculated Shared-key is the same, so that the continuously derived ENC-key and MAC-key are also the same. Subsequent traffic data is protected using the symmetric key.
Step 305, the Sender network element generates a random number RAND.
Because public keys and private keys of the Sender network element and the Receiver network element are not changed frequently, the generated Share-keys are also fixed, and if the keys are directly used for encrypting the message and are unsafe, random numbers are introduced to ensure that the keys actually used for protecting the message each time are changed and are not easy to crack.
And step 306, the Sender network element generates an encryption key ENC-key and an integrity protection key MAC-key.
The Sender network element uses KDF algorithm, and generates corresponding ENC-key and MAC-key according to the generated random number RAND and the symmetric key Shared-key, and the two keys can be used as the protection key of the subsequent service interaction.
Step 307, the Sender network element encrypts the Sender root signature.
The Sender network element encrypts the Sender root signature imported in step 301 using the ENC-key generated in step 306.
Step 308, the Sender network element sends an authentication credential to the Receiver network element, i.e. the first authentication credential described in the foregoing embodiment, which is used for the Receiver network element to authenticate the Sender network element.
The sent authentication credentials include: ID-Sender, Security parameter set ID, Sender self-signature, encrypted Sender root signature, Sender root signature expiration validity time, RAND.
Step 309, the Receiver network element authenticates the Sender network element. The authentication process mainly comprises the following steps:
3091, the Receiver network element generates a public key PUB-Sender of the Sender network element according to the ID-Sender;
3092, the Receiver network element verifies the self-signature of the Sender network element according to the PUB-Sender, if the self-signature verification fails, the Receiver network element fails to authenticate the Sender network element, an error result is returned, and the process is ended; if the self-signature verification is successful, continuing to execute the subsequent flow;
3093, the Receiver network element generates a symmetric key Shared-key based on the ECDH algorithm according to the private key PRIV-Receiver of the Receiver network element and the public key PUB-Sender of the Sender network element;
3094, the Receiver network element generates an encryption key ENC-key and an integrity protection key MAC-key based on a KDF algorithm according to the random number RAND sent by the Sender network element and the Shared-key generated in the step 3093;
3095, the Receiver network element verifies the root signature expiration validity time of the Sender network element, if the time expires inefficiently, the Receiver network element fails to authenticate the Sender network element, an error result is returned, and the process is ended; if the time is valid, the root signature is successfully verified, and the subsequent process is continued;
3096, decrypting the encrypted Sender root signature in the message by the Receiver network element;
3097, the Receiver network element verifies the Sender root signature, if the verification fails, the Receiver network element fails to authenticate the Sender network element, an error result is returned, and the process is ended; if the verification is successful, the subsequent flow is continued. The Sender root signature is verified in order to confirm that the Sender network element is legitimately deployed.
In step 310, the Receiver network element generates its own authentication credential, i.e. the second authentication credential described in the foregoing embodiment, which is used for the Sender network element to authenticate the Receiver network element. The specific implementation process is as follows:
the Receiver network element calculates a self-signature, the self-signature is used for authenticating the Receiver network element by the Sender network element, the calculation method is similar to the calculation method of the self-signature, and the description is omitted here;
the Receiver network element encrypts the Receiver root signature using the encryption key ENC-key generated in step 309.
In step 311, the Receiver network element sends an authentication credential to the Sender network element, so that the Sender network element authenticates the Receiver network element.
The sent authentication credentials include: ID-Receiver, security parameter set ID, Receiver self-signature, encrypted Receiver root signature, Receiver root signature expiration validity time.
And step 312, the Sender network element authenticates the Receiver network element. The specific implementation process is as follows:
3121, the Sender network element uses the PUB-Receiver to verify the Receiver self-signature, if the verification fails, the Sender network element fails to authenticate the Receiver network element, an error result is returned, and the process is ended; if the verification is successful, continuing the subsequent operation;
3122, the Sender network element verifies the root signature expiration validity time of the Receiver network element, if the time expires inefficiently, the Sender network element fails to authenticate the Receiver network element, an error result is returned, and the process is ended; if the verification is successful, continuing the subsequent operation;
step 3123, the Sender network element decrypts the encrypted Receiver root signature in the Receiver authentication credential using the ENC-key generated by the method similar to the step 306;
3124, the Sender network element verifies the Receiver root signature, if the verification fails, the Sender network element fails to authenticate the Receiver network element, an error result is returned, and the process is ended; and if the verification is successful, continuing the subsequent operation. The Receiver root signature is verified to ensure that the Receiver network element is legally deployed.
Step 313a, 313b, the mutual authentication between the Sender network element and the Receiver network element is successful, the key generation is successful, and the safe transmission of the service data can be started.
And step 314, the Sender network element and the Receiver network element protect service data interaction between the Sender network element and the Receiver network element based on the ENC-key and the MAC-key.
The bidirectional authentication between the Sender network element and the Receiver network element means that both sides verify the self-signature and the root signature information of the other side, and if both the signatures pass the verification, the authentication is considered to be successful.
By implementing the method of the embodiment of the invention, the service interaction security key generated by the public key and the private key of the Sender network element and the Receiver network element which are bidirectionally authenticated between the Sender network element and the Receiver network element is used for protecting the service data interaction transmission process after the authentication is successful based on the network element self-signature and the root signature. The certificate does not need to be transmitted on a communication link, so that potential safety hazards caused by online transmission of the certificate are avoided; the network element does not need to maintain the certificates of the network element and other network elements, so that the burden of maintaining the certificates of the network element is greatly reduced; in addition, the deployment and maintenance work of the core network element are simplified, the system deployment is convenient, only one group of initialization parameters needs to be introduced when the network element is created, and the expense of the core network system is also saved.
Exemplary devices
An embodiment of the present invention further provides a communication apparatus for a core network element, which is applied to a sending-end network element, and as shown in fig. 4, the apparatus includes:
a first generating unit 10, configured to generate a self-signature of the sending-end network element and a first service interaction security key according to the sending-end network element initialization parameter obtained from the server end; the initialization parameters of the network element at the sending end comprise a network element root signature of the sending end;
an encrypting unit 20, configured to encrypt the sending-end network element root signature according to the first service interaction security key;
a second generating unit 30, configured to generate a first authentication credential according to the self-signature of the sending-end network element and the encrypted sending-end network element root signature, and send the first authentication credential to the receiving-end network element, so that the receiving-end network element authenticates the sending-end network element;
the authentication unit 40 is configured to receive a second authentication credential sent by the receiving-end network element, and authenticate the receiving-end network element according to the second authentication credential;
and an encryption interaction unit 50, configured to perform encryption transmission on service data interacted with the receiving-end network element according to the first service interaction security key when the authentication of the sending-end network element to the receiving-end network element is successful and the authentication of the receiving-end network element to the sending-end network element is successful.
In an implementation manner, the initiating parameter of the sending-end network element further includes: the method comprises the steps that identity information of a sending end network element, a private key of the sending end network element and an initial security parameter set are obtained; the security parameter set is uniquely identified by a security parameter set ID;
the first generating unit 10 is further configured to generate a sending-end network element self-signature based on a preset signature algorithm according to the sending-end network element identity information, the sending-end network element private key, and the security parameter set of the current communication;
the security parameter set of the communication is composed of at least one security parameter selected by a sending terminal network element from an initial security parameter set; the security parameter set of the communication is uniquely identified by the security parameter set ID, and the security parameter set of the communication is also notified to the receiving end network element by the transmitting end network element.
In an embodiment, the first generating unit 10 is further configured to generate the first service interaction security key by:
generating a receiving end network element public key based on a preset network element public key derivation algorithm according to the receiving end network element identity information;
generating a first symmetric key according to the private key of the network element at the sending end and the public key of the network element at the receiving end and based on a preset symmetric key derivation algorithm;
generating a random number;
generating a first service interaction security key based on a preset security key derivation algorithm according to the random number and the first symmetric key; the service interaction security key comprises a first encryption key and a first integrity protection key;
correspondingly, the encryption unit 20 is further configured to encrypt the sending-end network element root signature based on a preset root signature encryption algorithm according to the first encryption key.
In one embodiment, the first authentication credential includes: the method comprises the steps of sending end network element identity information, a security parameter set ID of the communication, sending end self-signature, encrypted sending end network element root signature, sending end network element root signature effective stop time and random numbers.
In one embodiment, the second authentication credential includes: receiving end network element identity information, a security parameter set ID of the communication, a receiving end network element self-signature, an encrypted receiving end network element root signature and a receiving end network element root signature effective time;
the authentication unit 40 is further configured to authenticate the receiving-side network element by:
generating a receiving end network element public key based on a preset network element public key derivation algorithm according to the receiving end network element identity information;
verifying the self-signature of the receiving end network element according to the public key of the receiving end network element;
when the self-signature verification of the receiving end network element is successful, generating a second symmetric key according to the public key of the receiving end network element and the private key of the sending end network element and based on a preset symmetric key derivation algorithm;
generating a second service interaction security key based on a preset security key derivation algorithm according to the random number and the second symmetric key; the service interaction security key comprises a second encryption key and a second integrity protection key;
verifying whether the expiration validity time of the network element root signature of the receiving end is valid;
when the validity time of the receiving end network element root signature is verified to be valid, decrypting the encrypted receiving end network element root signature in the second authentication certificate according to the second encryption key;
verifying whether the network element root signature of the receiving end is legal or not;
and when the receiving end network element root signature is verified to be legal, the successful authentication of the receiving end network element is confirmed.
Exemplary computer program product and computer-readable storage Medium
In addition to the above-described methods and apparatus, embodiments of the present application may also be a computer program product comprising computer program instructions that, when executed by a processor, cause the processor to perform the steps in the communication method according to the various embodiments of the present application described in the "exemplary methods" section of this specification above.
The computer program product may be written with program code for performing the operations of embodiments of the present application in any combination of one or more programming languages, including an object oriented programming language such as Java, C + + or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server.
Furthermore, embodiments of the present application may also be a computer-readable storage medium having stored thereon computer program instructions that, when executed by a processor, cause the processor to perform steps in a communication method according to various embodiments of the present application described in the "exemplary methods" section above of this specification.
The computer-readable storage medium may take any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may include, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The foregoing describes the general principles of the present application in conjunction with specific embodiments, however, it is noted that the advantages, effects, etc. mentioned in the present application are merely examples and are not limiting, and they should not be considered essential to the various embodiments of the present application. Furthermore, the foregoing disclosure of specific details is for the purpose of illustration and description and is not intended to be limiting, since the foregoing disclosure is not intended to be exhaustive or to limit the disclosure to the precise details disclosed.
The block diagrams of devices, apparatuses, systems referred to in this application are only given as illustrative examples and are not intended to require or imply that the connections, arrangements, configurations, etc. must be made in the manner shown in the block diagrams. These devices, apparatuses, devices, systems may be connected, arranged, configured in any manner, as will be appreciated by those skilled in the art. Words such as "including," "comprising," "having," and the like are open-ended words that mean "including, but not limited to," and are used interchangeably therewith. The words "or" and "as used herein mean, and are used interchangeably with, the word" and/or, "unless the context clearly dictates otherwise. The word "such as" is used herein to mean, and is used interchangeably with, the phrase "such as but not limited to".
It should also be noted that in the devices, apparatuses, and methods of the present application, the components or steps may be decomposed and/or recombined. These decompositions and/or recombinations are to be considered as equivalents of the present application.
The previous description of the disclosed aspects is provided to enable any person skilled in the art to make or use the present application. Various modifications to these aspects will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other aspects without departing from the scope of the application. Thus, the present application is not intended to be limited to the aspects shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The foregoing description has been presented for purposes of illustration and description. Furthermore, the description is not intended to limit embodiments of the application to the form disclosed herein. While a number of example aspects and embodiments have been discussed above, those of skill in the art will recognize certain variations, modifications, alterations, additions and sub-combinations thereof.

Claims (10)

1. A communication method of a core network element is applied to a sending end network element, the sending end network element is communicated with a server end network element and a receiving end network element, and the method comprises the following steps:
generating a self-signature of the sending end network element and a first service interaction security key according to the sending end network element initialization parameter obtained from the server end; the initialization parameters of the network element at the sending end comprise a network element root signature of the sending end;
encrypting the network element root signature of the sending end according to the first service interaction security key;
generating a first authentication certificate according to the self-signature of the sending end network element and the encrypted sending end network element root signature, and sending the first authentication certificate to the receiving end network element for the receiving end network element to authenticate the sending end network element;
receiving a second authentication certificate sent by the receiving terminal network element, and authenticating the receiving terminal network element according to the second authentication certificate;
and when the authentication of the sending end network element to the receiving end network element is successful and the authentication of the receiving end network element to the sending end network element is successful, encrypting and transmitting the service data interacted with the receiving end network element according to the first service interaction security key.
2. The core network element communication method of claim 1, wherein the initialization parameters of the sending-end network element further comprise: the method comprises the steps that identity information of a sending end network element, a private key of the sending end network element and an initial security parameter set are obtained;
the generating the self-signature of the sending end network element according to the sending end network element initialization parameter obtained from the server end comprises:
generating a sending end network element self-signature based on a preset signature algorithm according to the sending end network element identity information, the sending end network element private key and the security parameter set of the communication;
the security parameter set of the communication is composed of at least one security parameter selected by the sending end network element from the initial security parameter set; the security parameter set of the communication is uniquely identified by a security parameter set ID, and the security parameter set of the communication is also notified to the receiving end network element by the sending end network element.
3. The core network element communication method of claim 2, wherein the generating a first service interaction security key according to the sending-end network element initialization parameter obtained from the server end comprises:
generating a receiving end network element public key based on a preset network element public key derivation algorithm according to the receiving end network element identity information;
generating a first symmetric key according to the sending end network element private key and the receiving end network element public key and based on a preset symmetric key derivation algorithm;
generating a random number;
generating the first service interaction security key based on a preset security key derivation algorithm according to the random number and the first symmetric key; wherein the first service interaction security key comprises a first encryption key and a first integrity protection key;
correspondingly, the encrypting the sending-end network element root signature according to the first service interaction security key includes: and encrypting the network element root signature of the sending end based on a preset root signature encryption algorithm according to the first encryption key.
4. The core network element communication method of claim 3, wherein the first authentication credentials comprise: the system comprises sending end network element identity information, a security parameter set ID of the communication, a sending end self-signature, an encrypted sending end network element root signature, a sending end network element root signature effective stop time and the random number.
5. The core network element communication method according to claim 3 or 4, wherein the second authentication credential comprises: receiving end network element identity information, a security parameter set ID of the communication, a receiving end network element self-signature, an encrypted receiving end network element root signature and a receiving end network element root signature effective time;
the authenticating the receiving end network element according to the second authentication credential includes:
generating a receiving end network element public key based on a preset network element public key derivation algorithm according to the receiving end network element identity information;
verifying the self-signature of the receiving end network element according to the public key of the receiving end network element;
when the self-signature verification of the receiving end network element is successful, generating a second symmetric key according to the public key of the receiving end network element and the private key of the sending end network element and based on a preset symmetric key derivation algorithm;
generating a second service interaction security key based on a preset security key derivation algorithm according to the random number and the second symmetric key; the service interaction security key comprises a second encryption key and a second integrity protection key;
verifying whether the expiration validity time of the receiving end network element root signature is valid or not;
when the validity time of the receiving end network element root signature is verified to be valid, decrypting the encrypted receiving end network element root signature in the second authentication certificate according to the second encryption key;
verifying whether the network element root signature of the receiving end is legal or not;
and when the receiving end network element root signature is verified to be legal, the successful authentication of the receiving end network element is confirmed.
6. A communication device of a core network element is applied to a sending end network element, the sending end network element is communicated with a server end network element and a receiving end network element, and the device comprises:
a first generating unit, configured to generate a self-signature of the sending-end network element and a first service interaction security key according to the sending-end network element initialization parameter obtained from the server end; the initialization parameters of the network element at the sending end comprise a network element root signature of the sending end;
the encryption unit is used for encrypting the network element root signature of the sending end according to the first service interaction security key;
a second generating unit, configured to generate a first authentication credential according to the self-signature of the sending-end network element and the encrypted sending-end network element root signature, and send the first authentication credential to the receiving-end network element, so that the receiving-end network element authenticates the sending-end network element;
the authentication unit is used for receiving a second authentication certificate sent by the receiving terminal network element and authenticating the receiving terminal network element according to the second authentication certificate;
and the encryption interaction unit is used for carrying out encryption transmission on the service data interacted with the receiving end network element according to the first service interaction security key when the authentication of the sending end network element on the receiving end network element is successful and the authentication of the receiving end network element on the sending end network element is successful.
7. The core network element communication device of claim 6, wherein the sending-end network element initialization parameter further comprises: the method comprises the steps that identity information of a sending end network element, a private key of the sending end network element and an initial security parameter set are obtained; the security parameter set is uniquely identified by a security parameter set ID;
the first generating unit is further configured to generate a sending-end network element self-signature based on a preset signature algorithm according to the sending-end network element identity information, the sending-end network element private key and the security parameter set of the current communication;
the security parameter set of the communication is composed of at least one security parameter selected by the sending end network element from the initial security parameter set; the security parameter set of the communication is uniquely identified by a security parameter set ID, and the security parameter set of the communication is also notified to the receiving end network element by the sending end network element.
8. The core network element communication apparatus of claim 7, wherein the first generating unit is further configured to generate the first service interaction security key by:
generating a receiving end network element public key based on a preset network element public key derivation algorithm according to the receiving end network element identity information;
generating a first symmetric key according to the sending end network element private key and the receiving end network element public key and based on a preset symmetric key derivation algorithm;
generating a random number;
generating the first service interaction security key based on a preset security key derivation algorithm according to the random number and the first symmetric key; the service interaction security key comprises a first encryption key and a first integrity protection key;
correspondingly, the encryption unit is further configured to encrypt the network element root signature of the sending end according to the first encryption key and based on a preset root signature encryption algorithm.
9. A computer-readable storage medium storing a computer program for executing the communication method according to any one of claims 1 to 5.
10. An electronic device, comprising:
a processor;
a memory for storing the processor-executable instructions;
the processor is used for reading the executable instructions from the memory and executing the instructions to realize the communication method of any one of claims 1 to 5.
CN201911413926.2A 2019-12-31 2019-12-31 Core network element communication method and device, computer storage medium and electronic equipment Active CN111163470B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911413926.2A CN111163470B (en) 2019-12-31 2019-12-31 Core network element communication method and device, computer storage medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911413926.2A CN111163470B (en) 2019-12-31 2019-12-31 Core network element communication method and device, computer storage medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN111163470A CN111163470A (en) 2020-05-15
CN111163470B true CN111163470B (en) 2021-06-08

Family

ID=70560040

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911413926.2A Active CN111163470B (en) 2019-12-31 2019-12-31 Core network element communication method and device, computer storage medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN111163470B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111835514A (en) * 2020-07-23 2020-10-27 上海英方软件股份有限公司 Method and system for realizing safe interaction of front-end and back-end separated data
CN113342653B (en) * 2021-06-07 2022-11-29 星汉智能科技股份有限公司 5G smart card testing method, device and medium based on key agreement
CN114760079B (en) * 2022-06-16 2022-08-23 鹏城实验室 Identification network terminal authentication method and related equipment

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101447873A (en) * 2008-12-25 2009-06-03 杭州东信金融技术服务有限公司 Safe authentication and encrypted communication method
CN101807997A (en) * 2010-04-28 2010-08-18 中国工商银行股份有限公司 Device and method for generating transmission key
CN102594563A (en) * 2012-02-20 2012-07-18 南京中通电气有限公司 Source authentication method for secure multicast
CN102970679A (en) * 2012-11-21 2013-03-13 联想中望系统服务有限公司 Identity-based safety signature method
CN103491540A (en) * 2013-09-18 2014-01-01 东北大学 Wireless local area network two-way access authentication system and method based on identity certificates
FI124424B (en) * 2006-10-23 2014-08-29 Valimo Wireless Oy A method and system for using PKCS registration in a mobile communication environment
CN110474930A (en) * 2019-09-29 2019-11-19 国家计算机网络与信息安全管理中心 A kind of safety interacting method and device based on information transmission

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102299791B (en) * 2008-08-28 2014-12-24 华为技术有限公司 Autonomous management method, system and equipment for public key certificate
CN108881126B (en) * 2017-05-15 2021-08-31 阿里巴巴集团控股有限公司 Method, device and system for verifying verification code, storage medium and computer terminal

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FI124424B (en) * 2006-10-23 2014-08-29 Valimo Wireless Oy A method and system for using PKCS registration in a mobile communication environment
CN101447873A (en) * 2008-12-25 2009-06-03 杭州东信金融技术服务有限公司 Safe authentication and encrypted communication method
CN101807997A (en) * 2010-04-28 2010-08-18 中国工商银行股份有限公司 Device and method for generating transmission key
CN102594563A (en) * 2012-02-20 2012-07-18 南京中通电气有限公司 Source authentication method for secure multicast
CN102970679A (en) * 2012-11-21 2013-03-13 联想中望系统服务有限公司 Identity-based safety signature method
CN103491540A (en) * 2013-09-18 2014-01-01 东北大学 Wireless local area network two-way access authentication system and method based on identity certificates
CN110474930A (en) * 2019-09-29 2019-11-19 国家计算机网络与信息安全管理中心 A kind of safety interacting method and device based on information transmission

Also Published As

Publication number Publication date
CN111163470A (en) 2020-05-15

Similar Documents

Publication Publication Date Title
CN108390851B (en) Safe remote control system and method for industrial equipment
CN107277061B (en) IOT (Internet of things) equipment based end cloud secure communication method
US9847882B2 (en) Multiple factor authentication in an identity certificate service
CN108599925B (en) Improved AKA identity authentication system and method based on quantum communication network
US8130961B2 (en) Method and system for client-server mutual authentication using event-based OTP
CN107040513B (en) Trusted access authentication processing method, user terminal and server
CN106603485A (en) Secret key negotiation method and device
CN103763356A (en) Establishment method, device and system for connection of secure sockets layers
CN111163470B (en) Core network element communication method and device, computer storage medium and electronic equipment
JP6471112B2 (en) COMMUNICATION SYSTEM, TERMINAL DEVICE, COMMUNICATION METHOD, AND PROGRAM
KR101549034B1 (en) Method for guarantying the confidentiality and integrity of a data in Controller Area Networks
CN104702611A (en) Equipment and method for protecting session key of secure socket layer
KR20180095873A (en) Wireless network access method and apparatus, and storage medium
CN102868531B (en) Networked transaction certification system and method
KR101706117B1 (en) Apparatus and method for other portable terminal authentication in portable terminal
CN108809633B (en) Identity authentication method, device and system
KR20120047972A (en) Method, device and network system for negotiating encryption information
KR102020898B1 (en) Session key establishment method based on trusted execution environment
CN104901935A (en) Bilateral authentication and data interaction security protection method based on CPK (Combined Public Key Cryptosystem)
CN113225352B (en) Data transmission method and device, electronic equipment and storage medium
CN112637136A (en) Encrypted communication method and system
CN108599926B (en) HTTP-Digest improved AKA identity authentication system and method based on symmetric key pool
CN104243452A (en) Method and system for cloud computing access control
JP2016522637A (en) Secured data channel authentication that implies a shared secret
WO2022135391A1 (en) Identity authentication method and apparatus, and storage medium, program and program product

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant