CN113938887A - 5G core network user identity authentication process - Google Patents


Info

Publication number
CN113938887A
Authority
CN
China
Prior art keywords
authentication
terminal
key
seaf
base station
Legal status
Pending
Application number
CN202111301732.0A
Other languages
Chinese (zh)
Inventor
杨康萍
罗嘉林
杨晨
王隆
谢文旺
Current Assignee
Southern Power Grid Digital Grid Research Institute Co Ltd
Original Assignee
Southern Power Grid Digital Grid Research Institute Co Ltd
Application filed by Southern Power Grid Digital Grid Research Institute Co Ltd
Priority to CN202111301732.0A
Publication of CN113938887A
Legal status: Pending

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/06 Authentication > H04W12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA] > H04W12/041 Key generation or derivation

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a 5G core network user identity authentication process comprising the following steps: the terminal side sends an authentication request; the core network generates an authentication vector; the key information in the authentication vector is encrypted and an authentication response message is generated; the authentication response is returned to the terminal side, and the terminal performs the authentication calculation; the core network determines from the terminal authentication request whether authentication has passed. In this security-enhanced 5G core network user identity authentication process for private power network communication, the key information transmitted within the core network is encrypted with a push key, so that the key information is effectively prevented from leaking and push protection of key information inside the core network is achieved; the protection operates online, is transparent to the user, is low in cost and high in efficiency, requires little modification of the system, and avoids the invalidation of security measures that would follow from the leakage of a key transmitted in plaintext.

Description

5G core network user identity authentication process
Technical Field
The invention relates to the technical field of mobile communication, in particular to a 5G core network user identity authentication process.
Background
In a mobile communication system, the information transmitted within the core network is sent in clear text, and no protective measures are taken. In scenarios with the security requirements of a private power network, the security of information transmitted inside the core network, especially sensitive and security-related information, should be ensured. Under the standard specification of the user authentication procedure of the mobile communication system, the authentication network element must generate a secret key and push it through the core network, where the air interface key is derived from it; only then does the security protection of user information take effect. If the security key is maliciously cracked or leaked while being transmitted in the core network, user information is at risk of leakage.
In 5G, the RRC signalling between the terminal and the base station, the user plane data, and the NAS signalling between the terminal and the core network are all protected, which means that both the base station and the AMF must be able to obtain the corresponding keys correctly. Because 5G network deployment is flexible, the 5G key hierarchy is more complex: its intermediate keys include KAUSF, held by the user authentication service entity (AUSF), and KSEAF, held by the security anchor entity (SEAF) of the visited network. As shown in fig. 1, in the 5G AKA authentication procedure the unified data management entity (UDM) transfers KAUSF to the AUSF according to the authentication mode, the AUSF transfers the generated KSEAF to the SEAF, and the SEAF transfers the generated KAMF to the AMF after authentication succeeds. All of these key transfers are in plaintext, so if any one transferred key is stolen, the subsequent security protection faces the risk of being broken.
Disclosure of Invention
Aiming at the technical problem, the invention provides a 5G core network user identity authentication process.
A 5G core network user identity authentication process comprises the following steps:
(1) the terminal side sends an authentication request;
(2) the core network generates an authentication vector;
(3) encrypting the key information in the authentication vector and generating an authentication response message;
(4) the authentication response is returned to the terminal side, and the terminal calculates the authentication request;
(5) the core network distinguishes whether the authentication is passed or not according to the authentication request.
Further, the encryption in the step (3) adopts a block encryption algorithm to encrypt the key information in the authentication vector.
Further, the network elements at the terminal side are the AUSF and the UDM, which operate as follows:
a. the AUSF receives the terminal authentication request and forwards it to the UDM; the UDM generates the home authentication vector (RAND || XRES || KAUSF || AUTN);
b. the AUSF security key KAUSF is encrypted with the key KT1 to obtain the encrypted AUSF security key KAUSF';
c. the UDM replaces KAUSF in the authentication vector with the encrypted security key KAUSF' to obtain a protected authentication vector, and sends the protected authentication vector to the AUSF;
d. the AUSF receives the protected authentication vector from the UDM and decrypts KAUSF' in the authentication vector with the key KT1;
e. the AUSF generates the SEAF security key KSEAF and HXRES;
f. the AUSF encrypts the generated SEAF security key KSEAF with the key KT2 to obtain the encrypted security key KSEAF', generates the protected authentication vector RAND || XRES || KSEAF' || AUTN, and places it in the authentication response message;
g. the AUSF sends the authentication response message to the terminal base station side so that the terminal base station side can judge whether authentication has passed;
h. the AUSF receives the terminal authentication request sent by the terminal base station side and judges the authentication result: if XRES is consistent with the RES in the terminal authentication request, authentication is judged to have passed.
Further, in the normal terminal authentication process the SN name field is represented as "service identification:SN Id", where the service identification is "5G"; when the keys KT1 and KT2 need to be acquired, the service identifier of the SN name is set to the update code number "nepher" agreed in advance, and the SN name field is expressed as "nepher:SN Id".
Further, the network elements on the terminal base station side include the SEAF and the UE, and the following operations are performed on the terminal base station side:
a. the SEAF receives the registration of the terminal UE and sends an authentication request to the terminal base station side so that the terminal base station side can generate the authentication vector and the authentication response message according to the request;
b. the SEAF receives the authentication response message sent by the terminal base station side, which contains RAND || XRES || KSEAF' || AUTN; the SEAF decrypts KSEAF' with the key KT2 to obtain KSEAF, stores HXRES, and sends an authentication request to the UE;
c. the UE performs the authentication calculation;
d. if the UE passes the user authentication, it sends the calculated RES to the SEAF;
e. the SEAF receives the feedback information RES sent by the terminal UE, calculates XRES and compares it with HXRES; if XRES is consistent with HXRES, the authentication on the terminal base station side is judged to have passed;
f. after judging that authentication on the terminal base station side has passed, the SEAF sends a terminal authentication request containing the feedback information RES to the terminal base station side, so that the terminal base station side can judge from the terminal authentication request whether authentication has passed.
Further, the terminal authentication process comprises the following steps:
step S1: after receiving the registration of the terminal user UE, the SEAF judges that the key of the current network needs to be updated, and executes: step S1-1: generating a local temporary public/private key pair TPK1 and TSK1;
step S1-2: locally storing the TSK1, replacing the SN Id in the SN name field with the TPK1, setting the service identifier in the SN name field as an agreed update code number in advance, and generating the SN name with a special structure;
step S2: the SEAF sends an authentication request to the terminal base station side, wherein the authentication request carries the SN name with the special structure, so that the terminal base station side can generate a secret key according to the SN name with the special structure;
step S3: the SEAF receives an authentication response message sent by a terminal base station side, detects an AMF field in an authentication vector as an update code, and executes: extracting TPK4 in AUTN, calculating a new key KT2 between the SEAF and the AUSF with TSK1, and storing;
step S4: the SEAF sends an authentication request to the terminal UE;
step S5: the terminal verifies the AUTN field in the authentication vector according to the 3GPP standard; the verification fails, authentication is judged to have failed, and the authentication process ends.
The invention has the following beneficial effects: in this security-enhanced 5G core network user identity authentication process for private power network communication, the key information transmitted within the core network is encrypted with a push key, so that the key information is effectively prevented from leaking and push protection of key information inside the core network is achieved; the protection operates online, is transparent to the user, is low in cost and high in efficiency, requires little modification of the system, and avoids the invalidation of security measures that would follow from the leakage of a key transmitted in plaintext.
Drawings
Fig. 1 is a 5G AKA authentication procedure;
FIG. 2 is a flowchart illustrating authentication according to the present invention;
FIG. 3 is a flow chart of encryption transmission of key information of a core network when the authentication mode is 5G AKA;
fig. 4 is a reference flow chart for the negotiation and update of the push keys KT1 and KT2.
Detailed Description
The embodiments of the present invention are described below with reference to specific embodiments, and other advantages and effects of the present invention will be easily understood by those skilled in the art from the disclosure of the present specification. The invention is capable of other and different embodiments and of being practiced or of being carried out in various ways, and its several details are capable of modification in various respects, all without departing from the spirit and scope of the present invention. It is to be noted that the features in the following embodiments and examples may be combined with each other without conflict.
Example 1
As shown in fig. 2, a 5G core network user identity authentication procedure includes the following steps:
(1) the terminal side sends an authentication request;
(2) the core network generates an authentication vector;
(3) encrypting the key information in the authentication vector and generating an authentication response message;
(4) the authentication response is returned to the terminal side, and the terminal calculates the authentication request;
(5) the core network distinguishes whether the authentication is passed or not according to the authentication request.
The encryption in step (3) uses a block cipher algorithm to encrypt the key information in the authentication vector.
Compared with the prior art, the security-enhanced 5G core network user identity authentication process for private power network communication provided by this embodiment encrypts the key information transmitted by the core network with a push key, thereby effectively preventing the key information from leaking and realising push protection of key information inside the core network; the protection is online, transparent to users, low in cost, high in efficiency and low in system modification, and it avoids the invalidation of security measures caused by the leakage of a key transmitted in plaintext.
Example 2
The network elements at the terminal side are the AUSF and the UDM, which operate as follows:
a. the AUSF receives the terminal authentication request and forwards it to the UDM; the UDM generates the home authentication vector (RAND || XRES || KAUSF || AUTN);
b. the AUSF security key KAUSF is encrypted with the key KT1 to obtain the encrypted AUSF security key KAUSF';
c. the UDM replaces KAUSF in the authentication vector with the encrypted security key KAUSF' to obtain a protected authentication vector, and sends the protected authentication vector to the AUSF;
d. the AUSF receives the protected authentication vector from the UDM and decrypts KAUSF' in the authentication vector with the key KT1;
e. the AUSF generates the SEAF security key KSEAF and HXRES;
f. the AUSF encrypts the generated SEAF security key KSEAF with the key KT2 to obtain the encrypted security key KSEAF', generates the protected authentication vector RAND || XRES || KSEAF' || AUTN, and places it in the authentication response message;
g. the AUSF sends the authentication response message to the terminal base station side so that the terminal base station side can judge whether authentication has passed;
h. the AUSF receives the terminal authentication request sent by the terminal base station side and judges the authentication result: if XRES is consistent with the RES in the terminal authentication request, authentication is judged to have passed.
In the normal terminal authentication process the SN name field is represented as "service identification:SN Id", where the service identification is "5G"; when the keys KT1 and KT2 need to be acquired, the service identifier of the SN name is set to the update code number "nepher" agreed in advance, and the SN name field is expressed as "nepher:SN Id".
By providing an encrypted transmission process for key information between the terminal base station side network element AUSF and the UDM when the authentication mode is 5G AKA, the security of the transmission process can be effectively ensured, and the problem of air interface information being stolen can be effectively relieved or solved.
Example 3
The network elements on the terminal base station side include the SEAF and the UE, and the following operations are performed on the terminal base station side:
a. the SEAF receives the registration of the terminal UE and sends an authentication request to the terminal base station side so that the terminal base station side can generate the authentication vector and the authentication response message according to the request;
b. the SEAF receives the authentication response message sent by the terminal base station side, which contains RAND || XRES || KSEAF' || AUTN; the SEAF decrypts KSEAF' with the key KT2 to obtain KSEAF, stores HXRES, and sends an authentication request to the UE;
c. the UE performs the authentication calculation;
d. if the UE passes the user authentication, it sends the calculated RES to the SEAF;
e. the SEAF receives the feedback information RES sent by the terminal UE, calculates XRES and compares it with HXRES; if XRES is consistent with HXRES, the authentication on the terminal base station side is judged to have passed;
f. after judging that authentication on the terminal base station side has passed, the SEAF sends a terminal authentication request containing the feedback information RES to the terminal base station side, so that the terminal base station side can judge from the terminal authentication request whether authentication has passed.
The terminal authentication process comprises the following steps:
step S1: after receiving the registration of the terminal user UE, the SEAF judges that the key of the current network needs to be updated, and executes: step S1-1: generating a local temporary public/private key pair TPK1 and TSK1;
step S1-2: locally storing the TSK1, replacing the SN Id in the SN name field with the TPK1, setting the service identifier in the SN name field as an agreed update code number in advance, and generating the SN name with a special structure;
step S2: the SEAF sends an authentication request to the terminal base station side, wherein the authentication request carries the SN name with the special structure, so that the terminal base station side can generate a secret key according to the SN name with the special structure;
step S3: the SEAF receives an authentication response message sent by a terminal base station side, detects an AMF field in an authentication vector as an update code, and executes: extracting TPK4 in AUTN, calculating a new key KT2 between the SEAF and the AUSF with TSK1, and storing;
step S4: the SEAF sends an authentication request to the terminal UE;
step S5: the terminal verifies the AUTN field in the authentication vector according to the 3GPP standard; the verification fails, authentication is judged to have failed, and the authentication process ends.
In the normal terminal authentication process the SN name field is represented as "service identification:SN Id", where the service identification is "5G"; when the keys KT1 and KT2 need to be acquired, the service identifier of the SN name is set to the update code number "nepher" agreed in advance, and the SN name field is expressed as "nepher:SN Id".
By providing the information transmission process between the terminal base station side network elements SEAF and UE when the authentication mode is 5G AKA, the security of the transmission process can be effectively ensured, and the problem of air interface information being stolen can be effectively relieved or solved.
Example 4
As shown in fig. 3, a core network key information encryption transmission flow is disclosed when the authentication mode is 5G AKA, and the steps are as follows:
step S1: according to the 3GPP standard flow, the SEAF receives the registration of the terminal user UE, sends an authentication request to a terminal base station side network element AUSF of the terminal user, and sends information such as SUPI (Subscription Permanent Identifier) and a service network name (SN name) to the AUSF;
step S2: according to the 3GPP standard flow, AUSF sends the authentication request information to UDM;
step S3: the UDM generates an authentication vector and encrypts key information therein:
step S3-1: according to the 3GPP standard flow, the 5G home authentication vector generated by the UDM includes RAND (random number), XRES (expected response), KAUSF (AUSF security key) and AUTN (authentication token), written RAND || XRES || KAUSF || AUTN, where "||" denotes end-to-end concatenation;
step S3-2: the UDM encrypts KAUSF with a block cipher algorithm to obtain the encrypted AUSF security key KAUSF'; the key used for encryption is the pre-negotiated push key KT1;
step S4: the UDM replaces KAUSF in the original authentication vector with the encrypted AUSF security key KAUSF' to obtain the protected 5G home authentication vector, and sends the protected 5G home authentication vector to the AUSF;
step S5: the AUSF receives the protected 5G home authentication vector sent by the UDM and processes it:
step S5-1: the AUSF decrypts KAUSF' in the protected 5G home authentication vector with the pre-negotiated push key KT1;
step S5-2: according to the 3GPP standard flow, the AUSF generates the SEAF security key KSEAF, and calculates HXRES (hash expected response, the hash value derived from XRES) using the XRES in the 5G home authentication vector;
step S5-3: the AUSF encrypts the SEAF security key KSEAF to obtain the encrypted SEAF security key KSEAF', the encryption key being the pre-negotiated push key KT2; it assembles the protected 5G authentication vector RAND || XRES || KSEAF' || AUTN with KSEAF' and places it in the authentication response message;
step S6: according to the 3GPP standard flow, the AUSF sends an authentication response to the SEAF on the terminal base station side, and the response carries the protected 5G authentication vector;
step S7: the SEAF decrypts KSEAF' in the 5G authentication vector with the pre-negotiated push key KT2 and stores HXRES;
step S8: according to the 3GPP standard flow, the SEAF sends an authentication request to the terminal UE;
step S9: according to the 3GPP standard flow, the terminal UE carries out authentication calculation;
step S10: if the terminal UE passes the user authentication, sending the calculated RES to the SEAF;
step S11: according to the 3GPP standard flow, the SEAF receives the feedback information RES sent by the terminal UE, calculates XRES and compares it with HXRES; if XRES is consistent with HXRES, the authentication of the terminal base station side is judged to have passed;
step S12: according to the 3GPP standard flow, the SEAF sends a terminal authentication request to the AUSF;
step S13: according to the 3GPP standard flow, after the AUSF receives the terminal authentication request it judges the authentication result: the AUSF compares XRES with RES, and if they are consistent it judges that the authentication of the terminal base station side has succeeded;
step S14: according to the 3GPP standard flow, the AUSF sends an authentication response to the SEAF.
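The Example 4 flow above, as an added Python example that is not part of the patent: the UDM, AUSF, SEAF and UE steps run in one process with KAUSF carried under push key KT1 and KSEAF under KT2, and a second run shows a case the text does not cover, a SEAF holding a stale KT2 that still passes authentication but ends up with a KSEAF different from the AUSF's. The patent names no block cipher or key derivation, so an HMAC-based Feistel cipher, HMAC-SHA256 derivations and stand-in f2/AUTN functions for the UE are assumed (and labelled as such in the code), and the vector handed to the SEAF carries HXRES in place of XRES, as step S7 implies.

```python
import hashlib
import hmac
import os

BLOCK = 32  # KAUSF and KSEAF are 256-bit keys: exactly one block each

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Round function of the stand-in cipher: a keyed PRF over one 128-bit half."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:16]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 256-bit block cipher (4-round Feistel / Luby-Rackoff) so the
    script needs no third-party package; it is not a production choice."""
    assert len(block) == BLOCK
    l, r = block[:16], block[16:]
    for rnd in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _f(key, rnd, r)))
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt: the Feistel rounds in reverse order."""
    l, r = block[:16], block[16:]
    for rnd in reversed(range(4)):
        l, r = bytes(a ^ b for a, b in zip(r, _f(key, rnd, l))), l
    return l + r

def kdf(key: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 stand-in for the 3GPP key derivation function."""
    return hmac.new(key, label, hashlib.sha256).digest()

def hxres(rand: bytes, res: bytes) -> bytes:
    """HXRES*/HRES* as in TS 33.501: leftmost 128 bits of SHA-256(RAND || RES)."""
    return hashlib.sha256(rand + res).digest()[:16]

def udm_generate(k_ue: bytes, sn_name: bytes, kt1: bytes) -> bytes:
    """Steps S3-S4: home AV RAND||XRES||KAUSF||AUTN with KAUSF replaced by KAUSF'."""
    rand = os.urandom(16)
    xres = kdf(k_ue, b"RES" + rand)[:16]       # stand-in for f2(K, RAND)
    autn = kdf(k_ue, b"AUTN" + rand)[:16]      # stand-in for SQN^AK||AMF||MAC
    kausf = kdf(k_ue, b"KAUSF" + rand + sn_name)
    kausf_enc = block_encrypt(kt1, kausf)      # S3-2: encrypt under push key KT1
    return rand + xres + kausf_enc + autn

def ausf_process(hav: bytes, kt1: bytes, kt2: bytes, sn_name: bytes):
    """Step S5: recover KAUSF, derive KSEAF and HXRES, re-protect KSEAF under KT2."""
    rand, xres, kausf_enc, autn = hav[:16], hav[16:32], hav[32:64], hav[64:80]
    kausf = block_decrypt(kt1, kausf_enc)      # S5-1
    kseaf = kdf(kausf, b"KSEAF" + sn_name)     # S5-2
    kseaf_enc = block_encrypt(kt2, kseaf)      # S5-3
    # The AV handed to the SEAF carries HXRES, not XRES (step S7 / TS 33.501);
    # the AUSF keeps XRES for its own check in step S13.
    av = rand + hxres(rand, xres) + kseaf_enc + autn
    return av, {"xres": xres, "kseaf": kseaf, "kausf": kausf}

def seaf_process(av: bytes, kt2: bytes):
    """Step S7: decrypt KSEAF' with push key KT2 and store HXRES."""
    rand, hx, kseaf_enc, autn = av[:16], av[16:32], av[32:64], av[64:80]
    return rand, autn, {"hxres": hx, "kseaf": block_decrypt(kt2, kseaf_enc)}

def ue_respond(k_ue: bytes, rand: bytes, autn: bytes):
    """Step S9: the UE checks AUTN and computes RES (stand-in functions)."""
    if not hmac.compare_digest(kdf(k_ue, b"AUTN" + rand)[:16], autn):
        return None
    return kdf(k_ue, b"RES" + rand)[:16]

def run_flow(k_ue: bytes, kt1: bytes, kt2: bytes, seaf_kt2: bytes = None) -> dict:
    """Drive UDM -> AUSF -> SEAF -> UE and report what the core-network links
    exposed.  seaf_kt2 lets the SEAF hold a stale or wrong push key."""
    sn_name = b"5G:example-sn-id"
    hav = udm_generate(k_ue, sn_name, kt1)
    av, ausf_state = ausf_process(hav, kt1, kt2, sn_name)
    rand, autn, seaf_state = seaf_process(av, seaf_kt2 or kt2)
    res = ue_respond(k_ue, rand, autn)
    seaf_ok = res is not None and hmac.compare_digest(
        hxres(rand, res), seaf_state["hxres"])                           # S11
    ausf_ok = seaf_ok and hmac.compare_digest(res, ausf_state["xres"])  # S13
    return {
        "seaf_ok": seaf_ok,
        "ausf_ok": ausf_ok,
        # A wrong KT2 is invisible to AKA itself: authentication still passes,
        # but the SEAF ends up holding a KSEAF different from the AUSF's.
        "kseaf_match": seaf_state["kseaf"] == ausf_state["kseaf"],
        # Neither key crosses the UDM->AUSF or AUSF->SEAF link in clear.
        "keys_in_clear": ausf_state["kausf"] in hav or ausf_state["kseaf"] in av,
    }
```

The stale-key run illustrates why push-key rollover (Example 5) must complete on both ends of a segment before the next authentication: AKA itself gives no signal that KSEAF diverged.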
Example 5
As shown in fig. 4, a reference flow for negotiating and updating the push keys KT1 and KT2 is disclosed, taking the flows between the SEAF and the AUSF and between the AUSF and the UDM as examples. When the SEAF determines that the current network has not yet negotiated the push keys KT1 and KT2, or that the KT1 and KT2 currently in use need to be replaced, the negotiation and update of the push keys are completed within a terminal authentication flow; the reference implementation generates the push keys with the ECDH (elliptic-curve Diffie-Hellman) algorithm. The method comprises the following steps:
step S1: after receiving the registration of the terminal user UE, the SEAF judges that the current network push key needs to be updated, and executes:
step S1-1: generating a local temporary public and private key pair TPK1 and TSK 1;
step S1-2: locally saving TSK1, replacing the SN Id in the SN name field with TPK1, and setting the service identifier in the SN name field to an update code, namely a specific field agreed in advance, such as 'cirher'. In the normal terminal authentication process the SN name field is represented as "service identification:SN Id", with service identification "5G"; when the push keys KT1 and KT2 need to be obtained, the service identifier of the SN name is set to the update code number "nepher" agreed in advance, expressed as "nepher:SN Id", and the service identity of the SN name is kept as the update code number;
step S4: according to the 3GPP standard flow, AUSF requests authentication information from UDM, and the carried SN name is a special structure;
step S5: after receiving the request authentication information, the UDM discovers that the service identifier of the SN name is an update code number, and executes:
step S5-1: generating a local temporary public and private key pair TPK3 and TSK 3;
step S5-2: extracting TPK2 in the SN name, and calculating a new push key KT1 between the AUSF and the UDM with TSK 3;
step S5-3: generating an authentication vector according to the 3GPP standard, putting TPK3 into the AUTN of the authentication vector, and setting the AMF field in the AUTN to an update code, namely a value agreed in advance that is distinguishable from the 5G standard values, such as 0xfe;
step S6: the UDM sends the specially constructed authentication vector to the AUSF;
step S7: after receiving the authentication vector transmitted by the UDM, the AUSF finds that an AMF field in the authentication vector is an update code, judges that the AMF field is an update flow of a push key, and executes:
step S7-1: extracting TPK3 from AUTN and calculating the new push key KT1 between the AUSF and the UDM with TSK2;
step S7-2: generating a local temporary public and private key pair TPK4 and TSK 4;
step S7-3: calculating the push key KT2 between the SEAF and the AUSF from TSK4 and the previously saved TPK1;
step S7-4: putting TPK4 into AUTN in the authentication vector, and keeping an AMF field in the AUTN to be set as an updating code;
step S8: according to the 3GPP standard flow, AUSF sends an authentication response to a terminal base station SEAF, and the response carries a processed authentication vector;
step S9: after the SEAF receives the authentication response, the AMF field in the authentication vector is found to be an update code, the AMF field is judged to be an update flow of the push key, and the following steps are executed:
extracting TPK4 in AUTN, calculating a new push key KT2 between the SEAF and the AUSF with TSK1, and storing;
step S10: according to the 3GPP standard flow, the SEAF sends an authentication request to the terminal;
step S11: the terminal checks AUTN field in the authentication vector according to the 3GPP standard, the checking fails, and the authentication fails to be judged;
step S12: and re-initiating authentication between the terminal and the network, wherein the authentication process is the scheme which is described before and is protected by transmission encryption.
In the 4G mobile communication system, the HSS in the core network side needs to push the generated KASME to the MME, and the key may also be protected using a method consistent with the scheme of the present invention.
The process by which the 4G core network protects the push of the generated key comprises the following steps: after user registration the MME sends an authentication request to the HSS; the HSS generates an authentication vector, encrypts the KASME in the authentication vector with a push key KT, and sends the authentication vector to the MME in an authentication response message; the MME decrypts KASME and carries out the subsequent operations.
Since the information carried in the authentication request is required to be the SN Id instead of the SN name in the 4G mobile communication standard, the service identification field in the SN name cannot be used as a special value as in the 5G network scheme, and therefore, the SN Id needs to be constructed and extracted as a characteristic value.
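The push-key negotiation of Example 5, as an added Python example that is not part of the patent, including the "nepher:SN Id" SN name structure used to signal an update and the AMF update code check at each hop. Assumptions, labelled in the code: ECDH is instantiated with a pure-Python X25519 (the patent names no curve), the push keys are derived from the shared secret with HMAC-SHA256, AUTN is modelled as an AMF field followed by a payload rather than the 3GPP 16-byte layout, and steps S2/S3, which the text omits, have the AUSF generate TPK2/TSK2 and carry TPK2 onward in the SN name.

```python
import hashlib
import hmac
import os

# X25519 (RFC 7748) in pure Python is this example's ECDH primitive.  The patent
# names only "ECDH"; the curve is an assumption, chosen because the Montgomery
# ladder fits in a few lines and needs no third-party package.
P = 2 ** 255 - 19
BASE_U = (9).to_bytes(32, "little")

def x25519(scalar: bytes, u: bytes) -> bytes:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair():
    """Temporary key pair (TPK, TSK) as generated in steps S1-1, S5-1 and S7-2."""
    tsk = os.urandom(32)
    return x25519(tsk, BASE_U), tsk

UPDATE_CODE = b"nepher"   # the agreed update code number named in the patent text
AMF_UPDATE = b"\x00\xfe"  # AMF value marking an update-flow AUTN (patent example: 0xfe)

def build_sn_name(service_id: bytes, sn_id: bytes) -> bytes:
    """'5G:SN Id' in normal authentication; 'nepher:<TPK>' when keys are negotiated."""
    return service_id + b":" + sn_id

def parse_sn_name(sn_name: bytes):
    service_id, _, sn_id = sn_name.partition(b":")
    return service_id, sn_id

def push_key(own_tsk: bytes, peer_tpk: bytes, label: bytes) -> bytes:
    """KT = KDF(ECDH shared secret); HMAC-SHA256 stands in for the unnamed KDF."""
    return hmac.new(x25519(own_tsk, peer_tpk), label, hashlib.sha256).digest()

def ue_accepts_autn(autn: bytes) -> bool:
    """Stand-in for the UE's 3GPP AUTN check: an update-flow AUTN (wrong length,
    AMF set to the update code, a public key where the MAC belongs) fails it."""
    return len(autn) == 16 and autn[6:8] != AMF_UPDATE

def negotiate() -> dict:
    """Steps S1 to S11 of the reference flow, all four network elements in one process."""
    # S1: the SEAF decides KT1/KT2 must be (re)negotiated and makes TPK1/TSK1.
    tpk1, tsk1 = keypair()
    sn_name = build_sn_name(UPDATE_CODE, tpk1.hex().encode())   # S1-2: SN Id -> TPK1
    # S2/S3 are not spelled out in the patent text.  Assumed here: the AUSF keeps
    # TPK1, makes TPK2/TSK2 and carries TPK2 in the SN name it sends to the UDM (S4).
    service_id, carried = parse_sn_name(sn_name)
    assert service_id == UPDATE_CODE
    tpk1_at_ausf = bytes.fromhex(carried.decode())
    tpk2, tsk2 = keypair()
    sn_name_to_udm = build_sn_name(UPDATE_CODE, tpk2.hex().encode())
    # S5: the UDM sees the update code, makes TPK3/TSK3, KT1 = ECDH(TSK3, TPK2),
    #     puts TPK3 into AUTN and sets AMF to the update code (S5-3).
    _, carried = parse_sn_name(sn_name_to_udm)
    tpk3, tsk3 = keypair()
    kt1_udm = push_key(tsk3, bytes.fromhex(carried.decode()), b"KT1")
    autn_from_udm = AMF_UPDATE + tpk3
    # S7: the AUSF sees AMF == update code: KT1 = ECDH(TSK2, TPK3), makes TPK4/TSK4,
    #     KT2 = ECDH(TSK4, TPK1), and replaces the AUTN payload with TPK4 (S7-4).
    assert autn_from_udm[:2] == AMF_UPDATE
    kt1_ausf = push_key(tsk2, autn_from_udm[2:], b"KT1")
    tpk4, tsk4 = keypair()
    kt2_ausf = push_key(tsk4, tpk1_at_ausf, b"KT2")
    autn_from_ausf = AMF_UPDATE + tpk4
    # S9: the SEAF sees AMF == update code: KT2 = ECDH(TSK1, TPK4).
    assert autn_from_ausf[:2] == AMF_UPDATE
    kt2_seaf = push_key(tsk1, autn_from_ausf[2:], b"KT2")
    # S10/S11: the UE receives this AUTN, its check fails and the terminal must
    # re-authenticate (S12); that second run is protected with the keys just agreed.
    # As described, each TPK is used as carried; nothing in the flow binds it to
    # the network element that sent it.
    return {
        "kt1_match": kt1_udm == kt1_ausf,         # UDM<->AUSF segment
        "kt2_match": kt2_ausf == kt2_seaf,        # AUSF<->SEAF segment
        "segments_differ": kt1_ausf != kt2_ausf,  # each segment gets its own key
        "ue_accepts": ue_accepts_autn(autn_from_ausf),
    }
```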
Example 6
In summary, the key points of the 5G core network user identity authentication process provided by the present invention are:
(1) keys transferred between core networks (such as UDM, AUSF, SEAF and AMF in 5G, HSS and MME in 4G) may be transferred after confidentiality protection.
(2) The push protection of the core network (e.g. between UDM and AUSF, between AUSF and SEAF and between SEAF and AMF in 5G, and between HSS and MME in 4G) is segmented; each segment may use completely different algorithms, keys and block lengths, or only selected segments may be protected.
(3) The negotiation and generation of the push key of the core network (such as between UDM and AUSF in 5G, between AUSF and SEAF, between SEAF and AMF, and between HSS and MME in 4G) are completed by using the standard authentication flow between the terminal and the network, and only the fields required in the standard flow are partially modified.
(4) The network elements participating in the key push protection can initiate the negotiation and replacement processes of the push key, and the replacement time can be flexibly selected according to the strategy.
(5) The network elements participating in the key push protection negotiate out key push resources in the operation process, do not need to prefabricate keys, and support flexible deployment.
(6) The push protection of the key information of the core network and the negotiation and replacement processes of the push key are not sensed by the terminal, and the terminal does not need to be modified.
(7) Other sensitive information (including but not limited to the transmission of key information) in the mobile communication network can also realize the encrypted transmission and key negotiation and updating of the information by the scheme.
The present invention is not limited to the above embodiments, and any changes or substitutions that can be easily made by those skilled in the art within the technical scope of the present invention are also within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (6)

1. A 5G core network user identity authentication process, characterized in that it comprises the following steps:
(1) the terminal side sends an authentication request;
(2) the core network generates an authentication vector;
(3) encrypting the key information in the authentication vector and generating an authentication response message;
(4) the authentication response is returned to the terminal side, and the terminal calculates the authentication request;
(5) the core network distinguishes whether the authentication is passed or not according to the authentication request.
2. The subscriber identity authentication procedure of the 5G core network according to claim 1, wherein: and (4) encrypting in the step (3) by adopting a block encryption algorithm to encrypt the key information in the authentication vector.
3. The subscriber identity authentication procedure of the 5G core network according to claim 1, wherein: the network elements at the terminal side are the AUSF and the UDM, and the following operations are performed:
a. the AUSF receives the terminal authentication request and sends it to the UDM; the UDM generates the home authentication vector (RAND || XRES || KAUSF || AUTN);
b. the AUSF security key KAUSF is encrypted with key KT1 to obtain the encrypted AUSF security key KAUSF';
c. the UDM replaces KAUSF in the authentication vector with the encrypted security key KAUSF' to obtain a protected authentication vector, and sends the protected authentication vector to the AUSF;
d. the AUSF receives the protected authentication vector from the UDM and decrypts KAUSF' in the authentication vector with key KT1;
e. the AUSF generates the SEAF security key KSEAF and HXRES;
f. the AUSF encrypts the generated SEAF security key KSEAF with key KT2 to obtain the encrypted security key KSEAF', generates the protected authentication vector RAND || XRES || KSEAF' || AUTN, and places it in the authentication response message;
g. the AUSF sends the authentication response message to the terminal base station side so that the terminal base station side can judge whether authentication has passed;
h. the AUSF receives the terminal authentication request sent by the terminal base station side and judges the authentication result: if XRES is consistent with the RES in the terminal authentication request, authentication is judged to have passed.
4. The subscriber identity authentication procedure of the 5G core network according to claim 3, wherein: in the normal terminal authentication process the SN name field takes the form "service identifier: SN Id", where the service identifier is "5G"; when keys KT1 and KT2 need to be acquired, the service identifier of the SN name is set to the pre-agreed update code nepher, and the SN name field takes the form "nepher: SN Id".
5. The subscriber identity authentication procedure of the 5G core network according to claim 1, wherein: the network elements at the terminal base station side comprise the SEAF and the UE, and the following operations are performed at the terminal base station side:
a. the SEAF receives the registration of the terminal UE and sends an authentication request to the terminal base station side so that the terminal base station side can generate an authentication vector and an authentication response message according to the authentication request;
b. the SEAF receives the authentication response message sent by the terminal base station side, which comprises RAND || XRES || KSEAF' || AUTN; the SEAF decrypts KSEAF' with key KT2 to obtain KSEAF, stores it, and sends an authentication request to the UE;
c. the UE performs the authentication calculation;
d. if the UE passes user authentication, it sends the computed RES to the SEAF;
e. the SEAF receives the feedback information RES sent by the terminal UE, calculates XRES and compares it with HXRES; if XRES is consistent with HXRES, authentication at the terminal base station side is judged to have passed;
f. after judging that authentication at the terminal base station side has passed, the SEAF sends a terminal authentication request, which comprises the feedback information RES, to the terminal base station side so that the terminal base station side can judge according to the terminal authentication request whether authentication has passed.
6. The subscriber identity authentication procedure of the 5G core network according to claim 5, wherein: the terminal authentication process comprises the following steps:
Step S1: after receiving the registration of the terminal user UE, the SEAF judges that the key of the current network needs to be updated and executes:
Step S1-1: generating a local temporary public/private key pair TPK1 and TSK1;
Step S1-2: storing TSK1 locally, replacing the SN Id in the SN name field with TPK1, setting the service identifier in the SN name field to the pre-agreed update code, and generating the SN name with the special structure;
Step S2: the SEAF sends an authentication request carrying the SN name with the special structure to the terminal base station side, so that the terminal base station side can generate a key according to the SN name with the special structure;
Step S3: the SEAF receives the authentication response message sent by the terminal base station side, detects that the AMF field in the authentication vector is the update code, and executes: extracting TPK4 from AUTN, calculating with TSK1 the new key KT2 between the SEAF and the AUSF, and storing it;
Step S4: the SEAF sends an authentication request to the terminal UE;
Step S5: the terminal verifies the AUTN field of the authentication vector according to the 3GPP standard; the verification fails, authentication failure is judged, and the authentication process ends.
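As an added illustration that is not code from the patent, the key-push protection of claims 3 and 5 modelled end to end in Go: the UDM wraps KAUSF under KT1, the AUSF unwraps it, derives KSEAF and HXRES and re-wraps KSEAF under KT2, and the SEAF and AUSF each reach their verdict on the UE's RES. It assumes AES-128-GCM as the block cipher and SHA-256 hashes in place of the 3GPP key derivation functions; KT1, KT2 and the authentication vector fields are constructed sample values.

```go
package main
import ("bytes"; "crypto/aes"; "crypto/cipher"; "crypto/rand"; "crypto/sha256"; "fmt")
// AV models RAND || XRES || K || AUTN; K carries KAUSF' (UDM->AUSF) or KSEAF' (AUSF->SEAF).
type AV struct{ RAND, XRES, K, AUTN []byte }
// Constructed sample material, not from the patent: inter-element keys KT1/KT2 and one home AV.
var KT1, KT2 = bytes.Repeat([]byte{1}, 16), bytes.Repeat([]byte{2}, 16)
var RAND, XRES, KAUSF, AUTN = bytes.Repeat([]byte{3}, 16), bytes.Repeat([]byte{4}, 16), bytes.Repeat([]byte{5}, 32), bytes.Repeat([]byte{6}, 16)
// seal/open: the claims say only "block encryption algorithm"; AES-128-GCM (nonce || ct || tag) is assumed here.
func seal(kt, plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(kt)
	if err != nil { return nil, err }
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, plain, nil), nil
}
func open(kt, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(kt)
	if err != nil { return nil, err }
	g, _ := cipher.NewGCM(block)
	if len(ct) < g.NonceSize() { return nil, fmt.Errorf("ciphertext too short") }
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}
// derive stands in for the 3GPP KDFs not modelled here (KSEAF from KAUSF, HXRES from XRES/RES).
func derive(label string, in []byte) []byte { h := sha256.Sum256(append([]byte(label), in...)); return h[:] }
// UDM (claim 3 a-c): the home AV leaves the UDM with KAUSF replaced by KAUSF' = E_KT1(KAUSF).
func UDMProtect(kt1 []byte) (AV, error) { k, err := seal(kt1, KAUSF); return AV{RAND, XRES, k, AUTN}, err }
// AUSF (claim 3 d-f): recover KAUSF, derive KSEAF and HXRES, forward KSEAF' = E_KT2(KSEAF) to the SEAF.
func AUSFProtect(kt1, kt2 []byte, av AV) (AV, []byte, error) {
	kausf, err := open(kt1, av.K)
	if err != nil { return AV{}, nil, err }
	k, err := seal(kt2, derive("KSEAF", kausf))
	return AV{av.RAND, av.XRES, k, av.AUTN}, derive("HXRES", av.XRES), err
}
// SEAF (claim 5 b, e): recover KSEAF with KT2; later hash the UE's RES and compare it with HXRES.
func SEAFRecover(kt2 []byte, av AV) ([]byte, error) { return open(kt2, av.K) }
func SEAFCheck(hxres, res []byte) bool          { return bytes.Equal(derive("HXRES", res), hxres) }
// AUSF (claim 3 h): final verdict on the RES carried in the SEAF's terminal authentication request.
func AUSFCheck(xres, res []byte) bool { return bytes.Equal(xres, res) }
// Flow runs the whole exchange with the UE answering res and returns the SEAF and AUSF verdicts.
func Flow(res []byte) (seafOK, ausfOK bool, err error) {
	av1, err := UDMProtect(KT1)
	if err != nil { return }
	av2, hxres, err := AUSFProtect(KT1, KT2, av1)
	if err != nil { return }
	if _, err = SEAFRecover(KT2, av2); err != nil { return }
	return SEAFCheck(hxres, res), AUSFCheck(av2.XRES, res), nil
}
func main() { fmt.Println(Flow(XRES)) } // true true <nil>
```

A network element holding the wrong KT key cannot unwrap the pushed key (GCM authentication fails), which is the property that lets the AUSF and SEAF replace KT1/KT2 at will as claim 6 describes.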
CN202111301732.0A 2021-11-04 2021-11-04 5G core network user identity authentication process Pending CN113938887A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111301732.0A CN113938887A (en) 2021-11-04 2021-11-04 5G core network user identity authentication process

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111301732.0A CN113938887A (en) 2021-11-04 2021-11-04 5G core network user identity authentication process

Publications (1)

Publication Number Publication Date
CN113938887A true CN113938887A (en) 2022-01-14

Family

ID=79285775

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111301732.0A Pending CN113938887A (en) 2021-11-04 2021-11-04 5G core network user identity authentication process

Country Status (1)

Country Link
CN (1) CN113938887A (en)


Legal Events

Date Code Title Description
PB01 Publication