CN102883325B - Authentication server, mobile terminal and end to end authentication communication channel method for building up - Google Patents

Authentication server, mobile terminal and end to end authentication communication channel method for building up Download PDF

Info

Publication number
CN102883325B
CN102883325B CN201210421349.3A CN201210421349A CN102883325B CN 102883325 B CN102883325 B CN 102883325B CN 201210421349 A CN201210421349 A CN 201210421349A CN 102883325 B CN102883325 B CN 102883325B
Authority
CN
China
Prior art keywords
message
callee
common parameter
calling party
authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201210421349.3A
Other languages
Chinese (zh)
Other versions
CN102883325A (en
Inventor
钟焰涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Yulong Computer Telecommunication Scientific Shenzhen Co Ltd
Dongguan Yulong Telecommunication Technology Co Ltd
Original Assignee
Yulong Computer Telecommunication Scientific Shenzhen Co Ltd
Dongguan Yulong Telecommunication Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Yulong Computer Telecommunication Scientific Shenzhen Co Ltd, Dongguan Yulong Telecommunication Technology Co Ltd filed Critical Yulong Computer Telecommunication Scientific Shenzhen Co Ltd
Priority to CN201210421349.3A priority Critical patent/CN102883325B/en
Publication of CN102883325A publication Critical patent/CN102883325A/en
Application granted granted Critical
Publication of CN102883325B publication Critical patent/CN102883325B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Abstract

The invention provides a kind of authentication server, be positioned at core net, comprising: authentication unit, when caller calls callee, verify the identity of calling party and generate the identity of the first Message Authentication Code and checking callee and generate the second Message Authentication Code; Common parameter determining unit, according to the first Message Authentication Code and the second Message Authentication Code determination common parameter, and distributes to calling party and described calling party by common parameter.Correspondingly, present invention also offers a kind of mobile terminal and a kind of end to end authentication communication channel method for building up.According to technical scheme of the present invention, can realize the end-to-end encrypted communication between mobile phone terminal, encryption key is only grasped by two mobile phone terminals participating in communication, effectively improves the fail safe of encryption key.

Description

Authentication server, mobile terminal and end to end authentication communication channel method for building up
Technical field
The present invention relates to communication technical field, in particular to a kind of authentication server, a kind of mobile terminal and a kind of end to end authentication communication channel method for building up.
Background technology
In existing mobile communication system, the voice call between mobile phone only achieves encryption when wireless transmission, and is not encrypted when core network.This present situation causes voice call and there is the possibility be ravesdropping, and needs moving speech communication to have higher fail safe in the occasion that some security requirement is higher, therefore needs to set up end-by-end security communication channel.
The method of end-to-end enciphoring voice telecommunication in a kind of mobile communication system is proposed in correlation technique, when caller mobile phone terminal sends call encryption request in the method, after encryption qualification authentication, encryption key is generated by KDC (KDC), and encryption key is sent to calling terminal and terminal called respectively, set up safe enciphoring voice telecommunication channel for both sides.There is a security vulnerabilities in the program, namely key is generated by (KDC) in the key distribution in core net completely, and this likely causes the security breaches of two aspects.First, if the data leak of KDC, or key sends in the way of mobile terminal monitored by KDC, then this key has no fail safe and can say; Meanwhile, also there is man-in-the-middle attack and the assailant KDC that disguises oneself as and generate the possibility of key.
A kind of method setting up safety authentication channel is also proposed in correlation technique, in the method, two peer-entities being equivalent to voice call both sides all hold digital certificate, two peer-entities will choose a temporary transient private key respectively, and calculate a temporary transient PKI, then temporary transient PKI, digital certificate, identify label are sent to the other side; Both sides all calculate ephemeral shared key by the temporary transient PKI of the other side and the temporary transient private key of one's own side, and by digital certificate, Hash operation certification the other side identity; Last both sides all obtain final session key by carrying out Hash operation to ephemeral shared key; Final utilization session key is encrypted communication, realizes the fail safe of communication.But the authentication property of communicating pair is realized by digital certificate in the program, before setting up key at every turn, communicating pair all must arrive the authenticity of certificate center CA place checking the other side digital certificate, this brings very large communication overhead, also mean when applying in mobile communication system, will experience larger delay before setting up call, this is unacceptable in the voice call occasion that requirement of real-time is higher.This depending on before PKIX PKI verifies the type order of mobile terminal also cannot realize in mobile communication system simultaneously.In fact, in mobile communication system, the mobile terminal of core net to access has done authentication, and this verification process is that the authentication parameter by using the AUC AUC of core net to store realizes.Another problem is how the open parameter in the program is chosen and do not explained, and communicating pair should be consensus before setting up key for open parameter.
Therefore, need a kind of end-by-end security set up authentication communication channel of easy realization, the fail safe of key can be improved.
Summary of the invention
Consider above-mentioned background technology, the invention provides a kind of End-to-End Security authentication communication channel establishing techniques, the fail safe of key can be improved.
According to an aspect of the present invention, provide a kind of authentication server, be positioned at core net, comprising: authentication unit, when caller calls callee, verify the identity of described calling party and generate the first Message Authentication Code and verify the identity of described callee and generate the second Message Authentication Code; Common parameter determining unit, according to described first Message Authentication Code and described second Message Authentication Code determination common parameter, and distributes to described calling party and described calling party by described common parameter.
Common parameter to generate common parameter, and is sent to calling both sides by the Message Authentication Code that this authentication server can utilize the identity of checking calling both sides and produce, thus completes the authentication to both call sides, and without the need to relying on PKI and digital certificate.
In technique scheme, preferably, described common parameter determining unit determines described common parameter according to following formula: g=h (MAC a, MAC b), wherein, g represents described common parameter, and h represents hash function, MAC arepresent described first Message Authentication Code, MAC brepresent described second Message Authentication Code.
According to a further aspect in the invention, additionally provide a kind of mobile terminal, comprising: Transmit-Receive Unit, receive the common parameter from authentication server, and the first message that Key generating unit generates is sent to the other-end with described communication of mobile terminal; Described Key generating unit, generates described first message according to described common parameter, and according to the second message generation encryption key that described other-end sends over; Ciphering unit, is encrypted to sent data according to described encryption key, and the data after encryption are sent to described other-end via described Transmit-Receive Unit.
Generate an encryption key by a message exchange procedure between two mobile phone terminals, thus complete the foundation of secure authenticated communication channel, only have these two mobile phone terminals of participation just to know this encryption key, ensure that the fail safe of encryption.
In technique scheme, preferably, can also comprise: verification unit, verify whether described mobile terminal and described other-end use same described common parameter, when judging to use same described common parameter, order described Transmit-Receive Unit that described first message is sent to described other-end.Only ensureing that both call sides uses on the basis of same common parameter, guarantee both call sides generates identical encryption key.
In technique scheme, preferably, the first validation value L of described Transmit-Receive Unit also for described authentication unit is calculated abe sent to described other-end, and receive the second validation value L from described other-end b, described second validation value L bbased on formula calculate; Described verification unit is also for based on formula calculate described first validation value L a, and verify described second validation value L bwhether correct, when the result is correct, determine that described mobile terminal and described other-end use same described common parameter, wherein, n bthe identification code of described other-end, n abe the identification code of described mobile terminal, q is pre-stored in the modulus in described mobile terminal and described other-end.
In above-mentioned arbitrary technical scheme, preferably, described Transmit-Receive Unit is also for receiving the second message K from described other-end b, described second message K bbased on formula generate, and the first message K that described ciphering unit is generated abe sent to described other-end; Described ciphering unit is according to formula generate the first message K a, and according to formula with the second message K from described other-end bcalculate described encryption key, wherein, r aand r bbe more than or equal to 1 to be less than or equal to default integer-valued integer respectively.This default integer value is relevant with the maximum message value that hash function exports.
According to another aspect of the invention, additionally provide a kind of end to end authentication communication channel method for building up, comprise the following steps: when caller calls callee, the second Message Authentication Code determination common parameter that the first Message Authentication Code that core net generates according to the identity of the described calling party of checking generates with the identity of the described callee of checking, and described common parameter is distributed to described calling party and described calling party; Described calling party and described callee generate respective message according to described common parameter, and mutually exchange described respective message; The encryption key that the message generation that described calling party and described callee send over according to the other side is respectively identical, described calling party and described callee are encrypted to sent data according to described encryption key respectively, to set up the end to end authentication communication channel between described calling party and described callee.
Common parameter to generate common parameter, and is sent to calling both sides by the Message Authentication Code that core net can utilize the identity of checking calling both sides and produce, thus completes the authentication to both call sides, and without the need to relying on PKI and digital certificate.Generate an encryption key by a message exchange procedure between two mobile phone terminals, thus complete the foundation of secure authenticated communication channel, only have these two mobile phone terminals participating in cipher key change just to know this encryption key, ensure that the fail safe of encryption.
In technique scheme, preferably, described core net determines described common parameter according to following formula: g=h (MAC a, MAC b), wherein, g is described common parameter, and h is hash function, MAC athe Message Authentication Code of described calling party, MAC bfor the Message Authentication Code of described callee.
In technique scheme, preferably, can also comprise the following steps: verify whether described calling party and described callee use same described common parameter; If use same described common parameter, then mutually exchange described respective message.
In technique scheme, preferably, proof procedure specifically comprises: described calling party is based on formula calculate the first validation value L a, and by described first validation value L abe sent to described callee; Described callee is based on formula calculate the second validation value L b, and by described second validation value L bbe sent to described calling party; Described calling party verifies described second validation value L bwhether correct, described callee verifies described first validation value L awhether correct, if described first validation value L awith described second validation value L ball correct, then determine that described calling party and described callee use same described common parameter, wherein, n bthe identification code of described callee, n abe the identification code of described calling party, q is pre-stored in the modulus in described calling party and described callee.
In technique scheme, preferably, the generative process of described encryption key specifically comprises: described calling party is according to formula generate the first message K a, and by the first message K abe sent to described callee, described callee is according to formula generate the second message K b, and by the second message K bbe sent to described calling party; Described calling party is according to formula with the second message K from described callee bcalculate described encryption key, described callee is according to formula with the first message K from described calling party acalculate described encryption key, wherein, r aand r bbe more than or equal to 1 to be less than or equal to default integer-valued integer respectively.This default integer value is relevant with the maximum message value that hash function exports.
Accompanying drawing explanation
Fig. 1 shows the block diagram of authentication server according to an embodiment of the invention;
Fig. 2 shows the block diagram of mobile terminal according to an embodiment of the invention;
Fig. 3 shows End-to-End Security authenticated channel according to an embodiment of the invention and sets up the block diagram of system;
Fig. 4 shows the flow chart of end to end authentication communication channel method for building up according to an embodiment of the invention;
Fig. 5 shows the flow chart of end to end authentication communication channel method for building up according to still another embodiment of the invention.
Embodiment
In order to more clearly understand above-mentioned purpose of the present invention, feature and advantage, below in conjunction with the drawings and specific embodiments, the present invention is further described in detail.
Set forth a lot of detail in the following description so that fully understand the present invention; but; the present invention can also adopt other to be different from other modes described here and implement, and therefore, protection scope of the present invention is not by the restriction of following public specific embodiment.
Below in conjunction with drawings and Examples, the present invention will be further described.It should be noted that, when not conflicting, the feature in the embodiment of the application and embodiment can combine mutually.
Fig. 1 shows the block diagram of authentication server according to an embodiment of the invention.
As shown in Figure 1, authentication server 100, is positioned at core net according to an embodiment of the invention, comprising: authentication unit 102, when caller calls callee, verify the identity of calling party and generate the identity of the first Message Authentication Code and checking callee and generate the second Message Authentication Code; Common parameter determining unit 104, according to the first Message Authentication Code and the second Message Authentication Code determination common parameter, and distributes to calling party and calling party by common parameter.
Common parameter to generate common parameter, and is sent to calling both sides by the Message Authentication Code that this authentication server 100 can utilize the identity of checking calling both sides and produce, thus completes the authentication to both call sides, and without the need to relying on PKI and digital certificate.
Preferably, common parameter determining unit 104 is according to following formula determination common parameter: g=h (MAC a, MAC b), wherein, g represents common parameter, and h represents hash function, MAC arepresent the first Message Authentication Code, MAC brepresent the second Message Authentication Code.
Fig. 2 shows the block diagram of mobile terminal according to an embodiment of the invention.
As shown in Figure 2, mobile terminal 200 according to an embodiment of the invention, comprising: Transmit-Receive Unit 202, receives the common parameter from authentication server, and the first message that Key generating unit generates is sent to the other-end with communication of mobile terminal; Key generating unit 204, generates the first message according to common parameter, and according to the second message generation encryption key that other-end sends over; Ciphering unit 206, is encrypted to sent data according to encryption key, and the data after encryption are sent to other-end via Transmit-Receive Unit.
Generate an encryption key by a message exchange procedure between two mobile phone terminals, thus complete the foundation of secure authenticated communication channel, only have these two mobile phone terminals of participation just to know this encryption key, ensure that the fail safe of encryption.
Preferably, mobile terminal 200 can also comprise: verification unit 208, and whether checking mobile terminal and other-end use same common parameter, and when judging to use same common parameter, the first message is sent to other-end by order Transmit-Receive Unit.Only ensureing that both call sides uses on the basis of same common parameter, guarantee both call sides generates identical encryption key.
Preferably, the first validation value L of Transmit-Receive Unit 202 also for authentication unit is calculated abe sent to other-end, and receive the second validation value L from other-end b, the second validation value L bbased on formula calculate; Verification unit 208 is also for based on formula calculate described first validation value L a, and verify described second validation value L bwhether correct, when the result is correct, determine that described mobile terminal and described other-end use same described common parameter, wherein, n bthe identification code of described other-end, n abe the identification code of described mobile terminal, q is pre-stored in the modulus in described mobile terminal and described other-end.
In above-mentioned arbitrary technical scheme, preferably, described Transmit-Receive Unit 202 is also for receiving the second message K from described other-end bdescribed second message K bbased on formula generate, and the first message K that described ciphering unit is generated abe sent to described other-end; Described ciphering unit 206 is according to formula generate the first message K a, and according to formula with the second message K from described other-end bcalculate described encryption key, wherein, r aand r bbe more than or equal to 1 to be less than or equal to default integer-valued integer respectively.This default integer value is relevant with the maximum message value that hash function exports.
Fig. 3 shows End-to-End Security authenticated channel according to an embodiment of the invention and sets up the block diagram of system.
As shown in Figure 3, be distributed to two mobile terminals (mobile terminal A and mobile terminal B) after common parameter g is selected by the authentication server 100 being positioned at core-network side, so guarantee that both sides use same parameter g by one-time authentication data interaction between latter two mobile terminal.
After guaranteeing that mobile terminal A and mobile terminal B uses same parameter g, an encryption key is generated by a key exchange process between two mobile terminals, thus complete the foundation of secure authenticated communication channel, finally utilize this encryption key to be encrypted to sent data.Generative process due to encryption key only has mobile terminal A and mobile terminal B participate in and produce in exchange process, does not have third party to know this encryption key, therefore effectively improves the fail safe of encryption key.
Secure authenticated communication channel is used for mutual certification the other side identity between two communication equipments, and exchange session encryption key, so that both sides realize coded communication.Can realize the end-to-end encrypted communication between mobile phone terminal by this safety authentication channel, the present invention relies on existing mobile communication system mechanism, easily realizes.Encryption key is set up by mutual by two mobile terminals communicated, and avoids the grasp of core network entity to encryption key, effectively improves the fail safe of encryption key, and then improve the fail safe of enciphoring voice telecommunication; Meanwhile, the authentication property in the present invention is realized the authentication of mobile terminal by core net, again carries out certification, reduce communication overhead without the need to communicating pair.
Fig. 4 shows the flow chart of end to end authentication communication channel method for building up according to an embodiment of the invention.
As shown in Figure 4, end to end authentication communication channel method for building up according to an embodiment of the invention, comprise the following steps: step 402, when caller calls callee, the second Message Authentication Code determination common parameter that the first Message Authentication Code that core net generates according to the identity of checking calling party generates with the identity of checking callee, and common parameter is distributed to calling party and calling party; Step 404, calling party and callee generate respective message according to common parameter, and mutually exchange respective message; Step 406, the encryption key that the message generation that calling party and callee send over according to the other side is respectively identical, calling party and callee are encrypted to sent data according to encryption key respectively, to set up the end to end authentication communication channel between calling party and callee.
Common parameter to generate common parameter, and is sent to calling both sides by the Message Authentication Code that core net can utilize the identity of checking calling both sides and produce, thus completes the authentication to both call sides, and without the need to relying on PKI and digital certificate.Generate an encryption key by a message exchange procedure between two mobile phone terminals, thus complete the foundation of secure authenticated communication channel, only have these two mobile phone terminals participating in cipher key change just to know this encryption key, ensure that the fail safe of encryption.
In technique scheme, preferably, core net is according to following formula determination common parameter: g=h (MAC a, MAC b), wherein, g is common parameter, and h is hash function, MAC athe Message Authentication Code of calling party, MAC bfor the Message Authentication Code of callee.
In technique scheme, preferably, can also comprise the following steps: whether checking calling party and callee use same common parameter; If use same common parameter, then mutually exchange respective message.
In technique scheme, preferably, proof procedure specifically comprises: calling party is based on formula calculate the first validation value L a, and by the first validation value L abe sent to callee; Callee is based on formula calculate the second validation value L b, and by the second validation value L bbe sent to calling party; Calling party verifies the second validation value L bwhether correct, callee verifies the first validation value L awhether correct, if the first validation value L awith the second validation value L ball correct, then determine that calling party and callee use same common parameter, wherein, n bthe identification code of callee, n abe the identification code of calling party, q is pre-stored in the modulus in calling party and callee.
In technique scheme, preferably, the generative process of encryption key specifically comprises: calling party is according to formula generate the first message K a, and by the first message K abe sent to callee, callee is according to formula generate the second message K b, and by the second message K bbe sent to calling party; Calling party is according to formula with the second message K from callee bcalculate encryption key, callee is according to formula with the first message K from calling party acalculate encryption key, wherein, r aand r bbe more than or equal to 1 to be less than or equal to default integer-valued integer respectively.This default integer value is relevant with the maximum message value that hash function exports.
End to end authentication communication channel method for building up is according to an embodiment of the invention further illustrated below in conjunction with Fig. 5.Authentication property in this method is realized the authentication of mobile terminal by core net, and core net can guarantee the entity authentication of mobile phone terminal to the authentication that mobile phone terminal carries out.Key exchange process in this method is realized by an IKE, wherein, the open parameter of IKE comprises an a modulus q and Montgomery Algorithm truth of a matter g, and modulus q is a Big prime and is contained in advance in mobile phone terminal memory, and truth of a matter g then dynamically generates.Convenient in order to describe, in describing, core net is abstracted into an entity below, no longer distinguishes each network element in core net.
In step 502, between mobile phone terminal, carry out normal call flow process.Call flow in call flow herein and mobile communication system, for setting up call link between mobile phone terminal.
In step 504, determine common parameter g.In the authentication process of normal call flow process, core network is in order to verification terminal identity meeting generating messages identifying code MAC.The corresponding Message Authentication Code participating in setting up two mobile phone terminals of safety authentication channel is designated as MACa and MACb respectively.
Make hash function h such as, for { 0,1}* → Zp, wherein, { 0, the 1}* message representing the random length of input, Zp represents any one integer between 1 to p-1, Z 100represent any one integer between 1 to 99, core net calculates common parameter g=h (MACa, MACb) according to the Message Authentication Code of hash algorithm and two mobile phone terminals.
Suppose that two mobile phone terminals participating in setting up safety authentication channel are designated as terminal A and terminal B respectively, the common parameter g calculated is sent to terminal A and terminal B by core net respectively.
Wherein, use same common parameter in order to ensure two mobile phone terminals, need to verify.Suppose that the cell-phone number of terminal A be the cell-phone number of na, terminal B is nb.In order to verify whether both sides use same parameter g, and terminal A is based on formula calculate L aand by L asend to terminal B, and terminal B is based on formula calculate L band by L bsend to terminal A.
Terminal A and terminal B verifies the correctness of the other side's sending value respectively, if correctly, then continues the cipher key change performing step 506; If incorrect, then stop this flow process.
In step 506, cipher key change.
Terminal A selects random number r a∈ Zp, calculates and the first message Ka is sent to terminal B.
Terminal B selects random number r b∈ Zp, calculates and the second message Kb is sent to terminal A.
Terminal A calculates encryption key terminal B calculates encryption key final both sides generate the same encryption key for session, so far establish End-to-End Security authentication communication channel.Both sides utilize this encryption key to be encrypted to sent data, achieve coded communication.
More than be described with reference to the accompanying drawings according to technical scheme of the present invention, proposed a kind of technology setting up End-to-End Security authenticated channel between mobile phone terminal, only need increase several interaction messages on existing mobile communication system basis, easily realize.Secondly, the encryption key in the technical program is only grasped by two mobile phone terminals participating in communication, effectively improves the fail safe of key; In this programme, the certification of mobile phone terminal is completed by the authentication mechanism of core net simultaneously, without the need to depending on PKIX and digital certificate, use the coded communication that the technical program realizes, setting up, the delay of communication channel stage is less, can be applicable to the voice call occasion that requirement of real-time is higher, can meet the real-time requirement of user very well, the experience sense improving user is subject to.
The foregoing is only the preferred embodiments of the present invention, be not limited to the present invention, for a person skilled in the art, the present invention can have various modifications and variations.Within the spirit and principles in the present invention all, any amendment done, equivalent replacement, improvement etc., all should be included within protection scope of the present invention.

Claims (9)

1. an authentication server, is characterized in that, is positioned at core net, comprising:
Authentication unit, when caller calls callee, verifies the identity of described calling party and generates the first Message Authentication Code and verify the identity of described callee and generate the second Message Authentication Code;
Common parameter determining unit, according to described first Message Authentication Code and described second Message Authentication Code determination common parameter, and distributes to described calling party and described callee by described common parameter;
Described common parameter determining unit determines described common parameter according to following formula:
G=h (MAC a, MAC b), wherein, g represents described common parameter, and h represents hash function, MAC arepresent described first Message Authentication Code, MAC brepresent described second Message Authentication Code.
2. a mobile terminal, is characterized in that, comprising:
Transmit-Receive Unit, receives the common parameter from authentication server, and the first message that Key generating unit generates is sent to the other-end with described communication of mobile terminal;
Described Key generating unit, generates described first message according to described common parameter, and according to the second message generation encryption key that described other-end sends over;
Ciphering unit, be encrypted to sent data according to described encryption key, and the data after encryption are sent to described other-end via described Transmit-Receive Unit, wherein, described common parameter is generated by the identity of described authentication server according to the identity of described terminal and described other-end;
Wherein, described authentication server determines described common parameter according to following formula:
G=h (MAC a, MAC b), wherein, g represents described common parameter, and h represents hash function, MAC arepresent the first Message Authentication Code of described first message, MAC brepresent the second Message Authentication Code of described second message.
3. mobile terminal according to claim 2, it is characterized in that, also comprise: verification unit, verify whether described mobile terminal and described other-end use same described common parameter, when judging to use same described common parameter, order described Transmit-Receive Unit that described first message is sent to described other-end.
4. mobile terminal according to claim 3, is characterized in that, the first validation value L of described Transmit-Receive Unit also for being calculated by described authentication unit abe sent to described other-end, and receive the second validation value L from described other-end b, described second validation value L bbased on formula L b = g n a mod q Calculate;
Described verification unit is also for based on formula calculate described first validation value L a, and verify described second validation value L bwhether correct, when the result is correct, determine that described mobile terminal and described other-end use same described common parameter, wherein, n bthe identification code of described other-end, n abe the identification code of described mobile terminal, q is pre-stored in the modulus in described mobile terminal and described other-end.
5. the mobile terminal according to any one of claim 2 to 4, is characterized in that, described Transmit-Receive Unit is also for receiving the second message K from described other-end b, described second message K bbased on formula generate, and the first message K that described ciphering unit is generated abe sent to described other-end;
Described ciphering unit is according to formula generate the first message K a, and according to formula with the second message K from described other-end bcalculate described encryption key, wherein, r aand r bbe more than or equal to 1 to be less than or equal to default integer-valued integer respectively.
6. an end to end authentication communication channel method for building up, is characterized in that, comprises the following steps:
When caller calls callee, the second Message Authentication Code determination common parameter that the first Message Authentication Code that core net generates according to the identity of the described calling party of checking generates with the identity of the described callee of checking, and described common parameter is distributed to described calling party and described callee;
Described calling party and described callee generate respective message according to described common parameter, and mutually exchange described respective message;
The encryption key that the message generation that described calling party and described callee send over according to the other side is respectively identical, described calling party and described callee are encrypted to sent data according to described encryption key respectively, to set up the end to end authentication communication channel between described calling party and described callee;
Wherein, described core net determines described common parameter according to following formula:
G=h (MAC a, MAC b), wherein, g is described common parameter, and h is hash function, MAC athe Message Authentication Code of described calling party, MAC bfor the Message Authentication Code of described callee.
7. end to end authentication communication channel method for building up according to claim 6, is characterized in that, also comprise:
Verify whether described calling party and described callee use same described common parameter;
If use same described common parameter, then mutually exchange described respective message.
8. end to end authentication communication channel method for building up according to claim 7, it is characterized in that, proof procedure specifically comprises:
Described calling party is based on formula calculate the first validation value L a, and by described first validation value L abe sent to described callee;
Described callee is based on formula calculate the second validation value L b, and by described second validation value L bbe sent to described calling party;
Described calling party verifies described second validation value L bwhether correct, described callee verifies described first validation value L awhether correct, if described first validation value L awith described second validation value L ball correct, then determine that described calling party and described callee use same described common parameter, wherein, n bthe identification code of described callee, n abe the identification code of described calling party, q is pre-stored in the modulus in described calling party and described callee.
9. the end to end authentication communication channel method for building up according to any one of claim 6 to 8, it is characterized in that, the generative process of described encryption key specifically comprises:
Described calling party is according to formula generate the first message K a, and by the first message K abe sent to described callee, described callee is according to formula generate the second message K b, and by the second message K bbe sent to described calling party;
Described calling party is according to formula with the second message K from described callee bcalculate described encryption key, described callee is according to formula with the first message K from described calling party acalculate described encryption key, wherein, r aand r bbe more than or equal to 1 to be less than or equal to default integer-valued integer respectively.
CN201210421349.3A 2012-10-29 2012-10-29 Authentication server, mobile terminal and end to end authentication communication channel method for building up Active CN102883325B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210421349.3A CN102883325B (en) 2012-10-29 2012-10-29 Authentication server, mobile terminal and end to end authentication communication channel method for building up

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210421349.3A CN102883325B (en) 2012-10-29 2012-10-29 Authentication server, mobile terminal and end to end authentication communication channel method for building up

Publications (2)

Publication Number Publication Date
CN102883325A CN102883325A (en) 2013-01-16
CN102883325B true CN102883325B (en) 2015-09-30

Family

ID=47484427

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210421349.3A Active CN102883325B (en) 2012-10-29 2012-10-29 Authentication server, mobile terminal and end to end authentication communication channel method for building up

Country Status (1)

Country Link
CN (1) CN102883325B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104066080B (en) * 2014-06-05 2017-12-08 天地融科技股份有限公司 A kind of data processing method of voice call
CN104144051B (en) * 2014-07-24 2018-04-06 上海斐讯数据通信技术有限公司 A kind of remote speech encipher-decipher method
CN104301567B (en) * 2014-08-25 2017-01-11 宇龙计算机通信科技(深圳)有限公司 Network communication method and system
CN104869570B (en) * 2015-04-10 2018-08-28 电子科技大学 A kind of terminal check method of speaking based on voice channel
CN106548059A (en) * 2015-09-23 2017-03-29 中兴通讯股份有限公司 The method of teacher, head of a family's mobile terminal and head of a family's authentication
CN112787709B (en) * 2021-01-26 2022-12-09 兴唐通信科技有限公司 End-to-end identity authentication method suitable for satellite mobile communication system
CN115022024B (en) * 2022-05-31 2023-09-29 中国电信股份有限公司 Method and device for encrypting call, storage medium and electronic equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101183938A (en) * 2007-10-22 2008-05-21 华中科技大学 Wireless network security transmission method, system and equipment
CN101527905A (en) * 2009-04-08 2009-09-09 刘建 Wireless local area network identification and privacy infrastructure unicast key agreement method and system thereof

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010031600A1 (en) * 2008-09-16 2010-03-25 Telefonaktiebolaget Lm Ericsson (Publ) Key management in a communication network

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101183938A (en) * 2007-10-22 2008-05-21 华中科技大学 Wireless network security transmission method, system and equipment
CN101527905A (en) * 2009-04-08 2009-09-09 刘建 Wireless local area network identification and privacy infrastructure unicast key agreement method and system thereof

Also Published As

Publication number Publication date
CN102883325A (en) 2013-01-16

Similar Documents

Publication Publication Date Title
CN102883325B (en) Authentication server, mobile terminal and end to end authentication communication channel method for building up
US11563565B2 (en) System and method for computing private keys for self certified identity based signature schemes
CN106209369B (en) A kind of communication means of ID-based cryptosystem system
US5222140A (en) Cryptographic method for key agreement and user authentication
US8447036B2 (en) Multi-party key agreement method using bilinear map and system therefor
WO2009065356A1 (en) A method, system and network device for mutual authentication
Cao et al. Identity-based anonymous remote authentication for value-added services in mobile networks
CN104270249A (en) Signcryption method from certificateless environment to identity environment
CN111970699B (en) Terminal WIFI login authentication method and system based on IPK
CN101145913B (en) A method and system for network security communication
CN110278088A (en) A kind of SM2 collaboration endorsement method
Azad et al. Authentic caller: Self-enforcing authentication in a next-generation network
US11044081B2 (en) System and method for obtaining a common session key between devices
CN104753937A (en) SIP (System In Package)-based security certificate registering method
WO2018169489A1 (en) System and method for computing common session keys in a forward secure identity-based authenticated key exchange scheme
CN105790942A (en) Method and system for secure call and terminals
Luo et al. Cross-domain certificateless authenticated group key agreement protocol for 5G network slicings
CN105162585A (en) Efficient privacy protecting session key agreement method
CN110809000B (en) Service interaction method, device, equipment and storage medium based on block chain network
CN116074019A (en) Identity authentication method, system and medium between mobile client and server
CN106559402B (en) User terminal and identity authentication method and device for encrypted voice telephone service thereof
Ni et al. A pairing-free identity-based authenticated key agreement mechanism for sip
CN101938491A (en) Password-based three-party key exchange method
CN106571912B (en) A kind of two side's authentication methods towards electric system
Yijun et al. A secure key exchange and mutual authentication protocol for wireless mobile communications

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant