CN104038937A - Network access authentication method applicable to satellite mobile communication network - Google Patents
- Publication number: CN104038937A (application CN201410285979.1A)
- Authority: CN (China)
- Prior art keywords: user, NCC, authentication, information, TID
- Legal status: Pending
- Landscapes: Mobile Radio Communication Systems (AREA)
Abstract
The invention relates to a network access authentication method applicable to a satellite mobile communication network. The method comprises four steps: user registration, user management, mobile authentication and update authentication. An effective network access authentication protocol is of great importance to the security of a satellite mobile communication network. The method is characterized in that the authentication role of the gateway station is emphasized and the authentication computation load on the NCC (Network Control Center) is reduced; common attacks such as masquerading, tampering and replay by any party can be resisted, and integrity protection of the transmitted data is provided at the same time, so that the security of the satellite mobile communication network is greatly improved.
Description
Technical field
The present invention relates to a network access authentication method applicable to a satellite mobile communication network, and belongs to the field of satellite network security authentication techniques.
Background technology
With the development of communication technology, satellite mobile communication networks are receiving more and more attention. They offer the following advantages: direct access, connectivity between remote ground networks, Internet service, multimedia applications and high-rate data transmission. A typical satellite mobile communication network is made up of satellites, gateway stations, mobile users, a network control center (NCC) and a satellite control center (SCC), as shown in Figure 1.
The space segment of a satellite mobile communication network consists of the satellites; it is one or more satellite constellations and provides the connection between mobile users and gateway stations. Gateway stations are part of the satellite mobile communication network, are distributed all over the world, and are mainly responsible for call processing, switching and interfacing with terrestrial communication networks; a mobile user is connected to a gateway station via a satellite. The network control center (NCC) is connected to the customer information control system to coordinate access to satellite resources and performs network management and control logic functions; it can communicate with the gateway stations over the network. The satellite control center (SCC) monitors the performance of the satellite constellation and controls the positions of the satellites in orbit. Satellite mobile communication has developed remarkably in recent years, with systems such as the Inmarsat GEO system, the Cospas-Sarsat LEO and GEO systems, Globalstar, Iridium and Orbcomm. These satellite mobile communication systems provide a wide range of services such as voice, broadcast, broadband and Internet access.
Although satellite mobile communication networks show enormous advantages, security challenges remain. Because of the broadcast nature of satellite radio links, a satellite network is more easily eavesdropped on by unauthorized users than a fixed or terrestrial mobile network. To ensure the safety of users in a satellite network, designing an efficient access authentication scheme is extremely important. Cruickshank proposed an authentication system for satellite networks; his scheme guarantees mutual authentication between the mobile user and the satellite network and encrypts data with a session key using a public-key cryptosystem, but the encryption and decryption operations involved are quite complex. Hwang et al. proposed a mobile user identity verification and data encryption scheme for mobile satellite communication systems; their scheme does not use public-key cryptography, but the shared key has to be updated whenever the mobile user authenticates. Chang et al. proposed a mutual authentication protocol for mobile satellite communication systems that uses hash functions and XOR operations; in their scheme the NCC does not need to select a new key and temporary identity for the user in every authentication session, which improves efficiency. However, because the NCC takes part in every session of every mobile user's access authentication, it still carries a considerable computational load. Moreover, a deeper analysis of the Hwang and Chang schemes shows that the NCC is the bottleneck of network security: since the NCC must verify several mobile users and take part in each of their sessions, it becomes a potential weak point in the satellite mobile communication network. If the NCC authentication server comes under attack, the network tends to stop working. Designing a more reasonable network access authentication scheme is therefore most important; it needs to reduce the computational load on the NCC and improve authentication efficiency.
In a satellite mobile communication network, the gateway station mediates the communication between the NCC and the satellites. In addition, gateway stations connect to terrestrial communication networks to provide diversified communication services. When integrated with a terrestrial network, the gateway station provides the functions of the base station controller (BSC) and the mobile switching center (MSC). When a user accesses the communication network, the BSC and MSC are very important authentication components. In terrestrial mobile communication networks, such as the Global System for Mobile Communications (GSM), the General Packet Radio Service (GPRS) and 3G cellular networks, authentication is an important part that ensures that no unauthorized user can fraudulently obtain services from the wireless network.
Summary of the invention
The technical problem solved by the present invention: to overcome the deficiencies of the prior art by providing a network access authentication method applicable to a satellite mobile communication network, which reduces the computational load on the NCC, can resist attacks on the NCC, and at the same time protects the integrity of the transmitted data, greatly strengthening the security of the satellite mobile communication network.
The technical solution of the present invention: a network access authentication method applicable to a satellite mobile communication network, comprising four steps: user registration, user management, mobile authentication and update authentication.
(1) User registration procedure
Before using the network, user U first registers with the network control center NCC, and NCC assigns the user's information. The information NCC assigns to a new user U comprises: the user's permanent identity ID_u; the authentication key K_a shared between the user and NCC, together with the maximum number of times N_u that K_a may be used (K_a is generated by NCC when the user registers and renewed at each update authentication); the user's temporary identity TID_u, generated by NCC when the user registers and renewed at each update authentication; S_u, which indicates whether NCC provides network access authentication service for mobile user U (if NCC allows the service for user U, the S_u field is TRUE, otherwise FALSE); and the user authentication counter m, which records the number of times mobile user U has authenticated in the satellite mobile communication network. After the user has registered, user U, gateway station G and NCC each hold a set of private information related to the network access authentication of user U.
(2) User management procedure
If NCC finds or suspects that user U is no longer trustworthy (for example, because the user's information has been leaked), it can disable this user. If user U finds that it has been disabled, it can apply to NCC to lift the ban, and NCC will regenerate authentication information for it. If the information of user U is no longer needed, the user can be deleted.
(3) Mobile authentication
A mobile user that needs to access the satellite mobile communication network to communicate with other users must complete mobile authentication. After the user has passed mobile authentication, gateway station G trusts this user, and user U and gateway station G hold the encryption key K_e = K'_e (K_e at the user side and K'_e at the gateway side), which can be used to encrypt the data transmitted afterwards.
The mobile authentication flow is as follows:
Step 1:
The satellite first sends an authentication request to the mobile user. On receiving the request, user U computes its authentication values (formula not reproduced on this page), where R is a random number and H() denotes a collision-resistant one-way hash function, and returns the result together with the value TID_u to the satellite. On receiving the information from user U, the satellite adds ID_sat and forwards the corresponding information to gateway station G, where ID_sat is the identity number of the current satellite and || denotes concatenation.
Step 2:
On receiving the information, gateway station G first checks whether ID_sat is legitimate; if so, it looks up the information of user U. If the information of user U is found, go to Step 5; otherwise gateway station G sends (ID_G, TID_u) to NCC over a secure channel, where ID_G is the identity number of the gateway station G that the user can reach.
Step 3:
On receiving the information, NCC first looks up the information of user U by TID_u. If no user information is found, it returns an "unregistered user" authentication failure notification to G. Otherwise NCC checks the value of the S_u field: if S_u is FALSE, it returns a "forbidden user" authentication failure notification to G, notifies the registration gateway station G' to delete the user information, and authentication fails; if S_u is TRUE, NCC queries the registration gateway station G' for the user information of U over a secure channel, and the user information is transferred from the registration gateway station G' to gateway station G.
Step 4:
If G receives an authentication failure notification from NCC, it forwards the notification to the satellite and U and terminates; otherwise G receives the user information of U and stores it.
Step 5:
Gateway station G computes R' and P' (formulas not reproduced on this page). If H(P') does not match the expected hash value (not reproduced on this page), G sends an "authentication failed" notification to U and terminates; otherwise G sends [TID_u, H(R'||P')] to U, updates the user information of U and computes the key K'_e.
Step 6:
If U receives an authentication failure notification, it records the failure information and terminates. Otherwise U receives [TID_u, H(R'||P')] and checks whether H(R'||P') is consistent with H(R||P). If consistent, the j-th network access authentication of U has succeeded; otherwise authentication fails and the procedure terminates.
(4) Update authentication
In the update authentication process, Steps 1 to 4 are the same as in mobile authentication; the main difference is that a new shared key and temporary identity are generated for subsequent network access authentication. The update authentication process is:
Step 1:
The satellite first sends an authentication request to the mobile user. On receiving the request, user U computes its authentication values (formula not reproduced on this page) and returns the result together with the value TID_u to the satellite. On receiving the information from user U, the satellite adds ID_sat and forwards the corresponding information to gateway station G.
Step 2:
On receiving the information, gateway station G first checks whether ID_sat is legitimate; if so, it looks up the information of user U. If the information of user U is found, go to Step 5; otherwise gateway station G sends (ID_G, TID_u) to NCC over a secure channel.
Step 3:
On receiving the information, NCC first looks up the information of user U by TID_u. If no user information is found, it returns an "unregistered user" authentication failure notification to G. Otherwise NCC checks the value of the S_u field: if S_u is FALSE, it returns a "forbidden user" authentication failure notification to G, notifies the registration gateway station G' to delete the user information, and authentication fails; if S_u is TRUE, NCC queries the registration gateway station G' for the user information of U over a secure channel, and the user information is transferred from the registration gateway station G' to gateway station G.
Step 4:
If G receives an authentication failure notification from NCC, it forwards the notification to the satellite and U and terminates the procedure; otherwise G receives the user information of U and stores it.
Step 5:
G sends the information to NCC (message not reproduced on this page).
Step 6:
After receiving the information, NCC computes R' and P'. If H(P') is inconsistent with H²(K_a||ID_u||TID_u), NCC sends an "authentication failed" notification to G.
Otherwise NCC randomly generates a new temporary identity TID'_u and computes the new authentication key and encryption key. NCC then sends the result to G (message not reproduced on this page) and updates the TID_u field of the user information to TID'_u.
Step 7:
If G receives an authentication failure notification from NCC, it forwards it to U via the satellite and terminates the procedure. Otherwise, after receiving the message, G sends [TID_u, TID'_u, H(R'||P'||TID'_u)] to U, updates the information of user U and stores the encryption key K'_e.
Step 8:
If U receives an authentication failure notification, the procedure terminates.
Otherwise, after receiving the message, U computes H(R||P||TID'_u) and compares it with the received H(R'||P'||TID'_u). If inconsistent, authentication fails and the procedure terminates; otherwise authentication succeeds, U computes the new authentication key and encryption key and updates its user information.
After the update authentication has succeeded, user U and gateway G share the encryption key K_e = K'_e, which can be used to encrypt the data transmitted afterwards.
(1) User registration
Before using the network, user U first registers with NCC, and NCC assigns the user's information. After the user has registered, user U, gateway station G and NCC each hold a set of private information related to the network access authentication of user U.
(2) User management
If NCC finds or suspects that user U is no longer trustworthy (for example, because the user's information has been leaked), it can disable this user. If user U finds that it has been disabled, it can apply to NCC to lift the ban, and NCC will regenerate authentication information for it. If the information of user U is no longer needed, the user can be deleted.
(3) Mobile authentication
A mobile user that needs to access the satellite mobile communication network to communicate with other users must complete mobile authentication. After the user has passed mobile authentication, gateway station G trusts this user. User U and gateway G hold the encryption key K_e = K'_e, which can be used to encrypt the data transmitted afterwards.
The mobile authentication process is as follows:
Step 1:
The satellite (for example a LEO satellite) first sends an authentication request to the mobile user. On receiving the request, user U computes its authentication values (formulas not reproduced on this page) and returns the result together with the value TID_u to the LEO satellite. After receiving the information from U, the LEO satellite adds ID_sat and forwards the corresponding information to gateway station G.
Step 2:
As soon as gateway station G receives the information, it first checks whether ID_sat is legitimate; if so, it looks up the user information of U. If the user information of U is found, go to Step 5; otherwise G sends (ID_G, TID_u) to NCC over a secure channel.
Step 3:
On receiving the information, NCC first looks up the information of user U by TID_u. If no user information is found, it returns an "unregistered user" authentication failure notification to G. Otherwise NCC checks the value of the S_u field: if S_u is FALSE, it returns a "forbidden user" authentication failure notification to G, notifies the registration gateway station G' to delete the user information, and authentication fails; if S_u is TRUE, NCC queries the registration gateway station G' for the user information of U over a secure channel, and the user information is transferred from the registration gateway station G' to gateway station G.
Step 4:
If G receives an authentication failure notification from NCC, it forwards the notification to the satellite and U and terminates the protocol. Otherwise G receives the user information of U and stores it.
Step 5:
Gateway station G computes R' and P'. If H(P') does not match the expected hash value (not reproduced on this page), G sends an "authentication failed" notification to U and terminates; otherwise G sends [TID_u, H(R'||P')] to U, updates the user information of U and computes the key K'_e.
Step 6:
If U receives an authentication failure notification, it records the failure information and terminates. Otherwise U receives [TID_u, H(R'||P')] and checks whether H(R'||P') is consistent with H(R||P). If consistent, the j-th network access authentication of U has succeeded; otherwise authentication fails and the procedure terminates.
(4) Update authentication
In the update authentication process, Steps 1 to 4 are the same as in the mobile authentication process; the main difference is that a new shared key and temporary identity are generated for subsequent network access authentication. The update authentication process is as follows:
Step 1:
The satellite first sends an authentication request to the mobile user. On receiving the request, user U computes its authentication values (formula not reproduced on this page), where R is a random number and H() denotes a collision-resistant one-way hash function, then returns the result together with the value TID_u to the satellite. On receiving the information from user U, the satellite adds ID_sat and forwards the corresponding information to gateway station G, where ID_sat is the identity number of the current satellite.
Step 2:
On receiving the information, gateway station G first checks whether ID_sat is legitimate; if so, it looks up the information of user U. If the information of user U is found, go to Step 5; otherwise gateway station G sends (ID_G, TID_u) to NCC over a secure channel, where ID_G is the identity number of the gateway station G that the user can reach.
Step 3:
On receiving the information, NCC first looks up the information of user U by TID_u. If no user information is found, it returns an "unregistered user" authentication failure notification to G. Otherwise NCC checks the value of the S_u field: if S_u is FALSE, it returns a "forbidden user" authentication failure notification to G, notifies the registration gateway station G' to delete the user information, and authentication fails; if S_u is TRUE, NCC queries the registration gateway station G' for the user information of U over a secure channel, and the user information is transferred from the registration gateway station G' to gateway station G.
Step 4:
If G receives an authentication failure notification from NCC, it forwards the notification to the satellite and U and terminates; otherwise G receives the user information of U and stores it.
Step 5:
G sends the information to NCC (message not reproduced on this page).
Step 6:
After receiving the information, NCC computes R' and P'. If H(P') is inconsistent with H²(K_a||ID_u||TID_u), NCC sends an "authentication failed" notification to G.
Otherwise NCC randomly generates a new temporary identity TID'_u and computes the new authentication key and encryption key. NCC then sends the result to G (message not reproduced on this page) and updates the TID_u field of the user information to TID'_u.
Step 7:
If G receives an authentication failure notification from NCC, it forwards it to U via the satellite and terminates the protocol. Otherwise, after receiving the message, G sends [TID_u, TID'_u, H(R'||P'||TID'_u)] to U, updates the information of user U and stores the encryption key K'_e.
Step 8:
If U receives an authentication failure notification, the procedure terminates.
Otherwise, after receiving the message, U computes H(R||P||TID'_u) and compares it with the received H(R'||P'||TID'_u). If inconsistent, authentication fails and the procedure terminates; otherwise authentication succeeds, U computes the new authentication key and encryption key and updates its user information.
After the update authentication has succeeded, user U and gateway G share the encryption key K_e = K'_e, which can be used to encrypt the data transmitted afterwards.
Compared with the prior art, the advantages of the present invention are as follows. The method is mainly based on hash functions and XOR, so its computational cost is small and it can be used on devices with weak computing capability such as handheld devices. The invention also borrows from the authentication schemes of terrestrial mobile communication networks: the authentication process mainly takes place between the user terminal and the gateway station, while NCC participates in the authentication process only as required. The whole network access authentication process is carried out jointly by the user terminal, the satellite, the gateway station and the network control center. The beneficial effects of the invention are therefore that the authentication computation load on NCC is reduced, common attacks such as masquerading, tampering and replay by any party can be resisted, and the transmitted data is integrity-protected at the same time, greatly strengthening the security of the satellite mobile communication network.
Brief description of the drawings
Fig. 1 is a structural diagram of the satellite mobile communication network of the inventive method;
Fig. 2 is a schematic diagram of the steps of the inventive method;
Fig. 3 is the mobile authentication flow chart of the inventive method in the satellite mobile communication network;
Fig. 4 is the update authentication flow chart of the inventive method in the satellite mobile communication network.
Embodiment
Inspired by terrestrial mobile communication networks, the present invention introduces the gateway station as an authentication component and thereby proposes an effective authentication scheme. The proposed scheme comprises four stages: the mobile user registration stage, the mobile user management stage, the mobile authentication stage and the update authentication stage. Only hash functions and XOR operations are used in this scheme. Hash functions are increasingly easy for mobile user terminals to compute and are becoming popular in network security applications; for mobile and embedded platforms, for example, the throughput of the SHA-512 algorithm on an FPGA device can reach 1.8 Gbps. The access authentication scheme proposed by the invention is carried out jointly by the mobile user, the gateway station and NCC, so the computational load on NCC is reduced and attacks on NCC can also be resisted.
The beneficial effects of the invention are therefore that the authentication computation load on NCC is reduced, common attacks such as masquerading, tampering and replay by any party can be resisted, and the transmitted data is integrity-protected at the same time, greatly strengthening the security of the satellite mobile communication network.
As shown in Figure 2, the mobile user network access authentication method designed by the present invention is mainly made up of four steps: user registration, user management, mobile authentication and update authentication. The concrete implementation of each step is as follows:
(1) User registration
Before using the network, user U first registers with NCC, and NCC assigns the user's information. The information NCC assigns to a new user U comprises: the user's permanent identity ID_u; the authentication key K_a shared between the user and NCC, together with the maximum number of times N_u that K_a may be used (K_a is generated by NCC when the user registers and renewed at each update authentication); the user's temporary identity TID_u, generated by NCC when the user registers and renewed at each update authentication; S_u, which indicates whether NCC provides network access authentication service for mobile user U (if NCC allows the service for user U, the S_u field is TRUE, otherwise FALSE); and the user authentication counter m, which records the number of times mobile user U has authenticated in the satellite mobile communication network. After the user has registered, m is set to 0; user U holds the private information (ID_u, N_u, TID_u, K_a, N_u - m), and NCC holds the information (ID_u, S_u, N_u, TID_u, ID_sat, K_a, ID_G, N_u - m) related to U, where ID_sat is the identity number of the current satellite and ID_G is the identity number of the gateway station G that the user can reach. At the same time gateway station G stores the corresponding information (formula not reproduced on this page), where H() denotes a collision-resistant one-way hash function and || denotes concatenation.
(2) User management
As described above, NCC coordinates access to satellite resources and performs network management and control. If NCC finds or suspects that user U is no longer trustworthy, it can disable this user, setting the S_u field in the stored user information (ID_u, S_u, N_u, TID_u, ID_sat, K_a, ID_G) of U to FALSE and notifying gateway station G to delete the user information of U.
If user U finds that it has been disabled by NCC, it can apply to NCC to lift the ban and regain authentication service. If the application is approved, NCC resets the S_u field in the user information to TRUE, assigns the user a new temporary identity TID'_u and authentication key K'_a, updates the private information held by user U to (ID_u, S_u, N_u, TID'_u, ID_sat, K'_a, ID_G, N_u - m), and inserts the new information of user U (formula not reproduced on this page) into gateway station G, where m is set to 0.
If user U is illegitimate or has been removed, NCC can delete its user information (ID_u, S_u, N_u, TID_u, ID_sat, K_a, ID_G, N_u - m), and the user information of U stored by gateway station G (not reproduced on this page) is deleted at the same time, where m is the number of times user U has authenticated in the satellite mobile network.
(3) Mobile authentication
A mobile user that needs to access the satellite mobile communication network to communicate with other users must complete mobile authentication.
When user U performs its j-th network access authentication (j < N_u), U holds the information (ID_u, N_u, TID_u, K_a, N_u - (j - 1)), gateway station G holds the corresponding information (formula not reproduced on this page), and NCC holds the user information (ID_u, S_u, N_u, TID_u, ID_sat, K_a, ID_G, N_u - (j - 1)). The mobile authentication process is shown in Figure 3.
The detailed process is as follows:
Step 1:
The satellite (for example a LEO satellite) first sends an authentication request to the mobile user. On receiving the request, user U selects a random number R and computes its authentication values (formulas not reproduced on this page). U then sends the result and the value TID_u to the LEO satellite. After receiving the information from U, the LEO satellite adds ID_sat and forwards the corresponding information to gateway station G.
Step 2:
As soon as gateway station G receives the information, it first checks whether ID_sat is legitimate; if so, it looks up the user information of U by TID_u. If the user information of U is found, go to Step 5; otherwise G sends (ID_G, TID_u) to NCC over a secure channel.
Step 3:
NCC receives the information (ID_G, TID_u) and first looks up the information of user U by TID_u: [ID_u, S_u, N_u, TID_u, ID_sat, K_a, ID_G', N_u - (j - 1)], where G' is the registration gateway station of user U. If no user information is found, NCC returns an "unregistered user" authentication failure notification to G. Otherwise NCC checks the value of the S_u field: if S_u is FALSE, it returns a "forbidden user" authentication failure notification to G, notifies the registration gateway station G' to delete the user information, and authentication fails; if S_u is TRUE, NCC queries the registration gateway station G' for the user information of U over a secure channel, transfers the user information from the registration gateway station G' to gateway station G over a secure channel, and at the same time updates the gateway station ID field in the user information to ID_G.
Step 4:
If G receives an authentication failure notification from NCC, it forwards the notification to the satellite and U and terminates the protocol. Otherwise G receives the user information of U and stores it.
Step 5:
Gateway station G computes R' and P' (formulas not reproduced on this page). If H(P') does not match the hash value G holds (not reproduced on this page), G sends an "authentication failed" notification to U and terminates; otherwise G sends [TID_u, H(R'||P')] to U, updates the user information of U to (TID_u, N_u - j, P'), and computes the key K'_e = f_e((N_u - (j - 1)) || P' || R'), where f_e is the session key derivation function.
Step 6:
If U receives an authentication failure notification, it records the failure information and terminates. Otherwise U receives [TID_u, H(R'||P')] and checks whether H(R'||P') is consistent with H(R||P). If consistent, the j-th network access authentication of U has succeeded: U updates its user information to (ID_u, N_u, TID_u, K_a, N_u - j) and computes K_e = f_e((N_u - (j - 1)) || P || R). Otherwise authentication fails and the protocol terminates.
After mobile authentication has succeeded, gateway station G trusts the authenticated user. User U and gateway G hold the encryption key K_e = K'_e, which can be used to encrypt the data transmitted afterwards.
(4) Update authentication
When U performs its N_u-th authentication, U holds the information (ID_u, N_u, TID_u, K_a, 1), G holds the information [TID_u, 1, H²(K_a||ID_u||TID_u)], and NCC holds the information (ID_u, S_u, N_u, TID_u, ID_sat, K_a, ID_G, 1). The update authentication process is shown in Figure 4.
In the update authentication process, Steps 1 to 4 are the same as in the mobile authentication protocol; the main difference is that a new shared key and temporary identity are generated for subsequent network access authentication. The update authentication process in detail is as follows:
Step1:
First satellite sends authentication request to mobile subscriber as LEO, and user U receives after request, selects a random number R, and calculates
wherein
then, U sends result of calculation and TID to LEO
uvalue.LEO receives the information from U
after, add ID
satinformation sends to gateway station G corresponding information again
Step2:
Gateway station G mono-receives information
first check ID
satwhether legal, legal according to TID
usearch the user profile of U, if find the user profile of U, turn Step5; Otherwise G sends (ID by safe lane to NCC
g, TID
u).
Step3:
NCC receives the information (ID_g, TID_u) and first looks up the information of user U, [ID_u, S_u, N_u, TID_u, ID_sat, K_a, ID_g', N_u-(j-1)], by TID_u, where G' is the registration gateway station of user U. If the user information is not found, NCC returns the authentication failure notification "unregistered user" to G. Otherwise NCC checks the value of the S_u field: if S_u is FALSE, NCC returns the authentication failure notification "forbidden user" to G, notifies the registration gateway station G' to delete the user information, and authentication fails; if S_u is TRUE, NCC queries the registration gateway station G' for the user information of U over a secure channel,
transfers the user information from the registration gateway station G' to gateway station G over a secure channel, and at the same time updates the gateway station ID field of the user information to ID_g.
Step4:
If G receives the authentication failure notification returned by NCC, it forwards this notification to the satellite and U, and the protocol run terminates. Otherwise G receives and stores the user information of U.
Step5:
G sends information to NCC
Step6:
NCC receives the information
and calculates R' and P'.
If H(P') and H_2(K_a || ID_u || TID_u) are inconsistent, NCC sends the authentication failure notification "authentication failed" to G.
Otherwise NCC randomly generates a new temporary identity TID'_u and calculates the new authentication key K'_a = f_a(TID'_u || P' || R') and encryption key K'_e = f_e(K'_a || TID'_u || P' || R'), where f_a and f_e are authentication key derivation functions. Then NCC sends to G
and updates the TID_u field of the user information to TID'_u.
Step7:
If G receives the authentication failure notification returned by NCC, it forwards this notification to U via the satellite and the procedure terminates. Otherwise G receives the message,
sends [TID_u, TID'_u, H(R'||P'||TID'_u)] to U, updates the information of user U,
and saves the encryption key K'_e.
Step8:
If U receives an authentication failure notification, the procedure terminates.
Otherwise U receives [TID_u, TID'_u, H(R'||P'||TID'_u)], calculates H(R||P||TID'_u) and compares it with the received H(R'||P'||TID'_u). If they are inconsistent, authentication fails and the protocol run terminates; otherwise authentication succeeds, and U calculates the new authentication key K''_a = f_a(TID'_u || P || R) and encryption key K_e = f_e(K''_a || TID'_u || P || R), and updates its user information to (ID_u, N_u, TID'_u, K''_a, N_u).
After update authentication succeeds, user U and gateway G share the encryption key K_e = K'_e, which can be used to encrypt and protect the data transmitted subsequently.
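As an added example (not code from the patent), the following Python models Step6 to Step8 of the update authentication described above, using the page's formulas for K'_a, K'_e and the H(R'||P'||TID'_u) check. The hash instantiation, the key derivation functions f_a and f_e, the form of P, and the way R' and P' reach NCC are assumptions, noted in the comments.

```python
import hashlib
import hmac
import os

# Added model of Step6 (NCC) and Step8 (user U) of the update authentication;
# not the patent's own code. Assumptions: h() is SHA-256; f_a and f_e are
# domain-separated SHA-256 derivations; P = H(K_a || ID_u || TID_u), which is
# what makes NCC's check H(P') == H_2(K_a || ID_u || TID_u) hold; the gateway
# station hands NCC the values R' and P' it recovered from U's message.


def H(*parts: bytes) -> bytes:
    """Collision-resistant one-way hash h(); '||' is byte concatenation."""
    return hashlib.sha256(b"".join(parts)).digest()


def f_a(*parts: bytes) -> bytes:
    """Assumed instantiation of the authentication-key derivation function f_a."""
    return hashlib.sha256(b"kdf-auth|" + b"".join(parts)).digest()


def f_e(*parts: bytes) -> bytes:
    """Assumed instantiation of the encryption-key derivation function f_e."""
    return hashlib.sha256(b"kdf-enc|" + b"".join(parts)).digest()


def user_step1(user: dict):
    """U picks a random R and computes P (assumed P = H(K_a || ID_u || TID_u))."""
    return os.urandom(16), H(user["K_a"], user["ID_u"], user["TID_u"])


def ncc_step6(ncc: dict, r_p: bytes, p_p: bytes):
    """NCC checks H(P') against H_2(K_a||ID_u||TID_u), then derives TID'_u,
    K'_a = f_a(TID'_u||P'||R') and K'_e = f_e(K'_a||TID'_u||P'||R')."""
    h2 = H(H(ncc["K_a"], ncc["ID_u"], ncc["TID_u"]))
    if not hmac.compare_digest(H(p_p), h2):
        return None                                  # "authentication failed"
    tid_new = os.urandom(8)
    ka_new = f_a(tid_new, p_p, r_p)
    ke_new = f_e(ka_new, tid_new, p_p, r_p)
    msg = (ncc["TID_u"], tid_new, H(r_p, p_p, tid_new))   # relayed by G to U
    ncc["TID_u"], ncc["K_a"] = tid_new, ka_new       # update the TID_u field
    return msg, ke_new


def user_step8(user: dict, r: bytes, p: bytes, msg):
    """U compares H(R||P||TID'_u) with the received tag, then derives
    K''_a = f_a(TID'_u||P||R) and K_e = f_e(K''_a||TID'_u||P||R)."""
    _tid_old, tid_new, tag = msg
    if not hmac.compare_digest(H(r, p, tid_new), tag):
        return None                                  # authentication failure
    ka_new = f_a(tid_new, p, r)
    user["TID_u"], user["K_a"] = tid_new, ka_new
    return f_e(ka_new, tid_new, p, r)


def make_records():
    """Constructed post-registration state: U and NCC share K_a and TID_u."""
    user = {"ID_u": b"user-0001", "K_a": os.urandom(32), "TID_u": os.urandom(8)}
    return user, dict(user)


def run_update(tamper_r: bool = False, tamper_p: bool = False):
    """One update-authentication run; the tamper flags flip one bit of the
    R'/P' that reach NCC. Returns (ncc_accepted, user_accepted, keys_match)."""
    user, ncc = make_records()
    r, p = user_step1(user)
    r_p = bytes(b ^ 1 for b in r) if tamper_r else r
    p_p = bytes(b ^ 1 for b in p) if tamper_p else p
    out = ncc_step6(ncc, r_p, p_p)
    if out is None:
        return False, False, False
    msg, ke_gateway = out                            # K'_e stored at G
    ke_user = user_step8(user, r, p, msg)
    if ke_user is None:
        return True, False, False
    return True, True, hmac.compare_digest(ke_user, ke_gateway)
```

A modified R' passes NCC's check, which covers only P', and is caught only by U's comparison in Step8, so G should not treat NCC's acceptance alone as confirmation that K'_e is agreed with the user.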
The method proposed by the present invention has further undergone security analysis in its concrete implementation:
The mobile authentication method proposed by the present invention realizes bidirectional identity authentication between the user terminal and the gateway station and can resist impersonation attacks by either party; the proposed protocol uses an XOR mechanism to provide integrity protection for the transmitted data and can resist tampering attacks; the proposed protocol updates the authentication information of the user and the gateway station after every authentication, so it can also resist replay attacks.
When implementing the present invention, the data packet format of mobile authentication can be made consistent with that of update authentication, which further increases the difficulty of attack. This can be achieved by adding a disguised TID'_u to the packet that must be returned in mobile authentication.
For the maximum number of user authentications N_u there are three optional schemes: (1) use one fixed value for all users; (2) use a fixed value per user, allowing different users to have different values, which is the scheme this protocol adopts; (3) allow N_u to be set dynamically, which is more flexible but makes the protocol more complex. If scheme (2) (the scheme adopted by the present invention) is used, two factors must be considered when determining the value of N_u: first, the computing capability of the user terminal, that is, whether it can bear N_u hash computations; second, user security: a user who is easily exposed should use a smaller N_u value, so that the key changes more quickly and the possibility of a successful attack is reduced. If N_u is chosen to be 1, the authentication key becomes a one-time key.
The above embodiments are provided only to describe the purpose of the present invention and are not intended to limit its scope. The scope of the present invention is defined by the following claims. All equivalent substitutions and modifications made without departing from the spirit and principle of the present invention shall fall within the scope of the present invention.
Claims (1)
1. A network access authentication method applicable to a satellite mobile communication network, characterized by comprising four steps: user registration, user management, mobile authentication and update authentication;
(1) User registration implementation process
Before using the network, user U must first register with the network control center NCC, which distributes user information to it; the information NCC distributes to the new user U includes: the user's permanent identity ID_u; the authentication key K_a shared between the user and NCC, and the maximum number of times N_u that K_a may be used, where K_a is generated by NCC when the user registers and updated at each update authentication; the user's temporary identity TID_u, generated by NCC when the user registers and updated at each update authentication; S_u, which identifies whether NCC provides network access authentication service for mobile user U: if NCC allows providing network access authentication service for user U, the S_u field value is TRUE, otherwise the S_u field value is FALSE; the user authentication counter m, which records the number of authentications of mobile user U in the satellite mobile communication network; after the user has registered, user U, gateway station G and NCC each hold a set of private information related to the network access authentication of user U;
(2) User management implementation process
If NCC finds or suspects that user U is no longer trustworthy, it can forbid this user; if user U finds that it has been forbidden, it can apply to NCC to lift the ban, and NCC will regenerate authentication information for it; if the information of user U is no longer needed, this user can be deleted;
(3) Mobile authentication
A mobile user who needs to access the satellite mobile communication network and communicate with other users must complete mobile authentication; after the user passes mobile authentication, gateway station G trusts this user, and user U and gateway station G share the encryption key K_e = K'_e, where K_e and K'_e are the user-side and gateway-station-side encryption/decryption keys respectively, which can be used to encrypt and protect the data transmitted subsequently;
The mobile authentication flow is implemented as follows:
Step1:
First the satellite sends an authentication request to the mobile user; after receiving the request, user U calculates
wherein R is a random number and h() represents a collision-resistant one-way hash function; U then returns the calculation result and the value TID_u to the satellite; after receiving the information from user U, the satellite adds the ID_sat information and forwards the corresponding information to gateway station G, where ID_sat is the identity number of the current satellite and || represents the concatenation operation;
Step2:
Gateway station G receives the information and first checks whether ID_sat is legal; if it is legal, G searches for the information of user U; if the information of user U is found, go to Step5; otherwise gateway station G sends (ID_g, TID_u) to NCC over a secure channel, where ID_g is the identity number of the gateway station G accessible to the user;
Step3:
After receiving the information, NCC first looks up the information of user U by TID_u; if the user information is not found, NCC returns the authentication failure notification "unregistered user" to G; otherwise NCC checks the value of the S_u field: if S_u is FALSE, NCC returns the authentication failure notification "forbidden user" to G, notifies the registration gateway station G' to delete the user information, and authentication fails; if S_u is TRUE, NCC queries the registration gateway station G' for the user information of U over a secure channel, and the user information is transferred from the registration gateway station G' to gateway station G;
Step4:
If G receives the authentication failure notification returned by NCC, it forwards this notification to the satellite and U, and stops; otherwise G receives and stores the user information of U;
Step5:
Gateway station G calculates
and
if H(P') and
are inconsistent, G sends the authentication failure notification "authentication failed" to U and stops; otherwise G sends [TID_u, H(R'||P')] to U, updates the user information of U and computes the key K'_e;
Step6:
If U receives an authentication failure notification, it records the failure information and the procedure terminates; otherwise U receives [TID_u, H(R'||P')] and verifies whether H(R'||P') is consistent with H(R||P); if consistent, the j-th network access authentication of U succeeds, otherwise authentication fails and the procedure terminates;
(4) Update authentication
In the update authentication process, Step1 to Step4 are identical to mobile authentication; the main difference is that a new shared key and a new temporary identity are generated for subsequent network access authentication; the update authentication process is:
Step1:
First the satellite sends an authentication request to the mobile user; after receiving the request, user U calculates
and then returns the calculation result and the value TID_u to the satellite; after receiving the information from user U, the satellite adds the ID_sat information and forwards the corresponding information to gateway station G;
Step2:
Gateway station G receives the information and first checks whether ID_sat is legal; if it is legal, G searches for the information of user U; if the information of user U is found, go to Step5; otherwise gateway station G sends (ID_g, TID_u) to NCC over a secure channel;
Step3:
After receiving the information, NCC first looks up the information of user U by TID_u; if the user information is not found, NCC returns the authentication failure notification "unregistered user" to G; otherwise NCC checks the value of the S_u field: if S_u is FALSE, NCC returns the authentication failure notification "forbidden user" to G, notifies the registration gateway station G' to delete the user information, and authentication fails; if S_u is TRUE, NCC queries the registration gateway station G' for the user information of U over a secure channel, and the user information is transferred from the registration gateway station G' to gateway station G;
Step4:
If G receives the authentication failure notification returned by NCC, it forwards this notification to the satellite and U, and the procedure terminates; otherwise G receives and stores the user information of U;
Step5:
G sends information to NCC
Step6:
After receiving the information, NCC calculates R' and P'; if H(P') and H_2(K_a || ID_u || TID_u) are inconsistent, NCC sends the authentication failure notification "authentication failed" to G;
Otherwise NCC randomly generates a new temporary identity TID'_u and calculates the new authentication key and encryption key; then NCC sends to G
and updates the TID_u field of the user information to TID'_u;
Step7:
If G receives the authentication failure notification returned by NCC, it forwards this notification to U via the satellite and the procedure terminates; otherwise, after receiving the message, G sends [TID_u, TID'_u, H(R'||P'||TID'_u)] to U, updates the information of user U and saves the encryption key K'_e;
Step8:
If U receives an authentication failure notification, the procedure terminates;
Otherwise, after receiving the message, U calculates H(R||P||TID'_u) and compares it with the received H(R'||P'||TID'_u); if inconsistent, authentication fails and the procedure terminates; otherwise authentication succeeds, and U calculates the new authentication key and encryption key and updates its user information;
After update authentication succeeds, user U and gateway G share the encryption key K_e = K'_e, which can be used to encrypt and protect the data transmitted subsequently.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410285979.1A CN104038937A (en) | 2014-06-24 | 2014-06-24 | Network access authentication method applicable to satellite mobile communication network |
Publications (1)
Publication Number | Publication Date |
---|---|
CN104038937A true CN104038937A (en) | 2014-09-10 |
Family
ID=51469495
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410285979.1A Pending CN104038937A (en) | 2014-06-24 | 2014-06-24 | Network access authentication method applicable to satellite mobile communication network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104038937A (en) |
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105827304A (en) * | 2016-03-21 | 2016-08-03 | 南京邮电大学 | Gateway station-based satellite network anonymous authentication method |
CN106850674A (en) * | 2016-12-02 | 2017-06-13 | 中国电子科技集团公司第三十研究所 | A kind of satellite in orbit identity identifying method |
CN107204847A (en) * | 2017-06-20 | 2017-09-26 | 西安电子科技大学 | Empty overhead traveling crane ground track dedicated network access authentication and key agreement protocol and method |
CN108282779A (en) * | 2018-01-24 | 2018-07-13 | 中国科学技术大学 | Incorporate Information Network low time delay anonymous access authentication method |
CN109150290A (en) * | 2018-10-23 | 2019-01-04 | 中国科学院信息工程研究所 | A kind of satellite lightweight data transmission protection and ground safety service system |
CN111431586A (en) * | 2020-04-17 | 2020-07-17 | 中国电子科技集团公司第三十八研究所 | Satellite network safety communication method |
CN112087750A (en) * | 2020-08-05 | 2020-12-15 | 西安电子科技大学 | Access and switching authentication method and system under satellite network intermittent communication scene |
CN112564775A (en) * | 2020-12-18 | 2021-03-26 | 江苏省未来网络创新研究院 | Spatial information network access control system and authentication method based on block chain |
CN112615721A (en) * | 2020-12-18 | 2021-04-06 | 江苏省未来网络创新研究院 | Access authentication and authority management control flow method of spatial information network based on block chain |
CN112968765A (en) * | 2020-12-18 | 2021-06-15 | 江苏省未来网络创新研究院 | Parameter initialization registration process method of spatial information network based on block chain |
CN114584975A (en) * | 2022-02-23 | 2022-06-03 | 重庆邮电大学 | Anti-quantum satellite network access authentication method based on SDN |
WO2022135382A1 (en) * | 2020-12-26 | 2022-06-30 | 西安西电捷通无线网络通信股份有限公司 | Identity authentication method and apparatus |
CN115460595A (en) * | 2022-11-11 | 2022-12-09 | 北京数盾信息科技有限公司 | Data transmission method based on satellite network, central gateway station and system |
CN116249226A (en) * | 2022-12-23 | 2023-06-09 | 中国电信股份有限公司卫星通信分公司 | Method and device for accessing terminal to network and communication system |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020138757A1 (en) * | 2001-03-23 | 2002-09-26 | Motorola, Inc. | Method for securely distributing software components on a computer network |
CN101977073A (en) * | 2010-10-28 | 2011-02-16 | 中国华录集团有限公司 | Bidirectional authentication system for satellite receiving terminal and receiving antenna |
CN103259655A (en) * | 2012-05-07 | 2013-08-21 | 中国交通通信信息中心 | User management system based on satellite communication service |
Non-Patent Citations (2)
Title |
---|
G.ZHENG ET AL: "Design and logical analysis on the access authentication scheme for satellite mobile communication networks", 《IET INFORMATION SECURITY》 * |
张小亮 et al.: "An end-to-end authentication protocol applicable to satellite communication networks", 《计算机研究与发展》 (Journal of Computer Research and Development) * |
Cited By (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105827304A (en) * | 2016-03-21 | 2016-08-03 | 南京邮电大学 | Gateway station-based satellite network anonymous authentication method |
CN105827304B (en) * | 2016-03-21 | 2018-11-09 | 南京邮电大学 | Satellite network anonymous authentication method based on gateway station |
CN106850674A (en) * | 2016-12-02 | 2017-06-13 | 中国电子科技集团公司第三十研究所 | A kind of satellite in orbit identity identifying method |
CN106850674B (en) * | 2016-12-02 | 2019-07-16 | 中国电子科技集团公司第三十研究所 | A kind of satellite in orbit identity identifying method |
CN107204847A (en) * | 2017-06-20 | 2017-09-26 | 西安电子科技大学 | Empty overhead traveling crane ground track dedicated network access authentication and key agreement protocol and method |
CN108282779A (en) * | 2018-01-24 | 2018-07-13 | 中国科学技术大学 | Incorporate Information Network low time delay anonymous access authentication method |
CN108282779B (en) * | 2018-01-24 | 2020-05-12 | 中国科学技术大学 | Space-ground integrated space information network low-delay anonymous access authentication method |
CN109150290A (en) * | 2018-10-23 | 2019-01-04 | 中国科学院信息工程研究所 | A kind of satellite lightweight data transmission protection and ground safety service system |
CN109150290B (en) * | 2018-10-23 | 2020-09-15 | 中国科学院信息工程研究所 | Satellite lightweight data transmission protection method and ground safety service system |
CN111431586A (en) * | 2020-04-17 | 2020-07-17 | 中国电子科技集团公司第三十八研究所 | Satellite network safety communication method |
CN112087750A (en) * | 2020-08-05 | 2020-12-15 | 西安电子科技大学 | Access and switching authentication method and system under satellite network intermittent communication scene |
CN112564775A (en) * | 2020-12-18 | 2021-03-26 | 江苏省未来网络创新研究院 | Spatial information network access control system and authentication method based on block chain |
CN112615721A (en) * | 2020-12-18 | 2021-04-06 | 江苏省未来网络创新研究院 | Access authentication and authority management control flow method of spatial information network based on block chain |
CN112968765A (en) * | 2020-12-18 | 2021-06-15 | 江苏省未来网络创新研究院 | Parameter initialization registration process method of spatial information network based on block chain |
CN112968765B (en) * | 2020-12-18 | 2022-07-22 | 江苏省未来网络创新研究院 | Parameter initialization registration process method of spatial information network based on block chain |
WO2022135382A1 (en) * | 2020-12-26 | 2022-06-30 | 西安西电捷通无线网络通信股份有限公司 | Identity authentication method and apparatus |
CN114584975A (en) * | 2022-02-23 | 2022-06-03 | 重庆邮电大学 | Anti-quantum satellite network access authentication method based on SDN |
CN114584975B (en) * | 2022-02-23 | 2023-09-15 | 重庆邮电大学 | SDN-based anti-quantum satellite network access authentication method |
CN115460595A (en) * | 2022-11-11 | 2022-12-09 | 北京数盾信息科技有限公司 | Data transmission method based on satellite network, central gateway station and system |
CN115460595B (en) * | 2022-11-11 | 2023-03-24 | 北京数盾信息科技有限公司 | Data transmission method based on satellite network, central gateway station and system |
CN116249226A (en) * | 2022-12-23 | 2023-06-09 | 中国电信股份有限公司卫星通信分公司 | Method and device for accessing terminal to network and communication system |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104038937A (en) | Network access authentication method applicable to satellite mobile communication network | |
US10638321B2 (en) | Wireless network connection method and apparatus, and storage medium | |
Jan et al. | Design and analysis of lightweight authentication protocol for securing IoD | |
Chaudhry et al. | A lightweight authentication scheme for 6G-IoT enabled maritime transport system | |
CN109547213B (en) | Inter-satellite networking authentication system and method suitable for low-earth-orbit satellite network | |
CN111314056B (en) | Heaven and earth integrated network anonymous access authentication method based on identity encryption system | |
CN109327313A (en) | A kind of Bidirectional identity authentication method with secret protection characteristic, server | |
CN111935714B (en) | Identity authentication method in mobile edge computing network | |
CN102685749B (en) | Wireless safety authentication method orienting to mobile terminal | |
CN101094065B (en) | Method and system for distributing cipher key in wireless communication network | |
CN108282779B (en) | Space-ground integrated space information network low-delay anonymous access authentication method | |
CN102594555A (en) | Security protection method for data, entity on network side and communication terminal | |
CN104660605A (en) | Multi-factor identity authentication method and system | |
CN112564775B (en) | Spatial information network access control system and authentication method based on block chain | |
CN109688583B (en) | Data encryption method in satellite-ground communication system | |
Shashidhara et al. | A robust user authentication protocol with privacy-preserving for roaming service in mobility environments | |
CN107612949B (en) | Wireless intelligent terminal access authentication method and system based on radio frequency fingerprint | |
CN113572765B (en) | Lightweight identity authentication key negotiation method for resource-limited terminal | |
CN104065485A (en) | Power grid dispatching mobile platform safety guaranteeing and controlling method | |
CN103906052A (en) | Mobile terminal authentication method, service access method and equipment | |
Liu et al. | A secure and efficient authentication protocol for satellite-terrestrial networks | |
CN114466318B (en) | Method, system and equipment for realizing multicast service effective authentication and key distribution protocol | |
Kumar et al. | Blockchain-enabled secure communication for unmanned aerial vehicle (UAV) networks | |
Saxena et al. | BVPSMS: A batch verification protocol for end-to-end secure SMS for mobile users | |
CN110572392A (en) | Identity authentication method based on HyperLegger network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20140910 |