CN104038937A - Network access authentication method applicable to satellite mobile communication network - Google Patents


Info

Publication number
CN104038937A
Authority
CN
China
Prior art keywords
user
ncc
authentication
information
tid
Prior art date
Legal status
Pending
Application number
CN201410285979.1A
Other languages
Chinese (zh)
Inventor
马恒太
刘小霞
朱登科
吴晓慧
张楠
Current Assignee
Institute of Software of CAS
Original Assignee
Institute of Software of CAS
Priority date
Filing date
Publication date
Application filed by Institute of Software of CAS
Priority to CN201410285979.1A
Publication of CN104038937A
Legal status: Pending

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a network access authentication method applicable to a satellite mobile communication network. The method comprises four steps: user registration, user management, mobile authentication and update of authentication. An effective network access authentication protocol is of great importance for the security of the satellite mobile communication network. The method is characterized in that the authentication role of the gateway station is emphasized and the authentication calculation load of the NCC (Network Control Center) is reduced; common attacks such as masquerading, tampering and replay by any party can be resisted, and integrity protection of the transmitted data is realized at the same time, so the security of the satellite mobile communication network is greatly improved.

Description

A network access authentication method applicable to a satellite mobile communication network
Technical field
The present invention relates to a network access authentication method applicable to a satellite mobile communication network, and belongs to the field of satellite network security authentication techniques.
Background technology
With the development of communication technology, mobile satellite communication networks are receiving more and more attention. They offer the following advantages: direct access, connectivity between remote ground networks, Internet service, multimedia applications and high-rate data transmission. A typical satellite mobile communication network consists of satellites, gateway stations, mobile users, a network control center (NCC) and a satellite control center (SCC), as shown in Figure 1.
The space segment of the satellite mobile communication network consists of one or more satellite constellations and provides the connection between mobile users and gateway stations. Gateway stations are part of the satellite mobile communication network, are distributed around the world, and are mainly responsible for call processing, switching and interfacing with terrestrial communication networks; mobile users connect to a gateway station via satellite. The NCC is connected to the customer information control system to coordinate access to satellite resources, performs the logical functions of network management and control, and can communicate with the gateway stations over the network. The SCC monitors the performance of the satellite constellation and controls the positions of the satellites in orbit. Satellite mobile communication has developed remarkably in recent years, with systems such as the Inmarsat GEO system, the Cospas-Sarsat LEO and GEO systems, Globalstar, Iridium and Orbcomm. These systems provide voice, broadcast, broadband and Internet services.
Although satellite mobile communication networks show great advantages, they still face security challenges. Because of the broadcast nature of satellite radio, a satellite network is more easily eavesdropped on by unauthorized users than a fixed or terrestrial mobile network. To ensure the security of users in the satellite network, an efficient access authentication scheme is essential. Cruickshank proposed an authentication system for satellite networks that guarantees mutual authentication between the mobile user and the satellite network and encrypts data with a session key, using a public-key cryptosystem; however, the encryption and decryption operations involved are quite complex. Hwang et al. proposed a mobile user identity verification and data encryption scheme for mobile satellite communication systems that does not use public-key cryptography, but the shared key must be updated each time the mobile user authenticates. Chang et al. proposed a mutual authentication protocol for mobile satellite communication systems that uses hash functions and XOR operations and does not require the NCC to select a new key and temporary identity for the user in every authentication session, which improves efficiency; but because the NCC participates in every access authentication session of every mobile user, it still carries a considerable computational load. A deeper analysis of the Hwang and Chang schemes shows that the NCC is the bottleneck of network security: since the NCC must verify the mobile users and take part in every one of their sessions, it becomes a potential weak point of the satellite mobile communication network. If the NCC authentication server is attacked, the network tends to become unusable. A more reasonable network access authentication scheme is therefore essential, one that reduces the computational load of the NCC and improves authentication efficiency.
In a satellite mobile communication network, the gateway stations handle the communication between the NCC and the satellites. They also connect to terrestrial communication networks to provide diversified communication services. When integrated with a terrestrial network, a gateway station provides the functions of the base station controller (BSC) and the mobile switching center (MSC). When a user accesses the communication network, the BSC and MSC are important authentication components. In terrestrial mobile communication networks such as the Global System for Mobile Communications (GSM), the General Packet Radio Service (GPRS) and 3G cellular networks, authentication is an essential part that ensures no unauthorized user can fraudulently obtain service from the wireless network.
Summary of the invention
The technical problem solved by the present invention is to overcome the deficiencies of the prior art by providing a network access authentication method applicable to a satellite mobile communication network that reduces the computational load of the NCC, can resist attacks against the NCC, and at the same time provides integrity protection for the transmitted data, greatly strengthening the security of the satellite mobile communication network.
The technical solution of the present invention is a network access authentication method applicable to a satellite mobile communication network, comprising four steps: user registration, user management, mobile authentication and update authentication.
(1) User registration
Before using the network, user U must first register with the network control center NCC, which allocates the user's information. The information NCC allocates to a new user U comprises: the user's permanent identity ID_U; the authentication key K_A shared between the user and NCC, together with the maximum number of times N_U that K_A may be used (K_A is generated by NCC at registration and updated at each update authentication); the user's temporary identity TID_U, generated by NCC at registration and updated at each update authentication; the flag S_U, which indicates whether NCC provides network access authentication service to mobile user U (S_U is TRUE if NCC allows the service for user U, otherwise FALSE); and the user authentication counter m, which records the number of times user U has authenticated in the satellite mobile communication network. After registration, user U, the gateway station G and NCC each keep a set of private information related to user U's network access authentication.
(2) User management
If NCC finds or suspects that user U is no longer trustworthy (for example, its user information has been leaked), it can disable the user. If user U finds that it has been disabled, it can apply to NCC to be re-enabled, and NCC will regenerate its authentication information. If the information of user U is no longer needed, the user can be deleted.
(3) Mobile authentication
A mobile user that needs to access the satellite mobile communication network and communicate with other users must complete mobile authentication. After the user passes mobile authentication, gateway station G trusts the user, and user U and gateway station G share an encryption key K_E = K'_E, where K_E and K'_E are the user-side and gateway-side keys respectively; this key can be used to encrypt and protect the data transmitted afterwards.
The mobile authentication flow is as follows:
Step1:
The satellite first sends an authentication request to the mobile user. On receiving the request, user U computes the authentication values (the expression is not reproduced in this text), where R is a random number and H() is a collision-resistant one-way hash function, then returns the result and the value TID_U to the satellite. After receiving the message from user U, the satellite appends ID_sat, the identity number of the current satellite, and forwards the message to gateway station G; || denotes the concatenation operation.
Step2:
On receiving the message, gateway station G first checks whether ID_sat is legitimate. If so, it looks up user U's information; if the information is found, go to Step5. Otherwise G sends (ID_G, TID_U) to NCC over a secure channel, where ID_G is the identity number of the gateway station G that the user is accessing.
Step3:
On receiving the message, NCC first looks up user U's information by TID_U. If no user information is found, it returns an "unregistered user" authentication failure notification to G. Otherwise NCC checks the S_U field: if S_U is FALSE, it returns a "disabled user" authentication failure notification to G, notifies the registration gateway station G' to delete the user information, and authentication fails; if S_U is TRUE, NCC requests U's user information from the registration gateway station G' over a secure channel and transfers it from G' to gateway station G.
Step4:
If G receives an authentication failure notification from NCC, it forwards the notification to the satellite and U and stops. Otherwise G receives and stores U's user information.
Step5:
Gateway station G computes $R' = H^{N_U+1-(j-1)}(K_A \| ID_U \| TID_U) \oplus (H(P) \oplus R)$ and P' (its expression is not reproduced at this point in the text). If H(P') is inconsistent with the hash value stored for U, G sends an "authentication failed" notification to U and stops; otherwise G sends [TID_U, H(R'||P')] to U, updates U's user information and computes the key K'_E.
Step6:
If U receives an authentication failure notification, it records the failure and terminates the procedure. Otherwise U receives [TID_U, H(R'||P')] and verifies whether H(R'||P') is consistent with H(R||P). If consistent, the j-th network access authentication of U succeeds; otherwise authentication fails and the procedure terminates.
(4) Update authentication
In the update authentication process, Step1 to Step4 are identical to mobile authentication; the main difference is that a new shared key and temporary identity are generated for subsequent network access authentication. The update authentication process is:
Step1:
The satellite first sends an authentication request to the mobile user. On receiving the request, user U computes the authentication values (the expression is not reproduced in this text) and returns the result and the value TID_U to the satellite. After receiving the message from user U, the satellite appends ID_sat and forwards the message to gateway station G.
Step2:
On receiving the message, gateway station G first checks whether ID_sat is legitimate. If so, it looks up user U's information; if the information is found, go to Step5. Otherwise G sends (ID_G, TID_U) to NCC over a secure channel.
Step3:
On receiving the message, NCC first looks up user U's information by TID_U. If no user information is found, it returns an "unregistered user" authentication failure notification to G. Otherwise NCC checks the S_U field: if S_U is FALSE, it returns a "disabled user" authentication failure notification to G, notifies the registration gateway station G' to delete the user information, and authentication fails; if S_U is TRUE, NCC requests U's user information from the registration gateway station G' over a secure channel and transfers it from G' to gateway station G.
Step4:
If G receives an authentication failure notification from NCC, it forwards the notification to the satellite and U and terminates the procedure. Otherwise G receives and stores U's user information.
Step5:
G forwards the message to NCC.
Step6:
After receiving the message, NCC computes R' and P'. If H(P') is inconsistent with H^2(K_A||ID_U||TID_U), NCC sends an "authentication failed" notification to G;
Otherwise NCC randomly generates a new temporary identity TID'_U, computes a new authentication key and encryption key, sends them to G, and updates the TID_U field of the user information to TID'_U.
Step7:
If G receives an authentication failure notification from NCC, it forwards the notification to U via the satellite and terminates the procedure. Otherwise, after receiving the message, G sends [TID_U, TID'_U, H(R'||P'||TID'_U)] to U, updates user U's information and stores the encryption key K'_E.
Step8:
If U receives an authentication failure notification, it terminates the procedure.
Otherwise, after receiving the message, U computes H(R||P||TID'_U) and compares it with the received H(R'||P'||TID'_U); if inconsistent, authentication fails and the procedure terminates. Otherwise authentication succeeds: U computes the new authentication key and encryption key and updates its user information.
After update authentication completes successfully, user U and gateway G share the encryption key K_E = K'_E, which can be used to encrypt and protect the data transmitted afterwards.
Compared with the prior art, the advantages of the present invention are as follows. The method is based mainly on hash functions and XOR operations, so its computational cost is small and it can be used on devices with weak computing capability such as handheld devices. The invention also draws on the authentication schemes of terrestrial mobile communication networks: the authentication process runs mainly between the user terminal and the gateway station, while the NCC participates in the authentication process only as required. The whole network access authentication process is carried out jointly by the user terminal, the satellite, the gateway station and the network control center. The beneficial effects of the invention are therefore a reduced authentication computation load on the NCC, resistance to common attacks such as masquerading, tampering and replay by any party, and integrity protection of the transmitted data, which greatly strengthens the security of the satellite mobile communication network.
Brief description of the drawings
Fig. 1 is a structure diagram of the satellite mobile communication network of the method of the invention;
Fig. 2 is a schematic diagram of the steps of the method of the invention;
Fig. 3 is the mobile authentication flow chart of the satellite mobile communication network of the method of the invention;
Fig. 4 is the update authentication flow chart of the satellite mobile communication network of the method of the invention.
Embodiment
Inspired by terrestrial mobile communication networks, the present invention introduces the gateway station as an authentication component and thereby proposes an effective authentication scheme. The proposed scheme comprises four stages: the mobile user registration stage, the mobile user management stage, the mobile authentication stage and the update authentication stage. In this scheme only hash functions and XOR operations are used. Hash functions are increasingly easy for mobile user terminals to compute and are becoming increasingly popular in network security applications; for mobile and embedded platforms, for example, the SHA-512 algorithm can reach a throughput of 1.8 Gbps on an FPGA device. The access authentication scheme proposed by the present invention is carried out jointly by the mobile user, the gateway station and the NCC, so the computational load of the NCC is reduced and attacks against the NCC can also be resisted.
As shown in Figure 2, the mobile user network access authentication method designed by the present invention consists mainly of four steps: user registration, user management, mobile authentication and update authentication. The concrete embodiment of each step is as follows:
(1) User registration
Before using the network, user U must first register with NCC, which allocates its user information. The information NCC allocates to a new user U comprises: the user's permanent identity ID_U; the authentication key K_A shared between the user and NCC, together with the maximum number of times N_U that K_A may be used (K_A is generated by NCC at registration and updated at each update authentication); the user's temporary identity TID_U, generated by NCC at registration and updated at each update authentication; the flag S_U, which indicates whether NCC provides network access authentication service to mobile user U (S_U is TRUE if NCC allows the service for user U, otherwise FALSE); and the user authentication counter m, which records the number of times user U has authenticated in the satellite mobile communication network. After registration, m is set to 0, user U holds the private information (ID_U, N_U, TID_U, K_A, N_U-m), and NCC holds the information (ID_U, S_U, N_U, TID_U, ID_sat, K_A, ID_G, N_U-m) related to U, where ID_sat is the identity number of the current satellite and ID_G is the identity number of the gateway station G that the user can access. At the same time gateway station G stores its record for U (the expression is not reproduced in this text), where H() denotes a collision-resistant one-way hash function and || denotes the concatenation operation.
(2) User management
As described above, NCC coordinates access to satellite resources and performs network management and control. If NCC finds or suspects that user U is no longer trustworthy, it can disable the user: it sets the S_U field of the stored user information (ID_U, S_U, N_U, TID_U, ID_sat, K_A, ID_G) of U to FALSE and notifies gateway station G to delete U's user information.
If user U finds that it has been disabled by NCC, it can apply to NCC to be re-enabled and regain authentication service. If the application is approved, NCC resets the S_U field of the user information to TRUE, allocates the user a new temporary identity TID'_U and authentication key K'_A, updates the private information held by user U to (ID_U, S_U, N_U, TID'_U, ID_sat, K'_A, ID_G, N_U-m), and inserts the user's new record in gateway station G (the expression is not reproduced in this text), with m set to 0.
If user U is illegitimate or has been removed, NCC can delete its user information (ID_U, S_U, N_U, TID_U, ID_sat, K_A, ID_G, N_U-m), and the user information of U stored at gateway station G is deleted at the same time, where m is the number of times user U has authenticated in the satellite mobile network.
(3) Mobile authentication
A mobile user that needs to access the satellite mobile communication network and communicate with other users must complete mobile authentication.
When user U performs its j-th network access authentication (j < N_U), U holds the information (ID_U, N_U, TID_U, K_A, N_U-(j-1)), gateway station G holds its record for U (the expression is not reproduced in this text), and NCC holds the user information (ID_U, S_U, N_U, TID_U, ID_sat, K_A, ID_G, N_U-(j-1)). The mobile authentication process is shown in Figure 3.
The detailed process is as follows:
Step1:
The satellite (for example a LEO satellite) first sends an authentication request to the mobile user. On receiving the request, user U selects a random number R and computes the authentication values (the expression is not reproduced in this text). U then sends the result and the value TID_U to the LEO satellite. After receiving the message from U, the LEO satellite appends ID_sat and forwards the message to gateway station G.
Step2:
As soon as gateway station G receives the message, it first checks whether ID_sat is legitimate. If so, it looks up U's user information by TID_U; if the information is found, go to Step5. Otherwise G sends (ID_G, TID_U) to NCC over a secure channel.
Step3:
NCC receives (ID_G, TID_U) and first looks up user U's information [ID_U, S_U, N_U, TID_U, ID_sat, K_A, ID_G', N_U-(j-1)] by TID_U, where G' is the registration gateway station of user U. If no user information is found, it returns an "unregistered user" authentication failure notification to G. Otherwise NCC checks the S_U field: if S_U is FALSE, it returns a "disabled user" authentication failure notification to G, notifies the registration gateway station G' to delete the user information, and authentication fails; if S_U is TRUE, NCC requests U's user information from the registration gateway station G' over a secure channel, transfers it from G' to gateway station G over a secure channel, and at the same time updates the gateway station ID field of the user information to ID_G.
Step4:
If G receives an authentication failure notification from NCC, it forwards the notification to the satellite and U and terminates the protocol. Otherwise G receives and stores U's user information.
Step5:
Gateway station G computes $R' = H^{N_U+1-(j-1)}(K_A \| ID_U \| TID_U) \oplus (H(P) \oplus R)$ and P' (its expression is not reproduced at this point in the text). If H(P') is inconsistent with the hash value stored for U, G sends an "authentication failed" notification to U and terminates the procedure; otherwise G sends [TID_U, H(R'||P')] to U, updates U's user information to (TID_U, N_U-j, P'), and computes the key K'_E = f_E((N_U-(j-1)) || P' || R'), where f_E is the session key derivation function.
Step6:
If U receives an authentication failure notification, it records the failure and terminates the procedure. Otherwise U receives [TID_U, H(R'||P')] and verifies whether H(R'||P') is consistent with H(R||P). If consistent, the j-th network access authentication of U succeeds; U updates its user information to (ID_U, N_U, TID_U, K_A, N_U-j) and computes K_E = f_E((N_U-(j-1)) || P || R). Otherwise authentication fails and the protocol terminates.
After mobile authentication completes successfully, gateway station G trusts the authenticated user. User U and gateway G share the encryption key K_E = K'_E, which can be used to encrypt and protect the data transmitted afterwards.
(4) upgrade certification
U carries out N uwhen inferior certification, U has information (ID u, N u, TID u, K a, 1), G has information [TID u, 1, H 2(K a|| ID u|| TID u)], NCC has information (ID u, S u, N u, TID u, ID sat, K a, ID g, 1).Upgrade verification process as shown in Figure 4.
Upgrade in verification process, Step1 to Step4 process is identical with mobile authentication agreement, and maximum not being both generates a new shared key and temporary identity authenticates for networking subsequently.Details are as follows to upgrade verification process:
Step1:
First satellite sends authentication request to mobile subscriber as LEO, and user U receives after request, selects a random number R, and calculates wherein then, U sends result of calculation and TID to LEO uvalue.LEO receives the information from U after, add ID satinformation sends to gateway station G corresponding information again
Step2:
On receiving the information, gateway station G first checks whether $ID_{sat}$ is legitimate; if it is, G looks up U's user information by $TID_U$. If U's user information is found, go to Step 5; otherwise G sends $(ID_G, TID_U)$ to NCC over a secure channel.
Step3:
NCC receives $(ID_G, TID_U)$ and first looks up, by $TID_U$, the information of user U, $[ID_U, S_U, N_U, TID_U, ID_{sat}, K_A, ID_{G'}, N_U-(j-1)]$, where G' is the registration gateway station of user U. If no user information is found, NCC returns the authentication failure notification "nonregistered user" to G. Otherwise NCC checks the $S_U$ field: if $S_U$ is FALSE, NCC returns the authentication failure notification "forbidden user" to G, notifies registration gateway station G' to delete the user information, and authentication fails; if $S_U$ is TRUE, NCC queries registration gateway station G' for U's user information over a secure channel, transfers the user information from G' to gateway station G over a secure channel, and updates the gateway station ID field of the user information to $ID_G$.
Step4:
If G receives an authentication failure notification from NCC, it forwards the notification to the satellite and to U, and the protocol terminates. Otherwise G receives U's user information and stores it.
Step5:
G sends the authentication information to NCC.
Step6:
NCC receives the information and computes $R' = H^2(K_A \| ID_U \| TID_U) \oplus (H(P) \oplus R)$ and $P' = H(R') \oplus (P \oplus H(R))$. If $H(P')$ is inconsistent with $H^2(K_A \| ID_U \| TID_U)$, NCC sends the authentication failure notification "authentication failed" to G.
Otherwise NCC randomly generates a new temporary identity $TID'_U$ and computes the new authentication key $K'_A = f_a(TID'_U \| P' \| R')$ and encryption key $K'_e = f_e(K'_A \| TID'_U \| P' \| R')$, where $f_a$ and $f_e$ are the authentication key and encryption key derivation functions. NCC then sends the result to G and updates the $TID_U$ field of the user information to $TID'_U$.
Step7:
If G receives an authentication failure notification from NCC, it forwards the notification to U via the satellite and the procedure terminates. Otherwise G receives NCC's reply, sends $[TID_U, TID'_U, H(R' \| P' \| TID'_U)]$ to U, updates U's user information, and stores the encryption key $K'_e$.
Step8:
If U receives an authentication failure notification, the procedure terminates.
Otherwise U receives $[TID_U, TID'_U, H(R' \| P' \| TID'_U)]$, computes $H(R \| P \| TID'_U)$ and compares it with the received $H(R' \| P' \| TID'_U)$. If they differ, authentication fails and the protocol terminates; otherwise authentication succeeds, and U computes the new authentication key $K''_A = f_a(TID'_U \| P \| R)$ and encryption key $K_e = f_e(K''_A \| TID'_U \| P \| R)$, and updates its user information to $(ID_U, N_U, TID'_U, K''_A, N_U)$.
After update authentication succeeds, user U and gateway G share the encryption key $K_e = K'_e$, which can be used to protect the data transmitted subsequently.
The method proposed by the present invention has been further analysed for security in the concrete implementation:
The proposed mobile authentication method achieves mutual identity authentication between the user terminal and the gateway station, and can resist impersonation attacks by either party. The proposed protocol uses an XOR-based mechanism to protect the integrity of the transmitted data, and can resist tampering attacks. The proposed protocol updates the authentication information of the user and of the gateway station after every authentication run, and can therefore also resist replay attacks.
When implementing the present invention, the packet format of mobile authentication can be made identical to that of update authentication, which further increases the difficulty of attack. This can be achieved by adding a dummy $TID'_U$ to the packet returned in mobile authentication.
For the maximum number of authentications $N_U$ there are three options: (1) use one fixed value for all users; (2) use a fixed value per user, where different users may have different values, which is the option adopted by this protocol; (3) allow $N_U$ to be set dynamically, which is more flexible but makes the protocol more complex. With option (2), the option adopted by the present invention, choosing the value of $N_U$ requires considering two factors: first, the computing capability of the user terminal, namely whether it can afford $N_U$ hash computations; second, user security: a user who is easily exposed should use a smaller $N_U$, so that keys are changed more quickly and the chance of a successful attack is reduced. If $N_U$ is set to 1, one-time use of the authentication key is achieved.
The above embodiments are provided only to illustrate the purpose of the present invention and are not intended to limit its scope. The scope of the present invention is defined by the following claims. Any equivalent substitutions and modifications made without departing from the spirit and principles of the present invention shall fall within its scope.

Claims (1)

1. A network access authentication method applicable to a satellite mobile communication network, characterized in that it comprises four steps: user registration, user management, mobile authentication and update authentication;
(1) User registration process
Before using the network, user U must first register with the network control center NCC, which allocates user information to U. The information NCC allocates to a new user U comprises: the user's permanent identity $ID_U$; the authentication key $K_A$ shared between the user and NCC, together with the maximum number of times $N_U$ that $K_A$ may be used, where $K_A$ is generated by NCC at registration and updated at each update authentication; the user's temporary identity $TID_U$, generated by NCC at registration and updated at each update authentication; $S_U$, which indicates whether NCC provides network access authentication service to mobile user U: if NCC allows service for user U, the $S_U$ field is TRUE, otherwise the $S_U$ field is FALSE; and a user authentication counter m that records the number of authentications of mobile user U in the satellite mobile communication network. After registration, user U, gateway station G and NCC each keep a set of private information related to U's network access authentication;
(2) User management process
If NCC finds or suspects that user U is no longer trustworthy, it can disable the user; if user U finds that it has been disabled, it can apply to NCC to be re-enabled, and NCC will regenerate its authentication information; if U's information is no longer needed, the user can be deleted;
(3) Mobile authentication
A mobile user who needs to access the satellite mobile communication network and communicate with other users must complete mobile authentication. After the user passes mobile authentication, gateway station G trusts the user, and user U and gateway station G share the encryption key $K_e = K'_e$, where $K_e$ and $K'_e$ are the user-side and gateway-side copies of the key respectively; this key can be used to protect the data transmitted subsequently;
The mobile authentication procedure is as follows:
Step1:
First the satellite sends an authentication request to the mobile user. On receiving the request, user U computes the authentication values, where R is a random number and h() denotes a collision-resistant one-way hash function, then returns the result together with $TID_U$ to the satellite. On receiving the information from user U, the satellite appends $ID_{sat}$, the identity number of the current satellite, and forwards the corresponding information to gateway station G; $\|$ denotes the concatenation operation;
Step2:
On receiving the information, gateway station G first checks whether $ID_{sat}$ is legitimate; if it is, G looks up user U's information. If user U's information is found, go to Step 5; otherwise gateway station G sends $(ID_G, TID_U)$ to NCC over a secure channel, where $ID_G$ is the identity number of the gateway station G accessible to the user;
Step3:
On receiving the information, NCC first looks up user U's information by $TID_U$. If no user information is found, NCC returns the authentication failure notification "nonregistered user" to G. Otherwise NCC checks the $S_U$ field: if $S_U$ is FALSE, NCC returns the authentication failure notification "forbidden user" to G, notifies registration gateway station G' to delete the user information, and authentication fails; if $S_U$ is TRUE, NCC queries registration gateway station G' for U's user information over a secure channel and transfers the user information from G' to gateway station G;
Step4:
If G receives an authentication failure notification from NCC, it forwards the notification to the satellite and to U, and stops; otherwise G receives and stores U's user information;
Step5:
Gateway station G computes $R' = H^{N_U+1-(j-1)}(K_A \| ID_U \| TID_U) \oplus (H(P) \oplus R)$ and the corresponding $P'$. If $H(P')$ is inconsistent with the hash value G holds for U, G sends the authentication failure notification "authentication failed" to U and stops; otherwise G sends $[TID_U, H(R' \| P')]$ to U, updates U's user information and computes the key $K'_e$;
Step6:
If U receives an authentication failure notification, it records the failure information and the procedure terminates; otherwise U receives $[TID_U, H(R' \| P')]$ and checks whether $H(R' \| P')$ equals $H(R \| P)$. If they match, U's j-th network access authentication succeeds; otherwise authentication fails and the procedure terminates;
(4) Update authentication
In the update authentication process, Step 1 to Step 4 are identical to mobile authentication; the main difference is that a new shared key and a new temporary identity are generated for subsequent network access authentication. The update authentication process is:
Step1:
First the satellite sends an authentication request to the mobile user. On receiving the request, user U computes the authentication values and returns the result together with $TID_U$ to the satellite. On receiving the information from user U, the satellite appends $ID_{sat}$ and forwards the corresponding information to gateway station G;
Step2:
On receiving the information, gateway station G first checks whether $ID_{sat}$ is legitimate; if it is, G looks up user U's information. If user U's information is found, go to Step 5; otherwise gateway station G sends $(ID_G, TID_U)$ to NCC over a secure channel;
Step3:
On receiving the information, NCC first looks up user U's information by $TID_U$. If no user information is found, NCC returns the authentication failure notification "nonregistered user" to G. Otherwise NCC checks the $S_U$ field: if $S_U$ is FALSE, NCC returns the authentication failure notification "forbidden user" to G, notifies registration gateway station G' to delete the user information, and authentication fails; if $S_U$ is TRUE, NCC queries registration gateway station G' for U's user information over a secure channel and transfers the user information from G' to gateway station G;
Step4:
If G receives an authentication failure notification from NCC, it forwards the notification to the satellite and to U, and the procedure terminates; otherwise G receives and stores U's user information;
Step5:
G sends the authentication information to NCC;
Step6:
After receiving the information, NCC computes $R'$ and $P'$. If $H(P')$ is inconsistent with $H^2(K_A \| ID_U \| TID_U)$, NCC sends the authentication failure notification "authentication failed" to G;
Otherwise NCC randomly generates a new temporary identity $TID'_U$ and computes the new authentication key and encryption key; NCC then sends them to G and updates the $TID_U$ field of the user information to $TID'_U$;
Step7:
If G receives an authentication failure notification from NCC, it forwards the notification to U via the satellite and the procedure terminates; otherwise, after receiving the message, G sends $[TID_U, TID'_U, H(R' \| P' \| TID'_U)]$ to U, updates U's user information and stores the encryption key $K'_e$;
Step8:
If U receives an authentication failure notification, the procedure terminates;
Otherwise, after receiving the message, U computes $H(R \| P \| TID'_U)$ and compares it with the received $H(R' \| P' \| TID'_U)$. If they differ, authentication fails and the procedure terminates; otherwise authentication succeeds, and U computes the new authentication key and encryption key and updates its user information;
After update authentication succeeds, user U and gateway G share the encryption key $K_e = K'_e$, which can be used to protect the data transmitted subsequently.
Application CN201410285979.1A, priority date 2014-06-24, filing date 2014-06-24: Network access authentication method applicable to satellite mobile communication network. Status: Pending. Publication: CN104038937A (en).


Publications (1)

CN104038937A (en), publication date 2014-09-10



Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication (application publication date: 2014-09-10)