CN108347417A - A kind of method for network authorization, user equipment, network authentication node and system - Google Patents
- Publication number: CN108347417A (application CN201710060133.1A)
- Authority: CN (China)
- Prior art keywords: key, user equipment, network authentication, pvt, authentication node
- Legal status: Granted
Classifications
- H04L9/40 — Network security protocols
- H04L63/0876 — Network security architectures or protocols for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/0869 — Network security architectures or protocols for authentication of entities for achieving mutual authentication
- H04L9/08 — Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816 — Key establishment, i.e. cryptographic processes or protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0861 — Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0866 — Generation of secret information involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
Abstract
A network authentication method, user equipment, network authentication node and system. The user equipment sends authentication type indication information, its own ID and its own PVT to the network authentication node, and the network authentication node sends its own ID and PVT to the user equipment. The user equipment generates a user equipment symmetric key from the ID and PVT of the network authentication node together with its identity-based private key and the global public key, and derives a first authentication key and a first key derivation key from that symmetric key. The network authentication node generates a network authentication node symmetric key from the ID and PVT of the user equipment together with its identity-based private key and the global public key, and derives a second authentication key and a second key derivation key from that symmetric key. The network authentication node then carries out EAP-PSK authentication with the user equipment, which allows the IBC public-key technique to fit the existing EAP protocols.
Description
Technical field
This application relates to the field of communication technology, and in particular to a network authentication method, user equipment, network authentication node and system.
Background
Network authentication between a network authentication node and user equipment is one of the indispensable links that keeps a communication network running normally and continuously.
With the rapid development of the mobile Internet, the convergence of the Internet with communication networks and the expansion of operators' network services, more and more devices are connecting to operator-run wireless communication networks. These include not only existing mobile broadband devices such as mobile phones but also Internet of Things (IoT) devices from many vertical industries. The authentication methods of existing mobile communication networks, such as the Evolved Packet System Authentication and Key Agreement (EPS-AKA) method used for network authentication and identity management in Long Term Evolution (LTE), cannot fully meet the access needs of all devices in next generation wireless communication networks such as 5th generation (5G) networks. It is therefore necessary to establish a more open authentication framework and to introduce new authentication methods.
To let next generation wireless communication networks support a greater variety of devices, the security working group (SA3) of the Third Generation Partnership Project (3GPP) standards organization is currently studying the introduction of an open authentication architecture into the 5G network, so that devices can access the network with various kinds of identity and establish trust relationships through a variety of authentication modes. The authentication framework based on the Extensible Authentication Protocol (EAP), developed over many years by the Internet Engineering Task Force (IETF) and widely deployed in Internet systems, has become an open and mature authentication protocol system. 3GPP SA3 therefore plans to introduce the EAP-based authentication framework into next generation wireless communication networks. The EAP authentication framework is specified in RFC 3748 and RFC 5247. It supports a variety of EAP-based authentication protocols, such as EAP Transport Layer Security (EAP-TLS), EAP Tunneled Transport Layer Security (EAP-TTLS) and the EAP pre-shared key method (EAP-PSK).
Besides the open authentication framework and the authentication protocols it supports, 3GPP SA3 is also studying network authentication with different cryptographic techniques, including the traditional Public Key Infrastructure (PKI) authentication technique and the newer Identity Based Cryptography (IBC) authentication technique. PKI-based techniques have been through years of research and protocol design and are supported by a variety of authentication techniques.
IBC authentication techniques provide identity-based encryption and signature methods and belong to the family of public-key techniques. Unlike PKI, when keys are generated with an IBC public-key technique, a common key centre takes the received identity (ID) information of the user equipment, combines it with the key centre's preconfigured global IBC parameters, namely the key centre's global private key and public key, generates the private key corresponding to the user equipment ID, and sends that private key to the user equipment over a secure channel. In other words, in IBC public-key techniques the user equipment ID itself is the public key, so there is no need to carry the public key, signature and other information a certificate must contain; compared with a certificate, it has the advantage of being shorter. At the same time, the receiving side does not need to verify a certificate signature, which is an advantage in computation. Network resource consumption and computation are critical for low-cost IoT devices, so IBC-based public-key techniques suit next generation wireless communication networks better than PKI-based certificates.
However, because authentication based on IBC public-key techniques is still at the development stage, none of the authentication methods supported by EAP supports IBC-based authentication. IBC-based mutual authentication therefore cannot be carried out on the current 3GPP work and the EAP authentication framework it supports, and further design is needed in practice so that IBC public-key techniques can fit the existing EAP protocols.
Summary of the invention
Embodiments of the present application provide a network authentication method, user equipment, network authentication node and system, so that IBC public-key techniques can fit the existing EAP protocols.
In a first aspect, a network authentication system is provided, comprising user equipment and a network authentication node, wherein: the user equipment sends to the network authentication node authentication type indication information, the ID of the user equipment and the PVT of the user equipment, the authentication type indication information indicating that the user equipment needs to carry out identity-based cryptography and Extensible Authentication Protocol pre-shared key (EAP-PSK) authentication. The network authentication node receives the authentication type indication information, the ID information of the user equipment and the PVT of the user equipment sent by the user equipment, and, if it determines from the authentication type indication information that the user equipment needs to carry out identity-based cryptography and EAP-PSK authentication, sends the ID of the network authentication node and the PVT of the network authentication node to the user equipment. The user equipment receives the ID of the network authentication node and the PVT of the network authentication node sent by the network authentication node, generates a user equipment symmetric key from the ID of the network authentication node, the PVT of the network authentication node, the private key based on the user equipment identity and the global public key, generates a first authentication key and a first key derivation key from the user equipment symmetric key, and carries out EAP-PSK authentication with the network authentication node using the first authentication key and the first key derivation key. The network authentication node generates a network authentication node symmetric key from the ID of the user equipment, the PVT of the user equipment, the private key based on the network authentication node identity and the global public key, generates a second authentication key and a second key derivation key from the network authentication node symmetric key, and carries out EAP-PSK authentication with the user equipment using the second authentication key and the second key derivation key.
In the embodiments of the present application, the user equipment generates its symmetric key from the ID and PVT of the network authentication node together with its own IBC identity information, such as its private key and the global public key, and the network authentication node generates its symmetric key from the ID and PVT of the user equipment together with its own IBC identity information, such as its private key and the global public key. By using the symmetric key each side has generated as the pre-shared key, the user equipment and the network authentication node achieve mutual authentication with the EAP-PSK authentication method without changing the interaction or message format of the EAP-PSK authentication protocol. IBC-based mutual authentication is thus carried out on the current 3GPP work and the EAP authentication framework it supports, and IBC public-key techniques fit the existing EAP protocols.
In one possible design, the user equipment generates the first authentication key and the first key derivation key from the user equipment symmetric key as follows. The network authentication node is further configured to send the private key expiry date information of the network authentication node, so that the user equipment can generate the first authentication key and the first key derivation key from the user equipment symmetric key, the private key expiry date information of the user equipment and the private key expiry date information of the network authentication node. The user equipment receives the private key expiry date information of the network authentication node sent by the network authentication node, and generates the first authentication key and the first key derivation key from the private key expiry date information of the user equipment, the private key expiry date information of the network authentication node and the user equipment symmetric key. Alternatively, the user equipment generates the first authentication key and the first key derivation key from at least one of a random number generated by the user equipment and a received random number generated by the network authentication node, together with the user equipment symmetric key.
The network authentication node generates the second authentication key and the second key derivation key from the network authentication node symmetric key as follows. The user equipment is further configured to send the private key expiry date information of the user equipment, so that the network authentication node can generate the second authentication key and the second key derivation key from the network authentication node symmetric key, the private key expiry date information of the network authentication node and the private key expiry date information of the user equipment. The network authentication node receives the private key expiry date information of the user equipment sent by the user equipment, and generates the second authentication key and the second key derivation key from the private key expiry date information of the network authentication node, the private key expiry date information of the user equipment and the network authentication node symmetric key. Alternatively, the network authentication node generates the second authentication key and the second key derivation key from at least one of a random number generated by the network authentication node and a received random number generated by the user equipment, together with the network authentication node symmetric key.
The authentication type indication information may be an authentication request that contains an EAP-PSK flag bit and an indication that the symmetric key is to be generated with identity-based cryptography. Alternatively, the authentication type indication information may be the ID of the user equipment and the PVT of the user equipment.
The user equipment may send the authentication type indication information, the ID of the user equipment and the PVT of the user equipment in an access request message. Alternatively, the user equipment may send the authentication type indication information in an access request message and send the ID of the user equipment and the PVT of the user equipment in the second message of the EAP-PSK authentication protocol.
The user equipment may send the authentication type indication information, the ID of the user equipment, the PVT of the user equipment and the private key expiry date information of the user equipment in an access request message. Alternatively, the user equipment may send the authentication type indication information in an access request message and send the ID of the user equipment, the PVT of the user equipment and the private key expiry date information of the user equipment in the second message of the EAP-PSK authentication protocol.
The network authentication node may send the ID of the network authentication node and the PVT of the network authentication node in the first message of the EAP-PSK authentication protocol.
The network authentication node may send the ID of the network authentication node, the PVT of the network authentication node and the private key expiry date information of the network authentication node in the first message of the EAP-PSK authentication protocol.
In one possible design, the user equipment symmetric key satisfies the formula
K_UE = (SSK_UE)([KPAK + hash(G||KPAK||ID_AUSF||PVT_AUSF)]PVT_AUSF).
The network authentication node symmetric key satisfies the formula
K_AUSF = (SSK_AUSF)([KPAK + hash(G||KPAK||ID_UE||PVT_UE)]PVT_UE).
Here K_UE is the user equipment symmetric key, SSK_UE is the private key of the user equipment, KPAK is the global public key, ID_AUSF is the identifier of the network authentication node, PVT_AUSF is the PVT of the network authentication node, K_AUSF is the network authentication node symmetric key, SSK_AUSF is the private key of the network authentication node, ID_UE is the identifier of the user equipment, PVT_UE is the PVT of the user equipment, G is the generator of the elliptic curve, [x]P denotes scalar multiplication of the point P on the elliptic curve, where x is an integer and P is a point on the elliptic curve, hash() denotes a cryptographic hash function, and || denotes the concatenation operator.
In a second aspect, user equipment is provided, comprising a transmission unit, a receiving unit and an authentication unit, wherein: the transmission unit is configured to send to a network authentication node authentication type indication information, the ID of the user equipment and the PVT of the user equipment, the authentication type indication information indicating that the user equipment needs to carry out identity-based cryptography and Extensible Authentication Protocol pre-shared key (EAP-PSK) authentication; the receiving unit is configured to receive the ID of the network authentication node and the PVT of the network authentication node sent by the network authentication node; and the authentication unit is configured to generate a user equipment symmetric key from the ID of the network authentication node, the PVT of the network authentication node, the private key based on the user equipment identity and the global public key, to generate a first authentication key and a first key derivation key from the user equipment symmetric key, and to carry out EAP-PSK authentication with the network authentication node using the first authentication key and the first key derivation key.
The transmission unit sends the authentication type indication information, the ID of the user equipment and the PVT of the user equipment in an access request message; or it sends the authentication type indication information in an access request message and sends the ID of the user equipment and the PVT of the user equipment in the second message of the EAP-PSK authentication protocol.
In the embodiments of the present application, the user equipment sends the authentication type indication information, the ID of the user equipment and the PVT of the user equipment to the network authentication node, and receives the ID of the network authentication node and the PVT of the network authentication node sent by the network authentication node. It can therefore generate the user equipment symmetric key from the ID and PVT of the network authentication node together with its own IBC identity information, such as its private key and the global public key, use the generated symmetric key as the pre-shared key to generate an authentication key and a key derivation key, and carry out EAP-PSK authentication with the network authentication node using the first authentication key and the first key derivation key. Mutual authentication with the EAP-PSK authentication method is thus achieved without changing the interaction or message format of the EAP-PSK authentication protocol, IBC-based mutual authentication is carried out on the current 3GPP work and the EAP authentication framework it supports, and IBC public-key techniques fit the existing EAP protocols.
In one possible design, the authentication unit generates the first authentication key and the first key derivation key from the user equipment symmetric key as follows: it generates the first authentication key and the first key derivation key from the private key expiry date information of the user equipment, the private key expiry date information of the network authentication node received by the receiving unit and the user equipment symmetric key; or it generates the first authentication key and the first key derivation key from at least one of a random number generated by the user equipment and a received random number generated by the network authentication node, together with the user equipment symmetric key.
In another possible design, the authentication type indication information is an authentication request that contains an EAP-PSK flag bit and an indication that the symmetric key is to be generated with identity-based cryptography; or the authentication type indication information is the ID of the user equipment and the PVT of the user equipment.
In another possible design, the transmission unit is further configured to send the private key expiry date information of the user equipment. The transmission unit sends the authentication type indication information, the ID of the user equipment, the PVT of the user equipment and the private key expiry date information of the user equipment in an access request message; or it sends the authentication type indication information in an access request message and sends the ID of the user equipment, the PVT of the user equipment and the private key expiry date information of the user equipment in the second message of the EAP-PSK authentication protocol.
In another possible design, the user equipment symmetric key satisfies the formula
K_UE = (SSK_UE)([KPAK + hash(G||KPAK||ID_AUSF||PVT_AUSF)]PVT_AUSF).
Here K_UE is the user equipment symmetric key, SSK_UE is the private key of the user equipment, KPAK is the global public key, ID_AUSF is the identifier of the network authentication node, PVT_AUSF is the PVT of the network authentication node, G is the generator of the elliptic curve, [x]P denotes scalar multiplication of the point P on the elliptic curve, where x is an integer and P is a point on the elliptic curve, hash() denotes a cryptographic hash function, and || denotes the concatenation operator.
In a third aspect, a network authentication node is provided, comprising a receiving unit, a transmission unit and an authentication unit, wherein: the receiving unit is configured to receive authentication type indication information, the ID information of user equipment and the PVT of the user equipment sent by the user equipment; the transmission unit is configured, when it is determined from the authentication type indication information that the user equipment needs to carry out identity-based cryptography and EAP-PSK authentication, to send the ID of the network authentication node and the PVT of the network authentication node to the user equipment; and the authentication unit is configured to generate a network authentication node symmetric key from the ID of the user equipment, the PVT of the user equipment, the private key based on the network authentication node identity and the global public key, to generate a second authentication key and a second key derivation key from the network authentication node symmetric key, and to carry out EAP-PSK authentication with the user equipment using the second authentication key and the second key derivation key.
The transmission unit sends the ID of the network authentication node and the PVT of the network authentication node in the first message of the EAP-PSK authentication protocol.
In the embodiments of the present application, the network authentication node receives the authentication type indication information, the ID information of the user equipment and the PVT of the user equipment sent by the user equipment, generates the network authentication node symmetric key from the ID of the user equipment, the PVT of the user equipment, the private key based on the network authentication node identity and the global public key, uses the generated symmetric key as the pre-shared key to generate the second authentication key and the second key derivation key from the network authentication node symmetric key, and carries out EAP-PSK authentication with the user equipment using the second authentication key and the second key derivation key. Mutual authentication with the EAP-PSK authentication method is thus achieved without changing the interaction or message format of the EAP-PSK authentication protocol, IBC-based mutual authentication is carried out on the current 3GPP work and the EAP authentication framework it supports, and IBC public-key techniques fit the existing EAP protocols.
In one possible design, the authentication unit generates the second authentication key and the second key derivation key from the network authentication node symmetric key as follows: it generates the second authentication key and the second key derivation key from the private key expiry date information of the network authentication node, the received private key expiry date information of the user equipment and the network authentication node symmetric key; or it generates the second authentication key and the second key derivation key from at least one of a random number generated by the network authentication node and a received random number generated by the user equipment, together with the network authentication node symmetric key.
In another possible design, the authentication type indication information is an authentication request that contains an EAP-PSK flag bit and an indication that the symmetric key is to be generated with identity-based cryptography; or the authentication type indication information is the ID of the user equipment and the PVT of the user equipment.
In another possible design, the transmission unit is further configured to send the private key expiry date information of the network authentication node. The transmission unit sends the ID of the network authentication node, the PVT of the network authentication node and the private key expiry date information of the network authentication node in the first message of the EAP-PSK authentication protocol.
In another possible design, the network authentication node symmetric key satisfies the formula
K_AUSF = (SSK_AUSF)([KPAK + hash(G||KPAK||ID_UE||PVT_UE)]PVT_UE).
Here K_AUSF is the network authentication node symmetric key, SSK_AUSF is the private key of the network authentication node, KPAK is the global public key, ID_UE is the identifier of the user equipment, PVT_UE is the PVT of the user equipment, G is the generator of the elliptic curve, [x]P denotes scalar multiplication of the point P on the elliptic curve, where x is an integer and P is a point on the elliptic curve, hash() denotes a cryptographic hash function, and || denotes the concatenation operator.
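As an added example (not code from the patent or from any 3GPP or IETF project), the following Python works through one reading of the K_UE and K_AUSF formulas given in the first, second and third aspects above, and of the derivation of the authentication key and key derivation key from the symmetric key and both private key expiry dates described in the possible designs, showing why both sides obtain the same key without any further exchange. Everything not stated on the page is an assumption: the secp256k1 curve, SHA-256 as hash(), the RFC 6507 (ECCSI) key structure in which PVT = [v]G and SSK = hash(G||KPAK||ID||PVT)·v + KSAK mod n, the reading K = [SSK_own](KPAK + [hash]PVT_peer), an HMAC-SHA256 derivation of the two EAP-PSK keys, and all identities, dates and secrets, which are constructed.

```python
# Added example (not the patent's code): IBC symmetric-key agreement in the shape of
# K = [SSK_own](KPAK + [hash(G||KPAK||ID_peer||PVT_peer)]PVT_peer), then EAP-PSK AK/KDK.
import hashlib
import hmac

# secp256k1 domain parameters (assumption: the patent names no curve).
P = 2**256 - 2**32 - 977
A, B = 0, 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity
# Constructed demo secrets: key centre secret KSAK and per-identity values v
# (the RFC 6507 ECCSI structure PVT = [v]G, SSK = hash*v + KSAK is an assumption).
KMS_KSAK = 0x5F3D8A1B9C2E4D7F6A0B1C2D3E4F5061728394A5B6C7D8E9F0A1B2C3D4E5F607
UE_V = 0x1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90A
AUSF_V = 0x2A3B4C5D6E7F80912A3B4C5D6E7F80912A3B4C5D6E7F80912A3B4C5D6E7F8091

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - x * x * x - A * x - B) % P == 0

def add(p1, p2):
    """Affine point addition on the curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """[k]P, the scalar multiplication written [x]P on the page (double-and-add, not constant time)."""
    result, addend = INF, pt
    k %= N
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def enc(pt):
    """Uncompressed point encoding used as hash input."""
    return b"\x04" + pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def hs(kpak, identity, pvt):
    """hash(G || KPAK || ID || PVT) reduced mod N (assumption: SHA-256)."""
    digest = hashlib.sha256(enc(G) + enc(kpak) + identity + enc(pvt)).digest()
    return int.from_bytes(digest, "big") % N

def kms_issue(ksak, identity, v):
    """Key centre issues (PVT, SSK) for one identity: PVT = [v]G, SSK = hs*v + KSAK mod N."""
    kpak = mul(ksak, G)
    pvt = mul(v, G)
    return pvt, (hs(kpak, identity, pvt) * v + ksak) % N

def symmetric_key(kpak, own_ssk, peer_id, peer_pvt):
    """K = [SSK_own](KPAK + [hs(peer)]PVT_peer). The inner sum equals [SSK_peer]G,
    so UE and AUSF both land on [SSK_UE * SSK_AUSF]G without any extra round trip."""
    peer_pub = add(kpak, mul(hs(kpak, peer_id, peer_pvt), peer_pvt))
    return mul(own_ssk, peer_pub)

def eap_psk_keys(k, ue_expiry, ausf_expiry):
    """AK and KDK from the shared point plus both private-key expiry dates
    (assumption: HMAC-SHA256 KDF; RFC 4764 derives them from the PSK with AES-128)."""
    psk = hashlib.sha256(enc(k)).digest()
    ctx = ue_expiry + b"|" + ausf_expiry
    ak = hmac.new(psk, b"AK" + ctx, hashlib.sha256).digest()[:16]
    kdk = hmac.new(psk, b"KDK" + ctx, hashlib.sha256).digest()[:16]
    return ak, kdk

def run_agreement(ksak, ue_id, ue_v, ausf_id, ausf_v, ue_exp, ausf_exp):
    """Full exchange: each side uses only the peer's ID and PVT plus its own SSK."""
    kpak = mul(ksak, G)
    ue_pvt, ue_ssk = kms_issue(ksak, ue_id, ue_v)
    ausf_pvt, ausf_ssk = kms_issue(ksak, ausf_id, ausf_v)
    k_ue = symmetric_key(kpak, ue_ssk, ausf_id, ausf_pvt)    # UE side, K_UE
    k_ausf = symmetric_key(kpak, ausf_ssk, ue_id, ue_pvt)    # AUSF side, K_AUSF
    return k_ue == k_ausf, eap_psk_keys(k_ue, ue_exp, ausf_exp), eap_psk_keys(k_ausf, ue_exp, ausf_exp)

if __name__ == "__main__":
    # constructed identities and expiry dates
    match, ue_keys, ausf_keys = run_agreement(KMS_KSAK, b"imsi-460001234567890", UE_V,
                                              b"ausf.example", AUSF_V, b"20181231", b"20190630")
    print("K_UE == K_AUSF:", match, "AK match:", ue_keys[0] == ausf_keys[0])
```

Because the hash binds the peer's ID to its PVT, a PVT presented under a different ID yields a different key, which is what makes the derived pre-shared key an authentication of identity rather than just a key exchange.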
In a fourth aspect, a network authentication method is provided. In the method, user equipment sends to a network authentication node authentication type indication information, the ID of the user equipment and the PVT of the user equipment, the authentication type indication information indicating that the user equipment needs to carry out identity-based cryptography and Extensible Authentication Protocol pre-shared key (EAP-PSK) authentication. The network authentication node receives the authentication type indication information, the identity (ID) information of the user equipment and the authentication public key token (PVT) of the user equipment sent by the user equipment. If the network authentication node determines from the authentication type indication information that the user equipment needs to carry out identity-based cryptography and Extensible Authentication Protocol pre-shared key (EAP-PSK) authentication, it sends the ID of the network authentication node and the PVT of the network authentication node to the user equipment. The user equipment receives the ID of the network authentication node and the PVT of the network authentication node sent by the network authentication node. The user equipment generates a user equipment symmetric key from the ID of the network authentication node, the PVT of the network authentication node, the private key based on the user equipment identity and the global public key, generates a first authentication key and a first key derivation key from the user equipment symmetric key, and carries out EAP-PSK authentication with the network authentication node using the first authentication key and the first key derivation key. The network authentication node generates a network authentication node symmetric key from the ID of the user equipment, the PVT of the user equipment, the private key based on the network authentication node identity and the global public key, generates a second authentication key and a second key derivation key from the network authentication node symmetric key, and carries out EAP-PSK authentication with the user equipment using the second authentication key and the second key derivation key.
The user equipment may send the authentication type indication information, the ID of the user equipment and the PVT of the user equipment in an access request message. Alternatively, the user equipment sends the authentication type indication information in an access request message and sends the ID of the user equipment and the PVT of the user equipment in the second message of the EAP-PSK authentication protocol. The network authentication node sends the ID of the network authentication node and the PVT of the network authentication node in the first message of the EAP-PSK authentication protocol.
In one possible design, generating the first authentication key and the first key derivation key according to the user equipment symmetric key includes: receiving the private key expiration date information of the network authentication node sent by the network authentication node, and generating the first authentication key and the first key derivation key according to the private key expiration date information of the user equipment, the private key expiration date information of the network authentication node and the user equipment symmetric key. Alternatively, the first authentication key and the first key derivation key are generated according to the user equipment symmetric key and at least one of a random number generated by the user equipment and a received random number generated by the network authentication node.
In another possible design, generating the second authentication key and the second key derivation key according to the network authentication node symmetric key includes: receiving the private key expiration date information of the user equipment sent by the user equipment, and generating the second authentication key and the second key derivation key according to the private key expiration date information of the network authentication node, the private key expiration date information of the user equipment and the network authentication node symmetric key. Alternatively, the second authentication key and the second key derivation key are generated according to the network authentication node symmetric key and at least one of a random number generated by the network authentication node and a received random number generated by the user equipment.
The authentication type indication information is an authentication request that includes an EAP-PSK flag bit and indicates that a symmetric key is to be generated based on an identity-based signature; alternatively, the authentication type indication information is the ID of the user equipment and the PVT of the user equipment.
In another possible design, the user equipment sends the authentication type indication information, the ID of the user equipment, the PVT of the user equipment and the private key expiration date information of the user equipment in an access request message. Alternatively, the user equipment sends the authentication type indication information in an access request message and sends the ID of the user equipment, the PVT of the user equipment and the private key expiration date information of the user equipment in the second message of the EAP-PSK authentication protocol.
In another possible design, the network authentication node sends the ID of the network authentication node, the PVT of the network authentication node and the private key expiration date information of the network authentication node in the first message of the EAP-PSK authentication protocol.
In another possible design, the user equipment symmetric key satisfies the formula K_UE = (SSK_UE)([KPAK + hash(G||KPAK||ID_AUSF||PVT_AUSF)]PVT_AUSF), where K_UE is the user equipment symmetric key, SSK_UE is the private key of the user equipment, KPAK is the global public key, ID_AUSF is the identifier of the network authentication node, PVT_AUSF is the PVT of the network authentication node, G is the generator of the elliptic curve group, [x]P denotes scalar multiplication of the point P on the elliptic curve by the integer x, hash() denotes a cryptographic hash function, and || denotes concatenation of strings.
In another possible design, the network authentication node symmetric key satisfies the formula K_AUSF = (SSK_AUSF)([KPAK + hash(G||KPAK||ID_UE||PVT_UE)]PVT_UE), where K_AUSF is the network authentication node symmetric key, SSK_AUSF is the private key of the network authentication node, KPAK is the global public key, ID_UE is the identifier of the user equipment, PVT_UE is the PVT of the user equipment, G is the generator of the elliptic curve group, [x]P denotes scalar multiplication of the point P on the elliptic curve by the integer x, hash() denotes a cryptographic hash function, and || denotes concatenation of strings.
In the embodiments of the present application, the user equipment generates the user equipment symmetric key from the ID of the network authentication node, the PVT of the network authentication node and its own IBC identity information such as the private key of the user equipment and the global public key, and the network authentication node generates the network authentication node symmetric key from the ID of the user equipment, the PVT of the user equipment and its own IBC identity information such as the private key of the network authentication node and the global public key. Using the symmetric keys each has generated as the pre-shared key, the user equipment and the network authentication node can perform mutual authentication with the EAP-PSK authentication method without changing the message exchange or the format of the EAP-PSK authentication protocol, so that IBC-based mutual authentication is performed on the EAP authentication framework supported by current 3GPP work, and IBC public key technology is made compatible with existing EAP protocols.
Description of the drawings
Fig. 1 is a schematic architecture diagram of a network authentication system provided by embodiments of the present application;
Fig. 2 is a schematic architecture diagram of the EAP-based authentication framework in the prior art;
Fig. 3 is an implementation flow chart of EAP-PSK mutual authentication in the prior art;
Fig. 4 is a schematic architecture diagram of a network authentication system provided by embodiments of the present application;
Fig. 5 is a schematic structural diagram of a communication apparatus provided by embodiments of the present application;
Fig. 6 is a network authentication interaction diagram provided by embodiments of the present application;
Fig. 7 is an implementation flow chart of the first embodiment provided by embodiments of the present application;
Fig. 8 is an implementation flow chart of the second embodiment provided by embodiments of the present application;
Fig. 9 is an implementation flow chart of the third embodiment provided by embodiments of the present application;
Fig. 10 is an implementation flow chart of the fourth embodiment provided by embodiments of the present application;
Fig. 11 is an implementation flow chart of the fifth embodiment provided by embodiments of the present application;
Fig. 12 is a schematic structural diagram of the user equipment and the network authentication node provided by embodiments of the present application.
Detailed description of embodiments
The technical solutions in the embodiments of the present application are described below with reference to the accompanying drawings.
Fig. 1 is a schematic architecture diagram of a network authentication system provided by embodiments of the present application. As shown in Fig. 1, the network authentication system 100 may include a user equipment 10, a network authentication node 20 (such as an authentication server, Authentication Server Function, AUSF), a security anchor (Security Anchor Function, SEAF) 30 and an authentication credential repository and processing node (Authentication Credential Repository and Processing Function, ARPF) 40. The user equipment 10 may include user terminals such as mobile phones, tablet computers, laptops, mobile internet devices (Mobile Internet Device, MID) and wearable devices (such as smartwatches, smart bracelets and pedometers), may include IoT devices, and may also include other communication devices. The AUSF provides network authentication services for all user equipment accessing the network, interacts with the ARPF and the SEAF, is the destination node for request messages from the SEAF, and may also be deployed in a third-party system. The SEAF is a network function used for authentication and interacts mainly with the AUSF and the user equipment; for AKA authentication, the SEAF receives an intermediate key from the AUSF and is responsible for session key management for the user equipment. The ARPF is a network function that stores the long-term security context used for authentication and encryption algorithms, and it may also store security-related user configuration information (profiles).
It should be noted that the network function nodes shown in Fig. 1 (such as SEAF, AUSF and ARPF) are names appearing in current 3GPP SA3 standards contributions and technical reports (TR); these names may change, for example through renaming, merging or splitting of network functions. The present application is not limited to the names of these network function nodes or to which network element these network functions are configured in; it applies equally to other network elements that implement similar functions.
In Fig. 1, the user equipment 10 may perform mutual authentication with the AUSF via access network elements that provide network access service for the user equipment 10, such as a base station (NodeB), a base station controller (Radio Network Controller, RNC) or an access gateway. The following embodiments of the application mainly describe the mutual authentication process between the user equipment 10 and the network authentication node 20.
The user equipment 10 and the network authentication node 20 can perform EAP-PSK mutual authentication based on the EAP-PSK protocol supported by the EAP-based authentication framework. Fig. 2 shows a schematic architecture diagram of the EAP-based authentication framework. As shown in Fig. 2, the EAP-based authentication framework consists mainly of three entities: the authentication request client (Supplicant) on the user equipment side, the authentication node (Authenticator) of the access network, and the authentication server (Server) on the network side. The Supplicant is the entity on the terminal side responsible for running the EAP authentication protocol framework and contains the interface to the key storage entity; the Authenticator is responsible for relaying authentication messages and distributing session keys; and the Server is responsible for authentication on the network side.
Fig. 3 shows the implementation flow of EAP-PSK mutual authentication between the user equipment 10 and the network authentication node 20 in the prior art. As shown in Fig. 3, it includes:
S101: The network authentication node 20 sends the first message to the user equipment 10; the first message includes a random number (RAND_S) and the identification information (ID_S) of the network authentication node 20.
S102: The user equipment 10 sends the second message to the network authentication node 20; the second message includes the random number (RAND_S) generated by the network authentication node 20, a random number (RAND_P) generated by the user equipment 10 and the identification information (ID_P) of the user equipment 10.
S103: The network authentication node 20 sends the third message, which contains a message authentication code (Message Authentication Code, MAC) generated with the pre-shared key for the third message and used by the user equipment 10 to authenticate the network authentication node 20; it is denoted MAC_S.
S104: After receiving the third message sent by the network authentication node 20, the user equipment 10 generates and sends the fourth message, which also includes a MAC generated with the pre-shared key and used by the network authentication node 20 to authenticate the user equipment 10.
After the above exchange, the user equipment 10 and the network authentication node 20 use the random numbers included in the exchanged messages and the pre-shared key to generate a session key for use in subsequent communication between the user equipment 10 and the network authentication node 20. The specific session key generation method can be found in RFC 4764.
The user equipment 10 and the network authentication node 20 can also perform mutual authentication based on IBC public key technology. In a mutual authentication process based on IBC public key technology, the key centre holds a private key s and uses the private key and global parameters to generate a global public key (KMS Public Authentication Key, KPAK). When the key centre generates a signing private key for the user equipment 10, it first generates a random number, then uses this random number, the ID of the user equipment 10 and other global parameters to generate a private key (Secret Signing Key, SSK) for the user equipment 10; at the same time it uses this random number to generate a public validation token (Public Validation Token, PVT), and issues the SSK, PVT and KPAK together to the user equipment 10. The user equipment 10 signs a message with the SSK and sends the signed message, which includes the ID and PVT of the user, to the network authentication node 20. The network authentication node 20 can verify the signature on the message using the KPAK it holds and the received ID and PVT of the user equipment 10.
Using the above method for mutual authentication between the user equipment 10 and the network authentication node 20 has the technical problem mentioned in the background section: "the various authentication methods supported by EAP do not support authentication based on IBC public key technology, so IBC-based mutual authentication cannot be performed on the EAP authentication framework supported by current 3GPP work".
The mutual authentication method provided by embodiments of the present application combines the IBC public key authentication mode with the EAP-PSK authentication mode: the user equipment 10 and the network authentication node 20, each holding an IBC identity and key, generate a symmetric key and use it as the pre-shared key, so that mutual authentication is performed with the EAP-PSK authentication method without changing the message exchange or the format of the EAP-PSK authentication protocol. IBC-based mutual authentication is thereby performed on the EAP authentication framework supported by current 3GPP work, and IBC public key technology is made compatible with existing EAP protocols.
The architecture of the network authentication system formed by the user equipment 10 and the network authentication node 20 that perform mutual authentication by combining the IBC public key authentication mode and the EAP-PSK authentication mode may be as shown in Fig. 4. In the network authentication system 200 of Fig. 4, the user equipment 10 and the network authentication node 20 can each be divided functionally into an IBC module and an EAP-PSK module. The IBC module can be used to manage and store keys and parameters such as the SSK, PVT, KPAK, ID and their expiration dates, to receive the ID, expiration date and PVT sent by the peer, and to check the validity of the received ID, expiration date and PVT; for example, the IBC module of the user equipment 10 can determine whether the received ID is the ID of the network authentication node 20 and whether the date has expired. The IBC module can also generate the symmetric key from the peer IBC parameters provided by the EAP-PSK module, such as the ID, expiration date and PVT, and pass the symmetric key to the EAP-PSK module. The functions of the EAP-PSK module include: generating and sending EAP-PSK authentication messages, for example encapsulating IBC parameters such as the ID, expiration date and PVT in EAP-PSK messages; parsing IBC parameters such as the ID, expiration date and PVT out of EAP-PSK messages and passing them to the IBC module; performing authentication with the symmetric key generated by the IBC module; and further generating the session key and other keys from the keys produced after authentication, so as to carry out EAP-PSK authentication with the peer.
The user equipment 10 or the network authentication node 20 in Fig. 4 can be implemented by the communication apparatus (or system) 300 shown in Fig. 5.
As shown in Fig. 5, the communication apparatus (or system) 300 may include at least one processor 301, a memory 303 and at least one communication interface 304. These components can communicate over one or more communication buses 302.
It should be noted that Fig. 5 is only one implementation of the embodiments of the present application; in practice the communication apparatus 300 may include more or fewer components, without restriction here.
The communication interface 304 is coupled to the receiver and transmitter of the communication apparatus 300 for sending and receiving radio frequency signals. The communication interface 304 communicates with other communication apparatus through radio frequency signals and communication networks such as Ethernet, a radio access network (Radio Access Technology, RAN) and a wireless local area network (Wireless Local Area Network, WLAN). In a specific implementation, the communication protocols supported by the communication interface 304 may include, but are not limited to, 2G/3G, Long Term Evolution (LTE), Wireless Fidelity (Wi-Fi) and 5G New Radio (NR).
The memory 303 is coupled to the processor 301 and stores various software programs and/or sets of instructions. In a specific implementation, the memory 303 may include high-speed random access memory and may also include non-volatile memory, such as one or more disk storage devices, flash memory devices or other non-volatile solid-state memory devices. The memory 303 can store an operating system (hereinafter the system), for example an embedded operating system such as ANDROID, IOS, WINDOWS or LINUX. The memory 303 can store the implementation programs of the embodiments of the present application. The memory 303 can also store a network communication program, which can be used to communicate with one or more additional devices, one or more terminal devices and one or more network devices.
The processor 301 may be a general-purpose central processing unit (Central Processing Unit, CPU), a microprocessor, an application-specific integrated circuit (Application-Specific Integrated Circuit, ASIC) or one or more integrated circuits for controlling the execution of the programs of the present application.
In some embodiments, the communication apparatus 300 may also include an output device 305 and an input device 306. The output device 305 communicates with the processor 301 and can display information in various ways; for example, the output device 305 may be a liquid crystal display (Liquid Crystal Display, LCD), a light emitting diode (Light Emitting Diode, LED) display device, a cathode ray tube (Cathode Ray Tube, CRT) display device or a projector. The input device 306 communicates with the processor 301 and can receive user input in various ways; for example, the input device 306 may be a mouse, a keyboard, a touch screen device or a sensing device. To make the output device 305 and the input device 306 easier for users to use, in some embodiments the memory 202 may also store a user interface program, which can display the content of an application program vividly through a graphical operation interface and receive the user's control operations on the application program through input controls such as menus, dialog boxes and buttons. When the communication apparatus 300 shown in Fig. 5 is implemented as the user equipment 10 shown in Fig. 4, one or more software modules may be stored in the memory of the communication apparatus 300 to provide functions such as access request, symmetric key generation and user authentication response; see the subsequent method embodiments for details. When the communication apparatus 300 shown in Fig. 5 is implemented as the network authentication node 20 shown in Fig. 4, one or more software modules may be stored in the memory of the communication apparatus 300 to provide functions such as symmetric key generation and verification of the legitimacy of accessing users; see the subsequent method embodiments for details.
The following describes, with reference to the embodiments of the present application, how the user equipment 10 and the network authentication node 20 implement mutual authentication by combining the IBC public key authentication mode and the EAP-PSK authentication mode.
Fig. 6 shows a network authentication interaction diagram provided by embodiments of the present application. As shown in Fig. 6, it includes:
S201: The user equipment 10 sends authentication type indication information, the ID of the user equipment 10 and the PVT of the user equipment 10 to the network authentication node 20, where the authentication type indication information indicates that the user equipment 10 needs to perform identity-based cryptography (IBC) and EAP-PSK authentication.
In the embodiments of the present application, the authentication type indication information can be sent in an access request message. The ID of the user equipment 10 and the PVT of the user equipment 10 can be sent in the access request message or in the second message of the EAP-PSK authentication protocol.
S202: The network authentication node 20 receives the authentication type indication information, the ID information of the user equipment 10 and the PVT of the user equipment 10 sent by the user equipment 10, and determines according to the authentication type indication information whether the user equipment 10 needs to perform IBC and EAP-PSK authentication.
In the embodiments of the present application, the authentication type indication information sent by the user equipment 10 may be an authentication request that includes an EAP-PSK flag bit and indicates that a symmetric key is to be generated based on an identity-based signature; when the network authentication node 20 receives this authentication request, it can determine that the user equipment 10 needs to perform identity-signature and EAP-PSK authentication. The authentication type indication information sent by the user equipment 10 may also be the ID of the user equipment 10 and the PVT of the user equipment 10; when the network authentication node 20 receives the ID and the PVT of the user equipment 10, it can determine that the user equipment 10 needs to perform identity-signature and EAP-PSK authentication.
If the network authentication node 20 determines according to the authentication type indication information that the user equipment 10 needs to perform IBC and EAP-PSK authentication, S203 and S204 can be performed.
S203: The network authentication node 20 generates the network authentication node 20 symmetric key according to the ID of the user equipment 10, the PVT of the user equipment 10, the private key based on the identity of the network authentication node 20 and the global public key, and generates a second authentication key and a second key derivation key according to the network authentication node 20 symmetric key.
In the embodiments of the present application, the network authentication node 20 can generate the network authentication node 20 symmetric key from the ID of the user equipment 10, the PVT of the user equipment 10, the private key based on the identity of the network authentication node 20 and the global public key by applying the identity-based signature (Identity Based Signature, IBS) cryptographic technique of RFC 6507 together with a static Diffie-Hellman operation on the elliptic curve group.
In one embodiment of the application, the user equipment 10 can also send the private key expiration date information of the user equipment 10, so that the network authentication node 20 can further generate the second authentication key and the second key derivation key from the network authentication node 20 symmetric key, the private key expiration date information of the network authentication node 20 and the private key expiration date information of the user equipment 10. The user equipment 10 can send its private key expiration date information in the access request message or in the second message of the EAP-PSK authentication protocol.
In another embodiment of the application, the user equipment 10 can further generate the authentication key and the key derivation key from the user equipment 10 symmetric key and at least one of a random number generated by the user equipment 10 and a received random number generated by the network authentication node 20.
S204: The network authentication node 20 sends the ID of the network authentication node 20 and the PVT of the network authentication node 20 to the user equipment 10.
In the embodiments of the present application, the network authentication node 20 can send the ID of the network authentication node 20 and the PVT of the network authentication node 20 in the first message of the EAP-PSK authentication protocol.
S203 and S204 may be performed in either order.
S205: The user equipment 10 receives the ID of the network authentication node 20 and the PVT of the network authentication node 20 sent by the network authentication node 20, generates the user equipment 10 symmetric key according to the ID of the network authentication node 20, the PVT of the network authentication node 20, the private key based on the identity of the user equipment 10 and the global public key, and generates a first authentication key and a first key derivation key according to the user equipment 10 symmetric key, for EAP-PSK authentication with the network authentication node 20.
In one embodiment of the application, the network authentication node 20 can also send the private key expiration date information of the network authentication node 20, so that the user equipment 10 can further generate the first authentication key and the first key derivation key from the user equipment 10 symmetric key, the private key expiration date information of the user equipment 10 and the private key expiration date information of the network authentication node 20. The network authentication node 20 can send the private key expiration date information of the network authentication node 20 in the first message of the EAP-PSK authentication protocol.
In another embodiment of the application, the network authentication node 20 can also further generate the second authentication key and the second key derivation key from the network authentication node 20 symmetric key and at least one of a random number generated by the network authentication node 20 and a received random number generated by the user equipment 10.
S206: The user equipment 10 performs EAP-PSK authentication with the network authentication node 20 using the first authentication key and the first key derivation key. The network authentication node 20 performs EAP-PSK authentication with the user equipment 10 using the second authentication key and the second key derivation key.
It should be noted that, for convenience of description, the embodiments of the present application use "first" and "second" to distinguish the authentication keys and key derivation keys, call the symmetric key generated by the user equipment the user equipment symmetric key, and call the symmetric key generated by the network authentication node the network authentication node symmetric key. This is only to distinguish whether a key was generated by the user equipment 10 or by the network authentication node 20; the specific names are not limiting.
It should further be noted that, when the user equipment 10 and the network authentication node 20 perform EAP-PSK authentication, if the authentication succeeds, the user equipment symmetric key is identical to the network authentication node symmetric key, the first authentication key is identical to the second authentication key, and the first key derivation key is identical to the second key derivation key.
In the embodiments of the present application, the user equipment 10 generates the user equipment 10 symmetric key from the ID of the network authentication node 20, the PVT of the network authentication node 20 and its own IBC identity information such as the private key of the user equipment 10 and the global public key, and the network authentication node 20 generates the network authentication node 20 symmetric key from the ID of the user equipment 10, the PVT of the user equipment 10 and its own IBC identity information such as the private key of the network authentication node 20 and the global public key. Using the symmetric keys each has generated as the pre-shared key, the user equipment 10 and the network authentication node 20 can perform mutual authentication with the EAP-PSK authentication method without changing the message exchange or the format of the EAP-PSK authentication protocol, so that IBC-based mutual authentication is performed on the EAP authentication framework supported by current 3GPP work, and IBC public key technology is made compatible with existing EAP protocols.
The following describes, with reference to specific embodiments, the process by which the present application implements mutual authentication by combining the IBC public key authentication mode and the EAP-PSK authentication mode.
In the following embodiments of the application, the user equipment 10 is the UE and the network authentication node 20 is the AUSF.
Embodiment one
Fig. 7 shows the implementation flow chart of the first embodiment provided by the present application. As shown in Fig. 7, it includes:
S301: The UE sends an access request message (Attach) to the AUSF.
The access request message sent by the UE to the AUSF includes authentication type indication information, which indicates that the UE needs to perform identity-based cryptography (IBC) and EAP-PSK authentication. In the embodiments of the present application, the authentication type indication information is an authentication request that includes an EAP-PSK flag bit and indicates that a symmetric key is to be generated based on an identity-based signature; for convenience of description, the embodiments denote such an authentication request, which includes an EAP-PSK flag bit and indicates symmetric key generation based on identity-based cryptography, as EAP-PSK-IBS. The access request message sent by the UE to the AUSF may also include the ID of the UE, i.e. ID_UE.
S302: The AUSF determines whether the UE needs to perform identity-based cryptography and EAP-PSK authentication. If the message received by the AUSF contains EAP-PSK-IBS, the AUSF can determine that the UE needs to perform identity-signature and EAP-PSK authentication. The AUSF may also decide from the ID_UE carried in the Attach message whether the UE needs to perform identity-signature and EAP-PSK authentication.
S303: After confirming that the UE needs to perform identity-signature and EAP-PSK authentication, the AUSF sends the first message of the EAP-PSK authentication protocol to the UE. The first message carries the random parameter RAND_S generated by the AUSF and the identity of the AUSF, where the identity of the AUSF consists at least of the ID of the AUSF (ID_AUSF) and the PVT corresponding to its IBS private key SSK (PVT_AUSF).
S304: After receiving the first message of the EAP-PSK authentication protocol sent by the AUSF, the UE parses the corresponding parameters from it, including RAND_S, ID_AUSF and PVT_AUSF. The UE generates its symmetric key from its own IBS private key SSK_UE, the elliptic curve generator G, KPAK, and the received AUSF parameters ID_AUSF and PVT_AUSF. The symmetric key of the UE can satisfy the following formula:
K_UE = [SSK_UE](KPAK + [hash(G || KPAK || ID_AUSF || PVT_AUSF)]PVT_AUSF).
Here K_UE is the symmetric key of the UE, SSK_UE is the private key of the UE, KPAK is the global public key, ID_AUSF is the identifier of the AUSF, PVT_AUSF is the PVT of the AUSF, G is the elliptic curve generator, [x]P denotes the scalar multiplication of the point P on the elliptic curve by the integer x, hash() is a cryptographic hash function, and || denotes concatenation. (With ECCSI key material as specified in RFC 6507, KPAK + [hash(G || KPAK || ID_AUSF || PVT_AUSF)]PVT_AUSF equals [SSK_AUSF]G, the public key reconstructed from the identity of the AUSF.)
In this embodiment of the application, the UE can further use K_UE to generate the first authentication key (Authentication Key, AK) and the first key derivation key (Key Derivation Key, KDK) required by EAP-PSK.
S305: The UE sends the second message of the EAP-PSK authentication protocol to the AUSF. The second message carries RAND_S, the random parameter RAND_P generated by the UE, the ID field of EAP-PSK containing ID_UE and PVT_UE, and the message authentication code MAC_P that the UE generates over the above message with AK according to EAP-PSK, where MAC_P satisfies the following formula:
MAC_P = CMAC-AES-128(AK, ID_P || ID_S || RAND_S || RAND_P).
Here CMAC is a message authentication code mode and AES is a block cipher.
S306: After the AUSF receives the second message of the EAP-PSK authentication protocol, it first parses RAND_S, RAND_P, ID_UE and PVT_UE from it, and then generates the symmetric key K_AUSF of the AUSF from its own private key SSK_AUSF and the received UE parameters ID_UE and PVT_UE, where K_AUSF satisfies the following formula:
K_AUSF = [SSK_AUSF](KPAK + [hash(G || KPAK || ID_UE || PVT_UE)]PVT_UE);
Here K_AUSF is the symmetric key of the AUSF, SSK_AUSF is the private key of the AUSF, KPAK is the global public key, ID_UE is the identifier of the UE, PVT_UE is the PVT of the UE, G is the elliptic curve generator, [x]P denotes the scalar multiplication of the point P on the elliptic curve by the integer x, hash() is a cryptographic hash function, and || denotes concatenation. With ECCSI key material as specified in RFC 6507, KPAK + [hash(G || KPAK || ID_UE || PVT_UE)]PVT_UE equals [SSK_UE]G, so both sides obtain the same point [SSK_UE][SSK_AUSF]G and K_UE = K_AUSF.
In this embodiment of the application, the AUSF further generates AK and KDK from K_AUSF, and uses AK and the received information to generate the message authentication code MAC_P', where MAC_P' satisfies the following formula:
MAC_P' = CMAC-AES-128(AK, ID_P || ID_S || RAND_S || RAND_P);
The AUSF verifies MAC_P by comparing it with MAC_P' (the comparison should be constant-time).
Further, the AUSF generates the session key from KDK and RAND_P.
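As an added example (not code from the patent or from 3GPP), the following Python reproduces the key material and the two formulas of S304 and S306 with ECCSI-style parameters in the terms of RFC 6507 on NIST P-256: a key management service holds KSAK and publishes KPAK = [KSAK]G, each party is provisioned with (PVT, SSK), and each party computes its symmetric key from its own SSK and the peer's (ID, PVT). The identity strings, the use of SHA-256 as hash(), and hashing the resulting shared point down to 32 key bytes are assumptions of the example; the curve arithmetic is illustrative and not constant-time.

```python
# Added example (not from the patent text): ECCSI-style key material (RFC 6507 terms KPAK,
# PVT, SSK, HS) on NIST P-256, and the symmetric keys K_UE / K_AUSF of embodiment one.
# Standard library only; the curve arithmetic is illustrative and not constant-time.
import hashlib
import secrets

# NIST P-256 domain parameters (prime field, a = -3), the curve RFC 6507 specifies.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
INF = None  # point at infinity


def point_add(p1, p2):
    """Affine addition on y^2 = x^3 + A*x + B over GF(P)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    """[k]P by double-and-add: the [x]P operator of the patent text."""
    result, addend = INF, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def encode_point(point):
    """Uncompressed encoding 0x04 || x || y, as RFC 6507 uses for G, KPAK and PVT."""
    return b"\x04" + point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")


def hs(kpak, identity, pvt):
    """HS = hash(G || KPAK || ID || PVT), taken as an integer modulo N (SHA-256 assumed)."""
    digest = hashlib.sha256(encode_point(G) + encode_point(kpak) + identity + encode_point(pvt)).digest()
    return int.from_bytes(digest, "big") % N


def kms_setup():
    """Key management service: secret KSAK and the global public key KPAK = [KSAK]G."""
    ksak = secrets.randbelow(N - 1) + 1
    return ksak, scalar_mult(ksak, G)


def provision(ksak, kpak, identity):
    """Issue (PVT, SSK) for an identity: PVT = [v]G, SSK = KSAK + HS * v mod N."""
    v = secrets.randbelow(N - 1) + 1
    pvt = scalar_mult(v, G)
    ssk = (ksak + hs(kpak, identity, pvt) * v) % N
    return pvt, ssk


def public_key_from_identity(kpak, identity, pvt):
    """KPAK + [HS]PVT: the public key anyone can rebuild from (ID, PVT) and KPAK."""
    return point_add(kpak, scalar_mult(hs(kpak, identity, pvt), pvt))


def symmetric_key(own_ssk, kpak, peer_id, peer_pvt):
    """K = [own SSK](KPAK + [hash(G||KPAK||peer ID||peer PVT)]peer PVT), as in S304/S306.

    The text leaves the byte encoding of K open; hashing the shared point to 32 bytes is
    an assumption of this example.
    """
    shared = scalar_mult(own_ssk, public_key_from_identity(kpak, peer_id, peer_pvt))
    return hashlib.sha256(encode_point(shared)).digest()


def ssk_is_valid(ssk, kpak, identity, pvt):
    """RFC 6507 provisioning check: [SSK]G must equal KPAK + [HS]PVT."""
    return scalar_mult(ssk, G) == public_key_from_identity(kpak, identity, pvt)


def run_exchange(id_ue=b"imsi-001010123456789", id_ausf=b"ausf.example.net"):
    """Provision both parties (constructed identities) and return (K_UE, K_AUSF)."""
    ksak, kpak = kms_setup()
    pvt_ue, ssk_ue = provision(ksak, kpak, id_ue)
    pvt_ausf, ssk_ausf = provision(ksak, kpak, id_ausf)
    assert ssk_is_valid(ssk_ue, kpak, id_ue, pvt_ue)
    assert ssk_is_valid(ssk_ausf, kpak, id_ausf, pvt_ausf)
    k_ue = symmetric_key(ssk_ue, kpak, id_ausf, pvt_ausf)    # UE side, S304
    k_ausf = symmetric_key(ssk_ausf, kpak, id_ue, pvt_ue)    # AUSF side, S306
    return k_ue, k_ausf


if __name__ == "__main__":
    k_ue, k_ausf = run_exchange()
    print("K_UE == K_AUSF:", k_ue == k_ausf)
```

Neither party needs a certificate for the peer's (ID, PVT): a wrong or tampered PVT simply reconstructs a public key for which no SSK is known, so the derived pre-shared keys do not match and the EAP-PSK MAC check fails. The ssk_is_valid check is the provisioning-time verification RFC 6507 requires of the receiver of (PVT, SSK); without it, a corrupted SSK would only surface as an authentication failure with every peer.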
S307: The AUSF sends the third message of the EAP-PSK authentication protocol to the UE. The third message carries RAND_S, the message authentication code (MAC_S in RFC 4764) and the other information specified by the EAP-PSK authentication protocol.
S308: After the UE receives the third message of the EAP-PSK authentication protocol sent by the AUSF, and after verifying the message authentication code it carries as RFC 4764 requires, the UE generates the session key from KDK and RAND_P.
S309: After the UE has received the third message of the EAP-PSK authentication protocol sent by the AUSF, it sends the fourth message of the EAP-PSK authentication protocol to the AUSF. The fourth message can be understood as the UE's response to the third message sent by the AUSF, and carries RAND_S and the other information specified by the EAP-PSK authentication protocol.
In the first embodiment of the application, the authentication type indication information is an authentication request that includes an EAP-PSK flag bit and indicates that the symmetric key is generated from an identity-based signature, and it is sent in the access request message. The UE sends the ID of the UE and the PVT of the UE in the second message of the EAP-PSK authentication protocol. The AUSF sends the ID of the AUSF and the PVT of the AUSF in the first message of the EAP-PSK authentication protocol.
Embodiment two
Fig. 8 shows the flow of the second embodiment provided by the application. As shown in Fig. 8, it includes:
In Fig. 8, S401, S402, S407, S408 and S409 are the same as S301, S302, S307, S308 and S309 of embodiment one and are not described again; only the differences are described below.
S403: After confirming that the UE needs to perform identity-signature and EAP-PSK authentication, the AUSF sends the first message of the EAP-PSK authentication protocol to the UE. The first message carries the random parameter RAND_S generated by the AUSF and the identity of the AUSF, where the identity of the AUSF consists at least of the ID of the AUSF (ID_AUSF), the PVT corresponding to its IBS private key SSK (PVT_AUSF), and the expiration date information of the private key of the AUSF (KeyExpireTime_AUSF).
S404: After receiving the first message of the EAP-PSK authentication protocol sent by the AUSF, the UE parses the corresponding parameters from it, including RAND_S, ID_AUSF, PVT_AUSF and KeyExpireTime_AUSF. The UE generates its symmetric key from its own IBS private key SSK_UE, the elliptic curve generator G, KPAK, and the received AUSF parameters ID_AUSF and PVT_AUSF. The symmetric key of the UE can satisfy the following formula:
K_UE = [SSK_UE](KPAK + [hash(G || KPAK || ID_AUSF || PVT_AUSF)]PVT_AUSF).
Here K_UE is the symmetric key of the UE, SSK_UE is the private key of the UE, KPAK is the global public key, ID_AUSF is the identifier of the AUSF, PVT_AUSF is the PVT of the AUSF, G is the elliptic curve generator, [x]P denotes the scalar multiplication of the point P on the elliptic curve by the integer x, hash() is a cryptographic hash function, and || denotes concatenation.
In this embodiment of the application, the UE can derive a key K' from K_UE, KeyExpireTime_UE and KeyExpireTime_AUSF, where K' = KDF(K_UE, KeyExpireTime_AUSF || KeyExpireTime_UE). KDF is a key derivation function; one realization is a cryptographic hash. The UE then generates the AK and KDK required by EAP-PSK from K'.
S405: The UE sends the second message of the EAP-PSK authentication protocol to the AUSF. The second message carries RAND_S, the random parameter RAND_P generated by the UE, the ID field of EAP-PSK containing ID_UE and PVT_UE, KeyExpireTime_UE, and the message authentication code MAC_P that the UE generates over the above message with AK according to EAP-PSK, where MAC_P satisfies the following formula:
MAC_P = CMAC-AES-128(AK, ID_P || ID_S || RAND_S || RAND_P).
S406: After the AUSF receives the second message of the EAP-PSK authentication protocol, it first parses RAND_S, RAND_P, ID_UE, PVT_UE and KeyExpireTime_UE from it, and then generates the symmetric key K_AUSF of the AUSF from its own private key SSK_AUSF and the received UE parameters ID_UE and PVT_UE, where K_AUSF satisfies the following formula:
K_AUSF = [SSK_AUSF](KPAK + [hash(G || KPAK || ID_UE || PVT_UE)]PVT_UE);
Here K_AUSF is the symmetric key of the AUSF, SSK_AUSF is the private key of the AUSF, KPAK is the global public key, ID_UE is the identifier of the UE, PVT_UE is the PVT of the UE, G is the elliptic curve generator, [x]P denotes the scalar multiplication of the point P on the elliptic curve by the integer x, hash() is a cryptographic hash function, and || denotes concatenation.
Further, the AUSF derives the key K' = KDF(K_AUSF, KeyExpireTime_AUSF || KeyExpireTime_UE) from K_AUSF, KeyExpireTime_AUSF and KeyExpireTime_UE, generates AK and KDK from K', and uses AK and the received information to generate MAC_P', where MAC_P' = CMAC-AES-128(AK, ID_P || ID_S || RAND_S || RAND_P). The AUSF verifies MAC_P by comparing it with MAC_P'.
Further, the AUSF generates the session key from KDK and RAND_P.
In this embodiment, the KeyExpireTime_AUSF that the AUSF sends to the UE and the KeyExpireTime_UE that the UE sends to the AUSF may differ. When the UE and the AUSF derive the key they may therefore use at least one KeyExpireTime, but both sides must use the same one, either the UE's or the AUSF's. If both are used at the same time, they can be combined as KeyExpireTime = (KeyExpireTime_AUSF || KeyExpireTime_UE), in that order on both sides.
In the second embodiment of the application, the authentication type indication information is an authentication request that includes an EAP-PSK flag bit and indicates that the symmetric key is generated from an identity-based signature, and it is sent in the access request message. The UE additionally sends the private key expiration date information of the UE, and sends the authentication type indication information, the ID of the UE, the PVT of the UE and the private key expiration date information of the UE in the second message of the EAP-PSK authentication protocol. The AUSF additionally sends the private key expiration date information of the AUSF, and sends the ID of the AUSF, the PVT of the AUSF and the private key expiration date information of the AUSF in the first message of the EAP-PSK authentication protocol.
Embodiment three
Fig. 9 shows the flow of the third embodiment provided by the application. As shown in Fig. 9, it includes:
In Fig. 9, S501, S502, S503, S505, S507, S508 and S509 are the same as S301, S302, S303, S305, S307, S308 and S309 of embodiment one and are not described again; only the differences are described below.
Step S504 receives and parses the message and generates the symmetric key of the UE in the same way as embodiment one; the difference is that this step adds three different ways of deriving the key K'.
In this embodiment of the application, the UE can derive the key K' from the symmetric key K_UE of the UE together with at least one of the random parameter RAND_P generated by the UE and the random parameter RAND_S generated by the AUSF, where K' satisfies one of the following formulas:
K' = KDF(K_UE, RAND_S, RAND_P), or K' = KDF(K_UE, RAND_S), or K' = KDF(K_UE, RAND_P).
The UE then generates AK and KDK from K'.
Step S506 receives and parses the message and generates the symmetric key of the AUSF in the same way as embodiment one; the difference is that this step adds three different ways of deriving the key K'.
In the application, the AUSF can likewise derive the key K' from the symmetric key K_AUSF of the AUSF together with at least one of the random parameter RAND_P generated by the UE and the random parameter RAND_S generated by the AUSF, where K' satisfies one of the following formulas:
K' = KDF(K_AUSF, RAND_S, RAND_P), or K' = KDF(K_AUSF, RAND_S), or K' = KDF(K_AUSF, RAND_P).
The AUSF then generates AK and KDK from K'.
In the third embodiment of the application, the UE derives the key K' from the symmetric key K_UE of the UE and at least one of the random parameter RAND_P generated by the UE and the random parameter RAND_S generated by the AUSF, and the AUSF derives the key K' from the symmetric key K_AUSF of the AUSF and at least one of the random parameter RAND_P generated by the UE and the random parameter RAND_S generated by the AUSF. Both the UE and the AUSF then generate AK and KDK from K'.
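As an added example (not code from the patent), the following Python makes the K' derivations of embodiment two (private-key expiry times) and embodiment three (RAND_S and/or RAND_P) concrete, using HMAC-SHA256 as the KDF instance, since the text only says that a cryptographic hash is one realization. The tagged, length-prefixed field encoding, the domain-separation label, the 8-byte encoding of KeyExpireTime and the expiry check are assumptions of the example; K stands for the IBC symmetric key that both sides already share. It also shows the pitfall noted in embodiment two: if one side binds only its own expiry time and the other only its own, the two K' values differ and every later MAC fails.

```python
# Added example (not from the patent text): K' = KDF(K, context) for embodiments two and three,
# with HMAC-SHA256 standing in for the KDF and an unambiguous field encoding (both assumed).
import hashlib
import hmac
import secrets

LABEL = b"EAP-PSK-IBS K' derivation"  # assumed domain-separation label, not from the text


def _field(tag, value):
    """Tag and length-prefix every field so a || b cannot be re-split ambiguously."""
    return tag.encode("ascii") + len(value).to_bytes(2, "big") + value


def derive_k_prime(k, *, expire_ausf=None, expire_ue=None, rand_s=None, rand_p=None):
    """K' = KDF(K, context).

    Expiry times are integer seconds since the epoch. Only the supplied fields are bound,
    always in the fixed order KeyExpireTime_AUSF, KeyExpireTime_UE, RAND_S, RAND_P. This
    covers KDF(K, KeyExpireTime_AUSF || KeyExpireTime_UE) of embodiment two and the three
    variants KDF(K, RAND_S, RAND_P), KDF(K, RAND_S), KDF(K, RAND_P) of embodiment three.
    """
    parts = [
        ("expA", None if expire_ausf is None else expire_ausf.to_bytes(8, "big")),
        ("expU", None if expire_ue is None else expire_ue.to_bytes(8, "big")),
        ("rndS", rand_s),
        ("rndP", rand_p),
    ]
    used = [(tag, val) for tag, val in parts if val is not None]
    if not used:
        raise ValueError("K' must bind at least one expiry time or one nonce")
    context = LABEL + b"".join(_field(tag, val) for tag, val in used)
    return hmac.new(k, context, hashlib.sha256).digest()


def check_not_expired(expire_time, now):
    """Reject a peer whose IBC private key has passed its KeyExpireTime (assumed policy)."""
    if now >= expire_time:
        raise ValueError("peer IBC private key expired")
    return True


def embodiment_two_exchange(k, expire_ausf, expire_ue, now):
    """Both sides bind (KeyExpireTime_AUSF || KeyExpireTime_UE) and obtain the same K'."""
    check_not_expired(expire_ausf, now)  # UE checks the AUSF's key (S404)
    check_not_expired(expire_ue, now)    # AUSF checks the UE's key (S406)
    k_ue = derive_k_prime(k, expire_ausf=expire_ausf, expire_ue=expire_ue)
    k_ausf = derive_k_prime(k, expire_ausf=expire_ausf, expire_ue=expire_ue)
    return k_ue, k_ausf


def embodiment_three_exchange(k, rand_s, rand_p):
    """Both sides bind the run's nonces, so K' (and thus AK, KDK) is fresh per run."""
    k_ue = derive_k_prime(k, rand_s=rand_s, rand_p=rand_p)
    k_ausf = derive_k_prime(k, rand_s=rand_s, rand_p=rand_p)
    return k_ue, k_ausf


def mismatched_choice(k, expire_ausf, expire_ue):
    """The pitfall the text warns about: each side binds only its own expiry time."""
    return derive_k_prime(k, expire_ausf=expire_ausf), derive_k_prime(k, expire_ue=expire_ue)


if __name__ == "__main__":
    k = secrets.token_bytes(32)  # stands for K_UE == K_AUSF from the IBC step
    now = 1_700_000_000
    a, b = embodiment_two_exchange(k, now + 30 * 86_400, now + 7 * 86_400, now)
    print("embodiment two, both sides agree:", a == b)
    c, d = mismatched_choice(k, now + 30 * 86_400, now + 7 * 86_400)
    print("each side binding a different expiry:", c == d)
```

Binding the expiry times into K' means an expired (PVT, SSK) cannot be silently reused once either side enforces the check, and binding RAND_S means a captured second message replayed against a fresh first message yields a different AK, so its MAC_P no longer verifies.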
Example IV
Fig. 10 shows the flow of the fourth embodiment provided by the application. As shown in Fig. 10, it includes:
In Fig. 10, S603, S605, S607, S608 and S609 are the same as S303, S305, S307, S308 and S309 of embodiment one and are not described again; only the differences are described below.
S601: The UE sends an access request message (Attach) to the AUSF. The access request message carries information such as the authentication type indication information, ID_UE, PVT_UE and the expiry time of the UE's private key, KeyExpireTime_UE.
S602: After receiving the access request message sent by the UE, the AUSF parses it and obtains ID_UE, PVT_UE, KeyExpireTime_UE and so on. The AUSF generates the symmetric key K_AUSF of the AUSF from the information provided by the UE. Further, the AUSF derives K' = KDF(K_AUSF, KeyExpireTime_UE); this step may be made optional. The AUSF obtains AK and KDK from K_AUSF or K' according to the EAP-PSK standard RFC 4764.
S604: After receiving the first message of the EAP-PSK authentication protocol sent by the AUSF, the UE parses the corresponding parameters from it, including RAND_S, ID_AUSF, PVT_AUSF and KeyExpireTime_AUSF. The UE generates its symmetric key K_UE from its own IBS private key SSK_UE, the elliptic curve generator G, KPAK, and the received AUSF parameters ID_AUSF and PVT_AUSF.
Further, the UE can derive the key K' = KDF(K_UE, KeyExpireTime_AUSF || KeyExpireTime_UE) from K_UE, KeyExpireTime_UE and KeyExpireTime_AUSF; this step may be made optional. The UE can then generate the AK and KDK required by EAP-PSK from K'.
S606: From the information provided by the UE, such as ID_UE and PVT_UE, the AUSF determines that the UE needs to perform identity-based cryptography and EAP-PSK authentication.
In the fourth embodiment of the application, the UE sends the authentication type indication information, the ID of the UE, the PVT of the UE and the private key expiration date information of the UE in the access request message. The AUSF sends the ID of the AUSF, the PVT of the AUSF and the private key expiration date information of the AUSF in the first message of the EAP-PSK authentication protocol.
In this embodiment, the KeyExpireTime_AUSF that the AUSF sends to the UE and the KeyExpireTime_UE that the UE sends to the AUSF may differ. When the UE and the AUSF derive the key they may therefore use at least one KeyExpireTime, but both sides must use the same one, either the UE's or the AUSF's. If both are used at the same time, they can be combined as KeyExpireTime = (KeyExpireTime_AUSF || KeyExpireTime_UE), in that order on both sides.
Embodiment five
Fig. 11 shows the flow of the fifth embodiment provided by the application. As shown in Fig. 11, it includes:
In Fig. 11, S703, S704, S705, S707, S708 and S709 are the same as S303, S304, S305, S307, S308 and S309 of embodiment one and are not described again; only the differences are described below.
S701: The UE sends an access request message (Attach) to the AUSF. The access request message carries information such as ID_UE and PVT_UE.
S702: After receiving the access request message sent by the UE, the AUSF parses it, obtains ID_UE and PVT_UE, and generates the symmetric key K_AUSF of the AUSF. Further, the AUSF obtains AK and KDK from K_AUSF according to the EAP-PSK standard RFC 4764.
S706: From the information provided by the UE, such as ID_UE and PVT_UE, the AUSF determines that the UE needs to perform identity-based cryptography and EAP-PSK authentication.
In the fifth embodiment of the application, the AUSF determines from the information sent by the UE, such as ID_UE and PVT_UE, that the UE needs to perform identity-based cryptography and EAP-PSK authentication.
The schemes provided by the embodiments of the application have been introduced above mainly from the perspective of the interaction between the network authentication node and the user equipment. It is understood that, in order to realize the above functions, the network authentication node and the user equipment each contain corresponding hardware structures and/or software modules for performing each function. The units and algorithm steps of each example described in connection with the embodiments disclosed herein can be realized in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the specific application and design constraints of the technical solution. Those skilled in the art may use different methods to realize the described functions for each specific application, but such realizations should not be considered to go beyond the scope of the technical solutions of the embodiments of the application.
The embodiments of the application may divide the network authentication node and the user equipment into functional units according to the above method examples; for example, each functional unit may correspond to one function, or two or more functions may be integrated in one processing unit. The integrated unit may be realized in the form of hardware or in the form of a software functional unit. It should be noted that the division into units in the embodiments of the application is schematic and is only a division by logical function; other divisions are possible in actual implementation.
When realized in hardware, the network authentication node and the user equipment may use the structure of the communication device shown in Fig. 5.
When realized in the form of software functional units, the network authentication node and the user equipment may use the structure shown in Fig. 12.
Referring to Fig. 12, user equipment 1000 includes a transmission unit 1001, a receiving unit 1002 and an authentication unit 1003. Network authentication node 2000 includes a receiving unit 2001, a transmission unit 2002 and an authentication unit 2003. Wherein:
Transmission unit 1001 is configured to send to network authentication node 2000 authentication type indication information, the ID of user equipment 1000 and the PVT of user equipment 1000, the authentication type indication information indicating that user equipment 1000 needs to perform identity-based cryptography and EAP-PSK authentication. Receiving unit 2001 is configured to receive the authentication type indication information, the ID information of user equipment 1000 and the PVT of user equipment 1000 sent by user equipment 1000. Transmission unit 2002 is configured to send the ID of network authentication node 2000 and the PVT of network authentication node 2000 to user equipment 1000 when it is determined from the authentication type indication information that user equipment 1000 needs to perform identity-based signature and EAP-PSK authentication. Receiving unit 1002 is configured to receive the ID of network authentication node 2000 and the PVT of network authentication node 2000 sent by network authentication node 2000. Authentication unit 1003 is configured to generate the symmetric key of user equipment 1000 from the ID of network authentication node 2000, the PVT of network authentication node 2000, the identity-based private key of user equipment 1000 and the global public key, to generate a first authentication key and a first key derivation key from the symmetric key of user equipment 1000, and to perform EAP-PSK authentication with network authentication node 2000 using the first authentication key and the first key derivation key. Authentication unit 2003 is configured to generate the symmetric key of network authentication node 2000 from the ID of user equipment 1000, the PVT of user equipment 1000, the identity-based private key of network authentication node 2000 and the global public key, to generate a second authentication key and a second key derivation key from the symmetric key of network authentication node 2000, and to perform EAP-PSK authentication with user equipment 1000 using the second authentication key and the second key derivation key.
Wherein, authentication unit 1003 generates the first authentication key and the first key derivation key from the symmetric key of user equipment 1000 in one of the following ways:
from the private key expiration date information of network authentication node 2000 received by receiving unit 1002 and the symmetric key of user equipment 1000, it generates the first authentication key and the first key derivation key; or from at least one of the random number generated by user equipment 1000 and the received random number generated by network authentication node 2000, together with the symmetric key of user equipment 1000, it generates the first authentication key and the first key derivation key.
Authentication unit 2003 generates the second authentication key and the second key derivation key from the symmetric key of the network authentication node in one of the following ways:
from the received private key expiration date information of user equipment 1000 and the symmetric key of network authentication node 2000, it generates the second authentication key and the second key derivation key; or from at least one of the random number generated by network authentication node 2000 and the received random number generated by user equipment 1000, together with the symmetric key of network authentication node 2000, it generates the second authentication key and the second key derivation key.
Wherein, the authentication type indication information is an authentication request that includes an EAP-PSK flag bit and indicates that the symmetric key is generated from an identity-based signature; or the authentication type indication information is the ID of user equipment 1000 and the PVT of user equipment 1000.
Wherein, transmission unit 1001 is further configured to send the private key expiration date information of user equipment 1000. Transmission unit 1001 sends the authentication type indication information, the ID of user equipment 1000, the PVT of user equipment 1000 and the private key expiration date information of user equipment 1000 in the access request message; or it sends the authentication type indication information in the access request message and sends the ID of user equipment 1000, the PVT of user equipment 1000 and the private key expiration date information of user equipment 1000 in the second message of the EAP-PSK authentication protocol.
Wherein, transmission unit 2002 is further configured to send the private key expiration date information of network authentication node 2000; transmission unit 2002 sends the ID of network authentication node 2000, the PVT of network authentication node 2000 and the private key expiration date information of network authentication node 2000 in the first message of the EAP-PSK authentication protocol.
Wherein, the symmetric key of user equipment 1000 satisfies the formula K_UE = [SSK_UE](KPAK + [hash(G || KPAK || ID_AUSF || PVT_AUSF)]PVT_AUSF); here K_UE is the symmetric key of user equipment 1000, SSK_UE is the private key of user equipment 1000, KPAK is the global public key, ID_AUSF is the identifier of network authentication node 2000, PVT_AUSF is the PVT of network authentication node 2000, G is the elliptic curve generator, [x]P denotes the scalar multiplication of the point P on the elliptic curve by the integer x, hash() is a cryptographic hash function, and || denotes concatenation.
The symmetric key of network authentication node 2000 satisfies the formula K_AUSF = [SSK_AUSF](KPAK + [hash(G || KPAK || ID_UE || PVT_UE)]PVT_UE); here K_AUSF is the symmetric key of network authentication node 2000, SSK_AUSF is the private key of network authentication node 2000, KPAK is the global public key, ID_UE is the identifier of user equipment 1000, PVT_UE is the PVT of user equipment 1000, G is the elliptic curve generator, [x]P denotes the scalar multiplication of the point P on the elliptic curve by the integer x, hash() is a cryptographic hash function, and || denotes concatenation.
It should be noted that the specific implementation of each functional unit in user equipment 1000 and network authentication node 2000 may also refer to the functions of user equipment 10 and network authentication node 20 described in the above embodiments, which are not repeated here.
In conclusion, by implementing the embodiments of the application, mutual authentication can be performed with the EAP-PSK authentication method without changing the interaction or the message format of the EAP-PSK authentication protocol, IBC-based mutual authentication is carried out on the EAP authentication framework supported by current 3GPP work, and IBC public-key technology is made compatible with the existing EAP protocol.
Those skilled in the art will appreciate that the embodiments of the application may be provided as a method, a system or a computer program product. Accordingly, the embodiments of the application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the embodiments of the application may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
The embodiments of the application are described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be realized by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realizing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or another programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device which realizes the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or another programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for realizing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Obviously, those skilled in the art can make various modifications and variations to the embodiments of the application without departing from the spirit and scope of the application. Thus, if these modifications and variations of the embodiments of the application fall within the scope of the claims of the application and their equivalent technology, the application is also intended to include them.
Claims (26)
1. A network authentication system, characterized in that it comprises a user equipment and a network authentication node, wherein:
the user equipment is configured to send to the network authentication node authentication type indication information, the identity ID of the user equipment and the public validation token PVT of the user equipment, the authentication type indication information indicating that the user equipment needs to perform identity-based cryptography and Extensible Authentication Protocol pre-shared key (EAP-PSK) authentication; to receive the ID of the network authentication node and the PVT of the network authentication node sent by the network authentication node; to generate a user equipment symmetric key from the ID of the network authentication node, the PVT of the network authentication node, the identity-based private key of the user equipment and the global public key; to generate a first authentication key and a first key derivation key from the user equipment symmetric key; and to perform EAP-PSK authentication with the network authentication node using the first authentication key and the first key derivation key;
the network authentication node is configured to receive the authentication type indication information, the ID information of the user equipment and the PVT of the user equipment sent by the user equipment; if it determines from the authentication type indication information that the user equipment needs to perform identity-based cryptography and EAP-PSK authentication, to send the ID of the network authentication node and the PVT of the network authentication node to the user equipment; to generate a network authentication node symmetric key from the ID of the user equipment, the PVT of the user equipment, the identity-based private key of the network authentication node and the global public key; to generate a second authentication key and a second key derivation key from the network authentication node symmetric key; and to perform EAP-PSK authentication with the user equipment using the second authentication key and the second key derivation key.
2. The network authentication system according to claim 1, characterized in that the network authentication node is further configured to send private key expiration date information of the network authentication node, and the user equipment is further configured to send private key expiration date information of the user equipment;
when generating the first authentication key and the first key derivation key according to the user equipment symmetric key, the user equipment is specifically configured to:
receive the private key expiration date information of the network authentication node sent by the network authentication node, and generate the first authentication key and the first key derivation key according to the private key expiration date information of the user equipment, the private key expiration date information of the network authentication node and the user equipment symmetric key; or
generate the first authentication key and the first key derivation key according to at least one of a random number generated by the user equipment and a received random number generated by the network authentication node, together with the user equipment symmetric key;
and generating, by the network authentication node, the second authentication key and the second key derivation key according to the network authentication node symmetric key includes:
receiving, by the network authentication node, the private key expiration date information of the user equipment sent by the user equipment, and generating the second authentication key and the second key derivation key according to the private key expiration date information of the network authentication node, the private key expiration date information of the user equipment and the network authentication node symmetric key; or
generating the second authentication key and the second key derivation key according to at least one of a random number generated by the network authentication node and a received random number generated by the user equipment, together with the network authentication node symmetric key.
3. The network authentication system according to claim 1 or 2, characterized in that the authentication type indication information is an authentication request that includes an EAP-PSK flag bit and is used to indicate that identity-based cryptography generates the symmetric key; or
the authentication type indication information is the ID of the user equipment and the PVT of the user equipment.
4. The network authentication system according to any one of claims 1 to 3, characterized in that the user equipment sends the authentication type indication information, the ID of the user equipment and the PVT of the user equipment in an access request message; or
the user equipment sends the authentication type indication information in an access request message, and sends the ID of the user equipment and the PVT of the user equipment in the second message of the EAP-PSK authentication protocol.
5. The network authentication system according to any one of claims 1 to 4, characterized in that the network authentication node sends the ID of the network authentication node and the PVT of the network authentication node in the first message of the EAP-PSK authentication protocol.
6. The network authentication system according to any one of claims 1 to 5, characterized in that the user equipment symmetric key satisfies the formula K_UE = [SSK_UE]([KPAK + hash(G || KPAK || ID_AUSF || PVT_AUSF)]PVT_AUSF);
the network authentication node symmetric key satisfies the formula K_AUSF = [SSK_AUSF]([KPAK + hash(G || KPAK || ID_UE || PVT_UE)]PVT_UE);
where K_UE is the user equipment symmetric key, SSK_UE is the private key of the user equipment, KPAK is the global public key, ID_AUSF is the identifier of the network authentication node, PVT_AUSF is the PVT of the network authentication node, K_AUSF is the network authentication node symmetric key, SSK_AUSF is the private key of the network authentication node, ID_UE is the identifier of the user equipment, PVT_UE is the PVT of the user equipment, G denotes the generator of the elliptic curve, [x]P denotes scalar multiplication of the point P on the elliptic curve, where x is an integer and P is a point on the elliptic curve, hash() denotes a cryptographic hash function, and || denotes string concatenation.
7. A user equipment, characterized in that it includes:
a sending unit, configured to send, to a network authentication node, authentication type indication information, an identity identifier (ID) of the user equipment and an authentication public key token (PVT) of the user equipment, the authentication type indication information being used to indicate that the user equipment needs to perform identity-based cryptography and Extensible Authentication Protocol pre-shared key (EAP-PSK) authentication;
a receiving unit, configured to receive the ID of the network authentication node and the PVT of the network authentication node sent by the network authentication node;
an authentication unit, configured to generate a user equipment symmetric key according to the ID of the network authentication node, the PVT of the network authentication node, a private key based on the identity of the user equipment and a global public key, to generate a first authentication key and a first key derivation key according to the user equipment symmetric key, and to perform EAP-PSK authentication with the network authentication node using the first authentication key and the first key derivation key.
8. The user equipment according to claim 7, characterized in that the authentication unit generates the first authentication key and the first key derivation key according to the user equipment symmetric key in the following way:
generating the first authentication key and the first key derivation key according to the private key expiration date information of the user equipment, the private key expiration date information of the network authentication node received by the receiving unit and the user equipment symmetric key; or
generating the first authentication key and the first key derivation key according to at least one of a random number generated by the user equipment and a received random number generated by the network authentication node, together with the user equipment symmetric key.
9. The user equipment according to claim 7 or 8, characterized in that the authentication type indication information is an authentication request that includes an EAP-PSK flag bit and is used to indicate that identity-based cryptography generates the symmetric key; or
the authentication type indication information is the ID of the user equipment and the PVT of the user equipment.
10. The user equipment according to any one of claims 7 to 9, characterized in that the sending unit sends the authentication type indication information, the ID of the user equipment and the PVT of the user equipment in an access request message; or
sends the authentication type indication information in an access request message, and sends the ID of the user equipment, the PVT of the user equipment and the private key expiration date information of the user equipment in the second message of the EAP-PSK authentication protocol.
11. The user equipment according to any one of claims 7 to 10, characterized in that the user equipment symmetric key satisfies the formula K_UE = [SSK_UE]([KPAK + hash(G || KPAK || ID_AUSF || PVT_AUSF)]PVT_AUSF);
where K_UE is the user equipment symmetric key, SSK_UE is the private key of the user equipment, KPAK is the global public key, ID_AUSF is the identifier of the network authentication node, PVT_AUSF is the PVT of the network authentication node, G denotes the generator of the elliptic curve, [x]P denotes scalar multiplication of the point P on the elliptic curve, where x is an integer and P is a point on the elliptic curve, hash() denotes a cryptographic hash function, and || denotes string concatenation.
12. A network authentication node, characterized in that it includes:
a receiving unit, configured to receive authentication type indication information, identity identifier (ID) information of a user equipment and an authentication public key token (PVT) of the user equipment sent by the user equipment;
a sending unit, configured to send the ID of the network authentication node and the PVT of the network authentication node to the user equipment when it is determined from the authentication type indication information that the user equipment needs to perform identity-based cryptography and EAP-PSK authentication;
an authentication unit, configured to generate a network authentication node symmetric key according to the ID of the user equipment, the PVT of the user equipment, a private key based on the identity of the network authentication node and a global public key, to generate a second authentication key and a second key derivation key according to the network authentication node symmetric key, and to perform EAP-PSK authentication with the user equipment using the second authentication key and the second key derivation key.
13. The network authentication node according to claim 12, characterized in that the authentication unit generates the second authentication key and the second key derivation key according to the network authentication node symmetric key in the following way:
generating the second authentication key and the second key derivation key according to the private key expiration date information of the network authentication node, the received private key expiration date information of the user equipment and the network authentication node symmetric key; or
generating the second authentication key and the second key derivation key according to at least one of a random number generated by the network authentication node and a received random number generated by the user equipment, together with the network authentication node symmetric key.
14. The network authentication node according to claim 12 or 13, characterized in that the authentication type indication information is an authentication request that includes an EAP-PSK flag bit and is used to indicate that identity-based cryptography generates the symmetric key; or
the authentication type indication information is the ID of the user equipment and the PVT of the user equipment.
15. The network authentication node according to any one of claims 12 to 14, characterized in that the sending unit sends the ID of the network authentication node and the PVT of the network authentication node in the first message of the EAP-PSK authentication protocol.
16. The network authentication node according to any one of claims 12 to 15, characterized in that the network authentication node symmetric key satisfies the formula K_AUSF = [SSK_AUSF]([KPAK + hash(G || KPAK || ID_UE || PVT_UE)]PVT_UE);
where K_AUSF is the network authentication node symmetric key, SSK_AUSF is the private key of the network authentication node, KPAK is the global public key, ID_UE is the identifier of the user equipment, PVT_UE is the PVT of the user equipment, G denotes the generator of the elliptic curve, [x]P denotes scalar multiplication of the point P on the elliptic curve, where x is an integer and P is a point on the elliptic curve, hash() denotes a cryptographic hash function, and || denotes string concatenation.
17. A network authentication method, characterized in that it includes:
sending, by a user equipment, to a network authentication node, authentication type indication information, an identity identifier (ID) of the user equipment and an authentication public key token (PVT) of the user equipment, the authentication type indication information being used to indicate that the user equipment needs to perform identity-based cryptography and Extensible Authentication Protocol pre-shared key (EAP-PSK) authentication;
receiving, by the user equipment, the ID of the network authentication node and the PVT of the network authentication node sent by the network authentication node;
generating, by the user equipment, a user equipment symmetric key according to the ID of the network authentication node, the PVT of the network authentication node, a private key based on the identity of the user equipment and a global public key, generating a first authentication key and a first key derivation key according to the user equipment symmetric key, and performing EAP-PSK authentication with the network authentication node using the first authentication key and the first key derivation key.
18. The method according to claim 17, characterized in that generating the first authentication key and the first key derivation key according to the user equipment symmetric key includes:
receiving the private key expiration date information of the network authentication node sent by the network authentication node, and generating the first authentication key and the first key derivation key according to the private key expiration date information of the user equipment, the private key expiration date information of the network authentication node and the user equipment symmetric key;
or
generating the first authentication key and the first key derivation key according to at least one of a random number generated by the user equipment and a received random number generated by the network authentication node, together with the user equipment symmetric key.
19. The method according to claim 17 or 18, characterized in that the authentication type indication information is an authentication request that includes an EAP-PSK flag bit and is used to indicate that an identity-based signature generates the symmetric key; or
the authentication type indication information is the ID of the user equipment and the PVT of the user equipment.
20. The method according to any one of claims 17 to 19, characterized in that the user equipment sends the authentication type indication information, the ID of the user equipment and the PVT of the user equipment in an access request message; or
the user equipment sends the authentication type indication information in an access request message, and sends the ID of the user equipment and the PVT of the user equipment in the second message of the EAP-PSK authentication protocol.
21. The method according to any one of claims 17 to 20, characterized in that the user equipment symmetric key satisfies the formula K_UE = [SSK_UE]([KPAK + hash(G || KPAK || ID_AUSF || PVT_AUSF)]PVT_AUSF);
where K_UE is the user equipment symmetric key, SSK_UE is the private key of the user equipment, KPAK is the global public key, ID_AUSF is the identifier of the network authentication node, PVT_AUSF is the PVT of the network authentication node, G denotes the generator of the elliptic curve, [x]P denotes scalar multiplication of the point P on the elliptic curve, where x is an integer and P is a point on the elliptic curve, hash() denotes a cryptographic hash function, and || denotes string concatenation.
22. A network authentication method, characterized in that it includes:
receiving, by a network authentication node, authentication type indication information, identity identifier (ID) information of a user equipment and an authentication public key token (PVT) of the user equipment sent by the user equipment;
if the network authentication node determines from the authentication type indication information that the user equipment is to perform identity-based cryptography and Extensible Authentication Protocol pre-shared key (EAP-PSK) authentication, sending the ID of the network authentication node and the PVT of the network authentication node to the user equipment;
generating, by the network authentication node, a network authentication node symmetric key according to the ID of the user equipment, the PVT of the user equipment, a private key based on the identity of the network authentication node and a global public key, generating a second authentication key and a second key derivation key according to the network authentication node symmetric key, and performing EAP-PSK authentication with the user equipment using the second authentication key and the second key derivation key.
23. The method according to claim 22, characterized in that generating the second authentication key and the second key derivation key according to the network authentication node symmetric key includes:
receiving the private key expiration date information of the user equipment sent by the user equipment, and generating the second authentication key and the second key derivation key according to the private key expiration date information of the network authentication node, the private key expiration date information of the user equipment and the network authentication node symmetric key; or
generating the second authentication key and the second key derivation key according to at least one of a random number generated by the network authentication node and a received random number generated by the user equipment, together with the network authentication node symmetric key.
24. The method according to claim 22 or 23, characterized in that the authentication type indication information is an authentication request that includes an EAP-PSK flag bit and is used to indicate that an identity-based signature generates the symmetric key; or
the authentication type indication information is the ID of the user equipment and the PVT of the user equipment.
25. The method according to any one of claims 22 to 24, characterized in that the network authentication node sends the ID of the network authentication node and the PVT of the network authentication node in the first message of the EAP-PSK authentication protocol.
26. The method according to any one of claims 22 to 25, characterized in that the network authentication node symmetric key satisfies the formula K_AUSF = [SSK_AUSF]([KPAK + hash(G || KPAK || ID_UE || PVT_UE)]PVT_UE);
where K_AUSF is the network authentication node symmetric key, SSK_AUSF is the private key of the network authentication node, KPAK is the global public key, ID_UE is the identifier of the user equipment, PVT_UE is the PVT of the user equipment, G denotes the generator of the elliptic curve, [x]P denotes scalar multiplication of the point P on the elliptic curve, where x is an integer and P is a point on the elliptic curve, hash() denotes a cryptographic hash function, and || denotes string concatenation.
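The key agreement behind the K_UE and K_AUSF formulas (claims 6, 11, 16, 21 and 26) and the authentication-key / key-derivation-key step that follows it (claims 2, 8, 13, 18 and 23), as an added worked example; this is not code from the patent or its applicant. It assumes RFC 6507 (ECCSI) key material, where the KMS publishes KPAK = [KSAK]G and issues each identity a pair PVT = [v]G, SSK = KSAK + HS·v mod q with HS = hash(G || KPAK || ID || PVT), and it reads the claim formula as [SSK_UE](KPAK + [hash(G || KPAK || ID_AUSF || PVT_AUSF)]PVT_AUSF), the one reading under which the point KPAK and the integer hash combine with the [x]P notation the claims define. The curve (P-256), hash (SHA-256), point encoding, HMAC-based derivation of AK and KDK, and the identities and expiry strings are all assumptions or constructed sample values.

```python
# Added illustration (not code from the patent): identity-based symmetric-key
# agreement of the kind the claims describe, built on RFC 6507 (ECCSI) key
# material. Curve, hash, encodings and KDF are assumptions, not the patent's.
import hashlib
import hmac
import secrets

# NIST P-256 domain parameters (assumed; the claims name no curve).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
Q = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def ec_add(p1, p2):
    """Affine point addition on the curve; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                        # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P       # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P              # chord
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Scalar multiplication [k]pt (the claims' [x]P notation), double-and-add."""
    acc = None
    k %= Q
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def enc(pt):
    """Uncompressed point encoding 0x04||x||y, the form RFC 6507 hashes."""
    return b"\x04" + pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def hs(kpak, ident, pvt):
    """HS = hash(G || KPAK || ID || PVT), the scalar in the claims' formula, mod q."""
    digest = hashlib.sha256(enc(G) + enc(kpak) + ident + enc(pvt)).digest()
    return int.from_bytes(digest, "big") % Q


class KMS:
    """Key management server: secret KSAK, global public key KPAK = [KSAK]G."""

    def __init__(self):
        self.ksak = 1 + secrets.randbelow(Q - 1)
        self.kpak = ec_mul(self.ksak, G)

    def issue(self, ident):
        """Identity-based pair (SSK, PVT): PVT = [v]G, SSK = KSAK + HS*v mod q,
        so KPAK + [HS]PVT == [SSK]G for anyone who knows only ID and PVT."""
        v = 1 + secrets.randbelow(Q - 1)
        pvt = ec_mul(v, G)
        ssk = (self.ksak + hs(self.kpak, ident, pvt) * v) % Q
        return ssk, pvt


def shared_key(ssk_self, kpak, peer_id, peer_pvt):
    """K = [SSK_self](KPAK + [HS_peer]PVT_peer): the claims' K_UE / K_AUSF formula,
    read with the hash scalar on PVT and the point KPAK added (assumed reading).
    Both sides land on [SSK_UE][SSK_AUSF]G; the x-coordinate is the symmetric key."""
    peer_pub = ec_add(kpak, ec_mul(hs(kpak, peer_id, peer_pvt), peer_pvt))
    return ec_mul(ssk_self, peer_pub)[0].to_bytes(32, "big")


def derive_ak_kdk(k, *context):
    """Authentication key (AK) and key derivation key (KDK) from K plus context;
    claim 2 lets the context be both sides' private-key expiry information
    and/or both sides' random numbers. HMAC-SHA256 with labels is an assumed
    stand-in: the claims fix no KDF, and an EAP-PSK peer per RFC 4764 derives
    AK/KDK from a 16-byte PSK with its own AES-based scheme."""
    ctx = b"".join(context)
    ak = hmac.new(k, b"AK|" + ctx, hashlib.sha256).digest()[:16]
    kdk = hmac.new(k, b"KDK|" + ctx, hashlib.sha256).digest()[:16]
    return ak, kdk


if __name__ == "__main__":
    kms = KMS()
    ssk_ue, pvt_ue = kms.issue(b"ue-001")            # constructed identities
    ssk_ausf, pvt_ausf = kms.issue(b"ausf-001")
    # UE -> AUSF: indication, ID_UE, PVT_UE; AUSF -> UE: ID_AUSF, PVT_AUSF
    k_ue = shared_key(ssk_ue, kms.kpak, b"ausf-001", pvt_ausf)
    k_ausf = shared_key(ssk_ausf, kms.kpak, b"ue-001", pvt_ue)
    expiry = (b"2018-01-24", b"2018-12-31")          # constructed expiry info
    print("K agrees:", k_ue == k_ausf,
          "AK/KDK agree:", derive_ak_kdk(k_ue, *expiry) == derive_ak_kdk(k_ausf, *expiry))
```

Two properties worth checking in any implementation of this scheme: each side hashes the peer's claimed ID into HS, so a PVT presented under a different identity yields a different key rather than an error, and the agreement only holds between parties trusting the same KPAK. The expiry information the claims fold into the AK/KDK derivation is therefore the only thing that bounds how long a KMS-issued SSK stays usable, and both sides must hold the same value of it before the EAP-PSK exchange starts.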
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710060133.1A CN108347417B (en) | 2017-01-24 | 2017-01-24 | Network authentication method, user equipment, network authentication node and system |
PCT/CN2017/103241 WO2018137352A1 (en) | 2017-01-24 | 2017-09-25 | Network verification method, user equipment, network authentication node and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108347417A true CN108347417A (en) | 2018-07-31 |
CN108347417B CN108347417B (en) | 2020-08-07 |
Family
ID=62962945
Country Status (2)
Country | Link |
---|---|
CN (1) | CN108347417B (en) |
WO (1) | WO2018137352A1 (en) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2020177591A1 (en) * | 2019-03-01 | 2020-09-10 | 中兴通讯股份有限公司 | Determining method and device for key, storage medium and electronic device |
CN111669748A (en) * | 2020-05-20 | 2020-09-15 | 中国科学院软件研究所 | Mobile communication authentication method with privacy protection function |
CN111865598A (en) * | 2019-04-28 | 2020-10-30 | 华为技术有限公司 | Identity verification method and related device for network function service |
CN112242976A (en) * | 2019-07-17 | 2021-01-19 | 华为技术有限公司 | Identity authentication method and device |
CN112333705A (en) * | 2021-01-07 | 2021-02-05 | 北京电信易通信息技术股份有限公司 | Identity authentication method and system for 5G communication network |
CN113079508A (en) * | 2021-04-06 | 2021-07-06 | 中国工商银行股份有限公司 | Data transmission method, device and equipment based on block chain network |
CN113455024A (en) * | 2020-05-29 | 2021-09-28 | 华为技术有限公司 | Key acquisition method and related device |
WO2022067827A1 (en) * | 2020-09-30 | 2022-04-07 | 华为技术有限公司 | Key derivation method and apparatus, and system |
CN114448644A (en) * | 2022-03-04 | 2022-05-06 | 芜湖雄狮汽车科技有限公司 | Method, device, equipment and medium for realizing digital certificate based on symmetric algorithm |
CN115314278A (en) * | 2022-08-04 | 2022-11-08 | 长扬科技(北京)股份有限公司 | Trusted network connection identity authentication method, electronic equipment and storage medium |
CN116260582A (en) * | 2023-05-16 | 2023-06-13 | 中汽智联技术有限公司 | Identity authentication and encryption communication method for network-connected vehicle |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109309917B (en) * | 2018-10-24 | 2021-11-02 | 上海收付宝科技有限公司 | eID digital identity authentication method and system based on mobile terminal software cryptographic module |
CN111435932B (en) * | 2019-01-14 | 2021-10-01 | 华为技术有限公司 | Token processing method and device |
CN112311556B (en) * | 2020-11-05 | 2024-05-24 | 北京领主科技有限公司 | Device authentication method, device control method, node, device and blockchain |
CN117858082A (en) * | 2022-09-30 | 2024-04-09 | 中国移动通信有限公司研究院 | Authentication processing method, device, equipment and readable storage medium |
Citations (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101110673A (en) * | 2006-07-17 | 2008-01-23 | 华为技术有限公司 | Method and device for performing multi-time authentication through one EAP course |
CN101119196A (en) * | 2006-08-03 | 2008-02-06 | 西安电子科技大学 | Bidirectional identification method and system |
CN101166090A (en) * | 2006-10-20 | 2008-04-23 | 中兴通讯股份有限公司 | An authorization method based on multiple authentication and RSA authentication |
CN101414907A (en) * | 2008-11-27 | 2009-04-22 | 北京邮电大学 | Method and system for accessing network based on user identification authorization |
CN101552984A (en) * | 2009-05-05 | 2009-10-07 | 广州杰赛科技股份有限公司 | Base station secure accessing method of mobile communication system |
CN101594616A (en) * | 2009-07-08 | 2009-12-02 | 深圳华为通信技术有限公司 | Authentication method, server, subscriber equipment and communication system |
CN101815294A (en) * | 2009-02-20 | 2010-08-25 | 华为技术有限公司 | Access authentication method, equipment and system of P2P (peer-to-peer) network |
CN101822082A (en) * | 2007-10-05 | 2010-09-01 | 交互数字技术公司 | The technology that is used for safe laneization between UICC and the terminal |
CN101895881A (en) * | 2009-05-18 | 2010-11-24 | 中国移动通信集团公司 | Method for realizing GBA secret key and pluggable equipment of terminal |
CN102281287A (en) * | 2011-06-23 | 2011-12-14 | 北京交通大学 | TLS (transport layer security)-based separation mechanism mobile signaling protection system and method |
CN103795728A (en) * | 2014-02-24 | 2014-05-14 | 哈尔滨工程大学 | EAP authentication method capable of hiding identities and suitable for resource-constrained terminal |
CN104365151A (en) * | 2012-06-15 | 2015-02-18 | 诺基亚通信公司 | Dynamic control of network selection |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101442522B (en) * | 2008-12-25 | 2011-08-10 | 中国电子科技集团公司第五十四研究所 | Identification authentication method for communication entity based on combined public key |
Events
- 2017-01-24: CN CN201710060133.1A, patent CN108347417B, status Active
- 2017-09-25: WO PCT/CN2017/103241, patent WO2018137352A1, status Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN108347417B (en) | 2020-08-07 |
WO2018137352A1 (en) | 2018-08-02 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||