CN109309566B - Authentication method, device, system, equipment and storage medium - Google Patents

Authentication method, device, system, equipment and storage medium

Info

Publication number
CN109309566B
Authority
CN
China
Prior art keywords
key
response
authentication
sub
seaf
Prior art date
Legal status
Active
Application number
CN201710633597.7A
Other languages
Chinese (zh)
Other versions
CN109309566A (en)
Inventor
刘福文
彭晋
左敏
庄小君
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Application filed by China Mobile Communications Group Co Ltd, China Mobile Communications Ltd Research Institute
Priority to CN201710633597.7A
Publication of CN109309566A
Application granted
Publication of CN109309566B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos

Abstract

The invention discloses an authentication method, an authentication device, an authentication system, authentication equipment and a storage medium, wherein the method comprises the following steps: the AUSF equipment receives an authentication vector containing a random number RAND, an authentication token AUTN, an expected response and a session root key, acquires an encryption key, and encrypts the session root key by adopting the encryption key; sending a 5G-AIA message comprising the RAND, the AUTN and the encrypted session root key to the SEAF equipment, so that the SEAF equipment sends the RAND and the AUTN to the UE, determines a decryption key by adopting a preset algorithm according to an authentication response returned by the UE, and decrypts the encrypted session root key; and receiving the 5G-AC message sent after the SEAF equipment successfully decrypts the encrypted session root key, and determining that the SEAF equipment completes authentication on the UE. The method is used for solving the problems that in the prior art, session root key plaintext transmission is easy to obtain by an attacker, and the communication safety of a user is influenced.

Description

Authentication method, device, system, equipment and storage medium
Technical Field
The present invention relates to the field of communications technologies, and in particular, to an authentication method, apparatus, system, device, and storage medium.
Background
In order to cope with the explosive growth of mobile data traffic, massive device connection, and the new services and application scenarios that will continue to emerge, the fifth-generation mobile communication system (5th Generation, 5G) has been developed. Evolved Packet System Authentication and Key Agreement (EPS-AKA) is a cryptographic protocol for verifying the authenticity of a communicating entity's identity in real time. It plays a key role in the security system and, because it usually establishes a session key in addition to performing authentication, it is also referred to as an authenticated key establishment protocol. 3GPP TS 33.501 has decided to use EPS-AKA* as one of the authentication protocols for access authentication of 3GPP users in 5G. EPS-AKA* is an improvement of EPS-AKA: it strengthens the monitoring of the UE authentication result by the Authentication Server Function (AUSF) device, thereby avoiding possible spoofing of the authentication result by the Security Anchor Function (SEAF) device towards the AUSF device. Specifically, after the SEAF device successfully authenticates the UE, the SEAF device also returns the authentication result to the AUSF device, so that the AUSF device can confirm whether the UE has been authenticated at the SEAF device.
However, in this authentication manner EPS-AKA*, like EPS-AKA, transmits the session root key from the AUSF device to the SEAF device in plaintext. An attacker who steals the transmitted session root key can use it to eavesdrop on the communication of the SEAF device, so the communication security of the user cannot be guaranteed and the user experience is affected.
Disclosure of Invention
The invention provides an authentication method, an authentication device, an authentication system, authentication equipment and a storage medium, which are used for solving the problem that in the prior art, when the session root key is transmitted in plaintext between the Authentication Server Function (AUSF) device and the Security Anchor Function (SEAF) device, an attacker can easily obtain the session root key, and the communication security and experience of the user are affected.
The invention discloses an authentication method, which is applied to an AUSF device having an authentication server function, and comprises the following steps:
receiving an authentication vector containing a random number RAND, an authentication token AUTN, an expected response and a session root key, acquiring an encryption key, and encrypting the session root key by using the encryption key, wherein the encryption key is determined according to the expected response and a preset algorithm;
sending a 5G authentication start response 5G-AIA message comprising an RAND, an AUTN and an encrypted session root key to a security anchor point function SEAF device, so that the SEAF device sends the RAND and the AUTN to the UE after receiving the 5G-AIA message, generates a decryption key by adopting the preset algorithm according to an authentication response returned by the UE, and decrypts the encrypted session root key;
and receiving a 5G authentication confirmation 5G-AC message sent by the SEAF equipment, and determining that the SEAF equipment completes the authentication of the UE, wherein the 5G-AC message is sent after the SEAF equipment successfully decrypts the encrypted session root key.
Further, the obtaining the encryption key includes:
generating a first key according to the expected response contained in the authentication vector and a preset algorithm, and obtaining the encryption key according to the generated first key; or
receiving a first key sent by an authentication credential storage and processing function (ARPF) device, and obtaining the encryption key according to the received first key, wherein the ARPF device generates the first key according to the expected response and the preset algorithm.
Further, obtaining an encryption key from the first key comprises:
using the first key as the encryption key; or
extracting, according to a preset first method, a segment of a first set length from the first key as the encryption key.
Further, before the sending the 5G-AIA message including the RAND, AUTN, and encrypted session root key to the SEAF device, the method further includes:
obtaining a first sub-expected response;
the sending the 5G-AIA message including the RAND, the AUTN and the encrypted session root key to the SEAF device includes:
sending a 5G-AIA message to the SEAF device including the RAND, the AUTN, the first sub-expected response, and the encrypted session root key.
Further, the obtaining the first sub-expected response comprises:
generating a first hash value according to the RAND, the expected response, the session root key and a preset first hash algorithm, and extracting, according to a preset second method, a segment of a second set length from the first hash value as the first sub-expected response; or
extracting, according to a preset third method, a segment of a third set length from the first key as the first sub-expected response.
Further, before the receiving the 5G authentication confirmation message sent by the SEAF device, the method further includes:
obtaining a second sub-expected response;
receiving a 5G-AC message sent by a SEAF device, and determining that the SEAF device completes authentication on UE comprises:
and receiving a 5G-AC message which is sent by the SEAF equipment and contains a second sub-response, verifying the second sub-response according to the second sub-expected response, and determining that the SEAF equipment completes the authentication of the UE if the verification is passed.
Further, the obtaining a second sub-expected response comprises:
generating a second hash value according to the RAND, the expected response, the session root key and a preset second hash algorithm, and extracting, according to a preset fourth method, a segment of a fourth set length from the second hash value as the second sub-expected response; or
extracting, according to a preset fifth method, a segment of a fifth set length from the first key as the second sub-expected response.
Further, generating the first key according to the expected response and the preset algorithm includes:
generating the first key according to the RAND, the expected response and the preset algorithm.
The invention discloses an authentication method, which is applied to security anchor point function SEAF equipment and comprises the following steps:
receiving a 5G authentication start response 5G-AIA message sent by the AUSF device and comprising a random number RAND, an authentication token AUTN and an encrypted session root key, and sending the RAND and the AUTN to the UE, wherein the encrypted session root key in the 5G-AIA message is produced by the AUSF device, which receives an authentication vector comprising the random number RAND, the authentication token AUTN, an expected response and the session root key, and encrypts the session root key with an encryption key determined according to the expected response and a preset algorithm;
receiving an authentication response returned by the UE, determining a decryption key according to the authentication response and the preset algorithm, and decrypting the encrypted session root key;
and if the encrypted session root key is decrypted successfully, sending a 5G authentication confirmation 5G-AC message to the AUSF device.
Further, the determining a decryption key according to the authentication response and the preset algorithm includes:
generating a second key according to the authentication response and the preset algorithm, and using the second key as the decryption key; or
generating a second key according to the authentication response and the preset algorithm, and extracting, according to a preset first method, a segment of a first set length from the second key as the decryption key.
Further, the receiving 5G-AIA message sent by the AUSF device and containing the RAND, the AUTN, and the encrypted session root key includes:
receiving a 5G-AIA message which is sent by AUSF equipment and contains RAND, AUTN, a first sub-expected response and an encrypted session root key;
before the sending the 5G-AC message to the AUSF device, the method further includes:
acquiring a first sub-response;
and verifying the first sub-response according to the first sub-expected response, and if the first sub-response passes the verification, performing subsequent steps.
Further, the obtaining the first sub-response comprises:
generating a first check hash value according to the RAND, the authentication response, the session root key and a preset first hash algorithm, and extracting, according to a preset second method, a segment of a second set length from the first check hash value as the first sub-response; or
extracting, according to a preset third method, a segment of a third set length from the second key as the first sub-response.
Further, before the sending the 5G-AC to the AUSF device, the method further includes:
acquiring a second sub-response;
the sending the 5G-AC message to the AUSF device includes:
and sending a 5G-AC message containing the second sub-response to the AUSF equipment.
Further, the obtaining the second sub-response comprises:
generating a second check hash value according to the RAND, the authentication response, the session root key and a preset second hash algorithm, and extracting, according to a preset fourth method, a segment of a fourth set length from the second check hash value as the second sub-response; or
extracting, according to a preset fifth method, a segment of a fifth set length from the second key as the second sub-response.
Further, generating the second key according to the authentication response and the preset algorithm includes:
generating the second key according to the RAND, the authentication response and the preset algorithm.
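The AUSF-side and SEAF-side procedures above, modelled end to end as an added Python example (not the patent's own code or any 3GPP implementation). Assumptions not fixed by the patent: HMAC-SHA256 stands in for the preset algorithm and for both hash algorithms, the session root key is wrapped by XOR with an HMAC-derived keystream (a stdlib-only stand-in for an AEAD such as AES-GCM), the first set length is 16 bytes, the sub-response lengths are 8 bytes, and the UE's RES function and all keys are constructed. Because the wrap carries no integrity of its own, "successful decryption" is detected through the optional first sub-response check, which the example therefore includes.

```python
"""Toy model of the CN109309566B flow (example code, not the patent's own).
The AUSF wraps the session root key under a key derived from XRES; the SEAF
can unwrap it only with the RES the UE actually returns. Assumed choices:
HMAC-SHA256 as the preset algorithm and both hash algorithms, XOR with an
HMAC keystream as the wrap, 16-byte key length, 8-byte sub-responses."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

KEY_LEN = 16   # "first set length": bytes of the first/second key used as enc/dec key
SUB_LEN = 8    # "second/fourth set length": bytes kept as sub-(expected) responses


def derive_first_key(rand: bytes, res: bytes) -> bytes:
    """Preset algorithm: first key (AUSF, from XRES) or second key (SEAF, from RES)."""
    return hmac.new(res, rand + b"first-key", hashlib.sha256).digest()


def wrap_key(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt the session root key by XOR with an HMAC keystream.
    The key is fresh per RAND, so the keystream is never reused."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        block = b"wrap" + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def sub_response(label: bytes, rand: bytes, res: bytes, root_key: bytes) -> bytes:
    """First/second (expected) sub-response: truncated hash over RAND, RES or XRES, root key."""
    return hmac.new(label, rand + res + root_key, hashlib.sha256).digest()[:SUB_LEN]


@dataclass
class AuthVector:          # authentication vector as received by the AUSF
    rand: bytes
    autn: bytes
    xres: bytes            # expected response
    kseaf: bytes           # session root key


@dataclass
class Msg5GAIA:            # 5G-AIA as sent from AUSF to SEAF (no plaintext root key)
    rand: bytes
    autn: bytes
    sub_xres1: bytes       # first sub-expected response
    enc_kseaf: bytes       # encrypted session root key


def ausf_build_5g_aia(av: AuthVector) -> Msg5GAIA:
    """AUSF: derive the encryption key from XRES, wrap Kseaf, attach first sub-XRES."""
    enc_key = derive_first_key(av.rand, av.xres)[:KEY_LEN]
    sub_xres1 = sub_response(b"sub1", av.rand, av.xres, av.kseaf)
    return Msg5GAIA(av.rand, av.autn, sub_xres1, wrap_key(enc_key, av.kseaf))


def ue_respond(rand: bytes, autn: bytes, k: bytes) -> bytes:
    """UE (constructed): RES = f2(K, RAND) modelled as HMAC; the AUTN check is omitted."""
    return hmac.new(k, rand + autn, hashlib.sha256).digest()[:16]


def seaf_handle(aia: Msg5GAIA, res: bytes):
    """SEAF: derive the decryption key from RES, unwrap, verify the first sub-response.
    Returns (ok, kseaf, second sub-response for the 5G-AC); kseaf is None on failure."""
    dec_key = derive_first_key(aia.rand, res)[:KEY_LEN]
    kseaf = wrap_key(dec_key, aia.enc_kseaf)
    expected = sub_response(b"sub1", aia.rand, res, kseaf)
    if not hmac.compare_digest(expected, aia.sub_xres1):
        return False, None, None   # wrong RES unwraps to garbage and is detected here
    return True, kseaf, sub_response(b"sub2", aia.rand, res, kseaf)


def ausf_verify_5g_ac(av: AuthVector, sub_res2: bytes) -> bool:
    """AUSF: compare the second sub-response carried in the 5G-AC with second sub-XRES."""
    return hmac.compare_digest(sub_response(b"sub2", av.rand, av.xres, av.kseaf), sub_res2)


def run_flow(k_ue: bytes, k_network: bytes):
    """Whole exchange; k_network is the subscriber key the network side holds.
    Returns (authentication confirmed, SEAF got the right Kseaf, link carried no plaintext)."""
    rand, autn = secrets.token_bytes(16), secrets.token_bytes(16)
    av = AuthVector(rand, autn, ue_respond(rand, autn, k_network), secrets.token_bytes(32))
    aia = ausf_build_5g_aia(av)                  # AUSF -> SEAF
    res = ue_respond(aia.rand, aia.autn, k_ue)   # SEAF -> UE -> SEAF
    ok, kseaf, sub_res2 = seaf_handle(aia, res)
    confirmed = ok and ausf_verify_5g_ac(av, sub_res2)   # SEAF -> AUSF (5G-AC)
    return confirmed, kseaf == av.kseaf, aia.enc_kseaf != av.kseaf


if __name__ == "__main__":
    K = bytes(range(32))                         # constructed subscriber key
    print("genuine UE:", run_flow(K, K))          # (True, True, True)
    print("wrong key: ", run_flow(bytes(32), K))  # (False, False, True)
```

A UE holding the wrong key produces a RES that unwraps to garbage and fails the first sub-response check at the SEAF, and a SEAF that never obtained a valid RES cannot produce the second sub-response the AUSF verifies in the 5G-AC.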
The invention discloses an authentication device, which is applied to AUSF equipment with an authentication service function, and comprises the following components:
the encryption module is used for receiving an authentication vector containing a random number RAND, an authentication token AUTN, an expected response and a session root key, acquiring an encryption key, and encrypting the session root key by adopting the encryption key, wherein the encryption key is determined according to the expected response and a preset algorithm;
a sending module, configured to send a 5G authentication initiation response 5G-AIA message including an RAND, an AUTN, and an encrypted session root key to a security anchor point function SEAF device, so that after receiving the 5G-AIA message, the SEAF device sends the RAND and the AUTN to the UE, and generates a decryption key according to an authentication response returned by the UE by using the preset algorithm, and decrypts the encrypted session root key;
and the receiving determining module is used for receiving a 5G authentication confirmation message 5G-AC sent by the SEAF equipment and determining that the SEAF equipment completes the authentication of the UE, wherein the 5G-AC is sent after the SEAF equipment successfully decrypts the encrypted session root key.
The invention discloses an authentication device, which is applied to security anchor point function SEAF equipment, and comprises:
a transceiver module, configured to receive a 5G-AIA message sent by the AUSF device and including a random number RAND, an authentication token AUTN and an encrypted session root key, and to send the RAND and the AUTN to the UE, where the encrypted session root key in the 5G-AIA message is produced by the AUSF device, which receives an authentication vector including the random number RAND, the authentication token AUTN, an expected response and the session root key, and encrypts the session root key with an encryption key determined according to the expected response and a preset algorithm;
the receiving decryption module is used for receiving the authentication response returned by the UE, determining a decryption key according to the authentication response and the preset algorithm, and decrypting the encrypted session root key;
and the sending module is used for sending a 5G authentication confirmation 5G-AC message to the AUSF device if the encrypted session root key is decrypted successfully.
The invention discloses AUSF equipment with an authentication service function, which comprises a memory, a processor and a transceiver;
the processor is used for reading the program in the memory and executing the following processes: receiving an authentication vector containing a random number RAND, an authentication token AUTN, an expected response and a session root key through a transceiver, acquiring an encryption key, and encrypting the session root key by using the encryption key, wherein the encryption key is determined according to the expected response and a preset algorithm; sending a 5G authentication start response 5G-AIA message comprising an RAND, an AUTN and an encrypted session root key to a security anchor point function SEAF device, so that the SEAF device sends the RAND and the AUTN to the UE after receiving the 5G-AIA message, generates a decryption key by adopting the preset algorithm according to an authentication response returned by the UE, and decrypts the encrypted session root key; and receiving a 5G authentication confirmation message 5G-AC sent by the SEAF equipment, and determining that the SEAF equipment completes the authentication of the UE, wherein the 5G-AC is sent after the SEAF equipment successfully decrypts the encrypted session root key.
Further, the processor is specifically configured to generate a first key according to the expected response included in the authentication vector and a preset algorithm, and obtain the encryption key according to the generated first key; or to receive a first key sent by an authentication credential storage and processing function (ARPF) device, and obtain the encryption key according to the received first key, wherein the ARPF device generates the first key according to the expected response and the preset algorithm.
Further, the processor is specifically configured to use the first key as the encryption key; or to extract, according to a preset first method, a segment of a first set length from the first key as the encryption key.
Further, the processor is further configured to obtain a first sub-expected response; sending, by the transceiver, a 5G-AIA message to the SEAF device including the RAND, the AUTN, the first sub-expected response, and the encrypted session root key.
Further, the processor is specifically configured to generate a first hash value according to the RAND, the expected response, the session root key and a preset first hash algorithm, and extract, according to a preset second method, a segment of a second set length from the first hash value as the first sub-expected response; or to extract, according to a preset third method, a segment of a third set length from the first key as the first sub-expected response.
Further, the processor is further configured to obtain a second sub-expected response; and receiving a 5G-AC message which is sent by the SEAF equipment and contains a second sub-response through the transceiver, verifying the second sub-response according to the second sub-expected response, and determining that the SEAF equipment completes the authentication of the UE if the verification is passed.
Further, the processor is specifically configured to generate a second hash value according to the RAND, the expected response, the session root key and a preset second hash algorithm, and extract, according to a preset fourth method, a segment of a fourth set length from the second hash value as the second sub-expected response; or to extract, according to a preset fifth method, a segment of a fifth set length from the first key as the second sub-expected response.
Further, the processor is specifically configured to generate a first key according to the RAND, the expected response, and a preset algorithm.
The invention discloses a safety anchor point function SEAF device, comprising: a memory, a processor, and a transceiver;
the processor is used for reading the program in the memory and executing the following processes: receiving, through the transceiver, a 5G authentication start response 5G-AIA message sent by the authentication server function AUSF device and including a random number RAND, an authentication token AUTN and an encrypted session root key, and sending the RAND and the AUTN to the UE, where the encrypted session root key in the 5G-AIA message is produced by the AUSF device, which receives an authentication vector including the random number RAND, the authentication token AUTN, an expected response and the session root key, and encrypts the session root key with an encryption key determined according to the expected response and a preset algorithm; receiving an authentication response returned by the UE, determining a decryption key according to the authentication response and the preset algorithm, and decrypting the encrypted session root key; and if the encrypted session root key is decrypted successfully, sending a 5G authentication confirmation 5G-AC message to the AUSF device.
Further, the processor is specifically configured to generate a second key according to the authentication response and the preset algorithm and use the second key as the decryption key; or to generate a second key according to the authentication response and the preset algorithm and extract, according to a preset first method, a segment of a first set length from the second key as the decryption key.
Further, the processor is specifically configured to receive, by the transceiver, a 5G-AIA message sent by the AUSF device and including the RAND, the AUTN, the first sub-expected response, and the encrypted session root key; acquiring a first sub-response; and verifying the first sub-response according to the first sub-expected response, and if the first sub-response passes the verification, performing subsequent steps.
Further, the processor is specifically configured to generate a first check hash value according to the RAND, the authentication response, the session root key and a preset first hash algorithm, and extract, according to a preset second method, a segment of a second set length from the first check hash value as the first sub-response; or to extract, according to a preset third method, a segment of a third set length from the second key as the first sub-response.
Further, the processor is further configured to obtain a second sub-response; transmitting, by a transceiver, a 5G-AC message including the second sub-response to the AUSF device.
Further, the processor is specifically configured to generate a second check hash value according to the RAND, the authentication response, the session root key and a preset second hash algorithm, and extract, according to a preset fourth method, a segment of a fourth set length from the second check hash value as the second sub-response; or to extract, according to a preset fifth method, a segment of a fifth set length from the second key as the second sub-response.
Further, the processor is specifically configured to generate a second key according to the RAND, the authentication response, and a preset algorithm.
The invention discloses an authentication system, which comprises a UE, an AUSF (Authentication Server Function) device and a SEAF (Security Anchor Function) device; wherein:
the AUSF equipment is used for receiving an authentication vector containing a random number RAND, an authentication token AUTN, an expected response and a session root key, acquiring an encryption key, and encrypting the session root key by adopting the encryption key, wherein the encryption key is determined according to the expected response and a preset algorithm; sending a 5G authentication start response 5G-AIA message comprising the RAND, the AUTN and the encrypted session root key to the SEAF equipment;
the SEAF equipment is used for receiving a 5G-AIA message which is sent by AUSF equipment and comprises a random number RAND, an authentication token AUTN and an encrypted session root key, and sending the RAND and the AUTN to the UE;
the UE is used for receiving the RAND and the AUTN sent by the SEAF equipment, generating an authentication response according to the RAND and the AUTN, and sending the authentication response to the SEAF equipment;
the SEAF equipment is further configured to receive an authentication response returned by the UE, determine a decryption key according to the authentication response and the preset algorithm, and decrypt the encrypted session root key; if the encrypted session root key is decrypted successfully, a 5G authentication confirmation 5G-AC message is sent to the AUSF device;
the AUSF equipment is further configured to receive a 5G-AC message sent by the SEAF equipment, and determine that the SEAF equipment completes authentication on the UE.
Further, the AUSF device is specifically configured to generate a first key according to the expected response included in the authentication vector and a preset algorithm, and obtain the encryption key according to the generated first key; or to receive a first key sent by an authentication credential storage and processing function (ARPF) device, and obtain the encryption key according to the received first key, wherein the ARPF device generates the first key according to the expected response and the preset algorithm; wherein obtaining the encryption key from the first key comprises: using the first key as the encryption key; or extracting, according to a preset first method, a segment of a first set length from the first key as the encryption key;
the SEAF device is specifically configured to generate a second key according to the authentication response and the preset algorithm and use the second key as the decryption key; or to generate a second key according to the authentication response and the preset algorithm and extract, according to a preset first method, a segment of a first set length from the second key as the decryption key.
Further, the AUSF device is further configured to obtain a first sub-expected response; sending a 5G-AIA message including the RAND, the AUTN, the first sub-expected response and the encrypted session root key to the SEAF device;
the SEAF device is specifically configured to receive a 5G-AIA message that includes the RAND, the AUTN, the first sub-expected response, and the encrypted session root key and is sent by the AUSF device; acquiring a first sub-response; and verifying the first sub-response according to the first sub-expected response, and if the first sub-response passes the verification, sending a 5G-AC message to the AUSF device.
Further, the AUSF device is specifically configured to generate a first hash value according to the RAND, the expected response, the session root key and a preset first hash algorithm, and extract, according to a preset second method, a segment of a second set length from the first hash value as the first sub-expected response; or to extract, according to a preset third method, a segment of a third set length from the first key as the first sub-expected response;
the SEAF device is specifically configured to generate a first check hash value according to the RAND, the authentication response, the session root key and a preset first hash algorithm, and extract, according to a preset second method, a segment of a second set length from the first check hash value as the first sub-response; or to extract, according to a preset third method, a segment of a third set length from the second key as the first sub-response.
Further, the AUSF device is further configured to obtain a second sub-expected response;
the SEAF equipment is also used for acquiring a second sub-response; sending a 5G authentication confirmation message containing the second sub-response to the AUSF equipment;
the AUSF device is specifically configured to receive a 5G authentication confirmation message including a second sub-response sent by the SEAF device, verify the second sub-response according to the second sub-expected response, and determine that the SEAF device completes authentication of the UE if the verification passes.
Further, the AUSF device is specifically configured to generate a second hash value according to the RAND, the expected response, the session root key and a preset second hash algorithm, and extract, according to a preset fourth method, a segment of a fourth set length from the second hash value as the second sub-expected response; or to extract, according to a preset fifth method, a segment of a fifth set length from the first key as the second sub-expected response;
the SEAF device is specifically configured to generate a second check hash value according to the RAND, the authentication response, the session root key and a preset second hash algorithm, and extract, according to a preset fourth method, a segment of a fourth set length from the second check hash value as the second sub-response; or to extract, according to a preset fifth method, a segment of a fifth set length from the second key as the second sub-response.
Further, the AUSF device is specifically configured to generate a first key according to the RAND, the expected response, and a preset algorithm;
the SEAF device is specifically configured to generate a second key according to the RAND, the authentication response, and a preset algorithm.
The invention discloses an electronic device, comprising: the system comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory complete mutual communication through the communication bus;
the memory has stored therein a computer program which, when executed by the processor, causes the processor to perform the steps of any of the methods described above.
The invention discloses a computer readable storage medium storing a computer program executable by an electronic device, the program, when run on the electronic device, causing the electronic device to perform the steps of any of the methods described above.
The invention discloses an authentication method, an authentication device, an authentication system, authentication equipment and a storage medium, wherein the method comprises the following steps: the AUSF equipment receives an authentication vector containing a random number RAND, an authentication token AUTN, an expected response and a session root key, acquires an encryption key, and encrypts the session root key by adopting the encryption key, wherein the encryption key is determined according to the expected response and a preset algorithm; sending a 5G-AIA message including an RAND, an AUTN and an encrypted session root key to a security anchor point function SEAF device, so that the SEAF device sends the RAND and the AUTN to the UE after receiving the 5G-AIA message, generates a decryption key by adopting the preset algorithm according to an authentication response returned by the UE, and decrypts the encrypted session root key; and receiving a 5G authentication confirmation 5G-AC message sent by the SEAF equipment, and determining that the SEAF equipment completes the authentication of the UE, wherein the 5G-AC message is sent after the SEAF equipment successfully decrypts the encrypted session root key. 
In the embodiment of the invention, the AUSF equipment acquires the encryption key determined according to the expected response and the preset algorithm, encrypts the session root key by adopting the encryption key, sends the 5G-AIA message comprising the encrypted session root key to the SEAF equipment, and the SEAF equipment generates the decryption key by adopting the preset algorithm according to the authentication response returned by the UE and decrypts the encrypted session root key, so that the session root key plaintext is prevented from being transmitted between the AUSF equipment and the SEAF equipment, the transmission safety of the session root key is increased, the communication safety of a user is ensured, and the user experience is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic diagram of an authentication process provided in embodiment 1 of the present invention;
Fig. 2 is a schematic diagram of an authentication process according to embodiment 4 of the present invention;
Fig. 3 is a schematic diagram of an authentication process according to embodiment 6 of the present invention;
Fig. 4 is a schematic diagram of an authentication process according to embodiment 7 of the present invention;
Fig. 5 is a schematic diagram of an authentication process according to embodiment 9 of the present invention;
Fig. 6 is a schematic diagram of an authentication process according to embodiment 9 of the present invention;
Fig. 7 is a schematic structural diagram of an authentication apparatus according to embodiment 11 of the present invention;
Fig. 8 is a schematic structural diagram of an authentication apparatus according to embodiment 12 of the present invention;
Fig. 9 is a schematic structural diagram of an AUSF device provided in embodiment 13 of the present invention;
Fig. 10 is a schematic structural diagram of a SEAF device according to embodiment 14 of the present invention;
Fig. 11 is a schematic structural diagram of an authentication system according to embodiment 15 of the present invention;
Fig. 12 is an electronic device provided in embodiment 16 of the present invention;
Fig. 13 is an electronic device provided in embodiment 18 of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1:
Fig. 1 is a schematic diagram of an authentication process provided in an embodiment of the present invention, where the authentication process includes:
S101: receiving an authentication vector comprising a random number (RAND), an authentication token (AUTN), an expected response (XRES) and a session root key (KASME), obtaining an encryption key, and encrypting the session root key using the encryption key, wherein the encryption key is determined according to the expected response and a preset algorithm.
The network logic entities defined in the 5G network include: a terminal (UE), a SEAF device, an AUSF device, an Authentication credentialing and Processing Function (ARPF) device. The authentication method provided by the embodiment of the invention is applied to the AUSF equipment of the home network equipment of the UE. The SEAF device in the embodiment of the present invention is a roaming network device of the UE.
Specifically, the AUSF device in the UE's home network device sends an authentication vector request message (AV-Req) to the ARPF device, and the ARPF device generates an Authentication Vector (AV) including RAND, AUTN, XRES, and KASME after receiving the AV-Req sent by the AUSF device.
The XRES may be calculated by the following formula: XRES = PRF(CK, IK, RES, RAND, roaming network name), where PRF is the first set hash function, CK is the ciphering key, IK is the integrity check key, RES is the expected response and RAND is the random number. KASME can be calculated from the following formula: KASME = PRF(CK, IK, SQN ⊕ AK, roaming network name), where PRF is a second set hash function, CK is an encryption key, IK is an integrity check key, SQN is the sequence number received by the network side and AK is an anonymous key. The first and second hash functions may be set according to the lengths of XRES and KASME required by the user. For example, SHA-3 with an output length of 224 bits, from the Secure Hash Algorithm (SHA) family, may be selected as the first set hash function, and 128 bits intercepted from the 224-bit hash value output by SHA-3 according to a preset method as XRES (for example the first 128 bits, or 128 bits from the middle), while SHA-256 with an output length of 256 bits may be selected as the second set hash function. In the embodiment of the present invention, the determination process of RAND, AUTN, CK, IK, RES, SQN and AK is the same as the determination process of RAND, AUTN, CK, IK, RES, SQN and AK in the existing EPS-AKA, and is not described again.
After generating the authentication vector, the AUSF device or the ARPF device in the UE's home network device may determine the encryption key according to XRES and a predetermined hash function, where the predetermined hash function may be any one of SHA-224, SHA-256, SHA-384, and the like. Wherein, the session root key can be encrypted by adopting the following formula:
EKASME = KASME ⊕ MASK
where EKASME is the encrypted session root key, KASME is the session root key, MASK is the encryption key and ⊕ denotes the bitwise exclusive-or operation.
In addition, if the key is determined by the AUSF device and the session root key is encrypted by using the encryption key, the ARPF device generates an authentication vector including RAND, AUTN, XRES and KASME, and then sends an authentication vector response message (AV-Resp) including the authentication vector of RAND, AUTN, XRES and KASME to the AUSF device. And the AUSF equipment generates a key according to the XRES and a preset algorithm, acquires an encryption key according to the generated key, and encrypts the KASME by adopting the encryption key to generate EKASME.
If the key is determined by the ARPF device, the ARPF device generates the key according to the XRES and a preset algorithm, carries the key in an authentication vector and sends the key to the AUSF device, or sends the key to the AUSF device through a new piece of information. After receiving the key, the AUSF device acquires an encryption key, and encrypts KASME included in the received authentication vector to generate EKASME.
S102: sending a 5G Authentication Initiation Answer (5G-Authentication Initiation Answer, 5G-AIA) message including the RAND, the AUTN and the encrypted session root key to the SEAF equipment, so that the SEAF equipment sends the RAND and the AUTN to the UE after receiving the 5G-AIA message, generates a decryption key by adopting the preset algorithm according to the Authentication response returned by the UE, and decrypts the encrypted session root key;
specifically, the AUSF device in the UE's home network device sends a 5G-AIA message including the RAND, the AUTN, and the encrypted session root key to the SEAF device, the SEAF device sends an authentication request message (Auth-req) including the RAND and the AUTN to the UE after receiving the 5G-AIA message, the UE generates an authentication Response (RES) according to the RAND and the AUTN after receiving the Auth-req, sends an authentication response message (Auth-Resp) including the RES to the SEAF device, and the SEAF device generates a decryption key according to the RAND and the preset algorithm, and performs an exclusive or operation on the encrypted session root key according to the decryption key to obtain the session root key. The process of generating the authentication response by the UE according to the RAND and the AUTN belongs to the prior art, and is not described in detail in the embodiment of the present invention.
S103: receiving a 5G Authentication confirmation (5G-Authentication confirmation, 5G-AC) message sent by the SEAF equipment, and determining that the SEAF equipment completes the Authentication of the UE, wherein the 5G-AC message is sent after the SEAF equipment successfully decrypts the encrypted session root key.
If the SEAF device successfully decrypts the encrypted session root key to obtain the session root key, the SEAF device sends a 5G-AC message to AUSF equipment of home network equipment of the UE, and the AUSF equipment of the home network equipment of the UE receives the 5G-AC message to determine that the SEAF device completes authentication on the UE.
In the embodiment of the invention, the AUSF equipment acquires the encryption key determined according to the expected response and the preset algorithm, encrypts the session root key by adopting the encryption key, sends the 5G-AIA message comprising the encrypted session root key to the SEAF equipment, and the SEAF equipment generates the decryption key by adopting the preset algorithm according to the authentication response returned by the UE and decrypts the encrypted session root key, so that the session root key plaintext is prevented from being transmitted between the AUSF equipment and the SEAF equipment, the transmission safety of the session root key is increased, the communication safety of a user is ensured, and the user experience is improved.
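The core of Example 1 is a one-time-pad style mask: both sides derive the same key from the response value and RAND, and the session root key is transported as KASME ⊕ MASK. The following is an added example written for this page, not code from the patent. It assumes SHA-256 as the "preset algorithm" (the patent lists SHA-224, SHA-256 and SHA-384 as acceptable choices), and all RAND, XRES and KASME values are constructed sample data.

```python
import hashlib
import secrets

# Added example of the Example 1 masking scheme; not code from the patent.
# SHA-256 stands in for the "preset algorithm".  All sample values are
# constructed here and are not values from the patent.


def derive_mask(response: bytes, rand: bytes) -> bytes:
    """MASK = PRF(response || RAND).

    The AUSF calls this with the XRES from the authentication vector; the SEAF
    calls it with the RES returned by the UE.  The two masks agree only when
    RES == XRES, which is what lets the SEAF recover KASME.
    """
    return hashlib.sha256(response + rand).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def ausf_encrypt_kasme(xres: bytes, rand: bytes, kasme: bytes) -> bytes:
    """Home network (S101): EKASME = KASME xor MASK, with MASK derived from XRES."""
    return xor_bytes(kasme, derive_mask(xres, rand))


def seaf_decrypt_kasme(res: bytes, rand: bytes, ekasme: bytes) -> bytes:
    """Roaming network (S102): remove the mask with a key derived from the UE's RES."""
    return xor_bytes(ekasme, derive_mask(res, rand))


def run_exchange(xres: bytes, rand: bytes, kasme: bytes, res: bytes) -> bytes:
    """AUSF masks KASME for the 5G-AIA; the SEAF unmasks it with RES.
    Returns the session root key as recovered by the SEAF."""
    ekasme = ausf_encrypt_kasme(xres, rand, kasme)
    return seaf_decrypt_kasme(res, rand, ekasme)


def demo() -> tuple:
    """Random constructed vector: the correct RES recovers KASME, a wrong RES does not."""
    rand = secrets.token_bytes(16)    # 128-bit RAND
    xres = secrets.token_bytes(16)    # 128-bit XRES
    kasme = secrets.token_bytes(32)   # 256-bit session root key, same length as the mask
    good = run_exchange(xres, rand, kasme, xres) == kasme
    wrong_res = bytes(b ^ 0xFF for b in xres)
    bad = run_exchange(xres, rand, kasme, wrong_res) == kasme
    return good, bad


if __name__ == "__main__":
    print(demo())   # (True, False)
```

Note that the XOR step alone gives the SEAF no way to tell whether the value it recovered is the real KASME: a wrong RES simply produces a different 256-bit string. That gap is what the first sub-expected response of Examples 3 and 4 closes, by giving the SEAF a value it can recompute and compare.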
Example 2:
In this embodiment of the present invention, the key may be generated by an AUSF device or an ARPF device, and after the key is generated, the AUSF device obtains the encryption key. On the basis of the foregoing embodiment, in this embodiment of the present invention, obtaining the encryption key includes:
generating a first key according to an expected response contained in the authentication vector and a preset algorithm, and acquiring an encryption key according to the generated first key; or
Receiving a first key sent by ARPF equipment, and acquiring an encryption key according to the received first key, wherein the ARPF equipment generates the first key according to an expected response and a preset algorithm.
Specifically, if the first key is generated by the ARPF device, after the ARPF device generates an authentication vector including the random number RAND, the authentication token AUTN, the expected response and the session root key, the ARPF device generates the first key according to the expected response and a preset algorithm and sends the first key to the AUSF device, and the AUSF device obtains the encryption key from it according to its own requirements. The first key may be carried in the authentication vector sent by the ARPF device to the AUSF device, or may be sent to the AUSF device in a new message.
If the first key is generated by the AUSF device, after the AUSF device receives the authentication vector sent by the ARPF device, the AUSF device generates the first key according to the expected response carried in the authentication vector and the preset algorithm, and after the first key is generated, the encryption key is obtained according to the self requirement.
Specifically, in order to increase flexibility in the embodiment of the present invention, acquiring an encryption key according to the first key includes:
using the first key as an encryption key; or
Intercepting a first set length from the first key as the encryption key according to a preset first method.
That is, after the AUSF device acquires the first key, the first key may be directly used as the encryption key, or a part of the first key may be intercepted as the encryption key. Specifically, which way is flexibly selected according to the user requirement, for example, if the required encryption key is 256 bits and the generated first key is 256 bits, the first key may be used as the encryption key, and if the generated first key is 512 bits, 256 bits need to be intercepted from the 512 bits to be used as the encryption key.
In addition, in order to further increase the security of the session root key, in an embodiment of the present invention, generating the first key according to an expected response and a preset algorithm includes:
Generating a first key according to the RAND, the expected response and a preset algorithm.
That is, when generating the first key, the first key may be generated together with the expected response according to the RAND, and because of the presence of the RAND, the security of the generated second key may be further ensured, so that the security of the encrypted session root key may be ensured. Specifically, in the embodiment of the present invention, the preset algorithm may be a hash algorithm or the like.
The first key MASK1 may be calculated, for example, by the following formula: MASK1 = PRF1(XRES | RAND), where MASK1 is the first key, PRF1 is a preset first hash function, XRES is the expected response and RAND is the random number.
Specifically, when the first key is generated, a suitable hash algorithm is selected according to the length of the encryption key, for example, if a 256-bit first key is generated, the preset first hash algorithm may be SHA-256 or SHA-3-256. If a 512-bit first key needs to be generated, the preset first hash algorithm may be any one of SHA-512 or SHA-3-512.
Example 3:
In order to ensure the security of the communication between the home network device and the roaming network device of the UE, on the basis of the foregoing embodiments, in an embodiment of the present invention, before sending the 5G-AIA message including the RAND, the AUTN and the encrypted session root key to the SEAF device, the method further includes:
Obtaining a first sub-expected response;
the sending the 5G-AIA message including the RAND, the AUTN and the encrypted session root key to the SEAF device includes:
sending a 5G-AIA message to the SEAF device including the RAND, the AUTN, the first sub-expected response, and the encrypted session root key.
The session root key is encrypted by using the encryption key in order to ensure the security of the session root key transmitted between the UE's home network device and the UE's roaming network device, but in order to further ensure the security of the communication between the UE's home network device and the roaming network device, the first sub-expected response may be carried in the 5G-AIA message.
Specifically, in the embodiment of the present invention, a first sub-expected response may be obtained according to a random number and a certain algorithm, and when a 5G-AIA message is sent to the SEAF device, the first sub-expected response may be carried in the 5G-AIA message, where the algorithm may be any one of SHA-256, SHA-384, SHA-512, and other algorithms. The first sub-expected response may also be generated based on other data known to both the AUSF device and the SEAF device, for example, the AUTN may also be used. Because the 5G-AIA message includes the RAND and the AUTN, the UE can return the authentication response after receiving the RAND and the AUTN sent by the roaming network device, so that the roaming network device of the UE can generate the second key according to the authentication response and the preset algorithm, and acquire the decryption key by using the same method as that for acquiring the encryption key, and decrypt the encrypted session root key.
In addition, the roaming network device of the UE may generate the first sub-response by using the same method as the AUSF device, so as to verify the first sub-response according to the first sub-expected response, thereby ensuring the security of the communication between the home network device of the UE and the roaming network device.
Example 4:
In order to further ensure the integrity of the session root key or to effectively improve the efficiency of data transmission, on the basis of the foregoing embodiments, in an embodiment of the present invention, obtaining the first sub-expected response includes:
Generating a first hash value according to the RAND, the expected response, the session root key and a preset first hash algorithm, and intercepting a second set length from the first hash value as the first sub-expected response according to a preset second method; or
Intercepting a third set length from the first key as the first sub-expected response according to a preset third method.
Specifically, in order to ensure the integrity of the session root key, in the embodiment of the present invention, after the session root key is encrypted by the AUSF device in the home network device of the UE using the encryption key, a first hash value may be generated according to the RAND, the expected response, the session root key, and a preset first hash algorithm, where the first hash algorithm may be any one of SHA-256 or SHA-3-256.
The first hash value may be calculated according to the following formula: TEMP2 = PRF2(XRES | RAND | KASME), where TEMP2 is the first hash value, PRF2 is the first hash algorithm, XRES is the expected response, RAND is the random number and KASME is the session root key. If the preset first hash algorithm is SHA-256 or SHA-3-256, the length of the first hash value is 256 bits.
After the first hash value is determined, the AUSF device that generated it intercepts a second set length from the first hash value as the first sub-expected response according to a preset second method. Specifically, when the first sub-expected response is intercepted from the first hash value, any method may be adopted as long as it is ensured that the home network device and the roaming network device of the UE adopt the same interception method.
For example, if the required first sub-expected response is 128 bits long and the first hash value is 256 bits, the 128 bits from the 1st bit to the 128th bit of the first hash value may be intercepted as the first sub-expected response, or the 128 bits from the 129th bit to the 256th bit, or 128 bits from the middle.
In order to effectively improve the data transmission efficiency, since the first key has already been generated, a third set length may be intercepted from the first key as the first sub-expected response according to a preset third method. The first sub-expected response intercepted from the first key may be the same as, different from, or partially the same as the intercepted encryption key; this may be chosen flexibly as needed in a specific implementation, as long as the home network device and the roaming network device of the UE obtain the first sub-response by the same method.
In the above embodiments of the present invention, the first key may be generated by an ARPF device or an AUSF device. The following description will be made in detail taking an example in which the ARPF device generates the first key.
Fig. 2 is a schematic diagram of an authentication process provided in an embodiment of the present invention, where the authentication process includes the following steps:
S201: the AUSF device transmits an authentication vector request message (AV-Req) to the ARPF device, and the ARPF device generates a first Authentication Vector (AV) including RAND, AUTN, XRES and KASME upon receiving the AV-Req transmitted by the AUSF device.
S202: the ARPF device generates a 256-bit first key according to the RAND and the XRES and a first preset hash algorithm, and sends a second Authentication Vector (AV) containing the RAND, the AUTN, the XRES, the KASME and the first key to the AUSF device.
Specifically, the ARPF device may also generate a 512-bit first key according to RAND and XRES, and either SHA-512 or SHA-3-512.
S203: and the AUSF equipment takes the received first key as an encryption key according to the received second authentication vector.
Specifically, if the encryption key required by the AUSF device is 256 bits, and the first key received by the AUSF device is 512 bits, the AUSF device intercepts 256 bits of the 512 bits as the encryption key, for example, the first 256 bits, the last 256 bits, or 256 bits from a certain set bit may be intercepted from the 512 bits.
S204: the AUSF equipment generates a first hash value according to the RAND, the expected response, the session root key and a preset first hash algorithm, and intercepts a second set length from the first hash value as a first sub-expected response according to a preset second method.
And when the first sub-expected response is obtained, if the required first sub-expected response is 128 bits, the AUSF device generates a 256-bit first hash value according to the RAND, the expected response, the session root key, and one of the SHA-256 or SHA-3-256, and the AUSF device intercepts 128 bits in the 256-bit first hash value as the first sub-expected response, and specifically intercepts the first 128 bits of the 256 bits, or the last 128 bits, or 128 bits starting from a certain set bit.
If the first key received by the AUSF device is 512 bits, to improve the efficiency of data transmission, the AUSF device may directly intercept 128 bits from the first key as a first sub-expected response, for example, may intercept the first 128 bits of the 512 bits, or the following 128 bits, or 128 bits from a certain set bit, and the like. The truncated encryption key and the first sub-expected response may be the same, different, or partially the same, for example, the first 128 bits of 512 bits may be truncated as the first sub-expected response, and 256 bits may be truncated as the encryption key in the remaining bits.
S205: the AUSF device encrypts KASME with the encryption key, generates EKASME, and sends a 5G-AIA message containing RAND, AUTN, the first sub-expected response, and EKASME to the SEAF device.
S206: the SEAF equipment sends an authentication request message containing RAND and AUTN to the UE according to the received 5G-AIA message, the UE generates an authentication response according to the RAND and the AUTN, and the authentication response is carried in the authentication response message and sent to the SEAF equipment.
S207: and the SEAF equipment generates a 256-bit first check hash value according to the authentication response, the RAND and a preset first preset hash algorithm, determines a decryption key according to the first check hash value, and decrypts the encrypted session root key by using the decryption key.
The method for generating the first check hash value by the SEAF device is the same as the method for generating the first key by the ARPF device, and the method for determining the decryption key according to the first check hash value is the same as the method for obtaining the encryption key by the AUSF device according to the first key, which is specifically referred to the above process and is not described herein again. And after the decryption is successful, the SEAF equipment generates a first sub-response by adopting a method corresponding to the AUSF equipment acquiring the first sub-expected response.
S208: and after the SEAF equipment succeeds in decryption and passes verification of the first sub-response by adopting the first sub-expected response, the SEAF equipment sends a 5G-AC message to the AUSF equipment, and the AUSF equipment receives the 5G-AC message to confirm that the SEAF equipment completes authentication on the UE.
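The Fig. 2 flow above (S201 to S208), with the first sub-expected response taken from the hash TEMP2 so that the SEAF can check both that RES matched XRES and that EKASME was not altered in transit, as an added example written for this page and not the patent's own code. It assumes SHA-256 as the first preset hash algorithm for the 256-bit first key (used directly as the encryption key, as in S203), SHA-256 as the preset first hash algorithm for TEMP2, and "take the first 128 bits" as the preset second method; messages are represented as dicts and all sample values are constructed.

```python
import hashlib
import hmac

# Added example of the Fig. 2 flow (S201-S208); not the patent's own code.
# Assumptions: the 256-bit first key is SHA-256(response || RAND) and is used
# directly as the XOR key (S202/S203); TEMP2 is SHA-256(response || RAND || KASME)
# and the "preset second method" keeps its first 128 bits (S204).  All sample
# values used with these functions are constructed, not taken from the patent.

SUB_RESPONSE_LEN = 16   # 128-bit first sub-(expected) response


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def first_key(response: bytes, rand: bytes) -> bytes:
    """MASK1 = PRF1(response || RAND).  Fed XRES it is the ARPF's first key,
    fed RES it is the SEAF's first check hash value; both are used directly
    as the 256-bit XOR key."""
    return hashlib.sha256(response + rand).digest()


def sub_response(response: bytes, rand: bytes, kasme: bytes) -> bytes:
    """TEMP2 = PRF2(response || RAND || KASME), truncated to its first 128 bits.
    Binding KASME into the hash is what gives this check its integrity value."""
    temp2 = hashlib.sha256(response + rand + kasme).digest()
    return temp2[:SUB_RESPONSE_LEN]


def ausf_build_5g_aia(rand: bytes, autn: bytes, xres: bytes, kasme: bytes) -> dict:
    """S202-S205 on the home-network side: build the 5G-AIA message."""
    return {
        "RAND": rand,
        "AUTN": autn,
        "XSRES1": sub_response(xres, rand, kasme),        # first sub-expected response
        "EKASME": xor_bytes(kasme, first_key(xres, rand)),
    }


def seaf_process_5g_aia(msg: dict, res: bytes):
    """S207-S208 on the roaming-network side, after the UE has returned RES.

    Returns (kasme, send_ac): kasme is the decrypted session root key and
    send_ac is True only when the recomputed first sub-response equals the
    first sub-expected response carried in the 5G-AIA, i.e. RES == XRES and
    EKASME arrived unmodified.  The 5G-AC is sent only in that case.
    """
    dec_key = first_key(res, msg["RAND"])
    kasme = xor_bytes(msg["EKASME"], dec_key)
    sres1 = sub_response(res, msg["RAND"], kasme)
    send_ac = hmac.compare_digest(sres1, msg["XSRES1"])   # constant-time compare
    return kasme, send_ac


def run_flow(rand: bytes, autn: bytes, xres: bytes, kasme: bytes,
             res: bytes, tamper: bool = False) -> dict:
    """Whole exchange.  tamper=True flips one bit of EKASME in transit to show
    that the first sub-response check rejects a modified ciphertext."""
    msg = ausf_build_5g_aia(rand, autn, xres, kasme)
    if tamper:
        ek = bytearray(msg["EKASME"])
        ek[0] ^= 0x01
        msg["EKASME"] = bytes(ek)
    recovered, send_ac = seaf_process_5g_aia(msg, res)
    return {"ac_sent": send_ac, "kasme_ok": recovered == kasme}
```

The comparison uses a constant-time compare because the first sub-expected response is sent over the network and the SEAF's check is the only thing standing between a wrong key and a 5G-AC; with the hash variant, a flipped bit in EKASME changes the recovered KASME and therefore the recomputed sub-response, so no 5G-AC is sent.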
Example 5:
In order to further ensure the security of the communication between the roaming network device of the UE and the home network device, before receiving the 5G-AC message sent by the SEAF device, the method further includes:
Obtaining a second sub-expected response;
receiving a 5G-AC message sent by a SEAF device, and determining that the SEAF device completes authentication on UE comprises:
Receiving a 5G-AC message containing a second sub-response sent by the SEAF device, verifying the second sub-response according to the second sub-expected response, and determining that the SEAF device has completed the authentication of the UE if the verification passes.
To further ensure the security of the communication between the roaming network device and the home network device of the UE, the second sub-response may be carried in a 5G-AC message. The corresponding AUSF device needs to obtain the second sub-expected response.
Specifically, in the embodiment of the present invention, the second sub-expected response may be obtained according to the random number and a preset certain algorithm, where the preset certain algorithm may be any one of SHA-256, SHA-384, SHA-512, and the like. The second sub-expected response may also be generated based on other data known to both the AUSF device and the SEAF device, for example, the AUTN may also be used. And the 5G-AC message sent by the SEAF equipment to the AUSF equipment correspondingly carries the second sub-response. The roaming network equipment of the UE generates a second sub-response by adopting the same method as the AUSF equipment, so that the second sub-response is verified according to the response expected by the second sub-response, and the safety of communication between the roaming network equipment of the UE and the home network equipment is ensured.
Example 6:
In order to further ensure the integrity of the session root key or to effectively improve the efficiency of data transmission, on the basis of the foregoing embodiments, in an embodiment of the present invention, obtaining the second sub-expected response includes:
Generating a second hash value according to the RAND, the expected response, the session root key and a preset second hash algorithm, and intercepting a fourth set length from the second hash value as the second sub-expected response according to a preset fourth method; or
Intercepting a fifth set length from the first key as the second sub-expected response according to a preset fifth method.
In the embodiment of the present invention, in order to ensure the integrity of the session root key, after the session root key is encrypted by the encryption key, the AUSF device in the home network device of the UE may further generate a second hash value according to the RAND, the expected response, the session root key, and a preset second hash algorithm, where the second hash algorithm may be any one of SHA-256 or SHA-3-256.
For a specific generation process of the second hash value, refer to embodiment 4, which is not described herein again.
After the second hash value is determined, the AUSF device that generated the second hash value intercepts a fourth set length from it as the second sub-expected response according to a preset fourth method. Specifically, when the second sub-expected response is intercepted from the second hash value, any method may be adopted as long as it is ensured that the home network device and the roaming network device of the UE adopt the same interception method.
For example: if the second hash value is 256 bits, the hash value with the length of 128 bits from the 1 st bit to the 128 th bit in the second hash value may be truncated as the second sub-expected response, the hash value with the length of 128 bits from the 129 th bit to the 256 th bit in the second hash value may be truncated as the second sub-expected response, and of course, 256 bits may be truncated from the middle as the second sub-expected response.
Since the first sub-expected response is obtained according to the second hash value, the first sub-expected response and the second sub-expected response can be obtained simultaneously and both can be obtained from the second hash value, for example, a hash value of 128 bits from bit 1 to bit 128 of the second hash value can be regarded as the first sub-expected response, and a hash value of 128 bits from bit 129 to bit 256 of the second hash value can be intercepted as the second sub-expected response. The opposite is also possible, and of course, the first sub-expected response and the second sub-expected response may also be partially identical, or all identical.
In order to effectively improve the data transmission efficiency, since the first key is generated, a fifth set length may be intercepted as the second expected response in the first key according to a preset fifth method. The second expected response is intercepted from the first key, and may be the same as, unfair with, or partially the same as the intercepted encryption key and the first sub-expected response, and may be flexibly selected according to the needs in specific implementation. As long as it is ensured that the home network device and the roaming network device of the UE adopt the same method to obtain the first sub-response. For example, if the generated first key is 512 bits, the first 128 bits of the 512 bits may be used as the first expected response, and the last 128 bits may be used as the second expected response, and the remaining bits are the encryption key.
In the above embodiments of the present invention, the first key may be generated by an ARPF device or an AUSF device. The following description will be made in detail by taking an example in which the AUSF device generates the first key.
Fig. 3 is a schematic diagram of an authentication process according to an embodiment of the present invention, where the authentication process includes the following steps:
S301: The AUSF device sends an authentication vector request message (AV-Req) to the ARPF device; after receiving the AV-Req, the ARPF device generates an authentication vector (AV) including RAND, AUTN, XRES and KASME and sends it to the AUSF device.
S302: The AUSF device receives the authentication vector, generates a 512-bit first key according to RAND and XRES in the authentication vector and a first preset hash algorithm, and intercepts a first set length from the first key as an encryption key according to a preset first method.
Specifically, if the encryption key required by the AUSF device is 256 bits, then after generating the 512-bit first key the AUSF device intercepts 256 bits from the 512 bits as the encryption key; for example, the first 256 bits, the last 256 bits, or 256 bits starting from a certain set bit may be intercepted.
Furthermore, the AUSF device may generate a 256-bit first key according to RAND and XRES, and one of SHA-256 or SHA-3-256, and directly use the 256-bit first key as an encryption key.
S303: The AUSF device intercepts a third set length from the first key as a first sub-expected response according to a preset third method, and intercepts a fifth set length from the first key as a second sub-expected response according to a preset fifth method.
If the first sub-expected response and the second sub-expected response required by the AUSF device are both 128 bits, then in order to improve the efficiency of data transmission the AUSF device may intercept two 128-bit segments directly from the 512-bit first key as the first sub-expected response and the second sub-expected response; for example, the 128 bits from bit 1 to bit 128 of the first key may be the first sub-expected response, and the 128 bits from bit 385 to bit 512 of the first key may be the second sub-expected response. The opposite is also possible, and of course the first sub-expected response and the second sub-expected response may also be partially or entirely identical.
The AUSF device can also generate a first hash value according to the RAND, the expected response, the session root key and a preset first hash algorithm, and intercept a second set length from the first hash value as a first sub-expected response according to a preset second method; and intercept a fourth set length from the second hash value as a second sub-expected response according to a preset fourth method.
For example: the hash value of 128 bits from bit 1 to bit 128 of the first hash value may be a first sub-expected response, and the hash value of 128 bits from bit 129 to bit 256 of the second hash value may be truncated as a second sub-expected response. The opposite is also possible, and of course, the first sub-expected response and the second sub-expected response may also be partially identical, or all identical.
S304: the AUSF device encrypts KASME with the encryption key to generate EKASME, and sends a 5G-AIA message containing RAND, AUTN, the first sub-expected response and EKASME to the SEAF device.
S305: The SEAF device sends an authentication request message containing RAND and AUTN to the UE according to the received 5G-AIA message; the UE generates an authentication response according to the RAND and the AUTN, carries the authentication response in an authentication response message and sends it to the SEAF device.
S306: The SEAF device generates a 512-bit first check hash value according to the authentication response, the RAND and a preset first hash algorithm, determines a decryption key according to the first check hash value, and decrypts the encrypted session root key using the decryption key.
The method by which the SEAF device generates the first check hash value is the same as the method by which the AUSF device generates the first key, and the method of determining the decryption key from the first check hash value is the same as the method by which the AUSF device obtains the encryption key from the first key; refer to the process above, which is not repeated here. After the decryption succeeds, the SEAF device generates a first sub-response using the method corresponding to the one the AUSF device used to obtain the first sub-expected response, and generates a second sub-response using the same method the AUSF device used to obtain the second sub-expected response.
S307: After the decryption succeeds and the first sub-response has been verified using the first sub-expected response, the SEAF device sends a 5G-AC message containing the second sub-response to the AUSF device.
S308: The AUSF device receives the 5G-AC message and verifies the second sub-response in the 5G-AC message using the second sub-expected response; if the verification passes, it confirms that the SEAF device has completed the authentication of the UE.
Example 7:
Fig. 4 is a schematic diagram of an authentication process provided in an embodiment of the present invention, where the authentication process includes:
S401: Receiving a 5G-AIA message sent by the AUSF device that includes a random number (RAND), an authentication token (AUTN) and an encrypted session root key, and sending the RAND and the AUTN to the UE, where the encrypted session root key in the 5G-AIA message is determined by the AUSF device, after receiving an authentication vector including the random number RAND, the authentication token AUTN, an expected response and the session root key, according to the expected response and a preset algorithm.
The authentication method provided by this embodiment of the invention is applied to the SEAF device, which is the roaming network device of the UE. The AUSF device in this embodiment is the home network device of the UE.
Specifically, the SEAF device receives a 5G-AIA message including the RAND, the AUTN, and the encrypted session root key sent by the AUSF device, and sends an authentication request message (Auth-req) including the RAND and the AUTN to the UE.
The encrypted session root key (EKASME) in the 5G-AIA message is determined by the AUSF device receiving an authentication vector including a random number RAND, an authentication token AUTN, an expected response, and a session root key, and according to the expected response and a preset algorithm. For a specific process of determining the encryption key, see the other embodiments described above.
S402: Receiving an authentication response returned by the UE, determining a decryption key according to the authentication response and the preset algorithm, and decrypting the encrypted session root key.
Specifically, after receiving the Auth-req including the RAND and the AUTN, the UE generates an authentication response (RES) according to the RAND and the AUTN and sends an authentication response message (Auth-Resp) including the RES to the SEAF device. After receiving the Auth-Resp containing the RES, the SEAF device determines a decryption key according to the RES and the preset algorithm, and performs an exclusive-or operation on the encrypted session root key with the decryption key to obtain the session root key. The method by which the roaming network device of the UE generates the decryption key is the same as the method by which the home network device of the UE generates the encryption key.
Specifically, the SEAF device may determine the decryption key according to the RES and a preset hash function, where the preset hash function may be any one of the Secure Hash Algorithms SHA-224, SHA-256, SHA-384, and the like.
S403: If the encrypted session root key is decrypted successfully, sending a 5G-AC message to the AUSF device.
If the SEAF device successfully decrypts the encrypted session root key and obtains the session root key, it sends a 5G-AC message to the AUSF device, so that after receiving the 5G-AC message the AUSF device determines that the SEAF device has completed the authentication of the UE.
In this embodiment of the invention, the SEAF device receives the 5G-AIA message containing the encrypted session root key sent by the AUSF device and, according to the authentication response returned by the UE, determines the decryption key using the same preset algorithm as the home network device of the UE, so as to decrypt the encrypted session root key. This avoids transmitting the session root key in plaintext between the AUSF device and the SEAF device, increases the security of the session root key transmission, ensures the communication security of the user and improves the user experience.
Example 8:
To ensure the privacy of the session root key, on the basis of the above embodiment, in an embodiment of the present invention, determining a decryption key according to the authentication response and the preset algorithm includes:
generating a second key according to the authentication response and a preset algorithm, and taking the second key as the decryption key; or
generating a second key according to the authentication response and a preset algorithm, and intercepting a first set length from the second key as the decryption key according to a preset first method.
Specifically, after receiving the authentication response sent by the UE, the SEAF device generates the second key in the same manner as the method for generating the first key by the home network device of the UE. And acquiring a decryption key from the second key by the same method for acquiring the encryption key from the first key as the AUSF device.
Corresponding to the method by which the AUSF device obtains the encryption key, after the SEAF device obtains the second key it may use the second key directly as the decryption key, or intercept a part of the second key as the decryption key. Which way is used can be flexibly selected according to requirements; for example, if the required decryption key is 256 bits and the generated second key is 256 bits, the second key may be used as the decryption key, whereas if the generated second key is 512 bits, 256 bits need to be intercepted from the 512 bits to be used as the decryption key.
In order to further increase the security of the session root key, in the embodiment of the present invention, generating the second key according to the authentication response and the preset algorithm includes:
and generating a second secret key according to the RAND, the authentication response and a preset algorithm.
That is, when the second key is generated, the second key may be generated together with the authentication response, because the existence of the random number may further ensure the security of the generated second key, and thus may ensure the security of the encrypted session root key. Specifically, in the embodiment of the present invention, the preset algorithm may be a hash algorithm or the like.
Specifically, when the SEAF device generates the second key according to the RAND, the authentication response, and the preset algorithm, since the SEAF device knows the method for generating the first key, a corresponding method may be adopted when generating the second key. For example, if a 256-bit first key is generated, the preset algorithm may be SHA-256 or SHA-3-256. The SEAF device also generates a 256-bit second key based on the SHA-256 or SHA-3-256, and if a 512-bit first key is generated using SHA-512, the SEAF device also generates a 512-bit second key based on SHA-512.
Example 9:
In order to ensure the security of the communication between the home network device and the roaming network device of the UE, on the basis of the foregoing embodiments, in an embodiment of the present invention, receiving the 5G-AIA message including the RAND, the AUTN and the encrypted session root key sent by the AUSF device includes:
receiving a 5G-AIA message sent by the AUSF device that contains the RAND, the AUTN, a first sub-expected response and the encrypted session root key;
and before sending the 5G-AC message to the AUSF device, the method further includes:
acquiring a first sub-response;
and verifying the first sub-response according to the first sub-expected response, and if the first sub-response passes the verification, performing the subsequent steps.
The session root key is encrypted by using the encryption key in order to ensure the security of the session root key transmitted between the UE's home network device and the UE's roaming network device, but in order to further ensure the security of the communication between the UE's home network device and the roaming network device, the first sub-expected response may be carried in the 5G-AIA message.
In order to ensure the security of the communication between the home network device and the roaming network device of the UE, the SEAF device obtains the first sub-response after receiving the 5G-AIA message, and verifies the first sub-response according to the first sub-expected response. Specifically, the process of acquiring the first sub-response by the SEAF device is the same as the process of acquiring the first sub-expected response by the AUSF device.
Specifically, according to the method for acquiring the first sub-expected response by the AUSF device, in the embodiment of the present invention, the first sub-response may be acquired according to a random number and an algorithm, where the algorithm may be any one of SHA-256, SHA-384, SHA-512, and the like. The first sub-response may be generated based on other data known to both the AUSF device and the SEAF device, and may be, for example, an AUTN.
In order to further ensure the integrity of the session root key or effectively improve the efficiency of data transmission, on the basis of the foregoing embodiments, in an embodiment of the present invention, the acquiring the first sub-response includes:
generating a first check hash value according to the RAND, the authentication response, the session root key and a preset first hash algorithm; according to a preset second method, intercepting a second set length from the first check hash value as a first sub-response; or
intercepting a third set length from the second key as a first sub-response according to a preset third method.
Specifically, in order to ensure the integrity of the session root key, in the embodiment of the present invention, after the session root key is encrypted by using the encryption key, the AUSF device in the home network device of the UE may further generate a first hash value according to the RAND, the expected response, the session root key, and a preset first hash algorithm, and generate a first sub-expected response according to the first hash value, where the first hash algorithm may be any one of SHA-256 or SHA-3-256.
Correspondingly, the SEAF device serving as the roaming network device of the UE generates the first sub-response using the same method as the AUSF device. If the first sub-expected response was intercepted from the first hash value, the SEAF device, after generating the first check hash value by the same method, intercepts the first sub-response from the first check hash value in the same way that the first sub-expected response was intercepted from the first hash value.
In order to effectively improve the data transmission efficiency, the first sub-expected response may be intercepted from the first key because the first key has already been generated. Accordingly, the SEAF device intercepts the first sub-response from the second key in a corresponding way.
Fig. 5 is a schematic diagram of an authentication process provided in an embodiment of the present invention, where the authentication process includes the following steps:
S501: The ARPF device generates an AV including RAND, AUTN, XRES and KASME after receiving the AV-Req sent by the AUSF device, and sends the AV to the AUSF device.
S502: the AUSF device receives AV, generates a 256-bit first key according to RAND and XRES and a first preset hash algorithm, and uses the first key as an encryption key.
S503: the AUSF device generates a first hash value of 256 bits based on the RAND, the expected response, the session root key, and SHA-256, and takes the first 128 bits of the 256 bits as a first sub-expected response.
S504: the AUSF device encrypts KASME with the encryption key, generates EKASME, and sends a 5G-AIA message containing RAND, AUTN, the first sub-expected response, and EKASME to the SEAF device.
S505: The SEAF device sends an authentication request message containing RAND and AUTN to the UE according to the received 5G-AIA message; the UE generates an authentication response according to the RAND and the AUTN, carries the authentication response in an authentication response message and sends it to the SEAF device.
S506: The SEAF device generates a 256-bit second key according to the authentication response, the RAND and a preset first hash algorithm, uses the second key as a decryption key, and decrypts the EKASME using the decryption key.
S507: If the decryption succeeds, the SEAF device generates a 256-bit first check hash value according to the RAND, the authentication response, the session root key and SHA-256, and takes the first 128 bits of the 256 bits as a first sub-response.
S508: The SEAF device verifies the first sub-response using the first sub-expected response, and sends a 5G-AC message to the AUSF device after the verification passes.
Example 10:
To further ensure the security of the communication between the roaming network device and the home network device of the UE, before sending the 5G-AC to the AUSF device, the method further includes:
acquiring a second sub-response;
and sending the 5G-AC message to the AUSF device includes:
sending a 5G-AC message containing the second sub-response to the AUSF device.
To further ensure the security of the communication between the roaming network device and the home network device of the UE, the second sub-response may be carried in a 5G-AC message. Specifically, the process of acquiring the second sub-response is the same as the process of acquiring the second sub-expected response by the AUSF device.
Specifically, according to the method for acquiring the second sub-expected response by the AUSF device, in the embodiment of the present invention, the second sub-response may be acquired according to a random number and an algorithm, where the algorithm may be any one of SHA-256, SHA-384, SHA-512, and the like. The second sub-response may be generated based on other data known to both the AUSF device and the SEAF device, and may be, for example, an AUTN.
In order to further ensure the integrity of the session root key or effectively improve the efficiency of data transmission, on the basis of the foregoing embodiments, in an embodiment of the present invention, the acquiring the second sub-response includes:
generating a second check hash value according to the RAND, the authentication response, the session root key and a preset second hash algorithm; according to a preset fourth method, intercepting a fourth set length from the second check hash value as a second sub-response; or
And intercepting a fifth set length as a second sub-response in the second secret key according to a preset fifth method.
Specifically, in order to ensure the integrity of the session root key, in the embodiment of the present invention, after the session root key is encrypted by using the encryption key, the AUSF device in the home network device of the UE may further generate a second hash value according to the RAND, the expected response, the session root key, and a preset second hash algorithm, and generate a second sub-expected response according to the second hash value, where the second hash algorithm may be any one of SHA-256 or SHA-3-256.
Correspondingly, the SEAF device serving as the roaming network device of the UE generates the second sub-response using the same method as the AUSF device. If the second sub-expected response was truncated from the second hash value, the SEAF device, after generating the second check hash value by the same method, truncates the second sub-response from the second check hash value in the same manner as the second sub-expected response was truncated from the second hash value.
In order to effectively improve the data transmission efficiency, the second sub-expected response may be intercepted from the second key because the second key has already been generated. Accordingly, the SEAF device intercepts the second sub-response from the second key in a corresponding manner.
Fig. 6 is a schematic diagram of an authentication process provided in an embodiment of the present invention, where the authentication process includes the following steps:
S601: The ARPF device generates an AV including RAND, AUTN, XRES and KASME after receiving the AV-Req sent by the AUSF device, and sends the AV to the AUSF device.
S602: the AUSF device receives the AV, generates a 512-bit first key from RAND, XRES, and SHA-512, takes the first 128 bits of the 512 bits as a first sub-expected response, the last 128 bits as a second sub-expected response, and the remaining 256 bits as an encryption key.
S603: the AUSF device encrypts KASME with the encryption key, generates EKASME, and sends a 5G-AIA message containing RAND, AUTN, the first sub-expected response, and EKASME to the SEAF device.
S604: The SEAF device sends an authentication request message containing RAND and AUTN to the UE according to the received 5G-AIA message; the UE generates an authentication response according to the RAND and the AUTN, carries the authentication response in an authentication response message and sends it to the SEAF device.
S605: The SEAF device generates a 512-bit second key according to the authentication response, RAND and SHA-512, takes the first 128 bits of the second key as a first sub-response, the last 128 bits as a second sub-response, and the remaining 256 bits as a decryption key.
S606: The SEAF device decrypts the EKASME using the decryption key, verifies the first sub-response using the first sub-expected response when the decryption succeeds, and sends a 5G-AC message containing the second sub-response to the AUSF device after the verification passes.
S607: The AUSF device receives the 5G-AC message, verifies the second sub-response using the second sub-expected response, and confirms that the SEAF device has completed the authentication of the UE after the verification passes.
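The exchanges of Fig. 3, Fig. 5 and Fig. 6 above, as an added worked example that is not part of the patent: both the AUSF and SEAF sides of the Fig. 6 split (bits 1-128, 385-512 and 129-384 of a SHA-512 key) with exclusive-or encryption of KASME, plus the Fig. 5 style check hash that binds a sub-response to the decrypted session root key. The RAND || RES input order, the message field names and the sample values are my own assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample values (not real network data). RAND, XRES and AUTN are
# 128 bits here; the session root key KASME is 256 bits.
RAND = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
XRES = bytes.fromhex("a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5")
AUTN = bytes.fromhex("c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3")
KASME = bytes.fromhex("7e" * 32)


def derive_key(rand: bytes, res: bytes) -> bytes:
    """512-bit first key (AUSF, from XRES) or second key (SEAF, from RES) via SHA-512.
    The input order RAND || RES is an assumption; the page only names the inputs."""
    return hashlib.sha512(rand + res).digest()


def split_key(key: bytes) -> Tuple[bytes, bytes, bytes]:
    """Layout of S602/S605: bits 1-128 -> first sub-(expected) response,
    bits 385-512 -> second sub-(expected) response, bits 129-384 -> 256-bit key."""
    if len(key) != 64:
        raise ValueError("expected a 512-bit key")
    return key[:16], key[48:], key[16:48]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """The page's encryption: exclusive-or of KASME with the 256-bit key (S402).
    The key must be fresh per authentication vector; XOR with a reused key leaks."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def integrity_sub_response(rand: bytes, res: bytes, kasme: bytes) -> bytes:
    """S503/S507 variant: first 128 bits of SHA-256(RAND || RES || KASME), so the
    sub-response also covers the (decrypted) session root key."""
    return hashlib.sha256(rand + res + kasme).digest()[:16]


@dataclass(frozen=True)
class Aia:
    """The 5G-AIA message of S603 (field names are hypothetical)."""
    rand: bytes
    autn: bytes
    first_sub_xres: bytes
    ekasme: bytes


def ausf_build_aia(rand: bytes, autn: bytes, xres: bytes, kasme: bytes) -> Tuple[Aia, bytes]:
    """S602-S603 at the AUSF: returns the 5G-AIA and the second sub-expected
    response that the AUSF keeps for checking the later 5G-AC."""
    sub1, sub2, enc_key = split_key(derive_key(rand, xres))
    return Aia(rand, autn, sub1, xor_bytes(kasme, enc_key)), sub2


def seaf_process(aia: Aia, res: bytes) -> Optional[Tuple[bytes, bytes]]:
    """S605-S606 at the SEAF. XOR 'decryption' cannot fail by itself, so the
    first sub-response comparison is the step that actually detects a wrong RES.
    Returns (KASME, second sub-response for the 5G-AC), or None when rejected."""
    sub1, sub2, dec_key = split_key(derive_key(aia.rand, res))
    if not hmac.compare_digest(sub1, aia.first_sub_xres):
        return None
    return xor_bytes(aia.ekasme, dec_key), sub2


def ausf_verify_ac(second_sub_xres: bytes, second_sub_res: bytes) -> bool:
    """S607: constant-time comparison of the 5G-AC value with the kept expectation."""
    return hmac.compare_digest(second_sub_xres, second_sub_res)


def run_fig6(rand: bytes, autn: bytes, xres: bytes, kasme: bytes, res: bytes):
    """Whole exchange. Returns (authentication confirmed, KASME recovered at the SEAF)."""
    aia, sub2_expected = ausf_build_aia(rand, autn, xres, kasme)
    result = seaf_process(aia, res)
    if result is None:
        return False, None
    kasme_at_seaf, sub2 = result
    return ausf_verify_ac(sub2_expected, sub2), kasme_at_seaf


if __name__ == "__main__":
    ok, k = run_fig6(RAND, AUTN, XRES, KASME, XRES)
    print("correct RES -> confirmed:", ok, "KASME recovered:", k == KASME)
    print("wrong RES ->", run_fig6(RAND, AUTN, XRES, KASME, bytes(16)))
```

The Fig. 6 split detects a wrong RES but not a modified EKASME, because both sub-responses depend only on RAND and RES; the SHA-256 check hash over the recovered KASME is what provides the integrity the text attributes to the hash-value variant.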
Example 11:
Fig. 7 is a schematic structural diagram of an authentication apparatus according to an embodiment of the present invention, which is applied to an authentication service function AUSF device, and the apparatus includes:
an encryption module 71, configured to receive an authentication vector including a random number RAND, an authentication token AUTN, an expected response, and a session root key, obtain an encryption key, and encrypt the session root key using the encryption key, where the encryption key is determined according to the expected response and a preset algorithm;
a sending module 72, configured to send a 5G-AIA message including a RAND, an AUTN and an encrypted session root key to a security anchor point function SEAF device, so that after receiving the 5G-AIA message the SEAF device sends the RAND and the AUTN to the UE, generates a decryption key according to the authentication response returned by the UE using the preset algorithm, and decrypts the encrypted session root key;
a receiving determining module 73, configured to receive a 5G authentication confirmation message 5G-AC sent by the SEAF device, and determine that the SEAF device completes authentication on the UE, where the 5G-AC is sent after the SEAF device successfully decrypts the encrypted session root key.
The encryption module 71 is specifically configured to generate a first key according to an expected response included in the authentication vector and a preset algorithm, and obtain an encryption key according to the generated first key; or receiving a first key sent by an authentication credential storage and processing function (ARPF) device, and acquiring an encryption key according to the received first key, wherein the ARPF generates the first key according to an expected response and a preset algorithm.
The encryption module 71 is specifically configured to use the first key as an encryption key; or intercepting a first set length as an encryption key in the first key according to a preset first method.
The encryption module 71 is specifically configured to obtain a first sub-expected response;
the sending module 72 is specifically configured to send, to the SEAF device, a 5G-AIA message including the RAND, the AUTN, the first sub-expected response, and the encrypted session root key.
The encryption module 71 is specifically configured to generate a first hash value according to the RAND, the expected response, the session root key, and a preset first hash algorithm; intercepting a second set length from the first hash value as a first sub-expected response according to a preset second method; or intercepting a third set length as a first sub-expected response in the first key according to a preset third method.
The encryption module 71 is further configured to obtain a second sub-expected response;
the receiving determining module 73 is specifically configured to receive a 5G-AC message that is sent by the SEAF device and includes a second sub-response, verify the second sub-response according to the second sub-expected response, and if the verification passes, determine that the SEAF device completes authentication of the UE.
The encryption module 71 is specifically configured to generate a second hash value according to the RAND, the expected response, the session root key, and a preset second hash algorithm; intercepting a fourth set length from the second hash value as a second sub-expected response according to a preset fourth method; or intercepting a fifth set length as a second sub-expected response in the first key according to a preset fifth method.
The encryption module 71 is specifically configured to generate a first key according to the RAND, the expected response, and a preset algorithm.
Example 12:
Fig. 8 is a schematic structural diagram of an authentication apparatus according to an embodiment of the present invention, which is applied to a security anchor point function SEAF device, and the apparatus includes:
a transceiver module 81, configured to receive a 5G-AIA message sent by an AUSF device that includes a random number RAND, an authentication token AUTN and an encrypted session root key, and to send the RAND and the AUTN to the UE, where the encrypted session root key in the 5G-AIA message is determined by the AUSF device, after receiving an authentication vector including the random number RAND, the authentication token AUTN, an expected response and a session root key, according to the expected response and a preset algorithm;
a receiving and decrypting module 82, configured to receive an authentication response returned by the UE, determine a decryption key according to the authentication response and the preset algorithm, and decrypt the encrypted session root key;
a sending module 83, configured to send a 5G authentication acknowledgement 5G-AC message to the AUSF device if the encrypted session root key is decrypted successfully.
The receiving and decrypting module 82 is specifically configured to generate a second key according to the authentication response and a preset algorithm, and use the second key as a decrypting key; or generating a second key according to the authentication response and a preset algorithm, and intercepting a first set length in the second key as a decryption key according to a preset first method.
The transceiver module 81 is specifically configured to receive a 5G-AIA message sent by the AUSF device that includes the RAND, the AUTN, the first sub-expected response and the encrypted session root key;
the receiving and decrypting module 82 is further configured to obtain a first sub-response; and verifying the first sub-response according to the first sub-expected response, and triggering a sending module if the verification is passed.
The receiving and decrypting module 82 is specifically configured to generate a first check hash value according to the RAND, the authentication response, the session root key, and a preset first hash algorithm; according to a preset second method, intercepting a second set length from the first check hash value as a first sub-response; or intercepting a third set length as a first sub-response in the second key according to a preset third method.
The receiving and decrypting module 82 is further configured to obtain a second sub-response;
the sending module 83 is further configured to send a 5G-AC message including the second sub-response to the AUSF device.
The receiving and decrypting module 82 is specifically configured to generate a second check hash value according to the RAND, the authentication response, the session root key, and a preset second hash algorithm; according to a preset fourth method, intercepting a fourth set length from the second check hash value as a second sub-response; or intercepting a fifth set length as a second sub-response in the second key according to a preset fifth method.
The receiving and decrypting module 82 is specifically configured to generate a second key according to the RAND, the authentication response, and a preset algorithm.
Example 13:
Based on the same inventive concept, the embodiment of the present invention further provides an authentication service function AUSF device. Since the principle by which the AUSF device solves the problem is similar to that of the authentication method applied to the AUSF device, the implementation of the AUSF device may refer to the implementation of the method, and repeated details are not repeated here.
Fig. 9 is a schematic structural diagram of an AUSF device according to an embodiment of the present invention. In Fig. 9, the bus architecture may include any number of interconnected buses and bridges; specifically, one or more processors represented by the processor 91 and various circuits of memory represented by the memory 93 are linked together. The bus architecture may also link together various other circuits such as peripherals, voltage regulators and power management circuits, which are well known in the art and therefore are not described further here. The bus interface provides an interface. The transceiver 92 may be a number of elements, including a transmitter and a receiver, providing a means for communicating with various other apparatus over a transmission medium. The processor 91 is responsible for managing the bus architecture and general processing, and the memory 93 may store data used by the processor 91 in performing operations.
In the AUSF device provided in the embodiments of the present invention:
The processor 91 is configured to read a program in the memory 93 and execute the following processes: receiving, through the transceiver 92, an authentication vector including a random number RAND, an authentication token AUTN, an expected response and a session root key, obtaining an encryption key, and encrypting the session root key using the encryption key, where the encryption key is determined according to the expected response and a preset algorithm; sending a 5G-AIA message including the RAND, the AUTN and the encrypted session root key to a security anchor point function SEAF device, so that the SEAF device sends the RAND and the AUTN to the UE after receiving the 5G-AIA message, generates a decryption key by adopting the preset algorithm according to an authentication response returned by the UE, and decrypts the encrypted session root key; and receiving a 5G authentication confirmation 5G-AC message sent by the SEAF device, and determining that the SEAF device has completed the authentication of the UE, where the 5G-AC message is sent after the SEAF device successfully decrypts the encrypted session root key.
Preferably, the processor 91 is specifically configured to generate a first key according to the expected response included in the authentication vector and a preset algorithm, and obtain the encryption key according to the generated first key; or receive a first key sent by an authentication credential storage and processing function ARPF device, and obtain the encryption key according to the received first key, where the ARPF device generates the first key according to the expected response and the preset algorithm.
Preferably, the processor 91 is specifically configured to use the first key as the encryption key; or intercept a first set length in the first key as the encryption key according to a preset first method.
Preferably, the processor 91 is further configured to obtain a first sub-expected response, and send a 5G-AIA message including the RAND, the AUTN, the first sub-expected response and the encrypted session root key to the SEAF device through the transceiver 92.
Preferably, the processor 91 is specifically configured to generate a first hash value according to the RAND, the expected response, the session root key and a preset first hash algorithm, and intercept a second set length from the first hash value as the first sub-expected response according to a preset second method; or intercept a third set length in the first key as the first sub-expected response according to a preset third method.
Preferably, the processor 91 is further configured to obtain a second sub-expected response, receive through the transceiver 92 a 5G-AC message sent by the SEAF device and containing a second sub-response, verify the second sub-response according to the second sub-expected response, and determine that the SEAF device has completed the authentication of the UE if the second sub-response passes the verification.
Preferably, the processor 91 is specifically configured to generate a second hash value according to the RAND, the expected response, the session root key and a preset second hash algorithm, and intercept a fourth set length from the second hash value as the second sub-expected response according to a preset fourth method; or intercept a fifth set length in the first key as the second sub-expected response according to a preset fifth method.
Preferably, the processor 91 is specifically configured to generate the first key according to the RAND, the expected response and the preset algorithm.
Example 14:
Based on the same inventive concept, an embodiment of the present invention further provides a security anchor point function SEAF device. Since the principle by which the SEAF device solves the problem is similar to that of the authentication method applied to the SEAF device, the implementation of the SEAF device may refer to the implementation of the method, and repeated parts are not described again.
Fig. 10 is a schematic structural diagram of a SEAF device according to an embodiment of the present invention. In Fig. 10, the bus architecture may include any number of interconnected buses and bridges, and specifically links together one or more processors represented by the processor 111 and various circuits of a memory represented by the memory 113. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art and therefore are not described any further herein. The bus interface provides an interface. The transceiver 112 may be a number of elements, including a transmitter and a receiver, providing a means for communicating with various other apparatus over a transmission medium. The processor 111 is responsible for managing the bus architecture and general processing, and the memory 113 may store data used by the processor 111 in performing operations.
In the SEAF device provided in the embodiment of the present invention:
The processor 111 is configured to read the program in the memory 113 and execute the following processes: receiving, through the transceiver 112, a 5G-AIA message sent by an authentication service function AUSF device and including a random number RAND, an authentication token AUTN and an encrypted session root key, and sending the RAND and the AUTN to the UE, where the encrypted session root key in the 5G-AIA message is the session root key encrypted by the AUSF device, after receiving an authentication vector including the random number RAND, the authentication token AUTN, an expected response and the session root key, with an encryption key determined according to the expected response and a preset algorithm; receiving an authentication response returned by the UE, determining a decryption key according to the authentication response and the preset algorithm, and decrypting the encrypted session root key; and if the encrypted session root key is decrypted successfully, sending a 5G authentication confirmation 5G-AC message to the AUSF device.
Preferably, the processor 111 is specifically configured to generate a second key according to the authentication response and the preset algorithm, and use the second key as the decryption key; or generate a second key according to the authentication response and the preset algorithm, and intercept a first set length in the second key as the decryption key according to a preset first method.
Preferably, the processor 111 is specifically configured to receive, through the transceiver 112, a 5G-AIA message sent by the AUSF device and including the RAND, the AUTN, a first sub-expected response and the encrypted session root key; obtain a first sub-response; and verify the first sub-response according to the first sub-expected response, and perform the subsequent steps if the first sub-response passes the verification.
Preferably, the processor 111 is specifically configured to generate a first check hash value according to the RAND, the authentication response, the session root key and a preset first hash algorithm, and intercept a second set length from the first check hash value as the first sub-response according to a preset second method; or intercept a third set length in the second key as the first sub-response according to a preset third method.
Preferably, the processor 111 is further configured to obtain a second sub-response, and send a 5G-AC message containing the second sub-response to the AUSF device through the transceiver 112.
Preferably, the processor 111 is specifically configured to generate a second check hash value according to the RAND, the authentication response, the session root key and a preset second hash algorithm, and intercept a fourth set length from the second check hash value as the second sub-response according to a preset fourth method; or intercept a fifth set length in the second key as the second sub-response according to a preset fifth method.
Preferably, the processor 111 is specifically configured to generate the second key according to the RAND, the authentication response and the preset algorithm.
Example 15:
Fig. 11 is a schematic structural diagram of an authentication system according to an embodiment of the present invention, where the authentication system includes a UE 121, an AUSF device 122 and an SEAF device 123; wherein:
the AUSF device 122 is configured to receive an authentication vector including a random number RAND, an authentication token AUTN, an expected response and a session root key, obtain an encryption key, and encrypt the session root key using the encryption key, where the encryption key is determined according to the expected response and a preset algorithm; and send a 5G-AIA message including the RAND, the AUTN and the encrypted session root key to the SEAF device 123;
the SEAF device 123 is configured to receive a 5G-AIA message that is sent by the AUSF device 122 and includes a random number RAND, an authentication token AUTN, and an encrypted session root key, and send the RAND and the AUTN to the UE 121;
the UE121 is configured to receive the RAND and the AUTN sent by the SEAF device 123, generate an authentication response according to the RAND and the AUTN, and send the authentication response to the SEAF device 123;
the SEAF device 123 is further configured to receive an authentication response returned by the UE121, determine a decryption key according to the authentication response and the preset algorithm, and decrypt the encrypted session root key; and if the encrypted session root key is decrypted successfully, a 5G authentication acknowledgement 5G-AC message is sent to the AUSF device 122;
the AUSF device 122 is further configured to receive the 5G-AC message sent by the SEAF device 123, and determine that the SEAF device 123 completes authentication on the UE 121.
The AUSF device 122 is specifically configured to generate a first key according to the expected response included in the authentication vector and a preset algorithm, and obtain the encryption key according to the generated first key; or receive a first key sent by an authentication credential storage and processing function ARPF device, and obtain the encryption key according to the received first key, where the ARPF device generates the first key according to the expected response and the preset algorithm; and obtaining the encryption key according to the first key includes: using the first key as the encryption key; or intercepting a first set length in the first key as the encryption key according to a preset first method;
the SEAF device 123 is specifically configured to generate a second key according to the authentication response and the preset algorithm, and use the second key as the decryption key; or generate a second key according to the authentication response and the preset algorithm, and intercept a first set length in the second key as the decryption key according to the preset first method.
The AUSF device 122 is further configured to obtain a first sub-expected response, and send a 5G-AIA message including the RAND, the AUTN, the first sub-expected response and the encrypted session root key to the SEAF device 123;
the SEAF device 123 is specifically configured to receive the 5G-AIA message sent by the AUSF device 122 and including the RAND, the AUTN, the first sub-expected response and the encrypted session root key; obtain a first sub-response; and verify the first sub-response according to the first sub-expected response, and if the first sub-response passes the verification, send the 5G-AC message to the AUSF device 122.
The AUSF device 122 is specifically configured to generate a first hash value according to the RAND, the expected response, the session root key and a preset first hash algorithm, and intercept a second set length from the first hash value as the first sub-expected response according to a preset second method; or intercept a third set length in the first key as the first sub-expected response according to a preset third method;
the SEAF device 123 is specifically configured to generate a first check hash value according to the RAND, the authentication response, the session root key and the preset first hash algorithm, and intercept a second set length from the first check hash value as the first sub-response according to the preset second method; or intercept a third set length in the second key as the first sub-response according to the preset third method.
The AUSF device 122 is further configured to obtain a second sub-expected response;
the SEAF device 123 is further configured to obtain a second sub-response, and send a 5G authentication confirmation message including the second sub-response to the AUSF device 122;
the AUSF device 122 is specifically configured to receive the 5G authentication confirmation message sent by the SEAF device 123 and including the second sub-response, verify the second sub-response according to the second sub-expected response, and if the verification passes, determine that the SEAF device 123 has completed authentication of the UE 121.
The AUSF device 122 is specifically configured to generate a second hash value according to the RAND, the expected response, the session root key and a preset second hash algorithm, and intercept a fourth set length from the second hash value as the second sub-expected response according to a preset fourth method; or intercept a fifth set length in the first key as the second sub-expected response according to a preset fifth method;
the SEAF device 123 is specifically configured to generate a second check hash value according to the RAND, the authentication response, the session root key and the preset second hash algorithm, and intercept a fourth set length from the second check hash value as the second sub-response according to the preset fourth method; or intercept a fifth set length in the second key as the second sub-response according to the preset fifth method.
The AUSF device 122 is specifically configured to generate the first key according to the RAND, the expected response and the preset algorithm;
the SEAF device 123 is specifically configured to generate the second key according to the RAND, the authentication response and the preset algorithm.
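The AUSF/SEAF exchange of this system embodiment, written out as an added Python example (not code from the patent): the AUSF derives the encryption key from the expected response XRES and attaches a first sub-expected response to the 5G-AIA, the SEAF derives the decryption key from the RES returned by the UE, decrypts, checks its first sub-response against the first sub-expected response, and answers with a second sub-response in the 5G-AC that the AUSF verifies. The key-derivation algorithm (HMAC-SHA256), the cipher (an HMAC counter keystream), the hash algorithms (SHA-256, SHA-512) and the set lengths are assumptions standing in for the patent's "preset" ones.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Set lengths are assumptions for this example (the patent leaves them "preset").
KEY_LEN = 16        # first set length: bytes of the derived key used as the cipher key
SUB_RESP1_LEN = 8   # second set length: bytes kept from the first hash value
SUB_RESP2_LEN = 8   # fourth set length: bytes kept from the second hash value


def derive_key(rand: bytes, response: bytes) -> bytes:
    """Preset algorithm (assumed here: HMAC-SHA256 keyed with RAND over the response),
    intercepted to the first set length. The AUSF feeds it XRES (first key), the SEAF
    feeds it RES (second key); the two keys agree only when RES == XRES."""
    return hmac.new(rand, response, hashlib.sha256).digest()[:KEY_LEN]


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Assumed cipher for the example: XOR with an HMAC-SHA256 counter keystream.
    The same call encrypts and decrypts the session root key."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def sub_response(rand: bytes, response: bytes, session_root_key: bytes, which: int) -> bytes:
    """First (which=1) or second (which=2) hash over RAND || response || session root key,
    intercepted to the set length. Assumed hash algorithms: SHA-256 and SHA-512.
    On the AUSF the response is XRES (sub-expected response); on the SEAF it is RES
    (check hash, i.e. the sub-response)."""
    material = rand + response + session_root_key
    if which == 1:
        return hashlib.sha256(material).digest()[:SUB_RESP1_LEN]
    return hashlib.sha512(material).digest()[:SUB_RESP2_LEN]


@dataclass(frozen=True)
class AIA:
    """Fields of the 5G-AIA message carried from the AUSF to the SEAF."""
    rand: bytes
    autn: bytes
    sub_xres1: bytes   # first sub-expected response
    enc_kseaf: bytes   # session root key encrypted under the XRES-derived key


def ausf_build_aia(rand: bytes, autn: bytes, xres: bytes, kseaf: bytes) -> AIA:
    """AUSF side: derive the encryption key from XRES, encrypt the session root key,
    and attach the first sub-expected response."""
    enc_key = derive_key(rand, xres)
    return AIA(rand, autn, sub_response(rand, xres, kseaf, 1), keystream_xor(enc_key, kseaf))


def seaf_process(aia: AIA, res: bytes) -> Optional[Tuple[bytes, bytes]]:
    """SEAF side, after the UE has returned RES: derive the decryption key from RES,
    decrypt, and verify the first sub-response against the first sub-expected response.
    Returns (session root key, second sub-response for the 5G-AC), or None when the
    check fails, in which case no 5G-AC is sent."""
    dec_key = derive_key(aia.rand, res)
    kseaf = keystream_xor(dec_key, aia.enc_kseaf)
    if not hmac.compare_digest(sub_response(aia.rand, res, kseaf, 1), aia.sub_xres1):
        return None
    return kseaf, sub_response(aia.rand, res, kseaf, 2)


def ausf_verify_ac(rand: bytes, xres: bytes, kseaf: bytes, ac_sub_response: bytes) -> bool:
    """AUSF side: check the second sub-response in the 5G-AC against the second
    sub-expected response before treating the UE as authenticated."""
    return hmac.compare_digest(sub_response(rand, xres, kseaf, 2), ac_sub_response)


def run_exchange(rand: bytes, autn: bytes, xres: bytes, res: bytes, kseaf: bytes) -> bool:
    """Whole AUSF <-> SEAF exchange; True only if the SEAF recovers the session root key
    and the AUSF accepts the 5G-AC."""
    aia = ausf_build_aia(rand, autn, xres, kseaf)
    result = seaf_process(aia, res)
    if result is None:
        return False
    recovered, ac_sub_response = result
    return recovered == kseaf and ausf_verify_ac(rand, xres, kseaf, ac_sub_response)


if __name__ == "__main__":
    # Constructed sample values; in a real network RAND/XRES/K_SEAF come from the ARPF/USIM.
    RAND = bytes(range(16))
    AUTN = b"\xaa" * 16
    XRES = bytes.fromhex("0102030405060708")
    KSEAF = bytes(range(32))
    print("correct RES ->", run_exchange(RAND, AUTN, XRES, XRES, KSEAF))
    print("wrong RES   ->", run_exchange(RAND, AUTN, XRES, bytes(8), KSEAF))
```

With a wrong RES the SEAF derives a different key, the decrypted value is not the session root key, and the first sub-response check fails, so the SEAF never sends the 5G-AC.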
Example 16:
On the basis of the foregoing embodiments, an embodiment of the present invention further provides an electronic device, as shown in Fig. 12, including a processor 131, a communication interface 132, a memory 133 and a communication bus 134, wherein the processor 131, the communication interface 132 and the memory 133 communicate with each other through the communication bus 134;
the memory 133 stores therein a computer program that, when executed by the processor 131, causes the processor 131 to perform the authentication process described in embodiments 1-6 above.
The electronic device provided by the embodiment of the invention can be a desktop computer, a portable computer, a smart phone, a tablet computer, a Personal Digital Assistant (PDA), a network side device and the like.
The communication bus mentioned in the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface 132 is used for communication between the above-described electronic apparatus and other apparatuses.
The memory may include a random access memory (RAM) or a non-volatile memory (NVM), such as at least one disk memory. Alternatively, the memory may be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a central processing unit, a network processor (NP), and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit, a field-programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or the like.
Example 17:
On the basis of the foregoing embodiments, an embodiment of the present invention further provides a computer-readable storage medium, in which a computer program executable by an electronic device is stored, and when the program runs on the electronic device, the electronic device is caused to execute the authentication process described in the foregoing embodiments 1 to 6.
Example 18:
On the basis of the foregoing embodiments, an embodiment of the present invention further provides an electronic device, as shown in Fig. 13, including a processor 141, a communication interface 142, a memory 143 and a communication bus 144, wherein the processor 141, the communication interface 142 and the memory 143 communicate with each other through the communication bus 144;
the memory 143 stores therein a computer program that, when executed by the processor 141, causes the processor 141 to perform the authentication process described in embodiments 7 to 10 above.
The electronic device provided by the embodiment of the invention can be a desktop computer, a portable computer, a smart phone, a tablet computer, a Personal Digital Assistant (PDA), a network side device and the like.
The communication bus mentioned in the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface 142 is used for communication between the electronic device and other devices.
The memory may include a random access memory (RAM) or a non-volatile memory (NVM), such as at least one disk memory. Alternatively, the memory may be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a central processing unit, a network processor (NP), and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit, a field-programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or the like.
Example 19:
On the basis of the foregoing embodiments, an embodiment of the present invention further provides a computer-readable storage medium, in which a computer program executable by an electronic device is stored, and when the program runs on the electronic device, the electronic device is caused to execute the authentication process described in the foregoing embodiments 7 to 10.
The invention discloses an authentication method, an authentication device, an authentication system, authentication equipment and a storage medium, wherein the method comprises the following steps: the AUSF equipment receives an authentication vector containing a random number RAND, an authentication token AUTN, an expected response and a session root key, acquires an encryption key, and encrypts the session root key by adopting the encryption key, wherein the encryption key is determined according to the expected response and a preset algorithm; sending a 5G-AIA message including an RAND, an AUTN and an encrypted session root key to a security anchor point function SEAF device, so that the SEAF device sends the RAND and the AUTN to the UE after receiving the 5G-AIA message, generates a decryption key by adopting the preset algorithm according to an authentication response returned by the UE, and decrypts the encrypted session root key; and receiving a 5G authentication confirmation 5G-AC message sent by the SEAF equipment, and determining that the SEAF equipment completes the authentication of the UE, wherein the 5G-AC message is sent after the SEAF equipment successfully decrypts the encrypted session root key. 
In the embodiment of the invention, the AUSF equipment acquires the encryption key determined according to the expected response and the preset algorithm, encrypts the session root key by adopting the encryption key, sends the 5G-AIA message comprising the encrypted session root key to the SEAF equipment, and the SEAF equipment generates the decryption key by adopting the preset algorithm according to the authentication response returned by the UE and decrypts the encrypted session root key, so that the session root key plaintext is prevented from being transmitted between the AUSF equipment and the SEAF equipment, the transmission safety of the session root key is increased, the communication safety of a user is ensured, and the user experience is improved.
For the system/apparatus embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference may be made to some descriptions of the method embodiments for relevant points.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (43)

1. An authentication method, applied to an authentication service function (AUSF) device, comprising:
receiving an authentication vector containing a random number RAND, an authentication token AUTN, an expected response and a session root key, acquiring an encryption key, and encrypting the session root key by using the encryption key, wherein the encryption key is determined according to the expected response and a preset algorithm;
sending a 5G authentication start response 5G-AIA message comprising the RAND, the AUTN and the encrypted session root key to a security anchor point function SEAF device, so that the SEAF device sends the RAND and the AUTN to the UE after receiving the 5G-AIA message, generates a decryption key by adopting the preset algorithm according to an authentication response returned by the UE, and decrypts the encrypted session root key;
and receiving a 5G authentication confirmation 5G-AC message sent by the SEAF equipment, and determining that the SEAF equipment completes the authentication of the UE, wherein the 5G-AC message is sent after the SEAF equipment successfully decrypts the encrypted session root key.
2. The method of claim 1, wherein the obtaining an encryption key comprises:
generating a first key according to the expected response contained in the authentication vector and a preset algorithm, and acquiring an encryption key according to the generated first key; or
receiving a first key sent by an authentication credential storage and processing function (ARPF) device, and acquiring an encryption key according to the received first key, wherein the ARPF device generates the first key according to the expected response and a preset algorithm.
3. The method of claim 2, wherein obtaining an encryption key based on the first key comprises:
using the first key as an encryption key; or
intercepting a first set length in the first key as an encryption key according to a preset first method.
4. The method of claim 2, wherein prior to sending a 5G-AIA message to a SEAF device comprising the RAND, AUTN, and encrypted session root key, the method further comprises:
obtaining a first sub-expected response;
the sending the 5G-AIA message including the RAND, the AUTN and the encrypted session root key to the SEAF device includes:
sending a 5G-AIA message to the SEAF device including the RAND, the AUTN, the first sub-expected response, and the encrypted session root key.
5. The method of claim 4, wherein the obtaining the first sub-expected response comprises:
generating a first hash value according to the RAND, the expected response, the session root key and a preset first hash algorithm; intercepting a second set length from the first hash value as a first sub-expected response according to a preset second method; or
intercepting a third set length in the first key as a first sub-expected response according to a preset third method.
6. The method of claim 2, wherein prior to receiving the 5G authentication confirmation message sent by the SEAF device, the method further comprises:
obtaining a second sub-expected response;
the receiving a 5G-AC message sent by the SEAF device and determining that the SEAF device completes authentication of the UE comprises:
and receiving a 5G-AC message which is sent by the SEAF equipment and contains a second sub-response, verifying the second sub-response according to the second sub-expected response, and determining that the SEAF equipment completes the authentication of the UE if the verification is passed.
7. The method of claim 6, wherein the obtaining a second sub-expected response comprises:
generating a second hash value according to the RAND, the expected response, the session root key and a preset second hash algorithm; intercepting a fourth set length from the second hash value as a second sub-expected response according to a preset fourth method; or
intercepting a fifth set length in the first key as a second sub-expected response according to a preset fifth method.
8. The method of any of claims 2-7, wherein generating the first key based on the expected response and a predetermined algorithm comprises:
and generating a first secret key according to the RAND, the expected response and a preset algorithm.
9. An authentication method applied to a secure anchor function (SEAF) device, the method comprising:
receiving a 5G authentication start response 5G-AIA message sent by an AUSF device and comprising a random number RAND, an authentication token AUTN and an encrypted session root key, and sending the RAND and the AUTN to a UE, wherein the encrypted session root key in the 5G-AIA message is the session root key encrypted by the AUSF device, after receiving an authentication vector comprising the random number RAND, the authentication token AUTN, an expected response and the session root key, with an encryption key determined according to the expected response and a preset algorithm;
receiving an authentication response returned by the UE, determining a decryption key according to the authentication response and the preset algorithm, and decrypting the encrypted session root key;
and if the encrypted session root key is decrypted successfully, sending a 5G authentication confirmation 5G-AC message to the AUSF device.
10. The method of claim 9, wherein the determining a decryption key according to the authentication response and the predetermined algorithm comprises:
generating a second key according to the authentication response and a preset algorithm, and taking the second key as a decryption key; or
generating a second key according to the authentication response and a preset algorithm, and intercepting a first set length in the second key as a decryption key according to a preset first method.
11. The method of claim 10, wherein receiving the 5G-AIA message sent by the AUSF device containing the RAND, the AUTN, and the encrypted session root key comprises:
receiving a 5G-AIA message which is sent by AUSF equipment and contains RAND, AUTN, a first sub-expected response and an encrypted session root key;
before the sending the 5G-AC message to the AUSF device, the method further includes:
acquiring a first sub-response;
and verifying the first sub-response according to the first sub-expected response, and if the verification is passed, performing subsequent steps.
12. The method of claim 11, wherein the obtaining the first sub-response comprises:
generating a first check hash value according to the RAND, the authentication response, the session root key and a preset first hash algorithm; according to a preset second method, intercepting a second set length from the first check hash value as a first sub-response; or
intercepting a third set length in the second key as a first sub-response according to a preset third method.
13. The method of claim 10, wherein prior to the sending of the 5G-AC message to the AUSF device, the method further comprises:
acquiring a second sub-response;
the sending the 5G-AC message to the AUSF device includes:
and sending a 5G-AC message containing the second sub-response to the AUSF equipment.
14. The method of claim 13, wherein the obtaining a second sub-response comprises:
generating a second check hash value according to the RAND, the authentication response, the session root key and a preset second hash algorithm; according to a preset fourth method, intercepting a fourth set length from the second check hash value as a second sub-response; or
and intercepting a fifth set length from the second key as a second sub-response according to a preset fifth method.
15. The method of any of claims 10-14, wherein generating the second key based on the authentication response and a predetermined algorithm comprises:
and generating a second key according to the RAND, the authentication response and a preset algorithm.
16. An authentication apparatus, applied to an authentication service function, AUSF, device, the apparatus comprising:
the encryption module is used for receiving an authentication vector containing a random number RAND, an authentication token AUTN, an expected response and a session root key, acquiring an encryption key, and encrypting the session root key by adopting the encryption key, wherein the encryption key is determined according to the expected response and a preset algorithm;
a sending module, configured to send a 5G authentication initiation response 5G-AIA message including an RAND, an AUTN, and an encrypted session root key to a security anchor point function SEAF device, so that the SEAF device sends the RAND and the AUTN to a UE after receiving the 5G-AIA message, and generates a decryption key according to an authentication response returned by the UE by using the preset algorithm, and decrypts the encrypted session root key;
and the receiving determining module is used for receiving a 5G authentication confirmation 5G-AC message sent by the SEAF equipment and determining that the SEAF equipment completes the authentication of the UE, wherein the 5G-AC message is sent after the SEAF equipment successfully decrypts the encrypted session root key.
17. An authentication apparatus, applied to a security anchor function SEAF device, the apparatus comprising:
a transceiver module, configured to receive a 5G-AIA message sent by an AUSF device and including a random number RAND, an authentication token AUTN, and an encrypted session root key, and send the RAND and the AUTN to a UE, where the encrypted session root key in the 5G-AIA message is determined by the AUSF device, after receiving an authentication vector including the random number RAND, the authentication token AUTN, an expected response, and a session root key, according to the expected response and a preset algorithm;
the receiving decryption module is used for receiving the authentication response returned by the UE, determining a decryption key according to the authentication response and the preset algorithm, and decrypting the encrypted session root key;
and the sending module is used for sending a 5G authentication confirmation 5G-AC message to the AUSF device if the encrypted session root key is decrypted successfully.
18. An AUSF device comprising a memory, a processor, and a transceiver;
the processor is used for reading the program in the memory and executing the following processes: receiving an authentication vector containing a random number RAND, an authentication token AUTN, an expected response and a session root key through a transceiver, acquiring an encryption key, and encrypting the session root key by using the encryption key, wherein the encryption key is determined according to the expected response and a preset algorithm; sending a 5G authentication start response 5G-AIA message comprising an RAND, an AUTN and an encrypted session root key to a security anchor point function SEAF device, so that the SEAF device sends the RAND and the AUTN to UE after receiving the 5G-AIA message, generates a decryption key by adopting the preset algorithm according to an authentication response returned by the UE, and decrypts the encrypted session root key; and receiving a 5G authentication confirmation message 5G-AC sent by the SEAF equipment, and determining that the SEAF equipment completes the authentication of the UE, wherein the 5G-AC is sent after the SEAF equipment successfully decrypts the encrypted session root key.
19. The AUSF device of claim 18, wherein the processor is specifically configured to generate a first key according to an expected response included in the authentication vector and a preset algorithm, and obtain an encryption key according to the generated first key; or receive a first key sent by an ARPF device, and obtain an encryption key according to the received first key, wherein the ARPF device generates the first key according to an expected response and a preset algorithm.
20. The AUSF device of claim 19, wherein the processor is specifically configured to use the first key as the encryption key; or intercept a first set length from the first key as the encryption key according to a preset first method.
21. The AUSF device of claim 19, wherein the processor is further configured to obtain a first sub-expected response; sending, by the transceiver, a 5G-AIA message to the SEAF device including the RAND, the AUTN, the first sub-expected response, and the encrypted session root key.
22. The AUSF device of claim 21, wherein the processor is specifically configured to generate a first hash value based on the RAND, the expected response, the session root key, and a preset first hash algorithm, and intercept a second set length from the first hash value as the first sub-expected response according to a preset second method; or intercept a third set length from the first key as the first sub-expected response according to a preset third method.
23. The AUSF device of claim 19, wherein the processor is further configured to obtain a second sub-expected response; and receiving a 5G-AC message which is sent by the SEAF equipment and contains a second sub-response through the transceiver, verifying the second sub-response according to the second sub-expected response, and determining that the SEAF equipment completes the authentication of the UE if the verification is passed.
24. The AUSF device of claim 23, wherein the processor is specifically configured to generate a second hash value based on the RAND, the expected response, the session root key, and a preset second hash algorithm, and intercept a fourth set length from the second hash value as the second sub-expected response according to a preset fourth method; or intercept a fifth set length from the first key as the second sub-expected response according to a preset fifth method.
25. The AUSF device of any one of claims 19-24, wherein the processor is specifically configured to generate a first key based on the RAND, the expected response, and a predetermined algorithm.
26. A secure anchor function SEAF device, comprising: a memory, a processor, and a transceiver;
the processor is configured to read the program in the memory and execute the following processes: receiving, through the transceiver, a 5G authentication initiation response 5G-AIA message sent by an authentication service function AUSF device and including a random number RAND, an authentication token AUTN, and an encrypted session root key, and sending the RAND and the AUTN to a UE, wherein the encrypted session root key in the 5G-AIA message is determined by the AUSF device, after receiving an authentication vector including the random number RAND, the authentication token AUTN, an expected response, and the session root key, according to the expected response and a preset algorithm; receiving an authentication response returned by the UE, determining a decryption key according to the authentication response and the preset algorithm, and decrypting the encrypted session root key; and if the encrypted session root key is decrypted successfully, sending a 5G authentication confirmation 5G-AC message to the AUSF device.
27. The SEAF device of claim 26, wherein the processor is specifically configured to generate a second key according to the authentication response and a predetermined algorithm, and use the second key as a decryption key; or generating a second key according to the authentication response and a preset algorithm, and intercepting a first set length in the second key as a decryption key according to a preset first method.
28. The SEAF device of claim 27, wherein the processor is specifically configured to receive, via the transceiver, a 5G-AIA message sent by the AUSF device containing the RAND, the AUTN, the first sub-expected response, and the encrypted session root key; acquiring a first sub-response; and verifying the first sub-response according to the first sub-expected response, and if the verification is passed, performing subsequent steps.
29. The SEAF device of claim 28, wherein the processor is specifically configured to generate a first check hash value based on the RAND, an authentication response, a session root key, and a preset first hash algorithm; according to a preset second method, intercepting a second set length from the first check hash value as a first sub-response; or intercepting a third set length as a first sub-response in the second key according to a preset third method.
30. The SEAF device of claim 27, wherein the processor is further configured to obtain a second sub-response; transmitting, by a transceiver, a 5G-AC message including the second sub-response to the AUSF device.
31. The SEAF device of claim 30, wherein the processor is further configured to generate a second check hash value based on the RAND, an authentication response, a session root key, and a predetermined second hash algorithm; according to a preset fourth method, intercepting a fourth set length from the second check hash value as a second sub-response; or intercepting a fifth set length as a second sub-response in the second key according to a preset fifth method.
32. The SEAF device of any one of claims 27-31, wherein the processor is specifically configured to generate a second key based on the RAND, the authentication response, and a predetermined algorithm.
33. An authentication system, characterized in that the authentication system comprises a UE, an authentication service function AUSF device and a security anchor point function SEAF device; wherein:
the AUSF equipment is used for receiving an authentication vector containing a random number RAND, an authentication token AUTN, an expected response and a session root key, acquiring an encryption key, and encrypting the session root key by adopting the encryption key, wherein the encryption key is determined according to the expected response and a preset algorithm; sending a 5G authentication start response 5G-AIA message comprising the RAND, the AUTN and the encrypted session root key to the SEAF equipment;
the SEAF device is configured to receive a 5G-AIA message sent by the AUSF device and including the RAND, the AUTN and the encrypted session root key, and to send the RAND and the AUTN to the UE;
the UE is used for receiving the RAND and the AUTN sent by the SEAF equipment, generating an authentication response according to the RAND and the AUTN, and sending the authentication response to the SEAF equipment;
the SEAF equipment is further configured to receive an authentication response returned by the UE, determine a decryption key according to the authentication response and the preset algorithm, and decrypt the encrypted session root key; if the encrypted session root key is decrypted successfully, a 5G authentication confirmation 5G-AC message is sent to the AUSF device;
the AUSF equipment is further configured to receive a 5G-AC message sent by the SEAF equipment, and determine that the SEAF equipment completes authentication on the UE.
34. The system according to claim 33, wherein the AUSF device is specifically configured to generate a first key according to an expected response included in the authentication vector and a preset algorithm, and obtain an encryption key according to the generated first key; or receive a first key sent by an ARPF device, and obtain an encryption key according to the received first key, wherein the ARPF device generates the first key according to an expected response and a preset algorithm; wherein obtaining an encryption key from the first key comprises: using the first key as the encryption key; or intercepting a first set length from the first key as the encryption key according to a preset first method;
the SEAF device is specifically configured to generate a second key according to the authentication response and a preset algorithm, and use the second key as a decryption key; or generating a second key according to the authentication response and a preset algorithm, and intercepting a first set length in the second key as a decryption key according to a preset first method.
35. The system of claim 34, wherein the AUSF device is further configured to obtain a first sub-expected response; sending a 5G-AIA message including the RAND, the AUTN, the first sub-expected response and the encrypted session root key to the SEAF device;
the SEAF device is specifically configured to receive a 5G-AIA message that includes the RAND, the AUTN, the first sub-expected response, and the encrypted session root key and is sent by the AUSF device; acquiring a first sub-response; and verifying the first sub-response according to the first sub-expected response, and if the first sub-response passes the verification, sending a 5G-AC message to the AUSF device.
36. The system according to claim 35, wherein the AUSF device is specifically configured to generate a first hash value based on the RAND, the expected response, the session root key, and a preset first hash algorithm, and intercept a second set length from the first hash value as the first sub-expected response according to a preset second method; or intercept a third set length from the first key as the first sub-expected response according to a preset third method;
the SEAF device is specifically configured to generate a first check hash value according to the RAND, the authentication response, the session root key and a preset first hash algorithm; according to a preset second method, intercepting a second set length from the first check hash value as a first sub-response; or intercepting a third set length as a first sub-response in the second key according to a preset third method.
37. The system of claim 36, wherein the AUSF device is further configured to obtain a second sub-expected response;
the SEAF equipment is also used for acquiring a second sub-response; sending a 5G authentication confirmation message containing the second sub-response to the AUSF equipment;
the AUSF device is specifically configured to receive a 5G authentication confirmation message including a second sub-response sent by the SEAF device, verify the second sub-response according to the second sub-expected response, and determine that the SEAF device completes authentication of the UE if the verification passes.
38. The system according to claim 37, wherein the AUSF device is specifically configured to generate a second hash value based on the RAND, the expected response, the session root key, and a preset second hash algorithm, and intercept a fourth set length from the second hash value as the second sub-expected response according to a preset fourth method; or intercept a fifth set length from the first key as the second sub-expected response according to a preset fifth method;
the SEAF device is specifically configured to generate a second check hash value according to the RAND, the authentication response, the session root key and a preset second hash algorithm; according to a preset fourth method, intercepting a fourth set length from the second check hash value as a second sub-response; or intercepting a fifth set length as a second sub-response in the second key according to a preset fifth method.
39. The system according to any of claims 34-38, wherein the AUSF device is specifically configured to generate a first key according to the RAND, the expected response and a preset algorithm;
the SEAF device is specifically configured to generate a second key according to the RAND, the authentication response, and a preset algorithm.
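The exchange of claims 33 to 39 (and, on the SEAF side, method claims 10 to 15) carried through end to end, as an added example in Python that is not part of the patent or of any 3GPP implementation. Everything the claims leave open is an assumption made here: the "preset algorithm" is HMAC-SHA256 keyed with the (expected) response over RAND; the "preset methods" are fixed byte ranges of that key (first 16 bytes as the encryption key, last 8 bytes as the first sub-expected response, the second alternative of claims 22 and 36); the second sub-response is a truncated SHA-256 over RAND, RES and the session root key (claims 24 and 38); the session root key is wrapped with an encrypt-then-MAC construction so that "decrypted successfully" is a checkable event; and `f_res` is a stand-in for the AKA response function shared by the UE and the ARPF. All names, lengths and sample keys are constructed.

```python
import hashlib
import hmac
import secrets

# --- building blocks (constructed stand-ins; the claims leave these unspecified) ---

def derive_key(rand: bytes, response: bytes) -> bytes:
    """'Preset algorithm': HMAC-SHA256 keyed with RES/XRES over RAND.
    AUSF calls it with XRES (first key), SEAF with RES (second key)."""
    return hmac.new(response, rand + b"kseaf-wrap", hashlib.sha256).digest()

def truncate(value: bytes, length: int) -> bytes:
    """'Preset method': keep the leading `length` bytes."""
    return value[:length]

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream."""
    out = b""
    for counter in range((n + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def _split(key: bytes):
    """Separate stream and MAC subkeys from the (de)cryption key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def wrap_key(enc_key: bytes, k_seaf: bytes) -> bytes:
    """Encrypt-then-MAC wrap of the session root key; layout nonce(16) || ct || tag(16)."""
    ks_key, mac_key = _split(enc_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(k_seaf, _keystream(ks_key, nonce, len(k_seaf))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def unwrap_key(dec_key: bytes, blob: bytes):
    """Return K_SEAF, or None when the tag fails (the claims' 'decryption unsuccessful')."""
    if len(blob) < 32:
        return None
    ks_key, mac_key = _split(dec_key)
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(ks_key, nonce, len(ct))))

def sub_response(rand: bytes, response: bytes, k_seaf: bytes, length: int = 16) -> bytes:
    """Claims 24/38: hash over RAND, (X)RES and the session root key, then truncate."""
    return truncate(hashlib.sha256(b"5G-AC" + rand + response + k_seaf).digest(), length)

def f_res(ue_key: bytes, rand: bytes) -> bytes:
    """Stand-in for the AKA response function shared by the UE and the ARPF."""
    return hmac.new(ue_key, rand, hashlib.sha256).digest()[:16]

# --- protocol roles ---

def arpf_authentication_vector(ue_key: bytes) -> dict:
    rand = secrets.token_bytes(16)
    autn = secrets.token_bytes(16)  # opaque here; UE-side AUTN checking is out of scope
    return {"rand": rand, "autn": autn, "xres": f_res(ue_key, rand),
            "k_seaf": secrets.token_bytes(32)}

def ausf_build_5g_aia(av: dict) -> dict:
    k1 = derive_key(av["rand"], av["xres"])
    # Claim 34: the encryption key is a first set length of the first key; claim 36
    # (second alternative): the sub-expected response is another set length of the same
    # key. The two ranges must not overlap, or the 5G-AIA would expose encryption-key bytes.
    enc_key, sub_xres = truncate(k1, 16), k1[-8:]
    return {"rand": av["rand"], "autn": av["autn"], "sub_xres": sub_xres,
            "enc_k_seaf": wrap_key(enc_key, av["k_seaf"])}

def seaf_handle_res(aia: dict, res: bytes):
    """Returns (k_seaf, 5G-AC message), or None when authentication must stop."""
    k2 = derive_key(aia["rand"], res)
    # Claim 35: verify the first sub-response before any further step, so a RES that
    # does not match XRES is rejected without attempting decryption.
    if not hmac.compare_digest(k2[-8:], aia["sub_xres"]):
        return None
    k_seaf = unwrap_key(truncate(k2, 16), aia["enc_k_seaf"])
    if k_seaf is None:
        return None  # claim 33: no 5G-AC unless decryption succeeded
    return k_seaf, {"sub_res": sub_response(aia["rand"], res, k_seaf)}

def ausf_verify_5g_ac(av: dict, ac: dict) -> bool:
    """Claim 37: AUSF checks that SEAF holds the right K_SEAF, not merely that it replied."""
    return hmac.compare_digest(ac["sub_res"],
                               sub_response(av["rand"], av["xres"], av["k_seaf"]))

def run_authentication(arpf_ue_key: bytes, device_ue_key: bytes) -> dict:
    av = arpf_authentication_vector(arpf_ue_key)
    aia = ausf_build_5g_aia(av)               # AUSF -> SEAF: 5G-AIA
    res = f_res(device_ue_key, aia["rand"])   # SEAF -> UE: RAND, AUTN; UE -> SEAF: RES
    outcome = seaf_handle_res(aia, res)
    if outcome is None:
        return {"seaf_has_k_seaf": False, "ausf_accepts": False}
    k_seaf, ac = outcome                      # SEAF -> AUSF: 5G-AC
    return {"seaf_has_k_seaf": k_seaf == av["k_seaf"],
            "ausf_accepts": ausf_verify_5g_ac(av, ac)}

if __name__ == "__main__":
    key = secrets.token_bytes(16)
    print(run_authentication(key, key))                       # both True
    print(run_authentication(key, secrets.token_bytes(16)))   # both False
```

Two design points worth noticing. The claims make "decrypted successfully" the trigger for 5G-AC, which only means something if the wrapping is authenticated; an unauthenticated cipher would happily "decrypt" under a wrong RES-derived key and yield garbage, so the wrap above carries a tag. And the first sub-response lets SEAF reject a wrong RES before it ever touches the wrapped key, while the second sub-response lets AUSF distinguish a SEAF that really recovered K_SEAF from one that merely sent a confirmation.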
40. An electronic device, comprising: the system comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory complete mutual communication through the communication bus;
the memory has stored therein a computer program which, when executed by the processor, causes the processor to carry out the steps of the method of any of claims 1-8.
41. An electronic device, comprising: the system comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory complete mutual communication through the communication bus;
the memory has stored therein a computer program which, when executed by the processor, causes the processor to carry out the steps of the method of any of claims 9-15.
42. A computer-readable storage medium, having stored thereon a computer program executable by an electronic device, for causing the electronic device to perform the steps of the method of any one of claims 1-8, when the program is run on the electronic device.
43. A computer-readable storage medium, having stored thereon a computer program executable by an electronic device, for causing the electronic device to perform the steps of the method of any one of claims 9-15, when the program is run on the electronic device.
CN201710633597.7A 2017-07-28 2017-07-28 Authentication method, device, system, equipment and storage medium Active CN109309566B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710633597.7A CN109309566B (en) 2017-07-28 2017-07-28 Authentication method, device, system, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710633597.7A CN109309566B (en) 2017-07-28 2017-07-28 Authentication method, device, system, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN109309566A CN109309566A (en) 2019-02-05
CN109309566B true CN109309566B (en) 2021-06-08

Family

ID=65205173

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710633597.7A Active CN109309566B (en) 2017-07-28 2017-07-28 Authentication method, device, system, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN109309566B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111654861B (en) * 2019-03-04 2023-05-09 中国移动通信有限公司研究院 Authentication method, authentication device, authentication equipment and computer readable storage medium
CN111835691B (en) * 2019-04-22 2022-09-27 中国移动通信有限公司研究院 Authentication information processing method, terminal and network equipment
CN113141327B (en) * 2020-01-02 2023-05-09 中国移动通信有限公司研究院 Information processing method, device and equipment
CN113472634B (en) * 2021-06-30 2023-08-18 完美世界(北京)软件科技发展有限公司 Instant messaging method, device and system, storage medium and electronic device
CN115277194A (en) * 2022-07-27 2022-11-01 歌尔科技有限公司 Product authentication method, wearable device, watchband and storage medium

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106714153B (en) * 2015-11-13 2022-06-10 华为技术有限公司 Key distribution, generation and reception method and related device
CN109309648B (en) * 2017-07-27 2021-06-04 中国移动通信有限公司研究院 Information transmission method and equipment

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
3GPP TS 33.501 V0.21.0 (2017-035), 2017 *
NTT-Docomo, 3rd Generation Partnership Project *

Also Published As

Publication number Publication date
CN109309566A (en) 2019-02-05

Similar Documents

Publication Publication Date Title
US11323276B2 (en) Mutual authentication of confidential communication
CN109309566B (en) Authentication method, device, system, equipment and storage medium
US11432150B2 (en) Method and apparatus for authenticating network access of terminal
JP6399382B2 (en) Authentication system
CN105553951A (en) Data transmission method and data transmission device
AU2016211551A1 (en) Methods for secure credential provisioning
CN103415008A (en) Encryption communication method and encryption communication system
CN110198295A (en) Safety certifying method and device and storage medium
CN102780698A (en) User terminal safety communication method in platform of Internet of Things
CN106576043A (en) Virally distributable trusted messaging
JP2020530726A (en) NFC tag authentication to remote servers with applications that protect supply chain asset management
CN104901935A (en) Bilateral authentication and data interaction security protection method based on CPK (Combined Public Key Cryptosystem)
CA3178180A1 (en) Constructing a distributed ledger transaction on a cold hardware wallet
US20230188325A1 (en) Computer-implemented system and method for highly secure, high speed encryption and transmission of data
US11528127B2 (en) Computer-implemented system and method for highly secure, high speed encryption and transmission of data
CN114143117A (en) Data processing method and device
WO2018076798A1 (en) Method and apparatus for transmitting data
US9876774B2 (en) Communication security system and method
KR101793528B1 (en) Certificateless public key encryption system and receiving terminal
CN114065170A (en) Method and device for acquiring platform identity certificate and server
Sinha et al. A Secure Three-Party Authenticated Key Exchange Protocol for Social Networks.
EP3361670B1 (en) Multi-ttp-based method and device for verifying validity of identity of entity
CN111656729A (en) System and method for computing escrow session key and private session key for encoding digital communications between two devices
JP2014220668A (en) Transmission side device and reception side device
KR101591323B1 (en) Data transmission terminal apparatus and data transmission method for non-repudiation of the data transmission terminal apparatus

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant