CN109309648B - Information transmission method and equipment - Google Patents
Information transmission method and equipment Download PDFInfo
- Publication number
- CN109309648B CN109309648B CN201710624654.5A CN201710624654A CN109309648B CN 109309648 B CN109309648 B CN 109309648B CN 201710624654 A CN201710624654 A CN 201710624654A CN 109309648 B CN109309648 B CN 109309648B
- Authority
- CN
- China
- Prior art keywords
- information
- root key
- session root
- seaf
- ausf
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0822—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/083—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
- H04L9/0833—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key
- H04L9/0836—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key using tree structure or hierarchical structure
Abstract
The invention relates to an information transmission method and equipment, which are used for solving the problem of potential safety hazard in a transmission mode of a session root key in the prior art. When the session root key is transmitted, the AUSF determines to encrypt the session root key after receiving the message that the terminal verification is successful, and returns the encrypted session root key to the SEAF, and the SEAF decrypts the encrypted session root key to obtain the session root key. The AUSF generates the encrypted session root key after receiving the verification message, and returns the encrypted session root key to the SEAF, and the SEAF decrypts the encrypted session root key to obtain the session root key, so that the security of the session root key during transmission is improved.
Description
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and an apparatus for transmitting information.
Background
An authentication protocol is a cryptographic protocol for verifying the authenticity of the identity of a communicating entity in real time, which is often accompanied by a session key establishment function in addition to authentication, and is therefore also often referred to as an authentication key establishment protocol.
EAP-AKA' (extended Authentication key agreement protocol) is used as an Authentication protocol for 3GPP (third generation partnership project) users and non-3 GPP users to access a network in a 5G network, and a termination point for authenticating the users to the network is AUSF (Authentication Server Function) in a home network. In the authentication process of EAP-AKA', the UE (terminal) and the AUSF perform bidirectional authentication first, and after the AUSF completes authentication of the UE, the AUSF sends a session root key MSK to a SEAF (Security Anchor Function) of the roaming network, thereby completing transmission of the session root key.
EAP-AKA' assumes the link between the AUSF and SEAF to be secure during transmission, but according to some other attack situations suffered by the link, the link between the AUSF and SEAF is not secure, and through the link between the AUSF and SEAF, an attacker may monitor the roaming network communication by obtaining the session root key MSK to obtain the communication content.
To sum up, in the prior art, there is a potential safety hazard in the way of transmitting the session root key
Disclosure of Invention
The invention provides a method and equipment for transmitting a root key, which are used for solving the problem of potential safety hazard in a transmission mode of a session root key in the prior art.
The embodiment of the invention provides an information transmission method, which comprises the following steps:
after receiving a message of successful authentication of the SEAF terminal, the AUSF determines an encrypted session root key, wherein the encrypted session root key is obtained by encrypting the session root key according to network information;
the AUSF sends the encrypted session root key and EAP (Extensible Authentication protocol) success information to the SEAF together.
The embodiment of the invention provides an information transmission method, which comprises the following steps:
after the SEAF successfully verifies the terminal, sending a terminal verification success message to the AUSF;
after receiving the encrypted session root key and the EAP success information sent by the AUSF, the SEAF sends the EAP success information to the terminal, wherein the encrypted session root key is obtained by encrypting according to network information;
and the SEAF decrypts the encrypted session root key according to the received decryption information from the terminal to obtain the session root key, wherein the decryption information is obtained by encrypting according to network information.
The embodiment of the invention provides an information transmission method, which comprises the following steps:
the terminal receives EAP success information sent by the SEAF;
and the terminal sends decryption information obtained by encrypting according to network information to the SEAF so that the SEAF decrypts the encrypted session root key from the AUSF according to the decryption information.
The embodiment of the invention provides an information transmission method, which comprises the following steps:
after receiving an Authentication Credential storage and Processing Function from the AUSF, the ARPF generates encryption information according to network information;
and the ARPF sends the encryption information to the AUSF so that the AUSF encrypts a session root key according to the encryption information and then sends the encrypted session root key to the SEAF.
An embodiment of the present invention provides an apparatus for information transmission, including: at least one processing unit, and at least one memory unit, wherein the memory unit stores program code that, when executed by the processing unit, causes the processing unit to perform the following:
after receiving a message of successful authentication of the SEAF terminal, determining an encrypted session root key, wherein the encrypted session root key is obtained by encrypting according to network information;
and sending the encrypted session root key and the EAP success information to the SEAF.
An embodiment of the present invention provides an apparatus for information transmission, including: at least one processing unit, and at least one memory unit, wherein the memory unit stores program code that, when executed by the processing unit, causes the processing unit to perform the following:
after the SEAF successfully verifies the terminal, sending a terminal verification success message to the AUSF;
after receiving an encrypted session root key and EAP success information sent by the AUSF, sending the EAP success information to the terminal, wherein the encrypted session root key is obtained by encrypting according to network information;
and decrypting the encrypted session root key according to the received decryption information from the terminal to obtain the session root key, wherein the decryption information is obtained after encryption according to network information.
An embodiment of the present invention provides an apparatus for information transmission, including: at least one processing unit, and at least one memory unit, wherein the memory unit stores program code that, when executed by the processing unit, causes the processing unit to perform the following:
receiving EAP success information sent by the SEAF; and sending decryption information obtained by encrypting according to network information to the SEAF so that the SEAF decrypts the received encrypted session root key from the AUSF according to the decryption information.
An embodiment of the present invention provides an apparatus for information transmission, including: at least one processing unit, and at least one memory unit, wherein the memory unit stores program code that, when executed by the processing unit, causes the processing unit to perform the following:
after receiving an authentication vector request message from the AUSF, generating encryption information according to network information, and sending the encryption information to the AUSF, so that the AUSF encrypts a session root key according to the encryption information and sends the encrypted session root key to the SEAF.
An embodiment of the present invention provides an apparatus for information transmission, including:
the first receiving module is used for receiving a terminal verification success message of the SEAF;
a first execution module to determine an encrypted session root key;
and the first sending module is used for sending the encrypted session root key and the EAP success information to the SEAF.
An embodiment of the present invention provides an apparatus for information transmission, including:
a second receiving module, configured to receive an encrypted session root key and EAP success information sent by the AUSF;
the second execution module is used for decrypting the encrypted session root key according to the received decryption information from the terminal to obtain a session root key, wherein the decryption information is obtained after encryption is carried out according to network information;
and the second sending module is used for sending the EAP success information to the terminal.
An embodiment of the present invention provides an apparatus for information transmission, including:
a third receiving module, configured to receive EAP success information sent by the SEAF;
the third execution module is used for carrying out encryption according to the network information to obtain decryption information;
and the third sending module is used for sending the decryption information obtained by encrypting according to the network information to the SEAF.
An embodiment of the present invention provides an apparatus for information transmission, including:
a fourth receiving module, configured to receive an authentication vector request message from the AUSF;
the fourth execution module is used for generating encryption information according to the network information;
and the fourth sending module is used for sending the encrypted information generated according to the network information to the AUSF.
The embodiment of the invention provides a method and equipment for transmitting information, wherein when session root key transmission is carried out, an AUSF (autonomous Underwater user interface) determines to encrypt the session root key after receiving a message of successful terminal verification, and returns the encrypted session root key to an SEAF (session initiation function), and the SEAF decrypts the encrypted session root key to obtain the session root key. The AUSF generates the encrypted session root key after receiving the verification message, and returns the encrypted session root key to the SEAF, and the SEAF decrypts the encrypted session root key to obtain the session root key, so that the security of the session root key during transmission is improved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise.
FIG. 1 is a schematic diagram of a system according to an embodiment of the present invention;
FIG. 2 is a block diagram of a first apparatus for performing information transfer in accordance with an embodiment of the present invention;
FIG. 3 is a block diagram of a second apparatus for information transfer in accordance with an embodiment of the present invention;
FIG. 4 is a block diagram of a third apparatus for information transfer in accordance with an embodiment of the present invention;
FIG. 5 is a block diagram of a fourth apparatus for information transmission according to an embodiment of the present invention
FIG. 6 is a schematic diagram of a first apparatus according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of a second apparatus according to an embodiment of the present invention;
FIG. 8 is a schematic view of a third apparatus according to an embodiment of the present invention;
FIG. 9 is a schematic diagram of a fourth apparatus according to an embodiment of the present invention;
FIG. 10 is a flowchart illustrating a method of information transmission according to an embodiment of the present invention;
FIG. 11 is a flowchart illustrating a method of information transmission according to an embodiment of the present invention;
FIG. 12 is a flowchart illustrating a method of information transmission according to an embodiment of the present invention;
FIG. 13 is a flowchart illustrating a method of information transmission according to an embodiment of the present invention;
FIG. 14 is a flowchart illustrating a first method for transmitting information according to a first embodiment of the present invention;
fig. 15 is a flowchart illustrating a complete method for transmitting information according to a second embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As shown in fig. 1, the system for root key transmission according to the embodiment of the present invention includes: AUSF 10, SEAF20, and terminal 30.
The SEAF20 is used for sending a terminal verification success message to the AUSF after the terminal verification is successful; after receiving an encrypted session root key and EAP success information sent by AUSF, sending the EAP success information to the terminal; and according to the received decryption information and the encrypted session root key which are encrypted according to the network information from the terminal, decrypting to obtain the session root key.
The terminal 30 is used for receiving EAP success information sent by the SEAF; and sending decryption information obtained by encrypting according to network information to the SEAF so that the SEAF decrypts the received encrypted session root key from the AUSF according to the decryption information.
When the session root key is transmitted, the AUSF determines to encrypt the session root key after receiving the message that the terminal verification is successful, and returns the encrypted session root key to the SEAF, and the SEAF decrypts the encrypted session root key to obtain the session root key. The AUSF generates the encrypted session root key after receiving the verification message, and returns the encrypted session root key to the SEAF, and the SEAF decrypts the encrypted session root key to obtain the session root key, so that the security of the session root key during transmission is improved.
The AUSF encrypts the session root key according to the network information to obtain the encrypted session root key. In implementation, the AUSF may obtain the encrypted session root key after receiving the authentication vector response message from the ARPF, may obtain the encrypted session root key after receiving the terminal verification success message of the SEAF, and may obtain the encrypted session root key at any time before the encrypted session root key needs to be sent.
Optionally, there are many ways for the AUSF to obtain the encrypted session root key after encrypting the session root key according to the network information in the embodiment of the present invention, and one is listed below. It should be noted that the following manners are only examples, and any manner capable of encrypting the session root key to obtain the encrypted session root key is applicable to the embodiment of the present invention.
And the AUSF performs exclusive-OR operation on the encryption information and the session root key to obtain an encrypted session root key.
One possible expression is:
MSK*=MSK⊕MASK。
wherein ≧ represents exclusive or; MSK denotes the session root key; MSK denotes the encrypted session root key; MASK (MASK value) represents encryption information.
The encrypted information has two generation modes:
and in the generation mode 1, the AUSF performs hash operation on the network information to obtain the encrypted information.
Specifically, the AUSF performs hash operation on the network information to obtain the encrypted information.
The network information includes, but is not limited to, part or all of the following information:
IK ', CK', RES, RAND and roaming network name.
Wherein IK' is an integrity check key; CK' is an encryption key; RES is the expected response; RAND is a random number.
If the network information includes IK ', CK', RES, RAND and a roaming network name, one possible expression is:
MASK is PRF (IK ', CK', RES, RAND, roaming network name), where PRF is a hash function, and may be a function such as SHA-512, SHA-3-512, and the like.
The AUSF may determine the encryption information at any time before the encrypted session root key needs to be determined. Such as after receiving an authentication vector response message from the ARPF; for example after receiving a terminal verification success message of the SEAF.
And the generation mode 2 is that the AUSF receives the encrypted information obtained by carrying out hash operation on the network information by the ARPF.
For the generation mode 2, the manner of generating the encryption information by the ARPF is similar to the manner of generating the encryption information by the AUSF in the generation mode 1, and is not described herein again.
ARPF after forming the encryption information, the ARPF places the authentication vector AV and the encryption information in an authentication vector response message AV-Res, and sends AV-Res to AUSF.
Optionally, the AUSF sends the encrypted session root key and EAP success information together to the SEAF;
correspondingly, after receiving the encrypted session root key and the EAP success information sent by the AUSF, the SEAF reserves the EAP success information and sends the encrypted session root key to the terminal;
after receiving the EAP success information, the terminal generates decryption information MASK according to the network information and sends the decryption information MASK to the SEAF;
and the SEAF carries out XOR operation on the received decryption information and the reserved encrypted session root key to recover the session root key.
One possible expression is: MSK ═ MSK ≦ MASK.
Wherein ≧ represents exclusive or; MASK denotes decryption information.
The method for generating the decryption information MASK by the terminal is similar to the above-mentioned manner for generating the encryption information, and is not described herein again.
In order to further improve the reliability of transmitting the session root key, the embodiment of the invention also provides a scheme for performing integrity verification on the session root key.
Specifically, the AUSF sends a message authentication code for verifying the integrity of the session root key, the encrypted session root key, and the EAP success information to the SEAF.
Optionally, the AUSF generates the message verification code according to the following manner:
and the AUSF generates the message authentication code through a message authentication algorithm according to the session root key, the encrypted session root key and the EAP success information.
One possible expression is:
MAC ═ KDF (MSK, MSK | "EAP-success").
Where |, denotes a connection.
The KDF is a message authentication operation, and may be set as needed, for example, to be HMAC.
Correspondingly, the SEAF receives the message authentication code, the encrypted session root key and the EAP success information sent by the AUSF, reserves the received message authentication code and the encrypted session root key, and sends the EAP success information to the terminal;
correspondingly, the terminal receives the EAP success information and sends decryption information MASK generated according to the network information to the SEAF;
and the SEAF carries out XOR operation on the received decryption information and the reserved encrypted session root key to recover the session root key.
When the session root key is subjected to integrity verification, the method for the SEAF to recover the session root key is the same as the method for the SEAF to recover the session root key when the session root key is not subjected to integrity verification, and details are not described herein again.
The method for generating the decryption information MASK by the terminal is similar to the above-mentioned manner for generating the encryption information, and is not described herein again.
Optionally, after obtaining the session root key, the SEAF may verify the integrity of the obtained session root key according to the message verification algorithm, specifically:
the SEAF generates a message verification code to be verified through a message verification algorithm according to the obtained session root key, the received encrypted session root key and the EAP success information;
and the SEAF judges whether the message verification code to be verified is the same as the received message verification code, if so, the verification is determined to be passed, otherwise, the verification is determined to be failed.
The SEAF performs message authentication operation according to the recovered session root key and the received message authentication code MAC to obtain a new message authentication code SMAC to be authenticated, and one feasible expression is as follows:
SMAC ═ KDF (MSK, MSK | "EAP-success").
Wherein, the SMAC represents a message authentication code to be authenticated; KDF denotes message authentication operations.
The SEAF compares whether a message verification code SMAC to be verified is the same as the received message verification code MAC, if so, the verification is determined to be passed, and a session root key is not tampered in the transmission process; otherwise, determining that the verification fails and determining that the session root key is tampered in the transmission process.
As shown in fig. 2, a first structure of an apparatus for information transmission according to an embodiment of the present invention includes: at least one processing unit 200, and at least one memory unit 201, wherein the memory unit stores program code that, when executed by the processing unit, causes the processing unit to perform the following:
after receiving a message of successful authentication of the SEAF terminal, determining an encrypted session root key, wherein the encrypted session root key is obtained by encrypting according to network information;
and the AUSF sends the encrypted session root key and EAP success information to the SEAF.
Optionally, the processing unit is specifically configured to generate the encrypted session root key according to the following manner:
and the AUSF performs exclusive OR operation on the encryption information and the session root key to obtain the encryption session root key.
Optionally, the processing unit is further configured to:
before the AUSF performs XOR operation on encryption information obtained by performing hash operation on network information and a session root key to obtain an encryption session root key, the AUSF performs hash operation on the network information to obtain the encryption information; or
And receiving the encryption information obtained by carrying out hash operation on the network information by the ARPF.
Optionally, the processing unit is further specifically configured to:
and sending a message authentication code for verifying the integrity of the session root key, the encrypted session root key and the EAP success information to the SEAF.
Optionally, the processing unit is configured to:
and generating the message authentication code through a message authentication algorithm according to the session root key, the encrypted session root key and the EAP success information.
As shown in fig. 3, a second structure of an apparatus for information transmission according to an embodiment of the present invention includes: at least one memory unit 300, and at least one processing unit 301, wherein the memory unit stores program code that, when executed by the processing unit, causes the processing unit to perform the following:
after the SEAF successfully verifies the terminal, sending a terminal verification success message to the AUSF;
after receiving an encrypted session root key and EAP success information sent by the AUSF, sending the EAP success information to the terminal, wherein the encrypted session root key is obtained by encrypting according to network information;
and decrypting the encrypted session root key according to the received decryption information from the terminal to obtain the session root key, wherein the decryption information is obtained after encryption according to network information.
Optionally, the processing unit is specifically configured to:
and carrying out XOR operation on the received decryption information from the terminal and the encrypted session root key to obtain the session root key.
Optionally, the processing unit is further configured to:
before sending EAP success information to the terminal, receiving a message authentication code, an encrypted session root key and EAP success information sent by the AUSF;
and after the encrypted session root key is decrypted by the received decryption information from the terminal to obtain the session root key, verifying the integrity of the obtained session root key according to the message verification code.
Optionally, the processing unit is configured to:
generating a message verification code to be verified through a message verification algorithm according to the obtained session root key, the received encrypted session root key and the EAP success information;
and judging whether the message verification code to be verified is the same as the received message verification code, if so, determining that the verification is passed, otherwise, determining that the verification fails.
As shown in fig. 4, a third structure of an apparatus for information transmission according to an embodiment of the present invention includes: at least one memory unit 400, and at least one processing unit 401, wherein said memory unit stores program code which, when executed by said processing unit, causes said processing unit to perform the following processes:
receiving EAP success information sent by the SEAF; and sending decryption information obtained by encrypting according to network information to the SEAF so that the SEAF decrypts the received encrypted session root key from the AUSF according to the decryption information.
As shown in fig. 5, a fourth structure of an apparatus for information transmission according to an embodiment of the present invention includes: at least one memory unit 500, and at least one processing unit 501, wherein the memory unit stores program code that, when executed by the processing unit, causes the processing unit to perform the following:
after receiving an authentication vector request message from the AUSF, generating encryption information according to network information, and sending the encryption information to the AUSF, so that the AUSF encrypts a session root key according to the encryption information and sends the encrypted session root key to the SEAF.
As shown in fig. 6, the apparatus of the first of the present examples includes:
a first receiving module 600, configured to receive a successful verification message of the SEAF terminal;
a first execution module 601, configured to determine an encrypted session root key;
a first sending module 602, configured to send the encrypted session root key and the EAP success information to the SEAF.
Optionally, the first executing module 601 is configured to:
and carrying out XOR operation on the encryption information and the session root key to obtain the encryption session root key.
Optionally, the first executing module 601 is further configured to:
carrying out XOR operation on encrypted information obtained by carrying out Hash operation on network information and a session root key to obtain the encrypted session root key, and carrying out Hash operation on the network information to obtain the encrypted information; or receiving the encryption information obtained by carrying out hash operation on the network information by the ARPF.
Optionally, the first executing module 601 is configured to:
and generating the message authentication code through a message authentication algorithm according to the session root key, the encrypted session root key and the EAP success information.
Optionally, the first sending module 602 is further configured to:
and sending a message authentication code for verifying the integrity of the session root key, the encrypted session root key and the EAP success information to the SEAF.
As shown in fig. 7, the apparatus of the second example of the present invention includes:
a second receiving module 700, configured to receive an encrypted session root key and EAP success information sent by the AUSF;
a second executing module 701, configured to decrypt the encrypted session root key according to the received decryption information from the terminal to obtain a session root key, where the decryption information is obtained by encrypting according to network information;
a second sending module 702, configured to send the EAP success information to the terminal.
Optionally, the second receiving module 700 is configured to:
and before sending the EAP success information to the terminal, receiving the message authentication code, the encrypted session root key and the EAP success information sent by the AUSF.
And after the encrypted session root key is decrypted by the received decryption information from the terminal to obtain the session root key, verifying the integrity of the obtained session root key according to the message verification code.
Optionally, the second execution module 701 is configured to:
and carrying out XOR operation on the received decryption information from the terminal and the encrypted session root key to obtain the session root key.
Optionally, the second executing module 701 is further configured to:
generating a message verification code to be verified through a message verification algorithm according to the obtained session root key, the received encrypted session root key and the EAP success information;
and judging whether the message verification code to be verified is the same as the received message verification code, if so, determining that the verification is passed, otherwise, determining that the verification fails.
As shown in fig. 8, the third apparatus of the present embodiment includes:
a third receiving module 800, configured to receive EAP success information sent by the SEAF;
a third executing module 801, configured to encrypt, according to the network information, to obtain decryption information;
a third sending module 802, configured to send, to the SEAF, decryption information obtained by encrypting according to the network information.
As shown in fig. 9, a fourth apparatus of an example of the present invention includes:
a fourth receiving module 900, configured to receive an authentication vector request message from the AUSF;
a fourth executing module 901, configured to generate encryption information according to the network information;
a fourth sending module 902, configured to send, to the AUSF, encryption information generated according to the network information.
Based on the same inventive concept, the embodiment of the present invention further provides an information transmission method, and since the device corresponding to the method is the first network element in the system for performing information transmission in the embodiment of the present invention, and the principle of the method for solving the problem is similar to that of the device, the implementation of the method can refer to the implementation of the system, and repeated details are not repeated.
In some possible embodiments, various aspects of the information transmission method provided by the embodiments of the present invention may also be implemented in the form of a program product, which includes program code for causing a computer device to execute the steps in the information transmission method according to various exemplary embodiments of the present invention described in this specification, when the program code runs on the computer device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A program product for data forwarding control according to an embodiment of the present invention may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a server device. However, the program product of the present invention is not limited thereto, and in this document, the readable storage medium may be any tangible medium containing or storing the program, which can be used by or in connection with an information transmission, apparatus, or device.
A readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium other than a readable storage medium that can transmit, propagate, or transport the program for use by or in connection with the periodic network action system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C + + or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device.
As shown in fig. 10, the method for information transmission according to the embodiment of the present invention includes:
Optionally, the AUSF generates the encrypted session root key according to the following manner:
and the AUSF performs exclusive OR operation on the encryption information and the session root key to obtain the encryption session root key.
Optionally, the AUSF performs an exclusive or operation on the encrypted information obtained by performing the hash operation on the network information and the session root key, and before obtaining the encrypted session root key, the method further includes:
the AUSF performs Hash operation on network information to obtain the encryption information; or
And the AUSF receives the encrypted information obtained by carrying out hash operation on the network information by the ARPF.
Optionally, the AUSF sends the encrypted session root key to the SEAF, further including:
and the AUSF sends a message authentication code for verifying the integrity of the session root key, the encrypted session root key and the EAP success information to the SEAF.
Optionally, the AUSF generates the message verification code according to the following manner:
and the AUSF generates the message authentication code through a message authentication algorithm according to the session root key, the encrypted session root key and the EAP success information.
Based on the same inventive concept, the embodiment of the present invention further provides an information transmission method, and since the device corresponding to the method is the first network element in the system for performing information transmission in the embodiment of the present invention, and the principle of the method for solving the problem is similar to that of the device, the implementation of the method can refer to the implementation of the system, and repeated details are not repeated.
As shown in fig. 11, the method for information transmission according to the embodiment of the present invention includes:
Optionally, the SEAF decrypts the encrypted session root key according to the received decryption information from the terminal to obtain the session root key, and includes:
and the SEAF carries out XOR operation on the received decryption information from the terminal and the encrypted session root key to obtain the session root key.
Optionally, before the SEAF sends the EAP success information to the terminal, the method further includes:
the SEAF receives a message authentication code, an encrypted session root key and EAP success information sent by the AUSF;
optionally, after the SEAF decrypts the encrypted session root key according to the received decryption information from the terminal to obtain the session root key, the SEAF further includes:
and the SEAF verifies the integrity of the obtained session root key according to the message verification code.
Optionally, the SEAF verifying the integrity of the obtained session root key according to the message verification algorithm includes:
the SEAF generates a message verification code to be verified through a message verification algorithm according to the obtained session root key, the received encrypted session root key and the EAP success information;
optionally, the SEAF determines whether the message authentication code to be authenticated is the same as the received message authentication code, if so, determines that the authentication is passed, otherwise, determines that the authentication is failed.
Based on the same inventive concept, the embodiment of the present invention further provides an information transmission method, and since the device corresponding to the method is the first network element in the system of the method for transmitting information in the embodiment of the present invention, and the principle of the method for solving the problem is similar to that of the device, the implementation of the method can refer to the implementation of the system, and repeated details are not repeated.
As shown in fig. 12, the method for information transmission according to the embodiment of the present invention includes:
Based on the same inventive concept, the embodiment of the present invention further provides an information transmission method, and since the device corresponding to the method is the first network element in the system for performing information transmission in the embodiment of the present invention, and the principle of the method for solving the problem is similar to that of the device, the implementation of the method can refer to the implementation of the system, and repeated details are not repeated.
As shown in fig. 13, the method for information transmission according to the embodiment of the present invention includes:
The embodiment of the invention provides two complete information transmission modes.
As shown in fig. 14, a first information transmission method according to an embodiment of the present invention includes:
step 1401, AUSF sends authentication vector request message AV-Req to ARPF;
step 1404, the SEAF sends an authentication request to the terminal;
step 1405, the terminal responds to the authentication request and sends the authentication request to the SEAF;
As shown in fig. 15, a second information transmission method according to the embodiment of the present invention includes:
step 1501, AUSF sends authentication vector request message AV-Req to ARPF;
step 1504, the SEAF sends an authentication request to the terminal;
step 1505, the terminal responds to the authentication request and sends to the SEAF;
The present application is described above with reference to block diagrams and/or flowchart illustrations of methods, apparatus (systems) and/or computer program products according to embodiments of the application. It will be understood that one block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, and/or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer and/or other programmable data processing apparatus, create means for implementing the functions/acts specified in the block diagrams and/or flowchart block or blocks.
Accordingly, the subject application may also be embodied in hardware and/or in software (including firmware, resident software, micro-code, etc.). Furthermore, the present application may take the form of a computer program product on a computer-usable or computer-readable storage medium having computer-usable or computer-readable program code embodied in the medium for use by or in connection with an instruction execution system. In the context of this application, a computer-usable or computer-readable medium may be any medium that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.
Claims (26)
1. A method for information transmission, the method comprising:
after receiving a successful terminal verification message of a secure anchor point function (SEAF), an AUSF (authentication server function) determines an encrypted session root key, wherein the encrypted session root key is obtained by encrypting the session root key by the AUSF according to encryption information, and the encryption information is obtained according to network information;
the AUSF sends the encrypted session root key and Extensible Authentication Protocol (EAP) success information to the SEAF together so that the SEAF decrypts the encrypted session root key according to received decryption information from a terminal to obtain a session root key, wherein the decryption information is obtained by encrypting the terminal according to network information;
wherein the network information includes part or all of the following information:
integrity check key IK ', ciphering key CK', expected response RES, random number RAND and roaming network name.
2. The method of claim 1, wherein the AUSF generates the encrypted session root key according to:
and the AUSF performs exclusive OR operation on the encryption information and the session root key to obtain the encryption session root key.
3. The method of claim 2, wherein before the AUSF performs an exclusive-or operation on the encrypted information obtained by performing the hash operation on the network information and the session root key to obtain the encrypted session root key, the method further comprises:
the AUSF performs Hash operation on network information to obtain the encryption information; or
And the AUSF receives the encrypted information obtained by carrying out hash operation on network information by the authentication certificate storage and processing function ARPF.
4. The method of claim 1, wherein the AUSF sends the encrypted session root key to a SEAF, further comprising:
and the AUSF sends a message authentication code for verifying the integrity of the session root key, the encrypted session root key and the EAP success information to the SEAF.
5. The method of claim 4, wherein the AUSF generates the message authentication code according to:
and the AUSF generates the message authentication code through a message authentication algorithm according to the session root key, the encrypted session root key and the EAP success information.
6. A method for information transmission, the method comprising:
after the SEAF successfully verifies the terminal, sending a terminal verification success message to the AUSF so that the AUSF can determine an encrypted session root key, wherein the encrypted session root key is obtained by encrypting the session root key by the AUSF according to encryption information, and the encryption information is obtained according to network information;
after receiving the encrypted session root key and the EAP success information sent by the AUSF, the SEAF sends the EAP success information to the terminal;
the SEAF decrypts the encrypted session root key according to the received decryption information from the terminal to obtain a session root key, wherein the decryption information is obtained by encrypting the terminal according to network information;
wherein the network information includes part or all of the following information:
integrity check key IK ', ciphering key CK', expected response RES, random number RAND and roaming network name.
7. The method of claim 6, wherein the SEAF decrypting the encrypted session root key based on decryption information received from the terminal to obtain a session root key comprises:
and the SEAF carries out XOR operation on the received decryption information from the terminal and the encrypted session root key to obtain the session root key.
8. The method of claim 6, wherein before the SEAF sends EAP success information to the terminal, further comprising:
the SEAF receives a message authentication code, an encrypted session root key and EAP success information sent by the AUSF;
after the SEAF decrypts the encrypted session root key according to the received decryption information from the terminal to obtain the session root key, the SEAF further includes:
and the SEAF verifies the integrity of the obtained session root key according to the message verification code.
9. The method of claim 6, wherein the SEAF verifying the integrity of the derived session root key according to the message verification algorithm comprises:
the SEAF generates a message verification code to be verified through a message verification algorithm according to the obtained session root key, the received encrypted session root key and the EAP success information;
and the SEAF judges whether the message verification code to be verified is the same as the received message verification code, if so, the verification is determined to be passed, otherwise, the verification is determined to be failed.
10. A method for information transmission, the method comprising:
the terminal receives EAP success information sent by the SEAF;
the terminal sends decryption information obtained by encrypting according to network information to the SEAF so that the SEAF decrypts the encrypted session root key from the AUSF according to the decryption information; the encrypted session root key is obtained by encrypting the session root key by the AUSF according to encryption information, and the encryption information is obtained according to the network information;
wherein the network information includes part or all of the following information:
integrity check key IK ', ciphering key CK', expected response RES, random number RAND and roaming network name.
11. A method for information transmission, the method comprising:
after receiving an authentication vector request message from the AUSF, the ARPF generates encryption information according to the network information;
the ARPF sends the encryption information to the AUSF, so that the AUSF encrypts a session root key according to the encryption information after receiving a terminal verification success message of a secure anchor point function (SEAF) to obtain an encrypted session root key, and sends the encrypted session root key and Extensible Authentication Protocol (EAP) success information to the SEAF;
wherein the network information includes part or all of the following information:
integrity check key IK ', ciphering key CK', expected response RES, random number RAND and roaming network name.
12. An AUSF device, comprising: at least one processing unit, and at least one memory unit, wherein the memory unit stores program code that, when executed by the processing unit, causes the processing unit to perform the following:
after receiving a message of successful authentication of the SEAF terminal, determining an encrypted session root key, wherein the encrypted session root key is obtained by encrypting according to encryption information, and the encryption information is obtained according to network information; sending the encrypted session root key and the EAP success information to an SEAF (session initiation function) together so that the SEAF decrypts the encrypted session root key according to received decryption information from the terminal to obtain a session root key, wherein the decryption information is obtained by encrypting according to the network information;
wherein the network information includes part or all of the following information:
integrity check key IK ', ciphering key CK', expected response RES, random number RAND and roaming network name.
13. The device of claim 12, wherein the processing unit is specifically configured to generate the encrypted session root key according to:
and the AUSF performs exclusive OR operation on the encryption information and the session root key to obtain the encryption session root key.
14. The device of claim 13, wherein the processing unit is further to:
carrying out XOR operation on encrypted information obtained by carrying out Hash operation on network information and a session root key to obtain the encrypted session root key, and carrying out Hash operation on the network information to obtain the encrypted information; or
And receiving the encryption information obtained by carrying out hash operation on the network information by the ARPF.
15. The device of claim 12, wherein the processing unit is further to:
and sending a message authentication code for verifying the integrity of the session root key, the encrypted session root key and the EAP success information to the SEAF.
16. The device of claim 15, wherein the processing unit is specifically configured to generate the message authentication code according to:
and generating the message authentication code through a message authentication algorithm according to the session root key, the encrypted session root key and the EAP success information.
17. A SEAF device, characterized in that the device comprises: at least one processing unit, and at least one memory unit, wherein the memory unit stores program code that, when executed by the processing unit, causes the processing unit to perform the following:
after the SEAF successfully verifies the terminal, sending a terminal verification success message to the AUSF so that the AUSF can determine an encrypted session root key, wherein the encrypted session root key is obtained by encrypting the session root key by the AUSF according to encryption information, and the encryption information is obtained according to network information;
shallow
After receiving an encrypted session root key and EAP success information sent by the AUSF, sending the EAP success information to the terminal, wherein the encrypted session root key is obtained by encrypting according to network information;
decrypting the encrypted session root key according to the received decryption information from the terminal to obtain a session root key, wherein the decryption information is obtained by encrypting according to network information;
wherein the network information includes part or all of the following information:
integrity check key IK ', ciphering key CK', expected response RES, random number RAND and roaming network name.
18. The device of claim 17, wherein the processing unit is specifically configured to:
and carrying out XOR operation on the received decryption information from the terminal and the encrypted session root key to obtain the session root key.
19. The device of claim 17, wherein the processing unit is further to:
before sending EAP success information to the terminal, receiving a message authentication code, an encrypted session root key and EAP success information sent by the AUSF;
and after the encrypted session root key is decrypted by the received decryption information from the terminal to obtain the session root key, verifying the integrity of the obtained session root key according to the message verification code.
20. The device of claim 17, wherein the processing unit is to:
generating a message verification code to be verified through a message verification algorithm according to the obtained session root key, the received encrypted session root key and the EAP success information;
and judging whether the message verification code to be verified is the same as the received message verification code, if so, determining that the verification is passed, otherwise, determining that the verification fails.
21. A terminal device, characterized in that the device comprises: at least one processing unit, and at least one memory unit, wherein the memory unit stores program code that, when executed by the processing unit, causes the processing unit to perform the following:
receiving EAP success information sent by the SEAF; sending decryption information obtained by encrypting according to network information to the SEAF so that the SEAF decrypts the received encrypted session root key from the AUSF according to the decryption information; the encrypted session root key is obtained by encrypting the session root key by the AUSF according to encryption information, and the encryption information is obtained according to the network information;
wherein the network information includes part or all of the following information:
integrity check key IK ', ciphering key CK', expected response RES, random number RAND and roaming network name.
22. An ARPF device, comprising: at least one processing unit, and at least one memory unit, wherein the memory unit stores program code that, when executed by the processing unit, causes the processing unit to perform the following:
after receiving an authentication vector request message from an AUSF (autonomous Underwater System), generating encryption information according to network information, and sending the encryption information to the AUSF, so that after the AUSF receives a terminal verification success message of a secure anchor point function (SEAF), a session root key is encrypted according to the encryption information to obtain an encrypted session root key, and the encrypted session root key and Extensible Authentication Protocol (EAP) success information are sent to the SEAF together;
wherein the network information includes part or all of the following information:
integrity check key IK ', ciphering key CK', expected response RES, random number RAND and roaming network name.
23. An AUSF device, comprising:
the first receiving module is used for receiving a terminal verification success message of the SEAF;
a first execution module, configured to determine an encrypted session root key, where the encrypted session root key is obtained by encrypting, by the AUSF, a session root key according to encryption information, and the encryption information is obtained according to network information;
a first sending module, configured to send the encrypted session root key and EAP success information together to an SEAF, so that the SEAF decrypts the encrypted session root key according to received decryption information from a terminal to obtain a session root key, where the decryption information is obtained by encrypting, by the terminal, according to network information;
wherein the network information includes part or all of the following information:
integrity check key IK ', ciphering key CK', expected response RES, random number RAND and roaming network name.
24. A SEAF device, characterized in that the device comprises:
the second receiving module is used for receiving the encrypted session root key and the EAP success information sent by the AUSF; the encrypted session root key is obtained by encrypting the session root key by the AUSF according to encryption information, and the encryption information is obtained according to network information;
the second execution module is used for decrypting the encrypted session root key according to the received decryption information from the terminal to obtain a session root key, wherein the decryption information is obtained by encrypting the terminal according to network information;
a second sending module, configured to send the EAP success information to the terminal;
wherein the network information includes part or all of the following information:
integrity check key IK ', ciphering key CK', expected response RES, random number RAND and roaming network name.
25. A terminal device, characterized in that the device comprises:
a third receiving module, configured to receive EAP success information sent by the SEAF;
the third execution module is used for carrying out encryption according to the network information to obtain decryption information;
a third sending module, configured to send decryption information obtained by encrypting according to network information to an SEAF, so that the SEAF decrypts a received encrypted session root key from the AUSF according to the decryption information; the encrypted session root key is obtained by encrypting the session root key by the AUSF according to encryption information, and the encryption information is obtained according to the network information;
wherein the network information includes part or all of the following information:
integrity check key IK ', ciphering key CK', expected response RES, random number RAND and roaming network name.
26. An ARPF device, comprising:
a fourth receiving module, configured to receive an authentication vector request message from the AUSF;
the fourth execution module is used for generating encryption information according to the network information;
a fourth sending module, configured to send encryption information generated according to network information to the AUSF, so that after receiving a terminal verification success message of the security anchor point function SEAF, the AUSF encrypts a session root key according to the encryption information to obtain an encrypted session root key, and sends the encrypted session root key and an extensible authentication protocol EAP success message together to the SEAF;
wherein the network information includes part or all of the following information:
integrity check key IK ', ciphering key CK', expected response RES, random number RAND and roaming network name.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710624654.5A CN109309648B (en) | 2017-07-27 | 2017-07-27 | Information transmission method and equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710624654.5A CN109309648B (en) | 2017-07-27 | 2017-07-27 | Information transmission method and equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109309648A CN109309648A (en) | 2019-02-05 |
CN109309648B true CN109309648B (en) | 2021-06-04 |
Family
ID=65202281
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710624654.5A Active CN109309648B (en) | 2017-07-27 | 2017-07-27 | Information transmission method and equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109309648B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109309566B (en) * | 2017-07-28 | 2021-06-08 | 中国移动通信有限公司研究院 | Authentication method, device, system, equipment and storage medium |
CN112399412B (en) * | 2019-08-19 | 2023-03-21 | 阿里巴巴集团控股有限公司 | Session establishment method and device, and communication system |
CN113141327B (en) * | 2020-01-02 | 2023-05-09 | 中国移动通信有限公司研究院 | Information processing method, device and equipment |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101179570A (en) * | 2007-06-05 | 2008-05-14 | 中兴通讯股份有限公司 | Method for binding link layer information based on network access authentication information carrying protocol |
-
2017
- 2017-07-27 CN CN201710624654.5A patent/CN109309648B/en active Active
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101179570A (en) * | 2007-06-05 | 2008-05-14 | 中兴通讯股份有限公司 | Method for binding link layer information based on network access authentication information carrying protocol |
Non-Patent Citations (5)
Title |
---|
"Authentication procedure for EAP-AKA’";Nokia;《3GPP TSG SA WG3 (Security) Meeting #87》;20170519;第6.1节 * |
"Authentication procedure for EPS AKA* - possible variant";Nokia;《3GPP TSG SA WG3 (Security) Meeting #87》;20170519;全文 * |
"Nokia comments on Alternative EAP proposal for 3GPP access (S3-161432 by Qualcomm Incorporated)";Nokia;《3GPP TSG SA WG3 (Security) Adhoc Meeting on FS_NSA》;20161229;全文 * |
"pCR solution to Key Issue # 3.1 Interception of radio interface keys sent between operator entities";Qualcomm Incorporated;《3GPP TSG SA WG3 (Security) Meeting #85》;20161111;全文 * |
Qualcomm Incorporated."pCR solution to Key Issue # 3.1 Interception of radio interface keys sent between operator entities".《3GPP TSG SA WG3 (Security) Meeting #85》.2016, * |
Also Published As
Publication number | Publication date |
---|---|
CN109309648A (en) | 2019-02-05 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110380852B (en) | Bidirectional authentication method and communication system | |
CN106603485B (en) | Key agreement method and device | |
EP3350958B1 (en) | Method and system for session key generation with diffie-hellman procedure | |
US8644515B2 (en) | Display authenticated security association | |
CN107295011B (en) | Webpage security authentication method and device | |
WO2019020051A1 (en) | Method and apparatus for security authentication | |
WO2015192670A1 (en) | User identity authentication method, terminal and service terminal | |
JP2018509117A (en) | Method, apparatus and system for identity authentication | |
CN108509787B (en) | Program authentication method | |
CN107820239B (en) | Information processing method and device | |
CN108809903B (en) | Authentication method, device and system | |
JP7192122B2 (en) | Systems and methods for authenticating connections between user devices and vehicles | |
CN110635901B (en) | Local Bluetooth dynamic authentication method and system for Internet of things equipment | |
CN105391734A (en) | Secure login system, secure login method, login server and authentication server | |
CN108599926B (en) | HTTP-Digest improved AKA identity authentication system and method based on symmetric key pool | |
WO2016054905A1 (en) | Method for processing data | |
WO2018046017A1 (en) | Information processing method, device, electronic equipment and computer storage medium | |
CN111435913A (en) | Identity authentication method and device for terminal of Internet of things and storage medium | |
CN109309648B (en) | Information transmission method and equipment | |
CN111541716A (en) | Data transmission method and related device | |
CN111224784B (en) | Role separation distributed authentication and authorization method based on hardware trusted root | |
CN110493177B (en) | Method and system for quantum communication service station AKA key negotiation based on asymmetric key pool pair and serial number | |
CN110838919A (en) | Communication method, storage method, operation method and device | |
CN106992866A (en) | It is a kind of based on wireless network access methods of the NFC without certificate verification | |
CN112487380A (en) | Data interaction method, device, equipment and medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |