CN110933670A - Security USIM card for realizing main authentication enhancement and main authentication method of terminal - Google Patents

Security USIM card for realizing main authentication enhancement and main authentication method of terminal Download PDF

Info

Publication number
CN110933670A
CN110933670A CN201911193300.5A CN201911193300A CN110933670A CN 110933670 A CN110933670 A CN 110933670A CN 201911193300 A CN201911193300 A CN 201911193300A CN 110933670 A CN110933670 A CN 110933670A
Authority
CN
China
Prior art keywords
authentication
terminal
imsi
processing module
network side
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911193300.5A
Other languages
Chinese (zh)
Inventor
蒋曲明
王志红
邬亮
何明
兰天
王俊
张力
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chu Tianlong Co Ltd
CETC 30 Research Institute
China Mobile Chengdu ICT Co Ltd
Original Assignee
Chu Tianlong Co Ltd
CETC 30 Research Institute
China Mobile Chengdu ICT Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chu Tianlong Co Ltd, CETC 30 Research Institute, China Mobile Chengdu ICT Co Ltd filed Critical Chu Tianlong Co Ltd
Priority to CN201911193300.5A priority Critical patent/CN110933670A/en
Publication of CN110933670A publication Critical patent/CN110933670A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03Protecting confidentiality, e.g. by encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041Key generation or derivation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0433Key management protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/069Authentication using certificates or pre-shared keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/40Security arrangements using identity modules

Abstract

The invention discloses a main authentication method of a safety USIM card and a terminal for realizing the enhancement of main authentication, which comprises the following steps: the SUCI processing module calls a special algorithm coprocessor to encrypt the currently activated IMSI into a ciphertext and sends the ciphertext to a network side through a terminal, so that the network side issues an authentication vector to the terminal; the main authentication algorithm processing module calls the IMSI analysis processing and replacing module to dynamically update the IMSI, and calls the special algorithm coprocessor to calculate the authentication RES, and the authentication RES is sent to the network side through the terminal, and the network side determines whether the authentication passes or not. The invention adopts cipher text SUCI to replace plaintext SUPI, so that IMSI carries out cipher text transmission on an empty port, identity information of a user is ensured not to be leaked, and the processing processes of the secret key storage and signature verification of SUCI are completed in the USIM card, thus having higher safety and flexibility; in the main authentication process, the IMSI is dynamically changed and is not easy to be maliciously tracked, and the main authentication algorithm can adopt different grouping algorithms according to application scenes and industries so as to be convenient for distinguishing different users.

Description

Security USIM card for realizing main authentication enhancement and main authentication method of terminal
Technical Field
The embodiment of the invention relates to the technical field of communication security, in particular to a security USIM card for realizing the enhancement of main authentication and a main authentication method of a terminal.
Background
The development of internet technology has gone through the evolution process from fixed networks, wired internet, wireless internet, to mobile internet. The mobile internet has higher convenience, and is now an important network access way for personal users and enterprise users.
At present, different industries have different security requirements for access networks, and some enterprises have requirements for security private networks. Although the wired internet and the fixed network can be satisfied by independently establishing a private network in a private line pulling mode, in the mode, enterprise personnel can access the office only in a place covered by the wired private network, the flexibility is poor, and the development pace of the mobile internet cannot be kept up with obviously. Although the existing 2G, 3G or 4G mobile network can encrypt the application layer data transmitted in the mobile network, the existing 2G, 3G or 4G mobile network is not a private network in a strict sense in practice and is not high in safety; in the 4G network, when a user who wants to access the 4G network is authenticated, the IMSI (International Mobile subscriber identity) is transmitted in clear text in the air interface, which may cause leakage of user privacy information (such as identity, location, phone number, etc.). Later, with the popularization and application of the 5G technology, people find that the slicing technology of the 5G network can provide support of an industry safety private network for the vertical industry in the mobile internet, and can meet industry-specific safety requirements in the aspects of authentication, access control, privacy protection, cryptography, safe network management and the like. However, even if a method of encrypting a SUbscription Permanent Identifier (SUPI) to obtain a SUbscription hidden identity Identifier (SUCI) has been adopted in 5G to avoid clear text transmission of the air interface of the IMSI and ensure that the identity information of the private network user is not leaked on the air interface, the security and flexibility are poor because the key and operation of the SUCI algorithm in the prior art are completed by terminal software. In addition, a main authentication algorithm f1-f5 used for network login authentication in the prior art fixedly adopts an AES algorithm and is unchangeable; the IMSI is also fixed and invariant, and is relatively easy to be maliciously tracked.
Disclosure of Invention
The invention provides a security USIM card for realizing main authentication enhancement and a main authentication method of a terminal, aiming at solving the defects of the prior art.
In order to achieve the above purpose, the present invention provides the following technical solutions:
in a first aspect, an embodiment of the present invention provides a secure USIM card for implementing a master authentication enhancement, including a SUCI processing module, an IMSI parsing and replacing module, a master authentication algorithm processing module, and a dedicated algorithm coprocessor;
the SUCI processing module is used for reading the currently activated IMSI and calling the special algorithm coprocessor after a terminal sends a registration request to a network side;
the special algorithm coprocessor is used for encrypting the currently activated IMSI into a ciphertext;
the SUCI processing module is further configured to return response data including the ciphertext to the terminal (including but not limited to a mobile phone, a tablet computer, an Internet of things terminal device, and the like), and send the response data to a network side through the terminal, so that the network side issues an authentication vector to the terminal;
the main authentication algorithm processing module is used for calling the IMSI analysis processing and replacing module and the special algorithm coprocessor after the terminal receives the authentication vector;
the IMSI analyzing and replacing module is used for analyzing a new IMSI from the authentication vector and replacing the original IMSI with the new IMSI to form the currently activated IMSI;
the special algorithm coprocessor is also used for selecting a matched encryption algorithm according to the industry or application scene of the terminal and calculating authentication RES by combining the authentication vector;
the main authentication algorithm processing module is further configured to return the authentication RES to the terminal, send the authentication RES to the network side through the terminal, and determine whether the authentication passes through by the network side.
Further, in the security USIM card for implementing the enhanced master authentication, the security USIM card stores a preset authentication key K.
Further, in the security USIM card for implementing the enhancement of the master authentication, the security USIM card stores a home network public key certificate which is preset or issued through an OTA.
In a second aspect, an embodiment of the present invention provides a method for authenticating a terminal, where the method is implemented by a USIM card implementing enhanced master authentication according to the first aspect, and the method includes:
after a terminal sends a registration request to a network side, the SUCI processing module reads the currently activated IMSI and calls the special algorithm coprocessor to encrypt the currently activated IMSI into a ciphertext;
the SUCI processing module returns response data containing the ciphertext to the terminal and sends the response data to a network side through the terminal, so that the network side issues an authentication vector to the terminal;
after the terminal receives the authentication vector, the main authentication algorithm processing module calls the IMSI analysis processing and replacing module to analyze a new IMSI from the authentication vector, and replaces the original IMSI with the new IMSI to become the currently activated IMSI;
the main authentication algorithm processing module calls the special algorithm coprocessor to select a matched encryption algorithm according to the industry or application scene where the terminal is located, and calculates authentication RES by combining the authentication vector;
and the main authentication algorithm processing module returns the authentication RES to the terminal, the authentication RES is sent to the network side through the terminal, and the network side determines whether the authentication passes or not.
Further, in the main authentication method of the terminal, after the terminal sends a registration request to the network side, the SUCI processing module reads the currently activated IMSI and invokes the dedicated algorithm coprocessor to encrypt the currently activated IMSI into a ciphertext includes:
after a terminal sends a registration request to a network side, the SUCI processing module reads the currently activated IMSI and intercepts MSIN (Mobile Subscriber identity Number) in the IMSI as SUPI;
the SUCI processing module inquires whether an activated USIM card public and private key pair exists; the USIM card public and private key pair comprises a USIM card public key and a USIM card private key;
if the USIM card public and private key pair does not exist, the SUCI processing module calls the special algorithm coprocessor to generate the USIM card public and private key pair of a special asymmetric algorithm, and returns to the step that the SUCI processing module inquires whether the activated USIM card public and private key pair exists or not;
if the encryption key and the MAC key exist, the SUCI processing module uses a public key in a preset or home network public key certificate and the USIM card private key as input, calls the special algorithm coprocessor to form a share key, and further obtains the encryption key and the MAC key;
the SUCI processing module calls the special algorithm coprocessor to encrypt the SUPI according to the encryption key to obtain SUCI;
and the SUCI processing module calls the special algorithm coprocessor to perform MAC operation on the SUCI according to the MAC key to obtain an MAC value.
Further, in the main authentication method of the terminal, the SUCI processing module returns response data including the ciphertext to the terminal, and sends the response data to the network side through the terminal, so that the step of issuing an authentication vector to the terminal by the network side is specifically;
the SUCI processing module combines the USIM card public key, the SUCI and the MAC value into response data to be returned to the terminal, and the response data is sent to a network side through the terminal, so that the network side issues an authentication vector to the terminal;
wherein the Authentication vector includes RAND (Random Challenge) and AUTN (Authentication Token).
Further, in the master authentication method of the terminal, after the terminal receives the authentication vector, the master authentication algorithm processing module invokes the IMSI parsing processing and replacing module to parse a new IMSI from the authentication vector, and the step of replacing the original IMSI with the new IMSI to become the currently activated IMSI specifically includes:
after the terminal receives the authentication vector, the main authentication algorithm processing module calls the IMSI analysis processing and replacing module to analyze a new IMSI and a replacement mark from the RAND, and replaces the original IMSI with the new IMSI to become the currently activated IMSI according to the replacement mark.
Further, in the main authentication method of the terminal, the step of calling the dedicated algorithm coprocessor to select a matched encryption algorithm according to the industry or application scene where the terminal is located by the main authentication algorithm processing module and calculating the authentication RES by combining the authentication vector specifically includes:
and the main authentication algorithm processing module uses a preset authentication key K and the RAND as input, calls the special algorithm coprocessor to select matched F1-F5 functions according to the industry or application scene where the terminal is located, and calculates authentication RES.
Further, in the master authentication method of the terminal, the step of returning the authentication RES to the terminal by the master authentication algorithm processing module, sending the authentication RES to the network side through the terminal, and the step of determining whether the authentication passes by the network side specifically includes:
and the main authentication algorithm processing module returns the authentication RES to the terminal, the authentication RES is sent to the network side through the terminal, the network side judges whether the authentication RES is equal to an expected response XRES stored by the network side, if so, the authentication is passed, otherwise, the authentication is failed.
Compared with the prior art, the invention has the following beneficial effects:
1. cipher text SUCI is adopted to replace plaintext SUPI, so that the IMSI carries out cipher text transmission on the empty port, the identity information of a user is ensured not to be leaked on the empty port, the processing processes of key storage and signature verification of the SUCI are completed in the USIM card, and the safety and flexibility are higher than those of the terminal realized by software, and the customization requirements of different application scenes of different industries can be realized only by replacing different USIM cards or calling different algorithm engines in the USIM card without replacing the terminal, so that the requirement of high safety of the vertical industry can be met;
2. the main authentication algorithm can adopt different grouping algorithms according to application scenes and industries, so that different users can be distinguished conveniently, such as private network users and public network users;
3. and the new IMSI is dynamically issued in the main authentication process, and the SUCI operation is performed by using the new IMSI when the authentication is performed on the network next time, so that the dynamically changed IMSI is beneficial to the privacy protection of the user, and other people cannot position and track the user through the IMSI.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without inventive exercise.
Fig. 1 is a schematic structural diagram of a secure USIM card implementing master authentication enhancement according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating a main authentication method of a terminal according to a second embodiment of the present invention.
Reference numerals:
the device comprises a SUCI processing module 1, an IMSI analyzing processing and replacing module 2, a main authentication algorithm processing module 3 and a special algorithm coprocessor 4.
Detailed Description
In order to make the objects, features and advantages of the present invention more obvious and understandable, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the embodiments described below are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the description of the present invention, it is to be understood that when an element is referred to as being "connected" to another element, it can be directly connected to the other element or intervening elements may also be present. When a component is referred to as being "disposed on" another component, it can be directly on the other component or intervening components may also be present.
Furthermore, the terms "long", "short", "inner", "outer", and the like indicate orientations or positional relationships based on those shown in the drawings, and are only for convenience of describing the present invention, but do not indicate or imply that the referred devices or elements must have the specific orientations, be configured to operate in the specific orientations, and thus are not to be construed as limitations of the present invention.
The technical scheme of the invention is further explained by the specific implementation mode in combination with the attached drawings.
Example one
Referring to fig. 1, an embodiment of the present invention provides a security USIM card for implementing a main authentication enhancement, including a SUCI processing module 1, an IMSI parsing processing and replacing module 2, a main authentication algorithm processing module 3, and a dedicated algorithm coprocessor 4;
the SUCI processing module 1 is used for reading the currently activated IMSI and calling the special algorithm coprocessor 4 after a terminal sends a registration request to a network side;
the special algorithm coprocessor 4 is used for encrypting the currently activated IMSI into a ciphertext;
the SUCI processing module 1 is further configured to return response data including the ciphertext to the terminal, and send the response data to a network side through the terminal, so that the network side issues an authentication vector to the terminal;
the main authentication algorithm processing module 3 is used for calling the IMSI analysis processing and replacing module 2 and the special algorithm coprocessor 4 after the terminal receives the authentication vector;
the IMSI analyzing and replacing module 2 is used for analyzing a new IMSI from the authentication vector and replacing the original IMSI with the new IMSI to form the currently activated IMSI;
the special algorithm coprocessor 4 is also used for selecting a matched encryption algorithm according to the industry or application scene of the terminal and calculating authentication RES by combining the authentication vector;
the main authentication algorithm processing module 3 is further configured to return the authentication RES to the terminal, send the authentication RES to the network side through the terminal, and determine whether the authentication passes through by the network side.
Preferably, the secure USIM card stores a preset authentication key K.
Preferably, the secure USIM card stores a home network public key certificate which is preset or issued through OTA.
It should be noted that the dedicated algorithm coprocessor 4 may be integrated in the secure USIM card, or may be an industry-specific secure chip and sealed as a dual chip with the secure USIM card.
According to the safe USIM card for realizing the enhancement of the master authentication, the cipher text SUCI is adopted to replace the plaintext SUPI, so that the IMSI carries out cipher text transmission on an empty port, the identity information of a user is ensured not to be leaked on the empty port, the processing processes of the secret key storage and signature verification of the SUCI are completed in the USIM card, and the USIM card has higher safety and flexibility than the USIM card realized by software in a terminal; in the main authentication process, the IMSI is dynamically changed and is not easy to be maliciously tracked, and the main authentication algorithm can adopt different grouping algorithms according to application scenes and industries so as to be convenient for distinguishing different users.
Example two
Referring to fig. 2, an embodiment of the present invention provides a method for authenticating a terminal, which is implemented by a USIM card for implementing enhanced master authentication according to the first embodiment, where the method specifically includes the following steps:
s201, after a terminal sends a registration request to a network side, the SUCI processing module reads the currently activated IMSI and calls the special algorithm coprocessor to encrypt the currently activated IMSI into a cipher text.
Specifically, the step S201 further includes:
when a terminal sends a registration request to a network side, the terminal sends a get identity instruction to a USIM card, and the SUCI processing module reads the currently activated IMSI and intercepts the MSIN in the IMSI as SUPI;
the SUCI processing module inquires whether an activated USIM card public and private key pair exists; the USIM card public and private key pair comprises a USIM card public key and a USIM card private key;
if the USIM card public and private key pair does not exist, the SUCI processing module calls the special algorithm coprocessor to generate the USIM card public and private key pair of a special asymmetric algorithm, and returns to the step that the SUCI processing module inquires whether the activated USIM card public and private key pair exists or not; the special asymmetric algorithm can be ECC/ECDH/ECDSA, SM2, Elgamal and other industry-customized asymmetric algorithms.
If the encryption key and the MAC key exist, the SUCI processing module uses a public key in a preset or home network public key certificate and the USIM card private key as input, calls the special algorithm coprocessor to form a share key, and further obtains the encryption key and the MAC key;
the SUCI processing module calls the special algorithm coprocessor to encrypt the SUPI according to the encryption key to obtain SUCI;
and the SUCI processing module calls the special algorithm coprocessor to perform MAC operation on the SUCI according to the MAC key to obtain an MAC value.
And S202, the SUCI processing module returns response data containing the ciphertext to the terminal and sends the response data to a network side through the terminal, so that the network side issues an authentication vector to the terminal.
Specifically, the step S202 further includes:
the SUCI processing module combines the USIM card public key, the SUCI and the MAC value into response data to be returned to the terminal, the response data is sent to a network side through the terminal, the network side is enabled to send an authentication vector to the terminal, and the terminal sends the authentication vector to the secure USIM card through an AUTHENTICATE instruction;
wherein the authentication vector comprises RAND and AUTN.
And S203, after the terminal receives the authentication vector, the main authentication algorithm processing module calls the IMSI analysis processing and replacing module to analyze a new IMSI from the authentication vector, and replaces the original IMSI with the new IMSI to obtain the currently activated IMSI.
Specifically, the step S203 further includes:
after the terminal receives the authentication vector, the main authentication algorithm processing module calls the IMSI analysis processing and replacing module to analyze a new IMSI and a replacement mark from the RAND, and replaces the original IMSI with the new IMSI to become the currently activated IMSI according to the replacement mark.
And S204, the main authentication algorithm processing module calls the special algorithm coprocessor to select a matched encryption algorithm according to the industry or application scene where the terminal is located, and calculates authentication RES by combining the authentication vector.
Specifically, the step S204 further includes:
and the main authentication algorithm processing module uses a preset authentication key K and the RAND as input, calls the special algorithm coprocessor to select matched F1-F5 functions according to the industry or application scene where the terminal is located, and calculates authentication RES.
The F1-F5 functions may adopt various block encryption algorithms, such as AES, SM4, 3DES, and block encryption algorithms customized by other industries, according to different industries and different application scenarios. The selection rules for calling the F1-F5 functions are as follows: let N (N < ═ 256) of the optional grouping algorithms, M is the label of the finally selected grouping algorithm, and M is mod (RAND, N).
S205, the main authentication algorithm processing module returns the authentication RES to the terminal, the authentication RES is sent to the network side through the terminal, and the network side determines whether the authentication passes or not.
Specifically, the step S205 further includes:
and the main authentication algorithm processing module returns the authentication RES to the terminal, the authentication RES is sent to the network side through the terminal, the network side judges whether the authentication RES is equal to an expected response XRES stored by the network side, if so, the authentication is passed, otherwise, the authentication is failed.
In the master authentication method for the terminal provided by the embodiment of the invention, ciphertext SUCI is adopted to replace plaintext SUPI, so that IMSI performs ciphertext transmission on an empty port, identity information of a user is ensured not to be leaked on the empty port, and the processing processes of SUCI key storage and signature verification are completed in a USIM card, so that the master authentication method has higher safety and flexibility than the method realized by software in the terminal; in the main authentication process, the IMSI is dynamically changed and is not easy to be maliciously tracked, and the main authentication algorithm can adopt different grouping algorithms according to application scenes and industries so as to be convenient for distinguishing different users.
The above embodiments are merely to illustrate the technical solutions of the present invention, and not to limit the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (9)

1. A security USIM card for realizing the enhancement of main authentication is characterized by comprising an SUCI processing module, an IMSI analysis processing and replacing module, a main authentication algorithm processing module and a special algorithm coprocessor;
the SUCI processing module is used for reading the currently activated IMSI and calling the special algorithm coprocessor after a terminal sends a registration request to a network side;
the special algorithm coprocessor is used for encrypting the currently activated IMSI into a ciphertext;
the SUCI processing module is also used for returning response data containing the ciphertext to the terminal and sending the response data to a network side through the terminal so that the network side issues an authentication vector to the terminal;
the main authentication algorithm processing module is used for calling the IMSI analysis processing and replacing module and the special algorithm coprocessor after the terminal receives the authentication vector;
the IMSI analyzing and replacing module is used for analyzing a new IMSI from the authentication vector and replacing the original IMSI with the new IMSI to form the currently activated IMSI;
the special algorithm coprocessor is also used for selecting a matched encryption algorithm according to the industry or application scene of the terminal and calculating authentication RES by combining the authentication vector;
the main authentication algorithm processing module is further configured to return the authentication RES to the terminal, send the authentication RES to the network side through the terminal, and determine whether the authentication passes through by the network side.
2. The USIM card with enhanced master authentication as claimed in claim 1, wherein the USIM card stores a preset authentication key K.
3. The USIM card with enhanced master authentication as claimed in claim 1, wherein the USIM card stores a home network public key certificate that is pre-set or issued OTA.
4. A method for performing master authentication of a terminal, wherein the method is implemented by a security USIM card for performing master authentication enhancement according to any one of claims 1 to 3, the method comprising:
after a terminal sends a registration request to a network side, the SUCI processing module reads the currently activated IMSI and calls the special algorithm coprocessor to encrypt the currently activated IMSI into a ciphertext;
the SUCI processing module returns response data containing the ciphertext to the terminal and sends the response data to a network side through the terminal, so that the network side issues an authentication vector to the terminal;
after the terminal receives the authentication vector, the main authentication algorithm processing module calls the IMSI analysis processing and replacing module to analyze a new IMSI from the authentication vector, and replaces the original IMSI with the new IMSI to become the currently activated IMSI;
the main authentication algorithm processing module calls the special algorithm coprocessor to select a matched encryption algorithm according to the industry or application scene where the terminal is located, and calculates authentication RES by combining the authentication vector;
and the main authentication algorithm processing module returns the authentication RES to the terminal, the authentication RES is sent to the network side through the terminal, and the network side determines whether the authentication passes or not.
5. The main authentication method of the terminal according to claim 4, wherein after the terminal sends a registration request to the network side, the SUCI processing module reads the currently activated IMSI and invokes the dedicated algorithm coprocessor to encrypt the currently activated IMSI into a ciphertext, comprising:
after a terminal sends a registration request to a network side, the SUCI processing module reads the currently activated IMSI and intercepts MSIN in the IMSI as SUPI;
the SUCI processing module inquires whether an activated USIM card public and private key pair exists; the USIM card public and private key pair comprises a USIM card public key and a USIM card private key;
if the USIM card public and private key pair does not exist, the SUCI processing module calls the special algorithm coprocessor to generate the USIM card public and private key pair of a special asymmetric algorithm, and returns to the step that the SUCI processing module inquires whether the activated USIM card public and private key pair exists or not;
if the encryption key and the MAC key exist, the SUCI processing module uses a public key in a preset or home network public key certificate and the USIM card private key as input, calls the special algorithm coprocessor to form a share key, and further obtains the encryption key and the MAC key;
the SUCI processing module calls the special algorithm coprocessor to encrypt the SUPI according to the encryption key to obtain SUCI;
and the SUCI processing module calls the special algorithm coprocessor to perform MAC operation on the SUCI according to the MAC key to obtain an MAC value.
6. The main authentication method of a terminal according to claim 5, wherein the SUCI processing module returns response data including the ciphertext to the terminal, and sends the response data to a network side through the terminal, so that the step of issuing an authentication vector to the terminal by the network side is specifically;
the SUCI processing module combines the USIM card public key, the SUCI and the MAC value into response data to be returned to the terminal, and the response data is sent to a network side through the terminal, so that the network side issues an authentication vector to the terminal;
wherein the authentication vector comprises RAND and AUTN.
7. The method according to claim 6, wherein after the terminal receives the authentication vector, the primary authentication algorithm processing module invokes the IMSI parsing and replacing module to parse a new IMSI from the authentication vector, and the step of replacing the original IMSI with the new IMSI to obtain the currently activated IMSI specifically comprises:
after the terminal receives the authentication vector, the main authentication algorithm processing module calls the IMSI analysis processing and replacing module to analyze a new IMSI and a replacement mark from the RAND, and replaces the original IMSI with the new IMSI to become the currently activated IMSI according to the replacement mark.
8. The main authentication method of the terminal according to claim 7, wherein the main authentication algorithm processing module invokes the dedicated algorithm coprocessor to select a matched encryption algorithm according to an industry or an application scenario in which the terminal is located, and the step of calculating the authentication RES in combination with the authentication vector specifically comprises:
and the main authentication algorithm processing module uses a preset authentication key K and the RAND as input, calls the special algorithm coprocessor to select matched F1-F5 functions according to the industry or application scene where the terminal is located, and calculates authentication RES.
9. The primary authentication method of the terminal according to claim 8, wherein the primary authentication algorithm processing module returns the authentication RES to the terminal, and sends the authentication RES to the network side through the terminal, and the step of determining whether the authentication is passed or not by the network side specifically includes:
and the main authentication algorithm processing module returns the authentication RES to the terminal, the authentication RES is sent to the network side through the terminal, the network side judges whether the authentication RES is equal to an expected response XRES stored by the network side, if so, the authentication is passed, otherwise, the authentication is failed.
CN201911193300.5A 2019-11-28 2019-11-28 Security USIM card for realizing main authentication enhancement and main authentication method of terminal Pending CN110933670A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911193300.5A CN110933670A (en) 2019-11-28 2019-11-28 Security USIM card for realizing main authentication enhancement and main authentication method of terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911193300.5A CN110933670A (en) 2019-11-28 2019-11-28 Security USIM card for realizing main authentication enhancement and main authentication method of terminal

Publications (1)

Publication Number Publication Date
CN110933670A true CN110933670A (en) 2020-03-27

Family

ID=69846838

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911193300.5A Pending CN110933670A (en) 2019-11-28 2019-11-28 Security USIM card for realizing main authentication enhancement and main authentication method of terminal

Country Status (1)

Country Link
CN (1) CN110933670A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111770496A (en) * 2020-06-30 2020-10-13 中国联合网络通信集团有限公司 5G-AKA authentication method, unified data management network element and user equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101216899A (en) * 2008-01-14 2008-07-09 上海复旦微电子股份有限公司 SIM card chip compatible with non-contact logic encryption card
CN101808313A (en) * 2010-03-09 2010-08-18 华为技术有限公司 Method for acquiring TMSI (Temporary Mobile Subscriber Identity), mobile station, home location register and communication system
CN109803251A (en) * 2017-11-16 2019-05-24 诺基亚技术有限公司 Method and apparatus for the privacy management entity selection in communication system
CN109842877A (en) * 2019-04-09 2019-06-04 中国电子科技集团公司第三十研究所 A method of realizing that IMSI changes function in SIM card

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101216899A (en) * 2008-01-14 2008-07-09 上海复旦微电子股份有限公司 SIM card chip compatible with non-contact logic encryption card
CN101808313A (en) * 2010-03-09 2010-08-18 华为技术有限公司 Method for acquiring TMSI (Temporary Mobile Subscriber Identity), mobile station, home location register and communication system
CN109803251A (en) * 2017-11-16 2019-05-24 诺基亚技术有限公司 Method and apparatus for the privacy management entity selection in communication system
CN109842877A (en) * 2019-04-09 2019-06-04 中国电子科技集团公司第三十研究所 A method of realizing that IMSI changes function in SIM card

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111770496A (en) * 2020-06-30 2020-10-13 中国联合网络通信集团有限公司 5G-AKA authentication method, unified data management network element and user equipment
CN111770496B (en) * 2020-06-30 2022-08-02 中国联合网络通信集团有限公司 5G-AKA authentication method, unified data management network element and user equipment

Similar Documents

Publication Publication Date Title
US10848970B2 (en) Network authentication method, and related device and system
CN111669276B (en) Network verification method, device and system
KR101438243B1 (en) Sim based authentication
CN104205891B (en) Virtual SIM card cloud platform
US9432349B2 (en) Service access authentication method and system
KR101485230B1 (en) Secure multi-uim authentication and key exchange
CN109561430A (en) A kind of implementation method and equipment of public network user access private network
Fan et al. Cross-network-slice authentication scheme for the 5 th generation mobile communication system
CN110417797A (en) Authenticate the method and device of user
KR20210014669A (en) Communication method and communication device
WO2021036292A1 (en) Identity authentication method and apparatus
CN102318386A (en) Service-based authentication to a network
CN101163003A (en) System and method for authenticating network for terminal when SIM card use UMTS terminal and UMTS system
US20190007835A1 (en) Profile installation based on privilege level
CN108012266A (en) A kind of data transmission method and relevant device
US20210258174A1 (en) Secure cryptoprocessor
CN110475247A (en) Message treatment method and device
Lee et al. An efficient authentication protocol for mobile communications
US10652746B2 (en) Secure device access token
CN110933670A (en) Security USIM card for realizing main authentication enhancement and main authentication method of terminal
CN102202291B (en) Card-free terminal, service access method and system thereof, terminal with card and bootstrapping server function (BSF)
CA2783570C (en) Smart card security feature profile in home subscriber server
KR101181558B1 (en) Anonymous Authentication Method For Mobile Satellite Communication Systems
CN108513289A (en) A kind of processing method of terminal iidentification, device and relevant device
Fan et al. An efficient secure handover scheme supporting cross-network slicing for multi-operator environments

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200327

RJ01 Rejection of invention patent application after publication