CN110996322B - Method for realizing secondary authentication of terminal - Google Patents

Method for realizing secondary authentication of terminal

Info

Publication number: CN110996322B
Authority: CN (China)
Prior art keywords: secondary authentication, terminal, module, AAA server, response
Legal status: Active
Application number: CN201911194960.5A
Other languages: Chinese (zh)
Other versions: CN110996322A
Inventors: 蒋曲明, 王志红, 邬亮, 兰天, 杨洋, 王俊, 张力
Current assignee: Chutian Dragon Co ltd; CETC 30 Research Institute; China Mobile Chengdu ICT Co Ltd
Original assignee: Chutian Dragon Co ltd; CETC 30 Research Institute; China Mobile Chengdu ICT Co Ltd
Application filed by Chutian Dragon Co ltd, CETC 30 Research Institute and China Mobile Chengdu ICT Co Ltd
Priority to CN201911194960.5A
Publication of CN110996322A
Application granted
Publication of CN110996322B
Legal status: Active

Classifications

    • H04W 12/06 Authentication (under H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
    • H04L 63/0823 Network security protocols for authentication of entities using certificates (under H04L 63/08)
    • H04L 63/0869 Network security protocols for authentication of entities for achieving mutual authentication (under H04L 63/08)
    • H04L 63/0892 Network security protocols for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols (under H04L 63/08)
    • H04L 9/3247 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures (under H04L 9/32)
    • H04W 12/069 Authentication using certificates or pre-shared keys (under H04W 12/06)
    • H04W 12/10 Integrity (under H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity)


Abstract

The invention discloses a method for realizing secondary authentication of a terminal. After checking that the primary authentication has passed, the terminal initiates a secondary authentication request to an AAA server through an EAP channel of a 5G network; the request triggers the AAA server to determine the secondary authentication data corresponding to the terminal and to send that data to the terminal in message form. The terminal then authenticates with the secondary authentication data according to its application scenario, generates a response and returns the response to the AAA server, which determines the terminal's secondary authentication result. The method can provide customized secondary authentication for terminals that need it in different application scenarios, guide an industry user in deploying an AAA server that meets the bandwidth, latency, connection-count and similar requirements of the user's application scenario, and prevent an attacker from stealing user privacy at the network layer.

Description

Method for realizing secondary authentication of terminal
Technical Field
Embodiments of the invention relate to the technical field of communication security, and in particular to a method for realizing secondary authentication of a terminal.
Background
5G is the development direction of the new generation of information and communication technology. It not only offers higher performance but also richer application scenarios, extending from traditional person-to-person communication to intelligent interconnection between people and things, and it is key infrastructure for the digital transformation of the future economy and society.
On top of primary authentication, 5G can provide a network slice for an industry, allow the industry to deploy a dedicated AAA (authentication, authorization and accounting) server, perform secondary authentication, and thereby complete industry-specific access authentication. Primary authentication refers to the authentication of a terminal (including but not limited to a mobile phone, a tablet computer or an Internet of Things device) accessing its home network (here, the 5G network); secondary authentication refers to end-to-end authentication between the terminal and the AAA server. That is, after the user has completed access authentication to the 5G network, the user can further perform secondary authentication with the network slice or AAA server where the industry application is located, so that an attacker is prevented from stealing user privacy at the network layer.
At present, 5G adopts a unified EAP authentication framework. This framework is highly extensible and can support existing external data networks, that is, existing authentication modes and authentication infrastructures such as Internet of Things networks, dedicated transport networks, and dedicated government and enterprise networks. However, the 3GPP protocol only provides an optional end-to-end secondary authentication EAP channel, and how to implement secondary authentication through that channel is not given in the prior art, so an industry user does not know how to deploy an AAA server that meets the bandwidth, latency, connection-count and similar requirements of its application scenario.
Disclosure of Invention
The invention provides a method for realizing secondary authentication of a terminal, which aims to overcome the defects of the prior art.
In order to achieve the above purpose, the present invention provides the following technical solutions:
a method for realizing secondary authentication of a terminal comprises the following steps:
after checking that the primary authentication has passed, the terminal initiates a secondary authentication request to an AAA server through an EAP channel of the 5G network, wherein the secondary authentication request is used for triggering the AAA server to determine the secondary authentication data corresponding to the terminal and to send the secondary authentication data to the terminal in message form;
and the terminal authenticates by using the secondary authentication data according to the application scene, generates a response and returns the response to the AAA server so as to determine the secondary authentication result of the terminal.
Further, in the method for implementing secondary authentication of the terminal, the terminal is a terminal in a high security level eMBB scene and comprises a USIM/SE, a communication interface module, a secondary authentication module and a secondary authentication trigger module which are connected in sequence;
then, after checking that the primary authentication has passed, the step of the terminal initiating a secondary authentication request to the AAA server through an EAP channel of the 5G network includes:
after the secondary authentication triggering module checks that the primary authentication is passed, the secondary authentication module initiates a secondary authentication request to the AAA server through an EAP channel of the 5G network;
the steps that the terminal uses the secondary authentication data to authenticate according to the application scene, generates a response and returns the response to the AAA server so as to determine the secondary authentication result of the terminal comprise:
after receiving the secondary authentication data, the secondary authentication module calls the USIM/SE through the communication interface module;
the USIM/SE performs high-strength asymmetric algorithm signature, signature verification and high-rate industry-specific algorithm encryption and decryption operation, generates a response and sends the response to the secondary authentication module;
and the secondary authentication module returns the response to the AAA server in a message form, and the AAA server determines the secondary authentication result of the terminal.
Further, in the method for implementing the secondary authentication of the terminal, the terminal is a terminal in an eMBB scene with a common security level and comprises an algorithm module, a secondary authentication module and a secondary authentication trigger module which are connected in sequence;
then, after checking that the primary authentication has passed, the step of the terminal initiating a secondary authentication request to the AAA server through an EAP channel of the 5G network includes:
after the secondary authentication triggering module checks that the primary authentication is passed, the secondary authentication module initiates a secondary authentication request to the AAA server through an EAP channel of the 5G network by adopting an EAP-TLS protocol;
the steps that the terminal uses the secondary authentication data to authenticate according to the application scene, generates a response and returns the response to the AAA server so as to determine the secondary authentication result of the terminal comprise:
after receiving the secondary authentication data, the secondary authentication module calls the algorithm module through a terminal software API;
the algorithm module carries out asymmetric algorithm signature, signature verification and high-speed common industry algorithm encryption and decryption operation, generates a response and sends the response to the secondary authentication module;
and the secondary authentication module returns the response to the AAA server in a message form, and the AAA server determines the secondary authentication result of the terminal.
Further, in the method for implementing the secondary authentication of the terminal, the terminal is a terminal in a high security level eMTC scene and includes a USIM/SE, a communication interface module, a secondary authentication module and a secondary authentication trigger module, which are connected in sequence;
then, after checking that the primary authentication has passed, the step of the terminal initiating a secondary authentication request to the AAA server through an EAP channel of the 5G network includes:
after the secondary authentication triggering module checks that the primary authentication is passed, the secondary authentication module initiates a secondary authentication request to the AAA server through an EAP channel of a 5G network;
the steps that the terminal uses the secondary authentication data to authenticate according to the application scene, generates a response and returns the response to the AAA server so as to determine the secondary authentication result of the terminal comprise:
after receiving the secondary authentication data, the secondary authentication module calls the USIM/SE through the communication interface module;
the USIM/SE performs lightweight symmetric algorithm authentication and industry-specific algorithm encryption and decryption operation, generates a response and sends the response to the secondary authentication module;
and the secondary authentication module returns the response to the AAA server in a message form, and the AAA server determines the secondary authentication result of the terminal.
Further, in the method for implementing the secondary authentication of the terminal, the terminal is a terminal in a common security level eMTC scene and includes an algorithm module, a secondary authentication module and a secondary authentication trigger module, which are connected in sequence;
then, after checking that the primary authentication has passed, the step of the terminal initiating a secondary authentication request to the AAA server through an EAP channel of the 5G network includes:
after the secondary authentication triggering module checks that the primary authentication is passed, the secondary authentication module initiates a secondary authentication request to the AAA server through an EAP channel of a 5G network;
the steps that the terminal uses the secondary authentication data to authenticate according to the application scene, generates a response and returns the response to the AAA server so as to determine the secondary authentication result of the terminal comprise:
after receiving the secondary authentication data, the secondary authentication module calls the algorithm module through a terminal software API;
the algorithm module carries out lightweight symmetric algorithm authentication and common industry algorithm encryption and decryption operation, generates a response and sends the response to the secondary authentication module;
and the secondary authentication module returns the response to the AAA server in a message form, and the AAA server determines the secondary authentication result of the terminal.
Further, in the method for implementing the secondary authentication of the terminal, the terminal is a terminal in a high security level uRLLC scene and comprises a USIM/SE, a communication interface module, a secondary authentication module and a secondary authentication trigger module which are connected in sequence;
then, after checking that the primary authentication has passed, the step of the terminal initiating a secondary authentication request to the AAA server through an EAP channel of the 5G network includes:
after the secondary authentication triggering module checks that the primary authentication is passed, the secondary authentication module initiates a secondary authentication request to the AAA server through an EAP channel of a 5G network;
the steps that the terminal uses the secondary authentication data to authenticate according to the application scene, generates a response and returns the response to the AAA server so as to determine the secondary authentication result of the terminal comprise:
after receiving the secondary authentication data, the secondary authentication module calls the USIM/SE through the communication interface module;
the USIM/SE performs lightweight symmetric algorithm authentication and high-speed industry-specific algorithm encryption and decryption operation, generates a response and sends the response to the secondary authentication module;
and the secondary authentication module returns the response to the AAA server in a message form, and the AAA server determines the secondary authentication result of the terminal.
Further, in the method for implementing the secondary authentication of the terminal, the terminal is a terminal in a high security level uRLLC scene and comprises a USIM/SE, a communication interface module, a secondary authentication module and a secondary authentication trigger module which are connected in sequence;
then, after checking that the primary authentication has passed, the step of the terminal initiating a secondary authentication request to the AAA server through an EAP channel of the 5G network includes:
after the secondary authentication triggering module checks that the primary authentication is passed, the secondary authentication module initiates a secondary authentication request to the AAA server through an EAP channel of a 5G network;
the steps that the terminal uses the secondary authentication data to authenticate according to the application scene, generates a response and returns the response to the AAA server so as to determine the secondary authentication result of the terminal comprise:
after receiving the secondary authentication data, the secondary authentication module calls the USIM/SE through the communication interface module;
the USIM/SE carries out lightweight asymmetric algorithm signature, signature verification and high-speed industry-specific algorithm encryption and decryption operation, generates a response and sends the response to the secondary authentication module;
and the secondary authentication module returns the response to the AAA server in a message form, and the AAA server determines the secondary authentication result of the terminal.
Further, in the method for implementing the secondary authentication of the terminal, the terminal is a terminal in a common security level uRLLC scene and comprises an algorithm module, a secondary authentication module and a secondary authentication trigger module which are connected in sequence;
then, after checking that the primary authentication has passed, the step of the terminal initiating a secondary authentication request to the AAA server through an EAP channel of the 5G network includes:
after the secondary authentication triggering module checks that the primary authentication is passed, the secondary authentication module initiates a secondary authentication request to the AAA server through an EAP channel of a 5G network;
the steps that the terminal uses the secondary authentication data to authenticate according to the application scene, generates a response and returns the response to the AAA server so as to determine the secondary authentication result of the terminal comprise:
after receiving the secondary authentication data, the secondary authentication module calls the algorithm module through a terminal software API;
the algorithm module carries out lightweight symmetric algorithm authentication and high-speed common industry algorithm encryption and decryption operation, generates a response and sends the response to the secondary authentication module;
and the secondary authentication module returns the response to the AAA server in a message form, and the AAA server determines the secondary authentication result of the terminal.
Further, in the method for implementing the secondary authentication of the terminal, the terminal is a terminal in a common security level uRLLC scene and comprises an algorithm module, a secondary authentication module and a secondary authentication trigger module which are connected in sequence;
then, after checking that the primary authentication has passed, the step of the terminal initiating a secondary authentication request to the AAA server through an EAP channel of the 5G network includes:
after the secondary authentication triggering module checks that the primary authentication is passed, the secondary authentication module initiates a secondary authentication request to the AAA server through an EAP channel of a 5G network by adopting a lightweight EAP-TLS protocol;
the steps that the terminal uses the secondary authentication data to authenticate according to the application scene, generates a response and returns the response to the AAA server so as to determine the secondary authentication result of the terminal comprise:
after receiving the secondary authentication data, the secondary authentication module calls the algorithm module through a terminal software API;
the algorithm module carries out lightweight asymmetric algorithm signature and signature verification and high-speed common industry algorithm encryption and decryption operation, generates a response and sends the response to the secondary authentication module;
and the secondary authentication module returns the response to the AAA server in a message form, and the AAA server determines the secondary authentication result of the terminal.
Further, in the method for implementing secondary authentication of a terminal, before the step in which the terminal, after checking that the primary authentication has passed, initiates a secondary authentication request to the AAA server through an EAP channel of the 5G network, the method further includes:
upon receiving the user interface information, OTA information or a specific event, the terminal checks whether the primary authentication has passed.
The method for realizing secondary authentication of a terminal provided by the embodiments of the invention can provide customized secondary authentication for terminals that need it in different application scenarios, guide an industry user in deploying an AAA server that meets the bandwidth, latency, connection-count and similar requirements of the user's application scenario, and prevent an attacker from stealing user privacy at the network layer.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without inventive exercise.
Fig. 1 is a schematic flowchart of a method for implementing secondary authentication of a terminal according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a terminal in a high security level eMBB scenario according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a terminal in a common security level eMBB scenario according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a terminal in a high security level eMTC scenario according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a terminal in a common security level eMTC scenario according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of a terminal in a high security level uRLLC scenario according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of a terminal in a common security level uRLLC scenario according to an embodiment of the present invention;
fig. 8 is a schematic flowchart of performing secondary authentication by the terminal according to the embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Example one
Referring to fig. 1, an embodiment of the present invention provides a method for implementing secondary authentication of a terminal, where the method specifically includes the following steps:
S101, after checking that the primary authentication has passed, the terminal initiates a secondary authentication request to an AAA server through an EAP channel of a 5G network, wherein the secondary authentication request is used for triggering the AAA server to determine the secondary authentication data corresponding to the terminal and to send the secondary authentication data to the terminal in message form;
It should be noted that, in symmetric-algorithm authentication, the AAA server and the terminal need only a single round trip to determine the secondary authentication data corresponding to the terminal, whereas in asymmetric-algorithm authentication the AAA server and the terminal exchange messages several times, until the handshake protocol completes, to determine the secondary authentication data corresponding to the terminal.
Further, in symmetric-algorithm authentication the secondary authentication data includes a random number RAND and an authentication token AUTN; in asymmetric-algorithm authentication the secondary authentication data includes a random number RAND, a message digest MAC and other TLS handshake protocol data.
Preferably, before step S101, the method further includes:
after receiving user interface information, OTA information or a specific event, the terminal checks whether the primary authentication has passed; if it has, step S101 is executed.
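The single round trip of the symmetric-algorithm case (the AAA server sends RAND and AUTN, the terminal returns a response, the server decides) can be exercised end to end with a short simulation. The following Python is an added example written for this page, not code from the patent or its assignees. It assumes a shared secret held by both parties (`SHARED_KEY`, a constructed value), uses HMAC-SHA256 as a stand-in for the industry algorithm that derives AUTN and the response, which the page does not specify, and the names `AAAServer`, `Terminal`, `run_secondary_auth` and the outcome strings are the example's own. It also shows the two checks a practitioner wants in place: the terminal verifies AUTN before it answers, and the server only accepts a response for a challenge it actually issued.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# Constructed shared secret. In the patent's high-security scenarios this key would live
# inside the USIM/SE; here it is an in-memory value so the simulation runs offline.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 stands in for the industry algorithm the page leaves unspecified."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


@dataclass
class AAAServer:
    key: bytes
    pending: dict = field(default_factory=dict)  # terminal id -> (RAND, expected RES)

    def on_secondary_auth_request(self, terminal_id: str) -> dict:
        """Secondary authentication data for the symmetric case: RAND plus AUTN."""
        rand = os.urandom(16)
        autn = _mac(self.key, b"AUTN", terminal_id.encode(), rand)
        # The expected RES is fixed now, so the later decision is one constant-time compare.
        self.pending[terminal_id] = (rand, _mac(self.key, b"RES", rand))
        return {"type": "EAP-Request", "RAND": rand, "AUTN": autn}

    def on_response(self, terminal_id: str, res: bytes) -> bool:
        entry = self.pending.pop(terminal_id, None)
        if entry is None:
            return False  # no outstanding challenge: unsolicited or replayed RES
        return hmac.compare_digest(entry[1], res)


@dataclass
class Terminal:
    terminal_id: str
    key: bytes
    primary_auth_passed: bool

    def on_secondary_auth_data(self, msg: dict) -> Optional[dict]:
        """Check AUTN before answering: the terminal authenticates the network first."""
        expected_autn = _mac(self.key, b"AUTN", self.terminal_id.encode(), msg["RAND"])
        if not hmac.compare_digest(expected_autn, msg["AUTN"]):
            return None
        return {"type": "EAP-Response", "RES": _mac(self.key, b"RES", msg["RAND"])}


def run_secondary_auth(terminal: Terminal, server: AAAServer, tamper_autn: bool = False) -> str:
    """One round trip: request -> (RAND, AUTN) -> RES -> result.
    tamper_autn simulates a message whose AUTN was altered in transit."""
    if not terminal.primary_auth_passed:
        return "not-started"  # the trigger module does not start before primary authentication
    challenge = server.on_secondary_auth_request(terminal.terminal_id)
    if tamper_autn:
        challenge = dict(challenge, AUTN=bytes(32))
    response = terminal.on_secondary_auth_data(challenge)
    if response is None:
        return "terminal-rejected-network"
    return "pass" if server.on_response(terminal.terminal_id, response["RES"]) else "fail"
```

Binding AUTN to the terminal identifier and RAND means a challenge issued for one terminal does not verify for another, and popping the pending entry on the first response means a second response for the same RAND is refused rather than re-checked.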
S102, the terminal authenticates by using the secondary authentication data according to the application scenario, generates a response and returns the response to the AAA server so as to determine the secondary authentication result of the terminal.
It should be noted that the application scenarios in which a terminal may be located in a 5G network are three: the eMBB scenario (enhanced mobile broadband communication), the eMTC scenario (Internet of Things communication) and the uRLLC scenario (ultra-reliable low-latency communication). The eMBB scenarios further comprise high security level and common security level eMBB scenarios, the eMTC scenarios further comprise high security level and common security level eMTC scenarios, and the uRLLC scenarios further comprise high security level and common security level uRLLC scenarios. This embodiment next describes in detail how the terminal performs secondary authentication in each scenario.
(I) When the terminal is a terminal in a high security level eMBB scenario, the terminal comprises a USIM/SE, a communication interface module, a secondary authentication module and a secondary authentication triggering module connected in sequence (as shown in fig. 2), wherein:
the USIM/SE stores the certificate, the key and the related configuration parameters required by the secondary authentication, and performs high-strength asymmetric algorithm signature, signature verification and high-speed industry-specific algorithm encryption and decryption operation;
the communication interface module can be an ISO7816 interface, a USB-IC interface, an SPI interface, an I2C interface or an SD interface and the like, and is connected with the secondary authentication module and the USIM/SE module;
and the secondary authentication triggering module triggers the secondary authentication module to perform secondary authentication under the condition that the primary authentication passes after receiving the user interface information, the OTA information or the specific event.
The secondary authentication module analyzes and encapsulates a secondary authentication protocol at the terminal side, and calls the USIM/SE through the communication interface module so that the USIM/SE performs high-strength asymmetric algorithm signature, signature verification and high-speed industry-specific algorithm encryption and decryption operation.
Then, the step S101 specifically includes:
after the secondary authentication triggering module checks that the primary authentication is passed, the secondary authentication module initiates a secondary authentication request to the AAA server through an EAP channel of the 5G network;
the step S102 specifically includes:
after receiving the secondary authentication data, the secondary authentication module calls the USIM/SE through the communication interface module;
the USIM/SE performs high-strength asymmetric algorithm signature, signature verification and high-rate industry-specific algorithm encryption and decryption operation, generates a response and sends the response to the secondary authentication module;
and the secondary authentication module returns the response to the AAA server in a message form, and the AAA server determines the secondary authentication result of the terminal.
Further specifically, a DN-AAA public key certificate is preset in the USIM/SE or downloaded through OTA, and the USIM/SE comprises an industry-specific high-security algorithm coprocessor. The complete flow of the secondary authentication of the terminal in the high security level eMBB scenario is as follows, and reference may be made to fig. 8:
1) the terminal initiates a registration application (register request) to the 5G network;
2) the terminal and the 5G network adopt EAP-AKA protocol or 5G-AKA protocol to carry out main authentication;
3) the secondary authentication triggering module in the terminal checks whether the current main authentication passes after receiving the user interface information, the OTA information or the specific event, if the current main authentication passes, the secondary authentication triggering module triggers the secondary authentication module to initiate a secondary authentication request to the AAA server by means of an EAP channel;
4) the secondary authentication module receives the message of the AAA server, analyzes the message, performs instruction interaction (such as a SELECT instruction, a GENERATE ASYMMETRIC KEY PAIR instruction, a COMPUTE DIGITAL SIGNATURE instruction, a VERIFY DIGITAL SIGNATURE instruction, a VERIFY CERTIFICATE instruction, an ENCIPHER instruction, a DECIPHER instruction and the like) with the USIM/SE through the communication interface module, completes high-strength asymmetric algorithm signature and signature verification, and completes the high-speed industry-specific algorithm encryption and decryption operation, MAC operation and the like on the transmitted data;
5) the secondary authentication module encapsulates the USIM/SE operation result into a protocol message, and sends a response to the AAA server through the EAP channel of the 5G network to complete the end-to-end bidirectional authentication between the terminal and the AAA server.
(II) when the terminal is a terminal with a common security level eMBB scene, the terminal comprises an algorithm module, a secondary authentication module and a secondary authentication triggering module (as shown in figure 3) which are connected in sequence; wherein:
the secondary authentication triggering module triggers the secondary authentication module to carry out secondary authentication under the condition that the primary authentication passes after receiving user interface information, OTA information or a specific event;
and the secondary authentication module analyzes and encapsulates a secondary authentication protocol on the terminal side, and calls the algorithm module through a terminal software API (application program interface) so that the algorithm module performs asymmetric algorithm signature, signature verification and high-speed common industry algorithm encryption and decryption operation.
The algorithm module is realized in a terminal software mode, stores certificates, keys and related configuration parameters required by secondary authentication, performs asymmetric algorithm signature, signature verification and high-speed encryption and decryption operation of common industry algorithms, and can adopt various software protection methods such as code obfuscation, hardening, TEE and the like according to the requirements of specific industries, thereby reducing information leakage and increasing the difficulty of code analysis.
Then, the step S101 specifically includes:
after the secondary authentication triggering module checks that the primary authentication is passed, the secondary authentication module initiates a secondary authentication request to the AAA server through an EAP channel of the 5G network by adopting an EAP-TLS protocol;
the step S102 specifically includes:
after receiving the secondary authentication data, the secondary authentication module calls the algorithm module through a terminal software API;
the algorithm module carries out asymmetric algorithm signature, signature verification and high-speed common industry algorithm encryption and decryption operation, generates a response and sends the response to the secondary authentication module;
and the secondary authentication module returns the response to the AAA server in a message form, and the AAA server determines the secondary authentication result of the terminal.
Further specifically, a DN-AAA public key certificate is preset in an algorithm module of the terminal or downloaded through OTA, and a commonly used industry algorithm exists in the form of terminal software; the complete process of the secondary verification of the terminal under the scene of the common security level eMBB is as follows:
1) the terminal initiates a registration application, a register request, to the 5G network;
2) the terminal and the 5G network adopt EAP-AKA protocol or 5G-AKA protocol to carry out main authentication;
3) the secondary authentication triggering module in the terminal checks whether the current main authentication passes after receiving the user interface information, the OTA information or the specific event, if the current main authentication passes, the secondary authentication triggering module triggers the secondary authentication module to initiate a secondary authentication request to the AAA server by means of an EAP channel and adopting an EAP-TLS protocol;
4) the secondary authentication module receives the message of the AAA server, analyzes the message, calls the algorithm module through the software API to finish asymmetric algorithm signature and signature verification, carries out high-speed common industry algorithm encryption and decryption operation and MAC operation on the transmitted data, encapsulates the protocol message and sends a response to the AAA server through the EAP channel of the 5G network, thereby finishing end-to-end bidirectional authentication between the terminal and the AAA server.
(III) when the terminal is a terminal with a high security level eMTC scene, the terminal comprises a USIM/SE, a communication interface module, a secondary authentication module and a secondary authentication triggering module (as shown in FIG. 4), which are connected in sequence; wherein:
the USIM/SE stores the certificate, the key and the related configuration parameters required by the secondary authentication, and performs lightweight symmetric algorithm authentication and industry-specific algorithm encryption and decryption operation of sensitive data;
the communication interface module can be an ISO7816 interface, a USB-IC interface, an SPI interface, an I2C interface or an SD interface and the like, and is connected with the secondary authentication module and the USIM/SE;
the secondary authentication triggering module triggers the secondary authentication module to carry out secondary authentication under the condition that the primary authentication passes after receiving user interface information, OTA information or a specific event;
the secondary authentication module analyzes and encapsulates a lightweight secondary authentication protocol on the terminal side, and calls the USIM/SE through the communication interface module so that the USIM/SE performs lightweight symmetric algorithm authentication and industry-specific algorithm encryption and decryption operation of sensitive data.
Then, the step S101 specifically includes:
after the secondary authentication triggering module checks that the primary authentication is passed, the secondary authentication module initiates a secondary authentication request to the AAA server through an EAP channel of a 5G network;
the step S102 specifically includes:
after receiving the secondary authentication data, the secondary authentication module calls the USIM/SE through the communication interface module;
the USIM/SE performs lightweight symmetric algorithm authentication and industry-specific algorithm encryption and decryption operation, generates a response and sends the response to the secondary authentication module;
and the secondary authentication module returns the response to the AAA server in a message form, and the AAA server determines the secondary authentication result of the terminal.
Further specifically, a DN-AAA industry-specific algorithm key K is preset in the USIM/SE, and the USIM/SE comprises an industry-specific high-security algorithm coprocessor; the complete process of the secondary verification of the terminal under the high security level eMTC scene is as follows:
1) the terminal initiates a registration application, a register request, to the 5G network;
2) the terminal and the 5G network adopt EAP-AKA protocol or 5G-AKA protocol to complete main authentication;
3) the secondary authentication triggering module in the terminal checks whether the current main authentication passes after receiving the user interface information, the OTA information or the specific event, if the current main authentication passes, the secondary authentication triggering module triggers a secondary authentication request to the AAA server by means of an EAP channel, and the AAA server generates secondary authentication data and sends the secondary authentication data to the terminal through a 5G network;
4) the secondary authentication module receives a message of the AAA server, analyzes the message, and sends the obtained RAND + AUTN to the USIM/SE through the communication interface module of the USIM/SE by means of a select instruction (selecting the industry application on another logical channel) and an authentication instruction, wherein the P2 parameter in the authentication instruction is defined as 0B1001000 and represents the secondary authentication security;
5) the USIM/SE calls the built-in industry-specific algorithm coprocessor to perform the F1-F5 function operation, verifies that the DN-AAA identity information contained in AUTN is legal, generates RES and returns the RES to the secondary authentication module in a response;
6) the secondary authentication module encapsulates the RES into a protocol message and returns a response to the AAA server through the EAP channel of the 5G network; the AAA server determines whether the user is legal by verifying whether the RES is consistent with the expected response XRES, thereby finishing the end-to-end bidirectional authentication between the terminal and the AAA server. Meanwhile, the terminal takes the CK and IK returned with the RES as the subsequent message encryption key and integrity check key.
(IV) when the terminal is a terminal with a common security level eMTC scene, the terminal comprises an algorithm module, a secondary authentication module and a secondary authentication triggering module (as shown in fig. 5) which are connected in sequence; wherein:
the secondary authentication triggering module is used for triggering the secondary authentication module to carry out secondary authentication under the condition that the primary authentication passes after receiving the user interface information, the OTA information or the specific event;
the secondary authentication module analyzes and encapsulates the lightweight secondary authentication protocol on the terminal side, and calls the algorithm module through the terminal software API so that the algorithm module completes lightweight symmetric algorithm authentication and common industry algorithm encryption and decryption operation of sensitive data;
the algorithm module is realized in a terminal software mode, stores certificates, keys and related configuration parameters required by secondary authentication, performs single/bidirectional authentication and sensitive data encryption and decryption operation of a lightweight symmetric algorithm, and can adopt various software protection methods such as code obfuscation, hardening, TEE and the like according to the requirements of specific industries, thereby reducing information leakage and increasing the difficulty of code analysis.
Then, the step S101 specifically includes:
after the secondary authentication triggering module checks that the primary authentication is passed, the secondary authentication module initiates a secondary authentication request to the AAA server through an EAP channel of a 5G network;
the step S102 specifically includes:
after receiving the secondary authentication data, the secondary authentication module calls the algorithm module through a terminal software API;
the algorithm module carries out lightweight symmetric algorithm authentication and common industry algorithm encryption and decryption operation, generates a response and sends the response to the secondary authentication module;
and the secondary authentication module returns the response to the AAA server in a message form, and the AAA server determines the secondary authentication result of the terminal.
Further specifically, a DN-AAA group key algorithm K is preset in an algorithm module of the terminal, and a commonly used industry algorithm exists in the form of terminal software; the complete process of the secondary verification of the terminal under the scene of the common security level eMTC is as follows:
1) the terminal initiates a registration application, a register request, to the 5G network;
2) the terminal and the network side adopt EAP-AKA or 5G-AKA to complete the main authentication.
3) the secondary authentication triggering module in the terminal checks whether the current main authentication passes after receiving the user interface information, the OTA information or the specific event; if it passes, the secondary authentication module initiates a secondary authentication request to the AAA server by means of an EAP channel; the AAA server generates secondary authentication data and sends the secondary authentication data to the terminal through the 5G network;
4) the secondary authentication module receives the message of the AAA server, analyzes the message, passes the obtained RAND + AUTN to the algorithm module to perform the F1-F5 function operation, verifies that the DN-AAA identity information contained in AUTN is legal, generates RES, encapsulates the protocol message, and returns it to the AAA server through the EAP channel of the 5G network as a response, thereby completing the end-to-end bidirectional authentication between the terminal and the AAA server. Meanwhile, the terminal takes the CK and IK returned with the RES as the subsequent message encryption key and integrity check key.
(V) when the terminal is a terminal in a high security level uRLLC scene, the terminal comprises a USIM/SE, a communication interface module, a secondary authentication module and a secondary authentication triggering module (as shown in FIG. 6) which are connected in sequence; wherein:
the USIM/SE stores the certificate, the key and the related configuration parameters required by the secondary authentication, performs the bidirectional authentication of the special industry symmetric algorithm or the signature and the signature verification of the special industry high-speed asymmetric algorithm, and performs the encryption and decryption operation on the sensitive data by adopting the high-speed industry special algorithm;
the communication interface module can be an ISO7816 interface, a USB-IC interface, an SPI interface, an I2C interface or an SD interface and the like, and is used for connecting the secondary authentication module with the USIM/SE;
the secondary authentication module analyzes and encapsulates a lightweight secondary authentication protocol at the terminal side, and calls a USIM/SE through a communication interface module so that the USIM/SE completes the bidirectional authentication of a special industry symmetric algorithm or the signature and the signature verification of a special industry high-speed asymmetric algorithm and the industry special algorithm encryption and decryption operation of high speed of sensitive data;
and the secondary authentication triggering module receives the user interface information, the OTA information or the specific event and triggers secondary authentication under the condition that the primary authentication is passed.
Then, the step S101 specifically includes:
after the secondary authentication triggering module checks that the primary authentication is passed, the secondary authentication module initiates a secondary authentication request to the AAA server through an EAP channel of a 5G network;
the step S102 specifically includes:
after receiving the secondary authentication data, the secondary authentication module calls the USIM/SE through the communication interface module;
the USIM/SE performs lightweight symmetric algorithm authentication and high-speed industry-specific algorithm encryption and decryption operation, generates a response and sends the response to the secondary authentication module;
and the secondary authentication module returns the response to the AAA server in a message form, and the AAA server determines the secondary authentication result of the terminal.
Alternatively, the step S102 specifically includes:
after receiving the secondary authentication data, the secondary authentication module calls the USIM/SE through the communication interface module;
the USIM/SE carries out lightweight asymmetric algorithm signature, signature verification and high-speed industry-specific algorithm encryption and decryption operation, generates a response and sends the response to the secondary authentication module;
and the secondary authentication module returns the response to the AAA server in a message form, and the AAA server determines the secondary authentication result of the terminal.
More specifically, the secondary verification process of the terminal under the high-security-level uRLLC scene is divided into two types, one type adopts symmetric algorithm bidirectional authentication, and the other type adopts asymmetric algorithm bidirectional authentication.
When the symmetric algorithm is adopted for bidirectional authentication, a DN-AAA industrial algorithm key K is preset in the USIM/SE; the USIM/SE contains an industry specific high security algorithm co-processor. To further reduce latency, industry applications have been configured as default selected applications on a designated logical channel (e.g., logical channel 2) and the communication interface is configured for high rates when USIM/SE personalization is performed. The complete process of the secondary authentication of the terminal in the high security level uRLLC scenario is as follows:
1) the terminal initiates a registration application, a register request, to the 5G network;
2) the terminal and the 5G network adopt EAP-AKA or 5G-AKA to complete the main authentication;
3) the secondary authentication triggering module in the terminal checks whether the current main authentication passes after receiving the user interface information, the OTA information or the specific event, if the current main authentication passes, the secondary authentication triggering module triggers a secondary authentication request to the AAA server by means of an EAP channel, and the AAA server generates secondary authentication data and sends the secondary authentication data to the terminal through a 5G network;
4) the secondary authentication module receives the message of the AAA server, analyzes the message, and sends the obtained RAND + AUTN to the USIM/SE by means of an authentication instruction through the communication interface module of the USIM/SE on a specified logical channel (such as logical channel 2), wherein the P2 parameter in the authentication instruction is defined as 0B1001000 and represents the secondary authentication security. Because the industry application on the specified logical channel (such as logical channel 2) is configured in advance as the default selected application, the interaction of a select instruction is saved, and the time delay is further reduced;
5) the USIM/SE calls the built-in high-speed industry-specific algorithm coprocessor to perform the F1-F5 function operation, verifies that the DN-AAA identity information contained in AUTN is legal, generates RES and returns it to the secondary authentication module in a response;
6) the secondary authentication module encapsulates the RES into a protocol message and returns a response to the AAA server through the EAP channel of the 5G network; the AAA server determines whether the user is legal by verifying whether the RES is consistent with the XRES, so that end-to-end bidirectional authentication between the terminal and the AAA server is completed. Meanwhile, the terminal takes the CK and IK returned with the RES as the subsequent message encryption key and integrity check key.
When the high-speed asymmetric algorithm bidirectional authentication is adopted, a public key certificate of the DN-AAA asymmetric algorithm is preset in the USIM/SE first or downloaded through OTA before the secondary authentication is used, meanwhile, an asymmetric algorithm private key of a terminal end is generated in the USIM/SE, and the asymmetric algorithm public key certificate of the terminal end is distributed to the DN-AAA in advance. The USIM/SE comprises a high-security algorithm coprocessor special for the industry, and asymmetric signature and signature verification can meet the requirement of low time delay of the industry. To further reduce latency, industry applications have been configured as default selected applications on a designated logical channel (e.g., logical channel 2) and the communication interface is configured for high rates when USIM/SE personalization is performed. The complete process of the secondary authentication of the terminal in the high security level uRLLC scenario is as follows:
1) the terminal initiates a registration application, a register request, to the 5G network;
2) the terminal and the network side adopt EAP-AKA or 5G-AKA to complete the main authentication;
3) the secondary authentication triggering module in the terminal checks whether the current main authentication passes after receiving the user interface information, the OTA information or the specific event, if so, the secondary authentication triggering module triggers the secondary authentication module to initiate a secondary authentication request to the AAA server by means of an EAP channel;
4) the secondary authentication module receives the message of the AAA server, analyzes the message, and carries out instruction interaction (COMPUTE DIGITAL SIGNATURE instruction, VERIFY CERTIFICATE instruction and the like) with the USIM/SE through the communication interface module to complete high-strength asymmetric algorithm signature, signature verification and the like;
5) the secondary authentication module encapsulates the USIM/SE operation result into a protocol message, and sends a response to the AAA server through the EAP channel of the 5G network to complete the end-to-end bidirectional authentication between the terminal and the AAA server.
(VI) when the terminal is a terminal in a common security level uRLLC scene, the terminal comprises an algorithm module, a secondary authentication module and a secondary authentication triggering module (as shown in FIG. 7) which are connected in sequence; wherein:
the secondary authentication triggering module triggers the secondary authentication module to carry out secondary authentication under the condition that the primary authentication passes after receiving user interface information, OTA information or a specific event;
the secondary authentication module analyzes and encapsulates a lightweight secondary authentication protocol on the terminal side, and calls an algorithm module through a terminal software API (application program interface) to enable the algorithm module to finish single/bidirectional authentication of a lightweight common industry symmetric algorithm or high-speed signature and signature verification and high-speed common industry algorithm encryption and decryption operation;
the algorithm module is realized in a terminal software mode, stores certificates, keys and related configuration parameters required by secondary authentication, and performs single/bidirectional authentication of a lightweight symmetric algorithm or high-speed signature and signature verification and high-speed common industry algorithm encryption and decryption operation of sensitive data. According to the requirements of specific industries, various software protection methods such as code obfuscation, hardening, TEE and the like can be adopted, so that the leakage of information is reduced and the difficulty of code analysis is increased.
Then, the step S101 specifically includes:
after the secondary authentication triggering module checks that the primary authentication is passed, the secondary authentication module initiates a secondary authentication request to the AAA server through an EAP channel of a 5G network;
the step S102 specifically includes:
after receiving the secondary authentication data, the secondary authentication module calls the algorithm module through a terminal software API;
the algorithm module carries out lightweight symmetric algorithm authentication and high-speed common industry algorithm encryption and decryption operation, generates a response and sends the response to the secondary authentication module;
and the secondary authentication module returns the response to the AAA server in a message form, and the AAA server determines the secondary authentication result of the terminal.
Or, the step S101 specifically includes:
after the secondary authentication triggering module checks that the main authentication is passed, the secondary authentication module initiates a secondary authentication request to the AAA server through an EAP channel of a 5G network by adopting a lightweight EAP-TLS protocol;
alternatively, the step S102 specifically includes:
after receiving the secondary authentication data, the secondary authentication module calls the algorithm module through a terminal software API;
the algorithm module carries out lightweight asymmetric algorithm signature and signature verification and high-speed common industry algorithm encryption and decryption operation, generates a response and sends the response to the secondary authentication module;
and the secondary authentication module returns the response to the AAA server in a message form, and the AAA server determines the secondary authentication result of the terminal.
More specifically, the secondary verification process of the terminal in the common security level uRLLC scene is divided into two types, one type adopts symmetric algorithm bidirectional authentication, and the other type adopts asymmetric algorithm bidirectional authentication.
When the symmetric algorithm is adopted for bidirectional authentication, the algorithm module of the terminal needs to preset a DN-AAA industrial algorithm key K. The complete process of the secondary authentication of the terminal in the common security level uRLLC scenario is as follows:
1) the terminal initiates a registration application, a register request, to the 5G network;
2) the terminal and the 5G network adopt EAP-AKA or 5G-AKA to complete the main authentication;
3) the secondary authentication triggering module in the terminal checks whether the current main authentication passes after receiving the user interface information, the OTA information or the specific event, if the current main authentication passes, the secondary authentication triggering module triggers a secondary authentication request to the AAA server by means of an EAP channel, and the AAA server generates secondary authentication data and sends the secondary authentication data to the terminal through a 5G network;
4) the secondary authentication module receives the message of the AAA server, analyzes the message, passes the obtained RAND + AUTN to the algorithm module to perform the F1-F5 function operation, verifies that the DN-AAA identity information contained in AUTN is legal, generates RES, encapsulates the protocol message, and returns it to the AAA server through the EAP channel of the 5G network as a response, thereby completing the end-to-end bidirectional authentication between the terminal and the AAA server. Meanwhile, the terminal takes the CK and IK returned with the RES as the subsequent message encryption key and integrity check key.
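The symmetric RAND + AUTN challenge/response that the eMTC flows (steps 3 to 6 of the high security level eMTC flow, step 4 of the common security level eMTC flow) and the symmetric uRLLC flows above all rely on, as an added worked example that is not part of the patent and not the applicant's code. It shows both sides of the exchange: the DN-AAA server builds RAND and AUTN and keeps XRES, the terminal's algorithm module verifies the MAC in AUTN (the "DN-AAA identity information" check), rejects a replayed sequence number, and returns RES, CK and IK; the server then compares RES with XRES. The f1 to f5 functions, the AMF value, the key and the field lengths are constructed stand-ins (HMAC-SHA256 with domain labels), not the industry-specific coprocessor algorithm and not 3GPP MILENAGE; `DnAaaServer`, `AlgorithmModule` and `run_secondary_authentication` are hypothetical names.

```python
import hmac
import hashlib
import secrets

# Constructed field sizes (bytes); the patent does not fix these.
RAND_LEN, SQN_LEN, AMF_LEN, MAC_LEN = 16, 6, 2, 8


def _kdf(k: bytes, label: bytes, *parts: bytes, n: int) -> bytes:
    """Constructed stand-in for the industry-specific f-functions: HMAC-SHA256
    keyed with K, a label for domain separation, truncated to n bytes."""
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()[:n]


def f1(k, rand, sqn, amf): return _kdf(k, b"f1", rand, sqn, amf, n=MAC_LEN)  # MAC-A
def f2(k, rand): return _kdf(k, b"f2", rand, n=8)        # RES / XRES
def f3(k, rand): return _kdf(k, b"f3", rand, n=16)       # CK
def f4(k, rand): return _kdf(k, b"f4", rand, n=16)       # IK
def f5(k, rand): return _kdf(k, b"f5", rand, n=SQN_LEN)  # AK, conceals SQN


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class DnAaaServer:
    """AAA side: generates secondary authentication data and checks RES."""

    def __init__(self, k: bytes):
        self.k = k
        self.sqn = 0
        self.pending = {}  # session_id -> (XRES, CK, IK)

    def secondary_auth_data(self, session_id):
        rand = secrets.token_bytes(RAND_LEN)
        self.sqn += 1                       # fresh sequence number per challenge
        sqn = self.sqn.to_bytes(SQN_LEN, "big")
        amf = b"\x80\x00"                   # constructed AMF value
        autn = _xor(sqn, f5(self.k, rand)) + amf + f1(self.k, rand, sqn, amf)
        self.pending[session_id] = (f2(self.k, rand), f3(self.k, rand), f4(self.k, rand))
        return rand, autn

    def check_res(self, session_id, res):
        """Compare RES with the stored XRES; returns (accepted, CK, IK)."""
        entry = self.pending.pop(session_id, None)
        if entry is None:
            return False, None, None
        xres, ck, ik = entry
        if not hmac.compare_digest(xres, res):   # constant-time comparison
            return False, None, None
        return True, ck, ik


class AlgorithmModule:
    """Terminal side (software algorithm module or USIM/SE coprocessor)."""

    def __init__(self, k: bytes):
        self.k = k
        self.highest_sqn = 0

    def authenticate(self, rand, autn):
        """Run f1..f5 on RAND+AUTN; returns (RES, CK, IK) or None on failure."""
        if len(rand) != RAND_LEN or len(autn) != SQN_LEN + AMF_LEN + MAC_LEN:
            raise ValueError("malformed secondary authentication data")
        sqn_ak, amf, mac = autn[:SQN_LEN], autn[SQN_LEN:SQN_LEN + AMF_LEN], autn[SQN_LEN + AMF_LEN:]
        sqn = _xor(sqn_ak, f5(self.k, rand))
        if not hmac.compare_digest(f1(self.k, rand, sqn, amf), mac):
            return None   # DN-AAA identity check failed: wrong key or forged challenge
        sqn_int = int.from_bytes(sqn, "big")
        if sqn_int <= self.highest_sqn:
            return None   # replayed challenge
        self.highest_sqn = sqn_int
        return f2(self.k, rand), f3(self.k, rand), f4(self.k, rand)


def run_secondary_authentication(server, terminal, session_id="pdu-session-1"):
    """Drive one exchange; returns (server accepted, both sides hold same CK/IK)."""
    rand, autn = server.secondary_auth_data(session_id)
    result = terminal.authenticate(rand, autn)
    if result is None:
        server.pending.pop(session_id, None)   # terminal refused; drop the challenge
        return False, False
    res, ck, ik = result
    accepted, ck_s, ik_s = server.check_res(session_id, res)
    return accepted, accepted and ck == ck_s and ik == ik_s


if __name__ == "__main__":
    K = bytes(range(16))   # constructed shared industry key K
    print(run_secondary_authentication(DnAaaServer(K), AlgorithmModule(K)))
```

The sequence-number check is what turns the MAC verification into protection against replay of an old RAND + AUTN pair; the server-side XRES comparison uses a constant-time compare so that an attacker probing RES values learns nothing from response timing.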
When the high-speed asymmetric algorithm bidirectional authentication is adopted, a DN-AAA asymmetric algorithm public key certificate is preset in the algorithm module or is downloaded through OTA before secondary authentication is used; meanwhile, an asymmetric algorithm private key of the terminal end is generated in the algorithm module, and the asymmetric algorithm public key certificate of the terminal end is distributed to DN-AAA in advance. Asymmetric signature and verification in the algorithm module can meet the requirement of low time delay in the industry. The complete process of the secondary authentication of the terminal in the common security level uRLLC scenario is as follows:
1) the terminal initiates a registration application, a register request, to the 5G network;
2) the terminal and the 5G network adopt EAP-AKA or 5G-AKA to complete the main authentication;
3) the secondary authentication triggering module in the terminal checks whether the current main authentication passes after receiving the user interface information, the OTA information or a specific event, if the current main authentication passes, the secondary authentication triggering module triggers the secondary authentication module to initiate a secondary authentication request to the AAA server by means of an EAP channel and adopting a lightweight EAP-TLS protocol;
4) the secondary authentication module receives the message of the AAA server, analyzes the message, calls the algorithm module through the software API to finish asymmetric algorithm signature and signature verification, encapsulates the protocol message and sends a response to the AAA server through the EAP channel of the 5G network, thereby finishing the end-to-end bidirectional authentication between the terminal and the AAA server.
The method for realizing the secondary authentication of the terminal provided by the embodiment of the invention can provide customized secondary authentication service for the terminal needing the secondary authentication in different application scenes, guide an industrial user to deploy the AAA server meeting the requirements of the bandwidth, the time delay, the connection number and the like of the application scene of the user, and achieve the aim of preventing an attacker from stealing the privacy of the user in a network layer.
The above embodiments are merely to illustrate the technical solutions of the present invention, and not to limit the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (2)

1. A method for realizing secondary authentication of a terminal is characterized by comprising the following steps:
after checking that the main authentication is passed, the terminal initiates a secondary authentication request to an AAA server through an EAP channel of the 5G network, wherein the secondary authentication request is used for triggering the AAA server to determine secondary authentication data corresponding to the terminal and sending the secondary authentication data to the terminal in a message form;
the terminal authenticates by using the secondary authentication data according to the application scene, generates a response and returns the response to the AAA server so as to determine the secondary authentication result of the terminal;
the terminal is a terminal with a high-security level eMBB scene and comprises a USIM/SE, a communication interface module, a secondary authentication module and a secondary authentication triggering module which are sequentially connected;
then, after checking that the primary authentication has passed, the step of the terminal initiating a secondary authentication request to the AAA server through an EAP channel of the 5G network includes:
after the secondary authentication triggering module checks that the primary authentication is passed, the secondary authentication module initiates a secondary authentication request to the AAA server through an EAP channel of the 5G network;
the steps that the terminal uses the secondary authentication data to authenticate according to the application scene, generates a response and returns the response to the AAA server so as to determine the secondary authentication result of the terminal comprise:
after receiving the secondary authentication data, the secondary authentication module calls the USIM/SE through the communication interface module;
the USIM/SE performs high-strength asymmetric algorithm signature, signature verification and high-rate industry-specific algorithm encryption and decryption operation, generates a response and sends the response to the secondary authentication module;
the secondary authentication module returns the response to the AAA server in the form of a message, and the AAA server determines the secondary authentication result of the terminal;
the terminal is a terminal of a common security level eMBB scene and comprises an algorithm module, a secondary authentication module and a secondary authentication triggering module which are sequentially connected;
then, after checking that the primary authentication has passed, the step of the terminal initiating a secondary authentication request to the AAA server through an EAP channel of the 5G network includes:
after the secondary authentication triggering module checks that the primary authentication is passed, the secondary authentication module initiates a secondary authentication request to the AAA server through an EAP channel of the 5G network by adopting an EAP-TLS protocol;
the steps that the terminal uses the secondary authentication data to authenticate according to the application scene, generates a response and returns the response to the AAA server so as to determine the secondary authentication result of the terminal comprise:
after receiving the secondary authentication data, the secondary authentication module calls the algorithm module through a terminal software API;
the algorithm module carries out asymmetric algorithm signature, signature verification and high-speed common industry algorithm encryption and decryption operation, generates a response and sends the response to the secondary authentication module;
the secondary authentication module returns the response to the AAA server in the form of a message, and the AAA server determines the secondary authentication result of the terminal;
the terminal is a terminal with a high-security level eMTC scene and comprises a USIM/SE, a communication interface module, a secondary authentication module and a secondary authentication triggering module which are sequentially connected;
then, after checking that the primary authentication has passed, the step of the terminal initiating a secondary authentication request to the AAA server through an EAP channel of the 5G network includes:
after the secondary authentication triggering module checks that the primary authentication is passed, the secondary authentication module initiates a secondary authentication request to the AAA server through an EAP channel of a 5G network;
the steps that the terminal uses the secondary authentication data to authenticate according to the application scene, generates a response and returns the response to the AAA server so as to determine the secondary authentication result of the terminal comprise:
after receiving the secondary authentication data, the secondary authentication module calls the USIM/SE through the communication interface module;
the USIM/SE performs lightweight symmetric algorithm authentication and industry-specific algorithm encryption and decryption operation, generates a response and sends the response to the secondary authentication module;
the secondary authentication module returns the response to the AAA server in the form of a message, and the AAA server determines the secondary authentication result of the terminal;
the terminal is a terminal with a common security level eMTC scene and comprises an algorithm module, a secondary authentication module and a secondary authentication triggering module which are sequentially connected;
then, after checking that the primary authentication has passed, the step of the terminal initiating a secondary authentication request to the AAA server through an EAP channel of the 5G network includes:
after the secondary authentication triggering module checks that the primary authentication is passed, the secondary authentication module initiates a secondary authentication request to the AAA server through an EAP channel of a 5G network;
the steps that the terminal uses the secondary authentication data to authenticate according to the application scene, generates a response and returns the response to the AAA server so as to determine the secondary authentication result of the terminal comprise:
after receiving the secondary authentication data, the secondary authentication module calls the algorithm module through a terminal software API;
the algorithm module carries out lightweight symmetric algorithm authentication and common industry algorithm encryption and decryption operation, generates a response and sends the response to the secondary authentication module;
the secondary authentication module returns the response to the AAA server in the form of a message, and the AAA server determines the secondary authentication result of the terminal;
the terminal is a terminal with a high-security-level uRLLC scene and comprises a USIM/SE, a communication interface module, a secondary authentication module and a secondary authentication triggering module which are sequentially connected;
then, after checking that the primary authentication has passed, the step of the terminal initiating a secondary authentication request to the AAA server through an EAP channel of the 5G network includes:
after the secondary authentication triggering module checks that the primary authentication is passed, the secondary authentication module initiates a secondary authentication request to the AAA server through an EAP channel of a 5G network;
the steps that the terminal uses the secondary authentication data to authenticate according to the application scene, generates a response and returns the response to the AAA server so as to determine the secondary authentication result of the terminal comprise:
after receiving the secondary authentication data, the secondary authentication module calls the USIM/SE through the communication interface module;
the USIM/SE performs lightweight symmetric algorithm authentication and high-speed industry-specific algorithm encryption and decryption operation, generates a response and sends the response to the secondary authentication module;
the secondary authentication module returns the response to the AAA server in the form of a message, and the AAA server determines the secondary authentication result of the terminal;
the terminal is a terminal with a high-security-level uRLLC scene and comprises a USIM/SE, a communication interface module, a secondary authentication module and a secondary authentication triggering module which are sequentially connected;
then, after checking that the primary authentication has passed, the step of the terminal initiating a secondary authentication request to the AAA server through an EAP channel of the 5G network includes:
after the secondary authentication triggering module checks that the primary authentication is passed, the secondary authentication module initiates a secondary authentication request to the AAA server through an EAP channel of a 5G network;
the steps that the terminal uses the secondary authentication data to authenticate according to the application scene, generates a response and returns the response to the AAA server so as to determine the secondary authentication result of the terminal comprise:
after receiving the secondary authentication data, the secondary authentication module calls the USIM/SE through the communication interface module;
the USIM/SE carries out lightweight asymmetric algorithm signature, signature verification and high-speed industry-specific algorithm encryption and decryption operation, generates a response and sends the response to the secondary authentication module;
the secondary authentication module returns the response to the AAA server in the form of a message, and the AAA server determines the secondary authentication result of the terminal;
the terminal is a terminal in a common security level uRLLC scene and comprises an algorithm module, a secondary authentication module and a secondary authentication triggering module which are sequentially connected;
then, after checking that the primary authentication has passed, the step of the terminal initiating a secondary authentication request to the AAA server through an EAP channel of the 5G network includes:
after the secondary authentication triggering module checks that the primary authentication is passed, the secondary authentication module initiates a secondary authentication request to the AAA server through an EAP channel of a 5G network;
the steps that the terminal uses the secondary authentication data to authenticate according to the application scene, generates a response and returns the response to the AAA server so as to determine the secondary authentication result of the terminal comprise:
after receiving the secondary authentication data, the secondary authentication module calls the algorithm module through a terminal software API;
the algorithm module carries out lightweight symmetric algorithm authentication and high-speed common industry algorithm encryption and decryption operation, generates a response and sends the response to the secondary authentication module;
the secondary authentication module returns the response to the AAA server in the form of a message, and the AAA server determines the secondary authentication result of the terminal;
the terminal is a terminal in a common security level uRLLC scene and comprises an algorithm module, a secondary authentication module and a secondary authentication triggering module which are sequentially connected;
then, after checking that the primary authentication has passed, the step of the terminal initiating a secondary authentication request to the AAA server through an EAP channel of the 5G network includes:
after the secondary authentication triggering module checks that the primary authentication is passed, the secondary authentication module initiates a secondary authentication request to the AAA server through an EAP channel of a 5G network by adopting a lightweight EAP-TLS protocol;
the steps that the terminal uses the secondary authentication data to authenticate according to the application scene, generates a response and returns the response to the AAA server so as to determine the secondary authentication result of the terminal comprise:
after receiving the secondary authentication data, the secondary authentication module calls the algorithm module through a terminal software API;
the algorithm module carries out lightweight asymmetric algorithm signature and signature verification and high-speed common industry algorithm encryption and decryption operation, generates a response and sends the response to the secondary authentication module;
and the secondary authentication module returns the response to the AAA server in a message form, and the AAA server determines the secondary authentication result of the terminal.
2. The method of claim 1, wherein before the step of initiating the secondary authentication request to the AAA server through the EAP channel of the 5G network after checking that the primary authentication has passed, the method further comprises:
upon receiving the user interface information, OTA information or a specific event, the terminal checks whether the primary authentication has passed.
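The exchange claimed above, as an added example that is not part of the patent or of any applicant's code: a Go model of the high-security asymmetric variant, in which the AAA server's challenge is signed so the terminal authenticates the server before it answers, and the terminal's signed response lets the AAA server determine the result. Ed25519 stands in for the unspecified asymmetric algorithm, the USIM/SE is reduced to the terminal's key material, and the message labels, 16-byte nonce and identity strings are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// SecondaryAuthData is the AAA server's reply to a secondary authentication request: a fresh
// nonce and the server's signature over it, so the terminal verifies the server before answering.
type SecondaryAuthData struct{ Nonce, ServerSig []byte }

// AAAServer holds its own signing key and the public keys of enrolled terminals.
type AAAServer struct{ priv ed25519.PrivateKey; pub map[string]ed25519.PublicKey }

// Terminal: PrimaryOK is what the trigger module checks; the keys stand in for the USIM/SE.
type Terminal struct {
	ID        string
	PrimaryOK bool
	priv      ed25519.PrivateKey
	serverPub ed25519.PublicKey
}
// Signed messages are domain-separated so a server signature can never pass as a terminal response.
func serverMsg(nonce []byte) []byte              { return append([]byte("aaa|"), nonce...) }
func terminalMsg(id string, nonce []byte) []byte { return append([]byte("ue|"+id+"|"), nonce...) }
// Challenge: the AAA server determines the secondary authentication data (claim 1, first step).
func (s *AAAServer) Challenge() SecondaryAuthData {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no entropy source: a predictable nonce would make responses replayable
	}
	return SecondaryAuthData{nonce, ed25519.Sign(s.priv, serverMsg(nonce))}
}
// Respond: the USIM/SE verifies the server signature, then signs the nonce (claim 1, second step).
func (t *Terminal) Respond(d SecondaryAuthData) ([]byte, error) {
	if !ed25519.Verify(t.serverPub, serverMsg(d.Nonce), d.ServerSig) {
		return nil, errors.New("AAA server signature invalid; response withheld")
	}
	return ed25519.Sign(t.priv, terminalMsg(t.ID, d.Nonce)), nil
}
// Result: the AAA server checks the response against the data it issued (kept per session in practice).
func (s *AAAServer) Result(id string, d SecondaryAuthData, resp []byte) bool {
	pk, ok := s.pub[id]
	return ok && ed25519.Verify(pk, terminalMsg(id, d.Nonce), resp)
}

// RunSecondaryAuth drives the whole procedure: trigger check, request, data, response, result.
func RunSecondaryAuth(t *Terminal, s *AAAServer) (bool, error) {
	if !t.PrimaryOK {
		return false, errors.New("primary authentication not passed; request not sent")
	}
	data := s.Challenge() // in the real flow the request over the EAP channel triggers this
	resp, err := t.Respond(data)
	if err != nil {
		return false, err
	}
	return s.Result(t.ID, data, resp), nil
}

// Provision enrols one terminal with a fresh AAA server (constructed setup for this example).
func Provision(id string) (*Terminal, *AAAServer) {
	sPub, sPriv, _ := ed25519.GenerateKey(rand.Reader)
	tPub, tPriv, _ := ed25519.GenerateKey(rand.Reader)
	return &Terminal{id, true, tPriv, sPub}, &AAAServer{sPriv, map[string]ed25519.PublicKey{id: tPub}}
}
```

For the lightweight symmetric scenes in the claims, the same exchange replaces the two Sign/Verify pairs with an HMAC tag over the same labelled nonce under a pre-shared key, while the trigger check and nonce binding stay unchanged.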
CN201911194960.5A 2019-11-28 2019-11-28 Method for realizing secondary authentication of terminal Active CN110996322B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911194960.5A CN110996322B (en) 2019-11-28 2019-11-28 Method for realizing secondary authentication of terminal

Publications (2)

Publication Number Publication Date
CN110996322A CN110996322A (en) 2020-04-10
CN110996322B true CN110996322B (en) 2021-07-30

Family

ID=70087907

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant