CN112087750B - Access and switching authentication method and system under satellite network intermittent communication scene - Google Patents


Info

Publication number
CN112087750B
Authority
CN
China
Prior art keywords
satellite
message
leo1
authentication
random number
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010776718.5A
Other languages
Chinese (zh)
Other versions
CN112087750A (en)
Inventor
曹进
马如慧
陈李兰
李晖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xidian University
Original Assignee
Xidian University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W12/08 Access security
    • H04W36/00 Hand-off or reselection arrangements
    • H04W36/0005 Control or signalling for completing the hand-off
    • H04W36/0055 Transmission or use of information for re-establishing the radio link
    • H04W36/16 Performing reselection for specific purposes
    • H04W36/18 Performing reselection for specific purposes for allowing seamless reselection, e.g. soft reselection
    • H04W60/00 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
    • H04W84/00 Network topologies
    • H04W84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/04 Large scale networks; Deep hierarchical networks
    • H04W84/06 Airborne or Satellite Networks


Abstract

The invention belongs to the technical field of network security communication, and discloses an access and switching authentication method and system under a satellite network intermittent communication scene. Only simple hash and XOR operations are used, and the terminal is guaranteed secure access to the satellite network through a timestamp, a message authentication code, a random number and RES, so that bidirectional authentication is achieved while communication overhead and calculation overhead are reduced; rapid communication recovery authentication after the UE is disconnected from the satellite network is realized based on the current session key of the mobile user UE and the satellite network, which reduces unnecessary access authentications and the system burden; secure switching is realized through random numbers and a hash function, reducing the communication cost of the satellite switching process; the user achieves anonymity by generating a temporary identity, which is refreshed after each successful authentication for the next one.

Description

Access and switching authentication method and system under satellite network intermittent communication scene
Technical Field
The invention belongs to the technical field of network security communication, and particularly relates to a terminal access authentication and seamless switching authentication method and system suitable for a satellite network intermittent communication scene.
Background
In order to realize network coverage on a global scale, international organizations such as 3GPP have listed satellite networks as one of the 5G access modes, and the science and technology department of China started research and development work on satellite communication and terrestrial mobile communication fusion technology in 2019. The satellite network builds on the terrestrial network and combines the wide coverage area, efficient broadcasting and other characteristics of satellites, so that the air, the ocean and the ground are connected and communicate, and global full coverage is realized. The satellite network composed of various heterogeneous networks comprises various network nodes and can provide services such as emergency guarantee, space-based relay and mobile communication; in particular, the rapidly developing LEO satellite communication network has the advantages of small link loss, low delay and low satellite cost, is widely used in the construction of satellite networks, and has important strategic significance for the country.
In a satellite network, in order to guarantee the security of the network, access authentication needs to be performed on nodes, and only nodes that have been successfully authenticated can access the network. However, since the on-board resources of a satellite network are limited, a high-complexity authentication algorithm cannot be deployed. In addition, the long satellite-to-ground distance results in long propagation delays. For a fast, low-delay real-time authentication process, how to complete the identity authentication of different nodes while consuming little calculation overhead, storage overhead and authentication delay is a problem to be solved. Because satellites operate in a harsh natural environment, with extreme conditions such as solar outages, the inter-satellite link is unstable in practice and the communication link is prone to intermittent communication; moreover, satellites are always in high-speed motion and the earth is constantly revolving and rotating, so the signal coverage of a satellite is always changing. Most existing access authentication schemes study access authentication and handover authentication separately, and the reconnection scene is rarely considered, so a comprehensive mechanism covering access authentication, reconnection authentication and secure handover authentication is lacking.
Through the above analysis, the problems and defects of the prior art are as follows:
(1) in the prior art, the safety problem that the user is disconnected and reconnected with the satellite network due to the unstable link of the satellite network is mostly not considered, so that the terminal performs unnecessary access authentication for many times, and communication resources are wasted.
(2) Most of the existing access authentication and switching authentication schemes are independently and deeply researched, wherein the switching authentication schemes mostly have related problems of safety, performance and the like, and the low-overhead cryptographic technology is less used for realizing the safety switching authentication, so that the authentication schemes cannot meet the performance requirements in most of actual satellite network scenes.
(3) In the existing satellite network authentication scheme and in the research of anonymous user access authentication, the traditional public key cryptosystem generates great burden for a satellite system and cannot meet the safety requirement of equipment due to the fact that the calculation overhead and the password updating overhead are too large.
The significance of solving these problems and defects is as follows: it is very important to design an access and handover authentication method for the satellite network intermittent communication scene, which ensures that the terminal accesses the ground network through the satellite network securely and efficiently, that communication is quickly recovered after the link breaks in a harsh satellite network environment, that service continuity is maintained while the terminal and the satellite move, and that comprehensive, multi-layer and reliable security support is provided for terminal access to the satellite network.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides an access and switching authentication method and system under a satellite network intermittent connection scene.
The invention is realized in this way, a method for authenticating access and switching under the scene of intermittent communication of a satellite network comprises the following steps:
the first step, user registration process;
secondly, an initial access authentication process is carried out;
thirdly, a communication recovery process;
and fourthly, a satellite switching process.
Further, the user registration process of the access and handover authentication method in the satellite network intermittent connectivity scene includes:
(1) the ground control center has a long-term private key x and a random number protection key RK;
(2) the mobile user UE sends a user registration request containing identity information UID to a ground management center NCC through a secure channel;
(3) after receiving the message, the ground control center NCC first generates a random number r, calculates key = h(r, x), and then generates, from the random number and the random number protection key RK,
Figure BDA0002618693800000031
And sends { key, k } to the mobile user UE through the secure channel.
Further, the initial access authentication process of the access and handover authentication method in the satellite network intermittent connectivity scene includes:
(1) when the mobile user UE accesses the satellite network for the first time, since key = h(r, x), the UE generates a random number p and calculates
Figure BDA0002618693800000032
Computing
Figure BDA0002618693800000033
calculates a message authentication code MAC1 = h(UID, p, k, t), where t is the current timestamp, and sends a user access authentication request message containing {TID, k, p, MAC1, t} to the satellite network LEO;
(2) after receiving the message, the satellite network LEO adds the LEOID thereof to the message and then sends the message to the ground control center NCC;
(3) after receiving the message, the ground control center NCC first checks whether t-t0 is within the allowed interval, where t0 is the time at which the NCC receives the message; if it is within the allowed range, the NCC recovers the random number by the exclusive OR operation
Figure BDA0002618693800000034
Computing
Figure BDA0002618693800000035
Then the real identity of the UE is solved by the random numbers r' and p
Figure BDA0002618693800000036
calculates MAC1' = h(UID', p', k, t) and verifies whether it equals the received MAC1; if so, it proceeds to the next step, that is, the NCC generates a random number q, calculates a new key = h(q, x), and a new
Figure BDA0002618693800000037
Computing
Figure BDA0002618693800000038
calculates a message authentication code MAC2 = h(UID, p', k, t2), where t2 is the current timestamp; finally, the NCC sends {Q, MAC2, t2} to the satellite network LEO;
(4) after receiving the information, the satellite network LEO directly forwards the information to the mobile user UE;
(5) after the mobile user UE receives the message, it first checks whether t2-t3 is within the allowed interval, where t3 is the time at which the mobile user UE receives the message; if the time difference is not within the allowed interval, the session is ended; if it is, the following process is performed, i.e. the mobile user UE uses the inverse exclusive OR operation to recover
Figure BDA0002618693800000041
calculates MAC2' = h(UID, p', k, t2) and verifies whether MAC2' agrees with the received MAC2; if not, the session is ended; if so, the session key sk = h(UID, p, k) and the response RES = h(sk, p, k) are calculated and RES is sent to the satellite network LEO; the UE stores key and k for possible re-authentication;
(6) after receiving the information, the satellite network LEO directly forwards the information to a ground control center NCC;
(7) after receiving the message, the ground control center NCC calculates sk = h(UID, p, k) and verifies RES = h(sk, p, k); it ends the session if the verification fails, and sends (TID, sk) to the satellite through a secure channel if the verification succeeds, where sk serves as the session key for the satellite to communicate with the mobile user UE.
Further, the communication recovery process of the access and handover authentication method in the satellite network intermittent connectivity scene includes:
(1) the mobile user UE generates a random number m and calculates
Figure BDA0002618693800000042
and sends a connection recovery request message (TID, M, t1) to the satellite, where t1 is the current timestamp;
(2) after the satellite receives the message, it first checks the validity of t1 and then solves it
Figure BDA0002618693800000043
Then, the satellite generates a random number n, which is calculated
Figure BDA0002618693800000044
and sends N, mac and the current timestamp t2 to the mobile user, where mac = h(TID, m', N, t2);
(3) after receiving the message, the mobile user UE checks the validity of t2, if it is valid, it solves the result
Figure BDA0002618693800000045
and verifies whether the mac is correct; if the verification fails, the session is ended, and if it succeeds, a new session key sk2 = h(TID, m, n') and RES2 = h(sk2, m, n') are calculated and RES2 is sent to the satellite;
(4) after receiving the message, the satellite calculates sk2 = h(TID, m', n) and verifies RES2 = h(sk2, m', n); if the verification fails, the session is ended, otherwise sk2 is used as the new session key for the satellite to communicate with the mobile user.
Further, the satellite switching process of the access and switching authentication method in the satellite network intermittent connectivity scene includes:
(1) when a user terminal UE detects that the original satellite LEO1 is about to leave its receivable signal area, the UE sends a pre-switching request TID and its position information to LEO1; LEO1 decides the next satellite LEO2 that the UE is about to access according to the position information of the UE and the satellite orbit information, and if LEO1 cannot decide the next satellite, LEO1 sends the position information of the UE to the ground control center NCC; the ground control center NCC selects a new access satellite for the UE according to orbit prediction, and sends LEOID2 and the orbit information of the new satellite LEO2 to the original satellite LEO1;
(2) the original satellite LEO1 generates a random number s1 and calculates K1 = h(s1, sk), where sk is the session key with the current satellite, and the original satellite LEO1 sends (TID, K1) to the new satellite LEO2 through a secure channel established in advance between satellites;
(3) after receiving the message, the new satellite LEO2 generates a random number s2, calculates the new session key sk' = h(K1, s2), and sends s2 back to the original satellite LEO1 through the secure channel;
(4) the original satellite LEO1 sends s1 and s2 to the mobile user UE;
(5) upon receiving the message, the mobile user UE calculates sk' = h(h(s1, sk), s2). This sk' serves as the session key for the mobile user UE to communicate with the new satellite LEO2.
It is a further object of the invention to provide a computer device comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, causes the processor to perform the steps of:
generating a temporary identity for the user by using an XOR operation and a hash function, realizing user anonymity;
introducing a timestamp, a message authentication code, a random number and the like to ensure security and to generate and update the session key;
performing rapid access of the terminal at initial network access, rapid recovery of communication after the link between the user and the satellite network is broken, and rapid handover between the terminal and the target satellite.
It is another object of the present invention to provide a computer-readable storage medium storing a computer program which, when executed by a processor, causes the processor to perform the steps of:
generating a temporary identity for the user by using an XOR operation and a hash function, realizing user anonymity;
introducing a timestamp, a message authentication code, a random number and the like to ensure security and to generate and update the session key;
performing rapid access of the terminal at initial network access, rapid recovery of communication after the link between the user and the satellite network is broken, and rapid handover between the terminal and the target satellite.
Another object of the present invention is to provide a network access authentication and seamless handover system for operating the access and handover authentication method in the scenario of intermittent connectivity of the satellite network, wherein the network access authentication and seamless handover system comprises:
the user registration module is used for completing a user registration request;
the initial access module is used for realizing initial access authentication between the ground control center and the mobile user;
the communication recovery module is used for performing quick verification and key agreement after a link break;
and the satellite switching module is used for realizing seamless switching authentication between the mobile user and the satellite node.
Another object of the present invention is to provide a satellite communication network control system, which carries the network access authentication and seamless handover system.
Another object of the present invention is to provide a wireless communication system equipped with the network access authentication and seamless handover system.
By combining all the technical schemes, the invention has the advantages and positive effects that:
aiming at the characteristics of dynamic change of satellite network topology, large satellite-ground time delay, limited satellite-borne resources and the like, the invention designs a safe and efficient initial access authentication scheme of the terminal, only adopts simple hash and XOR operation in cryptography, reduces the interaction times with a ground control center, reduces the calculation overhead and communication overhead in the communication process, and realizes the safe and efficient terminal access authentication process under the condition of ensuring the safety. Meanwhile, replay attack is resisted while bidirectional authentication is achieved by introducing a timestamp, a message authentication code, a random number, RES and the like.
Aiming at the characteristics of communication interruption and the like caused by the unstable satellite network link, the invention designs a rapid communication recovery authentication mechanism, reduces the interaction times with a ground control center based on the existing session key, and ensures that the terminal is safely and rapidly reconnected to access the satellite network.
Aiming at the characteristics of frequent terminal switching caused by high-speed operation of satellite network nodes and the like, the invention designs a terminal seamless safe switching authentication scheme, realizes quick safe switching authentication by utilizing simple random numbers and Hash operation, and reduces the system overhead as much as possible while ensuring the seamless safe switching of the terminal.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed to be used in the embodiments of the present application will be briefly described below, and it is obvious that the drawings described below are only some embodiments of the present application, and it is obvious for those skilled in the art that other drawings can be obtained from the drawings without creative efforts.
Fig. 1 is a flowchart of an access and handover authentication method in a satellite network intermittent connectivity scenario according to an embodiment of the present invention.
Fig. 2 is a schematic structural diagram of a network access authentication and seamless handover system according to an embodiment of the present invention;
in fig. 2: 1. a user registration module; 2. an initial access module; 3. a communication recovery module; 4. and a satellite switching module.
Fig. 3 is a flowchart of a user registration phase provided by an embodiment of the present invention.
Fig. 4 is a flowchart of an initial access phase according to an embodiment of the present invention.
Fig. 5 is a flow chart of a communication recovery phase according to an embodiment of the present invention.
Fig. 6 is a flowchart of a satellite handoff phase according to an embodiment of the invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Aiming at the problems in the prior art, the invention provides an access and handover authentication method and system under a satellite network intermittent connection scene, and the invention is described in detail below with reference to the accompanying drawings.
As shown in fig. 1, the access and handover authentication method under the discontinuous connectivity scenario of the satellite network provided by the present invention includes the following steps:
s101: a user registration process;
s102: an initial access authentication process;
s103: a communication recovery procedure;
s104: a satellite handoff procedure.
The access and switching authentication method under the satellite network intermittent communication scene provided by the invention may also be implemented with other steps by those of ordinary skill in the art.
As shown in fig. 2, the network access authentication and seamless handover system provided by the present invention includes:
and the user registration module 1 is used for completing a user registration request.
And the initial access module 2 is used for realizing initial access authentication between the ground control center and the mobile user.
And the communication recovery module 3 is used for performing quick verification and key agreement after the link is broken.
And the satellite switching module 4 is used for realizing seamless switching authentication between the mobile user and the satellite node.
The technical solution of the present invention is further described below with reference to the accompanying drawings.
The terms used in the present invention mean: UE: user terminal; LEO: satellite network; NCC: ground control center; MAC: message authentication code; RES: authentication response; h(·): hash function; ⊕: exclusive OR operation; ||: concatenation operation.
The access and switching authentication method under the satellite network intermittent communication scene provided by the invention comprises the following steps:
s1, user registration process;
s2, an initial access process;
s3, communication recovery process;
and S4, satellite switching process.
In a preferred embodiment of the present invention, the user registration procedure of step S1 includes:
s11, the ground control center has a long-term private key x and a random number protection key RK;
s12, the mobile user UE sends a user registration request containing the identity information UID to the ground management center NCC through a secure channel;
s13, after receiving the message, the ground control center NCC first generates a random number r, calculates key = h(r, x), and then generates, from the random number and the random number protection key RK,
Figure BDA0002618693800000082
And sends { key, k } to the mobile user UE through the secure channel.
In a preferred embodiment of the present invention, the step S2 of initiating the access procedure includes:
s21, when the UE accesses the satellite network for the first time, since key = h(r, x), the UE generates a random number p and calculates
Figure BDA0002618693800000083
Computing
Figure BDA0002618693800000084
calculates a message authentication code MAC1 = h(UID, P, k, t), where t is the current timestamp, and then sends a user access authentication request message containing {TID, k, P, MAC1, t} to the satellite network LEO;
s22, after receiving the message and attaching the LEOID to the message, the satellite network LEO sends the message to the ground control center NCC;
s23, after the ground control center NCC receives the message, it first checks whether t-t0 is within the allowed interval (where t0 is the time at which the ground control center NCC receives the message); if it is within the allowed range, the NCC recovers the random number by the exclusive OR operation
Figure BDA0002618693800000091
Computing
Figure BDA0002618693800000098
Then the real identity of the UE is solved by the random numbers r' and p
Figure BDA0002618693800000092
calculates MAC1' = h(UID', p', k, t) and verifies whether it equals the received MAC1; if so, it proceeds to the next step, that is, the NCC generates a random number q, calculates a new key = h(q, x), and a new
Figure BDA0002618693800000093
Computing
Figure BDA0002618693800000094
The message authentication code MAC2 = h(UID, p', k, t2) is calculated, where t2 is the current timestamp. Finally, the NCC sends {Q, MAC2, t2} to the satellite network LEO.
S24, after receiving the information, the satellite network LEO directly forwards the information to the mobile user UE.
S25, after the mobile user UE receives the message, it first checks whether t2-t3 is within the allowed interval (where t3 is the time at which the mobile user UE receives the message); if the time difference is not within the allowed interval, the session is ended; if it is, the following process is carried out, i.e. the mobile user UE uses the inverse exclusive OR operation to recover
Figure BDA0002618693800000095
calculates MAC2' = h(UID, p', k, t2), verifies whether MAC2' agrees with the received MAC2, ends the session if not, and if they agree calculates the session key sk = h(UID, p, k) and the response RES = h(sk, p, k) and sends RES to the satellite network LEO. Furthermore, the UE stores key and k for possible re-authentication.
And S26, after receiving the information, the satellite network LEO directly forwards the information to the ground control center NCC.
S27, the ground control center NCC receives the message, calculates sk = h(UID, p, k), and verifies RES = h(sk, p, k). If the verification fails, the session is ended; if it succeeds, (TID, sk) is sent to the satellite through the secure channel. From this point, sk serves as the session key for the satellite to communicate with the mobile user UE.
In a preferred embodiment of the present invention, the communication resuming process of step S3 includes:
s31, the mobile user UE generates a random number m and calculates
Figure BDA0002618693800000096
and sends a connection recovery request message (TID, M, t1) to the satellite, where t1 is the current timestamp;
s32, after the satellite receives the message, firstly checking the validity of t1, and then solving
Figure BDA0002618693800000097
Then, the satellite generates a random number n, which is calculated
Figure BDA0002618693800000101
and sends N, mac and the current timestamp t2 to the mobile user, where mac = h(TID, m', N, t2);
s33, after the mobile user UE receives the message, it checks the validity of t2 and, if valid, recovers
Figure BDA0002618693800000102
and verifies whether the mac is correct. If the verification fails, the session is ended; if it succeeds, a new session key sk2 = h(TID, m, n') and RES2 = h(sk2, m, n') are calculated and RES2 is sent to the satellite;
s34, after receiving the message, the satellite calculates sk2 = h(TID, m', n) and verifies RES2 = h(sk2, m', n). If the verification fails, the session is ended. From this point, sk2 acts as the new session key for the satellite to communicate with the mobile user.
In a preferred embodiment of the present invention, the satellite switching process of step S4 includes:
S41, when the UE detects that the original satellite LEO1 is about to leave its receivable signal area, it sends a pre-handover request containing the TID and the UE's location information to LEO1. LEO1 decides the next satellite LEO2 that the UE will access from the UE's location and the satellite orbit information. If LEO1 cannot decide the next satellite, it sends the UE's location information to the NCC; the ground control center NCC selects a new access satellite for the UE by orbit prediction and sends the LEO ID2 and orbit information of the new satellite LEO2 to the original satellite LEO1;
S42, the original satellite LEO1 then generates a random number s1 and calculates K1 = h(s1, sk), where sk is the session key with the current satellite. LEO1 sends (TID, K1) to the new satellite LEO2 over the secure channel established in advance between satellites;
S43, after receiving the message, the new satellite LEO2 generates a random number s2, calculates the new session key sk' = h(K1, s2), and sends s2 back to the original satellite LEO1 over the secure channel;
S44, the original satellite LEO1 sends s1 and s2 to the mobile user UE;
S45, on receiving the message, the mobile user UE calculates sk' = h(h(s1, sk), s2). This sk' serves as the session key for communication between the mobile user UE and the new satellite LEO2.
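The two NCC-free re-keying procedures above, the communication recovery of steps S31 to S34 and the satellite handover of steps S42 to S45, are modelled below in Python as an added worked example; this is not code from the patent. It keeps the page's formulas (mac = h(TID, m', N, t5), sk2 = h(TID, m, n'), RES2 = h(sk2, m, n'), K1 = h(s1, sk), sk' = h(K1, s2)) and fills the gaps the page leaves open with labelled assumptions: h(·) is instantiated as SHA-256 over length-prefixed inputs, the masking of m and n (given only as equation images in the original) is assumed to be an XOR with a hash of the current session key sk, and the timestamp "validity" check is assumed to be a fixed skew window. The function names, the WINDOW constant and the sample values are this example's own.

```python
import hashlib
import os

WINDOW = 5  # allowed timestamp skew in seconds (assumption: the page only says "valid")


def h(*parts):
    """h(.) of the scheme, instantiated as SHA-256 over length-prefixed parts (assumption)."""
    d = hashlib.sha256()
    for part in parts:
        d.update(len(part).to_bytes(4, "big") + part)
    return d.digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def tb(t):
    """Timestamp as fixed-width bytes so it can be hashed."""
    return int(t).to_bytes(8, "big")


# --- communication recovery, S31 to S34 ---
# Assumption: the random numbers travel masked under the current session key sk,
# M = m xor h(sk, t4) and N = n xor h(sk, m'); the page gives these formulas only as images.

def ue_recovery_request(sk, tid, t4):
    """S31 at the UE: draw m and send (TID, M, t4); m is kept for the later steps."""
    m = os.urandom(32)
    return m, (tid, xor(m, h(sk, tb(t4))), t4)


def sat_recovery_reply(sk, request, now):
    """S32 at the satellite: check t4, unmask m', draw n, answer (N, mac, t5)."""
    tid, M, t4 = request
    if abs(t4 - now) > WINDOW:
        return None
    m = xor(M, h(sk, tb(t4)))
    n = os.urandom(32)
    N = xor(n, h(sk, m))
    t5 = now
    return (m, n), (N, h(tid, m, N, tb(t5)), t5)  # mac = h(TID, m', N, t5)


def ue_recovery_finish(sk, tid, m, reply, now):
    """S33 at the UE: check t5, unmask n', verify mac, derive sk2 and RES2."""
    N, mac, t5 = reply
    if abs(t5 - now) > WINDOW:
        return None
    n = xor(N, h(sk, m))
    if h(tid, m, N, tb(t5)) != mac:  # mac binds the satellite's m'; a key mismatch fails here
        return None
    sk2 = h(tid, m, n)
    return sk2, h(sk2, m, n)  # RES2 = h(sk2, m, n')


def sat_recovery_finish(tid, m, n, res2):
    """S34 at the satellite: sk2 = h(TID, m', n), verify RES2, adopt sk2."""
    sk2 = h(tid, m, n)
    return sk2 if h(sk2, m, n) == res2 else None


def run_recovery(sk_ue, sk_sat, tid, t):
    """Drive one recovery; returns (sk2 at UE, sk2 at satellite) or None if a side aborts."""
    m, req = ue_recovery_request(sk_ue, tid, t)
    out = sat_recovery_reply(sk_sat, req, t)
    if out is None:
        return None
    (m_sat, n), reply = out
    fin = ue_recovery_finish(sk_ue, tid, m, reply, t)
    if fin is None:
        return None
    sk2_ue, res2 = fin
    sk2_sat = sat_recovery_finish(tid, m_sat, n, res2)
    return None if sk2_sat is None else (sk2_ue, sk2_sat)


# --- satellite handover, S42 to S45 ---

def handover(sk):
    """Returns (sk' at the UE, sk' at LEO2, s1, s2); LEO1 also holds sk, s1 and s2."""
    s1 = os.urandom(16)
    K1 = h(s1, sk)             # S42 at LEO1; (TID, K1) goes to LEO2 over the inter-satellite channel
    s2 = os.urandom(16)
    sk_leo2 = h(K1, s2)        # S43 at LEO2; s2 goes back to LEO1
    sk_ue = h(h(s1, sk), s2)   # S45 at the UE, after S44 delivers s1 and s2
    return sk_ue, sk_leo2, s1, s2
```

Two properties worth reading off the code: in recovery, the mac covers the satellite's unmasked m', so a UE and a satellite that do not share the same sk disagree on m and the UE aborts at the mac check before any key is derived; in handover, s1 and s2 are sent to the UE, so the secrecy of sk' rests entirely on sk, and the old satellite LEO1, which holds sk, s1 and s2, can compute sk' as well, which is why the scheme relies on the pre-established secure channel between satellites.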
Security analysis of the invention:
1) Resisting replay attacks: the message {TID, k, P, MAC1, t} sent by the mobile user UE and the message {Q, MAC2, t2} sent by the ground control center NCC carry timestamps, which ensures message freshness. The message authentication codes also cover the timestamp and a random number, so an attacker cannot tamper with them. The invention therefore resists replay attacks.
2) Resisting DoS attacks: in the scheme, the ground control center NCC verifies the identity of the mobile user UE by checking a message authentication code using only XOR and hash operations, without storing a user verification table or other complex state, so the computation and storage cost per request is very small. The invention therefore resists DoS attacks by an attacker.
3) Preventing server impersonation: an attacker posing as the ground control center NCC would have to send a forged {Q, MAC2, t2} to the user. MAC2 is computed from the random number p, which the mobile user UE sent in masked form, and the random number q generated by the NCC, and the attacker cannot obtain the key that masks p. The invention therefore prevents server impersonation.
4) Preventing user impersonation: an attacker posing as a mobile user UE would have to send {TID, k, P, MAC1, t} to the ground control center NCC; without the user identity UID it cannot generate a correct MAC1. The invention therefore prevents user impersonation.
5) User anonymity: in each access authentication the user terminal generates a temporary identity TID = UID ⊕ h(key, t, p), where t is the timestamp and p a freshly generated random number. The TID therefore differs in every authentication, and an attacker cannot learn the real identity UID from it. The invention thus provides user anonymity.
6) Mutual authentication: during initial access the user authenticates the ground control center NCC by verifying the message authentication code MAC2, and the NCC authenticates the user by verifying MAC1 and RES. The invention therefore achieves mutual authentication.
It should be noted that the embodiments of the present invention can be realized by hardware, software, or a combination of both. The hardware portion may be implemented using dedicated logic; the software portion may be stored in a memory and executed by a suitable instruction execution system, such as a microprocessor or specially designed hardware. Those skilled in the art will appreciate that the apparatus and methods described above may be implemented using computer-executable instructions and/or embodied in processor control code, such code being provided on a carrier medium such as a disk, CD- or DVD-ROM, programmable memory such as read-only memory (firmware), or a data carrier such as an optical or electronic signal carrier. The apparatus and its modules may be implemented by hardware circuits such as very large scale integrated circuits or gate arrays, semiconductors such as logic chips and transistors, programmable hardware devices such as field programmable gate arrays and programmable logic devices, by software executed by various types of processors, or by a combination of hardware circuits and software, e.g. firmware.
The above description is only for the purpose of illustrating the present invention and the appended claims are not to be construed as limiting the scope of the invention, which is intended to cover all modifications, equivalents and improvements that are within the spirit and scope of the invention as defined by the appended claims.

Claims (1)

1. An access and switching authentication method for a satellite network intermittent connection scenario, characterized by comprising the following steps:
the first step, user registration process;
secondly, initial access authentication is carried out;
thirdly, a communication recovery process;
fourthly, a satellite switching process is carried out;
the first step of the user registration process comprises:
(1) the ground control center NCC has a long-term private key x and a random number protection key RK;
(2) the mobile user UE sends a user registration request containing identity information UID to a ground control center NCC through a secure channel;
(3) after receiving the message, the ground control center NCC first generates a random number r, calculates key = h(r, x), then derives k from r using the random number protection key RK [equation image in the original, not reproduced], and sends {key, k} to the mobile user UE through a secure channel; h(·) is a hash function;
the second step of initial access authentication comprises:
(1) when the mobile user UE first accesses the satellite network, since key = h(r, x), the UE generates a random number p and calculates the protected random number P and the temporary identity TID [two equation images in the original, not reproduced]; the message authentication code is MAC1 = h(UID, p, k, t), where t is the time at which the UE generates the access authentication request; the user access authentication request message {TID, k, P, MAC1, t} is sent to the satellite LEO1;
(2) after receiving the message, the satellite LEO1 adds its LEO ID to the message and sends the message to the ground control center NCC;
(3) after receiving the message, the ground control center NCC first checks whether t - t0 lies in the allowed interval, where t0 is the time at which the NCC received the message; if so, the NCC recovers the random number r' from k by an XOR operation [equation image in the original, not reproduced], computes the intermediate values [equation image in the original, not reproduced], and then recovers the real identity UID' of the UE from the random numbers r' and p [equation image in the original, not reproduced];
it calculates MAC1' = h(UID', p', k, t) and verifies whether it equals the received MAC1; if so, it proceeds to the next step: the NCC generates a random number q, calculates key* = h(q, x) and a new k* [equation image in the original, not reproduced], computes Q [equation image in the original, not reproduced], and calculates the message authentication code MAC2 = h(UID, p', k*, t2), where t2 is the time at which the NCC generated the reply message; finally, the NCC sends {Q, MAC2, t2} to the satellite LEO1;
(4) after receiving the information, satellite LEO1 directly forwards the information to mobile user UE;
(5) after receiving the message, the mobile user UE first checks whether t2 - t3 lies in the allowed interval, where t3 is the time at which the UE received the message; if the time difference is not within the allowed interval, the session is ended; if it is, the UE recovers the contents of Q by the inverse XOR operation [equation image in the original, not reproduced], computes MAC2' = h(UID, p', k*, t2) and checks whether MAC2' equals the received MAC2; if not, the session is ended; if so, the UE calculates the session key sk = h(UID, p, k) and the response RES = h(sk, p, k), sends RES to the satellite LEO1, and stores key, k for re-authentication;
(6) after receiving the information, the satellite LEO1 directly forwards the information to the ground control center NCC;
(7) after receiving the message, the ground control center NCC calculates sk = h(UID, p, k) and verifies RES = h(sk, p, k); it ends the session if the verification fails and otherwise sends (TID, sk) to the satellite LEO1 through the secure channel; sk then serves as the session key for the satellite LEO1 to communicate with the mobile user UE;
the communication recovery process of the third step includes:
(1) the mobile user UE generates a random number m, calculates M [equation image in the original, not reproduced], and sends the connection recovery request message (TID, M, t4) to the satellite, where t4 is the time at which the UE generates the connection recovery request;
(2) after receiving the message, the satellite first checks the validity of t4 and then recovers m' [equation image in the original, not reproduced]; the satellite then generates a random number n, calculates N [equation image in the original, not reproduced] and MAC = h(TID, m', N, t5), and sends N, MAC and t5 to the mobile user UE, where t5 is the time at which the satellite generated the reply message;
(3) after receiving the message, the mobile user UE checks the validity of t5; if it is valid, the UE recovers n' and recomputes the MAC [equation images in the original, not reproduced] and verifies whether the MAC is correct; if the verification fails, the session is ended; if it succeeds, the UE calculates the new session key sk2 = h(TID, m, n') and RES2 = h(sk2, m, n') and sends RES2 to the satellite;
(4) after receiving the message, the satellite calculates sk2 = h(TID, m', n) and verifies RES2 = h(sk2, m', n); if the verification fails, the session is ended, otherwise sk2 is used as the new session key for the satellite to communicate with the mobile user;
the satellite switching process of the fourth step includes:
(1) when the user terminal UE detects that the original satellite LEO1 is about to leave its receivable signal area, the UE sends a pre-switching request to LEO1 containing the TID and the location information of the UE; LEO1 decides the next satellite LEO2 that the UE will access from the UE's location information and the satellite orbit information, and if LEO1 cannot decide the next satellite, it sends the UE's location information to the ground control center NCC; the NCC selects a new access satellite for the UE by orbit prediction and sends the LEO ID2 and orbit information of the new satellite LEO2 to the original satellite LEO1;
(2) the original satellite LEO1 generates a random number s1 and calculates K1 = h(s1, sk), where sk is the session key with the current satellite, and the original satellite LEO1 sends (TID, K1) to the new satellite LEO2 through the secure channel established in advance between satellites;
(3) after receiving the message, the new satellite LEO2 generates a random number s2, calculates the new session key sk' = h(K1, s2), and sends s2 back to the original satellite LEO1 through the secure channel;
(4) the original satellite LEO1 sends s1 and s2 to the mobile user UE;
(5) after receiving the message, the mobile user UE calculates sk' = h(h(s1, sk), s2), which serves as the session key for the mobile user UE to communicate with the new satellite LEO2.
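The registration and initial access authentication of the first and second claim steps, modelled in Python as an added worked example that is not part of the patent. It keeps the page's own definitions (key = h(r, x), MAC1 = h(UID, p, k, t), MAC2 = h(UID, p', k*, t2), sk = h(UID, p, k), RES = h(sk, p, k), TID = UID ⊕ h(key, t, p), the timestamp window checks at the NCC and the UE, and a stateless NCC that holds only x and RK) and fills the formulas the page gives only as equation images with labelled assumptions: h(·) is SHA-256 over length-prefixed inputs, k = r ⊕ h(RK) and k* = q ⊕ h(RK), P = p ⊕ h(key, t), and Q masks key*‖k* under h(key', p'). The LEO1 relay (which only appends its LEO ID) is left out, the 5-second WINDOW, the class and method names and the 32-byte identity encoding are this example's own.

```python
import hashlib
import os

WINDOW = 5  # allowed |t - t0| in seconds (assumption: the claim only says "an allowed interval")


def h(*parts):
    """h(.) of the claim, instantiated as SHA-256 over length-prefixed parts (assumption)."""
    d = hashlib.sha256()
    for part in parts:
        d.update(len(part).to_bytes(4, "big") + part)
    return d.digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def tb(t):
    return int(t).to_bytes(8, "big")


class NCC:
    """Ground control center: holds x and RK only, no per-user verification table."""

    def __init__(self):
        self.x = os.urandom(32)    # long-term private key x
        self.RK = os.urandom(32)   # random-number protection key RK
        self.pending = {}          # per-session state between message 2 and message 3

    def register(self, uid):
        """First step, over a secure channel: key = h(r, x); k masks r under RK (assumption)."""
        r = os.urandom(32)
        return h(r, self.x), xor(r, h(self.RK))

    def handle_access(self, msg, t0):
        """Second step (3): t0 is the NCC receive time."""
        tid, k, P, mac1, t = msg
        if abs(t - t0) > WINDOW:
            return None
        r = xor(k, h(self.RK))                 # r' by XOR (assumed masking)
        key = h(r, self.x)                     # key' = h(r', x)
        p = xor(P, h(key, tb(t)))              # p' (assumption: P = p xor h(key, t))
        uid = xor(tid, h(key, tb(t), p))       # UID' = TID xor h(key', t, p')
        if h(uid, p, k, tb(t)) != mac1:        # MAC1' = h(UID', p', k, t)
            return None
        q = os.urandom(32)
        key_new, k_new = h(q, self.x), xor(q, h(self.RK))   # key* = h(q, x), new k*
        mask = h(key, p, b"Q1") + h(key, p, b"Q2")          # assumption: Q masked under (key', p')
        Q = xor(key_new + k_new, mask)
        t2 = t0
        self.pending[tid] = (uid, p, k)
        return Q, h(uid, p, k_new, tb(t2)), t2             # MAC2 = h(UID, p', k*, t2)

    def handle_res(self, tid, res):
        """Second step (7): sk = h(UID, p, k), verify RES; (TID, sk) then goes to LEO1."""
        state = self.pending.pop(tid, None)
        if state is None:
            return None
        uid, p, k = state
        sk = h(uid, p, k)
        return sk if h(sk, p, k) == res else None


class UE:
    def __init__(self, uid, key, k):
        self.uid, self.key, self.k = uid, key, k

    def access_request(self, t):
        """Second step (1): {TID, k, P, MAC1, t}."""
        self.p = os.urandom(32)
        P = xor(self.p, h(self.key, tb(t)))
        tid = xor(self.uid, h(self.key, tb(t), self.p))     # TID = UID xor h(key, t, p)
        return tid, self.k, P, h(self.uid, self.p, self.k, tb(t)), t

    def handle_reply(self, reply, t3):
        """Second step (5): t3 is the UE receive time; returns (RES, sk) and rotates key, k."""
        Q, mac2, t2 = reply
        if abs(t2 - t3) > WINDOW:
            return None
        cred = xor(Q, h(self.key, self.p, b"Q1") + h(self.key, self.p, b"Q2"))
        key_new, k_new = cred[:32], cred[32:]
        if h(self.uid, self.p, k_new, tb(t2)) != mac2:      # MAC2' check
            return None
        sk = h(self.uid, self.p, self.k)
        res = h(sk, self.p, self.k)
        self.key, self.k = key_new, k_new                   # stored for re-authentication
        return res, sk


def run_access(ncc, ue, t):
    """One full run at time t; returns (TID, sk at UE, sk at NCC) or None if a side aborts."""
    msg = ue.access_request(t)
    reply = ncc.handle_access(msg, t)
    if reply is None:
        return None
    out = ue.handle_reply(reply, t)
    if out is None:
        return None
    res, sk_ue = out
    sk_ncc = ncc.handle_res(msg[0], res)
    return None if sk_ncc is None else (msg[0], sk_ue, sk_ncc)
```

Running two consecutive accesses for the same user shows the properties the security analysis claims: both sides end with the same sk, the TID differs between runs, the UE's (key, k) pair is rotated to (key*, k*) after each run, a request presented outside the timestamp window or with a modified MAC1 is dropped before any reply is generated, and a requester that knows the UID but not the registered (key, k) pair fails the MAC1 check.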
CN202010776718.5A 2020-08-05 2020-08-05 Access and switching authentication method and system under satellite network intermittent communication scene Active CN112087750B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010776718.5A CN112087750B (en) 2020-08-05 2020-08-05 Access and switching authentication method and system under satellite network intermittent communication scene

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010776718.5A CN112087750B (en) 2020-08-05 2020-08-05 Access and switching authentication method and system under satellite network intermittent communication scene

Publications (2)

Publication Number Publication Date
CN112087750A CN112087750A (en) 2020-12-15
CN112087750B true CN112087750B (en) 2021-12-03

Family

ID=73735628

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010776718.5A Active CN112087750B (en) 2020-08-05 2020-08-05 Access and switching authentication method and system under satellite network intermittent communication scene

Country Status (1)

Country Link
CN (1) CN112087750B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112615721B (en) * 2020-12-18 2022-12-06 江苏省未来网络创新研究院 Access authentication and authority management control flow method of spatial information network based on block chain
CN112564775B (en) * 2020-12-18 2023-04-07 江苏省未来网络创新研究院 Spatial information network access control system and authentication method based on block chain
CN113068187B (en) * 2021-02-20 2022-03-11 西安电子科技大学 Unmanned aerial vehicle-assisted terminal access authentication method, system, equipment and application
CN113079016B (en) * 2021-03-23 2022-01-21 中国人民解放军国防科技大学 Identity-based authentication method facing space-based network
CN114466359B (en) * 2022-01-07 2024-03-01 中国电子科技集团公司电子科学研究院 Distributed user authentication system and authentication method suitable for low orbit satellite network
CN114172669B (en) * 2022-02-15 2022-05-03 之江实验室 Two-stage security access authentication method fusing space-time characteristics in satellite-ground communication
CN114828005A (en) * 2022-05-24 2022-07-29 西安电子科技大学 Enhanced inter-satellite networking authentication method based on location key
CN117278109B (en) * 2023-11-20 2024-03-01 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) Satellite in-orbit security anomaly identification method, system and computer readable storage medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107979408A (en) * 2017-12-08 2018-05-01 北京理工大学 A kind of high rail Satellite Networking certification and credible holding agreement

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5842125A (en) * 1995-11-30 1998-11-24 Amsc Subsidiary Corporation Network control center for satellite communication system
CN104038937A (en) * 2014-06-24 2014-09-10 中国科学院软件研究所 Network access authentication method applicable to satellite mobile communication network
CN109039436B (en) * 2018-10-23 2020-09-15 中国科学院信息工程研究所 Method and system for satellite security access authentication
CN110971415B (en) * 2019-12-13 2022-05-10 重庆邮电大学 Space-ground integrated space information network anonymous access authentication method and system


Also Published As

Publication number Publication date
CN112087750A (en) 2020-12-15

Similar Documents

Publication Publication Date Title
CN112087750B (en) Access and switching authentication method and system under satellite network intermittent communication scene
Yang et al. Efficient handover authentication with user anonymity and untraceability for mobile cloud computing
CN109547213B (en) Inter-satellite networking authentication system and method suitable for low-earth-orbit satellite network
Jiang et al. Security in space information networks
KR101124190B1 (en) A method and apparatus for new key derivation upon handoff in wireless networks
US20030026220A1 (en) System and related methods to facilitate delivery of enhanced data services in a mobile wireless communications environment
US20140053241A1 (en) Authenticating a Device in a Network
CN112332900B (en) Low-orbit satellite communication network rapid switching authentication method
CN112564775B (en) Spatial information network access control system and authentication method based on block chain
CN110035037A (en) Safety certifying method, relevant device and system
CN112235792B (en) Multi-type terminal access and switching authentication method, system, equipment and application
CN112953726A (en) Method, system and application for fusing dual-layer satellite network satellite-ground and inter-satellite networking authentication
Liu et al. A secure and efficient authentication protocol for satellite-terrestrial networks
Wei et al. BAVP: blockchain-based access verification protocol in LEO constellation using IBE keys
KR20080019978A (en) Dual authentication method in mobile networks
CN106507355B (en) A kind of the PMIPv6 Verification System and method of identity-based allograph
Huang et al. A fast authentication scheme for WiMAX–WLAN vertical handover
CN114173342B (en) Common identification authentication method for LEO low orbit satellite network
CN114679303B (en) Source address verification method and device for satellite Internet
CN105472609A (en) Switching authentication mechanism based on safety interconnection under aviation communication NEMO network
Lin et al. A fast iterative localized re-authentication protocol for heterogeneous mobile networks
CN112653506B (en) Block chain-based handover flow method for spatial information network
Wang et al. A lightweight and secure authentication protocol for space-ground integrated network of railway
You et al. ESS-FH: Enhanced security scheme for fast handover in hierarchical mobile IPv6
CN110062427B (en) Trusted service management method and device supporting wireless network switching and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant