CN112235799A - Network access authentication method and system for terminal equipment - Google Patents


Info

Publication number: CN112235799A
Authority: CN (China)
Prior art keywords: authentication; authentication request; network; request information; terminal
Legal status: Granted (currently Active)
Application number: CN202011099106.3A
Other languages: Chinese (zh)
Other versions: CN112235799B (en)
Inventors: 汪洋, 胡悦, 王智慧, 丁慧霞, 吴赛, 孟萨出拉, 段钧宝, 杨德龙, 马宝娟
Current assignee: China Electric Power Research Institute Co Ltd (CEPRI)
Original assignee: China Electric Power Research Institute Co Ltd (CEPRI)
Application filed by China Electric Power Research Institute Co Ltd (CEPRI); priority to CN202011099106.3A; published as CN112235799A; application granted and published as CN112235799B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication

Abstract

The invention belongs to the technical field of communication, and discloses a network access authentication method and a network access authentication system for terminal equipment, which comprise the following steps: sending first authentication request information to a network terminal, wherein the first authentication request information comprises a root key and is used for triggering the network terminal to send authentication request feedback information; receiving and responding to authentication request feedback information returned by the network terminal, and sending second authentication request information to the network terminal, wherein the second authentication request information comprises an updated root key; and performing network access authentication of the terminal equipment through a preset authentication flow, wherein the updated root key is adopted to replace the root key in the authentication flow. The method solves the defect of low security of mutual authentication between the terminal equipment and the network, and enhances the security of network access authentication of the terminal equipment by modifying the root key.

Description

Network access authentication method and system for terminal equipment
Technical Field
The invention belongs to the technical field of communication, and relates to a network access authentication method and system for terminal equipment.
Background
With the continuous development of 5G communication technology and its deep integration with Internet of Things technology, the arrival of the user-centred era of universal interconnection places higher demands on network security. With the development of technology and the demand from diverse mobile intelligent terminal devices, the eSIM will gradually replace the traditional physical SIM card, so that a mobile terminal can connect to the cellular network without a pluggable SIM card. The 3rd Generation Partnership Project (3GPP) standard TS 33.501 defines the 5G Authentication and Key Agreement protocol (5G AKA) for authentication between a terminal and the network.
At present, mutual authentication between the terminal and the network relies mainly on a root key K stored in the subscriber's SIM card, from which the session keys are derived. The security assumption is that the root key K is known to nobody but the network operator. However, the root key K may well have been compromised already during the production phase of the SIM card, so this security assumption is not reliable. A passive attacker can use a session key derived from the root key K to eavesdrop on the communication and the messages exchanged between the terminal and the network. An active attacker may exploit a large number of stolen root keys to forge a base station and launch attacks.
As the state of the art advances, brute-force attacks on the value of the root key K can also break the eSIM. The security of the root key K in existing eSIMs is therefore low, the security of mutual authentication between the terminal device and the network is low, and access by illegal terminals and malicious tampering with the software and hardware of the terminal can easily occur.
Disclosure of Invention
The invention aims to overcome the defect of low security of mutual authentication between terminal equipment and a network in the prior art, and provides a network access authentication method and system for the terminal equipment.
In order to achieve the purpose, the invention adopts the following technical scheme to realize the purpose:
in a first aspect of the present invention, a method for authenticating a terminal device accessing a network includes the following steps:
sending first authentication request information to a network end, wherein the first authentication request information is used for triggering the network end to send authentication request feedback information, and the first authentication request information comprises a root key used for authentication;
receiving and responding to authentication request feedback information returned by the network terminal, and sending second authentication request information to the network terminal, wherein the second authentication request information comprises an updated root key;
and performing network access authentication of the terminal equipment through a preset authentication flow, wherein the updated root key is adopted to replace the root key in the authentication flow.
The invention further improves the network access authentication method of the terminal equipment, which comprises the following steps:
the updated root key is randomly generated according to the format requirements of the root key.
Alternatively, the updated root key is obtained by calculating a preset hash algorithm over the root key.
The second authentication request information is sent within the preset time after the authentication request feedback information returned by the network terminal is received; otherwise, authentication fails.
The authentication process is a 5G AKA authentication process or an EAP-AKA' authentication process.
In a second aspect of the present invention, a method for authenticating network access of a terminal device is characterized by comprising the following steps:
sending first authentication request information to a network end, wherein the first authentication request information is used for triggering the network end to send authentication request feedback information, and the first authentication request information comprises a root key used for authentication;
receiving and responding to authentication request feedback information returned by the network terminal, and sending second authentication request information to the network terminal, wherein the second authentication request information comprises an updated key exchange constant;
and performing network access authentication of the terminal equipment through a preset authentication flow, wherein the key exchange constant in the authentication flow is replaced by the updated key exchange constant.
The invention further improves the network access authentication method of the terminal equipment, which comprises the following steps:
the updated key exchange constant is set and stored based on the type of the terminal equipment.
In a third aspect of the present invention, a network access authentication method for a terminal device includes the following steps:
sending first authentication request information to a network end, wherein the first authentication request information is used for triggering the network end to send authentication request feedback information, and the first authentication request information comprises a root key used for authentication;
receiving and responding to authentication request feedback information returned by the network terminal, and sending second authentication request information to the network terminal, wherein the second authentication request information comprises an updated root key and an updated key exchange constant;
and performing network access authentication on the terminal equipment through a preset authentication flow, wherein the root key in the authentication flow is replaced by the updated root key, and the key exchange constant in the authentication flow is replaced by the updated key exchange constant.
In a fourth aspect of the present invention, a network access authentication system for a terminal device includes:
the first authentication request module is used for sending first authentication request information to the network terminal, wherein the first authentication request information is used for triggering the network terminal to send authentication request feedback information, and the first authentication request information comprises a root key used for authentication;
the second authentication request module is used for receiving authentication request feedback information returned by the network terminal and sending second authentication request information to the network terminal, wherein the second authentication request information comprises an updated root key; and the network access authentication module is used for performing network access authentication on the terminal equipment through a preset authentication process, wherein the updated root key is adopted to replace the root key in the authentication process.
In a fifth aspect of the present invention, a network access authentication system for a terminal device includes:
the first authentication request module is used for sending first authentication request information to the network terminal, wherein the first authentication request information is used for triggering the network terminal to send authentication request feedback information, and the first authentication request information comprises a root key used for authentication;
the second authentication request module is used for receiving and responding to authentication request feedback information returned by the network terminal and sending second authentication request information to the network terminal, wherein the second authentication request information comprises an updated key exchange constant;
and the network access authentication module is used for performing network access authentication on the terminal equipment through a preset authentication flow, wherein the key exchange constant in the authentication flow is replaced by the updated key exchange constant.
Compared with the prior art, the invention has the following beneficial effects:
the invention discloses a network access authentication method for terminal equipment that addresses the problem that the root key is easily stolen, which leaves the mutual authentication between the terminal equipment and the network insufficiently secure. Second authentication request information containing an updated root key is sent to the network side; that is, the root key is actively modified at the terminal device and sent to the network side, and the subsequent authentication process uses the updated root key. An attacker is thereby effectively prevented from authenticating with a stolen root key, and the security characteristics of the network are improved. Only the terminal device and the network side need to change, few network elements are involved, and the implementation difficulty is low; because the improvement starts from the root key, the security of key derivation at every level is improved, and the security of the whole authentication process is further ensured.
According to the network access authentication method of the terminal equipment, the key exchange constants used in the authentication process are modified, so that different key exchange constants are used to calculate the derived keys at each level during authentication. Even if the root key of the terminal device is leaked, an attacker who does not know exactly how the key exchange constants were updated still cannot complete correct network access authentication of the terminal device, which effectively improves the security of network access authentication. Meanwhile, although the operation involves several network elements in the device terminal, the access network and the core network, the calculation flow of the key derivation algorithm does not need to be modified; only the key exchange constant entering the calculation is changed, so the risk on the terminal device side is effectively reduced and implementation is convenient.
Drawings
Fig. 1 is a block diagram of a flow of a network access authentication method of a terminal device according to an embodiment of the present invention;
fig. 2 is a block diagram of a 5G AKA authentication procedure according to an embodiment of the present invention;
FIG. 3 is a block diagram of the EAP-AKA' authentication process according to an embodiment of the present invention;
fig. 4 is a flowchart of a network access authentication method for a terminal device according to another embodiment of the present invention;
FIG. 5 is a block diagram of a key derivation process according to an embodiment of the invention;
fig. 6 is a flowchart of a network access authentication method for a terminal device according to still another embodiment of the present invention;
fig. 7 is a block diagram of a network access authentication system of a terminal device according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The invention is described in further detail below with reference to the accompanying drawings:
Referring to fig. 1, in an embodiment of the present invention, a method for authenticating a terminal device accessing a network is provided, in which the root key of the terminal device is changed by generating an updated root key, so as to solve the authentication security problem caused by the root key being easily stolen, effectively prevent access by illegal terminal devices and malicious tampering with the software and hardware of the terminal device, and improve the security of the network. Specifically, the network access authentication method for the terminal equipment comprises the following steps:
S11: sending first authentication request information to the network terminal, wherein the first authentication request information is used for triggering the network terminal to send authentication request feedback information, and the first authentication request information comprises a root key for authentication.
Specifically, when it needs to access the network, the terminal device sends a first authentication request message to the network side to notify the network that the current terminal device requests access. Generally, the first authentication request message includes a root key, which can be used to characterise the identity of the terminal device; in the traditional authentication method, network access authentication is implemented in the Home operator (Home PLMN) and the Visited operator (Visited PLMN) on the network side using the root key. In this embodiment, the root key is used as the identity: the network side receives the root key and determines on that basis whether to perform subsequent authentication. The first authentication request message may also include the subscriber identifier (SUPI) of the current terminal device, in which case the network can determine whether the current terminal device proceeds to subsequent authentication according to the combination of the subscriber identifier and the root key.
The first authentication request information is used to trigger the network side to send authentication request feedback information: when the network side detects that it has the same root key stored, it sends the authentication request feedback information to the terminal device.
S12: and receiving and responding to authentication request feedback information returned by the network terminal, and sending second authentication request information to the network terminal, wherein the second authentication request information comprises an updated root key.
Specifically, after receiving the authentication request feedback information returned by the network side, the terminal device sends the updated root key to the network side in the form of second authentication request information, so as to negotiate with the network side and indicate that it expects the updated root key to be used for the authentication process.
Preferably, the updated root key is randomly generated according to the format requirement of the root key. With random generation, only the format requirement constrains the key; its content is flexible and variable, the uncertainty of the updated root key increases, and cracking becomes correspondingly harder.
Preferably, the updated root key may also be calculated from the root key by a preset hash algorithm. A hash algorithm maps a binary value of arbitrary length to a shorter binary value of fixed length, called the hash value. The hash value is a unique and extremely compact representation of a piece of data: if a piece of plaintext is hashed and even one character of it is altered, the subsequent hash produces a different value, and it is computationally infeasible to find two different inputs that hash to the same value, so the hash value of data can be used to verify its integrity; hash functions are typically used in fast lookup and in encryption algorithms.
The updated root key is generated based on the hash algorithm; for example, the hash operation is implemented by a program on the terminal device eSIM, and the root key is updated automatically.
Preferably, the second authentication request message is sent within a preset time after the authentication request feedback message returned by the network side is received; otherwise, authentication fails. With this preset time limit the network side does not wait indefinitely for the second authentication request information: if the terminal device does not send the second authentication request information to the network side within the specified preset time, that is, the network side does not receive it within that time, the authentication fails.
S13: and performing network access authentication of the terminal equipment through a preset authentication flow, wherein the updated root key is adopted to replace the root key in the authentication flow.
Specifically, in this embodiment the authentication procedure may be a 5G AKA (5G Authentication and Key Agreement) authentication procedure or an EAP-AKA' (Extensible Authentication Protocol method for 3rd Generation Authentication and Key Agreement) authentication procedure. Both are described in detail in 3GPP TS 33.501, and authentication is performed according to the 5G AKA or EAP-AKA' procedure described there. In this embodiment, fig. 2 shows the specific 5G AKA authentication procedure, where UE is the user equipment, SEAF (Security Anchor Function) is the security anchor function and AUSF (Authentication Server Function) is the authentication server function; fig. 3 shows the specific EAP-AKA' authentication procedure.
In this embodiment, a 5G AKA authentication procedure or an EAP-AKA' authentication procedure is used as a basis, but different from this, a root key used in the authentication procedure is replaced with an updated root key, and the network and the terminal device perform the entire authentication procedure based on the updated root key.
In summary, in the network access authentication method for the terminal device in this embodiment, to solve the problem that the root key is easily stolen, and thus the security of mutual authentication between the terminal device and the network is not high, the second authentication request information is sent to the network, where the second authentication request information includes an updated root key, that is, the root key is actively modified at the terminal device and sent to the network, and the subsequent authentication process is performed by using the updated root key, so that an attacker is effectively prevented from using the stolen root key for authentication, and the purpose of improving the network security characteristics is achieved.
Referring to fig. 4, in yet another embodiment of the present invention, a method for authenticating network access of a terminal device is provided, which includes the following steps.
S21: and sending first authentication request information to the network terminal, wherein the first authentication request information is used for triggering the network terminal to send authentication request feedback information, and the first authentication request information comprises a root key for authentication.
S22: and receiving and responding to authentication request feedback information returned by the network terminal, and sending second authentication request information to the network terminal, wherein the second authentication request information comprises an updated key exchange constant.
S23: and performing network access authentication of the terminal equipment through a preset authentication flow, wherein the key exchange constant in the authentication flow is replaced by the updated key exchange constant.
Compared with the previous embodiment, the network access authentication method of this embodiment differs in that the value of the root key is not modified; instead, the key exchange constant used in the authentication process is modified. The procedure of the previous embodiment is otherwise retained: the device terminal sends the second authentication request message to the network side, but the second authentication request message contains the updated key exchange constant, and the updated key exchange constant replaces the key exchange constant in the authentication process. Likewise, the authentication process may be a 5G AKA authentication process or an EAP-AKA' authentication process.
The updated key exchange constant is set manually in advance according to a specific rule and stored in the terminal. According to 3GPP TS 33.501 and 3GPP TS 33.220, the input parameters of the key derivation function (KDF) are octet strings, and the length of a single input parameter does not exceed 65535 octets. Referring to fig. 5, the key derivation process by which the root key is expanded into the network element keys at the different levels is shown, where:
    • CK is the ciphering key and IK the integrity key, the keys the terminal device uses to compute the consistency check with the network side;
    • K_AUSF is a key derived from CK', IK' by the ME and AUSF in the case of EAP-AKA', where CK' and IK' are received by the AUSF as part of the transformed AV from the ARPF; or derived from CK, IK by the ME and ARPF in the case of 5G AKA, where K_AUSF is received by the AUSF as part of the 5G HE AV from the ARPF;
    • K_SEAF is the anchor key derived by the ME and AUSF from K_AUSF; K_SEAF is provided by the AUSF to the SEAF of the serving network;
    • K_AMF is a key derived by the ME and SEAF from K_SEAF; when horizontal key derivation is performed, K_AMF is further derived by the ME and the source AMF;
    • K_NASint is a key derived by the ME and AMF (Access and Mobility Management Function) from K_AMF, used only to protect NAS signalling with a specific integrity algorithm;
    • K_NASenc is a key derived by the ME and AMF from K_AMF, used only to protect NAS signalling with a specific ciphering algorithm;
    • K_gNB is a key derived by the ME and AMF from K_AMF; when horizontal or vertical key derivation is performed, K_gNB is further derived by the ME and the source gNB; K_gNB also serves as K_ng-eNB between the ME and an ng-eNB;
    • K_UPenc is a key derived by the ME and gNB from K_gNB, used only to protect UP traffic with a specific ciphering algorithm;
    • K_UPint is a key derived by the ME and gNB from K_gNB, used only to protect UP traffic between the ME and gNB with a specific integrity algorithm;
    • K_RRCint is a key derived by the ME and gNB from K_gNB, used only to protect RRC signalling with a specific integrity algorithm;
    • K_RRCenc is a key derived by the ME and gNB from K_gNB, used only to protect RRC signalling with a specific ciphering algorithm;
    • NH is a key derived by the ME and AMF;
    • K_N3IWF is a key derived by the ME and AMF from K_AMF for non-3GPP access.
In the key derivation process, the key exchange constant FC that enters the calculation of the key derivation algorithm takes values in the range 0x69 to 0x76 in 3GPP TS 33.501, as shown in Table 1.
Table 1: comparison table of updated key exchange constants and key exchange constants (provided as an image in the original; not reproduced here)
Here XX is a placeholder, meaning that any value in the range 0x69 to 0x76 may be taken; the value may be chosen at random or according to another preset rule.
Preferably, the updated key exchange constant is set and stored according to the type of the terminal device. Given the correspondence between terminal device type and updated key exchange constant, the type of the terminal device currently being authenticated can be determined on the network side, which facilitates dedicated management.
In summary, in the network access authentication method for the terminal device in this embodiment, the key exchange constant in the authentication process is modified, so that different key exchange constants are used to calculate the derived keys at each level during authentication. With this setting, even if the root key of the terminal device is leaked, an attacker who does not know exactly how the key exchange constant was updated still cannot achieve correct network access authentication of the terminal device, which effectively improves the security of network access authentication. Meanwhile, although the operation involves several network elements in the device terminal, the access network and the core network, the calculation flow of the key derivation algorithm does not need to be modified; only the key exchange constant entering the calculation is changed, so the risk on the terminal device side is effectively reduced and implementation is convenient.
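As an added example (not from the patent, and not a 3GPP implementation), the following Python models the K_AUSF -> K_SEAF -> K_AMF part of the key hierarchy described above using the generic KDF of TS 33.220 Annex B.2, and shows the effect of the two changes the patent describes: the hash-updated root key of the first embodiment and the updated key exchange constant FC of this embodiment. The CK/IK stand-in, the choice of SHA-256 for the root-key update and all sample values are constructed for the example.

```python
"""Added example (not from the patent or from 3GPP): models the standard 5G
key-derivation chain K_AUSF -> K_SEAF -> K_AMF and the two changes the patent
proposes on top of it: replacing the root key K with a hash-derived updated
root key, and replacing the key exchange constant FC that enters the KDF."""
import hashlib
import hmac

# FC values that TS 33.501 Annex A assigns to these derivations (all inside
# the 0x69..0x76 range the patent quotes).
FC_K_AUSF = 0x6A
FC_K_SEAF = 0x6C
FC_K_AMF = 0x6D


def kdf_input_string(fc: int, *params: bytes) -> bytes:
    """S = FC || P0 || L0 || P1 || L1 || ... per TS 33.220 Annex B.2, where
    each Li is the 2-octet big-endian length of Pi (at most 65535 octets)."""
    if not 0 <= fc <= 0xFF:
        raise ValueError("FC must be a single octet")
    s = bytes([fc])
    for p in params:
        if len(p) > 0xFFFF:
            raise ValueError("KDF input parameter longer than 65535 octets")
        s += p + len(p).to_bytes(2, "big")
    return s


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256(key, S), 256-bit output."""
    return hmac.new(key, kdf_input_string(fc, *params), hashlib.sha256).digest()


def fc_in_patent_range(fc: int) -> bool:
    """The patent allows an updated FC only in 0x69..0x76."""
    return 0x69 <= fc <= 0x76


def ck_ik_stand_in(root_key: bytes):
    """CONSTRUCTED stand-in for Milenage/TUAK f3/f4: 128-bit CK and IK from K.
    Real 5G AKA uses AES-based functions here; any keyed PRF shows the point
    that every key below depends on K."""
    return kdf(root_key, 0x00, b"CK")[:16], kdf(root_key, 0x00, b"IK")[:16]


def derive_anchor_chain(root_key, sn_name, sqn_xor_ak, supi, abba, fc_map=None):
    """Derive K_AUSF (TS 33.501 A.2), K_SEAF (A.6) and K_AMF (A.7).
    fc_map optionally overrides the FC of a level, which is how the patent's
    'updated key exchange constant' is applied; a different FC at one level
    changes that key and every key derived below it."""
    fc_map = fc_map or {}
    for fc in fc_map.values():
        if not fc_in_patent_range(fc):
            raise ValueError("updated FC outside 0x69..0x76")
    ck, ik = ck_ik_stand_in(root_key)
    # K_AUSF: key = CK || IK, P0 = serving network name, P1 = SQN xor AK
    k_ausf = kdf(ck + ik, fc_map.get("K_AUSF", FC_K_AUSF), sn_name, sqn_xor_ak)
    # K_SEAF: P0 = serving network name
    k_seaf = kdf(k_ausf, fc_map.get("K_SEAF", FC_K_SEAF), sn_name)
    # K_AMF: P0 = SUPI, P1 = ABBA
    k_amf = kdf(k_seaf, fc_map.get("K_AMF", FC_K_AMF), supi, abba)
    return {"K_AUSF": k_ausf, "K_SEAF": k_seaf, "K_AMF": k_amf}


def updated_root_key(root_key: bytes) -> bytes:
    """Patent option 2: updated K = preset hash of the old K.  ASSUMPTION:
    SHA-256 truncated to the 128-bit root-key format (the patent does not
    name the hash).  Terminal and UDM/ARPF must apply the same function."""
    return hashlib.sha256(root_key).digest()[:16]


# Constructed sample values (not real subscriber or operator data).
SAMPLE_K = bytes(range(16))
SAMPLE_SN_NAME = b"5G:mnc000.mcc001.3gppnetwork.org"
SAMPLE_SQN_XOR_AK = bytes.fromhex("000102030405")
SAMPLE_SUPI = b"imsi-001000123456789"
SAMPLE_ABBA = b"\x00\x00"


def demo():
    """Three runs: the unmodified chain (what a holder of the leaked K can
    reproduce), the chain after the root-key update, and the chain with an
    updated FC at the K_AUSF level."""
    args = (SAMPLE_SN_NAME, SAMPLE_SQN_XOR_AK, SAMPLE_SUPI, SAMPLE_ABBA)
    return {
        "leaked_k": derive_anchor_chain(SAMPLE_K, *args),
        "updated_k": derive_anchor_chain(updated_root_key(SAMPLE_K), *args),
        "updated_fc": derive_anchor_chain(SAMPLE_K, *args, fc_map={"K_AUSF": 0x70}),
    }


if __name__ == "__main__":
    for run, keys in demo().items():
        print(run, {name: k.hex()[:16] + "..." for name, k in keys.items()})
```

Running the block prints the leading bytes of each key per run; the point to observe is that a holder of the leaked K reproduces only the first run, while either change yields a different key at the modified level and everything below it.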
Referring to fig. 6, in yet another embodiment of the present invention, a method for authenticating network access of a terminal device is provided, which includes the following steps.
S31: and sending first authentication request information to the network terminal, wherein the first authentication request information is used for triggering the network terminal to send authentication request feedback information, and the first authentication request information comprises a root key for authentication.
S32: and receiving and responding to authentication request feedback information returned by the network terminal, and sending second authentication request information to the network terminal, wherein the second authentication request information comprises an update root key and an update key exchange constant.
S33: and performing network access authentication on the terminal equipment through a preset authentication flow, wherein the root key in the authentication flow is replaced by the updated root key, and the key exchange constant in the authentication flow is replaced by the updated key exchange constant.
In this embodiment, the root key and the key exchange constant are modified in combination: the root key may be modified according to the method of the embodiment shown in fig. 1, the key exchange constant may be modified according to the method of the embodiment shown in fig. 4, and the double modification further improves the security of network access authentication of the terminal device.
In another embodiment of the present invention, the inventors find that the development of 5G offers enterprises in vertical industries a new transformation that brings both opportunities and challenges, while the network security problem is for now handed to a private-network or public-network solution to guarantee. For users in the power industry, a vertical industry, the security of air-interface communication still needs to be considered in order to improve the security of the power 5G module and secure the power terminal. In this embodiment, the eSIM of a power module is used as the terminal device to describe the network access authentication method of the present invention. Aiming at the problem of eSIM leakage in the power module, the security of the system key is enhanced by improving the root key of the eSIM of the power terminal device, so as to improve the power private network and raise the security of the power 5G module; this effectively prevents access by illegal communication terminals and malicious tampering with the software and hardware of communication terminals, and improves the safety of the private power network.
Specifically, the terminal device eSIM sends first authentication request information to the network side, where the first authentication request information is used to trigger the network side to send authentication request feedback information, and the first authentication request information includes a root key used for authentication; then, the terminal equipment eSIM receives and responds to authentication request feedback information returned by the network terminal, and sends second authentication request information to the network terminal, wherein the second authentication request information comprises an update root key; the updated root key is obtained by utilizing a Hash algorithm for calculation, and then the network access authentication of the terminal equipment is carried out through a preset authentication flow, wherein the updated root key is adopted to replace the root key in the authentication flow.
The root key K is modified at the network side UDM/ARPF (Unified Data Management/Authentication and Processing Function, Unified Data Management platform/Authentication certificate repository and Processing Function) and the terminal equipment eSIM side.
Meanwhile, the second authentication request information sent by the terminal equipment eSIM also comprises an updated key exchange constant, in the embodiment, the updated key exchange constant takes a value in a key exchange constant use range 0x 69-0 x76 specified in 3GPP TS33.501, but a specific value of the updated key exchange constant is determined according to the type of the electrical equipment, so that a one-to-one corresponding relation between the key exchange constant and the type of the electrical equipment is formed, and the type of the electrical equipment where the terminal equipment eSIM currently authenticated is located is conveniently analyzed from a network side; and can be set according to other design requirements. And when the network access authentication of the terminal equipment is carried out through a preset authentication flow, wherein in the authentication flow, the key exchange constant is replaced by the updated key exchange constant.
A set of key exchange constants customized by the power private network participates in the operation of key derivation algorithms at all levels to obtain dispersed keys at all levels, and the aim of further enhancing the network access authentication security can be achieved.
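As an added worked example that is not part of the patent, the following Python simulates the two-step exchange of this embodiment with both the terminal (eSIM) side and the network (UDM/ARPF) side, including the preset-time check of claim 4 and the 0x69..0x76 range check. The root key, the equipment-type table, the serving network name and the deadline value are constructed for illustration; the KDF input layout (HMAC-SHA-256 over FC || P0 || L0 || ...) is the 3GPP TS 33.220 Annex B form, used here to show that the updated constant changes every key derived from it.

```python
import hashlib
import hmac

FC_MIN, FC_MAX = 0x69, 0x76          # key exchange constant range named on the page
SECOND_REQUEST_DEADLINE_S = 5.0      # "preset time" of claim 4; the value is an assumption

# Constructed one-to-one table: power equipment type -> updated key exchange constant.
FC_BY_DEVICE_TYPE = {"smart_meter": 0x69, "feeder_terminal": 0x6A, "dtu": 0x6B}


def updated_root_key(root_key: bytes) -> bytes:
    """Updated root key = hash of the current root key, truncated to the original
    key length so the root key format is kept (the truncation is this example's
    choice; the patent only says 'a hash algorithm')."""
    return hashlib.sha256(root_key).digest()[: len(root_key)]


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """TS 33.220 Annex B shape: S = FC || P0 || L0 || P1 || L1 ...; out = HMAC-SHA-256(key, S).
    The FC byte is the 'key exchange constant' the page refers to."""
    if not FC_MIN <= fc <= FC_MAX:
        raise ValueError(f"FC 0x{fc:02x} is outside the permitted range")
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def terminal_second_request(root_key: bytes, device_type: str, sent_at: float) -> dict:
    """Terminal (eSIM) side: builds the second authentication request information."""
    return {"updated_root_key": updated_root_key(root_key),
            "updated_fc": FC_BY_DEVICE_TYPE[device_type],
            "sent_at": sent_at}


def network_check_second_request(req: dict, stored_root_key: bytes, feedback_sent_at: float):
    """Network (UDM/ARPF) side: None if the request is acceptable, else the reason.
    The network holds K as well, so it recomputes H(K) rather than trusting the value."""
    if req["sent_at"] - feedback_sent_at > SECOND_REQUEST_DEADLINE_S:
        return "second request arrived after the preset time"
    fc = req["updated_fc"]
    if not FC_MIN <= fc <= FC_MAX:
        return "updated key exchange constant outside 0x69..0x76"
    if fc not in FC_BY_DEVICE_TYPE.values():
        return "updated key exchange constant maps to no known equipment type"
    if not hmac.compare_digest(req["updated_root_key"], updated_root_key(stored_root_key)):
        return "updated root key does not match the network's derivation"
    return None


def device_type_from_fc(fc: int) -> str:
    """Network side reads the equipment type off the constant (one-to-one mapping)."""
    return {v: k for k, v in FC_BY_DEVICE_TYPE.items()}[fc]


def run_authentication(root_key: bytes, device_type: str, delay_s: float = 0.1):
    """Whole exchange; returns (result text, terminal-derived key, network-derived key)."""
    feedback_at = 0.0                      # network sends its feedback at t = 0
    req = terminal_second_request(root_key, device_type, feedback_at + delay_s)
    reason = network_check_second_request(req, root_key, feedback_at)
    if reason:
        return reason, None, None
    # The preset flow now runs with K' and FC' in place of K and FC on both sides.
    new_k, fc = updated_root_key(root_key), req["updated_fc"]
    serving_network_name = b"5G:mnc000.mcc000.3gppnetwork.org"   # constructed
    k_terminal = kdf(new_k, fc, serving_network_name)
    k_network = kdf(new_k, fc, serving_network_name)
    return "authenticated as " + device_type_from_fc(fc), k_terminal, k_network
```

Because both sides derive from the same updated K and the same updated FC, the keys match; a late second request, an out-of-range constant or a root key the network cannot reproduce is rejected before any key is derived.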
Referring to fig. 7, in yet another embodiment of the present invention, a terminal device network access authentication system is provided, where the terminal device network access authentication system is capable of implementing the terminal device network access authentication method in the embodiment shown in fig. 1, and specifically, the terminal device network access authentication system includes a first authentication request module, a second authentication request module, and a network access authentication module.
The first authentication request module is used for sending first authentication request information to the network side, where the first authentication request information is used for triggering the network side to send authentication request feedback information and includes a root key used for authentication; the second authentication request module is used for receiving the authentication request feedback information returned by the network side and sending second authentication request information to the network side, where the second authentication request information includes an updated root key; and the network access authentication module is used for performing network access authentication of the terminal device through a preset authentication flow in which the updated root key replaces the root key.
In another embodiment of the present invention, a network access authentication system for a terminal device is provided, where the network access authentication system for a terminal device can implement the network access authentication method for a terminal device in the embodiment shown in fig. 4, and specifically, the network access authentication system for a terminal device has the same structure as the network access authentication system for a terminal device in the previous embodiment, and the difference lies in the functions implemented by the modules.
Specifically, compared with the network access authentication system of the previous embodiment, the second authentication request module and the network access authentication module of this embodiment differ in function: here the second authentication request module is configured to receive and respond to the authentication request feedback information returned by the network side and to send second authentication request information to the network side, where the second authentication request information includes an updated key exchange constant; and the network access authentication module is used for performing network access authentication of the terminal device through a preset authentication flow in which the key exchange constant is replaced by the updated key exchange constant.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting the same, and although the present invention is described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that: modifications and equivalents may be made to the embodiments of the invention without departing from the spirit and scope of the invention, which is to be covered by the claims.

Claims (10)

1. A terminal device network access authentication method is characterized by comprising the following steps:
sending first authentication request information to a network side, wherein the first authentication request information is used for triggering the network side to send authentication request feedback information, and the first authentication request information comprises a root key used for authentication;
receiving and responding to the authentication request feedback information returned by the network side, and sending second authentication request information to the network side, wherein the second authentication request information comprises an updated root key;
and performing network access authentication of the terminal device through a preset authentication flow, wherein the updated root key replaces the root key in the authentication flow.
2. The network-accessing authentication method for the terminal device according to claim 1, wherein the updated root key is randomly generated according to the format requirement of the root key.
3. The network-accessing authentication method for the terminal device according to claim 1, wherein the updated root key is calculated from the root key by a preset hash algorithm.
4. The network access authentication method of the terminal device according to claim 1, wherein the second authentication request information is sent within a preset time after the authentication request feedback information returned by the network side is received; otherwise, authentication fails.
5. The method as claimed in claim 1, wherein the authentication procedure is a 5G AKA authentication procedure or an EAP-AKA' authentication procedure.
6. A terminal device network access authentication method is characterized by comprising the following steps:
sending first authentication request information to a network side, wherein the first authentication request information is used for triggering the network side to send authentication request feedback information, and the first authentication request information comprises a root key used for authentication;
receiving and responding to the authentication request feedback information returned by the network side, and sending second authentication request information to the network side, wherein the second authentication request information comprises an updated key exchange constant;
and performing network access authentication of the terminal device through a preset authentication flow, wherein the key exchange constant in the authentication flow is replaced by the updated key exchange constant.
7. The method for authenticating network access of a terminal device according to claim 6, wherein the updated key exchange constant is set and stored based on the type of the terminal device.
8. A terminal device network access authentication method is characterized by comprising the following steps:
sending first authentication request information to a network side, wherein the first authentication request information is used for triggering the network side to send authentication request feedback information, and the first authentication request information comprises a root key used for authentication;
receiving and responding to the authentication request feedback information returned by the network side, and sending second authentication request information to the network side, wherein the second authentication request information comprises an updated root key and an updated key exchange constant;
and performing network access authentication of the terminal device through a preset authentication flow, wherein the root key in the authentication flow is replaced by the updated root key, and the key exchange constant in the authentication flow is replaced by the updated key exchange constant.
9. A terminal device network access authentication system is characterized by comprising:
a first authentication request module used for sending first authentication request information to the network side, wherein the first authentication request information is used for triggering the network side to send authentication request feedback information, and the first authentication request information comprises a root key used for authentication;
a second authentication request module used for receiving the authentication request feedback information returned by the network side and sending second authentication request information to the network side, wherein the second authentication request information comprises an updated root key; and a network access authentication module used for performing network access authentication of the terminal device through a preset authentication flow, wherein the updated root key replaces the root key in the authentication flow.
10. A terminal device network access authentication system is characterized by comprising:
a first authentication request module used for sending first authentication request information to the network side, wherein the first authentication request information is used for triggering the network side to send authentication request feedback information, and the first authentication request information comprises a root key used for authentication;
a second authentication request module used for receiving and responding to the authentication request feedback information returned by the network side and sending second authentication request information to the network side, wherein the second authentication request information comprises an updated key exchange constant;
and a network access authentication module used for performing network access authentication of the terminal device through a preset authentication flow, wherein the key exchange constant in the authentication flow is replaced by the updated key exchange constant.
Application CN202011099106.3A, priority date 2020-10-14, filing date 2020-10-14: Network access authentication method and system for terminal equipment (Active; granted as CN112235799B)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011099106.3A CN112235799B (en) 2020-10-14 2020-10-14 Network access authentication method and system for terminal equipment

Publications (2)

Publication Number Publication Date
CN112235799A true CN112235799A (en) 2021-01-15
CN112235799B CN112235799B (en) 2021-11-16

Family

ID=74112933

Country Status (1)

Country Link
CN (1) CN112235799B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113115413A (en) * 2021-05-05 2021-07-13 航天云网云制造科技(浙江)有限公司 Method for accessing user terminal to 5G network

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1859734A (en) * 2005-10-10 2006-11-08 华为技术有限公司 Controlled key updating method
CN207251631U (en) * 2017-06-12 2018-04-17 浙江神州量子网络科技有限公司 A kind of follow-on SIM card and mobile terminal and identification system
CN108599925A (en) * 2018-03-20 2018-09-28 如般量子科技有限公司 A kind of modified AKA identity authorization systems and method based on quantum communication network
CN109151823A (en) * 2018-09-10 2019-01-04 中国联合网络通信集团有限公司 The method and system of eSIM card authentication
US20190253895A1 (en) * 2016-09-30 2019-08-15 Huawei Technologies Co., Ltd. Control signaling processing method, device, and system
US20190261178A1 (en) * 2016-07-05 2019-08-22 Samsung Electronics Co., Ltd. Method and system for authenticating access in mobile wireless network system

Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant