CN112243235B - Group access authentication and switching authentication method suitable for world integration and application - Google Patents

Group access authentication and switching authentication method suitable for world integration and application Download PDF

Info

Publication number
CN112243235B
CN112243235B CN202010968822.4A CN202010968822A CN112243235B CN 112243235 B CN112243235 B CN 112243235B CN 202010968822 A CN202010968822 A CN 202010968822A CN 112243235 B CN112243235 B CN 112243235B
Authority
CN
China
Prior art keywords
group
authentication
satellite
management system
key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010968822.4A
Other languages
Chinese (zh)
Other versions
CN112243235A (en
Inventor
曹进
马如慧
李晖
陈李兰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xidian University
Original Assignee
Xidian University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xidian University filed Critical Xidian University
Priority to CN202010968822.4A priority Critical patent/CN112243235B/en
Publication of CN112243235A publication Critical patent/CN112243235A/en
Application granted granted Critical
Publication of CN112243235B publication Critical patent/CN112243235B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W84/00Network topologies
    • H04W84/02Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/04Large scale networks; Deep hierarchical networks
    • H04W84/06Airborne or Satellite Networks

Abstract

The invention belongs to the technical field of communication network security, and discloses a group access authentication and switching authentication method and application suitable for world integration, wherein the method comprises a terminal registration process; a group member registration process; a group owner discovery process; a group access authentication procedure; a group switching process; a group member joining process; the group members exit the process; a group access authentication and switching authentication method with privacy protection. The invention can be applied to the scene of integrated group access authentication and switching; by performing the group owner discovery process offline, group owners can be selected periodically; the access authentication and the switching authentication of massive terminals are supported; the joining and the quitting of the members in the group can be supported through the joining and quitting processes of the group members, so that the flexibility of the system is improved; through group authentication, communication overhead, calculation overhead and signaling overhead can be effectively reduced; in addition, the privacy of the terminal identity information can be realized through a group access authentication and switching authentication method with privacy protection.

Description

Group access authentication and switching authentication method suitable for world integration and application
Technical Field
The invention belongs to the technical field of communication network security, and particularly relates to a group access authentication and switching authentication method and application suitable for world integration.
Background
With the development of satellite networks and the enhancement of national requirements on aerospace and disaster early warning, the fusion of different dimensional spaces becomes a future development trend, and therefore a comprehensive network which takes a ground network as a core, extends to a space network and is interconnected through inter-satellite links, satellite-ground links and the like to form a space-ground integration is provided. The heaven-earth integrated network is a network formed by interconnecting and fusing a plurality of heterogeneous networks such as a satellite network, a ground network and the like, and can realize cross-region and cross-airspace communication and the cooperative work of each node of the network. Currently, the development of fifth generation (5G) mobile communication systems makes it possible to merge satellite networks with terrestrial networks. And the access of large-scale mobile equipment also brings more potential safety hazards.
The access authentication is the first line of defense of system safety, the legality of a user accessing the system is guaranteed by using an access authentication program, and a safe and efficient network switching authentication mechanism is needed to guarantee the uninterrupted communication between nodes because the positions of the nodes in the world network are not fixed. Aiming at the problems that the positions among nodes of the heaven-earth integrated network are not fixed, the network topology changes frequently, the channel is open, the links between the satellite and the ground/the inter-satellite nodes are exposed, the satellite and the ground are easily attacked by malicious nodes, the satellite and the ground are delayed highly, the satellite and the ground are unbalanced in development, the computing power of the satellite nodes is weak and the like, a safety access authentication mechanism suitable for the heaven-earth integrated network is designed. Most of the existing world integrated access authentication respectively adopt an authentication mechanism of a ground communication network, and the burden of a ground control center is lightened by designing a lightweight protocol or transferring part of authentication functions to a satellite and the like, so that the communication delay is reduced. However, the safety of the ground control center cannot be guaranteed. In addition, the existing handover authentication scheme mostly considers the optimization of handover performance from the viewpoints of handover overhead, handover delay and the like, and rarely considers the guarantee of handover security. And aiming at the change of group members, flexible strain measures are lacked, and when massive groups are accessed to a satellite network at the same time, a large amount of communication overhead and signaling overhead are generated, so that the problems of signaling congestion and the like can be caused.
Through the above analysis, the problems and defects of the prior art are as follows:
(1) in the prior art, most of access authentication processes are carried out based on a ground control center, various safety problems such as trust transfer exposure exist, the problem of high-efficiency safe access of massive multi-type terminals among heterogeneous networks cannot be solved, and various safety requirements of scenes in a future complex world network cannot be met.
(2) The existing switching authentication scheme mostly considers the optimization of switching performance from the aspects of switching overhead, switching time delay and the like, rarely utilizes technologies such as encryption and the like to ensure safe switching, and aims at the problems that a large amount of communication overhead and signaling overhead are generated during massive terminal authentication, so that signaling congestion is caused and the like.
(3) In the current scheme for concurrent authentication of massive terminals, reasonable communication overhead cannot be consumed while the safety of the group members is guaranteed according to the joining or quitting conditions of the group members.
The significance of solving the problems and the defects is as follows: the design of a group access authentication and switching authentication scheme suitable for a space-ground integrated network is of great importance, the safe and efficient concurrent access of massive terminals to a satellite network is guaranteed, the continuity of group network services in the moving process of groups and satellites is guaranteed, the dynamic addition and deletion of group members are realized, the requirement of group member privacy protection is met, and the all-round multilayer reliable safety support is provided for the group members to access the satellite network.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides a group access authentication and switching authentication method suitable for world integration and application thereof.
The invention is realized in this way, a group that is suitable for the integration of heaven and earth inserts and switches over the authentication method, the group that is suitable for the integration of heaven and earth inserts and switches over the authentication method and is based on the existing 5G that improves and inserts the authentication protocol, adopt the group to authenticate the vector and realize the disposable access authentication of all terminals of a group, and provide the basic key that terminal and service network subsequently use, utilize the basic key to set up the safe switching, realize the trusted communication keeps; support the joining and exiting of members in the group; in the authentication process, a security channel is established in advance among the satellite, the gateway station/network management system (embedded foundation access domain access authentication module), the mobile switching security service system, the access authentication system and the entity identity management system.
Further, in the group access authentication and handover authentication method applicable to the heaven-earth integration, in the process that the terminal accesses the authentication satellite network, the satellite sends the identity identification information of the terminal to the entity identity management system, the entity identity management system generates a corresponding authentication vector for the terminal and sends the authentication vector to the satellite, and then the satellite performs mutual authentication and key agreement with the terminal by adopting the authentication vector; in the switching process, the mobile switching safety service system predicts the next satellite to be accessed by the group by combining effective information such as group position information, satellite position information, current visiting network information, satellite track and the like, generates a corresponding authentication vector and sends the authentication vector to a target satellite in advance, and when the group enters the coverage range of the target satellite, the mobile switching safety service system can perform quick authentication with the target satellite; in order to protect the privacy information of the user, a group access authentication and switching authentication method with privacy protection is adopted.
Further, the group access authentication and handover authentication method suitable for heaven-earth integration comprises the following steps:
step one, a terminal registration process;
the second step, the registration process of group members;
step three, a group owner discovery process;
fourthly, group access authentication process;
fifthly, a group switching process;
sixthly, group members join in the process;
seventhly, the group members quit the process;
and eighthly, the group access authentication and switching authentication method with privacy protection.
Further, the first step includes:
(1) the registry sends a registration request to the entity identity management system;
(2) after receiving the registration request, the entity identity management system generates a permanent identity ID of the terminal, and then generates a preset master key K according to the ID; finally, the entity identity management system sends a registration response message containing ID I K to the registrar;
(3) the register writes the message into the terminal password module after receiving the message, and then off-line distributes the terminal password module K to the terminal;
the second step includes:
(1) after the terminal registration process is executed, terminals in the same area or terminals belonging to the same manager form a fixed group, and group members send registration requests to an entity identity management system, wherein the registration requests comprise group identity identifications GID and group member identity identifications ID;
(2) the entity identity management system generates a group shared key GK after receiving the group member registration request, and then sends a registration response message containing GID (general identifier | | | GK) to the registrar;
(3) the registrar writes the registration response into the cryptographic module of the terminal after receiving the registration response, and distributes the cryptographic module GK of the terminal to the group members in an off-line manner;
the third step includes:
(1) after the group member registration stage is completed, a group owner discovery process is executed in an off-line manner; each terminal has a value Xi for measuring the computing capacity and the storage capacity; in the registration process, each group member encrypts its own performance parameters including IDi and Xi by using a group shared key GK, and then broadcasts the encrypted performance parameters to the surroundings;
(2) each group member compares the received performance parameters for ranking and broadcasts an encrypted performance parameter ranking order (IDm, IDi, idj.)GK
(3) And if the value of the member m is the maximum in the performance parameter ranking of the group members exceeding 2/3, selecting m as the group owner, and broadcasting the effective information of the group owner to the group members.
Further, the fourth step includes:
(1) when monitoring that the satellite network needs to be accessed, the group owner starts a timer, sets a timer trigger value, and broadcasts a group access authentication notification message to the surrounding, wherein the message contains a random number R1 newly generated by the group owner;
(2) after the terminal receives the group access authentication message broadcasted by the group owner, if the terminal needs to access the network, each group member sends a terminal access authentication request message to the group owner, wherein the terminal access authentication request message contains the identity identifier IDi of the terminal;
(3) when the timer time reaches, the group owner receives all the group member authentication requests, receives the authentication requests of n terminals, (ID1, ID 2.., IDn), the group identity GID and the random number R1 and sends the group identity GID and the random number R1 to the satellite, and the satellite forwards the group authentication request message to the ground foundation access domain access authentication module;
(4) the access authentication module of the ground-based access domain sends the ID1, the ID 2.., IDn, GID, R1 and the identity SNID of the access domain to an access authentication system;
(5) after receiving the group authentication and authorization request, the access authentication system sends a group authentication vector acquisition request to the entity identity management system;
(6) after receiving the authentication request message, the entity identity management system performs the following steps, wherein h is a safe hash function, and KDF is a key derivation function:
1) selecting a random number R2, and searching the shared key GK of the group and the long-term shared key Ki of each group member in a database of the random number R2;
2) XMACi ═ h (SNID, Ki, R1) was calculated,
Figure BDA0002683330380000052
3) computing a group temporary shared key TGK KDF (GK, R2);
4) calculating an authentication vector value XRESi ═ h (Ki, R2), KAMFiKDF (Ki, R2), authentication vector AVi ═ IDi | | | XRESi | | K for each terminalAMFi
5) Sending a group authentication vector acquisition response message to the access authentication system, wherein the response message comprises a random number R2, a group identity GID, a group temporary shared key TGK, a message authentication code XMAC and authentication vectors AVi of all group members;
(7) after receiving the group authentication vector acquisition response, the access authentication system performs the following steps:
1) computing
Figure BDA0002683330380000051
2) Calculating hxreg ═ h (R2, XRESG);
3) the access authentication system sends a group authentication authorization response message to the access authentication module of the ground-based access domain, wherein the group authentication authorization response message comprises R2, GID, TGK, XMAC, HXRSG and all IDi | | KAMFi
(8) After receiving the group authentication authorization response, the ground-based access domain access authentication module calculates the basic key K of each memberSat-i=KDF(R2,KAMFiTGK); sending to satellite contains R2, XMAC, HXRSG and all IDi, KSat-iGroup authentication authorization response message;
(9) after the satellite receives the group authentication authorization response message, HXREG, IDi and K are extractedSat-i(ii) a Then sending a group authentication response message R2, XMAC to the group owner; the group owner broadcasts R2 to the group members after receiving the message;
(10) after receiving the authentication response message, the group members calculate MACi h (SNID, Ki, R1), RESi h (Ki, R2), KSat-iAnd sends MACi, RESi to the group owner;
(11) after the group owner receives the group member authentication confirmation information, the group owner calculates
Figure BDA0002683330380000061
Then verifying MAC as XMAC, and calculating after verification
Figure BDA0002683330380000062
Sending an authentication success message to the group members, sending a group authentication confirmation message RESG to the satellite, calculating the HRESG (h) (R2, RESG) by the satellite, comparing the HRESG with the HXRESG, and forwarding the RESG to the access authentication system if the verification is successful;
(12) after receiving the RESG message, the access authentication system compares the RESG with the XRESG, and if the comparison is successful, the group verification is passed; the group and the heaven-earth integrated network complete bidirectional authentication, and the satellite and each group member will have KSat-iAs a base key.
Further, the fifth step includes:
(1) before a secure handover occurs, the following steps are required:
1) before switching, the terminal always keeps two group keys, a key GK shared with an entity identity management system and a temporary key TGK shared with a mobile switching security service system; when the group owner detects that the signal of the current access satellite is weakened and cannot provide smooth communication, the group owner broadcasts a group pre-switching notification message to all group members; the group members send the identity identifier IDi thereof to the group owner, and the group owner sends all the identifiers, the group identifier GID and the newly generated random number R3 to the current satellite;
2) current satellite SA1Forwarding the group pre-handoff request message (ID 1.., IDn), R3, GID to the mobile handoff security service system;
3) the mobile switching safety service system predicts the next satellite to be accessed by the group according to the effective information such as group position information, satellite position information, current visiting network information, satellite track and the like, generates a corresponding authentication vector and sends the authentication vector to a target satellite in advance; the authentication vector generation process comprises the following steps: the mobile switching safety service system selects a random number R4, and looks for the shared secret key K corresponding to each group member IDi in the databaseAMFiWhere i is 1.. times.n, and calculates a message authentication code XMACi ═ h (SNID, K), respectivelyAMFi,R3),
Figure BDA0002683330380000063
Figure BDA0002683330380000071
New basic key
Figure BDA0002683330380000072
Of each terminal
Figure BDA0002683330380000073
Parameters such as the random number R4, the group identity identification GID, the XMAC and the like are sent to a target satellite through a safety channel established by networking;
(2) after the preparation work before switching is finished, the following steps are carried out:
1) when the switching is triggered, the group owner sends a group switching authentication request message containing the GID to the target satellite SA2
2) Target satellite SA2After receiving the group switching authentication request, sending an XMAC value and an R4 value to the group owner; then, the target satellite calculates
Figure BDA0002683330380000074
And storing XRES 0;
3) after the group owner receives the information, the R3 and the R4 are forwarded to the group members;
4) group member calculation
Figure BDA0002683330380000075
MACi=h(SNID,KAMFi,R3),
Figure BDA0002683330380000076
And sends MACi and RESi to the group owner; group owner computing
Figure BDA0002683330380000077
Validating MAC (media access control) as XMAC, and if the validation is passed, calculating
Figure BDA0002683330380000078
Sending a group switch acknowledgement message RESO to the target satellite SA2(ii) a And sending a group switching success message to the group member satellite, comparing the message with the local XRESO after the group switching success message is received, if the message is consistent with the local XRESO, passing the authentication, and enabling the satellite and each group member to pass the authentication
Figure BDA0002683330380000079
As a base key.
Further, the sixth step includes:
(1) after the new member k finishes the terminal registration process, discovering the group, applying for joining the group, and sending a new member joining request message to the group owner, wherein the request message comprises a group identity identifier GID and a member identifier IDk; after receiving the new member join request, the group owner calculates a message authentication code s ═ h (GK, GID, IDk, (ID 1.., IDu), R5, 1); the group master sends the s, the IDk, the GID and the newly generated random number R5 to the entity identity management system;
(2) after receiving the request, the entity identity management system firstly searches the GK and the identifications (ID 1.. said., IDn) of all group members of the current group according to the GID, then verifies the validity of the s, and performs the following operations after the verification is passed:
1) selecting a random number R6, searching its database for the long-term shared key K of IDkk
2) Computing MACk=h(SNID,Kk,R5),XRESk=h(Kk,R6),KAMFk=KDF(Kk,R6);
3) Entity identity management system MACkR6 is sent to the group owner, which forwards the MACkR6, R5 to new member k;
(3) upon receipt by the new member k, the MAC is first verifiedkIf the verification is successful, calculating RESk=h(KkR6); subsequently, the new member k will RESkSending the information to a group owner, and forwarding the group owner to an entity identity management system;
(4) after the entity identity management system receives the information, the entity identity management system verifies RESk=XRESkIf the verification is successful, the entity identity management system carries out the following operations:
1) calculating a new group key GK*=KDF(GK,R6,R5);
2) Calculating UKj KDF (Kj, R6, R5), where j 1.. n, or j k;
3) calculation of TGK*=KDF(GK*,R6);
4) Subsequently, the entity identity management system will GID, TGK*,IDk,KAMFkSending the information to a mobile switching safety service system through a safety channel which is established in advance;
5) finally, the entity identity management system sends a group key update notification message to the group owner, wherein the group key update notification message includes the GID, the identities IDj of all group members, and the group key GK encrypted with each UKj*Sending the data to the group owner;
(5) the group owner forwards the group key updating notification message and R6, R5 to all group members, and the group member updates the group key to GK*The group owner updates the existing group member list.
Further, the seventh step includes:
(1) when a member i in the group needs to quit the group, sending a quit request message to a group owner, wherein the quit request message comprises a group identity identification GID and an identity identification IDi of the member i; after receiving the quit request, the group owner calculates a message authentication code s ═ h (GK, GID, IDi, (ID 1.., IDn), R7, 0), and sends s, GID, the newly generated random number R7 and the identity of the member requesting to quit to the entity identity management system;
(2) after receiving the message, the entity identity management system firstly verifies the validity of the s, and after the verification is passed, the following operations are carried out:
1) selecting a random number R8 and a new GK*
2) Calculating UKj ═ KDF (Kj, R8, R7), j ≠ 1.., n, and j ≠ i;
3) calculation of TGK*=KDF(GK*,R8);
(3) After the entity identity management system updates the group key, it sends a group key update notification to the group owner containing the group identity GID, the random number R8, and the group key GK encrypted with UKj (j ≠ i)*The group owner forwards the group key update notification and R7 to all group members; existing group members update group key to GK*
(4) The entity identity management system sends a group key updating notice to the mobile switching security service system to update the group key TGK related to switching*
The eighth step includes:
(1) the entity identity management system selects sk and pk as a private key and a public key respectively, and in the terminal registration process, the entity identity management system presets pk and ID I K to the terminal;
(2) in the registration process of group members, an entity identity management system additionally presets a temporary identifier TGIDi in a group for each group member;
(3) in the group owner discovery process, each group member adopts TGIDi as temporary identification in the group to replace IDi;
(4) in the group access authentication process, each group member encrypts an identity identifier IDi by adopting a public key pk of the entity identity management system to obtain a ciphertext and sends the ciphertext to a group owner, and the group owner converges all ciphertext messages and forwards the ciphertext messages to the entity identity management system; the entity identity management system decrypts the received identity identifier IDi by using a private key sk of the entity identity management system to obtain an identity identifier IDi, then the mobile switching security service system calculates a terminal temporary identifier TIDi, the TIDi is sent to a satellite, the satellite uses the TIDi as a temporary identifier of a terminal i, and a terminal side can also calculate the TIDi;
(5) in the group switching process, the group members directly send the TIDi to the current satellite SA1The current satellite forwards the current satellite to a mobile switching safety service system; then, the mobile switching safety service system calculates a new temporary identifier TIDi and sends the new temporary identifier TIDi as the target satellite SA2The target satellite takes TIDi as a temporary identifier of the terminal i;
(6) in the joining process of the group members, a new member k encrypts an identity identifier IDk of the new member k by using a public key pk of an entity identity management system to obtain a ciphertext and sends the ciphertext to a group owner, the group owner forwards the ciphertext to the entity identity management system, the entity identity management system decrypts the ciphertext to obtain the IDk, generates a temporary identifier TGIDk in the group for the member k, and replaces the original IDk by using the TGIDk in a group key updating notification message;
(7) in the process of group member exit, the exit member i directly sends TGIDi to the group owner, and the group owner forwards the TGIDi to the entity identity management system.
Another object of the present invention is to provide a group access authentication and handover authentication system suitable for world integration, which implements the group access authentication and handover authentication method suitable for world integration, the group access authentication and handover authentication system suitable for world integration including: the system comprises group members, satellite access nodes, gateway stations/network management systems (embedded foundation access domain access authentication modules), entity identity management systems, access authentication systems and mobile switching security service systems. The functions of each entity are introduced as follows:
the satellite access node represents an access network in a satellite network and is mainly responsible for forwarding and processing messages between the group members and the ground gateway station.
The gateway station/network management system is an interface for accessing the satellite into the ground network, and is connected with the mobile switching safety service system, the access authentication system and the entity identity management system through the ground wired network. The gateway station/network management system and the mobile switching safety service system are both affiliated to the visiting network server.
The entity identity management system is responsible for completing the registration of all entities including group members, satellites, ground stations and other entities, and distributing long-term shared keys and group shared keys to different entities.
The access authentication system is responsible for authenticating the validity of the group members, and both the access authentication system and the entity identity management system belong to the home network server.
The mobile switching safety service system is responsible for the quick authentication and authorization of the group members in the moving process.
Another object of the present invention is to provide a heaven-earth integrated network communication method using the group access authentication and handover authentication method suitable for heaven-earth integration.
By combining all the technical schemes, the invention has the advantages and positive effects that: the invention provides a method for accessing authentication and switching authentication based on a world integrated group, which is based on an improved 5G access authentication protocol, respectively manages related identity authentication and switching authentication functions through an access authentication system, an entity identity management system and a mobile switching security service system, and realizes one-time safe and efficient authentication of all terminals in a group by using a group access authentication vector and an access vector. Support group member joining and quitting and support group owner's renewal, can update the group key through the entity identity management system. In addition, the privacy of the user information can be protected through the group access authentication and switching authentication method with privacy protection.
The invention is provided by analyzing and improving according to the current 5G network access authentication protocol, and is suitable for the future scene of integration of heaven and earth; the terminals gathered in the same area or the terminals belonging to the same manager form a fixed group, a better terminal is selected as a group owner, the unified access authentication of the terminals in one group is completed at one time through the group authentication vector, and the network authentication efficiency is improved. Aiming at the characteristics of topological change of an inter-satellite network, open channels and intermittent communication of the channels, seamless safe switching between a group and a satellite is completed through real-time prediction of the positions of satellite nodes; the invention can realize the lightweight mutual authentication of a group of mass terminals and a world integrated network, support the joining and quitting functions of group members, meet the safety characteristics of mutual authentication and the like and resist protocol attack. The invention can realize the group access authentication and switching authentication method with privacy protection, and prevent the privacy information of the user from being revealed.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed to be used in the embodiments of the present application will be briefly described below, and it is obvious that the drawings described below are only some embodiments of the present application, and it is obvious for those skilled in the art that other drawings can be obtained from the drawings without creative efforts.
Fig. 1 is a flowchart of a group access authentication and handover authentication method suitable for world integration according to an embodiment of the present invention.
Fig. 2 is a diagram of a world-wide integrated network architecture provided by an embodiment of the present invention.
Fig. 3 is a general flowchart of a method for authentication of group access and handover integrated in heaven and earth according to an embodiment of the present invention.
Fig. 4 is a terminal registration process in a heaven and earth integrated network according to an embodiment of the present invention.
Fig. 5 is a group member registration process in a heaven-earth integrated network according to an embodiment of the present invention.
Fig. 6 is a process of discovering a group owner in a heaven-earth integrated network according to an embodiment of the present invention.
Fig. 7 is a group access authentication procedure in a heaven and earth integrated network according to an embodiment of the present invention.
Fig. 8 is a group handover authentication procedure in a heaven-earth integrated network according to an embodiment of the present invention.
Fig. 9 is a group member joining process in the heaven and earth integrated network according to the embodiment of the present invention.
Fig. 10 is a process of group member exit in the heaven-earth integrated network according to the embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Aiming at the problems in the prior art, the invention provides a group access authentication and handover authentication method suitable for world integration and application thereof, and the invention is described in detail below with reference to the accompanying drawings.
As shown in fig. 1, the group access authentication and handover authentication method suitable for integration of heaven and earth provided by the present invention includes the following steps:
s101: a terminal registration process;
s102: a group member registration process;
s103: a group owner discovery process;
s104: a group access authentication procedure;
s105: a group switching process;
s106: a group member joining process;
s107: the group members exit the process;
s108: a group access authentication and switching authentication method with privacy protection.
Those skilled in the art can also implement the method of group access authentication and handover authentication suitable for world integration provided by the present invention by using other steps, and the method of group access authentication and handover authentication suitable for world integration provided by the present invention in fig. 1 is only one specific embodiment.
The technical solution of the present invention is further described below with reference to the accompanying drawings.
The invention is based on the improved existing 5G access authentication protocol, utilizes the good performance advantage of the symmetric key system, adopts the group authentication vector to realize the one-time access authentication of all the terminals of a group, provides the basic key for the subsequent use of the terminal and the service network, and utilizes the basic key to establish the safe switching, thereby realizing the trusted communication maintenance. The scheme also supports the joining and leaving of members of the group in the group. In the authentication process, a security channel is established in advance among the satellite, the gateway station/network management system (embedded foundation access domain access authentication module), the mobile switching security service system, the access authentication system and the entity identity management system. Specifically, in the process that the terminal accesses the authentication satellite network, the satellite sends the identity identification information of the terminal to the entity identity management system, the entity identity management system generates a corresponding authentication vector for the terminal and sends the authentication vector to the satellite, and then the satellite performs mutual authentication and key agreement with the terminal by adopting the authentication vector. In the switching process, the mobile switching safety service system predicts the next satellite to be accessed by the group according to the effective information such as group position information, satellite position information, current visiting network information, satellite track and the like, generates a corresponding authentication vector and sends the authentication vector to a target satellite in advance. Furthermore, when the group enters the coverage area of the target satellite, the group can be quickly authenticated with the target satellite. In addition, in order to protect the privacy information of the user, a group access authentication and switching authentication method with privacy protection can be adopted.
As shown in fig. 2, the heaven and earth integrated network architecture diagram provided by the present invention mainly includes the following entities: the system comprises group members, satellite access nodes, gateway stations/network management systems (embedded foundation access domain access authentication modules), entity identity management systems, access authentication systems and mobile switching security service systems.
The satellite access node represents an access network in a satellite network and is mainly responsible for forwarding and processing messages between the group members and the ground gateway station.
The gateway station/network management system is an interface for accessing the satellite into the ground network, and is connected with the mobile switching safety service system, the access authentication system and the entity identity management system through the ground wired network. The gateway station/network management system and the mobile switching safety service system are both affiliated to the visiting network server.
The entity identity management system is responsible for completing the registration of all entities including group members, satellites, ground stations and other entities, and distributing long-term shared keys and group shared keys to different entities.
The access authentication system is responsible for authenticating the validity of the group members, and both the access authentication system and the entity identity management system belong to the home network server.
The mobile switching safety service system is responsible for the quick authentication and authorization of the group members in the moving process.
As shown in fig. 3-10, the method for authentication of access and handover for a space-ground integrated network group provided by the present invention includes the following steps:
s1, terminal registration process;
s2, group member registration process;
s3, group owner discovery process;
s4, group access authentication process;
s5, group switching process;
s6, adding group members;
s7, quitting the process of the group members;
s8: a group access authentication and switching authentication method with privacy protection.
In this embodiment of the present invention, step S1 includes:
s11, the register sends a register request to the entity identity management system;
s12, after receiving the registration request, the entity identity management system generates a permanent identity ID of the terminal, and then generates a preset master key K according to the ID; finally, the entity identity management system sends a registration response message containing ID I K to the registrar;
and S13, the register writes the message into the terminal password module after receiving the message, and then distributes the terminal password module K to the terminal in an off-line manner.
In the embodiment of the present invention, the step S2 specifically includes:
s21, after executing the terminal registration process, the terminals in the same area or the terminals belonging to the same manager form a fixed group, and the group members send registration requests to the entity identity management system, wherein the registration requests comprise group identity identifications GID and group member identity identifications ID;
s22, the entity identity management system receives the group member registration request and then generates a group shared key GK, and then sends a registration response message containing GID (identity) GK to the registrar;
and S23, the register writes the registration response into the password module of the terminal after receiving the registration response, and distributes the terminal password module GK to the group members in an off-line manner.
In the embodiment of the present invention, the step S3 specifically includes:
s31, after finishing the registration stage of the group members, executing the group owner discovery process off line; each terminal has internally a value for measuring the computing power and the storage power, for example Xi; in the registration process, each group member encrypts its own performance parameters including IDi and Xi by using a group shared key GK, and then broadcasts the encrypted performance parameters to the surroundings;
s32, each group member compares and ranks the received performance parameters, and broadcasts the ranking order (IDm, IDi, IDj.)GK
And S33, if the performance parameter ranking of the group members exceeding 2/3 shows that the value of the member m is the largest, selecting m as the group owner, and then broadcasting the effective information of the group owner to the group members.
In the embodiment of the present invention, the step S4 specifically includes:
s41, when the group owner monitors that the satellite network needs to be accessed, a timer is started, a timer trigger value is set, the group owner broadcasts a group access authentication notification message to the surrounding, and the message contains a random number R1 newly generated by the group owner;
s42, after the terminal receives the group access authentication message broadcasted by the group owner, if the network is needed to be accessed, each group member sends a terminal access authentication request message to the group owner, and the terminal access authentication request message contains the identity IDi of the terminal;
s43, when the timer time arrives, the group owner sends all received group member authentication requests (assuming that the group owner receives the authentication requests of n terminals) (ID1, ID 2.., IDn), the group identity GID and the random number R1 to the satellite, and the satellite forwards the group authentication request message to the ground-based access domain access authentication module;
s44, the ground-based access domain access authentication module sends the ID1, the ID2, the IDn, the GID and the R1 and the access domain identity SNID thereof to an access authentication system;
s45, after receiving the group authentication authorization request, the access authentication system sends a group authentication vector acquisition request to the entity identity management system;
s46, after receiving the authentication request message, the entity identity management system performs the following steps (the following h is a secure hash function, and KDF is a key derivation function):
(1) selecting a random number R2, and searching the shared key GK of the group and the long-term shared key Ki of each group member in a database of the random number R2;
(2) XMACi ═ h (SNID, Ki, R1) was calculated,
Figure BDA0002683330380000164
(3) computing a group temporary shared key TGK KDF (GK, R2);
(4) calculating an authentication vector value XRESi ═ h (Ki, R2), KAMFiKDF (Ki, R2), authentication vector AVi ═ IDi | | | XRESi | | K for each terminalAMFi
(5) And sending a group authentication vector acquisition response message to the access authentication system, wherein the group authentication vector acquisition response message comprises a random number R2, a group identity GID, a group temporary shared key TGK, a message authentication code XMAC and authentication vectors AVi of all group members.
S47, after receiving the group authentication vector acquisition response, the access authentication system performs the following steps:
(1) computing
Figure BDA0002683330380000161
(2) Calculating hxreg ═ h (R2, XRESG);
(3) the access authentication system sends a group authentication authorization response message to the access authentication module of the ground-based access domain, wherein the group authentication authorization response message comprises R2, GID, TGK, XMAC, HXRSG and all IDi | | KAMFi
S48, after receiving the group authentication authorization response, the ground-based access domain access authentication module calculates the basic key K of each memberSat-i=KDF(R2,KAMFiTGK); sending to satellite contains R2, XMAC, HXRSG and all IDi, KSat-iGroup authentication authorization response cancellation inAnd (4) information.
S49, extracting HXREG, IDi, K after the satellite receives the group authentication authorization response messageSat-i(ii) a Then sending a group authentication response message R2, XMAC to the group owner; the group owner receives the message and broadcasts R2 to the group members.
S410, after receiving the authentication response message, the group member calculates MACi-h (SNID, Ki, R1), RESi-h (Ki, R2), and KSat-iAnd sends MACi, RESi to the group owner;
s411, after receiving the group member authentication confirmation information, the group owner calculates
Figure BDA0002683330380000162
Then verifying MAC as XMAC, and calculating after verification
Figure BDA0002683330380000163
Sending an authentication success message to the group members, sending a group authentication confirmation message RESG to the satellite, calculating the HRESG (h) (R2, RESG) by the satellite, comparing the HRESG with the HXRESG, and forwarding the RESG to the access authentication system if the verification is successful;
s412, after receiving the RESG message, the access authentication system compares the RESG with the XRESG, and if the comparison is successful, the group verification is passed; the group and the heaven-earth integrated network complete bidirectional authentication, and the satellite and each group member will have KSat-iAs a base key.
In the embodiment of the present invention, the step S5 specifically includes:
s51, before the safety switching happens, the following steps are required
(1) Before switching, the terminal always keeps two group keys, a key GK shared with an entity identity management system and a temporary key TGK shared with a mobile switching security service system; when the group owner detects that the current access satellite signal is weakened and is about to fail to provide smooth communication, the group owner broadcasts a group pre-handoff notification message to all group members. The group members send the identity identifier IDi thereof to the group owner, and the group owner sends all the identifiers, the group identifier GID and the newly generated random number R3 to the current satellite;
(2) current satellite SA1Group the groupPre-handoff request message (ID 1.., IDn), R3, GID is forwarded to the mobile handoff security service system;
(3) the mobile switching safety service system predicts the next satellite to be accessed by the group according to the effective information such as group position information, satellite position information, current visiting network information, satellite track and the like, generates a corresponding authentication vector and sends the authentication vector to the target satellite in advance. The authentication vector generation process comprises the following steps: the mobile switching safety service system selects a random number R4, and looks for the shared secret key K corresponding to each group member IDi in the databaseAMFiWhere i is 1. And respectively calculating the message authentication codes XMACI ═ h (SNID, K)AMFi,R3),
Figure BDA0002683330380000171
New basic key
Figure BDA0002683330380000172
Of each terminal
Figure BDA0002683330380000173
And parameters such as the random number R4, the group identity GID, the XMAC and the like are sent to the target satellite through a safety channel established by networking.
S52, after completing the preparation work before switching, the following steps are carried out:
(1) when the switching is triggered, the group owner sends a group switching authentication request message containing the GID to the target satellite SA2
(2) Target satellite SA2After receiving the group switching authentication request, sending an XMAC value and an R4 value to the group owner; then, the target satellite calculates
Figure BDA0002683330380000181
And stores XRES 0.
(3) Upon receipt by the group owner, R3 and R4 are forwarded to the group members.
(4) Group member calculation
Figure BDA0002683330380000182
MAGi=h(SNID,KAMFi,R3),
Figure BDA0002683330380000183
And sends MACi and RESi to the group owner; group owner computing
Figure BDA0002683330380000184
Validating MAC (media access control) as XMAC, and if the validation is passed, calculating
Figure BDA0002683330380000185
Sending a group switch acknowledgement message RESO to the target satellite SA2(ii) a And sending a group switching success message to the group member satellite, comparing the message with the local XRESO after the group switching success message is received, and if the message is consistent with the local XRESO, the authentication is passed. The satellite and each group member will
Figure BDA0002683330380000186
As a base key.
In the embodiment of the present invention, the step S6 specifically includes:
s61, finding the group by a new member k (completing the terminal registration process), applying for joining the group, and sending a new member joining request message to the group owner, wherein the request message comprises a group identity identifier GID and a member identifier IDk; after receiving the new member join request, the group owner calculates a message authentication code s ═ h (GK, GID, IDk, (ID 1.., IDn), R5, 1). The group master sends the s, the IDk, the GID and the newly generated random number R5 to the entity identity management system;
s62, after receiving the request, the entity identity management system firstly searches the GK and the identifications (ID 1.., IDn) of all group members of the current group according to the GID, then verifies the validity of the S, and after the verification is passed, the following operations are carried out:
(1) selecting a random number R6, searching its database for the long-term shared key K of IDkk
(2) Computing MACk=h(SNID,Kk,R5),XRESk=h(Kk,R6),KAMFk=KDF(Kk,R6);
(3) Entity identity management system MACkAnd R6 is sent to the group owner. Group ownerForwarding MACkR6, R5 to the new member k.
S63, after receiving, the new member k verifies MAC firstkIf the verification is successful, calculating RESk=h(KkR6). Subsequently, the new member k will RESkAnd sending the information to the group owner, and forwarding the group owner to the entity identity management system.
S64, after receiving, the entity identity management system verifies RESk=XRESkIf the verification is successful, the entity identity management system carries out the following operations:
(1) calculating a new group key GK*=KDF(GK,R6,R5);
(2) Calculating UKj KDF (Kj, R6, R5), where j 1.. n, or j k;
(3) calculation of TGK*=KDF(GK*,R6);
(4) Subsequently, the entity identity management system will GID, TGK*,IDk,KAMFkSending the information to a mobile switching safety service system through a safety channel which is established in advance;
(5) finally, the entity identity management system sends a group key update notification message to the group owner, wherein the group key update notification message includes the GID, the identities IDj of all group members, and the group key GK encrypted with each UKj*And sending the data to the group owner.
S65, forwarding the group key update notice message by the group owner and R6, R5 to all the group members, wherein the group key update is GK*The group owner updates the existing group member list.
In the embodiment of the present invention, the step S7 specifically includes:
s71, when the member i in the group needs to quit the group, sending a quit request message to the group owner, wherein the quit request message contains the group identity GID and the identity IDi of the member; after the group owner receives the exit request, a message authentication code s ═ h (GK, GID, IDi, (ID 1.., IDn), R7, 0) is calculated. The group owner sends the s, the GID, the newly generated random number R7 and the identity of the member requesting to quit to the entity identity management system;
s72, after receiving the message, the entity identity management system firstly verifies the validity of S, and after the verification is passed, the following operations are carried out:
(1) selecting a random number R8 and a new GK*
(2) Calculating UKj ═ KDF (Kj, R8, R7), j ≠ 1.., n, and j ≠ i;
(3) calculation of TGK*=KDF(GK*,R8);
S73, after the entity ID management system updates the group key, it sends the group key update notice to the group owner, which contains the group ID GID, the random number R8, and the group key GK encrypted by UKj (j ≠ i)*The group owner forwards the group key update notification along with R7 to all group members. Existing group members update group key to GK*
S74, entity identity management system sends update notice of group key to mobile switching safety service system, updates related group key TGK of switching*
In the embodiment of the present invention, the step S8 specifically includes: (the embodiment of the present invention is an improvement based on all the above-described examples)
S81, the entity identity management system selects sk and pk as a private key and a public key respectively, and in the terminal registration process, the entity identity management system presets pk and ID | K to the terminal.
S82, in the registration process of the group members, the entity identity management system additionally presets a temporary identifier TGIDi in the group for each group member.
S83, in the group owner discovery process, each group member adopts TGIDi as temporary identification (replacement IDi) within the group.
S84, in the group access authentication process, each group member encrypts the identity IDi by the public key pk of the entity identity management system to obtain a ciphertext and sends the ciphertext to the group owner, and the group owner gathers all ciphertext messages and forwards the ciphertext messages to the entity identity management system. And the entity identity management system decrypts the received ID by using the private key sk to obtain the identity IDi. And then, the mobile switching safety service system calculates the terminal temporary identification TIDi and sends the TIDi to the satellite. The satellite uses the TIDi as a temporary identifier of the terminal i (the terminal side can also calculate the TIDi in the same way).
S85, in the process of group switching, the group members directly send TIDi to the current satellite SA1The current satellite forwards to the mobile handoff security service system. Then, the mobile switching safety service system calculates a new temporary identifier TIDi and sends the new temporary identifier TIDi as the target satellite SA2And the target satellite takes TIDi as a temporary identifier of the terminal i.
S86, in the joining process of the group members, the new member k encrypts the identity IDk thereof by the public key pk of the entity identity management system to obtain a ciphertext and sends the ciphertext to the group owner, and the group owner forwards the ciphertext to the entity identity management system. And the entity identity management system decrypts to obtain the IDk and generates the temporary identifier TGIDk in the group for the member k. And in the group key update notification message, the original IDk is replaced with the TGIDk.
S87, in the process of group member exit, the exit member i directly sends TGIDi to the group owner. The group owner forwards the group owner to the entity identity management system.
The safety analysis of the invention:
1) mutual authentication: in the process of performing group access authentication, on one hand, the group members can authenticate the validity of the entity identity management system according to XMAC, and on the other hand, the network side can authenticate all the group members through aggregated RESG generated by the group.
2) And (3) key agreement: in the group access authentication process, because the preset master key K is only available on the terminal side and the entity identity management system side, the entity identity management system derives the K according to the KAMFiThe information is sent to a mobile switching safety service system through a safety channel which is established in advance, and the mobile switching safety service system and the terminal are sent according to KAMFiDeriving a basic key K from a publicly transmitted random numberSat-i. Subsequently, the mobile switching security service system will KSat-iAnd sending to the satellite through a secure channel. Therefore, the basic key can be safely negotiated between the satellite and the terminal.
3) Separation of front and back keys: during each group access authentication process, a new random number R2 is generated for calculating the basic key KSat-iAnd thus the keys are independent of each other. Even if the current is acquiredThe basic key, the previous or subsequent basic key may not be available to an attacker. Therefore, the scheme can realize the separation of the front and the back keys.
4) Resisting replay attacks: in the group access authentication process, each group member judges whether the message is replayed by verifying XMAC, wherein the XMAC is generated by the entity identity management system according to a random number R1 generated by the group owner; and the entity identity management system side can judge whether the message is replayed by verifying the RESG, wherein the RESG is generated by the group according to the random number R2 of the entity identity management system.
5) And (3) resisting impersonation attack: in the group access authentication process, because the terminal side and the network side realize mutual authentication, an attacker cannot impersonate one party to communicate with the other party.
6) Privacy protection: in the process of executing group access authentication and switching authentication of privacy protection, the identity identifier IDi of each group member adopts the public key pk of the entity identity management system to carry out random encryption to obtain ciphertext, the ciphertext generated each time is different, and only the entity identity management system can decrypt to obtain the IDi. Then, the mobile handover security service system generates the TIDi for each group member to identify the terminal i, and the TIDi needs to be updated in each handover process. Therefore, the attacker cannot obtain the identification information of the terminal i and cannot track the terminal i. In addition, in the processes of group owner discovery, group member joining and group member quitting, the method and the system adopt the temporary identifier TGIDi in the group to replace IDi to identify each group member, so that the privacy disclosure of the terminal information can be avoided.
The above description is only for the purpose of illustrating the present invention and the appended claims are not to be construed as limiting the scope of the invention, which is intended to cover all modifications, equivalents and improvements that are within the spirit and scope of the invention as defined by the appended claims.

Claims (7)

1. A group access authentication and switching authentication method suitable for world integration is characterized in that the group access authentication and switching authentication method suitable for world integration is based on an improved existing 5G access authentication protocol, adopts a group authentication vector to realize one-time access authentication of all terminals of a group, provides a basic key for subsequent use of the terminals and a service network, and utilizes the basic key to establish safe switching to realize trusted communication maintenance; support the joining and exiting of members in the group; in the authentication process, a safety channel is established in advance among the satellite, the gateway station/network management system embedded foundation access authentication module, the mobile switching safety service system, the access authentication system and the entity identity management system;
the group access authentication and switching authentication method suitable for world integration comprises the following steps:
step one, a terminal registration process;
the second step, the registration process of group members;
step three, a group owner discovery process;
fourthly, group access authentication process; the method specifically comprises the following steps:
(1) when monitoring that the satellite network needs to be accessed, the group owner starts a timer, sets a timer trigger value, and broadcasts a group access authentication notification message to the surrounding, wherein the message contains a random number R1 newly generated by the group owner;
(2) after the terminal receives the group access authentication message broadcasted by the group owner, if the terminal needs to access the network, each group member sends a terminal access authentication request message to the group owner, wherein the terminal access authentication request message contains the identity identifier IDi of the terminal;
(3) when the timer time reaches, the group owner receives all the group member authentication requests, receives the authentication requests of n terminals, (ID1, ID 2.., IDn), the group identity GID and the random number R1 and sends the group identity GID and the random number R1 to the satellite, and the satellite forwards the group authentication request message to the ground foundation access domain access authentication module;
(4) the access authentication module of the ground-based access domain sends the ID1, the ID 2.., IDn, GID, R1 and the identity SNID of the access domain to an access authentication system;
(5) after receiving the group authentication and authorization request, the access authentication system sends a group authentication vector acquisition request to the entity identity management system;
(6) after receiving the authentication request message, the entity identity management system performs the following steps, wherein h is a safe hash function, and KDF is a key derivation function:
1) selecting a random number R2, and searching the shared key GK of the group and the long-term shared key Ki of each group member in a database of the random number R2;
2) computing
Figure FDA0003335257990000022
3) Computing a group temporary shared key TGK KDF (GK, R2);
4) calculating an authentication vector value XRESi ═ h (Ki, R2), KAMFiKDF (Ki, R2), authentication vector AVi ═ IDi | | | XRESi | | K for each terminalAMFi
5) Sending a group authentication vector acquisition response message to the access authentication system, wherein the response message comprises a random number R2, a group identity GID, a group temporary shared key TGK, a message authentication code XMAC and authentication vectors AVi of all group members;
(7) after receiving the group authentication vector acquisition response, the access authentication system performs the following steps:
1) computing
Figure FDA0003335257990000021
2) Calculating hxreg ═ h (R2, XRESG);
3) the access authentication system sends a group authentication authorization response message to the access authentication module of the ground-based access domain, wherein the group authentication authorization response message comprises R2, GID, TGK, XMAC, HXRSG and all IDi | | KAMFi
(8) After receiving the group authentication authorization response, the ground-based access domain access authentication module calculates the basic key K of each membersat-i=KDF(R2,KAMFiTGK); sending to satellite contains R2, XMAC, HXRSG and all IDi, KSat-iGroup authentication authorization response message;
(9) after the satellite receives the group authentication authorization response message, HXRESG is extracted,IDi,KSat-i(ii) a Then sending a group authentication response message R2, XMAC to the group owner; the group owner broadcasts R2 to the group members after receiving the message;
(10) after receiving the authentication response message, the group members calculate MACi h (SNID, Ki, R1), RESi h (Ki, R2), Ksat-iAnd sends MACi, RESi to the group owner;
(11) after the group owner receives the group member authentication confirmation information, the group owner calculates
Figure FDA0003335257990000023
Then verifying MAC as XMAC, and calculating after verification
Figure FDA0003335257990000024
Sending an authentication success message to the group members, sending a group authentication confirmation message RESG to the satellite, calculating the HRESG (h) (R2, RESG) by the satellite, comparing the HRESG with the HXRESG, and forwarding the RESG to the access authentication system if the verification is successful;
(12) after receiving the RESG message, the access authentication system compares the RESG with the XRESG, and if the comparison is successful, the group verification is passed; the group and the heaven-earth integrated network complete bidirectional authentication, and the satellite and each group member will have KSat-iAs a base key;
fifthly, a group switching process;
sixthly, group members join in the process;
seventhly, the group members quit the process;
and eighthly, the group access authentication and switching authentication method with privacy protection.
2. The method for space-ground integrated group access authentication and handover authentication of claim 1, wherein in the process of accessing the terminal to the authentication satellite network, the satellite sends the identification information of the terminal to the entity identity management system, the entity identity management system generates a corresponding authentication vector for the terminal and sends the authentication vector to the satellite, and the satellite performs mutual authentication and key agreement with the terminal by using the authentication vector; in the switching process, the mobile switching safety service system predicts the next satellite to be accessed by the group by combining the group position information, the satellite position information, the current visit network information and the satellite track effective information, generates a corresponding authentication vector and sends the authentication vector to a target satellite in advance, and when the group enters the coverage range of the target satellite, the mobile switching safety service system can perform quick authentication with the target satellite; in order to protect the privacy information of the user, a group access authentication and switching authentication method with privacy protection is adopted.
3. The method of claim 1, wherein the first step comprises:
(1) the registry sends a registration request to the entity identity management system;
(2) after receiving the registration request, the entity identity management system generates a permanent identity ID of the terminal, and then generates a preset master key K according to the ID; finally, the entity identity management system sends a registration response message containing ID I K to the registrar;
(3) the register writes the message into the terminal password module after receiving the message, and then off-line distributes the terminal password module K to the terminal;
the second step includes:
(1) after the terminal registration process is executed, terminals in the same area or terminals belonging to the same manager form a fixed group, and group members send registration requests to an entity identity management system, wherein the registration requests comprise group identity identifications GID and group member identity identifications ID;
(2) the entity identity management system generates a group shared key GK after receiving the group member registration request, and then sends a registration response message containing GID (general identifier | | | GK) to the registrar;
(3) the registrar writes the registration response into the cryptographic module of the terminal after receiving the registration response, and distributes the cryptographic module GK of the terminal to the group members in an off-line manner;
the third step includes:
(1) after the group member registration stage is completed, a group owner discovery process is executed in an off-line manner; each terminal has a value Xi for measuring the computing capacity and the storage capacity; in the registration process, each group member encrypts its own performance parameters including IDi and Xi by using a group shared key GK, and then broadcasts the encrypted performance parameters to the surroundings;
(2) each group member compares the received performance parameters for ranking and broadcasts an encrypted performance parameter ranking order (IDm, IDi, idj.)GK
(3) And if the value of the member m is the maximum in the performance parameter ranking of the group members exceeding 2/3, selecting m as the group owner, and broadcasting the effective information of the group owner to the group members.
4. The method for heaven-earth integrated group access authentication and handover authentication of claim 1, wherein the fifth step comprises:
(1) before a secure handover occurs, the following steps are required:
1) before switching, the terminal always keeps two group keys, a key GK shared with an entity identity management system and a temporary key TGK shared with a mobile switching security service system; when the group owner detects that the signal of the current access satellite is weakened and cannot provide smooth communication, the group owner broadcasts a group pre-switching notification message to all group members; the group members send the identity identifier IDi thereof to the group owner, and the group owner sends all the identifiers, the group identifier GID and the newly generated random number R3 to the current satellite;
2) current satellite SA1Forwarding the group pre-handoff request message (ID 1.., IDn), R3, GID to the mobile handoff security service system;
3) the mobile switching safety service system predicts the next satellite to be accessed by the group by combining the group position information, the satellite position information, the current visit network information and the satellite track effective information, generates a corresponding authentication vector and sends the authentication vector to a target satellite in advance; the authentication vector generation process comprises the following steps: the mobile switching safety service system selects a random number R4, and looks for the shared secret key K corresponding to each group member IDi in the databaseAMFiWherein i 1.. times, n, and calculating a message authentication code, respectively
Figure FDA0003335257990000051
New basic key
Figure FDA0003335257990000052
Of each terminal
Figure FDA0003335257990000053
The random number R4, the group identity identification GID and the XMAC parameter are sent to the target satellite through a safety channel established by networking;
(2) after the preparation work before switching is finished, the following steps are carried out:
1) when the switching is triggered, the group owner sends a group switching authentication request message containing the GID to the target satellite SA2
2) Target satellite SA2After receiving the group switching authentication request, sending an XMAC value and an R4 value to the group owner; then, the target satellite calculates
Figure FDA0003335257990000054
And storing XRES 0;
3) after the group owner receives the information, the R3 and the R4 are forwarded to the group members;
4) group member calculation
Figure FDA0003335257990000055
Figure FDA0003335257990000056
And sends MACi and RESi to the group owner; group owner computing
Figure FDA0003335257990000057
Validating MAC (media access control) as XMAC, and if the validation is passed, calculating
Figure FDA0003335257990000058
Sending a group switch acknowledgement message RES0 to the target satellite SA2(ii) a And sends a group switch success message to the group memberAfter receiving the satellite, the member satellite compares the satellite with the local XRES0, if the satellite is consistent with the local XRES0, the satellite passes the authentication, and the satellite and each group member are connected
Figure FDA0003335257990000059
As a base key.
5. The method for heaven-earth integrated group access authentication and handover authentication of claim 1, wherein the sixth step comprises:
(1) after the new member k finishes the terminal registration process, discovering the group, applying for joining the group, and sending a new member joining request message to the group owner, wherein the request message comprises a group identity identifier GID and a member identifier IDk; after receiving the new member join request, the group owner calculates a message authentication code s ═ h (GK, GID, IDk, (ID1, …, IDn), R5, 1); the group master sends the s, the IDk, the GID and the newly generated random number R5 to the entity identity management system; identification of all group members of the current group (ID 1.., IDn);
(2) after receiving the request, the entity identity management system firstly searches the GK and the identifications (ID 1.. said., IDn) of all group members of the current group according to the GID, then verifies the validity of the s, and performs the following operations after the verification is passed:
1) selecting a random number R6, searching its database for the long-term shared key K of IDkk
2) Computing MACk=h(SNID,Kk,R5),XRESk=h(Kk,R6),KAMFk=KDF(Kk,R6);
3) Entity identity management system MACkR6 is sent to the group owner, which forwards the MACkR6, R5 to new member k;
(3) upon receipt by the new member k, the MAC is first verifiedkIf the verification is successful, calculating RESk=h(KkR6); subsequently, the new member k will RESkSending the information to a group owner, and forwarding the group owner to an entity identity management system;
(4) after the entity identity management system receives the information, the entity identity management system verifies RESk=XRESkIf, ifAnd if the verification is successful, the entity identity management system performs the following operations:
1) calculating a new group key GK*=KDF(GK,R6,R5);
2) Calculating UKj KDF (Kj, R6, R5), where j 1.. n, or j k;
3) calculation of TGK*=KDF(GK*,R6);
4) Subsequently, the entity identity management system will GID, TGK*,IDk,KAMFkSending the information to a mobile switching safety service system through a safety channel which is established in advance;
5) finally, the entity identity management system sends a group key update notification message to the group owner, wherein the group key update notification message includes the GID, the identities IDj of all group members, and the group key GK encrypted with each UKj*Sending the data to the group owner;
(5) the group owner forwards the group key updating notification message and R6, R5 to all group members, and the group member updates the group key to GK*The group owner updates the existing group member list.
6. The method for heaven-earth integrated group access authentication and handover authentication of claim 1, wherein the seventh step comprises:
(1) when a member i in the group needs to quit the group, sending a quit request message to a group owner, wherein the quit request message comprises a group identity identification GID and an identity identification IDi of the member i; after receiving the quit request, the group owner calculates a message authentication code s ═ h (GK, GID, IDi, (D1.., IDn), R7, 0), and sends s, GID, a newly generated random number R7 and the identity of the member requesting to quit to the entity identity management system;
(2) after receiving the message, the entity identity management system firstly verifies the validity of the s, and after the verification is passed, the following operations are carried out:
1) selecting a random number R8 and a new GK*
2) Calculating UKj ═ KDF (Kj, R8, R7), j ≠ 1.., n, and j ≠ i;
3) calculation of TGK*=KDF(GK*,R8);
(3) After the entity identity management system updates the group key, it sends a group key update notification to the group owner containing the group identity GID, the random number R8, and the group key GK encrypted with UKj (j ≠ i)*The group owner forwards the group key update notification and R7 to all group members; existing group members update group key to GK*
(4) The entity identity management system sends a group key updating notice to the mobile switching security service system to update the group key TGK related to switching*
The eighth step includes:
(1) the entity identity management system selects sk and pk as a private key and a public key respectively, and in the terminal registration process, the entity identity management system presets pk and ID I K to the terminal; ID generates a preset master key K;
(2) in the registration process of group members, an entity identity management system additionally presets a temporary identifier TGIDi in a group for each group member;
(3) in the group owner discovery process, each group member adopts TGIDi as temporary identification in the group to replace IDi;
(4) in the group access authentication process, each group member encrypts an identity identifier IDi by adopting a public key pk of the entity identity management system to obtain a ciphertext and sends the ciphertext to a group owner, and the group owner converges all ciphertext messages and forwards the ciphertext messages to the entity identity management system; the entity identity management system decrypts the received identity identifier IDi by using a private key sk of the entity identity management system to obtain an identity identifier IDi, then the mobile switching security service system calculates a terminal temporary identifier TIDi, the TIDi is sent to a satellite, the satellite uses the TIDi as a temporary identifier of a terminal i, and a terminal side can also calculate the TIDi;
(5) in the group switching process, the group members directly send the TIDi to the current satellite SA1The current satellite forwards the current satellite to a mobile switching safety service system; then, the mobile switching safety service system calculates a new temporary identifier TIDi and sends the new temporary identifier TIDi as the target satellite SA2The target satellite takes TIDi as a temporary identifier of the terminal i;
(6) in the joining process of the group members, a new member k encrypts an identity identifier IDk of the new member k by using a public key pk of an entity identity management system to obtain a ciphertext and sends the ciphertext to a group owner, the group owner forwards the ciphertext to the entity identity management system, the entity identity management system decrypts the ciphertext to obtain the IDk, generates a temporary identifier TGIDk in the group for the member k, and replaces the original IDk by using the TGIDk in a group key updating notification message;
(7) in the process of group member exit, the exit member i directly sends TGIDi to the group owner, and the group owner forwards the TGIDi to the entity identity management system.
7. A heaven-earth integrated group access authentication and handover authentication system for implementing the heaven-earth integrated group access authentication and handover authentication method according to any one of claims 1 to 6, wherein the heaven-earth integrated group access authentication and handover authentication system comprises: the system comprises group members, a satellite access node, a gateway station/network management system embedded foundation access domain access authentication module, an entity identity management system, an access authentication system and a mobile switching security service system;
the satellite access node represents an access network in a satellite network and is mainly responsible for forwarding and processing messages between the group members and the ground gateway station;
the gateway station/network management system is an interface for accessing a satellite into a ground network and is connected with the mobile switching safety service system, the access authentication system and the entity identity management system through a ground wired network; the gateway station/network management system and the mobile switching safety service system are both affiliated to the visiting network server;
the entity identity management system is responsible for completing the registration of all entities including group members, satellites and ground station entities and distributing long-term shared keys and group shared keys to different entities;
the access authentication system is responsible for authenticating the validity of the group members, and both the access authentication system and the entity identity management system belong to a home network server;
the mobile switching safety service system is responsible for the quick authentication and authorization of the group members in the moving process.
CN202010968822.4A 2020-09-15 2020-09-15 Group access authentication and switching authentication method suitable for world integration and application Active CN112243235B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010968822.4A CN112243235B (en) 2020-09-15 2020-09-15 Group access authentication and switching authentication method suitable for world integration and application

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010968822.4A CN112243235B (en) 2020-09-15 2020-09-15 Group access authentication and switching authentication method suitable for world integration and application

Publications (2)

Publication Number Publication Date
CN112243235A CN112243235A (en) 2021-01-19
CN112243235B true CN112243235B (en) 2021-12-28

Family

ID=74170943

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010968822.4A Active CN112243235B (en) 2020-09-15 2020-09-15 Group access authentication and switching authentication method suitable for world integration and application

Country Status (1)

Country Link
CN (1) CN112243235B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113159872B (en) * 2021-02-26 2024-03-29 西安电子科技大学 Privacy protection online billing service authentication method, system, storage medium and application
CN112953726B (en) * 2021-03-01 2022-09-06 西安电子科技大学 Satellite-ground and inter-satellite networking authentication method, system and application for fusing double-layer satellite network
CN115694599A (en) * 2021-07-31 2023-02-03 华为技术有限公司 Transmission method, system and related device
CN114024594B (en) * 2021-11-09 2023-10-20 北京中科晶上科技股份有限公司 Communication method and device of satellite communication system
CN114466318B (en) * 2022-01-30 2023-04-07 西安电子科技大学 Method, system and equipment for realizing multicast service effective authentication and key distribution protocol
CN115361055B (en) * 2022-08-16 2023-07-21 中国科学院上海微系统与信息技术研究所 Inter-satellite switching method of satellite communication system based on user group

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109039436A (en) * 2018-10-23 2018-12-18 中国科学院信息工程研究所 A kind of method and system of safety satellite access authentication

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10033702B2 (en) * 2015-08-05 2018-07-24 Intralinks, Inc. Systems and methods of secure data exchange
CN105262593B (en) * 2015-09-25 2018-07-13 长春理工大学 Based on the cross-domain anonymous Identity authentication method of the encrypted spatial network of hyperchaos

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109039436A (en) * 2018-10-23 2018-12-18 中国科学院信息工程研究所 A kind of method and system of safety satellite access authentication

Also Published As

Publication number Publication date
CN112243235A (en) 2021-01-19

Similar Documents

Publication Publication Date Title
CN112243235B (en) Group access authentication and switching authentication method suitable for world integration and application
Fang et al. Security for 5G mobile wireless networks
Xue et al. A lightweight and secure group key based handover authentication protocol for the software-defined space information network
Cao et al. A simple and robust handover authentication between HeNB and eNB in LTE networks
KR101486030B1 (en) Method for combining authentication and secret keys management mechanism in a sensor network
CN110035037B (en) Security authentication method, related equipment and system
US20020120844A1 (en) Authentication and distribution of keys in mobile IP network
CN101006682B (en) Fast network attchment
US20060233376A1 (en) Exchange of key material
CN101356759A (en) Token-based distributed generation of security keying material
CN110636495B (en) Method for terminal user safety roaming authentication in fog computing system
CN105007164B (en) Centralized safety control method and device
CN107920350A (en) Privacy protection switching authentication method based on SDN and 5G heterogeneous network
CN112235792B (en) Multi-type terminal access and switching authentication method, system, equipment and application
Zhang et al. Dynamic group based authentication protocol for machine type communications
Liu et al. A secure and efficient authentication protocol for satellite-terrestrial networks
CN112564775A (en) Spatial information network access control system and authentication method based on block chain
CN116546491A (en) Method, device and system for anchor key generation and management for encrypted communication with a service application in a communication network
CN115396887A (en) Rapid and safe switching authentication method, device and system for high-speed mobile terminal
WO2005064973A1 (en) Authentication in a communication network
CN105981028B (en) Network element certification on communication network
KR20090002328A (en) Method for joining new device in wireless sensor network
CN114946153A (en) Method, device and system for application key generation and management in a communication network in encrypted communication with a service application
Compagno et al. An ICN-based authentication protocol for a simplified LTE architecture
CN101729998A (en) Information transmission, common guide architecture, and authentication method, system and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant