CN112333705A - Identity authentication method and system for 5G communication network - Google Patents

Identity authentication method and system for 5G communication network Download PDF

Info

Publication number
CN112333705A
CN112333705A CN202110015618.5A CN202110015618A CN112333705A CN 112333705 A CN112333705 A CN 112333705A CN 202110015618 A CN202110015618 A CN 202110015618A CN 112333705 A CN112333705 A CN 112333705A
Authority
CN
China
Prior art keywords
authentication
function module
random number
hash value
identifier
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110015618.5A
Other languages
Chinese (zh)
Other versions
CN112333705B (en
Inventor
沈玉勤
焦显伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Telecom Easiness Information Technology Co Ltd
Original Assignee
Beijing Telecom Easiness Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Telecom Easiness Information Technology Co Ltd filed Critical Beijing Telecom Easiness Information Technology Co Ltd
Priority to CN202110015618.5A priority Critical patent/CN112333705B/en
Publication of CN112333705A publication Critical patent/CN112333705A/en
Application granted granted Critical
Publication of CN112333705B publication Critical patent/CN112333705B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3242Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless

Abstract

The invention relates to an identity authentication method and system for a 5G communication network. The safety anchor function sends a first random number and a service identifier to the user equipment, the user equipment and the authentication certificate storage and processing function module respectively select a second random number and a third random number, the freshness of the message is ensured by using the random numbers to replace sequence numbers (SQN), and different failure messages do not need to be sent for synchronization failure, so that the possibility of tracking is avoided; when the user equipment encrypts the user permanent identifier, the user equipment directly uses the shared secret key for encryption, so that the problems of calculation overhead and Public Key Infrastructure (PKI) are directly avoided; the authentication credential storage and processing functional module can avoid resource consumption if the identity verification information comes from an attacker in the authentication of the user equipment; entities participating in authentication are mutually authenticated, so that impersonation attack is avoided, and the communication security is ensured. The user can safely and efficiently carry out identity authentication.

Description

Identity authentication method and system for 5G communication network
Technical Field
The invention relates to the field of information security, in particular to an identity authentication method and system for a 5G communication network.
Background
The fifth Generation mobile communication technology (5 th-Generation, 5G) aims to build a user-centered omnidirectional information ecosystem and realize intelligent interconnection of people and everything. While enjoying the convenience of 5G, it should be appreciated that the access devices of the system are no longer single communication devices, but also include application-specific Internet of things-oriented devices, which collect the privacy information of the user, such as health information, life footprint, etc. Therefore, to ensure that the private information of the user is not leaked, the 5G communication system will provide more reliable security protection. The 5G communication system also adds security features such as protection of International Mobile Subscriber Identity (IMSI), integrity protection of user data, non-repudiation of service request, and the like, on the basis of inheriting Long Term Evolution (LTE) system security.
The 5G AKA authentication process is a crucial process in the 5G communication system, and only if the mutual authentication of the identities between the terminal and the network and the establishment of the security context are realized through the 5G AKA authentication process, the terminal can utilize the key in the security context to carry out confidentiality and integrity protection on the transmitted data. Although security has been enhanced over previous generations, some unrealistic system assumptions have been discovered that are critical to security, and the marginal aspects of the protocol make 5G communication systems vulnerable to a variety of attacks, such as: with different failure causes (MAC or synchronization), leading to tracking of the target user; to provide privacy protection and prevent revealing user identity, 5G-AKA implements an Elliptic Curve Integrated Encryption Scheme (ECIES), which, however, can lead to computational overhead and Public Key Infrastructure (PKI) problems; denial of service (DOS) attacks result in resource consumption.
Disclosure of Invention
The invention aims to provide an identity authentication method and an identity authentication system for a 5G communication network, which improve the safety and the efficiency of 5G communication network communication.
In order to achieve the purpose, the invention provides the following scheme:
an identity authentication method for a 5G communication network, comprising:
the user equipment acquires the service identifier and the first random number sent by the safety anchor function module, and selects a second random number;
the user equipment generates authentication data and a first authentication code according to the second random number, the service identifier, the first random number, the user permanent identifier and the shared key, and sends the authentication data and the first authentication code to the safety anchor function module;
the safety anchor function module sends the received authentication data and the first authentication code to an authentication server function module;
the authentication server function module decrypts the authentication data and the first authentication code to obtain the service identifier, and judges whether the safety anchor function module is authorized according to the service identifier;
when the security anchor function module is authorized, sending the authentication data and the first authentication code to an authentication credential storage and processing function module;
the authentication credential storage and processing functional module decrypts the authentication data and the first authentication code by using a user identifier hiding function to obtain a user hidden identifier; verifying the first authentication code by using the user hidden identifier;
when the authentication passes, the authentication credential storage and processing functional module selects a third random number, determines a second authentication code, a first authentication token and a first hash value according to the authentication data, the first authentication code, the user hidden identifier and the third random number, and derives a first key to obtain a first authentication vector; the first authentication vector comprises the third random number, the first authentication token, the first hash value, the first key, and the user hidden identifier;
the authentication credential storage and processing functional module sends the first authentication vector to the authentication server functional module;
the authentication server function module generates a second authentication vector according to the first authentication vector and sends the second authentication vector to the safety anchor function module; the second authentication vector comprises the third random number, the first authentication token, the second hash value, the second key, and the user hidden identifier;
the safety anchor function module calculates a third authentication code and a second authentication token according to the second authentication vector; sending the first authentication token, the third random number and the second authentication token to the user equipment;
the user equipment verifies the second authentication vector according to the first authentication token and the second authentication token; when the verification is passed, the user equipment determines a third hash value and the first key and the second key according to the first authentication token, the third random number and the second authentication token, and sends the third hash value to the security anchor function module;
the safety anchor function module determines a fourth hash value according to the third hash value; and determining whether the fourth hash value is equal to the second hash value in the second authentication vector;
when the fourth hash value is equal to the second hash value, the security anchor function module sending the third hash value to the authentication server function module;
the authentication server function module matches the second hash value with the first hash value; if the matching is successful, the authentication server function module sends a successful identity verification message to the safety anchor function module; the successful authentication message includes a user permanent identifier.
Optionally, the user equipment generates authentication data and a first authentication code according to the second random number, the service identifier, the first random number, the user permanent identifier, and the shared key, and sends the authentication data and the first authentication code to the security anchor function module, which specifically includes:
the user equipment generates a user hidden identifier according to the second random number, the service identifier, the first random number, the user permanent identifier and the shared secret key;
the user equipment generates the first authentication code according to the user hidden identifier, the second random number, the service identifier and the first random number;
the user equipment generates the authentication data according to the user hidden identifier, the second random number and the service identification.
Optionally, the authenticating server function module decrypts the authentication data and the first authentication code to obtain the service identifier, and determines whether the security anchor function module is authorized according to the service identifier, and specifically includes:
the authentication server function module decrypts the authentication data and the first authentication code to obtain the service identifier;
acquiring a desired network name set;
judging whether the service identification belongs to the expected network name set or not;
if yes, the safety anchor function module is authorized;
if not, the safety anchor function module is not authorized.
Optionally, the authentication server function module generates a second authentication vector according to the first authentication vector, and sends the second authentication vector to the security anchor function module, and the method specifically includes:
the authentication server function module stores the first hash value and the first key and generates the second hash value and the second key;
and generating a second authentication vector according to the second hash value, the second key and the first authentication vector.
Optionally, the verifying, by the user equipment, the second authentication vector according to the first authentication token and the second authentication token specifically includes:
the user equipment determines a third authentication code and a second authentication code according to the first authentication token, the second authentication token and the second authentication vector;
judging whether the third authentication code and the second authentication code are the same;
if the two are the same, the verification is passed;
if not, the verification fails.
An identity authentication system for a 5G communication network, comprising:
the user equipment acquires a data unit, and is used for acquiring the service identifier and the first random number sent by the safety anchor function module and selecting a second random number;
a first sending unit of user equipment data, configured to generate, by the user equipment, authentication data and a first authentication code according to the second random number, the service identifier, the first random number, a user permanent identifier, and a shared key, and send the authentication data and the first authentication code to the security anchor function module;
the first data sending unit of the safety anchor function module is used for sending the received authentication data and the first authentication code to the authentication server function module by the safety anchor function module;
the first decryption verification unit is used for decrypting the authentication data and the first authentication code by the authentication server functional module to obtain the service identifier and judging whether the safety anchor functional module is authorized or not according to the service identifier;
an authentication server function module data transmitting unit for transmitting the authentication data and the first authentication code to an authentication credential storage and processing function module when the security anchor function module is authorized;
the second decryption verification unit is used for decrypting the authentication data and the first authentication code by the authentication credential storage and processing functional module by using a user identifier hiding function to obtain a user hidden identifier; verifying the first authentication code by using the user hidden identifier;
the first authentication vector determining unit is used for selecting a third random number by the authentication credential storage and processing functional module when the authentication passes, determining a second authentication code, a first authentication token and a first hash value according to the authentication data, the first authentication code, the user hidden identifier and the third random number, and deriving a first key to obtain a first authentication vector; the first authentication vector comprises the third random number, the first authentication token, the first hash value, the first key, and the user hidden identifier;
a first authentication vector sending unit, configured to send the first authentication vector to the authentication server function module by the authentication credential storage and processing function module;
a second authentication vector determining and sending unit, configured to generate, by the authentication server function module, a second authentication vector according to the first authentication vector, and send the second authentication vector to the security anchor function module; the second authentication vector comprises the third random number, the first authentication token, the second hash value, the second key, and the user hidden identifier;
the second data sending unit of the safety anchor function module is used for calculating a third authentication code and a second authentication token by the safety anchor function module according to the second authentication vector; sending the first authentication token, the third random number and the second authentication token to the user equipment;
a first verification unit, configured to verify, by the user equipment, the second authentication vector according to the first authentication token and the second authentication token; when the verification is passed, the user equipment determines a third hash value and the first key and the second key according to the first authentication token, the third random number and the second authentication token, and sends the third hash value to the security anchor function module;
the second verification unit is used for determining a fourth hash value by the safety anchor function module according to the third hash value; and determining whether the fourth hash value is equal to the second hash value in the second authentication vector;
a third sending unit of the security anchor function module data, configured to send the third hash value to the authentication server function module when the fourth hash value is equal to the second hash value;
a verification success unit for the authentication server function module to match the second hash value with the first hash value; if the matching is successful, the authentication server function module sends a successful identity verification message to the safety anchor function module; the successful authentication message includes a user permanent identifier.
Optionally, the first user equipment data sending unit specifically includes:
a user hidden identifier generating subunit, configured to generate, by the user equipment, a user hidden identifier according to the second random number, the service identifier, the first random number, the user permanent identifier, and the shared key;
a first authentication code generation subunit, configured to generate, by the user equipment, the first authentication code according to the user hidden identifier, the second random number, the service identifier, and the first random number;
and the authentication data generation subunit is used for generating the authentication data by the user equipment according to the user hidden identifier, the second random number and the service identifier.
Optionally, the first decryption verification unit specifically includes:
the service identifier determining subunit is used for decrypting the authentication data and the first authentication code by the authentication server functional module to obtain the service identifier;
an expected network name set obtaining subunit, configured to obtain an expected network name set;
a judging subunit, configured to judge whether the service identifier belongs to the expected network name set;
the safety anchor function module authorized subunit is used for authorizing the safety anchor function module if the safety anchor function module belongs to the authorized subunit;
the security anchor function module is not authorized subunit, if not, the security anchor function module is not authorized.
According to the specific embodiment provided by the invention, the invention discloses the following technical effects:
according to the identity authentication method and system for the 5G communication network, the safety anchor function sends the first random number and the service identifier to the user equipment, the user equipment and the authentication credential storage and processing function module respectively select the second random number and the third random number, the freshness of the message is ensured by using the random numbers to replace sequence numbers (SQN), and different failure messages do not need to be sent for synchronization failure, so that the possibility of tracking is avoided; when the user equipment encrypts the user permanent identifier, the user equipment directly uses the shared secret key for encryption, so that the problems of calculation overhead and Public Key Infrastructure (PKI) are directly avoided; the authentication credential storage and processing functional module can avoid resource consumption if the identity verification information comes from an attacker in the authentication of the user equipment; entities participating in authentication are mutually authenticated, so that impersonation attack is avoided, and the communication security is ensured. The user can safely and efficiently carry out identity authentication.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings without inventive exercise.
Fig. 1 is a schematic flow chart of an identity authentication method for a 5G communication network according to the present invention;
fig. 2 is a schematic diagram of an identity authentication method for a 5G communication network according to the present invention;
fig. 3 is a simplified flowchart of an identity authentication method for a 5G communication network according to the present invention;
fig. 4 is a schematic structural diagram of an identity authentication system for a 5G communication network according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention aims to provide an identity authentication method and an identity authentication system for a 5G communication network, which improve the safety and the efficiency of 5G communication network communication.
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
Fig. 1 is a schematic flow chart of an identity authentication method for a 5G communication network provided by the present invention, and as shown in fig. 1, the identity authentication method for a 5G communication network provided by the present invention includes:
s101, the user equipment obtains the service identifier and the first random number sent by the safety anchor function module, and selects a second random number.
S102, the user equipment generates authentication data and a first authentication code according to the second random number, the service identification, the first random number, the user permanent identifier and the shared secret key, and sends the authentication data and the first authentication code to the safety anchor function module.
S102 specifically comprises the following steps:
and the user equipment generates a user hidden identifier according to the second random number, the service identification, the first random number, the user permanent identifier and the shared secret key.
The user equipment generates the first authentication code according to the user hidden identifier, the second random number, the service identifier and the first random number.
The user equipment generates the authentication data according to the user hidden identifier, the second random number and the service identification.
S103, the safety anchor function module sends the received authentication data and the first authentication code to an authentication server function module.
S104, the authentication server function module decrypts the authentication data and the first authentication code to obtain the service identifier, and judges whether the safety anchor function module is authorized according to the service identifier.
S104 specifically comprises the following steps:
and the authentication server functional module decrypts the authentication data and the first authentication code to obtain the service identifier.
A desired set of network names is obtained.
And judging whether the service identification belongs to the expected network name set.
And if so, the safety anchor function module is authorized.
If not, the safety anchor function module is not authorized.
S105, when the safety anchor function module is authorized, the authentication data and the first authentication code are sent to an authentication credential storage and processing function module.
S106, the authentication credential storage and processing functional module decrypts the authentication data and the first authentication code by using a user identifier hiding function to obtain a user hidden identifier; and verifying the first authentication code by using the user hidden identifier.
S107, when the authentication passes, the authentication credential storage and processing functional module selects a third random number, determines a second authentication code, a first authentication token and a first hash value according to the authentication data, the first authentication code, the user hidden identifier and the third random number, and derives a first key to obtain a first authentication vector; the first authentication vector includes the third random number, the first authentication token, the first hash value, the first key, and the user hidden identifier.
S108, the authentication credential storage and processing functional module sends the first authentication vector to the authentication server functional module.
S109, the authentication server function module generates a second authentication vector according to the first authentication vector and sends the second authentication vector to the safety anchor function module; the second authentication vector includes the third random number, the first authentication token, the second hash value, the second key (anchor key), and the user hidden identifier.
S109 specifically comprises:
the authentication server function module stores the first hash value and the first key, and generates the second hash value and the second key (anchor key).
A second authentication vector is generated from the second hash value, the second key (anchor key) and the first authentication vector.
S110, the safety anchor function module calculates a third authentication code and a second authentication token according to the second authentication vector; and sending the first authentication token, the third random number and the second authentication token to the user equipment.
S111, the user equipment verifies the second authentication vector according to the first authentication token and the second authentication token; when the verification is passed, the user equipment determines a third hash value and the first key and the second key (anchor key) according to the first authentication token, the third random number and the second authentication token, and sends the third hash value to the security anchor function module.
S111 specifically includes:
and the user equipment determines a third authentication code and a second authentication code according to the first authentication token, the second authentication token and the second authentication vector.
And judging whether the third authentication code and the second authentication code are the same.
If the two are the same, the verification is passed.
If not, the verification fails.
S112, the safety anchor function module determines a fourth hash value according to the third hash value; and determining whether the fourth hash value is equal to the second hash value in the second authentication vector.
S113, when the fourth hash value is equal to the second hash value, the security anchor function module sends the third hash value to the authentication server function module.
S114, the authentication server function module matches the second hash value with the first hash value; if the matching is successful, the authentication server function module sends a successful identity verification message to the safety anchor function module; the successful authentication message includes a user permanent identifier.
As shown in fig. 2 and fig. 3, as a specific embodiment, the UE is a user equipment, the SEAF is a security anchor function module, and the SN isnameFor service identification, K is a shared secret key, SUPI is a user permanent identifier, R1Is a first random number, R2As a second random number, SUCI is a user hidden identifier, SUCI = K (SUPI, R)1,R2,SNname),MACUEFor the first authentication code, use one-way hash function f1 kComputing MACUE =f1 k(SUCI,R1,R2,R1,SNname),MUETo authenticate the data, MUE= (SUCI,R2,SNname) AUSF is authentication server function module, ARPF is authentication certificate storage and processing function module, SIDF is user identifier hiding function, RARPFIs a third random number, MACARPFBeing a second authentication code, MACARPF= f1 k (RARPF,R1,R2, SNname) AUTN is the first authentication token, AUTN = (R)ARPF, MACARPF) XRES is the first hash value, XRES = f4(RARPF,R1,R2SUPI, K), first authentication vector 5G HE AV = (R)ARPF,XRES*,AUTN,SUPI,KAUSF),KAUSFIs the first key, 5G AV is the second authentication vector, 5G AV = (R)ARPF,HXRES*,AUTN,SUPI,KSEAF) HXRES is the second hash value, HXRES = SHA256 (R)ARPF, XRES*),KSEAFIs a second key, KSEAF = KeySeed(K,RARPF,R1,R2,SNname),MACSEAFIs a third authentication code, AUTHSEAFIs a second authentication token, AUTHSEAF = (R2, MACSEAF) RES is the third hash value, HRES is the fourth hash value.
As shown in fig. 2 and 3, the specific authentication method is as follows:
the method comprises the following steps: in the initialization phase, the SEAF Sends (SN) to the UEname,R1)。
Step two: when the UE receives the message, the UE generates R2Generating authentication data and an authentication code (M)UE,MACUE) Sent to the SEAF.
Step three: SEAF receives M sent by UEUEAnd MACUEThen, it is sent to the AUSF for further verification.
Step four: after receiving the authentication data request message, AUSF pair receives SNnameCompares it with the expected network name to check if the requesting SEAF in the serving network is authorized, and then (M)UE,MACUE) Sent to the ARPF.
Step five: after ARPF receives the authentication request message, the SIDF decrypts SUCI, and calculates MACUE(ii) a Generation of RARPFComputing MACARPFAUTN; calculate XRES, and KAUSFThen, 5G HE AV = (R) is transmittedARPF,XRES*,AUTN,SUPI,KAUSF) To AUSF. I.e. the user identifier hiding function SIDF uses K to decrypt the user hidden identifier SUCI to obtain the user permanent identifier SUPI, R1,R2,SNname
Step six: upon receipt of ARPF messages, AUSF stores XRES, KAUSF(ii) a Then, an authentication vector 5G AV = (R) is generatedARPF,HXRES*,AUTN,SUPI,KSEAF) Then 5G AVSent to the SEAF.
Step seven: upon receiving the AUSF message, the SEAF calculates the MACSEAF,AUTHSEAFThen (R) isARPF ,AUTN,AUTHSEAF) And sending the information to the UE.
Step eight: upon receipt of the information, the UE verifies the freshness of the 5G AV and verifies the MAC by calculationARPFAnd MACSEAFIf equal, calculating RES and KAUSFAnd KSEAF(ii) a And finally, the UE sends RES to the SEAF.
Step nine: after receiving the message sent by the UE, the SEAF calculates HRES, compares it with HXRES, and if equal, indicates that the authentication is successful, and then sends RES to the AUSF.
Step ten: for mutual authentication with the UE, the AUSF receives RES, matches XRES, and if equal and the 5G AV is not expired, sends a successful authentication message to the SEAF containing the user permanent identifier SUPI.
Fig. 4 is a schematic structural diagram of an identity authentication system for a 5G communication network, shown in fig. 4, the identity authentication system for a 5G communication network provided by the present invention includes:
the ue obtaining data unit 401 is configured to obtain, by the ue, the service identifier and the first random number sent by the security anchor function module, and select a second random number.
A first user equipment data sending unit 402, configured to generate, by the user equipment, authentication data and a first authentication code according to the second random number, the service identifier, the first random number, a user permanent identifier, and a shared key, and send the authentication data and the first authentication code to the security anchor function module.
A first sending unit 403 of the data of the security anchor function module, configured to send the received authentication data and the first authentication code to an authentication server function module by the security anchor function module.
A first decryption verification unit 404, configured to decrypt the authentication data and the first authentication code by the authentication server function module to obtain the service identifier, and determine whether the security anchor function module is authorized according to the service identifier.
An authentication server function module data sending unit 405, configured to send the authentication data and the first authentication code to an authentication credential storage and processing function module when the security anchor function module is authorized.
A second decryption verification unit 406, configured to decrypt, by using a user identifier hiding function, the authentication data and the first authentication code by the authentication credential storage and processing function module to obtain a user hidden identifier; and verifying the first authentication code by using the user hidden identifier.
A first authentication vector determining unit 407, configured to select a third random number by the authentication credential storage and processing function module when the authentication passes, determine a second authentication code, a first authentication token, and a first hash value according to the authentication data, the first authentication code, the user hidden identifier, and the third random number, and derive a first key to obtain a first authentication vector; the first authentication vector includes the third random number, the first authentication token, the first hash value, the first key, and the user hidden identifier.
A first authentication vector sending unit 408, configured to the authentication credential storage and processing function module to send the first authentication vector to the authentication server function module.
A second authentication vector determining and sending unit 409, configured to generate, by the authentication server function module, a second authentication vector according to the first authentication vector, and send the second authentication vector to the security anchor function module; the second authentication vector includes the third random number, the first authentication token, the second hash value, the second key (anchor key), and the user hidden identifier.
A second sending unit 410 of data of the security anchor function module, configured to calculate, by the security anchor function module, a third authentication code and a second authentication token according to the second authentication vector; and sending the first authentication token, the third random number and the second authentication token to the user equipment.
A first verification unit 411, configured to verify, by the user equipment, the second authentication vector according to the first authentication token and the second authentication token; when the verification is passed, the user equipment determines a third hash value and the first key and the second key (anchor key) according to the first authentication token, the third random number and the second authentication token, and sends the third hash value to the security anchor function module.
A second verification unit 412, configured to determine, by the security anchor function module, a fourth hash value according to the third hash value; and determining whether the fourth hash value is equal to the second hash value in the second authentication vector.
A third sending unit 413 of the security anchor function module data, configured to, when the fourth hash value is equal to the second hash value, the security anchor function module sends the third hash value to the authentication server function module.
A verification success unit 414, configured to match the second hash value with the first hash value by the authentication server function module; if the matching is successful, the authentication server function module sends a successful identity verification message to the safety anchor function module; the successful authentication message includes a user permanent identifier.
The first user equipment data sending unit 402 specifically includes:
and a user hidden identifier generating subunit, configured to generate, by the user equipment, a user hidden identifier according to the second random number, the service identifier, the first random number, the user permanent identifier, and the shared key.
A first authentication code generation subunit, configured to generate, by the user equipment, the first authentication code according to the user hidden identifier, the second random number, the service identifier, and the first random number.
And the authentication data generation subunit is used for generating the authentication data by the user equipment according to the user hidden identifier, the second random number and the service identifier.
The first decryption verification unit 404 specifically includes:
and the service identifier determining subunit is used for decrypting the authentication data and the first authentication code by the authentication server functional module to obtain the service identifier.
And the expected network name set acquiring subunit is used for acquiring an expected network name set.
And the judging subunit is used for judging whether the service identifier belongs to the expected network name set.
The security anchor function module is authorized subunit, configured to authorize the security anchor function module if the security anchor function module belongs to the security anchor function module.
The security anchor function module is not authorized subunit, if not, the security anchor function module is not authorized.
The invention has the following beneficial effects:
1. by using the invention, the shared secret key K in 5G is adopted for the confidentiality of the user identity, thereby reducing the corresponding calculation expense and the PKI problem of the public key infrastructure.
2. The method provided by the invention ensures the freshness of the message by replacing the sequence number SQN with the random number, thereby avoiding the authentication failure caused by the synchronization problem of the sequence number SQN and sending the failure message, and further avoiding the tracking possibility.
3. The method provided by the invention can reduce the attack of the identity authentication information and greatly consume network resources by advancing the authentication of the user.
4. The communication entities in the method provided by the invention carry out mutual authentication, thereby avoiding impersonation attack and ensuring the security of communication.
5. The method provided by the invention is calculated by generating random numbers, and can ensure that each authentication process is different from the last authentication process, namely, the method can resist replay attack.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the system disclosed by the embodiment, the description is relatively simple because the system corresponds to the method disclosed by the embodiment, and the relevant points can be referred to the method part for description.
The principles and embodiments of the present invention have been described herein using specific examples, which are provided only to help understand the method and the core concept of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, the specific embodiments and the application range may be changed. In view of the above, the present disclosure should not be construed as limiting the invention.

Claims (8)

1. An identity authentication method for a 5G communication network, comprising:
the user equipment acquires the service identifier and the first random number sent by the safety anchor function module, and selects a second random number;
the user equipment generates authentication data and a first authentication code according to the second random number, the service identifier, the first random number, the user permanent identifier and the shared key, and sends the authentication data and the first authentication code to the safety anchor function module;
the safety anchor function module sends the received authentication data and the first authentication code to an authentication server function module;
the authentication server function module decrypts the authentication data and the first authentication code to obtain the service identifier, and judges whether the safety anchor function module is authorized according to the service identifier;
when the security anchor function module is authorized, sending the authentication data and the first authentication code to an authentication credential storage and processing function module;
the authentication credential storage and processing functional module decrypts the authentication data and the first authentication code by using a user identifier hiding function to obtain a user hidden identifier; verifying the first authentication code by using the user hidden identifier;
when the authentication passes, the authentication credential storage and processing functional module selects a third random number, determines a second authentication code, a first authentication token and a first hash value according to the authentication data, the first authentication code, the user hidden identifier and the third random number, and derives a first key to obtain a first authentication vector; the first authentication vector comprises the third random number, the first authentication token, the first hash value, the first key, and the user hidden identifier;
the authentication credential storage and processing functional module sends the first authentication vector to the authentication server functional module;
the authentication server function module generates a second authentication vector according to the first authentication vector and sends the second authentication vector to the safety anchor function module; the second authentication vector comprises the third random number, the first authentication token, the second hash value, the second key, and the user hidden identifier;
the safety anchor function module calculates a third authentication code and a second authentication token according to the second authentication vector; sending the first authentication token, the third random number and the second authentication token to the user equipment;
the user equipment verifies the second authentication vector according to the first authentication token and the second authentication token; when the verification is passed, the user equipment determines a third hash value and the first key and the second key according to the first authentication token, the third random number and the second authentication token, and sends the third hash value to the security anchor function module;
the safety anchor function module determines a fourth hash value according to the third hash value; and determining whether the fourth hash value is equal to the second hash value in the second authentication vector;
when the fourth hash value is equal to the second hash value, the security anchor function module sending the third hash value to the authentication server function module;
the authentication server function module matches the second hash value with the first hash value; if the matching is successful, the authentication server function module sends a successful identity verification message to the safety anchor function module; the successful authentication message includes a user permanent identifier.
2. The identity authentication method of claim 1, wherein the user equipment generates authentication data and a first authentication code according to the second random number, the service identifier, the first random number, a user permanent identifier and a shared key, and sends the authentication data and the first authentication code to the security anchor function module, and specifically comprises:
the user equipment generates a user hidden identifier according to the second random number, the service identifier, the first random number, the user permanent identifier and the shared secret key;
the user equipment generates the first authentication code according to the user hidden identifier, the second random number, the service identifier and the first random number;
the user equipment generates the authentication data according to the user hidden identifier, the second random number and the service identification.
3. The identity authentication method for a 5G communication network according to claim 1, wherein the authentication server function module decrypts the authentication data and the first authentication code to obtain the service identifier, and determines whether the security anchor function module is authorized according to the service identifier, specifically comprising:
the authentication server function module decrypts the authentication data and the first authentication code to obtain the service identifier;
acquiring a desired network name set;
judging whether the service identification belongs to the expected network name set or not;
if yes, the safety anchor function module is authorized;
if not, the safety anchor function module is not authorized.
4. The identity authentication method according to claim 1, wherein the authentication server function module generates a second authentication vector according to the first authentication vector, and sends the second authentication vector to the security anchor function module, and specifically comprises:
the authentication server function module stores the first hash value and the first key and generates the second hash value and the second key;
and generating a second authentication vector according to the second hash value, the second key and the first authentication vector.
5. The identity authentication method for a 5G communication network according to claim 1, wherein the verifying the second authentication vector by the user equipment according to the first authentication token and the second authentication token specifically comprises:
the user equipment determines a third authentication code and a second authentication code according to the first authentication token, the second authentication token and the second authentication vector;
judging whether the third authentication code and the second authentication code are the same;
if the two are the same, the verification is passed;
if not, the verification fails.
6. An identity authentication system for a 5G communication network, comprising:
the user equipment acquires a data unit, and is used for acquiring the service identifier and the first random number sent by the safety anchor function module and selecting a second random number;
a first sending unit of user equipment data, configured to generate, by the user equipment, authentication data and a first authentication code according to the second random number, the service identifier, the first random number, a user permanent identifier, and a shared key, and send the authentication data and the first authentication code to the security anchor function module;
the first data sending unit of the safety anchor function module is used for sending the received authentication data and the first authentication code to the authentication server function module by the safety anchor function module;
the first decryption verification unit is used for decrypting the authentication data and the first authentication code by the authentication server functional module to obtain the service identifier and judging whether the safety anchor functional module is authorized or not according to the service identifier;
an authentication server function module data transmitting unit for transmitting the authentication data and the first authentication code to an authentication credential storage and processing function module when the security anchor function module is authorized;
the second decryption verification unit is used for decrypting the authentication data and the first authentication code by the authentication credential storage and processing functional module by using a user identifier hiding function to obtain a user hidden identifier; verifying the first authentication code by using the user hidden identifier;
the first authentication vector determining unit is used for selecting a third random number by the authentication credential storage and processing functional module when the authentication passes, determining a second authentication code, a first authentication token and a first hash value according to the authentication data, the first authentication code, the user hidden identifier and the third random number, and deriving a first key to obtain a first authentication vector; the first authentication vector comprises the third random number, the first authentication token, the first hash value, the first key, and the user hidden identifier;
a first authentication vector sending unit, configured to send the first authentication vector to the authentication server function module by the authentication credential storage and processing function module;
a second authentication vector determining and sending unit, configured to generate, by the authentication server function module, a second authentication vector according to the first authentication vector, and send the second authentication vector to the security anchor function module; the second authentication vector comprises the third random number, the first authentication token, the second hash value, the second key, and the user hidden identifier;
the second data sending unit of the safety anchor function module is used for calculating a third authentication code and a second authentication token by the safety anchor function module according to the second authentication vector; sending the first authentication token, the third random number and the second authentication token to the user equipment;
a first verification unit, configured to verify, by the user equipment, the second authentication vector according to the first authentication token and the second authentication token; when the verification is passed, the user equipment determines a third hash value and the first key and the second key according to the first authentication token, the third random number and the second authentication token, and sends the third hash value to the security anchor function module;
the second verification unit is used for determining a fourth hash value by the safety anchor function module according to the third hash value; and determining whether the fourth hash value is equal to the second hash value in the second authentication vector;
a third sending unit of the security anchor function module data, configured to send the third hash value to the authentication server function module when the fourth hash value is equal to the second hash value;
a verification success unit for the authentication server function module to match the second hash value with the first hash value; if the matching is successful, the authentication server function module sends a successful identity verification message to the safety anchor function module; the successful authentication message includes a user permanent identifier.
7. The identity authentication system used in a 5G communication network according to claim 6, wherein the first sending unit of the user equipment data specifically comprises:
a user hidden identifier generating subunit, configured to generate, by the user equipment, a user hidden identifier according to the second random number, the service identifier, the first random number, the user permanent identifier, and the shared key;
a first authentication code generation subunit, configured to generate, by the user equipment, the first authentication code according to the user hidden identifier, the second random number, the service identifier, and the first random number;
and the authentication data generation subunit is used for generating the authentication data by the user equipment according to the user hidden identifier, the second random number and the service identifier.
8. The identity authentication system for a 5G communication network according to claim 6, wherein the first decryption verification unit specifically comprises:
the service identifier determining subunit is used for decrypting the authentication data and the first authentication code by the authentication server functional module to obtain the service identifier;
an expected network name set obtaining subunit, configured to obtain an expected network name set;
a judging subunit, configured to judge whether the service identifier belongs to the expected network name set;
the safety anchor function module authorized subunit is used for authorizing the safety anchor function module if the safety anchor function module belongs to the authorized subunit;
the security anchor function module is not authorized subunit, if not, the security anchor function module is not authorized.
CN202110015618.5A 2021-01-07 2021-01-07 Identity authentication method and system for 5G communication network Active CN112333705B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110015618.5A CN112333705B (en) 2021-01-07 2021-01-07 Identity authentication method and system for 5G communication network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110015618.5A CN112333705B (en) 2021-01-07 2021-01-07 Identity authentication method and system for 5G communication network

Publications (2)

Publication Number Publication Date
CN112333705A true CN112333705A (en) 2021-02-05
CN112333705B CN112333705B (en) 2021-04-02

Family

ID=74301509

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110015618.5A Active CN112333705B (en) 2021-01-07 2021-01-07 Identity authentication method and system for 5G communication network

Country Status (1)

Country Link
CN (1) CN112333705B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112804680A (en) * 2021-04-15 2021-05-14 北京电信易通信息技术股份有限公司 Mobile terminal equipment safety authentication method and system based on chaotic mapping
CN113709731A (en) * 2021-08-02 2021-11-26 深圳供电局有限公司 Encryption method and system of 5G security protocol

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103997728A (en) * 2013-02-19 2014-08-20 中国移动通信集团公司 Bidirectional authentication method and system of phone card
CN108347417A (en) * 2017-01-24 2018-07-31 华为技术有限公司 A kind of method for network authorization, user equipment, network authentication node and system
CN109446788A (en) * 2018-10-12 2019-03-08 广州杰赛科技股份有限公司 A kind of identity identifying method and device, computer storage medium of equipment
EP3703406A1 (en) * 2019-02-27 2020-09-02 Samsung Electronics Co., Ltd. Methods and systems for mitigating denial of service (dos) attack in a wireless network

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103997728A (en) * 2013-02-19 2014-08-20 中国移动通信集团公司 Bidirectional authentication method and system of phone card
CN108347417A (en) * 2017-01-24 2018-07-31 华为技术有限公司 A kind of method for network authorization, user equipment, network authentication node and system
CN109446788A (en) * 2018-10-12 2019-03-08 广州杰赛科技股份有限公司 A kind of identity identifying method and device, computer storage medium of equipment
EP3703406A1 (en) * 2019-02-27 2020-09-02 Samsung Electronics Co., Ltd. Methods and systems for mitigating denial of service (dos) attack in a wireless network

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112804680A (en) * 2021-04-15 2021-05-14 北京电信易通信息技术股份有限公司 Mobile terminal equipment safety authentication method and system based on chaotic mapping
CN112804680B (en) * 2021-04-15 2021-07-09 北京电信易通信息技术股份有限公司 Mobile terminal equipment safety authentication method and system based on chaotic mapping
CN113709731A (en) * 2021-08-02 2021-11-26 深圳供电局有限公司 Encryption method and system of 5G security protocol

Also Published As

Publication number Publication date
CN112333705B (en) 2021-04-02

Similar Documents

Publication Publication Date Title
ES2706540T3 (en) User equipment credentials system
KR100832893B1 (en) A method for the access of the mobile terminal to the WLAN and for the data communication via the wireless link securely
US7734280B2 (en) Method and apparatus for authentication of mobile devices
ES2584862T3 (en) Authentication in data communication
EP2416524B1 (en) System and method for secure transaction of data between wireless communication device and server
US8578164B2 (en) Method of one-way access authentication
Cheikhrouhou et al. A lightweight user authentication scheme for wireless sensor networks
CN107820239B (en) Information processing method and device
JP2012110009A (en) Methods and arrangements for secure linking of entity authentication and ciphering key generation
CN113824570B (en) Block chain-based security terminal authentication method and system
Xu et al. An anonymous handover authentication scheme based on LTE-A for vehicular networks
WO2007028328A1 (en) Method, system and device for negotiating about cipher key shared by ue and external equipment
Claeys et al. Securing complex IoT platforms with token based access control and authenticated key establishment
CN112312393A (en) 5G application access authentication method and 5G application access authentication network architecture
Mishra et al. A pairing-free identity based authentication framework for cloud computing
CN112333705B (en) Identity authentication method and system for 5G communication network
Parne et al. PPSE: Privacy preservation and security efficient AKA protocol for 5G communication networks
CN101192927A (en) Authorization based on identity confidentiality and multiple authentication method
CN112399407B (en) 5G network authentication method and system based on DH ratchet algorithm
Shashidhara et al. On the design of lightweight and secure mutual authentication system for global roaming in resource-limited mobility networks
WO2021093811A1 (en) Network access method and related device
KR20090002328A (en) Method for joining new device in wireless sensor network
Sivaselvan et al. Authentication and capability-based access control: An integrated approach for IoT environment
CN112118569A (en) Group authentication method and system in asynchronous group communication of LTE network machine type communication equipment
Zemao et al. Optimizing PKI for 3GPP authentication and key agreement

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: An identity authentication method and system for 5g communication network

Effective date of registration: 20220218

Granted publication date: 20210402

Pledgee: Bank of Jiangsu Limited by Share Ltd. Beijing branch

Pledgor: BEIJING TELECOMMUNICATION YITONG INFORMATION TECHNOLOGY Co.,Ltd.

Registration number: Y2022110000036