CN113038463B - Communication encryption authentication experimental device - Google Patents

Publication number: CN113038463B
Authority: China (CN)
Legal status: Active
Application number: CN202110335517.6A
Other versions: CN113038463A
Inventors: 朱红岩, 安波
Current Assignee: Beijing Zhengqidun Data Security Technology Co ltd
Original Assignee: Beijing Zhengqidun Data Security Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W12/06 Authentication

Abstract

The embodiment of the invention relates to a communication encryption authentication experimental device, which comprises an upper computer communication module, a 5G analog terminal module and a user identity identification module. Using the experimental device, the SUCI data calculated by the upper computer can be verified, and the results of encrypting/decrypting communication original text data calculated by the upper computer can be verified.

Description

Communication encryption authentication experimental device
Technical Field
The invention relates to the technical field of data processing, in particular to a communication encryption authentication experimental device.
Background
In recent years, as fifth generation mobile communication (5G) technology and Internet of Things technology have matured and developed, many colleges and universities have begun to incorporate part of this content into their teaching syllabuses and have customized and developed corresponding experimental equipment and experimental systems. However, many of these experimental apparatuses and systems lack an experimental apparatus for communication encryption authentication, such as an experimental apparatus for Subscription Concealed Identifier (SUCI) authentication and for the encryption/decryption of communication original text data.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a communication encryption authentication experimental device which comprises an upper computer communication module, a 5G simulation terminal module and a user identity identification module. By using the test device, the SUCI calculated by the upper computer can be verified, and the communication encryption/decryption original text data calculated by the upper computer can be verified.
In order to achieve the above object, an embodiment of the present invention provides a communication encryption authentication experimental apparatus, including: an upper computer communication module, a 5G analog terminal module and a user identity identification module;
the upper computer communication module is connected with the upper computer and the 5G analog terminal module; the upper computer communication module is used for receiving first experiment instruction data sent from the upper computer; sending the first experiment instruction data to the 5G simulation terminal module; receiving first experiment instruction return data sent back from the 5G simulation terminal module; and sending the first experiment instruction return data back to the upper computer;
the 5G simulation terminal module is connected with the user identity identification module; the 5G simulation terminal module is used for identifying the instruction type of the first experiment instruction data;
when the instruction type is a communication encryption authentication instruction, extracting first plaintext data and first algorithm identification data from the first experiment instruction data; establishing a first data channel with the user identity identification module according to the Bearer Independent Protocol (BIP); sending the first plaintext data and the first algorithm identification data to the user identity identification module through the first data channel; receiving first ciphertext authentication data sent back from the user identity identification module; assembling and generating the first experiment instruction return data according to the first ciphertext authentication data, and sending the first experiment instruction return data back to the upper computer communication module;
when the instruction type is a communication decryption authentication instruction, extracting first ciphertext data and second algorithm identification data from the first experiment instruction data; establishing a second data channel with the user identity identification module according to the BIP protocol; sending the first ciphertext data and the second algorithm identification data to the user identity identification module through the second data channel; receiving first plaintext authentication data sent back from the user identity identification module; assembling and generating the first experiment instruction return data according to the first plaintext authentication data, and sending the first experiment instruction return data back to the upper computer communication module;
when the instruction type is a Subscription Concealed Identifier (SUCI) authentication instruction, assembling and generating SUCI authentication instruction data and sending it to the user identity identification module; receiving SUCI authentication data sent back from the user identity identification module; assembling and generating the first experiment instruction return data according to the SUCI authentication data, and sending the first experiment instruction return data back to the upper computer communication module;
the user identity identification module is used for encrypting the first plaintext data by using a data encryption processing flow corresponding to the first algorithm identification data after receiving the first plaintext data and the first algorithm identification data, so as to generate first ciphertext authentication data; sending the first ciphertext authentication data back to the 5G analog terminal module;
the user identity identification module is further configured to decrypt the first ciphertext data by using a data decryption processing flow corresponding to the second algorithm identification data after receiving the first ciphertext data and the second algorithm identification data, and generate the first plaintext authentication data; the first plaintext authentication data are sent back to the 5G analog terminal module;
the user identity identification module is also used for carrying out SUCI calculation on the locally stored Subscription Permanent Identifier (SUPI) data according to a specified SUCI calculation processing flow after receiving the SUCI authentication instruction data, to generate the SUCI authentication data; and sending the SUCI authentication data back to the 5G analog terminal module.
Preferably,
the upper computer communication module comprises a plurality of upper computer communication interfaces; the upper computer communication interfaces comprise a Universal Serial Bus (USB) communication interface, a Serial Peripheral Interface (SPI) communication interface, a two-wire serial bus (I2C) communication interface, a Universal Asynchronous Receiver/Transmitter (UART) communication interface and an International Organization for Standardization ISO 7816 communication interface.
Preferably,
the 5G analog terminal module is specifically configured to establish the first data channel or the second data channel with the subscriber identity module using an OPEN CHANNEL instruction of the BIP protocol.
Preferably,
the first algorithm identification data and the second algorithm identification data each comprise first identification data and second identification data;
the first identification data comprises an RSA algorithm, a Data Encryption Standard (DES) algorithm, a Triple Data Encryption Standard (3DES) algorithm, an Advanced Encryption Standard (AES) algorithm, a national cryptographic SM1 algorithm, a national cryptographic SM2 algorithm and a national cryptographic SM4 algorithm;
the second identification data comprises an Electronic Codebook (ECB) mode, a Cipher Block Chaining (CBC) mode and a Counter (CTR) mode.
Preferably,
the user identity recognition module is specifically configured to recognize the first identification data of the first algorithm identification data when encrypting the first plaintext data;
if the first identification data of the first algorithm identification data is the RSA algorithm or the SM2 algorithm, selecting a corresponding RSA or SM2 encryption key, and encrypting the first plaintext data by using a corresponding RSA or SM2 algorithm;
identifying the second identification data of the first algorithm identification data if the first identification data of the first algorithm identification data is the DES algorithm, the 3DES algorithm, the SM1 algorithm, or the SM4 algorithm; when the second identification data of the first algorithm identification data is the ECB mode, selecting a corresponding DES, 3DES, SM1 or SM4 encryption key, and carrying out ECB mode encryption of the corresponding DES, 3DES, SM1 or SM4 algorithm on the first plaintext data; when the second identification data of the first algorithm identification data is in the CBC mode, selecting the DES, 3DES, SM1 or SM4 encryption key, and performing the CBC mode encryption of the corresponding DES, 3DES, SM1 or SM4 algorithm on the first plaintext data;
if the first identification data of the first algorithm identification data is the AES algorithm, identifying the second identification data of the first algorithm identification data; when the second identification data of the first algorithm identification data is the ECB mode, selecting a corresponding AES encryption key, and carrying out ECB mode encryption of an AES algorithm on the first plaintext data; and when the second identification data of the first algorithm identification data is the CTR mode, selecting the AES encryption key, and encrypting the first plaintext data in the CTR mode of the AES algorithm.
Preferably,
the user identity identification module is specifically configured to identify the first identification data of the second algorithm identification data when decrypting the first ciphertext data;
if the first identification data of the second algorithm identification data is the RSA algorithm or the SM2 algorithm, selecting a corresponding RSA or SM2 decryption key, and performing corresponding RSA or SM2 algorithm decryption on the first ciphertext data;
identifying the second identification data of the second algorithm identification data if the first identification data of the second algorithm identification data is the DES algorithm, the 3DES algorithm, the SM1 algorithm, or the SM4 algorithm; when the second identification data of the second algorithm identification data is the ECB mode, selecting a corresponding DES, 3DES, SM1 or SM4 decryption key, and performing ECB mode decryption of the corresponding DES, 3DES, SM1 or SM4 algorithm on the first ciphertext data; when the second identification data of the second algorithm identification data is the CBC mode, selecting the DES, 3DES, SM1 or SM4 decryption key, and performing CBC mode decryption of the corresponding DES, 3DES, SM1 or SM4 algorithm on the first ciphertext data;
if the first identification data of the second algorithm identification data is the AES algorithm, identifying the second identification data of the second algorithm identification data; when the second identification data of the second algorithm identification data is the ECB mode, selecting a corresponding AES decryption key, and performing ECB mode decryption of the AES algorithm on the first ciphertext data; and when the second identification data of the second algorithm identification data is the CTR mode, selecting the AES decryption key, and performing CTR mode decryption of the AES algorithm on the first ciphertext data.
Preferably,
the user identity identification module is specifically used, when SUCI calculation is carried out, for performing shared key calculation processing on preset operator public key data and local authentication private key data according to a specified shared key algorithm, to generate first shared key data; performing shared information calculation processing on preset local authentication public key data and the local authentication private key data according to a specified shared information algorithm, to generate first shared information data; performing key derivation (key dispersion) processing on the first shared key data and the first shared information data according to a specified key derivation algorithm, to generate first encryption key data, first initial counter data and first verification key data; taking the first initial counter data as the initial counter of AES encryption, and encrypting the SUPI data in the CTR mode of the AES algorithm by using the first encryption key data, to generate first encrypted data; performing verification code calculation on the first encrypted data and the first verification key data according to a specified verification algorithm, to generate first verification code data; and splicing the first encrypted data and the first verification code data according to a specified SUCI data format to generate the SUCI authentication data.
Further,
the specified shared key algorithm is the X25519 algorithm; the specified shared information algorithm is the Elliptic-Curve-Point-Octet-String Conversion algorithm; the specified key dispersion (key derivation) algorithm is the ANSI-X9.63-KDF algorithm; the specified verification algorithm is the HMAC-SHA-256 algorithm.
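The SUCI calculation flow described above, written out as an added example (not code from the patent or its applicant) using the named algorithms: X25519, ANSI-X9.63-KDF, AES in CTR mode and HMAC-SHA-256. The 16/16/32-byte key split, the 8-byte truncated verification code and the output layout (public key, ciphertext, verification code) are assumptions taken from 3GPP TS 33.501 Annex C Profile A; the primitives are pure-Python teaching implementations, and the keys and SUPI bytes are sample values.

```python
import hashlib, hmac
P, A24 = 2**255 - 19, 121665
BASEPOINT = (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 via the Montgomery ladder. Teaching code, not constant-time."""
    k_int = (int.from_bytes(k, "little") & ((1 << 255) - 8)) | (1 << 254)  # clamp scalar
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k_int >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, (aa - bb) * (aa + A24 * (aa - bb)) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def _gmul(a: int, b: int) -> int:  # multiply in GF(2^8) modulo the AES polynomial 0x11B
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _sbox_entry(x: int) -> int:
    inv = 1
    for _ in range(254):  # x^254 is the field inverse (0 stays 0)
        inv = _gmul(inv, x)
    rot = [((inv << i) | (inv >> (8 - i))) & 0xFF for i in range(5)]
    return rot[0] ^ rot[1] ^ rot[2] ^ rot[3] ^ rot[4] ^ 0x63  # affine transform

SBOX = [_sbox_entry(x) for x in range(256)]

def _round_keys(key: bytes) -> list:  # AES-128 key schedule: 11 round keys of 16 bytes
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[v] for v in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _gmul(rcon, 2)
        w.append([p ^ q for p, q in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes128_encrypt_block(key: bytes, block: bytes) -> bytes:
    rks = _round_keys(key)
    s = [v ^ k for v, k in zip(block, rks[0])]
    for rnd in range(1, 11):
        s = [SBOX[v] for v in s]                                            # SubBytes
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd < 10:                                                        # MixColumns
            s = [_gmul(s[4 * c + r], 2) ^ _gmul(s[4 * c + (r + 1) % 4], 3)
                 ^ s[4 * c + (r + 2) % 4] ^ s[4 * c + (r + 3) % 4]
                 for c in range(4) for r in range(4)]
        s = [v ^ k for v, k in zip(s, rks[rnd])]                            # AddRoundKey
    return bytes(s)

def aes128_ctr(key: bytes, icb: bytes, data: bytes) -> bytes:  # same call decrypts
    ctr, out = int.from_bytes(icb, "big"), bytearray()
    for off in range(0, len(data), 16):
        ks = aes128_encrypt_block(key, ctr.to_bytes(16, "big"))
        out += bytes(d ^ k for d, k in zip(data[off:off + 16], ks))
        ctr = (ctr + 1) % (1 << 128)
    return bytes(out)

def x963_kdf(z: bytes, shared_info: bytes, length: int) -> bytes:
    """ANSI X9.63 KDF with SHA-256: Hash(Z || counter || SharedInfo), counter from 1."""
    return b"".join(hashlib.sha256(z + i.to_bytes(4, "big") + shared_info).digest()
                    for i in range(1, (length + 31) // 32 + 1))[:length]

def conceal(supi: bytes, operator_pub: bytes, local_priv: bytes) -> bytes:
    """Steps of the flow above; sizes and output layout are assumed (Profile A)."""
    local_pub = x25519(local_priv, BASEPOINT)                # shared information data
    k = x963_kdf(x25519(local_priv, operator_pub), local_pub, 64)
    ct = aes128_ctr(k[:16], k[16:32], supi)                  # enc key, initial counter
    tag = hmac.new(k[32:], ct, hashlib.sha256).digest()[:8]  # verification code
    return local_pub + ct + tag

def deconceal(out: bytes, operator_priv: bytes) -> bytes:  # operator-side check
    peer_pub, ct, tag = out[:32], out[32:-8], out[-8:]
    k = x963_kdf(x25519(operator_priv, peer_pub), peer_pub, 64)
    if not hmac.compare_digest(tag, hmac.new(k[32:], ct, hashlib.sha256).digest()[:8]):
        raise ValueError("SUCI verification code mismatch")
    return aes128_ctr(k[:16], k[16:32], ct)

# Sample keys are the RFC 7748 section 6.1 test keys; the SUPI bytes are constructed.
LOCAL_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
OPERATOR_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
OPERATOR_PUB = x25519(OPERATOR_PRIV, BASEPOINT)
SUPI = bytes.fromhex("1032547698")
suci = conceal(SUPI, OPERATOR_PUB, LOCAL_PRIV)
print(suci.hex(), deconceal(suci, OPERATOR_PRIV) == SUPI)
```

Because the local authentication key pair is preset rather than generated per run, the same inputs always produce the same bytes, which is what lets the upper computer compare its own result with the device's output byte for byte.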
The embodiment of the invention provides a communication encryption authentication experimental device which comprises an upper computer communication module, a 5G simulation terminal module and a user identity identification module. By using the test device, the SUCI calculated by the upper computer can be verified, and the communication encryption/decryption original text data calculated by the upper computer can be verified, so that the defects of test equipment in the current test system are overcome, and the completeness of the test system is improved.
Drawings
Fig. 1 is a block diagram of a communication encryption authentication experimental apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
After a developer has written program code for encrypting/decrypting communication original text data or for SUCI authentication, the program code can be installed on an upper computer as a verification program, and the communication encryption authentication experimental device provided by the embodiment of the invention is used to authenticate its calculation results. Fig. 1 is a block diagram of a communication encryption authentication experimental apparatus according to an embodiment of the present invention. The apparatus may be a terminal device or a server implementing the functions of the present invention, or an apparatus connected to such a terminal device or server; for example, it may be an apparatus or a chip system of the terminal device or the server. As shown in Fig. 1, the apparatus includes an upper computer communication module 101, a 5G analog terminal module 102 and a user identity identification module 103.
The upper computer communication module 101 is connected with an upper computer and a 5G analog terminal module 102; the upper computer communication module 101 is used for receiving first experiment instruction data sent from an upper computer; sending the first experiment instruction data to the 5G simulation terminal module 102; receiving first experiment instruction return data sent back from the 5G simulation terminal module 102; and sending the first experiment instruction return data back to the upper computer.
Here, the upper computer communication module 101 includes a plurality of upper computer communication interfaces; the upper computer communication interfaces include a Universal Serial Bus (USB) communication interface, a Serial Peripheral Interface (SPI) communication interface, a two-wire serial bus (I2C) communication interface, a Universal Asynchronous Receiver/Transmitter (UART) communication interface, and an ISO 7816 communication interface of the International Organization for Standardization (ISO).
Here, the upper computer communication module 101 may be connected to the upper computer through any one of the interfaces. The upper computer is a device, equipment or server on which a user verification program is installed. When a user needs to verify their own data encryption program code, the plaintext to be encrypted and an algorithm identifier can be packaged in first experiment instruction data that is specifically a communication encryption authentication instruction; the first experiment instruction data is sent to the experimental device through the upper computer communication module 101, and the first experiment instruction return data returned from the experimental device is then compared with the data calculated by the user's data encryption program code. When a user needs to verify their own data decryption program code, the ciphertext to be decrypted and an algorithm identifier can be packaged in first experiment instruction data that is specifically a communication decryption authentication instruction; the first experiment instruction data is sent to the experimental device through the upper computer communication module 101, and the first experiment instruction return data returned from the experimental device is then compared with the data calculated by the user's data decryption program code. When a user needs to verify their own SUCI calculation program code, the first experiment instruction data can be set as the SUCI authentication instruction and sent to the experimental device through the upper computer communication module 101, and the first experiment instruction return data returned from the experimental device is then compared with the data calculated by the user's SUCI calculation program code.
The 5G analog terminal module 102 is connected with the user identity identification module 103; the 5G simulation terminal module 102 is used for identifying the instruction type of the first experiment instruction data;
when the instruction type is a communication encryption authentication instruction, extracting first plaintext data and first algorithm identification data from first experiment instruction data; establishing a first data channel with the user identity recognition module 103 according to a Bearer Independent Protocol (BIP); the first plaintext data and the first algorithm identification data are sent to the user identity identification module 103 through a first data channel; receiving first ciphertext authentication data sent back from the user identity recognition module 103; according to the first ciphertext authentication data, assembling to generate first experiment instruction return data, and sending the first experiment instruction return data back to the upper computer communication module 101;
when the instruction type is a communication decryption authentication instruction, extracting first ciphertext data and second algorithm identification data from the first experiment instruction data; establishing a second data channel with the user identity identification module 103 according to the BIP protocol; the first ciphertext data and the second algorithm identification data are sent to the user identity identification module 103 through a second data channel; receiving first plaintext authentication data sent back from the user identification module 103; according to the first plaintext authentication data, first experiment instruction return data are generated in an assembling mode and sent back to the upper computer communication module 101;
when the command type is identified as a SUCI authentication command, SUCI authentication command data is generated by assembly and sent to the user identity identification module 103; and receives the SUCI authentication data sent back from the user identification module 103; and according to the SUCI authentication data, assembling and generating first experiment instruction return data, and sending the first experiment instruction return data back to the upper computer communication module 101.
Here, the experimental apparatus provided in the embodiment of the present invention supports calculation of the ciphertext/plaintext data involved in encrypting/decrypting communication original text data, and also supports calculation of the SUCI authentication data involved in SUCI authentication. All three calculation processes are completed by the 5G analog terminal module 102 calling the user identity recognition module 103, and three experiment instructions agreed between the upper computer and the 5G analog terminal module 102 are used to activate the three processing flows: the communication encryption authentication instruction, the communication decryption authentication instruction and the SUCI authentication instruction.
In a specific implementation manner provided in the embodiment of the present invention, the 5G analog terminal module 102 is specifically configured to establish the first data channel or the second data channel with the subscriber identity module 103 by using an OPEN CHANNEL instruction of the BIP protocol.
Here, the BIP protocol is a data transmission protocol based on a logical channel rather than a physical channel; based on the BIP protocol, large data can be transmitted in blocks and reassembled after transmission. The embodiment of the invention does not specifically limit the length of the data for encryption/decryption operations transmitted between the 5G analog terminal module 102 and the user identity identification module 103, so in order to ensure the integrity of data transmission, the embodiment of the invention specifically uses the BIP protocol to complete data transmission when processing communication encryption/decryption authentication. Before data is transmitted using the protocol, the protocol requires that one of its commands, the OPEN CHANNEL command, be used to create a logical channel, i.e. the first and second data channels mentioned above.
The user identity recognition module 103 is configured to encrypt the first plaintext data by using a data encryption processing flow corresponding to the first algorithm identification data after receiving the first plaintext data and the first algorithm identification data, and generate first ciphertext authentication data; and sends the first ciphertext authentication data back to the 5G analog terminal module 102.
In another specific implementation manner provided in the embodiment of the present invention, the user identity recognition module 103 is specifically configured to, when encrypting the first plaintext data, recognize the first identification data of the first algorithm identification data;
if the first identification data of the first algorithm identification data is RSA algorithm or SM2 algorithm, selecting corresponding RSA or SM2 encryption keys, and encrypting the first plaintext data by using corresponding RSA or SM2 algorithm;
if the first identification data of the first algorithm identification data is a DES algorithm, a 3DES algorithm, an SM1 algorithm or an SM4 algorithm, identifying the second identification data; when the second identification data of the first algorithm identification data is the ECB mode, selecting a corresponding DES, 3DES, SM1 or SM4 encryption key, and carrying out ECB mode encryption on the first plaintext data by using the corresponding DES, 3DES, SM1 or SM4 algorithm; when the second identification data of the first algorithm identification data is the CBC mode, selecting a DES, 3DES, SM1 or SM4 encryption key, and carrying out CBC mode encryption on the first plaintext data by using the corresponding DES, 3DES, SM1 or SM4 algorithm;
if the first identification data of the first algorithm identification data is an AES algorithm, identifying the second identification data; when the second identification data of the first algorithm identification data is in the ECB mode, selecting a corresponding AES encryption key, and carrying out ECB mode encryption on the first plaintext data; and when the second identification data of the first algorithm identification data is in the CTR mode, selecting an AES encryption key, and encrypting the first plaintext data in the CTR mode of the AES algorithm.
Wherein the first algorithm identification data comprises first identification data and second identification data; the first identification data includes an RSA algorithm, a Data Encryption Standard (DES) algorithm, a Triple Data Encryption Standard (3DES) algorithm, an Advanced Encryption Standard (AES) algorithm, a national cryptographic SM1 algorithm, a national cryptographic SM2 algorithm, and a national cryptographic SM4 algorithm, and the second identification data includes an Electronic Codebook (ECB) mode, a Cipher Block Chaining (CBC) mode, and a Counter (CTR) mode.
Here, the first algorithm identification data includes first identification data representing the specific algorithm type and second identification data representing the specific mode of the current algorithm type. The embodiment of the invention supports encryption processing with a plurality of algorithms. The asymmetric algorithms supported include at least RSA and SM2; when the first identification data is the RSA or SM2 algorithm there is no mode distinction, so the second identification data does not need to be identified. The symmetric algorithms supported include at least DES, 3DES, AES, SM1 and SM4; because the symmetric algorithms all have mode distinctions, the second identification data needs to be identified when the first identification data is the DES, 3DES, AES, SM1 or SM4 algorithm. Therefore, the encryption processing supported by the embodiment of the present invention includes: RSA encryption, SM2 encryption, DES ECB/CBC mode encryption, 3DES ECB/CBC mode encryption, SM1 ECB/CBC mode encryption, SM4 ECB/CBC mode encryption, and AES ECB/CTR mode encryption. In practical experimental application, the user verification program installed on the upper computer encrypts the first plaintext data to obtain ciphertext data to be verified; meanwhile, the upper computer calls the verification device provided by the embodiment of the invention to calculate the corresponding first ciphertext authentication data; the verification program on the upper computer then compares the ciphertext data to be verified with the first ciphertext authentication data. If the two are consistent, communication encryption verification succeeds; otherwise, communication encryption verification fails. After finding that verification has failed, the user can further debug the source code of the installed user verification program until verification succeeds.
The user identity recognition module 103 is further configured to decrypt the first ciphertext data by using a data decryption processing flow corresponding to the second algorithm identification data after receiving the first ciphertext data and the second algorithm identification data, and generate first plaintext authentication data; and sends the first plaintext authentication data back to the 5G analog terminal module 102.
Here, the second algorithm identification data is similar to the first algorithm identification data in the foregoing, and further description is not provided herein.
In another specific implementation manner provided in the embodiment of the present invention, the user identity recognition module 103 is specifically configured to recognize the first identification data of the second algorithm identification data when decrypting the first ciphertext data;
if the first identification data of the second algorithm identification data is the RSA algorithm or the SM2 algorithm, selecting a corresponding RSA or SM2 decryption key, and carrying out corresponding RSA or SM2 algorithm decryption on the first ciphertext data;
if the first identification data of the second algorithm identification data is a DES algorithm, a 3DES algorithm, an SM1 algorithm or an SM4 algorithm, identifying the second identification data of the second algorithm identification data; when the second identification data of the second algorithm identification data is the ECB mode, selecting a corresponding DES, 3DES, SM1 or SM4 decryption key, and performing ECB mode decryption on the first ciphertext data by using the corresponding DES, 3DES, SM1 or SM4 algorithm; when the second identification data of the second algorithm identification data is the CBC mode, selecting a DES, 3DES, SM1 or SM4 decryption key, and performing CBC mode decryption on the first ciphertext data by using the corresponding DES, 3DES, SM1 or SM4 algorithm;
if the first identification data of the second algorithm identification data is an AES algorithm, identifying the second identification data; when the second identification data of the second algorithm identification data is in the ECB mode, selecting a corresponding AES decryption key, and carrying out ECB mode decryption on the first ciphertext data through the AES algorithm; and when the second identification data of the second algorithm identification data is in the CTR mode, selecting an AES decryption key, and decrypting the first ciphertext data in the CTR mode of the AES algorithm.
Here, the embodiment of the present invention supports decryption with a plurality of algorithms. At least two asymmetric algorithms, RSA and SM2, are supported; because these algorithms have no mode distinction, the second identification data need not be identified when the first identification data is the RSA or SM2 algorithm. At least five symmetric algorithms, DES, 3DES, AES, SM1 and SM4, are supported; because the symmetric algorithms all have mode distinctions, the second identification data must be identified when the first identification data is the DES, 3DES, AES, SM1 or SM4 algorithm. The decryption processes supported by the embodiment of the present invention therefore include: RSA decryption, SM2 decryption, DES ECB/CBC mode decryption, 3DES ECB/CBC mode decryption, SM1 ECB/CBC mode decryption, SM4 ECB/CBC mode decryption, and AES ECB/CTR mode decryption. In a practical experiment, a user verification program installed on the upper computer decrypts the first ciphertext data to obtain plaintext data to be verified; meanwhile, the upper computer calls the verification device provided by the embodiment of the invention to calculate the corresponding first plaintext authentication data. The verification program of the upper computer then compares the plaintext data to be verified with the first plaintext authentication data: if the two are consistent, communication decryption verification succeeds; otherwise it fails. After finding that verification has failed, the user can further debug the source code of the installed user verification program until verification succeeds.
The user identity identification module 103 is further configured, after receiving the SUCI authentication instruction data, to perform SUCI calculation on the locally stored user permanent identifier (SUPI) data according to a designated SUCI calculation processing flow, generate SUCI authentication data, and send the SUCI authentication data back to the 5G analog terminal module 102.
Here, the SUPI data is preset information stored locally in the 5G subscriber identity module, and the SUCI authentication data is a result of performing a specific calculation on the SUPI data.
In another specific implementation manner provided in the embodiment of the present invention, the user identity recognition module 103 is specifically configured, when performing the SUCI calculation, to: perform shared key calculation processing on preset operator public key data and local authentication private key data according to a specified shared key algorithm, generating first shared key data; perform shared information calculation processing on preset local authentication public key data and the local authentication private key data according to a specified shared information algorithm, generating first shared information data; perform key dispersion processing on the first shared key data and the first shared information data according to a specified key dispersion algorithm, generating first encryption key data, first initial counter data and first verification key data; take the first initial counter data as the initial counter of AES encryption and encrypt the SUPI data in the CTR mode of the AES algorithm using the first encryption key data, generating first encrypted data; perform verification code calculation on the first encrypted data and the first verification key data according to a specified verification algorithm, generating first verification code data; and splice the first encrypted data and the first verification code data according to a specified SUCI data format, generating the SUCI authentication data.
Here, the operator public key data is preset public key data, and the upper computer stores this public key together with the corresponding operator private key data. The local authentication public and private key data is a public and private key pair generated locally by the user identification module 103, and the upper computer stores the local authentication public key data of that pair.
Here, the specified shared key algorithm is the X25519 algorithm in the RFC 7748 document issued by the Internet Society (ISOC). The algorithm is based on elliptic curves and, from two public and private key pairs (public key 1/private key 1 and public key 2/private key 2), generates a pair of shared keys that are inverse operations of each other: shared key 1 is generated from public key 1 and private key 2, shared key 2 is generated from public key 2 and private key 1, and shared key 1 and shared key 2 form the shared key pair;
after obtaining the first shared key data, the user identity recognition module 103 does not use the first shared key data directly to process the SUPI data, but uses a dispersed key derived from the first shared key data; in the embodiment of the present invention, the dispersion factor used for key dispersion of the first shared key data is the above-mentioned first shared information data; the shared information algorithm that generates it is the Elliptic-Curve-Point-Octet-String Conversion algorithm, which converts the input local authentication public key and private key data, according to the point coordinate rule of the elliptic curve, into a byte data sequence, namely the first shared information data;
after obtaining the first shared information data, the user identity module 103 uses the ANSI-X9.63-KDF algorithm issued by the American National Standards Institute (ANSI) as the specified key dispersion algorithm, and uses the first shared information data as the key dispersion factor to disperse the first shared key data; the calculation result is a byte data sequence whose length is a first number + a second number + a third number, wherein the first number defaults to 16 bytes, the second number defaults to 16 bytes, and the third number defaults to 32 bytes; the user identity identification module 103 selects the first number of bytes at the start of the byte data sequence as the first encryption key data, the second number of bytes that follow as the first initial counter data, and the last third number of bytes as the first verification key data;
after obtaining the first encryption key data, the first initial counter data and the first verification key data, the user identification module 103 calculates the encrypted data corresponding to the SUPI data in the CTR mode of the AES algorithm; because the CTR mode requires an initialized counter, the first initial counter data is used as the initial value of the counter, and the user identification module 103 encrypts the SUPI data using the first encryption key data to obtain the first encrypted data; after the first encrypted data is obtained, the user identity identification module 103 selects the HMAC-SHA-256 algorithm as the specified verification algorithm, performs digital digest calculation, that is, verification code calculation, on a data sequence composed of the first encrypted data and the first verification key data, and uses the result as the first verification code data, wherein the default length of the first verification code data is 8 bytes;
finally, the user identity identification module 103 assembles the first encrypted data and the first verification code data according to a preset SUCI data format, so as to obtain the SUCI authentication data.
In a practical experiment, a user verification program installed on the upper computer calculates SUCI data to be verified from the SUPI data; meanwhile, the upper computer calls the verification device provided by the embodiment of the invention to calculate the corresponding SUCI authentication data. The verification program of the upper computer then compares the SUCI data to be verified with the SUCI authentication data: if the two are consistent, SUCI authentication succeeds; otherwise it fails. After finding that authentication has failed, the user can further debug the source code of the installed user verification program until authentication succeeds.
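The SUCI calculation flow and the upper computer comparison described above, as an added example using only the Python standard library (it is not code from the patent or its applicant). Assumptions not stated in the text: SHA-256 inside the ANSI-X9.63-KDF, the 32-byte local authentication public key used directly as the first shared information data, the layout public key || encrypted data || verification code for the SUCI data format, and all key and SUPI values, which are constructed.

```python
import hashlib
import hmac

P = 2**255 - 19
BASE_POINT = (9).to_bytes(32, "little")

def x25519(scalar: bytes, u_coord: bytes) -> bytes:
    # RFC 7748 Montgomery ladder; written for readability, not constant-time.
    k = int.from_bytes(scalar, "little")
    k = (k & ~7 & ((1 << 254) - 1)) | (1 << 254)             # scalar clamping
    x1 = int.from_bytes(u_coord, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    x2, z2 = (x3, z3) if swap else (x2, z2)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def _xtime(a: int) -> int:
    return ((a << 1) ^ (0x1B if a & 0x80 else 0)) & 0xFF     # multiply by 2 in GF(2^8)

def _build_sbox() -> list:
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    sbox, p, q = [0x63] * 256, 1, 1
    while True:
        p = _xtime(p) ^ p                                     # p *= 3
        for s in (1, 2, 4):                                   # q /= 3, so p * q == 1
            q = (q ^ (q << s)) & 0xFF
        q ^= 0x09 if q & 0x80 else 0
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            return sbox

SBOX = _build_sbox()

def _round_keys(key: bytes) -> list:
    words, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        w = list(words[i - 1])
        if i % 4 == 0:
            w = [SBOX[b] for b in w[1:] + w[:1]]
            w[0], rcon = w[0] ^ rcon, _xtime(rcon)
        words.append([x ^ y for x, y in zip(words[i - 4], w)])
    return [sum(words[r:r + 4], []) for r in range(0, 44, 4)]

def aes128_encrypt_block(key: bytes, block: bytes) -> bytes:
    rk = _round_keys(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                          # SubBytes
        s = [s[((i // 4 + i % 4) % 4) * 4 + i % 4] for i in range(16)]    # ShiftRows
        if rnd < 10:                                                      # MixColumns
            cols = [s[c:c + 4] for c in range(0, 16, 4)]
            s = [col[r] ^ col[0] ^ col[1] ^ col[2] ^ col[3] ^ _xtime(col[r] ^ col[(r + 1) % 4])
                 for col in cols for r in range(4)]
        s = [b ^ k for b, k in zip(s, rk[rnd])]                           # AddRoundKey
    return bytes(s)

def aes128_ctr(key: bytes, initial_counter: bytes, data: bytes) -> bytes:
    ctr, out = int.from_bytes(initial_counter, "big"), bytearray()
    for off in range(0, len(data), 16):
        stream = aes128_encrypt_block(key, ctr.to_bytes(16, "big"))
        out += bytes(d ^ k for d, k in zip(data[off:off + 16], stream))
        ctr = (ctr + 1) % (1 << 128)
    return bytes(out)

def derive_keys(shared_key: bytes, shared_info: bytes):
    # ANSI X9.63 KDF (SHA-256 assumed); 64 bytes split 16 + 16 + 32 as the text describes.
    okm = b"".join(hashlib.sha256(shared_key + n.to_bytes(4, "big") + shared_info).digest()
                   for n in (1, 2))
    return okm[:16], okm[16:32], okm[32:64]

def assemble_suci(shared_key: bytes, local_pub: bytes, supi: bytes) -> bytes:
    enc_key, initial_counter, mac_key = derive_keys(shared_key, local_pub)
    encrypted = aes128_ctr(enc_key, initial_counter, supi)
    code = hmac.new(mac_key, encrypted, hashlib.sha256).digest()[:8]      # 8-byte default
    return local_pub + encrypted + code                                   # assumed layout

def device_suci(supi, operator_pub, local_priv):   # module 103: operator public + local private
    return assemble_suci(x25519(local_priv, operator_pub), x25519(local_priv, BASE_POINT), supi)

def host_suci(supi, operator_priv, local_pub):     # upper computer: operator private + local public
    return assemble_suci(x25519(operator_priv, local_pub), local_pub, supi)

def host_verify(device_result, supi, operator_priv, local_pub) -> bool:
    return hmac.compare_digest(device_result, host_suci(supi, operator_priv, local_pub))

# Constructed sample values (not from the patent or any real subscriber).
OPERATOR_PRIV = bytes(range(1, 33))
LOCAL_PRIV = bytes(range(101, 133))
SAMPLE_SUPI = bytes.fromhex("0123456789")
```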
It should be noted that the division of the above apparatus into modules is only a logical division; in an actual implementation the modules may be wholly or partially integrated into one physical entity, or may be physically separated. These modules may all be implemented in the form of software called by a processing element, or all in hardware; alternatively, some of the modules may be implemented as software called by a processing element and others in hardware. For example, the upper computer communication module may be a separately provided processing element, may be integrated in a chip of the apparatus, or may be stored in a memory of the apparatus in the form of program code, and a processing element of the apparatus calls and executes the functions of the above determination module. Other modules are implemented similarly. In addition, all or part of the modules can be integrated together or can be implemented independently. The processing element described herein may be an integrated circuit having signal processing capabilities. In implementation, the execution steps of the modules may be performed by hardware integrated logic circuits in a processor element or by instructions in the form of software.
For example, the above modules may be one or more integrated circuits configured to perform the steps performed by the above modules, such as: one or more Application Specific Integrated Circuits (ASICs), or one or more Digital Signal Processors (DSPs), or one or more Field Programmable Gate Arrays (FPGAs), etc. For another example, when some of the above modules are implemented in the form of program code scheduled by a processing element, the processing element may be a general-purpose processor, such as a Central Processing Unit (CPU) or another processor that can invoke the program code. As another example, these modules may be integrated together and implemented in the form of a System-on-a-chip (SOC).
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, the embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the invention are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored on a computer readable storage medium or transmitted from one computer readable storage medium to another computer readable storage medium, for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center via wire (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, bluetooth, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that includes one or more of the available media. The usable medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a DVD), or a semiconductor medium (e.g., a Solid State Disk (SSD)), etc.
The embodiment of the invention provides a communication encryption authentication experimental device which comprises an upper computer communication module, a 5G simulation terminal module and a user identity identification module. By using the test device, the SUCI calculated by the upper computer can be verified, and the communication encryption/decryption original text data calculated by the upper computer can be verified, so that the defects of test equipment in the current test system are overcome, and the completeness of the test system is improved.
Those of skill in the art will further appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps described in connection with the embodiments disclosed herein may be embodied in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are merely exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (8)

1. A communication encryption authentication experimental device is characterized by comprising: the system comprises an upper computer communication module, a fifth generation mobile communication 5G analog terminal module and a user identity identification module;
the upper computer communication module is connected with the upper computer and the 5G analog terminal module; the upper computer communication module is used for receiving first experiment instruction data sent by the upper computer; sending the first experiment instruction data to the 5G simulation terminal module; receiving first experiment instruction return data sent back from the 5G simulation terminal module; and sending the first experiment instruction return data back to the upper computer;
the 5G simulation terminal module is connected with the user identity identification module; the 5G simulation terminal module is used for identifying the instruction type of the first experiment instruction data; when the instruction type is a communication encryption authentication instruction, extracting first plaintext data and first algorithm identification data from the first experiment instruction data; establishing a first data channel with the user identity identification module according to a Bearer Independent Protocol (BIP); sending the first plaintext data and the first algorithm identification data to the user identity identification module through the first data channel; receiving first ciphertext authentication data sent back from the user identity identification module; assembling and generating the first experiment instruction return data according to the first ciphertext authentication data, and sending the first experiment instruction return data back to the upper computer communication module; when the instruction type is a communication decryption authentication instruction, extracting first ciphertext data and second algorithm identification data from the first experiment instruction data; establishing a second data channel with the user identity identification module according to the BIP protocol; sending the first ciphertext data and the second algorithm identification data to the user identity identification module through the second data channel; receiving first plaintext authentication data sent back from the user identity identification module; assembling and generating the first experiment instruction return data according to the first plaintext authentication data, and sending the first experiment instruction return data back to the upper computer communication module; when the instruction type is a user hidden identifier (SUCI) authentication instruction, assembling and generating SUCI authentication instruction data and sending the SUCI authentication instruction data to the user identity identification module; receiving SUCI authentication data sent back from the user identity identification module; assembling and generating the first experiment instruction return data according to the SUCI authentication data, and sending the first experiment instruction return data back to the upper computer communication module;
the user identity identification module is used for encrypting the first plaintext data by using a data encryption processing flow corresponding to the first algorithm identification data after receiving the first plaintext data and the first algorithm identification data, so as to generate first ciphertext authentication data; sending the first ciphertext authentication data back to the 5G analog terminal module;
the user identity identification module is further configured to decrypt the first ciphertext data by using a data decryption processing flow corresponding to the second algorithm identification data after receiving the first ciphertext data and the second algorithm identification data, and generate the first plaintext authentication data; the first plaintext authentication data are sent back to the 5G analog terminal module;
the user identity identification module is also used for carrying out SUCI calculation on the locally stored user permanent identifier (SUPI) data according to a designated SUCI calculation processing flow after receiving the SUCI authentication instruction data to generate the SUCI authentication data; and sending the SUCI authentication data back to the 5G analog terminal module.
2. The communication encryption authentication experimental apparatus according to claim 1,
the upper computer communication module comprises a plurality of upper computer communication interfaces; the upper computer communication interfaces comprise a Universal Serial Bus (USB) communication interface, a Serial Peripheral Interface (SPI) communication interface, a two-wire serial bus I2C communication interface, a universal asynchronous receiver/transmitter (UART) communication interface and an International Organization for Standardization ISO 7816 communication interface.
3. The communication encryption authentication experimental apparatus according to claim 1,
the 5G analog terminal module is specifically configured to establish the first data channel or the second data channel with the subscriber identity module using an OPEN CHANNEL instruction of the BIP protocol.
4. The communication encryption authentication experimental apparatus according to claim 1,
the first and second algorithm identification data comprise first identification data and second identification data;
the first identification data comprises an RSA algorithm, a data encryption standard DES algorithm, a triple data encryption standard 3DES algorithm, an advanced encryption standard AES algorithm, a national secret SM1 algorithm, a national secret SM2 algorithm and a national secret SM4 algorithm;
the second identification data includes an electronic codebook ECB mode, a ciphertext block chaining CBC mode, and a counter CTR mode.
5. The communication encryption authentication experimental apparatus according to claim 4,
the user identity recognition module is specifically configured to recognize the first identification data of the first algorithm identification data when encrypting the first plaintext data;
if the first identification data of the first algorithm identification data is the RSA algorithm or the SM2 algorithm, selecting a corresponding RSA or SM2 encryption key, and encrypting the first plaintext data by using a corresponding RSA or SM2 algorithm;
identifying the second identification data of the first algorithm identification data if the first identification data of the first algorithm identification data is the DES algorithm, the 3DES algorithm, the SM1 algorithm, or the SM4 algorithm; when the second identification data of the first algorithm identification data is the ECB mode, selecting a corresponding DES, 3DES, SM1 or SM4 encryption key, and carrying out ECB mode encryption of the corresponding DES, 3DES, SM1 or SM4 algorithm on the first plaintext data; when the second identification data of the first algorithm identification data is in the CBC mode, selecting the DES, 3DES, SM1 or SM4 encryption key, and performing the CBC mode encryption of the corresponding DES, 3DES, SM1 or SM4 algorithm on the first plaintext data;
if the first identification data of the first algorithm identification data is the AES algorithm, identifying the second identification data of the first algorithm identification data; when the second identification data of the first algorithm identification data is the ECB mode, selecting a corresponding AES encryption key, and carrying out ECB mode encryption of an AES algorithm on the first plaintext data; and when the second identification data of the first algorithm identification data is the CTR mode, selecting the AES encryption key, and encrypting the first plaintext data in the CTR mode of the AES algorithm.
6. The communication encryption authentication experimental apparatus according to claim 4,
the user identity identification module is specifically configured to identify the first identification data of the second algorithm identification data when decrypting the first ciphertext data;
if the first identification data of the second algorithm identification data is the RSA algorithm or the SM2 algorithm, selecting a corresponding RSA or SM2 decryption key, and performing corresponding RSA or SM2 algorithm decryption on the first ciphertext data;
identifying the second identification data of the second algorithm identification data if the first identification data of the second algorithm identification data is the DES algorithm, the 3DES algorithm, the SM1 algorithm, or the SM4 algorithm; when the second identification data of the second algorithm identification data is the ECB mode, selecting a corresponding DES, 3DES, SM1 or SM4 decryption key, and performing ECB mode decryption of the corresponding DES, 3DES, SM1 or SM4 algorithm on the first ciphertext data; when the second identification data of the second algorithm identification data is the CBC mode, selecting the DES, 3DES, SM1 or SM4 decryption key, and performing CBC mode decryption of the corresponding DES, 3DES, SM1 or SM4 algorithm on the first ciphertext data;
if the first identification data of the second algorithm identification data is the AES algorithm, identifying the second identification data of the second algorithm identification data; when the second identification data of the second algorithm identification data is the ECB mode, selecting a corresponding AES decryption key, and performing ECB mode decryption on the first ciphertext data by using the AES algorithm; and when the second identification data of the second algorithm identification data is the CTR mode, selecting the AES decryption key, and performing CTR mode decryption of the AES algorithm on the first ciphertext data.
7. The communication encryption authentication experimental apparatus according to claim 1,
the user identity identification module is specifically used for carrying out shared key calculation processing according to a specified shared key algorithm and preset operator public key data and local authentication private key data when SUCI calculation is carried out, and first shared key data is generated; according to preset local authentication public key data and the local authentication private key data, shared information calculation processing is carried out according to a specified shared information algorithm to generate first shared information data; performing key dispersion processing according to the first shared key data and the first shared information data and a specified key dispersion algorithm to generate first encryption key data, first initial counter data and first verification key data; taking the first initial counter data as an initial counter of AES encryption, and encrypting the SUPI data in a CTR mode of an AES algorithm by using the first encryption key data to generate first encrypted data; according to the first encrypted data and the first verification key data, performing verification code calculation according to a specified verification algorithm to generate first verification code data; and splicing according to the first encrypted data and the first verification code data and a specified SUCI data format to generate the SUCI authentication data.
8. The communication encryption authentication experimental apparatus according to claim 7,
the specified shared key algorithm is an X25519 algorithm; the specified shared information algorithm is an Elliptic-Curve-Point-Octet-String Conversion algorithm; the specified key dispersion algorithm is an ANSI-X9.63-KDF algorithm; the specified verification algorithm is an HMAC-SHA-256 algorithm.
CN202110335517.6A 2021-03-29 2021-03-29 Communication encryption authentication experimental device Active CN113038463B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110335517.6A CN113038463B (en) 2021-03-29 2021-03-29 Communication encryption authentication experimental device

Publications (2)

Publication Number Publication Date
CN113038463A CN113038463A (en) 2021-06-25
CN113038463B true CN113038463B (en) 2022-05-13

Family

ID=76452743

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110335517.6A Active CN113038463B (en) 2021-03-29 2021-03-29 Communication encryption authentication experimental device

Country Status (1)

Country Link
CN (1) CN113038463B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CB03 Change of inventor or designer information
Inventor after: Zhu Hongyan; Guo Mingchao; An Bo
Inventor before: Zhu Hongyan; An Bo