CN113507705A - 5G secondary authentication method and system based on EAP-TLS protocol - Google Patents


Info

Publication number
CN113507705A
Authority
CN
China
Prior art keywords
user equipment
management function
authentication
access
function module
Prior art date
Legal status
Pending
Application number
CN202110790525.XA
Other languages
Chinese (zh)
Inventor
孙磊
郭松辉
刘海东
郝前防
李作辉
张静
周明
钱大赞
韩松莘
宋云帆
王淼
赵建成
杨梦梦
李楠
Current Assignee
Information Engineering University of PLA Strategic Support Force
Original Assignee
Information Engineering University of PLA Strategic Support Force
Priority date
Filing date
Publication date
Application filed by Information Engineering University of PLA Strategic Support Force
Priority to CN202110790525.XA
Publication of CN113507705A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W12/60 Context-dependent security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a 5G secondary authentication method and system based on the EAP-TLS protocol, comprising user equipment, an access and mobility management function module, a session management function module, a user plane function module, an authentication server function module and a data network authentication server. The invention verifies the identities of the user equipment and the data network authentication server through digital certificates, realizes bidirectional secondary authentication between the 5G service terminal and the data network, and thereby further improves the security and usability of the 5G service.

Description

5G secondary authentication method and system based on EAP-TLS protocol
Technical Field
The invention relates to the technical field of 5G mobile communication, and in particular to a 5G secondary authentication method and system based on the Extensible Authentication Protocol (EAP)-Transport Layer Security (TLS) protocol.
Background
The existing mainstream authentication scheme for private line access of 4G users is identity authentication based on VPDN (Virtual Private Dial Network). In that scheme the operator completes the whole identity authentication process, and it is exposed to security threats such as low security and easy cracking by illegal users. In order to meet the high security requirements of vertical industries, the 5G network proposes a secondary authentication architecture that uses the Extensible Authentication Protocol (EAP) to meet the security requirements of different services.
On the basis of the existing secondary authentication architecture, how to further improve the security and the availability of the 5G service is a problem to be solved urgently.
Disclosure of Invention
In view of the above, the present invention provides a 5G secondary authentication method based on the EAP-TLS protocol, in which the user equipment and the data network authentication server verify each other's identity by means of digital certificates, thereby implementing bidirectional secondary authentication between the 5G service terminal and the data network and further improving the security and usability of the 5G service.
The invention provides a 5G secondary authentication method based on an EAP-TLS protocol, which comprises the following steps:
performing network access authentication on the user equipment through the authentication server function module;
after the authentication is passed, establishing non-access layer security context connection between the user equipment and the access and mobility management functional module;
establishing a protocol data unit session between the user equipment and the access and mobility management function;
establishing a protocol data unit session between the access and mobility management function module and a session management function module;
the session management function module acquires subscription information from a unified data management module and verifies whether the request of the user equipment is in compliance;
if the user equipment is not authenticated and authorized, the session management function module triggers an extensible identity authentication protocol to perform identity authentication so as to obtain authentication and authorization from a data network authentication server;
the session management function module sends an extensible identity authentication protocol data packet to the user equipment to request user identity information so as to start to acquire the authentication information of the user;
the user equipment responds to the request of the session management function module after receiving the identity request information and sends the user identity information to the session management function module;
if the session management function module and the user plane function module do not establish a protocol data unit session connection, the session management function module selects one user plane function module and establishes a protocol data unit session with the user plane function module;
the session management function module forwards an extensible identity authentication protocol data packet containing user identity information to the data network authentication server through the user plane function module;
the data network authentication server retrieves its database using the user identity information to obtain the transport layer security protocol authentication method; the data network authentication server encapsulates an extensible identity authentication protocol message requesting the user equipment to start the transport layer security protocol into an access challenge data packet and sends it to the session management function network element, which forwards the message of the data network authentication server to the user equipment;
after receiving the message of starting the transport layer security protocol, the user equipment sends an EAP-Response/Client-Hello message to the data network authentication server through the session management function network element;
after receiving the EAP-Response/Client-Hello message, the data network authentication server determines that a transport layer security protocol is established, and then encapsulates an access challenge data packet containing the EAP-Response message of a plurality of transport layer security records and sends the access challenge data packet to the user equipment through a session management function network element;
the user equipment verifies the digital certificate of the data network authentication server, and if that certificate is legal, sends to the data network authentication server through the session management function network element the digital certificate of the user equipment, a fixed-length random string encrypted with the public key of the data network authentication server, the encryption types supported by the user equipment and a message indicating that the sending of authentication messages has ended;
the data network authentication server verifies the digital certificate of the user equipment, and if the digital certificate of the user equipment is legal, the encryption type which can be supported by the user equipment and the message of the authentication message sending end are sent to the user equipment through the session management function network element;
after receiving the message of finishing the sending of the authentication message, the user equipment sends an EAP-Response/TLS-ACK message and the message of finishing the sending of the authentication message to the data network authentication server through the session management function network element;
the data network authentication server sends an EAP-Success message to the session management function network element;
and after receiving the EAP-Success message, the session management function network element ends the secondary authentication process, continues to execute the protocol data unit session establishment request procedure, waits for a new protocol data unit establishment request and sends the EAP-Success to the user equipment.
Preferably, the performing network access authentication on the user equipment through the authentication server function module includes:
the user equipment initiates an authentication request to an authentication server function module in the 5G network according to the identity authentication information in the global user identification card;
the authentication server function module performs identity authentication on identity authentication information sent by the user equipment by using a network access protocol, and allows the user equipment to access the network when the authentication passes.
Preferably, the establishing a protocol data unit session between the user equipment and the access and mobility management function module includes:
and the user equipment establishes a protocol data unit session with the access and mobility management functional module by sending a non-access layer message to the access and mobility management functional module.
Preferably, the establishing a protocol data unit session between the access and mobility management function module and a session management function network element comprises:
and the access and mobility management function module uses a session management container between the user equipment and the access and mobility management function module as a bearer, and selects a session management function network element to send a protocol data unit session.
Preferably, the step in which the user equipment, after receiving the TLS protocol start message, sends an EAP-Response/Client-Hello message to the data network authentication server through the session management function network element includes:
and after receiving the message for starting the TLS protocol, the user equipment encapsulates EAP-Response/Client-Hello information into an access request data packet through the session management function network element and sends the access request data packet to the data network authentication server.
A 5G secondary authentication system based on an EAP-TLS protocol comprises: user equipment, an access and mobility management function module, a session management function module, a user plane function module, an authentication server function module and a data network authentication server; wherein:
the authentication server function module is used for performing network access authentication on the user equipment;
the user equipment is used for establishing non-access layer security context connection with the access and mobility management functional module after the authentication is passed;
the user equipment is also used for establishing a protocol data unit session with the access and mobility management functional module;
the access and mobility management function module is used for establishing a protocol data unit session with the session management function module;
the session management function module is used for acquiring subscription information from the unified data management module and verifying whether the request of the user equipment is in compliance;
if the user equipment is not authenticated and authorized, the session management function module is used for triggering an extensible identity authentication protocol to perform identity authentication so as to obtain authentication and authorization from the data network authentication server;
the session management function module is further configured to send an extensible identity authentication protocol data packet to the user equipment to request user identity information, so as to start acquiring authentication information of a user;
the user equipment is also used for responding to the request of the session management function module after receiving the identity request information and sending the user identity information to the session management function module;
if the session management function module and the user plane function module do not establish a protocol data unit session connection, the session management function module is used for selecting one user plane function module and establishing a protocol data unit session with the user plane function module;
the session management function module is also used for forwarding an extensible identity authentication protocol data packet containing user identity information to the data network authentication server through the user plane function module;
the data network authentication server is used for retrieving a database of the data network authentication server through user identity information to acquire a transmission layer security protocol authentication method, and the data network authentication server encapsulates information of an extensible identity authentication protocol requesting the user equipment to start a transmission layer security protocol into an access challenge data packet and sends the access challenge data packet to the session management function network element;
the session management function network element is used for forwarding the message of the data network authentication server to the user equipment;
the user equipment is further configured to send an EAP-Response/Client-Hello message to the data network authentication server through the session management function network element after receiving a message for starting a transport layer security protocol;
the data network authentication server is used for determining that a transport layer security protocol is established after receiving the EAP-Response/Client-Hello message, and then packaging an access challenge data packet containing the EAP-Response message of a plurality of transport layer security records and sending the access challenge data packet to the user equipment through a session management function network element;
the user equipment is also used for verifying the digital certificate of the data network authentication server and, if that certificate is legal, for sending through the session management function network element the digital certificate of the user equipment, a fixed-length random string encrypted with the public key of the data network authentication server, the encryption types supported by the user equipment and a message indicating that the sending of authentication messages has ended to the data network authentication server;
the data network authentication server is also used for verifying the digital certificate of the user equipment, and if the digital certificate of the user equipment is legal, the encryption type which can be supported by the user equipment and the message of the end of the authentication message sending are sent to the user equipment through the session management function network element;
the user equipment is further configured to send an EAP-Response/TLS-ACK and an authentication message sending end message to the data network authentication server through the session management function network element after receiving the authentication message sending end message;
the data network authentication server is also used for sending an EAP-Success message to the session management function network element;
the session management function network element is further configured to, after receiving the EAP-Success message, end the secondary authentication procedure, continue to execute the protocol data unit session establishment request procedure, wait for a new protocol data unit establishment request, and send the EAP-Success to the user equipment.
Preferably, when the user equipment is authenticated by the authentication server function module for network access, the user equipment is configured to initiate an authentication request to the authentication server function module according to the identity authentication information in the global user identification card;
the authentication server function module is used for performing identity authentication on identity authentication information sent by the user equipment by using a network access protocol, and when the authentication passes, the authentication server function module allows the user equipment to access the network.
Preferably, when a protocol data unit session is established between the user equipment and the access and mobility management function module, the user equipment is configured to establish a protocol data unit session with the access and mobility management function module by sending a non-access stratum message to the access and mobility management function module.
Preferably, when a protocol data unit session is established between the access and mobility management function module and the session management function network element, the access and mobility management function module is configured to use a session management container between the user equipment and the access and mobility management function module as a bearer, and select one session management function network element to send the protocol data unit session.
Preferably, when the user equipment sends an EAP-Response/Client-Hello message to the data network authentication server through the session management function network element after receiving the TLS protocol start message, the user equipment is configured to encapsulate the EAP-Response/Client-Hello message into an access request packet through the session management function network element after receiving the TLS protocol start message, and send the access request packet to the data network authentication server.
In summary, the invention discloses a 5G secondary authentication method based on the EAP-TLS protocol. First, network access authentication is performed on the user equipment through the authentication server function module; after the authentication passes, the user equipment establishes a non-access layer security context connection with the access and mobility management function module; a protocol data unit session is established between the user equipment and the access and mobility management function module; a protocol data unit session is established between the access and mobility management function module and the session management function module; the session management function module acquires subscription information from the unified data management module and verifies whether the request of the user equipment is in compliance; if the user equipment is not authenticated and authorized, the session management function module triggers the extensible identity authentication protocol to perform identity authentication so as to obtain authentication and authorization from the data network authentication server; the session management function module sends an extensible identity authentication protocol data packet to the user equipment to request the identity information of the user so as to start acquiring the authentication information of the user; after receiving the identity request information, the user equipment responds to the request of the session management function module and sends the user identity information to the session management function module; if no protocol data unit session connection has been established between the session management function module and the user plane function module, the session management function module selects one user plane function module and establishes a protocol data unit session with it; the session management function module forwards an extensible identity authentication protocol data packet containing the user identity information to the data network authentication server through the user plane function module; the data network authentication server retrieves its database using the user identity information to obtain the transport layer security protocol authentication method, encapsulates an extensible identity authentication protocol message requesting the user equipment to start the transport layer security protocol into an access challenge data packet and sends it to the session management function network element, which forwards the message of the data network authentication server to the user equipment; after receiving the message for starting the transport layer security protocol, the user equipment sends an EAP-Response/Client-Hello message to the data network authentication server through the session management function network element; after receiving the EAP-Response/Client-Hello message, the data network authentication server determines that the transport layer security protocol is established, then encapsulates an access challenge data packet containing the EAP-Response message of a plurality of transport layer security records and sends it to the user equipment through the session management function network element; the user equipment verifies the digital certificate of the data network authentication server, and if that certificate is legal, sends the digital certificate of the user equipment, a fixed-length random string encrypted with the public key of the data network authentication server, the encryption types supported by the user equipment and a message indicating that the sending of authentication messages has ended to the data network authentication server through the session management function network element; the data network authentication server verifies the digital certificate of the user equipment, and if that certificate is legal, sends the encryption type supported by the user equipment and the message indicating the end of authentication message sending to the user equipment through the session management function network element; after receiving that message, the user equipment sends an EAP-Response/TLS-ACK and the message indicating the end of authentication message sending to the data network authentication server through the session management function network element; the data network authentication server sends an EAP-Success message to the session management function network element; after receiving the EAP-Success message, the session management function network element ends the secondary authentication process, continues to execute the protocol data unit session establishment request procedure, waits for a new protocol data unit establishment request, and sends the EAP-Success to the user equipment. The invention verifies the identities of the user equipment and the data network authentication server through digital certificates, realizes bidirectional secondary authentication between the 5G service terminal and the data network, and thereby further improves the security and usability of the 5G service.
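The exchange described above, as an added worked model that is not part of the patent: a UE (EAP client), an SMF (EAP authenticator relaying packets via the UPF) and a DN-AS (EAP server) exchange EAP messages from the subscription check through to EAP-Success, with the step numbers in the comments following the order in which the steps are listed above. The toy CA, the identities, the record names and the cipher suite are assumptions, and certificate verification is stood in for by an HMAC under a CA secret rather than real PKI signatures.

```python
"""Message-level model of the EAP-TLS secondary authentication flow (constructed example, not
the patent's code). UE = EAP client, SMF = EAP authenticator relaying via the UPF, DN-AS = EAP
server. Certificates are dicts "signed" with an HMAC under a toy CA secret, standing in for
PKI signature checks; the handshake is reduced to certificate exchange plus key derivation."""
import hashlib, hmac, secrets
from dataclasses import dataclass, field


def issue_cert(subject: str, ca_secret: bytes) -> dict:
    """Toy CA: certificate = subject + public-key id + HMAC 'signature' over both."""
    pubkey = secrets.token_hex(8)
    sig = hmac.new(ca_secret, f"{subject}|{pubkey}".encode(), hashlib.sha256).hexdigest()
    return {"subject": subject, "pubkey": pubkey, "sig": sig}

def cert_trusted(cert: dict, trust_store: list) -> bool:
    """Accept a certificate only if it verifies under a CA in the verifier's trust store."""
    msg = f"{cert['subject']}|{cert['pubkey']}".encode()
    return any(hmac.compare_digest(hmac.new(ca, msg, hashlib.sha256).hexdigest(), cert["sig"])
               for ca in trust_store)

def derive_key(client_random: bytes, server_random: bytes, premaster: bytes) -> bytes:
    # A fresh session key after each completed mutual authentication (randoms differ per run).
    return hashlib.sha256(b"5g-secondary-auth" + client_random + server_random + premaster).digest()

@dataclass
class DNAS:                        # EAP server (data network authentication server)
    cert: dict
    trust_store: list              # CAs whose UE certificates are accepted
    methods: dict                  # DN-AS database: identity -> EAP method
    session_key: bytes = b""

    def handle(self, pkt: dict) -> dict:
        t = pkt["type"]
        if t == "EAP-Response/Identity":                       # step 11: look up the method
            if self.methods.get(pkt["identity"]) != "EAP-TLS":
                return {"type": "EAP-Failure", "reason": "no EAP-TLS method for identity"}
            return {"type": "EAP-Request/TLS-Start"}           # carried in an Access-Challenge
        if t == "EAP-Response/Client-Hello":                   # step 13: TLS records with our cert
            self.server_random = secrets.token_bytes(16)
            return {"type": "EAP-Request/TLS", "records": ["ServerHello", "Certificate",
                    "ServerHelloDone"], "server_random": self.server_random, "cert": self.cert}
        if t == "EAP-Response/TLS":                            # step 15: verify the UE certificate
            if not cert_trusted(pkt["cert"], self.trust_store):
                return {"type": "EAP-Failure", "reason": "UE certificate not trusted"}
            self.session_key = derive_key(pkt["client_random"], self.server_random, pkt["premaster"])
            return {"type": "EAP-Request/TLS", "records": ["ChangeCipherSpec", "Finished"]}
        if t == "EAP-Response/TLS-ACK":                        # step 17
            return {"type": "EAP-Success"}
        return {"type": "EAP-Failure", "reason": pkt.get("reason", "unexpected packet")}

@dataclass
class UE:                          # EAP client
    identity: str
    cert: dict
    trust_store: list              # CAs whose DN-AS certificates are accepted
    client_random: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    session_key: bytes = b""

    def handle(self, pkt: dict) -> dict:
        t = pkt["type"]
        if t == "EAP-Request/Identity":                        # step 8
            return {"type": "EAP-Response/Identity", "identity": self.identity}
        if t == "EAP-Request/TLS-Start":                       # step 12
            return {"type": "EAP-Response/Client-Hello", "client_random": self.client_random}
        if t == "EAP-Request/TLS" and "cert" in pkt:           # step 14: verify the DN-AS certificate
            if not cert_trusted(pkt["cert"], self.trust_store):
                return {"type": "EAP-Response/TLS-Alert", "reason": "DN-AS certificate not trusted"}
            premaster = secrets.token_bytes(16)                # real TLS: encrypted under DN-AS public key
            self.session_key = derive_key(self.client_random, pkt["server_random"], premaster)
            return {"type": "EAP-Response/TLS", "cert": self.cert, "client_random": self.client_random,
                    "premaster": premaster, "cipher_suites": ["TLS_AES_128_GCM_SHA256"]}
        if t == "EAP-Request/TLS":                             # step 16: server Finished received
            return {"type": "EAP-Response/TLS-ACK"}
        return {"type": "EAP-Response/TLS-Alert", "reason": "unexpected packet"}

def smf_secondary_auth(ue: UE, dn_as: DNAS, subscription: dict, authorized: set) -> dict:
    """Steps 5-18 as seen by the SMF: the authorization gate, then relaying EAP to a result."""
    if not subscription.get("secondary_auth_required"):        # step 5: UDM subscription check
        return {"result": "skipped", "reason": "subscription does not require secondary auth"}
    if ue.identity in authorized:                              # step 5: cached prior authorization
        return {"result": "skipped", "reason": "previously authorized"}
    pkt = ue.handle({"type": "EAP-Request/Identity"})          # steps 6-8
    for rounds in range(1, 8):                                 # bounded relay loop via the UPF
        reply = dn_as.handle(pkt)                               # steps 9-10
        if reply["type"] == "EAP-Success":                     # step 18: resume PDU session setup
            authorized.add(ue.identity)
            return {"result": "EAP-Success", "rounds": rounds}
        if reply["type"] == "EAP-Failure":
            return {"result": "EAP-Failure", "reason": reply["reason"], "rounds": rounds}
        pkt = ue.handle(reply)
    return {"result": "EAP-Failure", "reason": "exchange did not converge"}

def demo() -> dict:
    ca, rogue = b"constructed-operator-ca", b"constructed-rogue-ca"
    db, sub = {"ue-001@dn.example": "EAP-TLS"}, {"secondary_auth_required": True}
    dn_as = DNAS(issue_cert("dn-as.example", ca), [ca], db)
    ue = UE("ue-001@dn.example", issue_cert("ue-001@dn.example", ca), [ca])
    ok = smf_secondary_auth(ue, dn_as, sub, set())
    rogue_dn = DNAS(issue_cert("dn-as.example", rogue), [ca], db)
    bad_server = smf_secondary_auth(UE(ue.identity, ue.cert, [ca]), rogue_dn, sub, set())
    bad_ue = smf_secondary_auth(UE(ue.identity, issue_cert(ue.identity, rogue), [ca]), dn_as, sub, set())
    return {"ok": ok, "bad_server": bad_server, "bad_ue": bad_ue,
            "keys_match": ue.session_key == dn_as.session_key}
```

Running demo() shows the legitimate pair reaching EAP-Success with matching session keys, while a DN-AS presenting a certificate from an untrusted CA is rejected by the UE and a UE certificate from an untrusted CA is rejected by the DN-AS.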
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. Obviously, the drawings in the following description are only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic diagram of an EAP architecture according to the present disclosure;
FIG. 2 is a schematic diagram of a 5G network architecture according to the present invention;
FIG. 3 is a flowchart of a 5G secondary authentication method based on EAP-TLS protocol disclosed in the present invention;
FIG. 4 is a schematic structural diagram of a 5G secondary authentication system based on an EAP-TLS protocol disclosed in the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In order to meet the unified authentication requirement, 5G introduces the EAP architecture, which has three authentication entities, namely the EAP Client, the EAP Authenticator and the EAP Server; the structure of the EAP architecture is shown in FIG. 1. The EAP-TLS protocol is an authentication protocol in the EAP framework; it is a bidirectional authentication protocol based on the TLS protocol, and a Public Key Infrastructure (PKI) certificate system is the security foundation of EAP-TLS. FIG. 2 shows the 5G network architecture. In the 5G secondary authentication architecture, the UE corresponds to the EAP Client, the SMF network element corresponds to the EAP Authenticator, and the DN-AS (data network authentication server) serves as the EAP Server. In brief, the authentication process of the EAP-TLS protocol in the EAP architecture is as follows: first, the EAP Server presents its digital certificate to the EAP Client; after verifying the digital certificate of the EAP Server, the EAP Client submits its own digital certificate to the EAP Server, and the user can access the data network after authentication by the EAP Server succeeds. Meanwhile, a new session key is generated after each mutual authentication is completed, which ensures the security of user data during transmission. The EAP Authenticator is used for initiating authentication and for encapsulating and decapsulating the data exchanged between the EAP Client and the EAP Server.
The 5G secondary authentication process is similar to the EAP-TLS authentication process in the EAP architecture: the UE, SMF and DN-AS in the 5G network correspond respectively to the EAP Client, EAP Authenticator and EAP Server in the EAP architecture, that is, the UE (User Equipment) in the 5G network corresponds to the EAP Client; the SMF (Session Management Function) in 5G corresponds to the EAP Authenticator; and the DN-AS in 5G corresponds to the EAP Server. The 5G secondary authentication flow is shown in FIG. 2.
On the basis of the above, the present invention provides a 5G secondary authentication method based on EAP-TLS protocol, as shown in fig. 3, which may include the following steps:
step 1: performing network access authentication on the user equipment through the authentication server function module;
the UE initiates an Authentication request to an AUSF (Authentication Server Function Module) in the 5G network according to the Identity Authentication information in the USIM (Universal Subscriber Identity Module), the AUSF performs Identity Authentication on the Identity Authentication information sent by the UE by using a network access protocol, if the Authentication is passed, the AUSF allows the user to access the network, otherwise, the UE is refused to access the mobile network.
Step 2: after the authentication is passed, establishing non-access layer security context connection between the user equipment and the access and mobility management functional module;
after the authentication is passed, a NAS (Non Access Stratum) security context connection is established between the UE and the Access and Mobility Management Function (AMF).
Step 3: establishing a protocol data unit session between the user equipment and the access and mobility management function module;
the UE sends a NAS message to initiate new PDU (Protocol Data Unit) session establishment.
Step 4: establishing a protocol data unit session between the access and mobility management function module and the session management function module;
The AMF uses the N1 SM container (the Session Management (SM) container between the UE and the AMF) as its bearer, selects one SMF and sends a PDU session establishment request message, after which a PDU connection is established between the AMF and the SMF. The SMF continues to execute the PDU session establishment request procedure, waiting for a new PDU establishment request.
Step 5: the session management function module acquires subscription information from the unified data management module and verifies whether the request of the user equipment is in compliance;
the SMF acquires Subscription Data of a user from a UDM (Unified Data Management module) according to a SUPI (Subscription Permanent Identifier), and checks whether the Subscription Data of the user requires secondary authentication and whether the UE is allowed to request secondary authentication according to the user Subscription and a local policy in the 5G network. If not, the SMF will reject the UE's request through NAS message and skip the rest of the following steps. If a secondary authentication is required, the SMF also checks if the UE has been authorized by the authentication server of the requested UDM. If previously authorized, the SMF may skip the subsequent secondary authentication process. Successful authentication and authorization information between the UE and the SMF is stored in the SMF and UDM.
Step 6: if the user equipment is not authenticated and authorized, the session management function module triggers an extensible identity authentication protocol to perform identity authentication so as to obtain authentication and authorization from a data network authentication server;
If the UE is not authenticated, the SMF triggers EAP (Extensible Authentication Protocol) identity authentication to obtain authentication and authorization from the DN-AS (Data Network Authentication Server).
Step 7: the session management function module sends an extensible identity authentication protocol data packet to the user equipment to request the identity information of the user so as to start to acquire the authentication information of the user;
The SMF sends an EAP packet to the UE requesting the user identity information, which starts the acquisition of the user's authentication information.
Step 8: the user equipment responds to the request of the session management function module after receiving the identity request information and sends the user identity information to the session management function module;
After receiving the identity request, the UE responds to the SMF by sending the user identity information to the SMF.
Step 9: if the session management function module and the user plane function module do not establish a protocol data unit session connection, the session management function module selects one user plane function module and establishes a protocol data unit session with the user plane function module;
If no PDU session connection exists between the SMF and a UPF (User Plane Function), the SMF selects a UPF and establishes a PDU session with it.
Step 10: the session management function module forwards an extensible identity authentication protocol data packet containing user identity information to the data network authentication server through the user plane function module;
The SMF forwards the EAP packet containing the user identity information to the DN-AS via the UPF.
Step 11: the data network authentication server retrieves a database of the data network authentication server through user identity information to acquire a transmission layer security protocol authentication method, the data network authentication server encapsulates information of an extensible identity authentication protocol requesting the user equipment to start a transmission layer security protocol into an access challenge data packet and sends the access challenge data packet to the session management function network element, and the session management function network element forwards the information of the data network authentication server to the user equipment;
The DN-AS looks up its database using the user identity information to obtain the TLS (Transport Layer Security) authentication method. The DN-AS encapsulates the EAP request asking the UE to start TLS into an access challenge packet and sends it to the SMF. The SMF forwards the DN-AS message to the UE.
Step 12: after receiving the message of starting the transport layer security protocol, the user equipment sends an EAP-Response/Client-Hello message to the data network authentication server through the session management function network element;
After receiving the TLS start message, the UE sends an EAP-Response/Client-Hello message to the DN-AS through the SMF. The Client-Hello message contains the list of algorithms available to the UE, the random number generated by the UE and other required information. The SMF encapsulates the EAP-Response/Client-Hello into an access request packet and sends it to the DN-AS.
Step 13: after receiving the EAP-Response/Client-Hello message, the data network authentication server determines that a transport layer security protocol is established, and then encapsulates an access challenge data packet containing the EAP-Response message of a plurality of transport layer security records and sends the access challenge data packet to the user equipment through a session management function network element;
After receiving the EAP-Response/Client-Hello message, the DN-AS determines that TLS authentication is established and then encapsulates an access challenge packet containing an EAP-Response message made up of several TLS records, which it sends to the UE through the SMF. The TLS records contain the digital certificate of the authentication server (Server-Cert), the request for the UE's digital certificate (Certificate-Request), the Server-Hello and the Server Key-Exchange message used for key exchange. The Server-Hello fixes the required encryption algorithm and carries the random number (ServerRandom Value) generated by the authentication server.
Step 14: the user equipment verifies the digital certificate of the data network authentication server, and if it is legal, the digital certificate of the user equipment, a fixed-length random string encrypted by using a public key of the data network authentication server, an encryption type which can be supported by the user equipment and a message indicating the end of the authentication message transmission are sent to the data network authentication server through the session management function network element;
The UE verifies the digital certificate Server-Cert of the DN-AS and, if it is legal, sends the Client-Cert, Client Key-Exchange, Change Cipher-spec and Finished messages to the authentication server through the SMF. Client-Cert is the UE's digital certificate; Client Key-Exchange is a fixed-length random string encrypted with the authentication server's public key, also called the Pre Master Secret; Change Cipher-spec is the encryption type the UE can support; Finished indicates the end of the authentication message transmission.
Step 15: the data network authentication server verifies the digital certificate of the user equipment, and if the digital certificate of the user equipment is legal, the encryption type which can be supported by the user equipment and a message indicating the end of the authentication message transmission are sent to the user equipment through the session management function network element;
The DN-AS verifies the UE's certificate Client-Cert and, if it is legal, sends Change Cipher-spec and Finished messages to the UE through the SMF; this Change Cipher-spec carries the encryption type specified by the DN-AS.
Step 16: after receiving the message indicating the end of the authentication message transmission, the user equipment sends an EAP-Response/TLS-ACK message and a message indicating the end of the authentication message transmission to the data network authentication server through the session management function network element;
After receiving the Finished message, the UE sends an EAP-Response/TLS-ACK (ACK: acknowledge) and a Finished message to the DN-AS through the SMF. Both the DN-AS and the UE derive the master key MK (Master Key).
Step 17: the data network authentication server sends an EAP-Success message to the session management function network element;
The DN-AS sends an EAP-Success message to the SMF, indicating that the user identity authentication succeeded.
Step 18: after receiving the EAP-Success message, the session management function network element ends the secondary authentication procedure, continues the protocol data unit session establishment request procedure, waits for a new protocol data unit establishment request and sends the EAP-Success result to the user equipment.
After receiving the EAP-Success message, the SMF ends the secondary authentication procedure and continues the PDU session establishment request procedure, waiting for the new PDU establishment request. The SMF sends the EAP-Success result to the UE, which indicates that the two sides have authenticated each other, and the UE then establishes the new PDU session.
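The EAP layer that carries steps 7 to 18 between the UE, the SMF and the DN-AS, as an added worked example in Python (this is not code from the patent): it encodes and validates EAP packets (RFC 3748), builds the EAP-TLS Start request of step 11, splits a run of TLS records such as the Server-Cert/Certificate-Request/Server-Hello/Server Key-Exchange bundle of step 13 into EAP-TLS fragments using the L/M flags of RFC 5216, produces the empty EAP-Response/TLS-ACK of step 16, and reassembles the fragments while enforcing the announced total length, which is the check a forwarding SMF or a receiving peer wants against truncated or oversized bundles. The access challenge / access request wrapper mentioned on the page and the TLS handshake contents are outside the block; `SAMPLE_RECORDS` is a constructed placeholder, not real TLS bytes.

```python
"""EAP / EAP-TLS packet layer as used between the UE, SMF and DN-AS
(RFC 3748, RFC 5216). Added example; not code from the patent."""
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
EAP_TYPE_TLS = 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20  # Length-included, More fragments, Start

# Constructed placeholder standing in for the TLS records of step 13
# (Server-Hello, Server-Cert, Certificate-Request, Server Key-Exchange); not real TLS bytes.
SAMPLE_RECORDS = bytes((i * 7) % 256 for i in range(300))


def encode_eap(code, ident, eap_type=None, data=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def decode_eap(pkt):
    """Parse an EAP packet and validate its header; raises ValueError on malformed input."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field inconsistent with packet size")
    if code not in (EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE):
        raise ValueError("unknown EAP Code %d" % code)
    body = pkt[4:length]  # bytes beyond Length are ignored (e.g. carrier padding)
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return {"code": code, "id": ident}
    if not body:
        raise ValueError("Request/Response without Type")
    return {"code": code, "id": ident, "type": body[0], "data": body[1:]}


def eap_tls_start(ident):
    """Step 11: EAP-Request/EAP-TLS carrying only the S flag, asking the UE to start TLS."""
    return encode_eap(EAP_REQUEST, ident, EAP_TYPE_TLS, bytes([FLAG_S]))


def eap_tls_fragments(code, ident, tls_records, mtu):
    """Split concatenated TLS records into EAP-TLS fragments no longer than mtu.
    The first fragment carries the L flag and the 4-byte TLS Message Length; every
    fragment but the last carries M. The same Identifier is reused here; a real
    peer acknowledges each fragment before the next one is sent."""
    frags, pos, first = [], 0, True
    while first or pos < len(tls_records):
        hdr_len = 6 + (4 if first else 0)  # EAP header + Type + Flags [+ TLS length]
        if mtu <= hdr_len:
            raise ValueError("mtu too small for an EAP-TLS fragment")
        chunk = tls_records[pos:pos + mtu - hdr_len]
        pos += len(chunk)
        flags = (FLAG_L if first else 0) | (FLAG_M if pos < len(tls_records) else 0)
        data = bytes([flags]) + (struct.pack("!I", len(tls_records)) if first else b"") + chunk
        frags.append(encode_eap(code, ident, EAP_TYPE_TLS, data))
        first = False
    return frags


def eap_tls_ack(ident):
    """EAP-Response/EAP-TLS with zero flags and no data: the TLS-ACK of step 16."""
    return encode_eap(EAP_RESPONSE, ident, EAP_TYPE_TLS, bytes([0]))


def is_tls_ack(pkt):
    p = decode_eap(pkt)
    return p["code"] == EAP_RESPONSE and p.get("type") == EAP_TYPE_TLS and p["data"] == bytes([0])


def reassemble(frags):
    """Reassemble EAP-TLS fragments, enforcing the announced total length and flag rules."""
    out, expected, complete = bytearray(), None, False
    for i, pkt in enumerate(frags):
        p = decode_eap(pkt)
        if p.get("type") != EAP_TYPE_TLS or not p["data"]:
            raise ValueError("not an EAP-TLS packet")
        flags, rest = p["data"][0], p["data"][1:]
        if flags & FLAG_L:
            if i != 0 or len(rest) < 4:
                raise ValueError("TLS Message Length only allowed on the first fragment")
            expected, rest = struct.unpack("!I", rest[:4])[0], rest[4:]
        elif i == 0 and flags & FLAG_M:
            raise ValueError("first fragment of a fragmented message must carry L")
        out += rest
        if not flags & FLAG_M:
            complete = True
            break
    if not complete:
        raise ValueError("message incomplete: last fragment still has M set")
    if expected is not None and len(out) != expected:
        raise ValueError("reassembled %d bytes, announced %d" % (len(out), expected))
    return bytes(out)


if __name__ == "__main__":
    frags = eap_tls_fragments(EAP_REQUEST, 5, SAMPLE_RECORDS, 128)
    print(len(frags), "fragments;", "reassembled OK" if reassemble(frags) == SAMPLE_RECORDS else "mismatch")
```

The length check in `reassemble` is what turns a dropped or truncated fragment into a hard error rather than a silently short TLS message; the Length field check in `decode_eap` likewise rejects a packet whose header claims more bytes than the carrier delivered.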
In summary, the invention verifies the identities of the user equipment and the data network authentication server with digital certificates, thereby achieving bidirectional secondary authentication between the 5G service terminal and the data network and improving the security and usability of the 5G service.
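The key derivation that steps 14 to 16 describe (the Pre Master Secret encrypted to the DN-AS public key, the two Hello randoms, and the master key both sides derive after the Finished exchange), as an added worked example in Python rather than code from the patent. It implements the TLS 1.2 PRF (RFC 5246), derives the 48-byte master secret, and then applies the EAP-TLS key export of RFC 5216 to obtain the MSK/EMSK that the handshake yields on both sides. The randoms and the pre-master secret are constructed fixed values; the RSA encryption of the pre-master secret under the server certificate is assumed to have already happened and is not shown.

```python
"""Key derivation at the end of the EAP-TLS handshake (steps 14-16).
TLS 1.2 PRF and master secret per RFC 5246; MSK/EMSK export per RFC 5216.
Added example; not code from the patent."""
import hashlib
import hmac
import os


def p_hash(secret, seed, length):
    """P_SHA256 data-expansion function (RFC 5246 section 5)."""
    out, a = bytearray(), seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return bytes(out[:length])


def tls12_prf(secret, label, seed, length):
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(pre_master_secret, client_random, server_random):
    """RFC 5246 8.1: 48-byte master secret from the pre-master secret and both randoms."""
    return tls12_prf(pre_master_secret, b"master secret", client_random + server_random, 48)


def eap_tls_keys(master, client_random, server_random):
    """RFC 5216 2.3: 128 bytes of key material; MSK = first 64 bytes, EMSK = next 64."""
    km = tls12_prf(master, b"client EAP encryption", client_random + server_random, 128)
    return km[:64], km[64:]


def rsa_pre_master_secret(client_version=(3, 3)):
    """RFC 5246 7.4.7.1: 48 bytes = ClientHello.client_version + 46 random bytes.
    This is the fixed-length random string the UE encrypts under the DN-AS public key
    in step 14 (Client Key-Exchange); the RSA step itself is outside this example."""
    return bytes(client_version) + os.urandom(46)


def derive_session_keys(pre_master, client_random, server_random):
    """Run by both the UE and the DN-AS after the Finished exchange (step 16)."""
    if len(pre_master) != 48 or len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("bad input lengths")
    ms = master_secret(pre_master, client_random, server_random)
    msk, emsk = eap_tls_keys(ms, client_random, server_random)
    return {"master_secret": ms, "msk": msk, "emsk": emsk}


# Constructed fixed values (assumptions, not values from the patent) so the result is reproducible.
CLIENT_RANDOM = bytes(range(32))          # the UE random carried in Client-Hello
SERVER_RANDOM = bytes(range(32, 64))      # the ServerRandom Value carried in Server-Hello
PRE_MASTER = bytes([3, 3]) + bytes(range(100, 146))

if __name__ == "__main__":
    ue_side = derive_session_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    dn_as_side = derive_session_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    print("both sides agree:", ue_side == dn_as_side)
    print("MSK:", ue_side["msk"].hex())
```

Both sides compute the same keys only because the pre-master secret reached the DN-AS intact under its public key and both Hello randoms were seen by both parties; a mismatch in either input shows up as a Finished verification failure rather than as a usable key.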
As shown in fig. 4, the present invention provides a 5G secondary authentication system based on the EAP-TLS protocol, which may include: User Equipment (UE), an Access and Mobility Management Function (AMF), a Session Management Function (SMF), a User Plane Function (UPF), an Authentication Server Function (AUSF) and a Data Network Authentication Server (DN-AS); wherein:
the authentication server function module is used for carrying out network access authentication on the user equipment;
the user equipment is used for establishing non-access layer security context connection with the access and mobility management functional module after the authentication is passed;
the user equipment is also used for establishing a protocol data unit session with the access and mobility management functional module;
the access and mobility management function module is used for establishing a protocol data unit session with the session management function module;
the session management function module is used for acquiring subscription information from the unified data management module and verifying whether the request of the user equipment is in compliance;
if the user equipment is not authenticated and authorized, the session management function module is used for triggering an extensible identity authentication protocol to perform identity authentication so as to obtain authentication and authorization from the data network authentication server;
the session management function module is also used for sending an extensible identity authentication protocol data packet to the user equipment to request the identity information of the user so as to start to acquire the authentication information of the user;
the user equipment is also used for responding to the request of the session management function module after receiving the identity request information and sending the user identity information to the session management function module;
if the session management function module and the user plane function module do not establish the session connection of the protocol data unit, the session management function module is used for selecting one user plane function module and establishing a protocol data unit session with the user plane function module;
the session management function module is also used for forwarding an extensible identity authentication protocol data packet containing user identity information to a data network authentication server through the user plane function module;
the data network authentication server is used for retrieving a database of the data network authentication server through the user identity information to acquire a transmission layer security protocol authentication method, packaging information of an extensible identity authentication protocol request user equipment starting a transmission layer security protocol into an access challenge data packet and sending the access challenge data packet to a session management function network element;
the session management function network element is used for forwarding the message of the data network authentication server to the user equipment;
the user equipment is also used for sending EAP-Response/Client-Hello information to the data network authentication server through the session management function network element after receiving the information of starting the transport layer security protocol;
the data network authentication server is used for determining that a transport layer security protocol is established after receiving the EAP-Response/Client-Hello message, and then packaging an access challenge data packet containing the EAP-Response message of a plurality of transport layer security records and sending the access challenge data packet to the user equipment through the session management function network element;
the user equipment is also used for verifying the digital certificate of the data network authentication server and, if it is legal, for sending, through the session management function network element, its own digital certificate, a fixed-length random string encrypted with the public key of the data network authentication server, the encryption type the user equipment can support and a message indicating the end of the authentication message transmission to the data network authentication server;
the data network authentication server is also used for verifying the digital certificate of the user equipment and, if it is legal, for sending the encryption type the user equipment can support and a message indicating the end of the authentication message transmission to the user equipment through the session management function network element;
the user equipment is also used for sending, after receiving the message indicating the end of the authentication message transmission, an EAP-Response/TLS-ACK and a message indicating the end of the authentication message transmission to the data network authentication server through the session management function network element;
the data network authentication server is also used for sending the EAP-Success message to the session management function network element;
and the session management function network element is further configured to, after receiving the EAP-Success message, end the secondary authentication procedure, continuously execute the protocol data unit session establishment request program, wait for a new protocol data unit establishment request, and send the EAP-Success to the user equipment.
In summary, the working principle of the 5G secondary authentication system based on the EAP-TLS protocol disclosed in this embodiment is the same as the working principle of the above-mentioned 5G secondary authentication method based on the EAP-TLS protocol, and is not described herein again.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A 5G secondary authentication method based on an EAP-TLS protocol is characterized by comprising the following steps:
performing network access authentication on the user equipment through the authentication server function module;
after the authentication is passed, establishing non-access layer security context connection between the user equipment and the access and mobility management functional module;
establishing a protocol data unit session between the user equipment and the access and mobility management function;
establishing a protocol data unit session between the access and mobility management function module and a session management function module;
the session management function module acquires subscription information from a unified data management module and verifies whether the request of the user equipment is in compliance;
if the user equipment is not authenticated and authorized, the session management function module triggers an extensible identity authentication protocol to perform identity authentication so as to obtain authentication and authorization from a data network authentication server;
the session management function module sends an extensible identity authentication protocol data packet to the user equipment to request user identity information so as to start to acquire the authentication information of the user;
the user equipment responds to the request of the session management function module after receiving the identity request information and sends the user identity information to the session management function module;
if the session management function module and the user plane function module do not establish a protocol data unit session connection, the session management function module selects one user plane function module and establishes a protocol data unit session with the user plane function module;
the session management function module forwards an extensible identity authentication protocol data packet containing user identity information to the data network authentication server through the user plane function module;
the data network authentication server retrieves a database of the data network authentication server through user identity information to acquire a transmission layer security protocol authentication method, the data network authentication server encapsulates information of an extensible identity authentication protocol requesting the user equipment to start a transmission layer security protocol into an access challenge data packet and sends the access challenge data packet to the session management function network element, and the session management function network element forwards the information of the data network authentication server to the user equipment;
after receiving the message of starting the transport layer security protocol, the user equipment sends an EAP-Response/Client-Hello message to the data network authentication server through the session management function network element;
after receiving the EAP-Response/Client-Hello message, the data network authentication server determines that a transport layer security protocol is established, and then encapsulates an access challenge data packet containing the EAP-Response message of a plurality of transport layer security records and sends the access challenge data packet to the user equipment through a session management function network element;
the user equipment verifies the digital certificate of the data network authentication server, and if the digital certificate of the user equipment is legal, the digital certificate of the user equipment, a fixed-length random string encrypted by using a public key of the data network authentication server, an encryption type which can be supported by the user equipment and a message of authentication message sending end are sent to the data network authentication server through the session management function network element;
the data network authentication server verifies the digital certificate of the user equipment, and if the digital certificate of the user equipment is legal, the encryption type which can be supported by the user equipment and the message of the authentication message sending end are sent to the user equipment through the session management function network element;
after receiving the message of finishing the sending of the authentication message, the user equipment sends an EAP-Response/TLS-ACK message and the message of finishing the sending of the authentication message to the data network authentication server through the session management function network element;
the data network authentication server sends an EAP-Success message to the session management function network element;
and after receiving the EAP-Success message, the session management function network element finishes the secondary authentication process, continuously executes a protocol data unit session establishment request program, waits for a new protocol data unit establishment request and sends the EAP-Success to the user equipment.
2. The method of claim 1, wherein the performing network access authentication on the user equipment through the authentication server function module comprises:
the user equipment initiates an authentication request to an authentication server function module in the 5G network according to the identity authentication information in the global user identification card;
the authentication server function module performs identity authentication on identity authentication information sent by the user equipment by using a network access protocol, and allows the user equipment to access the network when the authentication passes.
3. The method of claim 1, wherein establishing a protocol data unit session between the user equipment and the access and mobility management function module comprises:
and the user equipment establishes a protocol data unit session with the access and mobility management functional module by sending a non-access layer message to the access and mobility management functional module.
4. The method of claim 1, wherein establishing a protocol data unit session between the access and mobility management function module and a session management function network element comprises:
and the access and mobility management function module uses a session management container between the user equipment and the access and mobility management function module as a bearer, and selects a session management function network element to send a protocol data unit session.
5. The method as claimed in claim 1, wherein the step of sending EAP-Response/Client-Hello message to the data network authentication server through the session management function network element after the user equipment receives the TLS protocol start message comprises:
and after receiving the message for starting the TLS protocol, the user equipment encapsulates EAP-Response/Client-Hello information into an access request data packet through the session management function network element and sends the access request data packet to the data network authentication server.
6. A 5G secondary authentication system based on EAP-TLS protocol is characterized by comprising: the system comprises user equipment, an access and mobility management function module, a session management function module, a user plane function module, an authentication server function module and a data network authentication server; wherein:
the authentication server function module is used for performing network access authentication on the user equipment;
the user equipment is used for establishing non-access layer security context connection with the access and mobility management functional module after the authentication is passed;
the user equipment is also used for establishing a protocol data unit session with the access and mobility management functional module;
the access and mobility management function module is used for establishing a protocol data unit session with the session management function module;
the session management function module is used for acquiring subscription information from the unified data management module and verifying whether the request of the user equipment is in compliance;
if the user equipment is not authenticated and authorized, the session management function module is used for triggering an extensible identity authentication protocol to perform identity authentication so as to obtain authentication and authorization from the data network authentication server;
the session management function module is further configured to send an extensible identity authentication protocol data packet to the user equipment to request user identity information, so as to start acquiring authentication information of a user;
the user equipment is also used for responding to the request of the session management function module after receiving the identity request information and sending the user identity information to the session management function module;
if the session management function module and the user plane function module do not establish a protocol data unit session connection, the session management function module is used for selecting one user plane function module and establishing a protocol data unit session with the user plane function module;
the session management function module is also used for forwarding an extensible identity authentication protocol data packet containing user identity information to the data network authentication server through the user plane function module;
the data network authentication server is used for retrieving a database of the data network authentication server through user identity information to acquire a transmission layer security protocol authentication method, and the data network authentication server encapsulates information of an extensible identity authentication protocol requesting the user equipment to start a transmission layer security protocol into an access challenge data packet and sends the access challenge data packet to the session management function network element;
the session management function network element is used for forwarding the message of the data network authentication server to the user equipment;
the user equipment is further configured to send an EAP-Response/Client-Hello message to the data network authentication server through the session management function network element after receiving a message for starting a transport layer security protocol;
the data network authentication server is used for determining that a transport layer security protocol is established after receiving the EAP-Response/Client-Hello message, and then packaging an access challenge data packet containing the EAP-Response message of a plurality of transport layer security records and sending the access challenge data packet to the user equipment through a session management function network element;
the user equipment is also used for verifying the digital certificate of the data network authentication server, and if the digital certificate of the user equipment is legal, the network element with the session management function is also used for sending the digital certificate of the user equipment, a fixed-length random string encrypted by using a public key of the data network authentication server, an encryption type which can be supported by the user equipment and a message of finishing sending the authentication message to the data network authentication server;
the data network authentication server is also used for verifying the digital certificate of the user equipment, and if the digital certificate of the user equipment is legal, the encryption type which can be supported by the user equipment and the message of the end of the authentication message sending are sent to the user equipment through the session management function network element;
the user equipment is further configured to send an EAP-Response/TLS-ACK and an authentication message sending end message to the data network authentication server through the session management function network element after receiving the authentication message sending end message;
the data network authentication server is also used for sending an EAP-Success message to the session management function network element;
the session management function network element is further configured to, after receiving the EAP-Success message, end the secondary authentication procedure, continuously execute the protocol data unit session establishment request procedure, wait for a new protocol data unit establishment request, and send the EAP-Success to the user equipment.
7. The system according to claim 6, wherein, when the user equipment is authenticated by the authentication server function module for network access, the user equipment is configured to initiate an authentication request to the authentication server function module according to the identity authentication information in the global user identification card;
the authentication server function module is used for performing identity authentication on identity authentication information sent by the user equipment by using a network access protocol, and when the authentication passes, the authentication server function module allows the user equipment to access the network.
8. The system according to claim 6, wherein when establishing a protocol data unit session between the user equipment and the access and mobility management function, the user equipment is configured to establish a protocol data unit session with the access and mobility management function by sending a non-access stratum message to the access and mobility management function.
9. The system according to claim 6, wherein when a protocol data unit session is established between said access and mobility management function module and a session management function network element, said access and mobility management function module is configured to select one session management function network element to send the protocol data unit session using a session management container between said user equipment and said access and mobility management function module as a bearer.
10. The system according to claim 6, wherein when the user equipment sends an EAP-Response/Client-Hello message to the data network authentication server through the session management function network element after receiving a TLS protocol start message, the user equipment is configured to encapsulate the EAP-Response/Client-Hello message into an access request packet through the session management function network element after receiving the TLS protocol start message, and send the access request packet to the data network authentication server.
CN202110790525.XA 2021-07-13 2021-07-13 5G secondary authentication method and system based on EAP-TLS protocol Pending CN113507705A (en)

Publications (1)

Publication Number Publication Date
CN113507705A true CN113507705A (en) 2021-10-15

Family

ID=78012573


Country Status (1)

Country | Link
CN | CN113507705A (en)


Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US20180317086A1 (en) * | 2017-01-27 | 2018-11-01 | Telefonaktiebolaget LM Ericsson (publ) | Secondary Authentication of a User Equipment
CN111669750A (en) * | 2019-03-07 | 2020-09-15 | 华为技术有限公司 (Huawei Technologies Co., Ltd.) | PDU session secondary verification method and device
CN110996322A (en) * | 2019-11-28 | 2020-04-10 | 楚天龙股份有限公司 (Chutian Dragon Co., Ltd.) | Method for realizing secondary authentication of terminal
CN112040481A (en) * | 2020-08-19 | 2020-12-04 | 广东电网有限责任公司广州供电局 (Guangzhou Power Supply Bureau, Guangdong Power Grid Co., Ltd.) | Secondary authentication method based on 5G communication gateway


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
QIANFANG HAO: "5G Secondary Authentication based on EAP-TLS Protocol", CTMCD *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN114124355A (en) * | 2021-11-19 | 2022-03-01 | 西安热工研究院有限公司 (Xi'an Thermal Power Research Institute Co., Ltd.) | Key authentication method based on extensible authentication protocol
CN114124355B (en) * | 2021-11-19 | 2024-01-23 | 西安热工研究院有限公司 (Xi'an Thermal Power Research Institute Co., Ltd.) | Key authentication method based on extensible authentication protocol
WO2023202337A1 (en) * | 2022-04-21 | 2023-10-26 | 华为技术有限公司 (Huawei Technologies Co., Ltd.) | Communication method and apparatus
CN115460606A (en) * | 2022-11-10 | 2022-12-09 | 之江实验室 (Zhejiang Lab) | Method and device for enhancing control plane security based on 5G core network
CN115460606B (en) * | 2022-11-10 | 2023-03-24 | 之江实验室 (Zhejiang Lab) | Method and device for enhancing security of control plane based on 5G core network

Similar Documents

Publication Publication Date Title
EP2445143B1 (en) Method and system for accessing a 3rd generation network
US11825303B2 (en) Method for performing verification by using shared key, method for performing verification by using public key and private key, and apparatus
US8468353B2 (en) Method, system and authentication centre for authenticating in end-to-end communications based on a mobile network
JP6732095B2 (en) Unified authentication for heterogeneous networks
KR100704675B1 (en) authentication method and key generating method in wireless portable internet system
CN113507705A (en) 5G secondary authentication method and system based on EAP-TLS protocol
AU2020200523B2 (en) Methods and arrangements for authenticating a communication device
CN112105021B (en) Authentication method, device and system
US20100161958A1 (en) Device for Realizing Security Function in Mac of Portable Internet System and Authentication Method Using the Device
CN104982053B (en) For obtaining the method and network node of the permanent identity of certification wireless device
CN104683343B (en) A kind of method of terminal quick registration Wi-Fi hotspot
WO2007104248A1 (en) Method, system, apparatus and bsf entity for preventing bsf entity from attack
WO2008011826A1 (en) Method and device to execute multiple authentications during one epa process
CN213938340U (en) 5G application access authentication network architecture
CN101272297A (en) EAP authentication method of WiMAX network user
WO2014117524A1 (en) Method and system for transmitting pairwise master key in wlan access network
WO2019196794A1 (en) Authentication method and device, and computer-readable storage medium
WO2004102883A1 (en) A kind of method to realize user authentication
JP6205391B2 (en) Access point, server, communication system, wireless communication method, connection control method, wireless communication program, and connection control program
CN116347445A (en) Security protocol channel establishment method, transmission method and system based on non-3GPP network element
CN115190450A (en) Internet of vehicles communication method and system for establishing TLS channel based on V2X certificate
WO2013064040A1 (en) Combined authentication method and system for ims sso
CN117714125A (en) SSL VPN terminal authentication method and system based on user security level
WO2011017851A1 (en) Method for accessing message storage server securely by client and related devices

Legal Events

Date | Code | Title | Description
2021-10-15 | PB01 | Publication |
 | SE01 | Entry into force of request for substantive examination |
 | RJ01 | Rejection of invention patent application after publication |

Application publication date: 2021-10-15