CN113783703A - Satellite network terminal security access authentication method, device and system - Google Patents


Info

Publication number
CN113783703A
Authority
CN
China
Prior art keywords
parameter
token
terminal
information
verification
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111323181.8A
Other languages
Chinese (zh)
Other versions
CN113783703B (en)
Inventor
许晋
王丽敏
裴玉奎
殷柳国
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tsinghua University
Original Assignee
Tsinghua University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tsinghua University
Priority to CN202111323181.8A
Publication of CN113783703A
Application granted
Publication of CN113783703B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04B TRANSMISSION
    • H04B7/00 Radio transmission systems, i.e. using radiation field
    • H04B7/14 Relay systems
    • H04B7/15 Active relay systems
    • H04B7/185 Space-based or airborne stations; Stations for satellite systems
    • H04B7/18578 Satellite systems for providing broadband data service to individual earth stations
    • H04B7/18593 Arrangements for preventing unauthorised access or for providing user protection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/42 Anonymization, e.g. involving pseudonyms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80 Wireless
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W84/00 Network topologies
    • H04W84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/04 Large scale networks; Deep hierarchical networks
    • H04W84/06 Airborne or Satellite Networks

Abstract

The invention discloses a method, a device and a system for security access authentication of a satellite network terminal. Once the terminal has successfully registered with the security management and control center, if it needs to access the satellite network it generates access authentication request information and sends it to the satellite communication base station. The access authentication request information includes at least anonymous identity information, a first token parameter and a second token verification parameter, where the anonymous identity information and the first token parameter are generated from the real identity of the terminal, and the second token verification parameter is generated from the second token parameter and a related authentication request parameter. The satellite communication base station verifies the authentication request information according to the preset relationship between the second token verification parameter and the first token parameter. If the verification passes, it generates authentication response information and sends it to the corresponding terminal for verification. In this way the main access authentication computation is moved forward to the satellite communication base station, which effectively reduces the authentication transmission delay and improves access authentication performance.

Description

Satellite network terminal security access authentication method, device and system
Technical Field
The invention relates to the field of satellite communication, in particular to a method, a device and a system for authenticating the safe access of a satellite network terminal.
Background
With the development of communication technology, the application of satellite communication is more and more extensive, and a terminal needs to perform access authentication before accessing a satellite network for communication.
In the prior art, access authentication is usually performed in one of two ways. The first is central authentication, that is, access authentication performed by the security management and control center; in this way the terminal must transmit the authentication request information to the security management and control center via the satellite base station and the satellite, so the data transmission path is complex and a large authentication transmission delay is easily produced. The second is authentication by the satellite itself, but satellite resources are limited and constrained by the requirement that authentication be lightweight, so sufficient security strength is difficult to guarantee. These drawbacks of the existing authentication methods may affect access authentication performance and user experience.
Disclosure of Invention
In view of this, the embodiment of the invention discloses a method, a device and a system for secure access authentication of a satellite network terminal, which reduce the transmission delay of access authentication and improve the access authentication performance and user experience.
The embodiment of the invention discloses a security access authentication method for a satellite network terminal, which is applied to a satellite network system, wherein the satellite network system comprises: the system comprises a terminal, a satellite base station, a satellite and a safety control center; the method comprises the following steps:
after the terminal successfully registers in the security management and control center, if the satellite network needs to be accessed, access authentication request information is generated and sent to the satellite communication base station; the access authentication request information at least includes: anonymous identity information, a first token parameter and a second token verification parameter, wherein the anonymous identity information and the first token parameter are generated according to a real identity of the terminal, and the second token verification parameter is generated according to the second token parameter and a related authentication request parameter;
the satellite communication base station verifies the authentication request information based on the relation between a preset second token verification parameter and a first token parameter;
and if the authentication request information is verified by the satellite communication base station, feeding back access authentication response information to the terminal.
Optionally, the method further includes:
if the terminal is in initial network access application, generating registration request information, and sending the registration request information to a security management and control center through a pre-established security channel;
the security management and control center verifies the received registration request information and generates a real identity identifier, a first token parameter and a second token parameter of the terminal under the condition that the verification is passed; the second token parameter is related to a private key of a security control center and a first token parameter, and the first token parameter is related to a terminal real identity;
the security management and control center sends registration response information containing the second token parameter and the real identity of the terminal to the terminal through the security channel;
and the terminal calculates a first token parameter and a second token parameter according to the received real identity identifier in the registration response information, verifies the relation between the first token parameter and the second token parameter, and stores the real identity identifier, the first token parameter and the second token parameter.
Optionally, the verifying, by the satellite communication base station, of the authentication request information based on the relationship between the preset second token verification parameter and the first token parameter includes:
generating a second token checking parameter based on the second token parameter and the related authentication request parameter;
and detecting whether the first token parameter, the second token verification parameter and the related authentication request parameter meet the preset relationship between the first token parameter and the second token verification parameter.
Optionally, the generating the real identity identifier and the second token parameter of the terminal includes:
performing hash operation on the registration request information and a private key of a security control center to obtain a real identity of the terminal;
obtaining a pre-generated token public parameter and an effective period of the token public parameter;
performing hash operation on the real identity identifier, the token public parameter and the valid period of the token public parameter to obtain a first token parameter;
and generating a second token parameter based on the first token parameter and a private key of a security management and control center.
Optionally, the method further includes:
after receiving the access authentication response information of the satellite communication base station, the terminal verifies the access authentication response information, and if the access authentication response information passes the verification, the terminal prepares to access the satellite network; the access authentication response information includes at least a response value generated based on the second token verification parameter, the first token parameter, and the anonymous identity information.
Optionally, the method further includes:
the satellite communication base station generates authentication and verification information and sends the authentication and verification information to the satellite; the authentication check information at least includes: anonymous identity information and a first token parameter;
the satellite checks the source and integrity of the received authentication check information, and sends the authentication check information carrying the satellite network identifier to a safety control center under the condition that the check is passed;
and the safety control center verifies the identity of the terminal based on the authentication verification information, and records the corresponding relation between the anonymous identity information and the real identity identification of the terminal under the condition that the identity verification of the terminal passes.
Optionally, the method further includes:
and if the identity verification of the terminal fails, the security control center sends authentication verification abnormal response information and cancels the access right of the corresponding terminal.
The embodiment of the invention discloses a security access authentication device of a satellite network terminal, which is applied to a satellite network system, wherein the satellite network system comprises:
the system comprises a terminal, a satellite base station, a satellite and a safety control center;
the device comprises:
the authentication request generating unit is used for generating access authentication request information and sending the authentication request information to the satellite network if the satellite network is required to be accessed after the terminal is successfully registered in the security management and control center; the authentication request information includes at least: anonymous identity information, a first token parameter and a second token verification parameter, wherein the anonymous identity information and the first token parameter are generated according to a real identity of the terminal, and the second token verification parameter is generated according to the second token parameter and a related authentication request parameter;
the first verification unit is used for verifying the authentication request information based on the relation between a preset second token verification parameter and a first token parameter after the satellite communication base station receives the authentication request information;
and the feedback unit is used for calculating authentication response information and feeding back the authentication response information to the terminal if the authentication request information is verified by the satellite communication base station.
Optionally, the device further includes:
the registration request information generating unit is used for generating registration request information if the terminal is applied for network access for the first time and sending the registration request information to the security management and control center;
the registration request information verification unit is used for verifying the received registration request information by the security management and control center and generating a real identity identifier, a first token parameter and a second token parameter of the terminal under the condition that the verification is passed; the first token parameter is related to the real identity of the terminal; the second token parameter is related to a private key of the security management and control center and the first token parameter.
The sending unit is used for sending the second token parameter and the real identity identifier of the terminal to the terminal by the security control center;
and the registration response information verification unit is used for verifying the second token parameter and the real identity of the terminal by the terminal.
The embodiment of the invention discloses a satellite network system, which comprises:
the system comprises a terminal, a satellite base station, a satellite and a safety control center;
the terminal is used for generating access authentication request information if a satellite network needs to be accessed after the terminal is successfully registered in the security management and control center, and sending the access authentication request information to the satellite communication base station; the access authentication request information at least includes: anonymous identity information, a first token parameter and a second token verification parameter, wherein the anonymous identity information and the first token parameter are generated according to a real identity of the terminal, and the second token verification parameter is generated according to the second token parameter and related access authentication information;
the satellite communication base station is used for verifying the authentication request information based on the relation between a preset second token verification parameter and a first token parameter, and feeding authentication response information back to the terminal if the authentication request information is verified;
the satellite is used for carrying out source and integrity verification on the authentication verification information sent by the satellite base station after the terminal passes the initial access authentication of the satellite base station, and forwarding the authentication verification information to the security management and control center if the verification is passed;
the safety control center is used for configuring information related to identity authentication for each network node in the satellite network system when the system is initialized, configuring system parameters in advance, distributing the system parameters to each network node in the satellite network system, and configuring a unique real identity identifier, a first token parameter and a second token parameter for the terminal when the terminal applies for network access for the first time.
The embodiment of the invention discloses a method, a device and a system for security access authentication of a satellite network terminal. When the terminal has successfully registered with the security management and control center and needs to access the satellite network, it generates access authentication request information and sends it to the satellite communication base station, which verifies it. The access authentication request information includes at least anonymous identity information, a first token parameter and a second token verification parameter, where the anonymous identity information and the first token parameter are generated from the real identity of the terminal, and the second token verification parameter is generated from the second token parameter and a related authentication request parameter. The satellite communication base station verifies the access authentication request information according to the relationship between the preset second token verification parameter and the first token parameter. Therefore, in this embodiment the access authentication is moved forward, that is, performed by the satellite communication base station; since the transmission distance between the terminal and the satellite communication base station is relatively short, the authentication transmission delay is effectively reduced and the access authentication performance is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is an interaction diagram illustrating a satellite network terminal secure access authentication according to embodiment 1 of the present invention;
fig. 2 is a schematic flowchart illustrating a method for authenticating a secure access of a satellite network terminal according to embodiment 2 of the present invention;
fig. 3 is a schematic flowchart illustrating a satellite network terminal authentication verification method according to embodiment 3 of the present invention;
fig. 4 is a flowchart illustrating a terminal registration method according to embodiment 4 of the present invention;
fig. 5 is a schematic structural diagram illustrating a satellite network terminal secure access authentication apparatus according to embodiment 5 of the present invention;
fig. 6 is a schematic structural diagram illustrating a satellite network system according to embodiment 6 of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
Referring to fig. 1, an interaction diagram of a satellite network terminal secure access authentication provided in embodiment 1 of the present invention is shown, in this embodiment, the method includes:
s101: if the terminal is in initial network access application, generating registration request information, and sending the registration request information to a security management and control center;
In this embodiment, the registration request information of the terminal includes related information representing the identity of the terminal, for example the terminal equipment number ID_e and the terminal check information info; the registration request information of the terminal is not limited to these two kinds of information.
In this embodiment, the channel through which the terminal sends the registration request information to the security management and control center may include multiple channels, for example, a satellite communication network, a ground communication network with sufficient security protection mechanisms and trusted functions, or a manual registration channel of the offline entity security management and control center, and the like.
S102: the security management and control center verifies the received registration request information and generates a real identity identifier, a first token parameter and a second token parameter of the terminal under the condition that the verification is passed; the first token parameter is related to a terminal real identity identifier, and the second token parameter is related to the first token parameter and a private key of a security control center;
in this embodiment, the security management and control center may verify the uniqueness and authenticity of the terminal through the registration request information, for example, if the registration request information includes: terminal equipment number IDeAnd the terminal checks the information info, the ID can be numbered by the terminal equipmenteChecking and verifying whether the terminal equipment is applied for the first time or not; the authenticity of the terminal is checked according to the terminal check information info;and when the terminal is the first application and the verification information of the terminal is the real situation, the verification is passed.
In this embodiment, the security management and control center generates a real identity identifier and token parameters for the terminal when the registration request information of the terminal passes verification. The real identity identifier is information uniquely representing the identity of the terminal and is denoted UID. Besides the token common parameter K pre-configured by the system and its validity period LT, the token parameters mainly include a first token parameter α and a second token parameter θ, where α is related to the real identity UID of the terminal, and θ is related to α and the private key of the security management and control center.
In this embodiment, the real identity UID of the terminal may be calculated in multiple ways, which this embodiment does not limit. To improve operational efficiency, a hash method may optionally be used: for example, the registration request information reg (which carries the factory number ID_e of the terminal device) and the private key of the security management and control center are hashed together to obtain the real identity of the terminal, for example according to the following formula 1):
1) UID = hash(SK_SMCC || reg);
where UID is the real identity identifier configured for the terminal by the security management and control center, hash is a hash algorithm, SK_SMCC is the private key of the security management and control center, reg is the registration request information such as the terminal equipment number ID_e, and || denotes string concatenation.
Optionally, in this embodiment, the calculating process of the first token parameter α includes:
acquiring a pre-generated token common parameter K and a validity period LT corresponding to the K;
and carrying out hash operation on the real identity UID, the token public parameter K and the validity period LT of the token public parameter to obtain a first token parameter alpha.
The token common parameter K is generated from a first random number k generated by the security management and control center, as expressed in formula 2):
2) K = k·G;
For example, α can be calculated by the following formula 3):
3) α = H(UID || K || LT);
where UID is the real identity of the terminal, K = k·G is the token common parameter, k is the first random number generated by the security management and control center, G is a generator of the cyclic additive group, and LT is the validity period configured for the token common parameter K by the security management and control center.
The second token parameter is determined based on the first token parameter and a private key of the security management and control center, and optionally, the following formula 4) may be used for calculation:
4) θ = α·SK_SMCC + k mod n;
It should be noted that the security management and control center selects in advance a sufficiently large system security parameter n and a cyclic additive group GROUP_n of order n with generator G; it also selects a secure random number SK_SMCC as the private key and computes PK_SMCC = SK_SMCC·G as the corresponding public key.
It should be further understood that the security management and control center broadcasts the token common parameters LT and K, so that the terminal, the satellite base station, and the satellite can all receive the token common parameters. In addition, in order to ensure the security of the information, in this embodiment, the security management and control center may periodically update the token common parameter, and periodically broadcast the updated token common parameter.
S103: the security management and control center sends the second token parameter and the real identity of the terminal to the terminal;
in this embodiment, as can be seen from the above description, the main token parameters generated by the security management and control center include: the security management and control system comprises a first token parameter alpha and a second token parameter theta, wherein the security management and control center sends the second token parameter theta and the real identity UID of the terminal to the terminal.
In this embodiment, if the registration request information includes related information indicating the identity of the terminal device, for example, a factory number of the terminal device, the factory number and a corresponding real identity are recorded.
S104: the terminal verifies the second token parameter and the real identity of the terminal;
in this embodiment, after receiving the second token parameter θ and the real identity UID of the terminal sent by the security management and control center, the terminal calculates the first token parameter α according to the real identity UID of the terminal, which may specifically be calculated by the above formula 3), where LT and K are token common parameters pre-configured by the security management and control center.
In this embodiment, after receiving the registration response message including the real identity identifier and the second token parameter sent by the security management and control center, the terminal may verify the received information.
Optionally, the terminal may verify the real identity and the related token parameter according to the preset relationship between the first token parameter and the second token parameter; for example, formula 3) above may be combined with the following formula 5) to verify the real identity and the token parameter of the terminal:
5) θ·G = α·PK_SMCC + K;
If formula 5) holds, the real identity identifier and the token parameter are correct.
Here θ is the second token parameter, G is the generator, α is the first token parameter, PK_SMCC is the public key of the security management and control center, and K is the token common parameter.
It should be noted that the private key of the security management and control center may be denoted SK_SMCC, and the public key is calculated from it by the following formula 6):
6) PK_SMCC = SK_SMCC·G;
under one embodiment, the true identity and token parameters may be verified by a method comprising:
generating a first token parameter based on the real identity and the public token parameter;
verifying the first token parameter and the second token parameter according to the relationship between the first token parameter and the second token parameter;
if the verification is passed, the received real identity and the token parameter are correct.
In this embodiment, the terminal generates the authentication token once the received second token parameter and real identity identifier pass verification. The authentication token parameters collectively include the token common parameter K, its validity period LT, the first token parameter α and the second token parameter θ; for example, the authentication token is denoted AUTH = {LT, K, α, θ}. The terminal then securely stores the authentication token and the real identity identifier.
S105: when a terminal needs to access a satellite network, generating access authentication request information, and sending the access authentication request information to a satellite communication base station; the access authentication request information at least includes: anonymous identity information, a first token parameter and a second token verification parameter, wherein the anonymous identity information and the first token parameter are generated according to a real identity of the terminal, and the second token verification parameter is generated according to the second token parameter and a related access authentication parameter;
In this embodiment, the real identity of the terminal is generated by the security management and control center and uniquely identifies the terminal. To avoid leaking it, the terminal hides the real identity and generates anonymous identity information, which may be computed from the real identity of the terminal, a second random number generated by the terminal, and the public key of the security management and control center, for example according to formula 7):
7) $PID = UID \oplus hash(r_u \cdot PK_{SMCC})$;
where $PID$ is the anonymous identity information, $UID$ is the real identity, $r_u$ is the second random number generated by the terminal, $PK_{SMCC}$ is the public key of the security management and control center, and $hash$ denotes a hash operation.
In this embodiment, the second token verification parameter is generated based on the second token parameter and the authentication request parameter, where in an implementation, the method for generating the second token verification parameter includes: generating a second token check parameter based on the second token parameter and the related access authentication parameter;
For example, the second token verification parameter may be calculated by the following formulas 8)-10):
8) $R_u = r_u \cdot G$;
9) $\beta = H(T_1 \| R_u \| PID \| \alpha)$;
10) $\lambda = \theta + \beta r_u \bmod n$;
where $r_u$ is the second random number generated by the terminal, $R_u$ is the corresponding parameter generated from it, $T_1$ is a first timestamp generated by the terminal, $G$ is the generator, $H$ denotes a hash operation, $\bmod$ denotes the remainder operation, $\lambda$ is the second token verification parameter, and $\beta$ is an intermediate parameter obtained by hashing the related authentication request parameters, namely $T_1$, $R_u$, $PID$ and $\alpha$.
Furthermore, the anonymous identity information, the first token parameter and the second token verification parameter of the terminal may be encrypted with the public key of the satellite communication base station: the plaintext is formed as $X_u = PID \| \alpha \| \lambda$, and $X_u$ is encrypted with an asymmetric encryption algorithm under the public key of the satellite communication base station to obtain the ciphertext $X$.
S106: the satellite communication base station verifies the authentication request information based on the relation between a preset second token verification parameter and a first token parameter;
In this embodiment, as described above, the anonymous identity information, the first token parameter and the second token verification parameter in the access authentication request information may be encrypted with the public key of the satellite communication base station, the ciphertext being denoted $X$; the satellite communication base station decrypts $X$ with its own private key to obtain $X_u$.
In this embodiment, in an implementation manner, S106 may be verified by the following method:
generating a second token verification parameter based on the relevant authentication request parameter and the first token parameter in the access authentication request information;
detecting whether the first token parameter, the second token verification parameter and the related authentication request parameter meet the preset relationship between the first token parameter and the second token verification parameter;
if the first token parameter and the second token verification parameter meet the preset relationship between the first token parameter and the second token verification parameter, the authentication request information is legal;
and if the first token parameter and the second token verification parameter do not meet the preset relationship between the first token parameter and the second token verification parameter, the authentication request information is illegal.
Alternatively, the authentication request information may be verified by the following formula 11):
11) $\lambda G = \alpha PK_{SMCC} + K + \beta R_u$;
if formula 11) holds, the verification passes; otherwise it fails.
Here $\lambda$ is the second token verification parameter, $G$ is the generator, $\alpha$ is the first token parameter, $PK_{SMCC}$ is the public key of the security management and control center, $K$ is the authentication token public parameter, $\beta$ is the intermediate parameter, and $R_u$ is the authentication parameter corresponding to the random number generated by the terminal; $\beta$ is computed from the anonymous identity information, the first token parameter and the related authentication request parameters as in formula 9).
It should be noted that formula 11) follows from formulas 5), 8) and 10): $\lambda G = \theta G + \beta r_u G = (\alpha PK_{SMCC} + K) + \beta R_u$.
Further, the satellite communication base station can check the freshness of the access authentication request information against the first timestamp sent by the terminal, so as to resist replay of the request.
S107: if the satellite communication base station passes the verification of the access authentication request information, feeding back access authentication response information to the terminal; the access authentication response information at least comprises a response value, and the response value is generated based on the access authentication request information, a timestamp of the satellite-based access base station side and a random number;
in this embodiment, as can be seen from the above description, the access authentication request information sent by the terminal to the satellite base station may be encrypted, and then the satellite base station needs to decrypt in advance to obtain the access authentication request information.
In this embodiment, if the satellite communication base station verifies the authentication request information, it generates a second timestamp and a third random number and computes a response value from the second timestamp, the third random number and the decrypted access authentication request parameters, for example according to formula 12):
12) $RES = H(T_2 \| r_{STB} \| X_u)$;
where $T_2$ is the second timestamp, $r_{STB}$ is the third random number generated by the satellite communication base station, and $X_u$ is the decrypted access authentication request parameter.
in this embodiment, the access authentication response information may include, in addition to the response value: the second timestamp and the third random number generated by the satellite communication base station.
In addition, the satellite communication base station needs to store the anonymous identity information PID of the terminal so as to grant the terminal network access.
In this embodiment, when the satellite communication base station finds the access authentication request information valid, the terminal has passed basic access authentication, that is, the legitimate terminal has the right to access the satellite network.
S108: and the terminal verifies the access authentication response information after receiving the access authentication response information from the satellite communication base station, and if the access authentication response information passes the verification, the terminal finishes the authentication of the satellite communication base station.
In this embodiment, the terminal may generate a target response value from the anonymous identity information, the first token parameter and the second token verification parameter, combined with the second timestamp and the third random number in the received access authentication response message, and compare the response value fed back by the satellite communication base station with the target response value; if the two are identical, the access authentication response information comes from a legitimate satellite communication base station and is correct and complete.
In this embodiment, the terminal sends access authentication request information to the satellite base station, after authentication of the satellite base station is completed, access authentication response information is fed back to the terminal, and if verification of the access authentication response information is successful, bidirectional authentication is completed, and the terminal can prepare for accessing the satellite network, so that only two rounds of interaction are required between the terminal and the satellite base station, and access authentication of the terminal can be completed. The interaction times of the terminal and the satellite communication base station are reduced.
S109: the satellite communication base station generates authentication and verification information, and forwards the authentication and verification information to a safety control center through a satellite; the authentication check information at least includes: anonymous identity information, a first token parameter, a corresponding parameter generated by a second random number;
In this embodiment, in addition to the anonymous identity information, the first token parameter and the corresponding parameter generated by the second random number, the authentication check information includes the network identifier and the message signature of the satellite communication base station, and is expressed as $\langle ID_{STB}, X_{STB}, SIGN_{STB} \rangle$, where $X_{STB}$ is the ciphertext obtained by the satellite communication base station encrypting the anonymous identity information, the first token parameter and the corresponding parameter generated by the second random number; $ID_{STB}$ is the network identifier of the satellite communication base station; and $SIGN_{STB}$ is the digital signature of the satellite communication base station over $ID_{STB} \| X_{STB}$.
S110: the satellite verifies the source and integrity of the received authentication verification information, and sends the authentication verification information carrying the satellite network identifier to the safety control center under the condition that the verification is passed;
in this embodiment, the satellite may check the integrity of the received information in various ways, which is not limited in this embodiment.
In one embodiment, the source and integrity of the authentication check message may be detected by verifying the message signature, which may include:
determining a public key of the satellite communication base station according to the network identifier of the satellite communication base station;
and verifying the message signature sent by the satellite communication base station based on the public key of the satellite communication base station.
If the authentication check information is found to come from a legitimate satellite communication base station and its content is complete, the satellite replaces the network identifier of the satellite communication base station in the authentication check information with its own network identifier, recomputes the message signature, and replaces the message signature of the satellite communication base station with the satellite's; the authentication check information sent to the security management and control center can then be expressed as $\langle ID_{SAT}, X_{STB}, SIGN_{SAT} \rangle$, where $ID_{SAT}$ is the network identifier of the satellite, $X_{STB}$ is the encrypted authentication check parameter, and $SIGN_{SAT}$ is the digital signature of the satellite over $ID_{SAT} \| X_{STB}$.
In addition, the satellite needs to store anonymous identity information of the terminal so as to provide network access authority for the terminal.
S111: and the safety control center verifies the identity of the terminal based on the authentication verification information, and records the corresponding relation between the anonymous identity information and the real identity identification of the terminal under the condition that the identity verification of the terminal passes.
In this embodiment, the authentication and verification information at least includes: the first token parameter and the anonymous identity information, and verifying the identity of the terminal based on the first token parameter and the anonymous identity information, specifically, S111 includes:
calculating the real identity identification of the terminal according to the anonymous identity information;
calculating a first token parameter based on the real identity of the terminal;
matching the first token parameters obtained by calculation of the security management and control center with the received first token parameters;
and if the first token parameter calculated by the security management and control center is matched with the received first token parameter, the identity verification of the terminal is passed.
In this embodiment, the security management and control center stores the correspondence between the anonymous identity information of the terminal and the real identity identifier, so as to prevent an illegal behavior of a legal terminal after accessing the satellite network.
Further, if the terminal has an illegal condition, the security management and control center may obtain a corresponding real terminal identity identifier by combining the illegal anonymous identity information and the stored correspondence, so as to take relevant access management and control measures.
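The flow of Example 1, from token issuance through the access request, the base-station check of formula 11), the response value and the de-anonymisation at the security management and control center, as an added worked example (not code from the patent). The page fixes neither the curve nor the hash nor how θ is derived, so the example assumes secp256k1, SHA-256, α = H(UID‖K‖LT) (consistent with the hash described in Example 2), θ = k + α·SK_SMCC mod n with K = k·G and a fresh k per issued token, which is the direct way to make formula 5) hold, and UID as the hash of the registration data with SK_SMCC as in Example 4. The public-key encryption of X_u and the signature chain of S109/S110 are left out; all identifiers and sample values are constructed.

```python
"""Model of the token-based access authentication of Example 1 (registration, S105-S108, S111).

Added example, not code from the patent.  Assumptions: secp256k1, SHA-256 for H/hash,
alpha = H(UID || K || LT), theta = k + alpha * SK_SMCC mod n with K = k * G and a fresh
k per token (this is what makes formula 5 hold), UID = hash(registration data || SK_SMCC)
as in Example 4, and plain byte concatenation for ||.  Encryption of X_u and the
signatures of S109/S110 are omitted.
"""
import hashlib
import secrets

# secp256k1 domain parameters (assumed; the patent names no curve)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        s = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        s = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (s * s - a[0] - b[0]) % P
    return (x, (s * (a[0] - x) - a[1]) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc


def enc(pt): return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")  # point -> bytes
def i2b(x): return x.to_bytes(32, "big")
def H(*parts): return hashlib.sha256(b"".join(parts)).digest()  # H(a||b||..), plain concat (assumed)
def Hn(*parts): return int.from_bytes(H(*parts), "big") % N      # hash taken as a scalar mod n
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def rand_scalar(): return secrets.randbelow(N - 1) + 1


def smcc_issue_token(sk_smcc, id_e, info, LT):
    """S402 / Example 4: real identity plus first and second token parameters."""
    uid = H(id_e, info, i2b(sk_smcc))             # UID = hash(reg || SK_SMCC)
    k = rand_scalar()                             # fresh per token: a shared k would
    K = ec_mul(k, G)                              # let two thetas reveal sk_smcc
    alpha = Hn(uid, enc(K), LT)                   # first token parameter
    theta = (k + alpha * sk_smcc) % N             # second token parameter
    return uid, (LT, K, alpha, theta)


def terminal_check_token(pk_smcc, token):
    """Formula 5: theta * G == alpha * PK_SMCC + K."""
    LT, K, alpha, theta = token
    return ec_mul(theta, G) == ec_add(ec_mul(alpha, pk_smcc), K)


def terminal_access_request(uid, token, pk_smcc, T1):
    """S105, formulas 7-10.  Returns the request fields and the plaintext X_u."""
    LT, K, alpha, theta = token
    r_u = rand_scalar()                           # second random number
    R_u = ec_mul(r_u, G)                          # formula 8
    pid = xor(uid, H(enc(ec_mul(r_u, pk_smcc))))  # formula 7
    beta = Hn(T1, enc(R_u), pid, i2b(alpha))      # formula 9
    lam = (theta + beta * r_u) % N                # formula 10
    X_u = pid + i2b(alpha) + i2b(lam)             # PID || alpha || lambda
    return dict(pid=pid, alpha=alpha, lam=lam, K=K, LT=LT, R_u=R_u, T1=T1), X_u


def stb_verify_request(req, pk_smcc, now, max_skew=30):
    """S106: freshness of T1, then formula 11 over public values only."""
    if abs(now - int(req["T1"])) > max_skew:
        return False                              # stale timestamp: treat as replay
    beta = Hn(req["T1"], enc(req["R_u"]), req["pid"], i2b(req["alpha"]))
    rhs = ec_add(ec_add(ec_mul(req["alpha"], pk_smcc), req["K"]),
                 ec_mul(beta, req["R_u"]))
    return ec_mul(req["lam"], G) == rhs


def response_value(T2, r_stb, X_u):
    """Formula 12; the terminal recomputes it over its own X_u (S108)."""
    return H(T2, r_stb, X_u)


def smcc_verify_terminal(sk_smcc, pid, alpha, R_u, K, LT):
    """S111: SK_SMCC * R_u == r_u * PK_SMCC, so the mask of formula 7 is recomputable."""
    uid = xor(pid, H(enc(ec_mul(sk_smcc, R_u))))
    return uid if Hn(uid, enc(K), LT) == alpha else None


def run_protocol(now=1700000000):
    """One complete pass; returns (formula5_ok, formula11_ok, stb_authenticated, uid_recovered)."""
    sk_smcc = rand_scalar()
    pk_smcc = ec_mul(sk_smcc, G)                  # formula 6
    uid, token = smcc_issue_token(sk_smcc, b"IMEI-0001", b"constructed-info", b"20261231")
    req, X_u = terminal_access_request(uid, token, pk_smcc, str(now).encode())
    T2, r_stb = str(now + 1).encode(), secrets.token_bytes(32)
    res = response_value(T2, r_stb, X_u)          # sent to the terminal with T2, r_stb
    rec = smcc_verify_terminal(sk_smcc, req["pid"], req["alpha"], req["R_u"], req["K"], req["LT"])
    return (terminal_check_token(pk_smcc, token), stb_verify_request(req, pk_smcc, now),
            response_value(T2, r_stb, X_u) == res, rec == uid)
```

Note what each party learns: the satellite communication base station checks formula 11) with public values only and never sees UID, while the security management and control center recovers UID because SK_SMCC·R_u equals r_u·PK_SMCC, the mask used in formula 7). The timestamp window in stb_verify_request is the freshness check of S106; within that window a deployment would also have to remember seen (PID, T1) pairs to reject a repeated request, which the page does not spell out. The fresh k per token is deliberate for the assumed θ construction: with one shared k, two issued θ values would differ by (α1 − α2)·SK_SMCC and expose the private key.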
In this embodiment, after the terminal has successfully registered with the security management and control center, when it needs to access the satellite network it generates access authentication request information and sends it to the satellite communication base station, which verifies the access authentication request information. The access authentication request information at least includes anonymous identity information, a first token parameter and a second token verification parameter, where the anonymous identity information and the first token parameter are generated from the real identity of the terminal, and the second token verification parameter is generated from the second token parameter and the related authentication request parameters. The satellite communication base station verifies the access authentication request information using the preset relationship between the second token verification parameter and the first token parameter. In this embodiment the access authentication is therefore moved forward, that is, performed by the satellite communication base station, and since the transmission distance between the terminal and the satellite communication base station is relatively short, the transmission delay is effectively reduced and access authentication performance is improved.
And the terminal and the satellite communication base station perform two rounds of authentication interaction, so that access authentication is basically realized, and the interaction times of the terminal and the satellite communication base station are reduced.
In addition, the satellite and the safety control center do not need to perform complex verification operation, and only light-weight verification is needed, so that the calculation processing overhead of the satellite is reduced.
Example 2:
referring to fig. 2, a schematic flowchart of a method for authenticating a secure access of a satellite network terminal according to embodiment 2 of the present invention is shown, where in this embodiment, the satellite network system includes:
the system comprises a terminal, a satellite base station, a satellite and a safety control center;
the method comprises the following steps:
s201: after the terminal successfully registers in the security management and control center, when the terminal needs to access a satellite network, generating access authentication request information and sending the access authentication request information to a satellite communication base station; the access authentication request information at least includes: anonymous identity information, a first token parameter and a second token verification parameter, wherein the anonymous identity information and the first token parameter are generated according to a real identity of the terminal, and the second token verification parameter is generated according to the second token parameter and a related access authentication parameter;
in this embodiment, the terminal needs to register with the security management and control center before performing access authentication, and after the registration is successful, access authentication request information may be generated when the terminal needs to access the satellite network. The process of registering the terminal with the security management and control center will be described below, and details are not described in this embodiment. It should be noted that, after the terminal is successfully registered, the real identity, the first token parameter, and the second token parameter configured by the security management and control center may be obtained.
In this embodiment, the access authentication request information at least includes anonymous identity information, a first token parameter, and a second token verification parameter, where the anonymous identity information may be generated according to a real identity of the terminal, and in an implementation, the real identity of the terminal and a second random number generated by the terminal may be used as parameters for calculating the anonymous identity information, for example, the anonymous identity information may be calculated by the above formula 7). The first token parameter is also calculated based on the real identity, and in one embodiment, the first token parameter may be calculated by the real identity of the terminal, the public parameter of the authentication token, and the validity period corresponding to the public parameter of the authentication token, for example, hash operation may be performed on the real identity, the public parameter of the authentication token, and the validity period of the public parameter of the authentication token to obtain the first token parameter; the second token verification parameter is calculated based on the second token parameter and the parameters related to the access authentication request (as shown in equations 9 and 10 above).
S202: the satellite communication base station verifies the access authentication request information based on the relation between a preset second token verification parameter and a first token parameter;
In this embodiment, the satellite communication base station holds a preset relationship between the second token verification parameter and the first token parameter, and may verify the authentication request information sent by the terminal according to that relationship; optionally, S202 includes:
calculating a second token verification parameter based on the second token parameter and the related access authentication request parameter;
detecting whether the first token parameter and the second token verification parameter meet the preset relationship between the first token parameter and the second token verification parameter;
if the first token parameter and the second token verification parameter meet the preset relationship between the first token parameter and the second token verification parameter, the authentication request information is legal;
and if the first token parameter and the second token verification parameter do not meet the preset relationship between the first token parameter and the second token verification parameter, the authentication request information is illegal.
In this embodiment, the second token verification parameter is calculated based on the second token parameter and the access authentication request related parameter. In this embodiment, the first token parameter and the second token verification parameter sent by the received terminal may be verified according to a preset corresponding relationship between the second token verification parameter and the first token parameter, for example, the access authentication request information may be verified according to the above formula 11), and if the access authentication request information passes the verification, the access authentication request information is legal.
S203: if the satellite communication base station passes the verification of the access authentication request information, feeding back access authentication response information to the terminal;
In this embodiment, if the authentication request information is verified by the satellite communication base station, the legitimate terminal has the right to access the satellite network.
In this embodiment, the step of feeding back the authentication response information to the terminal by the satellite communication base station may include the following two cases:
Case one: the result of verifying the authentication request information is fed back to the terminal;
Case two: to achieve bidirectional access authentication, the satellite communication base station feeds back access authentication response information to the terminal so that the terminal can authenticate the satellite communication base station, preventing an attacker from masquerading as a legitimate satellite communication base station to mount a network attack.
In case two, when the satellite communication base station finds the access authentication request information legitimate, it generates access authentication response information and feeds it back to the terminal. The access authentication response information at least comprises a response value, generated from a second timestamp and a third random number produced by the satellite communication base station together with the parameters in the decrypted authentication request information, and the terminal verifies the received access authentication response information.
In this embodiment, after the terminal has successfully registered with the security management and control center, when it needs to access the satellite network it generates access authentication request information and sends it to the satellite communication base station, which verifies the access authentication request information. The access authentication request information at least includes anonymous identity information, a first token parameter and a second token verification parameter, where the anonymous identity information and the first token parameter are generated from the real identity of the terminal, and the second token verification parameter is generated from the second token parameter and the related access authentication information. The satellite communication base station verifies the access authentication request information using the preset relationship between the second token verification parameter and the first token parameter. In this embodiment the access authentication is therefore moved forward, that is, performed by the satellite communication base station, and since the distance between the terminal and the satellite communication base station is relatively short, the authentication transmission delay is effectively reduced and access authentication performance is improved.
Example 3
After the terminal and the satellite network base station perform bidirectional access authentication, if the authentication is passed, the terminal can prepare to access the satellite network, and in addition, the security management and control center needs to further verify and record the identity of the terminal so as to prevent illegal behaviors of legal terminals after the legal terminals access the satellite network. Specifically, referring to fig. 3, a schematic flow chart of a method for authenticating and verifying a satellite network terminal according to embodiment 3 of the present invention is shown, where in this embodiment, the method includes:
s301: the satellite communication base station generates authentication and verification information and sends the authentication and verification information to a safety control center through a satellite; the authentication check information at least includes: anonymous identity information, a first token parameter, a corresponding parameter generated by a first random number;
In this embodiment, the authentication check information generated by the satellite communication base station is used by the security management and control center to further verify the identity of the terminal; in this process the satellite and the security management and control center only need lightweight computation, as described in S302 and S303 below.
S302: the satellite detects the source and integrity of the received authentication and verification information, and sends the authentication and verification information carrying the satellite network identification to the safety control center under the condition that the source of the authentication and verification information is legal and the content is complete;
in this embodiment, the satellite may check the integrity of the received information in various ways, which is not limited in this embodiment.
Optionally, the integrity of the authentication check information may be checked by using a method of verifying a message signature, including:
determining a public key of the satellite communication base station according to the network identifier of the satellite communication base station;
and verifying the message signature sent by the satellite communication base station based on the public key of the satellite communication base station.
If the source of the authentication check information is legitimate and its content is complete, the satellite replaces the network identifier of the satellite communication base station in the authentication check information with its own network identifier. It also recomputes the message signature and replaces the message signature of the satellite communication base station with the satellite's, so the authentication check message sent to the security management and control center can be expressed as $\langle ID_{SAT}, X_{STB}, SIGN_{SAT} \rangle$, where $ID_{SAT}$ is the network identifier of the satellite, $X_{STB}$ is the encrypted authentication check parameter, and $SIGN_{SAT}$ is the signature the satellite computes with its private key over $ID_{SAT} \| X_{STB}$.
S303: the safety control center detects the source and integrity of the received authentication and verification information, verifies the identity of the terminal based on the authentication and verification information, and records the corresponding relation between the anonymous identity information and the real identity identification of the terminal under the condition that the identity verification of the terminal is passed.
In this embodiment, in order to prevent the terminal from making a fake to the identity, the identity of the terminal needs to be further verified, where the security management and control center may calculate the real identity identifier of the terminal according to the relevant parameters in the anonymous identity information and the authentication and verification information, specifically, S303 includes:
calculating the real identity identification of the terminal according to the anonymous identity information;
calculating a first token parameter based on the real identity of the terminal;
matching the first token parameters obtained by calculation of the security management and control center with the received first token parameters;
and if the first token parameter calculated by the security management and control center is matched with the received first token parameter, the identity verification of the terminal is passed.
In this embodiment, after further verifying the identity information of the terminal, the security management and control center stores the correspondence between the anonymous identity information and the real identity of the terminal, so as to prevent an illegal behavior of a legal terminal after accessing the satellite network.
In this embodiment, the identity of the terminal is further verified through the security management and control center, so that the problem of terminal identity counterfeiting is further avoided, and the corresponding relationship between the anonymous identity information and the real identity identifier is recorded, so that responsibility can be pursued when the terminal breaks rules.
Example 4:
referring to fig. 4, a flowchart of a method for terminal registration according to embodiment 4 of the present invention is shown, where in this embodiment, the method includes:
s401: if the terminal is in initial network access application, generating registration request information, and sending the registration request information to a security management and control center through a pre-established security channel and the security channel;
in this embodiment, the registration request information of the terminal includes related information representing a unique attribute of the terminal, and initial verification information that can verify whether the unique attribute information is true, including: terminal equipment number IDeAnd terminal check information info, the registration request information of the terminal is not limited to these two kinds of information.
In this embodiment, the channel through which the terminal sends the registration request information to the security management and control center may include multiple channels, for example: a satellite communication network, a ground communication network with sufficient security protection mechanism, or a manual registration channel of an offline entity security management and control center, etc.
S402: the security management and control center verifies the received registration request information and, if the verification passes, generates the real identity identifier, the first token parameter and the second token parameter of the terminal; the first token parameter is related to the real identity of the terminal, and the second token parameter is related to the first token parameter and the private key of the security management and control center.
In this embodiment, the security management and control center can verify the uniqueness and authenticity of the terminal from the registration request information. For example, where the registration request information consists of the terminal equipment number ID_e and the terminal check information info, the center checks ID_e against its records to determine whether this terminal equipment has already been registered and checks the authenticity of the terminal from info; verification passes when this is the terminal's first application and the check information is genuine.
In this embodiment, when the registration request information of the terminal passes verification by the security management and control center, the real identity identifier and the main authentication token parameters of the terminal are generated. The real identity identifier uniquely represents the identity of the terminal and is denoted UID; the main authentication token parameters comprise a first token parameter α and a second token parameter θ, where α is related to the real identity of the terminal and θ is related to α and the private key of the security management and control center.
In this embodiment, the real identity identifier UID of the terminal can be calculated in many ways, which this embodiment does not limit. To save computation, a hash operation is optionally used: for example, the registration request information reg (such as the terminal equipment serial number ID_e) and the private key SK_SMCC of the security management and control center are hashed together to obtain the real identity identifier of the terminal.
Optionally, in this embodiment, the first token parameter α is calculated as follows:
obtaining a pre-generated token common parameter K and the validity period LT of the token common parameter;
performing a hash operation on the real identity identifier UID, the token common parameter K and the validity period LT to obtain the first token parameter α.
The token common parameter K is generated from a first random number k produced by the security management and control center and is expressed as K = k · G, where G is a generator.
In this embodiment, the second token parameter θ is determined by the first token parameter, the private key of the security management and control center and the first random number k; specifically, θ is generated from these three values, for example as shown in formula 4) above.
S403: the security management and control center sends the second token parameter and the real identity identifier of the terminal to the terminal;
In this embodiment, as described above, the main token parameters generated by the security management and control center are the first token parameter α and the second token parameter θ; the center sends θ together with the real identity identifier UID of the terminal to the terminal.
In this embodiment, if the registration request information includes information indicating the identity of the terminal equipment, for example its factory number, the correspondence between the factory number and the real identity identifier is recorded so that later registration attempts can be checked for duplicates.
S404: the terminal verifies the second token parameter and its real identity identifier;
In this embodiment, after receiving the second token parameter θ and the real identity identifier UID sent by the security management and control center, the terminal calculates the first token parameter α from UID, for example by formula 3) above, where LT and K are taken from the broadcast information of the security management and control center.
In this embodiment, after receiving the real identity identifier and the second token parameter from the security management and control center, the terminal must verify them in order to establish the reliability of the message source.
Optionally, the terminal verifies the real identity identifier and the second token parameter using the preset relationship between the first token parameter and the second token parameter. In one implementation the verification proceeds as follows:
generating the first token parameter from the real identity identifier and the preset token parameters;
verifying the first token parameter and the second token parameter against the relationship between them;
if the verification passes, the received real identity identifier and token parameter are correct.
In this embodiment, the terminal can confirm the reliability and correctness of the message source once the received second token parameter and real identity identifier pass verification. The parameters of the authentication token are the validity period LT of the token common parameter, the token common parameter K, the first token parameter α and the second token parameter θ; for example, the authentication token may be denoted AUTH = {LT, K, α, θ}. The terminal stores the authentication token and the real identity identifier securely.
In this embodiment, the terminal sends registration request information to the security management and control center through the secure channel; the center generates the first token parameter, the second token parameter and the real identity identifier of the terminal and sends the second token parameter and the real identity identifier to the terminal. When the terminal later needs to access the satellite network, it can calculate the access authentication request parameters from the token parameters and the real identity identifier.
Example 5
Referring to fig. 5, a schematic structural diagram of a secure access authentication apparatus for a satellite network terminal according to embodiment 5 of the present invention is shown; in this embodiment the apparatus is applied to a satellite network system, which includes:
a terminal, a satellite base station, a satellite and a security management and control center;
the apparatus comprises:
an access authentication request generating unit 501, configured to generate access authentication request information and send it to the satellite communication base station when a terminal that has successfully registered with the security management and control center needs to access the satellite network; the access authentication request information at least includes anonymous identity information, a first token parameter and a second token verification parameter, where the anonymous identity information and the first token parameter are generated from the real identity identifier of the terminal and the second token verification parameter is generated from the second token parameter and the related access authentication parameters;
an access authentication request verification unit 502, configured to verify the access authentication request information, after the satellite communication base station receives it, on the basis of the preset relationship between the second token verification parameter and the first token parameter;
an access authentication response generating unit 503, configured to calculate access authentication response information and feed it back to the corresponding terminal if the satellite communication base station verifies the access authentication request information;
and an access authentication response verification unit 504, configured to verify, after the terminal receives the access authentication response information of the satellite communication base station, the validity and integrity of the message source by checking the response value, thereby completing the bidirectional authentication.
Optionally, the apparatus further includes:
a registration request generating unit, configured to generate registration request information if the terminal is applying for network access for the first time and to send it to the security management and control center through a pre-established secure channel;
a registration request verification unit, configured to verify the registration request information after the security management and control center receives it;
a registration response generating unit, configured to generate the real identity identifier, the first token parameter and the second token parameter of the terminal if the registration request passes verification, and to send registration response information containing the second token parameter and the real identity identifier to the terminal through the secure channel; the first token parameter is related to the real identity of the terminal, and the second token parameter is related to the first token parameter and the private key of the security management and control center;
a registration response verification unit, configured to verify the second token parameter and the real identity identifier after the terminal receives them;
and a first storage unit, configured to store the real identity identifier, the first token parameter and the second token parameter if the terminal's verification of the relationship between the first and second token parameters passes.
Optionally, the registration response generating unit includes:
a first hash operation subunit, configured to perform a hash operation on the registration request information and the private key of the security management and control center to obtain the real identity identifier of the terminal;
the acquisition subunit is used for acquiring the pre-generated token common parameter and the validity period of the token common parameter;
the second hash operation subunit is used for performing hash operation on the real identity identifier, the token public parameter and the validity period of the token public parameter to obtain a first token parameter;
and the second generation subunit is used for generating a second token parameter based on the first token parameter and a private key of the security management and control center.
Optionally, the registration response verifying unit includes:
the first generation subunit is used for generating a first token parameter based on the real identity identifier of the terminal, the token public parameter and the validity period of the token public parameter;
and the detection subunit is used for detecting whether the first token parameter and the second token parameter meet the preset relationship between the first token parameter and the second token parameter.
Optionally, the apparatus further includes:
an authentication response verification unit, configured to verify the access authentication response information after the terminal receives it and, if it passes verification, to prepare the terminal for access to the satellite network; the access authentication response information at least includes a response value generated from the second token verification parameter, the first token parameter and the anonymous identity information.
Optionally, the apparatus further includes:
an authentication check information generating unit, configured to generate authentication check information and send it to the satellite if the satellite base station verifies the access authentication request information; the authentication check information at least includes the anonymous identity information and the first token parameter;
an authentication check information verification unit, configured to check the source and integrity of the authentication check information after the satellite receives it and, if the source is reliable and the content complete, to send the authentication check information together with the satellite network identifier to the security management and control center;
and an identity check unit, configured to check the identity of the terminal on the basis of the authentication check information after the security management and control center receives it with the satellite network identifier, and to record the correspondence between the anonymous identity information and the real identity identifier of the terminal if the identity check passes.
Optionally, the apparatus further includes:
an authentication check exception response unit, configured so that, if the identity check of the terminal fails, the security management and control center calculates and sends authentication check exception response information and revokes the access right of the corresponding terminal.
With the apparatus of this embodiment, a terminal that has successfully registered with the security management and control center generates access authentication request information when it needs to access the satellite network and sends it to the satellite communication base station, which verifies it. The access authentication request information at least includes anonymous identity information, a first token parameter and a second token verification parameter, where the anonymous identity information and the first token parameter are generated from the real identity identifier of the terminal and the second token verification parameter is generated from the second token parameter and the related access authentication parameters. Access authentication is thereby moved forward to the satellite communication base station, and because the transmission distance between the terminal and the satellite communication base station is comparatively short, authentication transmission delay is reduced and access authentication performance is improved.
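The registration exchange of embodiment 4 (S401 to S404) and the base-station check of embodiment 5 (units 501 to 504, plus the center-side identity check) in working code. This is an example added by the editor, not code from the patent or its applicant. Formulas 3) and 4) referenced above are not reproduced on this page, so the concrete algebra is assumed: the group is secp256k1 with generator G, the hash is SHA-256 reduced modulo the group order, the second token parameter is θ = k + α·SK_SMCC mod n (a Schnorr response, with a fresh k per issued token), and the second token verification parameter is a Schnorr proof that the terminal knows θ, which the satellite communication base station checks against K, α and the center's public key alone, without learning UID or θ. The device table used for the check information and the identifiers TERM-0001 and chk-7f3a are constructed.

```python
# Added example (editor's code, not the patent's). ASSUMED: secp256k1 with generator G,
# SHA-256 as the hash, theta = k + alpha*SK mod n with a fresh k per token (formula 4)
# is not on this page), and a Schnorr proof of knowing theta as the verification parameter.
import hashlib
import secrets

P = 2**256 - 2**32 - 977                      # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None:
        return a if b is None else b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    r = None
    while k:
        if k & 1:
            r = ec_add(r, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return r

def H(*parts):
    """SHA-256 over length-prefixed parts (points as x||y), reduced mod N."""
    m = hashlib.sha256()
    for p in parts:
        if isinstance(p, tuple):
            p = p[0].to_bytes(32, "big") + p[1].to_bytes(32, "big")
        elif isinstance(p, int):
            p = p.to_bytes(32, "big")
        elif isinstance(p, str):
            p = p.encode()
        m.update(len(p).to_bytes(2, "big") + p)
    return int.from_bytes(m.digest(), "big") % N

class SMCC:
    """Security management and control center: verifies registrations, issues tokens."""

    def __init__(self, known_devices):
        self.sk = secrets.randbelow(N - 1) + 1
        self.pk = ec_mul(self.sk, G)
        self.known = known_devices   # ID_e -> expected check info (constructed table)
        self.registered = {}         # ID_e -> UID, used for the duplicate check (S402)
        self.alpha_to_uid = {}       # alpha -> UID, used by the authentication check
        self.anon_to_uid = {}        # anonymous identity -> UID, kept for accountability

    def register(self, id_e, info, lt):
        """S402/S403: returns (UID, LT, K, theta), or None if the request is rejected."""
        if self.known.get(id_e) != info or id_e in self.registered:
            return None
        uid = H("UID", id_e, info, self.sk)          # Hash(reg || SK_SMCC)
        k = secrets.randbelow(N - 1) + 1             # first random number; reusing one k
        K = ec_mul(k, G)                             # across tokens would expose sk
        alpha = H("ALPHA", uid, K, lt)               # Hash(UID || K || LT), formula 3)
        theta = (k + alpha * self.sk) % N            # ASSUMED formula 4)
        self.registered[id_e] = uid
        self.alpha_to_uid[alpha] = uid
        return uid, lt, K, theta

    def check(self, aid, alpha):
        """Authentication check: link alpha to an issued token and record AID -> UID."""
        uid = self.alpha_to_uid.get(alpha)
        if uid is not None:
            self.anon_to_uid[aid] = uid
        return uid is not None

def terminal_verify(uid, lt, K, theta, pk):
    """S404: recompute alpha; accept only if theta*G == K + alpha*PK. Returns AUTH or None."""
    alpha = H("ALPHA", uid, K, lt)
    if ec_mul(theta, G) != ec_add(K, ec_mul(alpha, pk)):
        return None
    return {"LT": lt, "K": K, "alpha": alpha, "theta": theta}   # AUTH = {LT, K, alpha, theta}

def build_access_request(uid, auth, ts):
    """Terminal: anonymous identity, alpha and proof s of knowing theta (theta is not sent)."""
    r = secrets.randbelow(N - 1) + 1
    R = ec_mul(r, G)
    aid = H("AID", uid, ts, r)                       # anonymous identity, fresh per request
    c = H("C", aid, auth["alpha"], R, ts)
    s = (r + c * auth["theta"]) % N                  # second token verification parameter
    return {"AID": aid, "alpha": auth["alpha"], "LT": auth["LT"], "K": auth["K"],
            "R": R, "s": s, "ts": ts}

def base_station_verify(req, pk, now):
    """Base station: needs only the center's PK; rejects expired tokens and forged proofs."""
    if now > req["LT"]:
        return False
    c = H("C", req["AID"], req["alpha"], req["R"], req["ts"])
    theta_g = ec_add(req["K"], ec_mul(req["alpha"], pk))   # theta*G implied by the token
    return ec_mul(req["s"], G) == ec_add(req["R"], ec_mul(c, theta_g))
```

Run the steps in order: SMCC.register, terminal_verify, build_access_request, base_station_verify, then SMCC.check to record the anonymous identity against the UID. The base station learns α (a pseudonym fixed for the token lifetime) but neither UID nor θ; a re-registration of a known ID_e, wrong check information, a tampered θ, an expired LT and a forged s are all rejected.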
Example 6
Referring to fig. 6, a schematic structural diagram of a satellite network system according to an embodiment of the present invention is shown, in this embodiment, the system includes:
a terminal 601, a satellite base station 602, a satellite 603 and a security management and control center 604;
the terminal is configured to generate access authentication request information when it needs to access the satellite network after successfully registering with the security management and control center, and to send it to the satellite communication base station; the access authentication request information at least includes anonymous identity information, a first token parameter and a second token verification parameter, where the anonymous identity information and the first token parameter are generated from the real identity identifier of the terminal and the second token verification parameter is generated from the second token parameter and the related access authentication parameters;
the satellite communication base station is configured to verify the access authentication request information on the basis of the preset relationship between the second token verification parameter and the first token parameter, and to feed access authentication response information back to the terminal if the verification passes;
the satellite is configured, after the terminal has passed the initial access authentication at the satellite base station, to check the source and integrity of the authentication check information sent by the satellite base station and to forward it to the security management and control center if the check passes;
the security management and control center is configured to assign network identifiers and issue digital certificates and other identity authentication information to network nodes such as the satellite and the satellite communication base station when the system is initialized, to pre-configure and distribute the system parameters, and to assign a network-wide unique real identity identifier and the main authentication token parameters to a terminal when it first applies for network access.
In addition, the satellite network system is further configured to execute the satellite network terminal secure access authentication methods of embodiments 1 to 4, which are not described again in this embodiment.
It should be noted that, in the present specification, the embodiments are all described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A security access authentication method for a satellite network terminal is applied to a satellite network system, and the satellite network system comprises:
a terminal, a satellite base station, a satellite and a security management and control center;
after the terminal successfully registers in the security management and control center, if the satellite network needs to be accessed, access authentication request information is generated and sent to the satellite communication base station; the access authentication request information at least includes: anonymous identity information, a first token parameter and a second token verification parameter, wherein the anonymous identity information and the first token parameter are generated according to a real identity of the terminal, and the second token verification parameter is generated according to the second token parameter and a related authentication request parameter;
the satellite communication base station verifies the authentication request information based on the relation between a preset second token verification parameter and a first token parameter;
and if the authentication request information is verified by the satellite communication base station, feeding back access authentication response information to the terminal.
2. The method of claim 1, further comprising:
if the terminal is in initial network access application, generating registration request information, and sending the registration request information to a security management and control center through a pre-established security channel;
the security management and control center verifies the received registration request information and generates a real identity identifier, a first token parameter and a second token parameter of the terminal under the condition that the verification is passed; the second token parameter is related to a private key of a security control center and a first token parameter, and the first token parameter is related to a terminal real identity;
the security management and control center sends registration response information containing the second token parameter and the real identity of the terminal to the terminal through the security channel;
and the terminal calculates a first token parameter and a second token parameter according to the received real identity identifier in the registration response information, verifies the relation between the first token parameter and the second token parameter, and stores the real identity identifier, the first token parameter and the second token parameter.
3. The method of claim 1, wherein the satellite communication base station verifying the authentication request information based on the relationship between a preset second token verification parameter and a preset first token parameter comprises:
generating a second token checking parameter based on the second token parameter and the related authentication request parameter;
and detecting whether the first token parameter, the second token verification parameter and the related authentication request parameter meet the preset relationship between the first token parameter and the second token verification parameter.
4. The method of claim 2, wherein generating the true identity of the terminal and the second token parameter comprises:
performing hash operation on the registration request information and a private key of a security control center to obtain a real identity of the terminal;
obtaining a pre-generated token public parameter and an effective period of the token public parameter;
performing hash operation on the real identity identifier, the token public parameter and the valid period of the token public parameter to obtain a first token parameter;
and generating a second token parameter based on the first token parameter and a private key of a security management and control center.
5. The method of claim 1, further comprising:
after receiving the access authentication response information of the satellite communication base station, the terminal verifies the access authentication response information, and if the access authentication response information passes the verification, the terminal prepares to access the satellite network; the access authentication response information includes at least a response value generated based on the second token verification parameter, the first token parameter, and the anonymous identity information.
6. The method of claim 1, further comprising:
the satellite communication base station generates authentication check information and sends it to the satellite; the authentication check information at least includes: anonymous identity information and a first token parameter;
the satellite checks the source and integrity of the received authentication check information and, if the check passes, sends the authentication check information carrying the satellite network identifier to the security management and control center;
and the security management and control center checks the identity of the terminal based on the authentication check information and, if the identity check of the terminal passes, records the correspondence between the anonymous identity information and the real identity identifier of the terminal.
7. The method of claim 6, further comprising:
if the identity check of the terminal fails, the security management and control center sends authentication check exception response information and revokes the access right of the corresponding terminal.
8. The security access authentication device for the satellite network terminal is applied to a satellite network system, and the satellite network system comprises:
a terminal, a satellite base station, a satellite and a security management and control center;
the device comprises:
the authentication request generating unit is used for generating access authentication request information and sending the authentication request information to the satellite network if the satellite network is required to be accessed after the terminal is successfully registered in the security management and control center; the authentication request information includes at least: anonymous identity information, a first token parameter and a second token verification parameter, wherein the anonymous identity information and the first token parameter are generated according to a real identity of the terminal, and the second token verification parameter is generated according to the second token parameter and a related authentication request parameter;
the first verification unit is used for verifying the authentication request information based on the relation between a preset second token verification parameter and a first token parameter after the satellite communication base station receives the authentication request information;
and the feedback unit is used for calculating authentication response information and feeding back the authentication response information to the terminal if the authentication request information is verified by the satellite communication base station.
9. The apparatus of claim 8, further comprising:
a registration request information generating unit, configured to generate registration request information if the terminal is applying for network access for the first time and to send it to the security management and control center;
a registration request information verification unit, configured for the security management and control center to verify the received registration request information and, if the verification passes, to generate the real identity identifier, the first token parameter and the second token parameter of the terminal; the first token parameter is related to the real identity of the terminal; the second token parameter is related to the private key of the security management and control center and the first token parameter;
a sending unit, configured for the security management and control center to send the second token parameter and the real identity identifier of the terminal to the terminal;
and the registration response information verification unit is used for verifying the second token parameter and the real identity of the terminal by the terminal.
10. A satellite network system, comprising:
a terminal, a satellite base station, a satellite and a security management and control center;
the terminal is used for generating access authentication request information if a satellite network needs to be accessed after the terminal is successfully registered in the security management and control center, and sending the access authentication request information to the satellite communication base station; the access authentication request information at least includes: anonymous identity information, a first token parameter and a second token verification parameter, wherein the anonymous identity information and the first token parameter are generated according to a real identity of the terminal, and the second token verification parameter is generated according to the second token parameter and related access authentication information;
the satellite communication base station is used for verifying the authentication request information based on the relation between a preset second token verification parameter and a first token parameter, and feeding authentication response information back to the terminal if the authentication request information is verified;
the satellite is used for carrying out source and integrity verification on the authentication verification information sent by the satellite base station after the terminal passes the initial access authentication of the satellite base station, and forwarding the authentication verification information to the security management and control center if the verification is passed;
the security management and control center is configured to configure identity-authentication-related information for each network node in the satellite network system when the system is initialized, to pre-configure the system parameters and distribute them to each network node in the satellite network system, and to configure a unique real identity identifier, a first token parameter and a second token parameter for the terminal when the terminal applies for network access for the first time.
CN202111323181.8A 2021-11-10 2021-11-10 Satellite network terminal security access authentication method, device and system Active CN113783703B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111323181.8A CN113783703B (en) 2021-11-10 2021-11-10 Satellite network terminal security access authentication method, device and system

Publications (2)

Publication Number Publication Date
CN113783703A true CN113783703A (en) 2021-12-10
CN113783703B CN113783703B (en) 2022-02-25

Family

ID=78873628

Country Status (1)

Country Link
CN (1) CN113783703B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114051241A (en) * 2022-01-13 2022-02-15 中移(上海)信息通信科技有限公司 Communication processing method and device
CN114095930A (en) * 2022-01-21 2022-02-25 清华大学 Satellite network user violation processing method combined with access authentication and related equipment
CN114641033A (en) * 2022-05-09 2022-06-17 上海大汉三通通信股份有限公司 5G message push speed control method, device, equipment and medium
CN114866258A (en) * 2022-05-16 2022-08-05 卡奥斯工业智能研究院(青岛)有限公司 Method and device for establishing access relationship, electronic equipment and storage medium
WO2023077706A1 (en) * 2022-02-15 2023-05-11 之江实验室 Spatial-temporal characteristic fused dual-stage secure access authentication method in satellite-ground communication
CN117060976A (en) * 2023-08-22 2023-11-14 元心信息科技集团有限公司 Satellite communication method, satellite communication system, electronic device, storage medium, and program product

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105827304A (en) * 2016-03-21 2016-08-03 南京邮电大学 Gateway station-based satellite network anonymous authentication method
EP3349044A1 (en) * 2017-01-11 2018-07-18 The European Union, represented by the European Commission Method and system for radionavigation authentication
CN109039436A (en) * 2018-10-23 2018-12-18 中国科学院信息工程研究所 A kind of method and system of safety satellite access authentication
CN112332901A (en) * 2020-09-29 2021-02-05 北京邮电大学 Heaven and earth integrated mobile access authentication method and device
CN113079016A (en) * 2021-03-23 2021-07-06 中国人民解放军国防科技大学 Identity-based authentication method facing space-based network

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Zhang Zhaolei et al.: "Research on improving the user identity authentication mechanism in satellite IP networks", 《通信技术》 *
Zhang Xiaoliang et al.: "An end-to-end authentication protocol suitable for satellite communication networks", 《计算机研究与发展》 *
Xue Kaiping et al.: "A token-based secure and efficient roaming authentication scheme for space-ground integrated networks", 《通信学报》 *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114051241A (en) * 2022-01-13 2022-02-15 中移(上海)信息通信科技有限公司 Communication processing method and device
CN114051241B (en) * 2022-01-13 2022-05-03 中移(上海)信息通信科技有限公司 Communication processing method and device
WO2023134281A1 (en) * 2022-01-13 2023-07-20 中移(上海)信息通信科技有限公司 Communication processing method and apparatus, terminal, storage medium, and computer program product
CN114095930A (en) * 2022-01-21 2022-02-25 清华大学 Satellite network user violation processing method combined with access authentication and related equipment
CN114095930B (en) * 2022-01-21 2022-04-26 清华大学 Satellite network user violation processing method combined with access authentication and related equipment
WO2023077706A1 (en) * 2022-02-15 2023-05-11 之江实验室 Spatial-temporal characteristic fused dual-stage secure access authentication method in satellite-ground communication
CN114641033A (en) * 2022-05-09 2022-06-17 上海大汉三通通信股份有限公司 5G message push speed control method, device, equipment and medium
CN114866258A (en) * 2022-05-16 2022-08-05 卡奥斯工业智能研究院(青岛)有限公司 Method and device for establishing access relationship, electronic equipment and storage medium
CN117060976A (en) * 2023-08-22 2023-11-14 元心信息科技集团有限公司 Satellite communication method, satellite communication system, electronic device, storage medium, and program product
CN117060976B (en) * 2023-08-22 2024-04-12 元心信息科技集团有限公司 Satellite communication method, satellite communication system, electronic device, storage medium, and program product

Also Published As

Publication number Publication date
CN113783703B (en) 2022-02-25

Similar Documents

Publication Publication Date Title
CN113783703B (en) Satellite network terminal security access authentication method, device and system
CN109462836B (en) Internet of vehicles malicious node detection system and method fusing block chain consensus mechanism
US11128477B2 (en) Electronic certification system
Garg et al. An efficient blockchain-based hierarchical authentication mechanism for energy trading in V2G environment
JP5099568B2 (en) Method and system for mutual authentication of entities based on a trusted third party
KR101571225B1 (en) Method and device for anonymous entity identification
Palaniswamy et al. An efficient authentication scheme for intra-vehicular controller area network
US9184917B2 (en) Method and system for registering a DRM client
US10637818B2 (en) System and method for resetting passwords on electronic devices
KR101570656B1 (en) Method and system for identifying anonymous entity
US11600129B2 (en) Electronic voting system and method based on homogeneous cryptography
CN111163109B (en) Block chain center-removing type node anti-counterfeiting method
US20210167963A1 (en) Decentralised Authentication
CN113609213B (en) Method, system, device and storage medium for synchronizing device keys
CN114938280A (en) Authentication method and system based on non-interactive zero-knowledge proof and intelligent contract
CN110752934B (en) Method for network identity interactive authentication under topological structure
CN113872986B (en) Power distribution terminal authentication method and device and computer equipment
CN113343204B (en) Digital identity management system and method based on block chain
CN113886781B (en) Multi-authentication encryption method, system, electronic device and medium based on block chain
CN114050930B (en) Data communication authentication method and system based on industrial Internet cloud computing
CN116743382B (en) Electronic voting method, trust center terminal, voting terminal and readable storage medium
US20230308266A1 (en) Method and System for Onboarding an IOT Device
CN113079489B (en) Communication method of hovercar based on block chain, hovercar and medium
CN114154125A (en) Certificateless identity authentication scheme of blockchain under cloud computing environment
CN115514504A (en) Cross-alliance node authentication method and device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant