CN113923658B - APN-based self-adaptive terminal authentication method and system - Google Patents

APN-based self-adaptive terminal authentication method and system Download PDF

Info

Publication number
CN113923658B
CN113923658B CN202111159393.7A CN202111159393A CN113923658B CN 113923658 B CN113923658 B CN 113923658B CN 202111159393 A CN202111159393 A CN 202111159393A CN 113923658 B CN113923658 B CN 113923658B
Authority
CN
China
Prior art keywords
terminal
aka
encryption algorithm
apn
authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111159393.7A
Other languages
Chinese (zh)
Other versions
CN113923658A (en
Inventor
张松磊
贾强
陈爽
倪文书
刘刚
陈人楷
林昱
陈均
陈小倩
詹璇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Fujian Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Fujian Electric Power Co Ltd
Original Assignee
State Grid Fujian Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Fujian Electric Power Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Fujian Electric Power Co Ltd, Information and Telecommunication Branch of State Grid Fujian Electric Power Co Ltd filed Critical State Grid Fujian Electric Power Co Ltd
Priority to CN202111159393.7A priority Critical patent/CN113923658B/en
Publication of CN113923658A publication Critical patent/CN113923658A/en
Application granted granted Critical
Publication of CN113923658B publication Critical patent/CN113923658B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041Key generation or derivation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10Integrity
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00Reducing energy consumption in communication networks
    • Y02D30/70Reducing energy consumption in communication networks in wireless communication networks

Abstract

The invention relates to an APN-based self-adaptive terminal authentication method, which is based on APN self-adaptive selection of AKA core encryption algorithm Ek and bidirectional authentication. The invention can effectively enhance the flexibility of terminal authentication and expand the use scene after adopting the self-adaptive terminal authentication method.

Description

APN-based self-adaptive terminal authentication method and system
Technical Field
The invention relates to the field of self-adaptive terminal authentication, in particular to an APN-based self-adaptive terminal authentication method and system.
Background
Before the terminal accesses the wireless network, the SIM card unit in the terminal and the core network need to perform two-way authentication based on the cryptographic technology so as to ensure the legitimacy of the identities of the two parties. At present, an AES algorithm is adopted by a wireless public network 3G/4G/5G terminal of a domestic operator to realize the authentication flow. But has a large disadvantage in safety performance.
Under certain specific industry application scenes, a domestic security algorithm is needed to be adopted in certain private networks to realize security authentication of the terminal side and the network side, so that the isolation strength between virtual networks is enhanced, and the information security protection level of the system is improved.
Disclosure of Invention
In view of the above, an object of the present invention is to provide a method. The self-adaptive terminal authentication method based on the APN realizes self-adaptive AKA authentication, effectively improves service safety deployment efficiency, and saves service safety deployment cost.
In order to achieve the above purpose, the invention adopts the following technical scheme:
an adaptive terminal authentication method based on APN comprises the following steps:
step S1, an AKA core encryption algorithm Ek adopted by a terminal UE is anchored to a terminal signing APN;
step S2, the terminal UE encapsulates the preconfigured APN and the AKA core encryption algorithm Ek in NAS message and transmits the encapsulated APN and AKA core encryption algorithm Ek to the MME/AMF;
step S3, the MME/AMF encapsulates the APN and the suggested AKA core encryption algorithm Ek in Authentication message and transmits the encapsulated APN and the suggested AKA core encryption algorithm Ek to the HSS/UDM; HSS/UDM verifies APN and AKA core encryption algorithm Ek that the terminal reported based on signing information
Step S4, if signing APN and AKA core encryption algorithm are the same as the reported value of the terminal, HSS/UDM adopts AKA core encryption algorithm Ek suggested by UE to generate authentication vector Authentication Vector (AV), otherwise HSS/UDM ignores APN and AKA core encryption algorithm Ek reported by the terminal and uses AKA authentication flow defined by 3GPP standard;
step S5, the MME/AMF transmits the AV and the actually adopted AKA core encryption algorithm Ek to the MME/AMF through Authentication message, and the MME/AMF transmits the AV and the actually adopted AKA core encryption algorithm Ek to the terminal UE through NAS message information;
step S6, the terminal UE calculates f series functions based on an actually used AKA core encryption algorithm Ek, calculates XMAC and RES based on the f series functions, compares the XMAC with MAC carried by AV, and verifies the network legitimacy; and (3) sending the RES to the MME/AMF, and comparing the RES with the XRES carried by the AV by the MME/AMF to verify the validity of the terminal UE and finish the bidirectional authentication of the terminal UE and the network.
Further, the step S4 specifically includes:
step S41, HSS/UDM adopts terminal UE to suggest AKA core encryption algorithm Ek to generate f1, f2, f3, f4, f5, f5 series functions; wherein, OPc is derived from the user root key K and the operator personality OP, and the calculation mode is as follows: opc=op a, ek (OP), a representing an exclusive or operation, OP being specified by the operator and stored in the terminal UE; r1\r2\r3\r4\r5 is five fixed cyclic constants, c1..c5 is five fixed constants;
step S42, HSS/UDM uses f series function to generate authentication vector AV, AV is formed by RAND, XRES, CK, IK, AUTN in series connection, AUTN is formed by SQN A AK, AMF, MAC in series connection, wherein, message authentication code MAC is generated by f1 for terminal authentication network legal; the XRES is generated by f2 and is used for the legal network authentication terminal, and the encryption key CK is generated by f 3; the integrity protection key IK is generated by f 4; an anonymity key AK is generated by f5 for hiding the SQN information.
An adaptive terminal authentication system based on APN comprises a processor, a memory and a computer program stored on the memory, wherein the steps in the adaptive terminal authentication method are specifically executed when the processor executes the computer program.
Compared with the prior art, the invention has the following beneficial effects:
the invention can effectively enhance the flexibility of terminal authentication, expand the use field, realize self-adaptive AKA authentication, effectively improve the service safety deployment efficiency and save the service safety deployment cost.
Drawings
FIG. 1 is a message passing diagram of step S2 in an embodiment of the present invention;
FIG. 2 is a message passing diagram of step S3 in an embodiment of the present invention;
FIG. 3 is a schematic diagram of generating a series of functions based on an AKA kernel encryption algorithm Ek in an embodiment of the present invention;
FIG. 4 is a schematic diagram of generating an authentication vector using an f-series function in an embodiment of the present invention;
FIG. 5 is a message passing diagram of step S5 in an embodiment of the present invention;
FIG. 6 is a schematic diagram of authentication in an embodiment of the invention.
Detailed Description
The invention will be further described with reference to the accompanying drawings and examples.
In this embodiment, an adaptive terminal authentication method based on an APN is provided, which includes the following steps:
step S1, an AKA core encryption algorithm Ek adopted by a terminal UE is anchored to a terminal signing APN;
step S2, the terminal UE encapsulates the preconfigured APN and the AKA core encryption algorithm Ek in NAS message and transmits the encapsulated APN and AKA core encryption algorithm Ek to the MME/AMF;
step S3, the MME/AMF encapsulates the APN and the suggested AKA core encryption algorithm Ek in Authentication message and transmits the encapsulated APN and the suggested AKA core encryption algorithm Ek to the HSS/UDM; the HSS/UDM verifies APN and AKA core encryption algorithm Ek reported by the terminal based on the subscription information;
step S4, if signing APN and AKA core encryption algorithm are the same as the reported value of the terminal, HSS/UDM adopts AKA core encryption algorithm Ek suggested by UE to generate authentication vector Authentication Vector (AV), otherwise HSS/UDM ignores APN and AKA core encryption algorithm Ek reported by the terminal and uses AKA authentication flow defined by 3GPP standard;
in this embodiment, step S4 specifically includes:
in step S41, HSS/UDM adopts terminal UE to suggest AKA core encryption algorithm Ek (such as SM4 or SM 1) to generate f1, f2, f3, f4, f5, f5 series functions. Wherein, OPc is derived from the user root key K and the operator personality OP, and the calculation mode is as follows: opc=op a, ek (OP), a representing an exclusive or operation, OP being specified by the operator and stored in the terminal UE; r1\r2\r3\r4\r5 is five fixed cyclic constants, c1..c5 is five fixed constants.
In step S42, HSS/UDM uses f series function to generate authentication vector AV, AV is formed by concatenation of RAND, XRES, CK, IK, AUTN, AUTN is formed by concatenation of SQN A AK, AMF, MAC. Wherein, the message authentication code MAC (Message Authentication Code) is generated by f1 and is used for the terminal to authenticate the network legal; XRES (eXpected RESponse) is generated by f2 for the network to authenticate that the terminal is legitimate. The encryption key CK is generated by f 3; the integrity protection key IK is generated by f 4; an anonymity key AK is generated by f5 for hiding the SQN information.
Step S5, the MME/AMF transmits the AV and the actually adopted AKA core encryption algorithm Ek to the MME/AMF through Authentication message, and the MME/AMF transmits the AV and the actually adopted AKA core encryption algorithm Ek to the terminal UE through NAS message information;
step S6, the terminal UE calculates f series functions based on an actually used AKA core encryption algorithm Ek, calculates XMAC and RES based on the f series functions, compares the XMAC with MAC carried by AV, and verifies the network legitimacy; and (3) sending the RES to the MME/AMF, and comparing the RES with the XRES carried by the AV by the MME/AMF to verify the validity of the terminal UE and finish the bidirectional authentication of the terminal UE and the network.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the invention in any way, and any person skilled in the art may make modifications or alterations to the disclosed technical content to the equivalent embodiments. However, any simple modification, equivalent variation and variation of the above embodiments according to the technical substance of the present invention still fall within the protection scope of the technical solution of the present invention.

Claims (2)

1. An adaptive terminal authentication method based on APN is characterized by comprising the following steps:
step S1, an AKA core encryption algorithm Ek adopted by a terminal UE is anchored to a terminal signing APN;
step S2, the terminal UE encapsulates the preconfigured APN and the AKA core encryption algorithm Ek in NAS message and transmits the encapsulated APN and AKA core encryption algorithm Ek to the MME/AMF;
step S3, the MME/AMF encapsulates the APN and the suggested AKA core encryption algorithm Ek in Authentication message and transmits the encapsulated APN and the suggested AKA core encryption algorithm Ek to the HSS/UDM; HSS/UDM verifies APN and AKA core encryption algorithm Ek that the terminal reported based on signing information
Step S4, if signing APN and AKA core encryption algorithm are the same as the reported value of the terminal, HSS/UDM adopts AKA core encryption algorithm Ek suggested by UE to generate authentication vector Authentication Vector, otherwise HSS/UDM ignores APN and AKA core encryption algorithm Ek reported by the terminal and uses AKA authentication flow defined by 3GPP standard;
step S5, the MME/AMF transmits Authentication Vector and the actually adopted AKA core encryption algorithm Ek to the MME/AMF through Authentication message, and the MME/AMF transmits AV and the actually adopted AKA core encryption algorithm Ek to the terminal UE through NAS message information;
step S6, the terminal UE calculates f series functions based on an actually used AKA core encryption algorithm Ek, calculates XMAC and RES based on the f series functions, compares the XMAC with MAC carried by AV, and verifies the network legitimacy; the RES is sent to the MME/AMF, the MME/AMF compares the RES with the XRES carried by the AV, the legality of the terminal UE is verified, and the bidirectional authentication of the terminal UE and the network is completed;
the step S4 specifically includes:
step S41, HSS/UDM adopts terminal UE to suggest AKA core encryption algorithm Ek to generate f1, f2, f3, f4, f5, f5 series functions; wherein, OPc is derived from the user root key K and the operator personality OP, and the calculation mode is as follows: opc=op a, ek (OP), a representing an exclusive or operation, OP being specified by the operator and stored in the terminal UE; r1\r2\r3\r4\r5 is five fixed cyclic constants, c1..c5 is five fixed constants;
step S42, HSS/UDM uses f series function to generate authentication vector AV, AV is formed by RAND, XRES, CK, IK, AUTN in series connection, AUTN is formed by SQN A AK, AMF, MAC in series connection, wherein, message authentication code MAC is generated by f1 for terminal authentication network legal; the XRES is generated by f2 and is used for the legal network authentication terminal, and the encryption key CK is generated by f 3; the integrity protection key IK is generated by f 4; an anonymity key AK is generated by f5 for hiding the SQN information.
2. An APN-based adaptive terminal authentication system, comprising a processor, a memory and a computer program stored on the memory, wherein the processor, when executing the computer program, performs the steps of the adaptive terminal authentication method according to claim 1.
CN202111159393.7A 2021-09-30 2021-09-30 APN-based self-adaptive terminal authentication method and system Active CN113923658B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111159393.7A CN113923658B (en) 2021-09-30 2021-09-30 APN-based self-adaptive terminal authentication method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111159393.7A CN113923658B (en) 2021-09-30 2021-09-30 APN-based self-adaptive terminal authentication method and system

Publications (2)

Publication Number Publication Date
CN113923658A CN113923658A (en) 2022-01-11
CN113923658B true CN113923658B (en) 2023-06-23

Family

ID=79237412

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111159393.7A Active CN113923658B (en) 2021-09-30 2021-09-30 APN-based self-adaptive terminal authentication method and system

Country Status (1)

Country Link
CN (1) CN113923658B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104754581A (en) * 2015-03-24 2015-07-01 河海大学 Public key password system based LTE wireless network security certification system
CN107454045A (en) * 2016-06-01 2017-12-08 宇龙计算机通信科技(深圳)有限公司 A kind of method, apparatus and system of the certification of user's IMS registration

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2258126B9 (en) * 2008-04-02 2013-06-19 Nokia Siemens Networks OY Security for a non-3gpp access to an evolved packet system
GB2537377B (en) * 2015-04-13 2021-10-13 Vodafone Ip Licensing Ltd Security improvements in a cellular network

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104754581A (en) * 2015-03-24 2015-07-01 河海大学 Public key password system based LTE wireless network security certification system
CN107454045A (en) * 2016-06-01 2017-12-08 宇龙计算机通信科技(深圳)有限公司 A kind of method, apparatus and system of the certification of user's IMS registration

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
刘渊峰.电力系统视频监控网络安全接入协议研究.《中国优秀硕士学位论文全文数据库 工程科技Ⅱ辑》.2020,全文. *
周玮 ; 雒江涛 ; .IMS终端AKA认证过程的研究与实现.电视技术.2010,(第02期),全文. *

Also Published As

Publication number Publication date
CN113923658A (en) 2022-01-11

Similar Documents

Publication Publication Date Title
US10187202B2 (en) Key agreement for wireless communication
WO2020177768A1 (en) Network verification method, apparatus, and system
JP6492115B2 (en) Encryption key generation
US9088408B2 (en) Key agreement using a key derivation key
JP2011254512A5 (en)
CN102395130B (en) LTE authentication method
US20220046003A1 (en) Parameter sending method and apparatus
CN103476028B (en) The processing method and processing device of NAS message when NAS COUNT overturn
CN113395406A (en) Encryption authentication method and system based on power equipment fingerprints
CN113923658B (en) APN-based self-adaptive terminal authentication method and system
CN114363890A (en) Extended universal boot architecture authentication method, device and storage medium
CN108243416B (en) User equipment authentication method, mobile management entity and user equipment
WO2018126791A1 (en) Authentication method and device, and computer storage medium
CN113449286B (en) Method, system and equipment for safety check of S-NSSAI (S-NSSAI) sent by UE (user equipment)
CN112235799B (en) Network access authentication method and system for terminal equipment
CN112788596A (en) Method and system for generating security encryption information and method and system for authenticating 5G terminal
CN116846560A (en) Access authentication method and related equipment
CN117353928A (en) Authentication method, authentication system, UDM and terminal
CN108282780A (en) A kind of key transmission method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant