CN113923658B - APN-based self-adaptive terminal authentication method and system - Google Patents
- Publication number: CN113923658B
- Authority: CN (China)
- Prior art keywords: terminal, aka, encryption algorithm, apn, authentication
- Legal status: Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/041—Key generation or derivation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/10—Integrity
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/70—Reducing energy consumption in communication networks in wireless communication networks
Abstract
The invention relates to an APN-based adaptive terminal authentication method in which the AKA core encryption algorithm Ek is selected adaptively according to the APN and bidirectional authentication is performed. Adopting this adaptive terminal authentication method effectively enhances the flexibility of terminal authentication and expands its usage scenarios.
Description
Technical Field
The invention relates to the field of self-adaptive terminal authentication, in particular to an APN-based self-adaptive terminal authentication method and system.
Background
Before a terminal accesses the wireless network, the SIM card unit in the terminal and the core network must perform two-way authentication based on cryptographic techniques to ensure the legitimacy of both parties' identities. At present, the 3G/4G/5G public wireless network terminals of domestic operators use the AES algorithm to implement the authentication flow, which has a significant disadvantage in security performance.
In certain industry application scenarios, some private networks need to adopt a domestic security algorithm for security authentication between the terminal side and the network side, which strengthens the isolation between virtual networks and raises the information security protection level of the system.
Disclosure of Invention
In view of the above, an object of the present invention is to provide an APN-based adaptive terminal authentication method that realizes adaptive AKA authentication, effectively improves service security deployment efficiency, and saves service security deployment cost.
In order to achieve the above purpose, the invention adopts the following technical scheme:
An APN-based adaptive terminal authentication method comprises the following steps:
Step S1: the AKA core encryption algorithm Ek used by the terminal UE is anchored to the terminal's subscribed APN;
Step S2: the terminal UE encapsulates the preconfigured APN and the AKA core encryption algorithm Ek in a NAS message and sends it to the MME/AMF;
Step S3: the MME/AMF encapsulates the APN and the suggested AKA core encryption algorithm Ek in an Authentication message and sends it to the HSS/UDM; the HSS/UDM verifies the APN and the AKA core encryption algorithm Ek reported by the terminal against the subscription information;
Step S4: if the subscribed APN and AKA core encryption algorithm are the same as the values reported by the terminal, the HSS/UDM uses the AKA core encryption algorithm Ek suggested by the UE to generate the authentication vector (AV); otherwise the HSS/UDM ignores the APN and the AKA core encryption algorithm Ek reported by the terminal and uses the AKA authentication flow defined by the 3GPP standard;
Step S5: the MME/AMF transmits the AV and the actually adopted AKA core encryption algorithm Ek to the MME/AMF through an Authentication message, and the MME/AMF transmits the AV and the actually adopted AKA core encryption algorithm Ek to the terminal UE through a NAS message;
Step S6: the terminal UE computes the f-series functions based on the actually used AKA core encryption algorithm Ek, computes XMAC and RES from the f-series functions, and compares XMAC with the MAC carried in the AV to verify the legitimacy of the network; the RES is sent to the MME/AMF, which compares the RES with the XRES carried in the AV to verify the legitimacy of the terminal UE, completing the bidirectional authentication of the terminal UE and the network.
Further, the step S4 specifically includes:
Step S41: the HSS/UDM uses the AKA core encryption algorithm Ek suggested by the terminal UE to generate the f1, f2, f3, f4, f5, f5* series of functions, where OPc is derived from the user root key K and the operator-specific parameter OP as follows: OPc = OP ⊕ Ek(OP), where ⊕ denotes the exclusive-or operation and OP is specified by the operator and stored in the terminal UE; r1, r2, r3, r4, r5 are five fixed cyclic (rotation) constants, and c1..c5 are five fixed constants;
Step S42: the HSS/UDM uses the f-series functions to generate the authentication vector AV. The AV is the concatenation of RAND, XRES, CK, IK and AUTN, and AUTN is the concatenation of SQN ⊕ AK, AMF and MAC, where the message authentication code MAC is generated by f1 and is used by the terminal to verify that the network is legitimate; the XRES is generated by f2 and is used by the network to verify that the terminal is legitimate; the encryption key CK is generated by f3; the integrity protection key IK is generated by f4; and the anonymity key AK is generated by f5 and is used to hide the SQN information.
An adaptive terminal authentication system based on APN comprises a processor, a memory and a computer program stored on the memory, wherein the steps in the adaptive terminal authentication method are specifically executed when the processor executes the computer program.
Compared with the prior art, the invention has the following beneficial effects:
The invention effectively enhances the flexibility of terminal authentication, broadens its field of use, realizes adaptive AKA authentication, effectively improves service security deployment efficiency, and saves service security deployment cost.
Drawings
FIG. 1 is a message passing diagram of step S2 in an embodiment of the present invention;
FIG. 2 is a message passing diagram of step S3 in an embodiment of the present invention;
FIG. 3 is a schematic diagram of generating the f-series functions based on the AKA core encryption algorithm Ek in an embodiment of the present invention;
FIG. 4 is a schematic diagram of generating an authentication vector using an f-series function in an embodiment of the present invention;
FIG. 5 is a message passing diagram of step S5 in an embodiment of the present invention;
FIG. 6 is a schematic diagram of authentication in an embodiment of the invention.
Detailed Description
The invention will be further described with reference to the accompanying drawings and examples.
In this embodiment, an adaptive terminal authentication method based on an APN is provided, which includes the following steps:
Step S1: the AKA core encryption algorithm Ek used by the terminal UE is anchored to the terminal's subscribed APN;
Step S2: the terminal UE encapsulates the preconfigured APN and the AKA core encryption algorithm Ek in a NAS message and sends it to the MME/AMF;
Step S3: the MME/AMF encapsulates the APN and the suggested AKA core encryption algorithm Ek in an Authentication message and sends it to the HSS/UDM; the HSS/UDM verifies the APN and the AKA core encryption algorithm Ek reported by the terminal against the subscription information;
Step S4: if the subscribed APN and AKA core encryption algorithm are the same as the values reported by the terminal, the HSS/UDM uses the AKA core encryption algorithm Ek suggested by the UE to generate the authentication vector (AV); otherwise the HSS/UDM ignores the APN and the AKA core encryption algorithm Ek reported by the terminal and uses the AKA authentication flow defined by the 3GPP standard;
In this embodiment, step S4 specifically includes:
Step S41: the HSS/UDM uses the AKA core encryption algorithm Ek suggested by the terminal UE (such as SM4 or SM1) to generate the f1, f2, f3, f4, f5, f5* series of functions, where OPc is derived from the user root key K and the operator-specific parameter OP as follows: OPc = OP ⊕ Ek(OP), where ⊕ denotes the exclusive-or operation and OP is specified by the operator and stored in the terminal UE; r1, r2, r3, r4, r5 are five fixed cyclic (rotation) constants, and c1..c5 are five fixed constants.
Step S42: the HSS/UDM uses the f-series functions to generate the authentication vector AV. The AV is the concatenation of RAND, XRES, CK, IK and AUTN, and AUTN is the concatenation of SQN ⊕ AK, AMF and MAC. The message authentication code (MAC) is generated by f1 and is used by the terminal to verify that the network is legitimate; the expected response (XRES) is generated by f2 and is used by the network to verify that the terminal is legitimate. The encryption key CK is generated by f3; the integrity protection key IK is generated by f4; and the anonymity key AK is generated by f5 and is used to hide the SQN information.
Step S5: the MME/AMF transmits the AV and the actually adopted AKA core encryption algorithm Ek to the MME/AMF through an Authentication message, and the MME/AMF transmits the AV and the actually adopted AKA core encryption algorithm Ek to the terminal UE through a NAS message;
Step S6: the terminal UE computes the f-series functions based on the actually used AKA core encryption algorithm Ek, computes XMAC and RES from the f-series functions, and compares XMAC with the MAC carried in the AV to verify the legitimacy of the network; the RES is sent to the MME/AMF, which compares the RES with the XRES carried in the AV to verify the legitimacy of the terminal UE, completing the bidirectional authentication of the terminal UE and the network.
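The flow in steps S2 to S6 can be traced end to end in a short sketch. This is an added example, not code from the patent: it assumes the f functions follow the MILENAGE structure of 3GPP TS 35.206 (suggested by the r1..r5 and c1..c5 constants in S41), assumes the AV and the adopted algorithm originate at the HSS/UDM that generates them in S4, and replaces SM4 and AES with labelled HMAC-based stand-ins so that it runs on the Python standard library alone; all names and sample values are constructed.

```python
import hashlib, hmac, os

def standin_cipher(label):
    # ASSUMPTION: stand-in for a 128-bit block cipher Ek. The f functions only ever
    # encrypt, so a keyed PRF truncated to 16 bytes shows the data flow. Not real SM4/AES.
    return lambda k, block: hmac.new(k, label + block, hashlib.sha256).digest()[:16]

CIPHERS = {"SM4": standin_cipher(b"sm4"), "AES": standin_cipher(b"aes")}
DEFAULT_ALG = "AES"            # algorithm of the 3GPP-standard fallback flow
R = (64, 0, 32, 64, 96)        # r1..r5: rotation amounts in bits (MILENAGE values)
C = (0, 1, 2, 4, 8)            # c1..c5 as 128-bit integers (MILENAGE values)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def rot(block, r):             # cyclic left rotation of a 128-bit block
    n = int.from_bytes(block, "big")
    return (((n << r) | (n >> (128 - r))) & (2**128 - 1)).to_bytes(16, "big")

def f_functions(alg, k, op, rand, sqn, amf):
    ek = CIPHERS[alg]
    opc = xor(op, ek(k, op))                         # S41: OPc = OP xor Ek(OP)
    temp = ek(k, xor(rand, opc))
    def out(i, x):                                   # Ek(x xor c_i) xor OPc
        return xor(ek(k, xor(x, C[i].to_bytes(16, "big"))), opc)
    in1 = (sqn + amf) * 2                            # SQN || AMF || SQN || AMF
    out1 = out(0, xor(temp, rot(xor(in1, opc), R[0])))
    out2, out3, out4 = (out(i, rot(xor(temp, opc), R[i])) for i in (1, 2, 3))
    return {"MAC": out1[:8], "RES": out2[8:], "AK": out2[:6], "CK": out3, "IK": out4}

# Constructed subscriber record held by the HSS/UDM (sample values, not from the patent).
SUB = {"apn": "private.example", "alg": "SM4",
       "k": bytes.fromhex("00112233445566778899aabbccddeeff"), "op": bytes(range(16))}

def hss_generate_av(sub, reported_apn, suggested_alg, sqn, amf=b"\x80\x00"):
    # S3/S4: honour the suggestion only if BOTH values equal the subscription.
    # amf here is the 2-byte authentication management field, not the network function.
    ok = suggested_alg in CIPHERS and (reported_apn, suggested_alg) == (sub["apn"], sub["alg"])
    alg = suggested_alg if ok else DEFAULT_ALG
    rand = os.urandom(16)
    f = f_functions(alg, sub["k"], sub["op"], rand, sqn, amf)
    autn = xor(sqn, f["AK"]) + amf + f["MAC"]        # S42: AUTN = SQN xor AK || AMF || MAC
    return alg, {"RAND": rand, "XRES": f["RES"], "CK": f["CK"], "IK": f["IK"], "AUTN": autn}

def ue_authenticate(alg, k, op, rand, autn):
    # S6: recompute with the algorithm the network reports it actually used (S5).
    conc_sqn, amf, mac = autn[:6], autn[6:8], autn[8:]
    ak = f_functions(alg, k, op, rand, bytes(6), amf)["AK"]   # AK does not depend on SQN
    f = f_functions(alg, k, op, rand, xor(conc_sqn, ak), amf)
    # SQN freshness check omitted; an XMAC mismatch means the network is rejected.
    return f["RES"] if hmac.compare_digest(f["MAC"], mac) else None

def attach(reported_apn, suggested_alg, ue_alg=None):
    """Run S2..S6 once; ue_alg overrides the algorithm the UE computes with."""
    adopted, av = hss_generate_av(SUB, reported_apn, suggested_alg,
                                  sqn=bytes.fromhex("000000000021"))
    res = ue_authenticate(ue_alg or adopted, SUB["k"], SUB["op"], av["RAND"], av["AUTN"])
    return adopted, res is not None and hmac.compare_digest(res, av["XRES"])

if __name__ == "__main__":
    print(attach("private.example", "SM4"))          # subscription matches
    print(attach("internet", "SM4"))                 # APN mismatch: fallback
    print(attach("internet", "SM4", ue_alg="SM4"))   # UE ignores the S5 indicator
```

The third call shows why S5 carries the actually adopted algorithm: after a fallback, a UE that computes with its own suggestion fails the XMAC comparison and mutual authentication does not complete.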
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above is only a preferred embodiment of the present invention and does not limit the invention in any way; any person skilled in the art may modify or alter the disclosed technical content into equivalent embodiments. However, any simple modification, equivalent change or variation of the above embodiments made according to the technical substance of the present invention still falls within the protection scope of the technical solution of the present invention.
Claims (2)
1. An adaptive terminal authentication method based on APN is characterized by comprising the following steps:
Step S1: the AKA core encryption algorithm Ek used by the terminal UE is anchored to the terminal's subscribed APN;
Step S2: the terminal UE encapsulates the preconfigured APN and the AKA core encryption algorithm Ek in a NAS message and sends it to the MME/AMF;
Step S3: the MME/AMF encapsulates the APN and the suggested AKA core encryption algorithm Ek in an Authentication message and sends it to the HSS/UDM; the HSS/UDM verifies the APN and the AKA core encryption algorithm Ek reported by the terminal against the subscription information;
Step S4: if the subscribed APN and AKA core encryption algorithm are the same as the values reported by the terminal, the HSS/UDM uses the AKA core encryption algorithm Ek suggested by the UE to generate the authentication vector (AV); otherwise the HSS/UDM ignores the APN and the AKA core encryption algorithm Ek reported by the terminal and uses the AKA authentication flow defined by the 3GPP standard;
Step S5: the MME/AMF transmits the AV and the actually adopted AKA core encryption algorithm Ek to the MME/AMF through an Authentication message, and the MME/AMF transmits the AV and the actually adopted AKA core encryption algorithm Ek to the terminal UE through a NAS message;
Step S6: the terminal UE computes the f-series functions based on the actually used AKA core encryption algorithm Ek, computes XMAC and RES from the f-series functions, and compares XMAC with the MAC carried in the AV to verify the legitimacy of the network; the RES is sent to the MME/AMF, which compares the RES with the XRES carried in the AV to verify the legitimacy of the terminal UE, completing the bidirectional authentication of the terminal UE and the network;
wherein step S4 specifically includes:
Step S41: the HSS/UDM uses the AKA core encryption algorithm Ek suggested by the terminal UE to generate the f1, f2, f3, f4, f5, f5* series of functions, where OPc is derived from the user root key K and the operator-specific parameter OP as follows: OPc = OP ⊕ Ek(OP), where ⊕ denotes the exclusive-or operation and OP is specified by the operator and stored in the terminal UE; r1, r2, r3, r4, r5 are five fixed cyclic (rotation) constants, and c1..c5 are five fixed constants;
Step S42: the HSS/UDM uses the f-series functions to generate the authentication vector AV. The AV is the concatenation of RAND, XRES, CK, IK and AUTN, and AUTN is the concatenation of SQN ⊕ AK, AMF and MAC, where the message authentication code MAC is generated by f1 and is used by the terminal to verify that the network is legitimate; the XRES is generated by f2 and is used by the network to verify that the terminal is legitimate; the encryption key CK is generated by f3; the integrity protection key IK is generated by f4; and the anonymity key AK is generated by f5 and is used to hide the SQN information.
2. An APN-based adaptive terminal authentication system, comprising a processor, a memory and a computer program stored on the memory, wherein the processor, when executing the computer program, performs the steps of the adaptive terminal authentication method according to claim 1.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111159393.7A | 2021-09-30 | 2021-09-30 | APN-based self-adaptive terminal authentication method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113923658A | 2022-01-11 |
CN113923658B | 2023-06-23 |
Family
ID=79237412
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||