CN114079921B - Session key generation method, anchor point function network element and system - Google Patents

Info

Publication number: CN114079921B
Application number: CN202010772565.7A
Authority: CN (China)
Language: Chinese (zh)
Other versions: CN114079921A
Legal status: Active
Prior art keywords: terminal, network element, information, authentication, anchor point
Inventors: 郭茂文, 张�荣, 黎艳, 卢燕青, 郭建昌
Current assignee: China Telecom Corp Ltd
Original assignee: China Telecom Corp Ltd

Events
Application filed by China Telecom Corp Ltd
Priority to CN202010772565.7A
Publication of CN114079921A
Application granted
Publication of CN114079921B
Active legal status
Anticipated expiration

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The disclosure relates to a method for generating a session key, an anchor point function network element, and a system, in the field of communication technology. The anchor point function network element receives a trusted authentication and key request from the application function network element, the request containing: first encryption information of the terminal's digital identity information, the K_AKMA ID, and the identification of the application function network element. The anchor point function network element performs digital identity verification of the terminal using the first encryption information. If that verification succeeds, it sends an identity verification indication to the terminal containing second encryption information of the terminal's digital identity information. The anchor point function network element then receives the identity verification result returned by the terminal and, if the result indicates success, generates the initial session key K_AF from the K_AKMA ID and sends it to the application function network element.

Description

Session key generation method, anchor point function network element and system
Technical Field
The present disclosure relates to the field of communications technology, and in particular to a method for generating a session key, an anchor point function network element, and a system.
Background
In a 5G network, the AKA (Authentication and Key Agreement) procedure run between a mobile terminal and the mobile network can be reused to provide an initial shared session key to an application client and an application function network element; this mechanism is called AKMA (Authentication and Key Management for Applications) and is intended to secure the communication between the client and the application function network element. The basic idea is to build on the mutual authentication (EAP-AKA' or 5G-AKA) and the hierarchical key derivation performed when the UE registers with the 5G access network, and to derive an application-specific initial session key K_AF on both the terminal side and the mobile network side through key negotiation and a key derivation algorithm. The initial session key K_AF is then used to encrypt the session between the terminal and the application function network element, securing that session.
Disclosure of Invention
The inventors found that 5G AKMA can secure the communication between the terminal and the application function network element. However, if the user who initiates AKMA, that is, the user of the application, is not a legitimate user, the security of that communication is undermined, and the information of the genuinely legitimate user is exposed to risks such as loss of virtual assets.
One technical problem addressed by the present disclosure is: how to improve the security of the session between the terminal and the application function network element.
According to some embodiments of the present disclosure, a method for generating a session key is provided, including: the anchor point function network element receives a trusted authentication and key request sent by the application function network element, the request containing first encryption information of the terminal's digital identity information, the K_AKMA ID, and the identification of the application function network element, where the first encryption information and the K_AKMA ID are obtained from the terminal and the K_AKMA ID identifies the key shared between the terminal and the anchor point function network element; the anchor point function network element performs digital identity verification of the terminal according to the first encryption information; if that verification succeeds, the anchor point function network element sends an identity verification indication to the terminal containing second encryption information of the terminal's digital identity information; the anchor point function network element receives an identity verification result returned by the terminal, this result being the outcome of comparing the user's identity verification information stored by the terminal with the identity verification information input by the user, where the stored information is selected according to the second encryption information; and, if the identity verification result indicates success, the anchor point function network element generates the initial session key K_AF from the K_AKMA ID and sends it to the application function network element.
In some embodiments, the first encryption information is obtained by encrypting the digital identity information with the public key of the mobile network side, and the trusted authentication and key request further includes the identification of the terminal. Digital identity verification of the terminal by the anchor point function network element then comprises: looking up the locally stored digital identity information of the terminal by the terminal's identification; sending a decryption request containing the first encryption information to the core network element; receiving from the core network element the terminal's digital identity information, which is the result of the core network element decrypting the first encryption information with the private key of the mobile network side; and comparing the digital identity information returned by the core network element with the locally stored digital identity information of the terminal, the verification succeeding when the two are identical.
In some embodiments, the digital identity information of the terminal is digest information generated by the anchor point function network element from at least one of the identity information of the terminal user, the identification of the terminal, and the public key of the terminal.
In some embodiments, the trusted authentication and key request further includes the identification of the terminal, and sending the identity verification indication to the terminal comprises: the anchor point function network element looks up the locally stored public key of the terminal by the terminal's identification and encrypts the terminal's digital identity information with that public key to obtain the second encryption information.
In some embodiments, generating the initial session key K_AF from the K_AKMA ID comprises: the anchor point function network element sends an AKMA (Authentication and Key Management for Applications) key request containing the K_AKMA ID to the core network element, receives K_AKMA from the core network element, and derives the initial session key K_AF from K_AKMA.
In some embodiments, the method further comprises: the terminal receives the identity verification indication sent by the anchor point function network element; the terminal sends a digital identity verification request containing the second encryption information to the user card in the terminal; the terminal receives a digital identity verification result from the user card, this result being obtained by the user card decrypting the second encryption information and comparing the decrypted information with the digital identity information of the terminal stored in the user card; if that result indicates success, the terminal prompts the user to input identity verification information; and the terminal receives the identity verification information input by the user and compares it with the locally stored identity verification information bound to the second encryption information to obtain the identity verification result.
In some embodiments, the second encryption information is produced by encryption with the public key of the terminal, where the public key of the terminal is generated by the user card and sent to the anchor point function network element encrypted under the public key of the mobile network side; the user card holds the private key of the terminal and obtains the decrypted information by decrypting the second encryption information with that private key; and the terminal stores the mapping between the second encryption information and the user's identity verification information.
In some embodiments, the method further comprises: the terminal starts the AKMA negotiation procedure to generate the K_AKMA ID and the initial session key K_AF; the terminal sends a digital identity acquisition request to the user card in the terminal; the terminal receives from the user card the first encryption information of the terminal's digital identity information; and the terminal generates an application request containing the first encryption information, the K_AKMA ID and the identification of the terminal, and sends it to the application function network element.
According to further embodiments of the present disclosure, there is provided an anchor point function network element, including: a first receiving module configured to receive a trusted authentication and key request sent by the application function network element, the request containing first encryption information of the terminal's digital identity information, the K_AKMA ID, and the identification of the application function network element, where the first encryption information and the K_AKMA ID are obtained from the terminal and the K_AKMA ID identifies the key shared between the terminal and the anchor point function network element; a verification module configured to perform digital identity verification of the terminal according to the first encryption information; a sending module configured to send, if that verification succeeds, an identity verification indication to the terminal containing second encryption information of the terminal's digital identity information; a second receiving module configured to receive the identity verification result returned by the terminal, this result being the outcome of comparing the user's identity verification information stored by the terminal with the identity verification information input by the user, where the stored information is selected according to the second encryption information; and a key generation module configured to generate, if the identity verification result indicates success, the initial session key K_AF from the K_AKMA ID and send it to the application function network element.
According to still further embodiments of the present disclosure, there is provided an anchor point function network element, including: a processor; and a memory coupled to the processor for storing instructions that, when executed by the processor, cause the processor to perform the method of generating a session key as in any of the embodiments described above.
According to still further embodiments of the present disclosure, there is provided a session key generation system including: the anchor point function network element of any of the foregoing embodiments; and a terminal configured to receive the identity verification indication sent by the anchor point function network element, the indication containing second encryption information of the terminal's digital identity information, to select the stored identity verification information of the user according to the second encryption information, to obtain the identity verification result by comparing the stored identity verification information with the identity verification information input by the user, and to send the identity verification result to the anchor point function network element.
In some embodiments, the terminal is configured to send a digital identity verification request containing the second encryption information to the user card in the terminal, receive the digital identity verification result returned by the user card, prompt the user to input identity verification information if that result indicates success, receive the identity verification information input by the user, and compare it with the locally stored identity verification information bound to the second encryption information to obtain the identity verification result.
In some embodiments, the terminal further comprises a user card configured to receive the digital identity verification request sent by the terminal, decrypt the second encryption information, and compare the decrypted information with the digital identity information of the terminal stored in the user card to obtain the digital identity verification result.
In some embodiments, the second encryption information is produced by encryption with the public key of the terminal, where the public key of the terminal is generated by the user card and sent to the anchor point function network element encrypted under the public key of the mobile network side; the user card holds the private key of the terminal and obtains the decrypted information by decrypting the second encryption information with that private key; and the terminal stores the mapping between the second encryption information and the user's identity verification information.
In some embodiments, the terminal is further configured to start the AKMA negotiation procedure to generate the K_AKMA ID and the initial session key K_AF; send a digital identity acquisition request to the user card in the terminal; receive from the user card the first encryption information of the terminal's digital identity information; and generate an application request containing the first encryption information, the K_AKMA ID and the identification of the terminal, and send it to the application function network element.
In some embodiments, the system further comprises an application function network element configured to send the trusted authentication and key request to the anchor point function network element and to receive the initial session key K_AF sent by the anchor point function network element.
In some embodiments, the system further comprises a core network element configured to receive the decryption request sent by the anchor point function network element, the request containing the first encryption information, to decrypt the first encryption information with the private key of the mobile network side, and to send the decrypted result to the anchor point function network element.
According to still further embodiments of the present disclosure, a non-transitory computer readable storage medium is provided, having stored thereon a computer program, wherein the program when executed by a processor implements the steps of any of the foregoing embodiment methods.
In the process of generating an initial session key between the terminal and the application function network element, the anchor point function network element receives the trusted authentication and key request sent by the application function network element and performs digital identity verification of the terminal; if that verification succeeds, it sends an identity verification indication to the terminal, and the terminal produces an identity verification result by comparing the stored identity verification information of the user with the information input by the user and returns it to the anchor point function network element. If the identity verification result indicates success, the anchor point function network element generates the initial session key K_AF from the K_AKMA ID and sends it to the application function network element.
During generation of the initial session key, the anchor point function network element on the mobile network side verifies the digital identity of the terminal, and the terminal additionally verifies the identity verification information input by the user; this dual authentication establishes the legitimacy of both the terminal and the user. Moreover, the identity verification information stored by the terminal is bound to the digital identity information, the digital identity is transmitted only in encrypted form, and the digital identity verification is performed by the anchor point function network element on the mobile network side, which further improves the security of the authentication process and of the storage and exchange of the user's digital identity.
Other features of the present disclosure and its advantages will become apparent from the following detailed description of exemplary embodiments of the disclosure, which proceeds with reference to the accompanying drawings.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present disclosure, and other drawings may be obtained according to these drawings without inventive effort to a person of ordinary skill in the art.
Fig. 1 illustrates a flow diagram of a method of generating a session key of some embodiments of the present disclosure.
Fig. 2 shows a flow diagram of a method of generating session keys according to further embodiments of the present disclosure.
Fig. 3 illustrates a schematic structural diagram of an anchor functional network element of some embodiments of the present disclosure.
Fig. 4 shows a schematic structural diagram of an anchor function network element according to further embodiments of the present disclosure.
Fig. 5 shows a schematic structural diagram of an anchor functional network element of further embodiments of the present disclosure.
Fig. 6 illustrates a schematic diagram of a session key generation system of some embodiments of the present disclosure.
Detailed Description
The following description of the technical solutions in the embodiments of the present disclosure will be made clearly and completely with reference to the accompanying drawings in the embodiments of the present disclosure, and it is apparent that the described embodiments are only some embodiments of the present disclosure, not all embodiments. The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses. Based on the embodiments in this disclosure, all other embodiments that a person of ordinary skill in the art would obtain without making any inventive effort are within the scope of protection of this disclosure.
The present disclosure proposes a method for generating a session key, which is described below with reference to fig. 1 to 2.
Fig. 1 is a flow chart of some embodiments of a method of generating a session key of the present disclosure. As shown in fig. 1, the method of this embodiment includes: steps S102 to S110.
In step S102, the application function network element (AF) sends a trusted authentication and key request to the anchor function network element (AKMA Anchor Function, AAnF), and correspondingly, the anchor function network element receives the trusted authentication and key request sent by the application function network element.
The trusted authentication and key request includes: first encryption information of the terminal's digital identity information, the K_AKMA ID, and the identification of the application function network element. The first encryption information and the K_AKMA ID are obtained from the terminal: the application request sent by the terminal to the application function network element contains the first encryption information and the K_AKMA ID, and the terminal obtains the first encryption information from the user card. The K_AKMA ID identifies the key K_AKMA shared between the terminal and the anchor point function network element; K_AKMA is derived by the terminal from K_AUSF, the key that both the terminal and the AUSF (Authentication Server Function) of the 5G network hold after the terminal has authenticated to and accessed the 5G network. The exact derivation of the K_AKMA ID follows the existing standard and is not described here.
In step S104, the anchor point functional network element performs digital authentication on the terminal according to the first encryption information.
In some embodiments, the trusted authentication and key request further includes the identification of the terminal, and the first encryption information is obtained by encrypting the digital identity information with the public key of the mobile network side. The anchor point function network element looks up the locally stored digital identity information of the terminal by the terminal's identification; sends a decryption request containing the first encryption information to the core network element; receives from the core network element the terminal's digital identity information, which is the result of the core network element decrypting the first encryption information with the private key of the mobile network side; and compares the returned digital identity information with the locally stored digital identity information of the terminal, the verification succeeding when the two are identical. The core network element is, for example, a 5G core network element such as the UDM (Unified Data Management) or the AUSF (Authentication Server Function). The private key of the mobile network side is stored at the core network element, so the anchor point function network element never handles it directly.
In some embodiments, the digital identity information of the terminal is digest information generated by the anchor point function network element from at least one of the identity information of the terminal user, the identification of the terminal, and the public key of the terminal. The identity information of the terminal user includes, for example, identity card information (at least one of identity card number, name and portrait); the identification of the terminal includes, for example, at least one of the mobile phone number and the ICCID (Integrated Circuit Card Identity). The digest is produced with a hash algorithm such as SHA-1 or SHA-256 (SHA-1 is no longer collision-resistant, so SHA-256 or stronger is the appropriate choice for a new deployment). The anchor point function network element stores the correspondence between the identification of the terminal and the digital identity information, and delivers the digital identity information to the user card for storage over a secure channel: for example, it encrypts the digital identity information with the public key of the terminal and sends the ciphertext to the user card via the terminal, and the user card decrypts it with the private key of the terminal and stores the result.
Because the digital identity information of the terminal is generated by the anchor point function network element and stored in the user card, its security is ensured.
In step S106, the anchor point functional network element sends an authentication indication to the terminal in case that the digital authentication of the terminal is successful.
The identity verification indication contains the second encryption information of the terminal's digital identity information. In some embodiments, the anchor point function network element looks up the locally stored public key of the terminal by the terminal's identification and encrypts the terminal's digital identity information with that public key to obtain the second encryption information.
In some embodiments, the terminal receives the identity verification indication sent by the anchor point function network element; sends a digital identity verification request containing the second encryption information to the user card in the terminal; receives the digital identity verification result returned by the user card and, if that result indicates success, prompts the user to input identity verification information; and receives the identity verification information input by the user and compares it with the locally stored identity verification information bound to the second encryption information to obtain the identity verification result.
The terminal may store a mapping between the second encryption information and the user's identity verification information, such as a user name and password or the user's biometric information. The terminal collects the user's identity verification information in advance and stores it in correspondence with the second encryption information. The digital identity verification result is obtained by the user card decrypting the second encryption information and comparing the decrypted information with the digital identity information of the terminal stored in the user card; the user card holds the private key of the terminal and performs that decryption with it.
The user card can generate its public-private key pair under an elliptic curve integrated encryption scheme (ECIES), with the terminal and the mobile network side using the same elliptic curve. On that curve, the product of the terminal's private key and the mobile network side's public key equals the product of the mobile network side's private key and the terminal's public key, where "product" means scalar multiplication of a curve point; the relation holds because each public key is its private key times the shared base point, so both sides arrive at the same point. This is the ECDH shared-point relation on which ECIES key derivation is built (in ECIES proper the sender uses a fresh ephemeral key pair for each message, so the relation is applied between the ephemeral private key and the recipient's static public key). The user card can encrypt the public key of the terminal with the public key of the mobile network side and send it to the anchor point function network element, which obtains the terminal's public key for storage by having the core network element decrypt it with the private key of the mobile network side.
Throughout the process the terminal only ever handles encrypted digital identity information, and both encryption and decryption of the digital identity information take place inside the user card, which protects the digital identity information from being read or tampered with.
In step S108, the terminal sends the authentication result to the anchor point functional network element, and the anchor point functional network element receives the authentication result returned by the terminal.
The authentication result is a comparison result of authentication information of the user stored in the terminal and authentication information input by the user.
In step S110, if the identity verification result indicates success, the anchor point function network element generates the initial session key K_AF from the K_AKMA ID and sends it to the application function network element.
In some embodiments, the anchor point function network element sends an AKMA key request containing the K_AKMA ID to the core network element, receives K_AKMA from the core network element, and derives the initial session key K_AF from K_AKMA. The core network element is, for example, the AUSF, which looks up K_AKMA by the K_AKMA ID; the details follow the prior art and are not described here.
In the above embodiment, in the initial session key generation process between the terminal and the application function network element, the anchor function network element receives the trusted authentication and key request sent by the application function network element, performs digital authentication on the terminal, and performs digital authentication on the terminal to formUnder the condition of success, an authentication instruction is initiated to the terminal, and the terminal generates an authentication result according to the comparison result of the stored authentication information of the user and the authentication information input by the user and returns to the anchor point functional network element. The anchor point functional network element is used for judging whether the authentication is successful according to K under the condition that the authentication result shows that the authentication is successful AKMA ID generation initial session key K AF And sent to the application function network element.
In the generation process of the initial session key, the anchor point function network element at the mobile network side verifies the digital identity of the terminal, the terminal verifies the identity verification information input by the user again, and the dual authentication ensures the legitimacy of the terminal and the user. In addition, the identity verification information stored by the terminal is closely related to the digital identity information, the digital identity is transmitted in an encrypted mode, the digital identity verification is authenticated by the anchor point functional network element at the mobile network side, and the safety of the authentication process and the safety of the storage and interaction of the digital identity of the user are further improved.
Further embodiments of the method of generating a session key of the present disclosure are described below in conjunction with fig. 2.
Fig. 2 is a flow chart of other embodiments of a method of generating a session key of the present disclosure. As shown in fig. 2, the method of this embodiment includes: steps S202 to S252.
In step S202, the user card generates a public-private key pair of the terminal, and sends the public key of the terminal to the anchor point function network element through the terminal.
The user card is, for example, a SIM card, USIM card, or the like, and is not limited to the illustrated example.
In step S204, the anchor point functional network element generates digital identity information of the terminal according to the user information of the terminal, and sends the digital identity information to the user card for storage through the secure channel.
The user information includes, for example: at least one of identity information of the terminal user, an identity of the terminal, and a public key of the terminal.
In step S206, the user card encrypts the digital identity information by using the public key of the terminal to obtain second encrypted information.
In step S208, the user card sends the second encrypted information to the terminal, and correspondingly, the terminal receives the second encrypted information and binds and stores the second encrypted information and the authentication information of the user.
In step S210, the terminal starts the AKMA negotiation function to generate the K_AKMA ID and the initial session key K_AF.
In step S212, the terminal transmits a digital identity acquisition request to the user card.
In step S214, the user card encrypts the digital identity information by using the public key of the mobile network side to obtain first encrypted information.
In step S216, the user card returns the first encrypted information of the digital identity information of the terminal to the terminal, and correspondingly, the terminal receives the first encrypted information of the digital identity information of the terminal returned by the user card.
In step S218, the terminal generates an application request and sends the application request to the application function network element. The application request includes: the first encryption information of the digital identity information of the terminal, the K_AKMA ID, and the identification of the terminal.
In step S220, the application function network element sends a trusted authentication and key request to the anchor point functional network element. The trusted authentication and key request includes: the first encryption information of the digital identity information of the terminal, the K_AKMA ID, and the identification of the application function network element.
In step S222, the anchor point functional network element searches the locally stored digital identity information of the terminal according to the identifier of the terminal.
In step S224, the anchor functional network element sends a decryption request to the core network element. The decryption request includes: first encryption information.
The core network element is for example UDM.
In step S226, the core network element decrypts the first encrypted information by using the private key of the mobile network side to obtain the digital identity information of the terminal.
In step S228, the core network element sends the digital identity information of the terminal to the anchor point function network element.
In step S230, the anchor point functional network element compares the digital identity information of the terminal returned by the core network element with the digital identity information of the terminal stored locally, and if the comparison is consistent, the digital identity verification is successful on the terminal.
In step S232, the anchor point functional network element sends an authentication indication to the terminal, where the authentication indication includes the second encryption information of the digital identity information of the terminal.
The anchor point functional network element searches the locally stored public key of the terminal according to the identification of the terminal; and encrypting the digital identity information of the terminal by using the public key of the terminal to obtain second encrypted information.
In step S234, the terminal transmits a digital identity verification request to the user card, the digital identity verification request including the second encryption information.
In step S236, the user card decrypts the second encrypted information by using the private key of the terminal, and compares the decrypted information with the digital identity information of the terminal stored in the user card, thereby obtaining a digital identity verification result.
In step S238, the terminal receives the digital authentication result returned from the user card.
In step S240, the terminal prompts the user to input authentication information when the digital authentication result indicates that the authentication is successful; and receiving the identity verification information input by the user, and comparing the identity verification information input by the user with the identity verification information bound by the locally stored second encryption information to obtain an identity verification result.
In step S242, the terminal sends the authentication result to the anchor point function network element.
In step S244, the anchor point functional network element sends an application-oriented authentication and key management (AKMA) key request to the core network element; the AKMA key request includes the K_AKMA ID.
The core network element is for example an AUSF.
In step S246, the anchor point functional network element receives the K_AKMA returned by the core network element.
In step S248, the anchor point functional network element generates the initial session key K_AF according to K_AKMA.
In step S250, the anchor point functional network element sends the initial session key K_AF to the application function network element.
In step S252, the application function network element notifies the terminal that the initial session key K_AF is ready.
The method performed by the terminal in the above embodiments may be performed by an SDK in the terminal. With this method, when the terminal and the application function network element carry out AKMA key negotiation, the user's identity is verified by way of the digital identity information, which secures the negotiation process. In addition, during the negotiation the digital identity information is transmitted between the mobile network side and the terminal only under asymmetric encryption, and it is stored only on the mobile network side and in the user card, which improves security in several respects.
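The key-pair property quoted earlier (terminal private key × network public key = network private key × terminal public key) and the step sequence S202 to S252 are shown together in the following Python example. It is added here and is not code from the patent or from China Telecom. It assumes secp256k1 as the curve shared by terminal and mobile network side (the patent names none), models the first and second encryption information as ECIES-style hybrid ciphertexts (ephemeral point plus keystream plus HMAC tag), derives the ephemeral scalar for the second encryption information deterministically so that the user card at S206 and the anchor at S232 produce the same bytes (the patent requires the values to match but does not say how), uses HMAC-SHA256 in place of the 3GPP KDF for K_AF, and constructs all identifiers, K_AKMA and the user PIN inline. The function names (ec_add, ec_mul, keygen, ecies_encrypt, ecies_decrypt, digital_identity, derive_k_af, run_flow) are the example's own.

```python
import hashlib
import hmac
import secrets
# secp256k1 domain parameters. Assumption: the patent only requires that terminal
# and mobile network side use the same curve; it does not name one.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, point):
    acc, addend = None, point          # double-and-add scalar multiplication k*point
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc

def keygen(seed=None):
    """Return (d, d*G). A seed makes d deterministic; run_flow uses that for the
    second encryption information so card and anchor derive identical bytes (assumption)."""
    if seed is None:
        d = secrets.randbelow(N - 1) + 1
    else:
        d = int.from_bytes(hashlib.sha256(seed).digest(), "big") % (N - 1) + 1
    return d, ec_mul(d, G)

def _keys(shared):
    x = shared[0].to_bytes(32, "big")
    return hashlib.sha256(b"enc" + x).digest(), hashlib.sha256(b"mac" + x).digest()

def _xor_stream(key, data):
    out, block = bytearray(), b""      # SHA-256 counter-mode keystream XORed over data
    for i, byte in enumerate(data):
        if i % 32 == 0:
            block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(byte ^ block[i % 32])
    return bytes(out)

def ecies_encrypt(pub, plaintext, seed=None):
    """ECIES-style: ephemeral r, R = r*G, keys from r*pub. Returns (R, ciphertext, tag)."""
    r, R = keygen(seed)
    enc_key, mac_key = _keys(ec_mul(r, pub))
    ct = _xor_stream(enc_key, plaintext)
    return R, ct, hmac.new(mac_key, ct, hashlib.sha256).digest()

def ecies_decrypt(priv, msg):
    """Recipient relies on priv*R == r*(priv*G): the scalar-multiplication identity in the text."""
    R, ct, tag = msg
    enc_key, mac_key = _keys(ec_mul(priv, R))
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext authentication failed")
    return _xor_stream(enc_key, ct)

def digital_identity(user_identity, terminal_id, term_pub):
    """S204: digest over user identity, terminal identifier and terminal public key."""
    return hashlib.sha256(user_identity + terminal_id + term_pub[0].to_bytes(32, "big")).digest()

def derive_k_af(k_akma, af_id):
    """S248: K_AF from K_AKMA and the AF identifier; HMAC-SHA256 stands in for the 3GPP KDF."""
    return hmac.new(k_akma, b"K_AF" + af_id, hashlib.sha256).digest()

def run_flow(user_pin, entered_pin, forged_did=None):
    """Steps S202-S252 with every party simulated in-process. Returns (did_ok, user_ok, K_AF)."""
    net_priv, net_pub = keygen()                                   # mobile-network key pair
    term_priv, term_pub = keygen()                                 # S202: made inside the user card
    terminal_id, af_id = b"term-0001", b"af.example"               # constructed identifiers
    did = digital_identity(b"subscriber-42", terminal_id, term_pub)       # S204
    anchor_db = {terminal_id: {"did": did, "pub": term_pub}}       # anchor-side record
    card = {"did": did, "priv": term_priv}                         # user-card record
    second_enc = ecies_encrypt(term_pub, did, seed=b"second" + did)       # S206
    terminal_bindings = {second_enc[1]: user_pin}                  # S208: ciphertext -> user PIN
    k_akma, k_akma_id = secrets.token_bytes(32), b"akma-id-7"      # S210 (constructed values)
    first_enc = ecies_encrypt(net_pub, forged_did or did)          # S214; forged_did = tampered request
    recovered = ecies_decrypt(net_priv, first_enc)                 # S224-S228: core element decrypts
    if not hmac.compare_digest(recovered, anchor_db[terminal_id]["did"]):  # S230: anchor compares
        return False, False, None
    rec = anchor_db[terminal_id]
    indication = ecies_encrypt(rec["pub"], rec["did"], seed=b"second" + rec["did"])   # S232
    card_ok = hmac.compare_digest(ecies_decrypt(card["priv"], indication), card["did"])   # S236
    user_ok = card_ok and hmac.compare_digest(terminal_bindings.get(indication[1], b""), entered_pin)
    if not user_ok:                                                # S240: PIN bound to this ciphertext
        return True, False, None
    ausf = {k_akma_id: k_akma}                                     # S244-S246: K_AKMA looked up by ID
    return True, True, derive_k_af(ausf[k_akma_id], af_id)         # S248-S250
```

Two things this makes visible that the step list does not. The terminal's binding is keyed on the ciphertext bytes, so the second encryption information must be bit-for-bit reproducible by the anchor; a randomized ECIES would break the S240 lookup, which is why the example derives the ephemeral scalar from the plaintext, at the cost of the ciphertext becoming a stable, linkable identifier for the subscriber. The HMAC tag on each ciphertext is also what lets the core network element reject a manipulated first encryption information outright instead of handing the anchor a garbage decryption to compare.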
The present disclosure also provides an anchor point function network element, described below in conjunction with fig. 3.
Fig. 3 is a block diagram of some embodiments of the anchor functional network element of the present disclosure. As shown in fig. 3, the anchor point function network element 30 of this embodiment includes: a first receiving module 310, a verification module 320, a transmitting module 330, a second receiving module 340, a key generating module 350.
The first receiving module 310 is configured to receive a trusted authentication and key request sent by an application function network element, where the trusted authentication and key request includes: the first encryption information of the digital identity information of a terminal, the K_AKMA ID and the identification of the application function network element; the first encryption information and the K_AKMA ID are obtained from the terminal, and the K_AKMA ID is the identification of the key between the terminal and the anchor point functional network element.
In some embodiments, the digital identity information of the terminal is summary information generated by the anchor function network element according to at least one of identity information of the terminal user, an identity of the terminal, and a public key of the terminal.
The verification module 320 is configured to perform digital authentication on the terminal according to the first encrypted information.
In some embodiments, the verification module 320 is configured to search the locally stored digital identity information of the terminal according to the identifier of the terminal; sending a decryption request to a core network element, wherein the decryption request comprises: first encryption information; receiving digital identity information of a terminal returned by a core network element, wherein the digital identity information is a result of decrypting the first encrypted information by the core network element by using a private key of a mobile network side; and comparing the digital identity information of the terminal returned by the core network element with the digital identity information of the terminal stored locally, and if the comparison is consistent, performing digital identity verification on the terminal.
The sending module 330 is configured to send an authentication indication to the terminal if the digital identity verification of the terminal is successful, where the authentication indication includes the second encryption information of the digital identity information of the terminal.
In some embodiments, the sending module 330 is configured to search the locally stored public key of the terminal according to the identifier of the terminal; and encrypting the digital identity information of the terminal by using the public key of the terminal to obtain second encrypted information.
The second receiving module 340 is configured to receive an authentication result returned by the terminal, where the authentication result is a comparison result of authentication information of the user stored in the terminal and authentication information input by the user, and the authentication information of the user stored in the terminal is determined according to the second encryption information.
The key generation module 350 is configured to generate the initial session key K_AF according to the K_AKMA ID when the authentication result indicates that authentication succeeded, and send it to the application function network element.
In some embodiments, the key generation module 350 is configured to send an application-oriented authentication and key management (AKMA) key request including the K_AKMA ID to the core network element, receive the K_AKMA returned by the core network element, and generate the initial session key K_AF according to K_AKMA.
The anchor point functional network elements in embodiments of the present disclosure may each be implemented by various computing devices or computer systems, as described below in connection with fig. 4 and 5.
Fig. 4 is a block diagram of some embodiments of the anchor functional network element of the present disclosure. As shown in fig. 4, the anchor point function network element 40 of this embodiment includes: a memory 410 and a processor 420 coupled to the memory 410, the processor 420 being configured to perform the method of generating session keys performed by the anchor function network element in any of the embodiments of the present disclosure based on instructions stored in the memory 410.
The memory 410 may include, for example, system memory, fixed nonvolatile storage media, and the like. The system memory stores, for example, an operating system, application programs, boot Loader (Boot Loader), database, and other programs.
Fig. 5 is a block diagram of further embodiments of the anchor functional network element of the present disclosure. As shown in fig. 5, the anchor point function network element 50 of this embodiment includes: memory 510 and processor 520 are similar to memory 410 and processor 420, respectively. Input/output interface 530, network interface 540, storage interface 550, and the like may also be included. These interfaces 530, 540, 550, as well as the memory 510 and the processor 520, may be connected by a bus 560, for example. The input/output interface 530 provides a connection interface for input/output devices such as a display, a mouse, a keyboard, a touch screen, etc. The network interface 540 provides a connection interface for various networking devices, such as may be connected to a database server or cloud storage server, or the like. The storage interface 550 provides a connection interface for external storage devices such as SD cards, U discs, and the like.
The terminal, the application function network element, and the core network element of the present disclosure may also be implemented by various computing devices or computer systems, and the specific structure is similar to that of fig. 4 and 5, and will not be described herein again.
The present disclosure also provides a system for generating a session key, which is described below in conjunction with fig. 6.
Fig. 6 is a block diagram of some embodiments of the session key generation system of the present disclosure. As shown in fig. 6, the session key generation system 6 of this embodiment includes: the anchor point functional network element 30/40/50 of any of the previous embodiments, and a terminal 62.
The terminal 62 is configured to receive an authentication indication sent by the anchor point functional network element 30/40/50, the authentication indication including the second encryption information of the digital identity information of the terminal; determine the stored authentication information of the user according to the second encryption information; obtain an authentication result from the comparison of the stored authentication information of the user with the authentication information input by the user; and send the authentication result to the anchor point functional network element 30/40/50.
In some embodiments, the terminal 62 is configured to send a digital identity verification request including the second encryption information to the user card in the terminal; receive the digital identity verification result returned by the user card; prompt the user to input authentication information when the digital identity verification result indicates that verification succeeded; receive the authentication information input by the user; and compare it with the authentication information bound to the locally stored second encryption information to obtain the authentication result.
In some embodiments, the terminal 62 includes a user card 620, where the user card 620 is configured to receive the digital identity verification request sent by the terminal 62, decrypt the second encryption information, and compare the decrypted information with the digital identity information of the terminal 62 stored in the user card 620 to obtain the digital identity verification result.
In some embodiments, the second encryption information is generated by encrypting with the public key of the terminal 62; the public key of the terminal 62 is generated by the user card and transmitted to the anchor point functional network element 30/40/50 after being encrypted with the public key of the mobile network side. The user card 620 stores the private key of the terminal, and the decrypted information is obtained by the user card 620 decrypting the second encryption information with the private key of the terminal. The terminal 62 stores the mapping between the second encryption information and the authentication information of the user.
In some embodiments, the terminal 62 is further configured to start the AKMA negotiation function to generate the K_AKMA ID and the initial session key K_AF; send a digital identity acquisition request to the user card 620 in the terminal 62; receive the first encryption information of the digital identity information of the terminal returned by the user card 620; and generate an application request and send it to the application function network element, where the application request includes: the first encryption information of the digital identity information of the terminal, the K_AKMA ID, and the identification of the terminal.
In some embodiments, the system 6 further comprises: an application function network element 64, configured to send a trusted authentication and key request to the anchor point functional network element 30/40/50 and receive the initial session key K_AF sent by the anchor point functional network element 30/40/50.
In some embodiments, the system 6 further comprises: a core network element 66, configured to receive a decryption request sent by the anchor point functional network element 30/40/50, the decryption request including the first encryption information; decrypt the first encryption information with the private key of the mobile network side; and send the decrypted result to the anchor point functional network element 30/40/50.
It will be appreciated by those skilled in the art that embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable non-transitory storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that each flowchart and/or block of the flowchart illustrations and/or block diagrams, and combinations of flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing description of the preferred embodiments of the present disclosure is not intended to limit the disclosure, but rather to enable any modification, equivalent replacement, improvement or the like, which fall within the spirit and principles of the present disclosure.

Claims (18)

1. A method of generating a session key, comprising:
The anchor point functional network element receives a trusted authentication and key request sent by the application function network element, wherein the trusted authentication and key request comprises: first encryption information of the digital identity information of a terminal, a K_AKMA ID and an identification of the application function network element, the first encryption information and the K_AKMA ID being obtained from the terminal, and the K_AKMA ID being the identification of the key between the terminal and the anchor point functional network element;
the anchor point functional network element performs digital identity verification on the terminal according to the first encryption information;
the anchor point functional network element sends an identity verification instruction to the terminal under the condition that the digital identity verification of the terminal is successful, wherein the identity verification instruction comprises: second encryption information of the digital identity information of the terminal;
the anchor point functional network element receives an identity verification result returned by the terminal, wherein the identity verification result is a comparison result of the identity verification information of the user stored by the terminal and the identity verification information input by the user, and the identity verification information of the user stored by the terminal is determined according to the second encryption information;
the anchor point functional network element, in the case that the authentication result indicates that the authentication is successful, generates an initial session key K_AF according to the K_AKMA ID and sends it to the application function network element.
2. The method for generating a session key according to claim 1, wherein the first encryption information is information obtained by encrypting the digital identity information by using a public key of a mobile network side, and the trusted authentication and key request further comprises: the identification of the terminal;
the anchor point function network element performs digital identity verification on the terminal according to the first encryption information, and the method comprises the following steps:
the anchor point functional network element searches the locally stored digital identity information of the terminal according to the identification of the terminal;
the anchor point functional network element sends a decryption request to the core network element, wherein the decryption request comprises: the first encryption information;
the anchor point functional network element receives digital identity information of the terminal returned by the core network element, wherein the digital identity information is a result of decrypting the first encryption information by the core network element by utilizing a private key of a mobile network side;
and the anchor point functional network element compares the digital identity information of the terminal returned by the core network element with the locally stored digital identity information of the terminal, and if the comparison is consistent, the digital identity verification of the terminal is successful.
3. The session key generation method according to claim 1, wherein,
the digital identity information of the terminal is abstract information generated by the anchor point functional network element according to at least one of the identity information of the terminal user, the identification of the terminal and the public key of the terminal.
4. The session key generation method of claim 1, wherein the trusted authentication and key request further comprises: the identification of the terminal, and the sending of the identity verification indication to the terminal by the anchor point functional network element comprises the following steps:
the anchor point functional network element searches a locally stored public key of the terminal according to the identifier of the terminal;
and the anchor point functional network element encrypts the digital identity information of the terminal by utilizing the public key of the terminal to obtain second encrypted information.
5. The session key generation method according to claim 1, wherein the anchor point functional network element generating the initial session key K_AF according to the K_AKMA ID comprises:
the anchor point functional network element sends an application-oriented authentication and key management (AKMA) key request to a core network element, wherein the AKMA key request comprises the K_AKMA ID;
the anchor point functional network element receives the K_AKMA returned by the core network element and generates the initial session key K_AF according to K_AKMA.
6. The session key generation method according to claim 1, further comprising:
the terminal receives the identity verification indication sent by the anchor point function network element;
the terminal sends a digital authentication request to a user card in the terminal, wherein the digital authentication request comprises: the second encryption information;
the terminal receives a digital identity verification result returned by the user card, wherein the digital identity verification result is a result of the user card decrypting the second encrypted information and comparing the decrypted information with the digital identity information of the terminal stored by the user card;
the terminal prompts a user to input identity verification information under the condition that the digital identity verification result shows that verification is successful;
the terminal receives the authentication information input by the user, compares the authentication information input by the user with the authentication information bound by the locally stored second encryption information, and obtains an authentication result.
7. The session key generation method of claim 6, wherein,
the second encryption information is generated by encrypting with the public key of the terminal, and the public key of the terminal is generated by the user card and transmitted to the anchor point functional network element after being encrypted with the public key of the mobile network side;
the user card stores the private key of the terminal, and the decrypted information is obtained by the user card decrypting the second encryption information with the private key of the terminal;
and the terminal stores the mapping relation between the second encryption information and the authentication information of the user.
8. The session key generation method according to claim 1, further comprising:
the terminal starts an AKMA negotiation function to generate a K_AKMA ID and an initial session key K_AF;
The terminal sends a digital identity acquisition request to a user card in the terminal;
the terminal receives first encryption information of digital identity information of the terminal returned by the user card;
the terminal generates an application request and sends the application request to the application function network element, wherein the application request comprises: the first encryption information of the digital identity information of the terminal, the K_AKMA ID, and the identification of the terminal.
9. An anchor point-functioning network element, comprising:
a first receiving module, configured to receive a trusted authentication and key request sent by an application function network element, wherein the trusted authentication and key request comprises: first encryption information of the digital identity information of a terminal, a K_AKMA ID and an identification of the application function network element, the first encryption information and the K_AKMA ID being obtained from the terminal, and the K_AKMA ID being the identification of the key between the terminal and the anchor point functional network element;
the verification module is used for carrying out digital identity verification on the terminal according to the first encryption information;
the sending module is used for sending an identity verification instruction to the terminal under the condition that the digital identity verification of the terminal is successful, wherein the identity verification instruction comprises: second encryption information of the digital identity information of the terminal;
the second receiving module is used for receiving an identity verification result returned by the terminal, wherein the identity verification result is a comparison result of the identity verification information of the user stored by the terminal and the identity verification information input by the user, and the identity verification information of the user stored by the terminal is determined according to the second encryption information;
a key generation module, configured to, in the case that the authentication result indicates that the authentication is successful, generate an initial session key K_AF according to the K_AKMA ID and send it to the application function network element.
10. An anchor point-functioning network element, comprising:
a processor; and
a memory coupled to the processor for storing instructions that, when executed by the processor, cause the processor to perform the method of generating a session key as claimed in any one of claims 1-5.
11. A system for generating a session key, comprising: the anchor point function network element of claim 9 or 10; and
a terminal, configured to receive the authentication indication sent by the anchor point functional network element, wherein the authentication indication comprises second encryption information of the digital identity information of the terminal; determine the stored authentication information of the user according to the second encryption information; obtain an authentication result according to a comparison of the stored authentication information of the user with the authentication information input by the user; and send the authentication result to the anchor point functional network element.
12. The session key generation system of claim 11, wherein,
the terminal is configured to send a digital identity verification request to a user card in the terminal, the digital identity verification request comprising the second encryption information; receive a digital identity verification result returned by the user card; prompt the user to input identity verification information when the digital identity verification result indicates that the digital identity verification is successful; receive the identity verification information input by the user; and compare the identity verification information input by the user with the identity verification information bound to the locally stored second encryption information to obtain the identity verification result.
13. The session key generation system of claim 12, wherein the terminal further comprises a user card;
the user card is used for receiving the digital identity verification request sent by the terminal, decrypting the second encrypted information, and comparing the decrypted information with the digital identity information of the terminal stored by the user card to obtain a digital identity verification result.
14. The session key generation system of claim 13, wherein,
the second encryption information is generated by encryption with the public key of the terminal, the public key of the terminal is generated by the user card, and the second encryption information is transmitted to the anchor point function network element after being encrypted with the public key of the mobile network side;
the user card stores the private key of the terminal, and the decryption information is obtained by decrypting the second encryption information by the user card by utilizing the private key of the terminal;
and the terminal stores the mapping relation between the second encryption information and the authentication information of the user.
15. The session key generation system of claim 11, wherein,
the terminal is further configured to start an AKMA negotiation function to generate the K_AKMA ID and the initial session key K_AF; send a digital identity acquisition request to the user card in the terminal; receive the first encryption information of the digital identity information of the terminal returned by the user card; and generate an application request and send it to the application function network element, the application request comprising: the first encryption information of the digital identity information of the terminal, the K_AKMA ID, and the identification of the terminal.
16. The session key generation system of claim 11, further comprising:
an application function network element configured to send the trusted authentication and key request to the anchor point function network element and to receive the initial session key K_AF sent by the anchor point function network element.
17. The session key generation system of claim 11, further comprising:
a core network element configured to receive a decryption request sent by the anchor point function network element, the decryption request comprising the first encryption information; decrypt the first encryption information using the private key of the mobile network side; and send the decryption result to the anchor point function network element.
18. A non-transitory computer readable storage medium having stored thereon a computer program, wherein the program when executed by a processor implements the steps of the method of any of claims 1-8.
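The exchange described by claims 9 and 11 through 17, modelled end to end as an added Go example; this is not the patent's or the applicant's code. It assumes RSA-OAEP for both public-key encryptions (the claims name no algorithm), an HMAC-SHA256 stand-in for the K_AF derivation in place of the 3GPP KDF, a SHA-256 digest as the terminal's stored user verification information, and that the anchor point function network element judges the core network's decryption result by comparing it with a registered copy of the second encryption information (the claims here do not say how that judgement is made). All keys, identifiers and the user secret are constructed. RunFlow returns the K_AF derived on the terminal side beside the K_AF the anchor hands to the application function, so a reader can check that the two sides agree.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)
// Constructed model of the claimed exchange, not the patent's code. Stand-in KDF (the 3GPP
// KDF is not reproduced): K_AF = HMAC-SHA256(K_AKMA, "K_AF" || K_AKMA ID || AF ID).
func deriveKAF(kAKMA []byte, akmaID, afID string) []byte {
	m := hmac.New(sha256.New, kAKMA)
	m.Write([]byte("K_AF" + akmaID + afID))
	return m.Sum(nil)
}

// UserCard holds the terminal private key and the terminal's digital identity (claims 13, 14).
type UserCard struct {
	priv     *rsa.PrivateKey
	identity []byte
}

// EncryptedIdentity returns the second encryption information (identity under the terminal public key)
// and the first (second under the network public key), claims 14 and 15; 3072-bit network key so OAEP fits.
func (c *UserCard) EncryptedIdentity(netPub *rsa.PublicKey) (first, second []byte, err error) {
	second, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, &c.priv.PublicKey, c.identity, nil)
	if err != nil {
		return nil, nil, err
	}
	first, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, netPub, second, nil)
	return first, second, err
}

// VerifyDigitalIdentity is the card-side check of claim 13.
func (c *UserCard) VerifyDigitalIdentity(second []byte) bool {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, c.priv, second, nil)
	return err == nil && subtle.ConstantTimeCompare(plain, c.identity) == 1
}

// Terminal keeps the claim 14 mapping second encryption information -> user verification info (as a SHA-256 digest, a constructed choice).
type Terminal struct {
	card    *UserCard
	binding map[string][32]byte
}

// VerifyIdentity is the terminal procedure of claim 12; userInput stands for the prompted entry.
func (t *Terminal) VerifyIdentity(second []byte, userInput string) bool {
	if !t.card.VerifyDigitalIdentity(second) {
		return false
	}
	bound, ok := t.binding[string(second)]
	got := sha256.Sum256([]byte(userInput))
	return ok && subtle.ConstantTimeCompare(bound[:], got[:]) == 1
}

// Anchor is the anchor point function network element (claims 9, 17); netPriv stands for the core network
// element that decrypts on request. Judging the decryption result against a registered copy is an assumption.
type Anchor struct {
	netPriv    *rsa.PrivateKey
	akmaKeys   map[string][]byte // K_AKMA ID -> K_AKMA, assumed filled by the AKMA procedure
	registered map[string][]byte // terminal ID -> expected second encryption information
}

// HandleRequest serves the trusted authentication and key request forwarded by the application function (claim 16).
func (a *Anchor) HandleRequest(t *Terminal, termID string, first []byte, akmaID, afID, userInput string) ([]byte, error) {
	second, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, a.netPriv, first, nil)
	if err != nil || subtle.ConstantTimeCompare(second, a.registered[termID]) != 1 {
		return nil, errors.New("digital identity verification failed")
	}
	kAKMA, ok := a.akmaKeys[akmaID]
	if !ok || !t.VerifyIdentity(second, userInput) { // identity verification instruction -> result
		return nil, errors.New("unknown K_AKMA ID or user identity verification failed")
	}
	return deriveKAF(kAKMA, akmaID, afID), nil
}

// RunFlow builds constructed keys and identities, runs the exchange, and returns the terminal-side K_AF (claim 15) beside the anchor's.
func RunFlow(userSecret, userInput string) (termKAF, afKAF []byte, err error) {
	const akmaID, afID, termID = "constructed-akma-id", "example.af", "terminal-1"
	termPriv, err1 := rsa.GenerateKey(rand.Reader, 2048)
	netPriv, err2 := rsa.GenerateKey(rand.Reader, 3072)
	if err = errors.Join(err1, err2); err != nil {
		return nil, nil, err
	}
	kAKMA := sha256.Sum256([]byte("constructed K_AKMA seed")) // stands in for the AKMA-negotiated key
	card := &UserCard{priv: termPriv, identity: []byte("constructed-digital-identity")}
	first, second, err := card.EncryptedIdentity(&netPriv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	term := &Terminal{card: card, binding: map[string][32]byte{string(second): sha256.Sum256([]byte(userSecret))}}
	anchor := &Anchor{netPriv: netPriv, akmaKeys: map[string][]byte{akmaID: kAKMA[:]}, registered: map[string][]byte{termID: second}}
	afKAF, err = anchor.HandleRequest(term, termID, first, akmaID, afID, userInput)
	return deriveKAF(kAKMA[:], akmaID, afID), afKAF, err
}
```

The ordering mirrors the claims: the anchor releases K_AF to the application function only after the core network's decryption result is accepted, the user card has verified the decrypted digital identity, and the terminal has matched the user's input against the bound verification information; a wrong user input makes RunFlow return an error and no key. The two RSA key generations make each run take a second or two.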
CN202010772565.7A 2020-08-04 2020-08-04 Session key generation method, anchor point function network element and system Active CN114079921B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010772565.7A CN114079921B (en) 2020-08-04 2020-08-04 Session key generation method, anchor point function network element and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010772565.7A CN114079921B (en) 2020-08-04 2020-08-04 Session key generation method, anchor point function network element and system

Publications (2)

Publication Number Publication Date
CN114079921A CN114079921A (en) 2022-02-22
CN114079921B true CN114079921B (en) 2023-10-03

Family

ID=80279389

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010772565.7A Active CN114079921B (en) 2020-08-04 2020-08-04 Session key generation method, anchor point function network element and system

Country Status (1)

Country Link
CN (1) CN114079921B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115065466B (en) * 2022-06-23 2024-01-19 中国电信股份有限公司 Key negotiation method, device, electronic equipment and computer readable storage medium
CN117795905A (en) * 2022-07-29 2024-03-29 北京小米移动软件有限公司 API caller authentication method and device, communication equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106027251A (en) * 2016-01-21 2016-10-12 李明 Identity card reading terminal and cloud authentication platform data transmission method and system
CN106027254A (en) * 2016-01-21 2016-10-12 李明 Secret key use method for identity card reading terminal in identity card authentication system
JP2018011191A (en) * 2016-07-13 2018-01-18 日本電信電話株式会社 Apparatus list creation system and apparatus list creation method
CN109714167A (en) * 2019-03-15 2019-05-03 北京邮电大学 Authentication and cryptographic key negotiation method and equipment suitable for mobile application signature
CN109922474A (en) * 2017-08-07 2019-06-21 华为技术有限公司 Trigger the method and relevant device of network authentication

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106027251A (en) * 2016-01-21 2016-10-12 李明 Identity card reading terminal and cloud authentication platform data transmission method and system
CN106027254A (en) * 2016-01-21 2016-10-12 李明 Secret key use method for identity card reading terminal in identity card authentication system
JP2018011191A (en) * 2016-07-13 2018-01-18 日本電信電話株式会社 Apparatus list creation system and apparatus list creation method
CN109922474A (en) * 2017-08-07 2019-06-21 华为技术有限公司 Trigger the method and relevant device of network authentication
CN109714167A (en) * 2019-03-15 2019-05-03 北京邮电大学 Authentication and cryptographic key negotiation method and equipment suitable for mobile application signature

Also Published As

Publication number Publication date
CN114079921A (en) 2022-02-22

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant