CN114173327A - Authentication method and terminal based on 5G industry private network - Google Patents


Info

Publication number
CN114173327A
Authority
CN (China)
Prior art keywords
terminal
execution environment
autn
supi
trusted execution
Legal status
Pending
Application number
CN202111475908.4A
Other languages
Chinese (zh)
Inventor
吕航
雷波
王镇宇
李佳聪
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd; priority to CN202111475908.4A; published as CN114173327A.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H04W 12/06 Authentication
    • H04W 12/08 Access security
    • H04W 12/084 Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321 Involving a third party or a trusted authority
    • H04L 9/3213 Using tickets or tokens, e.g. Kerberos
    • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication (H04L 9/00)
    • H04L 2209/12 Details relating to cryptographic hardware or logic circuitry
    • H04L 2209/127 Trusted platform modules [TPM]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The disclosure relates to an authentication method based on a 5G industry private network, a terminal and a computer storage medium, in the technical field of networks. The authentication method is executed in a trusted execution environment of a terminal that is independent of the terminal's rich execution environment, and comprises the following steps: acquiring the Subscription Permanent Identifier (SUPI) of the terminal; generating a Subscription Concealed Identifier (SUCI) from the SUPI of the terminal, the SUCI being used by the core network device to authenticate the trusted execution environment of the terminal; receiving an authentication token (AUTN) from the core network device, the AUTN being generated by the core network device once the trusted execution environment of the terminal has been successfully authenticated according to the SUCI; and authenticating the core network device according to the AUTN. The method and device improve the security of the trusted execution environment of the terminal.

Description

Authentication method and terminal based on 5G industry private network
Technical Field
The disclosure relates to the field of network technologies, and in particular, to an authentication method based on a 5G industry private network, a terminal, and a computer-readable storage medium.
Background
A TEE (Trusted Execution Environment) is a secure operating environment for smart terminals proposed by ARM. The TEE is independent of the REE (Rich Execution Environment), such as the Android system, and runs in parallel with it. TEEs are mainly applied in fields such as security-sensitive production and secure payment. Applications with high security requirements run in the trusted execution environment, so that the REE environment of untrusted components is separated from the TEE environment of trusted components.
Disclosure of Invention
In view of this application scenario, the disclosure provides a solution that improves the security of the trusted execution environment of the terminal.
According to a first aspect of the present disclosure, there is provided a 5G industry private network-based authentication method, executed in a trusted execution environment of a terminal that is independent of the rich execution environment of the terminal, the authentication method including: acquiring the Subscription Permanent Identifier (SUPI) of the terminal; generating a Subscription Concealed Identifier (SUCI) from the SUPI of the terminal, the SUCI being used by the core network device to authenticate the trusted execution environment of the terminal; receiving an authentication token (AUTN) from the core network device, the AUTN being generated by the core network device once the trusted execution environment of the terminal has been successfully authenticated according to the SUCI; and authenticating the core network device according to the AUTN.
In some embodiments, the Universal Subscriber Identity Module (USIM) card of the terminal is deployed in the trusted execution environment of the terminal, and acquiring the SUPI of the terminal comprises acquiring the SUPI of the terminal from the USIM card.
In some embodiments, an industry private network terminal database storing the data required for the authentication process is deployed in the trusted execution environment of the terminal, and generating the SUCI from the SUPI of the terminal includes: acquiring the sequence number SQN of the terminal from the industry private network terminal database; and generating the SUCI from the SQN and the SUPI.
In some embodiments, generating the SUCI from the SQN and the SUPI comprises encrypting the SQN and the SUPI with an encryption algorithm pre-shared by the trusted execution environment of the terminal and the core network device to generate the SUCI.
In some embodiments, encrypting the SQN and the SUPI to generate the SUCI comprises: combining the SQN and the SUPI to obtain a composite field; and encrypting the composite field with the encryption algorithm to obtain the SUCI.
In some embodiments, the SUPI is in International Mobile Subscriber Identity (IMSI) format or Network Access Identifier (NAI) format.
In some embodiments, the AUTN is an encrypted AUTN that includes an updated SQN, and authenticating the core network device according to the AUTN includes: decrypting the encrypted AUTN according to a preset encryption and decryption policy shared by the trusted execution environment of the terminal and the core network device to obtain a decrypted AUTN; and verifying whether the decrypted AUTN is valid, the trusted execution environment of the terminal having successfully authenticated the core network device when the decrypted AUTN is valid.
In some embodiments, the preset encryption and decryption policy includes generating a target key from the SQN before the update, the SUPI of the terminal and a preset initial key, the target key being used by the core network device to encrypt the AUTN and by the trusted execution environment of the terminal to decrypt the encrypted AUTN.
In some embodiments, the authentication method further comprises: when the trusted execution environment of the terminal has successfully authenticated the core network device, acquiring the updated SQN from the decrypted AUTN; deleting the SQN before the update; and storing the updated SQN in the industry private network terminal database.
According to a second aspect of the present disclosure, there is provided a terminal based on a 5G industry private network, including a trusted execution environment and a rich execution environment that are independent of each other, the trusted execution environment comprising: an acquisition module configured to acquire the Subscription Permanent Identifier (SUPI) of the terminal; a generation module configured to generate a Subscription Concealed Identifier (SUCI) from the SUPI of the terminal, the SUCI being used by a core network device to authenticate the trusted execution environment of the terminal; a receiving module configured to receive an authentication token (AUTN) from the core network device, the AUTN being generated by the core network device when the trusted execution environment of the terminal has been successfully authenticated according to the SUCI; and an authentication module configured to authenticate the core network device according to the AUTN.
In some embodiments, the trusted execution environment further comprises a Universal Subscriber Identity Module (USIM) card configured to store the SUPI of the terminal, the acquisition module being further configured to acquire the SUPI of the terminal from the USIM card.
In some embodiments, the trusted execution environment further comprises an industry private network terminal database configured to store the data required for the authentication process, including the SQN of the terminal; the generation module is further configured to acquire the sequence number SQN of the terminal from the industry private network terminal database and to generate the SUCI from the SQN and the SUPI.
According to a third aspect of the present disclosure, there is provided a terminal based on a 5G industry private network, including: a memory; and a processor coupled to the memory, the processor configured to execute the 5G industry private network-based authentication method of any of the above embodiments based on instructions stored in the memory.
According to a fourth aspect of the present disclosure, there is provided a computer-storable medium having stored thereon computer program instructions that, when executed by a processor, implement the authentication method based on the 5G industry private network according to any one of the above embodiments.
In the above embodiments, the security of the trusted execution environment of the terminal may be improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description, serve to explain the principles of the disclosure.
The present disclosure may be more clearly understood from the following detailed description, taken with reference to the accompanying drawings, in which:
Fig. 1 is a flow diagram illustrating an authentication method according to some embodiments of the present disclosure;
Fig. 2a is a schematic diagram illustrating the structure of an IMSI according to some embodiments of the present disclosure;
Fig. 2b is a schematic diagram illustrating the structure of the composite field IMSI' according to some embodiments of the present disclosure;
Fig. 2c is a schematic diagram illustrating the structure of a SUCI according to some embodiments of the present disclosure;
Fig. 3 is a block diagram illustrating a terminal according to some embodiments of the present disclosure;
Fig. 4 is a block diagram illustrating a terminal according to further embodiments of the present disclosure;
Fig. 5 is a block diagram illustrating a terminal according to still further embodiments of the present disclosure;
Fig. 6 is a block diagram illustrating a computer system for implementing some embodiments of the present disclosure.
Detailed Description
Various exemplary embodiments of the present disclosure will now be described in detail with reference to the accompanying drawings. It should be noted that: the relative arrangement of the components and steps, the numerical expressions, and numerical values set forth in these embodiments do not limit the scope of the present disclosure unless specifically stated otherwise.
Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.
The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
Fig. 1 is a flow diagram illustrating an authentication method according to some embodiments of the present disclosure.
As shown in FIG. 1, the authentication method based on the 5G industry private network comprises steps S1-S4. The authentication method is performed in a trusted execution environment of the terminal, which is independent of a rich execution environment of the terminal.
In step S1, SUPI (Subscription Permanent Identifier) of the terminal is acquired.
In some embodiments, a Universal Subscriber Identity Module (USIM) card of the terminal is deployed in a trusted execution environment of the terminal, and the SUPI of the terminal may be acquired from the USIM card. By deploying the USIM card in the trusted execution environment of the terminal, the process of acquiring the SUPI of the terminal is completely performed in the trusted execution environment, and the security of the trusted execution environment of the terminal can be further improved.
In some embodiments, SUPI is in IMSI (International Mobile Subscriber Identity) format or NAI (Network Access Identifier) format.
In step S2, a SUCI (Subscription Concealed Identifier) is generated from the SUPI of the terminal. The SUCI is used by the core network device to authenticate the trusted execution environment of the terminal.
In some embodiments, an industry private network terminal database is deployed in the trusted execution environment of the terminal and stores the data required for the authentication process. In that case, the sequence number SQN of the terminal is obtained from the industry private network terminal database and the SUCI is generated from the SQN and the SUPI. Under the 5G AKA authentication mechanism the SQN differs between authentication runs, i.e. it is variable; generating the SUCI from the variable SQN therefore adds a random disturbance to the SUCI in every authentication run, which further improves the security of the trusted execution environment of the terminal, and in particular the security of the core network device's authentication of the terminal.
In some embodiments, the SQN and the SUPI are encrypted to generate the SUCI using an encryption algorithm pre-shared by the trusted execution environment of the terminal and the core network device. The same pre-shared algorithm is used by the core network device to decrypt the SUCI and so complete its authentication of the terminal.
In some embodiments, encrypting the SQN and SUPI to generate the SUCI may be accomplished as follows.
First, the SQN and the SUPI are combined to obtain a composite field.
Fig. 2a is a schematic diagram illustrating the structure of an IMSI according to some embodiments of the present disclosure.
Taking a SUPI in IMSI format as an example, as shown in fig. 2a, the IMSI comprises an MCC (Mobile Country Code) field, an MNC (Mobile Network Code) field and an MSIN (Mobile Subscriber Identification Number) field. The MCC and MNC fields carry network and routing information, and the MSIN field identifies the subscriber. It is the MSIN field that is cryptographically protected when the SUCI is generated.
Fig. 2b is a schematic diagram illustrating the structure of the composite field IMSI' according to some embodiments of the present disclosure.
As shown in fig. 2b, the composite field contains, in addition to the three fields of fig. 2a, an SQN, denoted SQN1, that is incorporated into the MSIN field. The resulting composite field is denoted IMSI'.
Then, the composite field is encrypted by using an encryption algorithm to obtain the SUCI. In some embodiments, the encryption algorithm is an ECC (Elliptic Curve Cryptography) algorithm.
Fig. 2c is a schematic structural diagram illustrating a SUCI according to some embodiments of the present disclosure.
As shown in fig. 2c, the SUCI comprises a SUPI type, a home network identifier, a routing indicator, a protection scheme ID, a home network public key and the SUPI ciphertext (Scheme Output). The MSIN and the SQN of fig. 2b are encrypted with the encryption algorithm and stored in the SUPI ciphertext field.
Taking a SUPI in NAI format as an example, the NAI and the SQN are concatenated and the concatenated result is encrypted to obtain the SUCI.
Returning to fig. 1, in step S3 an AUTN (Authentication Token) is received from the core network device. The AUTN is generated by the core network device once the trusted execution environment of the terminal has been successfully authenticated according to the SUCI. In some embodiments, the AUTN is an AUTN encrypted by the core network device, the encrypted AUTN including the updated SQN. For example, the core network device first generates the original AUTN, denoted AUTN1, and then encrypts AUTN1 to obtain the encrypted AUTN, denoted AUTN2. Under the 5G AKA mechanism, those skilled in the art will understand that after the trusted execution environment of the terminal has been successfully authenticated, the core network device updates the SQN associated with that trusted execution environment and encapsulates it in the AUTN; this is not described again here. Besides the updated SQN, the AUTN also encapsulates the other AK information used for authenticating the core network, which those skilled in the art can implement according to the 5G AKA authentication mechanism; it is likewise not described again.
In step S4, the core network device is authenticated according to the AUTN.
For example, taking the case where the encrypted AUTN includes the updated SQN, step S4 can be implemented as follows.
First, the encrypted AUTN is decrypted according to a preset encryption and decryption policy shared by the trusted execution environment of the terminal and the core network device, yielding the decrypted AUTN. For example, AUTN2 is decrypted to yield AUTN1.
In some embodiments, the preset encryption and decryption policy includes generating a target key from the SQN before the update, the SUPI of the terminal and a preset initial key (denoted K, for example); the target key is used by the core network device to encrypt the AUTN and by the trusted execution environment of the terminal to decrypt the encrypted AUTN. Because the target key is derived from the variable SQN, a random disturbance enters the key and the target key differs in every authentication run, which further improves the security of the trusted execution environment of the terminal, and in particular the security of the trusted execution environment's authentication of the core network device.
In some embodiments, an exclusive-or operation is first performed on the SUPI and the initial key, and the result of the exclusive-or is then concatenated with the SQN before the update to obtain the target key.
For example, denoting the target key KeyAutn, the initial key K and the value of the terminal's SQN before the update SQN1, the target key is calculated by the following formula:
KeyAutn = (SUPI ⊕ K) ‖ SQN1
where ⊕ denotes the bitwise exclusive-or and ‖ denotes concatenation.
Then, whether the decrypted AUTN is valid is verified. When the decrypted AUTN is valid, the trusted execution environment of the terminal has successfully authenticated the core network device. For example, key information such as the AK is taken from the decrypted AUTN and the check is performed on it. In some embodiments, it is determined whether the decrypted AUTN is a valid AUTN. If it is, authentication succeeds and the completion response RES is then calculated (the existing 5G AKA mechanism, not described again here). If the decrypted AUTN is invalid, authentication is judged to have failed, and a man-in-the-middle attack may be in progress.
In the above embodiment, because the trusted execution environment of the terminal authenticates the core network device on the basis of an encrypted AUTN, the AUTN is to some extent prevented from leaking authentication-related information in transit, so the security of the trusted execution environment of the terminal is further improved, and in particular the security of its authentication of the core network device.
In some embodiments, when the trusted execution environment of the terminal has successfully authenticated the core network device, the updated SQN is obtained from the decrypted AUTN, the SQN before the update is deleted, and the updated SQN is stored in the industry private network terminal database. The updated SQN is used in the next authentication run, which again reflects the variability of the SQN: it is the inclusion of the variable SQN in the SUCI that improves the security of the trusted execution environment of the terminal.
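As an added end-to-end sketch of steps S1 to S4 above (written for this edit, not code from the patent or from China Telecom), using only the Python standard library. Assumptions: the ECC protection scheme of fig. 2c and the unspecified pre-shared AUTN cipher are both stood in by an HMAC-SHA256 encrypt-then-MAC construction under constructed keys, the SUPI is ASCII-encoded and zero-padded to the length of K before the XOR of the KeyAutn formula, and the AUTN body is SQN || AMF || MAC as in 5G AKA, with RES omitted.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; none of them come from the patent.
K = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")       # preset initial key K
HN_KEY = bytes.fromhex("603deb1015ca71be2b73aef0857d7781")  # stands in for the ECC scheme key
MCC, MNC, MSIN = "460", "11", "0123456789"                   # IMSI-format SUPI = MCC|MNC|MSIN
SQN_LEN, NONCE_LEN, TAG_LEN = 6, 12, 16                      # 48-bit SQN as in AKA; AE framing


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode. It accepts a key of any length, which matters here
    # because the patent's target key is a concatenation, not a fixed-size cipher key.
    blocks = range((n + 31) // 32)
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in blocks)[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    # Stand-in for the pre-shared cipher the patent leaves unspecified: encrypt-then-MAC.
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def open_(key: bytes, blob: bytes):
    # Returns the plaintext, or None when the tag fails (the "invalid AUTN" case).
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        return None
    return xor_bytes(ct, keystream(key, nonce, len(ct)))


# Step S2: composite field IMSI' (fig. 2b) and SUCI (fig. 2c).
def composite_field(msin: str, sqn: int) -> bytes:
    # MSIN with SQN1 folded in; MCC and MNC stay in the clear and are not protected.
    return msin.encode() + sqn.to_bytes(SQN_LEN, "big")


def build_suci(mcc: str, mnc: str, msin: str, sqn: int) -> dict:
    # fig. 2c layout. Assumption: seal() under HN_KEY replaces the ECC scheme output.
    return {"supi_type": 0, "home_network_id": mcc + mnc, "routing_indicator": "0000",
            "protection_scheme_id": 0xFF,  # placeholder id for the stand-in scheme
            "hn_public_key_id": 1,
            "scheme_output": seal(HN_KEY, composite_field(msin, sqn))}


# Shared key schedule: KeyAutn = (SUPI xor K) || SQN1, SQN1 being the value before update.
def derive_key_autn(supi: str, k: bytes, sqn1: int) -> bytes:
    # Assumption: SUPI digits are ASCII-encoded and left-padded with zeros to len(K).
    supi_bytes = supi.encode().rjust(len(k), b"\x00")
    return xor_bytes(supi_bytes, k) + sqn1.to_bytes(SQN_LEN, "big")


# Core network side, kept minimal so that the terminal flow can run end to end.
def cn_handle_suci(suci: dict, cn_db: dict):
    # Authenticates the TEE from the SUCI and returns AUTN2, or None on failure.
    field = open_(HN_KEY, suci["scheme_output"])
    if field is None:
        return None
    msin, sqn1 = field[:-SQN_LEN].decode(), int.from_bytes(field[-SQN_LEN:], "big")
    supi = suci["home_network_id"] + msin
    if cn_db.get(supi) != sqn1:        # SQN inside the SUCI must match the network's copy
        return None
    sqn_new = sqn1 + 1                 # updated SQN, carried back inside the AUTN
    amf = b"\x80\x00"
    sqn_bytes = sqn_new.to_bytes(SQN_LEN, "big")
    mac = hmac.new(K, sqn_bytes + amf, hashlib.sha256).digest()[:8]
    cn_db[supi] = sqn_new
    return seal(derive_key_autn(supi, K, sqn1), sqn_bytes + amf + mac)   # AUTN2


# Step S4: the terminal TEE authenticates the core network from the encrypted AUTN.
def tee_verify_autn(supi: str, autn2: bytes, tee_db: dict) -> bool:
    sqn1 = tee_db["sqn"]
    autn1 = open_(derive_key_autn(supi, K, sqn1), autn2)
    if autn1 is None or len(autn1) != SQN_LEN + 2 + 8:
        return False                   # invalid AUTN: possible man-in-the-middle
    sqn_new = int.from_bytes(autn1[:SQN_LEN], "big")
    amf, mac = autn1[SQN_LEN:SQN_LEN + 2], autn1[SQN_LEN + 2:]
    expect = hmac.new(K, autn1[:SQN_LEN] + amf, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(mac, expect) or sqn_new <= sqn1:
        return False                   # bad MAC, or a stale/replayed SQN
    tee_db["sqn"] = sqn_new            # delete SQN1 and store the updated SQN
    return True


def run_flow(sqn1: int = 41) -> tuple:
    # One full round: S1 (SUPI from the USIM, here a constant), S2, S3, S4.
    supi = MCC + MNC + MSIN
    tee_db, cn_db = {"sqn": sqn1}, {supi: sqn1}
    autn2 = cn_handle_suci(build_suci(MCC, MNC, MSIN, tee_db["sqn"]), cn_db)
    ok = autn2 is not None and tee_verify_autn(supi, autn2, tee_db)
    return ok, tee_db["sqn"], cn_db[supi]   # (True, 42, 42) on a clean run
```

Because both sides move their SQN copy on after a successful run, replaying an earlier AUTN2 fails at the tag check, which is the practical effect of deriving KeyAutn from the SQN before the update.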
In the above embodiment, the trusted execution environment is enhanced, and the security of the trusted execution environment of the terminal is improved by implementing bidirectional Authentication between the trusted execution environment of the terminal and the core network device based on a 5G AKA (Authentication and Key Agreement) Authentication mechanism in the trusted execution environment of the terminal of the 5G industrial private network.
Fig. 3 is a block diagram illustrating a terminal according to some embodiments of the present disclosure.
As shown in fig. 3, the 5G industry private network-based terminal 3 includes a trusted execution environment 31 and a rich execution environment 32. The trusted execution environment 31 and the rich execution environment 32 are relatively independent of each other.
The trusted execution environment 31 includes an acquisition module 311, a generation module 312, a reception module 313, and an authentication module 314.
The obtaining module 311 is configured to obtain a user permanent identifier SUPI of the terminal, for example, to perform step S1 as shown in fig. 1.
The generating module 312 is configured to generate a user hidden identifier SUCI according to the SUPI of the terminal, where the SUCI is used for the core network device to authenticate the trusted execution environment of the terminal, for example, to execute step S2 shown in fig. 1.
The receiving module 313 is configured to receive an authentication token AUTN from the core network device, where the AUTN is generated by the core network device in a case that the trusted execution environment of the terminal is successfully authenticated according to the SUCI, for example, to execute step S3 shown in fig. 1.
The authentication module 314 is configured to authenticate the core network device according to the AUTN, for example, execute step S4 shown in fig. 1.
In some embodiments, the trusted execution environment 31 further comprises a USIM card 315. The USIM card 315 is configured to store the SUPI of the terminal. The acquisition module 311 is also configured to acquire the SUPI of the terminal from the USIM card 315.
In some embodiments, the trusted execution environment 31 also includes an industry private network terminal database 316. The industry private network terminal database 316 is configured to store relevant data required for the authentication process, including the SQN of the terminal. The generation module 312 is further configured to obtain a serial number SQN of the terminal from the terminal database of the industry private network; from the SQN and SUPI, SUCI is generated.
Fig. 4 is a block diagram illustrating a terminal according to further embodiments of the present disclosure.
As shown in fig. 4, the 5G industry private network-based terminal 4 includes a trusted execution environment 41 and a rich execution environment 42. The trusted execution environment 41 and the rich execution environment 42 are relatively independent of each other.
The trusted execution environment 41 includes a TEE user layer 411, a TEE internal API (Application Programming Interface) 412, a TEE system kernel 413, and a trusted peripheral 414.
The TEE user layer 411 includes one or more trusted applications 4111. The TEE internal APIs 412 are used for communication interaction between the TEE user layer 411 and the TEE system kernel 413.
The TEE system kernel 413 comprises a 5G industry private network authentication control unit 4131, an industry private network terminal database 4132, an AUTN decryption engine 4133, a SUPI encryption engine 4134 and a key generator 4135.
The trusted peripheral 414 includes a 5G module 4141 and a USIM card 4142. The USIM card 4142 is configured to store SUPI of the terminal.
The trusted application 4111 of the TEE user layer 411 triggers, through the TEE internal API 412, the 5G industry private network authentication control unit 4131 to carry out the authentication process with the 5G core network device over the 5G network via the 5G module 4141.
The 5G industry private network authentication control unit 4131 notifies the SUPI encryption engine 4134 to generate the SUCI. On receiving the notification, the SUPI encryption engine 4134 acquires the SUPI from the USIM card 4142, acquires the SQN of the terminal from the industry private network terminal database 4132 through the 5G industry private network authentication control unit 4131, and encrypts the SQN and the SUPI to obtain the SUCI. The SUPI encryption engine 4134 returns the SUCI to the 5G industry private network authentication control unit 4131, which sends it to the core network device through the 5G module 4141.
The 5G private network authentication control unit 4131 further receives the encrypted AUTN from the core network device through the 5G module 4141, and sends the encrypted AUTN to the AUTN decryption engine 4133. The AUTN decryption engine 4133 notifies the key generator 4135 to generate the target key for decrypting the AUTN.
The key generator 4135 generates a target key and sends the target key to the AUTN decryption engine 4133. The generation of the specific target key may be implemented by the method steps described in the foregoing embodiments, and is not described herein again.
The AUTN decryption engine 4133 decrypts the encrypted AUTN using the target key, and sends the decrypted AUTN to the 5G industry private network authentication control unit 4131.
And the 5G industry private network authentication control unit 4131 authenticates the core network device according to the decrypted AUTN. The authentication procedure may be implemented by the method steps as described in the foregoing embodiments, for example, and will not be described herein again.
In some embodiments, the TEE system kernel 413 also includes a TEE trust module 4136.
The rich execution environment 42 includes an REE user layer 421, a TEE client API 422, an REE system kernel 423 and normal peripherals 424.
The REE user layer 421 includes one or more 5G industry applications 4211 and one or more general applications 4212.
The REE system kernel 423 includes a hardware driver 4231, a network protocol stack 4232, and a TEE driver 4233.
The hardware drivers 4231, the network protocol stacks 4232 are configured to provide driver resources and network resources for the REE user layer 421. The generic peripheral 424 is configured to provide hardware support for the REE user layer 421 and the REE system kernel 423.
For example, when the user starts a 5G industry application 4211 in the REE user layer 421, the 5G industry application 4211 triggers, through the TEE client API 422, the TEE driver 4233 to switch to the TEE trust module 4136 via the Secure Monitor module 43 of the terminal 4. The TEE trust module 4136 then triggers, through the TEE internal API 412, the trusted application 4111, which in turn triggers the 5G industry private network authentication control unit 4131 to carry out the authentication process with the 5G core network device over the 5G network.
In the above embodiment, the normal peripherals 424 and the trusted peripheral 414 together form the hardware platform of the terminal 4, shown by the dashed box in fig. 4.
Fig. 5 is a block diagram illustrating a terminal according to still further embodiments of the present disclosure.
As shown in fig. 5, the terminal 5 based on the 5G industry private network includes a memory 51 and a processor 52 coupled to the memory 51. The memory 51 is used for storing instructions for executing the corresponding embodiment of the authentication method based on the 5G industry private network. The processor 52 is configured to execute the authentication method based on the 5G industry private network in any of the embodiments of the present disclosure, based on the instructions stored in the memory 51.
FIG. 6 is a block diagram illustrating a computer system for implementing some embodiments of the present disclosure.
As shown in FIG. 6, computer system 60 may take the form of a general purpose computing device. Computer system 60 includes a memory 610, a processor 620, and a bus 600 that connects the various system components.
The memory 610 may include, for example, system memory, non-volatile storage media, and the like. The system memory stores, for example, an operating system, an application program, a Boot Loader (Boot Loader), and other programs. The system memory may include volatile storage media such as Random Access Memory (RAM) and/or cache memory. The non-volatile storage medium, for example, stores instructions to perform corresponding embodiments of at least one of the 5G industry private network based authentication methods. Non-volatile storage media include, but are not limited to, magnetic disk storage, optical storage, flash memory, and the like.
The processor 620 may be implemented as discrete hardware components, such as a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gates or transistors, or the like. Accordingly, each of the modules, such as the judging module and the determining module, may be implemented by a Central Processing Unit (CPU) executing instructions in a memory for performing the corresponding step, or may be implemented by a dedicated circuit for performing the corresponding step.
Bus 600 may use any of a variety of bus architectures. For example, bus structures include, but are not limited to, Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, and Peripheral Component Interconnect (PCI) bus.
Computer system 60 may also include an input/output interface 630, a network interface 640, a storage interface 650, and the like. These interfaces 630, 640, 650, the memory 610 and the processor 620 may be connected by the bus 600. The input/output interface 630 provides a connection interface for input/output devices such as a display, a mouse, and a keyboard. The network interface 640 provides a connection interface for various networking devices. The storage interface 650 provides a connection interface for external storage devices such as a floppy disk, a USB disk, and an SD card.
Various aspects of the present disclosure are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus and computer program products according to embodiments of the disclosure. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.
These computer-readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable apparatus to produce a machine, such that the execution of the instructions by the processor results in an apparatus that implements the functions specified in the flowchart and/or block diagram block or blocks.
These computer-readable program instructions may also be stored in a computer-readable memory that can direct a computer to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instructions which implement the function specified in the flowchart and/or block diagram block or blocks.
The present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects.
By the authentication method based on the 5G industry private network, the terminal and the computer storage medium in the embodiment, the security of the trusted execution environment of the terminal can be improved.
So far, the authentication method based on the 5G industry private network, the terminal, and the computer-storable medium according to the present disclosure have been described in detail. Some details that are well known in the art have not been described in order to avoid obscuring the concepts of the present disclosure. It will be fully apparent to those skilled in the art from the foregoing description how to practice the presently disclosed embodiments.

Claims (14)

1. An authentication method based on a 5G industry private network, executed in a trusted execution environment of a terminal, the trusted execution environment of the terminal being independent of a rich execution environment of the terminal, the authentication method comprising:
acquiring a user permanent identifier (SUPI) of the terminal;
generating a user hidden identifier SUCI according to the SUPI of the terminal, wherein the SUCI is used by the core network equipment to authenticate the trusted execution environment of the terminal;
receiving an authentication token AUTN from the core network equipment, wherein the AUTN is generated by the core network equipment under the condition that the authentication of the trusted execution environment of the terminal is successful according to the SUCI;
and authenticating the core network equipment according to the AUTN.
2. The authentication method according to claim 1, wherein a universal subscriber identity module, USIM, card of the terminal is deployed in a trusted execution environment of the terminal, and obtaining a user permanent identifier, SUPI, of the terminal comprises:
acquiring the SUPI of the terminal from the USIM card.
3. The authentication method as claimed in claim 1 or 2, wherein an industry private network terminal database storing the relevant data required for the authentication process is deployed in the trusted execution environment of the terminal, and generating the user hidden identifier SUCI according to the SUPI of the terminal comprises:
acquiring a serial number SQN of the terminal from the industry private network terminal database;
and generating the SUCI according to the SQN and the SUPI.
4. The authentication method of claim 3, wherein generating the SUCI according to the SQN and the SUPI comprises:
encrypting the SQN and the SUPI by using an encryption algorithm pre-shared by the trusted execution environment of the terminal and the core network equipment to generate the SUCI.
5. The authentication method of claim 4, wherein encrypting the SQN and the SUPI to generate the SUCI comprises:
combining the SQN and the SUPI to obtain a composite field;
and encrypting the composite field by using the encryption algorithm to obtain the SUCI.
6. The authentication method as recited in claim 1, wherein the SUPI is in an International Mobile Subscriber Identity (IMSI) format or a Network Access Identifier (NAI) format.
7. The authentication method of claim 3, wherein the AUTN is an encrypted AUTN, the encrypted AUTN includes an updated SQN, and authenticating the core network device according to the AUTN comprises:
decrypting the encrypted AUTN according to a preset encryption and decryption strategy shared by the trusted execution environment of the terminal and the core network equipment to obtain a decrypted AUTN;
and verifying whether the decrypted AUTN is valid, wherein the trusted execution environment of the terminal successfully authenticates the core network equipment under the condition that the decrypted AUTN is valid.
8. The authentication method of claim 7, wherein the preset encryption and decryption policy comprises:
generating a target key according to the SQN before updating, the SUPI of the terminal and a preset initial key, wherein the target key is used by the core network equipment to encrypt the AUTN and by the trusted execution environment of the terminal to decrypt the encrypted AUTN.
9. The authentication method of claim 7, further comprising:
under the condition that the trusted execution environment of the terminal successfully authenticates the core network equipment, acquiring the updated SQN according to the decrypted AUTN;
deleting the SQN before updating;
and storing the updated SQN to the industry private network terminal database.
10. A terminal based on 5G industry private network comprises: a trusted execution environment and a rich execution environment that are relatively independent of each other, the trusted execution environment comprising:
an acquisition module configured to acquire a user permanent identifier, SUPI, of the terminal;
a generation module configured to generate a user hidden identifier SUCI according to the SUPI of the terminal, the SUCI being used for a core network device to authenticate a trusted execution environment of the terminal;
a receiving module configured to receive an authentication token AUTN from the core network device, where the AUTN is generated by the core network device when the trusted execution environment of the terminal is successfully authenticated according to the SUCI;
and the authentication module is configured to authenticate the core network equipment according to the AUTN.
11. The terminal of claim 10, wherein the trusted execution environment further comprises:
a universal subscriber identity module USIM card configured to store the SUPI of the terminal,
the acquisition module is further configured to acquire the SUPI of the terminal from the USIM card.
12. The terminal of claim 10 or 11, wherein the trusted execution environment further comprises:
an industry private network terminal database configured to store relevant data required for an authentication process, the relevant data including an SQN of the terminal;
the generation module is further configured to: acquiring a serial number SQN of the terminal from the industry private network terminal database; and generating the SUCI according to the SQN and the SUPI.
13. A terminal based on 5G industry private network comprises:
a memory; and
a processor coupled to the memory, the processor configured to perform the authentication method based on the 5G industry private network of any one of claims 1 to 9 based on instructions stored in the memory.
14. A computer-storable medium having stored thereon computer program instructions which, when executed by a processor, implement the authentication method based on the 5G industry private network according to any one of claims 1 to 9.
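The SUCI generation, encrypted-AUTN check and SQN update of claims 3 to 9 (the work of the key generator and AUTN decryption engine described above), as an added Python simulation of both the terminal TEE side and the core network side; this is not the patent's code. The patent does not fix the pre-shared encryption algorithm or the target-key derivation, so HMAC-SHA256 stands in for both, and the SUPI, keys and SQN values are constructed.

```python
# Added example of the claims 3-9 exchange; not the patent's code. HMAC-SHA256 stands in
# for the unspecified pre-shared encryption algorithm and target-key derivation (assumption).
import hashlib, hmac, os

def _ks(key, nonce, n):  # HMAC counter-mode keystream of at least n bytes, truncated
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, pt):
    """Encrypt-then-MAC: nonce || ciphertext || 16-byte tag."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]

def unseal(key, blob):
    """Inverse of seal; returns None when the tag does not verify."""
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]):
        return None
    return bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct))))

def target_key(sqn, supi, initial_key):
    """Claim 8: key derived from the pre-update SQN, the SUPI and a preset initial key."""
    return hmac.new(initial_key, sqn.to_bytes(6, "big") + supi.encode(), hashlib.sha256).digest()

def make_suci(shared_key, sqn, supi):
    """Claims 4-5: composite field SQN || SUPI encrypted with the pre-shared algorithm."""
    return seal(shared_key, sqn.to_bytes(6, "big") + supi.encode())

def core_handle_suci(shared_key, initial_key, subscribers, suci):
    """Core network side: recover SQN and SUPI, accept only the SQN on record for that
    SUPI (rejects unknown subscribers and replayed SUCIs), then issue the encrypted AUTN."""
    field = unseal(shared_key, suci)
    if field is None:
        return None
    sqn, supi = int.from_bytes(field[:6], "big"), field[6:].decode()
    if subscribers.get(supi) != sqn:
        return None
    subscribers[supi] = sqn + 1                      # updated SQN, carried inside the AUTN
    return seal(target_key(sqn, supi, initial_key), (sqn + 1).to_bytes(6, "big") + b"AUTN")

def terminal_check_autn(initial_key, db, supi, enc_autn):
    """Terminal TEE side (claims 7 and 9): decrypt with the target key, validate, and only
    then replace the stored SQN with the updated one."""
    sqn = db[supi]
    autn = unseal(target_key(sqn, supi, initial_key), enc_autn)
    if autn is None or autn[6:] != b"AUTN" or int.from_bytes(autn[:6], "big") <= sqn:
        return False
    db[supi] = int.from_bytes(autn[:6], "big")
    return True

def run_authentication(supi="460110123456789", sqn=41):
    """One full run followed by a replay of the same SUCI; SUPI, keys and SQN are constructed."""
    shared_key, initial_key = os.urandom(32), os.urandom(32)
    terminal_db, core_db = {supi: sqn}, {supi: sqn}  # TEE database / core subscriber record
    suci = make_suci(shared_key, terminal_db[supi], supi)
    enc_autn = core_handle_suci(shared_key, initial_key, core_db, suci)
    ok = enc_autn is not None and terminal_check_autn(initial_db := terminal_db, supi, enc_autn) if False else (enc_autn is not None and terminal_check_autn(initial_key, terminal_db, supi, enc_autn))
    replayed = core_handle_suci(shared_key, initial_key, core_db, suci)  # stale SQN -> None
    return ok, terminal_db[supi], replayed
```

A replayed SUCI fails at the core because the SQN it carries no longer matches the subscriber record, and a tampered AUTN fails at the terminal before the stored SQN is touched.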
CN202111475908.4A 2021-12-06 2021-12-06 Authentication method and terminal based on 5G industry private network Pending CN114173327A (en)


Publications (1)

Publication Number Publication Date
CN114173327A true CN114173327A (en) 2022-03-11

Family

ID=80483207



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination