CN114285557A - Communication encryption method, system and device - Google Patents


Info

Publication number
CN114285557A
Authority
CN
China
Prior art keywords
key
terminal
akma
session
random number
Prior art date
Legal status: Pending
Application number
CN202111589904.9A
Other languages
Chinese (zh)
Inventor
张越
王渭清
黄铖斌
薛伟佳
王聪丽
Current Assignee: China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd
Priority to CN202111589904.9A
Publication of CN114285557A
Priority to PCT/CN2022/132005 (WO2023116266A1)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H04W 12/033 Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/041 Key generation or derivation

Abstract

The disclosure relates to a communication encryption method, system and device, relating to the technical field of communication. The communication encryption method comprises the following steps: receiving a ciphertext sent by the terminal and a random number generated by the terminal when the Session is established, wherein the ciphertext is encrypted by using a Session key, and the Session key is generated by the terminal according to the random number and an AF key; generating a Session key according to the random number and a locally stored AF key; and decrypting the ciphertext by using the Session key to obtain the plaintext. The technical scheme of the disclosure can improve the communication safety.

Description

Communication encryption method, system and device
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a communication encryption method, a communication encryption system, a communication encryption apparatus, and a non-volatile computer-readable storage medium.
Background
The 3GPP (3rd Generation Partnership Project) proposes an AKMA (Authentication and Key Management for Applications) specification, which is applied to the field of internet of things. In a 5G scenario, the AKMA specification may provide fast and efficient authentication, key management, and data exchange for the terminal and the application server.
In the related art, in order to ensure the security of data transmission between the terminal device and the application server, the AKMA authentication method uses a long-term fixed key to encrypt and decrypt data in communication by establishing a session and generating an application layer key.
Disclosure of Invention
The inventors of the present disclosure found that the following problems exist in the above-described related art: there is a risk of the key being compromised or cracked, resulting in a reduction in communication security.
In view of this, the present disclosure provides a communication encryption technical solution, which can improve communication security.
According to some embodiments of the present disclosure, there is provided a communication encryption method including: receiving a ciphertext sent by the terminal and a random number generated by the terminal when the Session is established, wherein the ciphertext is encrypted by using a Session key, and the Session key is generated by the terminal according to the random number and an AF (application function) key; generating a Session key according to the random number and a locally stored AF key; and decrypting the ciphertext by using the Session key to obtain the plaintext.
In some embodiments, the communication encryption method further comprises: acquiring an AF key generated by the AKMA anchor function network element according to the AKMA key, wherein the AKMA key is generated in the AKMA authentication process and is stored in the terminal and the AKMA anchor function network element.
In some embodiments, the AKMA key is generated according to an AUSF (Authentication Server Function) key when the terminal access master Authentication is successful, and the AUSF key is stored in the terminal and an AUSF network element.
In some embodiments, receiving the ciphertext sent by the terminal and the random number generated at session establishment includes: after the AF key is obtained, initiating a session establishment response to the terminal to establish a communication channel.
In some embodiments, generating the Session key from the random number and the locally stored AF key comprises: taking the random number and the AF key as entry parameters of a KDF (Key Derivation Function) to generate the Session key, wherein the random number is generated by the random number generator of the terminal after the communication channel is established.
In some embodiments, the entry of the KDF also includes one octet, the AF identity, and the length of the AF identity.
According to further embodiments of the present disclosure, there is provided a communication encryption apparatus including: the receiving unit is used for receiving a ciphertext sent by the terminal and a random number generated by the terminal when the Session is established, the ciphertext is encrypted by using a Session key, and the Session key is generated by the terminal according to the random number and an AF key; a generation unit, configured to generate a Session key according to the random number and a locally stored AF key; and the decryption unit is used for decrypting the ciphertext by using the Session key to obtain the plaintext.
In some embodiments, the receiving unit obtains an AF key generated by the AKMA anchor function network element according to the AKMA key, where the AKMA key is generated in the AKMA authentication process and stored in the terminal and the AKMA anchor function network element.
In some embodiments, the AKMA key is generated according to the AUSF key when the terminal access master authentication is successful, and the AUSF key is stored in the terminal and the AUSF network element.
In some embodiments, receiving the ciphertext sent by the terminal and the random number generated at session establishment includes: after the AF key is obtained, initiating a session establishment response to the terminal to establish a communication channel.
In some embodiments, the generation unit takes the random number and the AF key as the entry parameters of the KDF, and generates the Session key, where the random number is generated by the terminal using its random number generator after the communication channel is established.
In some embodiments, the entry of the KDF also includes one octet, the AF identity, and the length of the AF identity.
According to still further embodiments of the present disclosure, there is provided a communication encryption system including: an application function network element, configured to execute the communication encryption method of any of the above embodiments.
In some embodiments, the communication encryption system further comprises: an AKMA anchor function network element, configured to receive the AKMA key from the AUSF network element, store the AKMA key in the terminal and the AKMA anchor function network element, and generate the AF key according to the AKMA key.
In some embodiments, the communication encryption system further comprises: an AUSF network element, configured to generate an AUSF key when the network access master authentication of the terminal succeeds, wherein the AUSF key is stored in the terminal and the AUSF network element, and the AKMA key is generated according to the AUSF key.
According to still further embodiments of the present disclosure, there is provided a communication encryption apparatus including: a memory; and a processor coupled to the memory, the processor configured to perform the communication encryption method of any of the above embodiments based on instructions stored in the memory device.
According to still further embodiments of the present disclosure, there is provided a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the communication encryption method in any of the above embodiments.
In the embodiment, the random number generated by the terminal is used, and a Session key is added as a key level to encrypt and decrypt data; the terminal generates a random number to update the session key before data transmission; the server also needs to synchronously update the session key after receiving the content. Therefore, a key updating mechanism can be established, so that the risk of key leakage or cracking is reduced, and the communication safety is improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description, serve to explain the principles of the disclosure.
The present disclosure can be more clearly understood from the following detailed description with reference to the accompanying drawings, in which:
fig. 1 illustrates a flow diagram of some embodiments of a communication encryption method of the present disclosure;
fig. 2 illustrates a schematic diagram of some embodiments of a communication encryption method of the present disclosure;
fig. 3 illustrates a signaling diagram of some embodiments of the communication encryption method of the present disclosure;
fig. 4 illustrates a block diagram of some embodiments of a communication encryption apparatus of the present disclosure;
fig. 5 shows a block diagram of further embodiments of a communication encryption apparatus of the present disclosure;
fig. 6 illustrates a block diagram of still further embodiments of the communication encryption apparatus of the present disclosure;
fig. 7 illustrates a block diagram of some embodiments of a communication encryption system of the present disclosure.
Detailed Description
Various exemplary embodiments of the present disclosure will now be described in detail with reference to the accompanying drawings. It should be noted that: the relative arrangement of the components and steps, the numerical expressions, and numerical values set forth in these embodiments do not limit the scope of the present disclosure unless specifically stated otherwise.
Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.
The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail, but are intended to be part of the specification where appropriate.
In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
As described above, the AKMA authentication method has no key update mechanism, so the session key cannot be updated in time when the terminal device interacts with the application server. To solve this problem, and to reduce the probability that the session key is cracked as encrypted content accumulates, the present disclosure adds a session key level on top of the AKMA key derivation mechanism to encrypt and decrypt data; the terminal updates the session key before data transmission, and the server also updates the session key after receiving the content.
For example, the technical solution of the present disclosure can be realized by the following embodiments.
Fig. 1 illustrates a flow diagram of some embodiments of a communication encryption method of the present disclosure.
As shown in fig. 1, in step 110, a ciphertext sent by the terminal and a random number generated by the terminal at the time of session establishment are received. And encrypting the ciphertext by using a Session key, wherein the Session key is generated by the terminal according to the random number and the AF key.
In some embodiments, two modules are added to the terminal: the random number generating module is used for generating a random number before the terminal sends data each time and used as an input variable of the session key updating module; and the session key updating module is used for creating a new session key for each session.
For example, the terminal derives the Session key K_SESSION and encrypts the session content. Before the terminal sends session content to the server, the random number generation module generates a random number RAND. RAND and the AF key K_AF are used as parameters of the key derivation algorithm to derive the Session key K_SESSION, and the data is encrypted with it to obtain a ciphertext.
For example, the terminal transmits the ciphertext to the server together with the RAND. The terminal sends the cipher text generated by the session and the random number RAND to the server, and the RAND is used for the server to update the session key.
In some embodiments, an AF key generated by the AKMA anchor function network element from the AKMA key is obtained. The AKMA key is generated in the AKMA authentication process and stored in the terminal and the AKMA anchor function network element.
For example, the AKMA key is generated according to the AUSF key when the terminal access master authentication is successful, and the AUSF key is stored in the terminal and the AUSF network element.
In some embodiments, when the network access master authentication of the terminal succeeds, the UDM (Unified Data Management) network element generates the AUSF key K_AUSF. The AUSF network element generates the AKMA key K_AKMA, which is stored in the terminal and the AKMA anchor function network element; the AKMA anchor function network element generates the AF key K_AF, which is stored in the terminal and the AF network element.
In some embodiments, the terminal initiates an application session establishment request; the terminal and the AKMA anchor function network element derive K_AF from K_AKMA; the application function network element obtains the key K_AF; after receiving K_AF, the application function network element initiates a session establishment response to the terminal and establishes a channel; a random number generator in the terminal generates a random number RAND; RAND and the key K_AF are used as parameters of the key derivation algorithm to derive K_SESSION; the data is encrypted with K_SESSION to obtain a ciphertext; and the ciphertext and RAND are sent to the application function network element.
In step 120, a Session key is generated based on the random number and the locally stored AF key.
In some embodiments, receiving the ciphertext sent by the terminal and the random number generated at session establishment includes: after the AF key is obtained, initiating a session establishment response to the terminal to establish a communication channel.
In some embodiments, generating the Session key from the random number and the locally stored AF key comprises: taking the random number and the AF key as entry parameters of the KDF to generate the Session key, wherein the random number is generated by the terminal using a random number generator after the communication channel is established. For example, the KDF may specifically be an HMAC (Hash-based Message Authentication Code) algorithm.
For example, the application function network element takes the RAND of the session and the locally stored K_AF together as entry parameters to derive K_SESSION.
In step 130, the Session key is used to decrypt the ciphertext to obtain the plaintext.
In some embodiments, the server receives the ciphertext and the RAND, updates the session key and obtains the plaintext. For example, the server takes the RAND of the session and the locally stored K_AF together as entry parameters to derive K_SESSION, and decrypts the data with K_SESSION to obtain the plaintext.
In some embodiments, K_SESSION may be generated using a KDF.
For example, the input parameters of the KDF consist of the upper-level key K_AF and a character string S: K_SESSION = KDF(K_AF, S) = HMAC-SHA-256(K_AF, S), where S = FC || P0 || L0 || P1.
Here FC is 0x82, P0 is AF_ID, P1 is RAND, and L0 is the length of AF_ID; RAND is generated by a random number generator in the terminal.
In some embodiments, the input to the KDF is K_AF = 123; AF_ID = 112234; L0 = 6; RAND = 2345; the text content to be encrypted is hello; the generated K_SESSION is: aa221476b8e5ae8bf0eb28644b092165f9738771dff4b81baebc54a12b961756.
In some embodiments, the text content may be encrypted and decrypted using AES (Advanced Encryption Standard). The ciphertext obtained by encrypting with K_SESSION is U2FsdGVkX19/ikVmu11GX/avP66pIuc6hBLbUfAwFVg, and the plaintext obtained by decrypting with K_SESSION is hello.
In the above embodiment, an AKMA-enhanced communication encryption method is proposed. Before the terminal sends data, the random number generation module generates a random number for the session; the session key updating module uses a key derivation algorithm to derive, from the key K_AF, a session key K_SESSION shared between the terminal and the server, and the session content is encrypted with this key. After receiving the ciphertext, the server can derive the same session key K_SESSION and decrypt the content with it to obtain the plaintext.
Therefore, the key is updated by transmitting the random number used to generate it, without transmitting the key itself, so the risk of the key being intercepted is effectively reduced, the problem of the session key not being updated in time is solved, and the security of the whole system is improved.
Fig. 2 illustrates a schematic diagram of some embodiments of a communication encryption method of the present disclosure.
As shown in fig. 2, two modules are added to the terminal: the random number generating module is used for generating a random number before the terminal sends data each time and used as an input variable of the session key updating module; and the session key updating module is used for creating a new session key for each session. The technical scheme of the present disclosure can be realized by the following steps.
The terminal derives the Session key K_SESSION and encrypts the session content. For example, before the terminal sends session content to the server, the random number generation module generates a random number RAND. RAND and the AF key K_AF are used as parameters of the key derivation algorithm to derive the Session key K_SESSION, and the data is encrypted with it to obtain a ciphertext.
The terminal sends the ciphertext to the server together with the RAND. For example, the terminal sends the ciphertext generated for the session and the random number RAND to the server, and the RAND is used by the server to update the session key.
The server receives the ciphertext and the RAND, updates the session key and obtains the plaintext. For example, the server takes the RAND of the session and the locally stored K_AF together as entry parameters to derive K_SESSION, and decrypts the data with K_SESSION to obtain the plaintext.
Fig. 3 illustrates a signaling diagram of some embodiments of the communication encryption method of the present disclosure.
As shown in fig. 3, in event 1, the network access master authentication procedure of the terminal generates the AUSF key K_AUSF, which is stored in the terminal and the authentication server function network element.
In event 2, the AUSF network element generates the AKMA key K_AKMA and sends it to the AKMA anchor function network element; the terminal generates the AKMA key K_AKMA.
At event 3, the terminal initiates an application session establishment request.
In event 4, the terminal and the AKMA anchor function network element derive K_AF from K_AKMA.
In event 5, the application function network element obtains the key K_AF.
In event 6, after receiving K_AF, the application function network element initiates a session establishment response to the terminal and establishes a channel.
At event 7, a random number generator in the terminal generates a random number RAND.
In event 8, RAND and the key K_AF are used as parameters of the key derivation algorithm to derive K_SESSION.
In event 9, the data is encrypted with K_SESSION to obtain a ciphertext.
In event 10, the ciphertext and RAND are sent to the application function network element.
In event 11, the application function network element takes the RAND of the session and the locally stored K_AF together as entry parameters to derive K_SESSION.
In event 12, the data is decrypted with the session key K_SESSION to obtain the plaintext.
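The KDF K_SESSION = HMAC-SHA-256(K_AF, FC || P0 || L0 || P1) described above and the event 7 to event 12 exchange of fig. 3, as an added Go example that is not part of the patent or of any 3GPP implementation. It assumes FC is the single octet 0x82, L0 is a 2-octet big-endian length, AES is used in GCM mode with a per-message nonce, RAND is 16 octets, and the application function keeps a set of accepted RANDs; binding RAND as associated data and the replay check are additions beyond what the page describes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// DeriveSessionKey computes K_SESSION = HMAC-SHA-256(K_AF, S) with
// S = FC || P0 || L0 || P1, FC = 0x82, P0 = AF_ID, L0 = len(AF_ID), P1 = RAND,
// as the description states. Assumption: L0 is a 2-octet big-endian length
// (the generic 3GPP KDF convention); the page does not fix the encoding.
func DeriveSessionKey(kAF, afID, rnd []byte) []byte {
	var s bytes.Buffer
	s.WriteByte(0x82)
	s.Write(afID)
	var l0 [2]byte
	binary.BigEndian.PutUint16(l0[:], uint16(len(afID)))
	s.Write(l0[:])
	s.Write(rnd)
	mac := hmac.New(sha256.New, kAF)
	mac.Write(s.Bytes())
	return mac.Sum(nil) // 32 octets, used directly as an AES-256 key below
}

// Message is event 10's payload: ciphertext plus RAND in the clear.
// Nonce is an addition for AES-GCM; the page only says "AES".
type Message struct {
	RAND, Nonce, Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt runs events 8 and 9 for a given RAND. RAND is bound as associated
// data, so a RAND altered in transit makes the server's decryption fail.
func Encrypt(kAF, afID, rnd, plaintext []byte) (Message, error) {
	aead, err := newGCM(DeriveSessionKey(kAF, afID, rnd))
	if err != nil {
		return Message{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Message{}, err
	}
	return Message{rnd, nonce, aead.Seal(nil, nonce, plaintext, rnd)}, nil
}

// TerminalSend adds event 7: a fresh 16-octet RAND for every message sent.
func TerminalSend(kAF, afID, plaintext []byte) (Message, error) {
	rnd := make([]byte, 16)
	if _, err := rand.Read(rnd); err != nil {
		return Message{}, err
	}
	return Encrypt(kAF, afID, rnd, plaintext)
}

// Server is the application function network element: it holds K_AF locally
// and remembers accepted RANDs so a replayed message is rejected.
type Server struct {
	kAF, afID []byte
	seen      map[string]bool
}

func NewServer(kAF, afID []byte) *Server {
	return &Server{kAF: kAF, afID: afID, seen: map[string]bool{}}
}

// Receive runs events 11 and 12: re-derive K_SESSION from the received RAND
// and the local K_AF, then decrypt. Only RAND ever crosses the channel.
func (s *Server) Receive(m Message) ([]byte, error) {
	if len(m.RAND) < 16 {
		return nil, errors.New("RAND too short")
	}
	if s.seen[string(m.RAND)] {
		return nil, errors.New("replayed RAND")
	}
	aead, err := newGCM(DeriveSessionKey(s.kAF, s.afID, m.RAND))
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, m.Nonce, m.Ciphertext, m.RAND)
	if err != nil {
		return nil, errors.New("authentication failed")
	}
	s.seen[string(m.RAND)] = true
	return pt, nil
}
```

The page's worked values (K_AF = 123, AF_ID = 112234, RAND = 2345) do not state their byte encoding, so this code is not expected to reproduce the K_SESSION hex given there.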
Fig. 4 illustrates a block diagram of some embodiments of a communication encryption apparatus of the present disclosure.
As shown in fig. 4, the communication encryption apparatus 4 includes: a receiving unit 41, configured to receive a ciphertext sent by the terminal and a random number generated by the terminal when the Session is established, where the ciphertext is encrypted by using a Session key, and the Session key is generated by the terminal according to the random number and an AF key; a generating unit 42, configured to generate a Session key according to the random number and a locally stored AF key; and a decryption unit 43, configured to decrypt the encrypted text using the Session key to obtain a plaintext.
In some embodiments, the receiving unit 41 obtains an AF key generated by the AKMA anchor function network element according to the AKMA key, where the AKMA key is generated during the AKMA authentication process and stored in the terminal and the AKMA anchor function network element.
In some embodiments, the AKMA key is generated according to the AUSF key when the terminal access master authentication is successful, and the AKMA key is stored in the terminal and the AUSF network element.
In some embodiments, receiving the ciphertext sent by the terminal and the random number generated at session establishment includes: after the AF key is obtained, initiating a session establishment response to the terminal to establish a communication channel.
In some embodiments, the generating unit 42 generates the Session key by using the random number and the AF key as the entry parameters of the KDF, where the random number is generated by the terminal using its random number generator after the communication channel is established.
In some embodiments, the entry of the KDF also includes one octet, the AF identity, and the length of the AF identity.
Fig. 5 shows a block diagram of further embodiments of the communication encryption apparatus of the present disclosure.
As shown in fig. 5, the communication encryption device 5 of this embodiment includes: a memory 51 and a processor 52 coupled to the memory 51, the processor 52 being configured to execute the communication encryption method in any one of the embodiments of the present disclosure based on instructions stored in the memory 51.
The memory 51 may include, for example, a system memory, a fixed nonvolatile storage medium, and the like. The system memory stores, for example, an operating system, an application program, a Boot Loader, a database, and other programs.
Fig. 6 illustrates a block diagram of still further embodiments of the communication encryption apparatus of the present disclosure.
As shown in fig. 6, the communication encryption device 6 of this embodiment includes: a memory 610 and a processor 620 coupled to the memory 610, the processor 620 being configured to execute the communication encryption method in any of the foregoing embodiments based on instructions stored in the memory 610.
The memory 610 may include, for example, system memory, fixed non-volatile storage media, and the like. The system memory stores, for example, an operating system, an application program, a Boot Loader, and other programs.
The communication encryption apparatus 6 may further include an input-output interface 630, a network interface 640, a storage interface 650, and the like. These interfaces 630, 640, 650 and the connections between the memory 610 and the processor 620 may be through a bus 660, for example. The input/output interface 630 provides a connection interface for input/output devices such as a display, a mouse, a keyboard, a touch screen, a microphone, and a sound box. The network interface 640 provides a connection interface for various networking devices. The storage interface 650 provides a connection interface for external storage devices such as an SD card and a usb disk.
Fig. 7 illustrates a block diagram of some embodiments of a communication encryption system of the present disclosure.
As shown in fig. 7, the communication encryption system 7 includes: an application function network element 71, configured to perform the communication encryption method in any of the above embodiments.
In some embodiments, the communication encryption system 7 further comprises: an AKMA anchor function network element 72, configured to receive the AKMA key from the AUSF network element and generate an AF key according to the AKMA key.
In some embodiments, the communication encryption system 7 further comprises: an AUSF network element 73, configured to generate an AKMA key when the network access master authentication of the terminal succeeds, wherein the AKMA key is stored in the terminal and the AUSF anchor function network element and is generated according to the AUSF key.
As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable non-transitory storage media having computer-usable program code embodied therein, including but not limited to disk storage, CD-ROM, optical storage, and the like.
Thus far, a communication encryption method, a communication encryption system, a communication encryption apparatus, and a nonvolatile computer-readable storage medium according to the present disclosure have been described in detail. Some details that are well known in the art have not been described in order to avoid obscuring the concepts of the present disclosure. It will be fully apparent to those skilled in the art from the foregoing description how to practice the presently disclosed embodiments.
The method and system of the present disclosure may be implemented in a number of ways. For example, the methods and systems of the present disclosure may be implemented by software, hardware, firmware, or any combination of software, hardware, and firmware. The above-described order for the steps of the method is for illustration only, and the steps of the method of the present disclosure are not limited to the order specifically described above unless specifically stated otherwise. Further, in some embodiments, the present disclosure may also be embodied as programs recorded in a recording medium, the programs including machine-readable instructions for implementing the methods according to the present disclosure. Thus, the present disclosure also covers a recording medium storing a program for executing the method according to the present disclosure.
Although some specific embodiments of the present disclosure have been described in detail by way of example, it should be understood by those skilled in the art that the foregoing examples are for purposes of illustration only and are not intended to limit the scope of the present disclosure. It will be appreciated by those skilled in the art that modifications may be made to the above embodiments without departing from the scope and spirit of the present disclosure. The scope of the present disclosure is defined by the appended claims.

Claims (13)

1. A communication encryption method, comprising:
receiving a ciphertext sent by a terminal and a random number generated by the terminal when the Session is established, wherein the ciphertext is encrypted by using a Session key, and the Session key is generated by the terminal according to the random number and an Application Function (AF) key;
generating the Session key according to the random number and the AF key stored locally;
and decrypting the ciphertext by using the Session key to obtain a plaintext.
2. The communication encryption method according to claim 1, further comprising:
acquiring the AF key generated by the application layer authentication and key management (AKMA) anchor function network element according to the AKMA key, wherein the AKMA key is generated in the AKMA authentication process and is stored in the terminal and the AKMA anchor function network element.
3. The communication encryption method according to claim 2, wherein the AKMA key is generated according to an authentication server function AUSF key stored in the terminal and the AUSF network element when the terminal access master authentication is successful.
4. The communication encryption method according to claim 1, wherein receiving the ciphertext sent by the terminal and the random number generated at session establishment comprises:
and after the AF key is obtained, initiating a session establishment response to the terminal so as to establish a communication channel.
5. The communication encryption method according to any one of claims 1 to 4, wherein the generating the Session key from the random number and the locally stored AF key comprises:
and taking the random number and the AF key as the access parameters of a key derivation function KDF to generate the Session key, wherein the random number is generated by the terminal by using a random number generator after a communication channel is established.
6. The communication encryption method of claim 5, wherein the entry of the KDF further comprises one octet, an AF identification and the length of the AF identification.
7. A communication encryption apparatus comprising:
a receiving unit, configured to receive a ciphertext sent by a terminal and a random number generated by the terminal when a Session is established, where the ciphertext is encrypted by using a Session key, and the Session key is generated by the terminal according to the random number and an Application Function (AF) key;
a generating unit, configured to generate the Session key according to the random number and the locally stored AF key;
and the decryption unit is used for decrypting the ciphertext by using the Session key to obtain a plaintext.
8. The communication encryption apparatus according to claim 7,
the receiving unit acquires the AF key generated by the AKMA anchor function network element according to the AKMA key, wherein the AKMA key is generated in the AKMA authentication process and is stored in the terminal and the AKMA anchor function network element.
9. A communication encryption system comprising:
an application function network element for performing the communication encryption method of any one of claims 1-6.
10. The communication encryption system of claim 9, further comprising:
and the application layer authentication and key management AKMA anchor function network element is used for receiving an AKMA key from an authentication server function AUSF network element, storing the AKMA key in the terminal and the AKMA anchor function network element, and generating an AF key according to the AKMA key.
11. The communication encryption system of claim 10, further comprising:
and the AUSF network element is used for generating an AKMA key under the condition that the authentication of the network access master of the terminal is successful, wherein the AKMA key is stored in the terminal and the AKMA anchor function network element and is generated according to the AUSF key.
12. A communication encryption apparatus comprising:
a memory; and
a processor coupled to the memory, the processor configured to perform the communication encryption method of any of claims 1-6 based on instructions stored in the memory.
13. A non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the communication encryption method of any one of claims 1 to 6.
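The key chain and the session exchange of claims 1 to 6, written out as an added example (not code from the patent or from China Telecom). It assumes a 3GPP-style KDF (HMAC-SHA-256 over an FC octet followed by length-prefixed parameters, the shape used in TS 33.220 Annex B); the FC octets for K_AKMA and K_AF are the values I recall from TS 33.535 Annex A and should be checked against the spec, while FC_SESSION is an assumed placeholder because the claims fix no value for the "one octet" of claim 6. The random number is also length-prefixed, which the claims do not state. The encrypt-then-MAC construction built from HMAC in counter mode is a stdlib-only stand-in for a real AEAD such as AES-GCM, and the replay guard on the random number is an added check the claims do not mention. All key material and identifiers are constructed sample values.

```python
import hmac
import hashlib
import secrets
import struct

# FC octets for K_AKMA and K_AF as recalled from TS 33.535 Annex A (verify against the spec);
# FC_SESSION is an ASSUMED placeholder for the "one octet" of claim 6.
FC_AKMA = 0x80
FC_AF = 0x82
FC_SESSION = 0xF0


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """3GPP-style KDF: HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ...,
    each Li being the 2-byte big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + struct.pack(">H", len(p))
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_k_akma(k_ausf: bytes, supi: bytes) -> bytes:
    # claim 3: K_AKMA is derived from K_AUSF after successful primary authentication
    return kdf(k_ausf, FC_AKMA, b"AKMA", supi)


def derive_k_af(k_akma: bytes, af_id: bytes) -> bytes:
    # claim 2: the AAnF derives K_AF from K_AKMA; the terminal does the same locally
    return kdf(k_akma, FC_AF, af_id)


def derive_session_key(k_af: bytes, rand: bytes, af_id: bytes) -> bytes:
    # claims 5 and 6: KDF inputs are the random number, K_AF, one octet, AF_ID and len(AF_ID).
    # ASSUMED: the random number is length-prefixed like every other parameter.
    return kdf(k_af, FC_SESSION, rand, af_id)


def _subkeys(session_key: bytes):
    # ASSUMED split of the Session key into independent encryption and MAC keys
    return (hmac.new(session_key, b"enc", hashlib.sha256).digest(),
            hmac.new(session_key, b"mac", hashlib.sha256).digest())


def _keystream(k_enc: bytes, seq: int, n: int) -> bytes:
    # HMAC-SHA-256 in counter mode: stdlib-only stand-in for a real AEAD such as AES-GCM
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(k_enc, struct.pack(">QI", seq, ctr), hashlib.sha256).digest()
    return out[:n]


def encrypt(session_key: bytes, seq: int, plaintext: bytes):
    """Encrypt-then-MAC; seq is a per-session message counter bound into keystream and tag."""
    k_enc, k_mac = _subkeys(session_key)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(k_enc, seq, len(plaintext))))
    tag = hmac.new(k_mac, struct.pack(">Q", seq) + ct, hashlib.sha256).digest()[:16]
    return ct, tag


def decrypt(session_key: bytes, seq: int, ct: bytes, tag: bytes) -> bytes:
    k_enc, k_mac = _subkeys(session_key)
    expect = hmac.new(k_mac, struct.pack(">Q", seq) + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expect, tag):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, seq, len(ct))))


class ApplicationFunction:
    """AF side of claim 1: derive the Session key from the received random number
    and the locally stored K_AF, then decrypt."""

    def __init__(self, k_af: bytes, af_id: bytes):
        self.k_af, self.af_id = k_af, af_id
        self.seen_rand = set()  # ASSUMED replay guard; not part of the claims

    def receive(self, rand: bytes, ct: bytes, tag: bytes) -> bytes:
        if rand in self.seen_rand:
            raise ValueError("random number reused: possible replay")
        self.seen_rand.add(rand)
        k_session = derive_session_key(self.k_af, rand, self.af_id)
        return decrypt(k_session, 0, ct, tag)


def run_exchange(k_ausf: bytes, supi: bytes, af_id: bytes, plaintext: bytes, rand: bytes = b"") -> bytes:
    """Terminal: K_AUSF -> K_AKMA -> K_AF -> Session key, encrypt, send (ciphertext, rand).
    AF: holds the same K_AF (obtained from the AAnF, claim 2) and recovers the plaintext."""
    k_af = derive_k_af(derive_k_akma(k_ausf, supi), af_id)
    rand = rand or secrets.token_bytes(16)  # claim 5: generated by the terminal's RNG
    k_session = derive_session_key(k_af, rand, af_id)
    ct, tag = encrypt(k_session, 0, plaintext)
    af = ApplicationFunction(k_af, af_id)
    return af.receive(rand, ct, tag)


if __name__ == "__main__":
    # constructed sample values, not real key material
    print(run_exchange(b"\x11" * 32, b"imsi-460011234567890", b"af.example.com", b"hello AKMA"))
```

Two points worth keeping in mind when reading the claims against this code: the random number crosses the channel in the clear, so the secrecy of every Session key rests entirely on K_AF, and per claim 4 the AF must already hold K_AF from the AAnF before it answers the session establishment request. A fresh random number per session gives key separation between sessions, but nothing in the claims stops a replayed (random number, ciphertext) pair from decrypting identically, which is why the AF above remembers the random numbers it has accepted.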
CN202111589904.9A 2021-12-23 2021-12-23 Communication encryption method, system and device Pending CN114285557A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202111589904.9A CN114285557A (en) 2021-12-23 2021-12-23 Communication encryption method, system and device
PCT/CN2022/132005 WO2023116266A1 (en) 2021-12-23 2022-11-15 Communication encryption method, system, and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111589904.9A CN114285557A (en) 2021-12-23 2021-12-23 Communication encryption method, system and device

Publications (1)

Publication Number Publication Date
CN114285557A true CN114285557A (en) 2022-04-05

Family

ID=80874537

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111589904.9A Pending CN114285557A (en) 2021-12-23 2021-12-23 Communication encryption method, system and device

Country Status (2)

Country Link
CN (1) CN114285557A (en)
WO (1) WO2023116266A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023116266A1 (en) * 2021-12-23 2023-06-29 中国电信股份有限公司 Communication encryption method, system, and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109788474A (en) * 2017-11-14 2019-05-21 华为技术有限公司 A kind of method and device of message protection
CN113162758A (en) * 2020-01-23 2021-07-23 中国移动通信有限公司研究院 Key generation method and device
CN113225176A (en) * 2020-02-04 2021-08-06 华为技术有限公司 Key obtaining method and device
CN113676901A (en) * 2020-04-30 2021-11-19 华为技术有限公司 Key management method, device and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114285557A (en) * 2021-12-23 2022-04-05 中国电信股份有限公司 Communication encryption method, system and device

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109788474A (en) * 2017-11-14 2019-05-21 华为技术有限公司 A kind of method and device of message protection
CN113162758A (en) * 2020-01-23 2021-07-23 中国移动通信有限公司研究院 Key generation method and device
WO2021147997A1 (en) * 2020-01-23 2021-07-29 中国移动通信有限公司研究院 Key generation method and device
CN113225176A (en) * 2020-02-04 2021-08-06 华为技术有限公司 Key obtaining method and device
CN113676901A (en) * 2020-04-30 2021-11-19 华为技术有限公司 Key management method, device and system

Also Published As

Publication number Publication date
WO2023116266A1 (en) 2023-06-29

Similar Documents

Publication Publication Date Title
CN110380852B (en) Bidirectional authentication method and communication system
EP3318043B1 (en) Mutual authentication of confidential communication
US20180013555A1 (en) Data transmission method and apparatus
CN103124269B (en) Based on the Bidirectional identity authentication method of dynamic password and biological characteristic under cloud environment
JP2019533384A (en) Data transmission method, apparatus and system
CN111464301B (en) Key management method and system
EP3476078B1 (en) Systems and methods for authenticating communications using a single message exchange and symmetric key
CN108809633B (en) Identity authentication method, device and system
CN108199847B (en) Digital security processing method, computer device, and storage medium
CN110889696A (en) Storage method, device, equipment and medium for alliance block chain secret key based on SGX technology
US20200195446A1 (en) System and method for ensuring forward & backward secrecy using physically unclonable functions
CN107453880A (en) A kind of cloud secure storage method of data and system
CN110868291A (en) Data encryption transmission method, device, system and storage medium
JP2020532177A (en) Computer-implemented systems and methods for advanced data security, high-speed encryption, and transmission
US10630466B1 (en) Apparatus and method for exchanging cryptographic information with reduced overhead and latency
CN104767766A (en) Web Service interface verification method, Web Service server and client side
CN110519222B (en) External network access identity authentication method and system based on disposable asymmetric key pair and key fob
CN110493177B (en) Method and system for quantum communication service station AKA key negotiation based on asymmetric key pool pair and serial number
US20230269078A1 (en) Key sharing method, key sharing system, authenticating device, authentication target device, recording medium, and authentication method
JP2022117456A (en) Message transmission system with hardware security module
WO2023116266A1 (en) Communication encryption method, system, and device
CN113141333B (en) Communication method, device, server, system and storage medium of network access device
CN115473655B (en) Terminal authentication method, device and storage medium for access network
CN111740995A (en) Authorization authentication method and related device
KR101329789B1 (en) Encryption Method of Database of Mobile Communication Device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination