CN114760038A - Identity authentication method and device - Google Patents


Info

Publication number: CN114760038A
Authority: CN (China)
Prior art keywords: authentication, identity, message, key, access controller
Legal status: Pending
Application number: CN202011569210.4A
Other languages: Chinese (zh)
Inventors: 铁满霞, 曹军, 赵晓荣, 赖晓龙, 李琴, 张变玲, 黄振海, 王月辉
Current assignee: China Iwncomm Co Ltd
Original assignee: China Iwncomm Co Ltd
Application filed by: China Iwncomm Co Ltd
Priority to: CN202011569210.4A; PCT/CN2021/140178 (published as WO2022135418A1)
Publication: CN114760038A

Classifications

    All under H04L (transmission of digital information, e.g. telegraphic communication):
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0841 Key agreement (a shared key derived by the parties as a function of information each contributes) involving Diffie-Hellman or related key agreement protocols
    • H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H04L9/0869 Generation of secret information, including derivation or calculation of cryptographic keys or passwords, involving random numbers or seeds
    • H04L9/32 Means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3242 Identity or message authentication using cryptographic hash functions, involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • H04L9/3247 Identity or message authentication involving digital signatures
    • H04L9/3263 Identity or message authentication involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/0414 Confidential data exchange among entities communicating through data packet networks in which the identity of one or more communicating parties is hidden during transmission, i.e. protected against eavesdropping, e.g. by using temporary identifiers, but known to the other parties involved in the communication
    • H04L63/0435 Confidential data exchange in which the data content is protected by encrypting or encapsulating the payload, with the sending and receiving network entities applying symmetric encryption, i.e. the same key for encryption and decryption
    • H04L63/0869 Authentication of entities, for achieving mutual authentication

Abstract

The application discloses an identity authentication method comprising the following steps. An Authentication Access Controller (AAC) receives an identity ciphertext message sent by a requesting device (REQ); the identity ciphertext message comprises a first identity information ciphertext, generated by the REQ by encrypting information including the REQ's identity information and a first identity key with the public key of an encryption certificate. The AAC sends a first authentication request message, comprising the first identity information ciphertext and the AAC's identity authentication code, to a first authentication server. The first authentication server verifies the validity of the AAC from the AAC's identity authentication code and generates first authentication result information; a second authentication server verifies the validity of the REQ from the REQ's digital certificate and generates second authentication result information. The REQ and the AAC each obtain the authentication result for the opposite end, achieving bidirectional identity authentication, and the entities' sensitive information is transmitted only in ciphertext, so the entities' identity information is protected.

Description

Identity authentication method and device
Technical Field
The present application relates to the field of network communication security technologies, and in particular, to an identity authentication method and apparatus.
Background
At present, a communication network generally requires bidirectional identity authentication between a user and a network access point, to ensure that a legitimate user accesses a legitimate network. In existing entity authentication schemes, either all entities use digital certificates as identity credentials or the entities share pre-shared keys with one another. In some practical scenarios, however, one end uses a digital certificate as its identity credential while the other end uses a pre-shared key, which presents a challenge to the entity identity authentication mechanism.
In addition, during identity authentication the identity information of an entity is transmitted in the clear, and that information sometimes contains private or sensitive data, such as an ID card number, a home address or bank card details.
Disclosure of Invention
To solve the above technical problem, the present application provides an identity authentication method and apparatus that achieve bidirectional entity authentication and protection of entity identity information when the requesting device uses a digital certificate and the authentication access controller uses a pre-shared key as its identity credential.
In view of this, a first aspect of the present application provides an identity authentication method, comprising:
the authentication access controller receives an identity ciphertext message sent by a requesting device, the identity ciphertext message comprising a first identity information ciphertext; the first identity information ciphertext is generated by the requesting device by encrypting, with the public key of an encryption certificate, information including the identity information of the requesting device and a first identity key of the requesting device; the identity information of the requesting device comprises the digital certificate of the requesting device; the first identity key comprises a second key;
the authentication access controller sends a first authentication request message to a first authentication server trusted by the authentication access controller, the first authentication request message comprising the first identity information ciphertext and an identity authentication code of the authentication access controller; the identity authentication code is computed by the authentication access controller over information including the first identity information ciphertext, using the pre-shared key it shares with the first authentication server and a cryptographic algorithm agreed with the first authentication server;
the authentication access controller receives a first authentication response message sent by the first authentication server, comprising first authentication result information, a first digital signature of a second authentication server trusted by the requesting device, a second authentication result information ciphertext, and a first message authentication code of the first authentication server; the first authentication result information comprises a first verification result for the authentication access controller; the first digital signature is computed by the second authentication server over signature data comprising the first authentication result information; the second authentication result information ciphertext is generated by encrypting information comprising second authentication result information with the second key; the second authentication result information comprises a second verification result for the digital certificate of the requesting device; and the first message authentication code of the first authentication server is computed by the first authentication server over information comprising the second authentication result information ciphertext, using the pre-shared key it shares with the authentication access controller and the cryptographic algorithm agreed with the authentication access controller;
the authentication access controller verifies the first message authentication code of the first authentication server using the pre-shared key it shares with the first authentication server and the agreed cryptographic algorithm, and if the verification passes, sends a third authentication response message to the requesting device, the third authentication response message comprising an identity authentication result information ciphertext generated by the authentication access controller by encrypting, with a message encryption key, data comprising the first authentication result information and the first digital signature;
the requesting device decrypts the identity authentication result information ciphertext with the message encryption key to obtain the first authentication result information and the first digital signature;
the requesting device verifies the first digital signature with the public key of the second authentication server, and if the verification passes, determines the identity authentication result of the authentication access controller from the first verification result in the first authentication result information; when the requesting device determines that the authentication access controller is legal, it sends a fourth authentication response message to the authentication access controller; or,
the requesting device verifies the first digital signature with the public key of the second authentication server, and if the verification passes, sends a fourth authentication response message to the authentication access controller and determines the identity authentication result of the authentication access controller from the first verification result in the first authentication result information; or,
the requesting device verifies the first digital signature with the public key of the second authentication server; if the verification passes, the requesting device determines the identity authentication result of the authentication access controller from the first verification result in the first authentication result information; and the requesting device sends a fourth authentication response message to the authentication access controller;
wherein the fourth authentication response message comprises a second key ciphertext generated by encrypting information including the second key with the message encryption key;
and after receiving the fourth authentication response message, the authentication access controller decrypts the second key ciphertext with the message encryption key to obtain the second key, decrypts the second authentication result information ciphertext with the second key to obtain the second authentication result information, and determines the identity authentication result of the requesting device from the second verification result in the second authentication result information.
A second aspect of the present application provides a requesting device, comprising:
an encryption module, configured to encrypt information including the identity information of the requesting device and a first identity key of the requesting device with the public key of an encryption certificate to generate a first identity information ciphertext, where the identity information of the requesting device comprises the digital certificate of the requesting device and the first identity key comprises a second key;
a sending module, configured to send an identity ciphertext message comprising the first identity information ciphertext to an authentication access controller;
a receiving module, configured to receive a third authentication response message sent by the authentication access controller, the third authentication response message comprising an identity authentication result information ciphertext generated by the authentication access controller by encrypting, with a message encryption key, data comprising first authentication result information and a first digital signature; the first authentication result information comprises a first verification result for the authentication access controller, and the first digital signature is computed by a second authentication server trusted by the requesting device over signature data comprising the first authentication result information;
a decryption module, configured to decrypt the identity authentication result information ciphertext with the message encryption key to obtain the first authentication result information and the first digital signature;
a verification module, configured to verify the first digital signature with the public key of the second authentication server; if the verification passes, a determining module determines the identity authentication result of the authentication access controller from the first verification result in the first authentication result information, and when the determining module determines that the authentication access controller is legal, the sending module sends a fourth authentication response message to the authentication access controller; or,
if the first digital signature passes verification, the sending module sends a fourth authentication response message to the authentication access controller and the determining module determines the identity authentication result of the authentication access controller from the first verification result in the first authentication result information; or,
the verification module verifies the first digital signature with the public key of the second authentication server; if the verification passes, the determining module determines the identity authentication result of the authentication access controller from the first verification result in the first authentication result information, and the sending module sends a fourth authentication response message to the authentication access controller;
wherein the fourth authentication response message comprises a second key ciphertext generated by the encryption module by encrypting information including the second key with the message encryption key.
A third aspect of the present application provides an authentication access controller, comprising:
a receiving module, configured to receive an identity ciphertext message sent by a requesting device, the identity ciphertext message comprising a first identity information ciphertext; the first identity information ciphertext is generated by the requesting device by encrypting, with the public key of an encryption certificate, information comprising the identity information of the requesting device and a first identity key of the requesting device; the identity information of the requesting device comprises the digital certificate of the requesting device; the first identity key comprises a second key;
a sending module, configured to send a first authentication request message to a first authentication server trusted by the authentication access controller, the first authentication request message comprising the first identity information ciphertext and an identity authentication code of the authentication access controller; the identity authentication code is computed by the authentication access controller over information including the first identity information ciphertext, using the pre-shared key it shares with the first authentication server and a cryptographic algorithm agreed with the first authentication server;
the receiving module is further configured to receive a first authentication response message sent by the first authentication server, comprising first authentication result information, a first digital signature of a second authentication server trusted by the requesting device, a second authentication result information ciphertext, and a first message authentication code of the first authentication server; the first authentication result information comprises a first verification result for the authentication access controller; the first digital signature is computed by the second authentication server over signature data comprising the first authentication result information; the second authentication result information ciphertext is generated by encrypting information comprising second authentication result information with the second key; the second authentication result information comprises a second verification result for the digital certificate of the requesting device; and the first message authentication code of the first authentication server is computed by the first authentication server over information comprising the second authentication result information ciphertext, using the pre-shared key it shares with the authentication access controller and the cryptographic algorithm agreed with the authentication access controller;
a verification module, configured to verify the first message authentication code of the first authentication server using the pre-shared key shared with the first authentication server and the cryptographic algorithm agreed with it;
the sending module is further configured to send a third authentication response message to the requesting device if the verification passes, the third authentication response message comprising an identity authentication result information ciphertext generated by the authentication access controller by encrypting, with a message encryption key, data comprising the first authentication result information and the first digital signature;
the receiving module is further configured to receive a fourth authentication response message sent by the requesting device, the fourth authentication response message comprising a second key ciphertext generated by encrypting information including the second key with the message encryption key;
a decryption module, configured to decrypt the second key ciphertext with the message encryption key to obtain the second key, and to decrypt the second authentication result information ciphertext with the second key to obtain the second authentication result information;
and a determining module, configured to determine the identity authentication result of the requesting device from the second verification result in the second authentication result information.
A fourth aspect of the present application provides a first authentication server, comprising:
a receiving module, configured to receive a first authentication request message sent by an authentication access controller, the first authentication request message comprising a first identity information ciphertext and an identity authentication code of the authentication access controller; the first identity information ciphertext is generated by the requesting device by encrypting, with the public key of an encryption certificate, information including the identity information of the requesting device and a first identity key of the requesting device; the identity information of the requesting device comprises the digital certificate of the requesting device; the first identity key comprises a second key; and the identity authentication code is computed by the authentication access controller over information including the first identity information ciphertext, using the pre-shared key it shares with the first authentication server and a cryptographic algorithm agreed with the first authentication server;
a sending module, configured to send a first authentication response message to the authentication access controller, the first authentication response message comprising first authentication result information, a first digital signature of a second authentication server trusted by the requesting device, a second authentication result information ciphertext, and a first message authentication code of the first authentication server; the first authentication result information comprises a first verification result for the authentication access controller; the first digital signature is computed by the second authentication server over signature data comprising the first authentication result information; the second authentication result information ciphertext is generated by encrypting information comprising the second authentication result information with the second key; the second authentication result information comprises a second verification result for the digital certificate of the requesting device; and the first message authentication code of the first authentication server is computed by the first authentication server over information comprising the second authentication result information ciphertext, using the pre-shared key it shares with the authentication access controller and the cryptographic algorithm agreed with the authentication access controller.
A fifth aspect of the present application provides a second authentication server comprising:
a receiving module, configured to receive a second authentication request message sent by a first authentication server, where the second authentication request message includes first authentication result information, a first identity information ciphertext, and a second digital signature, or the second authentication request message includes the first authentication result information, the first identity information ciphertext, and a second message authentication code; the first identity information ciphertext is generated by encrypting information including identity information of the requesting device and a first identity key of the requesting device by using a public key of an encryption certificate, the identity information of the requesting device comprises a digital certificate of the requesting device, and the first identity key comprises a second key; the second digital signature is calculated by the first authentication server for signature data including the first authentication result information and the first identity information ciphertext or the second message authenticator is calculated by the first authentication server for information including the first authentication result information and the first identity information ciphertext;
a verification module, configured to verify the second digital signature using the public key of the first authentication server, or to verify the second message authentication code using the pre-shared key shared with the first authentication server, and, if the verification passes, to decrypt the first identity information ciphertext using the private key corresponding to the encryption certificate to obtain the digital certificate and the second key of the requesting device, and to verify the validity of the digital certificate of the requesting device to obtain a second verification result;
a generating module, configured to generate the second authentication result information according to information including the second verification result, encrypt information including the second authentication result information using the second key to generate a second authentication result information ciphertext, calculate signature data including the first authentication result information to generate a first digital signature, calculate signature data including the second authentication result information ciphertext to generate a third digital signature, or calculate information including the second authentication result information ciphertext to generate a third message authentication code;
a sending module, configured to send a second authentication response message to the first authentication server, where the second authentication response message includes the first authentication result information, the first digital signature, the second authentication result information ciphertext, and the third digital signature, or the second authentication response message includes the first authentication result information, the first digital signature, the second authentication result information ciphertext, and the third message authentication code.
From the above, it can be seen that in the identity authentication method provided by the application, the requesting device uses a digital certificate as its identity credential and the authentication access controller uses a pre-shared key as its identity credential. In the identity authentication process, the requesting device first sends an identity ciphertext message to the authentication access controller; the identity ciphertext message includes a first identity information ciphertext, that is, a ciphertext generated by the requesting device by encrypting information including its identity information and its first identity key with the public key of an encryption certificate, where the identity information of the requesting device includes its digital certificate and the first identity key includes a second key. The authentication access controller calculates an identity authentication code of the authentication access controller over information including the first identity information ciphertext, using the pre-shared key shared with a first authentication server it trusts and the cryptographic algorithm agreed with that server, and sends a first authentication request message carrying the first identity information ciphertext and the identity authentication code of the authentication access controller to the first authentication server. The second authentication server trusted by the requesting device verifies the validity of the digital certificate of the requesting device, and the first authentication server verifies the identity authentication code of the authentication access controller. After verification is complete, the first authentication server sends a first authentication response message to the authentication access controller; the first authentication response message includes first authentication result information, a first digital signature of the second authentication server, a second authentication result information ciphertext and a first message authentication code of the first authentication server. The authentication access controller then verifies the first message authentication code of the first authentication server using the pre-shared key and the cryptographic algorithm agreed with the first authentication server, and after the verification passes sends a third authentication response message carrying an identity authentication result information ciphertext to the requesting device. The requesting device decrypts the identity authentication result information ciphertext with the message encryption key to obtain the first authentication result information and thus the verification result of the authentication access controller; when it determines that the identity of the authentication access controller is legal, it sends a fourth authentication response message including a second key ciphertext to the authentication access controller. The authentication access controller decrypts the second key ciphertext with the message encryption key to obtain the second key, decrypts the second authentication result information ciphertext with the second key to obtain the second authentication result information, and obtains the verification result of the requesting device from it. Bidirectional identity authentication of the requesting device and the authentication access controller is thus realized, laying a foundation for ensuring that only a legal user can access a legal network. Moreover, the identity information and/or the identity authentication result information of each entity is transmitted in ciphertext form, so the security of private information in transit is guaranteed and identity protection of the entities is realized.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a schematic diagram of an identity authentication method according to an embodiment of the present application;
fig. 2 is a schematic diagram of a method by which the requesting device REQ and the authentication access controller AAC negotiate a message encryption key according to an embodiment of the present application;
fig. 3 is a schematic diagram of an identity authentication method provided in an embodiment of the present application, where "+" denotes an optional field or an optional operation;
fig. 4 is a schematic diagram of an identity authentication method provided in an embodiment of the present application, where "+" denotes an optional field or an optional operation;
fig. 5 is a schematic diagram of an identity authentication method provided in an embodiment of the present application, where "+" denotes an optional field or an optional operation;
fig. 6 is a schematic diagram of an identity authentication method provided in an embodiment of the present application, where "+" denotes an optional field or an optional operation;
fig. 7 is a block diagram illustrating a structure of a request device REQ according to an embodiment of the present disclosure;
fig. 8 is a block diagram illustrating an architecture of an AAC according to an embodiment of the present disclosure;
fig. 9 is a block diagram illustrating a structure of a first authentication server AS-AAC according to an embodiment of the present disclosure;
fig. 10 is a block diagram of a second authentication server AS-REQ according to an embodiment of the present application.
Detailed Description
In a communication network, a requesting device may access a network through an authentication access controller. To ensure that the requesting device accessing the network belongs to a legitimate user and that the network it accesses is a legitimate network, bidirectional identity authentication (MIA for short) needs to be performed between the authentication access controller and the requesting device.
Taking current wireless and mobile communication scenarios as examples: where the requesting device accesses a wireless network through the authentication access controller, the requesting device may be a terminal device such as a mobile phone, a personal digital assistant (PDA) or a tablet computer, and the authentication access controller may be a network-side device such as a wireless access point or a wireless router. Where the requesting device accesses a wired network through the authentication access controller, the requesting device may be a terminal device such as a desktop or notebook computer, and the authentication access controller may be a network-side device such as a switch or a router. Where the requesting device accesses a fourth/fifth generation mobile communication technology (4G/5G) network through the authentication access controller, the requesting device may be a terminal device such as a mobile phone or a tablet computer, and the authentication access controller may be a network-side device such as a base station. Of course, the method and device are also applicable to other data communication scenarios such as other wired networks and near-field communication networks.
However, in existing entity authentication schemes, the identity credentials of the entities are uniformly either digital certificates or pre-shared keys; no simple and effective identity authentication mechanism has been proposed for the case, which arises in practice, where one end uses a digital certificate as its identity credential and the other end uses a pre-shared key. Moreover, during the transmission of identity authentication messages, the identity information of the entity is directly exposed, so the security of the identity authentication messages cannot be guaranteed.
To solve the above technical problem, an embodiment of the present application provides an identity authentication method for the application scenario in which the requesting device authenticates with a digital certificate and the authentication access controller authenticates with a pre-shared key. A first authentication server trusted by the authentication access controller verifies the identity authentication code of the authentication access controller to obtain a first verification result, a second authentication server trusted by the requesting device verifies the validity of the digital certificate of the requesting device to obtain a second verification result, and the requesting device and the authentication access controller each determine whether the opposite entity is legal according to the verification result corresponding to that entity, thereby implementing bidirectional identity authentication between the authentication access controller and the requesting device and laying a foundation for ensuring that only a legal user can communicate with a legal network. Private information of the entities, such as identity identifiers and authentication result information, is transmitted in ciphertext form, so the security of the private information in transit is ensured and identity protection of the entities is realized.
For convenience of introduction, in the embodiments of the present application the identity authentication method is described by taking a requesting device (REQ), an authentication access controller (AAC) and an authentication server (AS) as examples.
The AS trusted by AAC is called the first authentication server AS-AAC, and the AS trusted by REQ is called the second authentication server AS-REQ. AS-REQ holds a digital certificate conforming to ISO/IEC 9594-8/ITU X.509, other standards or other technical systems, together with the private key corresponding to that certificate; AS-AAC can verify the identity validity of AAC, and AS-REQ can verify the validity of the digital certificate of REQ. AS-AAC and AS-REQ may be the same AS or different ASs: when they are the same, this is the non-roaming case; when they are different, this is the roaming case, and then either a valid pre-shared key exists between AS-AAC and AS-REQ, or AS-AAC holds a digital certificate conforming to ISO/IEC 9594-8/ITU X.509, other standards or other technical systems together with its corresponding private key, and AS-AAC and AS-REQ trust each other and know each other's digital certificate or the public key in that certificate. The certificate decryption server (CS-DEC) holds an encryption certificate conforming to ISO/IEC 9594-8/ITU X.509, other standards or other technical systems and the private key corresponding to that encryption certificate; there may be one or more encryption certificates, and CS-DEC may be an independent server or may reside in AS-AAC and/or AS-REQ.
REQ may be an endpoint participating in the identity authentication process: it establishes a connection with AAC, accesses the services provided by AAC, and reaches the AS through AAC. REQ holds a digital certificate conforming to ISO/IEC 9594-8/ITU X.509, other standards or other technical systems and the private key corresponding to that certificate, knows the digital certificate of AS-REQ or the public key in it, and knows the encryption certificate of CS-DEC or the public key in it. AAC may be the other endpoint participating in the authentication process: it establishes a connection with REQ, provides services to REQ and communicates with REQ, and has direct access to AS-AAC; a pre-shared key exists between AAC and AS-AAC, and in some cases AAC knows the encryption certificate of CS-DEC or the public key in that certificate.
An identity authentication method provided in an embodiment of the present application is described below with reference to fig. 1, where the method includes:
S101, AAC receives the identity ciphertext message REQInit sent by REQ.
REQInit includes a first identity information ciphertext EncPub_AS_REQ. EncPub_AS_REQ is generated by REQ encrypting, with the public key of the encryption certificate, encrypted data including the identity information of REQ and the first identity key of REQ; the identity information of REQ includes the digital certificate Cert_REQ of REQ, and the first identity key includes a second key Nonce_REQPub.
S102, AAC sends a first authentication request message AACVeri to its trusted AS-AAC.
AACVeri includes EncPub_AS_REQ and the identity authentication code MIC_AAC of AAC. MIC_AAC is generated by AAC by calculation over information including EncPub_AS_REQ, using the pre-shared key K_AAC_AS with AS-AAC and the cryptographic algorithm agreed with AS-AAC. As an example, the cryptographic algorithm agreed between AAC and AS-AAC may be a hash algorithm: K_AAC_AS is used with the hash algorithm to compute a hash over the fields of AACVeri that precede the MIC_AAC field, for example information including EncPub_AS_REQ, and the resulting hash value is used as the identity authentication code MIC_AAC of AAC. AS-AAC then verifies MIC_AAC to obtain a first verification result Res_AAC, and AS-REQ, trusted by REQ, verifies the Cert_REQ obtained by decrypting EncPub_AS_REQ to obtain a second verification result Res_REQ.
It should be noted that, when the AS-AAC trusted by AAC and the AS-REQ trusted by REQ are the same authentication server, the authentication server trusted by both REQ and AAC may be denoted AS-AAC (or, equally, AS-REQ). In this case AS-AAC (which may also be denoted AS-REQ) verifies MIC_AAC to obtain Res_AAC, and verifies the validity of the Cert_REQ obtained by decrypting EncPub_AS_REQ to obtain Res_REQ. The decryption of EncPub_AS_REQ may be performed by the certificate decryption server CS-DEC, which decrypts EncPub_AS_REQ with the private key corresponding to the encryption certificate, and AS-AAC (also denoted AS-REQ) obtains the decrypted Cert_REQ from CS-DEC; alternatively, AS-AAC (also denoted AS-REQ) decrypts EncPub_AS_REQ with the private key corresponding to the encryption certificate of a CS-DEC residing in AS-AAC (also denoted AS-REQ) to obtain Cert_REQ. When verifying MIC_AAC, AS-AAC (also denoted AS-REQ) determines the pre-shared key K_AAC_AS with AAC and the agreed cryptographic algorithm, then uses K_AAC_AS and that algorithm to locally compute MIC_AAC over the fields of AACVeri preceding the MIC_AAC field, for example information including EncPub_AS_REQ, and compares the computed MIC_AAC with the received MIC_AAC to complete the verification of MIC_AAC. When determining K_AAC_AS and the cryptographic algorithm, AS-AAC may rely on the valid pre-shared key K_AAC_AS and cryptographic algorithm confirmed in advance with AAC; in addition, AACVeri may also carry the identity ID_AAC of AAC, and AS-AAC may determine the valid pre-shared key K_AAC_AS and cryptographic algorithm with AAC according to ID_AAC.
Next, AS-AAC (which may also be denoted AS-REQ) generates the first authentication result information Pub_AAC from information including Res_AAC, generates the second authentication result information Pub_REQ from information including Res_REQ, and encrypts information including Pub_REQ with the Nonce_REQPub obtained by decrypting EncPub_AS_REQ to obtain the second authentication result information ciphertext (for example, the second authentication result information ciphertext may be generated by an XOR of Nonce_REQPub and Pub_REQ, i.e. Pub_REQ⊕Nonce_REQPub). It then uses K_AAC_AS and the cryptographic algorithm to calculate over information including the second authentication result information ciphertext, generating the first message authentication code MIC_AS_AAC of AS-AAC (which may also be denoted MIC_AS_REQ), calculates over signature data including Pub_AAC to generate a first digital signature Sig_AS_AAC1 (also denoted Sig_AS_REQ1), and generates the first authentication response message ASVeri from information including Pub_AAC, Sig_AS_AAC1 (also denoted Sig_AS_REQ1), the second authentication result information ciphertext and MIC_AS_AAC (also denoted MIC_AS_REQ).
When the AS-AAC trusted by AAC and the AS-REQ trusted by REQ are two different authentication servers, AS-AAC verifies MIC_AAC to obtain Res_AAC, and AS-REQ verifies the validity of the Cert_REQ obtained by decrypting EncPub_AS_REQ to obtain Res_REQ.
Specifically, AS-AAC verifies MIC_AAC using the pre-shared key K_AAC_AS with AAC and the cryptographic algorithm agreed with AAC to obtain Res_AAC, generates the first authentication result information Pub_AAC from information including Res_AAC, calculates over signature data including Pub_AAC and EncPub_AS_REQ to generate a second digital signature Sig_AS_AAC2, and sends a second authentication request message AS-AACVeri to AS-REQ, where AS-AACVeri includes Pub_AAC, EncPub_AS_REQ and Sig_AS_AAC2. Sig_AS_AAC2 may be replaced by MIC_AS_AAC2, a second message authentication code that AS-AAC calculates over information including Pub_AAC and EncPub_AS_REQ using the pre-shared key with AS-REQ and the cryptographic algorithm agreed with AS-REQ.
Then AS-REQ verifies Sig_AS_AAC2 with the public key of AS-AAC, or verifies MIC_AS_AAC2 using the pre-shared key with AS-AAC and the cryptographic algorithm agreed with AS-AAC. After the verification passes, AS-REQ verifies the validity of the Cert_REQ obtained by decrypting EncPub_AS_REQ to obtain Res_REQ, generates the second authentication result information Pub_REQ from information including Res_REQ, encrypts information including Pub_REQ with the Nonce_REQPub obtained by decrypting EncPub_AS_REQ to generate the second authentication result information ciphertext, calculates over signature data including Pub_AAC to generate a first digital signature Sig_AS_REQ1, calculates over signature data including the second authentication result information ciphertext to generate a third digital signature Sig_AS_REQ3, and sends a second authentication response message AS-REQVeri to AS-AAC, where AS-REQVeri includes Pub_AAC, Sig_AS_REQ1, the second authentication result information ciphertext and Sig_AS_REQ3. Sig_AS_REQ3 may be replaced by MIC_AS_REQ3, a third message authentication code that AS-REQ calculates over information including the second authentication result information ciphertext using the pre-shared key with AS-AAC and the cryptographic algorithm agreed with AS-AAC.
AS-AAC verifies Sig_AS_REQ3 with the public key of AS-REQ, or verifies MIC_AS_REQ3 using the pre-shared key with AS-REQ and the cryptographic algorithm agreed with AS-REQ. After the verification passes, AS-AAC uses K_AAC_AS and the cryptographic algorithm agreed with AAC to calculate over information including the second authentication result information ciphertext, generating the first message authentication code MIC_AS_AAC of AS-AAC, and generates the first authentication response message ASVeri from information including Pub_AAC, Sig_AS_REQ1, the second authentication result information ciphertext and MIC_AS_AAC.
S103, AAC receives a first authentication response message ASVeri sent by AS-AAC.
ASVeri includes the first authentication result information, the first digital signature Sig_AS_REQ1, the second authentication result information ciphertext and the first message authentication code MIC_AS_AAC of AS-AAC.
S104, AAC verifies MIC_AS_AAC using the pre-shared key with AS-AAC and the cryptographic algorithm agreed with AS-AAC.
If the verification passes, S105 is executed. Here AAC uses the pre-shared key K_AAC_AS with AS-AAC and the cryptographic algorithm agreed with AS-AAC to calculate MIC_AS_AAC over information including the second authentication result information ciphertext, and compares the calculated MIC_AS_AAC with the received MIC_AS_AAC; if they are consistent, the verification of MIC_AS_AAC passes, otherwise the verification fails and ASVeri is discarded.
S105, AAC sends a third authentication response message AACAuth to REQ.
AACAuth includes the identity authentication result information ciphertext EncData_AAC. EncData_AAC is generated by AAC encrypting, with the message encryption key, encrypted data including the first authentication result information and the first digital signature Sig_AS_REQ1. In this application, the object being encrypted is referred to as encrypted data.
S106, REQ decrypts EncData_AAC with the message encryption key to obtain the first authentication result information and Sig_AS_REQ1.
S107, REQ verifies Sig_AS_REQ1 with the public key of AS-REQ.
S108, REQ determines the identity authentication result of AAC according to Res_AAC in the first authentication result information.
Since Res_AAC reflects whether AAC is legal, REQ can determine whether AAC is legal according to Res_AAC in the first authentication result information.
S109, REQ sends a fourth authentication response message REQAuth to AAC.
REQAuth includes a second key ciphertext EncData_REQ. EncData_REQ is generated by REQ encrypting information including Nonce_REQPub with the message encryption key.
It should be noted that the execution order of S107 to S109 does not affect the specific implementation of the present application, and in practice it may be set according to requirements. Preferably, S107 is executed first: if REQ's verification of Sig_AS_REQ1 fails, AACAuth is discarded; when the verification of Sig_AS_REQ1 passes, S108 is executed; when REQ determines that AAC is legal, S109 is executed; and when REQ determines that AAC is illegal, REQ chooses according to its local policy whether to execute S109, where, for efficiency, the preferred option is not to execute it and to end the authentication process.
S110, AAC decrypts EncData_REQ with the message encryption key to obtain Nonce_REQPub, decrypts the second authentication result information ciphertext with Nonce_REQPub to obtain the second authentication result information, and determines the identity authentication result of REQ according to Res_REQ in the second authentication result information.
Since Res_REQ reflects whether REQ is legal, AAC can determine whether REQ is legal according to Res_REQ in the second authentication result information.
It can be seen from the above technical solution that, when bidirectional identity authentication is performed between the requesting device and the authentication access controller, for the application scenario in which the requesting device uses a digital certificate and the authentication access controller uses a pre-shared key as its authentication mode, a first authentication server trusted by the authentication access controller verifies the identity authentication code of the authentication access controller using the pre-shared key agreed with the authentication access controller to obtain a first verification result, a second authentication server trusted by the requesting device verifies the digital certificate of the requesting device to obtain a second verification result, and the requesting device and the authentication access controller each obtain the verification result corresponding to the opposite entity and can thus determine whether that entity is legal. Bidirectional identity authentication between the authentication access controller and the requesting device is thereby realized, laying a foundation for ensuring that only a legal user can access a legal network. Moreover, private information of the entities, such as identity identifiers and authentication result information, is transmitted in ciphertext form, so the security of the private information in transit is ensured and identity protection of the entities is realized.
To ensure the reliability of the authentication result, AAC may generate a message integrity check code. For example, the AACAuth of S105 may further include a first message integrity check code MacTag_AAC, which AAC calculates with the message integrity check key over the fields of AACAuth other than the MacTag_AAC field; REQ may verify MacTag_AAC with the message integrity check key before determining the identity authentication result of AAC, and determines that result only after the verification passes. When verifying MacTag_AAC, REQ uses the message integrity check key to locally calculate MacTag_AAC over the fields of AACAuth other than the MacTag_AAC field and compares the locally calculated MacTag_AAC with the MacTag_AAC in the received AACAuth; if they are consistent the verification passes, otherwise it fails.
Likewise, REQ may also generate a message integrity check code. For example, the REQAuth of S109 may further include a second message integrity check code MacTag_REQ, which REQ calculates with the message integrity check key over the fields of REQAuth other than the MacTag_REQ field. Accordingly, AAC may verify MacTag_REQ with the message integrity check key before determining the identity authentication result of REQ, and determines that result only after the verification passes. When verifying MacTag_REQ, AAC uses the message integrity check key to locally calculate MacTag_REQ over the fields of REQAuth other than the MacTag_REQ field and compares the locally calculated MacTag_REQ with the MacTag_REQ in the received REQAuth; if they are consistent the verification passes, otherwise it fails.
Note that, the generation manner of the message integrity check key used by REQ and AAC is described in the next embodiment.
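As an added illustration (not code from the patent or its assignee), the following Python models the keyed parts of S101 to S110 and of the MacTag embodiment above: MIC_AAC over the preceding AACVeri fields, the XOR sealing of Pub_REQ under Nonce_REQPub, MIC_AS_AAC over ASVeri, MacTag verification, and AAC opening Pub_REQ only after REQ releases Nonce_REQPub in REQAuth. It assumes HMAC-SHA256 as the agreed cryptographic algorithm and a length-prefixed field encoding, and replaces the public-key encryption, the digital signatures and the EncData message encryption with labelled placeholders.

```python
import hashlib
import hmac
import secrets


def mac_over_fields(key: bytes, fields: list) -> bytes:
    """Keyed hash over length-prefixed fields (used for MIC_AAC, MIC_AS_AAC, MacTag).

    The patent computes each code over the fields that precede it (or all other
    fields) in the message; the 2-byte length prefix is a constructed encoding that
    keeps field boundaries unambiguous. HMAC-SHA256 is the assumed agreed algorithm.
    """
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        h.update(len(f).to_bytes(2, "big"))
        h.update(f)
    return h.digest()


def xor_seal(data: bytes, nonce: bytes) -> bytes:
    """Pub_REQ XOR Nonce_REQPub; also the inverse, since XOR is an involution.

    The nonce acts as a one-time pad: it must be fresh per run and at least as
    long as the data, otherwise it cannot be applied or leaks the data.
    """
    if len(nonce) < len(data):
        raise ValueError("Nonce_REQPub shorter than the data it seals")
    return bytes(d ^ n for d, n in zip(data, nonce))


# S102: AAC builds AACVeri; MIC_AAC covers the fields that precede it.
def aac_build_aacveri(k_aac_as, id_aac, nonce_aac, enc_pub_as_req):
    mic_aac = mac_over_fields(k_aac_as, [id_aac, nonce_aac, enc_pub_as_req])
    return {"ID_AAC": id_aac, "Nonce_AAC": nonce_aac,
            "EncPub_AS_REQ": enc_pub_as_req, "MIC_AAC": mic_aac}


# AS-AAC recomputes MIC_AAC with K_AAC_AS and compares (this yields Res_AAC).
def as_verify_mic_aac(k_aac_as, aacveri) -> bool:
    expected = mac_over_fields(
        k_aac_as, [aacveri["ID_AAC"], aacveri["Nonce_AAC"], aacveri["EncPub_AS_REQ"]])
    return hmac.compare_digest(expected, aacveri["MIC_AAC"])


# AS side: seal Pub_REQ under Nonce_REQPub, then MIC_AS_AAC over the ASVeri fields.
def as_build_asveri(k_aac_as, pub_aac, sig_as_req1, pub_req, nonce_req_pub):
    sealed = xor_seal(pub_req, nonce_req_pub)            # Pub_REQ XOR Nonce_REQPub
    mic = mac_over_fields(k_aac_as, [pub_aac, sig_as_req1, sealed])
    return {"Pub_AAC": pub_aac, "Sig_AS_REQ1": sig_as_req1,
            "PubREQ_ct": sealed, "MIC_AS_AAC": mic}


# S104: AAC verifies MIC_AS_AAC. It can check integrity but cannot yet read PubREQ_ct.
def aac_verify_asveri(k_aac_as, asveri) -> bool:
    expected = mac_over_fields(
        k_aac_as, [asveri["Pub_AAC"], asveri["Sig_AS_REQ1"], asveri["PubREQ_ct"]])
    return hmac.compare_digest(expected, asveri["MIC_AS_AAC"])


# Optional MacTag_AAC / MacTag_REQ: keyed over every other field of AACAuth / REQAuth.
def mac_tag(mik, other_fields) -> bytes:
    return mac_over_fields(mik, other_fields)


def verify_mac_tag(mik, other_fields, received_tag) -> bool:
    return hmac.compare_digest(mac_tag(mik, other_fields), received_tag)


# S110: only once REQ has released Nonce_REQPub (REQAuth) can AAC open Pub_REQ.
def aac_open_pub_req(asveri, nonce_req_pub) -> bytes:
    return xor_seal(asveri["PubREQ_ct"], nonce_req_pub)


def run_exchange(tamper: bool = False) -> dict:
    """One run with constructed values; returns what each party concluded."""
    k_aac_as = secrets.token_bytes(32)         # K_AAC_AS, pre-shared by AAC and AS-AAC
    mik = secrets.token_bytes(32)              # message integrity check key (fig. 2, not modelled)
    nonce_req_pub = secrets.token_bytes(32)    # Nonce_REQPub chosen by REQ in REQInit
    enc_pub_as_req = b"<EncPub_AS_REQ placeholder>"   # public-key encryption not modelled
    sig_as_req1 = b"<Sig_AS_REQ1 placeholder>"       # AS-REQ signature not modelled

    aacveri = aac_build_aacveri(k_aac_as, b"AAC-001", secrets.token_bytes(16), enc_pub_as_req)
    res_aac = as_verify_mic_aac(k_aac_as, aacveri)
    pub_aac = b"Res_AAC=" + (b"OK" if res_aac else b"FAIL")   # first authentication result info
    pub_req = b"Res_REQ=OK;ID=REQ-42"                         # AS-REQ's verdict on Cert_REQ
    asveri = as_build_asveri(k_aac_as, pub_aac, sig_as_req1, pub_req, nonce_req_pub)
    if tamper:                                 # an on-path change to the sealed result
        ct = bytearray(asveri["PubREQ_ct"])
        ct[0] ^= 0x01
        asveri["PubREQ_ct"] = bytes(ct)
    if not aac_verify_asveri(k_aac_as, asveri):
        return {"res_aac": res_aac, "asveri_ok": False, "pub_req": None}  # S104: discard

    # S105 / S109 (EncData encryption omitted): MacTag over the other message fields.
    aacauth_fields = [asveri["Pub_AAC"], asveri["Sig_AS_REQ1"]]
    req_accepts_aac = verify_mac_tag(mik, aacauth_fields, mac_tag(mik, aacauth_fields))
    reqauth_fields = [nonce_req_pub]
    aac_accepts_tag = verify_mac_tag(mik, reqauth_fields, mac_tag(mik, reqauth_fields))
    pub_req_seen = aac_open_pub_req(asveri, nonce_req_pub) if aac_accepts_tag else None
    return {"res_aac": res_aac, "asveri_ok": True,
            "req_accepts_aac": req_accepts_aac, "pub_req": pub_req_seen}
```

The tampered run shows the detection property AAC relies on in S104: a modified second authentication result information ciphertext fails the MIC_AS_AAC check and ASVeri is discarded before any result is acted on.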
Referring to fig. 1, the REQInit of S101 may further include a digital signature Sig_REQ of REQ; the signature data of Sig_REQ includes the fields of REQInit preceding Sig_REQ. Before AAC determines the identity authentication result of REQ, AAC determines whether Sig_REQ passes verification, and if it does, AAC determines the identity authentication result of REQ according to Res_REQ in the second authentication result information. In the present application, the object being signed is referred to as signature data. AAC determines whether Sig_REQ passes verification in one of the following ways:
In one implementation, when the second authentication result information further includes Cert_REQ, AAC verifies Sig_REQ using the Cert_REQ in the second authentication result information and determines from the result whether Sig_REQ passes verification. In another implementation, AS-REQ verifies Sig_REQ using the Cert_REQ obtained by decrypting EncPub_AS_REQ with the decryption key; if the verification passes, AS-REQ continues the subsequent operations and sends the first authentication response message ASVeri to AAC, and if it fails, AS-REQ does not send ASVeri to AAC. Thus, if AAC receives ASVeri, AAC determines that Sig_REQ has passed verification.
It should be noted that information such as random numbers and identity identifiers generated by the requesting device and/or the authentication access controller may be carried in the messages exchanged during the authentication process. Normally the random number and/or identity identifier carried in a received message should be the same as the one carried in the corresponding sent message, but under network jitter, attack or similar conditions, parameter information in a message may be lost or tampered with. Therefore, in some embodiments, the reliability of the authentication result can be further guaranteed by comparing whether the random numbers and/or identity identifiers in the sent and received messages are consistent.
Referring to fig. 1, the AACVeri of S102 may also include the identity ID_AAC of AAC and/or a first random number Nonce_AAC generated by AAC; correspondingly, the ASVeri of S103 also includes ID_AAC and/or Nonce_AAC. Then, before S105, AAC may verify the consistency of the ID_AAC in ASVeri with AAC's own identity ID_AAC (that is, the ID_AAC that AAC sent in AACVeri) and/or the consistency of the Nonce_AAC in ASVeri with the Nonce_AAC generated by AAC (that is, the Nonce_AAC that AAC sent in AACVeri), and executes S105 only if the verification passes.
In other embodiments, the first authentication result information may further include an IDAACEncData in AACAuth of S105AACFurther includes an IDAACThe REQ also needs to determine the ID in the first authentication result information before the REQ determines the identity authentication result of AACAACAnd decrypting EncDataAACThe obtained IDAACIf the verification is passed, REQ carries out verification according to Res in the first identification result informationAACAnd determining the identity authentication result of the AAC.
Of course, the REQ may also be the second random number Nonce generated by the REQ in order to ensure the reliability of the authentication resultREQAnd/or identity ID of REQREQAnd carrying out consistency verification.
Referring to fig. 1, in S101, the identity information of the REQ may further include an IDREQThe first identity key may further include a third key NonceREQIDAnd then the first identity information ciphertext EncPubAS_REQIncludes not only CertREQAnd NonceREQPubAnd may also include an IDREQAnd NonceREQID. Accordingly, when generating the second authentication result information ciphertext, Nonce may also be usedREQIDFor including IDREQThe information within is encrypted to generate the ID ciphertext of the REQ (simply, the ID ciphertext of the REQ may be Nonce)REQIDAnd IDREQGenerated by performing an exclusive-or operation, i.e. IDREQ⊕NonceREQID) If so, the ASVeri of S103 further includes the identity identification ciphertext of REQ, and EncData in AACAuth of S105AACThe encrypted data of (2) further includes an identification ciphertext of the REQ; accordingly, the REQ also needs to identify the ID according to its own identity before it determines the identity authentication result of AACREQAnd said NonceREQIDFor decrypting EncDataAACOf the resulting REQAnd verifying the identity identification ciphertext, wherein the specific verification comprises the following steps: REQ utilizing said NonceREQIDFor identity ID including REQ itselfREQThe information inside is encrypted to generate the identity identification ciphertext of the REQ, and the generated identity identification ciphertext of the REQ and the decrypted EncData are encryptedAACCarrying out consistency verification on the obtained identity identification ciphertext of the REQ; alternatively, REQ utilizes NonceREQIDDecrypt the identity ciphertext of the REQ to get the IDREQThe ID obtained by decryptionREQIdentity ID with REQ itselfREQCarrying out consistency verification; if the verification is passed, REQ is again based on Res in the first authentication result informationAACAnd determining the identity authentication result of the AAC.
Of course, Nonce in S101 may be includedREQCorrespondingly, the AACVeri of S102 and the ASVeri of S103 can also include NonceREQEncData in AACAuth of S105AACFurther includes a NonceREQ. Accordingly, REQ needs to decrypt EncData before it determines the identity of AACAACThe obtained NonceREQWith REQ generated NonceREQIf the verification is passed, REQ is again based on Res in the first identification result informationAACAnd determining the identity authentication result of the AAC.
In the above embodiments, the identity ID of AACAACThe first identification result information and the like are transmitted in a plaintext form, and the information can also be transmitted in a ciphertext form in consideration of the security of the AAC sensitive information.
Referring to fig. 1, in some embodiments, the AACVeri of S102 may further include a second identity information ciphertext EncPubAS_AACSaid EncPubAS_AACIs AAC utilizes public key pair of cryptographic certificate to include IDAACAnd a second identity key of AAC, the second identity key comprising a fourth key NonceAACPubAnd a fifth key NonceAACID. Correspondingly, the ASVeri of S103 includes the first authentication result information, SigAS_REQ1AAC identity identification ciphertext, second identification result information ciphertext and MICAS_AAC. Wherein, the first identification result information is in a form of ciphertextFormula (e.g. using the Nonce)AACPubFor including PubAACGenerated by encrypting the information therein, simply generated by exclusive-or operation, i.e. PubAAC⊕NonceAACPub) (ii) a The identity identification ciphertext of AAC is that AS-AAC utilizes the NonceAACIDFor the IDAACGenerated by encrypting the information inside (simply, generated by an exclusive-or operation, i.e. an ID)AAC⊕NonceAACID)。
Based on this, after receiving ASVeri of S103, AAC may identify ID according to AAC itselfAACAnd said fifth key NonceAACIDVerifying the identity identification ciphertext of the AAC, wherein the specific verification comprises the following steps: AAC utilizing the NonceAACIDFor identity ID comprising AAC itselfAACEncrypting the internal information to generate an identity identification ciphertext of the AAC, and performing consistency verification on the generated identity identification ciphertext of the AAC and the identity identification ciphertext of the AAC in the ASVeri received S103; alternatively, AAC utilizes NonceAACIDDecrypting identity identification ciphertext of AAC to obtain IDAACAnd will decrypt the IDAACIdentity ID with AAC itselfAACAnd (4) verifying the consistency, and sending AACAuth to the REQ after the verification is passed. Wherein EncData in AACAuth of S105AACFurther comprising said NonceAACPub(ii) a Accordingly, the REQ may utilize the decryption EncData before it determines the identity of AACAACThe obtained NonceAACPubDecrypting the first authentication result information to obtain a first authentication result ResAACThen according to the first verification result ResAACAnd determining the identity authentication result of the AAC.
In the above embodiments, the message encryption key used by the REQ and the AAC may be negotiated between them or shared in advance. This embodiment therefore further provides a method by which the REQ and the AAC negotiate the message encryption key; referring to fig. 2, the method includes:
S201, the AAC sends a key request message AACInit to the REQ.
AACInit includes the key exchange parameter KeyInfo_AAC of the AAC, where KeyInfo_AAC includes the temporary (ephemeral) public key of the AAC and the key exchange refers to a key exchange algorithm such as Diffie-Hellman (DH). AACInit may also include a first random number Nonce_AAC generated by the AAC.
AACInit may also include Security capabilities_AAC, which indicates the security capability parameter information supported by the AAC, including the identity authentication suite (one or more identity authentication methods), the symmetric encryption algorithms, the integrity check algorithms and/or the key derivation algorithms supported by the AAC, so that the REQ can select a specific security policy to use. The REQ then selects, on the basis of Security capabilities_AAC, the specific security policy Security capabilities_REQ it will use; Security capabilities_REQ indicates the identity authentication method, symmetric encryption algorithm, integrity check algorithm and/or key derivation algorithm the REQ has determined to use accordingly.
S202, the REQ performs a key exchange calculation on the temporary private key corresponding to its own key exchange parameter KeyInfo_REQ and the temporary public key included in KeyInfo_AAC to generate a first key, and calculates the message encryption key from information including the first key using a key derivation algorithm.
If the AACInit of S201 also includes the Nonce_AAC generated by the AAC, the REQ may perform the key exchange calculation on the temporary private key corresponding to KeyInfo_REQ and the temporary public key included in KeyInfo_AAC to generate the first key K1, and then calculate the message encryption key from K1 together with Nonce_AAC and a second random number Nonce_REQ generated by the REQ, using a negotiated or preset key derivation algorithm. The negotiated key derivation algorithm may be the one the REQ selects on the basis of the Security capabilities_AAC sent by the AAC. Here KeyInfo_REQ is the key exchange parameter generated by the REQ and includes the temporary public key of the REQ; the temporary private key corresponding to KeyInfo_REQ is the temporary private key generated by the REQ that matches that temporary public key, i.e. the two form an ephemeral public/private key pair.
S203, the REQ sends an identity ciphertext message REQInit to the AAC.
REQInit includes KeyInfo_REQ, so that the AAC can calculate the message encryption key from information including the temporary private key corresponding to KeyInfo_AAC and the temporary public key included in KeyInfo_REQ. Here the temporary private key corresponding to KeyInfo_AAC is the temporary private key generated by the AAC that matches the temporary public key of the AAC, i.e. the two form an ephemeral public/private key pair.
REQInit may also include Security capabilities_REQ. REQInit may also include Nonce_REQ, so that the AAC can calculate the message encryption key from information including the temporary private key corresponding to KeyInfo_AAC, the temporary public key included in KeyInfo_REQ, Nonce_AAC and Nonce_REQ.
REQInit may further include Nonce_AAC. Before calculating the message encryption key, the AAC may then check that the Nonce_AAC in REQInit is consistent with the Nonce_AAC it generated, to ensure that the REQInit it received is a response to its own AACInit.
S204, the AAC performs a key exchange calculation on the temporary private key corresponding to KeyInfo_AAC and the temporary public key included in KeyInfo_REQ to generate the first key, and calculates the message encryption key from information including the first key using the key derivation algorithm.
If REQInit also includes Nonce_REQ, the AAC may perform the key exchange calculation on the temporary private key corresponding to KeyInfo_AAC and the temporary public key included in KeyInfo_REQ to generate the first key K1, and then calculate the message encryption key from K1 together with Nonce_AAC and Nonce_REQ, using a negotiated or preset key derivation algorithm. The negotiated key derivation algorithm may be the one the AAC selects on the basis of the Security capabilities_REQ sent by the REQ.
It should be noted that, in the embodiment of fig. 2, the REQ and the AAC may also generate a message integrity check key, each in the same way as it generates the message encryption key. For example, either party may derive one string of key data with the key derivation algorithm in the manner of fig. 2 and use it both as message encryption key and as message integrity check key, or use one part of it as message encryption key and another part as message integrity check key; alternatively, either party may run the key derivation algorithm more than once in the manner of fig. 2 to derive two strings of key data, the same or different, and use one as message encryption key and the other as message integrity check key.
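The following is an added example of the fig. 2 negotiation (S201 to S204) with both parties' computations; it is written for this page and is not the applicant's implementation. The choices the text leaves open are assumptions: ephemeral Diffie-Hellman over the RFC 3526 group 14 (2048-bit MODP) as the key exchange, HKDF-SHA256 (RFC 5869) as the negotiated key derivation algorithm, 32-byte nonces, and one derived string split into a message encryption key and a separate message integrity check key. The subgroup check on the received KeyInfo is an addition a practitioner would want; the text does not mention it.

```python
"""Added example for the fig. 2 negotiation (S201 to S204), written for this page;
it is not the applicant's implementation. Assumed choices the text leaves open:
ephemeral Diffie-Hellman over the RFC 3526 group 14 (2048-bit MODP) as the key
exchange, HKDF-SHA256 (RFC 5869) as the key derivation algorithm, and one derived
string split into a message encryption key and a separate message integrity key."""
import hashlib
import hmac
import secrets

# RFC 3526 group 14 prime and generator; generator 2 has prime order Q = (P-1)/2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2

def gen_keyinfo():
    """One party's ephemeral pair: (temporary private key, KeyInfo = temporary public key)."""
    priv = secrets.randbits(256) | 1
    return priv, pow(G, priv, P)

def check_keyinfo(pub):
    """Added check (not in the text): reject out-of-range and small-subgroup public values."""
    if not 2 <= pub <= P - 2 or pow(pub, Q, P) != 1:
        raise ValueError("invalid KeyInfo: not an element of the prime-order subgroup")

def hkdf_sha256(ikm, salt, info, length):
    """RFC 5869 extract-then-expand with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, t = b"", b""
    for counter in range(1, -(-length // 32) + 1):
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm += t
    return okm[:length]

def derive_message_keys(k1, nonce_aac, nonce_req, other_info=b"example-label"):
    """KDF over K1 together with Nonce_AAC, Nonce_REQ and agreed 'other information'.
    Returns (message encryption key, message integrity check key) as distinct halves."""
    okm = hkdf_sha256(k1.to_bytes(256, "big"), nonce_aac + nonce_req, other_info, 64)
    return okm[:32], okm[32:]

def aac_process_reqinit(aac_priv, own_nonce_aac, reqinit):
    """S204: check that REQInit answers our AACInit, then compute K1 and the keys."""
    if not hmac.compare_digest(reqinit["Nonce_AAC"], own_nonce_aac):
        raise ValueError("REQInit does not echo our Nonce_AAC; discard")
    check_keyinfo(reqinit["KeyInfo_REQ"])
    k1 = pow(reqinit["KeyInfo_REQ"], aac_priv, P)
    return derive_message_keys(k1, own_nonce_aac, reqinit["Nonce_REQ"])

def negotiate():
    """Full S201-S204 run; returns the key pairs computed by the REQ and by the AAC."""
    aac_priv, keyinfo_aac = gen_keyinfo()                  # S201: AACInit
    nonce_aac = secrets.token_bytes(32)
    aacinit = {"KeyInfo_AAC": keyinfo_aac, "Nonce_AAC": nonce_aac}

    req_priv, keyinfo_req = gen_keyinfo()                  # S202: at the REQ
    nonce_req = secrets.token_bytes(32)
    check_keyinfo(aacinit["KeyInfo_AAC"])
    k1 = pow(aacinit["KeyInfo_AAC"], req_priv, P)
    req_keys = derive_message_keys(k1, aacinit["Nonce_AAC"], nonce_req)

    reqinit = {"KeyInfo_REQ": keyinfo_req, "Nonce_REQ": nonce_req,   # S203: REQInit
               "Nonce_AAC": aacinit["Nonce_AAC"]}
    aac_keys = aac_process_reqinit(aac_priv, nonce_aac, reqinit)    # S204: at the AAC
    return req_keys, aac_keys
```

Both sides end with the same (encryption key, integrity key) pair only if Nonce_AAC was echoed unchanged and both public values lie in the prime-order subgroup; a REQInit that fails either check is discarded before any key is derived, which is the S204 behaviour the text describes for the nonce and a standard hardening for the key exchange parameter.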
The embodiment of the application also provides a method for determining, through information exchange between the AAC and the REQ, the first authentication server and/or the second authentication server used in the authentication process, which includes the following:
Referring to fig. 2, the AAC adds to the AACInit of S201 the identity identifier ID_AS_AAC of at least one authentication server trusted by the AAC, and the REQ may determine from ID_AS_AAC the identity identifier ID_AS_REQ of at least one authentication server trusted by the REQ. In a particular implementation, the REQ selects from ID_AS_AAC the identity identifier of at least one authentication server that it also trusts and uses it as ID_AS_REQ; if the selection fails, the REQ uses the identity identifier of at least one authentication server it trusts itself as ID_AS_REQ (a successful selection corresponds to the non-roaming case, a failed selection to the roaming case). The REQ adds ID_AS_REQ to the REQInit of S203 and sends it to the AAC. The AAC may then determine the first authentication server from ID_AS_AAC and ID_AS_REQ: for example, the AAC can determine whether ID_AS_REQ and ID_AS_AAC have the identity identifier of an authentication server in common. If they do, this is the non-roaming case, and the AAC determines the first authentication server participating in identity authentication from the identity identifier of at least one authentication server trusted by both the REQ and the AAC; if not, this is the roaming case, and the AAC determines the first authentication server AS-AAC participating in identity authentication according to ID_AS_AAC and sends ID_AS_REQ to the AS-AAC, so that the AS-AAC determines the second authentication server AS-REQ according to ID_AS_REQ.
As another implementation, the AAC need not send ID_AS_AAC to the REQ; instead the REQ adds the identity identifier ID_AS_REQ of at least one authentication server trusted by itself to the REQInit of S203 and sends it to the AAC. The specific manner in which the first authentication server and/or the second authentication server participating in identity authentication is determined from ID_AS_REQ and the identity identifier ID_AS_AAC of at least one authentication server trusted by the AAC itself is as in the previous embodiment.
Because the authentication servers trusted by the REQ and the AAC may be the same or different: when they are the same, this is the non-roaming case; when they are different, this is the roaming case. The identity authentication method provided by the embodiment of the present application is described below with reference to the non-roaming and roaming application scenarios: (1) identity authentication method with REQ identity protection in the non-roaming case; (2) identity authentication method with REQ and AAC identity protection in the non-roaming case; (3) identity authentication method with REQ identity protection in the roaming case; and (4) identity authentication method with REQ and AAC identity protection in the roaming case.
Referring to fig. 3, an embodiment of the identity authentication method in case (1) above is shown. Here the authentication server trusted in common by the REQ and the AAC is denoted AS-AAC (it could of course equally be denoted AS-REQ). In this embodiment the message encryption key negotiation between the REQ and the AAC is merged in parallel into the identity authentication process, which is more convenient for engineering implementation. The identity authentication method includes the following steps:
S301, the AAC generates Nonce_AAC and KeyInfo_AAC, and generates Security capabilities_AAC as required.
S302, the AAC sends a key request message AACInit to the REQ.
AACInit includes Nonce_AAC, KeyInfo_AAC and Security capabilities_AAC. Security capabilities_AAC is an optional field indicating the security capability parameter information supported by the AAC, including the identity authentication suite, symmetric encryption algorithm and/or key derivation algorithm, etc., supported by the AAC (the same applies below).
S303, after receiving AACInit, the REQ performs the following operations (unless otherwise specified or logically required, the actions numbered (1), (2), ... in this document need not be performed in the order of their numbering; the same applies throughout):
(1) generates Nonce_REQ and KeyInfo_REQ;
(2) generates Security capabilities_REQ as required;
(3) performs a key exchange calculation on the temporary private key corresponding to KeyInfo_REQ and the temporary public key included in KeyInfo_AAC to generate the first key K1, and calculates the message encryption key and the message integrity check key from K1 combined with Nonce_AAC, Nonce_REQ and other information (the other information used by the REQ and the AAC is the same and optional, such as a specific string) using a negotiated or preset key derivation algorithm; this step may instead be performed later, when the message encryption key and the message integrity check key are first needed;
(4) generates Nonce_REQID and Nonce_REQPub;
(5) calculates EncPub_AS_REQ using the public key of the encryption certificate;
(6) calculates the digital signature Sig_REQ of the REQ.
S304, the REQ sends an identity ciphertext message REQInit to the AAC.
REQInit includes Nonce_AAC, Nonce_REQ, Security capabilities_REQ, KeyInfo_REQ, EncPub_AS_REQ and Sig_REQ. The data signed by Sig_REQ includes the fields of REQInit preceding Sig_REQ, e.g. Nonce_AAC, Nonce_REQ, Security capabilities_REQ, KeyInfo_REQ and EncPub_AS_REQ; Nonce_AAC should equal the corresponding field in AACInit; the encrypted data of EncPub_AS_REQ includes ID_REQ, Cert_REQ, Nonce_REQID and Nonce_REQPub; Security capabilities_REQ is an optional field, and whether the REQ generates it depends on whether the AACInit sent by the AAC carried Security capabilities_AAC. Security capabilities_REQ indicates the specific security policy the REQ has selected on the basis of Security capabilities_AAC, i.e. the identity authentication method, symmetric encryption algorithm and/or key derivation algorithm, etc., that the REQ has determined to use (the same applies below).
S305, after receiving REQInit, the AAC performs the following operations:
(1) checks that the Nonce_AAC in REQInit is consistent with the Nonce_AAC generated by the AAC; if not, discards REQInit;
(2) performs a key exchange calculation on the temporary private key corresponding to KeyInfo_AAC and the temporary public key included in KeyInfo_REQ to generate the first key K1, and calculates the message encryption key and the message integrity check key from K1 combined with Nonce_AAC, Nonce_REQ and other information (the other information used by the AAC and the REQ is the same and optional, such as a specific string) using a negotiated or preset key derivation algorithm; this step may of course be performed later, when the message encryption key or the message integrity check key is first needed;
(3) calculates MIC_AAC.
S306, the AAC sends a first authentication request message AACVeri to the AS-AAC.
AACVeri includes EncPub_AS_REQ, Nonce_REQ, ID_AAC, Nonce_AAC and MIC_AAC. EncPub_AS_REQ and Nonce_REQ should equal the corresponding fields in REQInit; ID_AAC and Nonce_AAC are the identity identifier of the AAC and the Nonce_AAC generated by the AAC; MIC_AAC is the hash value the AAC computes over the fields of AACVeri preceding MIC_AAC, using the pre-shared key K_AAC_AS it shares with the AS-AAC and a hash algorithm agreed with the AS-AAC (that is, a keyed hash such as an HMAC). For example, when AACVeri contains, in order, EncPub_AS_REQ, Nonce_REQ, ID_AAC, Nonce_AAC and MIC_AAC, the AAC computes MIC_AAC with K_AAC_AS and the hash algorithm over information including EncPub_AS_REQ, Nonce_REQ, ID_AAC and Nonce_AAC.
S307, after receiving AACVeri, the AS-AAC performs the following operations:
(1) verifies MIC_AAC to obtain Res_AAC, and generates Pub_AAC from information including Res_AAC and ID_AAC;
Here the AS-AAC determines from the ID_AAC in AACVeri the pre-shared key K_AAC_AS it shares with the AAC and the hash algorithm, uses K_AAC_AS and that hash algorithm to compute MIC_AAC locally over the fields of AACVeri preceding MIC_AAC, and compares the result with the received MIC_AAC. If the two are the same, MIC_AAC passes verification and the AS-AAC judges the identity authentication result of the AAC to be legal; if they differ, MIC_AAC fails verification and the AS-AAC acts according to local policy, for instance discarding AACVeri or judging the identity authentication result of the AAC to be illegal.
(2) decrypts EncPub_AS_REQ with the private key corresponding to the encryption certificate to obtain ID_REQ, Cert_REQ, Nonce_REQID and Nonce_REQPub, verifies Cert_REQ to obtain Res_REQ, and generates Pub_REQ from information including Res_REQ and Cert_REQ;
(3) XORs ID_REQ with Nonce_REQID to obtain ID_REQ ⊕ Nonce_REQID, and XORs Pub_REQ with Nonce_REQPub to obtain Pub_REQ ⊕ Nonce_REQPub;
(4) calculates the first digital signature Sig_AS_AAC1 and the first message authentication code MIC_AS_AAC of the AS-AAC.
S308, the AS-AAC sends a first authentication response message ASVeri to the AAC.
ASVeri includes ID_REQ ⊕ Nonce_REQID, Nonce_REQ, Pub_AAC, Sig_AS_AAC1, ID_AAC, Nonce_AAC, Pub_REQ ⊕ Nonce_REQPub and MIC_AS_AAC. ID_REQ, Nonce_REQ, ID_AAC and Nonce_AAC should equal the corresponding fields in AACVeri; the data signed by Sig_AS_AAC1 includes ID_REQ ⊕ Nonce_REQID, Nonce_REQ and Pub_AAC; MIC_AS_AAC is computed by the AS-AAC with K_AAC_AS and the hash algorithm agreed with the AAC over information including ID_AAC, Nonce_AAC and Pub_REQ ⊕ Nonce_REQPub.
S309, after receiving ASVeri, the AAC performs the following operations:
(1) checks that the ID_AAC and Nonce_AAC in ASVeri are the same as the AAC's own identity identifier ID_AAC and the Nonce_AAC generated by the AAC, respectively; if not, discards ASVeri;
(2) verifies MIC_AS_AAC; if the verification fails, discards ASVeri;
Here the AAC uses K_AAC_AS and the hash algorithm agreed with the AS-AAC to compute MIC_AS_AAC locally over information including ID_AAC, Nonce_AAC and Pub_REQ ⊕ Nonce_REQPub, and compares it with the received MIC_AS_AAC; if the two are the same, MIC_AS_AAC passes verification, otherwise it fails.
(3) calculates the identity authentication result information ciphertext EncData_AAC using the message encryption key;
(4) calculates the first message integrity check code MacTag_AAC.
S310, the AAC sends a third authentication response message AACAuth to the REQ.
AACAuth includes Nonce_AAC, Nonce_REQ, EncData_AAC and MacTag_AAC. Nonce_REQ and Nonce_AAC are optional fields and equal the Nonce_REQ in REQInit and the Nonce_AAC generated by the AAC, respectively. The encrypted data of EncData_AAC includes ID_REQ ⊕ Nonce_REQID, Nonce_REQ, Pub_AAC, Sig_AS_AAC1 and ID_AAC, where ID_REQ ⊕ Nonce_REQID, Nonce_REQ, Pub_AAC and Sig_AS_AAC1 come from ASVeri and ID_AAC should equal the AAC's own identity identifier ID_AAC. MacTag_AAC is calculated as follows: using the message integrity check key and the integrity check algorithm, compute MacTag_AAC over the information in all fields of AACAuth other than the MacTag_AAC field itself.
S311, after receiving AACAuth, the REQ performs the following operations:
(1) if AACAuth carries Nonce_REQ and/or Nonce_AAC, checks that Nonce_REQ is the same as the Nonce_REQ generated by the REQ and/or that Nonce_AAC is the same as the Nonce_AAC in AACInit;
(2) verifies MacTag_AAC;
The verification process is: using the message integrity check key and the integrity check algorithm, compute MacTag_AAC locally over the information in all fields of AACAuth other than the MacTag_AAC field itself (in the same way the AAC computed MacTag_AAC), and compare the computed MacTag_AAC with the received MacTag_AAC;
(3) decrypts EncData_AAC with the message encryption key to obtain ID_REQ ⊕ Nonce_REQID, Nonce_REQ, Pub_AAC, Sig_AS_AAC1 and ID_AAC;
(4) XORs ID_REQ ⊕ Nonce_REQID with Nonce_REQID to recover ID_REQ, and checks that this ID_REQ and the Nonce_REQ are the same as the REQ's own identity identifier ID_REQ and the Nonce_REQ generated by the REQ, respectively;
(5) checks that the ID_AAC in Pub_AAC is consistent with the decrypted ID_AAC;
(6) verifies Sig_AS_AAC1 using the public key of the AS-AAC;
(7) if any of the above checks or verifications fails, immediately discards AACAuth; if they all pass, determines the identity authentication result of the AAC from the Res_AAC in Pub_AAC; if the AAC is illegal, ends the authentication process;
(8) calculates the second key ciphertext EncData_REQ using the message encryption key;
(9) calculates the second message integrity check code MacTag_REQ.
S312, the REQ sends a fourth authentication response message REQAuth to the AAC.
REQAuth includes Nonce_AAC, Nonce_REQ, EncData_REQ and MacTag_REQ. Nonce_REQ and Nonce_AAC are optional fields and should equal the Nonce_REQ generated by the REQ and the Nonce_AAC in AACInit, respectively; the encrypted data of EncData_REQ includes Nonce_REQPub. MacTag_REQ is calculated as follows: using the message integrity check key and the integrity check algorithm, compute MacTag_REQ over the information in all fields of REQAuth other than the MacTag_REQ field itself.
S313, after receiving REQAuth, the AAC performs the following operations:
(1) if REQAuth carries Nonce_REQ and/or Nonce_AAC, checks that Nonce_REQ is the same as the Nonce_REQ in REQInit and/or that Nonce_AAC is the same as the Nonce_AAC generated by the AAC;
(2) verifies MacTag_REQ;
The verification process is: using the message integrity check key and the integrity check algorithm, compute MacTag_REQ locally over the information in all fields of REQAuth other than the MacTag_REQ field itself (in the same way the REQ computed MacTag_REQ), and compare the computed MacTag_REQ with the received MacTag_REQ;
(3) decrypts EncData_REQ with the message encryption key to obtain Nonce_REQPub;
(4) XORs Pub_REQ ⊕ Nonce_REQPub with Nonce_REQPub to recover Pub_REQ;
(5) verifies Sig_REQ using the Cert_REQ in Pub_REQ;
(6) if all the above checks and verifications pass, determines the identity authentication result of the REQ from the Res_REQ in Pub_REQ; if any of them fails, immediately discards REQAuth.
Thus, the authentication of the AAC and of the REQ, i.e. mutual authentication of the REQ and the AAC, is completed at S311 and S313 respectively, and the identity identifier ID_REQ, the digital certificate Cert_REQ and the authentication result of the REQ are transmitted in ciphertext throughout, achieving identity protection for the REQ.
Note that the verification of Sig_REQ in S313 may instead be performed in advance in S307: Sig_REQ is delivered to the AS-AAC in the AACVeri of S306, and in S307 the AS-AAC also verifies Sig_REQ using Cert_REQ and performs the subsequent operations only after that verification passes. In this case the AAC no longer verifies Sig_REQ in S313, and Pub_REQ need not include Cert_REQ.
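The following is an added example of the S306 to S311 leg of fig. 3, together with the XOR identity masking described with fig. 1 above; it is written for this page and is not the applicant's implementation. Assumed choices: HMAC-SHA256 as the agreed keyed hash and integrity check algorithm, an HMAC-SHA256 counter keystream standing in for the negotiated symmetric cipher (the Python standard library has no AES), 32-byte nonces, and message keys taken as given, since they come from the fig. 2 negotiation. The public-key steps (decryption of EncPub_AS_REQ, Sig_REQ and Sig_AS_AAC1) are not modelled; the `decrypt_encpub` callable and the `lambda c: c` passed to it are stand-ins for the AS-AAC's private-key operation, and all identifiers and sample values are constructed.

```python
"""Added example for S306 to S311 of fig. 3 (and the XOR identity masking described
with fig. 1), written for this page; not the applicant's implementation. Assumed
choices: HMAC-SHA256 as the agreed keyed hash and integrity check algorithm; an
HMAC-SHA256 counter keystream as a stand-in for the negotiated symmetric cipher
(the standard library has no AES); message keys taken as given (fig. 2 output).
The public-key steps (EncPub_AS_REQ decryption, Sig_REQ, Sig_AS_AAC1) are not modelled."""
import hashlib
import hmac
import secrets

def pack(*fields):
    """Length-prefix every field so a MIC over concatenated fields is unambiguous."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def unpack(blob):
    fields, i = [], 0
    while i < len(blob):
        n = int.from_bytes(blob[i:i + 2], "big")
        fields.append(blob[i + 2:i + 2 + n])
        i += 2 + n
    return fields

def keyed_hash(key, *fields):
    """MIC_AAC / MIC_AS_AAC / MacTag: keyed hash over the packed preceding fields."""
    return hmac.new(key, pack(*fields), hashlib.sha256).digest()

def xor_mask(value, one_time_key):
    """ID ⊕ Nonce masking: the key must be fresh per run and at least as long as the
    value, otherwise the 'ciphertext' leaks the masked identity or result."""
    if len(one_time_key) < len(value):
        raise ValueError("one-time key shorter than the field it masks")
    return bytes(a ^ b for a, b in zip(value, one_time_key))

def stream_xor(key, nonce, data):
    """Stand-in symmetric cipher: XOR with an HMAC-SHA256 counter keystream."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(len(data) // 32 + 1))
    return xor_mask(data, b"".join(blocks))

def as_aac_handle_aacveri(k_aac_as, aacveri, decrypt_encpub):
    """S307/S308. decrypt_encpub stands in for the private-key decryption of
    EncPub_AS_REQ; Cert_REQ verification is assumed to yield Res_REQ = legal."""
    encpub, nonce_req, id_aac, nonce_aac, mic_aac = aacveri
    ok = hmac.compare_digest(keyed_hash(k_aac_as, encpub, nonce_req, id_aac, nonce_aac), mic_aac)
    pub_aac = pack(b"legal" if ok else b"illegal", id_aac)          # Res_AAC || ID_AAC
    id_req, cert_req, nonce_reqid, nonce_reqpub = unpack(decrypt_encpub(encpub))
    masked_id = xor_mask(id_req, nonce_reqid)                       # ID_REQ ⊕ Nonce_REQID
    masked_pub_req = xor_mask(pack(b"legal", cert_req), nonce_reqpub)
    # Sig_AS_AAC1 over (masked_id, nonce_req, pub_aac) would be attached here.
    mic_as = keyed_hash(k_aac_as, id_aac, nonce_aac, masked_pub_req)
    return masked_id, nonce_req, pub_aac, id_aac, nonce_aac, masked_pub_req, mic_as

def aac_handle_asveri(k_aac_as, enc_key, mic_key, own_id, own_nonce, asveri):
    """S309/S310: echo checks, MIC_AS_AAC, then AACAuth as encrypt-then-MAC."""
    masked_id, nonce_req, pub_aac, id_aac, nonce_aac, masked_pub_req, mic_as = asveri
    if id_aac != own_id or not hmac.compare_digest(nonce_aac, own_nonce):
        return None                                                  # discard ASVeri
    if not hmac.compare_digest(keyed_hash(k_aac_as, id_aac, nonce_aac, masked_pub_req), mic_as):
        return None
    encdata = stream_xor(enc_key, nonce_aac[:16] + nonce_req[:16],
                         pack(masked_id, nonce_req, pub_aac, own_id))
    mactag = keyed_hash(mic_key, nonce_aac, nonce_req, encdata)     # over all other fields
    return (nonce_aac, nonce_req, encdata, mactag), masked_pub_req

def req_handle_aacauth(enc_key, mic_key, own_id, own_nonce, nonce_aac_seen, nonce_reqid, aacauth):
    """S311 at the REQ: returns Res_AAC, or None when AACAuth must be discarded."""
    nonce_aac, nonce_req, encdata, mactag = aacauth
    if nonce_req != own_nonce or nonce_aac != nonce_aac_seen:        # (1) nonce echoes
        return None
    if not hmac.compare_digest(keyed_hash(mic_key, nonce_aac, nonce_req, encdata), mactag):
        return None                                                  # (2) MacTag_AAC
    plain = stream_xor(enc_key, nonce_aac[:16] + nonce_req[:16], encdata)
    masked_id, inner_nonce_req, pub_aac, id_aac = unpack(plain)     # (3)
    res_aac, pub_id_aac = unpack(pub_aac)
    if xor_mask(masked_id, nonce_reqid) != own_id or inner_nonce_req != own_nonce:
        return None                                                  # (4)
    if pub_id_aac != id_aac:                                         # (5)
        return None
    # (6) Sig_AS_AAC1 would be verified here with the AS-AAC public key (not modelled).
    return res_aac                                                   # (7)

def run_fig3(tamper=False):
    """Constructed end-to-end run with random keys and nonces; tamper flips a ciphertext bit."""
    k_aac_as, enc_key, mic_key = (secrets.token_bytes(32) for _ in range(3))
    id_req, cert_req, id_aac = b"req-001", b"<Cert_REQ DER bytes>", b"aac-07"
    nonce_aac, nonce_req = secrets.token_bytes(32), secrets.token_bytes(32)
    nonce_reqid = secrets.token_bytes(len(id_req))
    nonce_reqpub = secrets.token_bytes(64)            # must cover Res_REQ || Cert_REQ
    encpub = pack(id_req, cert_req, nonce_reqid, nonce_reqpub)   # EncPub_AS_REQ, opaque to AAC
    aacveri = (encpub, nonce_req, id_aac, nonce_aac,
               keyed_hash(k_aac_as, encpub, nonce_req, id_aac, nonce_aac))
    asveri = as_aac_handle_aacveri(k_aac_as, aacveri, lambda c: c)
    aacauth, masked_pub_req = aac_handle_asveri(k_aac_as, enc_key, mic_key, id_aac, nonce_aac, asveri)
    if tamper:
        n_a, n_r, enc, tag = aacauth
        aacauth = (n_a, n_r, bytes([enc[0] ^ 1]) + enc[1:], tag)
    res_aac = req_handle_aacauth(enc_key, mic_key, id_req, nonce_req, nonce_aac, nonce_reqid, aacauth)
    res_req = unpack(xor_mask(masked_pub_req, nonce_reqpub))[0]   # S313 (4): AAC unmasks Pub_REQ
    return res_aac, res_req
```

Two points the code makes explicit that the text leaves implicit: the fields under a MIC or MacTag are length-prefixed, because a keyed hash over a bare concatenation of variable-length fields lets an attacker shift bytes between fields without changing the tag; and the "simply by exclusive-or" masking of ID_REQ and Pub_REQ is only as strong as a one-time pad, so Nonce_REQID and Nonce_REQPub must be fresh for every run and at least as long as the values they mask (the REQ picks Nonce_REQPub before it knows the exact size of Pub_REQ, so it must size it generously).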
Referring to fig. 4, an embodiment of the identity authentication method in case (2) above is shown. Here the authentication server trusted in common by the REQ and the AAC is denoted AS-AAC (it could of course equally be denoted AS-REQ). In this embodiment the message encryption key negotiation between the REQ and the AAC is merged in parallel into the identity authentication process, which facilitates engineering implementation. The identity authentication method includes the following steps:
S401, the AAC generates Nonce_AAC and KeyInfo_AAC, and generates Security capabilities_AAC as required.
S402, the AAC sends a key request message AACInit to the REQ.
AACInit includes Nonce_AAC, KeyInfo_AAC and Security capabilities_AAC, where Security capabilities_AAC is an optional field.
S403, after receiving AACInit, the REQ performs the following operations:
(1) generates Nonce_REQ and KeyInfo_REQ;
(2) generates Security capabilities_REQ as required;
(3) performs a key exchange calculation on the temporary private key corresponding to KeyInfo_REQ and the temporary public key included in KeyInfo_AAC to generate the first key K1, and calculates the message encryption key and the message integrity check key from K1 combined with Nonce_AAC, Nonce_REQ and other information (the other information used by the REQ and the AAC is the same and optional, such as a specific string) using a negotiated or preset key derivation algorithm; this step may of course be performed later, when the message encryption key or the message integrity check key is first needed;
(4) generates Nonce_REQID and Nonce_REQPub;
(5) calculates EncPub_AS_REQ using the public key of the encryption certificate;
(6) calculates Sig_REQ.
S404, the REQ sends an identity ciphertext message REQInit to the AAC.
REQInit includes Nonce_AAC, Nonce_REQ, Security capabilities_REQ, KeyInfo_REQ, EncPub_AS_REQ and Sig_REQ. EncPub_AS_REQ is generated by the REQ by encrypting, with the public key of the encryption certificate, encrypted data including ID_REQ, Cert_REQ, Nonce_REQPub and Nonce_REQID; the data signed by Sig_REQ includes the fields of REQInit preceding Sig_REQ, e.g. Nonce_AAC, Nonce_REQ, Security capabilities_REQ, KeyInfo_REQ and EncPub_AS_REQ; Security capabilities_REQ is an optional field, and whether the REQ generates it depends on whether the AACInit sent by the AAC carried Security capabilities_AAC.
S405, after receiving REQInit, the AAC performs the following operations:
(1) checks that the Nonce_AAC in REQInit is consistent with the Nonce_AAC generated by the AAC; if not, discards REQInit;
(2) performs a key exchange calculation on the temporary private key corresponding to KeyInfo_AAC and the temporary public key included in KeyInfo_REQ to generate the first key K1, and calculates the message encryption key and the message integrity check key from K1 combined with Nonce_AAC, Nonce_REQ and other information (the other information used by the AAC and the REQ is the same and optional, such as a specific string) using a negotiated or preset key derivation algorithm; this step may of course be performed later, when the message encryption key or the message integrity check key is first needed;
(3) generates Nonce_AACPub and Nonce_AACID;
(4) calculates EncPub_AS_AAC using the public key of the encryption certificate;
(5) calculates MIC_AAC.
S406, the AAC sends a first authentication request message AACVeri to the AS-AAC.
AACVeri includes EncPub_AS_REQ, Nonce_REQ, EncPub_AS_AAC, Nonce_AAC and MIC_AAC. Nonce_REQ should equal the corresponding field in REQInit, and Nonce_AAC should equal the Nonce_AAC generated by the AAC. EncPub_AS_AAC is generated by the AAC by encrypting information including ID_AAC, Nonce_AACID and Nonce_AACPub with the public key of the encryption certificate; MIC_AAC is the hash value the AAC computes over the fields of AACVeri preceding MIC_AAC, using the pre-shared key K_AAC_AS it shares with the AS-AAC and the hash algorithm agreed with the AS-AAC.
S407, after receiving the AACVeri, the AS-AAC executes the following operations:
(1) Decrypt EncPub_AS_AAC using the private key corresponding to the encryption certificate to obtain ID_AAC, Nonce_AACID and Nonce_AACPub.
(2) Verify MIC_AAC to obtain Res_AAC, and generate Pub_AAC from information including Res_AAC and ID_AAC.
Here AS-AAC determines, according to ID_AAC, the pre-shared key K_AAC_AS shared with AAC and the hash algorithm, locally calculates MIC_AAC by applying that hash algorithm with K_AAC_AS to the other fields in AACVeri preceding MIC_AAC, and compares the result with the received MIC_AAC. If the two are the same, MIC_AAC verification passes and AS-AAC judges the identity authentication result of AAC to be legal; if they differ, MIC_AAC verification fails and AS-AAC acts according to local policy, for example discarding AACVeri or judging the identity authentication result of AAC to be illegal.
(3) Decrypt EncPub_AS_REQ using the private key corresponding to the encryption certificate to obtain ID_REQ, Cert_REQ, Nonce_REQID and Nonce_REQPub.
(4) Verify Cert_REQ to obtain Res_REQ, and generate Pub_REQ from information including Res_REQ and Cert_REQ.
(5) XOR ID_REQ with Nonce_REQID to obtain the identity ciphertext of REQ, ID_REQ⊕Nonce_REQID; XOR ID_AAC with Nonce_AACID to obtain the identity ciphertext of AAC, ID_AAC⊕Nonce_AACID; XOR Pub_AAC with Nonce_AACPub to obtain Pub_AAC⊕Nonce_AACPub; and XOR Pub_REQ with Nonce_REQPub to obtain Pub_REQ⊕Nonce_REQPub.
(6) Calculate a first digital signature Sig_AS_AAC1 and a first message authentication code MIC_AS_AAC of AS-AAC.
S408, the AS-AAC sends a first authentication response message ASVeri to the AAC.
ASVeri comprises ID_REQ⊕Nonce_REQID, Nonce_REQ, Pub_AAC⊕Nonce_AACPub, Sig_AS_AAC1, ID_AAC⊕Nonce_AACID, Nonce_AAC, Pub_REQ⊕Nonce_REQPub and MIC_AS_AAC. Here, ID_REQ, Nonce_REQ, ID_AAC and Nonce_AAC should each equal the corresponding field in AACVeri. The signature data of Sig_AS_AAC1 includes ID_REQ⊕Nonce_REQID, Nonce_REQ and Pub_AAC⊕Nonce_AACPub. MIC_AS_AAC is calculated by AS-AAC, using K_AAC_AS and the hash algorithm agreed with AAC, over information including ID_AAC⊕Nonce_AACID, Nonce_AAC and Pub_REQ⊕Nonce_REQPub.
S409, after receiving ASVeri, AAC performs the following operations:
(1) XOR ID_AAC⊕Nonce_AACID with Nonce_AACID to recover ID_AAC, and check whether ID_AAC and Nonce_AAC are respectively the same as AAC's own identity ID_AAC and the Nonce_AAC generated by AAC; if not, discard ASVeri.
(2) Verify MIC_AS_AAC; if verification fails, discard ASVeri.
Here AAC locally calculates MIC_AS_AAC by applying the hash algorithm agreed with AS-AAC, with K_AAC_AS, to information including ID_AAC⊕Nonce_AACID, Nonce_AAC and Pub_REQ⊕Nonce_REQPub, and compares the result with the received MIC_AS_AAC. If the two are the same, MIC_AS_AAC verification passes; if they differ, it fails.
(3) Calculate EncData_AAC using the message encryption key.
(4) Calculate MacTag_AAC.
S410, AAC sends a third authentication response message AACAuth to REQ.
AACAuth comprises Nonce_AAC, Nonce_REQ, EncData_AAC and MacTag_AAC. Here, Nonce_REQ and Nonce_AAC are optional fields and should respectively equal Nonce_REQ in REQInit and the Nonce_AAC generated by AAC. EncData_AAC includes ID_REQ⊕Nonce_REQID, Nonce_REQ, Pub_AAC⊕Nonce_AACPub, Sig_AS_AAC1, Nonce_AACPub and ID_AAC, where ID_REQ⊕Nonce_REQID, Nonce_REQ, Pub_AAC⊕Nonce_AACPub and Sig_AS_AAC1 are taken from ASVeri. The calculation of MacTag_AAC is as described for the embodiment of fig. 3.
S411, after receiving AACAuth, REQ performs the following operations:
(1) If Nonce_REQ and/or Nonce_AAC is present in AACAuth, check whether Nonce_REQ is the same as the Nonce_REQ generated by REQ, and/or check whether Nonce_AAC is the same as Nonce_AAC in AACInit.
(2) Verify MacTag_AAC; the verification process is as described for the embodiment of fig. 3.
(3) Decrypt EncData_AAC using the message encryption key to obtain ID_REQ⊕Nonce_REQID, Nonce_REQ, Pub_AAC⊕Nonce_AACPub, Sig_AS_AAC1, Nonce_AACPub and ID_AAC.
(4) XOR ID_REQ⊕Nonce_REQID with Nonce_REQID to recover ID_REQ, and XOR Pub_AAC⊕Nonce_AACPub with Nonce_AACPub to recover Pub_AAC.
(5) Check whether ID_REQ and Nonce_REQ are respectively the same as REQ's own identity ID_REQ and the Nonce_REQ generated by REQ.
(6) Check whether the ID_AAC in Pub_AAC is consistent with the ID_AAC obtained by decryption.
(7) Verify Sig_AS_AAC1 using the public key of AS-AAC.
(8) If any of the above checks or verifications fails, immediately discard AACAuth; if all of them pass, determine the identity authentication result of AAC according to Res_AAC in Pub_AAC; if AAC is determined to be illegal, end the authentication process.
(9) Calculate EncData_REQ using the message encryption key.
(10) Calculate MacTag_REQ.
S412, REQ sends a fourth authentication response message REQAuth to AAC.
REQAuth comprises Nonce_AAC, Nonce_REQ, EncData_REQ and MacTag_REQ. Here, Nonce_REQ and Nonce_AAC are optional fields and should respectively equal the Nonce_REQ generated by REQ and Nonce_AAC in AACInit. The encrypted data of EncData_REQ includes Nonce_REQPub. MacTag_REQ is as described for the embodiment of fig. 3.
S413, after receiving REQAuth, AAC performs the following operations:
(1) If REQAuth carries Nonce_AAC and/or Nonce_REQ, check whether Nonce_AAC is the same as the Nonce_AAC generated by AAC, and/or check whether Nonce_REQ is the same as Nonce_REQ in REQInit.
(2) Verify MacTag_REQ; the verification process is as described for the embodiment of fig. 3.
(3) Decrypt EncData_REQ using the message encryption key to obtain Nonce_REQPub.
(4) XOR Pub_REQ⊕Nonce_REQPub with Nonce_REQPub to recover Pub_REQ.
(5) Verify Sig_REQ using Cert_REQ in Pub_REQ.
(6) If all of the above checks and verifications pass, determine the identity authentication result of REQ according to Res_REQ in Pub_REQ; if any of them fails, immediately discard REQAuth.
Thus, identity authentication of AAC and of REQ is achieved in S411 and S413 respectively, i.e. bidirectional identity authentication between REQ and AAC. The identity ID_REQ and digital certificate Cert_REQ of REQ, the identity ID_AAC of AAC, and the authentication results are transmitted as ciphertext throughout, so identity protection of both REQ and AAC is achieved.
Note that the verification of Sig_REQ in S413 may instead be performed in advance in S407: Sig_REQ can be delivered to AS-AAC through AACVeri of S406, and then in S407 AS-AAC also verifies Sig_REQ and proceeds with the subsequent operations only after verification passes. In this case AAC no longer verifies Sig_REQ in S413, and Pub_REQ may then omit Cert_REQ.
Referring to fig. 5, which shows an embodiment of the identity authentication method in case (three), the message encryption key negotiation process between REQ and AAC is merged in parallel into the identity authentication process, which is more convenient for engineering implementation. The identity authentication method comprises the following steps:
S501, AAC generates Nonce_AAC and KeyInfo_AAC, and generates Security capabilities_AAC as required.
S502, AAC sends a key request message AACInit to REQ.
AACInit comprises Nonce_AAC, KeyInfo_AAC, Security capabilities_AAC and ID_AS_AAC. Here, Security capabilities_AAC and ID_AS_AAC are optional fields, and ID_AS_AAC represents the identity of at least one authentication server trusted by AAC, so that REQ can determine from ID_AS_AAC whether there is a jointly trusted authentication server (see below).
S503, after receiving AACInit, REQ performs the following operations:
(1) Generate Nonce_REQ, Nonce_REQID, Nonce_REQPub and KeyInfo_REQ.
(2) Generate ID_AS_REQ and Security capabilities_REQ as required.
(3) Using the temporary private key corresponding to KeyInfo_REQ and the temporary public key included in KeyInfo_AAC, perform the key exchange calculation to generate a first key K1; then, using a negotiated or preset key derivation algorithm, calculate a message encryption key and a message integrity check key from K1 combined with Nonce_AAC, Nonce_REQ and other information (the other information used by REQ and AAC is the same and optional, such as a specific string). Of course, this step may instead be performed later, when the message encryption key or the message integrity check key is first needed.
(4) Calculate EncPub_AS_REQ using the public key of the encryption certificate.
(5) Calculate the digital signature Sig_REQ of REQ.
S504, REQ sends an identity ciphertext message REQInit to AAC.
REQInit comprises Nonce_AAC, Nonce_REQ, Security capabilities_REQ, KeyInfo_REQ, ID_AS_REQ, EncPub_AS_REQ and Sig_REQ. Here, Nonce_AAC should equal the corresponding field in AACInit. The signature data of Sig_REQ includes the other fields in REQInit preceding Sig_REQ, e.g. Nonce_AAC, Nonce_REQ, Security capabilities_REQ, KeyInfo_REQ, ID_AS_REQ and EncPub_AS_REQ. EncPub_AS_REQ includes ID_REQ, Cert_REQ, Nonce_REQID and Nonce_REQPub. Security capabilities_REQ and ID_AS_REQ are optional fields, and ID_AS_REQ represents the identity of at least one authentication server trusted by REQ: when ID_AS_AAC is present in AACInit, REQ tries to select, from the authentication servers it trusts, at least one that is also in ID_AS_AAC to use as ID_AS_REQ, and if that selection fails it uses at least one authentication server it trusts as ID_AS_REQ; when ID_AS_AAC is absent from AACInit, REQ uses at least one authentication server it trusts as ID_AS_REQ (the same applies hereinafter).
S505, after receiving REQInit, AAC performs the following operations:
(1) Check whether Nonce_AAC in REQInit is consistent with the Nonce_AAC generated by AAC; if not, discard REQInit.
(2) Using the temporary private key corresponding to KeyInfo_AAC and the temporary public key included in KeyInfo_REQ, perform the key exchange calculation to generate a first key K1; then, using a negotiated or preset key derivation algorithm, calculate a message encryption key and a message integrity check key from K1 combined with Nonce_AAC, Nonce_REQ and other information (the other information used by AAC and REQ is the same and optional, such as a specific string).
(3) Calculate MIC_AAC.
(4) If REQInit carries ID_AS_REQ and AACInit carries ID_AS_AAC, AAC judges whether ID_AS_REQ and ID_AS_AAC contain the identity of at least one same authentication server. If so, this is the non-roaming case, and AAC determines the first authentication server participating in identity authentication from the identity of the at least one authentication server jointly trusted by REQ and AAC. If not, this is the roaming case: AAC determines the first authentication server AS-AAC participating in identity authentication according to ID_AS_AAC, and sends ID_AS_REQ to AS-AAC so that AS-AAC determines the second authentication server AS-REQ according to ID_AS_REQ. Alternatively,
if REQInit carries ID_AS_REQ but AACInit does not carry ID_AS_AAC, AAC judges whether ID_AS_REQ contains the identity of at least one authentication server that is also trusted by AAC. If so, this is the non-roaming case, and AAC determines the first authentication server participating in identity authentication from the identity of the at least one authentication server jointly trusted by REQ and AAC. If not, this is the roaming case: AAC determines the first authentication server AS-AAC participating in identity authentication according to the authentication servers trusted by AAC, and sends ID_AS_REQ to AS-AAC so that AS-AAC determines the second authentication server AS-REQ according to ID_AS_REQ.
It should be noted that in this embodiment the result of the determination is the roaming case.
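The server-selection logic of S504 (REQ choosing ID_AS_REQ) and S505 step (4) (AAC deciding between the non-roaming and roaming cases, and forwarding ID_AS_REQ in the latter), as an added example that is not part of the patent or of any China Iwncomm code. Server identities are plain strings and "first" means list order; both are assumptions, as are the sample trust lists.

```python
"""Selection of the authentication servers from ID_AS_AAC and ID_AS_REQ: REQ's choice
of ID_AS_REQ in S504 and AAC's roaming / non-roaming determination in S505 step (4).
Added example, not the patent's own code. Server identities are plain strings here,
and 'first' means list order; both are assumptions."""


def req_choose_id_as_req(req_trusted, id_as_aac):
    """S504: prefer servers that are both trusted by REQ and listed in ID_AS_AAC;
    if there is none (or AACInit carried no ID_AS_AAC), list REQ's own trusted servers."""
    if id_as_aac:
        common = [s for s in req_trusted if s in id_as_aac]
        if common:
            return common
    return list(req_trusted)


def aac_select_servers(id_as_req, id_as_aac, aac_trusted):
    """S505 step (4). Returns a dict describing the case and the chosen servers:
    non-roaming: one jointly trusted server plays both AS-AAC and AS-REQ;
    roaming: AS-AAC is chosen on AAC's side and ID_AS_REQ is forwarded so that AS-AAC
    can pick AS-REQ. Returns None when REQInit carried no ID_AS_REQ (the text defines
    the determination only for the case where it is present)."""
    if not id_as_req:
        return None
    # Compare against ID_AS_AAC when AACInit carried it, else against AAC's own trust list.
    candidates = list(id_as_aac) if id_as_aac else list(aac_trusted)
    common = [s for s in candidates if s in id_as_req]
    if common:
        return {"case": "non-roaming", "as_aac": common[0], "as_req": common[0],
                "forward_id_as_req": None}
    return {"case": "roaming", "as_aac": candidates[0], "as_req": None,
            "forward_id_as_req": list(id_as_req)}


def as_aac_select_as_req(id_as_req, known_as_req=None):
    """S507 step (2): AS-AAC picks AS-REQ from the forwarded ID_AS_REQ, or uses the
    AS-REQ it already knows when the field is absent."""
    return id_as_req[0] if id_as_req else known_as_req


# Constructed sample trust lists (not from the patent).
AAC_TRUSTED = ["as.home.example", "as.backup.example"]
REQ_TRUSTED = ["as.visitor.example", "as.home.example"]
ROAMING_REQ_TRUSTED = ["as.visitor.example"]


if __name__ == "__main__":
    id_as_req = req_choose_id_as_req(ROAMING_REQ_TRUSTED, AAC_TRUSTED)
    decision = aac_select_servers(id_as_req, AAC_TRUSTED, AAC_TRUSTED)
    print(decision, "->", as_aac_select_as_req(decision["forward_id_as_req"]))
```

Because the comparison is made against ID_AS_AAC only when AACInit carried it, a REQ that omits ID_AS_REQ leaves AAC without a basis for the decision, which is why the function returns None in that case rather than guessing.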
S506, AAC sends a first authentication request message AACVeri to AS-AAC.
AACVeri comprises Nonce_AAC, Nonce_REQ, ID_AS_REQ, EncPub_AS_REQ, ID_AAC and MIC_AAC. Here, ID_AS_REQ is an optional field. MIC_AAC is the hash value that AAC calculates, using the pre-shared key K_AAC_AS shared with AS-AAC and a hash algorithm agreed with AS-AAC, over the information in the other fields of AACVeri preceding MIC_AAC.
S507, after receiving AACVeri, AS-AAC performs the following operations:
(1) Verify MIC_AAC to obtain Res_AAC, and generate Pub_AAC from information including Res_AAC and ID_AAC; for the verification of MIC_AAC see the relevant content of the embodiment of fig. 3.
(2) If ID_AS_REQ is present in AACVeri, AS-AAC determines the second authentication server AS-REQ according to ID_AS_REQ; if not, AS-REQ is already known to AS-AAC.
(3) Calculate a second digital signature Sig_AS_AAC2.
S508, the AS-AAC sends a second authentication request message AS-AACVeri to the AS-REQ.
AS-AACVeri comprises Nonce_AAC, Nonce_REQ, EncPub_AS_REQ, ID_AAC, Pub_AAC and Sig_AS_AAC2. Here, Nonce_AAC, Nonce_REQ, EncPub_AS_REQ and ID_AAC should each equal the corresponding field in AACVeri; the signature data of Sig_AS_AAC2 comprises the other fields in AS-AACVeri preceding Sig_AS_AAC2.
S509, after receiving AS-AACVeri, AS-REQ verifies Sig_AS_AAC2 using the public key of AS-AAC.
If verification passes, S510 is executed.
S510, AS-REQ sends a first decryption request message AS-REQReq to CS-DEC.
AS-REQReq comprises EncPub_AS_REQ.
S511, CS-DEC decrypts EncPub_AS_REQ using the private key corresponding to the encryption certificate to obtain ID_REQ, Cert_REQ, Nonce_REQID and Nonce_REQPub.
S512, the CS-DEC sends a first decryption response message CS-DECRep to the AS-REQ.
CS-DECRep includes ID_REQ, Cert_REQ, Nonce_REQID and Nonce_REQPub.
S513, after receiving CS-DECRep, AS-REQ performs the following operations:
(1) Verify Cert_REQ to obtain Res_REQ, and generate Pub_REQ from information including Res_REQ and Cert_REQ.
(2) XOR ID_REQ with Nonce_REQID to obtain ID_REQ⊕Nonce_REQID, and XOR Pub_REQ with Nonce_REQPub to obtain Pub_REQ⊕Nonce_REQPub.
(3) Calculate a first digital signature Sig_AS_REQ1 and a third digital signature Sig_AS_REQ3.
S514, the AS-REQ sends a second authentication response message AS-REQVeri to the AS-AAC.
AS-REQVeri comprises ID_REQ⊕Nonce_REQID, Nonce_REQ, Pub_AAC, Sig_AS_REQ1, ID_AAC, Nonce_AAC, Pub_REQ⊕Nonce_REQPub and Sig_AS_REQ3. Here, ID_REQ, Nonce_REQID and Nonce_REQPub should each equal the corresponding field in CS-DECRep. The signature data of Sig_AS_REQ1 includes ID_REQ⊕Nonce_REQID, Nonce_REQ and Pub_AAC; the signature data of Sig_AS_REQ3 includes ID_AAC, Nonce_AAC and Pub_REQ⊕Nonce_REQPub.
S515, after receiving AS-REQVeri, AS-AAC performs the following operations:
(1) Verify Sig_AS_REQ3 using the public key of AS-REQ; if verification fails, discard AS-REQVeri.
(2) Calculate a first message authentication code MIC_AS_AAC of AS-AAC.
S516, the AS-AAC sends a first authentication response message ASVeri to the AAC.
ASVeri comprises ID_REQ⊕Nonce_REQID, Nonce_REQ, Pub_AAC, Sig_AS_REQ1, ID_AAC, Nonce_AAC, Pub_REQ⊕Nonce_REQPub and MIC_AS_AAC. Here, ID_REQ⊕Nonce_REQID, Nonce_REQ, Pub_AAC, Sig_AS_REQ1, ID_AAC, Nonce_AAC and Pub_REQ⊕Nonce_REQPub should each equal the corresponding field in AS-REQVeri. MIC_AS_AAC is the hash value that AS-AAC calculates, using K_AAC_AS and the hash algorithm agreed with AAC, over information including ID_AAC, Nonce_AAC and Pub_REQ⊕Nonce_REQPub.
S517, after receiving ASVeri, AAC performs the following operations:
(1) Check whether ID_AAC and Nonce_AAC in ASVeri are respectively the same as AAC's own identity ID_AAC and the Nonce_AAC generated by AAC; if not, discard ASVeri.
(2) Verify MIC_AS_AAC; if verification fails, discard ASVeri. For the verification process see the relevant content of the embodiment of fig. 3.
(3) Calculate EncData_AAC using the message encryption key, and calculate MacTag_AAC.
S518, AAC sends a third authentication response message AACAuth to REQ.
AACAuth comprises Nonce_AAC, Nonce_REQ, EncData_AAC and MacTag_AAC. Here, Nonce_REQ and Nonce_AAC are optional fields and should respectively equal Nonce_REQ in REQInit and the Nonce_AAC generated by AAC. EncData_AAC is generated by AAC encrypting, with the message encryption key and a symmetric encryption algorithm, data including ID_REQ⊕Nonce_REQID, Nonce_REQ, Pub_AAC, Sig_AS_REQ1 and ID_AAC. For MacTag_AAC see the relevant content of the embodiment of fig. 3.
S519, after receiving AACAuth, REQ performs the following operations:
(1) If Nonce_REQ and/or Nonce_AAC is present in AACAuth, check whether Nonce_REQ is the same as the Nonce_REQ generated by REQ, and/or check whether Nonce_AAC is the same as Nonce_AAC in AACInit.
(2) Verify MacTag_AAC; for the verification process see the relevant content of the embodiment of fig. 3.
(3) Decrypt EncData_AAC using the message encryption key to obtain ID_REQ⊕Nonce_REQID, Nonce_REQ, Pub_AAC, Sig_AS_REQ1 and ID_AAC.
(4) XOR ID_REQ⊕Nonce_REQID with Nonce_REQID to recover ID_REQ.
(5) Check whether ID_REQ and Nonce_REQ are respectively the same as REQ's own identity ID_REQ and the Nonce_REQ generated by REQ.
(6) Check whether the ID_AAC obtained by decryption is consistent with the ID_AAC in Pub_AAC.
(7) Verify Sig_AS_REQ1 using the public key of AS-REQ.
(8) If any of the above checks or verifications fails, immediately discard AACAuth; if all of them pass, determine the identity authentication result of AAC according to Res_AAC in Pub_AAC; if AAC is illegal, end the authentication process.
(9) Calculate EncData_REQ using the message encryption key.
(10) Calculate MacTag_REQ.
S520, REQ sends a fourth authentication response message REQAuth to AAC.
REQAuth comprises Nonce_AAC, Nonce_REQ, EncData_REQ and MacTag_REQ. Here, Nonce_REQ and Nonce_AAC are optional fields and should respectively equal the Nonce_REQ generated by REQ and Nonce_AAC in AACInit. The encrypted data of EncData_REQ includes Nonce_REQPub. For MacTag_REQ see the relevant content of the embodiment of fig. 3.
S521, after receiving REQAuth, AAC performs the following operations:
(1) If Nonce_AAC and/or Nonce_REQ is present in REQAuth, check whether Nonce_AAC is the same as the Nonce_AAC generated by AAC, and/or check whether Nonce_REQ is the same as Nonce_REQ in REQInit.
(2) Verify MacTag_REQ; for the verification process see the relevant content of the embodiment of fig. 3.
(3) Decrypt EncData_REQ using the message encryption key to obtain Nonce_REQPub.
(4) XOR Pub_REQ⊕Nonce_REQPub with Nonce_REQPub to recover Pub_REQ.
(5) Verify Sig_REQ using Cert_REQ in Pub_REQ.
(6) If all of the above checks and verifications pass, determine the identity authentication result of REQ according to Res_REQ in Pub_REQ; if any of them fails, immediately discard REQAuth.
Therefore, identity authentication of AAC and of REQ in the roaming case is achieved in S519 and S521 respectively, i.e. bidirectional identity authentication between REQ and AAC. The authentication result of REQ is transmitted as ciphertext throughout, so identity protection of REQ is achieved.
In addition: (1) the verification of Sig_REQ in S521 may instead be performed in advance in S513, where Sig_REQ can be delivered to AS-REQ through AACVeri of S506 and AS-AACVeri of S508; AS-REQ then also verifies Sig_REQ using Cert_REQ in S513 and proceeds with the subsequent operations only after verification passes. In this case AAC no longer verifies Sig_REQ in S521, and Pub_REQ may then omit Cert_REQ. (2) The second digital signature Sig_AS_AAC2 in S507 and S508 may be replaced by a second message authentication code MIC_AS_AAC2, where MIC_AS_AAC2 is the hash value that AS-AAC calculates, using a pre-shared key shared with AS-REQ and a hash algorithm agreed with AS-REQ, over the other fields in AS-AACVeri preceding MIC_AS_AAC2; the verification of Sig_AS_AAC2 by AS-REQ in S509 is accordingly replaced by verification of MIC_AS_AAC2. The third digital signature Sig_AS_REQ3 in S513 and S514 may be replaced by a third message authentication code MIC_AS_REQ3, where MIC_AS_REQ3 is the hash value that AS-REQ calculates, using a pre-shared key shared with AS-AAC and a hash algorithm agreed with AS-AAC, over the fields in AS-REQVeri including ID_AAC, Nonce_AAC and Pub_REQ⊕Nonce_REQPub; the verification of Sig_AS_REQ3 by AS-AAC in S515 is accordingly replaced by verification of MIC_AS_REQ3.
Referring to fig. 6, which shows an embodiment of the identity authentication method in case (four), the message encryption key negotiation process between REQ and AAC is merged in parallel into the identity authentication process, which is more convenient for engineering implementation. The identity authentication method comprises the following steps:
S601, AAC generates Nonce_AAC and KeyInfo_AAC, and generates Security capabilities_AAC as required.
S602, AAC sends a key request message AACInit to REQ.
AACInit comprises Nonce_AAC, KeyInfo_AAC, Security capabilities_AAC and ID_AS_AAC. Here, Security capabilities_AAC and ID_AS_AAC are optional fields.
S603, after receiving AACInit, REQ performs the following operations:
(1) Generate Nonce_REQ, Nonce_REQID, Nonce_REQPub and KeyInfo_REQ.
(2) Generate ID_AS_REQ and Security capabilities_REQ as required.
(3) Using the temporary private key corresponding to KeyInfo_REQ and the temporary public key included in KeyInfo_AAC, perform the key exchange calculation to generate a first key K1; then, using a negotiated or preset key derivation algorithm, calculate a message encryption key and a message integrity check key from K1 combined with Nonce_AAC, Nonce_REQ and other information (the other information used by REQ and AAC is the same and optional, such as a specific string). Of course, this step may also be performed later, when the message encryption key and the message integrity check key are first needed.
(4) Calculate EncPub_AS_REQ using the public key of the encryption certificate.
(5) Calculate the digital signature Sig_REQ of REQ.
S604, REQ sends an identity ciphertext message REQInit to AAC.
REQInit comprises Nonce_AAC, Nonce_REQ, Security capabilities_REQ, KeyInfo_REQ, ID_AS_REQ, EncPub_AS_REQ and Sig_REQ. Here, Nonce_AAC should equal the corresponding field in AACInit; Security capabilities_REQ and ID_AS_REQ are optional fields; EncPub_AS_REQ includes ID_REQ, Cert_REQ, Nonce_REQID and Nonce_REQPub; the signature data of Sig_REQ includes the other fields in REQInit preceding Sig_REQ, e.g. Nonce_AAC, Nonce_REQ, Security capabilities_REQ, KeyInfo_REQ, ID_AS_REQ and EncPub_AS_REQ.
S605, after receiving REQInit, AAC performs the following operations:
(1) Check whether Nonce_AAC in REQInit is consistent with the Nonce_AAC generated by AAC; if not, discard REQInit.
(2) Using the temporary private key corresponding to KeyInfo_AAC and the temporary public key included in KeyInfo_REQ, perform the key exchange calculation to generate a first key K1; then, using a negotiated or preset key derivation algorithm, calculate a message encryption key and a message integrity check key from K1 combined with Nonce_AAC, Nonce_REQ and other information (the other information used by AAC and REQ is the same and optional, such as a specific string).
(3) Calculate EncPub_AS_AAC using the public key of the encryption certificate.
(4) Calculate MIC_AAC.
(5) The process of determining the AS-AAC participating in identity authentication is the same as that described for the embodiment of fig. 5.
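The key exchange and key derivation step that recurs in S405, S503 step (3), S505 step (2), S603 step (3) and S605 step (2), carried through on both sides, as an added example that is not part of the patent or of any China Iwncomm code. The patent leaves the key exchange and the key derivation algorithm open; here finite-field Diffie-Hellman over the RFC 3526 group 14 prime (transcribed from memory, so treated as an assumption) stands in for the temporary-key exchange, and an HMAC-SHA256 extract-then-expand construction stands in for the "negotiated or preset key derivation algorithm". Nonce lengths and the sample "other information" string are constructed.

```python
"""Key exchange plus derivation of the message encryption key and message integrity
check key from K1, Nonce_AAC, Nonce_REQ and optional other information.
Added example, not the patent's own code. Assumptions: finite-field Diffie-Hellman
over the RFC 3526 group 14 prime stands in for the unspecified temporary-key
exchange, and an HMAC-SHA256 extract-then-expand construction stands in for the
"negotiated or preset key derivation algorithm"."""
import hashlib
import hmac
import secrets

# 2048-bit MODP prime from RFC 3526 (group 14), generator 2 (assumed transcription).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
K1_LEN = (P.bit_length() + 7) // 8


def keyinfo_generate():
    """Temporary key pair: the public value travels in KeyInfo, the private stays local."""
    priv = secrets.randbits(255) + 2
    return priv, pow(G, priv, P)


def key_exchange(own_priv, peer_pub):
    """First key K1 from the own temporary private key and the peer's temporary public key.
    Degenerate public values (0, 1, P-1 or out of range) are rejected, since they would
    force K1 into a tiny set regardless of the private key."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid temporary public key")
    return pow(peer_pub, own_priv, P).to_bytes(K1_LEN, "big")


def derive_keys(k1, nonce_aac, nonce_req, other_info=b""):
    """Message encryption key and message integrity check key from K1 combined with
    Nonce_AAC, Nonce_REQ and the optional other information (identical on both sides).
    Extract: PRK = HMAC(Nonce_AAC || Nonce_REQ, K1); expand: two chained HMAC blocks."""
    prk = hmac.new(nonce_aac + nonce_req, k1, hashlib.sha256).digest()
    enc_key = hmac.new(prk, other_info + b"\x01", hashlib.sha256).digest()
    mic_key = hmac.new(prk, enc_key + other_info + b"\x02", hashlib.sha256).digest()
    return enc_key, mic_key


def run_exchange(other_info=b"constructed other information"):
    """Both ends of the exchange. Returns (AAC keys, REQ keys); they must be equal."""
    nonce_aac, nonce_req = secrets.token_bytes(32), secrets.token_bytes(32)
    aac_priv, keyinfo_aac = keyinfo_generate()   # S501 / S601
    req_priv, keyinfo_req = keyinfo_generate()   # S503 / S603 step (1)
    # REQ: own temporary private key + AAC's temporary public key (S503 / S603 step (3))
    req_keys = derive_keys(key_exchange(req_priv, keyinfo_aac), nonce_aac, nonce_req, other_info)
    # AAC: own temporary private key + REQ's temporary public key (S505 / S605 step (2))
    aac_keys = derive_keys(key_exchange(aac_priv, keyinfo_req), nonce_aac, nonce_req, other_info)
    return aac_keys, req_keys


if __name__ == "__main__":
    aac_keys, req_keys = run_exchange()
    print("both sides derived the same keys:", aac_keys == req_keys)
```

Mixing both nonces into the derivation is what ties the session keys to this run of the protocol: the same K1 with a different Nonce_REQ yields unrelated keys, and the rejection of degenerate public values in key_exchange is the check a practitioner would keep even when a different exchange is substituted.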
S606, AAC sends a first authentication request message AACVeri to AS-AAC.
AACVeri comprises REQInit, EncPub_AS_AAC, Nonce_AAC and MIC_AAC. Here, EncPub_AS_AAC is generated by AAC encrypting information including ID_AAC, Nonce_AACID and Nonce_AACPub with the public key of the encryption certificate; MIC_AAC is the hash value that AAC calculates, using the pre-shared key K_AAC_AS shared with AS-AAC and a hash algorithm agreed with AS-AAC, over the other fields in AACVeri preceding MIC_AAC.
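The MIC_AAC construction and its verification at AS-AAC, as described for AACVeri in S406/S407, S506/S507 and S606/S610 (MIC_AS_AAC on ASVeri is built the same way with the roles swapped), as an added example that is not part of the patent or of any China Iwncomm code. HMAC-SHA256 stands in for the hash algorithm agreed between AAC and AS-AAC, fields are serialised with a 2-byte length prefix, and the local policy on failure is modelled as a parameter; the sample key table and field values are constructed.

```python
"""MIC_AAC / MIC_AS_AAC: a keyed hash over the fields of the message that precede the
MIC, computed with the pre-shared key K_AAC_AS held by AAC and AS-AAC. Added example,
not the patent's own code. Assumptions: HMAC-SHA256 stands in for the hash algorithm
agreed between AAC and AS-AAC, fields are serialised with a 2-byte length prefix,
and the local-policy choice on failure is modelled as a parameter."""
import hashlib
import hmac
import struct


def encode_fields(fields):
    """Length-prefixed concatenation, so that the MIC input is unambiguous:
    (b"ab", b"c") and (b"a", b"bc") must not hash to the same value."""
    out = b""
    for f in fields:
        if len(f) > 0xFFFF:
            raise ValueError("field too long for 2-byte length prefix")
        out += struct.pack(">H", len(f)) + f
    return out


def compute_mic(psk, preceding_fields):
    """Hash value over the other fields preceding the MIC, keyed with K_AAC_AS."""
    return hmac.new(psk, encode_fields(preceding_fields), hashlib.sha256).digest()


def build_aacveri(psk, encpub_as_req, nonce_req, encpub_as_aac, nonce_aac):
    """AAC side (S406): fields in order, MIC_AAC last, computed over everything before it."""
    fields = [encpub_as_req, nonce_req, encpub_as_aac, nonce_aac]
    return fields + [compute_mic(psk, fields)]


def verify_aacveri(psk_table, id_aac, aacveri, policy="illegal"):
    """AS-AAC side (S407 step (2)): look up K_AAC_AS by ID_AAC, recompute MIC_AAC over
    the preceding fields and compare in constant time. Returns Res_AAC: "legal" on
    success; on failure either "illegal" or None (meaning: discard AACVeri), as the
    local policy dictates."""
    fail = None if policy == "discard" else "illegal"
    psk = psk_table.get(id_aac)
    if psk is None:                      # unknown AAC: there is no key to verify with
        return fail
    *preceding, received_mic = aacveri
    if hmac.compare_digest(compute_mic(psk, preceding), received_mic):
        return "legal"
    return fail


# Constructed sample data (not from the patent).
PSK_TABLE = {b"aac-01": bytes(range(32))}
SAMPLE_FIELDS = (b"EncPub_AS_REQ-blob", b"nonce-req-0123456789abcdef",
                 b"EncPub_AS_AAC-blob", b"nonce-aac-fedcba9876543210")


def demo():
    """Genuine message, a message altered in transit, the same under a discard
    policy, and a message from an AAC the server has no key for."""
    msg = build_aacveri(PSK_TABLE[b"aac-01"], *SAMPLE_FIELDS)
    tampered = list(msg)
    tampered[1] = b"nonce-req-0123456789abcdeX"     # one byte of Nonce_REQ changed
    return (verify_aacveri(PSK_TABLE, b"aac-01", msg),
            verify_aacveri(PSK_TABLE, b"aac-01", tampered),
            verify_aacveri(PSK_TABLE, b"aac-01", tampered, policy="discard"),
            verify_aacveri(PSK_TABLE, b"aac-99", msg))


if __name__ == "__main__":
    print(demo())
```

The length prefix matters because the MIC is defined over a concatenation of variable-length fields: without it, two different field splits can produce the same byte string and therefore the same MIC, and hmac.compare_digest keeps the comparison itself from leaking how many leading bytes matched.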
S607, AS-AAC sends a second decryption request message AS-AACReq to CS-DEC.
AS-AACReq comprises EncPub_AS_AAC.
S608, CS-DEC decrypts EncPub_AS_AAC using the private key corresponding to the encryption certificate to obtain ID_AAC, Nonce_AACPub and Nonce_AACID.
S609, the CS-DEC sends a second decryption response message CS-DECRep to the AS-AAC.
CS-DECRep includes ID_AAC, Nonce_AACPub and Nonce_AACID.
S610, after receiving CS-DECRep, AS-AAC performs the following operations:
(1) Verify MIC_AAC to obtain Res_AAC, and generate Pub_AAC from information including Res_AAC and ID_AAC; for the verification process see the relevant content of the embodiment of fig. 4.
(2) XOR ID_AAC with Nonce_AACID to obtain ID_AAC⊕Nonce_AACID, and XOR Pub_AAC with Nonce_AACPub to obtain Pub_AAC⊕Nonce_AACPub.
(3) Calculate a second digital signature Sig_AS_AAC2.
S611, the AS-AAC sends a second authentication request message AS-AACVeri to the AS-REQ.
AS-AACVeri comprises REQInit, ID_AAC⊕Nonce_AACID, Pub_AAC⊕Nonce_AACPub and Sig_AS_AAC2. Here, the signature data of Sig_AS_AAC2 comprises the other fields in AS-AACVeri preceding Sig_AS_AAC2.
S612, after receiving AS-AACVeri, AS-REQ verifies Sig_AS_AAC2 using the public key of AS-AAC.
If verification passes, S613 is executed.
S613, AS-REQ sends a first decryption request message AS-REQReq to CS-DEC.
AS-REQReq comprises EncPub_AS_REQ.
S614, CS-DEC decrypts EncPub_AS_REQ using the private key corresponding to the encryption certificate to obtain ID_REQ, Cert_REQ, Nonce_REQID and Nonce_REQPub.
S615, the CS-DEC sends a first decryption response message CS-DECRep to the AS-REQ.
CS-DECRep includes ID_REQ, Cert_REQ, Nonce_REQID and Nonce_REQPub.
S616, after receiving CS-DECRep, AS-REQ performs the following operations:
(1) Verify Sig_REQ using Cert_REQ; if verification fails, discard CS-DECRep.
(2) Verify Cert_REQ to obtain Res_REQ, and generate Pub_REQ from information including Res_REQ.
(3) XOR ID_REQ with Nonce_REQID to obtain ID_REQ⊕Nonce_REQID, and XOR Pub_REQ with Nonce_REQPub to obtain Pub_REQ⊕Nonce_REQPub.
(4) Calculate a first digital signature Sig_AS_REQ1 and a third digital signature Sig_AS_REQ3.
S617, the AS-REQ sends a second authentication response message AS-REQVeri to the AS-AAC.
AS-REQVeri includes ID_REQ⊕Nonce_REQID, Nonce_REQ, Pub_AAC⊕Nonce_AACPub, Sig_AS_REQ1, ID_AAC⊕Nonce_AACID, Nonce_AAC, Pub_REQ⊕Nonce_REQPub and Sig_AS_REQ3. Here, the signature data of Sig_AS_REQ1 includes ID_REQ⊕Nonce_REQID, Nonce_REQ and Pub_AAC⊕Nonce_AACPub, and the signature data of Sig_AS_REQ3 includes ID_AAC⊕Nonce_AACID, Nonce_AAC and Pub_REQ⊕Nonce_REQPub.
S618, after receiving AS-REQVeri, AS-AAC performs the following operations:
(1) Verify Sig_AS_REQ3 using the public key of AS-REQ; if verification fails, discard AS-REQVeri.
(2) Calculate a first message authentication code MIC_AS_AAC of AS-AAC.
S619, the AS-AAC sends a first authentication response message ASVeri to the AAC.
ASVeri comprises ID_REQ⊕Nonce_REQID, Nonce_REQ, Pub_AAC⊕Nonce_AACPub, Sig_AS_REQ1, ID_AAC⊕Nonce_AACID, Nonce_AAC, Pub_REQ⊕Nonce_REQPub and MIC_AS_AAC. Here, ID_REQ⊕Nonce_REQID, Nonce_REQ, Pub_AAC⊕Nonce_AACPub, Sig_AS_REQ1, ID_AAC⊕Nonce_AACID, Nonce_AAC and Pub_REQ⊕Nonce_REQPub should each equal the corresponding field in AS-REQVeri. MIC_AS_AAC is the hash value that AS-AAC calculates, using K_AAC_AS and the hash algorithm agreed with AAC, over information including ID_AAC⊕Nonce_AACID, Nonce_AAC and Pub_REQ⊕Nonce_REQPub.
S620, after receiving ASVeri, AAC performs the following operations:
(1) XOR ID_AAC⊕Nonce_AACID with Nonce_AACID to recover ID_AAC, and check whether ID_AAC and Nonce_AAC are respectively the same as AAC's own identity ID_AAC and the Nonce_AAC generated by AAC; if not, discard ASVeri.
(2) Verify MIC_AS_AAC; if verification fails, discard ASVeri. For the verification process see the relevant content of the embodiment of fig. 4.
(3) Calculate EncData_AAC using the message encryption key.
(4) Calculate MacTag_AAC.
S621, AAC sends a third authentication response message AACAuth to REQ.
AACAuth comprises Nonce_AAC, Nonce_REQ, EncData_AAC and MacTag_AAC. Here, Nonce_REQ and Nonce_AAC are optional fields and should respectively equal Nonce_REQ in REQInit and the Nonce_AAC generated by AAC. EncData_AAC is generated by AAC encrypting, with the message encryption key and a symmetric encryption algorithm, data including ID_REQ⊕Nonce_REQID, Nonce_REQ, Pub_AAC⊕Nonce_AACPub, Nonce_AACPub, Sig_AS_REQ1 and ID_AAC. The calculation of MacTag_AAC is as described for the embodiment of fig. 3.
S622, after receiving AACAuth, REQ performs the following operations:
(1) If Nonce_REQ and/or Nonce_AAC is present in AACAuth, check whether Nonce_REQ is the same as the Nonce_REQ generated by REQ, and/or check whether Nonce_AAC is the same as Nonce_AAC in AACInit.
(2) Verify MacTag_AAC; the verification process is as described for the embodiment of fig. 3.
(3) Decrypt EncData_AAC using the message encryption key to obtain ID_REQ⊕Nonce_REQID, Nonce_REQ, Pub_AAC⊕Nonce_AACPub, Nonce_AACPub, Sig_AS_REQ1 and ID_AAC.
(4) XOR ID_REQ⊕Nonce_REQID with Nonce_REQID to recover ID_REQ, and XOR Pub_AAC⊕Nonce_AACPub with Nonce_AACPub to recover Pub_AAC.
(5) Check whether ID_REQ and Nonce_REQ are respectively the same as REQ's own identity ID_REQ and the Nonce_REQ generated by REQ.
(6) Check whether the ID_AAC in Pub_AAC is consistent with the ID_AAC obtained by decryption.
(7) Verify Sig_AS_REQ1 using the public key of AS-REQ.
(8) If any of the above checks or verifications fails, immediately discard AACAuth; once all of them pass, determine the identity authentication result of AAC according to Res_AAC in Pub_AAC; if AAC is illegal, end the authentication process.
(9) Calculate EncData_REQ using the message encryption key, and calculate MacTag_REQ.
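The XOR masking of identities and results (ID_REQ⊕Nonce_REQID, Pub_AAC⊕Nonce_AACPub, produced in S407 step (5), S513 step (2), S610 step (2) and S616 step (3)) together with the REQ-side recovery and consistency checks of S411, S519 and S622 steps (4) to (8), as an added example that is not part of the patent or of any China Iwncomm code. It assumes a constructed Pub_AAC layout (16-byte ID_AAC followed by a 1-byte Res_AAC) and takes the Sig_AS_AAC1 / Sig_AS_REQ1 check as a caller-supplied callable; the demo supplies an HMAC stand-in for that callable, which is not a public-key signature. All identities and nonces are constructed.

```python
"""Identity masking by XOR with a one-time nonce (ID_REQ⊕Nonce_REQID,
Pub_AAC⊕Nonce_AACPub) and the REQ-side recovery and consistency checks of
S411 / S519 / S622. Added example, not the patent's own code. Assumptions: Pub_AAC is
laid out as a 16-byte ID_AAC followed by a 1-byte Res_AAC; the digital-signature
check is passed in as a callable, and the demo uses an HMAC stand-in for it."""
import hashlib
import hmac
import secrets


def xor_mask(value, nonce):
    """value ⊕ nonce. The nonce must be at least as long as the value and must be used
    for one value only; applying the same function again recovers the value."""
    if len(nonce) < len(value):
        raise ValueError("nonce shorter than the value it masks")
    return bytes(v ^ n for v, n in zip(value, nonce))


def encode_pub(id_aac, res_legal):
    """Constructed Pub_AAC layout: 16-byte ID_AAC || 1-byte result (assumption)."""
    if len(id_aac) != 16:
        raise ValueError("ID_AAC must be 16 bytes in this layout")
    return id_aac + (b"\x01" if res_legal else b"\x00")


def decode_pub(pub):
    return pub[:16], pub[16:17] == b"\x01"


def req_check_aacauth(plain, own_id_req, own_nonce_req, nonce_reqid, verify_sig):
    """Steps (4) to (8) of S411 on the decrypted EncData_AAC.
    plain: dict with the fields listed for EncData_AAC in S410. Returns "legal" or
    "illegal" from Res_AAC, or None when a check fails and AACAuth must be discarded."""
    id_req = xor_mask(plain["id_req_masked"], nonce_reqid)              # (4)
    pub_aac = xor_mask(plain["pub_aac_masked"], plain["nonce_aacpub"])  # (4)
    if id_req != own_id_req or plain["nonce_req"] != own_nonce_req:     # (5)
        return None
    pub_id, res_legal = decode_pub(pub_aac)
    if pub_id != plain["id_aac"]:                                        # (6)
        return None
    signed = plain["id_req_masked"] + plain["nonce_req"] + plain["pub_aac_masked"]
    if not verify_sig(signed, plain["sig"]):                             # (7)
        return None
    return "legal" if res_legal else "illegal"                           # (8)


def demo(tamper=False):
    """Server side produces the masked fields (S407 step (5)); REQ checks them.
    With tamper=True the ID_AAC carried in EncData_AAC no longer matches Pub_AAC."""
    id_req, id_aac = b"req-" + b"0" * 12, b"aac-" + b"1" * 12
    nonce_req, nonce_reqid, nonce_aacpub = (secrets.token_bytes(32) for _ in range(3))
    sig_key = secrets.token_bytes(32)   # stand-in for the AS signing key (assumption)
    sign = lambda m: hmac.new(sig_key, m, hashlib.sha256).digest()
    verify = lambda m, s: hmac.compare_digest(sign(m), s)

    id_req_masked = xor_mask(id_req, nonce_reqid)
    pub_aac_masked = xor_mask(encode_pub(id_aac, True), nonce_aacpub)
    plain = {
        "id_req_masked": id_req_masked, "nonce_req": nonce_req,
        "pub_aac_masked": pub_aac_masked,
        "sig": sign(id_req_masked + nonce_req + pub_aac_masked),
        "nonce_aacpub": nonce_aacpub,
        "id_aac": (b"aac-" + b"2" * 12) if tamper else id_aac,
    }
    return req_check_aacauth(plain, id_req, nonce_req, nonce_reqid, verify)


if __name__ == "__main__":
    print(demo(), demo(tamper=True))
```

The masking nonces (Nonce_REQID, Nonce_AACPub) only reach the peers inside EncPub and EncData, so the XOR hides the identities from anyone who sees ASVeri or AACAuth in transit; the length check in xor_mask is the guard that keeps a short nonce from leaving the tail of an identity in the clear.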
S623, REQ sends a fourth authentication response message REQAuth to AAC.
The REQAUth comprises NonceAAC、NonceREQ、EncDataREQAnd MactagREQ. Wherein, NonceAACAnd NonceREQAre optional fields and should be equal to Nonce in AACInit, respectivelyAACAnd REQ generated NonceREQ;EncDataREQIncluding NonceREQPub;MacTagREQAs described in relation to the embodiment of fig. 3.
After receiving REQAUth, the AAC 624 executes the following operations, including:
(1) if the Nonce exists in REQAuthAACAnd/or NonceREQCheck the NonceAACAnd the Nonce for AAC generationAACWhether they are the same, and/or, check NonceREQWhether or not to match the Nonce in REQInitREQThe same;
(2) verification of MacTagREQ(ii) a The verification process is described in relation to the embodiment of fig. 3;
(3) decrypting EncData using message encryption keyREQObtain the NonceREQPub
(4) And use of the NonceREQPubFor PubREQ⊕NonceREQPubRecovering Pub by XOR operationREQ
(5) If all the above checks and verifications pass, then according to PubREQRes in (1)REQDetermining the identity authentication result of the REQ; if any of the above checks and verifications fail, REQAuth is immediately discarded.
Therefore, identity authentication of AAC and REQ under roaming conditions is achieved in S622 and S624 respectively, that is, bidirectional identity authentication of REQ and AAC is achieved, and identity protection of REQ and AAC is achieved by transmitting authentication results of REQ and AAC in ciphertext in the whole process.
Note that the second digital signature Sig in S610 and S611AS_AAC2May be replaced by a second message authentication code MICAS_AAC2Wherein, MICAS_AAC2The AS-AAC utilizes a pre-shared key with the AS-REQ and adopts a hash algorithm agreed with the AS-REQ to carry out MIC in AS-AACVeriAS_AAC2The hash value of the previous other field calculation; the AS-REQ verifies Sig in S612AS_AAC2Replacement to verify MICAS_AAC2. Third digital signature Sig in S616 and S617AS_REQ3Can be replaced by a third message authentication code MICAS_REQ3Wherein, MICAS_REQ3The AS-REQ uses a pre-shared key with the AS-AAC and adopts the agreement with the AS-AACHashing algorithm pair including ID in AS-REQVeriAAC⊕NonceAACID、NonceAACAnd PubREQ⊕NonceREQPubA hash value computed over the inner field; the AS-AAC verification Sig in S618AS_REQ3Replace with verifying MICAS_REQ3
In the above embodiments, each message may also carry a hash value HASH_X_Y, which the sender entity X of the message obtains by applying a hash algorithm to the latest preamble message received from the peer entity Y; it is used by entity Y to verify whether entity X received the complete latest preamble message. Here HASH_REQ_AAC denotes the hash value calculated by the REQ over the latest preamble message received from the AAC, HASH_AAC_REQ the hash value calculated by the AAC over the latest preamble message received from the REQ, HASH_AAC_AS-AAC the hash value calculated by the AAC over the latest preamble message received from the AS-AAC, HASH_AS-AAC_AAC the hash value calculated by the AS-AAC over the latest preamble message received from the AAC, HASH_AS-AAC_AS-REQ the hash value calculated by the AS-AAC over the latest preamble message received from the AS-REQ, and HASH_AS-REQ_AS-AAC the hash value calculated by the AS-REQ over the latest preamble message received from the AS-AAC. If the message currently sent by entity X is the first message exchanged between entity X and entity Y, meaning that entity X has not received any preamble message from the peer entity Y, HASH_X_Y in that message may be absent or meaningless.
Correspondingly, after the peer entity Y receives the message sent by entity X, if the message contains HASH_X_Y: when entity Y has not yet sent a preamble message to entity X, entity Y ignores HASH_X_Y; when entity Y has sent a preamble message to entity X, entity Y locally calculates, using the hash algorithm, the hash value of the latest preamble message it previously sent to entity X and compares it with the HASH_X_Y carried in the received message; if they are consistent, the subsequent steps are executed, otherwise the message is discarded or the authentication process is ended.
In the present invention, for an entity X, a preamble message sent by the peer entity Y to entity X means a message from the peer entity Y that entity X received before sending message M to the peer entity Y; the latest preamble message sent by the peer entity Y to entity X means the most recent such message received by entity X before it sends message M to the peer entity Y. If the message M sent by entity X to the peer entity Y is the first message exchanged between entity X and entity Y, no preamble message from the peer entity Y to entity X exists before entity X sends message M.
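The HASH_X_Y bookkeeping described above, as an added example that is not part of the patent text. It assumes SHA-256 as the agreed hash algorithm, a constructed dictionary message format with a field named HASH_X_Y, and a simple canonical byte encoding that both sides share; the exchange it replays (AACInit, then REQInit, once intact and once with AACInit altered in transit) is constructed.

```python
import hashlib
import hmac
from typing import Dict, Optional

HASH_FIELD = "HASH_X_Y"  # assumed field name in the constructed message format


class PreambleTracker:
    """Per-entity state for the HASH_X_Y mechanism: what was last sent to and received from each peer."""

    def __init__(self, name: str):
        self.name = name
        self.last_sent: Dict[str, bytes] = {}      # peer -> latest message we sent to that peer
        self.last_received: Dict[str, bytes] = {}  # peer -> latest preamble message from that peer

    @staticmethod
    def h(m: bytes) -> bytes:
        return hashlib.sha256(m).digest()  # assumed agreed hash algorithm

    @staticmethod
    def encode(msg: dict) -> bytes:
        """Canonical bytes the hash is computed over; both entities must agree on it."""
        parts = [msg["from"].encode(), msg["body"]]
        if HASH_FIELD in msg:
            parts.append(msg[HASH_FIELD])
        return b"|".join(parts)

    def build(self, peer: str, body: bytes) -> dict:
        """Compose message M to `peer`; HASH_X_Y is only added once a preamble message exists."""
        msg = {"from": self.name, "body": body}
        pre: Optional[bytes] = self.last_received.get(peer)
        if pre is not None:  # first message of the exchange carries no meaningful HASH_X_Y
            msg[HASH_FIELD] = self.h(pre)
        self.last_sent[peer] = self.encode(msg)
        return msg

    def accept(self, msg: dict) -> bool:
        """Entity Y receiving from X. True = continue processing, False = discard / end authentication."""
        peer = msg["from"]
        carried = msg.get(HASH_FIELD)
        pre = self.last_sent.get(peer)
        if carried is not None and pre is not None:
            # Y has sent a preamble message: X must have received it complete
            if not hmac.compare_digest(self.h(pre), carried):
                return False
        # carried is None (first message) or pre is None (nothing sent yet): HASH_X_Y is ignored
        self.last_received[peer] = self.encode(msg)
        return True


def demo():
    """Constructed AAC/REQ exchange: intact run, then AACInit altered in transit."""
    aac, req = PreambleTracker("AAC"), PreambleTracker("REQ")
    ok_first = req.accept(aac.build("REQ", b"AACInit"))     # first message, no HASH field
    m2 = req.build("AAC", b"REQInit")                       # carries HASH_REQ_AAC over AACInit
    ok_match = aac.accept(m2)
    aac2, req2 = PreambleTracker("AAC"), PreambleTracker("REQ")
    altered = dict(aac2.build("REQ", b"AACInit"), body=b"AACInit-altered")
    req2.accept(altered)                                    # REQ saw a different AACInit
    ok_altered = aac2.accept(req2.build("AAC", b"REQInit")) # hash mismatch -> discard
    return ok_first, ok_match, HASH_FIELD in m2, ok_altered


if __name__ == "__main__":
    print(demo())  # (True, True, True, False)
```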
The optional fields and optional operations in the embodiments corresponding to fig. 3 to 6 are denoted by "") in fig. 3 to 6 of the drawings in the specification. In all the above embodiments, the order of the contents included in a message is not limited, and unless otherwise specified, neither the order of operations on a message nor the order in which the recipient processes the contents of a received message is limited.
Based on the method embodiments corresponding to fig. 1 to fig. 6, referring to fig. 7, an embodiment of the present application further provides a requesting device 700, including:
an encrypting module 710, configured to encrypt information that includes identity information of the requesting device and a first identity key of the requesting device with a public key of an encryption certificate to generate a first identity information ciphertext, where the identity information of the requesting device includes a digital certificate of the requesting device, and the first identity key includes a second key;
a sending module 720, configured to send an identity ciphertext message to an authentication access controller, where the identity ciphertext message includes the first identity information ciphertext;
a receiving module 730, configured to receive a third authentication response message sent by the authentication access controller, where the third authentication response message includes an identity authentication result information ciphertext generated by the authentication access controller encrypting, by using a message encryption key, encrypted data including the first authentication result information and the first digital signature; the first authentication result information includes a first verification result for the authentication access controller, and the first digital signature is a digital signature generated by a second authentication server trusted by the requesting device through calculation on signature data including the first authentication result information;
a decryption module 740, configured to decrypt the identity authentication result information ciphertext using the message encryption key to obtain the first authentication result information and the first digital signature;
a verification module 750, configured to verify the first digital signature by using the public key of the second authentication server, and if the first digital signature passes the verification, a determination module 760 determines an identity authentication result of the authentication access controller according to a first verification result in the first authentication result information; when the determining module 760 determines that the identity authentication result of the authentication access controller is legal, the sending module 720 sends a fourth authentication response message to the authentication access controller; or,
the verification module 750 is configured to verify the first digital signature by using the public key of the second authentication server, and if the first digital signature passes the verification, the sending module 720 sends a fourth authentication response message to the authentication access controller, and the determining module 760 determines the identity authentication result of the authentication access controller according to the first verification result in the first authentication result information; or,
the verification module 750 is configured to verify the first digital signature with the public key of the second authentication server; if the first digital signature passes the verification, the determining module 760 determines the identity authentication result of the authentication access controller according to the first verification result in the first authentication result information; the sending module 720 sends a fourth authentication response message to the authentication access controller;
wherein the fourth authentication response message includes a second key ciphertext generated by the encryption module 710 encrypting information including the second key with a message encryption key.
Optionally, the receiving module 730 is further configured to: before the sending module 720 sends the identity ciphertext message, receiving a key request message sent by the authentication access controller, where the key request message includes a key exchange parameter of the authentication access controller; the requesting device further includes:
a calculation module, configured to perform key exchange calculation according to a temporary private key corresponding to a key exchange parameter of the requesting device and a temporary public key included in a key exchange parameter of the authentication access controller to generate a first key, and calculate the message encryption key according to information including the first key by using a key derivation algorithm;
the identity cryptogram message also includes the key exchange parameters of the requesting device.
Optionally, the key request message further includes a first random number generated by the authentication access controller; the calculation module is specifically configured to: calculating the message encryption key from information including the first key, the first random number, and a second random number generated by the requesting device; correspondingly, the identity ciphertext message further includes the second random number.
Optionally, the key request message further includes security capability parameter information supported by the authentication access controller; the determining module 760 is further configured to determine a specific security policy used by the requesting device according to the security capability parameter information; the particular security policy is also included in the identity ciphertext message.
Optionally, the key request message further includes an identity of at least one authentication server trusted by the authentication access controller; the determining module 760 is further configured to determine, according to the identity of the at least one authentication server trusted by the authentication access controller, the identity of the at least one authentication server trusted by the requesting device; the identity cryptogram message further includes an identity of at least one authentication server trusted by the requesting device.
Optionally, the identity ciphertext message sent by the sending module 720 further includes an identity of at least one authentication server trusted by the requesting device.
Optionally, the identity information of the requesting device further includes an identity of the requesting device; the first identity key further comprises a third key; the first authentication response message further includes an identity ciphertext of the requesting device; the identity identification ciphertext of the request equipment is generated by encrypting information including the identity identification of the request equipment by using the third key;
the encrypted data of the identity authentication result information ciphertext in the third authentication response message further comprises an identity identification ciphertext of the request device; the decryption module decrypts the identity authentication result information ciphertext to obtain the identity identification ciphertext of the request device;
the verification module 750 is further configured to verify the identity ciphertext of the requesting device according to the identity of the requesting device itself and the third key before the determination module 760 determines the identity authentication result of the authentication access controller.
Optionally, the third authentication response message received by the receiving module 730 further includes a first message integrity check code; the verification module 750 is further configured to verify the first message integrity check code by using a message integrity check key before the determination module 760 determines the identity authentication result of the authentication access controller; and the message integrity check key and the message encryption key are generated in the same way.
Optionally, the fourth authentication response message sent by the sending module 720 further includes a second message integrity check code, where the second message integrity check code is generated by the requesting device through calculation using a message integrity check key on fields including the fourth authentication response message except the second message integrity check code; and the message integrity check key and the message encryption key are generated in the same way.
Optionally, the first authentication result information is generated by encrypting information including a first verification result of the authentication access controller by using the fourth key; the encrypted data of the identity authentication result information ciphertext in the third authentication response message further comprises the fourth key;
the decryption module 740 is further configured to decrypt the identity authentication result information ciphertext to obtain the fourth key, and the decryption module 740 is further configured to decrypt the first authentication result information by using the fourth key to obtain the first verification result.
Optionally, the message sent by the requesting device to the authentication access controller further includes a hash value calculated by the requesting device for the latest preamble message sent by the authentication access controller.
Referring to fig. 8, an embodiment of the present application further provides an authentication access controller 800, including:
a receiving module 810, configured to receive an identity ciphertext message sent by a requesting device, where the identity ciphertext message includes a first identity information ciphertext; the first identity information ciphertext is generated by the requesting device encrypting information comprising the identity information of the requesting device and a first identity key of the requesting device by using a public key of an encryption certificate; the identity information of the requesting device comprises a digital certificate of the requesting device; the first identity key comprises a second key;
a sending module 820, configured to send a first authentication request message to a first authentication server trusted by the authentication access controller, where the first authentication request message includes the first identity information ciphertext and an identity authentication code of the authentication access controller; the identity authentication code of the authentication access controller is generated by the authentication access controller through calculation of information including the first identity information ciphertext by using a pre-shared key of the first authentication server and a cryptographic algorithm agreed with the first authentication server;
the receiving module 810 is further configured to receive a first authentication response message sent by the first authentication server, where the first authentication response message includes first authentication result information, a first digital signature of a second authentication server trusted by the requesting device, a second authentication result information ciphertext, and a first message authentication code of the first authentication server; the first authentication result information comprises a first verification result of the authentication access controller, the first digital signature is a digital signature generated by the second authentication server through calculation of signature data comprising the first authentication result information, the second authentication result information ciphertext is generated by encrypting information comprising second authentication result information by using the second key, the second authentication result information comprises a second verification result of a digital certificate of the request device, and the first message authentication code of the first authentication server is generated by the first authentication server through calculation of information comprising the second authentication result information ciphertext through a pre-shared key of the authentication access controller by using a cryptographic algorithm agreed with the authentication access controller;
a verification module 830, configured to verify the first message authentication code of the first authentication server by using a pre-shared key of the first authentication server and using a cryptographic algorithm agreed with the first authentication server;
the sending module 820 is further configured to send a third authentication response message to the requesting device if the verification is passed, where the third authentication response message includes an identity authentication result information ciphertext generated by the authentication access controller encrypting, by using a message encryption key, encrypted data including the first authentication result information and the first digital signature;
the receiving module 810 is further configured to receive a fourth authentication response message sent by the requesting device, where the fourth authentication response message includes a second key ciphertext generated by encrypting, with the message encryption key, information that includes the second key;
a decryption module 840, configured to decrypt the second key ciphertext with the message encryption key to obtain a second key, and decrypt the second authentication result information ciphertext with the second key to obtain second authentication result information;
a determining module 850, configured to determine an authentication result of the requesting device according to the second verification result in the second authentication result information.
Optionally, the sending module 820 is further configured to: before receiving the identity ciphertext message, sending a key request message to the requesting device, wherein the key request message comprises a key exchange parameter of the authentication access controller; the identity ciphertext message further includes a key exchange parameter of the requesting device; the authentication access controller further comprises:
a calculation module, configured to perform key exchange calculation according to a temporary private key corresponding to the key exchange parameter of the authentication access controller and a temporary public key included in the key exchange parameter of the requesting device to generate a first key, and to calculate the message encryption key by using a key derivation algorithm according to information including the first key.
Optionally, the key request message further includes a first random number generated by the authentication access controller; correspondingly, the identity ciphertext message further includes a second random number generated by the requesting device; the calculation module is specifically configured to: calculating the message encryption key from information including the first key, the first random number, and the second random number.
Optionally, the identity ciphertext message further includes the first random number; before the calculation module calculates the message encryption key, the verification module 830 is further configured to verify consistency between the first random number in the identity ciphertext message and the first random number generated by the authentication access controller.
Optionally, the key request message further includes an identity of at least one authentication server trusted by the authentication access controller; correspondingly, the identity ciphertext message further includes an identity of at least one authentication server trusted by the requesting device; the determining module 850 is further configured to determine the first authentication server according to the identity of the at least one authentication server trusted by the requesting device in the identity ciphertext message and the identity of the at least one authentication server trusted by the authentication access controller in the key request message.
Optionally, the identity ciphertext message further includes an identity of at least one authentication server trusted by the requesting device; the determining module 850 is further configured to determine the first authentication server according to the identity of the at least one authentication server trusted by the requesting device and the identity of the authentication server trusted by the authentication access controller.
Optionally, the first authentication request message further includes an identity of the authentication access controller and/or a first random number generated by the authentication access controller; correspondingly, the first authentication response message further includes an identity of the authentication access controller and/or the first random number; the verifying module 830 is further configured to verify the consistency between the identity of the authentication access controller in the first authentication response message and the identity of the authentication access controller before the sending module 820 sends the third authentication response message; and/or verifying the consistency of the first random number in the first authentication response message and the first random number generated by the authentication access controller.
Optionally, the first authentication request message further includes a second identity information ciphertext, where the second identity information ciphertext is generated by the authentication access controller encrypting, by using an encryption certificate, information including an identity of the authentication access controller and a second identity key of the authentication access controller, and the second identity key includes a fourth key and a fifth key;
correspondingly, the first authentication response message further comprises an identity identification ciphertext of the authentication access controller; the first authentication result information is generated by encrypting information including a first authentication result of the authentication access controller using the fourth key; the identity identification ciphertext of the authentication access controller is generated by encrypting information including the identity identification of the authentication access controller by using the fifth key;
the verification module 830 is further configured to: verifying the identity identification ciphertext of the authentication access controller according to the identity identification of the authentication access controller and the fifth key; if the verification is passed, the sending module 820 sends a third authentication response message to the requesting device; wherein, the encrypted data of the identity authentication result information ciphertext in the third authentication response message further comprises the fourth key.
Optionally, the third authentication response message sent by the sending module 820 further includes a first message integrity check code, where the first message integrity check code is generated by the authentication access controller through calculation of a message integrity check key on fields including the third authentication response message except the first message integrity check code; and the message integrity check key and the message encryption key are generated in the same way.
Optionally, the fourth authentication response message received by the receiving module 810 further includes a second message integrity check code; the verification module 830 is further configured to verify the second message integrity check code with a message integrity check key before the determination module 850 determines the identity authentication result of the requesting device; and the message integrity check key and the message encryption key are generated in the same way.
Optionally, when the identity ciphertext message further includes the digital signature of the requesting device, the determining module 850 is further configured to: before determining the identity authentication result of the requesting device, determine whether the digital signature of the requesting device passes the verification, and if the digital signature of the requesting device passes the verification, determine the identity authentication result of the requesting device according to the second verification result in the second authentication result information.
Optionally, the determining module 850 determines whether the digital signature of the requesting device is verified by:
the second authentication server verifies the digital signature of the requesting device by using the digital certificate of the requesting device, and if the receiving module 810 receives the first authentication response message, the determining module 850 determines that the digital signature of the requesting device is verified; or,
when the second authentication result information further includes the digital certificate of the requesting device, the verification module 830 verifies the digital signature of the requesting device by using the digital certificate of the requesting device, and the determination module 850 determines whether the digital signature of the requesting device passes the verification according to the verification result.
Optionally, the message sent by the authentication access controller to the requesting device further includes a hash value calculated by the authentication access controller for the latest preamble message sent by the requesting device; the message sent by the authentication access controller to the first authentication server further comprises a hash value calculated by the authentication access controller on the received latest preamble message sent by the first authentication server.
Referring to fig. 9, an embodiment of the present application further provides a first authentication server 900, including:
a receiving module 910, configured to receive a first authentication request message sent by an authentication access controller, where the first authentication request message includes a first identity information ciphertext and an identity authentication code of the authentication access controller; the first identity information ciphertext is generated by the requesting device encrypting information including the identity information of the requesting device and the first identity key of the requesting device using the public key of the encryption certificate; the identity information of the requesting device includes a digital certificate of the requesting device; the first identity key includes a second key; and the identity authentication code of the authentication access controller is generated by the authentication access controller through calculation of information including the first identity information ciphertext by using a pre-shared key of the first authentication server and a cryptographic algorithm agreed with the first authentication server;
a sending module 920, configured to send a first authentication response message to the authentication access controller, where the first authentication response message includes first authentication result information, a first digital signature of a second authentication server trusted by the requesting device, a second authentication result information ciphertext, and a first message authentication code of the first authentication server; the first authentication result information includes a first verification result of the authentication access controller, the first digital signature is a digital signature generated by the second authentication server through calculation of signature data including the first authentication result information, the second authentication result information ciphertext is generated by encrypting information including the second authentication result information through the second key, the second authentication result information includes a second verification result of the digital certificate of the request device, and the first message authentication code of the first authentication server is generated by the first authentication server through calculation of information including the second authentication result information ciphertext through a pre-shared key of the authentication access controller and through agreement of a cryptographic algorithm with the authentication access controller.
Optionally, the first authentication server 900 further includes:
the first verification module is used for verifying the identity authentication code of the authentication access controller to obtain a first verification result, decrypting the first identity information ciphertext by using a private key corresponding to an encrypted certificate to obtain a digital certificate and the second key of the request device, and verifying the validity of the digital certificate of the request device to obtain a second verification result;
a first generation module, configured to generate the first authentication result information according to information including the first authentication result, generate the second authentication result information according to information including the second authentication result, encrypt information including the second authentication result information with the second key to generate a second authentication result information ciphertext, calculate and generate a first digital signature for signature data including the first authentication result information, and calculate and generate a first message authentication code of the first authentication server for information including the second authentication result information ciphertext;
a second generating module, configured to generate the first authentication response message according to information including the first authentication result information, the first digital signature, the second authentication result information ciphertext, and a first message authentication code of the first authentication server.
Optionally, the first authentication server 900 further includes:
a second verification module, configured to verify the identity authentication code of the authentication access controller to obtain a first verification result;
a third generation module, configured to generate the first authentication result information according to information including the first verification result, and calculate and generate a second digital signature for signature data including the first authentication result information and the first identity information ciphertext or calculate and generate a second message authentication code for information including the first authentication result information and the first identity information ciphertext;
the sending module is further configured to send a second authentication request message to a second authentication server, where the second authentication request message includes the first authentication result information, the first identity information ciphertext, and the second digital signature, or the second authentication request message includes the first authentication result information, the first identity information ciphertext, and the second message authentication code;
the receiving module is further configured to receive a second authentication response message sent by the second authentication server, where the second authentication response message includes the first authentication result information, the first digital signature, a second authentication result information ciphertext, and a third digital signature, or the second authentication response message includes the first authentication result information, the first digital signature, the second authentication result information ciphertext, and a third message authentication code; wherein the first digital signature is generated by the second authentication server through calculation of signature data including the first authentication result information; the third digital signature is generated by the second authentication server through calculation of signature data including the second authentication result information ciphertext or the third message authentication code is generated by the second authentication server through calculation of information including the second authentication result information ciphertext;
a third verification module for verifying the third digital signature using the public key of the second authentication server or the third message authentication code using a pre-shared key with the second authentication server;
and a fourth generation module, configured to calculate, if the verification passes, information including the second authentication result information ciphertext to generate a first message authentication code of the first authentication server, and to generate the first authentication response message according to information including the first authentication result information, the first digital signature, the second authentication result information ciphertext, and the first message authentication code of the first authentication server.
Optionally, the message sent by the first authentication server to the authentication access controller further includes a hash value calculated by the first authentication server on the latest preceding message received from the authentication access controller; the message sent by the first authentication server to the second authentication server further includes a hash value calculated by the first authentication server on the latest preceding message received from the second authentication server.
Referring to fig. 10, an embodiment of the present application further provides a second authentication server 1000, including:
a receiving module 1010, configured to receive a second authentication request message sent by a first authentication server, where the second authentication request message includes first authentication result information, a first identity information ciphertext, and a second digital signature, or the second authentication request message includes the first authentication result information, the first identity information ciphertext, and a second message authentication code; the first identity information ciphertext is generated by encrypting information including identity information of the requesting device and a first identity key of the requesting device by using a public key of an encryption certificate, the identity information of the requesting device comprises a digital certificate of the requesting device, and the first identity key comprises a second key; the second digital signature is generated by the first authentication server through calculation of signature data including the first authentication result information and the first identity information ciphertext or the second message authentication code is generated by the first authentication server through calculation of information including the first authentication result information and the first identity information ciphertext;
a verification module 1020, configured to verify the second digital signature using a public key of the first authentication server or verify the second message authentication code using a pre-shared key of the first authentication server, and, if the verification passes, decrypt the first identity information ciphertext using the private key corresponding to the encryption certificate to obtain the digital certificate of the requesting device and the second key, and perform validity verification on the digital certificate of the requesting device to obtain a second verification result;
a generating module 1030, configured to generate the second authentication result information according to the information including the second verification result, encrypt the information including the second authentication result information by using the second key to generate a second authentication result information ciphertext, calculate and generate a first digital signature for signature data including the first authentication result information, calculate and generate a third digital signature for signature data including the second authentication result information ciphertext, or calculate and generate a third message authentication code for the information including the second authentication result information ciphertext;
a sending module 1040, configured to send a second authentication response message to the first authentication server, where the second authentication response message includes the first authentication result information, the first digital signature, the second authentication result information ciphertext, and the third digital signature, or the second authentication response message includes the first authentication result information, the first digital signature, the second authentication result information ciphertext, and the third message authentication code.
Optionally, the message sent by the second authentication server to the first authentication server further includes a hash value calculated by the second authentication server on the latest preceding message received from the first authentication server.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium may be at least one of the following media: various media capable of storing program codes, such as Read-Only Memory (ROM), RAM, magnetic disk, or optical disk.
It should be noted that, in the present specification, all the embodiments are described in a progressive manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, the apparatus and system embodiments are described in a relatively simple manner since they correspond to and are consistent with the method embodiments, and reference may be made to some of the descriptions of the method embodiments for related points. The above-described embodiments of the apparatus and system are merely illustrative, and the modules described as separate parts may or may not be physically separate, and the parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement without inventive effort.
The above description is only one specific embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present application should be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (48)

1. A method of identity authentication, the method comprising:
the authentication access controller receives an identity ciphertext message sent by a request device, wherein the identity ciphertext message comprises a first identity information ciphertext; the first identity information ciphertext is generated by the requesting device encrypting information comprising the identity information of the requesting device and a first identity key of the requesting device by using a public key of an encryption certificate; the identity information of the requesting device comprises a digital certificate of the requesting device; the first identity key comprises a second key;
the authentication access controller sends a first authentication request message to a first authentication server trusted by the authentication access controller, wherein the first authentication request message comprises the first identity information ciphertext and an identity authentication code of the authentication access controller; the identity authentication code of the authentication access controller is generated by the authentication access controller through calculation of information including the first identity information ciphertext by using a pre-shared key of the first authentication server and a cryptographic algorithm agreed with the first authentication server;
the authentication access controller receiving a first authentication response message sent by the first authentication server, the first authentication response message including first authentication result information, a first digital signature of a second authentication server trusted by the requesting device, a second authentication result information ciphertext, and a first message authentication code of the first authentication server; the first authentication result information comprises a first verification result of the authentication access controller, the first digital signature is a digital signature generated by the second authentication server through calculation of signature data comprising the first authentication result information, the second authentication result information ciphertext is generated by encrypting information comprising second authentication result information through the second key, the second authentication result information comprises a second verification result of a digital certificate of the request device, and the first message authentication code of the first authentication server is generated by the first authentication server through calculation of information comprising the second authentication result information ciphertext through a pre-shared key of the authentication access controller and a cryptographic algorithm agreed with the authentication access controller;
the authentication access controller verifies a first message authentication code of the first authentication server by using a pre-shared key of the first authentication server through a cryptographic algorithm agreed with the first authentication server, and if the verification is passed, sends a third authentication response message to the request device, wherein the third authentication response message comprises an identity authentication result information ciphertext generated by the authentication access controller through encrypting encrypted data comprising the first authentication result information and the first digital signature by using a message encryption key;
the requesting device decrypts the identity authentication result information ciphertext by using the message encryption key to obtain the first authentication result information and the first digital signature;
the requesting device verifies the first digital signature by using the public key of the second authentication server, and if the verification passes, determines the identity authentication result of the authentication access controller according to the first verification result in the first authentication result information; when the requesting device determines that the identity authentication result of the authentication access controller is legal, it sends a fourth authentication response message to the authentication access controller; or,
the requesting device verifies the first digital signature by using the public key of the second authentication server, and if the verification passes, sends a fourth authentication response message to the authentication access controller and determines the identity authentication result of the authentication access controller according to the first verification result in the first authentication result information; or,
the requesting device verifies the first digital signature using a public key of the second authentication server; if the first digital signature passes the verification, the requesting device determines the identity authentication result of the authentication access controller according to the first verification result in the first authentication result information; the requesting device sends a fourth authentication response message to the authentication access controller;
wherein the fourth authentication response message includes a second key ciphertext generated by encrypting information including the second key using the message encryption key;
and after receiving the fourth authentication response message, the authentication access controller decrypts the second key ciphertext by using the message encryption key to obtain a second key, decrypts the second authentication result information ciphertext by using the second key to obtain second authentication result information, and determines the identity authentication result of the request equipment according to a second verification result in the second authentication result information.
2. The method of claim 1, wherein before the authenticating access controller receives an identity ciphertext message sent by a requesting device, the method further comprises:
the authentication access controller sends a key request message to the request device, wherein the key request message comprises a key exchange parameter of the authentication access controller;
the requesting device performs key exchange calculation according to the temporary private key corresponding to the key exchange parameter of the requesting device and the temporary public key included in the key exchange parameter of the authentication access controller to generate a first key, and calculates the message encryption key by using a key derivation algorithm according to information including the first key;
the identity ciphertext message further includes a key exchange parameter of the requesting device;
and the authentication access controller performs key exchange calculation according to a temporary private key corresponding to key exchange parameters of the authentication access controller and a temporary public key included in the key exchange parameters of the request equipment to generate the first key, and calculates the message encryption key by using the key derivation algorithm according to information including the first key.
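The following Go program is an added worked example and is not code from the patent or from China Iwncomm. It plays the requesting device (REQ), the authentication access controller (AAC) and the authentication server (AS) of claims 1 and 2 in one process, in the configuration of claim 16 where the first and second authentication servers are the same server. The claims name no concrete algorithms, so every choice below is an assumption of this example: ECDH on P-256 for the key exchange parameters, HMAC-SHA256 as the key derivation algorithm and as the message authentication code, RSA-OAEP as the public-key encryption under the encryption certificate, ECDSA on P-256 for the first digital signature, and AES-256-GCM for every symmetric ciphertext. Certificate validity checking is reduced to a lookup in a list the server holds, the requesting device's "certificate" is a constructed string, and the names RunExchange, NewAuthServer, seal, open, mac, kdf and the Message numbering are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Symmetric primitives. The claims name no algorithms: AES-256-GCM (nonce prefixed), HMAC-SHA256 and an HMAC KDF are assumptions.
func seal(key, pt []byte) []byte {
	blk, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(blk)
	n := make([]byte, g.NonceSize())
	rand.Read(n)
	return g.Seal(n, n, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key) // a wrong-length key (a tampered K2, say) fails here instead of panicking
	if err != nil { return nil, err }
	g, _ := cipher.NewGCM(blk)
	if len(ct) < g.NonceSize() { return nil, fmt.Errorf("short ciphertext") }
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}
func mac(key, data []byte) []byte { m := hmac.New(sha256.New, key); m.Write(data); return m.Sum(nil) }
func kdf(k1 []byte) []byte        { return mac(k1, []byte("message encryption key")) }
func digest(b []byte) []byte      { h := sha256.Sum256(b); return h[:] }
func flag(ok bool) []byte         { if ok { return []byte{1} }; return []byte{0} }

// AuthServer is the one server trusted by both sides (claim 16). Certificate validity is reduced to a list lookup.
type AuthServer struct {
	encKey  *rsa.PrivateKey   // private key of the encryption certificate
	sigKey  *ecdsa.PrivateKey // signs the first authentication result information
	pskAAC  []byte            // pre-shared key with the authentication access controller
	trusted []string          // requesting-device certificates accepted as valid
}
func NewAuthServer(pskAAC []byte, trusted ...string) *AuthServer {
	enc, _ := rsa.GenerateKey(rand.Reader, 2048)
	sig, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &AuthServer{encKey: enc, sigKey: sig, pskAAC: pskAAC, trusted: trusted}
}

// RunExchange plays REQ, AAC and AS through claims 1 and 2 in one process; each "Message n" is one wire message.
func RunExchange(as *AuthServer, reqCert, aacPSK []byte) (aacLegal, reqLegal bool, err error) {
	curve := ecdh.P256()
	// Message 1, AAC -> REQ: key request carrying AAC's key exchange parameter.
	aacEph, _ := curve.GenerateKey(rand.Reader)
	// REQ: ECDH gives the first key, the key derivation algorithm the message encryption key (MEK).
	reqEph, _ := curve.GenerateKey(rand.Reader)
	aacPub, _ := curve.NewPublicKey(aacEph.PublicKey().Bytes())
	k1, _ := reqEph.ECDH(aacPub)
	mekReq := kdf(k1)
	k2 := make([]byte, 32); rand.Read(k2) // second key: whoever holds it can later read the verdict on REQ
	// Message 2, REQ -> AAC: identity ciphertext message {REQ parameter, C1 = Enc_cert(cert || K2)}.
	c1, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, &as.encKey.PublicKey, append(append([]byte{}, reqCert...), k2...), nil)
	// AAC: same ECDH and KDF, then binds C1 to itself with the PSK it shares with AS.
	reqPub, _ := curve.NewPublicKey(reqEph.PublicKey().Bytes())
	k1, _ = aacEph.ECDH(reqPub)
	mekAAC := kdf(k1)
	// Message 3, AAC -> AS: first authentication request {C1, identity authentication code}.
	idCode := mac(aacPSK, c1)
	// AS: first verification result (AAC's code) and second verification result (REQ's certificate).
	r1 := hmac.Equal(idCode, mac(as.pskAAC, c1))
	plain, derr := rsa.DecryptOAEP(sha256.New(), nil, as.encKey, c1, nil)
	if derr != nil || len(plain) < 32 { return false, false, fmt.Errorf("AS: identity ciphertext rejected") }
	cert, k2AS := string(plain[:len(plain)-32]), plain[len(plain)-32:]
	r2 := false; for _, t := range as.trusted { r2 = r2 || t == cert }
	ar1 := flag(r1)                                                // first authentication result information
	cAR2 := seal(k2AS, flag(r2))                                   // second authentication result information ciphertext
	sig1, _ := ecdsa.SignASN1(rand.Reader, as.sigKey, digest(ar1)) // first digital signature
	mac1 := mac(as.pskAAC, cAR2)                                   // first message authentication code of AS
	// Message 4, AS -> AAC: {AR1, sig1, C_AR2, MAC1}. AAC checks MAC1 with its own PSK before forwarding anything.
	if !hmac.Equal(mac1, mac(aacPSK, cAR2)) { return false, false, fmt.Errorf("AAC: MAC on first authentication response failed") }
	// Message 5, AAC -> REQ: third authentication response, Enc_MEK(AR1 || sig1).
	third := seal(mekAAC, append(append([]byte{}, ar1...), sig1...))
	// REQ: decrypt, verify sig1 under the server's public key, then judge AAC from R1.
	p, oerr := open(mekReq, third)
	if oerr != nil || len(p) < 2 || !ecdsa.VerifyASN1(&as.sigKey.PublicKey, digest(p[:1]), p[1:]) {
		return false, false, fmt.Errorf("REQ: third authentication response rejected")
	}
	if aacLegal = p[0] == 1; !aacLegal { return false, false, nil } // REQ withholds K2, so AAC can never open C_AR2
	// Message 6, REQ -> AAC: fourth authentication response, Enc_MEK(K2).
	fourth := seal(mekReq, k2)
	// AAC: recover K2, open C_AR2, judge REQ from R2.
	k2Rx, e1 := open(mekAAC, fourth)
	if e1 != nil { return true, false, fmt.Errorf("AAC: fourth authentication response rejected") }
	ar2, e2 := open(k2Rx, cAR2)
	if e2 != nil || len(ar2) != 1 { return true, false, fmt.Errorf("AAC: second authentication result information rejected") }
	return true, ar2[0] == 1, nil
}

func main() { // constructed inputs: a PSK and a stand-in certificate string
	psk, cert := []byte("constructed-psk-between-AAC-and-AS"), "CERT:requesting-device-01"
	fmt.Println(RunExchange(NewAuthServer(psk, cert), []byte(cert), psk))
}
```

Two properties of the claim 1 design are visible in the code. The second key K2 leaves the requesting device only inside the fourth authentication response, which it sends only after the first digital signature has verified and the first verification result says the controller is legal, so a controller the device rejects can never open the second authentication result information ciphertext. And a controller holding the wrong pre-shared key fails at the message authentication code on the first authentication response, before it forwards anything to the device; the identity authentication code it sent in the first authentication request also makes the server record a failed first verification result.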
3. The method of claim 2, wherein the key request message further includes a first random number generated by the authentication access controller;
the step of calculating, by the requesting device, the message encryption key specifically includes:
the requesting device calculates the message encryption key according to information including the first key, the first random number, and a second random number generated by the requesting device;
correspondingly, the identity ciphertext message further comprises the second random number;
the calculating, by the authentication access controller, the message encryption key specifically includes:
the authentication access controller calculates the message encryption key based on information including the first key, the first random number, and the second random number.
4. The method of claim 3, wherein the identity ciphertext message further comprises the first random number; before the authentication access controller calculates the message encryption key, the method further comprises:
the authentication access controller verifies that the first random number in the identity ciphertext message is consistent with the first random number generated by the authentication access controller; and if the verification passes, the authentication access controller then calculates the message encryption key.
5. The method according to claim 2, wherein the key request message further includes security capability parameter information supported by the authentication access controller; the method further comprises the following steps:
the requesting device determines a specific security policy to be used by the requesting device according to the security capability parameter information; the specific security policy is also included in the identity ciphertext message.
6. The method according to claim 2, wherein the key request message further includes an identity of at least one authentication server trusted by the authentication access controller; the method further comprises:
the requesting device determines the identity of at least one authentication server trusted by the requesting device according to the identity of the at least one authentication server trusted by the authentication access controller; the identity ciphertext message further includes the identity of the at least one authentication server trusted by the requesting device; the method further comprises:
and the authentication access controller determines the first authentication server according to the identity of the at least one authentication server trusted by the request equipment in the identity ciphertext message and the identity of the at least one authentication server trusted by the authentication access controller in the key request message.
7. The method according to claim 1, wherein the identity ciphertext message further includes an identity of at least one authentication server trusted by the requesting device; the method further comprises:
and the authentication access controller determines the first authentication server according to the identity of at least one authentication server trusted by the request equipment and the identity of an authentication server trusted by the authentication access controller.
8. The method according to claim 1, wherein the first authentication request message further includes an identity of the authentication access controller and/or a first random number generated by the authentication access controller;
correspondingly, the first authentication response message further includes an identity of the authentication access controller and/or the first random number;
before the authenticating access controller sends a third authentication response message to the requesting device, the method further comprises:
the authentication access controller verifies that the identity of the authentication access controller in the first authentication response message is consistent with its own identity, and/or verifies that the first random number in the first authentication response message is consistent with the first random number generated by the authentication access controller; and if the verification passes, the authentication access controller then performs the subsequent operations.
9. The method of claim 1, wherein the identity information of the requesting device further comprises an identity of the requesting device; the first identity key further comprises a third key;
the first authentication response message further includes an identification ciphertext of the requesting device, where the identification ciphertext of the requesting device is generated by encrypting, using the third key, information including the identification of the requesting device;
the encrypted data of the identity authentication result information ciphertext in the third authentication response message further includes the identity identification ciphertext of the requesting device;
before the requesting device determines the result of the authentication of the identity of the authenticated access controller, the method further comprises:
the requesting device decrypts the identity authentication result information ciphertext by using the message encryption key to obtain the identity identification ciphertext of the requesting device, and verifies the identity identification ciphertext of the requesting device according to the identity identification of the requesting device and the third key; and if the verification passes, the requesting device then performs the subsequent operations.
10. The method according to claim 1, wherein the identity ciphertext message further includes a second random number generated by the requesting device, the first authentication request message further includes the second random number, and the first authentication response message further includes the second random number;
the encrypted data of the identity authentication result information ciphertext in the third authentication response message further includes the second random number;
before the requesting device determines the result of the authentication of the identity of the authenticated access controller, the method further comprises:
the requesting device decrypts the identity authentication result information ciphertext by using the message encryption key to obtain the second random number, and verifies that it is consistent with the second random number generated by the requesting device; and if the verification passes, the requesting device then performs the subsequent operations.
11. The method according to claim 2, wherein the third authentication response message further includes a first message integrity check code, the first message integrity check code being generated by the authentication access controller through calculation using a message integrity check key over the fields of the third authentication response message other than the first message integrity check code; the message integrity check key of the authentication access controller is generated in the same manner as the message encryption key of the authentication access controller;
before the requesting device determines the result of the authentication of the identity of the authenticated access controller, the method further comprises:
the requesting device verifies the first message integrity check code by using the message integrity check key; if the verification passes, the requesting device then performs the subsequent operations; the message integrity check key of the requesting device is generated in the same manner as the message encryption key of the requesting device.
12. The method according to claim 2, wherein the fourth authentication response message sent by the requesting device further includes a second message integrity check code, the second message integrity check code being generated by the requesting device through calculation using a message integrity check key over the fields of the fourth authentication response message other than the second message integrity check code; the message integrity check key of the requesting device is generated in the same manner as the message encryption key of the requesting device;
accordingly, before the authentication access controller determines the identity authentication result of the requesting device, the method further comprises:
the authentication access controller verifies the second message integrity check code by using the message integrity check key; if the verification passes, the authentication access controller then performs the subsequent operations; the message integrity check key of the authentication access controller is generated in the same manner as the message encryption key of the authentication access controller.
13. The method according to claim 1, wherein the first authentication request message further includes a second identity information ciphertext, the second identity information ciphertext is generated by the authentication access controller encrypting information including an identity of the authentication access controller and a second identity key of the authentication access controller by using a public key of an encryption certificate, and the second identity key includes a fourth key and a fifth key;
correspondingly, the first authentication response message further includes an identity ciphertext of the authentication access controller, and the identity ciphertext of the authentication access controller is generated by encrypting information including the identity of the authentication access controller by using the fifth key; the first authentication result information is generated by encrypting information including a first authentication result of the authentication access controller using the fourth key; the method further comprises:
the authentication access controller verifies the identity identification ciphertext of the authentication access controller according to the identity identification of the authentication access controller and the fifth key, and if the verification passes, sends the third authentication response message to the requesting device;
the encrypted data of the identity authentication result information ciphertext in the third authentication response message further includes the fourth key;
the requesting device further obtains the fourth key by decrypting the identity authentication result information ciphertext using the message encryption key, and obtains the first verification result by decrypting the first authentication result information using the fourth key.
14. The method of claim 1, wherein when the identity ciphertext message further includes a digital signature of the requesting device, before the authentication access controller determines the identity authentication result of the requesting device, the method further comprises:
the authentication access controller determines whether the digital signature of the requesting device passes verification, and if it does, determines the identity authentication result of the requesting device according to the second verification result in the second authentication result information.
15. The method of claim 14, wherein the authenticating access controller determining whether the digital signature of the requesting device is verified specifically comprises:
the second authentication server verifies the digital signature of the requesting device by using the digital certificate of the requesting device, and if the authentication access controller receives the first authentication response message, the authentication access controller determines that the digital signature of the requesting device has passed verification; or,
when the second authentication result information further includes the digital certificate of the requesting device, the authentication access controller verifies the digital signature of the requesting device by using the digital certificate of the requesting device, and determines whether the digital signature of the requesting device passes verification according to the verification result.
16. The method according to any of claims 1 to 15, wherein the first authentication server trusted by the authentication access controller and the second authentication server trusted by the requesting device are the same authentication server, the method further comprising:
the first authentication server verifies the identity authentication code of the authentication access controller to obtain a first verification result; decrypts the first identity information ciphertext by using the private key corresponding to the encryption certificate to obtain the digital certificate of the requesting device and the second key; verifies the validity of the digital certificate of the requesting device to obtain a second verification result; generates the first authentication result information according to information including the first verification result; generates the second authentication result information according to information including the second verification result; encrypts the information including the second authentication result information by using the second key to generate the second authentication result information ciphertext; calculates the signature data including the first authentication result information to generate the first digital signature; calculates the information including the second authentication result information ciphertext to generate the first message authentication code; and generates the first authentication response message according to information including the first authentication result information, the first digital signature, the second authentication result information ciphertext, and the first message authentication code.
17. The method according to any of claims 1 to 15, wherein the first authentication server trusted by the authentication access controller and the second authentication server trusted by the requesting device are two different authentication servers; the method further comprises:
the first authentication server verifies the identity authentication code of the authentication access controller to obtain a first verification result, generates first authentication result information according to information including the first verification result, and calculates and generates a second digital signature on signature data including the first authentication result information and the first identity information ciphertext or calculates and generates a second message authentication code on information including the first authentication result information and the first identity information ciphertext;
the first authentication server sends a second authentication request message to the second authentication server, wherein the second authentication request message includes the first authentication result information, the first identity information ciphertext, and the second digital signature, or the second authentication request message includes the first authentication result information, the first identity information ciphertext, and the second message authentication code; the second authentication server verifies the second digital signature by using the public key of the first authentication server, or verifies the second message authentication code by using the pre-shared key of the first authentication server; if the verification passes, the second authentication server decrypts the first identity information ciphertext by using the private key corresponding to the encryption certificate to obtain the digital certificate of the requesting device and the second key, performs validity verification on the digital certificate of the requesting device to obtain a second verification result, generates second authentication result information according to information including the second verification result, encrypts the information including the second authentication result information by using the second key to generate a second authentication result information ciphertext, calculates the signature data including the first authentication result information to generate a first digital signature, and calculates the signature data including the second authentication result information ciphertext to generate a third digital signature or calculates the information including the second authentication result information ciphertext to generate a third message authentication code;
the first authentication server receives a second authentication response message sent by the second authentication server, wherein the second authentication response message comprises the first authentication result information, the first digital signature, the second authentication result information ciphertext and the third digital signature, or the second authentication response message comprises the first authentication result information, the first digital signature, the second authentication result information ciphertext and the third message authentication code;
the first authentication server verifies the third digital signature by using the public key of the second authentication server, or verifies the third message authentication code by using the pre-shared key of the second authentication server; if the verification passes, the first authentication server calculates information including the second authentication result information ciphertext to generate the first message authentication code of the first authentication server, and generates the first authentication response message according to information including the first authentication result information, the first digital signature, the second authentication result information ciphertext, and the first message authentication code of the first authentication server.
18. The method according to any of claims 1 to 15, wherein the message sent by said requesting device to said authentication access controller further comprises a hash value computed by said requesting device on the latest preamble message received from said authentication access controller;
when the authentication access controller receives the message sent by the request device, the hash value in the received message is verified first, and the subsequent operation is executed after the verification is passed;
the message sent by the authentication access controller to the request device also comprises a hash value calculated by the authentication access controller on the received latest preamble message sent by the request device;
when the request device receives the message sent by the authentication access controller, the hash value in the received message is verified first, and the subsequent operation is executed after the verification is passed;
the message sent by the authentication access controller to the first authentication server further comprises a hash value calculated by the authentication access controller on the received latest preamble message sent by the first authentication server;
when the first authentication server receives the message sent by the authentication access controller, the hash value in the received message is verified first, and the subsequent operation is executed after the verification is passed;
the message sent by the first authentication server to the authentication access controller also comprises a hash value calculated by the first authentication server on the received latest preamble message sent by the authentication access controller;
when the authentication access controller receives the message sent by the first authentication server, the hash value in the received message is verified first, and the subsequent operation is executed after the verification is passed;
the message sent by the first authentication server to the second authentication server also comprises a hash value calculated by the first authentication server on the received latest preamble message sent by the second authentication server;
when the second authentication server receives the message sent by the first authentication server, the hash value in the received message is verified, and the subsequent operation is executed after the verification is passed;
the message sent by the second authentication server to the first authentication server further comprises a hash value calculated by the second authentication server on the received latest preamble message sent by the first authentication server;
when the first authentication server receives the message sent by the second authentication server, the hash value in the received message is verified first, and the subsequent operation is executed after the verification is passed.
19. A requesting device, characterized in that the requesting device comprises:
the encryption module is used for encrypting information including the identity information of the request equipment and a first identity key of the request equipment by using a public key of an encryption certificate to generate a first identity information ciphertext, the identity information of the request equipment comprises a digital certificate of the request equipment, and the first identity key comprises a second key;
a sending module, configured to send an identity ciphertext message to an authentication access controller, where the identity ciphertext message includes the first identity information ciphertext;
a receiving module, configured to receive a third authentication response message sent by the authentication access controller, where the third authentication response message includes an identity authentication result information ciphertext generated by the authentication access controller encrypting, by using a message encryption key, encrypted data including the first authentication result information and the first digital signature; the first authentication result information includes a first verification result for the authentication access controller, and the first digital signature is a digital signature generated by a second authentication server trusted by the requesting device through calculation on signature data including the first authentication result information;
the decryption module is used for decrypting the identity authentication result information ciphertext by using the message encryption key to obtain the first authentication result information and the first digital signature;
the verification module is used for verifying the first digital signature by using the public key of the second authentication server, and if the verification is passed, the determining module determines the identity authentication result of the authentication access controller according to the first verification result in the first authentication result information; when the determining module determines that the identity authentication result of the authentication access controller is legal, the sending module sends a fourth authentication response message to the authentication access controller; or,
the sending module is used for sending a fourth authentication response message to the authentication access controller, and the determining module is used for determining the identity authentication result of the authentication access controller according to the first verification result in the first authentication result information if the first digital signature passes the verification; or,
the verification module is used for verifying the first digital signature with the public key of the second authentication server; if the first digital signature passes the verification, the determining module determines the identity authentication result of the authentication access controller according to the first verification result in the first authentication result information; the sending module sends a fourth authentication response message to the authentication access controller;
wherein the fourth authentication response message includes a second key ciphertext generated by the encryption module encrypting information including the second key using a message encryption key.
20. The requesting device of claim 19, wherein the receiving module is further configured to: before the sending module sends the identity ciphertext message, receiving a key request message sent by the authentication access controller, wherein the key request message comprises a key exchange parameter of the authentication access controller; the requesting device further includes:
a calculation module, configured to perform key exchange calculation according to a temporary private key corresponding to a key exchange parameter of the requesting device and a temporary public key included in a key exchange parameter of the authentication access controller to generate a first key, and calculate the message encryption key according to information including the first key by using a key derivation algorithm;
the identity ciphertext message also includes the key exchange parameter of the requesting device.
21. The requesting device of claim 20, wherein the key request message further includes a first random number generated by the authentication access controller; the calculation module is specifically configured to: calculating the message encryption key from information including the first key, the first random number, and a second random number generated by the requesting device;
correspondingly, the identity ciphertext message further includes the second random number.
22. The requesting device of claim 20, wherein the key request message further includes security capability parameter information supported by the authentication access controller; the determining module is further configured to: determine a specific security policy used by the requesting device according to the security capability parameter information; the specific security policy is also included in the identity ciphertext message.
23. The requesting device of claim 20, wherein the key request message further includes an identity of at least one authentication server trusted by the authentication access controller; the determining module is further configured to: determine the identity of at least one authentication server trusted by the requesting device according to the identity of at least one authentication server trusted by the authentication access controller; the identity ciphertext message further includes an identity of at least one authentication server trusted by the requesting device.
24. The requesting device of claim 19, wherein the identity ciphertext message sent by the sending module further comprises an identity of at least one authentication server trusted by the requesting device.
25. The requesting device of claim 19, wherein the identity information of the requesting device further comprises an identity identification of the requesting device; the first identity key further comprises a third key; the first authentication response message further includes an identity identification ciphertext of the requesting device; the identity identification ciphertext of the requesting device is generated by encrypting information including the identity identification of the requesting device by using the third key;
the encrypted data of the identity authentication result information ciphertext in the third authentication response message further comprises an identity identification ciphertext of the request device; the decryption module decrypts the identity authentication result information ciphertext to obtain the identity identification ciphertext of the request device;
before the determining module determines the authentication result of the authentication access controller, the verifying module is further configured to: verify the identity identification ciphertext of the requesting device according to the identity identification of the requesting device and the third key.
26. The requesting device of claim 20, wherein the third authentication response message received by the receiving module further includes a first message integrity check code;
before the determining module determines the authentication result of the authentication access controller, the verifying module is further configured to: verifying the first message integrity check code by using a message integrity check key; and the message integrity check key and the message encryption key are generated in the same way.
27. The requesting device according to claim 20, wherein the fourth authentication response message sent by the sending module further includes a second message integrity check code, and the second message integrity check code is generated by the requesting device through calculation, using a message integrity check key, over the fields of the fourth authentication response message other than the second message integrity check code; and the message integrity check key and the message encryption key are generated in the same way.
28. The requesting device according to claim 19, wherein the first authentication result information is generated by encrypting information including a first authentication result of the authentication access controller using the fourth key; the encrypted data of the identity authentication result information ciphertext in the third authentication response message further comprises the fourth key;
the decryption module is further configured to decrypt the identity authentication result information ciphertext to obtain the fourth key, and the decryption module is further configured to: decrypt the first authentication result information by using the fourth key to obtain the first authentication result.
29. The requesting device of any of claims 19-28, wherein the message sent by said requesting device to said authentication access controller further comprises a hash value computed by said requesting device on the latest preamble message received from said authentication access controller.
30. An authentication access controller, characterized in that the authentication access controller comprises:
the receiving module is used for receiving an identity ciphertext message sent by a request device, wherein the identity ciphertext message comprises a first identity information ciphertext; the first identity information ciphertext is generated by the requesting device encrypting information comprising the identity information of the requesting device and a first identity key of the requesting device by using a public key of an encryption certificate; the identity information of the requesting device comprises a digital certificate of the requesting device; the first identity key comprises a second key;
a sending module, configured to send a first authentication request message to a first authentication server trusted by the authentication access controller, where the first authentication request message includes the first identity information ciphertext and an identity authentication code of the authentication access controller; the identity authentication code of the authentication access controller is generated by the authentication access controller through calculation of information including the first identity information ciphertext by using a pre-shared key of the first authentication server and a cryptographic algorithm agreed with the first authentication server;
the receiving module is further configured to receive a first authentication response message sent by the first authentication server, where the first authentication response message includes first authentication result information, a first digital signature of a second authentication server trusted by the requesting device, a second authentication result information ciphertext, and a first message authentication code of the first authentication server; the first authentication result information comprises a first verification result of the authentication access controller, the first digital signature is a digital signature generated by the second authentication server through calculation of signature data comprising the first authentication result information, the second authentication result information ciphertext is generated by encrypting information comprising second authentication result information through the second key, the second authentication result information comprises a second verification result of a digital certificate of the request device, and the first message authentication code of the first authentication server is generated by the first authentication server through calculation of information comprising the second authentication result information ciphertext through a pre-shared key of the authentication access controller and a cryptographic algorithm agreed with the authentication access controller;
a verification module, configured to verify a first message authentication code of the first authentication server by using a pre-shared key of the first authentication server and using a cryptographic algorithm agreed with the first authentication server;
the sending module is further configured to send a third authentication response message to the requesting device if the authentication is passed, where the third authentication response message includes an identity authentication result information ciphertext generated by the authentication access controller encrypting, with use of a message encryption key, encrypted data including the first authentication result information and the first digital signature;
the receiving module is further configured to receive a fourth authentication response message sent by the requesting device, where the fourth authentication response message includes a second key ciphertext generated by encrypting, with the message encryption key, information that includes the second key;
the decryption module is used for decrypting the second key ciphertext by using the message encryption key to obtain a second key, and decrypting the second authentication result information ciphertext by using the second key to obtain second authentication result information;
and the determining module is used for determining the identity authentication result of the request equipment according to the second verification result in the second authentication result information.
31. The authentication access controller of claim 30, wherein said sending module is further configured to: before receiving the identity ciphertext message, send a key request message to the requesting device, wherein the key request message comprises a key exchange parameter of the authentication access controller; the identity ciphertext message further includes a key exchange parameter of the requesting device; the authentication access controller further comprises:
a calculation module, configured to perform key exchange calculation according to a temporary private key corresponding to the key exchange parameter of the authentication access controller and a temporary public key included in the key exchange parameter of the requesting device to generate a first key, and to calculate the message encryption key by using a key derivation algorithm according to information including the first key.
32. The authentication access controller according to claim 31, wherein said key request message further includes a first random number generated by said authentication access controller; correspondingly, the identity ciphertext message further includes a second random number generated by the requesting device;
the calculation module is specifically configured to: calculating the message encryption key from information including the first key, the first random number, and the second random number.
33. The authentication access controller of claim 32, wherein the identity ciphertext message further comprises the first random number; before the calculation module calculates the message encryption key, the verification module is further configured to: verify the consistency of the first random number in the identity ciphertext message and the first random number generated by the authentication access controller.
34. The authentication access controller of claim 31, wherein the key request message further comprises an identity of at least one authentication server trusted by the authentication access controller; correspondingly, the identity ciphertext message further includes an identity of at least one authentication server trusted by the requesting device;
the determining module is further configured to: determine the first authentication server according to the identity of the at least one authentication server trusted by the requesting device in the identity ciphertext message and the identity of the at least one authentication server trusted by the authentication access controller in the key request message.
35. The authentication access controller of claim 30, wherein the identity ciphertext message further comprises an identity of at least one authentication server trusted by the requesting device;
the determining module is further configured to: determine the first authentication server according to the identity of at least one authentication server trusted by the requesting device and the identity of an authentication server trusted by the authentication access controller.
36. The authentication access controller according to claim 30, wherein the first authentication request message further comprises an identity of the authentication access controller and/or a first random number generated by the authentication access controller;
correspondingly, the first authentication response message further includes an identity of the authentication access controller and/or the first random number;
the verification module is further configured to: before the sending module sends a third authentication response message, verifying the consistency between the identity of the authentication access controller in the first authentication response message and the identity of the authentication access controller; and/or verifying the consistency of the first random number in the first authentication response message and the first random number generated by the authentication access controller.
37. The authentication access controller according to claim 30, wherein the first authentication request message further includes a second identity information ciphertext, the second identity information ciphertext is generated by the authentication access controller encrypting information including an identity identification of the authentication access controller and a second identity key of the authentication access controller by using a public key of an encryption certificate, and the second identity key includes a fourth key and a fifth key;
correspondingly, the first authentication response message further comprises an identity identification ciphertext of the authentication access controller; the first authentication result information is generated by encrypting information including a first authentication result of the authentication access controller using the fourth key; the identity identification ciphertext of the authentication access controller is generated by encrypting information including the identity identification of the authentication access controller by using the fifth key;
the verification module is further configured to: verify the identity identification ciphertext of the authentication access controller according to the identity identification of the authentication access controller and the fifth key; if the verification is passed, the sending module sends a third authentication response message to the requesting device; wherein the encrypted data of the identity authentication result information ciphertext in the third authentication response message further comprises the fourth key.
38. The authentication access controller according to claim 31, wherein the third authentication response message sent by the sending module further includes a first message integrity check code, and the first message integrity check code is generated by the authentication access controller through calculation, using a message integrity check key, over the fields of the third authentication response message other than the first message integrity check code; and the message integrity check key and the message encryption key are generated in the same way.
39. The authentication access controller of claim 31, wherein the fourth authentication response message received by the receiving module further comprises a second message integrity check code;
before the determining module determines the identity authentication result of the requesting device, the verifying module is further configured to verify the second message integrity check code by using a message integrity check key; and the message integrity check key and the message encryption key are generated in the same way.
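The key exchange and key derivation of claims 20-21 and 31-33, together with the message integrity check codes of claims 26-27 and 38-39, can be followed end to end in the added example below. It is illustration code written for this page, not code from the patent or from the applicant, and it fills in choices the claims leave open: the key exchange is finite-field Diffie-Hellman in the RFC 3526 2048-bit MODP group, the key derivation algorithm is HKDF-SHA256, and the integrity check code is HMAC-SHA256 over length-prefixed fields in sorted order. The message encryption key and the message integrity check key are taken from one derivation run, which is one way to satisfy "generated in the same way". The first random number is echoed in the identity ciphertext message and compared on the controller side before any key computation, as claim 33 requires.

```python
"""Added example, not part of the patent: key exchange, nonce-bound key
derivation and message integrity check codes modelled on claims 20-21, 26-27,
31-33 and 38-39.  Standard library only.  The DH group, HKDF and HMAC-SHA256
are assumptions; the claims name none of these primitives."""
import hashlib
import hmac
import secrets

# Assumption: RFC 3526 group 14 (2048-bit MODP prime), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8  # 256


def generate_key_exchange_parameter():
    """Temporary key pair; the public half is the key exchange parameter sent on the wire."""
    temp_priv = secrets.randbits(256) | 1            # 256-bit exponent (assumption)
    temp_pub = pow(G, temp_priv, P)
    return temp_priv, temp_pub.to_bytes(P_BYTES, "big")


def compute_first_key(own_temp_priv, peer_param):
    """Key exchange calculation of claims 20/31: own temporary private key combined
    with the temporary public key carried in the peer's key exchange parameter."""
    peer_pub = int.from_bytes(peer_param, "big")
    if not 1 < peer_pub < P - 1:                      # reject 0, 1 and p-1
        raise ValueError("invalid key exchange parameter")
    return pow(peer_pub, own_temp_priv, P).to_bytes(P_BYTES, "big")


def hkdf_sha256(ikm, salt, info, length):
    """RFC 5869 HKDF with SHA-256; the claims only say 'a key derivation algorithm'."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(first_key, first_random, second_random):
    """Claims 21/32: message encryption key from (first key, first random number,
    second random number).  Claims 26/38: the message integrity check key is
    generated the same way; here it is the second half of the same HKDF output."""
    okm = hkdf_sha256(first_key, first_random + second_random, b"identity-auth keys", 64)
    return okm[:32], okm[32:]  # (message encryption key, message integrity check key)


def compute_mic(mic_key, message):
    """Claims 27/38: integrity check code over every field except the code itself.
    Fields are length-prefixed and taken in sorted order so both sides MAC identical bytes."""
    mac = hmac.new(mic_key, digestmod=hashlib.sha256)
    for name in sorted(message):
        if name == "mic":
            continue
        value = message[name]
        mac.update(len(name).to_bytes(2, "big") + name.encode())
        mac.update(len(value).to_bytes(4, "big") + value)
    return mac.digest()


def verify_mic(mic_key, message):
    """Claims 26/39: verify the code before acting on the message (constant-time compare)."""
    return hmac.compare_digest(compute_mic(mic_key, message), message["mic"])


def first_random_consistent(received, generated):
    """Claim 33: the first random number echoed by the requesting device must match."""
    return hmac.compare_digest(received, generated)


def run_key_exchange():
    """One key request / identity ciphertext message round trip.
    Returns ((req enc key, req mic key), (aac enc key, aac mic key))."""
    # Authentication access controller builds the key request message.
    aac_priv, aac_param = generate_key_exchange_parameter()
    first_random = secrets.token_bytes(32)
    key_request = {"key_exchange_parameter": aac_param, "first_random": first_random}

    # Requesting device: own parameter, second random number, then both keys.
    req_priv, req_param = generate_key_exchange_parameter()
    second_random = secrets.token_bytes(32)
    req_keys = derive_keys(compute_first_key(req_priv, key_request["key_exchange_parameter"]),
                           key_request["first_random"], second_random)
    identity_msg = {"key_exchange_parameter": req_param,
                    "first_random": key_request["first_random"],   # echoed for claim 33
                    "second_random": second_random}

    # Controller: consistency check first, then its own key computation.
    if not first_random_consistent(identity_msg["first_random"], first_random):
        raise ValueError("first random number in identity ciphertext message does not match")
    aac_keys = derive_keys(compute_first_key(aac_priv, identity_msg["key_exchange_parameter"]),
                           first_random, identity_msg["second_random"])
    return req_keys, aac_keys
```

Binding both random numbers into the derivation is what makes the message encryption key and integrity check key fresh per session even if a temporary key pair were reused; the constant-time comparisons in the two verification helpers keep the controller from leaking, through timing, which byte of a forged code or echoed nonce was wrong.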
40. The authentication access controller of claim 30, wherein when the identity ciphertext message further includes a digital signature of the requesting device, the determining module is further configured to: before the identity authentication result of the requesting device is determined, determine whether the digital signature of the requesting device passes verification, and if the digital signature of the requesting device passes verification, determine the identity authentication result of the requesting device according to the second verification result in the second authentication result information.
41. The authentication access controller of claim 40, wherein the determining module determines whether the digital signature of the requesting device passes verification by:
the second authentication server verifies the digital signature of the requesting device by using the digital certificate of the requesting device, and if the receiving module receives the first authentication response message, the determining module determines that the digital signature of the requesting device has passed verification; or,
when the second authentication result information further includes the digital certificate of the requesting device, the verification module verifies the digital signature of the requesting device by using the digital certificate of the requesting device, and the determination module determines whether the digital signature of the requesting device passes the verification according to the verification result.
42. The authentication access controller according to any one of claims 30 to 41, wherein the message sent by the authentication access controller to the requesting device further includes a hash value calculated by the authentication access controller on the latest preamble message received from the requesting device; the message sent by the authentication access controller to the first authentication server further comprises a hash value calculated by the authentication access controller on the received latest preamble message sent by the first authentication server.
43. A first authentication server, the first authentication server comprising:
a receiving module, configured to receive a first authentication request message sent by an authentication access controller, where the first authentication request message includes a first identity information ciphertext and an identity authentication code of the authentication access controller, the first identity information ciphertext is generated by the requesting device encrypting information including the identity information of the requesting device and the first identity key of the requesting device using the public key of the encryption certificate, the identity information of the requesting device includes a digital certificate of the requesting device, the first identity key includes a second key, and the identity authentication code of the authentication access controller is generated by the authentication access controller through calculation of information including the first identity information ciphertext by using a pre-shared key of the first authentication server and a cryptographic algorithm agreed with the first authentication server;
a sending module, configured to send a first authentication response message to the authentication access controller, where the first authentication response message includes first authentication result information, a first digital signature of a second authentication server trusted by the requesting device, a second authentication result information ciphertext, and a first message authentication code of the first authentication server; the first authentication result information includes a first verification result of the authentication access controller, the first digital signature is a digital signature generated by the second authentication server through calculation of signature data including the first authentication result information, the second authentication result information ciphertext is generated by encrypting information including the second authentication result information with the second key, the second authentication result information includes a second verification result of the digital certificate of the requesting device, and the first message authentication code of the first authentication server is generated by the first authentication server through calculation of information including the second authentication result information ciphertext by using a pre-shared key of the authentication access controller and a cryptographic algorithm agreed with the authentication access controller.
44. The first authentication server of claim 43, further comprising:
a first verification module, configured to verify the identity authentication code of the authentication access controller to obtain a first verification result, decrypt the first identity information ciphertext by using a private key corresponding to the encryption certificate to obtain the digital certificate of the requesting device and the second key, and verify the validity of the digital certificate of the requesting device to obtain a second verification result;
a first generation module, configured to generate the first authentication result information according to information including the first verification result, generate the second authentication result information according to information including the second verification result, encrypt information including the second authentication result information using the second key to generate a second authentication result information ciphertext, calculate and generate a first digital signature for signature data including the first authentication result information, calculate and generate a first message authentication code for the first authentication server for information including the second authentication result information ciphertext;
a second generating module, configured to generate the first authentication response message according to information including the first authentication result information, the first digital signature, the second authentication result information ciphertext, and a first message authentication code of the first authentication server.
45. The first authentication server of claim 43, further comprising:
the second verification module is used for verifying the identity authentication code of the authentication access controller to obtain a first verification result;
a third generation module, configured to generate the first authentication result information according to information including the first verification result, and calculate and generate a second digital signature for signature data including the first authentication result information and the first identity information ciphertext or calculate and generate a second message authentication code for information including the first authentication result information and the first identity information ciphertext;
the sending module is further configured to send a second authentication request message to a second authentication server, where the second authentication request message includes the first authentication result information, the first identity information ciphertext, and the second digital signature, or the second authentication request message includes the first authentication result information, the first identity information ciphertext, and the second message authentication code;
the receiving module is further configured to receive a second authentication response message sent by the second authentication server, where the second authentication response message includes the first authentication result information, the first digital signature, a second authentication result information ciphertext, and a third digital signature, or the second authentication response message includes the first authentication result information, the first digital signature, the second authentication result information ciphertext, and a third message authentication code; wherein the first digital signature is generated by the second authentication server through calculation on signature data including the first authentication result information; the third digital signature is generated by the second authentication server through calculation of signature data including the second authentication result information ciphertext or the third message authentication code is generated by the second authentication server through calculation of information including the second authentication result information ciphertext;
a third verification module, configured to verify the third digital signature with a public key of the second authentication server or verify the third message authentication code with a pre-shared key of the second authentication server;
and a fourth generating module, configured to calculate, if the verification passes, information including the second authentication result information ciphertext to generate a first message authentication code of the first authentication server, and generate the first authentication response message according to information including the first authentication result information, the first digital signature, the second authentication result information ciphertext, and the first message authentication code of the first authentication server.
46. The first authentication server according to any of claims 43 to 45, wherein the message sent by the first authentication server to the authentication access controller further comprises a hash value computed by the first authentication server on the received latest preamble message sent by the authentication access controller; the message sent by the first authentication server to the second authentication server further includes a hash value calculated by the first authentication server for the received latest preamble message sent by the second authentication server.
47. A second authentication server, characterized in that the second authentication server comprises:
a receiving module, configured to receive a second authentication request message sent by a first authentication server, where the second authentication request message includes first authentication result information, a first identity information ciphertext, and a second digital signature, or the second authentication request message includes the first authentication result information, the first identity information ciphertext, and a second message authentication code; the first identity information ciphertext is generated by encrypting information including identity information of the requesting device and a first identity key of the requesting device by using a public key of an encryption certificate, the identity information of the requesting device comprises a digital certificate of the requesting device, and the first identity key comprises a second key; the second digital signature is calculated by the first authentication server for signature data including the first authentication result information and the first identity information ciphertext, or the second message authentication code is calculated by the first authentication server for information including the first authentication result information and the first identity information ciphertext;
a verification module, configured to verify the second digital signature by using a public key of the first authentication server or verify the second message authentication code by using a pre-shared key of the first authentication server, and, if the verification passes, decrypt the first identity information ciphertext by using a private key corresponding to the encryption certificate to obtain the digital certificate of the requesting device and the second key, and perform validity verification on the digital certificate of the requesting device to obtain a second verification result;
a generating module, configured to generate the second authentication result information according to information including the second verification result, encrypt information including the second authentication result information using the second key to generate a second authentication result information ciphertext, calculate signature data including the first authentication result information to generate a first digital signature, calculate signature data including the second authentication result information ciphertext to generate a third digital signature, or calculate information including the second authentication result information ciphertext to generate a third message authentication code;
a sending module, configured to send a second authentication response message to the first authentication server, where the second authentication response message includes the first authentication result information, the first digital signature, the second authentication result information ciphertext, and the third digital signature, or the second authentication response message includes the first authentication result information, the first digital signature, the second authentication result information ciphertext, and the third message authentication code.
48. The second authentication server of claim 47, wherein the message sent by the second authentication server to the first authentication server further comprises a hash value computed by the second authentication server on the received latest preamble message sent by the first authentication server.
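The exchange between the first authentication server (AS1) and the second authentication server (AS2) in claims 45 to 48, as an added Python simulation; it is not code from the patent or from the applicant. It follows the message-authentication-code variant of the claims and makes these assumptions: HMAC-SHA256 stands in for both the message authentication codes and the digital signatures; a toy HMAC-counter stream cipher keyed with a symmetric stand-in for the encryption certificate's private key replaces the public-key encryption of the first identity information ciphertext; validity verification of the requesting device's certificate is a lookup in a constructed trusted set; and the key under which AS1 computes its own first message authentication code is assumed to be shared with the authentication access controller. Every key value, certificate name and result string is constructed for the demo.

```python
import hashlib
import hmac
import json
import os

# Constructed demo values (not from the patent): the AS1/AS2 pre-shared key, a
# symmetric stand-in for the encryption certificate's private key held by AS2,
# a stand-in signing key for AS2, and a key assumed shared between AS1 and the
# authentication access controller (AAC).
PSK_AS1_AS2 = b"constructed-psk-as1-as2"
ENC_CERT_PRIVATE_KEY = b"constructed-enc-cert-private-key"
AS2_SIGNING_KEY = b"constructed-as2-signing-key"
AS1_AAC_KEY = b"constructed-as1-aac-key"
TRUSTED_DEVICE_CERTS = {"REQ-DEVICE-CERT-0001"}  # simplified validity check


def encode(*parts: bytes) -> bytes:
    """Length-prefix every field so concatenated fields cannot be re-split ambiguously."""
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over the encoded fields; stands in for MACs and signatures alike."""
    return hmac.new(key, encode(*parts), hashlib.sha256).digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy HMAC-counter stream cipher; stand-in for the cipher the claims leave open."""
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return keystream_xor(key, ciphertext[:16], ciphertext[16:])


def first_identity_ciphertext(device_cert: str, second_key: bytes) -> bytes:
    """What the requesting device produces: its certificate and second key, encrypted
    under the encryption certificate (symmetric stand-in for its public key here)."""
    body = json.dumps({"cert": device_cert, "k2": second_key.hex()}).encode()
    return encrypt(ENC_CERT_PRIVATE_KEY, body)


class SecondAuthServer:
    """AS2 of claims 47 and 48, MAC variant."""

    def handle_request(self, request):
        first_result, id_ct, second_mac = request
        # Verify the second MAC with AS1's pre-shared key before touching the ciphertext.
        if not hmac.compare_digest(second_mac, mac(PSK_AS1_AS2, first_result, id_ct)):
            return None
        identity = json.loads(decrypt(ENC_CERT_PRIVATE_KEY, id_ct))
        second_key = bytes.fromhex(identity["k2"])
        verdict = b"valid" if identity["cert"] in TRUSTED_DEVICE_CERTS else b"invalid"
        second_result_ct = encrypt(second_key, b"AS2-RESULT:" + verdict)  # readable by the device only
        first_sig = mac(AS2_SIGNING_KEY, first_result)  # stand-in for the first digital signature
        third_mac = mac(PSK_AS1_AS2, second_result_ct)
        preamble_hash = hashlib.sha256(encode(*request)).digest()  # claim 48
        return (first_result, first_sig, second_result_ct, third_mac, preamble_hash)


class FirstAuthServer:
    """AS1 of claims 45 and 46, MAC variant, restricted to its leg with AS2."""

    def __init__(self):
        self.last_sent = None

    def build_request(self, first_result: bytes, id_ct: bytes):
        request = (first_result, id_ct, mac(PSK_AS1_AS2, first_result, id_ct))
        self.last_sent = encode(*request)
        return request

    def handle_response(self, response):
        if response is None:
            return None
        first_result, first_sig, second_result_ct, third_mac, preamble_hash = response
        # Bind the response to the exact request AS1 sent (hash of the latest preamble message).
        if not hmac.compare_digest(preamble_hash, hashlib.sha256(self.last_sent).digest()):
            return None
        # Verify the third MAC with AS2's pre-shared key.
        if not hmac.compare_digest(third_mac, mac(PSK_AS1_AS2, second_result_ct)):
            return None
        first_mac_as1 = mac(AS1_AAC_KEY, second_result_ct)  # key assumed shared with the AAC
        return (first_result, first_sig, second_result_ct, first_mac_as1)


def run_exchange(device_cert: str, second_key: bytes, tamper: bool = False):
    """One AS1<->AS2 round trip; returns the first authentication response body or None."""
    as1, as2 = FirstAuthServer(), SecondAuthServer()
    request = as1.build_request(b"AS1-RESULT:valid", first_identity_ciphertext(device_cert, second_key))
    response = as2.handle_request(request)
    if tamper and response is not None:
        # Flip one bit of the second result ciphertext in transit; the third MAC must then fail.
        damaged = bytes([response[2][0] ^ 1]) + response[2][1:]
        response = response[:2] + (damaged,) + response[3:]
    return as1.handle_response(response)
```

Two details carry over to a real implementation regardless of the primitives chosen: every MAC and hash input is length-prefixed before concatenation, so fields of variable length cannot be shifted into one another, and all comparisons use a constant-time check. The second authentication result stays opaque to AS1 because it is encrypted under the second key that only the requesting device and AS2 know.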
CN202011569210.4A 2020-12-26 2020-12-26 Identity authentication method and device Pending CN114760038A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202011569210.4A CN114760038A (en) 2020-12-26 2020-12-26 Identity authentication method and device
PCT/CN2021/140178 WO2022135418A1 (en) 2020-12-26 2021-12-21 Identity authentication method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011569210.4A CN114760038A (en) 2020-12-26 2020-12-26 Identity authentication method and device

Publications (1)

Publication Number Publication Date
CN114760038A true CN114760038A (en) 2022-07-15

Family

ID=82157412

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011569210.4A Pending CN114760038A (en) 2020-12-26 2020-12-26 Identity authentication method and device

Country Status (2)

Country Link
CN (1) CN114760038A (en)
WO (1) WO2022135418A1 (en)

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050114680A1 (en) * 2003-04-29 2005-05-26 Azaire Networks Inc. (A Delaware Corporation) Method and system for providing SIM-based roaming over existing WLAN public access infrastructure
CN1298194C (en) * 2004-03-22 2007-01-31 西安电子科技大学 Radio LAN security access method based on roaming key exchange authentication protocal
CN100512312C (en) * 2006-12-18 2009-07-08 西安西电捷通无线网络通信有限公司 Ternary structural coordinate access control method
CN101420694A (en) * 2008-12-16 2009-04-29 天津工业大学 WAPI-XG1 access and fast switch authentication method
CN101631114B (en) * 2009-08-19 2011-09-21 西安西电捷通无线网络通信股份有限公司 Identity authentication method based on public key certificate and system thereof
CN102752306B (en) * 2012-07-09 2016-09-28 广州杰赛科技股份有限公司 Digital media management method and system based on mark

Also Published As

Publication number Publication date
WO2022135418A1 (en) 2022-06-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination