CN114760628B - Terminal safety access method for railway broadband trunking communication system - Google Patents


Info

Publication number: CN114760628B
Authority: CN (China)
Prior art keywords: card, encrypted, client application, information, authentication
Prior art date
Legal status: Active (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis)
Application number
CN202210675295.7A
Other languages
Chinese (zh)
Other versions
CN114760628A (en)
Inventor
闫晓宇
王开锋
郭强亮
李春铎
刘畅
付文刚
王丞
李辉
陈松
窦垭锡
张玉金
张志豪
李旭
杨居丰
白晓楠
高尚勇
张弘毅
刘运
王祖元
王宇飞
刘焱欣
于进
李峥
王洪杨
崔明星
谢红娟
祝远征
Current Assignee (the listed assignees may be inaccurate; Google has not performed a legal analysis)
China Academy of Railway Sciences Corp Ltd CARS
Signal and Communication Research Institute of CARS
Beijing Ruichi Guotie Intelligent Transport Systems Engineering Technology Co Ltd
Beijing Huatie Information Technology Co Ltd
Original Assignee
China Academy of Railway Sciences Corp Ltd CARS
Signal and Communication Research Institute of CARS
Beijing Ruichi Guotie Intelligent Transport Systems Engineering Technology Co Ltd
Beijing Huatie Information Technology Co Ltd
Priority date (the priority date is an assumption and not a legal conclusion; Google has not performed a legal analysis)
Filing date
Publication date
Application filed by China Academy of Railway Sciences Corp Ltd CARS, Signal and Communication Research Institute of CARS, Beijing Ruichi Guotie Intelligent Transport Systems Engineering Technology Co Ltd and Beijing Huatie Information Technology Co Ltd
Priority to CN202210675295.7A
Publication of CN114760628A
Application granted
Publication of CN114760628B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/009 Security arrangements specially adapted for networks, e.g. wireless sensor networks, ad-hoc networks, RFID networks or cloud networks
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys
    • H04W 12/08 Access security
    • H04W 12/084 Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol
    • H04W 12/10 Integrity
    • H04W 12/12 Detection or prevention of fraud
    • H04W 12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W 12/122 Counter-measures against attacks; Protection against rogue devices
    • H04W 12/40 Security arrangements using identity modules
    • H04W 12/48 Security arrangements using identity modules using secure binding, e.g. securely binding identity modules to devices, services or applications
    • H04W 12/60 Context-dependent security
    • H04W 12/69 Identity-dependent
    • H04W 12/71 Hardware identity
    • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/06 Selective distribution of broadcast services, e.g. multimedia broadcast multicast service [MBMS]; Services to user groups; One-way selective calling services
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/70 Reducing energy consumption in communication networks in wireless communication networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Multimedia (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention discloses a terminal security access method for a railway broadband trunking communication system. It adds an encrypted interaction flow between the client application and a Micro SD card, and an interaction flow among the client application, the railway broadband trunking communication equipment (MC equipment) and a security authentication gateway. Through the security authentication gateway, the client application and the encrypted Micro SD card store encrypted data and are bound to each other one to one by authentication, and the terminal accesses the system only after the client application and the Micro SD card have authenticated each other. This protects user data and reduces the risk of user information leakage caused by diffusion of the client application or loss of the terminal device.

Description

Terminal safety access method for railway broadband trunking communication system
Technical Field
The invention relates to the technical field of railway wireless communication, and in particular to a secure access method for terminals of a railway broadband trunking communication system.
Background
The railway broadband trunking communication system is developed on the basis of 3GPP mission-critical communication (MCX) technology. It serves as the solution for next-generation railway trunking communication and provides strong support for making railway communication intelligent and broadband.
Terminal access schemes for 3GPP mission-critical communication (MCX) systems are disclosed in Chinese patent application publication No. CN110830927A, "Multimedia trunking communication method, apparatus and terminal", and in the 2018 Beijing University of Science and Technology thesis "MCPTT terminal software design and implementation".
However, in the railway broadband trunking communication system the service is separated from the bearer, and the client is usually distributed as an upper-layer application installation package so that it can be installed on terminal devices of different types and models. Because such an installation package spreads easily and is hard to supervise, and because railway communication equipment is complex, varied and widely distributed, the terminal access scheme provided by the 3GPP mission-critical communication (MCX) system cannot meet the security requirements for terminal access to a railway broadband trunking communication system.
Terminal equipment of the railway broadband trunking communication system is geographically dispersed, hard to supervise and easy to replace maliciously, so there is a risk of illegal terminals accessing the system and of user data being stolen. Because the client is provided as an application installation package, its diffusion cannot be controlled, and unauthorized persons can easily obtain the package and install and use the client. If a user's name and password are leaked in some way and no effective access control policy is in place, important data and sensitive information may be leaked and the system may be maliciously attacked.
Disclosure of Invention
The invention aims to provide a terminal security access method for a railway broadband trunking communication system that reduces the risks of channel attacks and of impersonated registration with, and attacks on, the system.
The purpose of the invention is achieved by the following technical scheme:
a terminal security access method for a railway broadband trunking communication system comprises the following steps:
the client application in the terminal device carries out interactive authentication with an encrypted Micro SD card, and after the interactive authentication passes, the client application obtains login authentication information from the encrypted Micro SD card; the Micro SD card is a flash memory card;
the client application acquires an encryption certificate through a security authentication gateway, uses the encryption certificate and the login authentication information to acquire user configuration information and a login authentication token from the railway broadband trunking communication equipment, requests service registration from that equipment, and after successful registration the terminal device is connected to the railway broadband trunking communication system.
According to the technical scheme provided by the invention, an encrypted interaction process between the client application and the Micro SD card is added, as is an interaction process among the client application, the railway broadband trunking communication equipment (MC equipment) and the security authentication gateway. Through the security authentication gateway, the client application and the encrypted Micro SD card store encrypted data and are bound one to one by authentication, and they are admitted to the system only after interactive authentication. This protects user data and reduces the risk of user information leakage caused by diffusion of the client application, loss of the terminal device and the like.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on the drawings without creative efforts.
Fig. 1 is a flowchart of the method for securely accessing a terminal of a railway broadband trunking communication system according to an embodiment of the present invention;
Fig. 2 is a flowchart of the interactive authentication between the client application and the encrypted Micro SD card according to the embodiment of the present invention;
Fig. 3 is a flowchart of the client application accessing the MC device according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of the railway broadband trunking communication system architecture provided in an embodiment of the present invention;
Fig. 5 is a diagram illustrating the operation of the Micro SD card read/write device according to the embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
The terms that may be used herein are first described as follows:
the terms "comprising", "including", "containing", "having" and similar terms are to be construed as non-exclusive inclusions. For example, "including a feature" (e.g., a material, component, ingredient, carrier, formulation, dimension, part, mechanism, device, process, procedure, method, reaction condition, processing condition, parameter, algorithm, signal, data, product or article of manufacture) is to be construed as including not only the particular feature explicitly listed but also other features not explicitly listed that are known in the art.
The following describes a method for securely accessing a terminal of a railway broadband trunking communication system provided by the invention in detail. Details which are not described in detail in the embodiments of the invention belong to the prior art which is known to the person skilled in the art. Those not specifically mentioned in the examples of the present invention were carried out according to the conventional conditions in the art or conditions suggested by the manufacturer.
As shown in Fig. 1, the method for securely accessing a terminal of a railway broadband trunking communication system mainly includes the following steps:
Step 1: interactive authentication between the client application and the encrypted Micro SD card.
In the embodiment of the invention, the client application and the encrypted Micro SD card carry out interactive authentication, and when it passes, the client application acquires login authentication information from the encrypted Micro SD card; the Micro SD card is a flash memory card.
Step 2: the client application accesses the MC device through the security authentication gateway.
The client application acquires an encryption certificate through the security authentication gateway, uses the encryption certificate and the login authentication information to acquire user configuration information and a login authentication token from the railway broadband trunking communication equipment, requests service registration from that equipment, and after successful registration accesses the railway broadband trunking communication system.
In the embodiment of the invention, the terminal device is the device on which the client application is installed. Besides the railway broadband trunking communication equipment provided by the invention, the railway broadband trunking communication system comprises a series of other servers; since the invention mainly introduces the interaction between the terminal device and the railway broadband trunking communication equipment, the other servers are not described.
After these steps, confidentiality and integrity protection can be provided for the trunking voice, trunking data and trunking video services between the client application and the MC device. The secure access method reduces the risks of user data leakage, illegal access to the system under a disguised terminal user identity, attacks on the communication channel, and the like.
For ease of understanding, the following description will be made with respect to preferred embodiments of step 1 and step 2 described above.
First, mutual authentication between the client application and the encrypted Micro SD card.
Fig. 2 shows the flow of the interactive authentication between the client application and the encrypted Micro SD card, which mainly includes the following steps:
Step 11: the client application identifies the encrypted Micro SD card and acquires its authentication information.
After the terminal device starts, the client application checks whether an encrypted Micro SD card is correctly inserted in the terminal device; if so, it reads the card's authentication information from the card, to be verified later by the security authentication gateway.
Step 12: the client application sends the encrypted Micro SD card's authentication information to the security authentication gateway and receives the authentication certificate returned by the gateway.
After obtaining the encrypted Micro SD card's authentication information, the client application sends a link request to the security authentication gateway according to the routing table; the link request carries the card's authentication information. On receiving the link request, the security authentication gateway decrypts the Micro SD card authentication information and verifies its authenticity. If the verification succeeds, the gateway sends the encrypted client application authentication certificate corresponding to that information to the client application, indicating that the authentication information is correct. If the verification fails, the gateway sends failure information to the client application, which stops further work and displays the reason for the failure to the terminal user.
Step 13: the client application writes the authentication certificate into the encrypted Micro SD card for verification.
The client application writes the authentication certificate to a designated location in the encrypted Micro SD card, and the card decrypts and verifies the certificate. If verification succeeds, the client application and the encrypted Micro SD card have completed bidirectional authentication; the client application notifies the terminal user that the card has been authenticated and continues with the subsequent process. If verification fails, the client application notifies the terminal user that the card failed authentication and stops the subsequent process.
In the embodiment of the invention, when the identity of the encrypted Micro SD card is activated before use, its interaction with the security authentication gateway leaves corresponding encryption and decryption information (described later) on both the Micro SD card and the security gateway. In steps 11 to 13 the encrypted Micro SD card is authenticated bidirectionally through the client application and the security authentication gateway: the client application decides how to proceed from the results returned by the card and the gateway, and the encrypted Micro SD card uses the encryption and decryption information retained at identity activation to encrypt and decrypt the information exchanged at this stage.
Step 14: the client application acquires and verifies the IMEI information stored in the terminal device and in the encrypted Micro SD card.
After the encrypted Micro SD card passes bidirectional authentication, the client application acquires the IMEI (international mobile equipment identity) from the terminal device's system and the pre-stored IMEI from the encrypted Micro SD card, and checks whether the two match. If they match, the client application and the encrypted Micro SD card have completed interactive authentication. If they do not match, the terminal user is told that the encrypted Micro SD card does not match and that the correct encrypted Micro SD card must be used for verification, and the subsequent process stops.
Step 15: the client application acquires the login authentication information stored in the encrypted Micro SD card.
The client application reads the encrypted login authentication information from a designated location in the encrypted Micro SD card; it comprises the user name and password required to log in to the system. The client application decrypts the login authentication information and then proceeds to the step of accessing the MC device.
In the embodiment of the invention, the client application interacts with the encrypted Micro SD card to acquire the corresponding encryption and decryption key information, with which it decrypts each item of encrypted information read from the card.
In the embodiment of the invention, the encrypted Micro SD card can be divided into several storage areas as required, with different areas storing different types of data; the designated locations involved in steps 11 to 15 can be chosen according to actual conditions and are not limited by the invention.
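The following is an added example and not the patent's own code: a Python model of steps 11 to 15 above together with the card identity activation described later in the document, with hypothetical classes for the card, the gateway and the client application. It assumes the card behaves as a secure element holding key material shared with the gateway at activation, that an HMAC-based encrypt-then-MAC construction stands in for the unspecified conventional cipher, and that the card's authentication information carries a fresh challenge; all identifiers and sample values are constructed.

```python
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for the patent's unspecified "conventional" cipher.
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(key: bytes, msg: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || HMAC tag.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, nonce, len(msg))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tag mismatch: tampered data or wrong card key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class EncryptedMicroSD:
    # Secure-element model: key shared with the gateway at activation, separate storage areas.
    def __init__(self, card_id: str):
        self.card_id, self.key, self.areas = card_id, None, {}
        self._challenge, self.authenticated = b"", False

    def authentication_info(self) -> bytes:
        # Step 11: encrypted authentication info with a fresh challenge (defeats replay in step 13).
        self._challenge = secrets.token_bytes(16)
        return seal(self.key, self._challenge)

    def verify_certificate(self, cert: bytes) -> bool:
        # Step 13: the card decrypts the gateway's certificate and checks card id and challenge.
        try:
            kind, cid, challenge = unseal(self.key, cert).split(b"|", 2)
        except ValueError:
            return False
        self.authenticated = (kind == b"CLIENT-CERT" and cid == self.card_id.encode()
                              and hmac.compare_digest(challenge, self._challenge))
        self._challenge = b""
        return self.authenticated

    def read(self, area: str) -> bytes:
        if not self.authenticated:
            raise PermissionError("card not authenticated")
        return unseal(self.key, self.areas[area])


class SecurityGateway:
    def __init__(self):
        self.card_keys = {}   # card_id -> key left on both card and gateway at activation

    def activate(self, card, imei: str, username: str, password: str):
        # Identity activation via the read-write device: gateway-encrypted IMEI and credentials.
        card.key = self.card_keys[card.card_id] = secrets.token_bytes(32)
        card.areas["imei"] = seal(card.key, imei.encode())
        card.areas["login"] = seal(card.key, f"{username}:{password}".encode())

    def link_request(self, card_id: str, auth_info: bytes):
        # Step 12: verify the card's authentication info; reply with the encrypted client
        # application authentication certificate, or None as the failure reply.
        key = self.card_keys.get(card_id)
        if key is None:
            return None
        try:
            challenge = unseal(key, auth_info)
        except ValueError:
            return None
        return seal(key, b"CLIENT-CERT|" + card_id.encode() + b"|" + challenge)


def interactive_authentication(card, device_imei: str, gw: SecurityGateway):
    """Steps 11-15 as run by the client application; returns (username, password)."""
    if card is None or card.key is None:
        raise PermissionError("encrypted Micro SD card missing or not activated")
    cert = gw.link_request(card.card_id, card.authentication_info())      # steps 11-12
    if cert is None or not card.verify_certificate(cert):                # step 13
        raise PermissionError("card authentication failed, stopping")
    if not hmac.compare_digest(card.read("imei"), device_imei.encode()): # step 14
        raise PermissionError("IMEI mismatch: card is bound to another terminal")
    username, password = card.read("login").decode().split(":", 1)       # step 15
    return username, password


def demo() -> dict:
    gw, card = SecurityGateway(), EncryptedMicroSD("CARD-0001")
    gw.activate(card, "490154203237518", "rail_user", "s3cret")   # constructed sample values
    out = {"bound_terminal": interactive_authentication(card, "490154203237518", gw)}
    try:                              # same card inserted in a terminal with another IMEI
        out["other_terminal"] = interactive_authentication(card, "000000000000000", gw)
    except PermissionError as e:
        out["other_terminal"] = str(e)
    return out
```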
Second, accessing the MC equipment.
After the client application has completed interactive authentication with the encrypted Micro SD card and obtained the login user name and password, it must access the MC device; the user of the terminal device can then use the trunking voice, trunking data and trunking video services through the client application and the MC device. The process by which the client application accesses the MC device is shown in Fig. 3 and mainly includes:
Step 21: the client application acquires the transmission channel encryption certificate from the security authentication gateway.
When the client application exchanges information with the MC device, the exchanged information must be encrypted and decrypted, which requires the security authentication gateway to provide encryption certificates for the different terminal devices. The client application therefore sends an encryption certificate application to the security authentication gateway; the gateway parses and verifies the application and then sends the encryption certificate to the client application and to the corresponding railway broadband trunking communication equipment. The encryption certificate includes the user identity information of the terminal device and the validity duration of the encryption certificate.
Step 22: the client application initiates service authentication with the MC device to obtain user configuration information and a login authentication token.
In the embodiment of the invention, the client application encapsulates the login authentication information according to a set protocol standard (for example, a 3GPP protocol standard), encrypts the encapsulated information with the encryption certificate, and transmits it directly to the railway broadband trunking communication equipment (that is, the encrypted information does not pass through the security authentication gateway); the MC device authenticates the user login, and the client application receives the result fed back by the railway broadband trunking communication equipment.
In the embodiment of the invention, the login authentication information is the user name and password obtained earlier, which are the user name and password configured in the database before the user's identity was activated. After receiving the encrypted information, the MC device decrypts it with the encryption certificate and checks whether the user name and password it contains are correct. If they are correct, the MC device sends the encrypted user configuration information and the login authentication token to the client application. The user configuration information is the user configuration set in advance in the MC device's database before the user's identity was activated.
Step 23: parse and check the login authentication token and request service registration.
In the embodiment of the invention, the client application parses the user configuration information and the login authentication token using the encryption certificate, encrypts the user configuration information and stores it in the encrypted Micro SD card, and verifies the login authentication token. If the token is correct, the client application encrypts the parsed token and sends it to the railway broadband trunking communication equipment to request service registration, so that the corresponding terminal user completes service registration with the system. After service registration, the client application reads part of the user data generated by previous services from the encrypted Micro SD card and displays it on the terminal device screen; this partial user data comprises the address book, past call records and the data service inbox.
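As an added example, not code from the patent, the following Python models steps 21 to 23: a gateway-issued encryption certificate carrying the user identity and a validity duration, service authentication against credentials provisioned in the MC device's database, issue and verification of a login authentication token, and service registration, with a controllable clock so that certificate expiry can be exercised. It assumes the certificate is a symmetric key delivered to both parties and used here only for HMAC message authentication (message confidentiality is omitted); all names and sample values are constructed.

```python
import hashlib
import hmac
import secrets
import time


def mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def issue_certificate(user_id: str, validity_s: int, now: float) -> dict:
    # Step 21 (gateway side): user identity, validity duration and fresh key material,
    # delivered to both the client application and the MC device.
    return {"user": user_id, "issued": int(now), "valid_for": validity_s,
            "key": secrets.token_bytes(32)}


def certificate_valid(cert: dict, now: float) -> bool:
    return cert["issued"] <= now < cert["issued"] + cert["valid_for"]


def verify_token(cert: dict, token: bytes, now: float) -> bool:
    # Token layout: username | expiry | HMAC(cert key, "TOKEN" | username | expiry).
    try:
        username, expiry, tag = token.split(b"|", 2)
        expected = mac(cert["key"], b"TOKEN", username, expiry)
        return hmac.compare_digest(tag, expected) and now < int(expiry)
    except ValueError:
        return False


class MCDevice:
    TOKEN_LIFETIME = 600

    def __init__(self, now=time.time):
        self.now = now
        self.users = {}     # username -> (user_id, password hash, user configuration)
        self.certs = {}     # user_id -> certificate received from the gateway
        self.registered = set()

    def provision(self, user_id: str, username: str, password: str, config: dict):
        # Credentials and configuration placed in the database before identity activation.
        self.users[username] = (user_id, hashlib.sha256(password.encode()).digest(), config)

    def _valid_cert(self, user_id: str):
        cert = self.certs.get(user_id)
        return cert if cert and certificate_valid(cert, self.now()) else None

    def service_authentication(self, user_id: str, username: str, proof: bytes):
        # Step 22: valid certificate, request authentic under its key, credentials matching
        # the database. The proof binds the password hash to the certificate key.
        cert, rec = self._valid_cert(user_id), self.users.get(username)
        if cert is None or rec is None or rec[0] != user_id:
            return None
        if not hmac.compare_digest(proof, mac(cert["key"], b"LOGIN", username.encode(), rec[1])):
            return None
        expiry = str(int(self.now()) + self.TOKEN_LIFETIME).encode()
        tag = mac(cert["key"], b"TOKEN", username.encode(), expiry)
        return {"config": rec[2], "token": b"|".join([username.encode(), expiry, tag])}

    def service_registration(self, user_id: str, token: bytes) -> bool:
        # Step 23 (MC side): registration needs a still-valid certificate and token.
        cert = self._valid_cert(user_id)
        if cert is None or not verify_token(cert, token, self.now()):
            return False
        self.registered.add(user_id)
        return True


def access_mc_device(user_id, username, password, cert, mc, now=time.time):
    """Steps 21-23 on the client side: returns the user configuration, or None on failure."""
    if not certificate_valid(cert, now()):
        return None
    pwd_hash = hashlib.sha256(password.encode()).digest()
    proof = mac(cert["key"], b"LOGIN", username.encode(), pwd_hash)
    reply = mc.service_authentication(user_id, username, proof)
    if reply is None or not verify_token(cert, reply["token"], now()):   # step 23, client check
        return None
    if not mc.service_registration(user_id, reply["token"]):
        return None
    return reply["config"]   # the patent encrypts this and stores it on the Micro SD card


def demo() -> dict:
    clock = [1_700_000_000.0]          # constructed clock so expiry can be exercised
    def now(): return clock[0]
    mc = MCDevice(now)
    mc.provision("user-0001", "rail_user", "s3cret", {"groups": ["dispatch-1"]})
    cert = issue_certificate("user-0001", 300, now())
    mc.certs[cert["user"]] = cert      # gateway delivers the certificate to the MC device too
    ok = access_mc_device("user-0001", "rail_user", "s3cret", cert, mc, now)
    bad = access_mc_device("user-0001", "rail_user", "wrong", cert, mc, now)
    clock[0] += 301                    # certificate validity duration has elapsed
    expired = access_mc_device("user-0001", "rail_user", "s3cret", cert, mc, now)
    return {"ok": ok, "bad_password": bad, "expired": expired, "registered": sorted(mc.registered)}
```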
Third, protecting the confidentiality and integrity of services.
Terminal access is achieved through the schemes described in the first and second parts; services including trunking voice, trunking data and trunking video can then be initiated through the client application. During each service, the information transmitted between the client application and the railway broadband trunking communication equipment is encrypted with the encryption certificate provided by the security authentication gateway. After receiving the encrypted data, the client application and the railway broadband trunking communication equipment decrypt it with the encryption certificate into clear data conforming to the set protocol standard (for example, a 3GPP protocol standard), and complete the communication of each service according to that standard. When the service ends, the client application displays part of the user data generated by the service on the terminal device screen, namely the address book, past call records and the data service inbox, and encrypts and synchronizes all user data generated by the service into the encrypted Micro SD card, namely the address book, past call records, data service inbox, voice recordings and video recordings.
The above is the main scheme of the terminal security access method of the invention. Fig. 4 shows the railway broadband trunking communication system architecture: relative to a 3GPP-standard mission-critical communication (MCX) system, a security authentication gateway, a Micro SD card security read-write device (not shown in Fig. 3) and encrypted Micro SD cards matching the number of terminals are added; an encrypted interaction flow with the Micro SD card is added to the client application, and an interaction flow with the security authentication gateway is added to the client application and the MC device (i.e., steps 1 and 2).
Fig. 5 shows the working state of the Micro SD card security read-write device when reading and writing a Micro SD card. As shown in Fig. 4, the Micro SD card security read-write device includes a human-computer interaction module and an SD card secure write-in/output module. Before an encrypted Micro SD card is used by a terminal device, its identity must be activated by the Micro SD card security read-write device according to the user identity information and the terminal device. Identity activation comprises: inserting the encrypted Micro SD card into the SD card secure write-in/output module of the read-write device; entering the user identity information and the IMEI of the terminal device through the human-computer interaction module; interacting with the security authentication gateway to encrypt the data; and, once encryption is complete, writing the encrypted information to the encrypted Micro SD card through the SD card secure write-in/output module, which completes identity activation.
In the embodiment of the invention, the user identity information and the IMEI information are encrypted mainly by the security authentication gateway. On the one hand, the categories of encrypted information can be adjusted to requirements; on the other hand, the encrypted data is stored directly in the encrypted Micro SD card and is extracted by the client application and decrypted in subsequent use (for example, step 14 above). The encryption and decryption algorithms used by the security authentication gateway, the encrypted Micro SD card and the client application in this part are matched algorithms with corresponding encryption and decryption key information, so that information can be encrypted and decrypted correctly; since these algorithms can be implemented with conventional algorithms, they are not described further.
In addition, after the terminal device has been used, the encrypted Micro SD card is removed and connected to the Micro SD card security read-write device. After data decryption through interaction with the security authentication gateway, the data stored in the encrypted Micro SD card can be exported through the SD card secure write-in/output module or viewed directly through the human-computer interaction module of the read-write device; the stored data comprises call recordings, video recordings, received messages and call records.
The terminal secure access method for the railway broadband trunking communication system provided by the embodiment of the invention protects against the following situations:
1. The communication channel is attacked.
If service signaling and user data in the channel are not protected, they are transmitted entirely in plaintext, and once the communication channel is attacked all of the transmitted data is at risk. The terminal secure access method protects the channel: signaling is transmitted as ciphertext throughout, which reduces the risk of user data leakage, signaling tampering and similar consequences of an attack on the channel.
2. The client application and the login user name and password are leaked.
If no secure access method is used and the client application together with the login user name and password of the railway broadband trunking communication system are leaked, a user identity can be impersonated for illegal access, so that information sources become untrustworthy and information is stolen. With the terminal secure access method, the client application depends on bidirectional authentication with the encrypted Micro SD card at start-up, so a client application that does not recognise an encrypted Micro SD card cannot be used normally, and the user identity cannot be impersonated.
3. The encrypted Micro SD card is lost.
The encrypted Micro SD card stores the user's login authentication information and user data, but all of it is encrypted, the encryption key is kept in the security authentication gateway, and the stored information cannot be decrypted from the encrypted Micro SD card alone. Even if the card is lost, the user identity and the user data remain protected.
4. The client application is leaked and the encrypted Micro SD card is lost.
When the encrypted Micro SD card is activated for a user identity, the International Mobile Equipment Identity (IMEI) of the terminal device is burned in alongside the login authentication information; after the client application completes bidirectional authentication with the card, it must read the IMEI stored on the card and compare it with the IMEI obtained from the terminal device. A card moved to a different terminal therefore fails this check, and the user identity cannot be impersonated.
5. The terminal device with the client application installed and its encrypted Micro SD card are both lost.
When the terminal device with the client application installed and the corresponding encrypted Micro SD card are lost, the user can quickly notice this and report it to the railway broadband trunking communication system administrator, who clears the user's authentication information in the security authentication gateway, preventing the terminal device from initiating further services or obtaining user data; the user's login password is then changed in the MC equipment, blocking subsequent login attempts from the terminal device.
6. The client application is forged while the login user name and password are leaked.
Because the 3GPP protocol standards for trunking voice (MCPTT), trunking data (MCData) and trunking video (MCVideo) are public, an attacker can forge a client application from them, bypass the interactive authentication with the encrypted Micro SD card and try to log in directly with a leaked user name and password. The terminal secure access method encrypts the transmitted data through the security authentication gateway, so plaintext signaling that merely conforms to the 3GPP protocol standard receives no response in transit; a forged client application can neither log in to the system nor steal user data.
Through the above description of the embodiments, it is clear to those skilled in the art that the above embodiments can be implemented by software, and can also be implemented by software plus a necessary general hardware platform. Based on such understanding, the technical solutions of the embodiments may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.), and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods according to the embodiments of the present invention.
The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A terminal secure access method for a railway broadband trunking communication system, characterized by comprising the following steps:
a client application in the terminal device performs interactive authentication with an encrypted Micro SD card, and when the interactive authentication passes, the client application obtains login authentication information from the encrypted Micro SD card; wherein the Micro SD card is a flash memory card;
the client application obtains an encryption certificate through a security authentication gateway, obtains user configuration information and a login authentication token from the railway broadband trunking communication equipment using the encryption certificate and the login authentication information, requests service registration from the railway broadband trunking communication equipment, and, once service registration succeeds, the terminal device is connected to the railway broadband trunking communication system.
2. The terminal secure access method for a railway broadband trunking communication system according to claim 1, wherein, after the terminal device is powered on, the step of the client application performing interactive authentication with the encrypted Micro SD card comprises:
the encrypted Micro SD card performs bidirectional authentication with the security authentication gateway through the client application; when the bidirectional authentication succeeds, the client application obtains the IMEI from the terminal device system and the pre-stored IMEI from the encrypted Micro SD card and checks whether the two match, wherein IMEI denotes the international mobile equipment identity; if the two IMEIs match, the client application and the encrypted Micro SD card have completed interactive authentication, and the client application obtains the encrypted login authentication information from the encrypted Micro SD card, the authentication information comprising the user name and password required to log in to the system.
3. The terminal secure access method for a railway broadband trunking communication system according to claim 2, wherein the step of bidirectional authentication between the client application and the encrypted Micro SD card comprises:
after the terminal device is started, the client application checks whether an encrypted Micro SD card is correctly inserted in the terminal device; if the encrypted Micro SD card is correctly inserted, the encrypted Micro SD card authentication information is read from the card;
the client application sends a link request to the security authentication gateway according to a routing table, the link request carrying the encrypted Micro SD card authentication information, and receives the reply returned by the security authentication gateway; when the reply is an authentication certificate, the encrypted Micro SD card authentication information is correct;
the client application writes the authentication certificate to the encrypted Micro SD card, the encrypted Micro SD card verifies the authentication certificate, and if the verification passes, the security authentication gateway and the encrypted Micro SD card have successfully completed bidirectional authentication.
4. The terminal secure access method for a railway broadband trunking communication system according to claim 1, wherein the client application obtaining the encryption certificate through the security authentication gateway comprises:
the client application sends an encryption certificate request to the security authentication gateway; the security authentication gateway parses and verifies the request and then sends the encryption certificate to the client application and to the corresponding railway broadband trunking communication equipment respectively; the encryption certificate comprises the user identity information of the terminal device and the validity period of the encryption certificate.
5. The terminal secure access method for a railway broadband trunking communication system according to claim 1, wherein obtaining the user configuration information and the login authentication token from the railway broadband trunking communication equipment using the encryption certificate and the login authentication information comprises:
the client application packages the login authentication information according to a set protocol standard, encrypts the packaged information with the encryption certificate and transmits it to the railway broadband trunking communication equipment;
the result returned by the railway broadband trunking communication equipment is received; if the login authentication information is correct, the returned result contains the encrypted user configuration information of the terminal device and the login authentication token.
6. The terminal secure access method for a railway broadband trunking communication system according to claim 1, wherein requesting service registration from the railway broadband trunking communication equipment comprises:
the client application decrypts the user configuration information and the login authentication token using the encryption certificate, encrypts the user configuration information and stores it on the encrypted Micro SD card, and verifies the login authentication token; if the login authentication token is correct, the decrypted login authentication token is encrypted and sent to the railway broadband trunking communication equipment to request service registration, so that the corresponding terminal user completes service registration with the system.
7. The terminal secure access method for a railway broadband trunking communication system according to claim 1 or 6, wherein, after service registration is completed, the client application reads part of the user data generated by previous services from the encrypted Micro SD card and displays it on the terminal device screen, the part of the user data comprising: address book, past call log and data service inbox.
8. The terminal secure access method for a railway broadband trunking communication system according to claim 1 or 6, wherein, after service registration is completed, the client application can initiate services including trunking voice, trunking data and trunking video, and during each service the information transmitted between the client application and the railway broadband trunking communication equipment is encrypted with the encryption certificate provided by the security authentication gateway;
after the client application or the railway broadband trunking communication equipment receives the encrypted data, it decrypts it with the encryption certificate into plaintext data conforming to the set protocol standard, and the communication of each service is completed according to the set protocol standard;
after the service flow ends, the client application displays part of the user data generated by the service on the terminal device screen, the part of the user data comprising: address book, past call log and data service inbox; and all user data generated by the service is encrypted and synchronized to the encrypted Micro SD card, all of the user data comprising: address book, past call log, data service inbox, voice recordings and video recordings.
9. The terminal secure access method for a railway broadband trunking communication system according to claim 1, further comprising: identity activation of the encrypted Micro SD card in advance through a Micro SD card secure read-write device, comprising the following steps:
inserting the encrypted Micro SD card into the SD card secure write-in/output module of the Micro SD card secure read-write device, and entering the user identity information of the terminal device and the IMEI of the terminal device through the human-computer interaction module of the Micro SD card secure read-write device, wherein IMEI denotes the international mobile equipment identity;
then performing data encryption in interaction with the security authentication gateway and, after encryption is complete, writing the encrypted information to the encrypted Micro SD card through the SD card secure write-in/output module, completing identity activation.
10. The terminal secure access method for a railway broadband trunking communication system according to claim 9, further comprising: after the terminal device has been used, removing the encrypted Micro SD card and connecting it to the Micro SD card secure read-write device; after decryption in interaction with the security authentication gateway, the data stored on the encrypted Micro SD card can be exported through the SD card secure write-in/output module or viewed directly through the human-computer interaction module of the Micro SD card secure read-write device, the stored data comprising: call recordings, video recordings, received messages and call logs.
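The card-side exchange is spread across the description (activation by the reader device, the "card lost" and "card in another terminal" cases) and claims 2, 3 and 9. The following Python model puts the three parties of that exchange together: the security authentication gateway, the encrypted Micro SD card, and the client application relaying messages between them, followed by the loss and misuse cases the description lists. It is an added illustration, not the patent's own code, and it fills in what the page leaves open: the page specifies no cipher ("conventional algorithms"), so an HMAC-SHA256 keystream with an HMAC tag stands in for it; the content of the "card authentication information" and "authentication certificate" messages, the per-card keys, the class and field names, and the sample IMEIs are all assumptions. The one design point the page does fix, that the key needed to read the card stays in the gateway, is what makes a card on its own unreadable below.

```python
"""Model of the encrypted Micro SD card / security authentication gateway exchange:
activation (claim 9), bidirectional authentication relayed by the client (claims 2-3),
IMEI binding (case 4) and the gateway-held content key (case 3). Illustrative stand-in,
not the patent's code: the page leaves the ciphers to "conventional algorithms", so an
HMAC-SHA256 keystream with an HMAC tag is used; all names and messages are assumptions."""
import hashlib, hmac, json, secrets

def mac(key, *parts):
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def _keystream(key, nonce, n):
    return b"".join(mac(key, b"ks", nonce, i.to_bytes(4, "big")) for i in range((n + 31) // 32))[:n]

def seal(key, plaintext):  # encrypt-then-MAC: nonce || ciphertext || tag
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + mac(key, b"tag", nonce, ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, mac(key, b"tag", nonce, ct)):
        raise ValueError("ciphertext authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class EncryptedCard:
    """Card side. The card key (assumed provisioned with the card) never leaves it; the
    activation blob sits in plain card storage and is useless without the content key."""
    def __init__(self, card_id, card_key):
        self.card_id, self._key, self.blob, self._nonce = card_id, card_key, None, None

    def auth_info(self):  # step 1: card authentication information, relayed by the client
        self._nonce = secrets.token_bytes(16)
        return self.card_id, self._nonce, mac(self._key, b"card", self.card_id, self._nonce)

    def verify_certificate(self, cert):  # step 3: the client writes the certificate back
        # The proof must answer the nonce this card issued (None once consumed), so a
        # recorded certificate cannot be replayed against the card later.
        proof = mac(self._key, b"gateway", self.card_id, self._nonce or b"", cert["gw_nonce"])
        if not hmac.compare_digest(cert["proof"], proof):
            raise PermissionError("card rejected the gateway certificate")
        session, self._nonce = mac(self._key, b"session", self._nonce, cert["gw_nonce"]), None
        return unseal(session, cert["wrapped_key"])  # content key, released only now

class SecurityGateway:
    def __init__(self):
        self.cards = {}  # card_id -> (card key, content key); both stay in the gateway

    def provision_card(self, card_id):
        card_key = secrets.token_bytes(32)
        self.cards[card_id] = (card_key, secrets.token_bytes(32))
        return EncryptedCard(card_id, card_key)

    def activate(self, card, user, password, imei):  # claim 9, driven by the reader device
        content_key = self.cards[card.card_id][1]
        card.blob = seal(content_key, json.dumps({"user": user, "password": password, "imei": imei}).encode())

    def issue_certificate(self, card_id, card_nonce, proof):  # step 2
        if card_id not in self.cards:  # unknown, or cleared by the administrator (case 5)
            return None
        card_key, content_key = self.cards[card_id]
        if not hmac.compare_digest(proof, mac(card_key, b"card", card_id, card_nonce)):
            return None
        gw_nonce = secrets.token_bytes(16)
        session = mac(card_key, b"session", card_nonce, gw_nonce)  # only this card can derive it
        return {"gw_nonce": gw_nonce,
                "proof": mac(card_key, b"gateway", card_id, card_nonce, gw_nonce),
                "wrapped_key": seal(session, content_key)}

def client_start(card, gateway, device_imei):
    """Claims 2-3 in order: bidirectional authentication relayed by the client application,
    IMEI comparison, then the login information is read from the card."""
    if card is None:
        raise PermissionError("no encrypted Micro SD card inserted")
    cert = gateway.issue_certificate(*card.auth_info())
    if cert is None:
        raise PermissionError("gateway rejected the card authentication information")
    record = json.loads(unseal(card.verify_certificate(cert), card.blob))
    if record["imei"] != device_imei:
        raise PermissionError("IMEI mismatch: card is bound to another terminal")
    return record["user"], record["password"]

def demo():
    """Happy path plus the loss/misuse cases from the description; returns each outcome."""
    imei, gw = "356938035643809", SecurityGateway()  # constructed sample terminal IMEI
    card = gw.provision_card(b"card-0001")
    gw.activate(card, "driver01", "s3cret", imei)

    def fails(fn):
        try:
            fn()
        except (PermissionError, ValueError):
            return True
        return False

    out = {"normal": client_start(card, gw, imei)}
    out["card_alone_unreadable"] = fails(lambda: unseal(b"\0" * 32, card.blob))  # case 3
    out["wrong_terminal"] = fails(lambda: client_start(card, gw, "490154203237518"))  # case 4
    out["no_card"] = fails(lambda: client_start(None, gw, imei))  # case 2
    cert = gw.issue_certificate(*card.auth_info())
    card.verify_certificate(cert)
    out["replayed_certificate"] = fails(lambda: card.verify_certificate(cert))
    del gw.cards[card.card_id]  # administrator clears the user's authentication information
    out["after_revocation"] = fails(lambda: client_start(card, gw, imei))  # case 5
    return out
```

Two choices in the model are worth noting when reading the claims against a real deployment. First, the certificate is bound to a nonce the card generated, which is what makes "the encrypted Micro SD card verifies the authentication certificate" (claim 3) meaningful: without that binding a captured certificate could be written back to the card by anyone. Second, the client application never holds a long-term key; it only relays opaque messages and receives the content key after both sides have authenticated, which is the property the "card lost" and "client application leaked" cases rely on.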
CN202210675295.7A 2022-06-15 2022-06-15 Terminal safety access method for railway broadband trunking communication system Active CN114760628B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210675295.7A CN114760628B (en) 2022-06-15 2022-06-15 Terminal safety access method for railway broadband trunking communication system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210675295.7A CN114760628B (en) 2022-06-15 2022-06-15 Terminal safety access method for railway broadband trunking communication system

Publications (2)

Publication Number Publication Date
CN114760628A CN114760628A (en) 2022-07-15
CN114760628B true CN114760628B (en) 2022-08-30

Family

ID=82337223

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210675295.7A Active CN114760628B (en) 2022-06-15 2022-06-15 Terminal safety access method for railway broadband trunking communication system

Country Status (1)

Country Link
CN (1) CN114760628B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105704092A (en) * 2014-11-25 2016-06-22 卓望数码技术(深圳)有限公司 (Aspire Digital Technologies (Shenzhen) Co., Ltd.) User identity authentication method, device and system
CN110097486A (en) * 2019-04-19 2019-08-06 公安部第三研究所 (Third Research Institute of the Ministry of Public Security) Mobile police identity verification and recording system
CN110830927A (en) * 2019-11-08 2020-02-21 佳讯飞鸿(北京)智能科技研究院有限公司 (Jiaxun Feihong (Beijing) Intelligent Technology Research Institute Co., Ltd.) Multimedia trunking communication method, device and terminal
WO2022080388A1 (en) * 2020-10-16 2022-04-21 Nec Corporation Method of ue, and ue
WO2022080371A1 (en) * 2020-10-16 2022-04-21 Nec Corporation Method of communication terminal, communication terminal, method of core network apparatus, and core network apparatus

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Issues related to MCX initial registration: MCPTT user authentication; MCC TF160 et al.; 3GPP TSG-RAN5 Meeting #87-e, R5-201323; 2020-05-29; full text *

Also Published As

Publication number Publication date
CN114760628A (en) 2022-07-15

Similar Documents

Publication Publication Date Title
CN108684041B (en) System and method for login authentication
CN105050081B (en) Method, device and system for connecting network access device to wireless network access point
US8806616B2 (en) System, method, and apparatus for allowing a service provider system to authenticate that a credential is from a proximate device
US11330432B2 (en) Maintenance system and maintenance method
US10931464B2 (en) Communication system, hardware security module, terminal device, communication method, and program
JP2023508317A (en) contactless card personal identification system
US20130219180A1 (en) Data processing for securing local resources in a mobile device
CN113557703B (en) Authentication method and device of network camera
CN107743067A (en) Awarding method, system, terminal and the storage medium of digital certificate
EP3367607B1 (en) Communication device, communication method and computer program
CN107204985A (en) Purview certification method based on encryption key, apparatus and system
CN107277017A (en) Purview certification method, apparatus and system based on encryption key and device-fingerprint
CN106550359A (en) The authentication method and system of a kind of terminal and SIM
EP3785153A1 (en) Remote biometric identification
CN104901967A (en) Registration method for trusted device
CN112261103A (en) Node access method and related equipment
CN110912857B (en) Method and storage medium for sharing login between mobile applications
CN114760628B (en) Terminal safety access method for railway broadband trunking communication system
CN116132986A (en) Data transmission method, electronic equipment and storage medium
CN113297563B (en) Method and device for accessing privileged resources of system on chip and system on chip
JP2004206258A (en) Multiple authentication system, computer program, and multiple authentication method
KR20040088137A (en) Method for generating encoded transmission key and Mutual authentication method using the same
CN116132072B (en) Security authentication method and system for network information
JP2008236594A (en) Wireless lan authentication system
CN118611973A (en) Anti-phishing safety identity authentication method based on Usbkey

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant