CN114760628B - Terminal secure access method for a railway broadband trunking communication system - Google Patents

Terminal secure access method for a railway broadband trunking communication system

Info

Publication number
CN114760628B
CN114760628B
Authority
CN
China
Prior art keywords
card
encrypted
authentication
information
micro
Legal status
Active
Application number
CN202210675295.7A
Other languages
Chinese (zh)
Other versions
CN114760628A
Inventor
闫晓宇
王开锋
郭强亮
李春铎
刘畅
付文刚
王丞
李辉
陈松
窦垭锡
张玉金
张志豪
李旭
杨居丰
白晓楠
高尚勇
张弘毅
刘运
王祖元
王宇飞
刘焱欣
于进
李峥
王洪杨
崔明星
谢红娟
祝远征
Current Assignee
China Academy of Railway Sciences Corp Ltd CARS
Signal and Communication Research Institute of CARS
Beijing Ruichi Guotie Intelligent Transport Systems Engineering Technology Co Ltd
Beijing Huatie Information Technology Co Ltd
Original Assignee
China Academy of Railway Sciences Corp Ltd CARS
Signal and Communication Research Institute of CARS
Beijing Ruichi Guotie Intelligent Transport Systems Engineering Technology Co Ltd
Beijing Huatie Information Technology Co Ltd
Application filed by China Academy of Railway Sciences Corp Ltd CARS, Signal and Communication Research Institute of CARS, Beijing Ruichi Guotie Intelligent Transport Systems Engineering Technology Co Ltd and Beijing Huatie Information Technology Co Ltd
Priority to CN202210675295.7A
Publication of CN114760628A
Application granted
Publication of CN114760628B

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
            • H04W 4/06 Selective distribution of broadcast services, e.g. multimedia broadcast multicast service [MBMS]; Services to user groups; One-way selective calling services
          • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W 12/009 Security arrangements; Authentication; Protecting privacy or anonymity specially adapted for networks, e.g. wireless sensor networks, ad-hoc networks, RFID networks or cloud networks
            • H04W 12/03 Protecting confidentiality, e.g. by encryption
            • H04W 12/06 Authentication
              • H04W 12/069 Authentication using certificates or pre-shared keys
            • H04W 12/08 Access security
              • H04W 12/084 Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol
            • H04W 12/10 Integrity
            • H04W 12/12 Detection or prevention of fraud
              • H04W 12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
              • H04W 12/122 Counter-measures against attacks; Protection against rogue devices
            • H04W 12/40 Security arrangements using identity modules
              • H04W 12/48 Security arrangements using identity modules using secure binding, e.g. securely binding identity modules to devices, services or applications
            • H04W 12/60 Context-dependent security
              • H04W 12/69 Identity-dependent
                • H04W 12/71 Hardware identity
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
      • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
        • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
          • Y02D 30/00 Reducing energy consumption in communication networks
            • Y02D 30/70 Reducing energy consumption in communication networks in wireless communication networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Multimedia (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention discloses a terminal secure access method for a railway broadband trunking communication system. It adds an encrypted interaction procedure between the client application and a Micro SD card, and an interaction procedure among the client application, the railway broadband trunking communication equipment (MC equipment) and a security authentication gateway. Through the security authentication gateway the client application stores encrypted data on the encrypted Micro SD card and is bound to it by one-to-one authentication, and it accesses the system only after mutual authentication with the Micro SD card. This protects the security of user data and reduces the risk of user information being leaked because the client application has spread or the terminal device has been lost.

Description

Terminal secure access method for a railway broadband trunking communication system

Technical field

The present invention relates to the technical field of railway wireless communication, and in particular to a terminal secure access method for a railway broadband trunking communication system.

Background

The railway broadband trunking communication system is developed on the basis of 3GPP mission-critical communication (MCX) technology. As the solution for next-generation railway trunking communication, it provides strong support for making railway communication intelligent and broadband-capable.

The Chinese patent application CN110830927A, "A multimedia trunking communication method, device and terminal", and the 2018 Beijing Institute of Technology thesis "Design and Implementation of MCPTT Terminal Software" both disclose terminal access schemes for the 3GPP mission-critical communication (MCX) system.

However, in the railway broadband trunking communication system the services are separated from the bearer, and the client is usually delivered as an installation package for an upper-layer terminal application, which can be installed on and adapted to terminal devices of different kinds and models. Because the client installation package spreads easily and is hard to supervise, and because railway communication equipment is complex, diverse and widely distributed, the terminal access scheme provided by the 3GPP MCX system cannot meet the security requirements for terminal access to the railway broadband trunking communication system.

The terminal devices of the railway broadband trunking communication system are geographically dispersed, difficult to supervise and easy to replace maliciously, so there is a risk of illegitimate terminals accessing the system and of user data being stolen. Because the client is provided as an application installation package, its spread cannot be controlled: an unauthorised party can obtain the package with little effort and then install and use the client. If a user's username and password leak in some way and no effective access control policy is in place, important data and sensitive information may be disclosed and the system may be attacked.

Summary of the invention

The object of the present invention is to provide a terminal secure access method for a railway broadband trunking communication system that can reduce the risk of the channel being attacked and of the system being subjected to impersonated registration and attack.

The object of the present invention is achieved by the following technical solution:

A terminal secure access method for a railway broadband trunking communication system, comprising:

the client application in the terminal device performs mutual authentication with an encrypted Micro SD card, and after the mutual authentication passes, the client application obtains login authentication information from the encrypted Micro SD card, where the Micro SD card is a flash memory card;

the client application obtains an encryption certificate through the security authentication gateway, uses the encryption certificate together with the login authentication information to obtain user configuration information and a login authentication token from the railway broadband trunking communication equipment, and requests service registration from the railway broadband trunking communication equipment; after successful registration the terminal device accesses the railway broadband trunking communication system.

It can be seen from the technical solution provided above that an encrypted interaction procedure between the client application and the Micro SD card is added, together with an interaction procedure among the client application, the railway broadband trunking communication equipment (MC equipment) and the security authentication gateway. Through the security authentication gateway the client application stores encrypted data on the encrypted Micro SD card and is bound to it by one-to-one authentication, and it accesses the system only after mutual authentication with the Micro SD card. This protects the security of user data and reduces the risk of user information being leaked because the client application has spread or the terminal device has been lost.

Description of the drawings

To explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.

FIG. 1 is a flowchart of a terminal secure access method for a railway broadband trunking communication system according to an embodiment of the present invention;

FIG. 2 is a flowchart of the mutual authentication between the client application and the encrypted Micro SD card according to an embodiment of the present invention;

FIG. 3 is a flowchart of the client application accessing the MC equipment according to an embodiment of the present invention;

FIG. 4 is a schematic diagram of the architecture of the railway broadband trunking communication system according to an embodiment of the present invention;

FIG. 5 is a working-state diagram of the Micro SD card secure read/write device reading and writing a Micro SD card according to an embodiment of the present invention.

Detailed description

The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the protection scope of the present invention.

Terms that may be used in this document are explained first:

The terms "comprise", "include", "contain", "have" and other descriptions of similar meaning are to be interpreted as non-exclusive inclusion. For example, "comprising a technical feature element" (such as a raw material, component, ingredient, carrier, dosage form, material, dimension, part, assembly, mechanism, device, step, process, method, reaction condition, processing condition, parameter, algorithm, signal, data, product or article) is to be interpreted as including not only the explicitly listed technical feature element but also other technical feature elements known in the art that are not explicitly listed.

The terminal secure access method for a railway broadband trunking communication system provided by the present invention is described in detail below. Content not described in detail in the embodiments belongs to the prior art known to those skilled in the art. Where specific conditions are not indicated in the embodiments, the conventional conditions in the art or the conditions recommended by the manufacturer apply.

As shown in FIG. 1, the terminal secure access method for a railway broadband trunking communication system mainly includes the following steps:

Step 1: the client application performs mutual authentication with the encrypted Micro SD card.

In the embodiment of the present invention, the client application performs mutual authentication with the encrypted Micro SD card, and after the mutual authentication passes, the client application obtains the login authentication information from the encrypted Micro SD card; the Micro SD card is a flash memory card.

Step 2: the client application accesses the MC equipment through the security authentication gateway.

The client application obtains an encryption certificate through the security authentication gateway, uses the encryption certificate together with the login authentication information to obtain user configuration information and a login authentication token from the railway broadband trunking communication equipment, and requests service registration from the railway broadband trunking communication equipment; after successful registration the terminal device accesses the railway broadband trunking communication system.

In the embodiment of the present invention, the terminal device is the device on which the client application is installed. Besides the railway broadband trunking communication equipment mentioned in the present invention, the railway broadband trunking communication system also contains a series of other server devices; the present invention mainly describes the interaction between the terminal device and the railway broadband trunking communication equipment, so the other server devices are not mentioned.

After the above steps, confidentiality and integrity protection can be provided for the trunked voice, trunked data and trunked video services between the client application and the MC equipment. The secure access method reduces the risks of user data leakage, of illegitimate access to the system by impersonating a terminal user, and of attacks on the communication channel.

For ease of understanding, preferred implementations of steps 1 and 2 above are described below.

1. Mutual authentication between the client application and the encrypted Micro SD card.

FIG. 2 shows the flowchart of the mutual authentication between the client application and the encrypted Micro SD card, which mainly includes the following steps:

Step 11: the client application successfully detects the encrypted Micro SD card and obtains the authentication certificate.

After the terminal device is powered on, the client application checks whether an encrypted Micro SD card is correctly inserted in the terminal device. If it is, the client application reads the encrypted Micro SD card authentication information from the card; the security authentication gateway later uses this information to verify the encrypted Micro SD card.

Step 12: the client application passes the authentication certificate of the encrypted Micro SD card to the security authentication gateway and receives the authentication certificate returned by the gateway.

After obtaining the encrypted Micro SD card authentication information, the client application sends a linked-list request to the security authentication gateway according to its routing table; the request carries the encrypted Micro SD card authentication information. On receiving the request, the security authentication gateway decrypts the Micro SD card authentication information and verifies its authenticity. If the verification succeeds, the gateway sends the encrypted client application authentication certificate corresponding to that information to the client application, indicating that the authentication information is correct. If the verification fails, the gateway sends a failure message to the client application, which stops further processing and shows the reason for the failure to the end user.

Step 13: the client application writes the authentication certificate to the encrypted Micro SD card for verification.

The client application writes the authentication certificate to a designated location on the encrypted Micro SD card, and the encrypted Micro SD card decrypts and verifies it. If the certificate verifies, the client application and the encrypted Micro SD card have completed two-way authentication; the end user is told that the encrypted Micro SD card connection authentication succeeded, and the subsequent procedure continues. If verification fails, the end user is told that the encrypted Micro SD card authentication failed, and the subsequent procedure is stopped.

In the embodiment of the present invention, the information exchanged between the encrypted Micro SD card and the security authentication gateway during identity activation before use leaves corresponding encryption and decryption material on both the Micro SD card and the security gateway (described later). Steps 11 to 13 are the two-way authentication of the encrypted Micro SD card through the client application and the security authentication gateway; the client application makes its own decision in response to the result returned by each side, and at this stage the encrypted Micro SD card likewise uses the encryption and decryption material retained at identity activation to encrypt and decrypt the information.

Step 14: the client application obtains and checks the IMEI information of the terminal device and the IMEI information stored on the encrypted Micro SD card.

After the encrypted Micro SD card has passed the two-way authentication, the client application obtains the IMEI (International Mobile Equipment Identity) from the terminal device's operating system and the pre-stored IMEI from the encrypted Micro SD card, and checks whether the two match. If they match, the client application and the encrypted Micro SD card have completed mutual authentication. If they do not match, the end user is told that the encrypted Micro SD card does not match and that the correct encrypted Micro SD card needs to be verified, and the subsequent procedure is stopped.

Step 15: the client application obtains the login authentication information stored on the encrypted Micro SD card.

The client application obtains the encrypted login authentication information from a designated location on the encrypted Micro SD card; it includes the username and password needed to log in to the system. The client application decrypts the login authentication information and then proceeds to the step of accessing the MC equipment.

In the embodiment of the present invention, the client application interacts with the encrypted Micro SD card to obtain the corresponding encryption and decryption key material, so that it can decrypt the various encrypted items read from the encrypted Micro SD card.

In the embodiment of the present invention, the encrypted Micro SD card can be divided into several storage areas as needed, each holding a different type of data. The designated locations involved in steps 11 to 15 can be set according to actual circumstances; the present invention does not limit them.

2. Accessing the MC equipment.

After completing the mutual authentication with the encrypted Micro SD card and obtaining the login username and password, the client application needs to access the MC equipment; only then can the user of the terminal device carry out trunked voice, trunked data and trunked video services through the client application and the MC equipment. The procedure by which the client application accesses the MC equipment is shown in FIG. 3 and mainly includes:

Step 21: the client application obtains the transmission channel encryption certificate from the security authentication gateway.

When the client application exchanges information with the MC equipment, the exchanged information must be encrypted and decrypted, which requires the encryption certificates that the security authentication gateway issues for the individual terminal devices. Therefore, the client application sends an encryption certificate request to the security authentication gateway; after parsing and verifying the request, the gateway sends the encryption certificate separately to the client application and to the corresponding railway broadband trunking communication equipment. The encryption certificate contains the user identity information of the terminal device and the validity period of the certificate.

Step 22: the client application initiates service authentication with the MC equipment and obtains the user configuration information and a login authentication token.

In the embodiment of the present invention, the client application encapsulates the login authentication information according to a set protocol standard (for example, the 3GPP protocol standard), encrypts the encapsulated information with the encryption certificate, and transmits it directly to the railway broadband trunking communication equipment (that is, the encrypted information does not need to pass through the security authentication gateway), so that user login authentication is performed by the MC equipment; it then receives the result returned by the railway broadband trunking communication equipment.

In the embodiment of the present invention, the login authentication information is the username and password obtained earlier, which were pre-configured in the database before the user's identity was activated. On receiving the encrypted information, the MC equipment decrypts it using the encryption certificate and checks whether the username and password it contains are correct. If they are, the MC equipment sends the encrypted user configuration information and a login authentication token to the client application. The user configuration information is the user configuration that the MC equipment pre-set in the database before the user's identity was activated.

Step 23: parse and verify the login authentication token, and request service registration.

In the embodiment of the present invention, the client application uses the encryption certificate to recover the user configuration information and the login authentication token, stores the user configuration information in encrypted form on the encrypted Micro SD card, and verifies the login authentication token. If the token is correct, the client application encrypts the parsed login authentication token and sends it to the railway broadband trunking communication equipment to request service registration, so that the corresponding terminal user completes service registration with the system. After service registration is complete, the client application reads, via the encrypted Micro SD card, part of the user data generated by previous services and displays it on the terminal device screen; this partial user data includes the address book, past call records and the data service inbox.
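The two procedures above, steps 11 to 15 (card, client application and gateway mutual authentication plus the IMEI binding check) and steps 21 to 23 (channel certificate, service authentication, token check and registration), as one runnable simulation. This is an illustration added here, not code from the patent or from any railway product: the patent names no cipher or certificate format, so HMAC-SHA256 tags under keys left behind at identity activation stand in for its "encrypted" information, and every class name, key and sample value (card id, IMEI, username, password) is constructed.

```python
"""Simulation of the card/gateway mutual authentication and IMEI binding (steps 11-15)
and of the MC login, token check and registration (steps 21-23). The patent names no
cipher or certificate format, so HMAC-SHA256 tags under keys left behind at identity
activation stand in for its "encrypted" data (assumption). All values are constructed."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

class AccessDenied(Exception):
    pass  # raised wherever the patent says the client stops the subsequent procedure

def tag(key, *parts):  # keyed tag over length-prefixed fields (fields cannot be shifted)
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()

@dataclass
class EncryptedCard:
    card_id: bytes
    activation_key: bytes   # retained on card and gateway at identity activation
    bound_imei: str         # IMEI written to the card when it was issued
    login: tuple            # (username, password) held encrypted on the card

    def auth_info(self):  # step 11: authentication information the app reads off the card
        nonce = secrets.token_bytes(16)
        return self.card_id, nonce, tag(self.activation_key, b"card", self.card_id, nonce)

    def verify_gateway_cert(self, nonce, cert):  # step 13: card checks what the app writes back
        return hmac.compare_digest(cert, tag(self.activation_key, b"gw", self.card_id, nonce))

@dataclass
class Gateway:
    cards: dict             # card_id -> activation_key, filled at identity activation
    channel_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def linked_list_request(self, card_id, nonce, card_tag):  # step 12
        key = self.cards.get(card_id)
        if key is None or not hmac.compare_digest(card_tag, tag(key, b"card", card_id, nonce)):
            return None  # failure message: the app must stop here
        return tag(key, b"gw", card_id, nonce)  # encrypted client application certificate

    def issue_channel_cert(self, username):  # step 21: identity plus validity, also sent to MC
        key = tag(self.channel_key, b"chan", username.encode())
        return {"user": username, "expires": time.time() + 3600, "key": key}

@dataclass
class MCEquipment:
    users: dict             # username -> (password, user configuration), pre-configured
    token_key: bytes
    registered: set = field(default_factory=set)

    def service_auth(self, cert, username, login_tag):  # step 22
        record = self.users.get(username)
        if record is None or cert["user"] != username or time.time() > cert["expires"]:
            return None
        expected = tag(cert["key"], b"login", username.encode(), record[0].encode())
        if not hmac.compare_digest(login_tag, expected):
            return None
        expires = int(time.time()) + 600
        token = (username, expires, tag(self.token_key, b"token", username.encode(), str(expires).encode()))
        return record[1], token  # encrypted user configuration and login authentication token

    def register(self, username, token):  # step 23, server side: only a token it issued
        user, expires, mac = token
        expected = tag(self.token_key, b"token", user.encode(), str(expires).encode())
        if user != username or expires <= time.time() or not hmac.compare_digest(mac, expected):
            return False
        self.registered.add(username)
        return True

def client_access(device_imei, card, gateway, mc):  # client side, fails closed at every check
    card_id, nonce, card_tag = card.auth_info()                           # step 11
    cert = gateway.linked_list_request(card_id, nonce, card_tag)           # step 12
    if cert is None:
        raise AccessDenied("gateway rejected the card authentication information")
    if not card.verify_gateway_cert(nonce, cert):                          # step 13
        raise AccessDenied("card rejected the gateway certificate")
    if not hmac.compare_digest(device_imei.encode(), card.bound_imei.encode()):  # step 14
        raise AccessDenied("IMEI on the card does not match this terminal")
    username, password = card.login                                        # step 15
    chan = gateway.issue_channel_cert(username)                            # step 21
    login_tag = tag(chan["key"], b"login", username.encode(), password.encode())
    result = mc.service_auth(chan, username, login_tag)                    # step 22
    if result is None:
        raise AccessDenied("MC equipment rejected the login")
    config, token = result
    if token[0] != username or token[1] <= time.time():                    # step 23
        raise AccessDenied("login token is not for this user or has expired")
    if not mc.register(username, token):
        raise AccessDenied("service registration refused")
    return config

def attempt(device_imei, card, gateway, mc):
    try:  # report either the user configuration or the reason access was refused
        return "ok", client_access(device_imei, card, gateway, mc)
    except AccessDenied as exc:
        return "denied", str(exc)
```

The same card moved into a handset with a different IMEI, or a card the gateway never activated, is refused before any login information leaves the card.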

3. Confidentiality and integrity protection of services.

With the solutions described in parts one and two above, terminal device access is achieved. After that, services including trunking voice, trunking data and trunking video can be initiated through the client application. During each service, the information transmitted between the client application and the railway broadband trunking communication equipment is encrypted with the encryption certificate provided by the security authentication gateway. After receiving the encrypted data, the client application and the railway broadband trunking communication equipment decrypt it with the encryption certificate into plaintext that conforms to the set protocol standard (for example, the 3GPP protocol standard) and complete the communication for each service according to that standard. When a service flow ends, the client application displays part of the user data generated by the service on the terminal device screen (the address book, past call records and the data service inbox) and encrypts and synchronises all user data generated by the service to the encrypted Micro SD card; all user data comprises the address book, past call records, the data service inbox, voice recordings and video recordings.

The above is the main solution of the terminal security access method for a railway broadband trunking communication system provided by the present invention. Figure 4 shows the architecture of the railway broadband trunking communication system. On top of the mission-critical communication (MCX) system of the 3GPP standard, the railway broadband trunking communication system adds a security authentication gateway, a Micro SD card secure read/write device (not shown in Figure 3) and encrypted Micro SD cards in a number matching the terminals; the client application gains an encrypted interaction flow with the Micro SD card, and the client application and the MC device gain an interaction flow with the security authentication gateway (that is, the aforementioned steps 1 to 2).

Figure 5 shows the working state of the Micro SD card secure read/write device reading and writing a Micro SD card. As shown in Figure 4, the Micro SD card secure read/write device comprises a human-machine interaction module and an SD card secure write/output module. Before an encrypted Micro SD card is used in a terminal device, its identity must be activated by the Micro SD card secure read/write device on the basis of the user identity information and the terminal device. The identity activation step comprises: inserting the encrypted Micro SD card into the SD card secure write/output module of the Micro SD card secure read/write device and entering the user identity information of the terminal device and the IMEI of the terminal device through the human-machine interaction module; then interacting with the security authentication gateway to encrypt the data; and, once encryption is complete, writing the encrypted information to the encrypted Micro SD card through the SD card secure write/output module, which completes identity activation.

In this embodiment, the user identity information and the IMEI are encrypted mainly by the security authentication gateway. On the one hand, the categories of information that are encrypted can be adjusted as required; on the other hand, the encrypted data is stored directly on the encrypted Micro SD card and, in later use (for example, step 14 described above), the client application extracts the relevant encrypted information and decrypts it. The encryption and decryption algorithms used by the security authentication gateway, the encrypted Micro SD card and the client application in this part are matching algorithms, and each party holds the corresponding encryption and decryption key information, so information can be encrypted and decrypted correctly. Since the algorithms involved in this part can be implemented with conventional algorithms, they are not described further.

In addition, when the terminal device is no longer in use, the encrypted Micro SD card is removed and connected to the Micro SD card secure read/write device; after the data has been decrypted by interacting with the security authentication gateway, the data stored on the encrypted Micro SD card can be exported through the SD card secure write/output module or viewed directly through the human-machine interaction module of the Micro SD card secure read/write device. The stored data comprises call recordings, video recordings, received messages and call records.

The terminal security access method for a railway broadband trunking communication system provided by this embodiment protects against the following situations:

1. The communication channel is attacked.

If no protection is applied on the channel, service signalling and user data are transmitted entirely in plaintext, and once the communication channel is attacked all transmitted data is at risk of being compromised. The terminal security access method protects the channel: signalling is transmitted as ciphertext end to end, which reduces the risk of user data leakage and signalling tampering when the channel is attacked.

2. The client application and the login user name and password are leaked.

If the client application and the login user name and password of the railway broadband trunking communication system are leaked and no secure access method is in place, a user identity can be impersonated to gain illegal access, so that the source of information becomes unreliable and information is stolen. The terminal security access method relies on bidirectional authentication with the encrypted Micro SD card when the client application starts, so a client application that does not recognise an encrypted Micro SD card cannot be used normally, which prevents the user identity from being impersonated.

3. The encrypted Micro SD card is lost.

The encrypted Micro SD card stores user login authentication information and user data, but all of it is encrypted and the encryption key is kept in the security authentication gateway, so the stored information cannot be recovered from the encrypted Micro SD card alone. Even if the encrypted Micro SD card is lost, the user identity and user data remain protected.

4. The client application is leaked and the encrypted Micro SD card is lost at the same time.

When the user identity is activated, the encrypted Micro SD card is burned not only with the login authentication information but also with the international mobile equipment identity (IMEI) of the terminal device. After bidirectional authentication with the encrypted Micro SD card, the client application must also read the IMEI stored on the card and compare it with the IMEI obtained from the terminal device, which prevents the user identity from being impersonated.

5. The terminal device with the client application installed and its encrypted Micro SD card are lost.

When a terminal device with the client application installed and its encrypted Micro SD card are lost, the user of the terminal device will quickly notice and report it to the railway broadband trunking communication system administrator. The administrator can clear that user's authentication information in the security authentication gateway, which blocks any subsequent services initiated from the terminal device and any retrieval of user data, and then change the user's login password on the MC device to block subsequent login attempts from the terminal device.

6. The client application is forged and the login user name and password are leaked.

Because the 3GPP protocol standards for trunking voice (MCPTT), trunking data (MCData) and trunking video (MCVideo) are public, an attacker can forge a client application from the standards, bypass the interactive authentication with the encrypted Micro SD card, and attempt to log in directly with the leaked user name and password. The terminal security access method encrypts transmitted data through the security authentication gateway; the system does not respond to plaintext signalling that merely conforms to the 3GPP protocol standard, so a forged client application can neither log in to the system nor steal user data.

From the description of the above embodiments, those skilled in the art will understand that the embodiments can be implemented in software, or in software together with the necessary general-purpose hardware platform. On this basis, the technical solutions of the embodiments can be embodied as a software product stored on a non-volatile storage medium (such as a CD-ROM, USB flash drive or portable hard disk) that comprises instructions causing a computer device (a personal computer, server, network device or the like) to execute the methods described in the embodiments of the present invention.

The above describes only preferred embodiments of the present invention; its protection scope is not limited to them, and any variation or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention falls within its protection scope. The protection scope of the present invention is therefore defined by the claims.
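The exchange of steps 22 and 23, the certificate-based encryption of service traffic in part three, the card activation with IMEI check, and cases 3, 4, 5 and 6 above, as one added example in Python. This is not the patent holders' code and the patent names no concrete cipher: HMAC-SHA256 in counter mode with an encrypt-then-MAC tag stands in for the "conventional algorithm", the card/gateway bidirectional authentication is reduced to a key lookup, the client's token check is modelled as binding the token to the card's user, and every identifier, credential, key and IMEI is a constructed sample value.

```python
import hashlib, hmac, json, secrets, time

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()  # separate keys for encryption and tag

def _keystream(key, nonce, n):
    # Stand-in cipher (assumption, the patent names none): HMAC-SHA256 as a PRF in counter mode.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON object: nonce(16) || ciphertext || tag(32)."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(_subkey(key, b"enc"), nonce, len(pt))))
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def open_sealed(key, blob):
    """Verify the tag, then decrypt; None for plaintext, tampered or foreign-key input."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))
    try:
        return json.loads(pt)
    except ValueError:
        return None

class SecurityGateway:
    """Keeps every card key (never written to the card) and issues encryption certificates."""
    def __init__(self):
        self.card_keys, self.revoked = {}, set()

    def activate_card(self, card_id, user, password, imei):
        # Identity activation: the sealed record is what the secure read/write device burns onto the card.
        self.card_keys[card_id] = secrets.token_bytes(32)
        return seal(self.card_keys[card_id], {"user": user, "password": password, "imei": imei})

    def card_key(self, card_id):
        # Card/gateway bidirectional authentication reduced to a lookup (assumption); a card whose
        # authentication information the administrator has cleared (case 5) gets nothing.
        return None if card_id in self.revoked else self.card_keys.get(card_id)

    def issue_certificate(self, user, ttl=3600):
        # Encryption certificate: user identity, validity period and a key shared with the MC device.
        return {"user": user, "expires": int(time.time()) + ttl, "key": secrets.token_bytes(32).hex()}

class MCDevice:
    """Trunking equipment: pre-configured credentials and user configuration, issues login tokens."""
    def __init__(self, credentials, configs):
        self.credentials, self.configs, self.registered = credentials, configs, set()
        self.token_key = secrets.token_bytes(32)

    def _token(self, user):
        return hmac.new(self.token_key, user.encode(), hashlib.sha256).hexdigest()

    def login(self, cert, blob):
        """Step 22: decrypt with the certificate key and check the user name and password."""
        key = bytes.fromhex(cert["key"])
        msg = open_sealed(key, blob)
        if msg is None or time.time() > cert["expires"]:
            return None  # plaintext signalling that merely follows the 3GPP standard gets no reply (case 6)
        user, password = msg.get("user"), msg.get("password")
        if not isinstance(user, str) or password is None or self.credentials.get(user) != password:
            return None
        return seal(key, {"user": user, "config": self.configs[user], "token": self._token(user)})

    def register(self, cert, blob):
        """Step 23: accept an encrypted, valid login authentication token and register the user."""
        msg = open_sealed(bytes.fromhex(cert["key"]), blob)
        if msg is None or not isinstance(msg.get("user"), str) or not hmac.compare_digest(
                self._token(msg["user"]).encode(), str(msg.get("token", "")).encode()):
            return False
        self.registered.add(msg["user"])
        return True

def client_access(gateway, mc, card_id, card_blob, device_imei):
    """Client application from start-up to service registration; returns the outcome as text."""
    key = gateway.card_key(card_id)
    card = open_sealed(key, card_blob) if key is not None else None
    if card is None:
        return "card rejected by gateway"  # revoked card, or card data that does not verify (case 3)
    if card["imei"] != device_imei:
        return "IMEI mismatch"  # card moved to another handset (case 4)
    cert = gateway.issue_certificate(card["user"])  # the gateway delivers it to the MC device as well
    key = bytes.fromhex(cert["key"])
    reply = mc.login(cert, seal(key, {"user": card["user"], "password": card["password"]}))
    if reply is None:
        return "login refused"
    msg = open_sealed(key, reply)
    if msg is None or msg.get("user") != card["user"]:  # token check (assumption: token bound to the card's user)
        return "bad token"
    if not mc.register(cert, seal(key, {"user": msg["user"], "token": msg["token"]})):
        return "registration refused"
    return "registered"
```

To walk the flow once, create `SecurityGateway()` and `MCDevice({"driver01": "pw-1"}, {"driver01": {"group": "line-1"}})`, burn a card with `activate_card("card-A", "driver01", "pw-1", "356938035643809")` and call `client_access` with the same IMEI; it returns `"registered"`. Feeding the same card blob with a different IMEI returns `"IMEI mismatch"`, a plaintext JSON login handed to `MCDevice.login` returns `None`, and a card blob opened with any key other than the gateway's returns `None`, which is the lost-card property the text relies on.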

Claims (10)

1. A terminal security access method for a railway broadband trunking communication system, characterised by comprising the following steps:
a client application in a terminal device performs interactive authentication with an encrypted Micro SD card and, when the interactive authentication passes, acquires login authentication information from the encrypted Micro SD card, wherein the Micro SD card is a flash memory card;
the client application acquires an encryption certificate through a security authentication gateway, acquires user configuration information and a login authentication token from the railway broadband trunking communication equipment by means of the encryption certificate and the login authentication information, requests service registration from the railway broadband trunking communication equipment, and accesses the terminal device to the railway broadband trunking communication system after service registration succeeds.
2. The terminal security access method for a railway broadband trunking communication system according to claim 1, wherein, after the terminal device is powered on, the interactive authentication between the client application and the encrypted Micro SD card comprises:
the encrypted Micro SD card performs bidirectional authentication with the security authentication gateway through the client application; when the bidirectional authentication succeeds, the client application acquires IMEI information from the terminal device system, acquires the pre-stored IMEI information from the encrypted Micro SD card, and verifies whether the two IMEI values match, wherein IMEI denotes the international mobile equipment identity; if the two IMEI values match, the client application and the encrypted Micro SD card have completed interactive authentication, and the client application acquires the encrypted login authentication information from the encrypted Micro SD card, the login authentication information comprising the user name and password required to log in to the system.
3. The terminal security access method for a railway broadband trunking communication system according to claim 2, wherein the bidirectional authentication between the client application and the encrypted Micro SD card comprises:
after the terminal device starts, the client application checks whether the encrypted Micro SD card is correctly inserted in the terminal device; if it is, the client application reads the encrypted Micro SD card authentication information from the encrypted Micro SD card;
the client application sends a connection request to the security authentication gateway according to a routing table, the connection request carrying the encrypted Micro SD card authentication information, and receives the reply returned by the security authentication gateway; when the reply is an authentication certificate, the encrypted Micro SD card authentication information is correct;
the client application writes the authentication certificate to the encrypted Micro SD card and the encrypted Micro SD card verifies the authentication certificate; if the verification passes, the security authentication gateway and the encrypted Micro SD card have successfully completed bidirectional authentication.
4. The terminal security access method for a railway broadband trunking communication system according to claim 1, wherein the client application acquiring the encryption certificate through the security authentication gateway comprises:
the client application sends an encryption certificate request to the security authentication gateway, and the security authentication gateway parses and verifies the request and then sends the encryption certificate to the client application and to the corresponding railway broadband trunking communication equipment respectively; the encryption certificate comprises the user identity information of the terminal device and the validity period of the encryption certificate.
5. The terminal security access method for a railway broadband trunking communication system according to claim 1, wherein acquiring the user configuration information and the login authentication token from the railway broadband trunking communication equipment by means of the encryption certificate and the login authentication information comprises:
the client application packages the login authentication information according to a set protocol standard, encrypts the packaged information with the encryption certificate and transmits it to the railway broadband trunking communication equipment;
the client application receives the result returned by the railway broadband trunking communication equipment; if the login authentication information is correct, the returned result contains the encrypted user configuration information of the terminal device and the login authentication token.
6. The terminal security access method for a railway broadband trunking communication system according to claim 1, wherein requesting service registration from the railway broadband trunking communication equipment comprises:
the client application parses the user configuration information and the login authentication token by means of the encryption certificate, encrypts and stores the user configuration information on the encrypted Micro SD card, and verifies the login authentication token; if the login authentication token is correct, the parsed login authentication token is encrypted and sent to the railway broadband trunking communication equipment to request service registration, so that the corresponding terminal user completes service registration with the system.
7. The terminal security access method for a railway broadband trunking communication system according to claim 1 or 6, wherein, after service registration is completed, the client application reads part of the user data generated by previous services through the encrypted Micro SD card and displays it on the terminal device screen, the part of the user data comprising the address book, past call records and the data service inbox.
8. The terminal security access method for a railway broadband trunking communication system according to claim 1 or 6, wherein, after service registration is completed, the client application can initiate services including trunking voice, trunking data and trunking video, and during each service the information transmitted between the client application and the railway broadband trunking communication equipment is encrypted with the encryption certificate provided by the security authentication gateway;
after the client application and the railway broadband trunking communication equipment receive the encrypted data, they decrypt it with the encryption certificate into plaintext conforming to the set protocol standard and complete the communication of each service according to the set protocol standard;
after the service flow ends, the client application displays part of the user data generated by the service on the terminal device screen, the part of the user data comprising the address book, past call records and the data service inbox, and encrypts and synchronises all user data generated by the service to the encrypted Micro SD card, the all user data comprising the address book, past call records, the data service inbox, voice recordings and video recordings.
9. The terminal security access method for a railway broadband trunking communication system according to claim 1, further comprising activating the identity of the encrypted Micro SD card in advance through a Micro SD card secure read/write device, which comprises:
inserting the encrypted Micro SD card into the SD card secure write/output module of the Micro SD card secure read/write device, and entering the user identity information of the terminal device and the IMEI information of the terminal device through the human-machine interaction module of the Micro SD card secure read/write device, wherein IMEI denotes the international mobile equipment identity;
then interacting with the security authentication gateway to encrypt the data and, after encryption is complete, writing the encrypted information to the encrypted Micro SD card through the SD card secure write/output module, which completes identity activation.
10. The terminal security access method for a railway broadband trunking communication system according to claim 9, further comprising: after the terminal device has been used, removing the encrypted Micro SD card and connecting it to the Micro SD card secure read/write device; after the data has been decrypted by interacting with the security authentication gateway, the data stored on the encrypted Micro SD card can be exported through the SD card secure write/output module or viewed directly through the human-machine interaction module of the Micro SD card secure read/write device, the stored data comprising call recordings, video recordings, received messages and call records.
CN202210675295.7A 2022-06-15 2022-06-15 A kind of railway broadband trunking communication system terminal security access method Active CN114760628B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210675295.7A CN114760628B (en) 2022-06-15 2022-06-15 A kind of railway broadband trunking communication system terminal security access method

Publications (2)

Publication Number Publication Date
CN114760628A CN114760628A (en) 2022-07-15
CN114760628B true CN114760628B (en) 2022-08-30

Family

ID=82337223

Country Status (1)

Country Link
CN (1) CN114760628B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105704092A (en) * 2014-11-25 2016-06-22 卓望数码技术(深圳)有限公司 User identity authentication method, device and system
CN110097486A (en) * 2019-04-19 2019-08-06 公安部第三研究所 A kind of movable police verification core recording system
CN110830927A (en) * 2019-11-08 2020-02-21 佳讯飞鸿(北京)智能科技研究院有限公司 Multimedia cluster communication method, device and terminal
WO2022080388A1 (en) * 2020-10-16 2022-04-21 Nec Corporation Method of ue, and ue
WO2022080371A1 (en) * 2020-10-16 2022-04-21 Nec Corporation Method of communication terminal, communication terminal, method of core network apparatus, and core network apparatus

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Issues related to MCX initial registration: MCPTT user authentication; MCC TF160 et al.; 3GPP TSG-RAN5 Meeting #87-e R5-201323; 2020-05-29; full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant