CN116112924A - Wireless communication method and secure communication system - Google Patents


Info

Publication number: CN116112924A
Authority: CN (China)
Prior art keywords: user terminal, authentication, access, biological, verification result
Legal status: Pending
Application number: CN202111325036.3A
Other languages: Chinese (zh)
Inventors: 王峰生, 何申, 粟栗, 杜海涛, 田野, 孙玲玲
Current assignee: China Mobile Communications Group Co Ltd; China Mobile Communications Ltd Research Institute
Original assignee: China Mobile Communications Group Co Ltd; China Mobile Communications Ltd Research Institute
Application filed by China Mobile Communications Group Co Ltd and China Mobile Communications Ltd Research Institute

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231 Biological data, e.g. fingerprint, voice or retina
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0433 Key management protocols


Abstract

The embodiment discloses a wireless communication method and a secure communication system, the method comprises the following steps: after receiving a first biological feature acquired by a user terminal, verifying the first biological feature according to the first biological feature and a pre-stored biological feature to obtain a first verification result; according to the first verification result, implementing access authentication of the user terminal to the network; after the access authentication is passed and when a second biological feature sent by a service server is received, verifying the second biological feature according to the second biological feature and the pre-stored biological feature to obtain a second verification result; according to the second verification result, realizing service authentication of the application in the service server; wherein the second biometric is a feature collected by the user terminal.

Description

Wireless communication method and secure communication system
Technical Field
The present disclosure relates to network information security technologies, and in particular, to a wireless communication method and a secure communication system.
Background
In the related art, authentication of service applications may be performed based on biometric information in a conventional mobile communication system. In one implementation, the biometric features are pre-stored on the service server side, and each service server compares the biometric features extracted on the user terminal side with the pre-stored ones, thereby realizing service authentication. However, in a multi-service-server scenario, different service servers generate a large number of identical biometric storage and identification-judgment requirements, which reduces the efficiency of service authentication based on biometric information in the mobile communication system.
Disclosure of Invention
The embodiment of the application provides a wireless communication method and a secure communication system, which can improve the efficiency of service authentication based on biological characteristic information in a mobile communication system.
The embodiment of the application provides a wireless communication method, which comprises the following steps:
after receiving a first biological feature acquired by a user terminal, verifying the first biological feature according to the first biological feature and a pre-stored biological feature to obtain a first verification result; according to the first verification result, implementing access authentication of the user terminal to the network;
after the access authentication is passed and when a second biological feature sent by a service server is received, verifying the second biological feature according to the second biological feature and the pre-stored biological feature to obtain a second verification result; according to the second verification result, realizing service authentication of the application in the service server; wherein the second biometric is a feature collected by the user terminal.
In some embodiments, the implementing access authentication for the user terminal to access to the network according to the first verification result includes:
sending response information indicating that the access authentication passes to the user terminal under the condition that the first verification result indicates that the first biological characteristic is matched with the pre-stored biological characteristic.
In some embodiments, the implementing service authentication for the application in the service server according to the second verification result includes:
and sending response information representing that the service authentication passes to the service server under the condition that the second verification result represents that the second biological feature is matched with the pre-stored biological feature.
In some embodiments, before the secure communication system receives the first biometric transmitted by the user terminal, the method further comprises:
establishing an encrypted wireless channel between the user terminal and the secure communication system according to a communication key obtained by negotiation with the user terminal, wherein the communication key is obtained according to the characteristics of the wireless channel between the user terminal and the secure communication system; the encrypted wireless channel is used for realizing data transmission between the user terminal and the secure communication system.
In some embodiments, the method further comprises:
receiving a key negotiation request sent by the user terminal, wherein the key negotiation request is used for requesting channel characteristic detection of a wireless channel between the user terminal and the secure communication system;
and carrying out channel characteristic detection on the wireless channel according to the key negotiation request, and obtaining the communication key according to a characteristic detection result.
In some embodiments, the performing channel feature detection on the wireless channel according to the key negotiation request includes:
performing at least one of the following channel characteristic detection operations on the wireless information channel: channel measurement, channel estimation, channel quantization coding, information reconciliation, and privacy amplification.
In some embodiments, the communication key is a physical layer key.
The embodiment of the application also provides a secure communication system, which is characterized in that the secure communication system comprises an access anchor point for realizing the access of the user terminal to the network and a verification anchor point for realizing the verification of the biological characteristics collected by the user terminal, wherein,
the access anchor point is used for sending the first biological characteristic to the verification anchor point after receiving the first biological characteristic acquired by the user terminal;
the authentication anchor point is used for authenticating the first biological characteristic according to the first biological characteristic and the pre-stored biological characteristic to obtain a first authentication result, and the first authentication result is sent to the access anchor point;
the access anchor point is further used for realizing access authentication of the user terminal to the network according to the first verification result;
the authentication anchor point is further configured to, after the access authentication is passed and when a second biological feature sent by the service server is received, authenticate the second biological feature according to the second biological feature and the pre-stored biological feature, and obtain a second authentication result; according to the second verification result, realizing service authentication of the application in the service server; wherein the second biometric is a feature collected by the user terminal.
The embodiment of the application also provides a secure communication system, which comprises a processor and a memory for storing a computer program capable of running on the processor; wherein,
the processor is configured to run the computer program to perform any of the wireless communication methods described above.
It can be seen that in the embodiment of the present application, access authentication for a user terminal to access a network and service authentication for an application in a service server may be simultaneously implemented in a secure communication system; in the scene of a plurality of service servers, because different service servers are not required to store the identical biological characteristics and carry out the identification judgment of the biological characteristics, the security communication system uniformly carries out service authentication on the application of the different service servers on the basis of realizing the access authentication of the user terminal to the network, thereby improving the efficiency of carrying out service authentication based on the biological characteristic information in the mobile communication system.
Drawings
Fig. 1 is a flow chart of service authentication for performing access authentication on a user terminal access network and for applying services in the related art;
fig. 2 is a schematic diagram of a key hierarchy of an evolved packet system (Evolved Packet System, EPS) in the related art;
fig. 3 is a schematic structural diagram of distribution and derivation of a key on each network element at a network side in the related art;
fig. 4 is a schematic structural diagram of a key derivation scheme at a user terminal side of an EPS in the related art;
fig. 5 is a schematic diagram illustrating a control plane protocol stack of an LTE radio air interface in the related art;
fig. 6 is a schematic diagram illustrating a description of a user plane protocol stack of an LTE radio air interface in the related art;
fig. 7 is a schematic diagram of an attachment procedure of an LTE system in the related art;
fig. 8 is a flowchart of a wireless communication method according to an embodiment of the present application;
fig. 9 is a schematic diagram of a partial feature detection operation performed on a wireless information channel in an embodiment of the present application;
fig. 10 is a flowchart of access authentication for a user terminal to access a network in an embodiment of the present application;
FIG. 11 is a flow chart of service authentication for an application in a service server in an embodiment of the present application;
fig. 12 is a schematic diagram of a configuration of a secure communication system according to an embodiment of the present application.
Detailed Description
Referring to fig. 1, in the related art, an access anchor point and a verification anchor point of a conventional mobile communication system are used to implement access authentication of a User Equipment (UE) to the network. After access authentication of the user terminal to the network is completed, the service server can authenticate the service application. In an actual implementation, the biological characteristics are pre-stored on the user terminal side: the service server requests the user terminal to report a biometric recognition result; this reporting request is used as a trigger instruction, upon which the application on the user terminal side extracts the biometric features, matches them against the locally pre-stored features and feeds the recognition result back to the service server; the service server then executes subsequent service operations according to the recognition result returned by the user terminal. The instructions exchanged between the service server and the user terminal are transmitted over the data pipeline of the conventional mobile communication system.
The authentication mechanism of the business application shown in fig. 1 has at least the following problems:
First, there is a risk that a biometric feature is falsified or added by attacking the user terminal, so that biometric authentication is bypassed; in addition, since the biometric identification operation is performed on the user terminal side, the subsequent service operation result of the service server can be influenced by modifying the identification result within the user terminal's system.
Second, the data pipeline of the conventional mobile communication system presents security risks. Because the service server and the user terminal still exchange their instructions over the data pipeline established by the conventional mobile communication system, that pipeline's weaknesses also affect the existing service application authentication mechanism: the encryption step is established late, encrypted application data is easy to capture and crack offline, and the conventional encryption algorithm and flow mechanism are complex in design. The security risk of the data pipeline also shapes how a service party thinks about pre-storing biometrics on the service server side: because the pipeline is insecure, the risk that biometric information is replaced in transit over the data pipeline (especially on the wireless access side) has to be considered, which is why the related art generally adopts local storage and identification judgment of biometrics on the terminal side.
Third, if the biometrics were stored on the service server side, each service application server would need to store the user's biometric information independently. Because there is no unified authentication mechanism design, a large number of identical biometric storage and identification-judgment requirements arise on the different service server sides, which reduces the efficiency of service authentication based on biometric information in the mobile communication system.
The security risk of the data pipe existing in the conventional mobile communication system is exemplarily described as follows.
Taking a long term evolution (Long Term Evolution, LTE) system as an example, the system security architecture is fully described in the third generation partnership project (3rd Generation Partnership Project, 3GPP) standard 33.401, whose core content is the authentication and key agreement (Authentication and Key Agreement, AKA) procedure, the EPS key hierarchy, and the distribution and derivation scheme of keys on the network and terminal sides.
Fig. 2 is a schematic diagram of the key hierarchy of the EPS in the related art. Referring to fig. 2, the key hierarchy of the EPS covers the universal subscriber identity module (Universal Subscriber Identity Module, USIM)/authentication center (Authentication Center, AuC), the UE/home subscriber server (Home Subscriber Server, HSS), the UE/mobility management entity (Mobility Management Entity, MME), and the UE/evolved NodeB (eNodeB, eNB).
Fig. 3 is a schematic structural diagram of the distribution and derivation of keys at each network element on the network side in the related art. Referring to fig. 3, the network elements on the network side are the HSS, the MME and the eNB.
Fig. 4 is a schematic structural diagram of the key derivation scheme on the user terminal side of the EPS in the related art. Referring to fig. 2 to fig. 4, the hierarchical key derivation mechanism of the LTE system derives ciphering and integrity keys, segment by segment, on the different network elements involved in access (HSS, MME, eNB, UE) through complex cryptographic algorithms (SNOW 3G, AES, ZUC) and interaction flows, all based on a master key K pre-stored by the terminal USIM and the network AuC. The algorithm design is complex, the flow mechanism design is complex, and master keys must be pre-stored on both sides.
The complex cryptographic algorithm may be, for example, a SNOW 3G algorithm, an advanced encryption standard (Advanced Encryption Standard, AES) algorithm, or a ZUC algorithm.
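To make the "segment by segment" derivation of fig. 2 to 4 concrete, the following added example (not code from the patent or from 3GPP) walks the EPS key chain from CK/IK down to the per-layer NAS, RRC and user-plane keys. The generic KDF, the FC values and the parameter layout are written from 3GPP TS 33.401 Annex A as I know it and should be checked against the standard before being relied on; the CK, IK, serving network id, SQN xor AK and NAS COUNT values are constructed, and the USIM/AuC step from K to CK/IK (Milenage) is deliberately left out.

```python
"""EPS key hierarchy walk-through: CK||IK -> KASME -> KeNB -> algorithm keys.
Added illustration; FC codes and parameter lengths are assumed from TS 33.401 Annex A."""
import hashlib
import hmac
from typing import Dict, List


def build_s(fc: int, params: List[bytes]) -> bytes:
    """Input string S = FC || P0 || L0 || P1 || L1 ..., each L_i the 2-byte big-endian length of P_i."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return s


def kdf(key: bytes, fc: int, params: List[bytes]) -> bytes:
    """Generic 3GPP key derivation function: HMAC-SHA-256(key, S), 256-bit output."""
    return hmac.new(key, build_s(fc, params), hashlib.sha256).digest()


def derive_kasme(ck: bytes, ik: bytes, sn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    """HSS side (and UE side): KASME from CK||IK, FC = 0x10 (assumed),
    P0 = serving network identity (3 bytes), P1 = SQN xor AK (6 bytes)."""
    return kdf(ck + ik, 0x10, [sn_id, sqn_xor_ak])


def derive_kenb(kasme: bytes, uplink_nas_count: int) -> bytes:
    """MME side (and UE side): KeNB from KASME, FC = 0x11 (assumed), P0 = uplink NAS COUNT (4 bytes)."""
    return kdf(kasme, 0x11, [uplink_nas_count.to_bytes(4, "big")])


# Algorithm type distinguishers (assumed from TS 33.401 A.7).
ALG_TYPE = {"NAS-enc": 0x01, "NAS-int": 0x02, "RRC-enc": 0x03,
            "RRC-int": 0x04, "UP-enc": 0x05, "UP-int": 0x06}


def derive_algorithm_key(parent: bytes, alg_type: str, alg_id: int) -> bytes:
    """Per-layer 128-bit key: FC = 0x15 (assumed), P0 = type distinguisher, P1 = algorithm
    identity (e.g. 1 = SNOW 3G based EEA1/EIA1); the 128 least significant bits are used."""
    return kdf(parent, 0x15, [bytes([ALG_TYPE[alg_type]]), bytes([alg_id])])[16:]


def derive_hierarchy(ck: bytes, ik: bytes, sn_id: bytes, sqn_xor_ak: bytes,
                     nas_count: int, alg_id: int = 1) -> Dict[str, bytes]:
    """Walks HSS -> MME -> eNB/UE: NAS keys hang off KASME, RRC and UP keys off KeNB."""
    kasme = derive_kasme(ck, ik, sn_id, sqn_xor_ak)
    kenb = derive_kenb(kasme, nas_count)
    keys = {"KASME": kasme, "KeNB": kenb}
    for name in ("NAS-enc", "NAS-int"):
        keys[name] = derive_algorithm_key(kasme, name, alg_id)
    for name in ("RRC-enc", "RRC-int", "UP-enc"):
        keys[name] = derive_algorithm_key(kenb, name, alg_id)
    return keys


if __name__ == "__main__":
    # Constructed inputs: CK/IK as counters, a 3-byte SN id, a 6-byte SQN xor AK, NAS COUNT 7.
    demo = derive_hierarchy(bytes(range(16)), bytes(range(16, 32)),
                            b"\x64\xf0\x10", b"\x00\x01\x02\x03\x04\x05", 7)
    for name, k in demo.items():
        print(f"{name:8s} {k.hex()}")
```

Each hop in the chain needs a fresh exchange of parameters (SN id at the HSS, NAS COUNT at the MME) and a different network element holding the parent key, which is exactly the multi-element, pre-shared-K dependency the paragraph above is objecting to.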
Fig. 5 is a schematic diagram illustrating the control plane protocol stack of the LTE radio air interface in the related art. Referring to fig. 5, in 3GPP standard 36.300, the control plane protocol stack of the UE consists of the non-access stratum (Non-Access Stratum, NAS), the radio resource control (Radio Resource Control, RRC) layer, the packet data convergence protocol (Packet Data Convergence Protocol, PDCP) layer, the radio link control (Radio Link Control, RLC) layer, the medium access control (Medium Access Control, MAC) layer, and the physical (PHY) layer; the control plane protocol stack of the eNB comprises the RRC, PDCP, RLC, MAC and PHY layers; the control plane protocol stack of the MME comprises the NAS layer.
Fig. 6 is a schematic diagram illustrating the user plane protocol stack of the LTE radio air interface in the related art. Referring to fig. 6, in 3GPP standard 36.300, the user plane protocol stack of the UE consists of the PDCP layer, the RLC layer, the MAC layer and the PHY layer; the user plane protocol stack of the eNB comprises the PDCP, RLC, MAC and PHY layers.
In the related art, the security mechanism of the LTE system to the control plane is implemented by providing ciphering and integrity protection operations for control plane signaling of the RRC layer and the NAS layer by the PDCP layer in fig. 5; the security mechanism for the user plane is implemented by providing ciphering and integrity protection operations for upper layer user plane data by the PDCP layer of fig. 6. These encryption and integrity measures are implemented at an upper layer, not based on the PHY layer.
Fig. 7 is a schematic diagram of the attach procedure of an LTE system in the related art. Referring to fig. 7, in 3GPP standard 23.401, before the ciphering step starts (step 5a), some signaling messages are transmitted unencrypted over the air interface.
As can be seen from fig. 2 to 7 above, the data pipe of the conventional mobile communication system has the following problems: 1. the encryption step is established late; 2. only application layer (signaling plane and user plane) data is encrypted, so the data is easy to capture and crack offline; 3. the encryption algorithm and flow mechanism are complex in design, the algorithm functions are realized segment by segment across several network elements, and both the terminal and the network need to pre-store a master key.
Aiming at the technical problems in the related art, the technical scheme of the embodiment of the application is provided.
The present application will be described in further detail with reference to the accompanying drawings and examples. It should be understood that the examples provided herein are for the purpose of illustrating the present application only and are not intended to limit the present application. In addition, the embodiments provided below are some of the embodiments for implementing the present application, and not all of the embodiments for implementing the present application, and the technical solutions described in the embodiments of the present application may be implemented in any combination without conflict.
The embodiment of the application provides a wireless communication method which can be applied to a secure communication system; illustratively, the secure communication system may include an access anchor point for enabling the user terminal to access the network and a verification anchor point for verifying the biometric acquired by the user terminal.
Fig. 8 is a flowchart of a wireless communication method according to an embodiment of the present application, as shown in fig. 8, the flowchart may include:
step 801: after receiving the first biological characteristics acquired by the user terminal, verifying the first biological characteristics according to the first biological characteristics and the pre-stored biological characteristics to obtain a first verification result; and according to the first verification result, realizing access authentication of the user terminal to the network.
In the embodiment of the application, the access authentication of the user terminal to the network and the service authentication of the application in the service server can be realized by adopting biometric recognition technology.
Biometric recognition technology identifies a person's identity from the inherent physiological characteristics of the human body, by closely combining computers with various sensors, biostatistical principles and other high-tech means. Biometric features are natural features, most of them congenital, and a biometric feature usable for identity authentication generally satisfies the following: first, universality, i.e. everyone must possess the feature; second, uniqueness, i.e. no two persons have identical features; third, measurability, i.e. the feature can be measured; fourth, stability, i.e. the feature does not change over a period of time.
Of course, in practical applications other practical factors must also be considered, such as recognition accuracy, recognition speed, and absence of harm to the human body.
Illustratively, the biometric features for identity authentication may include at least one of: facial features, iris features, fingerprint features, voice features, deoxyribonucleic acid (DeoxyriboNucleic Acid, DNA), etc.
In the embodiment of the application, the biological characteristics of the user can be pre-stored in the verification anchor point of the secure communication system; after receiving the first biological characteristic collected by the user terminal, the access anchor point of the secure communication system can send the first biological characteristic to the verification anchor point; the authentication anchor point can authenticate the first biological feature according to the first biological feature and the pre-stored biological feature to obtain a first authentication result, and the first authentication result is sent to the access anchor point. And the access anchor point realizes access authentication of the user terminal to the network according to the first verification result.
In some embodiments, the implementation manner of the access anchor point for implementing access authentication of the user terminal to the network according to the first verification result may include: and sending response information indicating that the access authentication passes to the user terminal under the condition that the first verification result indicates that the first biological characteristic is matched with the pre-stored biological characteristic.
In other embodiments, if the first verification result indicates that the first biometric and the pre-stored biometric do not match, the access anchor may send response information to the user terminal that the access authentication failed.
It can be seen that, according to the embodiment of the application, access authentication of the user terminal to the network can be accurately achieved according to the first verification result.
Step 802: after the access authentication is passed and when a second biological feature sent by the service server is received, verifying the second biological feature according to the second biological feature and the pre-stored biological feature to obtain a second verification result; according to the second verification result, realizing service authentication of the application in the service server; wherein the second biometric is a feature collected by the user terminal.
In the embodiment of the application, the verification anchor point can judge whether the access authentication passes or not according to the first verification result, and the access authentication is determined to pass under the condition that the first verification result indicates that the first biological characteristic is matched with the pre-stored biological characteristic; after determining that the access authentication passes and receiving a second biological feature sent by the service server, verifying the second biological feature according to the second biological feature and the pre-stored biological feature to obtain a second verification result; and according to the second verification result, realizing service authentication of the application in the service server.
In some embodiments, the implementation manner of the verification anchor point to realize service authentication of the application in the service server according to the second verification result may include: and transmitting response information indicating that the service authentication passes to the service server under the condition that the second verification result indicates that the second biological characteristic is matched with the pre-stored biological characteristic.
In other embodiments, if the second verification result indicates that the second biometric and the pre-stored biometric do not match, the verification anchor may send response information to the service server that the service authentication failed.
It can be seen that, according to the second verification result, the embodiment of the application can accurately realize service authentication of the application in the service server.
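The two-stage flow of steps 801 and 802 can be modelled end to end: the verification anchor holds the enrolled templates and does every comparison, the access anchor only relays the first verification result to the terminal, service servers hold no templates, and a second verification is refused unless access authentication for that terminal has already passed. The following is an added example for illustration, not the patent's own implementation; the 12-bit feature codes, the Hamming-distance threshold, and the user identifiers are constructed.

```python
"""Model of biometric access authentication (step 801) and service authentication
(step 802) with matching centralised in the verification anchor. Added example;
feature codes, threshold and identifiers are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


def hamming_distance(a: List[int], b: List[int]) -> int:
    """Number of differing bits between two equal-length binary feature codes."""
    if len(a) != len(b):
        raise ValueError("feature codes must have equal length")
    return sum(x != y for x, y in zip(a, b))


@dataclass
class VerificationAnchor:
    """Holds the pre-stored templates and performs all matching. It also records which
    terminals passed access authentication, because step 802 is gated on step 801."""
    templates: Dict[str, List[int]]            # user_id -> enrolled feature code
    max_distance: int = 3                      # constructed match threshold (bits)
    access_passed: Set[str] = field(default_factory=set)

    def _match(self, user_id: str, feature: List[int]) -> bool:
        stored = self.templates.get(user_id)
        return stored is not None and hamming_distance(stored, feature) <= self.max_distance

    def first_verification(self, user_id: str, feature: List[int]) -> bool:
        """First verification result; a failure also clears any earlier access state."""
        ok = self._match(user_id, feature)
        if ok:
            self.access_passed.add(user_id)
        else:
            self.access_passed.discard(user_id)
        return ok

    def second_verification(self, user_id: str, feature: List[int]) -> bool:
        """Second verification result: only computed after access authentication passed."""
        if user_id not in self.access_passed:
            return False
        return self._match(user_id, feature)


@dataclass
class AccessAnchor:
    anchor: VerificationAnchor

    def access_authentication(self, user_id: str, feature: List[int]) -> str:
        """Forwards the first biometric and returns the response sent to the user terminal."""
        return "ACCESS_PASS" if self.anchor.first_verification(user_id, feature) else "ACCESS_FAIL"


@dataclass
class ServiceServer:
    """A service server stores no templates; it forwards the second biometric
    (collected by the terminal) to the verification anchor and relays the answer."""
    anchor: VerificationAnchor

    def service_authentication(self, user_id: str, feature: List[int]) -> str:
        return "SERVICE_PASS" if self.anchor.second_verification(user_id, feature) else "SERVICE_FAIL"


ENROLLED = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1]   # constructed 12-bit feature code


def run_demo() -> Dict[str, str]:
    """One terminal, one access anchor, two service servers sharing one verification anchor."""
    anchor = VerificationAnchor(templates={"ue-001": ENROLLED})
    access = AccessAnchor(anchor)
    svc_a, svc_b = ServiceServer(anchor), ServiceServer(anchor)
    live = ENROLLED.copy()
    live[3] ^= 1                                 # one bit of sensor noise: distance 1
    impostor = [b ^ 1 for b in ENROLLED]         # every bit differs: distance 12
    results = {}
    results["service_before_access"] = svc_a.service_authentication("ue-001", live)
    results["access"] = access.access_authentication("ue-001", live)
    results["service_a"] = svc_a.service_authentication("ue-001", live)
    results["service_b"] = svc_b.service_authentication("ue-001", live)   # no second enrolment needed
    results["impostor_service"] = svc_a.service_authentication("ue-001", impostor)
    results["unknown_user"] = access.access_authentication("ue-999", live)
    results["access_impostor"] = access.access_authentication("ue-001", impostor)
    results["service_after_failed_access"] = svc_a.service_authentication("ue-001", live)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:28s} {outcome}")
```

The second service server passes with the same template the first one used, which is the multi-server efficiency point of the page; the last two results show that a failed re-authentication at the access anchor also closes service authentication, so the anchor's access state is the single place a defender needs to audit.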
In the embodiment of the application, the security problem of the biometric can be solved by moving the biometric from the user terminal to the verification anchor point of the secure communication system. First, the secure access authentication mechanism based on a pre-stored master key K in the conventional mobile communication system is replaced by a secure access authentication mechanism realized with biometrics, which greatly reduces the problems of the complex encryption algorithm and complicated flow mechanism design of the conventional system. Second, the biometric information is stored in the verification anchor point of the secure communication system, which reduces the risk of tampering with the biometric, or with the identification result, that arises when the biometric is stored in the user terminal. Third, the biometrics are stored centrally and uniformly in the verification anchor point, which greatly reduces the implementation difficulty of the service system: each service server no longer has to meet the requirements of biometric storage, identification and judgment, and only needs a communication connection to the verification anchor point of the secure communication system; illustratively, the service server and the secure communication system may communicate via a virtual private network (Virtual Private Network, VPN) or over a public line with transport layer security (Transport Layer Security, TLS) encryption enabled to protect the information from attack. Fourth, because the biometrics are stored centrally and uniformly in the verification anchor point, access authentication and service authentication can be realized in a unified way by the secure communication system.
In practical applications, steps 801 to 802 may be implemented based on a processor of the secure communication system, where the processor may be at least one of an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a digital signal processor (Digital Signal Processor, DSP), a digital signal processing device (Digital Signal Processing Device, DSPD), a programmable logic device (Programmable Logic Device, PLD), a field programmable gate array (Field Programmable Gate Array, FPGA), a central processing unit (Central Processing Unit, CPU), a controller, a microcontroller, and a microprocessor. It will be appreciated that the electronic device implementing the above-described processor function may be another one, and embodiments of the present application are not limited thereto.
It can be seen that in the embodiment of the present application, access authentication for a user terminal to access a network and service authentication for an application in a service server may be implemented together in the secure communication system; in a scenario with a plurality of service servers, since the different service servers are no longer each required to store the same biological characteristics and to perform identification and judgment of them, the secure communication system performs service authentication uniformly for the applications of the different service servers on the basis of the access authentication of the user terminal to the network, thereby improving the efficiency of service authentication based on biological characteristic information in the mobile communication system.
In some embodiments of the present application, before the secure communication system receives the first biological feature sent by the user terminal, the wireless communication method may further include:
establishing an encrypted wireless channel between the user terminal and the secure communication system according to a communication key obtained through negotiation with the user terminal, wherein the communication key is obtained according to the characteristics of the wireless channel between the user terminal and the secure communication system; the encrypted wireless channel is used for realizing data transmission between the user terminal and the secure communication system.
In the embodiment of the application, a wireless channel characteristic technology can be adopted, and an encrypted wireless channel between the user terminal and the secure communication system is established according to a communication key obtained by negotiation with the user terminal.
An exemplary description of wireless channel characterization techniques follows.
In security research on the wireless communication physical layer, the channels of the two communicating parties have good short-time reciprocity, so similar channel characteristics can be extracted from the wireless channel by both parties and a unique identification can be generated from them. This technology uses the natural randomness of the wireless channel to generate a symmetric key for the wireless communication system in real time and to uniquely identify the users of both communicating parties.
The wireless channel key technology differs from the traditional key generation mode, which relies on computationally complex mathematical algorithms: by extracting the channel characteristic information unique to the two communicating parties as the data source of the key, and by exploiting the variability of the wireless channel characteristics, the technology can change the key within a short time and even realize a one-time-pad function, so that the security is higher and the difficulty of cracking the key is increased.
In a communication system, the wireless channel has short-time reciprocity within the coherence time: the pilot signals transmitted by the two communicating parties to each other undergo the same channel fading, so the channel characteristics measured on both sides are very similar, channel state information can be extracted from them, and generating a session key from that information is highly feasible. A third-party eavesdropper listening to the pilot signals cannot extract the same channel characteristics as the legitimate receiver, because the signal it receives experiences different channel fading.
It can be seen that, in the embodiment of the application, the communication key is obtained according to the characteristics of the wireless channel between the user terminal and the secure communication system, so that an encrypted wireless channel between the user terminal and the secure communication system is established based on the communication key; since a relatively secure encrypted wireless channel can be constructed according to the time-varying characteristics of the wireless channel, the security of data transmission in the encrypted wireless channel can be enhanced.
Further, the embodiment of the application may move the establishment of the encrypted wireless channel ahead of user data transmission, that is, the user terminal and the access anchor point negotiate the key by the wireless channel feature technology in advance and establish the encrypted wireless channel in advance. The wireless channel characteristic technology ensures that the key information on the two sides of the wireless air interface is not revealed while the user terminal and the access anchor point negotiate the key, which improves the security of the wireless pipeline of the communication system; meanwhile, the dissimilarity of wireless channels (their spatial decorrelation) makes the key between each user terminal and the access anchor point unique, ensuring that each user terminal and the access anchor point share a different encrypted pipeline.
In addition, by encrypting the wireless data pipeline to transmit the biological characteristics, the risk of replacing the biological characteristics in the transmission process of the traditional mobile communication system can be reduced.
In some embodiments of the present application, the above wireless communication method may further include:
receiving a key negotiation request sent by a user terminal, wherein the key negotiation request is used for requesting channel characteristic detection of a wireless channel between the user terminal and a secure communication system;
and carrying out channel characteristic detection on the wireless channel according to the key negotiation request, and obtaining a communication key according to the characteristic detection result.
In some embodiments, an implementation of channel feature detection for a wireless channel according to a key agreement request may include: performing at least one of the following channel characteristic detection operations on the wireless information channel: channel measurement, channel estimation, channel quantization coding, information reconciliation, and privacy amplification. A portion of the feature detection operation performed on the wireless information channel is shown in fig. 9.
It can be seen that, according to the embodiment of the application, the channel characteristic detection can be performed through the wireless information channel, and the communication key is determined, so that an encrypted wireless channel with higher security is established according to the communication key, and the security of data transmission in the encrypted wireless channel is improved.
In some embodiments of the present application, the communication key may be a physical layer key.
It can be seen that, in the embodiment of the present application, the data encryption level may be sunk from the application layer to the physical layer: data may be transmitted through an encrypted wireless channel established on the basis of the physical layer key generated after measurement, estimation, quantization, reconciliation and privacy amplification of the wireless channel characteristics, so that the encryption processing that the related art performs at the application layer is carried out at the physical layer; meanwhile, based on the time-varying characteristic of the wireless channel, the key update frequency of the encrypted wireless channel can be raised, which improves the security of the transmitted data and increases the difficulty of offline cracking from captures of the wireless air interface.
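The following is an added simulation of the physical-layer key pipeline named above (channel measurement, quantization coding, information reconciliation, privacy amplification); it is constructed for illustration and is not the patent's or the applicant's implementation. The Gaussian channel model, the median-threshold quantizer with a guard band, parity-based block discarding as a stand-in for reconciliation, and SHA-256 for privacy amplification are all assumptions.

```python
"""Toy physical-layer key generation from reciprocal channel measurements.
Constructed example; channel model, guard band, block size and hash choices
are assumptions, not the patent's implementation."""
import hashlib
import hmac
import random
import statistics


def measure_channel(n_probes, noise_std, rng):
    """Channel measurement. The legitimate parties probe each other within the
    coherence time, so they see the same reciprocal fading gain plus independent
    receiver noise; an eavesdropper at another position sees a decorrelated
    channel, modelled here as independent fading."""
    gain = [rng.gauss(0.0, 1.0) for _ in range(n_probes)]
    alice = [g + rng.gauss(0.0, noise_std) for g in gain]
    bob = [g + rng.gauss(0.0, noise_std) for g in gain]
    eve = [rng.gauss(0.0, 1.0) + rng.gauss(0.0, noise_std) for _ in gain]
    return alice, bob, eve


def quantize(samples, guard):
    """Quantization coding: one bit per probe by thresholding at the median.
    Probes inside the guard band are marked for dropping, because a small noise
    difference would flip their bit on the other side. The kept-index list is
    exchanged in the clear; it reveals positions, not bit values."""
    median = statistics.median(samples)
    bits = [1 if v > median else 0 for v in samples]
    kept = [i for i, v in enumerate(samples) if abs(v - median) >= guard]
    return bits, kept


def block_parities(bits, block):
    return [sum(bits[i:i + block]) % 2 for i in range(0, len(bits), block)]


def reconcile(alice_bits, bob_bits, block):
    """Information reconciliation (simplified): Alice publishes one parity bit
    per block, Bob reports the disagreeing blocks, both discard them. Real
    systems use Cascade or LDPC codes to correct instead of discarding.
    Returns the indices of the agreed blocks; this list is public."""
    a_par = block_parities(alice_bits, block)
    b_par = block_parities(bob_bits, block)
    return [k for k, (p, q) in enumerate(zip(a_par, b_par)) if p == q]


def select_blocks(bits, blocks, block):
    out = []
    for k in blocks:
        out.extend(bits[k * block:(k + 1) * block])
    return out


def privacy_amplify(bits):
    """Privacy amplification: hash the agreed bits so the parity bits leaked
    during reconciliation and any correlated knowledge of the eavesdropper do
    not carry into the final key. SHA-256 stands in for a universal hash with
    explicit entropy accounting."""
    raw = "".join(str(b) for b in bits).encode("ascii")
    return hashlib.sha256(raw).digest()


def confirm_tag(key):
    """Key confirmation: each side publishes an HMAC over a fixed label; if the
    tags differ the key is discarded and negotiation starts again."""
    return hmac.new(key, b"channel-key-confirm", hashlib.sha256).hexdigest()


def run_negotiation(n_probes=256, noise_std=0.05, guard=0.3, block=8, seed=7):
    """One negotiation. Returns all three parties' keys so that reciprocity
    (Alice == Bob) and decorrelation (Eve differs) can be checked. Eve applies
    every public message (kept indices, agreed blocks) to her own measurements."""
    rng = random.Random(seed)
    alice, bob, eve = measure_channel(n_probes, noise_std, rng)
    a_bits, a_keep = quantize(alice, guard)
    b_bits, b_keep = quantize(bob, guard)
    e_bits, _ = quantize(eve, guard)
    public_idx = sorted(set(a_keep) & set(b_keep))
    a_sel = [a_bits[i] for i in public_idx]
    b_sel = [b_bits[i] for i in public_idx]
    e_sel = [e_bits[i] for i in public_idx]
    agreed = reconcile(a_sel, b_sel, block)
    a_final = select_blocks(a_sel, agreed, block)
    a_key = privacy_amplify(a_final)
    b_key = privacy_amplify(select_blocks(b_sel, agreed, block))
    e_key = privacy_amplify(select_blocks(e_sel, agreed, block))
    return {
        "alice_key": a_key,
        "bob_key": b_key,
        "eve_key": e_key,
        "agreed_bits": len(a_final),
        "dropped_blocks": len(block_parities(a_sel, block)) - len(agreed),
        "confirmed": hmac.compare_digest(confirm_tag(a_key), confirm_tag(b_key)),
    }


if __name__ == "__main__":
    r = run_negotiation()
    print("confirmed:", r["confirmed"], "agreed bits:", r["agreed_bits"])
    print("eavesdropper key matches:", r["eve_key"] == r["alice_key"])
```

Raising `noise_std` toward the guard width shows the trade-off the text alludes to: more blocks are dropped during reconciliation, and with a guard band that is too narrow the key confirmation fails and the negotiation must be repeated.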
The following describes, with reference to the accompanying drawings, a flow of access authentication for a user terminal to access to a network and a flow of service authentication for an application in a service server in the embodiments of the present application.
Referring to fig. 10, the user terminal (UE) is responsible for triggering an access-stratum wireless channel key negotiation request; after performing channel measurement, channel estimation, quantization coding, information reconciliation and privacy amplification together with the access anchor point, it generates the negotiated communication key and protects the information exchanged over the wireless signal with encryption.
After the user terminal has successfully negotiated the key with the access anchor point, the user terminal reports the first biological characteristic collected by the terminal to the access anchor point, which sends a verification request to the verification anchor point; the verification anchor point holds the various relevant biological characteristics unique to the user, recorded when the user opened the account, and verifies, processes and replies to the first biological characteristic information sent by the access anchor point according to these pre-stored biological characteristics; when the access anchor point receives the reply of the verification anchor point (namely the first verification result) and determines that the first biological characteristic matches the pre-stored biological characteristic, it establishes an association between the user terminal and the encrypted wireless channel and sends response information indicating that the access authentication has passed to the user terminal. Thereafter, the user terminal may proceed with subsequent services.
Referring to fig. 11, after access authentication of the user terminal to the access network has been achieved, an encrypted wireless channel based on the wireless channel characteristics is available. The service server where the application is located is triggered to require the user terminal to report a biological characteristic; the user terminal side collects and extracts a second biological characteristic and uploads it to the service server through the encrypted wireless channel; the service server sends the obtained second biological characteristic to the verification anchor point for identification and judgment; the verification anchor point returns the second verification result of that judgment to the service server; and the service server executes the corresponding service operation when it confirms from the second verification result that the service authentication has passed.
In summary, the embodiment of the application provides a communication method based on a secure communication system, which can uniformly realize access authentication for a user terminal to access a network and service authentication for application in a service server; the embodiment of the application improves the existing mobile communication system and service application system based on the wireless channel characteristic technology and the biological characteristic technology, and realizes safer and more reliable unified authentication; in practical implementation, the embodiment of the application establishes an encrypted wireless channel in advance by utilizing a negotiation key generated by the physical layer characteristics of the wireless channel, and after the encrypted wireless channel is established, the user terminal transmits the collected biological characteristics indicating the user identity to the service server through the encrypted wireless channel, and the service server requests the result after verifying the user identity from the secure communication system, so that subsequent service processing is performed.
The technical scheme of the embodiment of the application has at least the following effects:
firstly, the establishment of the encrypted wireless channel is moved earlier by exploiting the dissimilarity of wireless channels, which removes the risk of information leaking through plaintext interaction before the encrypted wireless channel is established; the key update frequency of the encrypted wireless channel is raised by exploiting the time-varying characteristic of the wireless channel, and the data encryption level is sunk from the application layer to the physical layer, which increases the difficulty of offline cracking from captures of the wireless air interface; identity authentication and identification use the comprehensive element information of the user's biological characteristics such as iris, fingerprint, voiceprint and face, so the user terminal side needs no mechanism comparable to pre-stored master key information: the user carries the biological characteristics, and only one copy of them is kept at the verification anchor point when the account is opened; this solves the problems of the complex encryption algorithms and complicated flow mechanisms that the network elements involved in access authentication must implement in the related technology.
And secondly, the unified authentication scheme constructed from the wireless channel key technology and the secure communication system that pre-stores the biological characteristics can solve the problems that, on the user terminal side, the biological characteristics and the identification result are easy to tamper with, and that the biological characteristics transmitted over the traditional mobile communication system are easy to replace.
Thirdly, through the constructed centralized unified authentication scheme, the biological feature storage and identification judgment that would otherwise have to be realized in each business service system can be concentrated in the secure communication system, so that the implementation difficulty of the business systems is greatly reduced; rapid, secure and unified authentication at the application level based on biological characteristic information can also be realized centrally and efficiently.
The embodiment of the application can be applied to various business application scenes, for example, can be applied to banking business application scenes.
Taking a banking business application as an example: in the traditional mobile communication system, the identification and judgment of a biological characteristic (such as a fingerprint) for the banking application is based on the biological characteristic collected and stored locally by the user terminal; the judgment is made locally, the judgment result is returned to the business server, and the business server executes subsequent business operations such as transfer and payment according to that result. Because the user terminal side stores and judges the biological characteristic information in the traditional mobile communication system, if the operating system of the user terminal has a security vulnerability, biological characteristics can be replaced or new ones added, so that the biometric check is bypassed locally on the user terminal side and business operations are executed fraudulently, which is a serious security risk. By adopting the technical scheme of the embodiment of the application, the authentication biological characteristics required by the business application and those required by access authentication can be fused, so that a unified authentication operation is realized. The biological characteristics required by both authentications are stored uniformly in the verification anchor point of the mobile communication system; the authentication required for network access can be completed within the mobile communication system, and the authentication operation required by the business application can be realized through an interface opened between the business server and the secure communication system.
Based on the wireless communication method provided in the foregoing embodiment, the embodiment of the present application further provides a secure communication system; fig. 12 is a schematic structural diagram of a secure communication system according to an embodiment of the present application, as shown in fig. 12, the secure communication system 120 may include an access anchor 1201 for implementing a user terminal access network and a verification anchor 1202 for implementing verification of a biometric collected by the user terminal, where,
the access anchor 1201 is configured to send a first biological feature acquired by a user terminal to the verification anchor after receiving the first biological feature;
the verification anchor 1202 is configured to verify the first biological feature according to the first biological feature and a pre-stored biological feature, obtain a first verification result, and send the first verification result to the access anchor;
the access anchor 1201 is further configured to implement access authentication for the user terminal to access a network according to the first verification result;
the verification anchor 1202 is further configured to verify the second biological feature according to the second biological feature and the pre-stored biological feature after the access authentication is passed and when the second biological feature sent by the service server is received, so as to obtain a second verification result; according to the second verification result, realizing service authentication of the application in the service server; wherein the second biometric is a feature collected by the user terminal.
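The following added model exercises the flows of fig. 10 and fig. 11 with the three roles defined above (access anchor 1201, verification anchor 1202, service server); it is a constructed illustration, not the patent's or the applicant's code. The feature representation (256-bit vectors), the Hamming-distance matching rule, the 20% threshold and all identifiers are assumptions; the point it demonstrates is that the template never leaves the verification anchor and that service authentication is refused until access authentication has passed.

```python
"""Toy two-stage biometric authentication: access anchor, verification anchor
and service server. Constructed example; feature vectors, matching rule and
names are assumptions, not the patent's implementation."""
import random

MATCH_THRESHOLD = 0.20   # max fraction of differing bits still accepted (assumed)
FEATURE_BYTES = 32       # 256-bit feature vector, iris-code style (assumed)


def hamming_fraction(a, b):
    """Fraction of differing bits between two equal-length feature vectors."""
    if len(a) != len(b):
        return 1.0
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) / (8 * len(a))


class VerificationAnchor:
    """Holds the biological characteristics enrolled at account opening and
    performs every identification judgment; the terminal keeps no template."""

    def __init__(self):
        self._templates = {}       # user_id -> enrolled feature vector
        self._access_passed = set()

    def enroll(self, user_id, template):
        self._templates[user_id] = bytes(template)

    def _match(self, user_id, feature):
        template = self._templates.get(user_id)
        return template is not None and hamming_fraction(template, feature) <= MATCH_THRESHOLD

    def verify_first(self, user_id, first_feature):
        """First verification result, requested by the access anchor."""
        ok = self._match(user_id, first_feature)
        if ok:
            self._access_passed.add(user_id)
        return ok

    def verify_second(self, user_id, second_feature):
        """Second verification result, requested by a service server; only
        available after access authentication has passed."""
        if user_id not in self._access_passed:
            return False
        return self._match(user_id, second_feature)


class AccessAnchor:
    """Binds the encrypted wireless channel to the user terminal once the
    first verification result is positive."""

    def __init__(self, verifier):
        self._verifier = verifier
        self.channel_of = {}       # user_id -> encrypted channel identifier

    def access_request(self, user_id, channel_id, first_feature):
        if self._verifier.verify_first(user_id, first_feature):
            self.channel_of[user_id] = channel_id
            return "ACCESS_AUTH_PASS"
        return "ACCESS_AUTH_FAIL"


class ServiceServer:
    """Bank-style application server: forwards the second feature to the
    verification anchor and executes the operation only on a positive result."""

    def __init__(self, verifier):
        self._verifier = verifier

    def request_operation(self, user_id, second_feature, operation):
        if self._verifier.verify_second(user_id, second_feature):
            return "SERVICE_AUTH_PASS:" + operation
        return "SERVICE_AUTH_FAIL:" + operation


def random_feature(rng):
    return bytes(rng.getrandbits(8) for _ in range(FEATURE_BYTES))


def flip_bits(vector, n_flips, rng):
    """Constructed sensor noise: flip n_flips distinct bits of a feature vector."""
    out = bytearray(vector)
    for pos in rng.sample(range(8 * len(out)), n_flips):
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)


def demo(seed=11):
    """Run the fig. 10 and fig. 11 flows on constructed features."""
    rng = random.Random(seed)
    verifier = VerificationAnchor()
    access = AccessAnchor(verifier)
    bank = ServiceServer(verifier)

    enrolled = random_feature(rng)
    verifier.enroll("user-A", enrolled)
    live_1 = flip_bits(enrolled, 12, rng)   # genuine sample with sensor noise
    live_2 = flip_bits(enrolled, 20, rng)   # second genuine sample
    impostor = random_feature(rng)          # someone else's feature

    results = {}
    results["early_service"] = bank.request_operation("user-A", live_2, "transfer")
    results["impostor_access"] = access.access_request("user-A", "ch-1", impostor)
    results["access"] = access.access_request("user-A", "ch-1", live_1)
    results["service"] = bank.request_operation("user-A", live_2, "transfer")
    results["impostor_service"] = bank.request_operation("user-A", impostor, "transfer")
    return results
```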
In some embodiments, the access anchor 1201 is configured to implement access authentication for the user terminal to access a network according to the first verification result, and includes:
and sending response information indicating that the access authentication passes to the user terminal under the condition that the first verification result indicates that the first biological characteristic is matched with the pre-stored biological characteristic.
In some embodiments, the authentication anchor 1202 is configured to implement service authentication for an application in the service server according to the second authentication result, including:
and sending response information representing that the service authentication passes to the service server under the condition that the second verification result represents that the second biological feature is matched with the pre-stored biological feature.
In some embodiments, the access anchor 1201 is further configured to, before receiving the first biological feature sent by the user terminal, establish an encrypted wireless channel between the user terminal and the secure communication system according to a communication key negotiated with the user terminal, where the communication key is derived according to a feature of a wireless channel between the user terminal and the secure communication system; the encrypted wireless channel is used for realizing data transmission between the user terminal and the secure communication system.
In some embodiments, the access anchor 1201 is further configured to receive a key negotiation request sent by the user terminal, where the key negotiation request is used to request channel feature detection of a wireless channel between the user terminal and the secure communication system;
and carrying out channel characteristic detection on the wireless channel according to the key negotiation request, and obtaining the communication key according to a characteristic detection result.
In some embodiments, the access anchor 1201 is configured to perform channel feature detection on the wireless channel according to the key negotiation request, and includes:
performing at least one of the following channel characteristic detection operations on the wireless information channel: channel measurement, channel estimation, channel quantization coding, information reconciliation, and privacy amplification.
In some embodiments, the communication key is a physical layer key.
It should be noted that the description of the above device embodiments is similar to the description of the method embodiments described above, with similar advantageous effects as the method embodiments. For technical details not disclosed in the device embodiments of the present application, please refer to the description of the method embodiments of the present application for understanding.
It should be noted that, in the embodiment of the present application, if the method is implemented in the form of a software functional module, and sold or used as a separate product, the method may also be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the embodiments of the present application may be essentially or portions contributing to the prior art may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a terminal, a server, etc.) to execute all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read Only Memory (ROM), a magnetic disk, an optical disk, or other various media capable of storing program codes. Thus, embodiments of the present application are not limited to any specific combination of hardware and software.
Accordingly, embodiments of the present application further provide a computer storage medium having stored thereon computer-executable instructions for implementing any of the wireless communication methods provided in the above embodiments.
It should be noted here that: the description of the storage medium and apparatus embodiments above is similar to that of the method embodiments described above, with similar benefits as the method embodiments. For technical details not disclosed in the embodiments of the storage medium and the apparatus of the present application, please refer to the description of the method embodiments of the present application for understanding.
It should be appreciated that reference throughout this specification to "some embodiments" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Thus, the appearances of the phrase "in some embodiments" in various places throughout this specification are not necessarily referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. It should be understood that, in various embodiments of the present application, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present application. The foregoing embodiment numbers of the present application are merely for describing, and do not represent advantages or disadvantages of the embodiments.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above described device embodiments are only illustrative, e.g. the division of the units is only one logical function division, and there may be other divisions in practice, such as: multiple units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. In addition, the various components shown or discussed may be coupled or directly coupled or communicatively coupled to each other via some interface, whether indirectly coupled or communicatively coupled to devices or units, whether electrically, mechanically, or otherwise.
The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units; can be located in one place or distributed to a plurality of network units; some or all of the units may be selected according to actual needs to achieve the purposes of the embodiments of the present application.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may be separately used as one unit, or two or more units may be integrated in one unit; the integrated units may be implemented in hardware or in hardware plus software functional units.
Alternatively, the integrated units described above may be stored in a computer readable storage medium if implemented in the form of software functional modules and sold or used as a stand-alone product. Based on such understanding, the technical solutions of the embodiments of the present application may be essentially or partly contributing to the related art, embodied in the form of a software product stored in a storage medium, including several instructions for causing an apparatus automatic test line to perform all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a removable storage device, a ROM, a magnetic disk, or an optical disk.
The methods disclosed in the several method embodiments provided in the present application may be arbitrarily combined without collision to obtain a new method embodiment.
The features disclosed in the several method or apparatus embodiments provided in the present application may be arbitrarily combined without conflict to obtain new method embodiments or apparatus embodiments.
The foregoing is merely an embodiment of the present application, but the protection scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered in the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (11)

1. A method of wireless communication for use in a secure communication system, the method comprising:
after receiving a first biological feature acquired by a user terminal, verifying the first biological feature according to the first biological feature and a pre-stored biological feature to obtain a first verification result; according to the first verification result, implementing access authentication of the user terminal to the network;
after the access authentication is passed and when a second biological feature sent by a service server is received, verifying the second biological feature according to the second biological feature and the pre-stored biological feature to obtain a second verification result; according to the second verification result, realizing service authentication of the application in the service server; wherein the second biometric is a feature collected by the user terminal.
2. The method according to claim 1, wherein said implementing access authentication for the user terminal to access the network according to the first verification result comprises:
and sending response information indicating that the access authentication passes to the user terminal under the condition that the first verification result indicates that the first biological characteristic is matched with the pre-stored biological characteristic.
3. The method according to claim 1, wherein said implementing service authentication for the application in the service server according to the second verification result includes:
and sending response information representing that the service authentication passes to the service server under the condition that the second verification result represents that the second biological feature is matched with the pre-stored biological feature.
4. A method according to any of claims 1 to 3, wherein before the secure communication system receives the first biometric transmitted by the user terminal, the method further comprises:
establishing an encrypted wireless channel between the user terminal and the secure communication system according to a communication key obtained by negotiation with the user terminal, wherein the communication key is obtained according to the characteristics of the wireless channel between the user terminal and the secure communication system; the encrypted wireless channel is used for realizing data transmission between the user terminal and the secure communication system.
5. The method according to claim 4, wherein the method further comprises:
receiving a key negotiation request sent by the user terminal, wherein the key negotiation request is used for requesting channel characteristic detection of a wireless channel between the user terminal and the secure communication system;
and carrying out channel characteristic detection on the wireless channel according to the key negotiation request, and obtaining the communication key according to a characteristic detection result.
6. The method of claim 5, wherein said performing channel feature detection on said wireless channel in accordance with said key agreement request comprises:
performing at least one of the following channel characteristic detection operations on the wireless information channel: channel measurement, channel estimation, channel quantization coding, information reconciliation, and privacy amplification.
7. The method of claim 4, wherein the communication key is a physical layer key.
8. A secure communication system comprising an access anchor for enabling a user terminal to access a network and a verification anchor for enabling verification of a biometric acquired by the user terminal, wherein,
the access anchor point is used for sending the first biological characteristic to the verification anchor point after receiving the first biological characteristic acquired by the user terminal;
the authentication anchor point is used for authenticating the first biological characteristic according to the first biological characteristic and the pre-stored biological characteristic to obtain a first authentication result, and the first authentication result is sent to the access anchor point;
the access anchor point is further used for realizing access authentication of the user terminal to the network according to the first verification result;
the authentication anchor point is further configured to, after the access authentication is passed and when a second biological feature sent by the service server is received, authenticate the second biological feature according to the second biological feature and the pre-stored biological feature, and obtain a second authentication result; according to the second verification result, realizing service authentication of the application in the service server; wherein the second biometric is a feature collected by the user terminal.
9. The system of claim 8, wherein the access anchor implementing access authentication of the user terminal to the network according to the first verification result comprises:
sending response information indicating that the access authentication has passed to the user terminal when the first verification result indicates that the first biometric matches the pre-stored biometric.
10. The system of claim 8, wherein the verification anchor implementing service authentication of the application in the service server according to the second verification result comprises:
sending response information indicating that the service authentication has passed to the service server when the second verification result indicates that the second biometric matches the pre-stored biometric.
11. A secure communication system comprising a processor and a memory for storing a computer program capable of running on the processor; wherein
the processor is configured to run the computer program to perform the method of any one of claims 1 to 7.
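An added Python model of the two-stage flow in claims 8 to 10 (access authentication via the access anchor, then service authentication via the service server, both decided by the verification anchor that alone holds the pre-stored biometric); example code, not from the patent. The 16-bit feature codes, the Hamming-distance matcher and the threshold are constructed assumptions.

```python
# Constructed 16-bit feature codes standing in for a biometric template
# (sample data, not from the patent). Matching tolerates a few differing bits.
ENROLLED = {"user-1": 0b1011_0110_1100_0011}
MATCH_THRESHOLD = 3  # maximum Hamming distance still treated as the same person


def hamming(a, b):
    """Number of differing bits between two feature codes."""
    return bin(a ^ b).count("1")


class VerificationAnchor:
    """The only component holding pre-stored biometrics; it performs the first
    (access) verification and, only afterwards, the second (service) one."""
    def __init__(self, templates):
        self.templates = templates
        self.access_passed = set()  # users whose access authentication passed

    def _matches(self, user_id, feature):
        stored = self.templates.get(user_id)
        return stored is not None and hamming(stored, feature) <= MATCH_THRESHOLD

    def verify_first(self, user_id, feature):
        matched = self._matches(user_id, feature)
        if matched:
            self.access_passed.add(user_id)
        return matched  # first verification result, returned to the access anchor

    def verify_second(self, user_id, feature):
        # Service authentication is refused unless access authentication passed.
        if user_id not in self.access_passed:
            return False
        return self._matches(user_id, feature)  # second verification result


class AccessAnchor:
    """Relays the first biometric; stores no template, only forwards the result."""
    def __init__(self, verifier):
        self.verifier = verifier

    def access_auth(self, user_id, first_feature):
        passed = self.verifier.verify_first(user_id, first_feature)
        return "access-passed" if passed else "access-denied"


class ServiceServer:
    """Sends the terminal-collected second biometric to the verification anchor."""
    def __init__(self, verifier):
        self.verifier = verifier

    def service_auth(self, user_id, second_feature):
        passed = self.verifier.verify_second(user_id, second_feature)
        return "service-passed" if passed else "service-denied"
```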

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111325036.3A CN116112924A (en) 2021-11-10 2021-11-10 Wireless communication method and secure communication system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111325036.3A CN116112924A (en) 2021-11-10 2021-11-10 Wireless communication method and secure communication system

Publications (1)

Publication Number Publication Date
CN116112924A true CN116112924A (en) 2023-05-12

Family

ID=86256622

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111325036.3A Pending CN116112924A (en) 2021-11-10 2021-11-10 Wireless communication method and secure communication system

Country Status (1)

Country Link
CN (1) CN116112924A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination