CN116545686A - UAF-based SDF identity authentication method - Google Patents

Info

Publication number: CN116545686A
Application number: CN202310486908.7A
Authority: CN (China)
Prior art keywords: host, authentication, uaf, network security, security architecture
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 李欣, 李元正
Current assignee: Beijing Guotai Netcom Technology Co ltd; Chengdu Guotai Wangxin Technology Co ltd
Original assignee: Beijing Guotai Netcom Technology Co ltd; Chengdu Guotai Wangxin Technology Co ltd
Application filed by Beijing Guotai Netcom Technology Co ltd and Chengdu Guotai Wangxin Technology Co ltd
Priority to CN202310486908.7A
Publication of CN116545686A

Classifications (CPC)

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04L63/1458 Countermeasures against malicious traffic: Denial of Service
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general


Abstract

The invention relates to the technical field of identity verification, in particular to an SDF identity authentication method based on UAF, in which a network security architecture controller authenticates and authorizes a user. The method comprises the following steps: the receiving host and the starting host each establish a bidirectional TLS tunnel to the network security architecture controller and authenticate with it; after the starting host passes authentication, the network security architecture controller generates the list of receiving hosts the starting host may access, and each receiving host is notified to accept the communication and generates the policy required for encrypted communication; the network security architecture controller sends the host list and the required policy to the starting host, the starting host initiates single-packet authentication to each receiving host it is allowed to connect to, and the starting host then communicates with that receiving host through a bidirectional TLS tunnel.

Description

UAF-based SDF identity authentication method
Technical Field
The invention relates to the technical field of identity verification, in particular to an SDF identity authentication method based on UAF.
Background
Existing network security architectures grant excessive rights to intranet users; once an attacker has penetrated the intranet, further attacks are difficult to prevent. To address the serious challenges facing network security today, the Cloud Security Alliance combined the 'zero trust' security concept with an open security architecture, SDP. The SDP architecture consists of three main components: the SDP controller, the initiating host (IH) and the accepting host (AH). SDP separates the control channel from the data channel: the SDP controller sits on the control plane and authenticates and authorizes the IH host that initiates a request, while the AH host and the IH host sit on the data plane and perform authentication and authorization according to the policy of the SDP controller. If authorization or authentication by the SDP controller fails, the AH host acting as the gateway cannot be reached and no service can be obtained.
When the IH host wants to establish a verified TLS tunnel through SDP, it first uses OTP1, negotiated in advance with the SDP controller, to generate an SPA key that is used for the subsequent TLS communication, and then encrypts the SPA data packet with OTP1. After the IH host passes verification by the SDP controller, it generates a new SPA key from OTP2, negotiated in advance with the AH host, encrypts an SPA data packet with OTP2, sends it to the AH host and establishes a bidirectional TLS tunnel with the AH host. Since an AH host usually exists as the gateway to a set of services, the IH host has access to those services once the TLS tunnel with the AH host is established. The AH itself is protected by the SDP controller: by default the AH rejects all connections except those from the SDP controller, and only after the SDP controller grants access will the AH accept the connection from the IH.
However, because the OTP that SDP uses to generate the SPA key and to encrypt the SPA packet is negotiated in advance, it is stored locally in plaintext. An attacker who has compromised the IH host of a user, for example by tricking the user into downloading a Trojan horse, can therefore read the plaintext OTP, and an attacker can also obtain the OTP by brute-force cracking. When the user then sends an SPA data packet to the SDP controller or an AH host through the IH host, the attacker can intercept the packet and decrypt it with the OTP, obtaining the key data in the SPA packet; the data exchanged between the AH host and the IH host can then be stolen, and sensitive information may even be manipulated maliciously.
Disclosure of Invention
The invention aims to provide an SDF identity authentication method based on UAF, to solve the problem that one-time-password authentication in existing network security architectures is vulnerable to the password being stolen.
In order to achieve the above purpose, the present invention provides an SDF identity authentication method based on UAF, comprising the steps of:
the network security architecture controller authenticates and authorizes the user;
the receiving host and the starting host each establish a bidirectional TLS tunnel to the network security architecture controller and authenticate with it;
after the starting host passes authentication, the network security architecture controller generates the list of receiving hosts the starting host may access, and the receiving host is notified to accept the communication and generates the policy required for encrypted communication;
the network security architecture controller sends the host list and the required policy to the starting host, the starting host initiates single-packet authentication to each receiving host it is allowed to connect to, and the starting host then communicates with the receiving host through the bidirectional TLS tunnel.
The specific way in which the receiving host and the starting host establish bidirectional TLS tunnels to the network security architecture controller and authenticate with it is as follows:
the receiving host is activated and brought online, and establishes a bidirectional TLS tunnel to the network security architecture controller for authentication;
the starting host is activated and brought online, and establishes a bidirectional TLS tunnel to the network security architecture controller for authentication.
The specific way in which, after the starting host passes authentication, the network security architecture controller generates the list of accessible receiving hosts and the receiving host accepts the communication and generates the policy required for encrypted communication is as follows:
after the starting host passes authentication, the network security architecture controller generates the list of receiving hosts that the starting host may access;
the network security architecture controller notifies the receiving host to accept the communication from the starting host and generates the policy required to encrypt that communication.
The specific way in which the network security architecture controller sends the host list and the required policy to the starting host, the starting host initiates single-packet authentication to the connected receiving host, and the starting host communicates with the receiving host through the bidirectional TLS tunnel is as follows:
the network security architecture controller sends the host list and the required policy to the starting host;
the starting host initiates single-packet authentication to each receiving host it is allowed to connect to, and then communicates with that receiving host through the bidirectional TLS tunnel.
The network security architecture comprises a resource server, an accepting host, a starting host and a network security architecture controller, wherein the network security architecture controller is respectively connected with the accepting host and the starting host through control channels, the accepting host and the starting host are connected through data channels, and the resource server is connected with the accepting host through data channels.
The network security architecture controller comprises an SDP control module and an authentication service module.
The starting host comprises an SDP client, a UAF authenticator, a UAF client and a user agent.
The receiving host is an SDP gateway.
The functions of the network security architecture controller include: when the SDP client requests registration, the authentication service module sends a deployment policy to the UAF authenticator of the SDP client; the authentication service module verifies the authentication certificate sent by the UAF authenticator and, if the UAF authenticator passes verification, stores the user public key sent by the UAF authenticator, which is later used for challenge authentication; when the UAF authenticator has been successfully registered and associated with the user account of the authentication service module, the authentication service module provides the UAF authenticator with a unique security identification code specific to the authentication service module and that UAF authenticator; when the SDP client requests authentication, the authentication service module generates a random number with a random function as the challenge and sends the challenge, together with a deployment policy and an authentication request, to the UAF authenticator; it then verifies whether the response code returned by the SDP client is correct.
The functions of the UAF authenticator include: performing UAF biometric authentication of the user to verify the user's identity; generating a public-private key pair for the challenge response; accepting verification by the network security architecture controller through the challenge-response mechanism; and decrypting the symmetric key used to establish the bidirectional TLS tunnel between the SDP client and the SDP controller.
According to the UAF-based SDF identity authentication method, the user is authenticated and authorized by the network security architecture controller; the receiving host (AH) and the starting host (IH) each establish a bidirectional TLS tunnel to the network security architecture controller and authenticate with it; after the starting host passes authentication, the network security architecture controller generates the list of accessible hosts, and the receiving host accepts the communication and generates the policy required for encrypted communication; the network security architecture controller sends the host list and the required policy to the starting host, the starting host initiates single-packet authentication to the connected receiving host, and the starting host communicates with the receiving host through the bidirectional TLS tunnel.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings required for the embodiments or for the description of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention, and a person skilled in the art could obtain other drawings from them without inventive effort.
Fig. 1 is a flowchart of the UAF-based SDF identity authentication method provided by the present invention.
Fig. 2 is a flowchart of the specific way in which the accepting host and the initiating host establish bidirectional TLS tunnels to authenticate with the network security architecture controller.
Fig. 3 is a flowchart of the specific way in which, after the initiating host passes authentication, the network security architecture controller generates the list of accessible recipient hosts and the recipient host accepts the communication and generates the policy required to encrypt it.
Fig. 4 is a flowchart of the specific way in which the network security architecture controller sends the host list and the required policy to the initiator, the initiator initiates single-packet authentication to the connected receiver, and the initiator communicates with the receiver through the bidirectional TLS tunnel.
Fig. 5 is a connection schematic of the network security architecture.
Fig. 6 is a user authentication flowchart of an embodiment of the present invention.
Detailed Description
Embodiments of the present invention are described in detail below, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to like or similar elements or elements having like or similar functions throughout. The embodiments described below by referring to the drawings are illustrative and intended to explain the present invention and should not be construed as limiting the invention.
Referring to Figs. 1 to 5, the present invention provides an SDF identity authentication method based on UAF, comprising the following steps:
S1, the network security architecture controller authenticates and authorizes the user;
specifically, the SDP controller is activated and goes online, and authenticates and authorizes the user (device/application).
S2, the receiving host and the starting host each establish a bidirectional TLS tunnel to the network security architecture controller and authenticate with it;
the specific way is as follows:
S21, the receiving host is activated and brought online, and establishes a bidirectional TLS tunnel to the network security architecture controller for authentication;
specifically, the AH is activated and brought online, then connects to the SDP controller by establishing a bidirectional TLS tunnel and is authenticated. At this stage the AH does not respond to any other host or to any non-preconfigured request.
S22, the starting host is activated and brought online, and establishes a bidirectional TLS tunnel to the network security architecture controller for authentication.
Specifically, the IH is activated and goes online, then likewise establishes a bidirectional TLS tunnel to the SDP controller and is authenticated.
S3, after the starting host passes authentication, the network security architecture controller generates the list of accessible receiving hosts, and the receiving host accepts the communication and generates the policy required for encrypted communication;
the specific way is as follows:
S31, after the starting host passes authentication, the network security architecture controller generates the list of receiving hosts that the starting host may access;
specifically, after the IH passes verification, the SDP controller generates the list of AHs that the IH can access.
S32, the network security architecture controller notifies the receiving host to accept the communication from the starting host and generates the policy required to encrypt that communication.
Specifically, the SDP controller notifies the AH to accept communications from the IH and generates for it the policies needed to encrypt the communication.
S4, the network security architecture controller sends the host list and the required policy to the starting host, the starting host initiates single-packet authentication to the connected receiving host, and the starting host communicates with the receiving host through the bidirectional TLS tunnel.
The specific way is as follows:
S41, the network security architecture controller sends the host list and the required policy to the starting host;
specifically, the SDP controller sends the AH list and the encryption policy to the IH.
S42, the starting host initiates single-packet authentication to each receiving host it is allowed to connect to, and then communicates with those receiving hosts through the bidirectional TLS tunnel.
Specifically, the IH initiates single-packet authentication to each AH it is allowed to connect to, and then communicates with those AHs by establishing the bidirectional TLS tunnel.
The network security architecture comprises a resource server, an accepting host, a starting host and a network security architecture controller, wherein the network security architecture controller is respectively connected with the accepting host and the starting host through control channels, the accepting host and the starting host are connected through data channels, the resource server is connected with the accepting host through data channels, the network security architecture controller comprises an SDP control module and an authentication service module, the starting host comprises an SDP client, a UAF authenticator, a UAF client and a user agent, and the accepting host is an SDP gateway.
In this embodiment, the SDP identity authentication based on UAF is provided for the SDP client terminal by the cooperation of the authentication service module and the SDP control module of the SDP controller with the UAF authenticator. Before the identity authentication is completed, the SDP gateway is completely hidden and cannot be detected and scanned, so that the safety of network communication is greatly improved.
The symbols and function interfaces involved in the UAF-based SDP identity authentication framework are described below.
The network security architecture controller functions as follows:
1. The user uses the IH to register the UAF authenticator through the user agent (application or browser) and initiates registration, where Initiate Registration is the registration-initiation identifier.
2. The authentication service module (relying party) of the SDP controller discovers the UAF authenticator on the IH (user equipment) and sends Registration Request || Policy || AppID to the UAF client to validate the policy and deployment, where Registration Request is the registration request identifier of the authentication service module.
3. Through the IH, the user selects a biometric authentication service supported by the UAF authenticator according to the verification method specified by the matching service.
4. The UAF authenticator generates a random number k (k < n, where n is the order of the elliptic curve) through random() as the private key ska, and derives the public key pka = ska·G; this key pair is specific to the IH, the SDP control module (relying party) of the SDP controller and the user account.
5. The UAF authenticator keeps the private key and sends the authentication assertion (AAID || pka || time1) to the authentication service module (relying party).
6. The authentication service module verifies the authentication assertion sent by the UAF authenticator using the attestation public key ck distributed through the authenticator's metadata, to ensure that the UAF authenticator is genuine and trustworthy: Verify(ck, certificate).
7. When the UAF authenticator is registered successfully and associated with the user account (IH) of the authentication service module, the authentication service module provides the UAF authenticator with a unique set of identifiers specific to the authentication service module and that UAF authenticator, used for their future interactions; this identity is not known to any other device. The authentication service module stores the user public key.
The UAF authenticator functions as follows:
1. The UAF authenticator performs UAF biometric authentication on the user to check the user's identity.
2. The UAF authenticator generates a public-private key pair (ska, pka) for the challenge response.
3. When the user needs identity authentication, the UAF authenticator accepts verification by the SDP controller through the challenge-response mechanism.
4. Using the stored user private key, the UAF authenticator decrypts and obtains the symmetric key K1 sent by the SDP controller for establishing the bidirectional TLS tunnel between the SDP client and the SDP controller.
As shown in Fig. 6, after registration the user can quickly access the requested application from the IH host in the manner chosen at registration. The authentication service module and the SDP control module trust each other and communicate with each other.
The specific flow is as follows:
When a user wishes to access, through an IH host, a service resource protected by an AH host acting as a gateway, authentication is initiated to the authentication service module through the user agent (application or browser), where Initiate Authentication is the authentication-initiation identifier.
The authentication service module generates a random number challenge through random() and sends Authentication Request || policy2 || challenge to the UAF authenticator.
The user completes identity verification by the UAF authenticator using the biometric method selected at registration.
After the user passes authentication by the UAF authenticator, the UAF authenticator uses the account identifier to find the user private key ska corresponding to the user, encrypts the challenge with ska and returns it as the response to the authentication service module: C1 = SM2(ska, challenge).
After receiving the response C1, the authentication service module decrypts it with the corresponding user public key pka and checks whether the recovered challenge matches the one it issued: Verify(pka, C1).
After the user passes verification by the authentication service module, the authentication service module first generates a random number m through random() as the initial secret, derives a symmetric key K1 from it using AES(m), and stores the key in the SDP control module as K1||time2. It then encrypts K1 together with its lifetime time2 under the user public key pka and sends the result to the SDP client: C2 = SM2(pka, K1||time2).
After receiving the message from the authentication service module, the UAF authenticator decrypts it with the user private key ska to obtain the key K1 shared with the SDP control module: Verify(ska, C2).
After receiving the shared key K1 from the authentication service module, the SDP control module determines the list of SDP gateways the user device is authorized to connect to, and accepts D1 = SM4(K1, tlsDataID) sent by the SDP client to establish a bidirectional TLS tunnel with it.
The SDP control module sends Notify || policy3 to the SDP gateway, informing the SDP gateway to accept the communication from the SDP client and to apply any optional policies needed to encrypt the communication.
The SDP control module sends D2 = SM4(K1, list || policy3) to the SDP client.
The SDP client obtains the list and the policy by decrypting D2 with K1. The SDP control module generates a shared symmetric key K2 for each pair of user and SDP gateway, sends K2||time3 to the SDP gateway, and sends D3 = SM4(K1, K2||time3) to the SDP client of the corresponding user.
The SDP client obtains K2 by decrypting D3 with K1: Decrypt(K1, D3). It then establishes a bidirectional TLS tunnel with each SDP gateway using that gateway's own symmetric key, sending a different SM4(K2, tlsDataID) to each SDP gateway.
The SDP client then communicates with the service resources through the SDP gateway over the bidirectionally encrypted data channel.
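The registration steps above (key pair created on the authenticator, only the public key stored by the relying party) and the authentication and key-delivery flow that follows them, as an added simulation that is not part of the patent: SM2 and SM4 are replaced by stand-ins (a Schnorr signature and ElGamal-style hybrid encryption modulo the Mersenne prime 2^127-1, and an HMAC-based stream cipher with a tag), the lifetimes time2/time3 are constructed placeholders, and K2 is delivered for a single gateway.

```python
"""Simulation of the UAF registration, challenge-response and K1/K2 delivery
flow described above.  Added example, not the patent's own code.
Stand-ins (constructed, not production cryptography): SM2 sign / SM2 encrypt ->
Schnorr signature / ElGamal-style hybrid encryption in Z_p* for the Mersenne
prime p = 2^127 - 1; SM4 / AES -> HMAC-SHA256 keystream XOR plus an HMAC tag.
The messages (challenge, C1, C2, D1, D3) follow the notation in the text."""
import hashlib
import hmac
import secrets

P = 2**127 - 1  # toy-sized prime modulus; a real deployment uses SM2 on an elliptic curve
ORDER = P - 1   # exponents are reduced modulo the order of Z_p* (Fermat's little theorem)
G = 3
NB = 16         # bytes needed to encode one group element


def _h(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")


def keygen():
    """Registration step 4: ska random below the order, pka = g^ska (the text's ska*G)."""
    ska = secrets.randbelow(ORDER - 1) + 1
    return ska, pow(G, ska, P)


def sign(ska: int, msg: bytes):
    """Schnorr signature over msg, standing in for C1 = SM2(ska, challenge)."""
    e = secrets.randbelow(ORDER - 1) + 1
    r = pow(G, e, P)
    return r, (e + _h(r.to_bytes(NB, "big"), msg) * ska) % ORDER


def verify(pka: int, msg: bytes, sig) -> bool:
    """Verify(pka, C1): g^s must equal r * pka^c; needs only the public key."""
    r, s = sig
    return pow(G, s, P) == r * pow(pka, _h(r.to_bytes(NB, "big"), msg), P) % P


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Keystream = HMAC(key, nonce||counter) blocks; the 1-byte counter caps data at 8 KiB."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """SM4/AES stand-in, encrypt-then-MAC so a wrong key or tampering is detected."""
    nonce = secrets.token_bytes(16)
    body = nonce + _xor_stream(key, nonce, plaintext)
    return body + hmac.new(key, b"mac|" + body, hashlib.sha256).digest()


def sym_decrypt(key: bytes, ct: bytes) -> bytes:
    body, tag = ct[:-32], ct[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac|" + body, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return _xor_stream(key, body[:16], body[16:])


def pk_encrypt(pka: int, msg: bytes):
    """ElGamal-style hybrid encryption, standing in for C2 = SM2(pka, K1||time2)."""
    t = secrets.randbelow(ORDER - 1) + 1
    key = hashlib.sha256(pow(pka, t, P).to_bytes(NB, "big")).digest()
    return pow(G, t, P), sym_encrypt(key, msg)


def pk_decrypt(ska: int, ct) -> bytes:
    eph, body = ct
    key = hashlib.sha256(pow(eph, ska, P).to_bytes(NB, "big")).digest()
    return sym_decrypt(key, body)


def run_flow():
    """Registration, authentication and K1/K2 delivery; returns (K1 agreed, K2 agreed)."""
    # Registration (steps 4-7): the key pair is created on the UAF authenticator; the
    # service stores pka only, so no reusable secret sits in plaintext as the OTP did.
    ska, pka = keygen()
    # Authentication: random challenge, signed by the authenticator, checked with pka.
    challenge = secrets.token_bytes(32)                 # random() -> challenge
    c1 = sign(ska, challenge)                           # C1 = SM2(ska, challenge)
    if not verify(pka, challenge, c1):                  # Verify(pka, C1)
        return False, False
    # Key delivery: K1||time2 travels under pka, so only the holder of ska can read it.
    k1 = secrets.token_bytes(32)                        # AES(m) -> K1
    c2 = pk_encrypt(pka, k1 + b"time2")                 # C2 = SM2(pka, K1||time2)
    k1_ih = pk_decrypt(ska, c2)[:32]                    # Verify(ska, C2) on the IH
    # The IH proves possession of K1 when opening the controller tunnel (D1), then
    # receives a per-gateway K2 under K1 (D3); the gateway gets the same K2 directly.
    d1 = sym_encrypt(k1_ih, b"tlsDataID")               # D1 = SM4(K1, tlsDataID)
    sym_decrypt(k1, d1)                                 # controller checks D1 with its K1
    k2 = secrets.token_bytes(32)
    d3 = sym_encrypt(k1, k2 + b"time3")                 # D3 = SM4(K1, K2||time3)
    k2_ih = sym_decrypt(k1_ih, d3)[:32]
    return k1 == k1_ih, k2 == k2_ih
```

A response signed under a different key, or a C2/D3 decrypted with the wrong key, is rejected rather than silently yielding garbage, which is the property the challenge-response scheme relies on.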
The above disclosure is only a preferred embodiment of the UAF-based SDF authentication method of the present invention, and it should be understood that the scope of the present invention is not limited thereto, and those skilled in the art will understand that all or part of the procedures for implementing the above embodiments are equivalent and still fall within the scope of the present invention.

Claims (10)

1. The UAF-based SDF identity authentication method is characterized by comprising the following steps of:
the network security architecture controller authenticates and authorizes the user;
the receiving host and the starting host each establish a bidirectional TLS tunnel to the network security architecture controller and authenticate with it;
after the starting host passes authentication, the network security architecture controller generates the list of receiving hosts the starting host may access, and the receiving host is notified to accept the communication and generates the policy required for encrypted communication;
the network security architecture controller sends the host list and the required policy to the starting host, the starting host initiates single-packet authentication to each receiving host it is allowed to connect to, and the starting host then communicates with the receiving host through the bidirectional TLS tunnel.
2. The method for UAF-based SDF authentication of claim 1,
the specific way in which the receiving host and the starting host establish bidirectional TLS tunnels to the network security architecture controller and authenticate with it is as follows:
the receiving host is activated and brought online, and establishes a bidirectional TLS tunnel to the network security architecture controller for authentication;
the starting host is activated and brought online, and establishes a bidirectional TLS tunnel to the network security architecture controller for authentication.
3. The method for UAF-based SDF authentication of claim 1,
the specific way in which, after the starting host passes authentication, the network security architecture controller generates the list of accessible receiving hosts and the receiving host accepts the communication and generates the policy required for encrypted communication is as follows:
after the starting host passes authentication, the network security architecture controller generates the list of receiving hosts that the starting host may access;
the network security architecture controller notifies the receiving host to accept the communication from the starting host and generates the policy required to encrypt that communication.
4. The method for UAF-based SDF authentication of claim 1,
the specific way in which the network security architecture controller sends the host list and the required policy to the starting host, the starting host initiates single-packet authentication to the connected receiving host, and the starting host communicates with the receiving host through the bidirectional TLS tunnel is as follows:
the network security architecture controller sends the host list and the required policy to the starting host;
the starting host initiates single-packet authentication to each receiving host it is allowed to connect to, and then communicates with that receiving host through the bidirectional TLS tunnel.
5. The UAF-based SDF authentication method of claim 1, wherein
the network security architecture comprises a resource server, a receiving host, a starting host and a network security architecture controller, wherein the network security architecture controller is connected to the receiving host and to the starting host through control channels, the receiving host and the starting host are connected through a data channel, and the resource server is connected to the receiving host through a data channel.
6. The UAF-based SDF authentication method of claim 5, wherein
the network security architecture controller comprises an SDP control module and an authentication service module.
7. The UAF-based SDF authentication method of claim 5, wherein
the starting host comprises an SDP client, a UAF authenticator, a UAF client and a user agent.
8. The UAF-based SDF authentication method of claim 5, wherein
the receiving host is the SDP gateway.
9. The UAF-based SDF authentication method of claim 7, wherein
the functions of the network security architecture controller include: when the SDP client requests registration, the authentication service module sends a deployment policy to the UAF authenticator of the SDP client; the authentication service module verifies the authentication certificate sent by the UAF authenticator and, if the UAF authenticator passes verification, stores the user public key sent by the UAF authenticator for use in challenge authentication; when the UAF authenticator has been successfully registered and associated with a user account of the authentication service module, the authentication service module provides the UAF authenticator with a unique security identification code specific to that authentication service module and that UAF authenticator; when the SDP client requests authentication, the authentication service module generates a random number with a random function as the challenge and sends the challenge, together with the deployment policy and an authentication request, to the UAF authenticator; and the authentication service module verifies whether the response code from the SDP client is correct.
10. The UAF-based SDF authentication method of claim 7, wherein
the functions of the UAF authenticator comprise: UAF biometric authentication of the user to verify the user's identity; generation of a public-private key pair for challenge response; verification by the network security architecture controller through a challenge-response mechanism; and the symmetric key used to establish the bidirectional TLS tunnel between the SDP client and the SDP controller.
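The registration and challenge-response flow of claims 9 and 10, as an added Go example that is not part of the patent: the authentication service module stores the user public key under a unique identifier, issues a random single-use challenge, and verifies the authenticator's signed response, rejecting replays and responses from a different key. Ed25519 as the key type, the 32-byte challenge and the identifier format are assumptions; the deployment policy, the certificate check and the biometric step are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)
// Service models the authentication service module of claim 9: registered user public keys and pending challenges.
type Service struct {
	pubKeys    map[string]ed25519.PublicKey // indexed by the unique security identifier
	challenges map[string][]byte            // at most one outstanding challenge per identifier
}

func NewService() *Service {
	return &Service{map[string]ed25519.PublicKey{}, map[string][]byte{}}
}

// Register stores the user public key and returns the unique security identifier (16 random bytes, hex: an assumption, the patent fixes no format).
func (s *Service) Register(pub ed25519.PublicKey) (string, error) {
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil { return "", err }
	keyID := hex.EncodeToString(id)
	s.pubKeys[keyID] = pub
	return keyID, nil
}

// Challenge draws a fresh 32-byte random challenge for a registered identifier.
func (s *Service) Challenge(keyID string) ([]byte, error) {
	if _, ok := s.pubKeys[keyID]; !ok { return nil, errors.New("unregistered identifier") }
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil { return nil, err }
	s.challenges[keyID] = c
	return c, nil
}

// Verify checks the response against the stored public key and the pending challenge,
// then discards the challenge so a replayed response is rejected.
func (s *Service) Verify(keyID string, response []byte) bool {
	c, ok := s.challenges[keyID]
	if !ok { return false }
	delete(s.challenges, keyID)
	return ed25519.Verify(s.pubKeys[keyID], c, response)
}

// Respond is the authenticator side of claim 10: the private key never leaves the authenticator, which signs only after the biometric check has passed.
func Respond(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}
```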
CN202310486908.7A 2023-04-30 2023-04-30 UAF-based SDF identity authentication method Pending CN116545686A (en)

Publications (1)

Publication Number Publication Date
CN116545686A true CN116545686A (en) 2023-08-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination