CN116846560A - Access authentication method and related equipment - Google Patents


Info

Publication number: CN116846560A
Authority: CN (China)
Prior art keywords: access network; user; signature; verification; identification code
Legal status: Pending
Application number: CN202310614782.7A
Other languages: Chinese (zh)
Inventors: 吴慧慈, 徐鹏博, 陶小峰, 王晨宇, 李娜
Current Assignee: Beijing University of Posts and Telecommunications
Original Assignee: Beijing University of Posts and Telecommunications
Application filed by Beijing University of Posts and Telecommunications; priority to CN202310614782.7A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/32 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Means for verifying identity or message authentication involving digital signatures
    • H04L9/3271 Means for verifying identity or message authentication using challenge-response
    • H04L9/3273 Means for verifying identity or message authentication using challenge-response for mutual authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides an access authentication method and related equipment. The method comprises the following steps: the core network side receives a user side identification code table, a user side session identification code table and an access network side session identification code sent by the access network side, generates a response value from the access network side session identification code through a lattice-based signature algorithm, and randomly generates a challenge value; the user terminal generates a user terminal signature through a lattice-based signature algorithm according to the challenge value; the access network terminal generates an access network terminal signature through a lattice-based signature algorithm according to the challenge value, and generates a total user terminal signature through a signature aggregation algorithm from at least one received user terminal signature; and the core network side generates at least one session key according to the user side session identification code table and the root key. The method and the related equipment can effectively improve the security of access authentication and reduce the resources consumed by an access authentication system.

Description

Access authentication method and related equipment
Technical Field
The present application relates to the field of access authentication technologies, and in particular, to an access authentication method and related devices.
Background
With the rapid development of quantum computing technology, how to resist attacks launched by attackers with quantum computing capability in the access authentication process of a user terminal becomes a research hotspot.
The related art mainly proposes post-quantum digital signature protocols and applies such signatures to authentication protocols. However, these methods cannot resist active attacks initiated by an attacker, and they require the support of a secure channel if they are to be deployed directly in an application environment. The problems are therefore that active attacks cannot be resisted, and that deployment is not flexible enough because it rests on an excessively strong security assumption. On the other hand, in the related art, device access authentication is usually point-to-point, and in a massive machine access environment this generates a huge authentication and management resource overhead.
In summary, the related art has the problems of inflexibility in deployment and high resource overhead.
Disclosure of Invention
In view of the above, the present application is directed to an access authentication method and related devices.
Based on the above purpose, the application provides an access authentication method which is applied to an access authentication system, wherein the access authentication system comprises a user end, an access network end and a core network end;
the method comprises the following steps:
the core network side receives a user side identification code table, a user side session identification code table and an access network side session identification code which are sent by the access network side, responds to the determination that the user side identification code table passes verification, generates a response value according to the access network side session identification code by a lattice-based signature algorithm, and randomly generates a challenge value; the session identification codes of the access network end are in one-to-one correspondence with the access network end;
The user terminal responds to the determination that the response value passes verification, and generates a user terminal signature through a lattice-based signature algorithm according to the challenge value;
the access network end responds to the determination that the response value passes verification, generates an access network end signature through a lattice-based signature algorithm according to the challenge value, and generates a total user end signature through a signature aggregation algorithm according to at least one received user end signature;
and the core network side responds to the determination that the access network side signature and the total user side signature pass verification, and generates at least one session key according to the user side session identification code table and the root key.
Optionally, before the receiving the user terminal identifier code table, the user terminal session identifier code table and the access network terminal session identifier code sent by the access network terminal, the method further includes:
the access network side receives at least one user side data packet, and generates a user side identification code table and a user side session identification code table according to all the user side data packets; the user terminal data packet comprises a user terminal identification code and a user terminal session identification code; the user terminal identification codes and the user terminal session identification codes are in one-to-one correspondence with the user terminals;
And the access network end sends the user end identification code list, the user end session identification code list and the access network end session identification code to the core network end.
Optionally, before the receiving at least one client data packet, the method further includes:
the user terminal sends the user terminal session identification code to the access network terminal;
the access network side receives the user side session identification code and generates a first verification signature according to the user side session identification code;
and the user terminal responds to the determination that the first verification signature passes verification and sends the user terminal data packet to the access network terminal.
Optionally, the step of generating the public-private key pair at the core network side includes:
the core network side generates a first preset value $N = 2^k$ and a second preset value $q$, takes the first preset value $N = 2^k$ as the order of the ring (polynomials modulo $x^N + 1$) and takes $q$ as the modulus of the polynomial coefficients on the ring;
the core network side obtains a master key of the core network side through a lattice-based master key generation algorithm according to the first preset value and the second preset value;
and the core network side generates a public key and a private key of the core network side through a lattice-based key extraction algorithm according to the master key and the core network side identification code.
Optionally, the step of generating the public-private key pair of the access network side includes:
the core network terminal generates a public and private key pair of the access network terminal through a lattice-based key extraction algorithm according to the master key;
the access network end obtains a public and private key pair of the access network end.
Optionally, the generating step of the private key of the user includes:
the user terminal sends the user terminal data packet to the core network terminal;
the core network side receives the user side data packet, responds to the determination that the user side data packet passes verification, generates a second verification signature through a lattice-based signature algorithm according to the user side data packet, randomly generates a verification challenge value, and sends the second verification signature and the verification challenge value to the user side;
the user terminal responds to the determination that the second verification signature passes verification, generates a verification response value according to a root key and sends the verification response value to the core network terminal;
the core network side, in response to determining that the verification response value passes verification, generates a public and private key pair of the user side through a lattice-based key extraction algorithm according to the master key and the user side identification code corresponding to the user side, and sends the public and private key pair to the user side;
The user terminal receives the public and private key pair of the user terminal.
Optionally, the generating step of the private key of the user further includes:
the user terminal sends the user terminal data packet to the access network terminal;
the access network end receives and transmits the user end data packet to the core network end;
the core network side receives the user side data packet, responds to the determination that the user side data packet passes verification, generates a second verification signature through a lattice-based signature algorithm according to the user side data packet, randomly generates a verification challenge value, and sends the second verification signature and the verification challenge value to the access network side;
the access network side receives and transmits the second verification signature and the verification challenge value to the user side;
the user terminal responds to the determination that the second verification signature passes verification, generates a verification response value according to a root key and sends the verification response value to the access network terminal;
the access network end receives and transmits the verification response value to the core network end;
the core network side, in response to determining that the verification response value passes verification, generates a public and private key pair of the user side through a lattice-based key extraction algorithm according to the master key and the user side identification code corresponding to the user side, and sends the public and private key pair to the access network side;
The access network side receives and transmits the public and private keys of the user side to the user side;
the user terminal receives the public and private key pair of the user terminal.
Based on the same inventive concept, the application also provides an access authentication system, comprising:
the core network side is used for receiving a user side identification code table, a user side session identification code table and an access network side session identification code which are sent by the access network side, responding to the determination that the user side identification code table passes verification, generating a response value according to the access network side session identification code by a lattice-based signature algorithm, and randomly generating a challenge value; the session identification codes of the access network end are in one-to-one correspondence with the access network end; and generating at least one session key according to the client session identification code table and a root key in response to determining that the access network side signature and the total client side signature pass verification;
the user terminal is used for responding to the determination that the response value passes the verification, and generating a user terminal signature through a lattice-based signature algorithm according to the challenge value;
the access network side is used for responding to the determination that the response value passes verification, generating an access network side signature through a lattice-based signature algorithm according to the challenge value, and generating a total user side signature through a signature aggregation algorithm according to at least one received user side signature.
Based on the same inventive concept, the application also provides an electronic device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor realizes the access authentication method according to any one of the above when executing the program.
Based on the same inventive concept, the present application also provides a non-transitory computer readable storage medium storing computer instructions for causing the computer to execute any one of the above access authentication methods.
From the above, it can be seen that the access authentication method and related device provided by the application have the following advantages: the access network side simultaneously performs access authentication for a plurality of user sides, and the bilateral authentication among the user side, the access network side and the core network side ensures secure access of the user side, reduces the resources consumed by access authentication, and reduces the deployment difficulty of the access authentication system.
Drawings
In order to more clearly illustrate the technical solutions of the present application or related art, the drawings that are required to be used in the description of the embodiments or related art will be briefly described below, and it is apparent that the drawings in the following description are only embodiments of the present application, and other drawings may be obtained according to the drawings without inventive effort to those of ordinary skill in the art.
Fig. 1 is a flow diagram of an access authentication method according to one or more embodiments of the present application;
fig. 2 is a schematic diagram of an access authentication system according to one or more embodiments of the present application;
FIG. 3 is a flow diagram illustrating a user registration phase of an access authentication method according to one or more embodiments of the present application;
fig. 4 is a flow diagram of a group authentication phase of an access authentication method according to one or more embodiments of the present application;
fig. 5 is a schematic diagram of a hardware architecture of an electronic device according to one or more embodiments of the present application.
Detailed Description
The present application will be further described in detail below with reference to specific embodiments and with reference to the accompanying drawings, in order to make the objects, technical solutions and advantages of the present application more apparent.
It should be noted that unless otherwise defined, technical or scientific terms used in the embodiments of the present application should be given the ordinary meaning as understood by one of ordinary skill in the art to which the present application belongs. The terms "first," "second," and the like, as used in embodiments of the present application, do not denote any order, quantity, or importance, but rather are used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that elements or items preceding the word are included in the element or item listed after the word and equivalents thereof, but does not exclude other elements or items. The terms "connected" or "connected," and the like, are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", etc. are used merely to indicate relative positional relationships, which may also be changed when the absolute position of the object to be described is changed.
As described in the background, with rapid development of computer technology and quantum computing technology, the following application scenarios are presented for access authentication of devices: group access authentication in the context of attacks by attackers with quantum computing capabilities and in a mass machine access environment.
In the related art, in order to face the security problem that occurs in the above scenario, it is proposed to integrate the NTRU lattice-based post quantum lattice cryptographic signature algorithm into the authentication protocol, so as to improve the security of the authentication protocol. However, the above solution requires that the access authentication system must be deployed in a secure channel environment, and has a high requirement on communication equipment, which has a problem of poor deployment flexibility.
Moreover, the technical scheme cannot solve the problem of large consumption of authentication and management resources under the condition of accessing mass machines.
Therefore, the application provides an access authentication method, and the access network terminal gathers information of the user terminal needing access authentication, so that the access authentication is carried out by multiple devices at the same time.
Meanwhile, in order to ensure the security in the access authentication process, the method adopts a challenge response mechanism at the same time to realize bilateral authentication among the user terminal, the access network terminal and the core network terminal.
Before describing the claimed technical solution in detail, the algorithms used below are described.
(1) Lattice-based master key generation algorithm MasterKey_Gen (N, q)
The lattice-based master key generation algorithm takes as input the order $N$ of the preset ring and the modulus $q$ of the polynomial coefficients. The algorithm computes the standard deviation $\sigma$ of the target discrete Gaussian distribution from the values of $N$ and $q$, then samples coefficients from the discrete Gaussian distribution with standard deviation $\sigma$ and center 0 over the ring to generate the polynomials $f$ and $g$. It then verifies whether the Gaussian norms of $f$ and $g$ meet the requirement for generating an NTRU lattice; if so, it computes $F$ and $G$ satisfying $fG - gF = q \bmod (x^N + 1)$. From the four polynomials it outputs the NTRU lattice $B$ as the master key mSK and $h = g/f$ as the master public key.
(2) Lattice-based Key extraction algorithm Key_extract (mSK, userID, β)
The lattice-based key extraction algorithm takes as input the master key mSK obtained by the master key generation algorithm, the identity identifier UserID of the user, and a preset key norm limit $\beta$. The algorithm first applies a one-way function $H$, which maps arbitrary binary bit strings to polynomials on the ring, to compute $c = H(\mathrm{UserID})$; it then uses fast Fourier sampling over mSK to compute $(s_1, s_2)$ satisfying $s_1 + s_2 h = c$; finally it verifies whether the Gaussian norm of $(s_1, s_2)$ meets the limit $\beta$ and, if so, outputs the private key $\mathrm{skip} = s_2$ corresponding to the user identity UserID.
(3) Identity-based public key encryption algorithm encrypter (userID, m) and corresponding decryption algorithm Decrypt (c, skip)
The algorithm applies a lattice-based encryption and decryption framework and generates an identity-based public and private key using a lattice basis. In one or more embodiments of the present application, the encryption public key is the user identification code (userID), and the decryption private key is the user's private key sampled from the user identification code.
(4) Lattice-based signature algorithm Sign(skip, h, HashContent)
The lattice-based signature algorithm takes as inputs the private key skip obtained through the identity-based key extraction, the master public key $h$ obtained by the master key generation algorithm, and HashContent, the content to be hashed. The algorithm is a single-user signature on a message, built on the rejection sampling technique. In the algorithm, a pair of random polynomials $(y_0, y_1)$ is first selected, whose coefficients are sampled from a discrete Gaussian distribution centered at 0. Then $r = y_0 + h y_1$ and $c = H_1(r, \mathrm{HashContent})$ are computed, where $H_1$ is a one-way function mapping arbitrary binary information onto a short polynomial, $H_1 : \{0,1\}^* \to \{e \mid e \in \{-1,0,1\}^n, \|e\|_1 \le \lambda\}$. After that $z = (z_0, z_1) = (s_0 c + y_0,\; s_1 c + y_1)$ is computed, and the computed $z_0$ and $z_1$ must each satisfy the acceptance condition of the rejection sampling step. The final output $Z = h^{-1} z_0 + z_1$ together with $r$ is the signature output by the user. In some embodiments, the signature may be compressed by a compression algorithm to suit transmission.
(5) Signature aggregation algorithm Aggregation([Z1, Z2...Zn], [r1, r2...rn])
The signature aggregation algorithm takes the signature pairs $(Z_i, r_i)$ of a plurality of user terminals as input and computes the aggregate value of the user terminal signatures. The aggregate signature is computed by polynomial addition over the ring, i.e. $\mathrm{AggZ} = \sum(Z_1, \ldots, Z_n)$ and $\mathrm{Aggr} = \sum(r_1, \ldots, r_n)$.
(6) Signature verification algorithm Check(AggZ, Aggr, [c1, c2...cn])
The signature verification algorithm is used to verify the validity of the aggregate signature, and takes as input the aggregate signature (AggZ, Aggr) of the users and the hash value $c_i$ calculated for each user in the user signature algorithm. It first verifies whether AggZ satisfies the following equation:
If the above equation holds, it then verifies whether the norm of AggZ is smaller than a bound determined by $\beta_1$, where $\beta_1$ is the upper bound on the norm of $c_i$; if both verifications pass, the signature is considered valid. In some embodiments, the algorithm may also be used to verify signatures generated with the identity-based public key encryption and decryption algorithms.
The following detailed description of specific embodiments is provided to illustrate the application in terms of one or more embodiments.
Referring to fig. 1, an access authentication method of one or more embodiments of the present application includes the steps of:
step S101: the core network side receives the user terminal identification code table, the user terminal session identification code table and the access network terminal session identification code transmitted by the access network side, responds to the determination that the user terminal identification code table passes verification, generates a response value according to the access network terminal session identification code by a lattice-based signature algorithm, and randomly generates a challenge value; the session identification codes of the access network end are in one-to-one correspondence with the access network end.
In this step, the challenge-response mechanism is likewise used for bilateral verification. The principle is as follows: the core network side generates a response value from the received access network side session identification code (which can be regarded as a challenge value) and subsequently sends it to the user side and the access network side, so that they can verify the core network side; at the same time, it randomly generates a challenge value and sends it to the user side and the access network side, so that they can be verified according to the signatures returned afterwards (which can be regarded as response values). The previous step realizes verification between the user side and the access network side, and this step realizes verification between the core network side and the user side and the access network side, thereby achieving three-party verification.
In the embodiment of the application, the response value can be obtained through a lattice-based signature algorithm according to the session identification code of the access network side. In some embodiments, the signature may continue to be compressed and then used as a response value. The challenge value R2 may be obtained by a randomly generated method.
In some embodiments, the step of generating the public-private key pair at the core network side includes: generating a first preset value $N = 2^k$ and a second preset value $q$, taking the first preset value $N = 2^k$ as the order of the ring (polynomials modulo $x^N + 1$) and $q$ as the modulus of the polynomial coefficients on the ring; generating the master key of the core network side according to the first preset value and the second preset value; and generating the public and private keys of the core network side according to the master key and the core network side identification code.
In some embodiments, before this step, verification of the core network end is further included. In some embodiments, this verification process includes the steps of: the access network side receives at least one user side data packet, and generates a user side identification code table and a user side session identification code table according to all the user side data packets; the user terminal data packet comprises a user terminal identification code and a user terminal session identification code; the user terminal identification codes correspond to the user terminals one by one; and the access network end sends the user end identification code table, the user end session identification code table and the access network end session identification code to the core network end.
In the process of implementing the present application, the applicant found that the technical solution of the related art cannot be implemented outside a secure channel, because it lacks a strict identity-based cryptographic flow.
Therefore, in the application, the user terminal identification code is adopted to identify the user terminal. In some embodiments, the ue identifier is issued by the core network. In some embodiments, the ue identifier is issued by a home network of the core network. In some embodiments, the ue identity remains unchanged all the time except for being reset according to a user command.
To provide safer authentication, for the client, the user session identifier may be used to enhance the identity. Because the session identification code is designed for the identity, the session identification code corresponds to the user end one by one. In some embodiments, the first session identification is randomly generated. In some embodiments, the randomly generated session identifier of the user end is only applied to the current access authentication process. Different methods for generating the session identification code can not affect the protection scope of the application as long as the corresponding purpose can be achieved.
In some embodiments, to ensure security, the user terminal needs to verify the access network before sending its session identifier and user terminal identifier to the access network. In some embodiments, this verification process includes: the user terminal sends the user terminal session identification code to the access network terminal; the access network side receives the user side session identification code and generates a first verification signature according to the user side session identification code, the access network side session identification code and the public and private key pair of the access network side; and the user terminal, in response to determining that the first verification signature passes verification, sends the user terminal data packet to the access network terminal. It should be noted that at this point the user terminal only sends its session identifier to the access network, so the access network cannot identify which user terminal the session identifier was sent by. Through the above step, the user side can first verify whether the access network it is connected to meets the verification requirement before performing access authentication. That is, the user terminal may first use its session identifier as the challenge value and the first verification signature as the response value, and perform the subsequent steps only after confirming that the response value verifies.
In some embodiments, the step of generating the public and private key pair of the access network end includes: the core network end generates the public and private key pair of the access network end from the master key through a lattice-based key extraction algorithm; and the access network end obtains its public and private key pair.
In some embodiments, after the access network end generates the user end identification code table and the user end session identification code table, it may send both tables to the core network end. In some embodiments, the two tables may be encrypted before being uploaded to the core network end. In some embodiments, the two tables may be encrypted with the core network end identification code as the public key. In some embodiments, the core network end identification code may be obtained by broadcast.
In some embodiments, the access network end sends its access network end session identification code together with the two tables. In some embodiments, the access network end session identification code is similar to the user end session identification code in function and in generation method.
Step S102: the user end, in response to determining that the response value passes verification, generates a user end signature from the challenge value through a lattice-based signature algorithm.
In some embodiments, the method for determining whether the response value passes verification includes: calculating a first verification process value from the response value by the formula $c_1 = H_1(\mathrm{PLMNid}, r, \mathrm{SessionID})$, where $c_1$ is the first verification process value, PLMNid is the core network end identification code, $r$ is a result value obtained from the hash function calculation, SessionID is the access network end session identification code, and the hash function is the one used to calculate the response value; and determining that the response value passes verification in response to determining that the first verification process value satisfies $h \cdot z = r + H_0(\mathrm{PLMNid})\, c_1$, where $h$ is the polynomial of the ring described above, $z$ and $r$ are result values obtained from the hash function calculation, PLMNid is the first core network identification code, and $c_1$ is the first verification process value.
In some embodiments, the user end identification code, the challenge value and the user end session identification code may be used as inputs to derive the signature pair through a lattice-based signature algorithm.
In some embodiments, the signature pair is obtained and then sent to the access network end.
In some embodiments, generating the private key of the user end includes: the user end sends the user end data packet to the core network end; the core network end receives the user end data packet and, in response to determining that it passes verification, generates a second verification signature from the user end data packet through a lattice-based signature algorithm, randomly generates a verification challenge value, and sends the second verification signature and the verification challenge value to the user end; the user end, in response to determining that the second verification signature passes verification, generates a verification response value from the root key and sends it to the core network end; the core network end, in response to the verification response value passing verification, generates the public and private key pair of the user end from the master key and the user end identification code corresponding to the user end through a lattice-based key extraction algorithm and sends it to the user end; and the user end receives its public and private key pair.
Step S103: the access network end, in response to determining that the response value passes verification, generates an access network end signature from the challenge value through a lattice-based signature algorithm, and generates a total user end signature from the at least one received user end signature through a signature aggregation algorithm.
In some embodiments, after receiving the signatures sent by at least one user end, the access network end compresses and aggregates them with the signature aggregation algorithm to obtain the total user end signature.
In some embodiments, the access network end signs the challenge value with its private key to obtain the access network end signature.
In some embodiments, the step of generating the public and private key pair of the access network end includes: the core network end generates the public and private key pair of the access network end from the master key through a lattice-based key extraction algorithm; and the access network end obtains its public and private key pair.
Step S104: the core network end, in response to determining that the access network end signature and the total user end signature pass verification, generates at least one session key from the user end session identification code table and the root key.
In some embodiments, the method applied at the core network end for determining whether the total user end signature passes verification includes: calculating a second verification process value from the user end identification code and the first session identification code by the formula $c_{2i} = H_1(\mathrm{UserID}_i, R_2, \mathrm{Seed}_i)$, where $c_{2i}$ is the second verification process value, $\mathrm{UserID}_i$ is the $i$-th user end identification code, $R_2$ is the challenge value and $\mathrm{Seed}_i$ is the $i$-th user end session identification code; and determining that the total user end signature passes verification in response to determining that the second verification process value satisfies the verification equation whose left-hand side is $z_0 + h \cdot z_1$ (the right-hand side is not legible in the source), where $z_0$, $z_1$ and $r$ are result values obtained from the hash function calculation, $h$ is the polynomial of the ring described above, $c_{2i}$ is the verification process value, and the hash function is the one used to calculate the total user end signature.
It should be noted that the method of the embodiments of the present application may be performed by a single device, for example a computer or a server. The method of the embodiments may also be applied in a distributed scenario and completed by a plurality of devices cooperating with each other. In such a distributed scenario, one of the devices may perform only one or more steps of the method of an embodiment of the present application, the devices interacting with each other to complete the method.
It should be noted that the foregoing describes some embodiments of the present application. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments described above and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
Based on the same inventive concept, the application also provides an access authentication system corresponding to the method of any embodiment.
Referring to fig. 2, the access authentication system includes:
an access network end 12, configured to generate an access network end signature from the challenge value through a lattice-based signature algorithm in response to determining that the response value passes verification, and to generate a total user end signature from the at least one received user end signature through a signature aggregation algorithm;
a core network end 11, configured to receive a user end identification code table, a user end session identification code table and an access network end session identification code sent by the access network end, to generate, in response to determining that the user end identification code table passes verification, a response value from the access network end session identification code through a lattice-based signature algorithm, and to randomly generate a challenge value, where the access network end session identification codes correspond one-to-one with the access network ends; and to generate at least one session key from the user end session identification code table and the root key in response to determining that the access network end signature and the total user end signature pass verification; and
a user end 13, configured to generate a user end signature from the challenge value through a lattice-based signature algorithm in response to determining that the response value passes verification.
In combination with the access authentication system, in some embodiments, when it is determined that the system is started for the first time or restarted after being reset, the access authentication method includes three parts, namely an initialization phase, a user registration phase and a group authentication phase; when the system is determined to be not started for the first time or restarted after being reset, the access authentication method can directly enter a group authentication stage. Therefore, the technical scheme of the application greatly saves the resources in the access authentication.
The following describes the steps of the three stages in detail, taking the access authentication system as an example.
In the initialization stage, first, the core network, the access network and the user terminal are initialized. In some embodiments, in this stage, there is no need for mutual authentication at the core network side and the access network side.
In some embodiments, the core network (Core Network) end includes a home network (Home Network) and a trust center (Trust Center, TC).
In some embodiments, the initialization for the core network side is mainly the initialization for the home network.
For the core network end, a first preset value $N = 2^k$ is first selected as the degree of the polynomial ring. In some embodiments, $N$ may be 512 or 1024. In some embodiments, a second preset value $q$ is selected as the modulus of the polynomial coefficients. In some embodiments, $q$ is a prime number. In some embodiments, $q$ may take the value 12289, which may protect the algorithms used in the authentication process from some hybrid attacks. Then, the lattice-based master key generation algorithm generates a lattice $B$ as the master key and $h$ as the public key, where the master key serves mainly as the signing key and the public key serves mainly to verify signature validity. The specific algorithm is as described above and is not repeated here.
Then, the core network end extracts the public and private key $Sk_H = (s_1, s_2)$ for encryption and decryption from the core network end identification code and the master key through the lattice-based key extraction algorithm. The specific algorithm is as described above and is not repeated here.
Finally, $h$, $N$ and $q$ are preset on, or sent to, the user end and the access network end. Different methods by which the user end and the access network end acquire $h$, $N$ and $q$ can achieve the corresponding purpose, and the protection scope of the invention is not affected by the method chosen.
In some embodiments, the core network end may also issue a legal access network end identification code (GroupID) to the access network end, calculate the public and private key $S_G = (s_0, s_1)$ of the access network end through the lattice-based key extraction algorithm, and send it to the access network end. In some embodiments, the core network end uses the home network to calculate and issue the public and private keys and the access network end identification code. In some embodiments, the core network end issues the public and private key and the access network end identification code over a secure channel. Different issuing modes can achieve the corresponding purpose, and different methods do not affect the protection scope of the invention. In some embodiments, the public and private key $S_G = (s_0, s_1)$ of the access network end needs to satisfy $s_1 + s_2 \cdot h = H(\mathrm{GroupID})$.
The initialization of the access network end consists of receiving or obtaining the public parameters $h$, $N$, $q$, the access network end identification code GroupID and the public and private key $S_G = (s_0, s_1)$ of the access network end.
In some embodiments, the core network end may also issue a legal user end identification code (UserID) to the user end. In some embodiments, the initialization of the user end consists of receiving or obtaining the public parameters $h$, $N$, $q$ and the user end identification code UserID.
In the initialization stage, the public and private keys of the user terminal cannot be obtained because the user terminal is not verified yet.
In the user registration stage, two-way verification is realized between the user end, using a root key $k$ preset at the user end, and the core network end, so that the user end obtains the public and private key issued by the core network end.
As shown in Fig. 3, at this stage the user end first generates a user end session identification code (SessionID), packages the SessionID and the UserID as the user end data packet, and sends it to the core network end. In some embodiments, the ciphertext Enc<SessionID, UserID> is obtained through a lattice-based encryption algorithm and the encryption result is sent to the core network end. In some embodiments, the data packet may be encrypted with the core network end identification code PLMNid as the public key. In some embodiments, the transmitted content may be forwarded by the access network end.
After receiving the above content, the core network end verifies the UserID. In some embodiments, the core network end first decrypts the encrypted message. If the UserID was issued by the core network end, the user end passes verification. The core network end then uses the lattice-based signature algorithm $\mathrm{Sign}(Sk_H, h, [\mathrm{PLMNid}, \mathrm{SessionID}, \mathrm{UserID}])$ to obtain the second verification signature $\langle z, r \rangle$. The second verification signature is subsequently sent to the user end to prove the identity of the core network end to the user end. At the same time, the core network end generates a random number $R$ and generates a verification challenge value from it. In some embodiments, the verification challenge value is calculated as $\mathrm{XRES} = \mathrm{Challenge}(R, \mathrm{SessionID}, k)$, where $R$ is the random number, SessionID is the user end session identification code and $k$ is the root key. Different ways of obtaining the verification challenge value can achieve the corresponding purpose, and different methods do not affect the protection scope of the invention. The core network end then sends the second verification signature $\langle z, r \rangle$ and the verification challenge value XRES to the user end. In some embodiments, the second verification signature and the verification challenge value may be compressed before transmission. In some embodiments, the transmitted content may be forwarded by the access network end.
After receiving the content sent by the core network end, the user end verifies whether the second verification signature satisfies $z_0 + z_1 \cdot h = H_0(\mathrm{PLMNid})\, c + r$, where $z_0$, $z_1$ and $r$ are result values obtained from the hash function calculation and PLMNid is the core network end identification code. In some embodiments, the received encrypted content is first decrypted and then verified. If the above equation holds, the user end considers the core network end authenticated. In some embodiments, the root key $k$ may be used to generate a verification session key for authentication in the registration stage. In some embodiments, the user end calculates the verification response value RES using the root key $k$. In some embodiments, the user end calculates the verification session key SessionKey using a session key generation algorithm. Different calculation methods for the verification response value and the verification session key can achieve the corresponding purpose, and the protection scope of the invention is not affected by the method chosen. In some embodiments, the user end sends the verification response value and the verification session key to the core network end. In some embodiments, the user end sends them to the core network end via the access network end, which forwards them.
In some embodiments, after receiving the verification response value and the verification session key, the core network end first checks whether the verification challenge value equals the verification response value, thereby verifying whether the user end is authenticated. In response to the verification response value passing verification, it generates the public and private key pair of the user end from the master key and the user end identification code corresponding to the user end. In some embodiments, the core network end obtains the public and private key pair of the user end from the user end identification code UserID through a lattice-based key extraction algorithm. In some embodiments, the public and private key pair of the user end is (UserID, skip). In some embodiments, the public and private key pair is sent to the user end. In some embodiments, the verification session key is used to encrypt the public and private key pair, which is sent to the user end in encrypted form. In some embodiments, the access network end may forward the transmitted content.
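The XRES/RES comparison of the registration stage of Fig. 3, as an added example in Python that is not part of the patent. The text does not specify Challenge() or the session key generation algorithm, so HMAC-SHA256 stands in for both (an assumption), and here the core network end derives the verification session key itself from the same inputs instead of receiving it from the user end; the second verification signature is not modelled in this block. The class and function names, the UserIDs, root keys and session identification codes are constructed for the example.

```python
import hashlib
import hmac
import secrets


def challenge(r, session_id, k):
    # XRES = Challenge(R, SessionID, k): the core network end's nonce R and the user end's
    # SessionID are bound under the preset root key k, so an answer captured in one
    # session cannot be reused in another (HMAC stands in for the page's Challenge())
    return hmac.new(k, b"XRES|" + r + b"|" + session_id, hashlib.sha256).digest()


def verification_session_key(r, session_id, k):
    # separate label: the session key and the response value come from the same k,
    # but neither can be derived from the other
    return hmac.new(k, b"SK|" + r + b"|" + session_id, hashlib.sha256).digest()


def user_end_response(r, session_id, k):
    # the user end recomputes RES from the same inputs and sends RES, never k
    return challenge(r, session_id, k)


class CoreNetworkRegistration:
    def __init__(self, issued_user_ids, root_keys):
        self.issued = set(issued_user_ids)   # UserIDs issued at initialization
        self.root_keys = root_keys           # UserID -> root key k, preset at provisioning
        self.pending = {}                    # UserID -> (R, SessionID, XRES) awaiting RES

    def on_user_packet(self, user_id, session_id):
        # Fig. 3, first message: only a UserID issued by the core network end passes
        if user_id not in self.issued:
            return None
        r = secrets.token_bytes(16)
        self.pending[user_id] = (r, session_id, challenge(r, session_id, self.root_keys[user_id]))
        return r   # sent to the user end (the second verification signature is not modelled here)

    def on_response(self, user_id, res):
        # Fig. 3, third message: compare the stored XRES with the received RES in constant
        # time; the pending entry is consumed so the same RES cannot be answered twice
        r, session_id, xres = self.pending.pop(user_id, (None, None, None))
        if xres is None or not hmac.compare_digest(xres, res):
            return None
        return verification_session_key(r, session_id, self.root_keys[user_id])
```

The pending entry is removed on the first answer, so a replayed RES for the same UserID yields no key, and a RES computed over a different SessionID fails the comparison because the SessionID is part of the HMAC input.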
In the group authentication stage, using the public and private keys of all ends obtained in the preceding steps, mutual authentication of the three ends is realized mainly on the basis of a challenge-response mechanism.
As shown in Fig. 4, at this stage the user end first needs to authenticate the access network end again. In carrying out the application, the applicant found that the related art generally authenticates only the identification code, and that such authentication is vulnerable to an attacker forging the identification code. Therefore, the applicant proposes overlapping authentication using the identification code, the session identification code and the public and private key of each end, so as to avoid malicious attacks.
Here, the user end first sends the user end session identification code to the access network end. In some embodiments, the user end session identification code $\mathrm{Seed}_i$ is generated from a random number seed. $\mathrm{Seed}_i$ is used in the subsequent signing process and serves as an identifier during the session with the core network end, protecting against replay attacks.
The access network end receives the user end session identification code and at the same time generates an access network end session identification code SessionID from a random number. Different ways of generating $\mathrm{Seed}_i$ and SessionID can achieve the corresponding purpose, and different methods do not affect the protection scope of the application. Then, the access network end calculates the first verification signature $\mathrm{res} = (z, r)$ from $\mathrm{Seed}_i$, SessionID and the public and private key pair of the access network end through a lattice-based signature algorithm. The access network end sends the first verification signature $\mathrm{res} = (z, r)$ to the user end. In some embodiments, the access network end also sends its session identification code SessionID to the user end at the same time.
After receiving the above content sent by the access network end, the user end first verifies the first verification signature. In response to determining that the first verification signature passes verification, the user end sends the user end data packet to the access network end. In some embodiments, the user end data packet is encrypted before being sent to the access network end. In some embodiments, the encryption uses GroupID as the public key.
The access network end may perform the above verification with multiple user ends at the same time, so it may receive multiple user end data packets. The user end data packets correspond one-to-one with the user ends, and the access network end distinguishes different user ends by their data packets.
The access network end processes the received user end data packets and assembles them into a user end identification code table UserID_LIST and a user end session identification code table Seed_LIST. In some embodiments, if a user end data packet was transmitted in encrypted form, it is decrypted. In some embodiments, after the two tables are obtained, they are sent to the core network end together with the access network end session identification code SessionID. In some embodiments, the two tables are encrypted before being sent to the core network end. In some embodiments, they are encrypted with PLMNid as the public key before being sent to the core network end.
The core network end, in response to the user end identification code table passing verification, generates a response value from the received access network end session identification code and the public and private key pair of the core network end, and generates a challenge value. In some embodiments, the response value is obtained through a lattice-based signature algorithm. In some embodiments, the response value may be compressed. In some embodiments, the challenge value may be randomly generated. Finally, the core network end sends the challenge value and the response value to the user end and the access network end. Different methods of generating the random value and the response value do not affect the protection scope of the invention, as long as the corresponding purpose is achieved.
The user end first verifies the response value. In response to determining that the response value passes verification, the user end calculates the user end signature pair $\langle z_i, r_i \rangle$ from the user end identification code UserID, the challenge value $R_2$ and the user end session identification code (the random seed) $\mathrm{Seed}_i$. In some embodiments, the user end signature may be calculated with a lattice signature calculation method. Different signature generation methods can achieve the corresponding purpose, and different methods do not affect the protection scope of the invention. After the user end generates the signature pair, it is sent to the access network end.
The access network end also receives the response value and first verifies it. In response to determining that the response value passes verification, it generates the access network end signature from the challenge value and the public and private key pair of the access network end, and generates the total user end signature from the at least one received user end signature. In some embodiments, the total user end signature is obtained through a signature aggregation algorithm. In some embodiments, the access network end signature is the signature over the challenge value with the access network end private key $Sk_G$. In some embodiments, the total user end signature may be compressed. In some embodiments, the access network end signature may be compressed. Finally, the obtained access network end signature and total user end signature are sent to the core network end.
The core network end, in response to determining that the access network end signature and the total user end signature pass verification, generates at least one session key from the user end session identification code table and the root key. In some embodiments, the core network end verifies by computing $c_i = H_1(\mathrm{UserID}_i, R_2, \mathrm{Seed}_i)$ and determining that verification passes when the resulting $c_i$ satisfies the verification equation whose left-hand side is $z_0 + h \cdot {}$ (the remainder of the equation is not legible in the source). In this verification process, if verification passes, all user ends in the group are verified. In some embodiments, the session key is generated from Seed_LIST and the root key $k$.
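The verification identity the page uses throughout, $z_0 + z_1 \cdot h = H_0(\mathrm{id})\, c + r$, together with the key relation $s_1 + s_2 \cdot h = H(\mathrm{id})$ from the initialization stage, carried through the group authentication exchange of Fig. 4 in Python, as an added example that is not the patent's code. The ring is $\mathbb{Z}_q[x]/(x^N + 1)$ with the page's $q = 12289$; $N$ is reduced to 64 (an assumption, the page suggests 512 or 1024) so the schoolbook arithmetic runs quickly, and $H_0$/$H_1$ are modelled with SHAKE256. Key extraction is a toy that omits the lattice trapdoor (the master key $B$): it produces a pair satisfying the key relation but $s_1$ is not short, so the toy is insecure and only shows how the equations close. The signature aggregation (coefficient-wise sum of the $z$ parts) and the session key derivation (SHA-256 over $k_i$ and $\mathrm{Seed}_i$) are assumptions, since the page does not specify them, and all identifiers and keys are constructed.

```python
# Added example, not the patent's code; identifiers and keys are constructed.
import hashlib
import secrets

N = 64       # ring degree N = 2^k; assumption: the page suggests 512 or 1024, reduced for speed
Q = 12289    # modulus q from the page; q is prime and q = 1 (mod 2048), so an NTT exists up to N = 1024

def ring_mul(a, b):
    # schoolbook product in Z_q[x]/(x^N + 1): x^N wraps around with a sign flip
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                out[k] = (out[k] + ai * bj) % Q
            else:
                out[k - N] = (out[k - N] - ai * bj) % Q
    return out

def ring_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def ring_sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]

def poly_bytes(p):
    return b"".join((x % Q).to_bytes(2, "big") for x in p)

def hash_to_ring(tag, *parts):
    # stand-in for the page's H0 (tag b"H0") and H1 (tag b"H1"): SHAKE256 expanded to N coefficients
    digest = hashlib.shake_256(tag + b"|".join(parts)).digest(2 * N)
    return [int.from_bytes(digest[2 * i:2 * i + 2], "big") % Q for i in range(N)]

def small_poly():
    # ternary coefficients stand in for the "short" polynomials of the lattice scheme
    return [secrets.randbelow(3) - 1 for _ in range(N)]

def setup():
    # public key h; the page's master key B (a lattice trapdoor) is not modelled
    return [secrets.randbelow(Q) for _ in range(N)]

def extract(h, ident):
    # TOY key extraction: (s1, s2) with s1 + s2*h = H0(ident). Without the trapdoor B,
    # s1 is not short, so this is NOT secure; it only shows how the equations close.
    s2 = small_poly()
    s1 = ring_sub(hash_to_ring(b"H0", ident), ring_mul(s2, h))
    return s1, s2

def key_ok(h, ident, sk):
    s1, s2 = sk
    return ring_add(s1, ring_mul(s2, h)) == hash_to_ring(b"H0", ident)

def sign(h, sk, ident, *msg):
    # r = y1 + y2*h, c = H1(ident, r, msg), z = (y1 + s1*c, y2 + s2*c); signature <z, r>
    s1, s2 = sk
    y1, y2 = small_poly(), small_poly()
    r = ring_add(y1, ring_mul(y2, h))
    c = hash_to_ring(b"H1", ident, poly_bytes(r), *msg)
    return ring_add(y1, ring_mul(s1, c)), ring_add(y2, ring_mul(s2, c)), r

def verify(h, ident, sig, *msg):
    # accept iff z0 + z1*h == H0(ident)*c + r; needs only the identifier, not a certificate
    z0, z1, r = sig
    c = hash_to_ring(b"H1", ident, poly_bytes(r), *msg)
    return ring_add(z0, ring_mul(z1, h)) == ring_add(ring_mul(hash_to_ring(b"H0", ident), c), r)

def aggregate(sigs):
    # assumed aggregation (page does not spell it out): coefficient-wise sums of z0, z1; each r_i kept
    z0, z1 = [0] * N, [0] * N
    for a, b, _ in sigs:
        z0, z1 = ring_add(z0, a), ring_add(z1, b)
    return z0, z1, [r for _, _, r in sigs]

def verify_aggregate(h, total, idents, msgs):
    # Z0 + Z1*h must equal the sum over i of H0(UserID_i)*c_i + r_i, c_i = H1(UserID_i, R2, Seed_i)
    z0, z1, rs = total
    rhs = [0] * N
    for ident, msg, r in zip(idents, msgs, rs):
        c = hash_to_ring(b"H1", ident, poly_bytes(r), *msg)
        rhs = ring_add(rhs, ring_add(ring_mul(hash_to_ring(b"H0", ident), c), r))
    return ring_add(z0, ring_mul(z1, h)) == rhs

def group_authentication(h, plmn, group, users):
    # users: {UserID: (Sk_U, root key k)} obtained in the registration stage; returns each check's result
    sk_h, sk_g = extract(h, plmn), extract(h, group)
    seeds = {u: secrets.token_bytes(16) for u in users}     # Seed_i, fresh per run (replay protection)
    session_id = secrets.token_bytes(16)                    # access network end SessionID
    # 1. access network end proves itself to each user end: res = Sign(Sk_G, [Seed_i, SessionID])
    an_ok = all(verify(h, group, sign(h, sk_g, group, seeds[u], session_id), seeds[u], session_id) for u in users)
    # 2. core network end answers the tables with a response value over SessionID and a challenge R2
    r2 = secrets.token_bytes(16)
    resp_ok = verify(h, plmn, sign(h, sk_h, plmn, session_id), session_id)
    # 3. each user end signs (UserID_i, R2, Seed_i); the access network end signs R2 and aggregates
    total = aggregate([sign(h, users[u][0], u, r2, seeds[u]) for u in users])
    an_sig = sign(h, sk_g, group, r2)
    # 4. core network end verifies both, then derives one session key per user end from Seed_i and k_i
    core_ok = verify(h, group, an_sig, r2) and verify_aggregate(h, total, list(users), [(r2, seeds[u]) for u in users])
    keys = {u: hashlib.sha256(users[u][1] + seeds[u]).hexdigest() for u in users} if core_ok else {}
    return an_ok, resp_ok, core_ok, keys
```

`verify_aggregate` fails if any member's signature was made over a different $R_2$ or $\mathrm{Seed}_i$, which is what lets the single check at the core network end cover the whole group; in a real deployment the core network end would additionally refuse a $\mathrm{Seed}_i$ it has already seen, since the identity itself does not detect replays.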
For convenience of description, the above devices are described as being functionally divided into various modules, respectively. Of course, the functions of each module may be implemented in the same piece or pieces of software and/or hardware when implementing the present application.
The device of the foregoing embodiment is configured to implement the corresponding access authentication method in any of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiment, which is not described herein.
Based on the same inventive concept, the application also provides an electronic device corresponding to the method of any embodiment, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor realizes the access authentication method of any embodiment when executing the program.
Fig. 5 shows a more specific hardware architecture of an electronic device according to this embodiment, where the device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040 and a bus 1050. The processor 1010, the memory 1020, the input/output interface 1030 and the communication interface 1040 are communicatively connected to one another within the device via the bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit ), microprocessor, application specific integrated circuit (Application Specific Integrated Circuit, ASIC), or one or more integrated circuits, etc. for executing relevant programs to implement the technical solutions provided in the embodiments of the present disclosure.
The Memory 1020 may be implemented in the form of ROM (Read Only Memory), RAM (Random Access Memory ), static storage device, dynamic storage device, or the like. Memory 1020 may store an operating system and other application programs, and when the software or firmware implements the techniques described herein, the associated program code is stored in memory 1020 and executed by processor 1010.
The input/output interface 1030 is used to connect with an input/output module for inputting and outputting information. The input/output module may be configured as a component in a device (not shown) or may be external to the device to provide corresponding functionality. Wherein the input devices may include a keyboard, mouse, touch screen, microphone, various types of sensors, etc., and the output devices may include a display, speaker, vibrator, indicator lights, etc.
Communication interface 1040 is used to connect communication modules (not shown) to enable communication interactions of the present device with other devices. The communication module may implement communication in a wired manner (e.g., USB, network cable, etc.), or may implement communication in a wireless manner (e.g., mobile network, WIFI, bluetooth, etc.).
Bus 1050 includes a path for transferring information between components of the device (e.g., processor 1010, memory 1020, input/output interface 1030, and communication interface 1040).
It should be noted that although the above-described device only shows processor 1010, memory 1020, input/output interface 1030, communication interface 1040, and bus 1050, in an implementation, the device may include other components necessary to achieve proper operation. Furthermore, it will be understood by those skilled in the art that the above-described apparatus may include only the components necessary to implement the embodiments of the present description, and not all the components shown in the drawings.
The electronic device of the foregoing embodiment is configured to implement the corresponding XX method in any of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiment, which is not described herein.
Based on the same inventive concept, the present application also provides a non-transitory computer readable storage medium storing computer instructions for causing the computer to perform the access authentication method according to any of the embodiments above, corresponding to the method of any of the embodiments above.
The computer readable media of the present embodiments, including both permanent and non-permanent, removable and non-removable media, may be used to implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static Random Access Memory (SRAM), dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), read Only Memory (ROM), electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device.
The storage medium of the foregoing embodiments stores computer instructions for causing the computer to perform the access authentication method according to any one of the foregoing embodiments, and has the advantages of the corresponding method embodiments, which are not described herein.
Those of ordinary skill in the art will appreciate that: the discussion of any of the embodiments above is merely exemplary and is not intended to suggest that the scope of the application (including the claims) is limited to these examples; the technical features of the above embodiments or in the different embodiments may also be combined within the idea of the application, the steps may be implemented in any order, and there are many other variations of the different aspects of the embodiments of the application as described above, which are not provided in detail for the sake of brevity.
Additionally, well-known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown within the provided figures, in order to simplify the illustration and discussion, and so as not to obscure the embodiments of the present application. Furthermore, the devices may be shown in block diagram form in order to avoid obscuring the embodiments of the present application, and also in view of the fact that specifics with respect to implementation of such block diagram devices are highly dependent upon the platform within which the embodiments of the present application are to be implemented (i.e., such specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the application, it should be apparent to one skilled in the art that embodiments of the application can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative in nature and not as restrictive.
While the application has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of those embodiments will be apparent to those skilled in the art in light of the foregoing description. For example, other memory architectures (e.g., dynamic RAM (DRAM)) may use the embodiments discussed.
The present embodiments are intended to embrace all such alternatives, modifications and variances which fall within the broad scope of the appended claims. Therefore, any omissions, modifications, equivalent substitutions, improvements, and the like, which are within the spirit and principles of the embodiments of the application, are intended to be included within the scope of the application.

Claims (10)

1. An access authentication method, applied to an access authentication system, characterized in that the access authentication system comprises a user side, an access network side and a core network side;
the method comprises the following steps:
the core network side receives a user side identification code table, a user side session identification code table and an access network side session identification code sent by the access network side, and, in response to determining that the user side identification code table passes verification, generates a response value from the access network side session identification code by a lattice-based signature algorithm and randomly generates a challenge value; access network side session identification codes correspond one-to-one to access network sides;
the user side, in response to determining that the response value passes verification, generates a user side signature from the challenge value by a lattice-based signature algorithm;
the access network side, in response to determining that the response value passes verification, generates an access network side signature from the challenge value by a lattice-based signature algorithm, and generates a total user side signature from the at least one received user side signature by a signature aggregation algorithm;
and the core network side, in response to determining that the access network side signature and the total user side signature pass verification, generates at least one session key from the user side session identification code table and a root key.
2. The access authentication method according to claim 1, wherein, before the core network side receives the user side identification code table, the user side session identification code table and the access network side session identification code sent by the access network side, the method further comprises:
the access network side receives at least one user side data packet and generates the user side identification code table and the user side session identification code table from all received user side data packets; each user side data packet comprises a user side identification code and a user side session identification code; user side identification codes and user side session identification codes correspond one-to-one to user sides;
and the access network side sends the user side identification code table, the user side session identification code table and the access network side session identification code to the core network side.
3. The access authentication method according to claim 2, wherein, before the access network side receives the at least one user side data packet, the method further comprises:
the user side sends its user side session identification code to the access network side;
the access network side receives the user side session identification code and generates a first verification signature from the user side session identification code;
and the user side, in response to determining that the first verification signature passes verification, sends the user side data packet to the access network side.
4. The access authentication method according to claim 3, wherein the step of generating the public-private key pair of the core network side comprises:
the core network side generates a first preset value n = 2^k and a second preset value q, sets the first preset value n = 2^k as the ring parameter, and takes q as the modulus of the polynomial coefficients on that ring;
the core network side obtains a master key of the core network side from the first preset value and the second preset value by a lattice-based master key generation algorithm;
and the core network side generates its public key and private key from the master key and the core network side identification code by a lattice-based key extraction algorithm.
5. The access authentication method according to claim 3, wherein the step of generating the public-private key pair of the access network side comprises:
the core network side generates the public-private key pair of the access network side from the master key by a lattice-based key extraction algorithm;
and the access network side obtains its public-private key pair.
6. The access authentication method according to claim 3, wherein the step of generating the private key of the user side comprises:
the user side sends the user side data packet to the core network side;
the core network side receives the user side data packet and, in response to determining that the user side data packet passes verification, generates a second verification signature from the user side data packet by a lattice-based signature algorithm, randomly generates a verification challenge value, and sends the second verification signature and the verification challenge value to the user side;
the user side, in response to determining that the second verification signature passes verification, generates a verification response value from a root key and sends the verification response value to the core network side;
the core network side, in response to determining that the verification response value passes verification, generates the public-private key pair of the user side from the master key and the user side identification code of that user side by a lattice-based key extraction algorithm, and sends the public-private key pair to the user side;
and the user side receives its public-private key pair.
7. The access authentication method according to claim 3, wherein the step of generating the private key of the user side further comprises:
the user side sends the user side data packet to the access network side;
the access network side receives the user side data packet and forwards it to the core network side;
the core network side receives the user side data packet and, in response to determining that the user side data packet passes verification, generates a second verification signature from the user side data packet by a lattice-based signature algorithm, randomly generates a verification challenge value, and sends the second verification signature and the verification challenge value to the access network side;
the access network side receives the second verification signature and the verification challenge value and forwards them to the user side;
the user side, in response to determining that the second verification signature passes verification, generates a verification response value from a root key and sends the verification response value to the access network side;
the access network side receives the verification response value and forwards it to the core network side;
the core network side, in response to determining that the verification response value passes verification, generates the public-private key pair of the user side from the master key and the user side identification code of that user side by a lattice-based key extraction algorithm, and sends the public-private key pair to the access network side;
the access network side receives the public-private key pair of the user side and forwards it to the user side;
and the user side receives its public-private key pair.
8. An access authentication system, comprising:
a core network side, configured to receive a user side identification code table, a user side session identification code table and an access network side session identification code sent by an access network side, and, in response to determining that the user side identification code table passes verification, to generate a response value from the access network side session identification code by a lattice-based signature algorithm and randomly generate a challenge value, wherein access network side session identification codes correspond one-to-one to access network sides; and, in response to determining that an access network side signature and a total user side signature pass verification, to generate at least one session key from the user side session identification code table and a root key;
a user side, configured to generate, in response to determining that the response value passes verification, a user side signature from the challenge value by a lattice-based signature algorithm;
and the access network side, configured to generate, in response to determining that the response value passes verification, the access network side signature from the challenge value by a lattice-based signature algorithm, and to generate the total user side signature from the at least one received user side signature by a signature aggregation algorithm.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any one of claims 1 to 7 when executing the program.
10. A non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the method of any one of claims 1 to 7.
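The three-party flow of claims 1 to 3 (table collection, response and challenge, per-party signatures, aggregation, session key derivation) together with the identifier-bound key extraction of claims 4 to 6, as an added Python illustration that is not part of the patent. The lattice-based signature, key extraction and signature aggregation are replaced by HMAC stand-ins (so the verifying party holds the signer's key, which is why the core, holding the master key, can recompute every user key and check the aggregate); all identifiers, keys and the `ue-*`/`gnb-*` names are constructed sample values.

```python
import hmac, hashlib, secrets

# Constructed sample secrets and registration database (not real provisioning data).
MASTER_KEY = b"core-master-key-demo"   # core master key, claim 4
ROOT_KEY = b"root-key-demo"            # root key used for session-key derivation, claim 1
CORE_ID = b"core-01"
REGISTERED = {b"ue-1", b"ue-2", b"ue-3"}  # user sides whose keys were extracted (claim 6)

def extract_key(master: bytes, ident: bytes) -> bytes:
    """Stand-in for lattice-based key extraction: a key bound to an identifier."""
    return hmac.new(master, ident, hashlib.sha256).digest()

def sign(key: bytes, msg: bytes) -> bytes:
    """Stand-in for the lattice-based signature (MAC under the signer's key)."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def aggregate(sigs) -> bytes:
    """Stand-in for signature aggregation: XOR of the individual tags (order-independent)."""
    out = bytes(32)
    for s in sigs:
        out = bytes(a ^ b for a, b in zip(out, s))
    return out

def derive_session_key(session_id: bytes) -> bytes:
    """Session key from the user side session identifier and the root key (claim 1)."""
    return hmac.new(ROOT_KEY, session_id, hashlib.sha256).digest()

def run_access_auth(users, an_id: bytes, tamper: bool = False):
    """users: list of (user_id, user_session_id). Returns {session_id: key} or None on failure."""
    core_key, an_key = extract_key(MASTER_KEY, CORE_ID), extract_key(MASTER_KEY, an_id)
    core_db = {uid: extract_key(MASTER_KEY, uid) for uid in REGISTERED}  # core can rederive keys
    # Claim 2: the access network side collects user packets into the two tables.
    id_table, sess_table = [u for u, _ in users], [s for _, s in users]
    an_sess = secrets.token_bytes(8)
    # Claim 1, core: verify the id table (every id registered), issue response and challenge.
    if any(uid not in core_db for uid in id_table):
        return None
    response, challenge = sign(core_key, an_sess), secrets.token_bytes(16)
    # User sides and access network side verify the response, then each signs the challenge.
    if not hmac.compare_digest(response, sign(core_key, an_sess)):
        return None
    user_sigs = [sign(core_db[uid], challenge) for uid in id_table]  # each user uses own key
    an_sig, total_sig = sign(an_key, challenge), aggregate(user_sigs)
    if tamper:
        total_sig = bytes(b ^ 1 for b in total_sig)  # simulate an altered aggregate in transit
    # Core: check the access network signature and the aggregated user signature.
    expected = aggregate(sign(core_db[uid], challenge) for uid in id_table)
    if not (hmac.compare_digest(an_sig, sign(an_key, challenge))
            and hmac.compare_digest(total_sig, expected)):
        return None
    return {sid: derive_session_key(sid) for sid in sess_table}
```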
CN202310614782.7A 2023-05-26 2023-05-26 Access authentication method and related equipment Pending CN116846560A (en)


Publications (1)

Publication Number Publication Date
CN116846560A true CN116846560A (en) 2023-10-03



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination