CN117411647A - Satellite communication authentication method and system and satellite communication encryption method

Info

Publication number
CN117411647A
Authority
CN
China
Prior art keywords
authentication
key
satellite terminal
information
management platform
Legal status
Pending
Application number
CN202210795098.9A
Other languages
Chinese (zh)
Inventor
王丙磊
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3273 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
    • H04B TRANSMISSION
    • H04B7/00 Radio transmission systems, i.e. using radiation field
    • H04B7/14 Relay systems
    • H04B7/15 Active relay systems
    • H04B7/185 Space-based or airborne stations; Stations for satellite systems
    • H04B7/18578 Satellite systems for providing broadband data service to individual earth stations


Abstract

The application discloses a satellite communication authentication method and system and a satellite communication encryption method. The method comprises: receiving first authentication information sent by a satellite terminal, the first authentication information comprising first encryption information encrypted with a first key held in a security chip, a first identifier of the security chip and a second identifier of the first key; sending the first authentication information to a key management platform, which decrypts the first encryption information to authenticate the satellite terminal and, once authentication passes, generates second authentication information comprising second encryption information encrypted with a second key associated with the security chip, the first identifier and a third identifier of the second key; and receiving the second authentication information from the key management platform and forwarding it to the satellite terminal, which decrypts the second encryption information to authenticate the key management platform. The method and system solve the technical problem that the related art cannot perform identity authentication in a satellite network efficiently and securely.

Description

Satellite communication authentication method and system and satellite communication encryption method
Technical Field
The application relates to the technical field of communication security, in particular to a satellite communication authentication method and system and a satellite communication encryption method.
Background
Satellite mobile communication, with its advantages of wide coverage and independence from geographical conditions, is widely applied in areas that ground communication systems cover with difficulty or only at excessive construction cost. Satellite data terminal products exist, but a large number of handheld terminals still have no dedicated data channel. Meanwhile, when a symmetric key system is used to implement voice encryption, key agreement suffers from the mismatch between the satellite channel and the key management platform channel, and the authentication protocol requires many interactions, so the whole exchange has too many round trips, poor security and low authentication efficiency.
In view of the above problems, no effective solution has been proposed at present.
Disclosure of Invention
The embodiment of the application provides a satellite communication authentication method and system and a satellite communication encryption method, which at least solve the technical problem that the related technology cannot efficiently and safely perform identity authentication in a satellite network.
According to an aspect of the embodiments of the present application, there is provided a satellite communication authentication method, including: receiving first authentication information sent by a satellite terminal, wherein the first authentication information comprises: first encryption information encrypted by the satellite terminal with a first key in the security chip, a first identifier of the security chip and a second identifier of the first key, wherein the security chip holds a key set filled by a key management platform; sending the first authentication information to the key management platform, wherein the key management platform is used for determining the first key according to the first identifier and the second identifier and decrypting the first encryption information so as to authenticate the satellite terminal, and, after the authentication is passed, generating second authentication information, wherein the second authentication information comprises: second encryption information encrypted by the key management platform with a second key associated with the security chip, the first identifier and a third identifier of the second key; and receiving the second authentication information sent by the key management platform and forwarding it to the satellite terminal, wherein the satellite terminal is used for determining the second key according to the first identifier and the third identifier and decrypting the second encryption information so as to authenticate the key management platform.
Optionally, the first encryption information includes: a first random number generated by the satellite terminal, a fourth identifier of the key management platform and the first identifier; the second encryption information includes: a second random number generated by the key management platform, the first random number, the fourth identifier and the first identifier.
Optionally, before sending the first authentication information to the key management platform, the method further comprises: performing a preliminary check on the first authentication information, wherein the preliminary check includes at least one of: checking the service life cycle of the satellite terminal, and checking the binding relation between the satellite terminal and the security chip; when the preliminary check passes, continuing to send the first authentication information to the key management platform; and when the preliminary check fails, feeding back authentication failure information to the satellite terminal and stopping the authentication flow.
Optionally, after the key management platform authenticates the satellite terminal, the method further comprises: receiving an authentication result fed back by the key management platform; when the authentication result is that authentication has passed, feeding back authentication success information to the satellite terminal and continuing to receive the second authentication information sent by the key management platform; and when the authentication result is that authentication has failed, feeding back authentication failure information to the satellite terminal and stopping the authentication flow.
Optionally, before receiving the first authentication information sent by the satellite terminal, the method further includes: receiving authentication service opening information sent by the satellite terminal, wherein the authentication service opening information comprises: third encryption information encrypted by the satellite terminal with a third key in the security chip, the first identifier and a fifth identifier of the third key; transmitting the authentication service opening information to the key management platform, wherein the key management platform is used for determining the third key according to the first identifier and the fifth identifier and decrypting the third encryption information to obtain decryption information; and receiving the decryption information sent by the key management platform, and opening the authentication service authority of the satellite terminal based on the decryption information.
Optionally, the third encryption information includes: a third random number generated by the satellite terminal, terminal information of the satellite terminal and a first identifier; the decryption information at least comprises: terminal information of the satellite terminal; opening the authentication service authority of the satellite terminal based on the decryption information, comprising: binding the terminal information of the satellite terminal with the first identifier of the security chip, and opening the authentication service authority of the satellite terminal.
Optionally, the first authentication information and the second authentication information are both transmitted over a satellite channel.
According to another aspect of the embodiments of the present application, there is further provided a satellite communication encryption method, including: in response to a service request in which a first satellite terminal calls a second satellite terminal, authenticating the first satellite terminal and the second satellite terminal respectively using the satellite communication authentication method; when the authentication is passed, applying to the key management platform for a working key, encrypting the working key with the filling keys associated with the first satellite terminal and the second satellite terminal, and issuing the encrypted working key to the first satellite terminal and the second satellite terminal; and encrypting the communication data with the working key during the communication between the first satellite terminal and the second satellite terminal.
According to another aspect of the embodiments of the present application, there is also provided a satellite communication authentication system, including: a satellite terminal, a proxy authentication platform and a key management platform, wherein the satellite terminal is used for generating first authentication information, and the first authentication information comprises: first encryption information encrypted by the satellite terminal with a first key in the security chip, a first identifier of the security chip and a second identifier of the first key, wherein the security chip holds a key set filled by the key management platform; the proxy authentication platform is used for receiving the first authentication information sent by the satellite terminal and sending it to the key management platform; the key management platform is used for determining the first key according to the first identifier and the second identifier and decrypting the first encryption information so as to authenticate the satellite terminal, and, after the authentication is passed, generating second authentication information, wherein the second authentication information comprises: second encryption information encrypted by the key management platform with a second key associated with the security chip, the first identifier and a third identifier of the second key; the proxy authentication platform is also used for receiving the second authentication information sent by the key management platform and forwarding it to the satellite terminal; and the satellite terminal is further used for determining the second key according to the first identifier and the third identifier and decrypting the second encryption information so as to authenticate the key management platform.
According to another aspect of the embodiments of the present application, there is also provided an electronic device including: the system comprises a memory and a processor, wherein the memory stores a computer program, and the processor is configured to execute the satellite communication authentication method or the satellite communication encryption method through the computer program.
In this embodiment of the present application, first authentication information sent by a satellite terminal is received, the first authentication information comprising: first encryption information encrypted by the satellite terminal with a first key in the security chip, a first identifier of the security chip and a second identifier of the first key; the first authentication information is sent to the key management platform, which determines the first key according to the first identifier and the second identifier and decrypts the first encryption information so as to authenticate the satellite terminal and, after the authentication is passed, generates second authentication information; finally, the second authentication information sent by the key management platform is received and forwarded to the satellite terminal. Authentication between the satellite terminal and the key management platform is thus completed over the satellite network with a symmetric key system, which improves authentication efficiency; and because the keys pre-filled in the security chip serve as the authentication information, one key is consumed per authentication, which solves the technical problem that the related art cannot perform identity authentication in a satellite network efficiently and securely.
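The mutual authentication exchange summarised above (first authentication information from the terminal, decryption and reply by the key management platform, verification of the reply by the terminal), as an added Go example that is not part of the patent or of China Telecom's implementation. It assumes AES-GCM as the symmetric cipher, a '|'-separated plaintext layout, and that the second key is the next serial in the chip's key set; none of these is specified by the patent, and the proxy platform's forwarding and preliminary checks are left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// AuthMsg is one unit on the satellite channel: chip id, serial of the key used and
// the ciphertext (nonce prepended). AES-GCM and the '|' field layout are assumptions.
type AuthMsg struct{ ChipID string; Serial int; Box []byte }
// Chip is a filled key set (serial -> 16-byte key) with spend tracking, so each key
// serves exactly one authentication. The terminal holds it; the KMP holds a copy.
type Chip struct {
	Keys map[int][]byte
	Used map[int]bool
}
// key hands out the key for a serial once; a nil chip (unknown chip id) never does.
func (c *Chip) key(serial int) ([]byte, error) {
	if c == nil || c.Keys[serial] == nil || c.Used[serial] {
		return nil, errors.New("unknown chip or key serial, or key already spent")
	}
	c.Used[serial] = true
	return c.Keys[serial], nil
}
func seal(key []byte, fields ...string) []byte {
	b, _ := aes.NewCipher(key) // cannot fail: Provision only makes 16-byte keys
	g, _ := cipher.NewGCM(b)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return append(nonce, g.Seal(nil, nonce, []byte(strings.Join(fields, "|")), nil)...)
}
func open(key, box []byte) ([]string, error) {
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	if len(box) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	p, err := g.Open(nil, box[:g.NonceSize()], box[g.NonceSize():], nil)
	return strings.Split(string(p), "|"), err
}
func randHex() string { r := make([]byte, 16); rand.Read(r); return fmt.Sprintf("%x", r) }
type Terminal struct{ ChipID string; Chip *Chip; nonce1 string }
// FirstAuth sends E_K1(random1 | KMP id | chip id) with chip id and K1's serial in clear.
func (t *Terminal) FirstAuth(serial int, kmpID string) (AuthMsg, error) {
	k, err := t.Chip.key(serial)
	if err != nil {
		return AuthMsg{}, err
	}
	t.nonce1 = randHex()
	return AuthMsg{t.ChipID, serial, seal(k, t.nonce1, kmpID, t.ChipID)}, nil
}
// VerifyKMP opens the reply with K2 (named by its serial) and requires random1 and
// both identifiers to come back, which only a holder of the filled key set can do.
func (t *Terminal) VerifyKMP(msg AuthMsg, kmpID string) error {
	k, err := t.Chip.key(msg.Serial)
	if err != nil {
		return err
	}
	f, err := open(k, msg.Box)
	if err != nil || len(f) != 4 || f[1] != t.nonce1 || f[2] != kmpID || f[3] != t.ChipID {
		return errors.New("terminal: KMP authentication failed")
	}
	return nil
}
type KMP struct{ ID string; Chips map[string]*Chip }
// Authenticate opens the first message with K1, checks the identifiers, then replies
// with E_K2(random2 | random1 | KMP id | chip id); K2 is the next serial (assumed rule).
func (m *KMP) Authenticate(msg AuthMsg) (AuthMsg, error) {
	c := m.Chips[msg.ChipID]
	k, err := c.key(msg.Serial)
	if err != nil {
		return AuthMsg{}, err
	}
	f, err := open(k, msg.Box)
	if err != nil || len(f) != 3 || f[1] != m.ID || f[2] != msg.ChipID {
		return AuthMsg{}, errors.New("kmp: terminal authentication failed")
	}
	k2, err := c.key(msg.Serial + 1)
	if err != nil {
		return AuthMsg{}, err
	}
	return AuthMsg{msg.ChipID, msg.Serial + 1, seal(k2, randHex(), f[0], m.ID, msg.ChipID)}, nil
}
// Provision models key filling for one constructed chip: n random keys, the same set
// on both sides. The proxy's relaying and preliminary checks are not modelled here.
func Provision(kmp *KMP, chipID string, n int) *Terminal {
	t := &Terminal{ChipID: chipID, Chip: &Chip{map[int][]byte{}, map[int]bool{}}}
	kmp.Chips[chipID] = &Chip{map[int][]byte{}, map[int]bool{}}
	for s := 1; s <= n; s++ {
		k := make([]byte, 16)
		rand.Read(k)
		t.Chip.Keys[s], kmp.Chips[chipID].Keys[s] = k, k
	}
	return t
}
```

A replayed first message fails at the KMP because its key serial is already spent, which is the "one key per authentication" property the patent relies on.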
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application. In the drawings:
FIG. 1 is a schematic structural diagram of a satellite communication authentication system according to an embodiment of the present application;
FIG. 2 is a schematic diagram of an alternative satellite communications authentication system according to an embodiment of the present application;
FIG. 3 is a schematic diagram of an alternative satellite communications authentication system according to an embodiment of the present application;
FIG. 4 is a flow chart of a satellite communication authentication method according to an embodiment of the present application;
FIG. 5 is a schematic flow chart of an alternative method for opening satellite communication authentication service rights according to an embodiment of the present application;
FIG. 6 is a flow chart of an alternative satellite communication authentication method according to an embodiment of the present application;
FIG. 7 is a flow chart of a satellite communication encryption method according to an embodiment of the present application.
Detailed Description
In order to make the present application solution better understood by those skilled in the art, the following description will be made in detail and with reference to the accompanying drawings in the embodiments of the present application, it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, shall fall within the scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that embodiments of the present application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
For a better understanding of the embodiments of the present application, some terms and translated terms that appear in the description of the embodiments are explained as follows:
Satellite terminal: a communication terminal that acts as the user terminal in a mobile satellite communication system. The satellite terminal can take different forms, such as a handheld terminal or a vehicle-mounted terminal, and is fitted with a wireless transceiver antenna through which the end user's communication state is set and acquired so that communication can be completed.
Key management platform: completes all key-related functions in the satellite terminal communication process, including key filling, key issuing and medium authentication. When the satellite terminal accesses the network, key filling and key issuing are completed through a TF card, and the keys are stored in a security chip in the TF card. The filled keys are mainly used in the entity authentication step of call services, and provide cryptographic operation and medium authentication capability to the proxy authentication platform during authentication.
TF card (Trans-flash card): later formally renamed the Micro SD card, it is mainly used in mobile phones. It is a very small flash memory card that is widely used in GPS devices, portable music players and some flash drives because of its small size and ever-increasing storage capacity.
Security chip: a security medium certified by the national commercial cryptography administration and possessing security protection capability. The security chip interfaces with the key management platform to implement key filling; the key in the security chip serves as the authentication key for identity authentication with the key management platform, with one key per authentication and a session key issued per session (one-time key).
Proxy authentication platform: completes authentication between the calling terminal and the called terminal in satellite communication services. It solves the mismatch between satellite channel coding and the protocols supported by a traditional key management platform during authentication and authorization. The proxy authentication platform stores the security chip ID, key identification, user provisioning information and the like of the satellite terminal's TF card; during authentication it matches the user information against the key identification and calls the key management platform to perform the encryption and decryption of the authentication data.
Satellite channel: a communication channel that uses satellites and ground stations as relays and microwaves as the transmission medium, providing coverage to any region of the world uniformly and independently of distance.
Example 1
According to an embodiment of the present application, there is provided a satellite communication authentication system, as shown in fig. 1, the system at least includes a satellite terminal 11, a proxy authentication platform 12 and a key management platform 13, wherein:
the satellite terminal 11 is configured to generate first authentication information, where the first authentication information includes: first encryption information encrypted by the satellite terminal 11 with a first key in the security chip, the first identification of the security chip, and the second identification of the first key, wherein the security chip holds the key set filled by the key management platform 13.
The proxy authentication platform 12 is configured to receive the first authentication information sent by the satellite terminal 11, and send the first authentication information to the key management platform 13.
The key management platform 13 is configured to determine the first key according to the first identification and the second identification and decrypt the first encrypted information to authenticate the satellite terminal 11; after the authentication is passed, it generates second authentication information, where the second authentication information includes: second encryption information encrypted by the key management platform 13 with a second key associated with the security chip, the first identification, and the third identification of the second key.
The proxy authentication platform 12 is further configured to receive the second authentication information sent by the key management platform 13, and forward the second authentication information to the satellite terminal 11.
The satellite terminal 11 is further configured to determine a second key according to the first identifier and the third identifier and decrypt the second encrypted information to authenticate the key management platform 13.
Fig. 2 shows a schematic structural diagram of an alternative satellite communication authentication system. As shown in fig. 2, the satellite terminal connects to the proxy authentication platform through a satellite channel to complete satellite communication services, so that authentication and authorization between the calling terminal and the called terminal can be carried out. The proxy authentication platform stores the security chip ID, key identification, user provisioning information and the like of the satellite terminal, and applies to the key management platform for keys. When the satellite terminal accesses the network, the key management platform fills the key into the security chip of the satellite terminal, where it is stored and later used as the authentication key for identity authentication with the key management platform. Finally, the satellite terminal completes the normal communication process between end users through its wireless transceiver antenna.
Fig. 3 also shows a schematic structural diagram of an alternative satellite communication authentication system, mainly for explaining the functions that can be implemented by each device in the system.
On the basis of the satellite communication authentication system, the embodiment of the application also provides a satellite communication authentication method which is used for specifically explaining the flow executed by the proxy authentication platform in the satellite communication authentication system. It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer executable instructions, and that although a logical order is illustrated in the flowcharts, in some cases the steps illustrated or described may be performed in an order other than that illustrated herein.
Fig. 4 is a schematic flow chart of an alternative satellite communication authentication method according to an embodiment of the present application, as shown in fig. 4, the method at least includes steps S402-S406, wherein:
step S402, receiving first authentication information sent by a satellite terminal, where the first authentication information includes: first encryption information encrypted by the satellite terminal with a first key in the security chip, a first identifier of the security chip and a second identifier of the first key, wherein the security chip holds a key set filled by a key management platform.
The first encryption information includes: a first random number generated by the satellite terminal, a fourth identifier of the key management platform and the first identifier.
As an optional implementation, before the proxy authentication platform receives the first authentication information sent by the satellite terminal, it may first receive authentication service provisioning information sent by the satellite terminal, where the authentication service provisioning information includes: third encryption information encrypted by the satellite terminal with a third key in the security chip, the first identifier and a fifth identifier of the third key; the proxy authentication platform transmits the authentication service opening information to the key management platform, which determines the third key according to the first identifier and the fifth identifier and decrypts the third encryption information to obtain decryption information; and the proxy authentication platform receives the decryption information sent by the key management platform and opens the authentication service authority of the satellite terminal based on the decryption information.
Here the third encryption information includes: a third random number generated by the satellite terminal, terminal information of the satellite terminal and the first identifier; the decryption information at least comprises the terminal information of the satellite terminal; and opening the authentication service authority of the satellite terminal based on the decryption information comprises: binding the terminal information of the satellite terminal with the first identifier of the security chip, and opening the authentication service authority of the satellite terminal.
For example, fig. 5 shows a schematic flow chart of an alternative method for opening the satellite communication authentication service authority, as shown in fig. 5.
The key management platform fills a key set into the security chip of the TF card of the satellite terminal. The satellite terminal obtains the first identifier ID of the security chip, the third key Z and the serial number C (fifth identifier) of the third key from the security chip in the TF card. The proxy authentication platform receives the authentication service opening information sent by the satellite terminal, which consists of the first identifier ID of the security chip, the serial number C (fifth identifier) of the third key and third encryption information encrypted by the satellite terminal based on the third key Z in the security chip, wherein the third encryption information includes: the third random number A generated by the satellite terminal, the terminal information of the satellite terminal and the first identifier ID of the security chip. The proxy authentication platform transmits this information to the key management platform, which determines the third key Z from the first identifier ID of the security chip and the serial number C (fifth identifier) of the third key, decrypts the third encryption information, and obtains from it the terminal information of the satellite terminal and the third random number A generated by the satellite terminal.
The key management platform returns the obtained terminal information of the satellite terminal and the third random number A generated by the satellite terminal to the proxy authentication platform. The proxy authentication platform binds the terminal information of the satellite terminal to the first identifier ID of the security chip, opens the authentication service authority of the satellite terminal, and sends the terminal information to the satellite terminal, which writes the terminal information into the terminal and stores it in the security chip.
After the satellite communication authentication service authority has been opened, the satellite terminal can perform its first interactive authentication through the proxy authentication platform. As an optional implementation manner, after the proxy authentication platform receives the first authentication information, it performs a preliminary check on the first authentication information, where the preliminary check comprises at least one of the following: checking the service life cycle of the satellite terminal, and checking the binding relation between the satellite terminal and the security chip. When the preliminary check passes, the proxy authentication platform continues to send the first authentication information to the key management platform; when the preliminary check fails, it feeds back authentication failure information to the satellite terminal and stops the authentication flow.
Step S404, sending the first authentication information to the key management platform, wherein the key management platform is used for determining the first key according to the first identifier and the second identifier and decrypting the first encryption information so as to authenticate the satellite terminal, and, after the authentication passes, generating second authentication information, wherein the second authentication information comprises: second encryption information encrypted by the key management platform based on a second key associated with the security chip, the first identifier and a third identifier of the second key.
The second encryption information includes: a second random number generated by the key management platform, the first random number, the fourth identifier and the first identifier.
As an optional implementation manner, the key management platform checks the first authentication information sent by the proxy authentication platform: it determines the first key according to the first identifier and the second identifier, decrypts the first encryption information, checks the fourth identifier of the key management platform and the first random number contained in the first encryption information, determines whether the first authentication information has been tampered with by comparing the decrypted first identifier with the first identifier carried in plaintext in the first authentication information, thereby authenticates the satellite terminal, and feeds the authentication result back to the proxy authentication platform.
Optionally, after the key management platform has authenticated the satellite terminal, the proxy authentication platform receives the authentication result fed back by the key management platform. When the authentication result is that the authentication fails, it feeds back authentication failure information to the satellite terminal and stops the authentication flow; when the authentication result is that the authentication passes, it feeds back authentication success information to the satellite terminal and continues to receive the second authentication information sent by the key management platform.
As an alternative implementation manner, after its check of the first authentication information passes, the key management platform generates the second authentication information: it generates a second random number, encrypts it using the second key in the security chip, and encapsulates the serial number of the second key into the second authentication information.
Step S406, receiving the second authentication information sent by the key management platform and forwarding the second authentication information to the satellite terminal, wherein the satellite terminal is used for determining the second key according to the first identifier and the third identifier and decrypting the second encryption information so as to authenticate the key management platform.
Wherein the first authentication information and the second authentication information are both transmitted through a satellite channel.
For example, fig. 6 shows a schematic flow chart of an alternative satellite communication authentication method. As shown in fig. 6, the satellite terminal obtains the first identifier ID of the security chip, the first key K in the security chip and the serial number T of the first key from the security chip, and starts the first authentication. The proxy authentication platform receives, through a satellite channel, the first authentication information sent by the satellite terminal, which consists of the first encryption information encrypted with the first key K in the security chip, the first identifier ID and the serial number T (second identifier) of the first key, wherein the first encryption information includes: the first random number W generated by the satellite terminal, the fourth identifier of the key management platform and the first identifier ID of the security chip.
After receiving the first authentication information, the proxy authentication platform must perform a preliminary check on the service life cycle of the satellite terminal and on the binding relation between the satellite terminal and the security chip. When the preliminary check of the service life cycle of the satellite terminal and/or of the binding relation between the satellite terminal and the security chip fails, the proxy authentication platform feeds back failure information to the satellite terminal and terminates the authentication flow; when both the service life cycle of the satellite terminal and the binding relation between the satellite terminal and the security chip pass the preliminary check, the proxy authentication platform continues to send the first authentication information to the key management platform.
After receiving the first authentication information, the key management platform determines the first key K according to the first identifier ID of the security chip and the serial number T (second identifier) of the first key, decrypts the first encryption information, authenticates the satellite terminal by comparing the decrypted terminal information of the satellite terminal with the first random number W generated by the satellite terminal, and records the authentication information.
After the key management platform has authenticated the first authentication information, the proxy authentication platform receives the authentication result fed back by the key management platform. When the authentication result is not passed, the proxy authentication platform feeds back authentication failure information to the satellite terminal and terminates the authentication flow; when the authentication result is passed, the proxy authentication platform feeds back authentication success information to the satellite terminal.
Meanwhile, the key management platform generates second authentication information composed of the first identifier ID of the security chip, the serial number H (third identifier) of the second key, and second encryption information encrypted by the key management platform based on the second key associated with the security chip, wherein the second encryption information comprises: the second random number B generated by the key management platform, the first random number A generated by the satellite terminal, the fourth identifier of the key management platform and the first identifier ID of the security chip; this starts the second authentication. The proxy authentication platform receives the second authentication information sent by the key management platform and forwards it to the satellite terminal through the satellite channel. The satellite terminal determines the second key M according to the first identifier ID of the security chip and the serial number H (third identifier) of the second key, decrypts the second encryption information, and checks whether the decrypted second random number B is consistent with the first random number W it sent, whether the decrypted first identifier ID of the security chip is consistent with the plaintext chip identifier ID, and the decrypted fourth identifier of the key management platform, so as to authenticate the key management platform. At the same time, the random number B generated by the key management platform is stored in the security chip of the satellite terminal, so that replay is prevented.
Receiving first authentication information sent by a satellite terminal, wherein the first authentication information comprises: first encryption information encrypted by the satellite terminal based on a first key in the security chip, a first identifier of the security chip and a second identifier of the first key, wherein the security chip contains a key set filled by a key management platform; sending the first authentication information to the key management platform, wherein the key management platform is used for determining the first key according to the first identifier and the second identifier and decrypting the first encryption information so as to authenticate the satellite terminal, and, after the authentication passes, generating second authentication information, wherein the second authentication information comprises: second encryption information encrypted by the key management platform based on a second key associated with the security chip, the first identifier and a third identifier of the second key; and receiving the second authentication information sent by the key management platform and forwarding it to the satellite terminal, wherein the satellite terminal is used for determining the second key according to the first identifier and the third identifier and decrypting the second encryption information so as to authenticate the key management platform. In this method, the proxy authentication platform resolves the mismatch between the coding of the satellite channel and the protocols supported by a conventional key management platform in the current authentication process, and fast authentication is achieved with two interactions over the satellite channel, so that authentication efficiency is improved.
Example 2
According to an embodiment of the present application, there is further provided a satellite communication encryption method, which may be implemented in the satellite communication authentication system shown in fig. 1, as shown in fig. 7, and the method at least includes steps S702 to S706, where:
Step S702, in response to a service request that the first satellite terminal calls the second satellite terminal, the first satellite terminal and the second satellite terminal are authenticated by using the satellite communication authentication method in embodiment 1, respectively.
Specifically, the first satellite terminal and the second satellite terminal are authenticated through steps S1-S3, respectively, wherein:
S1, receiving first authentication information sent by a satellite terminal, wherein the first authentication information comprises: first encryption information encrypted by the satellite terminal based on a first key in the security chip, a first identifier of the security chip and a second identifier of the first key, wherein the security chip contains a key set filled by a key management platform;
the first encryption information includes: the first random number generated by the satellite terminal, a fourth identifier of the key management platform and the first identifier.
Optionally, after receiving the first authentication information sent by the satellite terminal, the proxy authentication platform performs a preliminary check on the first authentication information, where the preliminary check includes at least one of: checking the service life cycle of the satellite terminal, and checking the binding relation between the satellite terminal and the security chip; when the preliminary check fails, feeding back authentication failure information to the satellite terminal, and stopping the authentication flow; and when the preliminary check passes, continuing to send the first authentication information to the key management platform.
S2, sending the first authentication information to the key management platform, wherein the key management platform is used for determining the first key according to the first identifier and the second identifier and decrypting the first encryption information so as to authenticate the satellite terminal, and, after the authentication passes, generating second authentication information, wherein the second authentication information comprises: second encryption information encrypted by the key management platform based on a second key associated with the security chip, the first identifier and a third identifier of the second key;
optionally, after the key management platform authenticates the satellite terminal, receiving an authentication result fed back by the key management platform; when the authentication result is that the authentication is passed, feeding back authentication success information to the satellite terminal, and continuously receiving second authentication information sent by the key management platform; and when the authentication result is that the authentication fails, feeding back authentication failure information to the satellite terminal, and stopping the authentication flow.
And S3, receiving second authentication information sent by the key management platform and forwarding the second authentication information to the satellite terminal, wherein the satellite terminal is used for determining a second key according to the first identifier and the third identifier and decrypting the second encryption information so as to authenticate the key management platform.
Wherein the second encryption information includes: a second random number generated by the key management platform, the first random number, the fourth identifier and the first identifier.
The first authentication information and the second authentication information are both transmitted through a satellite channel.
Step S704, when the authentication passes, applying to the key management platform for a working key, encrypting the working key using the filling key associated with the first satellite terminal and the second satellite terminal, and issuing the encrypted working key to the first satellite terminal and the second satellite terminal.
In step S706, during the communication between the first satellite terminal and the second satellite terminal, the communication data is encrypted using the working key.
For example, when the first satellite terminal A initiates a call service, the first satellite terminal A and the second satellite terminal B initiate an authentication request service at the same time and send authentication requests to the proxy authentication platform. The proxy authentication platform completes the authentication of the first satellite terminal A and the second satellite terminal B through two interactions, authenticating the identities and authorities of the first satellite terminal A and the second satellite terminal B using the filling key. When the authentication passes, the proxy authentication platform applies to the key management platform for a key, encrypts the key using the filling keys associated with the first satellite terminal A and the second satellite terminal B, and issues the encrypted key to the first satellite terminal A and the second satellite terminal B.
Example 3
According to an embodiment of the present application, there is also provided a nonvolatile storage medium including a stored program, wherein, when the program runs, the device in which the nonvolatile storage medium is located is controlled to execute the satellite communication authentication method in embodiment 1.
According to an embodiment of the present application, there is also provided a processor for running a program, wherein the program executes the satellite communication authentication method in embodiment 1.
According to an embodiment of the present application, there is also provided an electronic device including: a memory and a processor, wherein the memory stores a computer program, and the processor is configured to execute the satellite communication authentication method in embodiment 1 by the computer program.
Optionally, the program, when executed, implements the following steps: receiving first authentication information sent by a satellite terminal, wherein the first authentication information comprises: first encryption information encrypted by the satellite terminal based on a first key in the security chip, a first identifier of the security chip and a second identifier of the first key, wherein the security chip contains a key set filled by a key management platform; sending the first authentication information to the key management platform, wherein the key management platform is used for determining the first key according to the first identifier and the second identifier and decrypting the first encryption information so as to authenticate the satellite terminal, and, after the authentication passes, generating second authentication information, wherein the second authentication information comprises: second encryption information encrypted by the key management platform based on a second key associated with the security chip, the first identifier and a third identifier of the second key; and receiving the second authentication information sent by the key management platform and forwarding it to the satellite terminal, wherein the satellite terminal is used for determining the second key according to the first identifier and the third identifier and decrypting the second encryption information so as to authenticate the key management platform.
The foregoing embodiment numbers of the present application are merely for description and do not represent the advantages or disadvantages of the embodiments.
In the foregoing embodiments of the present application, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technology content may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary, and the division of units may be a logic function division, and there may be another division manner in actual implementation, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interfaces, units or modules, or may be in electrical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions to cause a computer device (which may be a personal computer, a server or a network device, etc.) to perform all or part of the steps of the methods of the embodiments of the present application. The aforementioned storage medium includes: a U-disk, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or other media capable of storing program code.
The foregoing is merely a preferred embodiment of the present application; it should be noted that those skilled in the art may make modifications and adaptations without departing from the principles of the present application, and these are intended to fall within the scope of the present application.

Claims (10)

1. A satellite communication authentication method, comprising:
receiving first authentication information sent by a satellite terminal, wherein the first authentication information comprises: first encryption information encrypted by the satellite terminal based on a first key in a security chip, a first identifier of the security chip and a second identifier of the first key, wherein the security chip comprises a key set filled by a key management platform;
sending the first authentication information to the key management platform, wherein the key management platform is used for determining the first key according to the first identifier and the second identifier and decrypting the first encryption information so as to authenticate the satellite terminal, and, after the authentication passes, generating second authentication information, wherein the second authentication information comprises: second encryption information encrypted by the key management platform based on a second key associated with the security chip, the first identifier, and a third identifier of the second key;
and receiving the second authentication information sent by the key management platform and forwarding the second authentication information to the satellite terminal, wherein the satellite terminal is used for determining the second key according to the first identifier and the third identifier and decrypting the second encryption information so as to authenticate the key management platform.
2. The method according to claim 1, wherein
the first encryption information includes: the first random number generated by the satellite terminal, the fourth identifier of the key management platform and the first identifier;
the second encryption information includes: the second random number generated by the key management platform, the first random number, the fourth identifier and the first identifier.
3. The method of claim 1, wherein prior to sending the first authentication information to a key management platform, the method further comprises:
performing a preliminary check on the first authentication information, wherein the preliminary check includes at least one of: checking the service life cycle of the satellite terminal, and checking the binding relation between the satellite terminal and the security chip;
when the preliminary check passes, continuing to send the first authentication information to a key management platform;
and when the preliminary check fails, feeding back authentication failure information to the satellite terminal, and stopping the authentication flow.
4. The method of claim 1, wherein after the key management platform authenticates the satellite terminal, the method further comprises:
receiving an authentication result fed back by the key management platform;
when the authentication result is that the authentication passes, feeding back authentication success information to the satellite terminal, and continuing to receive the second authentication information sent by the key management platform;
and when the authentication result is that the authentication fails, feeding back authentication failure information to the satellite terminal, and stopping the authentication flow.
5. The method of claim 1, wherein prior to receiving the first authentication information transmitted by the satellite terminal, the method further comprises:
receiving authentication service opening information sent by the satellite terminal, wherein the authentication service opening information comprises: third encryption information encrypted by the satellite terminal based on a third key in the security chip, the first identifier and a fifth identifier of the third key;
the authentication service opening information is sent to the key management platform, wherein the key management platform is used for determining the third key according to the first identifier and the fifth identifier and decrypting the third encryption information to obtain decryption information;
and receiving the decryption information sent by the key management platform, and opening the authentication service authority of the satellite terminal based on the decryption information.
6. The method according to claim 5, wherein
the third encryption information includes: the third random number generated by the satellite terminal, the terminal information of the satellite terminal and the first identifier;
the decryption information at least comprises: terminal information of the satellite terminal;
opening the authentication service authority of the satellite terminal based on the decryption information, including: binding the terminal information of the satellite terminal with the first identifier of the security chip, and opening the authentication service authority of the satellite terminal.
7. The method according to any one of claims 1 to 6, wherein,
the first authentication information and the second authentication information are both transmitted over a satellite channel.
8. A satellite communication encryption method, comprising:
in response to a service request of a first satellite terminal calling a second satellite terminal, authenticating the first satellite terminal and the second satellite terminal respectively by using the satellite communication authentication method according to any one of claims 1 to 6;
when the authentication is passed, applying a working key to the key management platform, encrypting the working key by using a filling key associated with the first satellite terminal and the second satellite terminal, and issuing the encrypted working key to the first satellite terminal and the second satellite terminal;
and in the communication process of the first satellite terminal and the second satellite terminal, encrypting communication data by using the working key.
9. A satellite communications authentication system, comprising: the system comprises a satellite terminal, a proxy authentication platform and a key management platform, wherein,
the satellite terminal is configured to generate first authentication information, where the first authentication information includes: first encryption information encrypted by the satellite terminal based on a first key in a security chip, a first identifier of the security chip and a second identifier of the first key, wherein the security chip comprises a key set filled by the key management platform;
the proxy authentication platform is used for receiving the first authentication information sent by the satellite terminal and sending the first authentication information to the key management platform;
the key management platform is used for determining the first key according to the first identifier and the second identifier and decrypting the first encryption information so as to authenticate the satellite terminal, and, after the authentication passes, generating second authentication information, wherein the second authentication information comprises: second encryption information encrypted by the key management platform based on a second key associated with the security chip, the first identifier, and a third identifier of the second key;
the proxy authentication platform is further configured to receive the second authentication information sent by the key management platform, and forward the second authentication information to the satellite terminal;
the satellite terminal is further configured to determine the second key according to the first identifier and the third identifier, and decrypt the second encryption information, so as to authenticate the key management platform.
10. An electronic device, comprising: a memory and a processor, wherein the memory stores a computer program, and the processor is configured to execute, by the computer program, the satellite communication authentication method of any one of claims 1 to 7 or the satellite communication encryption method of claim 8.
CN202210795098.9A 2022-07-07 2022-07-07 Satellite communication authentication method and system and satellite communication encryption method Pending CN117411647A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210795098.9A CN117411647A (en) 2022-07-07 2022-07-07 Satellite communication authentication method and system and satellite communication encryption method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210795098.9A CN117411647A (en) 2022-07-07 2022-07-07 Satellite communication authentication method and system and satellite communication encryption method

Publications (1)

Publication Number Publication Date
CN117411647A true CN117411647A (en) 2024-01-16

Family

ID=89491258

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210795098.9A Pending CN117411647A (en) 2022-07-07 2022-07-07 Satellite communication authentication method and system and satellite communication encryption method

Country Status (1)

Country Link
CN (1) CN117411647A (en)

Similar Documents

Publication Publication Date Title
CN101641976B (en) An authentication method
JP4263384B2 (en) Improved method for authentication of user subscription identification module
CN102378170B (en) Method, device and system of authentication and service calling
US20020187808A1 (en) Method and arrangement for encrypting data transfer at an interface in mobile equipment in radio network, and mobile equipment in radio network
CN111615105B (en) Information providing and acquiring method, device and terminal
RU2008118495A (en) METHOD AND DEVICE FOR ESTABLISHING A SAFE ASSOCIATION
CN113015159B (en) Initial security configuration method, security module and terminal
JP2012110009A (en) Methods and arrangements for secure linking of entity authentication and ciphering key generation
CN109714769B (en) Information binding method, device, equipment and storage medium
CN103179176B (en) The call method that web applies under cloud/cluster environment, device and system
CN103906052A (en) Mobile terminal authentication method, service access method and equipment
US20090044007A1 (en) Secure Communication Between a Data Processing Device and a Security Module
CN104836784A (en) Information processing method, client, and server
KR20080094839A (en) Method of establishing a cryptographic key, network head and receiver for this method, and method of transmitting signals
CN104243452B (en) A kind of cloud computing access control method and system
CN115022868A (en) Satellite terminal entity authentication method, system and storage medium
CN115334497A (en) Satellite terminal key distribution method, device and system
CN114390524B (en) Method and device for realizing one-key login service
CN111770494B (en) Beidou RDSS user identity authentication and fire wire registration method and device based on mobile phone number
CN112491907A (en) Data transmission method, device, system, storage medium and electronic equipment
CN102547686B (en) M2M (Machine-to-Machine) terminal security access method and terminal and management platform
CN114158046B (en) Method and device for realizing one-key login service
CN114599033B (en) Communication authentication processing method and device
CN116233832A (en) Verification information sending method and device
CN116248290A (en) Identity authentication method and device and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination