CN117880806A - Certificate distribution method, device, equipment and storage medium - Google Patents

Publication number: CN117880806A
Application number: CN202410089796.6A
Authority: CN (China)
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Language: Chinese (zh)
Prior art keywords: response message, request, network application, user terminal, certificate
Inventors: 张建荣, 张建桁, 鲁华伟, 蒋小燕, 余雷, 陈亚东, 李冶, 熊婷, 赵元, 邓鸿亮, 韩浩, 李军, 龚云亮, 刘俊凯, 杨勇康
Original and current assignees: China United Network Communications Group Co Ltd; Unicom Digital Technology Co Ltd
Priority application: CN202410089796.6A, published as CN117880806A
Abstract

The present disclosure relates to channel certificate distribution, and in particular to a certificate distribution method, apparatus, device and storage medium. A user terminal obtains a certificate service request from a user and sends a key generation request to a network application device according to that request; it obtains a first response message from the network application device and sends a B-TID request to the network application device according to the random number and authentication token carried in the first response message; it obtains a second response message from the network application device and determines from it the shared user session key corresponding to the user terminal; and it sends an application session key request to the network application device according to the shared user session key, so that the network application device distributes the corresponding certificate information to the user terminal according to that request. Because the user terminal reaches the guiding service device only through the network application device, the security and compatibility problems of certificate distribution caused by the user terminal accessing the guiding service device directly are avoided.

Description

Certificate distribution method, device, equipment and storage medium
Technical Field
The present disclosure relates to the field of channel certificate distribution technologies, and in particular, to a method, an apparatus, a device, and a storage medium for certificate distribution.
Background
In the 5G era everything is interconnected. With the growth of services, service security becomes ever more important: confirming the identity of a legitimate base station when terminal equipment connects, and guaranteeing the integrity, confidentiality and non-repudiation of communication data, all require suitable cryptographic schemes and identity authentication technology.
Public key encryption authentication based on digital certificates in the prior art is a security mechanism commonly adopted by standard organizations at home and abroad at present.
However, public key encryption authentication based on digital certificates in the prior art has problems of security and service compatibility. In terms of security, both the terminal and the CA authentication platform are connected to the network element, so the terminal accesses the BSF directly, which is a potential safety hazard. In terms of service compatibility, when a single type of certificate is distributed, one digital certificate can serve only one device, which cannot meet the differentiated multi-service security requirements of a 5G terminal. These security and service compatibility problems of certificate-based public key authentication in the prior art therefore need to be solved.
Disclosure of Invention
The application provides a certificate distribution method, apparatus, device and storage medium to solve two problems of certificate-based public key encryption authentication in the prior art: in terms of security, the terminal and the CA authentication platform are both connected to the network element, and the terminal's direct access to the BSF is a potential safety hazard; in terms of service compatibility, when a single type of certificate is distributed, one digital certificate can serve only one device and cannot meet the differentiated multi-service security requirements of a 5G terminal.
In a first aspect, the present application provides a certificate distribution method, applied to a user terminal, the method including:
acquiring a certificate service request sent by a user, and sending a key generation request to network application equipment according to the certificate service request;
acquiring a first response message sent by the network application equipment, and sending a B-TID request to the network application equipment according to a random number and an authentication token in the first response message;
acquiring a second response message sent by the network application equipment, and determining a shared user session key corresponding to the user terminal according to the second response message;
and sending an application session key request to the network application equipment according to the shared user session key, so that the network application equipment distributes corresponding certificate information to the user terminal according to the application session key request.
Optionally, sending the B-TID request to the network application device according to the random number and the authentication token in the first response message includes:
determining an RES value according to the random number and the authentication token, carrying the RES value in the B-TID request, and sending the B-TID request to the network application device.
In a second aspect, the present application provides a certificate distribution method, applied to a network application device, where the method includes:
acquiring a key generation request sent by a user terminal, and forwarding the key generation request to a guiding service device, so that the guiding service device determines a random number and an authentication token corresponding to the user terminal according to the key generation request;
acquiring a first response message sent by the guiding service device, and forwarding the first response message to the user terminal, wherein the first response message comprises: the random number and the authentication token corresponding to the user terminal;
acquiring a B-TID request sent by the user terminal, and forwarding the B-TID request to the guiding service equipment;
acquiring a second response message sent by the guiding service device, storing the second response message, and forwarding the second response message to the user terminal, so that the user terminal determines a shared user session key corresponding to the user terminal according to the second response message, wherein the second response message comprises the B-TID information corresponding to the B-TID request;
acquiring an application session key request sent by the user terminal, and forwarding the application session key request to the guiding service device;
acquiring a third response message sent by the guiding service device, and mapping the B-TID information in the stored second response message to the application session key in the third response message to obtain mapping information;
sending the mapping information and the certificate service request sent by the user terminal to a target authentication platform corresponding to the certificate service, so that the target authentication platform generates certificate information according to the mapping information and the certificate service request;
and acquiring the certificate information sent by the target authentication platform and distributing the certificate information to the user terminal.
In a third aspect, the present application provides a certificate distribution method applied to a boot service device, the method including:
acquiring a key generation request sent by network application equipment, and sending a first response message to the network application equipment according to the key generation request, wherein the first response message comprises a random number and an authentication token;
acquiring a B-TID request sent by the network application device, and sending a second response message to the network application device according to the B-TID request, so that the network application device forwards the second response message to a user terminal and the user terminal determines a shared user session key corresponding to the user terminal according to the second response message, wherein the second response message comprises the B-TID information corresponding to the B-TID request;
and acquiring an application session key request sent by the network application device, and sending a third response message to the network application device according to the application session key request, wherein the third response message comprises an application session key corresponding to the application session key request.
Optionally, the obtaining a key generation request sent by the network application device, and sending a first response message to the network application device according to the key generation request, where the first response message includes a random number and an authentication token, includes:
sending a first request to a user server according to the key generation request, wherein the first request is used for indicating that a user authentication vector and subscription information are acquired from the user server;
the user server generates authentication data according to the user authentication vector and subscription information, and completes authentication according to the authentication data;
and after the authentication is completed by the user server, a first response message is sent to the network application equipment according to the key generation request.
Optionally, the obtaining the application session key request sent by the network application device, and sending a third response message to the network application device according to the application session key request, includes:
generating an application session key according to the application session key request and the shared user session key, and writing the application session key into the third response message;
and sending the third response message to the network application device.
In a fourth aspect, the present application provides a certificate distributing apparatus, applied to a user terminal, the apparatus comprising:
the acquisition module is used for acquiring a certificate service request sent by a user and sending a key generation request to the network application equipment according to the certificate service request;
the acquisition module is further used for acquiring a first response message sent by the network application equipment and sending a B-TID request to the network application equipment according to the random number and the authentication token in the first response message;
the acquisition module is further configured to acquire a second response message sent by the network application device, and determine a shared user session key corresponding to the user terminal according to the second response message;
and the sending module is used for sending an application session key request to the network application equipment according to the shared user session key so that the network application equipment distributes corresponding certificate information to the user terminal according to the application session key request.
Optionally, the apparatus further includes: a determining module;
and the determining module is configured to determine an RES value according to the random number and the authentication token, carry the RES value in the B-TID request, and send the B-TID request to the network application device.
In a fifth aspect, the present application provides a certificate distribution apparatus applied to a network application device, the apparatus including:
the acquisition module is used for: acquiring a key generation request sent by a user terminal, and forwarding the key generation request to a guiding service device, so that the guiding service device determines a random number and an authentication token corresponding to the user terminal according to the key generation request;
the obtaining module is further configured to obtain a first response message sent by the guidance service device, and forward the first response message to the user terminal, where the first response message includes: the random number and the authentication token corresponding to the user terminal;
the acquisition module is further configured to acquire a B-TID request sent by the user terminal, and forward the B-TID request to the guiding service device;
the obtaining module is further configured to obtain a second response message sent by the service guiding device, store the second response message, and forward the second response message to the user terminal, so that the user terminal determines, according to the second response message, a shared user session key corresponding to the user terminal, where the second response message includes: the B-TID requests corresponding B-TID information;
The acquisition module is further configured to acquire an application session key request sent by the user terminal, and forward the application session key request to the guiding service device;
the acquisition module is further configured to acquire a third response message sent by the guiding service device, and perform mapping processing on the B-TID information in the stored second response message and the application session key in the third response message to obtain mapping information;
and a sending module, configured to send the mapping information and the certificate service request sent by the user terminal to a target authentication platform corresponding to the certificate service, so that the target authentication platform generates certificate information according to the mapping information and the certificate service request;
the acquisition module is further configured to acquire the certificate information sent by the target authentication platform, and distribute the certificate information to the user terminal.
In a sixth aspect, the present application provides a certificate distribution apparatus applied to a guidance service device, the apparatus including:
the generation module is used for acquiring a key generation request sent by the network application equipment, and sending a first response message to the network application equipment according to the key generation request, wherein the first response message comprises a random number and an authentication token;
the obtaining module is configured to obtain a B-TID request sent by the network application device and send a second response message to the network application device according to the B-TID request, so that the network application device forwards the second response message to a user terminal and the user terminal determines, according to the second response message, a shared user session key corresponding to the user terminal, where the second response message comprises the B-TID information corresponding to the B-TID request;
the acquisition module is further configured to acquire an application session key request sent by the network application device, and send a third response message to the network application device according to the application session key request, where the third response message includes an application session key corresponding to the application session key request.
Optionally, the apparatus further includes: a transmitting module;
the generation module is further configured to send a first request to a user server according to the key generation request, where the first request instructs the user server to obtain a user authentication vector and subscription information;
the generation module is further configured to obtain the authentication result of the user server, which generates authentication data from the user authentication vector and subscription information and completes authentication according to that data;
and the sending module is configured to send a first response message to the network application device according to the key generation request after the user server has completed authentication.
In a seventh aspect, the present application provides a certificate distribution apparatus, comprising: at least one processor and memory;
the memory stores computer-executable instructions;
the at least one processor executes computer-executable instructions stored by the memory such that the at least one processor performs the method of certificate distribution as described above in the first aspect and various possible implementations of the first aspect.
In an eighth aspect, embodiments of the present invention provide a readable storage medium having stored thereon a computer program which, when executed by a processor, implements the certificate distribution method according to the first aspect and various possible implementations of the first aspect.
The application provides a certificate distribution method, apparatus, device and storage medium. A user terminal obtains a certificate service request from a user and sends a key generation request to a network application device according to that request; obtains a first response message from the network application device and sends a B-TID request to it according to the random number and authentication token in the first response message; obtains a second response message from the network application device and determines from it the shared user session key corresponding to the user terminal; and sends an application session key request to the network application device according to the shared user session key, so that the network application device distributes the corresponding certificate information to the user terminal according to that request. Because the network application device is interposed, the user terminal never accesses the guiding service device directly, so the information leakage at the guiding service device that such direct access could cause is avoided; this addresses the security problem of the prior art, in which the terminal and the CA authentication platform are both connected to the network element and the terminal's direct access to the BSF is a potential safety hazard. Further, the network application device identifies the target authentication platform corresponding to each certificate service, has it generate the corresponding certificate information, and then distributes that information; this addresses the service compatibility problem of the prior art, in which a single type of certificate serves only one device and cannot meet the differentiated multi-service security requirements of a 5G terminal.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
FIG. 1 is a flow chart diagram of a method of certificate distribution provided herein;
FIG. 2 is a second flowchart of a certificate distribution method provided herein;
FIG. 3 is a schematic diagram of a certificate distributing apparatus provided in the present application;
fig. 4 is a schematic structural diagram of a certificate distributing apparatus provided in the present application;
fig. 5 is a schematic structural diagram of a certificate distributing apparatus provided in the present application;
fig. 6 is a schematic structural diagram of a certificate distributing apparatus provided in the present application.
Specific embodiments thereof have been shown by way of example in the drawings and will herein be described in more detail. These drawings and the written description are not intended to limit the scope of the inventive concepts in any way, but to illustrate the concepts of the present application to those skilled in the art by reference to specific embodiments.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the present application more apparent, the technical solutions in the present application will be clearly and completely described below with reference to the drawings in the present application, and it is apparent that the described embodiments are some, but not all, embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
The terms "first," "second," "third," "fourth" and the like in the description and in the claims and in the above drawings, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented, for example, in sequences other than those illustrated or otherwise described herein.
In the embodiments of the present application, words such as "exemplary" or "such as" are used to mean examples, illustrations, or descriptions. Any embodiment or design described herein as "exemplary" or "for example" should not be construed as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion.
It should be noted that, the user information (including, but not limited to, user terminal information, user personal information, etc.) and the data (including, but not limited to, data for analysis, stored data, presented data, etc.) referred to in the present application are information and data authorized by the user or sufficiently authorized by each party, and the collection, use and processing of the related data need to comply with the relevant laws and regulations and standards of the relevant country and region, and be provided with corresponding operation entries for the user to select authorization or rejection.
First, terms related to the present application will be explained:
GBA secure channel: GBA (Generic Bootstrapping Architecture, 3GPP TS 33.220) is not a tunnel in itself; it is the 3GPP mechanism that reuses the subscriber's USIM/ISIM credentials and the AKA protocol to bootstrap a shared secret Ks between the UE and the BSF, from which an application-specific key (Ks_NAF) is derived for each NAF. The "GBA secure channel" of this application is the protection of the Ua interface between the UE and the NAF that is built on those bootstrapped keys: it gives mutual authentication of UE and NAF and, depending on the Ua protocol chosen (for example TLS with a pre-shared key, or HTTP Digest), confidentiality and integrity of the application traffic. Firewalls, intrusion detection systems and password policy are separate controls that GBA does not provide; they still have to be deployed around the NAF and BSF, and the systems still have to be patched and upgraded regularly.
HTTP GET message: HTTP GET is the request method for retrieving a resource from a server. GET carries its parameters in the request line as a query string appended to the URL, does not modify server data, and is one of the most common request methods in web applications. GET requests are stateless: the server handles each request on its own and keeps no session between requests (the underlying TCP connection may still be reused with keep-alive), so any session state has to be carried explicitly in headers or the URL. Because the query string appears in server logs, proxies, referrers and browser history, sensitive information such as passwords, identities or keys must never be placed in a GET URL; the GBA bootstrapping exchange accordingly carries the AKA response in the HTTP Digest Authorization header rather than in the URL.
NAF: NAF (Network Application Function) is the GBA term for the application server that the UE talks to over the Ua interface. It obtains the application-specific key Ks_NAF for a given B-TID from the BSF over the Zn interface and uses that key to authenticate the UE and protect the Ua traffic. In a VoLTE deployment the NAF role is typically taken by the XCAP server on the Ut interface (the page's "X2AP" is almost certainly XCAP; X2AP is a RAN-side protocol between base stations), which processes the UE's supplementary-service query and modification requests and returns the result to the UE. The generic qualities the page lists for the NAF (high performance, scalability, security, ease of use, customisability) are implementation properties of a particular product, not part of the NAF definition. In this application the NAF additionally acts as the relay through which all terminal traffic towards the BSF passes.
BSF: BSF (Bootstrapping Server Function) is the network element, not a channel, that performs mutual authentication with the UE over the Ub interface using AKA (Authentication and Key Agreement) and establishes the bootstrapped session key Ks from which the NAF keys are derived. The Ub exchange is HTTP Digest AKA: the UE sends a request carrying its IMPI; the BSF fetches an authentication vector (RAND, AUTN, XRES, CK, IK) from the HSS and challenges the UE with RAND and AUTN; the UE verifies AUTN with the long-term key K on its USIM (this is how the network proves itself to the UE), computes RES, CK and IK from RAND and K, and returns RES; the BSF compares RES with XRES and, on a match, returns the B-TID and the key lifetime. Both sides then hold Ks = CK || IK, which never crosses the network. In this application the UE never addresses the BSF directly: the NAF relays each Ub message, which is why the claims speak of first, second and third response messages passing through the network application device.
CA authentication platform: a CA authentication platform is a digital certificate system that verifies and manages digital certificates. A digital certificate is an electronic document issued by a trusted authority to prove the identity and rights of an entity (a person, organisation or device). The platform's core function is certificate management: generating, issuing, renewing and revoking certificates, which are then used for identity authentication, data encryption, timestamping and similar security operations. CA platforms are used in e-government, e-commerce and network security generally, where they provide the trust anchor for verifying identities in communications and transactions.
HSS: HSS (Home Subscriber Server) is the subscriber database of the 3GPP core network. It holds the subscription data that the HLR held in earlier networks together with the authentication data (the long-term key K and the AKA algorithm configuration) that previously lived in the separate AuC, and it adds IMS and IP-based functions. Its main functions are: storing the subscriber's subscription information (identities, service profile, access rights); storing the subscriber's authentication data and computing authentication vectors on request from the BSF (over the Zh interface), the MME or the S-CSCF; providing the subscriber data needed for charging; and exposing interfaces to external systems for the operator's services. The HSS is the "user server" of this application from which the guiding service device obtains the user authentication vector and subscription information.
B-TID information: the B-TID (Bootstrapping Transaction Identifier) is not a device, node or link identifier. It is the identifier the BSF assigns to one successful bootstrapping run, formed as base64(RAND)@<BSF domain name>, and returned to the UE in the second response message. It binds the session key Ks to that run: the UE presents the B-TID to the NAF when requesting an application key, and the BSF uses it to look up the matching Ks, RAND and IMPI and derive Ks_NAF. Because the B-TID contains RAND, which was sent in the clear in the challenge, it is not a secret; possession of the B-TID alone yields no key, but it is what the NAF in this application stores and later maps to the application session key.
IMPI: IMPI (IP Multimedia Private Identity) is the private user identity of an IMS subscriber, in network access identifier form (user@realm). It is not the IMSI, although the two are related: the IMSI (MCC || MNC || MSIN, stored on the SIM/USIM and used by the mobile network to identify, authenticate and charge the subscriber) is the basis for deriving the IMPI when no ISIM is present, as <IMSI>@ims.mnc<MNC>.mcc<MCC>.3gppnetwork.org. The IMPI is the identity the UE sends in the Ub bootstrapping request and that the BSF uses to fetch the authentication vector from the HSS; it is also an input to the Ks_NAF derivation, so a bootstrapped Ks cannot be used under a different identity.
Ks_NAF: Ks_NAF is a key, not a function. Both the UE and the BSF derive it with the TS 33.220 key derivation function as Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id), where NAF_Id is the NAF's FQDN concatenated with the Ua security protocol identifier. Binding RAND and IMPI ties the key to this bootstrapping run and this subscriber; binding NAF_Id means each NAF receives a different key, so a compromised NAF learns nothing about sessions with other NAFs. The BSF delivers Ks_NAF to the NAF over Zn (in this application, in the third response message); the UE computes the same value locally and never sends it.
Ks_(ext)_NAF: in GBA_U, where the UICC itself performs the key derivation, two NAF keys are produced: Ks_ext_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id), which leaves the UICC and is used by the mobile equipment, and Ks_int_NAF = KDF(Ks, "gba-u", RAND, IMPI, NAF_Id), which never leaves the UICC. The notation Ks_(ext)_NAF covers the GBA_ME key and the GBA_U external key together, since they are derived identically; the "extension parameters" the page mentions are the different KDF label and, for GBA_U, the confinement of Ks_int_NAF to the UICC.
In the current 5G-age everything interconnection, with the development of numerous services, service security becomes more and more important, and the problem of identity confirmation of legal base stations when terminal equipment is connected, the problem of integrity, confidentiality, non-repudiation and the like of communication data, and the problem of solving the problems all need to adopt a proper password scheme and an identity authentication technology.
Aiming at the problems, public key encryption authentication based on digital certificates in the prior art is a security mechanism commonly adopted by the current domestic and foreign standard organizations.
However, in the prior art, public key encryption authentication based on digital certificates has problems of security and service compatibility. In terms of security, both the terminal and the CA authentication platform are connected to the network element, so the terminal's direct access to the BSF creates a potential security hazard. In terms of service compatibility, when a single type of certificate is distributed, one digital certificate can only serve one device, which cannot meet the security requirements of multi-service differentiation on a 5G terminal.
In view of the above problems, the present application provides a certificate distribution method in which the network application device is used to solve the security problem caused by the user terminal directly accessing the guiding service device; that is, the network application device acts as a transmission intermediary in the certificate distribution interaction flow. First, the user terminal obtains a certificate service request sent by the user and sends a key generation request, which the network application device forwards to the guiding service device. After receiving the request, the guiding service device returns a first response message containing a random number and an authentication token, which the network application device forwards to the user terminal. The user terminal sends a B-TID request to the network application device according to the random number and the authentication token in the first response message, and the network application device forwards the B-TID request to the guiding service device. After receiving the request, the guiding service device returns a second response message, which the network application device stores and forwards to the user terminal. After receiving the second response message, the user terminal determines the shared user session key corresponding to the user terminal and sends an application session key request according to the shared user session key, which the network application device forwards to the guiding service device. The guiding service device returns a third response message containing the application session key; the network application device maps the application session key to the B-TID in the stored second response message, and sends the resulting mapping information together with the certificate service request to the target authentication platform corresponding to the certificate service. The target authentication platform generates the certificate information and returns it to the network application device, which distributes it to the user terminal.
By routing all interaction through the network application device, the method effectively avoids problems such as information leakage from the guiding service device that arise when the user terminal accesses the guiding service device directly, and it is suitable for distributing certificates of various types, thereby meeting the security requirements of multi-service differentiation on 5G terminals.
The following describes the technical solutions of the present application and how the technical solutions of the present application solve the above technical problems in detail with specific embodiments. The following embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
Fig. 1 is a schematic flow chart of a certificate distribution method according to an embodiment of the present application. As shown in fig. 1, the certificate distribution method shown in this embodiment includes:
S101, acquiring a certificate service request sent by a user.
In this step, the user terminal obtains a certificate service request sent by the user. The request may be, for example, an HTTP GET request, and the requested service may be, for example, a certificate application or a certificate cancellation; it should be noted that certificate cancellation and certificate application perform different operations on the corresponding certificate distribution platform. The certificate distribution platform may be, for example, the CA authentication platform corresponding to the certificate service, and different certificate services correspond to different CA authentication platforms, selected according to the actual situation. The distributed certificate types may be, for example, V2X certificates, X509 certificates, SM9 short secret certificates and the like; the services of the V2X certificate may be, for example, registration, application, identity and anonymity services of the internet of vehicles, and the services of the X509 certificate may be, for example, website HTTPS certificate services; any certificate type that can use the rules of the request is acceptable. The user terminal may be, for example, a UE.
S102, sending a key generation request according to the certificate service request.
The step is that the user terminal sends a key generation request to the network application equipment according to the certificate service request.
It will be appreciated that an authentication process between the user terminal and the network application device may be performed before this step. This process may be, for example: according to the certificate service request, the user terminal sends an authentication request to the network application device, the channel of the request being, for example, a GBA channel; the network application device returns a response message to the user terminal, for example a 401 response. A 401 response message indicates that the user terminal does not have the corresponding access right, and the network application device instructs the user terminal to initiate a GBA authentication procedure, which may be, for example, the GBA key generation flow: the user terminal initiates a key generation request to the network application device through an HTTP GET message, and the corresponding certificate can be issued after the request. The user terminal may be, for example, a UE, and the network application device may be, for example, a NAF.
And S103, forwarding the key generation request.
The step is that the network application equipment forwards the key generation request to the guiding service equipment so that the guiding service equipment determines the random number and the authentication token corresponding to the user terminal according to the key generation request. The guiding service device may be, for example: BSF.
And S104, sending a first response message, wherein the first response message comprises a random number and an authentication token.
In this step, the guiding service device sends a first response message to the network application device; the network application device may be, for example, a NAF, and the guiding service device may be, for example, a BSF. Taking NAF and BSF as examples, the first response message may be generated as follows: after the BSF receives the key generation request, it sends a MAR request message to the HSS to obtain the user authentication vector and the GUSS subscription information, where the user authentication vector may include, for example, RAND, XRES, CK, IK and AUTN. The HSS generates authentication data according to the user authentication vector and the GUSS subscription information, and after the user server completes authentication, the first response message carrying the user authentication vector and the GUSS subscription information is sent to the network application device according to the key generation request. The first response message may include, for example, the random number (RAND), the authentication token (AUTN value) and the GUSS subscription information, and may be, for example, a 401 response message indicating that the request needs to be authenticated; this is determined according to the actual situation. The HSS is a home subscriber server and may be replaced in actual use by any device having the same function as the home subscriber server in the prior art, which is not particularly limited herein.
S105, forwarding the first response message, wherein the first response message comprises the following steps: and the random number and the authentication token corresponding to the user terminal.
Wherein the step is that the network application device forwards the first response message to the user terminal.
And S106, sending a B-TID request according to the random number and the authentication token in the first response message.
This step may be, for example: the user terminal calculates the RES value according to the random number and the authentication token, carries the RES value in the B-TID request, and sends the B-TID request to the network application device.
It will be appreciated that the purpose of this step is to forward the B-TID request to the guiding service device via the network application device, so that the guiding service device processes the request and returns a response to the network application device, enabling the certificate information of the certificate service corresponding to the request to be generated.
And S107, forwarding the B-TID request.
In this step, the network application device forwards the B-TID request to the guiding service device.
S108, sending a second response message according to the B-TID request.
In this step, the guiding service device sends a second response message to the network application device, so that the network application device forwards the second response message to the user terminal and the user terminal determines the shared user session key corresponding to the user terminal according to the second response message. The second response message may include, for example: the B-TID information corresponding to the B-TID request, Ks validity period information, and the GUSS subscription information from the first response message. The second response message may be, for example, a 200 OK response message, indicating that the request is in a successfully authenticated state, after which the certificate application flow may continue; this is selected according to the actual situation.
And S109, carrying out storage processing on the second response message.
The step is that the network application equipment stores the second response message so that the network application equipment maps the B-TID information in the stored second response message and the application session key in the third response message to obtain mapping information, and the target authentication platform generates corresponding certificate information according to the mapping information and the certificate service request.
It will be appreciated that the storage processing of the network application device in this step may further include, for example, storing information such as the B-TID, IMPI, Ks and GUSS at the same time.
And S110, forwarding the second response message.
The step is that the network application device forwards a second response message to the user terminal, so that the user terminal determines a shared user session key corresponding to the user terminal according to the second response message, where the second response message may include, for example: the B-TID requests the corresponding B-TID information.
And S111, determining a shared user session key corresponding to the user terminal according to the second response message.
In this step, the user terminal determines a shared user session key corresponding to the user terminal according to the second response message, where the shared user session key may be, for example, the GBA application layer session key Ks_NAF.
And S112, sending an application session key request according to the shared user session key.
The step is that the user terminal sends an application session key request to the network application device according to the shared user session key, so that the network application device distributes corresponding certificate information to the user terminal according to the application session key request. The application session key request may be, for example: obtained by a BIR request message, without specific limitation herein.
And S113, forwarding the application session key request.
Wherein the step is that the network application device forwards the application session key request to the bootstrap service device.
And S114, sending a third response message according to the application session key request, wherein the third response message comprises an application session key corresponding to the application session key request.
In this step, the guiding service device sends a third response message to the network application device according to the application session key request. The third response message may be, for example, a BIA response message, which may include, for example, the application session key corresponding to the application session key request; that key may be, for example, Ks_(ext)_NAF. The application session key may be generated, for example, by the guiding service device based on the shared user session key Ks_NAF, and may be returned, for example, in a BIA response message to the network application device after the guiding service device receives the application session key request.
And S115, mapping the B-TID information in the stored second response message and the application session key in the third response message to obtain mapping information.
This step is a mapping process performed by the network application device, which may be, for example: one-to-one mapping of the B-TID information in the stored second response message to the application session key Ks_(ext)_NAF in the third response message, so that the application session key Ks_(ext)_NAF corresponding to a given B-TID can subsequently be looked up by that B-TID for the corresponding processing.
And S116, sending the mapping information and the certificate service request sent by the user terminal to a target authentication platform corresponding to the certificate service so that the target authentication platform generates the certificate information according to the mapping information and the certificate service request.
The network application equipment sends the mapping information and the certificate service request sent by the user terminal to a target authentication platform corresponding to the certificate service, the target authentication platform generates corresponding certificate information and returns the corresponding certificate information to the network application equipment, and the network application equipment can distribute the certificate information to the corresponding user terminal.
The generation process of the certificate information may be, for example: the CA authentication platform applies K1-K4 to the network application equipment, wherein the application of K1 can be encryption, the application of K2 can be application for authenticating CA certificate, the network application equipment responds to the application of K1-K4 of the CA authentication platform and can be flexibly selected according to the application in the prior art, and the application is not particularly limited; the CA authentication platform encrypts and decrypts the response message of the network application equipment according to the secret key; the CA authentication platform generates corresponding information according to the request type, where the information may be, for example: and generating a corresponding certificate or authentication information, and returning the authentication information and the certificate to the network application equipment by the CA authentication platform, so that the generation of the certificate information is completed.
And S117, distributing the certificate information.
Wherein, this step is that the network application device distributes the certificate information to the user terminal. The location where the user terminal performs the storage of the certificate may be, for example, a memory card having a storage function, and is not particularly limited herein.
It should be noted that, the channel of the interaction flow in the present application may be, for example, based on a GBA security channel, which is not particularly limited herein, so long as the security channel used conforms to the rules of interaction information in the present application. The interactive information appearing in the application can be consistent with the information of the interactive flow in the HTTP request in the prior art, and the interactive flow also carries corresponding IMPI, and the IMPI is extracted and used specifically according to the actual application.
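The flow of steps S101 to S117 (together with the RES computation of S206 and the Ks_(ext)_NAF derivation of S214), carried through end to end as an added example that is not part of the patent: the UE only ever talks to the NAF, the NAF stores the second response and keeps the B-TID to Ks_(ext)_NAF mapping, and the certificate service request is routed to the CA platform for its certificate type. All names, keys, the `@bsf.example` B-TID suffix and the HMAC-based stand-ins for RES, AUTN and the GBA KDF are assumptions made for the example.

```python
"""Added example (not from the patent): simulation of the certificate distribution flow of
Fig. 1 / Fig. 2.  The NAF is the only party the UE talks to: it forwards to the BSF, stores
the second response, maps B-TID -> Ks_(ext)_NAF and routes the request to the CA platform for
its certificate type.  RES, AUTN and the KDF are simplified HMAC-SHA256 stand-ins for the
3GPP functions; all names, keys and GUSS values are constructed."""
import hashlib, hmac, secrets

def kdf(key, *parts):
    """Simplified KDF: HMAC-SHA256 over the concatenated inputs."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

class BSF:
    """Guiding service device. The HSS lookup behind S104 (MAR) is folded in as a dict."""
    def __init__(self, hss_subscribers):
        self.hss, self.pending, self.sessions = hss_subscribers, {}, {}

    def key_generation(self, impi):
        """S104: fetch K and GUSS from the HSS, build the vector, first response (401)."""
        k, rand = self.hss[impi]["K"], secrets.token_bytes(16)
        av = {"RAND": rand, "AUTN": kdf(k, b"autn", rand)[:16], "XRES": kdf(k, b"res", rand)[:8],
              "Ks": kdf(k, b"ck", rand) + kdf(k, b"ik", rand)}  # Ks = CK || IK
        self.pending[impi] = av
        return {"status": 401, "RAND": rand, "AUTN": av["AUTN"], "GUSS": self.hss[impi]["GUSS"]}

    def b_tid_request(self, impi, res):
        """S108: compare RES with XRES; on success issue the B-TID in the second response."""
        av = self.pending.pop(impi, None)
        if av is None or not hmac.compare_digest(res, av["XRES"]):
            return {"status": 401}
        b_tid = secrets.token_hex(8) + "@bsf.example"
        self.sessions[b_tid] = {"Ks": av["Ks"], "IMPI": impi, "RAND": av["RAND"]}
        return {"status": 200, "B-TID": b_tid, "Ks_lifetime": 3600, "GUSS": self.hss[impi]["GUSS"]}

    def application_session_key(self, b_tid, tag, naf_id):
        """S214: recompute Ks_NAF, check the UE's proof of possession, derive Ks_(ext)_NAF."""
        s = self.sessions.get(b_tid)
        if s is None:
            return {"status": 404}
        ks_naf = kdf(s["Ks"], b"gba-me", s["RAND"], s["IMPI"].encode(), naf_id)
        if not hmac.compare_digest(tag, kdf(ks_naf, b_tid.encode())):
            return {"status": 403}
        return {"status": 200, "Ks_ext_NAF": kdf(ks_naf, b"ext-params")}  # extension input constructed

def ca_issue(platform, b_tid, ks_ext_naf, cert_request):
    """S218: the target authentication platform returns certificate information (constructed)."""
    cert_id = hashlib.sha256(b_tid.encode() + ks_ext_naf).hexdigest()[:16]
    return {"platform": platform, "type": cert_request["type"],
            "service": cert_request["service"], "id": cert_id}

class NAF:
    """Network application device: forwarding intermediary plus the B-TID -> key mapping."""
    def __init__(self, bsf, naf_id, ca_platforms):
        self.bsf, self.naf_id, self.ca_platforms = bsf, naf_id, ca_platforms
        self.stored, self.mapping = {}, {}  # S109 stored second responses, S115 mapping

    def forward_key_generation(self, impi):  # S103 / S105
        return self.bsf.key_generation(impi)

    def forward_b_tid_request(self, impi, res):  # S107 / S109 / S110
        second = self.bsf.b_tid_request(impi, res)
        if second["status"] == 200:
            self.stored[impi] = {f: second[f] for f in ("B-TID", "Ks_lifetime", "GUSS")}
        return second

    def forward_app_key_request(self, impi, req, cert_request):  # S113 - S117
        stored = self.stored.get(impi)
        if stored is None or req["B-TID"] != stored["B-TID"]:
            return None  # no stored second response to map this request onto
        third = self.bsf.application_session_key(req["B-TID"], req["tag"], self.naf_id)
        platform = self.ca_platforms.get(cert_request["type"])  # S116: pick the target platform
        if third["status"] != 200 or platform is None:
            return None
        self.mapping[stored["B-TID"]] = third["Ks_ext_NAF"]  # S115: one-to-one mapping
        return ca_issue(platform, stored["B-TID"], self.mapping[stored["B-TID"]], cert_request)

class UE:
    def __init__(self, impi, k):
        self.impi, self.k = impi, k

    def request_certificate(self, naf, cert_request):
        first = naf.forward_key_generation(self.impi)  # S102
        rand = first["RAND"]
        if not hmac.compare_digest(first["AUTN"], kdf(self.k, b"autn", rand)[:16]):
            return None  # the network side did not authenticate itself
        second = naf.forward_b_tid_request(self.impi, kdf(self.k, b"res", rand)[:8])  # S206
        if second["status"] != 200:
            return None
        ks = kdf(self.k, b"ck", rand) + kdf(self.k, b"ik", rand)
        ks_naf = kdf(ks, b"gba-me", rand, self.impi.encode(), naf.naf_id)  # S111: Ks_NAF
        req = {"B-TID": second["B-TID"], "tag": kdf(ks_naf, second["B-TID"].encode())}
        return naf.forward_app_key_request(self.impi, req, cert_request)  # S112

def run_flow(cert_type, service, ue_key=b"K" * 16):
    """Run the flow for one UE; returns the distributed certificate information or None."""
    bsf = BSF({"user@ims.example": {"K": b"K" * 16, "GUSS": {"V2X": True, "X509": True}}})
    naf = NAF(bsf, b"naf.example", {"V2X": "V2X-CA", "X509": "X509-CA"})
    return UE("user@ims.example", ue_key).request_certificate(naf, {"type": cert_type, "service": service})
```

A UE holding a wrong long-term key fails the AUTN check and never reaches the BSF, and a certificate type with no registered platform yields no certificate, which is the routing decision the NAF makes in S116.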
According to the certificate distribution method provided by this embodiment, the security problem caused by the user terminal directly accessing the guiding service device is solved by using the network application device; that is, the network application device mainly plays the role of message forwarding in the certificate distribution interaction flow. First, the user terminal obtains a certificate service request sent by the user and sends a key generation request, which the network application device forwards to the guiding service device; after the guiding service device receives the key generation request, it returns a first response message containing a random number and an authentication token, which the network application device forwards to the user terminal. The user terminal sends a B-TID request to the network application device according to the random number and the authentication token in the first response message, and the network application device forwards it to the guiding service device; after receiving the request, the guiding service device returns a second response message, which the network application device stores and forwards to the user terminal. After receiving the second response message, the user terminal determines the shared user session key corresponding to the user terminal and sends an application session key request according to that key, which the network application device forwards to the guiding service device. The guiding service device returns a third response message containing the application session key; the network application device maps the application session key to the B-TID in the stored second response message and sends the mapping information together with the certificate service request to the target authentication platform corresponding to the certificate service, which generates the certificate information and returns it to the network application device for distribution to the user terminal.
According to the method, the problem that the user terminal directly accesses the guiding service equipment to cause information leakage of the guiding service equipment is effectively avoided by using the network application equipment, namely the problem that in the aspect of safety, the terminal and the CA authentication platform are both connected with the network element, and potential safety hazards exist due to the fact that the terminal directly accesses the BSF is effectively solved; the network application equipment identifies the target authentication platform corresponding to the certificate service to generate the corresponding certificate information and then distributes the corresponding certificate information, so that the problem that one digital certificate can only provide service for one equipment and cannot meet the security requirement scene of 5G terminal multi-service differentiation when a single type of certificate is distributed in terms of service compatibility is effectively solved.
Fig. 2 is a second flowchart of a certificate distribution method according to an embodiment of the present application. As shown in fig. 2, this embodiment describes a method for distributing a certificate in detail based on the embodiment of fig. 1. It should be noted that, the target authentication platform provided in this embodiment is a target authentication platform corresponding to a certificate service of a certificate service request sent by a user terminal, different certificate service requests correspond to different certificate services, that is, correspond to different target authentication platforms, where the number of target authentication platforms may be plural, and this embodiment only uses one target authentication platform corresponding to a certificate service of a certificate service request sent by a user terminal in this embodiment as an example for explanation, where the certificate distribution method shown in this embodiment includes:
S201, acquiring a certificate service request sent by a user.
Step S201 is similar to step S101 described above, and will not be described here.
And S202, sending a key generation request according to the certificate service request.
Step S202 is similar to step S102 described above, and will not be described here.
And S203, forwarding the key generation request.
Step S203 is similar to step S103 described above, and will not be described here.
S204, sending a first response message, wherein the first response message comprises a random number and an authentication token.
Step S204 is similar to step S104 described above, and will not be described here.
S205, forwarding the first response message, where the first response message includes: and the random number and the authentication token corresponding to the user terminal.
Step S205 is similar to step S105 described above, and will not be described here.
S206, determining the RES value according to the random number and the authentication token, carrying the RES value in the B-TID request and sending the B-TID request.
In this step, the user terminal calculates the RES value according to the random number and the authentication token, then carries the RES value in the B-TID request and sends the B-TID request to the network application device.
S207, forwarding the B-TID request.
Step S207 is similar to step S107 described above, and will not be described here.
And S208, sending a second response message according to the B-TID request.
Step S208 is similar to step S108 described above, and will not be described here.
And S209, carrying out storage processing on the second response message.
Step S209 is similar to step S109 described above, and will not be described here.
And S210, forwarding the second response message.
Step S210 is similar to step S110 described above, and will not be described here.
S211, determining a shared user session key corresponding to the user terminal according to the second response message.
Step S211 is similar to step S111 described above, and will not be described here.
S212, sending an application session key request according to the shared user session key.
Step S212 is similar to step S112 described above, and will not be described here.
And S213, forwarding the application session key request.
Step S213 is similar to step S113 described above, and will not be described here.
And S214, generating an application session key according to the application session key request and the shared user session key, and writing the application session key into the third response message.
In this step, the guiding service device generates an application session key from the application session key request and the shared user session key.
And S215, sending the third response message.
Step S215 is similar to step S114 described above, and will not be described here.
And S216, mapping the B-TID information in the stored second response message and the application session key in the third response message to obtain mapping information.
Step S216 is similar to step S115 described above, and will not be described here.
S217, the mapping information and the certificate service request sent by the user terminal are sent.
The network application equipment sends the mapping information and the certificate service request sent by the user terminal to the target authentication platform.
S218, generating certificate information according to the mapping information and the certificate service request.
The step is that the target authentication platform generates certificate information according to the mapping information and the certificate service request, and the target authentication platform may be, for example: the CA authentication platforms corresponding to the certificate services correspond to different certificate services, namely correspond to different target authentication platforms, and the target authentication platforms can be multiple. The process of generating the certificate may be, for example: the CA authentication platform applies for K1 to K4 to the network application device, where the application of K1 may be, for example, encryption, the application of K2 may be, for example, application for authenticating a CA certificate, in specific use, K1 to K4 may be selected according to the application in the prior art, where, without specific limitation, the network application device responds to the K1 to K4 application of the CA authentication platform, the CA authentication platform encrypts and decrypts a response message of the network application device according to a key, and the CA authentication platform generates corresponding information according to a request type, where the information may be, for example: the CA authentication platform returns the authentication information and the certificate to the network application equipment, so that the generation of the certificate information is completed, and the network application equipment can be: the NAF may be a device having the same function as the NAF in the prior art, and may be flexibly selected according to the actual situation when in use, which is not particularly limited herein.
And S219, sending the certificate information.
The step is that the target authentication platform sends certificate information to the network application equipment.
And S220, distributing the certificate information.
Step S220 is similar to step S117 described above, and will not be described here.
Optionally, the obtaining a key generation request sent by the network application device, and sending a first response message to the network application device according to the key generation request, where the first response message includes a random number and an authentication token, includes:
sending a first request to a user server according to the key generation request, wherein the first request is used for indicating that a user authentication vector and subscription information are acquired from the user server;
the user server generates authentication data according to the user authentication vector and subscription information, and completes authentication according to the authentication data;
and after the authentication is completed by the user server, a first response message is sent to the network application equipment according to the key generation request.
According to the certificate distribution method provided by the embodiment, the user terminal is introduced to determine the RES value according to the random number and the authentication token in the first response message, then the RES value is carried into the B-TID request and is sent to the network application equipment, and the RES value is determined through the random number and the authentication token, so that the accuracy of data transmission is effectively improved; and the guiding of the service equipment to generate a third response message containing the application session key corresponding to the application session key request is completed by firstly generating the application session key according to the application session key request and the shared user session key, and then writing the application session key into the third response message and sending the third response message to the network application equipment. The method effectively solves the problems that public key encryption authentication based on the digital certificate can have safety and service compatibility, and in the aspect of safety, a terminal and a CA authentication platform are both connected with a network element, so that the terminal can have potential safety hazards due to direct access to the BSF; in terms of service compatibility, when a single type of certificate is distributed, one digital certificate can only provide service for one device, and cannot meet the security requirement scene of multi-service differentiation of a 5G terminal.
Fig. 3 is a schematic structural diagram of a certificate distributing apparatus according to an embodiment of the present application. As shown in fig. 3, the certificate distribution apparatus 300 provided in the present application includes:
an obtaining module 301, configured to obtain a certificate service request sent by a user, and send a key generation request to a network application device according to the certificate service request;
the acquiring module 301 is further configured to acquire a first response message sent by the network application device, and send a B-TID request to the network application device according to a random number and an authentication token in the first response message;
the acquiring module 301 is further configured to acquire a second response message sent by the network application device, and determine a shared user session key corresponding to the user terminal according to the second response message;
and the sending module 302 is configured to send an application session key request to the network application device according to the shared user session key, so that the network application device distributes corresponding certificate information to the user terminal according to the application session key request.
Optionally, the apparatus further includes: a determining module 303;
the determining module 303 is configured to determine a RES value according to the random number and the authentication token, carry the RES value in the B-TID request, and send the B-TID request to the network application device.
Fig. 4 is a schematic structural diagram of a certificate distributing apparatus according to an embodiment of the present application. As shown in fig. 4, the certificate distribution apparatus 400 provided in the present application includes:
an obtaining module 401, configured to obtain a key generation request sent by a user terminal, and forward the key generation request to a guiding service device, so that the guiding service device determines a random number and an authentication token corresponding to the user terminal according to the key generation request;
the obtaining module 401 is further configured to obtain a first response message sent by the bootstrap service device, and forward the first response message to the user terminal, where the first response message includes: the random number and the authentication token corresponding to the user terminal;
the obtaining module 401 is further configured to obtain a B-TID request sent by the user terminal, and forward the B-TID request to the guiding service device;
the obtaining module 401 is further configured to obtain a second response message sent by the bootstrap service device, store the second response message, and forward the second response message to the user terminal, so that the user terminal determines, according to the second response message, a shared user session key corresponding to the user terminal, where the second response message includes: the B-TID requests corresponding B-TID information;
the obtaining module 401 is further configured to obtain an application session key request sent by the user terminal, and forward the application session key request to the bootstrap service device;
the obtaining module 401 is further configured to obtain a third response message sent by the bootstrap service device, and perform mapping processing on the B-TID information in the stored second response message and the application session key in the third response message to obtain mapping information;
a sending module 402, configured to send the mapping information and the certificate service request sent by the user terminal to a target authentication platform corresponding to the certificate service, so that the target authentication platform generates certificate information according to the mapping information and the certificate service request;
the obtaining module 401 is further configured to obtain the certificate information sent by the target authentication platform, and distribute the certificate information to the user terminal.
Fig. 5 is a schematic structural diagram of a certificate distributing apparatus according to an embodiment of the present application. As shown in fig. 5, the certificate distribution apparatus 500 provided in the present application includes:
a generating module 501, configured to obtain a key generation request sent by a network application device, and send a first response message to the network application device according to the key generation request, where the first response message includes a random number and an authentication token;
an obtaining module 502, configured to obtain a B-TID request sent by the network application device, and send a second response message to the network application device according to the B-TID request, so that the network application device forwards the second response message to a user terminal, and the user terminal determines, according to the second response message, a shared user session key corresponding to the user terminal, where the second response message includes: the B-TID requests corresponding B-TID information;
the obtaining module 502 is further configured to obtain an application session key request sent by the network application device, and send a third response message to the network application device according to the application session key request, where the third response message includes an application session key corresponding to the application session key request.
Optionally, the apparatus further includes: a transmitting module 503;
the generating module 501 is further configured to send a first request to a user server according to the key generation request, where the first request instructs the user server to return a user authentication vector and subscription information;
the generating module 501 is further configured to generate authentication data, by means of the user server, from the user authentication vector and the subscription information, and to complete authentication according to the authentication data;
the sending module 503 is configured to send the first response message to the network application device according to the key generation request once the user server has completed authentication.
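The message flow the apparatus embodiments above describe (user terminal, network application device, boot service device, user server and target authentication platform), as an added example that is not the applicants' code. Each party is a small object; the HMAC-based RES/AUTN/Ks derivations in kdf, the identifiers, the keyed application session key request and the terminal-side verify_binding check are assumptions standing in for the AKA/GBA algorithms the page does not name.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field

def kdf(key: bytes, *parts: bytes) -> bytes:  # stand-in derivation; the page names no algorithm
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

@dataclass
class UserServer:  # subscriber database queried by the BSF (first request)
    subscribers: dict  # imsi -> long-term key K (constructed values)

    def auth_vector(self, imsi):
        k = self.subscribers[imsi]
        rand = secrets.token_bytes(16)
        return rand, kdf(k, b"autn", rand), kdf(k, b"res", rand)  # RAND, AUTN, XRES

@dataclass
class BootServiceDevice:  # BSF; it only ever talks to the network application device
    hss: UserServer
    pending: dict = field(default_factory=dict)   # imsi -> (rand, xres)
    sessions: dict = field(default_factory=dict)  # b_tid -> shared user session key Ks

    def key_generation(self, imsi):  # first response message
        rand, autn, xres = self.hss.auth_vector(imsi)
        self.pending[imsi] = (rand, xres)
        return {"rand": rand, "autn": autn}

    def b_tid_request(self, imsi, res):  # second response message
        rand, xres = self.pending.pop(imsi)
        if not hmac.compare_digest(res, xres):
            raise PermissionError("RES does not match XRES")
        b_tid = secrets.token_hex(8) + "@bsf.example"
        self.sessions[b_tid] = kdf(self.hss.subscribers[imsi], b"ks", rand)
        return {"b_tid": b_tid}

    def app_session_key(self, req):  # third response message
        ks = self.sessions[req["b_tid"]]
        if not hmac.compare_digest(req["mac"], kdf(ks, b"req", req["b_tid"].encode())):
            raise PermissionError("request is not keyed with Ks")
        return {"ks_naf": kdf(ks, b"naf", req["naf_id"].encode())}

@dataclass
class UserTerminal:
    imsi: str
    k: bytes  # same long-term key the user server holds

    def res(self, rand, autn):  # check AUTN (network authentication) before answering
        if not hmac.compare_digest(autn, kdf(self.k, b"autn", rand)):
            raise PermissionError("AUTN check failed")
        return kdf(self.k, b"res", rand)

    def shared_key(self, rand):
        return kdf(self.k, b"ks", rand)

    def app_key_request(self, b_tid, ks, naf_id):  # request built from Ks
        return {"b_tid": b_tid, "naf_id": naf_id, "mac": kdf(ks, b"req", b_tid.encode())}

def issue_certificate(mapping, cert_request):  # target authentication platform (CA)
    binding = kdf(mapping["ks_naf"], b"cert", mapping["b_tid"].encode()).hex()
    return {"subject": cert_request["subject"], "b_tid": mapping["b_tid"], "binding": binding}

def distribute_certificate(ue, bsf, naf_id, cert_request):  # network application device
    first = bsf.key_generation(ue.imsi)               # forwarded to the terminal
    res = ue.res(first["rand"], first["autn"])
    second = bsf.b_tid_request(ue.imsi, res)          # stored by the NAF, then forwarded
    ks = ue.shared_key(first["rand"])                  # terminal-side Ks
    third = bsf.app_session_key(ue.app_key_request(second["b_tid"], ks, naf_id))
    mapping = {"b_tid": second["b_tid"], "ks_naf": third["ks_naf"]}  # B-TID -> Ks_NAF
    return issue_certificate(mapping, cert_request), ks

def verify_binding(cert, ks, naf_id):  # terminal-side check; an assumption, not on the page
    expected = kdf(kdf(ks, b"naf", naf_id.encode()), b"cert", cert["b_tid"].encode()).hex()
    return hmac.compare_digest(cert["binding"], expected)

def demo():
    k = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # constructed subscriber key
    ue = UserTerminal("460010000000001", k)
    bsf = BootServiceDevice(UserServer({ue.imsi: k}))
    return distribute_certificate(ue, bsf, "naf.example", {"subject": "CN=ue-1"})
```

The terminal never addresses the boot service device itself; every message passes through distribute_certificate, which is the only party holding the B-TID to Ks_NAF mapping.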
Fig. 6 is a schematic structural diagram of a certificate distributing apparatus provided in the present application. As shown in fig. 6, the present application provides a certificate distribution apparatus 600 including: a receiver 601, a transmitter 602, a processor 603 and a memory 604.
A receiver 601 for receiving instructions and data;
a transmitter 602 for transmitting instructions and data;
memory 604 for storing computer-executable instructions;
the processor 603 is configured to execute computer-executable instructions stored in the memory 604 to implement the steps performed by the certificate distribution method in the above embodiment. Reference may be made in particular to the description of the embodiments of the certificate distribution method described above.
Alternatively, the memory 604 may be separate or integrated with the processor 603.
When the memory 604 is provided separately, the electronic device further comprises a bus for connecting the memory 604 and the processor 603.
The present application also provides a computer-readable storage medium in which computer-executable instructions are stored, which when executed by a processor, implement a certificate distribution method as performed by the above-described certificate distribution apparatus.
Those of ordinary skill in the art will appreciate that all or some of the steps, systems, functional modules/units in the apparatus, and methods disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between the functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed cooperatively by several physical components. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as known to those skilled in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer.
Furthermore, as is well known to those of ordinary skill in the art, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the application following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the application pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It is to be understood that the present application is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (11)

1. A certificate distribution method, applied to a user terminal, comprising:
acquiring a certificate service request sent by a user, and sending a key generation request to network application equipment according to the certificate service request;
acquiring a first response message sent by the network application equipment, and sending a B-TID request to the network application equipment according to a random number and an authentication token in the first response message;
Acquiring a second response message sent by the network application equipment, and determining a shared user session key corresponding to the user terminal according to the second response message;
and sending an application session key request to the network application equipment according to the shared user session key, so that the network application equipment distributes corresponding certificate information to the user terminal according to the application session key request.
2. The method of claim 1, wherein the sending the B-TID request to the network application device based on the random number and the authentication token in the first response message comprises:
and determining an RES value according to the random number and the authentication token, carrying the RES value into the B-TID request and sending the B-TID request to the network application equipment.
3. A certificate distribution method, applied to a network application device, comprising:
acquiring a key generation request sent by a user terminal, and forwarding the key generation request to a guiding service device, so that the guiding service device determines a random number and an authentication token corresponding to the user terminal according to the key generation request;
acquiring a first response message sent by the guiding service device, and forwarding the first response message to the user terminal, wherein the first response message comprises: the random number and the authentication token corresponding to the user terminal;
Acquiring a B-TID request sent by the user terminal, and forwarding the B-TID request to the guiding service equipment;
acquiring a second response message sent by the guiding service device, storing the second response message, and forwarding the second response message to the user terminal, so that the user terminal determines a shared user session key corresponding to the user terminal according to the second response message, wherein the second response message comprises: the B-TID requests corresponding B-TID information;
acquiring an application session key request sent by the user terminal, and forwarding the application session key request to the guiding service equipment;
acquiring a third response message sent by the guiding service equipment, and carrying out mapping processing on the B-TID information in the stored second response message and the application session key in the third response message to obtain mapping information;
sending the mapping information and the certificate service request sent by the user terminal to a target authentication platform corresponding to the certificate service, so that the target authentication platform generates certificate information according to the mapping information and the certificate service request;
And acquiring the certificate information sent by the target authentication platform and distributing the certificate information to the user terminal.
4. A certificate distribution method, applied to a boot service device, comprising:
acquiring a key generation request sent by network application equipment, and sending a first response message to the network application equipment according to the key generation request, wherein the first response message comprises a random number and an authentication token;
acquiring a B-TID request sent by the network application equipment, and sending a second response message to the network application equipment according to the B-TID request so that the network application equipment forwards the second response message to a user terminal, wherein the user terminal determines a shared user session key corresponding to the user terminal according to the second response message, and the second response message comprises: the B-TID requests corresponding B-TID information;
and acquiring an application session key request sent by the network application equipment, and sending a third response message to the network application equipment according to the application session key request, wherein the third response message comprises an application session key corresponding to the application session key request.
5. The method of claim 4, wherein the obtaining the key generation request sent by the network application device, and sending a first response message to the network application device according to the key generation request, where the first response message includes a random number and an authentication token, includes:
sending a first request to a user server according to the key generation request, wherein the first request is used for indicating that a user authentication vector and subscription information are acquired from the user server;
the user server generates authentication data according to the user authentication vector and subscription information, and completes authentication according to the authentication data;
and after the authentication is completed by the user server, a first response message is sent to the network application equipment according to the key generation request.
6. The method of claim 4, wherein the obtaining the application session key request sent by the network application device and sending a third response message to the network application device according to the application session key request, comprises:
generating an application session key according to the application session key request and the shared user session key, and writing the application session key into the third response message;
And sending the third response message to the network application equipment.
7. A certificate distribution apparatus, characterized by being applied to a user terminal, comprising:
the acquisition module is used for acquiring a certificate service request sent by a user and sending a key generation request to the network application equipment according to the certificate service request;
the acquisition module is further used for acquiring a first response message sent by the network application equipment and sending a B-TID request to the network application equipment according to the random number and the authentication token in the first response message;
the acquisition module is further configured to acquire a second response message sent by the network application device, and determine a shared user session key corresponding to the user terminal according to the second response message;
and the sending module is used for sending an application session key request to the network application equipment according to the shared user session key so that the network application equipment distributes corresponding certificate information to the user terminal according to the application session key request.
8. A certificate distribution apparatus, characterized by being applied to a network application device, comprising:
the acquisition module is used for: acquiring a key generation request sent by a user terminal, and forwarding the key generation request to a guiding service device, so that the guiding service device determines a random number and an authentication token corresponding to the user terminal according to the key generation request;
The obtaining module is further configured to obtain a first response message sent by the guidance service device, and forward the first response message to the user terminal, where the first response message includes: the random number and the authentication token corresponding to the user terminal;
the acquisition module is further configured to acquire a B-TID request sent by the user terminal, and forward the B-TID request to the guiding service device;
the obtaining module is further configured to obtain a second response message sent by the service guiding device, store the second response message, and forward the second response message to the user terminal, so that the user terminal determines, according to the second response message, a shared user session key corresponding to the user terminal, where the second response message includes: the B-TID requests corresponding B-TID information;
the acquisition module is further configured to acquire an application session key request sent by the user terminal, and forward the application session key request to the guiding service device;
the acquisition module is further configured to acquire a third response message sent by the guiding service device, and perform mapping processing on the B-TID information in the stored second response message and the application session key in the third response message to obtain mapping information;
and a sending module, configured to send the mapping information and the certificate service request sent by the user terminal to a target authentication platform corresponding to the certificate service, so that the target authentication platform generates certificate information according to the mapping information and the certificate service request;
the acquisition module is further configured to acquire the certificate information sent by the target authentication platform, and distribute the certificate information to the user terminal.
9. A certificate distribution apparatus, characterized by being applied to a guidance service device, comprising:
the generation module is used for acquiring a key generation request sent by the network application equipment, and sending a first response message to the network application equipment according to the key generation request, wherein the first response message comprises a random number and an authentication token;
the obtaining module is configured to obtain a B-TID request sent by the network application device, and send a second response message to the network application device according to the B-TID request, so that the network application device forwards the second response message to a user terminal, and the user terminal determines, according to the second response message, a shared user session key corresponding to the user terminal, where the second response message includes: the B-TID requests corresponding B-TID information;
The acquisition module is further configured to acquire an application session key request sent by the network application device, and send a third response message to the network application device according to the application session key request, where the third response message includes an application session key corresponding to the application session key request.
10. A certificate distribution apparatus, characterized by comprising:
a memory;
a processor;
wherein the memory stores computer-executable instructions;
the processor executes computer-executable instructions stored in the memory to implement the certificate distribution method of any one of claims 1-6.
11. A computer readable storage medium having stored therein computer executable instructions which when executed by a processor are adapted to implement the method of distributing certificates according to any of claims 1-6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410089796.6A CN117880806A (en) 2024-01-22 2024-01-22 Certificate distribution method, device, equipment and storage medium


Publications (1)

Publication Number Publication Date
CN117880806A true CN117880806A (en) 2024-04-12

Family

ID=90582832


Country Status (1)

Country Link
CN (1) CN117880806A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination