WO2018050081A1 - Device identity authentication method and apparatus, and storage medium - Google Patents

Device identity authentication method and apparatus, and storage medium

Info

Publication number
WO2018050081A1
Authority
WO
WIPO (PCT)
Prior art keywords
public key
certificate
identity information
device identity
bound
Prior art date
Application number
PCT/CN2017/101655
Other languages
English (en)
Chinese (zh)
Inventor
庄小君
左敏
刘福文
彭晋
Original Assignee
中国移动通信有限公司研究院
中国移动通信集团公司
Application filed by 中国移动通信有限公司研究院, 中国移动通信集团公司
Publication of WO2018050081A1

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W12/06 Authentication
              • H04W12/069 Authentication using certificates or pre-shared keys
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
              • H04L9/3226 using a predetermined code, e.g. password, passphrase or PIN
              • H04L9/3247 involving digital signatures
              • H04L9/3271 using challenge-response
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/04 for providing a confidential data exchange among entities communicating through data packet networks
              • H04L63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                • H04L63/0442 wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
            • H04L63/08 for authentication of entities
              • H04L63/0876 based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Definitions

  • the present application relates to the field of network and information security, and in particular, to a method, an apparatus, an electronic device, and a computer storage medium for device identity authentication.
  • the identity of the mobile device is generally identified using an International Mobile Equipment Identity (IMEI).
  • IMEI International Mobile Equipment Identity
  • the IMEI is stored in the mobile device and can be used to monitor stolen or invalid mobile devices.
  • however, the IMEI of the mobile device is stored in the memory of the mobile device, and the IMEI is also printed on the back of the device body, so the IMEI of the mobile device is easily leaked.
  • there is also malware that can tamper with the IMEI in certain models of mobile devices.
  • the IMEI is used only as reference information; the identity of the mobile device, i.e. the IMEI, is not authenticated.
  • 5G 5th Generation Mobile Communication
  • 3GPP 3rd Generation Partnership Project
  • the 5G network system needs to authenticate not only the subscription identity associated with the device but also the identity of the device itself.
  • to authenticate the device identity by the IMEI, the network side needs the mobile device to report its IMEI, and the IMEI needs to be transmitted in a security-protected message.
  • this requires that the mobile device has successfully connected to the network and completed the Non-access Stratum (NAS) security negotiation.
  • NAS Non-access Stratum
  • AS Access Stratum
  • the identity stored in the device may, however, have been tampered with before the integrity and confidentiality protection key negotiation completes. If subsequent communication is based directly on this identity information, the security is obviously low.
  • the embodiment of the present invention provides a method and device for device identity authentication, which is used to solve the problem of low security caused by relying on the identity information stored on the device.
  • the embodiment of the present application provides a method for device identity authentication, including:
  • the user equipment UE receives the device identity authentication request sent by the authentication center;
  • the device identity authentication response message carries the device identity information of the UE and a digital signature of the device identity generated by using the device private key, and the digital signature is used by the authentication center to perform verification based on a device public key that has a binding relationship with the device identity information.
  • a further embodiment of the present application provides a method for device identity authentication, including:
  • the authentication center receives the device identity authentication response message sent by the user equipment UE, where the device identity authentication response message carries the device identity information of the UE and the digital signature of the device identity generated by using the device private key;
  • the digital signature is verified based on the acquired device public key.
  • a further embodiment of the present application provides a method for device identity authentication, including:
  • the subscription device library receives the query request sent by the authentication center, where the query request carries the device identity information of the user equipment UE;
  • a receiving module configured to receive a device identity authentication request sent by the authentication center
  • the sending module is configured to send a device identity authentication response message to the authentication center, where the device identity authentication response message carries the device identity information of the UE and the digital signature of the device identity generated by using the device private key.
  • the digital signature is used for the authentication center to perform verification based on the device public key having a binding relationship with the device identity information.
  • a receiving module configured to receive a device identity authentication response message sent by the user equipment UE, where the device identity authentication response message carries the device identity information of the UE and a digital signature of the device identity generated by using the device private key;
  • An acquiring module configured to acquire a device public key that is bound to the device identity information
  • a verification module configured to verify the digital signature based on the acquired device public key.
  • a receiving module configured to receive a query request sent by the authentication center, where the query request carries device identity information of the user equipment UE;
  • the query module is configured to query, according to the query request, a device public key that is bound to the device identity information of the UE;
  • the sending module is configured to send the queried device public key to the authentication center.
  • a further embodiment of the present application provides an electronic device, where the electronic device includes: a transceiver, a memory, and a processor; at least a portion of the memory stores computer executable instructions;
  • the processor is respectively coupled to the transceiver and the memory, and is configured to execute the computer executable instructions and, by executing them, implement one or more of the aforementioned methods of device identity authentication.
  • the present application also provides an embodiment for providing a computer storage medium having stored therein computer executable instructions for implementing the method of one or more of the aforementioned device identity authentications.
  • the user equipment UE generates a digital signature of the device identity by using the device private key, and when performing device identity authentication sends the device identity information of the UE and the digital signature of the device identity generated by using the private key to the authentication center on the network side.
  • the authentication center verifies the digital signature of the device identity generated by using the private key by obtaining the device public key that has the binding relationship with the device identity information. If the device identity information of the UE has been tampered with on the mobile terminal, then when the tampered device identity information is used to query the binding relationship between the device identity information and the device public key, the binding relationship may not be found; and even if a binding relationship is found for the tampered device identity information, the device public key bound to the falsified device identity information cannot decrypt the received digital signature of the device identity, that is, the digital signature verification fails.
  • the network side can thus accurately identify whether the device identity information on the mobile device is identity information that has not been tampered with, and perform the related service according to the legal identity after verifying that the device identity is legal, thereby ensuring the security of the network.
  • FIG. 1 is a flowchart of a NAS security mode negotiation process according to an embodiment of the present application
  • FIG. 3 is a flowchart of a method for device identity authentication according to Embodiment 2 of the present application.
  • FIG. 5 is a flowchart of a method for device identity authentication according to Embodiment 4 of the present application.
  • FIG. 6 is a structural diagram of an apparatus for device identity authentication according to Embodiment 5 of the present application.
  • FIG. 7 is a structural diagram of an apparatus for device identity authentication according to Embodiment 6 of the present application.
  • FIG. 8 is a structural diagram of an apparatus for device identity authentication according to Embodiment 7 of the present application.
  • the NAS security mode negotiation process in Long Term Evolution (LTE) is described first; it may include:
  • the user equipment (User Equipment, UE) reports the UE security capability to the Mobility Management Entity (MME);
  • MME Mobility Management Entity
  • the MME selects the confidentiality and integrity protection algorithm of the NAS signaling according to the UE security capability reported by the UE and the NAS layer algorithm list priority.
  • the MME sends the specified NAS encryption algorithm and the NAS integrity algorithm to the UE through the NAS Security Mode Command (NAS SMC);
  • after receiving the NAS SMC, the UE sends a NAS Security Mode Complete message to the MME; this message is integrity-protected using the integrity algorithm selected by the MME and, optionally, confidentiality-protected using the encryption algorithm selected by the MME.
  • the above NAS security mode completion message initiates integrity and confidentiality protection, after which all NAS signaling will use the integrity and confidentiality algorithms negotiated by the process and the associated keys generated by the authentication negotiation process for integrity and confidentiality protection.
  • the UE may transmit the IMEI to the MME in the NAS message with integrity protection.
  • the network side can only prove that the received IMEI has not been tampered with during transmission; it cannot know whether the IMEI has been modified on the mobile terminal, that is, whether it is still the legitimate IMEI the mobile terminal carried when it left the factory.
  • UE User Equipment
  • when performing device identity authentication, the user equipment generates a digital signature of the device identity by using the device private key, and sends the device identity information of the UE together with that digital signature to the authentication center on the network side.
  • a flowchart of a method for device identity authentication includes the following steps:
  • the authentication center sends a device identity authentication request to the UE.
  • the authentication center may be any network side device having an authentication function, such as a Mobility Management Entity (MME).
  • MME Mobility Management Entity
  • the device identity authentication request is used to request confirmation of whether the mobile device accessing the network is a legitimate device whose device identity has not been tampered with.
  • the UE may have already successfully accessed the network before receiving the device identity authentication request sent by the authentication center; after a secure connection with the authentication center has been established, the authentication center initiates the authentication process.
  • S202 The UE sends a device identity authentication response message to the authentication center.
  • the device identity authentication response message carries the device identity information of the UE and the digital signature of the device identity generated by using the device private key; further, the device certificate can also be carried in the device identity authentication response message.
  • the device identity information includes at least the IMEI of the device, and the public-private key pair of the device may be preset before the mobile device leaves the factory. The public-private key pair may be generated by the mobile device itself, or the device vendor may generate it with a dedicated key-generation tool and then inject the private key into the device.
  • the device private key needs to be stored in a secure environment on the mobile device, such as in a Trusted Platform Module (TPM) chip, or in a Trusted execution environment (TEE).
  • the device certificate can be the device certificate issued by the device vendor's certification authority (CA) to the device, or the device certificate issued by the operator or a third-party certificate authority.
  • CA certification authority
  • the device vendor needs to publish the binding relationship between the device identity information and the device public key, or between the device identity information and the device certificate, to the binding library of the device vendor or of a third party for subsequent query.
  • the authentication center acquires a device public key bound to the device identity information based on the device identity authentication response message sent by the UE.
  • the device public key that is bound to the device identity information may also be a device certificate that is bound to the device identity information, where the device certificate carries the device public key.
  • the device public key or device certificate bound to the device identity information may be obtained by querying, locally or at other devices, the device public key or device certificate bound to the device identity information of the UE, or the device public key may be taken directly from the device certificate carried in the received device identity authentication response message.
  • the other device may specifically be the subscription device library, or a binding library of the device vendor or of a third party.
  • the authentication center may also query the device public key or device certificate bound to the device identity information through a proxy.
  • the authentication center can also store the binding relationship locally, that is, store the binding between the device identity information and the device public key or device certificate, so that after receiving the device identity response message sent by the UE it first queries locally for the device public key or device certificate bound to the received device identity information; if none is found, it queries the binding library of other devices.
  • the authentication center verifies the digital signature based on the obtained device public key.
  • if the authentication center obtains the device public key directly, it only needs to use that public key to verify the digital signature of the device identity information; if it obtains a device certificate carrying the device public key, it first uses the CA certificate or the CA public key to verify the legality of the device certificate, and after verifying that the device certificate is valid, verifies the digital signature of the device identity information based on the device public key in the device certificate.
  • the CA certificate is a certificate owned by the certificate authority.
  • the CA certificate contains the CA public key. The certificate authority can use the public key in the CA certificate to verify whether the device certificate issued by the certificate authority is a legal device certificate.
  • the CA can also directly generate the CA's public and private key pairs without using its own certificate, and use the CA's public key to verify whether the device certificate issued by the certificate authority is a valid device certificate.
  • the CA certificate or the CA public key may be preset in the authentication center, may be obtained by the authentication center by querying other devices, such as the subscription device library or a Home Subscriber Server (HSS), or may be sent by the UE to the authentication center.
  • for example, the UE may include the CA certificate or the CA public key in the device identity authentication response message and send the message to the authentication center.
  • to increase security, after the CA certificate or the CA public key has verified the legality of the device certificate and the digital signature has been verified by using the device public key, the subject name of the device certificate may also be verified based on the device identity information.
  • the subject name of the device certificate may be verified by the authentication center generating a subject name based on the device identity information, and checking whether the generated subject name is the subject name of the device certificate carrying the device public key.
  • the subject name of the device certificate, that is, the distinguished name of the device certificate owner, may be a unique value derived from the IMEI carried in the identity information. For example, the subject name of the device certificate may be set to a hash value of the IMEI; when the subject name of the device certificate is verified, a hash calculation is performed on the device identity IMEI carried in the received identity authentication response message, and the calculated hash value is compared with the subject name in the device certificate.
  • alternatively, the subject name may be information identifying the owner of the device, for example identity card information, name, passport and the like.
  • an algorithm for computing the unique value derived from the IMEI may be preset on the authentication center, and the unique value is calculated by the authentication center based on the preset algorithm and compared with the subject name of the device certificate.
  • the algorithm may also be preset in other network side devices, such as the subscription device library or a Home Subscriber Server (HSS), and that network side device calculates the unique value derived from the IMEI based on the preset algorithm.
  • the authentication center may send a request for obtaining the unique value to the other network side device, and after obtaining the unique value, compare it with the subject name of the device certificate.
  • if the device authentication is successful, it is proved that the identity information of the device is the same as the identity information of the device when it was shipped, that is, the IMEI of the device is proved to be an IMEI that has not been tampered with, and the device identity information is authenticated.
  • if the device authentication fails, the authentication center may send a response message to the UE indicating that authentication failed. If the UE receives the authentication failure response message returned by the authentication center, the user may contact the device vendor for subsequent processing: for example, the device vendor re-allocates the device identity information, generates a public-private key pair bound to the new device identity information, publishes the binding relationship (here, the device public key may be bound to the identity information, or the device certificate carrying the device public key may be bound to the identity information) to the binding library of the device vendor or of a third party, and stores the device private key in a secure environment on the device.
  • a flowchart of a method for device identity authentication includes at least the following steps:
  • the authentication center sends a device identity authentication request to the UE.
  • S302 The UE sends a device identity authentication response message to the authentication center, where the device identity authentication response message carries the device identity information of the UE and the digital signature of the device identity generated by using the device private key.
  • the authentication center sends a request for querying the device public key bound to the device identity information to the subscription device library, based on the device identity authentication response message received from the UE.
  • the subscription device library queries the device public key bound to the device identity information of the UE based on the query request.
  • the subscription device library may be a single entity or a part of the HSS.
  • the subscription device library can be used to query the binding relationship between the device public key and the device identity information, and can also be used to query the binding relationship between the device certificate carrying the device public key and the device identity information.
  • the device public key bound to the device identity information of the UE may be obtained by querying the device vendor's binding library of device identity information and device public keys, in which the device vendor publishes the device identity information of all its mobile devices together with the device public keys bound to them, and whose interface is opened to the operator for querying.
  • the device public key bound to the device identity information of the UE may also be obtained by querying a binding library of device identity information and device public keys of all mobile devices established by a third party; the third party can open the interface to authorized operators for querying.
  • the subscription device library can also query the device public key bound to the device identity information of the UE through a proxy.
  • the subscription device library may store the binding relationship locally after the device identity information and the device public key have been bound, so that on receiving the query message sent by the authentication center it first checks locally whether a device public key bound to the device identity information exists; if not, it queries the binding library of device identity information and device public keys of the device vendor or of a third party.
  • S305 The subscription device library sends the queried device public key to the authentication center.
  • the authentication center verifies the digital signature based on the obtained device public key.
  • the digital signature can also be verified by the subscription device library based on the queried device public key. In that implementation, in step S303 the authentication center does not send a query request to the subscription device library but instead forwards the received device identity authentication response message to it; the subscription device library then queries the device public key bound to the device identity information in the device identity authentication response message and verifies the digital signature.
  • the device identity authentication request sent by the authentication center and the device identity authentication response message sent by the UE to the authentication center may be separate signaling messages, or may be included in other signaling messages, respectively. If the embodiment of the present application is applied to a 4G network, the device identity authentication request and the device identity authentication response message may be included in an existing NAS SMC and NAS Security Mode Complete (NAS SMP), respectively.
  • NAS SMP NAS Security Mode Complete
  • the device identity authentication request process may also be completed while the UE requests access to the network, that is, when the UE sends a network access request to the authentication center, it may directly carry the device identity information and the digital signature of the device identity generated by using the device private key in the access request message, so that the authentication center can verify the digital signature of the device identity based on the received device identity information and the obtained device public key bound to that device identity information before the UE successfully accesses the network.
  • however, since the access request message sent by the UE to access the network may not have integrity and confidentiality protection, the device identity information may be tampered with on the transmission path.
  • in that case the network side can only detect that the device identity information has been tampered with, but cannot determine whether it was tampered with on the terminal or on the transmission link. Therefore, it is recommended that the device identity authentication process be performed after the UE has successfully accessed the network.
  • a flowchart of a method for device identity authentication includes the following steps:
  • the authentication center sends a device identity authentication request to the UE.
  • the UE sends a device identity authentication response message to the authentication center, where the device identity authentication response message carries the device identity information of the UE and the digital signature of the device identity generated by using the device private key.
  • the authentication center sends, according to the device identity authentication response message sent by the UE, a request for querying a device certificate bound to the device identity information, where the device certificate carries the device public key.
  • the subscription device library queries the device certificate bound to the device identity information of the UE based on the query request.
  • the device certificate bound to the device identity information of the UE is obtained by querying the binding library of the device vendor or of a third party.
  • the device vendor applies for the device certificate before the device leaves the factory, and the binding relationship between the device certificate and the device identity information, together with the CA certificate or the CA public key, is published to the binding library of the device vendor or of a third party for subsequent query.
  • the contracted device library can query the device certificate bound to the device identity information of the UE through the proxy.
  • the contracted device library can store the binding relationship locally once the device identity information and the device certificate have been bound. After receiving the query message sent by the authentication center, it can first query locally for the device certificate bound to the device identity information; if none is found, it queries the binding library of device identity information and device certificates maintained by the device vendor or a third party.
  • the contracted device library sends the queried device certificate bound to the device identity information of the UE to the authentication center.
  • after obtaining the device certificate bound to the device identity information of the UE, the authentication center uses the CA certificate or the CA public key to verify the legality of the device certificate, and after verifying that the device certificate is legal, verifies the digital signature based on the device public key carried in the device certificate.
  • a flowchart of a method for device identity authentication includes the following steps:
  • the authentication center sends a device identity authentication request to the UE.
  • the UE sends a device identity authentication response message to the authentication center, where the device identity authentication response message carries the device identity information of the UE, the digital signature of the device identity generated by using the device private key, and the device certificate.
  • the authentication center uses the CA certificate or the CA public key to verify the legality of the device certificate, and after verifying that the device certificate is legal, the digital signature is verified based on the device public key carried in the device certificate.
  • after the digital signature is verified, the authentication center verifies the subject name of the device certificate based on the device identity information.
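The two verification flows described above (the device certificate fetched from the subscription device library on the network side, or the device certificate carried in the response message and checked for subject-name binding) can be worked through end to end. The following Go program is an added example and is not code from the patent or its applicant. It assumes ECDSA P-256 keys, X.509 certificates with the device identity placed in the subject common name, an in-memory map standing in for the subscription device library, and a constructed `AuthResponse` structure and sample identity; the patent does not specify any of these encodings.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// AuthResponse stands in for the device identity authentication response message;
// its layout is an assumption for this example, not the patent's signalling format.
type AuthResponse struct {
	DeviceID  string // device identity information
	Signature []byte // signature over DeviceID made with the device private key
	CertDER   []byte // device certificate if the UE sends it; nil when the network looks it up
}

func certTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
}

// newCA creates the vendor or third-party CA whose certificate the authentication center trusts.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := certTemplate(1, "Example Device Vendor CA")
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueDeviceCert is the factory step: the vendor binds the device identity to the
// device public key by placing the identity in the certificate subject.
func issueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, id string, devPub *ecdsa.PublicKey) ([]byte, error) {
	tmpl := certTemplate(2, id)
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	return x509.CreateCertificate(rand.Reader, tmpl, ca, devPub, caKey)
}

// signDeviceID is the UE side: sign the device identity with the device private key.
func signDeviceID(devKey *ecdsa.PrivateKey, id string) ([]byte, error) {
	h := sha256.Sum256([]byte(id))
	return ecdsa.SignASN1(rand.Reader, devKey, h[:])
}

// verifyAuthResponse is the authentication-center side. ca is the trusted CA certificate;
// lookup models the subscription device library (certificate bound to an identity, if any).
func verifyAuthResponse(resp AuthResponse, ca *x509.Certificate, lookup func(string) ([]byte, bool)) error {
	certDER := resp.CertDER
	if certDER == nil { // certificate not in the message: query the library instead
		der, ok := lookup(resp.DeviceID)
		if !ok { return errors.New("no device certificate bound to this device identity") }
		certDER = der
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil { return fmt.Errorf("malformed device certificate: %w", err) }
	// 1. Legality of the device certificate: it must chain to the trusted CA.
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("device certificate not issued by a trusted CA: %w", err)
	}
	// 2. The device public key carried in the certificate must verify the signature.
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256([]byte(resp.DeviceID))
	if !ok || !ecdsa.VerifyASN1(pub, h[:], resp.Signature) {
		return errors.New("digital signature over the device identity is invalid")
	}
	// 3. Subject-name binding: otherwise a valid certificate and signature belonging
	// to some other device would be accepted for the claimed identity.
	if cert.Subject.CommonName != resp.DeviceID {
		return errors.New("certificate subject does not match the claimed device identity")
	}
	return nil
}

func main() {
	ca, caKey, err := newCA()
	if err != nil { panic(err) }
	devKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	const id = "IMEI-490154203237518" // constructed sample identity
	certDER, _ := issueDeviceCert(ca, caKey, id, &devKey.PublicKey)
	sig, _ := signDeviceID(devKey, id)
	library := map[string][]byte{id: certDER} // constructed subscription device library
	lookup := func(q string) ([]byte, bool) { c, ok := library[q]; return c, ok }
	fmt.Println("certificate from library:", verifyAuthResponse(AuthResponse{DeviceID: id, Signature: sig}, ca, lookup))
	fmt.Println("certificate in response:", verifyAuthResponse(AuthResponse{DeviceID: id, Signature: sig, CertDER: certDER}, ca, lookup))
}
```

The order of the three checks matters for the second flow: the subject-name comparison in step 3 is what ties the certificate that arrived in the message to the identity the UE claims, since steps 1 and 2 alone would also pass for any legitimately issued certificate and its matching key. In the first flow the library is keyed by identity, so step 3 is redundant but harmless.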
  • the embodiments of the present application further provide a device identity authentication apparatus corresponding to the device identity authentication method.
  • since the principle by which the apparatus solves the problem is similar to that of the device identity authentication method in the embodiments of the present application, the implementation of the apparatus can refer to the implementation of the method, and repeated description is omitted.
  • the device structure diagram of device identity authentication provided in Embodiment 5 of the present application includes:
  • the receiving module 61 is configured to receive a device identity authentication request sent by the authentication center.
  • the sending module 62 is configured to send a device identity authentication response message to the authentication center, where the device identity authentication response message carries the device identity information of the UE and the digital signature of the device identity generated by using the device private key, so that the authentication center verifies the digital signature based on a device public key having a binding relationship with the device identity information.
  • the device identity authentication response message further includes a device certificate, so that the authentication center, after verifying the legality of the device certificate by using the CA certificate or the CA public key, verifies the digital signature based on the device public key in the device certificate.
  • the device structure diagram of device identity authentication provided in Embodiment 6 of the present application includes:
  • the receiving module 71 is configured to receive a device identity authentication response message sent by the user equipment UE, where the device identity authentication response message carries the device identity information of the UE and a digital signature of the device identity generated by using the device private key;
  • the obtaining module 72 is configured to acquire a device public key that is bound to the device identity information.
  • the verification module 73 is configured to verify the digital signature based on the acquired device public key.
  • the device further includes:
  • the sending module 74 is configured to send a device identity authentication request to the user equipment UE.
  • the obtaining module 72 is specifically configured to:
  • the obtaining module 72 is further configured to query other devices, through a proxy device, for the device public key bound to the device identity information of the UE.
  • the device further includes:
  • the processing module 75 is configured to query other devices for the device public key bound to the device identity information of the UE, and store it locally.
  • the obtaining module 72 is further configured to acquire a device certificate that is bound to the device identity information of the UE, where the device certificate carries a device public key.
  • the verification module 73 is configured to verify the legality of the device certificate by using a CA certificate or a CA public key after the device certificate bound to the device identity information of the UE is acquired, and, after verifying that the device certificate is legal, to verify the digital signature based on the device public key carried in the device certificate.
  • the device identity authentication response message further includes the device certificate.
  • the verification module 73 is further configured to verify the subject name of the device certificate based on the device identity information after the digital signature passes the verification.
  • the verification module 73 is further configured to:
  • the device structure diagram of device identity authentication provided in Embodiment 7 of the present application includes:
  • the receiving module 81 is configured to receive a query request sent by the authentication center, where the query request carries device identity information of the user equipment UE;
  • the query module 82 is configured to query, according to the query request, a device public key that is bound to the device identity information of the UE;
  • the sending module 83 is configured to send the queried device public key to the authentication center.
  • the querying module 82 is specifically configured to query a device public key that is bound to the device identity information of the UE locally or to other devices.
  • the query module 82 is further configured to query, by the proxy device, the device public key bound to the device identity information of the UE to the other device.
  • the query module 82 is further configured to query a device certificate that is bound to the device identity information of the UE, where the device certificate carries a device public key;
  • the sending module 83 is configured to send the queried device certificate carrying the device public key to the authentication center.
  • An embodiment of the present application provides an electronic device, where the electronic device includes: a transceiver, a memory, and a processor; at least a portion of the memory stores computer executable instructions.
  • the computer executable instructions can be a computer program or software.
  • the electronic device may be a terminal device such as a UE, and may also be a server of the authentication center or a server of the proxy device.
  • the processor is connected to the transceiver and to the memory, and is configured to execute the computer executable instructions and thereby implement the device identity authentication method provided by one or more of the foregoing technical solutions; for example, it may perform the identity information authentication method applied in the UE, that of the authentication center, or that of the proxy device.
  • the transceiver may correspond to a network interface; the network interface may be a wired port and can be used for data interaction with other network elements.
  • the memory can include: various types of storage media that can be used for data storage.
  • the memory includes a storage medium that is at least partially a non-volatile storage medium and can be used to store the computer program.
  • the processor may comprise a central processing unit, a microprocessor, a digital signal processor, an application processor, an application specific integrated circuit or a programmable array, etc., and may implement the foregoing method by executing a computer program.
  • the processor can be connected to the transceiver and the memory through an in-device bus such as an integrated circuit bus.
  • the embodiment of the present application further provides a computer storage medium, where the computer storage medium stores computer executable instructions, and the computer executable instructions are used to implement a device identity authentication method provided by one or more of the foregoing technical solutions, for example,
  • the authentication method applied to the identity information in the UE, the authentication method of the identity information of the authentication center, or the authentication method of the identity information of the proxy device may be performed.
  • the computer storage medium provided by the embodiment of the present application includes: a mobile storage device, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
  • the computer storage medium can be a non-transitory storage medium.
  • the non-transitory storage medium herein may also be referred to as a non-volatile storage medium.
  • embodiments of the present application can be provided as a method, system, or computer program product.
  • the present application can take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment in combination of software and hardware.
  • the application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) including computer usable program code.
  • the present application is described with reference to flowcharts and/or block diagrams of the method, device (system), and computer program product according to the embodiments of the present application. It will be understood that each flow and/or block of the flowcharts and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions.
  • These computer program instructions can be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing device to produce a machine for the execution of instructions for execution by a processor of a computer or other programmable data processing device.
  • the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising an instruction device, which implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • the disclosed apparatus and method may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the units is only a logical function division, and the actual implementation may use another division manner; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the coupling, direct coupling or communication connection between the components shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
  • the units described above as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units; some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing module, or each unit may be used separately as one unit, or two or more units may be integrated into one unit;
  • the units can be implemented in the form of hardware or in the form of hardware plus software functional units.
  • the foregoing program may be stored in a computer readable storage medium, and when executed, the program performs the steps of the foregoing method embodiments.
  • the foregoing storage medium includes: a mobile storage device, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
  • the user equipment UE receives the device identity authentication request sent by the authentication center and sends the device identity authentication response message to the authentication center, where the device identity authentication response message carries the device identity information of the UE and a digital signature of the device identity generated by using the device private key; the authentication center verifies the digital signature based on the device public key having a binding relationship with the device identity information.
  • the network side can thus accurately identify whether the device identity information on the mobile device is identity information that has not been tampered with, and can securely perform related services according to the legal identity after verifying that the device identity is legal, thereby ensuring network security.
  • this has a positive industrial effect, and the technical solution provided by the embodiments of the present application is simple to implement and has prospects of wide adoption in the field of communication and network technologies.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention relates to a device identity authentication method and apparatus, an electronic device, and a computer storage medium. In the method described in an embodiment of the present invention, a user equipment (UE) receives a device identity authentication request sent by an authentication center, and sends a device identity authentication response message to the authentication center. The device identity authentication response message contains information relating to a device identity identifier of the UE, and a digital signature of the device identity identifier generated using a private key.
PCT/CN2017/101655 2016-09-13 2017-09-13 Procédé et appareil d'authentification d'identité de dispositif, et support de stockage WO2018050081A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610822337.X 2016-09-13
CN201610822337.XA CN106899410B (zh) 2016-09-13 2016-09-13 一种设备身份认证的方法及装置

Publications (1)

Publication Number Publication Date
WO2018050081A1 true WO2018050081A1 (fr) 2018-03-22

Family

ID=59191144

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/101655 WO2018050081A1 (fr) 2016-09-13 2017-09-13 Procédé et appareil d'authentification d'identité de dispositif, et support de stockage

Country Status (2)

Country Link
CN (1) CN106899410B (fr)
WO (1) WO2018050081A1 (fr)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109670825A (zh) * 2018-12-20 2019-04-23 姚前 一种基于证书关联的数字资产实名登记系统
CN110263585A (zh) * 2019-06-26 2019-09-20 腾讯科技(深圳)有限公司 测试监管方法、装置、设备及存储介质
CN110611569A (zh) * 2019-09-24 2019-12-24 腾讯科技(深圳)有限公司 一种认证方法及相关设备
WO2019242769A1 (fr) * 2018-06-21 2019-12-26 北京智芯微电子科技有限公司 Système et procédé d'application multi-ca pour puce de sécurité, et support de stockage
CN111400682A (zh) * 2018-12-29 2020-07-10 金联汇通信息技术有限公司 一种电子身份处理方法、系统、存储介质和电子设备
CN111666554A (zh) * 2020-06-03 2020-09-15 泰康保险集团股份有限公司 一种证书认证方法、装置、设备及存储介质
CN112150158A (zh) * 2019-06-28 2020-12-29 华为技术有限公司 一种区块链交易交付验证方法及装置
CN114268445A (zh) * 2020-09-15 2022-04-01 中国电信股份有限公司 云手机应用的认证方法、装置、系统、认证模块和终端
CN114826772A (zh) * 2022-05-30 2022-07-29 中国联合网络通信集团有限公司 数据完整性验证系统
CN115865396A (zh) * 2022-09-06 2023-03-28 中国联合网络通信集团有限公司 碳排放标识读取方法、装置、电子设备及可读存储介质
CN116055323A (zh) * 2018-08-20 2023-05-02 Oppo广东移动通信有限公司 一种场景恢复方法、云平台及计算机存储介质
CN116132071A (zh) * 2023-04-13 2023-05-16 中国信息通信研究院 基于区块链的标识解析节点身份认证方法和装置

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106899410B (zh) * 2016-09-13 2019-06-25 中国移动通信有限公司研究院 一种设备身份认证的方法及装置
CN107733912A (zh) * 2017-10-31 2018-02-23 珠海市魅族科技有限公司 信息加密方法、信息认证方法、终端及计算机可读存储介质
CN109756447B (zh) * 2017-11-01 2022-03-29 华为技术有限公司 一种安全认证方法及相关设备
CN109756451B (zh) * 2017-11-03 2022-04-22 华为技术有限公司 一种信息交互方法及装置
CN108024242A (zh) * 2017-12-01 2018-05-11 广东欧珀移动通信有限公司 信息验证方法及装置、终端及计算机可读存储介质
CN108429740B (zh) 2018-02-12 2020-08-07 华为技术有限公司 一种获得设备标识的方法及装置
CN110198538B (zh) * 2018-02-26 2022-02-18 北京华为数字技术有限公司 一种获得设备标识的方法及装置
CN114745133A (zh) * 2018-03-27 2022-07-12 杭州蚂蚁聚慧网络技术有限公司 一种识别设备唯一性的方法及装置
CN111404667B (zh) * 2019-01-02 2023-05-09 中国移动通信有限公司研究院 一种密钥生成方法、终端设备及网络设备
CN112118211A (zh) * 2019-06-20 2020-12-22 北京京东尚科信息技术有限公司 设备通信方法、装置、系统、介质及电子设备
CN112311718B (zh) * 2019-07-24 2023-08-22 华为技术有限公司 检测硬件的方法、装置、设备及存储介质
CN110798475B (zh) * 2019-11-05 2021-08-03 北谷电子有限公司上海分公司 一种安全认证方法、装置、设备和存储介质
CN111598573B (zh) * 2020-04-10 2023-10-31 维沃移动通信有限公司 一种设备指纹验证方法及装置
CN113746805B (zh) * 2021-08-05 2023-05-30 广州裕睿信息科技有限公司 一种用户身份识别方法、系统、计算机设备及存储介质
CN114640475B (zh) * 2022-05-19 2022-09-06 广东省绿算技术有限公司 去中心化的身份认证方法、装置、计算机设备及存储介质

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101610241A (zh) * 2008-06-16 2009-12-23 华为技术有限公司 一种绑定认证的方法、系统和装置
US20140380056A1 (en) * 2013-06-24 2014-12-25 Certicom Corp. Securing method for lawful interception
CN104852800A (zh) * 2015-05-25 2015-08-19 小米科技有限责任公司 数据传输方法及装置
CN106603234A (zh) * 2015-10-14 2017-04-26 阿里巴巴集团控股有限公司 一种设备身份认证的方法、装置和系统
CN106899410A (zh) * 2016-09-13 2017-06-27 中国移动通信有限公司研究院 一种设备身份认证的方法及装置

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102083055A (zh) * 2009-11-27 2011-06-01 乐金电子(中国)研究开发中心有限公司 Imei验证方法,iemi保护移动通信终端及其初始化装置
CN102036236A (zh) * 2010-10-29 2011-04-27 深圳市爱贝信息技术有限公司 一种对移动终端认证的方法和装置
EP2600647B1 (fr) * 2011-12-02 2015-03-18 BlackBerry Limited Certificat dérivé en fonction d'une identité changeante
CN102831079B (zh) * 2012-08-20 2016-02-24 中兴通讯股份有限公司 一种对移动终端进行检测的方法和移动终端
CN103888414B (zh) * 2012-12-19 2017-05-03 中国移动通信集团公司 一种数据处理方法和设备
CN104735054B (zh) * 2015-02-06 2018-03-02 西安电子科技大学 数字家庭设备可信接入平台及认证方法

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101610241A (zh) * 2008-06-16 2009-12-23 华为技术有限公司 一种绑定认证的方法、系统和装置
US20140380056A1 (en) * 2013-06-24 2014-12-25 Certicom Corp. Securing method for lawful interception
CN104852800A (zh) * 2015-05-25 2015-08-19 小米科技有限责任公司 数据传输方法及装置
CN106603234A (zh) * 2015-10-14 2017-04-26 阿里巴巴集团控股有限公司 一种设备身份认证的方法、装置和系统
CN106899410A (zh) * 2016-09-13 2017-06-27 中国移动通信有限公司研究院 一种设备身份认证的方法及装置

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019242769A1 (fr) * 2018-06-21 2019-12-26 北京智芯微电子科技有限公司 Système et procédé d'application multi-ca pour puce de sécurité, et support de stockage
CN116055323A (zh) * 2018-08-20 2023-05-02 Oppo广东移动通信有限公司 一种场景恢复方法、云平台及计算机存储介质
CN109670825A (zh) * 2018-12-20 2019-04-23 姚前 一种基于证书关联的数字资产实名登记系统
CN109670825B (zh) * 2018-12-20 2022-12-23 姚前 一种基于证书关联的数字资产实名登记系统
CN111400682A (zh) * 2018-12-29 2020-07-10 金联汇通信息技术有限公司 一种电子身份处理方法、系统、存储介质和电子设备
CN110263585A (zh) * 2019-06-26 2019-09-20 腾讯科技(深圳)有限公司 测试监管方法、装置、设备及存储介质
CN110263585B (zh) * 2019-06-26 2024-04-26 腾讯科技(深圳)有限公司 测试监管方法、装置、设备及存储介质
CN112150158A (zh) * 2019-06-28 2020-12-29 华为技术有限公司 一种区块链交易交付验证方法及装置
CN110611569B (zh) * 2019-09-24 2022-06-14 腾讯科技(深圳)有限公司 一种认证方法及相关设备
CN110611569A (zh) * 2019-09-24 2019-12-24 腾讯科技(深圳)有限公司 一种认证方法及相关设备
CN111666554B (zh) * 2020-06-03 2023-09-12 泰康保险集团股份有限公司 一种证书认证方法、装置、设备及存储介质
CN111666554A (zh) * 2020-06-03 2020-09-15 泰康保险集团股份有限公司 一种证书认证方法、装置、设备及存储介质
CN114268445A (zh) * 2020-09-15 2022-04-01 中国电信股份有限公司 云手机应用的认证方法、装置、系统、认证模块和终端
CN114826772A (zh) * 2022-05-30 2022-07-29 中国联合网络通信集团有限公司 数据完整性验证系统
CN114826772B (zh) * 2022-05-30 2024-03-08 中国联合网络通信集团有限公司 数据完整性验证系统
CN115865396A (zh) * 2022-09-06 2023-03-28 中国联合网络通信集团有限公司 碳排放标识读取方法、装置、电子设备及可读存储介质
CN115865396B (zh) * 2022-09-06 2024-03-01 中国联合网络通信集团有限公司 碳排放标识读取方法、装置、电子设备及可读存储介质
CN116132071B (zh) * 2023-04-13 2023-06-27 中国信息通信研究院 基于区块链的标识解析节点身份认证方法和装置
CN116132071A (zh) * 2023-04-13 2023-05-16 中国信息通信研究院 基于区块链的标识解析节点身份认证方法和装置

Also Published As

Publication number Publication date
CN106899410A (zh) 2017-06-27
CN106899410B (zh) 2019-06-25

Similar Documents

Publication Publication Date Title
WO2018050081A1 (fr) Procédé et appareil d'authentification d'identité de dispositif, et support de stockage
KR102018971B1 (ko) 네트워크 액세스 디바이스가 무선 네트워크 액세스 포인트를 액세스하게 하기 위한 방법, 네트워크 액세스 디바이스, 애플리케이션 서버 및 비휘발성 컴퓨터 판독가능 저장 매체
US11432150B2 (en) Method and apparatus for authenticating network access of terminal
US9094823B2 (en) Data processing for securing local resources in a mobile device
US20170208049A1 (en) Key agreement method and device for verification information
WO2017097041A1 (fr) Procédé et dispositif de transmission de données
WO2016011778A1 (fr) Procédé et appareil de traitement de données
CN110990827A (zh) 一种身份信息验证方法、服务器及存储介质
WO2020173332A1 (fr) Procédé et appareil d'activation d'application basée sur un environnement d'exécution de confiance
US10263782B2 (en) Soft-token authentication system
KR101686167B1 (ko) 사물 인터넷 기기의 인증서 배포 장치 및 방법
CN110545252B (zh) 一种认证和信息保护的方法、终端、控制功能实体及应用服务器
WO2014187206A1 (fr) Procédé et système pour sauvegarder une clé privée dans un jeton de signature électronique
KR101531662B1 (ko) 사용자 단말과 서버간 상호 인증 방법 및 시스템
WO2014187210A1 (fr) Procédé et système de sauvegarde de la clé privée d'un jeton de signature électronique
WO2016011588A1 (fr) Entité de gestion de mobilité, serveur domestique, terminal, et système et procédé d'authentification d'identité
US10291614B2 (en) Method, device, and system for identity authentication
CN104243452B (zh) 一种云计算访问控制方法及系统
CN110929231A (zh) 数字资产的授权方法、装置和服务器
CN115022850A (zh) 一种d2d通信的认证方法、装置、系统、电子设备及介质
TWI657350B (zh) App認證的系統和方法
WO2006026925A1 (fr) Procede d'etablissement de la cle d'authentification
WO2014187208A1 (fr) Procédé et système de sauvegarde de clé privée d'un jeton de signature électronique
CN114338091B (zh) 数据传输方法、装置、电子设备及存储介质
US10979226B1 (en) Soft-token authentication system with token blocking after entering the wrong PIN

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17850283

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 15.07.2019)

122 Ep: pct application non-entry in european phase

Ref document number: 17850283

Country of ref document: EP

Kind code of ref document: A1