WO2020037958A1 - Procédé, dispositif, système de partage de clé et enregistrement de client basés sur gba - Google Patents

Procédé, dispositif, système de partage de clé et enregistrement de client basés sur gba Download PDF

Info

Publication number
WO2020037958A1
WO2020037958A1 PCT/CN2019/074725 CN2019074725W WO2020037958A1 WO 2020037958 A1 WO2020037958 A1 WO 2020037958A1 CN 2019074725 W CN2019074725 W CN 2019074725W WO 2020037958 A1 WO2020037958 A1 WO 2020037958A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
naf
user terminal
service server
character string
Prior art date
Application number
PCT/CN2019/074725
Other languages
English (en)
Chinese (zh)
Inventor
刘高峰
Original Assignee
刘高峰
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from CN201810978212.5A external-priority patent/CN109121135A/zh
Application filed by 刘高峰 filed Critical 刘高峰
Priority to CN201910775078.3A priority Critical patent/CN111050322B/zh
Publication of WO2020037958A1 publication Critical patent/WO2020037958A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication

Definitions

  • the present invention relates to the field of communication technology and Internet technology, and in particular, to a generic boot architecture-based (Generic Bootstrapping Architecture (GBA) client registration and key sharing method, device and system.
  • GBA Generic Bootstrapping Architecture
  • the 3GPP specification TS 33.220 defines a universal security authentication mechanism suitable for mobile networks-Generic Boot Architecture (Generic Bootstrapping Architecture (GBA), which is part of the Generic Authentication Architecture (GAA).
  • GBA Generic Bootstrapping Architecture
  • GAA Generic Authentication Architecture
  • GBA provides a mechanism based on authentication and key agreement (AKA) in user equipment (UE) and network application server (network application function (NAF).
  • AKA authentication and key agreement
  • UE user equipment
  • NAF network application function
  • the GBA architecture is mainly divided into two processes: GBA initialization and application key negotiation:
  • the first process is the GBA initialization process (GBA Bootstrapping: UE and bootstrapping service server server function (BSF), BSF, and home subscriber server
  • GBA GBA initialization process
  • BSF bootstrapping service server server function
  • HLR home subscriber server
  • the server (HSS) / home location register (HLR) performs key negotiation based on the AKA mechanism.
  • the UE and BSF negotiate a GBA master key Ks and generate a bootstrapping identifier (bootstrapping).
  • transaction identifier (B-TID) and the master keys Ks and B-TID are stored on the UE and BSF, respectively.
  • the second process is the application key negotiation process (Bootstrapping Usage Procedure): the UE negotiates the application key with NAF, and NAF obtains the application key and user information from the BSF according to the application key negotiation request sent by the UE, and then the UE and NAF Use this application key for authentication, message encryption, and other operations. More specifically, referring to FIG. 1, the application key negotiation process includes the following steps:
  • the UE sends an application connection request to the NAF through the Ua interface, and the request message carries the B-TID.
  • the UE uses the following formula to generate the application key Ks_ (ext / int) _NAF.
  • a TLS link can be established in advance to ensure the communication security of the Ua interface.
  • Ks_NAF KDF (Ks, "gba-me”, RAND, IMPI, NAF_Id)
  • Ks_ext_NAF KDF (Ks, "gba-me”, RAND, IMPI, NAF_Id)
  • Ks_int_NAF KDF (Ks, "gba-u”, RAND, IMPI, NAF_Id)
  • Ks is the master key Ks generated during the GBA initialization process
  • "gba-me” and “gba-u” are fixed strings
  • RAND is a random number generated during the GBA initialization process
  • IMPI is an IP multimedia private identification (IP Multimedia Private Identity)
  • NAF_Id is the identity of NAF
  • KDF is the abbreviation of key derivation function.
  • the NAF_Id is formed by connecting the FQDN (Fully Qualified Domain Name) of the NAF to be accessed and the protocol identifier (UaID) on the Ua interface.
  • the NAF After receiving the application connection request from the UE, the NAF sends an authentication request message to the BSF, which carries the B-TID and NAF_Id.
  • the BSF has already stored the B-TID and the IMPI corresponding to the B-TID, the master key Ks, the Ks key validity period, the GBA initialization time, and the GBA User security settings information (GUSS, GBA User Security Settings), etc.
  • the BSF After the BSF receives the NAF authentication request, the BSF verifies the identity of the sender according to the FQDN in the NAF_Id, and finds the corresponding master key Ks according to the B-TID.
  • the BSF If the BSF does not find the corresponding master key Ks or Ks has expired, the BSF returns an authentication failure response message to the NAF and asks the UE to re-initiate the GBA initialization process.
  • the BSF uses the same application key calculation formula as the UE to calculate the application key Ks_ (ext / int) _NAF, and then returns an authentication success response message to the NAF server, and According to the preset settings, Ks_ (ext / int) _NAF, Ks_ (ext / int) _NAF validity period, GBA initialization time, and corresponding user security settings (USS) are sent to NAF in the authentication success response message. .
  • NAF After NAF stores Ks_ (ext / int) _NAF and Ks_ (ext / int) _NAF validity period information, it returns an authentication success response message to the UE. In this way, an application key Ks_ (ext / int) _NAF is established between the UE and NAF. For subsequent authentication, message encryption and other operations.
  • the GBA architecture has been used in IMS services, such as multimedia broadcast multicast services.
  • IMS multimedia broadcast multicast services.
  • broadcast / multicast service MBMS
  • SUPL secure user plane location
  • a third-party application server is equivalent to As an example, NAF has the following technical defects:
  • Defect 1 Because the third-party application server is provided by a different third-party application service provider, and because NAF_Id is a parameter that is relatively easy to obtain through public channels or software reverse.
  • the third-party application server collects the B-TID carried in the application connection request of the third-party application client, and then generates an application connection request according to the B-TID and the NAF_Id of the other third-party application server.
  • Other third-party application servers initiate application connections, which will cause BSF to perform unnecessary application key Ks_ (ext / int) _NAF generation calculations, and will cause other third-party application servers to store unnecessary application keys Ks_ (ext / int ) _NAF, which will consume computing and storage resources of BSF and other third-party application servers. Since each third-party application server can collect B-TIDs, the more B-TIDs collected, the greater the potential harm to other third-party application servers.
  • Defect 2 Because a large number of third-party application clients will be installed on the user terminal, they are provided by different third-party application service providers, but the calculation method of the application key Ks_ (ext / int) _NAF in the GBA existing mechanism Among them, "gba-me” and “gba-u” are fixed string parameters, IMPI is a fixed parameter that is the same in the same user terminal, Ks and RAND are parameters that are the same during the validity period of Ks, and NAF_Id is It is easier to obtain the parameters through public channels or software reversely. Therefore, the third-party application client on the same user terminal can easily calculate the application key Ks_ (ext / int) _NAF of other third-party application clients, thereby counterfeiting. Access to other third-party application clients.
  • the main purpose of the present invention is to provide a method, device and system for client registration and key sharing based on GBA, which aims at providing a secure registration method, device and system for a third-party application client running in a user terminal.
  • Application client application key issues, so that the GBA architecture is more securely and effectively applied in the field of Internet technology.
  • the present invention provides the following technical solutions:
  • a GBA-based client registration and key sharing method is provided, which is applied to a user terminal running a third-party application client.
  • the method includes:
  • the GBA-based client registration and key sharing method is characterized in that the method is applied to a user terminal running a third-party application client, and the method includes:
  • the generating a first authentication key based on the first master key Ks includes: using the first master key Ks as the first authentication key; or, based on including the first master secret
  • the key Ks and the first fixed character string or / and the first random character string or / and the first time stamp or / and the B-TID or / and NAF_Id information generate a first authentication key
  • the generation method of the key is the same as the generation method of generating the second authentication key by the guided service server BSF
  • the first fixed character string is a first fixed character string that is pre-configured and pre-configured with the guided service server BSF
  • the first random string is a randomly generated string
  • the first timestamp is generated by obtaining the current system time of the user terminal
  • the NAF_Id is the third-party application client If the information generating the first authentication key includes the first random character string or / and the first time stamp or / and the NAF_Id, the first random character string or /
  • the generating the first verification information includes: generating the based on a second fixed character string or / and a second random character string or / and a second time stamp or / and the B-TID or / and the NAF_Id.
  • the first authentication information, and the generation method of the first authentication information is consistent with the generation method of generating the second authentication information by the guidance service server BSF, and the second fixed character string is pre-configured and is the same as the guidance service server A second fixed string pre-configured by the BSF with the same value, the second random string is a randomly generated string, and the second time stamp is generated by obtaining the current system time of the user terminal;
  • Generating the first verification information includes based on the second random string or / and a second time stamp or / and the NAF_Id, and using a signature encryption algorithm to pair the first verification information based on the first authentication key.
  • the signature encryption generates the first encrypted value, and then sends the second random character string or / and the second time stamp or / and the NAF_Id to the guidance service server BSF.
  • the generating the first verification information based on a second fixed character string or / and a second random character string or / and a second time stamp or / and the B-TID or / and the NAF_Id includes: One of the second fixed character string or the second random character string or the second time stamp or the B-TID or the NAF_Id as the first verification information; or A second fixed character string or / and the second random character string or / and the second time stamp or / and the B-TID or / and the NAF_Id information generates the first verification information.
  • the encrypting and generating the first encrypted value based on the first authentication key and the first verification information includes: signing and encrypting the first verification information based on the first authentication key using a signature encryption algorithm.
  • the first encrypted value or, using a symmetric encryption algorithm to symmetrically encrypt the information including the first authentication information based on the first authentication key to generate the first encrypted value.
  • receiving the registration information and services provided by the guidance service server BSF includes: generating a first application key based on the first master key Ks, and The method of generating the first application key is consistent with the method of generating the second application key generated by the guided service server BSF, and the first application key is used as an application key in the third-party application client;
  • a user token sent by the guided service server BSF is received, and the user token is used for the third party application client to access the corresponding third party application server for authentication.
  • the transmitting NAF_Id to the guidance service server BSF includes: further including the NAF_Id in the security authentication request sent to the guidance service server BSF; or, if a symmetric encryption algorithm is used based on the first authentication key
  • the key pair including the first authentication information is symmetrically encrypted to generate the first encrypted value, and the information generating the first authentication information further includes the NAF_Id, so that the guided service server BSF retrieves the The NAF_Id is obtained in the plaintext after the first encrypted value is decrypted.
  • the generating a first application key based on the first master key Ks includes: generating the first application key based on the first master key Ks and optional parameters; the optional parameters include One or more of Salt, RAND, IMPI, and NAF_Id, where Salt is the same salt value as the guided service server BSF; RAND is the RAND generated during the GBA initialization process; IMPI is the IMPI of the user terminal NAF_Id is the NAF_Id; KDF is the same key derivation function as the guided service server BSF; the optional parameters are consistent with the optional parameters when the guided service server BSF generates a second application key.
  • the optional parameters include One or more of Salt, RAND, IMPI, and NAF_Id, where Salt is the same salt value as the guided service server BSF; RAND is the RAND generated during the GBA initialization process; IMPI is the IMPI of the user terminal NAF_Id is the NAF_Id; KDF is the same key derivation function as the guided service
  • the method further includes: receiving the information sent by the guidance service server BSF Receiving an application authorization request message; displaying an application authorization verification interface; receiving authorization information entered by a terminal user in the application authorization verification interface; and if the authorization information indicates authorization confirmation, sending an application authorization response message to the boot service server BSF,
  • the application authorization response message is an application authorization confirmation message.
  • a method for client registration and key sharing based on GBA is provided, which is applied to guide a service server BSF, and the method includes:
  • the generating a second authentication key based on the second master key Ks includes: using the second master key Ks as the first authentication key; or, based on including the second master key
  • the key Ks and the first fixed character string or / and the first random character string or / and the first time stamp or / and the B-TID or / and NAF_Id information generate a first authentication key
  • the generation method of the key is the same as the generation method of generating the first authentication key by the user terminal
  • the first fixed character string is pre-configured and has the same value as the first fixed character string pre-configured by the user terminal.
  • a character string, the first random character string or / and the first timestamp or / and the NAF_Id are sent by the user terminal.
  • the generating the second verification information includes generating the second verification information based on a second fixed character string or / and a second random character string or / and a second time stamp or / and the B-TID or / and the NAF_Id.
  • the second authentication information, and the generation method of the second authentication information is consistent with the generation method of generating the first authentication information by the user terminal, and the second fixed character string is pre-configured and pre-configured by the user terminal A string with the same value in the second fixed string, and the second random string or / and the second time stamp or / and the NAF_Id are sent by the user terminal.
  • generating the second verification information based on a second fixed character string or / and a second random character string or / and the B-TID or / and the NAF_Id includes: Or one of the second random character string or the second time stamp or the B-TID or the NAF_Id as the second verification information; or, according to including the second fixed character string or / Generating the second verification information with the second random character string or / and the second time stamp or / and the B-TID or / and the NAF_Id information.
  • the verifying the first encrypted value based on the second authentication key and the second verification information includes: if the user terminal generates the first encrypted value using a signature encryption algorithm, using the same The signature encryption algorithm verifies the first encrypted value based on the second authentication key and the second verification information; or, if the user terminal generates the first encrypted value using a symmetric encryption algorithm, the same symmetric is used An encryption algorithm verifies the first encrypted value based on the second authentication key and the second verification information.
  • the using the same signature encryption algorithm to verify the first encryption value based on the second authentication key and the second verification information includes: using the same signature encryption algorithm as the user terminal, based on the The second authentication key signs and encrypts the second verification information to generate a second encrypted value; compares whether the second encrypted value is consistent with the first encrypted value; if they are consistent, it is determined that the verification of the first encrypted value is successful .
  • using the same symmetric encryption algorithm to verify the first encryption value based on the second authentication key and the second verification information includes: using the same symmetric encryption algorithm as the user terminal, based on the The second authentication key decrypts the first encrypted value to obtain a plaintext, and obtains the first verification information from the decrypted plaintext; compares whether the second verification information is consistent with the first verification information; if they are consistent; , It is determined that the verification of the first encrypted value is successful.
  • the providing registration information and services to the user terminal includes: generating a user token corresponding to the NAF_Id, so that The user token is an authentication used for the third-party application client to access a corresponding third-party application server; the registration success response message sent to the user terminal includes the user token, so that the user command The card is used to access the authentication and authentication of the corresponding third-party application server in the third-party application client corresponding to the NAF_Id.
  • the generating a user token corresponding to the NAF_Id includes: using a randomly generated globally unique character string as the user token; establishing a correspondence between the user token and the NAF_Id or / and the B-TID The relationship of IMPI.
  • the method further includes: generating a second application key based on the second master key Ks, and the second application The generation method of the key is consistent with the generation method of generating the first application key by the user terminal, and the correspondence between the B-TID and the NAF_Id and the second application key is established.
  • the generating a second application key based on the second master key Ks includes: generating the second application key based on the second master key Ks and optional parameters; the optional parameters include One or more of Salt, RAND, IMPI, and NAF_Id, where Salt is the same salt value as the user terminal; RAND is the RAND generated during the GBA initialization process; IMPI is the IMPI corresponding to the B-TID NAF_Id is the NAF_Id; KDF is the same key derivation function as the user terminal; the optional parameters are consistent with the optional parameters when the user terminal generates the first application key.
  • the optional parameters include One or more of Salt, RAND, IMPI, and NAF_Id, where Salt is the same salt value as the user terminal; RAND is the RAND generated during the GBA initialization process; IMPI is the IMPI corresponding to the B-TID NAF_Id is the NAF_Id; KDF is the same key derivation function as the user terminal; the optional parameters are
  • the method further includes: sending an application authorization to the user terminal.
  • Request message the application authorization request message includes a third-party application name or / and a mobile user name, the third-party application name is obtained according to the NAF_Id, and the mobile user name is according to an IMPI corresponding to the B-TID Acquired; receiving an application authorization response message sent by the user terminal; and if the application authorization response message is an application authorization confirmation message, performing the steps of providing registration information and services to the user terminal.
  • a GBA-based client registration and key sharing device which is characterized in that the device is applied to a user terminal running a third-party application client and includes: a memory, a processor, and the processor is used for When the program stored in the memory is executed, the method executes any one of the methods described above and applied to a user terminal running a third-party application client.
  • a GBA-based client registration and key sharing device which is characterized in that the device is used to guide a service server BSF and includes a memory and a processor, where the processor is configured to run a program stored in the memory, When the program runs, the method includes any one of the methods described above and applied to a guided service server BSF.
  • a client registration and key sharing system based on GBA is provided, which is characterized in that the system includes: a user terminal and a guided service server BSF; the user terminal includes the above-mentioned application in a user terminal running a third-party application client The device; the guided service server BSF includes the above-mentioned device applied to the guided service server BSF.
  • a storage medium is provided, characterized in that a program is stored in the storage medium, and the program is configured to implement any one of the methods described above in a user terminal running on a third-party application client.
  • a storage medium is provided, characterized in that a program is stored in the storage medium, and the program is configured to implement the method including any one of the above-mentioned application to guide a service server BSF.
  • the present invention provides a secure registration environment for third-party application clients running in user terminals after the GBA initialization process, and guides the service server BSF to provide corresponding registration information and only for authenticated user terminals. Services, including the generation of application keys, effectively solve the technical shortcomings of the GBA architecture application described in the background in the field of Internet technology.
  • FIG. 1 is a schematic flowchart of a GBA application key negotiation process
  • FIG. 2 is a schematic structural diagram of an implementation environment involved in a GBA-based client registration and key sharing method according to an embodiment of the present invention
  • Embodiment 3 is a schematic flowchart of Embodiment 1 of a GBA-based client registration and key sharing method according to the present invention
  • Embodiment 4 is a schematic flowchart of Embodiment 2 of a GBA-based client registration and key sharing method according to the present invention
  • FIG. 5 is a schematic flowchart of Embodiment 3 of a GBA-based client registration and key sharing method provided by the present invention.
  • NAF_Id is used to uniquely identify a third-party application server and to identify a third-party application client corresponding to the third-party application server.
  • NAF_Id can be a Fully Qualified Domain Name (FQDN), or it can be a connection between the FQDN and the protocol identifier (UaID) on the Ua interface, or it can be a string.
  • FQDN Fully Qualified Domain Name
  • UaID protocol identifier
  • Signature encryption algorithm refers to the encryption algorithm used to verify the authenticity of the information. Only a sender of the information can generate a string of numbers that cannot be forged by others. This digital string is also one of the authenticity of the information sent by the sender of the information.
  • Valid proofs such as message authentication codes (such as hash-based message authentication code HMAC, cipher block chain message authentication code CBC-MAC, Galois message authentication code GMAC, etc.), hash functions with key encryption, RSA-based Digital schemes (such as RSA-PSS), digital signature algorithms (DSA), and elliptic curve digital signature algorithms.
  • Symmetric encryption algorithm refers to an encryption algorithm that uses the same key for encryption and decryption, such as the Triple Data Encryption Standard (Triple Data Encryption Standard (DES), Advanced Encryption Standard (AES), etc.
  • Triple Data Encryption Standard Triple Data Encryption Standard (DES), Advanced Encryption Standard (AES), etc.
  • DES Triple Data Encryption Standard
  • AES Advanced Encryption Standard
  • FIG. 2 is a schematic structural diagram of an implementation environment involved in a GBA-based client registration and key sharing method according to an embodiment of the present invention.
  • the implementation environment includes a guided service server BSF, a user terminal, and a third-party application client.
  • BSF Guided service server BSF: BSF is usually provided by a communication operator service provider, which is connected to user terminals and third-party application servers through the Internet or a dedicated network, and communicates with HSS (Home Subscriber Server, home subscribers) through the communication operator network and a dedicated interface. Server) or / and HLR (Home Location Register (Home Location Register) connection. It should be noted that the BSF in this application can also be connected to unified data management (UDM).
  • UDM unified data management
  • the user terminal accesses the network through wired or wireless methods such as WLAN (including wifi), mobile data, LAN, and fixed broadband, and performs data connection with the guidance service server BSF.
  • the user terminal supports the GBA function, usually a smart phone, or a smart TV, a set-top box, a tablet computer, a portable computer, a desktop computer, and the like.
  • Third-party application client An application running in the operating system of a user terminal, provided by a third-party application service provider.
  • each user terminal may run multiple third-party application clients provided by different third-party application service providers, and each third-party The application client can connect to and access the corresponding third-party application server to obtain the required business application data and services.
  • HSS Home Subscriber Server
  • HLR Home Location Register
  • AP Authentication Proxy
  • SLF Subscriber Locator Function
  • the third-party application server is equivalent to NAF in the GBA architecture. It is provided by a third-party application service provider and is used to connect with third-party application clients through the network to provide users with required application services, such as information, shopping, social networking, etc .; It is connected with the guidance service server BSF through the network to obtain the corresponding information of the B-TID.
  • FIG. 2 does not constitute a limitation on the implementation environment, and may include more or fewer components than shown, or some components may be combined, or different components may be arranged.
  • the user terminal and the guidance service server BSF have successfully performed the GBA initialization process.
  • the user terminal has a B-TID and corresponding RAND and Ks (that is, the first master key Ks); the guidance service server
  • the BSF stores the corresponding relationship between the B-TID and the corresponding RAND and Ks (that is, the second master key Ks), and simultaneously guides the service server BSF to store the B-TID and IMPI (IP Multimedia Private Identity, IP Multimedia Private Identity), that is, the BPI can be used to find and obtain the IMPI corresponding to the user terminal.
  • IMPI IP Multimedia Private Identity, IP Multimedia Private Identity
  • FIG. 3 shows a flowchart of Embodiment 1 of a GBA-based client registration and key sharing method provided by the present invention.
  • This embodiment can be used in the implementation environment shown in FIG. 2. This embodiment includes:
  • the user terminal starts the GBA-based client registration and key sharing process after obtaining an operation instruction for starting the GBA-based client registration and key sharing process.
  • the process may include the following three sub-processes and corresponding steps:
  • the user terminal and the guided service server BSF generate an authentication key with the same value based on the same B-TID and the same master key Ks. This can include:
  • Step 301 The user terminal obtains the B-TID and the first master key Ks.
  • the user terminal obtains the B-TID and the first master key Ks.
  • the B-TID and the B-TID should be stored on the guided service server BSF.
  • the second master key Ks corresponding to the TID.
  • Step 302 The user terminal generates a first authentication key based on the first master key Ks.
  • the first master key Ks may be used as the first authentication key.
  • the first fixed character string (1) is a character string that is pre-configured and has the same value as the first fixed character string (2) that is pre-configured on the boot service server BSF, the first random character string
  • the character string is a locally randomly generated character string, and the first time stamp is generated by acquiring the current system time of the user terminal.
  • DK PBKDF2 (passphrase, Salt, c, dkLen), where: DK is the first authentication key generated, PBKDF2 is the key derivation algorithm, passphrase is the first master key Ks and is the same as the first fixed string (1) or / And the first random string or / and the first timestamp or / and the B-TID or / and NAF_Id combination string; Salt is the salt value, in this case a fixed string; c is the number of iterations ; DlLen is the key output length, which can be used to generate a key length that meets the requirements according to the encryption algorithm used.
  • NAF_Id is the identity of the third-party application client running in the user terminal.
  • the third-party application client software installation package has built-in storage and is stored in a configuration file after installation, and the user terminal obtains the NAF_Id from the configuration file;
  • the third-party application client obtains the request after sending the request to the corresponding third-party application server, and the user terminal obtains the request from the third-party application client.
  • Step 303 The user terminal sends the B-TID and the information for generating the first authentication key to the guidance service server BSF.
  • the user terminal sends the B-TID to the guidance service server BSF, so that the guidance service server BSF can obtain the corresponding second master key Ks according to the B-TID.
  • the guided service server BSF In order for the guided service server BSF to generate a second authentication key with the same value as the first authentication key, if the information for generating the first authentication key further includes a first random character string or / and a first time stamp or / and NAF_Id, then send the first random character string or / and the first time stamp or / and the NAF_Id to the guidance service server BSF.
  • the guidance service server BSF receives the B-TID and the first random character string or / and the NAF_Id sent by the user terminal.
  • the above-mentioned information for generating the first authentication key further includes the first fixed character string (1), since the fixed character string can be configured in advance with a fixed character string of the same value on the guidance service server BSF, the first character string can be omitted.
  • a fixed string (1) is sent to the BSF.
  • Step 304 The service server BSF is guided to obtain the second master key Ks according to the B-TID.
  • a correspondence relationship between the B-TID and the second master key Ks is stored on the guidance service server BSF.
  • Step 305 The service server BSF is guided to generate a second authentication key based on the second master key Ks.
  • the guidance service server BSF uses the same authentication key generation method as the user terminal, and generates a second authentication key based on the second master key Ks.
  • the guide service server BSF uses the second master key Ks as the first authentication key.
  • the second authentication key is the same authentication key generation method as that of the user terminal in step 302 as an example.
  • the user terminal is based on including the first master key Ks and the first fixed character string (1) or / and the first random character string or / And the first timestamp or / and the B-TID or / and NAF_Id to generate a first authentication key
  • guide the service server BSF based on including the second master key Ks and the first fixed character string (2) or / and A first random character string or / and a first time stamp or / and the B-TID or / and NAF_Id information is used to generate a first authentication key
  • the second authentication key is generated in a manner that is similar to the first authentication key generated by the user terminal.
  • the key generation method is the same; wherein the first fixed character string (2) is a character string that is pre-configured and has the same value as the first fixed character string (1) that is pre-configured by the user terminal, the first random character string or / And the first time stamp or / and NAF_Id are sent by the user terminal.
  • the value of the first master key Ks corresponding to the same B-TID on the user terminal and the second master key Ks corresponding to the bootstrap service server BSF are the same.
  • the first authentication key and the second authentication key are generated using the same key generation method and based on the master key Ks having the same value. Therefore, the values of the first authentication key and the second authentication key are also the same.
  • the second sub-process the user terminal and the guidance service server BSF generate the same verification information. This can include:
  • Step 306. The user terminal generates first authentication information.
  • the user terminal generates first verification information, so that the first verification information is used for encryption, and the first verification information is made to have the same value as the second verification information generated by the guidance service server BSF.
  • the user terminal may use one of the second fixed character string (1) or the second random character string or the second time stamp or the B-TID or the NAF_Id as the first verification information; or, the user terminal may The character string (1) or / and the second random character string or / and the second time stamp or / and the B-TID or / and the NAF_Id information generates first verification information, for example, the user terminal sends a second fixed character string (1) or / and the second random character string or / and the second time stamp or / and the B-TID or / and the NAF_Id combination to generate the first verification information.
  • the second fixed character string (1) is a pre-configured character string having the same value as the second fixed character string (2) pre-configured on the guidance service server BSF, and the second random character string is generated locally and randomly.
  • a character string, and the second timestamp is generated by acquiring the current system time of the user terminal.
  • the user terminal sends the information for generating the first verification information to the guidance service server BSF.
  • the user terminal After the user terminal generates the first authentication information, in order to cause the guided service server BSF to generate the second authentication information having the same value as the first authentication information, if the generated first authentication information further includes a second random character string or / and a second Timestamp or / and the B-TID or / and the NAF_Id, and uses a signature encryption algorithm to sign and encrypt the first verification information to generate a first encrypted value, then the second random string or / and the second timestamp Or / and the B-TID or / and the NAF_Id are sent to the guidance service server BSF.
  • the guidance service server BSF receives the second random character string or / and the second time stamp or / and the B-TID or / and the NAF_Id sent by the user terminal.
  • the above-mentioned information for generating the first verification information further includes a second fixed character string (1), since the fixed character string can be configured in advance with a fixed character string of the same value on the guidance service server BSF, the second character string can be omitted
  • the fixed character string (1) is sent to the guidance service server BSF.
  • the generated first verification information further includes the second random character string or / and the second timestamp or / and the B-TID or / and the NAF_Id
  • the first verification information is obtained by using a symmetric encryption algorithm
  • the first encrypted value is generated by symmetric encryption. Since the first authentication information can be obtained after decrypting the first encrypted value, the second random string or / and the second time stamp or / and the B can be omitted.
  • the TID or / and the NAF_Id is sent to the guidance service server BSF.
  • this step can also be combined with the above step 303 into one step for implementation, that is, the user terminal can send the B-TID, the information for generating the first authentication key, and the information for generating the first authentication information at the same time in one transmission request.
  • the guidance service server BSF correspondingly, the above-mentioned corresponding steps of the guidance service server BSF generating the second authentication key and generating the second authentication information are also implemented after the combined step.
  • Step 308 Guide the service server BSF to generate the second verification information.
  • the service server BSF is guided to generate the second verification information, and the value of the generated second verification information is the same as the value of the first verification information generated by the user terminal.
  • step 406 Taking the method of generating the same authentication information as in step 406 as an example, if the user terminal uses one of the second fixed character string (1) or the second random character string or the second time stamp or the B-TID or the NAF_Id as The first verification information will guide the service server BSF to use the second fixed character string (2) or the second random character string or the second time stamp or the B-TID or the NAF_Id as the second verification information.
  • step 306 Taking the method of generating the same authentication information as step 306 as an example, if the user terminal includes a second fixed character string (1) or / and a second random character string or / and a second time stamp or / and the B-TID or / And the NAF_Id information to generate the first verification information, then guide the service server BSF to include the second fixed character string (2) or / and the second random character string or / and the second time stamp or / and the B-TID or / And the NAF_Id information generates second verification information.
  • the service server BSF is guided to send the second fixed character string (2) or / and the second random character string or / and the second time stamp or / and the B-TID or / Combined with the NAF_Id to generate second verification information.
  • the second fixed character string (2) is a character string that is pre-configured and has the same value as the second fixed character string (1) that is pre-configured on the user terminal, the second random character string or / and the second The timestamp or NAF_Id is sent by the user terminal.
  • the values of the first verification information and the second verification information are also the same.
  • the guidance service server BSF compares the second time stamp with the current system time of the guidance service server BSF. , Determine whether the time difference between the two is within the preset valid range: if it is within the valid range, then perform the following steps; if it is not within the valid range, then do not perform the following steps, and end this time based on GBA Client registration and key sharing methods.
  • the third sub-process The user terminal and the guided service server BSF implement security authentication based on an authentication key having the same value and authentication information having the same value. This can include:
  • Step 309 The user terminal encrypts and generates a first encrypted value based on the first authentication key and the first authentication information.
  • the user terminal encrypts and generates a first encrypted value based on the first authentication key and the first authentication information.
  • a first encrypted value based on the first authentication key and the first authentication information.
  • multiple implementations can be included, including at least:
  • the user terminal uses a signature encryption algorithm to sign-encrypt the first verification information based on the first authentication key to generate a first encrypted value.
  • the user terminal uses a signature encryption algorithm based on the first authentication key to sign and encrypt the first verification information.
  • the first encryption value is a signature value.
  • the signature value can uniquely identify the first verification information. Only the same signature is used. Only the encryption algorithm, the signature key with the same value, and the information to be signed with the same value can generate the same signature value.
  • the signature encryption algorithm uses a hash message authentication code as an example.
  • Signature SHA256 (k
  • the user terminal uses a symmetric encryption algorithm to symmetrically encrypt the information including the first authentication information based on the first authentication key to generate a first encrypted value.
  • the user terminal uses a symmetric encryption algorithm to symmetrically encrypt the information including the first authentication information based on the first authentication key to generate a first encrypted value.
  • the first encrypted value is a cipher text of the information including the first authentication information. Only the same symmetric encryption algorithm and the same value of the key can be used to decrypt the ciphertext to obtain the original plaintext.
  • the above-mentioned information including the first verification information means that the generated information also includes the first verification information and other information, for example, information generated after combining the first verification information and other information, and for the other information, Information, unless otherwise specified, is not limited in this embodiment.
  • Step 310 The user terminal sends a security authentication request to the guidance service server BSF, where the security authentication request includes the first encrypted value.
  • the user terminal sends a security authentication request to the boot service server BSF, where the security authentication request includes the first encrypted value, so that the boot service server BSF implements security authentication of the user terminal by verifying the first encrypted value.
  • the guidance service server BSF receives the security authentication request sent by the user terminal, and obtains the first encrypted value included in the security authentication request.
  • this step can also be combined with the above step 303 or / and step 307 into a single step for implementation, that is, the user terminal can send the security authentication request with the information of sending the B-TID and generating the first authentication key, or sending the first A step of verifying the information of the information is simultaneously sent to the guidance service server BSF in one transmission request. Accordingly, the corresponding steps of the guidance service server BSF generating the second authentication key and generating the second authentication information are also in the combined step. After implementation.
  • Step 311 The service server BSF is guided to verify the first encrypted value based on the second authentication key and the second verification information.
  • the guidance service server BSF needs to use the corresponding implementation manner to verify the first encrypted value based on the second authentication key and the second verification information.
  • the first implementation manner corresponds to the implementation manner in which the user terminal uses the signature encryption algorithm to generate the first encrypted value, and guides the service server BSF to use the same signature encryption algorithm as the user terminal, based on the second authentication key and the second
  • the verification information verifies the first encrypted value.
  • Step 311a The service server BSF is guided to use the same signature encryption algorithm as the user terminal to sign and encrypt the second verification information based on the second authentication key to generate a second encryption value.
  • the guidance service server BSF uses the same signature encryption algorithm as the user terminal to encrypt and sign the second verification information based on the second authentication key to generate a signature value, and the signature value is also expressed herein as a second encryption value.
  • the second authentication information and the first authentication information are the information to be signed with the same value, and the second authentication key and the first authentication key are the same value.
  • the signing key the second encrypted value and the first encrypted value generated should be the same.
  • Step 311b The service server BSF is guided to compare whether the second encrypted value is consistent with the first encrypted value; if they are consistent, it is determined that the security verification is successful.
  • the service server BSF is guided to use the same symmetric encryption algorithm as the user terminal to verify based on the second authentication key and the second verification information.
  • the second encrypted value can include:
  • Step 311i The service server BSF is guided to use the same symmetric encryption algorithm as the user terminal, decrypt the first encrypted value based on the second authentication key to obtain a plaintext, and obtain the first verification information from the plaintext.
  • the service server BSF is guided to use the same symmetric encryption algorithm as the user terminal to decrypt the first encrypted value based on the second authentication key, so as to obtain the decrypted plaintext.
  • the first verification information can be obtained from the plain text.
  • Step 311ii The service server BSF is guided to compare whether the second verification information is consistent with the first verification information; if they are consistent, it is determined that the security verification is successful.
  • Step 312. The service server BSF is guided to determine whether the security authentication is successful and perform a corresponding operation according to the verification result of the first encrypted value.
  • the guided service server BSF can provide the required data and services to the user terminal, such as sending a registration success response message to the user terminal, or providing registration information and services to the user terminal.
  • the user terminal may receive data and services provided by the guided service server BSF as needed, for example, receive a registration success response message sent by the guided service server BSF, or receive registration information and information provided by the guided service server BSF. Services, etc.
  • the guidance service server BSF can provide the required data and services to the user terminal, including sending a registration failure response message to the user terminal.
  • the user terminal After determining that the security authentication fails, the user terminal receives a registration failure response message and the like sent by the guidance service server BSF.
  • the method provided in this embodiment is mainly based on the B-TID and the first master key Ks in the user terminal, and based on the same B-TID and the corresponding second master stored in the boot service server BSF.
  • the key Ks guides the service server BSF to perform security authentication on the user terminal by using the same encryption algorithm as the user terminal. After the security authentication is successful, it can provide the user terminal and the third-party application client running on the user terminal with a corresponding security. Register information and services, and return a registration success response message to the user terminal.
  • FIG. 5 shows a flowchart of a second embodiment of a GBA-based client registration and key sharing method provided by the present invention.
  • the method can be used in the implementation environment shown in FIG. 2.
  • This embodiment further provides registration information for a third-party application client running in the user terminal, where the registration information includes an application key.
  • the user terminal In order for the guided service server BSF to provide corresponding registration information and services for the third-party application client running in the user terminal, the user terminal needs to pass the NAF_Id corresponding to the third-party application client to the guided service server BSF.
  • the user terminal passing the NAF_Id to the guided service server BSF may include various implementation manners, for example, it may include:
  • the user terminal sends the NAF_Id to the guidance service server BSF, and the guidance service server BSF receives the NAF_Id.
  • the user terminal sends the NAF_Id to the guidance service server BSF.
  • the NAF_Id can be sent to the guidance service server BSF in a separate transmission request, or the NAF_Id can be combined in the security authentication request or other transmission request to the guidance service server.
  • the BSF is, for example, incorporated in the security authentication request in the foregoing or step 310, or in the related steps in which the user terminal sends an authentication key or authentication information in step 303 or / and step 307.
  • the service server BSF is guided to receive the NAF_Id sent by the user terminal.
  • the user terminal encrypts the NAF_Id, and sends the encrypted cipher text to the guidance service server BSF, and the guidance service server BSF decrypts the cipher text to obtain the NAF_Id.
  • the user terminal uses the same key generation method to generate an encryption key with the same value based on the first master key Ks and the guidance service server BSF based on the second master key Ks.
  • the user terminal uses a symmetric encryption algorithm and the encryption key pair.
  • the NAF_Id is encrypted, and the encrypted cipher text is sent to the guidance service server BSF.
  • the guidance service server BSF decrypts the encryption key with the same value to obtain the NAF_Id.
  • the user terminal uses a symmetric encryption algorithm to symmetrically encrypt the information including the first authentication information based on the first authentication key to generate a first encrypted value, and then includes The information of the first verification information includes the NAF_Id. Therefore, in the second embodiment of step 411, the service server BSF is guided to obtain the NAF_Id from the decrypted plaintext.
  • the guided service server BSF can provide the registration information including the application key to the third-party application client running in the user terminal, that is, the following steps of this embodiment apply for registration on the GBA-based client And the key sharing method after the first embodiment. This can include:
  • Step 401 Guide the service server BSF to generate a second application key based on the second master key Ks.
  • the guidance service server BSF uses a key derivation algorithm to generate a second application key based on the second master key Ks. Further, the guidance service server BSF uses a key derivation algorithm based on the second master key Ks and / or a salt value, And / or RAND, and / or IMPI, and / or NAF_Id to generate a second application key.
  • Key KDF (Ks, Salt, RAND, IMPI, NAF_Id).
  • Key is the second application key
  • Ks is the second master key Ks
  • Salt is the salt value, which can be a fixed string or a random value. When it is a random value, then The guiding service server BSF must send this value to the user terminal
  • RAND is the RAND generated during the GBA initialization process
  • IMPI is the IMPI corresponding to the B-TID
  • NAF_Id is the NAF_Id obtained from the client registration request
  • KDF is the key derivation function .
  • Ks is a required parameter
  • Salt, RAND, IMPI, and NAF_Id are optional parameters.
  • Step 401a The service server BSF is guided to obtain the corresponding IMPI according to the B-TID.
  • the corresponding relationship between the B-TID and the IMPI is stored on the boot service server BSF, that is, the corresponding IMPI can be found and obtained according to the B-TID.
  • Step 401b The service server BSF is guided to obtain the RAND according to the B-TID.
  • the corresponding relationship between the B-TID and the RAND is stored on the boot service server BSF, that is, the corresponding RAND can be found and obtained according to the B-TID.
  • the generation format of the B-TID is "base64encode (RAND) @BSF_servers_domain_name"
  • the corresponding RAND can also be obtained from the B-TID.
  • Step 401c The guidance service server BSF generates a second application key based on the second master key Ks and "gba-me", the RAND, the IMPI, and the NAF_Id.
  • the guide service server BSF generates a second application key based on the second master key Ks and "gba-me", the RAND, the IMPI, and the NAF_Id, and the calculation formula is:
  • KDF Ks, "gba-me”, RAND, IMPI, NAF_Id
  • Step 402. The service server BSF is guided to establish a correspondence between the B-TID and the NAF-Id and the second application key.
  • the service server BSF is guided to establish a correspondence between the B-TID and the NAF-Id and the second application key, so that the second application key can be found according to the B-TID and the NAF-Id.
  • the guidance service server BSF has established the correspondence between the B-TID and the NAF-Id and the second application key.
  • the guidance service server BSF can store the correspondence locally or send the correspondence to a third-party authentication server. Or send the correspondence to a third-party application server corresponding to the NAF_Id. Then, based on the corresponding relationship, if the third-party application client running on the user terminal has the same B-TID and the same application key as the value of the second application key, the identity of the third-party application client can be realized Authentication, data encryption, etc.
  • the guidance service server BSF has previously established an account key relationship table for the NAF_Id, and the account key relationship table stores the B-TID and the second application key.
  • the account key relationship table stores the B-TID and the second application key.
  • One-to-one correspondence Guide the service server BSF to find the second application key in the account key relationship table according to the B-TID. If the second application key is not found, add the B-TID and The one-to-one correspondence of the second application key. If a second application key is found, the newly-generated second application key is used in the account key relationship table to replace the existing B-TID. The second application key.
  • steps 401 and 402 may also be performed after the following step 403, which is not limited in the present invention.
  • Step 403. The service server BSF is guided to send a registration response message to the user terminal, where the registration response message is a registration success response message.
  • the registration success response message sent to the user terminal also includes the Salt salt value.
  • Step 404 The user terminal receives the registration response message sent by the guided service server BSF and performs a corresponding operation.
  • the user terminal receives a registration response message sent by the guided service server BSF, and the registration response message is a registration success response message or a registration failure response message.
  • the user terminal performs corresponding operations according to the client registration response message, including:
  • step 405 is performed.
  • the process is ended, or the user terminal ends the process after sending the registration failure response message to a third-party application client.
  • Step 405 The user terminal uses the same application key generation method as the bootstrap service server BSF, and generates a first application key based on the first master key Ks.
  • the user terminal uses the same application key generation method as the bootstrap service server BSF, and generates a first application key based on the first master key Ks.
  • Key KDF (Ks, Salt, RAND, IMPI, NAF_Id).
  • Key is the first application key
  • Ks is the first master key
  • Salt is the same salt value as the boot service server BSF.
  • salt is the same If the salt value of the boot service server is a random value, the user terminal obtains the salt value from the registration success response message;
  • RAND is the RAND generated during the GBA initialization process;
  • IMPI is the IMPI of the user terminal;
  • NAF_Id Is the NAF_Id corresponding to the third-party application client;
  • KDF is the same key derivation function as the BSF of the boot service server.
  • Ks is a required parameter, Salt, RAND, IMPI, NAF_Id are optional parameters, and the optional parameters selected are consistent with the guidance service server BSF.
  • the key derivation algorithm formula Key KDF (Ks, "gba-me”, RAND, IMPI, NAF_Id) as an example, the first application key generation steps are as follows:
  • Step 405a The user terminal acquires the IMPI of the user terminal.
  • the user terminal obtains the IMPI of the user terminal, and the IMPI is the same IMPI obtained during the GBA initialization process.
  • an IMPI is obtained from an IP Multimedia Services Identity Module (ISIM) using a method consistent with the GBA initialization process.
  • ISIM IP Multimedia Services Identity Module
  • Step 405b The user terminal obtains RAND.
  • the B-TID and the corresponding RAND are stored on the user terminal, and the user terminal obtains the RAND.
  • the generation format of the B-TID is "base64encode (RAND) @BSF_servers_domain_name"
  • the corresponding RAND can also be obtained from the B-TID.
  • Step 405c The user terminal generates a first application key based on the first master key Ks and "gba-me", the RAND, the IMPI, and the NAF_Id.
  • the user terminal generates a second application key based on the first master key Ks and "gba-me", the RAND, the IMPI, and the NAF_Id, and the calculation formula is:
  • KDF Ks, "gba-me”, RAND, IMPI, NAF_Id
  • the B-TID stored on the user terminal and the corresponding RAND, Ks (that is, the first master key Ks) and the RAND corresponding to the B-TID stored on the boot service server BSF Ks (that is, the second master key Ks) is the same, and the IMPI obtained on the user terminal and the IMPI corresponding to the B-TID stored on the guided service server BSF are the same, and because the user terminal and the guided service server BSF are the same. If the same application key generation method, the same NAF_Id, and the same salt value are used, the values of the generated first application key and the second application key are the same.
  • the user terminal sends the B-TID and the first application key to the third-party application client corresponding to the NAF_Id. Based on the B-TID and the first application key, the third-party application client can quickly implement the third-party application server. , Secure identity authentication, data encryption and other operations.
  • an application key is further generated on the user terminal and the guidance service server BSF for the third-party application client on the user terminal, which not only has the effects of the first embodiment
  • the second aspect even if multiple key sharing processes are performed for the same third-party application client after the same GBA initialization process, if a random value is used by Salt, it is generated.
  • the application keys are also different for better security.
  • FIG. 5 illustrates a flowchart of a third embodiment of a GBA-based client registration and key sharing method provided by the present invention.
  • the method can be used in the implementation environment shown in FIG. 2.
  • This embodiment further provides registration information for a third-party application client running in the user terminal, and the registration information includes generating a user token for the third-party application client running in the user terminal.
  • the user terminal In order for the guided service server BSF to provide corresponding registration information and services for the third-party application client running in the user terminal, the user terminal needs to pass the NAF_Id corresponding to the third-party application client to the guided service server BSF.
  • the user terminal passing the NAF_Id to the guidance service server BSF may include various implementation manners. For specific implementation manners, reference may be made to the second embodiment of the above-mentioned GBA-based client registration and key sharing method, and details are not described herein again.
  • the guided service server BSF can provide the registration information including the user token to the third-party application client running in the user terminal, that is, the following steps of this embodiment apply for registration on the GBA-based client And the key sharing method after the first embodiment. This can include:
  • Step 501 The service server BSF is guided to generate a user token for the NAF_Id.
  • the service server BSF is guided to generate a user token for the NAF_Id.
  • the user token is unique and has sufficient length and sufficient randomness, making it difficult to be guessed and cracked.
  • Step 502. The service server BSF is guided to establish an association relationship between the user token and the NAF_Id or / and the IMPI corresponding to the B-TID.
  • the guide service server BSF can store the association locally, or send the association to the third-party authentication server synchronously, or send the association to the NAF_Id synchronously.
  • Corresponding third-party application server Corresponding third-party application server. Then, based on the association, if the third-party application client running on the user terminal has the same user token, the third-party application server can implement authentication to the third-party application client according to the association, for example, to the user For example, the token is sent to the third-party application server corresponding to the NAF_Id.
  • the third-party application server receives an authentication request including a user token, and searches for the corresponding user token in the association relationship. If so, the authentication succeeds. , Thereby determining that the sender of the authentication request is a third-party application client corresponding to the third-party application server.
  • an association relationship between the user token and the IMPI corresponding to the NAF_Id and the B-TID should be established so that the corresponding user terminal can be found according to the user token NAF_Id and IMPI to provide continuous service for the same user.
  • the third-party application server receives an authentication request including a user token, and searches for the corresponding IMPI in the association according to the user token. If found, it can provide continuous application services to users associated with the IMPI.
  • a cleaning mechanism should also be provided, and the corresponding association relationship should be cleared in time for the user token that has expired, such as deleting the corresponding association relationship of the user token after the user token is verified once, or setting the user token Set a valid period, and delete the corresponding association relationship of the user token that has expired in time according to the valid period.
  • the specific cleaning mechanism will not be repeated here.
  • Step 503. The service server BSF is guided to send a registration response message to the user terminal, where the registration response message is a registration success response message and includes the user token.
  • Step 504 The user terminal receives the registration response message sent by the guided service server BSF and performs a corresponding operation.
  • the user terminal receives a registration response message sent by the guided service server BSF, and the registration response message is a registration success response message or a registration failure response message.
  • the user terminal performs corresponding operations according to the registration response message, including:
  • the registration response message is a registration success response message
  • obtain the user token in the registration success response message and pass the user token to the third-party application client corresponding to NAF_Id for authentication and authentication, and then end this Process.
  • the process is ended, or the user terminal ends the process after sending the registration failure response message to a third-party application client.
  • the process of the above embodiment generates a user token for a third-party application client running in the user terminal.
  • the effects include: in the first aspect, automatically obtaining user tokens for third-party application clients, reducing end-user input operations and improving the user experience; in the second aspect, the user token can be used for The third-party application client authenticates to the corresponding third-party application server, thereby improving the user experience.
  • the user token when used for authentication, the user token does not need to perform operations such as cryptographic calculations. Suitable for some lightweight application clients (such as browser-based web applications).
  • FIG. 6 shows a flowchart of a fourth embodiment of a GBA-based client registration and key sharing method provided by the present invention.
  • the method can be used in the implementation environment shown in FIG. 2.
  • this embodiment further implements the authorization confirmation process of the end user.
  • the following steps of this method are based on the GBA-based client registration and key sharing method embodiment two, which is applied after the user terminal passes the NAF_Id and security authentication to the guided service server BSF, and the application is applied to the guided service server BSF as Before the third-party application client running in the user terminal provides the registration information including the application key, it specifically includes the following steps:
  • Step a Guide the service server BSF to send an application authorization request message to the user terminal.
  • the application authorization request message may include:
  • the corresponding relationship between the NAF_Id and the third-party application name is pre-stored on the boot service server BSF to guide the service server BSF Find and obtain the corresponding third-party application name in the corresponding relationship according to the NAF_Id.
  • the name is used to identify the mobile user.
  • the correspondence between the IMPI and the name of the mobile user is stored in the guidance service server BSF in advance.
  • the guidance service server BSF searches and obtains the correspondence according to the IMPI.
  • the IMPI is obtained by the guidance service server BSF according to the B-TID: After the GBA initialization process, the correspondence relationship between the B-TID and IMPI is stored on the guidance service server BSF, that is, the corresponding IMPI can be found and obtained according to the B-TID to guide the service.
  • the server BSF searches for and obtains the corresponding IMPI in the corresponding relationship according to the B-TID.
  • the user terminal receives the application authorization request message sent by the guidance service server BSF.
  • Step b The user terminal displays an application authorization verification interface.
  • the user terminal After receiving the application authorization request message sent by the service server BSF, the user terminal invokes and displays the application authorization verification interface to ask the end user whether to agree to authorize the third-party application.
  • the third-party application name or / and mobile user name included in the application authorization request message can be displayed, specifically:
  • Third-party application name which is the name of the third-party application client and third-party application server to be authorized
  • Mobile user name the name of the mobile user to be authorized.
  • the end user can enter authorization information indicating confirmation of authorization or cancellation of authorization.
  • a security verification code input box may also be included to ask the end user to enter a security verification code.
  • the security verification code is used to further verify the authorization of the end user.
  • the corresponding relationship between the B-TID and the security verification code is stored in advance on the guidance service server BSF.
  • Step c The user terminal receives authorization information entered by the end user in the application authorization verification interface.
  • Step d The user terminal sends an application authorization response message to the guidance service server BSF, where the application authorization response message is an application authorization confirmation message or an application authorization cancellation message.
  • the user terminal performs corresponding operations according to the authorization information input by the terminal user, including:
  • the application authorization response message sent by the user terminal to the guidance service server BSF is an application authorization confirmation message.
  • a security verification code input box is further included on the displayed application authorization verification interface, and the authorization message input by the end user received by the user terminal includes the security verification code, the user terminal sends the application authorization to the guidance service server BSF
  • the confirmation message also includes the security verification code.
  • the application authorization response message sent by the user terminal to the guidance service server BSF is an application authorization cancellation message.
  • Step e Guide the service server BSF to receive the application authorization response message sent by the user terminal and perform the corresponding operation.
  • the guidance service server BSF receives an application authorization response message sent by the user terminal, where the application authorization response message is an application authorization response message indicating confirmation of authorization or cancellation of authorization.
  • the corresponding relationship between the B-TID and the security verification code is stored in the guidance service server BSF in advance. If the application authorization confirmation message received by the guidance service server BSF includes the security verification code, the guidance service server BSF according to B- TID finds and obtains the corresponding security verification code in this correspondence, and compares whether the two security verification codes are consistent: if they are consistent, the subsequent steps are continued; if they are not consistent, the process is ended without guiding the service server BSF to the user terminal.
  • a third-party application client running in the process of providing registration information including a third-party user ID and application key
  • the process ends, and the process of directing the service server BSF to provide the third-party application client running in the user terminal with registration information including the third-party user identification and application key is not performed.
  • the method provided in this embodiment is based on the first embodiment of the GBA-based client registration and key sharing method, and adds a process for the end user to verify and authorize. By adding this process, the client registration information can be more confirmed.
  • the provision has obtained the authorization permission of the end user, so as to prevent the unnecessary third party application client from being authorized due to misoperation and the like.
  • This embodiment can also be combined with the third embodiment of the GBA-based client registration and key sharing method to form a new embodiment, that is, to apply the method steps of this embodiment after the user terminal passes the NAF_Id to the boot service server BSF and the security authentication is successful Before the application guides the service server BSF to provide a third-party application client running in the user terminal with a process including a user token, the specific process is not described in detail.
  • the present invention also provides a client registration and key sharing device based on GBA.
  • the key sharing and identity authentication device is applied to a user terminal running a third-party application client, and includes: a memory , A processor, and a GBA-based client registration and key sharing program stored on the memory and executable on the processor, the GBA-based client registration and key sharing program being used by the processor Implement the steps of the above-mentioned GBA-based client registration and key sharing method when executed.
  • the present invention also provides a GBA-based client registration and key sharing device.
  • the key sharing and identity authentication device is used to guide a service server BSF, and includes: a memory, a processor, and a storage device.
  • the GBA-based client registration and key sharing program on the memory and which can be run on the processor, the GBA-based client registration and key sharing program is implemented by the processor to implement the above-mentioned based on Steps of GBA's client registration and key sharing method.
  • the present invention also provides a GBA-based client registration and key sharing system.
  • the GBA-based client registration and key sharing system includes: a user terminal and a guided service server BSF;
  • the user terminal includes the above-mentioned GBA-based client registration and key sharing device applied to a user terminal running a third-party application client;
  • the guided service server BSF includes the above GBA-based client registration and key sharing device applied to the guided service server BSF.
  • the present invention also provides a storage medium applied to a user terminal, which is characterized in that a program is stored in the storage medium, and the program is used to implement the application to a third party running as described above.
  • GBA-based client registration and key sharing method in a user terminal of an application client is characterized in that a program is stored in the storage medium, and the program is used to implement the application to a third party running as described above.
  • the present invention also provides a storage medium applied to the boot service server BSF, which is characterized in that a program is stored in the storage medium, and the program is used to implement the application boot service server as described above.
  • the methods, devices, and systems of the present invention can be implemented in many ways.
  • the methods and systems of the present invention can be implemented by software, hardware, firmware or any combination of software, hardware, firmware.
  • the above-mentioned order of the steps of the method is merely for the purpose of illustration, and the steps of the method of the present invention are not limited to the order specifically described above, unless specifically stated otherwise.
  • the present invention can also be implemented as programs recorded in a recording medium, which programs include machine-readable instructions for implementing the method according to the present invention.
  • the present invention also covers a recording medium storing a program for executing the method according to the present invention.
  • the present invention provides a secure registration environment for third-party application clients running in user terminals after the GBA initialization process, and guides the service server BSF to provide corresponding registration information and only for authenticated user terminals. Services, including the generation of application keys, effectively solve the technical shortcomings of the GBA architecture application described in the background in the field of Internet technology.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

L'invention concerne un procédé, un dispositif et un système de partage de clé et d'enregistrement de client basé sur GBA Le procédé comprend les étapes suivantes : un terminal utilisateur exécute un client d'application tierce effectuant une authentification de sécurité avec une fonction de serveur d'amorçage (BSF) Sur la base d'un B-TID acquis pendant un amorçage GBA et d'une clé générée pendant l'amorçage GBA; après que l'authentification de sécurité ait réussi, le BSF fournit des informations d'enregistrement sécurisées et un service pour le client d'application tierce, et génère un jeton d'utilisateur ou une clé d'application pour le client d'application tierce. L'invention résout le problème dans lequel un serveur d'application tierce génère une demande de contrefaçon malveillante pour consommer des ressources de calcul et de stockage d'un BSF et d'autres serveurs d'applications tiers, et permet également à un serveur d'application tierce sur le même dispositif utilisateur de calculer facilement une clé d'application d'un autre client d'application tierce.
PCT/CN2019/074725 2018-08-23 2019-02-04 Procédé, dispositif, système de partage de clé et enregistrement de client basés sur gba WO2020037958A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910775078.3A CN111050322B (zh) 2018-08-23 2019-08-22 基于gba的客户端注册和密钥共享方法、装置及系统

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201810978212.5A CN109121135A (zh) 2018-08-23 2018-08-23 基于gba的客户端注册和密钥共享方法、装置及系统
CN201810978212.5 2018-08-23
CNPCT/CN2019/073103 2019-01-25
CN2019073103 2019-01-25

Publications (1)

Publication Number Publication Date
WO2020037958A1 true WO2020037958A1 (fr) 2020-02-27

Family

ID=69592297

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/074725 WO2020037958A1 (fr) 2018-08-23 2019-02-04 Procédé, dispositif, système de partage de clé et enregistrement de client basés sur gba

Country Status (1)

Country Link
WO (1) WO2020037958A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120284785A1 (en) * 2011-05-05 2012-11-08 Motorola Mobility, Inc. Method for facilitating access to a first access nework of a wireless communication system, wireless communication device, and wireless communication system
CN104348801A (zh) * 2013-07-31 2015-02-11 华为技术有限公司 认证方法、生成信任状的方法及相关装置
CN106534050A (zh) * 2015-09-11 2017-03-22 中移(杭州)信息技术有限公司 一种实现虚拟专用网络密钥协商的方法和装置
CN109121135A (zh) * 2018-08-23 2019-01-01 刘高峰 基于gba的客户端注册和密钥共享方法、装置及系统

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120284785A1 (en) * 2011-05-05 2012-11-08 Motorola Mobility, Inc. Method for facilitating access to a first access nework of a wireless communication system, wireless communication device, and wireless communication system
CN104348801A (zh) * 2013-07-31 2015-02-11 华为技术有限公司 认证方法、生成信任状的方法及相关装置
CN106534050A (zh) * 2015-09-11 2017-03-22 中移(杭州)信息技术有限公司 一种实现虚拟专用网络密钥协商的方法和装置
CN109121135A (zh) * 2018-08-23 2019-01-01 刘高峰 基于gba的客户端注册和密钥共享方法、装置及系统

Similar Documents

Publication Publication Date Title
JP7119040B2 (ja) データ伝送方法、装置およびシステム
CN110380852B (zh) 双向认证方法及通信系统
CN111050322B (zh) 基于gba的客户端注册和密钥共享方法、装置及系统
CN109728909B (zh) 基于USBKey的身份认证方法和系统
Arshad et al. An efficient and secure authentication and key agreement scheme for session initiation protocol using ECC
CN108599925B (zh) 一种基于量子通信网络的改进型aka身份认证系统和方法
WO2017028593A1 (fr) Procédé pour amener un dispositif d'accès à un réseau à accéder à un point d'accès à un réseau sans fil, dispositif d'accès à un réseau, serveur d'application et support de stockage lisible par ordinateur non volatil
US10411884B2 (en) Secure bootstrapping architecture method based on password-based digest authentication
WO2018076365A1 (fr) Procédé et dispositif de négociation de clés
US8793497B2 (en) Puzzle-based authentication between a token and verifiers
KR101009330B1 (ko) 모바일 네트워크를 기반으로 하는 엔드 투 엔드 통신에서의 인증을 위한 방법, 시스템 및 인증 센터
US6993652B2 (en) Method and system for providing client privacy when requesting content from a public server
JP5579872B2 (ja) 安全な複数uim認証および鍵交換
JP4741664B2 (ja) 認証及びプライバシーに対する方法及び装置
US20180199205A1 (en) Wireless network connection method and apparatus, and storage medium
WO2018040758A1 (fr) Procédé d'authentification, appareil d'authentification et système d'authentification
CN110858968A (zh) 客户端注册方法、装置及系统
US11044084B2 (en) Method for unified network and service authentication based on ID-based cryptography
JP7292263B2 (ja) デジタル証明書を管理するための方法および装置
US10680835B2 (en) Secure authentication of remote equipment
CN103763356A (zh) 一种安全套接层连接的建立方法、装置及系统
US8397281B2 (en) Service assisted secret provisioning
US20080137859A1 (en) Public key passing
CN110087240B (zh) 基于wpa2-psk模式的无线网络安全数据传输方法及系统
CN108599926B (zh) 一种基于对称密钥池的HTTP-Digest改进型AKA身份认证系统和方法

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19852071

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 08/07/2021)

122 Ep: pct application non-entry in european phase

Ref document number: 19852071

Country of ref document: EP

Kind code of ref document: A1