WO2020147602A1 - Authentication method, apparatus and system - Google Patents

Authentication method, apparatus and system

Info

Publication number
WO2020147602A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
failure
terminal device
value corresponding
information
Prior art date
Application number
PCT/CN2020/070450
Other languages
English (en)
Chinese (zh)
Inventor
张博
赵绪文
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2020147602A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041 Key generation or derivation
    • H04W12/06 Authentication

Definitions

  • This application relates to the field of communications, and, more specifically, to an authentication method, device, and system.
  • an attacker can intercept the user ID of a terminal device from air interface messages, control a pseudo base station to intercept the authentication request message sent from the network side to the terminal device, and then control multiple pseudo base stations to replay the authentication request message to each terminal device attracted to them, triggering each terminal device to perform authentication.
  • after the terminal device receives the authentication request message, because the message is a replay, the message authentication code (MAC) check succeeds but the sequence number (SQN) check fails.
  • the terminal device feeds back the authentication failure information of the synchronization failure type to the pseudo base station.
  • after receiving the replayed authentication request message, other terminal devices fail the message authentication code check and feed back an authentication failure message of the message authentication code failure type to the pseudo base station.
  • from the type of the authentication failure message, the pseudo base station can therefore determine which pseudo base stations' coverage the targeted terminal device is within, so that methods such as triangulation can be used to locate that user equipment accurately.
  • even where the user ID is encrypted, so that the attacker cannot identify a particular terminal device from the user ID, the above attack can still be performed twice to locate a particular terminal device. For example, in the first attack the signal coverage of the pseudo base station is set small so that only the target terminal device is attracted to it (the pseudo base station can be placed as close as possible to the terminal device), and the authentication request message is intercepted. After the terminal device moves to another area, the attacker repeats similar steps and finally locates the terminal device.
  • This application provides an authentication method, device and system with higher security performance.
  • an authentication method includes: a terminal device receives an authentication request message sent by an access and mobility management function entity; the terminal device performs authentication according to the authentication request message; if the authentication fails, the terminal device encrypts the cause value corresponding to the authentication failure type to obtain failure encryption information; and the terminal device sends the failure encryption information to the access and mobility management function entity.
  • because the cause value of the authentication failure type is encrypted, even if an attacker intercepts the authentication failure message they cannot distinguish the specific authentication failure type, so the attacker cannot locate the user; this protects the user's privacy from being leaked and improves the security performance of the system.
  • the terminal device encrypting the cause value corresponding to the authentication failure type to obtain the failure encryption information includes: if the authentication failure type is synchronization failure, the cause value corresponding to the synchronization failure and the local sequence number information of the terminal device are encrypted to obtain the failure encryption information; or, if the authentication failure type is message authentication code failure, the cause value corresponding to the message authentication code failure is encrypted to obtain the failure encryption information.
  • the failure encryption information has the same length regardless of the authentication failure type.
  • the attacker therefore cannot distinguish the authentication failure type from the length of the failure encryption information, and so cannot locate or track the user's location, ensuring that the user's privacy is not leaked.
  • the encryption processing of the cause value corresponding to the synchronization failure and the local sequence number information of the terminal device to obtain the failure encryption information includes: the cause value corresponding to the synchronization failure and the local sequence number information of the terminal device are concatenated to obtain a first intermediate value; an encryption operation is performed on the first intermediate value to obtain the failure encryption information.
  • the encryption processing of the cause value corresponding to the message authentication code failure to obtain the failure encryption information includes: the cause value corresponding to the message authentication code failure is concatenated with an N-bit binary number to obtain a second intermediate value; an encryption operation is performed on the second intermediate value to obtain the failure encryption information, where N is an integer greater than or equal to 1.
  • the failure encryption information is sent in an authentication failure message, and the authentication failure message further includes encryption indication information indicating that the authentication failure message carries the failure encryption information.
  • the local sequence number information of the terminal device includes the local sequence number of the terminal device or a parameter generated by processing the local sequence number of the terminal device.
  • the method further includes: obtaining a first authentication code according to the cause value corresponding to the authentication failure type, the first authentication code being used to verify the authentication failure type; and the terminal device sends the first authentication code to the access and mobility management function entity.
  • the method further includes: the terminal device generates a shared secret key; the terminal device encrypting the cause value corresponding to the authentication failure type to obtain the failure encryption information includes: the terminal device uses the shared secret key to encrypt the cause value corresponding to the authentication failure type to obtain the failure encryption information.
  • an authentication method includes: an access and mobility management function entity sends an authentication request message to a terminal device; the access and mobility management function entity receives failure encryption information sent by the terminal device, the failure encryption information being obtained by encrypting the cause value corresponding to the authentication failure type.
  • the failure encryption information being obtained by encrypting the cause value corresponding to the authentication failure type includes: if the authentication failure type is synchronization failure, the failure encryption information is obtained by encrypting the cause value corresponding to the synchronization failure and the local sequence number information of the terminal device; or, if the authentication failure type is message authentication code failure, the failure encryption information is obtained by encrypting the cause value corresponding to the message authentication code failure.
  • the failure encryption information has the same length regardless of the authentication failure type.
  • the failure encryption information being obtained by encrypting the cause value corresponding to the synchronization failure and the local sequence number information of the terminal device includes: the cause value corresponding to the synchronization failure and the local sequence number information of the terminal device are concatenated to obtain a first intermediate value; the first intermediate value is encrypted to obtain the failure encryption information.
  • the failure encryption information being obtained by encrypting the cause value corresponding to the message authentication code failure includes: the cause value corresponding to the message authentication code failure is concatenated with an N-bit binary number to obtain a second intermediate value; the second intermediate value is encrypted to obtain the failure encryption information, where N is an integer greater than or equal to 1.
  • the failure encryption information is sent in an authentication failure message, and the authentication failure message further includes encryption indication information indicating that the authentication failure message carries the failure encryption information.
  • the local sequence number information of the terminal device includes the local sequence number of the terminal device or a parameter generated by processing the local sequence number of the terminal device.
  • the method further includes: the access and mobility management function entity sends the failure encryption information to the authentication server function entity.
  • the method further includes: the access and mobility management function entity decrypts the failed encrypted information.
  • the authentication failure message further includes a first authentication code obtained according to the cause value of the authentication failure type, the first authentication code being used to verify the authentication failure type; the method further includes: matching the first authentication code with a second authentication code, and determining the authentication failure type according to the matching result, wherein the second authentication code is obtained according to the cause value corresponding to a first authentication failure type, and the first authentication failure type is message authentication code failure or synchronization failure.
  • the method further includes: the access and mobility management function entity generates a shared secret key; the access and mobility management function entity decrypting the failure encryption information includes: the access and mobility management function entity uses the shared secret key to decrypt the failure encryption information.
  • an authentication method includes: an authentication server function entity receives failure encryption information sent by the access and mobility management function entity, the failure encryption information being obtained by encrypting the cause value corresponding to the authentication failure type.
  • the failure encryption information being obtained by encrypting the cause value corresponding to the authentication failure type includes: if the authentication failure type is synchronization failure, the failure encryption information is obtained by encrypting the cause value corresponding to the synchronization failure and the local sequence number information of the terminal device; or, if the authentication failure type is message authentication code failure, the failure encryption information is obtained by encrypting the cause value corresponding to the message authentication code failure.
  • the failure encryption information has the same length regardless of the authentication failure type.
  • the failure encryption information being obtained by encrypting the cause value corresponding to the synchronization failure and the local sequence number information of the terminal device includes: the cause value corresponding to the synchronization failure and the local sequence number information of the terminal device are concatenated to obtain a first intermediate value; the first intermediate value is encrypted to obtain the failure encryption information.
  • the failure encryption information being obtained by encrypting the cause value corresponding to the message authentication code failure includes: the cause value corresponding to the message authentication code failure is concatenated with an N-bit binary number to obtain a second intermediate value; an encryption operation is performed on the second intermediate value to obtain the failure encryption information, where N is an integer greater than or equal to 1.
  • the local sequence number information of the terminal device includes the local sequence number of the terminal device or a parameter generated by processing the local sequence number of the terminal device.
  • the method further includes: the authentication server function entity sends the failed encryption information to the unified data management entity.
  • the method further includes: the authentication server functional entity decrypts the failed encrypted information.
  • the method further includes: the authentication server function entity generates a shared secret key; the authentication server function entity decrypting the failure encryption information includes: the authentication server function entity uses the shared secret key to decrypt the failure encryption information.
  • the method further includes: the authentication server function entity generates a second authentication code, the second authentication code being used to verify the authentication failure type; the authentication server function entity sends the second authentication code to the access and mobility management function entity.
  • an authentication method includes: a unified data management entity receives failure encryption information sent by an authentication server function entity, the failure encryption information being obtained by encrypting the cause value corresponding to the authentication failure type; the unified data management entity decrypts the failure encryption information.
  • the failure encryption information being obtained by encrypting the cause value corresponding to the authentication failure type includes: if the authentication failure type is synchronization failure, the failure encryption information is obtained by encrypting the cause value corresponding to the synchronization failure and the local sequence number information of the terminal device; or, if the authentication failure type is message authentication code failure, the failure encryption information is obtained by encrypting the cause value corresponding to the message authentication code failure.
  • the failure encryption information has the same length regardless of the authentication failure type.
  • the failure encryption information being obtained by encrypting the cause value corresponding to the synchronization failure and the local sequence number information of the terminal device includes: the cause value corresponding to the synchronization failure and the local sequence number information of the terminal device are concatenated to obtain a first intermediate value; the first intermediate value is encrypted to obtain the failure encryption information.
  • the failure encryption information being obtained by encrypting the cause value corresponding to the message authentication code failure includes: the cause value corresponding to the message authentication code failure is concatenated with an N-bit binary number to obtain a second intermediate value; the second intermediate value is encrypted to obtain the failure encryption information, where N is an integer greater than or equal to 1.
  • the local sequence number information of the terminal device includes the local sequence number of the terminal device or a parameter generated by processing the local sequence number of the terminal device.
  • the method further includes: the unified data management entity generates a shared secret key; the unified data management entity decrypting the failure encryption information includes: using the shared secret key to decrypt the failure encryption information.
  • the method further includes: the unified data management entity generates a second authentication code, the second authentication code being used to verify the authentication failure type; the unified data management entity sends the second authentication code to the access and mobility management function entity.
  • an authentication device including various modules or units for executing the method in any one of the foregoing first to fourth aspects.
  • an authentication device including a processor.
  • the processor is coupled with the memory, and can be used to execute instructions in the memory to implement the method in any one of the possible implementation manners of the first to fourth aspects.
  • the authentication device further includes a memory.
  • the authentication device further includes a communication interface, and the processor is coupled with the communication interface.
  • the authentication device is a communication device, such as a terminal device, AMF, AUSF, or UDM in the embodiment of this application.
  • the communication interface may be a transceiver, or an input/output interface.
  • the authentication device is a chip configured in a communication device, such as a chip configured in a terminal device, AMF, AUSF, or UDM as in the embodiment of the present application.
  • the communication interface may be an input/output interface.
  • the transceiver may be a transceiver circuit.
  • the input/output interface may be an input/output circuit.
  • a processor including: an input circuit, an output circuit, and a processing circuit.
  • the processing circuit is configured to receive a signal through the input circuit and transmit a signal through the output circuit, so that the processor executes the method in any one of the possible implementation manners of the first to fourth aspects.
  • the processor may be a chip
  • the input circuit may be an input pin
  • the output circuit may be an output pin
  • the processing circuit may be a transistor, a gate circuit, a flip-flop, and various logic circuits.
  • the input signal received by the input circuit may be received and input by, for example, but not limited to a receiver
  • the signal output by the output circuit may be, for example but not limited to, output to and transmitted by the transmitter
  • the circuit may be the same circuit, which is used as an input circuit and an output circuit at different times, respectively.
  • the embodiments of the present application do not limit the specific implementation manner of the processor and various circuits.
  • a processing device including a processor and a memory.
  • the processor is configured to read instructions stored in the memory, and can receive signals through a receiver, and transmit signals through a transmitter, so as to execute the method in any one of the possible implementation manners of the first to fourth aspects.
  • there are one or more processors and one or more memories.
  • the memory may be integrated with the processor, or the memory and the processor are provided separately.
  • the memory may be non-transitory memory, such as read-only memory (ROM), which may be integrated with the processor on the same chip or placed on a different chip; the embodiments of the present application do not limit the type of memory or the manner in which the memory and the processor are arranged.
  • ROM read only memory
  • sending instruction information may be a process of outputting instruction information from the processor
  • receiving capability information may be a process of receiving input capability information by the processor.
  • the processed output data may be output to the transmitter, and the input data received by the processor may come from the receiver.
  • the transmitter and the receiver may be collectively referred to as a transceiver.
  • the processing device in the eighth aspect may be a chip, and the processor may be implemented by hardware or software. When implemented by hardware, the processor may be a logic circuit, an integrated circuit, etc.; when implemented by software, the processor may be a general-purpose processor implemented by reading software code stored in a memory, and the memory may be integrated in the processor or located outside the processor and exist independently.
  • a computer program product includes a computer program (also called code, or instructions) which, when executed, causes the computer to execute the method in any possible implementation of the first to fourth aspects.
  • a computer program also called code, or instruction
  • a computer-readable medium stores a computer program (also called code, or instructions) which, when run on a computer, causes the computer to execute the method in any possible implementation of the first to fourth aspects.
  • a communication system which includes the aforementioned terminal equipment, access and mobility management function entity, authentication server function entity, or unified data management entity.
  • FIG. 1 is a schematic diagram of a network architecture suitable for the method provided by the embodiment of the present application
  • Fig. 2 is a schematic flowchart of an example of the authentication method according to the present application.
  • Fig. 3 is a schematic flowchart of another example of the authentication method according to the present application.
  • Fig. 4 is a schematic flowchart of another example of the authentication method according to the present application.
  • Fig. 5 is a schematic flowchart of another example of the authentication method according to the present application.
  • Fig. 6 is a schematic block diagram of an authentication device according to the present application.
  • Fig. 7 is a schematic block diagram of an authentication device according to the present application.
  • GSM global mobile communication
  • CDMA code division multiple access
  • WCDMA broadband code division multiple access
  • GPRS general packet radio service
  • LTE long term evolution
  • FDD frequency division duplex
  • TDD time division duplex
  • UMTS universal mobile communication system
  • WiMAX worldwide interoperability for microwave access
  • the embodiments of the application do not specifically limit the specific structure of the body that executes the method provided in the embodiments of the application, as long as it can run a program recording the code of the method provided in the embodiments of the application and thereby communicate according to that method.
  • the execution subject of the method provided in the embodiments of the present application may be a terminal device or a network device, or a functional module in the terminal device or network device that can call and execute the program.
  • FIG. 1 is a schematic diagram of a network architecture suitable for the method provided in the embodiment of the present application.
  • the network architecture may be a non-roaming architecture, for example.
  • the network architecture may specifically include the following network elements:
  • Terminal equipment may also be called user equipment (UE), terminal, access terminal, subscriber unit, subscriber station, mobile station, remote station, remote terminal, mobile device, user terminal, wireless communication device, user agent or user device.
  • the UE may also be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal device in a future 5G network or a terminal device in a future public land mobile network (PLMN), etc.; it may also be an end device, a logical entity, a smart device such as a mobile phone or smart terminal, a communication device such as a server, gateway, base station or controller, or an Internet of Things (IoT) device such as a sensor, electricity meter or water meter. This embodiment of the application does not limit this.
  • IoT Internet of Things
  • An access network provides network access functions for authorized users in a specific area, and can use transmission tunnels of different quality according to user level and business needs.
  • the access network may be an access network that uses different access technologies.
  • 3GPP 3rd Generation Partnership Project
  • non-3GPP non-3rd Generation Partnership Project
  • the 3GPP access technology refers to the access technology that conforms to the 3GPP standard.
  • the access network that uses the 3GPP access technology is called a radio access network (Radio Access Network, RAN).
  • RAN Radio Access Network
  • next generation Node Base station gNB
  • a non-3GPP access technology refers to an access technology that does not comply with the 3GPP standard specifications, for example the air interface technology represented by an access point (AP) in WiFi.
  • AP access point
  • An access network that implements access network functions based on wireless communication technology may be called a radio access network (RAN).
  • the wireless access network can manage wireless resources, provide access services for the terminal, and then complete the forwarding of control signals and user data between the terminal and the core network.
  • the radio access network may be, for example, a base station (NodeB), an evolved base station (evolved NodeB, eNB or eNodeB), a base station (gNB) in a 5G mobile communication system, a base station in a future mobile communication system or an AP in a WiFi system; it may also be a wireless controller in a cloud radio access network (CRAN) scenario, or the access network device may be a relay station, an access point, an in-vehicle device, a wearable device, a network device in a future 5G network or a network device in a future evolved PLMN network.
  • CRAN cloud radio access network
  • the embodiments of the present application do not limit the specific technology and specific device form adopted by the wireless access network device.
  • Access and mobility management function (AMF) entity: mainly used for mobility management and access management, and can be used to implement the functions of the mobility management entity (MME) other than session management, such as lawful interception or access authorization (authentication). In the embodiment of this application it can be used to realize the functions of the access and mobility management network element.
  • MME mobility management entity
  • Session management function (SMF) entity: mainly used for session management, UE Internet Protocol (IP) address allocation and management, selection of a manageable user plane function, termination point of policy control or charging function interfaces, downlink data notification, etc. In the embodiment of this application it can be used to realize the function of the session management network element.
  • IP Internet Protocol
  • UPF User Plane Function
  • DN data network
  • the UPF entity can be used to implement the function of the user plane gateway.
  • Data network (DN): a network used to provide data transmission, for example an operator's business network, the Internet, or a third-party business network.
  • AUSF authentication server function
  • Network exposure function (NEF) entity: used to securely expose the services and capabilities provided by 3GPP network functions to the outside.
  • Network repository function (NRF) entity: used to store network function entities and description information of the services they provide, and to support service discovery, network element entity discovery, etc.
  • PCF Policy control function
  • UDM unified data management
  • Application function (AF) entity: used for application-influenced data routing, accessing the network exposure function network element, or interacting with the policy framework for policy control, etc.
  • the N1 interface is the reference point between the terminal and the AMF entity;
  • the N2 interface is the reference point between the AN and the AMF entity, used for non-access stratum (NAS) message transmission, etc.;
  • the N3 interface is the reference point between the (R)AN and the UPF entity, used to transmit user plane data, etc.;
  • the N4 interface is the reference point between the SMF entity and the UPF entity, used to transmit, for example, tunnel identification information of the N3 connection, data buffering indication information, downlink data notification messages and other information;
  • the N6 interface is the reference point between the UPF entity and the DN, used to transmit user plane data, etc.
  • the above-mentioned network architecture applied to the embodiment of the present application is only an example of a network architecture described from the perspective of a traditional point-to-point architecture and a service-oriented architecture, and the network architecture applicable to the embodiment of the present application is not limited to this. Any network architecture that can realize the functions of the above-mentioned network elements is applicable to the embodiments of the present application.
  • The AMF entity, SMF entity, UPF entity, NSSF entity, NEF entity, AUSF entity, NRF entity, PCF entity, and UDM entity shown in Figure 1 can be understood as network elements used to implement different functions in the core network; for example, they can be combined into network slices on demand. These core network elements can be independent devices or can be integrated in the same device to implement different functions, which is not limited in this application.
  • the entity used to implement the AMF is referred to as the AMF;
  • the entity used to implement the AUSF is referred to as the AUSF;
  • the entity used to implement the UDM functions is referred to as the UDM.
  • the name of the interface between the various network elements in FIG. 1 is only an example, and the name of the interface in a specific implementation may be other names, which is not specifically limited in this application.
  • the name of the message (or signaling) transmitted between the various network elements is only an example, and does not constitute any limitation on the function of the message itself.
  • FIG. 2 is a schematic flowchart of an authentication method 200 provided by an embodiment of the present application. As shown in FIG. 2, the method 200 includes the following contents.
  • step S210 the AMF sends an authentication request message to the terminal device.
  • the AMF sends an authentication request message to the terminal device to prepare to authenticate the terminal device.
  • the authentication request message may carry an authentication random number (random, RAND) and an authentication token (authentication token, AUTN), and the AUTN may include a message authentication code and a serial number.
  • step S221 the terminal device performs authentication according to the authentication request message.
  • the terminal device can be authenticated according to the RAND and AUTN.
  • the terminal device can send the RAND and AUTN to the universal subscriber identity module (USIM).
  • The USIM first calculates the expected message authentication code XMAC from the AUTN, the RAND and the root key K, and then compares XMAC with the MAC contained in the AUTN. If the check fails (for example, the two are not equal), it is determined that the authentication has failed and the authentication failure type is a message authentication code failure (MAC failure). At this time, the terminal device generates the reason value corresponding to the message authentication code failure.
  • If XMAC and the MAC in the AUTN compare successfully (for example, the two are equal), the terminal device continues to check whether the SQN in the AUTN is within the valid range (for example, whether the SQN is greater than the terminal device's local serial number SQN MS). If this check fails (for example, the SQN is less than or equal to SQN MS), it is determined that the authentication has failed and the authentication failure type is a synchronization failure (synch failure). At this time, the terminal device generates the reason value corresponding to the synchronization failure.
  • the reason value corresponding to the message authentication code failure is used to indicate that the authentication failure type is message authentication code failure
  • the reason value corresponding to the synchronization failure is used to indicate the authentication failure type is synchronization failure, and the two are different.
  • the reason value corresponding to the message authentication code failure and the reason value corresponding to the synchronization failure may be 8-bit binary numbers.
  • the reason value corresponding to the message authentication code failure may be "00010100".
  • the reason value corresponding to the synchronization failure may be "00010101".
  • step S222 if the authentication fails, the reason value corresponding to the authentication failure type is encrypted to obtain the failure encryption information.
  • the reason value corresponding to the message authentication code failure is encrypted.
  • the cause value corresponding to the synchronization failure is encrypted.
  • the method of encrypting the cause value corresponding to the authentication failure type in the embodiment of the present application is not limited.
  • the terminal device may negotiate with a network side device (for example, any one of the AMF, AUSF, and UDM) a method for encrypting the cause value corresponding to the authentication failure type.
  • the cause value corresponding to the authentication failure type can be encrypted using a symmetric encryption method.
  • the terminal device uses the root key K to encrypt the cause value corresponding to the authentication failure type, and the network side device (for example, any one of the AMF, AUSF, and UDM) can use the same secret key to decrypt the failure encryption information.
  • the terminal device may use a shared key it has in common with the network side device (for example, a shared secret key derived from the authentication function key Kausf) to encrypt the cause value corresponding to the authentication failure type, and the network side device (for example, any one of the AMF, AUSF, and UDM) can likewise use the shared secret key to decrypt the failure encryption information.
  • asymmetric encryption can also be used to encrypt the cause value corresponding to the authentication failure type.
  • the public key (or private key) of the home network can be used to encrypt the authentication failure type information, and the network side device can use the corresponding private key (or public key) to decrypt the failure encryption information.
  • a method based on subscription concealed identifier (SUCI) encryption or a method based on resynchronization parameter (resynchronization token, AUTS) encryption can be used to encrypt the cause value corresponding to the authentication failure type; the network side device then uses the corresponding SUCI-based or AUTS-based decryption method to decrypt the failure encryption information.
  • the secret key used for encrypting the cause value corresponding to the authentication failure type may be possessed by the terminal device itself, may also be obtained through the network, or may be derived by itself.
  • step 230 the terminal device sends the failed encryption information to the AMF.
  • the terminal device sends the failure encryption information to the AMF in order to feed back the result of the authentication failure to the AMF and other network-side devices, so that they can determine the next action (for example, re-initiating authentication) according to that result.
  • the terminal device may send the failure encryption information to the AMF through an authentication failure message.
  • the network-side device such as AMF can decrypt the failed encrypted information in a predetermined manner to obtain the cause value corresponding to the authentication failure type, and finally determine the authentication failure type.
  • The embodiment of the application encrypts the reason value corresponding to the authentication failure type to obtain the failure encryption information. Even if the failure encryption information is intercepted by an attacker over the air interface, the attacker cannot decrypt it and thus cannot distinguish which type of authentication failure occurred, so the attacker cannot locate or correlate the location of the tracked user, and the user's privacy is not leaked.
  • step S222 the manner of performing encryption processing on the cause values corresponding to different authentication failure types may be different.
  • the reason value corresponding to the message authentication code failure is encrypted.
  • the cause value corresponding to the synchronization failure and the local serial number information of the terminal device can be simultaneously encrypted.
  • For a synchronization failure, the authentication failure information usually also includes the local serial number information of the terminal device, so that the UDM can obtain the local serial number SQN MS of the terminal device and initiate a new authentication based on SQN MS.
  • For a message authentication code failure, the authentication failure information does not include the local serial number information of the terminal device. To prevent an attacker from distinguishing the type of authentication failure from the presence of the local serial number information, for a synchronization failure the reason value corresponding to the synchronization failure and the local serial number information of the terminal device can be encrypted together.
  • the local serial number SQN MS of the terminal device can be obtained through the local serial number information of the terminal device.
  • the local serial number information of the terminal device may include the local serial number of the terminal device itself or a parameter generated by processing it; for example, the local serial number information of the terminal device may include an authentication failure parameter (authentication failure parameter).
  • the authentication failure parameter usually includes the parameter name, the parameter length, and the AUTS, where AUTS = SQN MS ⊕ AK || MAC-S: AK is an anonymity key (anonymity key, AK), ⊕ denotes an exclusive OR operation, || denotes a concatenation operation, and MAC-S is a resynchronization message authentication code (message authentication code for synchronization).
  • the local serial number information of the terminal device may also include the resynchronization parameter AUTS, the result SQN MS ⊕ AK of the exclusive OR operation between the local serial number SQN MS of the terminal device and the anonymity key AK, or the local serial number SQN MS itself.
  • the reason value corresponding to the synchronization failure and the authentication failure parameter can be encrypted at the same time to obtain the failure encryption information.
  • the cause value corresponding to the synchronization failure and the AUTS can be encrypted at the same time to obtain the failure encryption information.
  • the reason value corresponding to the synchronization failure and the SQN MS ⊕ AK can be encrypted at the same time to obtain the failure encryption information.
  • the cause value corresponding to the synchronization failure and the SQN MS can be encrypted at the same time to obtain the failure encryption information.
  • the cause value corresponding to the synchronization failure and the local serial number information of the terminal device are encrypted, and the failure encryption information can be obtained in the following manner:
  • the cause value corresponding to the synchronization failure (denoted as cause#1) and the local serial number information of the terminal device (denoted as SQN#1) are concatenated to obtain the first intermediate value, which can be denoted as cause#1 || SQN#1.
  • the concatenation of the cause value corresponding to the synchronization failure and the local serial number information of the terminal device means that the two are joined end to end (the order of the two is not limited) to obtain the first intermediate value; the encryption operation is then performed on the first intermediate value to obtain the failure encryption information.
  • the first intermediate value obtained can be denoted as: cause#1
  • the cause value corresponding to the synchronization failure is concatenated with the AUTS, and the first intermediate value obtained can be recorded as cause#1 || AUTS.
  • the cause value corresponding to the synchronization failure is concatenated with SQN MS ⊕ AK, and the first intermediate value obtained can be written as cause#1 || SQN MS ⊕ AK.
  • Encryption operation to obtain the encryption failure information can be recorded as: Enc(cause#1
  • the first intermediate value obtained can be recorded as: cause#1
  • performing encryption processing on the cause value corresponding to the synchronization failure and the local serial number information of the terminal device to obtain the failure encryption information may also be done in other ways. For example, another operation (such as an exclusive OR operation) may be performed on the cause value corresponding to the synchronization failure and the local serial number information of the terminal device to obtain the first intermediate value, and then the encryption operation is performed on the first intermediate value.
  • For different authentication failure types, the length of the failure encryption information may be the same.
  • The length of the reason value corresponding to the synchronization failure and the length of the reason value corresponding to the message authentication code failure are the same.
  • For a synchronization failure, the reason value corresponding to the synchronization failure can be concatenated with the local serial number information of the terminal device to obtain the first intermediate value, and the first intermediate value is encrypted to obtain the failure encryption information.
  • In that case, the length of the failure encryption information corresponding to the synchronization failure may be significantly greater than that corresponding to the message authentication code failure, so the attacker may distinguish the authentication failure type from the length of the failure encryption information.
  • When the terminal device encrypts the cause value corresponding to the authentication failure type, the length of the failure encryption information may be made the same for different authentication failure types.
  • the length of the failed encryption information can be made the same in at least one of the following ways:
  • Method 1: a specific encryption method (for example, a specific encryption key) is used to encrypt the cause value corresponding to the message authentication code failure, and the same specific encryption method is used to encrypt the cause value corresponding to the synchronization failure together with the local serial number information of the terminal device.
  • Different encryption methods may change the length of the failure encryption information after encryption. Therefore, a specific encryption method can be used for the encryption processing, so that for different authentication failure types the length of the failure encryption information is the same value.
  • Method 2: a concatenation operation is performed on the content before the encryption operation and a binary number of a certain length, and then the encryption operation is performed, so that the length of the failure encryption information can be the same.
  • the content before the encryption operation can be the corresponding cause value alone, or the first intermediate value obtained by concatenating the corresponding cause value with the local serial number information of the terminal device.
  • the cause value corresponding to the message authentication code failure (denoted as cause#2) and an N-bit binary number (denoted as string#1) can be concatenated to obtain the second intermediate value, which can be recorded as cause#2 || string#1.
  • the composition of the N-bit binary number can be determined through negotiation with the network side device (for example, any one of AMF, AUSF, and UDM).
  • the N-bit binary number can consist of any number of "0" bits and any number of "1" bits.
  • for example, a binary number of N bits may be composed of N "0"s; for another example, a binary number of N bits may also be composed of N "1"s.
  • the length of the failed encryption information corresponding to the two can be made the same (that is, the Enc(cause#1
  • the value of N may be equal to any one of the lengths of AFP#1, AUTS, SQN MS ⊕ AK, and SQN MS.
  • the length of the authentication failure information for the two different authentication failure types can also be made the same by a method similar to the above "concatenation with an N-bit binary number", that is, concatenation with a fixed value; for example, the "N-digit binary number" can equally be an "N-digit decimal number", an "N-digit hexadecimal number", an "N-digit character string", etc.
  • Various forms that may appear in the future should be within the scope of the technical solution of this application.
  • In this way, the attacker cannot distinguish the authentication failure type from the length of the failure encryption information, and therefore cannot locate or correlate the location of the tracked user, so the user's privacy is not leaked.
  • Alternatively, for different authentication failure types, the length of the failure encryption information may be variable but within the same range of variation.
  • The above method 1 and/or method 2 can be used to make the length of the failure encryption information corresponding to the message authentication code failure variable and within a first variation range;
  • and method 1 and/or method 2 can likewise make the length of the failure encryption information corresponding to the synchronization failure variable and within the same first variation range.
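As an added example (not code from the patent or from the applicant), the following Python models the terminal-side construction of step S222 with method 2 and the network-side parsing: cause#1 || AUTS for a synchronization failure, cause#2 || string#1 with N equal to the length of AUTS for a message authentication code failure, so that both failure types yield failure encryption information of the same length. The derivation of the shared key from Kausf (HMAC-SHA256 with a fixed label) and the cipher (HMAC-SHA256 keystream plus tag) are stand-ins, since the page leaves both open; the sample Kausf, SQN MS, AK and MAC-S values are constructed.

```python
"""Added example: length-equalised encryption of the authentication-failure cause value.

Models step S222 and method 2 of the description: the terminal concatenates the cause
value with the AUTS (synchronisation failure) or with an N-bit zero string (MAC failure),
N being the AUTS length, so both failure types produce equal-length ciphertexts.
The key derivation and the cipher are stand-ins; the page leaves both open.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# 8-bit cause values from the description: cause#1 (synch failure), cause#2 (MAC failure).
CAUSE_SYNC_FAILURE = int("00010101", 2).to_bytes(1, "big")
CAUSE_MAC_FAILURE = int("00010100", 2).to_bytes(1, "big")

SQN_LEN, MAC_S_LEN = 6, 8            # 48-bit SQN_MS xor AK, 64-bit MAC-S
AUTS_LEN = SQN_LEN + MAC_S_LEN       # AUTS = (SQN_MS xor AK) || MAC-S, 14 bytes
N_BITS = AUTS_LEN * 8                # N chosen equal to the length of AUTS
STRING_1 = b"\x00" * (N_BITS // 8)   # string#1: N bits of "0"
NONCE_LEN, TAG_LEN = 12, 16


def build_auts(sqn_ms: bytes, ak: bytes, mac_s: bytes) -> bytes:
    """AUTS = (SQN_MS xor AK) || MAC-S, as in the resynchronisation procedure."""
    if len(sqn_ms) != SQN_LEN or len(ak) != SQN_LEN or len(mac_s) != MAC_S_LEN:
        raise ValueError("bad AUTS component length")
    concealed_sqn = bytes(a ^ b for a, b in zip(sqn_ms, ak))
    return concealed_sqn + mac_s


def derive_failure_key(k_ausf: bytes) -> bytes:
    """Assumption: shared key = HMAC-SHA256(Kausf, label); the page leaves the KDF open."""
    return hmac.new(k_ausf, b"authentication-failure-cause-key", hashlib.sha256).digest()


def build_plaintext(cause: bytes, auts: Optional[bytes] = None) -> bytes:
    """Content before encryption: cause#1 || AUTS, or cause#2 || string#1 (same length)."""
    if cause == CAUSE_SYNC_FAILURE:
        if auts is None or len(auts) != AUTS_LEN:
            raise ValueError("synchronisation failure needs a 14-byte AUTS")
        return cause + auts
    if cause == CAUSE_MAC_FAILURE:
        return cause + STRING_1
    raise ValueError("unknown cause value")


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for whatever cipher is negotiated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_failure(key: bytes, plaintext: bytes) -> bytes:
    """Enc(...) producing the failure encryption information: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def decrypt_failure(key: bytes, blob: bytes) -> bytes:
    """Network side (AMF/AUSF/UDM): verify the tag, then recover the intermediate value."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated failure encryption information")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("failure encryption information failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def parse_failure(plaintext: bytes) -> Tuple[str, Optional[bytes]]:
    """Split the decrypted value into the failure type and, for synch failure, the AUTS."""
    cause, rest = plaintext[:1], plaintext[1:]
    if cause == CAUSE_SYNC_FAILURE:
        return "synch failure", rest          # the UDM recovers SQN_MS from the AUTS
    if cause == CAUSE_MAC_FAILURE:
        return "MAC failure", None            # the zero padding carries no information
    raise ValueError("unknown cause value")


def demo() -> dict:
    """Constructed sample values; both failure types yield equal-length ciphertexts."""
    key = derive_failure_key(b"\x11" * 32)                       # constructed Kausf
    auts = build_auts(b"\x00\x00\x00\x00\x01\x2a", b"\x5a" * 6, b"\xab" * 8)
    ct_sync = encrypt_failure(key, build_plaintext(CAUSE_SYNC_FAILURE, auts))
    ct_mac = encrypt_failure(key, build_plaintext(CAUSE_MAC_FAILURE))
    return {
        "len_sync": len(ct_sync),
        "len_mac": len(ct_mac),
        "sync": parse_failure(decrypt_failure(key, ct_sync)),
        "mac": parse_failure(decrypt_failure(key, ct_mac)),
    }


if __name__ == "__main__":
    print(demo())
```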
  • FIG. 3 is a schematic flowchart of an authentication method 300 according to another embodiment of the present application. As shown in FIG. 3, the method 300 includes the following contents.
  • step S300 an authentication process is initiated between the UDM and the terminal device.
  • UDM first creates a 5G home environment authentication vector (5G HE AV) according to the authentication request.
  • the 5G HE AV may include authentication parameters such as the RAND, the AUTN, and the expected response (XRES).
  • the 5G HE AV is sent to AUSF, and AUSF generates a 5G visiting environment authentication vector (5G serving environment authentication vector, 5G SE HV) based on the 5G HE AV.
  • the 5G SE HV may include the RAND, the AUTN, the hash expected response (HXRES) and other authentication parameters. The 5G SE HV is then sent to the AMF, and the AMF generates an authentication request message based on the 5G SE HV.
  • step S310 the AMF sends the authentication request message to the terminal device.
  • step S321 the terminal device performs authentication according to the authentication request message.
  • step S322 if the authentication fails, the reason value corresponding to the authentication failure type is encrypted to obtain the failure encryption information.
  • step S330 the terminal device sends an authentication failure message to the AMF, and the authentication failure message includes the failure encryption information.
  • the failed encryption information may be sent to the AMF through the authentication failure message, or may be sent to the AMF in other forms (for example, sent separately).
  • step S350 AMF sends the failed encryption information to UDM.
  • step S360 UDM decrypts the failed encrypted information.
  • the terminal device can send the failed encryption information to the AMF through the authentication failure message.
  • the AMF can send the failure encryption information to the UDM directly, or send it to the UDM through the AUSF.
  • the failed encryption information can also be sent to UDM along with the service invocation of the authentication process.
  • the AMF sends the failure encryption information to the UDM, and the UDM obtains the failure encryption information, and decrypts the failure encryption information, thereby obtaining the cause value corresponding to the authentication failure type, and finally determining the authentication failure type.
  • UDM can also obtain the local serial number information of the terminal device, and finally obtain the local serial number SQN MS of the terminal device. The UDM determines the next action (for example, re-initiating authentication) according to the acquired information.
  • the UDM can determine the way to decrypt the failed encrypted information according to the specific way the terminal device performs encryption processing.
  • For example, the UDM may decrypt the failure encryption information with any one of: the root key K; the private key (or public key) corresponding to the public key (or private key) of the home network; the decryption method based on the subscription concealed identifier SUCI; the decryption method based on the resynchronization parameter AUTS; or the shared secret key derived by the UDM or the AUSF.
  • UDM uses any of the above methods to decrypt the failed encrypted information to obtain the cause value corresponding to the authentication failure type, and finally determine the authentication failure type. UDM can determine the next action according to the authentication failure type, for example, including the following Case A and Case B.
  • the UDM can perform step S370.
  • step S370 the UDM re-initiates the authentication process.
  • the UDM may perform step S380.
  • the UDM sends the reason value corresponding to the message authentication code failure to the AMF, and the AMF re-initiates the authentication process or performs other operations.
  • the UDM may directly send the cause value corresponding to the message authentication code failure to the AMF, or may send the cause value corresponding to the message authentication code failure to the AMF through AUSF.
  • the method 300 may also include the following content.
  • step S323 the terminal device generates encryption instruction information.
  • the encryption indication information is used to indicate that the authentication failure message carries the failure encryption information; in this case the authentication failure message includes the encryption indication information.
  • the terminal device may send the encryption instruction information to the AMF through the authentication failure message, or may send the encryption instruction information to the AMF through other methods (for example, sending separately).
  • the encryption indication information may be a new cause value contained in the 5GMM cause information element.
  • the new cause value may be used to indicate that the authentication failure type is "message authentication code failure or synchronization failure" or "unknown failure".
  • step S340 the AMF determines whether the authentication failure message includes the encryption indication information.
  • The AMF determines whether the authentication failure message includes the encryption indication information. If it determines that the encryption indication information is present, it can determine that the received failure encryption information was obtained through encryption processing, and the AMF can send the failure encryption information to the AUSF, which then sends it to the UDM, or the AMF can send the failure encryption information to the UDM directly.
  • the encryption indication information is generated at the same time as the failure encryption information, and the AMF determines whether the authentication failure message includes the encryption indication information, thereby preventing the AMF from mistaking the failure encryption information for the plain cause value of some authentication failure type, or from interpreting it as some kind of abnormal information element.
  • AMF may also send the encryption instruction information to UDM.
  • the AMF may directly send the encryption instruction information to the UDM, or may send the encryption instruction information to the UDM through the AUSF.
  • the failed encryption information can also be sent to UDM along with the service invocation of the authentication process.
  • FIG. 4 is a schematic flowchart of the authentication method 400 according to the present application under the 5G network architecture. As shown in FIG. 4, the method 400 includes the following contents.
  • Steps S400, S410, S421, S422, and S430 can be understood with reference to steps S300, S310, S321, S322, and S330 in the method 300, and will not be repeated here.
  • step S401 UDM generates (or deduces) a shared secret key for decrypting the authentication failure information.
  • step S402 UDM sends the shared secret key to AMF.
  • the embodiment of the present application does not limit the method for UDM to generate the shared secret key and the parameters required to generate the shared secret key.
  • UDM can derive the shared secret key based on the authentication function key Kausf . Then the shared secret key is sent to the AMF, and the AMF stores the shared secret key.
  • the UDM can negotiate with the terminal device a method for generating the shared secret key and the parameters required for generating the shared secret key.
  • UDM can send the shared secret key to AMF directly, or send the shared secret key to AMF through AUSF.
  • the shared secret key may be sent to AUSF along with the 5G home environment authentication vector, and sent to the AMF along with the 5G visited environment authentication vector.
  • the shared secret key can also be generated by the AUSF, and the AUSF sends the shared secret key to the AMF.
  • the shared secret key can be sent to the AMF along with the 5G visited environment authentication vector.
  • the shared secret key can also be calculated by the AMF itself.
  • step S4211 the terminal device generates the shared secret key, and the shared secret key is used to encrypt the cause value corresponding to the authentication failure type.
  • the terminal device may also generate the shared secret key, and use the shared secret key to encrypt the cause value corresponding to the authentication failure type (which may also include the local serial number information of the terminal device).
  • the terminal device can also derive the shared secret key based on the authentication function key Kausf , and use the shared secret key to perform encryption processing.
  • the terminal device may also negotiate with UDM (or AUSF, or AMF) to use other methods and other parameters to generate the shared secret key.
  • step S422 if the authentication fails, the terminal device uses the shared secret key to encrypt the cause value (which may also include the terminal device's local serial number information) corresponding to the authentication failure type to obtain the failed encryption information.
  • step S441 AMF decrypts the failed encrypted information.
  • the AMF obtains the failed encryption information, and uses the shared secret key to decrypt the failed encryption information, thereby obtaining the cause value corresponding to the authentication failure type, and finally determines the authentication failure type.
  • AMF can also obtain the local serial number information of the terminal device. The AMF determines the next action (for example, re-initiating authentication) based on the acquired information.
  • AMF uses the shared secret key to decrypt the failed encrypted information, thereby obtaining the cause value corresponding to the authentication failure type, and finally determining the authentication failure type.
  • AMF can determine the next action according to the authentication failure type, for example, including the following Case X and Case Y.
  • step S442 is executed, and the AMF initiates a re-authentication process, or performs other operations.
  • steps S450 to S460 are executed.
  • step S450 the AMF sends the cause value corresponding to the synchronization failure and the local serial number information of the terminal device to the UDM.
  • the AMF may directly send the cause value corresponding to the synchronization failure and the local serial number information of the terminal device to the UDM, or may send the cause value corresponding to the synchronization failure and the local serial number information of the terminal device to the UDM through AUSF.
  • the reason value corresponding to the synchronization failure and the local serial number information of the terminal device can also be sent to the UDM along with the service invocation of the authentication process.
  • step S460 UDM initiates a re-authentication process.
  • UDM obtains the cause value corresponding to the synchronization failure and the local serial number information of the terminal device, determines that the type of authentication failure is a synchronization failure, and determines the local serial number SQN MS of the terminal device at the same time. UDM can initiate a re-authentication process based on the local serial number SQN MS of the terminal device.
  • the method 300 provided in the foregoing embodiment and the method 400 provided in this embodiment use the UDM and the AMF, respectively, to decrypt the failure encryption information. It should be understood that the AUSF can also decrypt the failure encryption information and send the decrypted cause value corresponding to the authentication failure type (which may also include the local serial number information of the terminal device) to the UDM.
  • FIG. 5 is a schematic flowchart of an authentication method 500 according to the present application under the 5G network architecture. As shown in FIG. 5, the method 500 includes the following contents.
  • Steps S500, S510, S521, and S522 can be understood with reference to steps S300, S310, S321, and S322 in the method 300, which will not be repeated here.
  • step S501 the UDM obtains the second authentication code according to the cause value corresponding to the first authentication failure type.
  • the UDM may calculate the second authentication code according to the reason value corresponding to the first authentication failure type; the second authentication code is used to verify the authentication failure type, and the first authentication failure type is the message authentication code failure or the synchronization failure.
  • step S502 UDM sends the second authentication code to AMF.
  • if the first authentication failure type is a message authentication code failure, the UDM may calculate the second authentication code according to the reason value corresponding to the message authentication code failure.
  • if the first authentication failure type is a synchronization failure, the UDM may calculate the second authentication code according to the cause value corresponding to the synchronization failure.
  • The embodiment of the present application does not limit the method of calculating the second authentication code from the cause value corresponding to the first authentication failure type, nor the other parameters required for the calculation.
  • For example, the second authentication code can be calculated from the root key K, RAND, and the cause value corresponding to the authentication failure type.
  • The UDM can negotiate with the terminal device the method for calculating the second authentication code and the parameters required for the calculation.
  • After calculating the second authentication code, the UDM sends it to the AMF; after receiving it, the AMF can store it.
  • The UDM can send the second authentication code to the AMF directly, or through the AUSF.
  • For example, the second authentication code can be sent to the AUSF along with the 5G home environment authentication vector, and then sent to the AMF along with the 5G visited environment authentication vector.
  • Alternatively, the second authentication code may be calculated by the AUSF, which then sends it to the AMF, for example along with the 5G visited environment authentication vector.
  • The second authentication code can also be calculated by the AMF itself.
  • Step S523: the terminal device obtains the first authentication code according to the cause value corresponding to the authentication failure type.
  • Specifically, the terminal device calculates the first authentication code from the cause value corresponding to the authentication failure type, and the first authentication code is used to verify the authentication failure type.
  • If the authentication failure type is MAC failure, the first authentication code is calculated from the cause value corresponding to MAC failure; if the authentication failure type is synchronization failure, the first authentication code is calculated from the cause value corresponding to synchronization failure.
  • The embodiment of the present application does not limit the method for calculating the first authentication code from the cause value corresponding to the authentication failure type, nor the other parameters required for the calculation.
  • The method used by the terminal device to calculate the first authentication code and the method used by the UDM to calculate the second authentication code may be the same or different, and likewise the other parameters required for the calculation may be the same or different.
  • For example, the two can use the same calculation method, with the terminal device also calculating the first authentication code from the root key K, RAND, and the cause value corresponding to the authentication failure type.
  • Step S530: the terminal device sends an authentication failure message to the AMF, where the authentication failure message includes the failure encryption information and the first authentication code.
  • The failure encryption information and the first authentication code may also be sent to the AMF outside the authentication failure message; in other words, they may be sent to the AMF separately or together in other ways.
  • Step S541: the AMF determines the authentication failure type according to the first authentication code and the second authentication code.
  • The first authentication code and the second authentication code can be calculated using the same method and parameters.
  • For example, the first authentication failure type may be MAC failure, that is, the second authentication code is calculated from the cause value corresponding to MAC failure.
  • The AMF matches the first authentication code against the second authentication code and determines the authentication failure type from the matching result.
  • If the two codes match, the authentication failure type is the first authentication failure type, and can be determined to be MAC failure.
  • If the two codes do not match, the authentication failure type is a type other than the first authentication failure type, and can be determined to be synchronization failure.
  • In step S501, second authentication codes can also be generated simultaneously for different authentication failure types.
  • For example, one second authentication code is calculated from the cause value corresponding to MAC failure, and at the same time another second authentication code is calculated from the cause value corresponding to synchronization failure.
  • The AMF may then jointly determine the authentication failure type from the first authentication code and the two second authentication codes. For example, the first authentication code can be matched against both second authentication codes at the same time, and the authentication failure type determined from the matching result.
  • In this embodiment, the AMF can learn the authentication failure type in advance from the matching result of the first and second authentication codes, without having to decrypt the failure encryption information first. The process is therefore more streamlined and more efficient.
  • The AMF can determine the next action according to the authentication failure type, for example as in the following cases M and N.
  • Case M: if the authentication failure type is MAC failure, step S542 is executed, and the AMF initiates a re-authentication process or performs other operations.
  • Case N: if the authentication failure type is synchronization failure, steps S550 to S570 are executed.
  • Step S550: the AMF sends the failure encryption information corresponding to the synchronization failure to the UDM.
  • The AMF may send the failure encryption information corresponding to the synchronization failure to the UDM directly, or through the AUSF.
  • The failure encryption information corresponding to the synchronization failure can also be sent to the UDM along with the service invocation of the authentication process.
  • Step S560: the UDM decrypts the failure encryption information corresponding to the synchronization failure.
  • Step S570: the UDM initiates a re-authentication process.
  • The UDM may determine how to decrypt the failure encryption information according to the specific manner in which the terminal device performed the encryption.
  • For example, the UDM may decrypt the failure encryption information using any one of: the root key K; the private key (or public key) of the home network corresponding to the public key (or private key) used for the encryption; the decryption method based on the subscription concealed identifier (SUCI); the decryption method based on the resynchronization parameter AUTS; or a shared key derived by the UDM or the AUSF.
  • Using any of the above methods, the UDM decrypts the failure encryption information and thereby obtains the cause value corresponding to the authentication failure type and the local sequence number information of the terminal device. The UDM then initiates a re-authentication process based on the information obtained.
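The following is an added worked example, not code from the patent or from the applicant: a toy model of the method 500 flow (S501, S523, S530, S541, S550 to S560), written to show why the AMF can classify the failure from the authentication codes while only the UDM can read the cause value. The patent leaves the authentication-code function, the cipher and the cause-value encoding open, so the choices here are assumptions: HMAC-SHA256 over (K, RAND, cause value) truncated to 8 bytes for the authentication code, a K/RAND-derived XOR keystream as a stand-in cipher for the failure encryption information, and the cause-value numbers 20 and 21 as constructed placeholders. All function and variable names are this example's own.

```python
"""Toy model of method 500: the terminal tags an encrypted authentication
failure with a keyed code so the AMF can classify the failure without
decrypting it, and only the UDM (holder of K) reads the cause value and SQN.
Added example; the patent does not fix any of the functions used here."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed placeholder cause values; the patent does not fix their encoding.
CAUSE_MAC_FAILURE = 20
CAUSE_SYNC_FAILURE = 21
CANDIDATE_CAUSES = (CAUSE_MAC_FAILURE, CAUSE_SYNC_FAILURE)


def failure_auth_code(k: bytes, rand: bytes, cause: int) -> bytes:
    """Authentication code over (K, RAND, cause value), used for both the
    terminal's first code (S523) and the UDM's second code(s) (S501).
    HMAC-SHA256 truncated to 8 bytes is this example's assumption. Keying
    with K is what stops a passive listener from recomputing the code for
    each candidate cause and so learning the failure type from the code."""
    return hmac.new(k, rand + bytes([cause]), hashlib.sha256).digest()[:8]


def _keystream(k: bytes, rand: bytes, length: int) -> bytes:
    """Toy keystream derived from K and RAND; a stand-in for the cipher the
    patent leaves open, not a production construction."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(k, b"enc" + rand + bytes([counter]), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def terminal_encrypt_failure(k: bytes, rand: bytes, cause: int, sqn_ms: int) -> bytes:
    """S522 on the terminal: failure encryption information over the cause
    value and the terminal's local sequence number (6 bytes, as in AKA SQN)."""
    plaintext = bytes([cause]) + sqn_ms.to_bytes(6, "big")
    ks = _keystream(k, rand, len(plaintext))
    return bytes(p ^ s for p, s in zip(plaintext, ks))


def udm_decrypt_failure(k: bytes, rand: bytes, failure_enc: bytes) -> Tuple[int, int]:
    """S560 on the UDM: recover the cause value and the local SQN."""
    ks = _keystream(k, rand, len(failure_enc))
    pt = bytes(c ^ s for c, s in zip(failure_enc, ks))
    return pt[0], int.from_bytes(pt[1:], "big")


def udm_second_auth_codes(k: bytes, rand: bytes) -> Dict[int, bytes]:
    """S501 (two-code variant): one second authentication code per candidate
    failure type, sent to and stored by the AMF in S502."""
    return {c: failure_auth_code(k, rand, c) for c in CANDIDATE_CAUSES}


def amf_classify_failure(first_code: bytes, second_codes: Dict[int, bytes]) -> Optional[int]:
    """S541: constant-time match of the first code against every stored
    second code. Returns the matched cause, or None when nothing matches.
    With two stored codes a non-match is a malformed or forged failure
    message and should not be treated as synchronization failure."""
    matched = None
    for cause, code in second_codes.items():
        if hmac.compare_digest(first_code, code):
            matched = cause
    return matched


def run_failure_flow(k: bytes, rand: bytes, cause: int, sqn_ms: int) -> dict:
    """End to end: terminal -> AMF (classify only) -> UDM (decrypt if sync)."""
    second_codes = udm_second_auth_codes(k, rand)                  # S501/S502
    first_code = failure_auth_code(k, rand, cause)                  # S523
    failure_enc = terminal_encrypt_failure(k, rand, cause, sqn_ms)  # S522/S530
    result = {"amf_view": amf_classify_failure(first_code, second_codes)}  # S541
    if result["amf_view"] == CAUSE_SYNC_FAILURE:                    # case N: S550-S570
        result["udm_view"] = udm_decrypt_failure(k, rand, failure_enc)
    return result


if __name__ == "__main__":
    K = secrets.token_bytes(16)     # constructed long-term key
    RAND = secrets.token_bytes(16)  # constructed challenge
    print(run_failure_flow(K, RAND, CAUSE_SYNC_FAILURE, sqn_ms=42))
    print(run_failure_flow(K, RAND, CAUSE_MAC_FAILURE, sqn_ms=0))
```

The point to check in any real implementation is that the authentication code depends on a secret the eavesdropper lacks (here K): a code computed only from public inputs and the cause value would let an observer recompute both candidates and recover exactly the failure type the encryption was meant to hide.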
  • FIG. 6 is a schematic block diagram of an authentication device 800 provided by an embodiment of the present application.
  • the authentication device 800 may include: a transceiver unit 810 and a processing unit 820.
  • the authentication apparatus 800 may be the terminal device in the above method embodiment, or may be a chip for implementing the function of the terminal device in the above method embodiment.
  • The authentication apparatus 800 may correspond to the terminal device in the methods 200 to 500 according to the embodiments of the present application, and may include units for executing the method performed by the terminal device in the method 200 in FIG. 2 to the method 500 in FIG. 5.
  • The units in the authentication device 800 and the other operations and/or functions described above are respectively intended to implement the corresponding processes of the method 200 in FIG. 2, the method 300 in FIG. 3, the method 400 in FIG. 4, and the method 500 in FIG. 5. It should be understood that the specific process for each unit to execute the above corresponding steps has been described in detail in the above method embodiments, and for the sake of brevity, no further description is provided here.
  • the authentication device 800 may be the AMF in the above method embodiment, or may be a chip for implementing the function of the AMF in the above method embodiment.
  • The authentication device 800 may correspond to the AMF in the methods 200 to 500 according to the embodiments of the present application, and may include units for executing the method performed by the AMF in the method 200 in FIG. 2 to the method 500 in FIG. 5.
  • The units in the authentication device 800 and the other operations and/or functions described above are respectively intended to implement the corresponding processes of the method 200 in FIG. 2, the method 300 in FIG. 3, the method 400 in FIG. 4, and the method 500 in FIG. 5. It should be understood that the specific process for each unit to execute the above corresponding steps has been described in detail in the above method embodiments, and for the sake of brevity, no further description is provided here.
  • the authentication device 800 may be the AUSF in the above method embodiment, or may be a chip for realizing the function of the AUSF in the above method embodiment.
  • The authentication device 800 may correspond to the AUSF in the methods 200 to 500 according to the embodiments of the present application, and may include units for executing the method performed by the AUSF in the method 200 in FIG. 2 to the method 500 in FIG. 5.
  • The units in the authentication device 800 and the other operations and/or functions described above are respectively intended to implement the corresponding processes of the method 200 in FIG. 2, the method 300 in FIG. 3, the method 400 in FIG. 4, and the method 500 in FIG. 5. It should be understood that the specific process for each unit to execute the above corresponding steps has been described in detail in the above method embodiments, and for the sake of brevity, no further description is provided here.
  • the authentication device 800 may be the UDM in the above method embodiment, or may be a chip for implementing the function of the UDM in the above method embodiment.
  • The authentication device 800 may correspond to the UDM in the methods 200 to 500 according to the embodiments of the present application, and may include units for executing the method performed by the UDM in the method 200 in FIG. 2 to the method 500 in FIG. 5.
  • The units in the authentication device 800 and the other operations and/or functions described above are respectively intended to implement the corresponding processes of the method 200 in FIG. 2, the method 300 in FIG. 3, the method 400 in FIG. 4, and the method 500 in FIG. 5. It should be understood that the specific process for each unit to execute the above corresponding steps has been described in detail in the above method embodiments, and for the sake of brevity, no further description is provided here.
  • The transceiver unit 810 in the authentication device 800 may correspond to the transceiver 920 in the authentication device 900 shown in FIG. 7, and the processing unit 820 in the authentication device 800 may correspond to the processor 910 in the authentication device 900 shown in FIG. 7.
  • FIG. 7 is a schematic block diagram of an authentication device 900 provided in an embodiment of the present application.
  • the authentication device 900 includes a processor 910 and a transceiver 920.
  • the processor 910 is coupled with the memory, and is configured to execute instructions stored in the memory to control the transceiver 920 to send signals and/or receive signals.
  • the authentication device 900 further includes a memory 930 for storing instructions.
  • processor 910 and the memory 930 may be combined into one processing device, and the processor 910 is configured to execute the program code stored in the memory 930 to implement the foregoing functions.
  • the memory 930 may also be integrated in the processor 910 or independent of the processor 910.
  • The transceiver 920 may include a receiver (also called a receiving device) and a transmitter (also called a transmitting device).
  • The transceiver may further include one or more antennas.
  • the authentication device 900 may be the terminal device in the above method embodiment, or may be a chip for implementing the function of the terminal device in the above method embodiment.
  • The authentication device 900 may correspond to the terminal device in the methods 200 to 500 according to the embodiments of the present application, and may include units for executing the method performed by the terminal device in the method 200 in FIG. 2 to the method 500 in FIG. 5.
  • The units in the authentication device 900 and the other operations and/or functions described above are respectively intended to implement the corresponding processes of the method 200 in FIG. 2, the method 300 in FIG. 3, the method 400 in FIG. 4, and the method 500 in FIG. 5. It should be understood that the specific process for each unit to execute the above corresponding steps has been described in detail in the above method embodiments, and for the sake of brevity, no further description is provided here.
  • the authentication device 900 may be the AMF in the above method embodiment, or may be a chip for realizing the function of the AMF in the above method embodiment.
  • The authentication device 900 may correspond to the AMF in the methods 200 to 500 according to the embodiments of the present application, and may include units for executing the method performed by the AMF in the method 200 in FIG. 2 to the method 500 in FIG. 5.
  • The units in the authentication device 900 and the other operations and/or functions described above are respectively intended to implement the corresponding processes of the method 200 in FIG. 2, the method 300 in FIG. 3, the method 400 in FIG. 4, and the method 500 in FIG. 5. It should be understood that the specific process for each unit to execute the above corresponding steps has been described in detail in the above method embodiments, and for the sake of brevity, no further description is provided here.
  • the authentication device 900 may be the AUSF in the above method embodiment, or may be a chip for realizing the function of the AUSF in the above method embodiment.
  • The authentication device 900 may correspond to the AUSF in the methods 200 to 500 according to the embodiments of the present application, and may include units for executing the method performed by the AUSF in the method 200 in FIG. 2 to the method 500 in FIG. 5.
  • The units in the authentication device 900 and the other operations and/or functions described above are respectively intended to implement the corresponding processes of the method 200 in FIG. 2, the method 300 in FIG. 3, the method 400 in FIG. 4, and the method 500 in FIG. 5. It should be understood that the specific process for each unit to execute the above corresponding steps has been described in detail in the above method embodiments, and for the sake of brevity, no further description is provided here.
  • the authentication device 900 may be the UDM in the above method embodiment, or may be a chip for implementing the function of the UDM in the above method embodiment.
  • The authentication device 900 may correspond to the UDM in the methods 200 to 500 according to the embodiments of the present application, and may include units for executing the method performed by the UDM in the method 200 in FIG. 2 to the method 500 in FIG. 5.
  • The units in the authentication device 900 and the other operations and/or functions described above are respectively intended to implement the corresponding processes of the method 200 in FIG. 2, the method 300 in FIG. 3, the method 400 in FIG. 4, and the method 500 in FIG. 5. It should be understood that the specific process for each unit to execute the above corresponding steps has been described in detail in the above method embodiments, and for the sake of brevity, no further description is provided here.
  • The present application also provides a computer program product.
  • The computer program product includes computer program code which, when run on a computer, causes the computer to execute the authentication method of any one of the embodiments shown in FIGS. 2 to 5.
  • The present application also provides a computer-readable medium that stores program code which, when run on a computer, causes the computer to execute the authentication method of any one of the embodiments shown in FIGS. 2 to 5.
  • The present application also provides a system, which includes the aforementioned user equipment, AMF, AUSF, and UDM.
  • The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on the computer, all or part of the processes or functions described in the embodiments of the present application are produced.
  • The computer may be a general-purpose computer, a dedicated computer, a computer network, or another programmable device.
  • The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fiber, or digital subscriber line (DSL)) or wireless means (such as infrared, radio, or microwave).
  • The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media.
  • The available medium may be a magnetic medium (for example, a floppy disk, a hard disk, or a magnetic tape), an optical medium (for example, a high-density digital video disc (DVD)), or a semiconductor medium (for example, a solid state disk (SSD)).
  • Each network element in the above device embodiments corresponds to a network element in the method embodiments, and the corresponding module or unit executes the corresponding steps: for example, the transceiver unit (transceiver) executes the receiving or sending steps in the method embodiments, and the steps other than receiving and sending can be executed by the processing unit (processor).
  • For the function of a specific unit, refer to the corresponding method embodiment. There may be one or more processors.
  • "At least one" refers to one or more, and "multiple" refers to two or more.
  • "And/or" describes the relationship between related objects and indicates that three relationships are possible; for example, "A and/or B" can mean that A exists alone, that A and B exist at the same time, or that B exists alone, where A and B can be singular or plural.
  • The character "/" generally indicates that the related objects are in an "or" relationship.
  • "At least one of the following" or similar expressions refers to any combination of the listed items, including any combination of single items or plural items.
  • For example, "at least one of a, b, or c" can mean: a, or b, or c, or a and b, or a and c, or b and c, or a, b and c, where a, b, and c may each be single or multiple.
  • A component may be, but is not limited to, a process running on a processor, a processor, an object, an executable file, a thread of execution, a program, and/or a computer.
  • Both an application running on a computing device and the computing device itself can be components.
  • One or more components can reside in a process and/or thread of execution, and a component can be localized on one computer and/or distributed between two or more computers.
  • These components can execute from various computer-readable media having various data structures stored thereon.
  • The components can communicate through local and/or remote processes based on a signal having one or more data packets (for example, data from two components interacting with another component in a local system, in a distributed system, and/or across a network such as the Internet that interacts with other systems through signals).
  • The disclosed system, device, and method may be implemented in other ways.
  • The device embodiments described above are only schematic.
  • The division into units is only a logical functional division, and there may be other divisions in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical, or other forms.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • each functional unit may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
  • When implemented using software, each functional unit can be implemented in whole or in part in the form of a computer program product.
  • The computer program product includes one or more computer instructions (programs). When the computer program instructions (programs) are loaded and executed on the computer, the processes or functions according to the embodiments of the present application are produced in whole or in part.
  • The computer may be a general-purpose computer, a dedicated computer, a computer network, or another programmable device.
  • The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fiber, or digital subscriber line (DSL)) or wireless means (such as infrared, radio, or microwave).
  • The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media.
  • The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid state disk (SSD)), or the like.
  • If the function is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • Based on this understanding, the technical solution of the present application, or the part of it that contributes to the existing technology, or a part of the technical solution, can be embodied in the form of a software product.
  • The computer software product is stored in a storage medium and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application.
  • The aforementioned storage media include: a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

According to the embodiments, the present invention relates to an authentication method, apparatus and system. The authentication method includes the following steps: a terminal device receives an authentication request message sent by an access and mobility management function; the terminal device performs authentication according to the authentication request message; if the authentication fails, the terminal device performs encryption processing on a cause value corresponding to the authentication failure type to obtain failure encryption information; and the terminal device sends the failure encryption information to the access and mobility management function. According to the embodiments of the present invention, by encrypting the cause value of an authentication failure type, even if an attacker intercepts an authentication failure message, the attacker cannot distinguish the specific authentication failure type, so that the attacker cannot locate the user, and it is ensured that the user's privacy is not subject to leakage.
PCT/CN2020/070450 2019-01-18 2020-01-06 Procédé, appareil et système d'authentification WO2020147602A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910049182.4A CN111465007B (zh) 2019-01-18 2019-01-18 一种认证方法、装置和系统
CN201910049182.4 2019-01-18

Publications (1)

Publication Number Publication Date
WO2020147602A1 true WO2020147602A1 (fr) 2020-07-23

Family

ID=71613705

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/070450 WO2020147602A1 (fr) 2019-01-18 2020-01-06 Procédé, appareil et système d'authentification

Country Status (2)

Country Link
CN (2) CN111465007B (fr)
WO (1) WO2020147602A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113596824A (zh) * 2021-07-30 2021-11-02 深圳供电局有限公司 一种5g安全协议中认证失败明文信息的加密方法

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130054394A1 (en) * 2011-08-24 2013-02-28 Follett Corporation Method and system for distributing digital media content
CN103297401A (zh) * 2012-03-01 2013-09-11 腾讯科技(深圳)有限公司 一种错误码的返回方法和装置
CN104604181A (zh) * 2012-06-28 2015-05-06 塞尔蒂卡姆公司 无线通信的密钥协定
CN106851410A (zh) * 2016-12-09 2017-06-13 深圳市纽格力科技有限公司 一种机顶盒故障修复方法和系统
CN107820244A (zh) * 2016-09-12 2018-03-20 中兴通讯股份有限公司 入网认证方法及装置

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1966925B1 (fr) * 2005-12-22 2014-10-22 InterDigital Technology Corporation Procede et appareil pour assurer la securite de donnees et pour mettre en oeuvre une demande automatique de repetition dans un systeme de communication sans fil
CN101686233B (zh) * 2008-09-24 2013-04-03 电信科学技术研究院 Ue与网络安全算法不匹配的处理方法、系统及装置
US9544770B2 (en) * 2010-12-01 2017-01-10 Microsoft Technology Licensing, Llc User authentication in a mobile environment
US20120202512A1 (en) * 2011-02-04 2012-08-09 Richard Neil Braithwaite Data throughput for cell-edge users in a lte network using alternative power control for up-link harq relays
WO2013176502A1 (fr) * 2012-05-24 2013-11-28 주식회사 케이티 Procédé permettant de fournir des informations relatives à un fournisseur de communications mobiles et dispositif permettant la mise en œuvre dudit procédé
KR20160046655A (ko) * 2014-10-21 2016-04-29 주식회사 케이티 가입자 식별 모듈을 이용한 사용자 인증을 위한 장치 및 방법
WO2016086356A1 (fr) * 2014-12-02 2016-06-09 华为技术有限公司 Procédé d'authentification dans un réseau de communication sans fil, appareil associé et système
US9800578B2 (en) * 2015-10-27 2017-10-24 Blackberry Limited Handling authentication failures in wireless communication systems
CN108809903B (zh) * 2017-05-02 2021-08-10 中国移动通信有限公司研究院 一种认证方法、装置及系统

Also Published As

Publication number Publication date
CN111465007A (zh) 2020-07-28
CN114245372B (zh) 2024-03-15
CN111465007B (zh) 2022-10-11
CN114245372A (zh) 2022-03-25

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20741536

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20741536

Country of ref document: EP

Kind code of ref document: A1