WO2020177768A1 - Network verification method, apparatus, and system - Google Patents


Info

Publication number
WO2020177768A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
random
authentication code
terminal
message authentication
Prior art date
Application number
PCT/CN2020/078309
Other languages
French (fr)
Chinese (zh)
Inventor
胡伟华
洪佳楠
Original Assignee
华为技术有限公司
Priority to CN201910170883.3A (published as CN111669276A)
Application filed by 华为技术有限公司
Publication of WO2020177768A1

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
                    • H04L 9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L 9/321 ... involving a third party or a trusted authority
                            • H04L 9/3213 ... using tickets or tokens, e.g. Kerberos
                        • H04L 9/3236 ... using cryptographic hash functions
                            • H04L 9/3242 ... involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
                        • H04L 9/3271 ... using challenge-response
                            • H04L 9/3273 ... for mutual authentication
                • H04L 29/00 Arrangements, apparatus, circuits or systems, not covered by a single one of groups H04L 1/00 - H04L 27/00
                    • H04L 29/02 Communication control; Communication processing
                        • H04L 29/06 ... characterised by a protocol
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/08 ... for supporting authentication of entities communicating through a packet data network
                        • H04L 63/0807 ... using tickets, e.g. Kerberos
                        • H04L 63/0869 ... for achieving mutual authentication
                • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L 9/00
                    • H04L 2209/80 Wireless
            • H04W WIRELESS COMMUNICATION NETWORKS
                • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
                    • H04W 12/06 Authentication

Abstract

A network verification method, apparatus, and system, used to solve the problem that a terminal device cannot verify a serving network while performing mutual authentication with its home network. In the present application, a unified data management network element in a first network generates a first message authentication code from the key K of the terminal device, a first random number, and the network identifier of a second network; the first random number and the first message authentication code are sent to the terminal device by means of the second network. After receiving the first random number and the first message authentication code, the terminal device generates a second message authentication code from its locally stored key K, the first random number, and the network identifier of the second network; once the first message authentication code and the second message authentication code are confirmed to be consistent, verification of the second network succeeds. The terminal device thus completes verification of the second network while verifying the first network by means of the first message authentication code.

Description

Network verification method, apparatus, and system
Cross-reference to related applications
This application claims priority to Chinese patent application No. 201910170883.3, entitled "Network verification method, apparatus, and system", filed with the Chinese Patent Office on 7 March 2019, the entire contents of which are incorporated herein by reference.
Technical field
This application relates to the field of communication technologies, and in particular to a network verification method, apparatus, and system.
Background
In a mobile communication system, once a terminal device has subscribed to a first network, the first network is the home network of the terminal device, and the home network holds the subscription information of the terminal device. If the terminal device moves outside the service area of the first network, for example into the service area of a second network, the second network becomes the serving network and needs to provide network services to the terminal device.
Before the second network provides network services to the terminal device, the second network needs to obtain the subscription information of the terminal device. To obtain it, the terminal device first performs mutual authentication with the first network, using the second network as an intermediary; after mutual authentication succeeds, the first network sends the subscription information of the terminal device to the second network.
In this verification procedure, however, the terminal device does not verify the second network, so it cannot tell whether the second network is a spoofed network. After mutual authentication the second network obtains the subscription information of the terminal device, which results in leakage of the terminal device's information.
Summary of the invention
This application provides a network verification method, apparatus, and system to solve the problem in the prior art that a terminal device cannot verify the serving network while performing mutual authentication with its home network.
In a first aspect, an embodiment of this application provides a network verification method that may be performed by a unified data management network element or by a chip of the unified data management network element. The method includes: a unified data management network element in a first network generates a first message authentication code from the key K of the terminal device, a first random number, and the network identifier of a second network; the unified data management network element then sends the random number and the first message authentication code to the terminal device via the second network.
With this method, because the unified data management network element uses the network identifier of the second network when generating the first message authentication code, the terminal device can complete verification of the second network at the same time as it authenticates the first network using the first message authentication code.
In one possible design, the first message authentication code is carried in an authentication token.
Carrying the first message authentication code in an authentication token protects the first message authentication code.
In one possible design, the unified data management network element may generate the first message authentication code directly from the key K of the terminal device, the first random number, and the network identifier of the second network (first manner); for example, a preset operation may compute the first message authentication code from the key K of the terminal device, the first random number, and the network identifier of the second network. The first message authentication code may also be generated in another way; for example, the unified data management network element may first generate a second random number from the first random number and the network identifier of the second network, and then generate the first message authentication code from the key K of the terminal device and the second random number (second manner).
The unified data management network element can thus generate the first message authentication code in different ways. The first manner is more direct and computationally simple, and so more efficient; the second manner lets the terminal device verify the serving network without changing the message authentication code generation algorithm of the existing standard.
In one possible design, before generating the first message authentication code from the key K of the terminal device, the first random number, and the network identifier of the second network, the unified data management network element may receive a terminal authentication acquisition request from a network element in the second network, the terminal authentication acquisition request including an encrypted user identifier; it then decrypts the encrypted user identifier to obtain the decrypted user identifier, and uses the decrypted user identifier to obtain the subscription data of the terminal device, which includes the key K of the terminal device.
With this method, the unified data management network element can look up the key K of the terminal device by the user identifier of the terminal device, so that the first message authentication code can subsequently be generated and, further, the terminal device's verification of the second network is guaranteed to be possible.
In a second aspect, an embodiment of this application provides a network verification method that may be performed by a terminal device or by a chip of the terminal device. The method includes: the terminal device receives, via a second network, a first random number and a first message authentication code from a unified data management network element in a first network; the terminal device then generates a second message authentication code from its locally stored key K, the first random number, and the network identifier of the second network; and after determining that the first message authentication code and the second message authentication code are consistent, the terminal device determines that verification of the second network has succeeded.
With this method, because the terminal device uses the network identifier of the second network when generating the second message authentication code, the terminal device can complete verification of the second network at the same time as it authenticates the first network using the first message authentication code and the second message authentication code.
In one possible design, the first message authentication code is carried in an authentication token.
Carrying the first message authentication code in an authentication token protects the first message authentication code.
In one possible design, the terminal device may generate the second message authentication code directly from the locally stored key K, the first random number, and the network identifier of the second network (first manner); for example, a preset operation may compute the message authentication code from the locally stored key K, the first random number, and the network identifier of the second network. The second message authentication code may also be generated in another way; for example, the terminal device may first generate a second random number from the first random number and the network identifier of the second network, and then generate the second message authentication code from the locally stored key K and the second random number (second manner).
The terminal device can thus generate the second message authentication code in different ways. The first manner is more direct and computationally simple, and so more efficient; the second manner requires no change to the message authentication code generation algorithm of the existing standard and still lets the terminal device verify the second network.
In one possible design, when the terminal device receives the random number and the first message authentication code from the first network via the second network, it may receive an authentication request carrying the random number and the first message authentication code from the security anchor function network element of the second network, and obtain the random number and the first message authentication code from that request.
With this method, the terminal device can conveniently obtain the random number and the first message authentication code, which ensures that verification of the second network can subsequently be completed.
In a third aspect, an embodiment of this application further provides a communication apparatus applied to a unified data management network element in a first network; for its beneficial effects, see the description of the first aspect, which is not repeated here. The apparatus has the functions for implementing the behaviour in the method examples of the first aspect. The functions may be implemented by hardware, or by hardware executing corresponding software, and the hardware or software includes one or more modules corresponding to the functions. In one possible design, the apparatus includes a receiving unit, a processing unit, and a sending unit, which can perform the corresponding functions in the method examples of the first aspect; for details, see the detailed description of the method examples, not repeated here.
In a fourth aspect, an embodiment of this application further provides a communication apparatus applied to a terminal device; for its beneficial effects, see the description of the second aspect, which is not repeated here. The apparatus has the functions for implementing the behaviour in the method examples of the second aspect. The functions may be implemented by hardware, or by hardware executing corresponding software, and the hardware or software includes one or more modules corresponding to the functions. In one possible design, the apparatus includes a receiving unit, a generating unit, and a verification unit, which can perform the corresponding functions in the method examples of the second aspect; for details, see the detailed description of the method examples, not repeated here.
In a fifth aspect, an embodiment of this application further provides a communication apparatus applied to a unified data management network element in a first network; for its beneficial effects, see the description of the first aspect, which is not repeated here. The communication apparatus includes a processor and a memory; the processor is configured to support the base station in performing the corresponding functions of the method of the first aspect. The memory is coupled to the processor and stores the program instructions and data necessary for the communication apparatus. The communication apparatus further includes a communication interface for communicating with other devices.
In a sixth aspect, an embodiment of this application further provides a communication apparatus applied to a terminal device; for its beneficial effects, see the description of the second aspect, which is not repeated here. The communication apparatus includes a processor and a memory; the processor is configured to support the base station in performing the corresponding functions of the method of the second aspect. The memory is coupled to the processor and stores the program instructions and data necessary for the communication apparatus. The communication apparatus further includes a transceiver for communicating with other devices.
In a seventh aspect, an embodiment of this application further provides a communication system; for its beneficial effects, see the descriptions of the first and second aspects, which are not repeated here. The system includes a unified data management network element in a first network and an authentication server function network element in the first network;
The authentication server function network element is configured to receive an authentication request from a security anchor function network element in a second network, the authentication request including an encrypted user identifier from a terminal device, and to send a terminal authentication acquisition request to the unified data management network element, the terminal authentication acquisition request including the encrypted user identifier;
The unified data management network element is configured to receive the terminal authentication acquisition request; decrypt the encrypted user identifier to obtain the decrypted user identifier; obtain, from the decrypted user identifier, the subscription data corresponding to the terminal device, which includes the key K of the terminal device; generate a first message authentication code from the key K of the terminal device, a first random number, and the network identifier of the second network; and send the first random number and the first message authentication code to the terminal device via the second network.
In one possible design, the first message authentication code is carried in an authentication token.
In one possible design, when generating the first message authentication code from the key K of the terminal device, the first random number, and the network identifier of the second network, the unified data management network element may generate it directly from the key K of the terminal device, the first random number, and the network identifier of the second network, or may generate it in another way; for example, it may first generate a second random number from the first random number and the network identifier of the second network, and then generate the first message authentication code from the key K of the terminal device and the second random number.
In one possible design, the system may further include a security anchor function network element of the second network. The security anchor function network element may receive a registration request from the terminal device, the registration request including the encrypted user identifier; may send the authentication request to the authentication server function network element; may receive the first random number and the first message authentication code from the unified data management network element via the authentication server function network element; and may send an authentication request including the first random number and the first message authentication code to the terminal device.
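The first and second aspects describe two ways of binding the serving network identifier into the message authentication code, and the seventh aspect describes the exchange that carries it (terminal device to security anchor function, on to the authentication server function and the unified data management element, and back). The following Python simulation of that procedure is an added example written for this page; it is not code from the patent or from Huawei. HMAC-SHA256 stands in for the patent's unspecified "preset operation", the identifier encryption is a toy XOR keystream placeholder rather than a real scheme, and every key, identifier and function name is constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed test values (not from the patent): one subscriber and its long-term key K,
# held both in the UE and in the UDM's subscription data.
SUBSCRIBER_ID = "subscriber-0001"
KEY_K = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
UDM_SUBSCRIPTIONS = {SUBSCRIBER_ID: {"K": KEY_K}}

# Constructed key for protecting the user identifier in transit.  The XOR keystream
# below is a toy placeholder for the identifier encryption, not a real scheme.
ID_PROTECTION_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_user_id(user_id):
    """UE side: produce the encrypted user identifier sent in the registration request."""
    nonce = secrets.token_bytes(8)
    data = user_id.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(ID_PROTECTION_KEY, nonce, len(data))))


def decrypt_user_id(blob):
    """UDM side: recover the user identifier used to look up subscription data."""
    nonce, data = blob[:8], blob[8:]
    return bytes(a ^ b for a, b in zip(data, _keystream(ID_PROTECTION_KEY, nonce, len(data)))).decode()


def mac_direct(k, rand1, sn_id):
    """First manner: MAC = f(K, RAND1, SN-ID) in one keyed operation."""
    return hmac.new(k, rand1 + sn_id, hashlib.sha256).digest()[:8]


def mac_via_second_random(k, rand1, sn_id):
    """Second manner: RAND2 = g(RAND1, SN-ID), then the unchanged MAC function f(K, RAND2)."""
    rand2 = hashlib.sha256(rand1 + sn_id).digest()[:16]
    return hmac.new(k, rand2, hashlib.sha256).digest()[:8]


MANNERS = {"direct": mac_direct, "second_random": mac_via_second_random}


def udm_handle_auth_get(encrypted_user_id, sn_id, manner, rand1=None):
    """UDM (first aspect): decrypt the identifier, fetch K from subscription data,
    choose RAND1 and compute the first MAC bound to the serving network identifier."""
    k = UDM_SUBSCRIPTIONS[decrypt_user_id(encrypted_user_id)]["K"]
    rand1 = rand1 if rand1 is not None else secrets.token_bytes(16)
    return {"rand1": rand1, "mac1": MANNERS[manner](k, rand1, sn_id)}


def ue_verify_networks(k, rand1, mac1, attached_sn_id, manner):
    """UE (second aspect): recompute MAC2 from local K, RAND1 and the identifier of the
    network it is actually attached to; MAC1 == MAC2 verifies home and serving network."""
    return hmac.compare_digest(MANNERS[manner](k, rand1, attached_sn_id), mac1)


def run_registration(attached_sn_id, sn_id_presented_to_home, manner="direct"):
    """Seventh-aspect flow.  attached_sn_id is the identifier the UE sees;
    sn_id_presented_to_home is the one the serving network's SEAF/AUSF puts in the
    request to the UDM.  They differ only when the serving network is not the one
    it presents itself as, which is exactly the case the UE's check must detect."""
    registration = {"enc_id": encrypt_user_id(SUBSCRIBER_ID)}                         # UE -> SEAF
    auth_req = {"enc_id": registration["enc_id"], "sn_id": sn_id_presented_to_home}  # SEAF -> AUSF
    auth_get = dict(auth_req)                                                        # AUSF -> UDM
    vector = udm_handle_auth_get(auth_get["enc_id"], auth_get["sn_id"], manner)      # UDM -> AUSF -> SEAF
    auth_req_to_ue = {"rand1": vector["rand1"], "mac1": vector["mac1"]}               # SEAF -> UE
    return ue_verify_networks(KEY_K, auth_req_to_ue["rand1"], auth_req_to_ue["mac1"], attached_sn_id, manner)


if __name__ == "__main__":
    for manner in MANNERS:
        print(manner, "genuine serving network:", run_registration(b"serving-net-42", b"serving-net-42", manner))
        print(manner, "identifier mismatch:", run_registration(b"serving-net-42", b"serving-net-99", manner))
```

Run stand-alone, the script exercises both manners twice: once with the identifier the UE is attached to equal to the identifier presented to the home network, and once with the two differing. Only the first verification succeeds under either manner, which is the check the patent adds on top of plain mutual authentication with the home network; the second manner shows that the binding can be achieved while the keyed function itself takes only (K, RAND2) as before.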
In an eighth aspect, this application further provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to perform the methods described in the above aspects.
In a ninth aspect, this application further provides a computer program product containing instructions which, when run on a computer, cause the computer to perform the methods described in the above aspects.
In a tenth aspect, this application further provides a computer chip connected to a memory; the chip is configured to read and execute a software program stored in the memory so as to perform the methods described in the above aspects.
Brief description of the drawings
FIG. 1A is a schematic diagram of a network system architecture provided by this application;
FIG. 1B is a schematic structural diagram of a terminal device provided by this application;
FIG. 2 is a schematic diagram of a prior-art method for mutual authentication between a UE and its home network;
FIG. 3 is a schematic diagram of a network verification method provided by this application;
FIG. 4 is a schematic diagram of a network verification method provided by this application;
FIG. 5 is a schematic diagram of a network verification method provided by this application;
FIG. 6 is a schematic diagram of a network verification method provided by this application;
FIG. 7 to FIG. 10 are schematic structural diagrams of a communication apparatus provided by this application.
具体实施方式detailed description
To make the objectives, technical solutions and advantages of the embodiments of this application clearer, the embodiments are described in further detail below with reference to the accompanying drawings. The specific operations in the method embodiments may also be applied in the apparatus embodiments or the system embodiments. In the description of this application, unless otherwise stated, "multiple" means two or more. In addition, it should be understood that in the description of the embodiments, terms such as "first" and "second" are used only to distinguish between the items described; they are not to be understood as indicating or implying relative importance, nor as indicating or implying order.
Refer to Figure 1A, a schematic diagram of a possible network architecture to which this application applies. The architecture is a 5G network architecture. The network elements in the 5G architecture include user equipment; in Figure 1A the terminal device is a UE by way of example. The architecture further includes a radio access network (RAN), an access and mobility function (AMF), unified data management (UDM), an authentication server function (AUSF), a security anchor function (SEAF), and so on.
The main function of the RAN is to control the wireless access of users to the mobile communication network. The RAN is part of the mobile communication system and implements a radio access technology. Conceptually, it sits between a device (such as a mobile phone, a computer, or any remotely controlled machine) and the core network, and provides the device's connection to that core network.
The AMF network element is responsible for access management and mobility management of terminals, such as registration management, connection management, mobility management and reachability management. In practice, it takes over the mobility management functions of the mobility management entity (MME) of the LTE network framework and adds access management functions.
The SEAF network element is used to complete the authentication of the UE; in 5G, the SEAF function may be merged into the AMF.
The AUSF network element provides the authentication service function and terminates the authentication function requested by the SEAF network element. During authentication it receives the authentication vector sent by the UDM, processes the authentication vector, and sends the processed authentication vector to the SEAF.
The UDM network element may store the user's subscription information, generate authentication parameters, and so on.
The ARPF network element has authentication credential storage and processing functions and is used to store the user's long-term authentication credentials, such as the permanent key K. In 5G, the functions of the ARPF network element may be merged into the UDM network element.
The terminal device in this application, also referred to as user equipment (UE), is a device with wireless transceiver functions. It may be deployed on land (indoors or outdoors, handheld or vehicle-mounted), on water (for example on ships), or in the air (for example on aircraft, balloons and satellites). The terminal device may be a mobile phone, a tablet computer (pad), a computer with wireless transceiver functions, a virtual reality (VR) terminal, an augmented reality (AR) terminal, or a wireless terminal in industrial control, self-driving, remote medical, smart grid, transportation safety, smart city, smart home, and so on.
Figure 1B is a schematic structural diagram of a UE provided by an embodiment of this application. The UE includes two kinds of modules: a universal subscriber identity module (USIM) and a mobile equipment (ME) module.
The USIM may be the SIM card in the UE. It may store some of the more important subscription information of the UE, such as the key K agreed between the UE and the home network when the subscription was established in the embodiments of this application. The USIM may also perform some parameter calculations; in the embodiments of this application it may generate the first message authentication code.
The ME module refers collectively to the hardware and software of the UE other than the USIM. The ME module usually does not store UE subscription information with high security requirements. The ME module may provide auxiliary functions, including forwarding information between the USIM and the network side, generating RES* from parameters output by the USIM, and generating K_AUSF. In the embodiments of this application, the ME may also generate the second random number.
In the architecture of Figure 1A, the network elements relevant to this application are mainly the UE, the AUSF network element, the UDM network element and the SEAF network element.
In the embodiments of this application, the SEAF network element and the AUSF network element are located in different networks. For example, the SEAF network element is located in the serving network (in a roaming scenario, in the visited public land mobile network, VPLMN) and the AUSF network element is located in the home network. If the UE is outside the coverage of the home network, it cannot access the home network directly to obtain services.
If the UE is outside the coverage of the home network but within the coverage of the serving network, it must access the serving network in order to obtain the network services that the serving network provides. Because the serving network has no subscription with the UE, the serving network must verify the UE before the UE can obtain its services, and the home network and the UE must perform mutual authentication.
Figure 2 is a schematic diagram of the existing mutual authentication method in the system framework shown in Figure 1A.
Step 201: The UE carries the encrypted user identifier in a registration request and sends it to the SEAF network element.
For example, the UE may encrypt the subscription permanent identifier (SUPI) to generate a subscription concealed identifier (SUCI), and carry the SUCI in the registration request sent to the SEAF network element.
In one possible implementation, the UE encrypts the user identifier with a configured public key to obtain the encrypted user identifier. Optionally, when the network has multiple public/private key pairs, the UE may indicate, when encrypting the user identifier, which public key it used, so that the network can select the corresponding private key for decryption according to the UE's indication. For example, the UE also carries the key identifier of the key used to decrypt the encrypted user identifier, together with the encrypted user identifier, in the registration request sent to the SEAF network element.
Step 202: To obtain the authentication vector and the user identifier of the UE from the home network, the SEAF network element carries the encrypted user identifier in an authenticate request and sends it to the AUSF network element in the home network.
Optionally, the authenticate request also carries the key identifier.
Step 203: The AUSF network element carries the encrypted user identifier in a UE authentication acquisition request and sends it to the UDM network element.
Optionally, the UE authentication acquisition request also carries the key identifier.
Step 204: The UDM network element decrypts the encrypted user identifier to obtain the user identifier, and uses the user identifier to look up the subscription information of the corresponding UE.
Optionally, when the UE authentication acquisition request carries a key identifier, the UDM network element obtains the decryption key according to the key identifier and uses it to decrypt the encrypted user identifier, obtaining the decrypted user identifier.
Step 205: The UDM network element generates an authentication vector according to the subscription information of the UE. The authentication vector includes multiple parameters, among them a message authentication code (MAC), RAND, an expected response (XRES*), and K_AUSF.
For example, the MAC may be carried in an authentication token (AUTN); that is, the authentication vector may include RAND, an AUTN carrying the MAC, XRES* and K_AUSF. For the way an AUTN carries the MAC, see the existing way of generating an AUTN.
The RAND in the authentication vector is generated randomly by the UDM network element. The other parameters of the authentication vector are generated by the UDM network element from the UE's key K in the UE's subscription information together with RAND: MAC, XRES* and K_AUSF are produced through different operations.
That is, the UDM network element generates MAC, XRES* and K_AUSF all from the UE's key K and RAND, but with different operations.
For example, the UDM network element determines the message authentication code MAC according to the UE's key K, the RAND and a message authentication code generation algorithm.
The MAC is used by the UE to authenticate the home network; XRES* is used by the home network to authenticate the UE; K_AUSF is a derived key synchronized between the UE and the AUSF network element and is used to derive the anchor key K_SEAF.
Step 206: The UDM network element sends an authentication acquisition response to the AUSF network element; the response includes the authentication vector and the user identifier.
Step 207: The AUSF network element further processes the authentication vector, for example by hashing XRES* to produce HXRES* and deriving K_SEAF from K_AUSF. The processed authentication vector includes RAND, MAC and HXRES*, where the MAC may be carried in the AUTN; that is, the processed authentication vector includes RAND and an AUTN carrying the MAC.
Step 208: The AUSF network element sends an authenticate response to the SEAF network element; the response carries the processed authentication vector.
Step 209: The SEAF network element sends an authentication request to the UE. The authentication request carries some of the parameters of the processed authentication vector, namely RAND and MAC, where the MAC may be carried in the AUTN.
Step 210: The UE generates XMAC from the key K stored in its USIM and the RAND received from the SEAF network element; the operation the UE uses to generate XMAC is the same as the operation the UDM network element uses to generate MAC.
The UE authenticates the home network by comparing XMAC with the MAC carried in the AUTN. If XMAC and the MAC in the AUTN match, authentication succeeds; otherwise it fails.
After successful authentication, the UE generates RES* from RAND and K; the operation the UE uses to generate RES* is the same as the operation the UDM network element uses to generate XRES*.
Step 211: The UE includes RES* in an authentication response and sends it to the SEAF network element.
Step 212: The SEAF network element hashes the RES* included in the authentication response to produce HRES* and compares HRES* with the HXRES* in the authentication vector sent by the AUSF network element. This comparison completes the serving network's authentication of the UE: if HRES* matches HXRES*, the serving network has authenticated the UE successfully; otherwise authentication fails.
Step 213: After the serving network has authenticated the UE successfully, the SEAF network element forwards the RES* returned by the UE to the AUSF network element, which performs the next authentication step.
Step 214: After receiving RES*, the AUSF network element compares RES* with the XRES* in the authentication vector; if they match, the home network's authentication of the UE is complete.
Step 215: After successful authentication, the AUSF network element sends the user identifier and K_SEAF to the SEAF network element.
It can be seen from the above that after the UE accesses the serving network, mutual authentication exists only between the UE and the home network, that is, the UE's authentication of the home network and the home network's authentication of the UE. The UE does not verify the serving network and cannot tell whether the serving network is a spoofing network.
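The prior-art exchange of steps 205 to 215, as an added simulation that is not part of the patent and not 3GPP code: MAC/XMAC, XRES*/RES*, HXRES*/HRES*, K_AUSF and K_SEAF are all derived from K and RAND exactly as the steps above describe, but with HMAC-SHA256 standing in for the unspecified 3GPP functions (an assumption), and with a constructed placeholder key K. The point the page makes is visible in the code: no function takes any input that identifies the serving network relaying RAND and AUTN, so the UE's check in step 210 passes regardless of which network it is attached to.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed long-term key K shared by the USIM and the home network (ARPF/UDM).
# Placeholder value for the example, not a real subscriber key.
K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def f1_mac(k: bytes, rand: bytes) -> bytes:
    """MAC at the UDM (step 205) / XMAC at the UE (step 210), from K and RAND only.
    Assumption: HMAC-SHA256 truncated to 8 bytes stands in for the 3GPP f1 function."""
    return hmac.new(k, b"f1" + rand, hashlib.sha256).digest()[:8]


def f2_res_star(k: bytes, rand: bytes) -> bytes:
    """XRES* at the UDM / RES* at the UE: same K and RAND, different operation than f1_mac."""
    return hmac.new(k, b"f2" + rand, hashlib.sha256).digest()[:16]


def kdf(k: bytes, label: bytes) -> bytes:
    """Key derivation stand-in (assumption: HMAC-SHA256) used for K_AUSF and K_SEAF."""
    return hmac.new(k, label, hashlib.sha256).digest()


def udm_generate_av(k: bytes, rand: Optional[bytes] = None) -> dict:
    """Step 205: the UDM picks RAND and derives MAC, XRES* and K_AUSF from K and RAND."""
    rand = rand if rand is not None else secrets.token_bytes(16)
    return {
        "RAND": rand,
        "AUTN": f1_mac(k, rand),          # the AUTN carries the MAC
        "XRES*": f2_res_star(k, rand),
        "K_AUSF": kdf(k, b"K_AUSF" + rand),
    }


def ausf_process_av(av: dict) -> dict:
    """Step 207: the AUSF hashes XRES* into HXRES* and derives K_SEAF; XRES* itself stays at the AUSF."""
    return {
        "RAND": av["RAND"],
        "AUTN": av["AUTN"],
        "HXRES*": hashlib.sha256(av["RAND"] + av["XRES*"]).digest()[:16],
        "K_SEAF": kdf(av["K_AUSF"], b"K_SEAF"),
    }


def ue_authenticate_home(k: bytes, rand: bytes, autn_mac: bytes) -> Optional[bytes]:
    """Step 210: the UE recomputes XMAC and compares it with the MAC in AUTN.
    Returns RES* for step 211 on success, or None when the home network is rejected."""
    xmac = f1_mac(k, rand)
    if not hmac.compare_digest(xmac, autn_mac):
        return None
    return f2_res_star(k, rand)


def seaf_verify_ue(res_star: bytes, rand: bytes, hxres_star: bytes) -> bool:
    """Step 212: the serving network hashes RES* into HRES* and compares it with HXRES*."""
    hres_star = hashlib.sha256(rand + res_star).digest()[:16]
    return hmac.compare_digest(hres_star, hxres_star)


def ausf_verify_ue(res_star: bytes, xres_star: bytes) -> bool:
    """Step 214: the home network compares the forwarded RES* with its stored XRES*."""
    return hmac.compare_digest(res_star, xres_star)


def run_mutual_authentication(k_home: bytes, k_usim: bytes) -> str:
    """Drive steps 205 to 215 between a home network holding k_home and a USIM holding k_usim.
    Nothing passed between the parties identifies the serving network that relays RAND and AUTN."""
    av = udm_generate_av(k_home)
    processed = ausf_process_av(av)
    res_star = ue_authenticate_home(k_usim, processed["RAND"], processed["AUTN"])
    if res_star is None:
        return "UE rejected home network"
    if not seaf_verify_ue(res_star, processed["RAND"], processed["HXRES*"]):
        return "serving network rejected UE"
    if not ausf_verify_ue(res_star, av["XRES*"]):
        return "home network rejected UE"
    return "mutual authentication succeeded"


if __name__ == "__main__":
    print(run_mutual_authentication(K, K))          # genuine home network and genuine USIM
    print(run_mutual_authentication(K, bytes(16)))  # USIM holding a different K
```

Running the module with matching keys reports success; with a mismatched key the UE rejects the home network at step 210. The serving network appears in the flow only as a relay and as the party performing step 212, which is why a UE following these steps cannot distinguish the serving network it expects from another network relaying the same RAND and AUTN.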
To verify the serving network at the same time as the mutual authentication between the UE and the home network, this application proposes a network verification method. In the embodiments of this application, when the unified data management network element in the home network generates the authentication vector, the network identifier of the serving network, as determined by that unified data management network element, is used in generating the message authentication code in the authentication vector (the first message authentication code in the embodiments). When the UE authenticates the home network, it likewise generates a message authentication code (the second message authentication code in the embodiments) using the network identifier that the serving network sent to the UE, and compares it with the message authentication code from the unified data management network element in the home network to complete the UE's verification of the home network. That is, the UE's authentication of the home network now involves verification of the serving network's network identifier, so the method of the embodiments verifies the home network and at the same time verifies whether the serving network is a spoofing network.
Specifically, the network verification method provided in the embodiments of this application can take two forms:
Manner 1: The unified data management network element in the home network uses the network identifier of the serving network, as determined by that network element, directly when generating the first message authentication code; correspondingly, the UE uses the network identifier of the serving network, as received by the UE from the serving network, directly when generating the second message authentication code.
Manner 2: When generating the first message authentication code, the unified data management network element in the home network first generates a second random number from a first random number and the network identifier of the serving network as determined by that network element, and then generates the first message authentication code from the second random number; correspondingly, when generating the second message authentication code, the UE first generates a second random number from the first random number and the network identifier received by the UE from the serving network, and then generates the second message authentication code from that second random number.
Compared with the prior art, in both implementations the UDM network element and the UE introduce a new input parameter, the network identifier of the serving network, when generating the message authentication code MAC, so that when the UE verifies the home network it also verifies the serving network.
The two manners are introduced separately below:
Manner 1: the message authentication code is generated directly from the network identifier of the serving network.
如图3所示,以第一网络为UE的家乡网络,第二网络是UE当前所连接的服务网络,统一数据管理网元为UDM网元、认证服务功能网元为AUSF网元、安全锚功能网元为SEAF网元为例,对本申请实施例提供的一种网络验证方法中的方式一进行介绍,该方法包括:As shown in Figure 3, the first network is the UE’s home network, the second network is the service network currently connected to the UE, the unified data management network element is the UDM network element, the authentication service function network element is the AUSF network element, and the security anchor The functional network element is a SEAF network element as an example, and the first method in the network verification method provided in the embodiment of the present application is introduced, and the method includes:
步骤301:所述第一网络中的UDM网元根据所述UE的密钥K、第一随机数、以及第二网络的网络标识生成第一消息认证码。Step 301: The UDM network element in the first network generates a first message authentication code according to the key K of the UE, the first random number, and the network identity of the second network.
示例性的,所述UDM网元可以基于第一运算,根据所述UE的密钥K、第一随机数、以及第二网络的网络标识生成第一消息认证码。Exemplarily, the UDM network element may generate the first message authentication code based on the first operation, the key K of the UE, the first random number, and the network identity of the second network.
作为一种可能的实施方式,在步骤301之前,所述UDM网元可以接收来自所述第一网络中的AUSF网元的UE认证获取请求之后,可以生成所述第一随机数。As a possible implementation manner, before step 301, the UDM network element may generate the first random number after receiving the UE authentication acquisition request from the AUSF network element in the first network.
所述AUSF网元在接收到所述第二网络中的SEAF发送的携带所述UE用户标识的认证鉴定请求后,所述AUSF网元向所述UDM网元发送携带有所述加密后的用户标识的UE认证获取请求,以请求所述UDM网元生成的认证向量;所述UDM网元在接收到所述UE认证获取请求确定后续需要对UE进行认证,采用随机生成的方式生成所述随机数。After the AUSF network element receives the authentication request sent by the SEAF in the second network and carries the UE user identity, the AUSF network element sends the encrypted user to the UDM network element The identified UE authentication acquisition request is to request the authentication vector generated by the UDM network element; the UDM network element determines that the UE needs to be authenticated after receiving the UE authentication acquisition request, and generates the random number.
需要说明的是,所述UE认证获取请求中可以携带加密后的用户标识,也可以携带不加密后的用户标识(本申请中用所述UE的用户标识表示不加密的用户标识或解密后的用户标识),如在所述UE首次接入所述第二网络的情况下,可以携带加密后的用户标识,在所述UE非首次接入所述第二网络的情况下,可以携带不加密的用户标识,在本申请实施例中以所述UE认证获取请求中携带有加密后的用户标识为例进行说明。对于所述UE认证获取请求中携带所述UE的用户标识的情况,所述UDM网元可以省略解密过程,执行之后的操作。It should be noted that the UE authentication acquisition request may carry an encrypted user ID or an unencrypted user ID (in this application, the UE user ID is used to indicate an unencrypted user ID or a decrypted user ID User ID). For example, when the UE accesses the second network for the first time, the encrypted user ID can be carried, and when the UE is not accessing the second network for the first time, it can carry the unencrypted user ID. In the embodiment of this application, the encrypted user identification carried in the UE authentication acquisition request is taken as an example for description. For the case that the UE authentication acquisition request carries the user identity of the UE, the UDM network element may omit the decryption process and perform subsequent operations.
一种可能的实现方式中,所述UE认证获取请求中包括加密后的用户标识。所述UDM获取默认的私钥对所述加密后的用户标识进行解密,获得解密后的用户标识。In a possible implementation manner, the UE authentication acquisition request includes an encrypted user identity. The UDM obtains the default private key to decrypt the encrypted user ID, and obtains the decrypted user ID.
另一种可能的实现方式中,所述UE认证获取请求中包括加密后的用户标识和用于解密所述加密后的用户标识的密钥对应的密钥标识符。所述UDM网元根据所述密钥标识符获取解密密钥,并使用所述解密密钥对所述加密后的用户标识进行解密,获得解密后的用户标识。In another possible implementation manner, the UE authentication acquisition request includes an encrypted user identity and a key identifier corresponding to a key used to decrypt the encrypted user identity. The UDM network element obtains a decryption key according to the key identifier, and uses the decryption key to decrypt the encrypted user identity to obtain the decrypted user identity.
所述UDM网元在获取所述UE的用户标识后,可以根据所述UE的用户标识获取所述UE的签约信息,并从所述UE的签约信息中确定与所述UE在签约时约定的密钥K,执行步骤301。After obtaining the user identity of the UE, the UDM network element may obtain the subscription information of the UE according to the user identity of the UE, and determine from the subscription information of the UE the agreement with the UE when signing the contract. Key K, go to step 301.
在步骤301中,区别于现有技术,所述UDM网元在生成消息认证码时,会结合所述 第二网络的网络标识。In step 301, different from the prior art, the UDM network element combines the network identification of the second network when generating the message authentication code.
所述UDM网元获取所述第二网络的网络标识的方式本申请实施例并不限定,所述第二网络的网络标识可以是所述第二网络中的核心网网元,如所述SEAF网元发送给所述UDM网元的,也可以是所述AUSF网元在获取了所述第二网络的网络标识之后,发送给所述UDM网元的。The manner in which the UDM network element obtains the network identification of the second network is not limited in this embodiment. The network identification of the second network may be a core network element in the second network, such as the SEAF The network element sent to the UDM network element may also be sent to the UDM network element by the AUSF network element after obtaining the network identifier of the second network.
所述AUSF网元可以将所述第二网络的网络标识携带在需要发送给所述UDM网元的信息中,将所述第二网络的网络标识发送给所述UDM网元,所述需要发送给所述UDM网元的信息可以是所述UE认证获取请求,也可以其他信息,本申请实施例并不限定。The AUSF network element may carry the network identification of the second network in the information that needs to be sent to the UDM network element, send the network identification of the second network to the UDM network element, and the need to send The information given to the UDM network element may be the UE authentication acquisition request, or other information, which is not limited in this embodiment of the application.
需要说明的是,所述AUSF网元获取所述第二网络的网络标识的方式本申请实施例并不限定,所述第二网络的网络标识可以是所述第二网络中的核心网网元,如所述SEAF网元发送给所述AUSF网元,也可以是所述AUSF网元通过与所述第二网络中的核心网网元,如所述SEAF网元通信的信息通道确定所述第二网络,进而确定所述第二网络的网络标识。It should be noted that the manner in which the AUSF network element obtains the network identification of the second network is not limited in this embodiment. The network identification of the second network may be a core network element in the second network. If the SEAF network element is sent to the AUSF network element, the AUSF network element may also determine that the AUSF network element communicates with the core network element in the second network as the information channel of the SEAF network element communication. The second network, and then determine the network identity of the second network.
所述第二网络的网络标识用于标识所述第二网络,具体的,所述第二网络的网络标识可以是统一分配的序列号,也可以是可路由网络地址,还可以是如域名形式标识的网络名,本申请实施例并不限定所述第二网络的网络标识的形式,凡是可以标识所述第二网络的标识均适用于本申请实施例。The network identifier of the second network is used to identify the second network. Specifically, the network identifier of the second network can be a uniformly assigned serial number, or it can be a routable network address, or it can be in the form of a domain name, for example. For the identified network name, the embodiment of this application does not limit the form of the network identification of the second network, and any identifier that can identify the second network is applicable to the embodiment of this application.
在步骤301中,所述UDM网元生成所述第一消息认证码时,所采用的第一运算可以是将所述UE的密钥K、所述第一随机数、以及所述第二网络的网络标识作为输入参数获取消息验证码的运算方式,该第一运算相比于现有的消息认证码生成算法(如步骤205所述的消息认证码算法),至少多了一个输入参数“第二网络的网络标识”,本申请实施例中并不限定所述第一运算的具体类型,且在基于所述第一运算生成所述第一消息认证码时,还可以结合其他参数,例如可以结合匿名化序列号(sequence number,SQN),认证管理域(authentication management field,AMF)等,本申请实施例并不限定。In step 301, when the UDM network element generates the first message authentication code, the first operation used may be to combine the UE's key K, the first random number, and the second network The network identifier is used as the input parameter to obtain the operation method of the message verification code. Compared with the existing message authentication code generation algorithm (such as the message authentication code algorithm described in step 205), this first operation has at least one more input parameter "No. 2. The network identifier of the network", the embodiment of the application does not limit the specific type of the first operation, and when the first message authentication code is generated based on the first operation, other parameters may be combined, for example, In combination with an anonymized sequence number (sequence number, SQN), authentication management field (authentication management field, AMF), etc., this embodiment of the application is not limited.
在生成了所述第一消息认证码后,可以将所述第一消息认证码携带在认证令牌中,也就是说,所述UDM网元在构造所述认证令牌时,将所述第一消息认证码作为所述认证令牌中的一部分。After the first message authentication code is generated, the first message authentication code may be carried in the authentication token, that is, when the UDM network element constructs the authentication token, the first message authentication code A message authentication code is used as a part of the authentication token.
步骤302:所述UDM网元通过第二网络向所述UE发送所述第一随机数、第一消息认证码。Step 302: The UDM network element sends the first random number and the first message authentication code to the UE through the second network.
所述UDM网元在生成了所述第一消息认证码之后,可以将所述第一随机数和所述第一消息认证码发送给所述UE,示例性的,所述UDM网元可以生成认证向量,所述认证向量中包括所述第一随机数和所述认证令牌,所述认证令牌中携带所述第一消息认证码,所述UDM网元将所述认证向量中的第一随机数和认证令牌通过所述第二网络中的SEAF网元发送给所述UE。After the UDM network element generates the first message authentication code, it may send the first random number and the first message authentication code to the UE. For example, the UDM network element may generate An authentication vector, the authentication vector includes the first random number and the authentication token, the authentication token carries the first message authentication code, and the UDM network element sets the first message in the authentication vector A random number and an authentication token are sent to the UE through the SEAF network element in the second network.
作为一种可能的实施方式,所述UDM网元可以通过所述第二网络的SEAF网元将所述认证向量中的第一随机数和认证令牌发送给所述UE;具体的,所述UDM网元可以先将所述认证向量发送给所述第一网络中的AUSF网元中,之后,再由所述第一网络中的AUSF网元将所述第一随机数和所述第一消息认证码发送给所述第二网络的SEAF网元。As a possible implementation manner, the UDM network element may send the first random number and the authentication token in the authentication vector to the UE through the SEAF network element of the second network; specifically, the The UDM network element may first send the authentication vector to the AUSF network element in the first network, and then the AUSF network element in the first network will combine the first random number with the first The message authentication code is sent to the SEAF network element of the second network.
当所述SEAF网元接收到所述认证向量后,可以获取所述认证向量中的第一随机数和认证令牌,将所述第一随机数和所述认证令牌发送给所述UE。After the SEAF network element receives the authentication vector, it can obtain the first random number and the authentication token in the authentication vector, and send the first random number and the authentication token to the UE.
应需理解的是,所述认证向量还可以包括其他参数,如XRES*、K AUSF,所述第一网 络中的AUSF网元在接收到所述认证向量后,可以对所述认证向量进一步处理,具体可以参见步骤207中的相关描述,此处不再赘述。 It should be understood that the authentication vector may also include other parameters, such as XRES*, K AUSF , and the AUSF network element in the first network may further process the authentication vector after receiving the authentication vector For details, please refer to the relevant description in step 207, which will not be repeated here.
Step 303: After the UE receives the first random number and the first message authentication code through the second network, it generates a second message authentication code according to the locally stored key K, the first random number, and the network identifier of the second network.
For example, the UE may generate the second message authentication code in the same manner as the UDM network element side: based on the first operation, the UE generates the second message authentication code from the locally stored key K, the first random number, and the network identifier of the second network.
Before generating the second message authentication code, the UE needs to determine the network identifier of the second network. The manner in which the UE determines the network identifier of the second network is not limited in the embodiments of this application. For example, a base station may send the network identifier of the second network to the UE in a broadcast message; as another example, the network identifier of the second network may be sent to the UE by the SEAF network element in the second network.
When the UE subscribes to the first network, a key K is agreed upon. The key K is stored in the subscription information of the UE and is also stored locally on the UE.
The UE generates the second message authentication code in the same manner as the UDM network element generates the first message authentication code: based on the same first operation, the UE generates the second message authentication code from the locally stored key K, the first random number, and the network identifier of the second network.
Step 304: After determining that the first message authentication code and the second message authentication code are consistent, the UE determines that the verification of the second network succeeds.
After generating the second message authentication code, the UE may compare it with the received first message authentication code.
If the first message authentication code and the second message authentication code are consistent, this indicates that the network identifier of the second network used by the UDM network element when generating the first message authentication code is the same as the network identifier of the second network used by the UE when generating the second message authentication code; the network identifier of the second network received by the UE is the real network identifier, the second network is not a spoofing network, and the verification of the second network succeeds.
If the first message authentication code and the second message authentication code are inconsistent, the verification of the first network, or rather of the second network, fails.
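Method 1 (steps 301 to 304 above) as an added worked example; this is not code from the patent. It assumes that the first operation f1 is HMAC-SHA-256 truncated to 8 bytes, that the network identifier is UTF-8 text, and that K is a constructed 16-byte subscription key; the two network names are constructed sample values.

```python
# Added example for Method 1 (steps 301-304 above); not code from the patent.
# Assumptions: f1 is HMAC-SHA-256 truncated to MAC_LEN bytes, the network
# identifier (SNN) is UTF-8 text, and K is a constructed 16-byte key.
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

MAC_LEN = 8  # bytes of HMAC output kept as the MAC (assumption)


def f1(k: bytes, rand: bytes, snn: str) -> bytes:
    """First operation: MAC over the random number and the network identifier
    under the subscription key K. RAND is length-prefixed so that shifting the
    RAND/SNN boundary cannot yield the same MAC input."""
    msg = len(rand).to_bytes(2, "big") + rand + snn.encode("utf-8")
    return hmac.new(k, msg, hashlib.sha256).digest()[:MAC_LEN]


def udm_generate(k: bytes, snn_home: str,
                 rand: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """UDM side (steps 301-302): choose the first random number and bind the
    network identifier that the home network itself determined into the
    first message authentication code."""
    if rand is None:
        rand = secrets.token_bytes(16)
    return rand, f1(k, rand, snn_home)


def ue_verify(k: bytes, rand: bytes, first_mac: bytes, snn_ue: str) -> bool:
    """UE side (steps 303-304): recompute the MAC with the network identifier
    the serving network advertised to the UE and compare in constant time."""
    second_mac = f1(k, rand, snn_ue)
    return hmac.compare_digest(first_mac, second_mac)


def run_scenario(snn_home: str, snn_ue: str) -> bool:
    """Return True when the UE accepts the serving network."""
    k = bytes(range(16))                                        # constructed K
    rand = bytes.fromhex("00112233445566778899aabbccddeeff")    # constructed RAND
    rand, first_mac = udm_generate(k, snn_home, rand)
    return ue_verify(k, rand, first_mac, snn_ue)


if __name__ == "__main__":
    genuine = "5G:mnc001.mcc001.3gppnetwork.org"   # constructed identifiers
    rogue = "5G:mnc999.mcc001.3gppnetwork.org"
    print("same SNN accepted:", run_scenario(genuine, genuine))   # True
    print("false SNN accepted:", run_scenario(genuine, rogue))    # False
```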
Method 2: the message authentication code is generated based on a random number determined from the network identifier of the serving network.
As shown in FIG. 4, Method 2 of the network verification method provided by the embodiments of this application is described using the example in which the first network is the home network of the UE, the second network is the serving network to which the UE is currently connected, the unified data management network element is a UDM network element, the authentication server function network element is an AUSF network element, and the security anchor function network element is a SEAF network element. The method includes:
Step 401: The UDM network element generates a second random number according to the first random number and the network identifier of the second network.
For example, the UDM network element may, based on a second operation, generate the first message authentication code from the first random number and the network identifier of the second network.
In the embodiment shown in FIG. 4, the second operation is an operation that takes the first random number and the network identifier of the second network as input parameters to obtain a new random number. The embodiments of this application do not limit the specific type of the first operation. The manner in which the UDM network element determines the network identifier of the second network is the same as in the embodiment shown in FIG. 3; for details, refer to the related description of the embodiment shown in FIG. 3, which is not repeated here.
As a possible implementation, before step 401, the UDM network element may generate the first random number after receiving a UE authentication acquisition request from the AUSF network element in the first network. For the description of the UE authentication acquisition request, and of how the UDM network element decrypts the encrypted subscriber identifier and obtains the key K of the UE, refer to the related description of step 301, which is not repeated here.
Step 402: The UDM network element generates a first message authentication code according to the key K of the UE and the second random number.
For example, the UDM network element may generate the first message authentication code based on a third operation from the key K of the UE and the second random number.
After generating the second random number, the UDM network element generates the first message authentication code based on the second operation. In step 402, when the UDM network element generates the first message authentication code, the second operation used may be an operation that takes the key K of the UE, the second random number, and the network identifier of the second network determined by the UDM network element as input parameters to obtain a message authentication code; this third operation may be the same as an existing message authentication code generation algorithm. The embodiments of this application do not limit the specific type of the third operation, and when the first message authentication code is generated based on the third operation, other parameters such as SQN and AMF may also be combined; this is not limited in the embodiments of this application. After the first message authentication code is generated, it may be carried in the authentication token; that is, when constructing the authentication token, the UDM network element includes the first message authentication code as part of the authentication token.
Step 403: The UDM network element sends the first random number and the first message authentication code to the UE through the second network.
The manner in which the UDM network element sends the first random number and the first message authentication code to the UE through the second network is the same as in the embodiment shown in FIG. 3, and is not repeated here.
Step 404: After receiving the first random number and the first message authentication code through the second network, the UE generates a second random number according to the first random number and the network identifier of the second network. For example, the UE may generate the second random number based on the first operation.
Step 405: The UE generates a second message authentication code according to the locally stored key K and the second random number. For example, the UE may generate the second message authentication code based on the third operation.
Before generating the second message authentication code, the UE needs to determine the network identifier of the second network. For how the UE determines the network identifier of the second network, refer to the related description of the embodiment shown in FIG. 3, which is not repeated here.
After receiving the first random number, the UE may generate the second message authentication code in the same manner as the UDM network element in the first network generates the first message authentication code: the UE first generates the second random number, based on the same first operation, from the first random number and the network identifier of the second network that the UE received from the second network; then, based on the same second operation, the UE generates the second message authentication code from the locally stored key K and the second random number.
For the description of the key K, refer to the related description of the embodiment shown in FIG. 3, which is not repeated here.
Step 406: After determining that the first message authentication code and the second message authentication code are consistent, the UE determines that the verification of the second network succeeds.
After generating the second message authentication code, the UE may compare it with the received first message authentication code.
If the first message authentication code and the second message authentication code are consistent, this indicates that the second random number used by the UDM network element when generating the first message authentication code is the same as the second random number used by the UE when generating the second message authentication code. It further indicates that the network identifier of the second network used by the UDM network element when generating the second random number is the same as the network identifier of the second network used by the UE when generating the second random number; the network identifier of the second network received by the UE is the real network identifier, the second network is not a spoofing network, and the verification of the second network succeeds.
If the first message authentication code and the second message authentication code are inconsistent, this indicates that the second random number used by the UDM network element when generating the first message authentication code differs from the second random number used by the UE when generating the second message authentication code. It further indicates that the network identifier of the second network used by the UDM network element when generating the second random number differs from the network identifier of the second network used by the UE when generating the second random number; the network identifier of the second network received by the UE is not the real network identifier, the second network is a spoofing network, and the verification of the second network fails.
Compared with the embodiment shown in FIG. 3, this embodiment of the application can realize verification of the serving network by the UE without changing the message authentication code generation algorithm of the existing standard. From the embodiment shown in FIG. 2 it can be seen that the existing message authentication code is generated from the key K of the UE and RAND. When the embodiment shown in FIG. 4 is used, the generation algorithm of the message authentication codes (corresponding to the first message authentication code and the second message authentication code in FIG. 4) need not be changed, and the number of parameters used to generate the message authentication code need not be changed; it suffices to replace RAND in the existing message authentication code generation method with the second random number. In other words, the existing message authentication code generation algorithm can still be used, which makes generating the message authentication code more convenient and efficient.
Below, the embodiments shown in FIGS. 3 and 4 are applied to specific scenarios to further describe the network authentication method provided by the embodiments of this application:
The embodiments of this application involve two network identifiers of the serving network (serving network name, SNN): the network identifier of the serving network determined by the home network (for example, as determined by the UDM network element in the home network) and the network identifier of the serving network received by the UE from the serving network. For ease of description, these are distinguished as the first SNN and the second SNN, where the first SNN is the network identifier of the serving network determined by the home network and the second SNN is the network identifier of the serving network received by the UE from the serving network.
Generally, the first SNN is the real network identifier of the serving network, whereas the second SNN sent by the serving network to the terminal device is not necessarily the real network identifier: the serving network may send a false network identifier to the terminal device in order to deceive it and obtain information about it. In the embodiments of this application, whether the serving network is a spoofing network can be verified by checking whether the first SNN and the second SNN are consistent.
As shown in FIG. 5, a network authentication method provided by an embodiment of this application includes:
Step 501: Same as steps 201 to 204; for details, refer to the related description of steps 201 to 204 shown in FIG. 2, which is not repeated here.
It should be noted that the embodiments of this application do not limit the manner in which the UDM network element in the home network determines the first SNN. For example, when the SEAF network element in the serving network sends the encrypted subscriber identifier to the AUSF network element in the home network, the SEAF network element may send the first SNN at the same time, so that the AUSF network element obtains the first SNN; when the AUSF network element forwards the encrypted subscriber identifier, it also sends the first SNN to the UDM network element. As another example, the AUSF network element may determine, from the channel over which it interacts with the SEAF network element, the serving network corresponding to that channel and thereby the first SNN, and then send the first SNN together with the encrypted subscriber identifier to the UDM network element. In the embodiments of this application, any manner that enables the UDM network element to receive the first SNN is applicable.
Step 502: The UDM network element generates a first authentication vector, where the first authentication vector includes RAND, XRES*, K_AUSF, and a first message authentication code MAC*, with MAC* carried in AUTN.
RAND, XRES*, and K_AUSF may be generated in the existing manner, which is not detailed here.
For MAC*, the UDM network element generates MAC* based on the first operation from the key K in the subscription information of the UE, RAND, and the first SNN.
One manner of generating each parameter of the first authentication vector is listed below:
After generating RAND, the UDM network element generates MAC*, XRES*, and K_AUSF as follows:
MAC* = f1(K, RAND, first SNN), XRES* = f2(K, RAND, first SNN), K_AUSF = f3(K, RAND), where f1, f2, and f3 each denote an operation.
Step 503: After generating the first authentication vector, the UDM network element sends the first authentication vector to the AUSF network element. For example, the UDM network element carries the first authentication vector in an authentication acquisition response sent to the AUSF network element.
Step 504: After receiving the first authentication vector, the AUSF network element further processes it to generate a second authentication vector.
The second authentication vector includes RAND, HXRES*, and MAC*, with MAC* carried in AUTN.
For the generation of HXRES*, refer to the related description of step 207, which is not repeated here.
Optionally, the AUSF network element may also derive K_SEAF from K_AUSF and store K_SEAF locally for subsequent sending to the SEAF network element.
Step 505: The AUSF network element sends the second authentication vector to the SEAF network element in the serving network.
The AUSF may send an authentication response carrying the second authentication vector to the SEAF network element in the serving network.
Step 506: After receiving the second authentication vector, the SEAF network element sends a non-access stratum (NAS) message (such as an authentication request) to the UE. The NAS message includes RAND and MAC*, where MAC* may be carried in AUTN.
Step 507: After receiving the NAS message, the UE generates a second message authentication code XMAC* based on the first operation from the key K stored in the USIM, RAND, and the second SNN.
The second SNN is the network identifier of the serving network that the serving network sends to the UE after the UE accesses the serving network. The embodiments of this application do not limit the manner in which the second SNN is sent to the UE; any manner that enables the UE to receive the second SNN is applicable to the embodiments of this application.
Step 508: After determining that XMAC* is consistent with the MAC* carried in AUTN, the UE sends an authentication response carrying RES* to the SEAF network element.
For the generation of RES*, refer to the related description of step 210, which is not repeated here.
It should be noted that the comparison of XMAC* and MAC* by the UE may be performed by the USIM module in the UE or by the ME module; this is not limited in the embodiments of this application.
If the UDM network element generates the authentication token in the manner listed in step 502, the manner in which the UE compares XMAC* and MAC* is described in detail below:
First, the UE generates XMAC* in the same manner as the UDM network element generates MAC*, that is, XMAC* = f1(K, RAND, second SNN).
The UE may generate RES* in the same manner as the UDM network element generates XRES*, that is, RES* = f2(K, RAND, second SNN).
After generating XMAC*, the UE compares XMAC* with the MAC* in AUTN*. If they are consistent, this indicates that the first SNN used by the UE when generating XMAC* and the second SNN used by the UDM network element when generating MAC* are the same, the serving network is not a spoofing network, and the UE's verification of the serving network succeeds; if they are inconsistent, the serving network is a spoofing network, and the UE's verification of the serving network fails.
If the UE's verification of the serving network fails, the UE may send a message indicating the verification failure to the SEAF network element.
Step 509: Same as steps 212 to 215, which are not repeated here; the serving network authenticates the UE, and the home network authenticates the UE.
As shown in FIG. 6, another network authentication method provided by an embodiment of this application includes:
Step 601: Same as step 501.
Step 602: The UDM network element generates a first authentication vector, where the first authentication vector includes a first RAND, XRES*, K_AUSF, and a first message authentication code (MAC*).
MAC* may be carried in AUTN, and the first RAND is a random number randomly generated by the UDM network element.
The process by which the UDM network element generates MAC* is as follows: the UDM network element first generates a second RAND, based on the second operation, from the first RAND and the first SNN, and then generates MAC*, based on the third operation, from the key K in the subscription information of the UE and the second RAND.
XRES* and K_AUSF may be generated in the same manner as in the existing scheme, that is, by the corresponding operation from the first RAND and the key K; they may also be generated by the corresponding operation from the second RAND and the key K. This is not limited in the embodiments of this application.
One manner of generating each parameter of the first authentication vector is listed below:
MAC*, XRES*, and K_AUSF are generated as follows:
second RAND = H(first RAND, first SNN), MAC* = f1(K, second RAND), XRES* = f2(K, second RAND, first SNN), K_AUSF = f3(K, second RAND), where H, f1, f2, and f3 each denote an operation.
Step 603: After generating the first authentication vector, the UDM network element sends the first authentication vector to the AUSF network element. For example, the UDM network element carries the first authentication vector in an authentication acquisition response sent to the AUSF network element.
Step 604: After receiving the first authentication vector, the AUSF network element further processes it to generate a second authentication vector.
The second authentication vector includes the first RAND, HXRES*, and MAC*, where MAC* may be carried in AUTN.
For the generation of HXRES*, refer to the related description of step 207, which is not repeated here.
Optionally, the AUSF network element may also derive K_SEAF from K_AUSF and store K_SEAF locally for subsequent sending to the SEAF network element.
Step 605: The AUSF network element sends the second authentication vector to the SEAF network element.
The AUSF may send an authentication response carrying the second authentication vector to the SEAF network element in the serving network.
Step 606: After receiving the second authentication vector, the SEAF network element sends a NAS message (such as an authentication request) to the UE. The NAS message includes the first RAND and MAC*, where MAC* may be carried in AUTN. The NAS message may also include other information, which is not limited in the embodiments of this application.
Step 607: After receiving the NAS message, the UE generates a second RAND, based on the second operation, from the first RAND and the second SNN, and then generates a second message authentication code XMAC*, based on the third operation, from the second RAND and the key K stored in the USIM.
It should be noted that the second RAND in step 607 is distinct from the second RAND in step 602: the second RAND in step 607 is generated by the UE, whereas the second RAND in step 602 is generated by the UDM network element. Whether the second RAND in step 607 has the same value as the second RAND in step 602 depends on whether the first SNN and the second SNN are the same: if the first SNN and the second SNN differ, the value of the second RAND in step 607 differs from that in step 602; if the first SNN and the second SNN are the same, the values are the same.
Step 608: After determining that XMAC* is consistent with the MAC* in the authentication token, the UE sends RES* to the SEAF network element.
The UE generates RES* from the second RAND and the key K, using the same operation as the UDM network element uses to generate XRES*.
It should be noted that the comparison of XMAC* and MAC* by the UE may be performed by the USIM module in the UE or by another module (such as the ME module); this is not limited in the embodiments of this application.
If the UDM network element generates the authentication token in the manner listed in step 602, the manner in which the UE compares XMAC* and MAC* is described below:
First, the UE generates XMAC* in the same manner as the UDM network element generates MAC*, that is, second RAND = H(first RAND, second SNN), XMAC* = f1(K, SQN, second RAND, second SNN).
The UE may generate RES* in the same manner as the UDM network element generates XRES*, that is, RES* = f2(K, second RAND, second SNN).
After generating XMAC*, the UE compares XMAC* with the MAC* in AUTN*. If they are consistent, this indicates that the second RAND used by the UE when generating XMAC* is the same as the second RAND used by the UDM network element when generating MAC*, which further indicates that the second SNN used by the UE to generate the second RAND is the same as the first SNN used by the UDM network element to generate the second RAND; the serving network is not a spoofing network, and the UE's verification of the serving network succeeds. If they are inconsistent, the serving network is a spoofing network, and the UE's verification of the serving network fails.
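The FIG. 6 flow (steps 602 to 608) as an added example that also illustrates the point made in the comparison of FIGS. 3 and 4: the legacy two-input MAC function is left unchanged and only its RAND input is replaced by second RAND = H(first RAND, SNN). This is not code from the patent; it assumes H is SHA-256 truncated to 16 bytes, f1, f2 and f3 are HMAC-SHA-256 with distinct tags, AUTN is modelled as MAC* alone, and the SEAF check uses the 5G AKA convention HXRES* = SHA-256(RAND || RES*) truncated to 16 bytes, since the page defers HXRES* to step 207, which is not shown here.

```python
# Added example for the FIG. 6 flow (steps 602-608); not code from the patent.
# Assumptions (not given on the page): H = SHA-256 truncated to 16 bytes;
# f1/f2/f3 = HMAC-SHA-256 under distinct tags; AUTN carries only MAC*;
# HXRES* = SHA-256(first RAND || RES*) truncated to 16 bytes (5G AKA style).
import hashlib
import hmac
from typing import NamedTuple, Optional


class FirstAV(NamedTuple):      # step 602, built by the UDM
    first_rand: bytes
    xres_star: bytes
    k_ausf: bytes
    autn: bytes                 # carries MAC*


class SecondAV(NamedTuple):     # step 604, built by the AUSF
    first_rand: bytes
    hxres_star: bytes
    autn: bytes


def _prf(tag: bytes, k: bytes, *parts: bytes) -> bytes:
    h = hmac.new(k, tag, hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)   # length-prefixed fields
    return h.digest()


def H(first_rand: bytes, snn: str) -> bytes:
    """Second operation: derive the second RAND from the first RAND and the SNN."""
    return hashlib.sha256(first_rand + snn.encode("utf-8")).digest()[:16]


def f1_legacy(k: bytes, rand: bytes) -> bytes:
    """Third operation: the unchanged two-input MAC function, MAC = f1(K, RAND)."""
    return _prf(b"f1", k, rand)[:8]


def f2(k: bytes, rand: bytes, snn: str) -> bytes:
    return _prf(b"f2", k, rand, snn.encode("utf-8"))[:16]


def f3(k: bytes, rand: bytes) -> bytes:
    return _prf(b"f3", k, rand)        # K_AUSF


def hxres(first_rand: bytes, res_star: bytes) -> bytes:
    return hashlib.sha256(first_rand + res_star).digest()[:16]


def udm_step602(k: bytes, first_rand: bytes, first_snn: str) -> FirstAV:
    second_rand = H(first_rand, first_snn)
    return FirstAV(first_rand, f2(k, second_rand, first_snn),
                   f3(k, second_rand), f1_legacy(k, second_rand))


def ausf_step604(av: FirstAV) -> SecondAV:
    # XRES* and K_AUSF stay in the home network; the serving network gets HXRES*.
    return SecondAV(av.first_rand, hxres(av.first_rand, av.xres_star), av.autn)


def ue_step607_608(k: bytes, first_rand: bytes, autn: bytes,
                   second_snn: str) -> Optional[bytes]:
    """UE side: rebuild the second RAND from the SNN the serving network
    advertised, compare XMAC* with MAC*, and return RES* only on success
    (None models the failure indication sent to the SEAF)."""
    second_rand = H(first_rand, second_snn)
    xmac_star = f1_legacy(k, second_rand)
    if not hmac.compare_digest(xmac_star, autn):
        return None
    return f2(k, second_rand, second_snn)


def seaf_check(av: SecondAV, res_star: Optional[bytes]) -> bool:
    return res_star is not None and hmac.compare_digest(
        hxres(av.first_rand, res_star), av.hxres_star)


def run(first_snn: str, second_snn: str) -> dict:
    k = bytes(range(16))                      # constructed subscription key K
    first_rand = bytes.fromhex("0f" * 16)     # constructed first RAND
    av1 = udm_step602(k, first_rand, first_snn)
    av2 = ausf_step604(av1)
    res_star = ue_step607_608(k, av2.first_rand, av2.autn, second_snn)
    return {"ue_accepts_network": res_star is not None,
            "network_accepts_ue": seaf_check(av2, res_star)}


if __name__ == "__main__":
    snn = "5G:mnc001.mcc001.3gppnetwork.org"            # constructed identifiers
    print(run(snn, snn))                                  # both True
    print(run(snn, "5G:mnc999.mcc001.3gppnetwork.org"))  # both False
```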
若所述UE对服务网络验证失败,所述UE向所述SEAF网元发送用于指示验证失败的消息。If the UE fails to verify the serving network, the UE sends a message indicating that the verification fails to the SEAF network element.
步骤609:同步骤509,此处不再赘述。Step 609: Same as step 509, and will not be repeated here.
Based on the same inventive concept as the method embodiments, an embodiment of the application further provides a communication apparatus for performing the method performed by the UDM network element in the method embodiments shown in FIGS. 3 to 6. For related features, refer to the method embodiments above; they are not repeated here. As shown in FIG. 7, the apparatus includes a processing unit 701 and a sending unit 702:
The processing unit 701 is configured to generate a first message authentication code from the key K of the terminal device, the first random number, and the network identifier of the second network;
The sending unit 702 is configured to send the first random number and the first message authentication code to the terminal device through the second network.
In a possible implementation, the first message authentication code is carried in an authentication token.
In a possible implementation, when generating the first message authentication code from the key K of the terminal device, the first random number, and the network identifier of the second network, the processing unit 701 may generate the first message authentication code directly from the key K of the terminal device, the first random number, and the network identifier of the second network, or may use another approach. For example, the processing unit 701 may first generate a second random number from the first random number and the network identifier of the second network, and then generate the first message authentication code from the key K of the terminal device and the second random number.
In a possible implementation, the apparatus further includes a receiving unit 703. Before the processing unit 701 generates the first message authentication code from the key K of the terminal device, the first random number, and the network identifier of the second network, the receiving unit 703 may receive a terminal authentication obtaining request sent by the authentication service function network element in the second network, the terminal authentication obtaining request including an encrypted user identifier. The processing unit 701 may then decrypt the encrypted user identifier to obtain the decrypted user identifier, and obtain the subscription data of the terminal device according to the decrypted user identifier, where the subscription data of the terminal includes the key K of the terminal device.
Based on the same inventive concept as the method embodiments, an embodiment of the application further provides a communication apparatus for performing the method performed by the terminal device in the method embodiments shown in FIGS. 3 to 6. For related features, refer to the method embodiments above; they are not repeated here. As shown in FIG. 8, the apparatus includes a receiving unit 801, a generating unit 802, and a verification unit 803:
The receiving unit 801 is configured to receive, through a second network, a random number and a first message authentication code from a first network, and to receive the network identifier of the second network from the second network;
The generating unit 802 is configured to generate a second message authentication code from the locally stored key K, the first random number, and the network identifier of the second network;
The verification unit 803 is configured to determine, after determining that the first message authentication code and the second message authentication code match, that verification of the second network succeeds.
In a possible implementation, the first message authentication code is carried in an authentication token.
In a possible implementation, when generating the second message authentication code from the locally stored key K, the first random number, and the network identifier of the second network, the generating unit 802 may generate the second message authentication code directly from the locally stored key K, the first random number, and the network identifier of the second network, or may use another approach. For example, the generating unit 802 may first generate a second random number from the first random number and the network identifier of the second network, and then generate the second message authentication code from the locally stored key K and the second random number.
In a possible implementation, when the receiving unit 801 receives, through the second network, the random number and the first message authentication code from the first network, the random number and the first message authentication code may be carried in signaling. For example, the receiving unit 801 may receive an authentication request from the security anchor function network element of the second network, the authentication request including the first random number and the first message authentication code.
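The UDM-side generation (steps 602 to 604, the processing unit 701 above) and the UE-side check (step 608, the generating unit 802 and verification unit 803 above), as an added Python example that is not part of the patent. The page does not specify H, f1 or f2: SHA-256 truncated to 128 bits stands in for H, and HMAC-SHA256 truncated to 64 bits stands in for f1 and f2 (a real USIM would use MILENAGE or TUAK). AUTN* is simplified to SQN || MAC*; the key K, the SQN and the serving-network names are constructed sample values. The spoofing scenario is a serving network that relays an authentication vector issued for HOME_SNN while announcing OTHER_SNN to the UE.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample values (not from the patent): a 128-bit long-term key K,
# a 48-bit sequence number SQN, and two serving-network names.
K = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")
SQN = bytes.fromhex("000000000001")
HOME_SNN = b"5G:mnc001.mcc001.3gppnetwork.org"
OTHER_SNN = b"5G:mnc099.mcc999.3gppnetwork.org"


def derive_second_rand(first_rand: bytes, snn: bytes) -> bytes:
    """Second RAND = H(first RAND, SNN). H is unspecified on the page; SHA-256
    truncated to 128 bits is assumed here."""
    return hashlib.sha256(first_rand + snn).digest()[:16]


def f1(k: bytes, sqn: bytes, rand2: bytes, snn: bytes) -> bytes:
    """MAC* / XMAC* = f1(K, SQN, second RAND, SNN). HMAC-SHA256 truncated to
    64 bits stands in for the USIM f1 function (assumption)."""
    return hmac.new(k, b"f1" + sqn + rand2 + snn, hashlib.sha256).digest()[:8]


def f2(k: bytes, rand2: bytes, snn: bytes) -> bytes:
    """XRES* / RES* = f2(K, second RAND, SNN), same stand-in construction."""
    return hmac.new(k, b"f2" + rand2 + snn, hashlib.sha256).digest()[:8]


def udm_generate(k: bytes, sqn: bytes, first_snn: bytes,
                 first_rand: Optional[bytes] = None) -> Tuple[bytes, bytes, bytes]:
    """UDM side: bind the SNN reported for the serving network into MAC*.
    Returns (first RAND, AUTN*, XRES*); AUTN* is simplified to SQN || MAC*."""
    if first_rand is None:
        first_rand = os.urandom(16)
    rand2 = derive_second_rand(first_rand, first_snn)
    mac_star = f1(k, sqn, rand2, first_snn)
    xres_star = f2(k, rand2, first_snn)
    return first_rand, sqn + mac_star, xres_star


def ue_verify(k: bytes, first_rand: bytes, autn_star: bytes,
              second_snn: bytes) -> Tuple[bool, Optional[bytes]]:
    """UE side: recompute XMAC* with the SNN the serving network announced and
    compare it with MAC* from AUTN*. Returns (ok, RES*); RES* is None on failure."""
    sqn, mac_star = autn_star[:6], autn_star[6:]
    rand2 = derive_second_rand(first_rand, second_snn)
    xmac_star = f1(k, sqn, rand2, second_snn)
    if not hmac.compare_digest(xmac_star, mac_star):
        return False, None  # announced SNN (or K/SQN) differs: spoofing network
    return True, f2(k, rand2, second_snn)


def run_scenarios() -> dict:
    """Honest serving network versus a spoofing network that relays the
    vector issued for HOME_SNN while announcing OTHER_SNN."""
    first_rand, autn_star, xres_star = udm_generate(K, SQN, HOME_SNN)
    ok_honest, res_star = ue_verify(K, first_rand, autn_star, HOME_SNN)
    ok_spoof, _ = ue_verify(K, first_rand, autn_star, OTHER_SNN)
    return {
        "honest_verified": ok_honest,
        "honest_res_matches_xres": res_star == xres_star,
        "spoof_verified": ok_spoof,
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Because both the second RAND and MAC* depend on the SNN, a relayed vector fails the XMAC* check as soon as the announced SNN differs from the one the UDM bound, without the UE needing any out-of-band knowledge of which SNN the home network saw. hmac.compare_digest is used for the comparison so that the check does not leak, through timing, how many leading bytes of a forged MAC* were correct.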
The division of units in the embodiments of this application is illustrative and is only a division by logical function; other divisions are possible in actual implementation. In addition, the functional units in the embodiments of this application may be integrated in one processor, may exist physically on their own, or two or more units may be integrated in one module. The integrated unit may be implemented in the form of hardware or in the form of a software functional module.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions for causing a terminal device (which may be a personal computer, a mobile phone, a network device, or the like) or a processor to perform all or some of the steps of the method in the embodiments of this application. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.
In the embodiments of this application, both the unified data management network element and the terminal device may be presented in a form in which the functional modules are divided in an integrated manner. A "module" here may refer to a specific ASIC, a circuit, a processor and memory that execute one or more software or firmware programs, an integrated logic circuit, and/or another device that can provide the functions described above.
In a simple embodiment, a person skilled in the art will appreciate that the unified data management network element may take the form shown in FIG. 9.
The communication apparatus 900 shown in FIG. 9 includes at least one processor 901 and a memory 902, and may optionally further include a communication interface 903.
The memory 902 may be a volatile memory such as a random access memory, or a non-volatile memory such as a read-only memory, a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); or the memory 902 may be any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, without being limited thereto. The memory 902 may also be a combination of the above memories.
The embodiments of this application do not limit the specific connection medium between the processor 901 and the memory 902. In the figure, the memory 902 and the processor 901 are connected through a bus 904, drawn as a thick line; the connections between other components are shown only schematically and are not limiting. The bus 904 may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in FIG. 9, but this does not mean that there is only one bus or one type of bus.
The processor 901 may have a data transceiving function and be able to communicate with other devices. In the apparatus of FIG. 9, an independent data transceiving module, such as the communication interface 903, may also be provided for sending and receiving data; when the processor 901 communicates with other devices, data may be transmitted through the communication interface 903.
When the unified data management network element takes the form shown in FIG. 9, the processor 901 in FIG. 9 may invoke the computer-executable instructions stored in the memory 902, so that the unified data management network element can perform the method performed by the UDM network element in any of the method embodiments above.
Specifically, the functions/implementation processes of the sending unit, the receiving unit, and the processing unit of FIG. 7 may all be implemented by the processor 901 in FIG. 9 invoking the computer-executable instructions stored in the memory 902. Alternatively, the function/implementation process of the processing unit of FIG. 7 may be implemented by the processor 901 in FIG. 9 invoking the computer-executable instructions stored in the memory 902, while the functions/implementation processes of the sending unit and the receiving unit of FIG. 7 may be implemented by the communication interface 903 in FIG. 9.
In a simple embodiment, a person skilled in the art will appreciate that the terminal device may take the form shown in FIG. 10.
The communication apparatus 1000 shown in FIG. 10 includes at least one processor 1001 and a memory 1002, and may optionally further include a transceiver 1003.
The memory 1002 may be a volatile memory such as a random access memory, or a non-volatile memory such as a read-only memory, a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); or the memory 1002 may be any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, without being limited thereto. The memory 1002 may also be a combination of the above memories.
The embodiments of this application do not limit the specific connection medium between the processor 1001 and the memory 1002. In the figure, the memory 1002 and the processor 1001 are connected through a bus 1004, drawn as a thick line; the connections between other components are shown only schematically and are not limiting. The bus 1004 may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in FIG. 10, but this does not mean that there is only one bus or one type of bus.
The processor 1001 may have a data transceiving function and be able to communicate with other devices. In the apparatus of FIG. 10, an independent data transceiving module, such as the transceiver 1003, may also be provided for sending and receiving data; when the processor 1001 communicates with other devices, data may be transmitted through the transceiver 1003.
When the terminal device takes the form shown in FIG. 10, the processor 1001 in FIG. 10 may invoke the computer-executable instructions stored in the memory 1002, so that the terminal device can perform the method performed by the terminal device in any of the method embodiments above.
Specifically, the functions/implementation processes of the receiving unit, the generating unit, and the verification unit of FIG. 8 may all be implemented by the processor 1001 in FIG. 10 invoking the computer-executable instructions stored in the memory 1002. Alternatively, the functions/implementation processes of the generating unit and the verification unit of FIG. 8 may be implemented by the processor 1001 in FIG. 10 invoking the computer-executable instructions stored in the memory 1002, while the function/implementation process of the receiving unit of FIG. 8 may be implemented by the transceiver 1003 in FIG. 10.
A person skilled in the art should understand that the embodiments of this application may be provided as a method, a system, or a computer program product. Therefore, this application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, this application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, and the like) that contain computer-usable program code.
This application is described with reference to flowcharts and/or block diagrams of the method, device (system), and computer program product according to this application. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, may be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor, or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus, which implements the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
Obviously, a person skilled in the art can make various modifications and variations to this application without departing from the spirit and scope of this application. If these modifications and variations of this application fall within the scope of the claims of this application and their equivalent technologies, this application is also intended to include them.

Claims (26)

  1. 一种网络验证方法,其特征在于,所述方法包括:A network verification method, characterized in that the method includes:
    统一数据管理网元根据终端设备的密钥K、第一随机数、以及第二网络的网络标识生成第一消息认证码;The unified data management network element generates the first message authentication code according to the key K of the terminal device, the first random number, and the network identity of the second network;
    通过所述第二网络向所述终端设备发送所述第一随机数和所述第一消息认证码。Sending the first random number and the first message authentication code to the terminal device through the second network.
  2. 如权利要求1所述的方法,其特征在于,所述第一消息认证码携带在认证令牌中。The method of claim 1, wherein the first message authentication code is carried in an authentication token.
  3. 如权利要求1或2所述的方法,其特征在于,所述统一数据管理网元根据终端设备的密钥K、所述第一随机数、以及第二网络的网络标识生成第一消息认证码,包括:The method of claim 1 or 2, wherein the unified data management network element generates the first message authentication code according to the key K of the terminal device, the first random number, and the network identification of the second network ,include:
    所述统一数据管理网元根据所述第一随机数和所述第二网络的网络标识生成第二随机数;Generating, by the unified data management network element, a second random number according to the first random number and the network identification of the second network;
    所述统一数据管理网元根据所述终端设备的密钥K和所述第二随机数生成所述第一消息认证码。The unified data management network element generates the first message authentication code according to the key K of the terminal device and the second random number.
  4. 如权利要求1~3任一所述的方法,其特征在于,所述统一数据管理网元在所述根据终端设备的密钥K、所述第一随机数、以及第二网络的网络标识生成第一消息认证码之前,所述方法还包括:The method according to any one of claims 1 to 3, wherein the unified data management network element generates data based on the key K of the terminal device, the first random number, and the network identification of the second network. Before the first message authentication code, the method further includes:
    所述统一数据管理网元接收来自所述第二网络中的认证服务功能网元发送的终端认证获取请求,所述终端认证获取请求包括加密后的用户标识;The unified data management network element receives a terminal authentication acquisition request sent from an authentication service function network element in the second network, where the terminal authentication acquisition request includes an encrypted user identifier;
    所述统一数据管理网元解密所述加密后的用户标识,得到解密后的用户标识;The unified data management network element decrypts the encrypted user identification to obtain the decrypted user identification;
    所述统一数据管理网元根据所述解密后的用户标识,获取所述终端设备对应的签约数据,其中,所述终端设备对应的签约数据中包括所述终端设备的密钥K。The unified data management network element obtains the contract data corresponding to the terminal device according to the decrypted user identifier, wherein the contract data corresponding to the terminal device includes the key K of the terminal device.
  5. 一种网络验证方法,其特征在于,所述方法包括:A network verification method, characterized in that the method includes:
    通过第二网络接收来自第一网络中统一数据管理网元的第一随机数和第一消息认证码;Receiving the first random number and the first message authentication code from the unified data management network element in the first network through the second network;
    根据本地存储的密钥K、所述第一随机数、以及所述第二网络的网络标识生成第二消息认证码;Generating a second message authentication code according to the locally stored key K, the first random number, and the network identity of the second network;
    在确定所述第一消息认证码和所述第二消息认证码一致后,确定对所述第二网络验证成功。After determining that the first message authentication code is consistent with the second message authentication code, it is determined that the verification of the second network is successful.
  6. 如权利要求5所述的方法,其特征在于,所述第一消息认证码携带在认证令牌中。8. The method of claim 5, wherein the first message authentication code is carried in an authentication token.
  7. 如权利要求5或6所述的方法,其特征在于,所述根据本地存储的密钥K、所述第一随机数、以及所述第二网络的网络标识生成第二消息认证码,包括:The method according to claim 5 or 6, wherein the generating the second message authentication code according to the locally stored key K, the first random number, and the network identifier of the second network comprises:
    根据所述第一随机数和所述第二网络的网络标识生成第二随机数;Generating a second random number according to the first random number and the network identification of the second network;
    根据所述本地存储的密钥K和所述第二随机数生成所述第二消息认证码。The second message authentication code is generated according to the locally stored key K and the second random number.
  8. 如权利要求5~7任一所述的方法,其特征在于,所述通过第二网络接收来自第一网络中统一数据管理网元的第一随机数和第一消息认证码,包括:The method according to any one of claims 5 to 7, wherein the receiving the first random number and the first message authentication code from the unified data management network element in the first network through the second network comprises:
    从所述第二网络的安全锚功能网元接收认证请求,所述认证请求中包括所述第一随机数和所述第一消息认证码。An authentication request is received from a security anchor function network element of the second network, where the authentication request includes the first random number and the first message authentication code.
  9. 一种通信装置,其特征在于,所述装置包括处理单元和发送单元:A communication device, characterized in that the device includes a processing unit and a sending unit:
    所述处理单元,用于根据终端设备的密钥K、所述第一随机数、以及第二网络的网络标识生成第一消息认证码;The processing unit is configured to generate a first message authentication code according to the key K of the terminal device, the first random number, and the network identity of the second network;
    所述发送单元,用于通过所述第二网络向所述终端设备发送所述第一随机数和所述第一消息认证码。The sending unit is configured to send the first random number and the first message authentication code to the terminal device through the second network.
  10. 如权利要求9所述的装置,其特征在于,所述第一消息认证码携带在认证令牌中。The device according to claim 9, wherein the first message authentication code is carried in an authentication token.
  11. 如权利要求9或10所述的装置,其特征在于,所述处理单元在根据终端设备的密钥K、所述第一随机数、以及第二网络的网络标识生成第一消息认证码,具体用于:The apparatus according to claim 9 or 10, wherein the processing unit generates the first message authentication code according to the key K of the terminal device, the first random number, and the network identification of the second network, specifically Used for:
    根据所述第一随机数和所述第二网络的网络标识生成第二随机数;Generating a second random number according to the first random number and the network identification of the second network;
    根据所述终端设备的密钥K和所述第二随机数生成所述第一消息认证码。The first message authentication code is generated according to the key K of the terminal device and the second random number.
  12. 如权利要求9~11任一所述的装置,其特征在于,所述装置还包括接收单元,所述接收单元在所述处理单元根据终端设备的密钥K、所述第一随机数、以及第二网络的网络标识生成第一消息认证码之前,用于:The device according to any one of claims 9 to 11, wherein the device further comprises a receiving unit, and the receiving unit in the processing unit according to the key K of the terminal device, the first random number, and Before generating the first message authentication code, the network identifier of the second network is used to:
    接收来自所述第二网络中的认证服务功能的终端认证获取请求,所述终端认证获取请求包括加密后的用户标识;Receiving a terminal authentication acquisition request from an authentication service function in the second network, where the terminal authentication acquisition request includes an encrypted user identifier;
    所述处理单元,还用于解密所述加密后的用户标识,得到解密后的用户标识;以及根据所述解密后的用户标识,获取所述终端设备的签约数据,其中,所述终端的签约数据中包括所述终端设备的密钥K。The processing unit is further configured to decrypt the encrypted user ID to obtain the decrypted user ID; and obtain the contract data of the terminal device according to the decrypted user ID, wherein the contract of the terminal The data includes the key K of the terminal device.
  13. 一种通信装置,其特征在于,所述装置包括接收单元、生成单元以及验证单元:A communication device, characterized in that the device includes a receiving unit, a generating unit, and a verification unit:
    所述接收单元,用于通过第二网络接收来自第一网络中统一数据管理网元的第一随机数和第一消息认证码;The receiving unit is configured to receive the first random number and the first message authentication code from the unified data management network element in the first network through the second network;
    所述生成单元,用于根据本地存储的密钥K、所述第一随机数、以及所述第二网络的网络标识生成第二消息认证码;The generating unit is configured to generate a second message authentication code according to the locally stored key K, the first random number, and the network identifier of the second network;
    所述验证单元,用于在确定所述第一消息认证码和所述第二消息认证码一致后,确定对所述第二网络验证成功。The verification unit is configured to determine that the verification of the second network is successful after determining that the first message authentication code is consistent with the second message authentication code.
  14. 如权利要求13所述的装置,其特征在于,所述第一消息认证码携带在认证令牌中。The apparatus according to claim 13, wherein the first message authentication code is carried in an authentication token.
  15. 如权利要求13或14所述的装置,其特征在于,所述生成单元在根据本地存储的密钥K、所述第一随机数、以及所述第二网络的网络标识生成第二消息认证码,具体用于:The apparatus according to claim 13 or 14, wherein the generating unit generates the second message authentication code according to the locally stored key K, the first random number, and the network identifier of the second network , Specifically used for:
    根据所述第一随机数和所述第二网络的网络标识生成第二随机数;Generating a second random number according to the first random number and the network identification of the second network;
    根据所述本地存储的密钥K和所述第二随机数生成所述第二消息认证码。The second message authentication code is generated according to the locally stored key K and the second random number.
  16. 如权利要求13~15任一所述的装置,其特征在于,所述接收单元在通过第二网络接收来自第一网络中统一数据管理网元的第一随机数和第一消息认证码,具体用于:The apparatus according to any one of claims 13 to 15, wherein the receiving unit receives the first random number and the first message authentication code from the unified data management network element in the first network through the second network, specifically Used for:
    从所述第二网络的安全锚功能网元接收认证请求,所述认证请求中包括所述第一随机数和所述第一消息认证码。An authentication request is received from a security anchor function network element of the second network, where the authentication request includes the first random number and the first message authentication code.
  17. 一种通信系统,其特征在于,所述系统包括第一网络中的统一数据管理网元和第一网络中的认证服务功能网元;A communication system, characterized in that the system includes a unified data management network element in a first network and an authentication service function network element in the first network;
    the authentication service function network element is configured to: receive an authentication verification request from a security anchor function network element in the second network, the authentication verification request including an encrypted user identifier from a terminal device; and send a terminal authentication retrieval request to the unified data management network element, the terminal authentication retrieval request including the encrypted user identifier;
    the unified data management network element is configured to: receive the terminal authentication retrieval request; decrypt the encrypted user identifier to obtain a decrypted user identifier; obtain, according to the decrypted user identifier, subscription data corresponding to the terminal device, the subscription data corresponding to the terminal device including a key K of the terminal device; generate a first message authentication code according to the key K of the terminal device, a first random number, and a network identifier of the second network; and send the first random number and the first message authentication code to the terminal device through the second network.
  18. The system according to claim 17, wherein the first message authentication code is carried in an authentication token.
  19. The system according to claim 17 or 18, wherein, when generating the first message authentication code according to the key K of the terminal device, the first random number, and the network identifier of the second network, the unified data management network element is specifically configured to:
    generate a second random number according to the first random number and the network identifier of the second network; and generate the first message authentication code according to the key K of the terminal device and the second random number.
  20. The system according to any one of claims 17 to 19, wherein the system further comprises the security anchor function network element in the second network;
    the security anchor function network element is configured to: receive a registration request from the terminal device, the registration request including the encrypted user identifier; send the authentication verification request to the authentication service function network element; receive, via the authentication service function network element, the first random number and the first message authentication code from the unified data management network element; and send an authentication request to the terminal device, the authentication request including the first random number and the first message authentication code.
  21. A communication apparatus, wherein the communication apparatus comprises a processor and a memory;
    the memory is configured to store computer-executable instructions, and when the communication apparatus runs, the processor executes the computer-executable instructions stored in the memory, so that the communication apparatus performs the method according to any one of claims 1 to 4.
  22. A communication apparatus, wherein the communication apparatus comprises a processor and a memory;
    the memory is configured to store computer-executable instructions, and when the communication apparatus runs, the processor executes the computer-executable instructions stored in the memory, so that the communication apparatus performs the method according to any one of claims 5 to 8.
  23. A computer-readable storage medium, wherein the computer-readable storage medium stores instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 1 to 4.
  24. A computer-readable storage medium, wherein the computer-readable storage medium stores instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 5 to 8.
  25. A computer chip, wherein the chip is connected to a memory, and the chip is configured to read and execute a software program stored in the memory so as to perform the method according to any one of claims 1 to 8.
  26. A computer program product comprising instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 1 to 8.
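A toy model of the challenge generation in claims 17 to 20, added here as an illustration; it is not code from the patent or from the applicant. The claims do not name the function that derives the second random number from the first random number and the network identifier, nor the MAC algorithm, so HMAC-SHA-256 is assumed for both. The subscriber record, key K, random values and serving network names are constructed sample data, and the decryption of the encrypted user identifier is left out (the lookup uses the decrypted identifier directly). The example goes one step past the claims by also showing the terminal-side check that the claims imply: the terminal recomputes the MAC with the identifier of the network it is actually attached to, so a challenge issued for one serving network does not verify when relayed through another.

```python
"""Added example: challenge generation bound to the serving network identifier
(claims 17-20), with the terminal-side verification that it enables.
Not the patent's or the applicant's code; cryptographic functions and all
sample values are assumptions chosen for this illustration."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample subscription data: decrypted user identifier -> key K.
# The claims have the UDM decrypt an encrypted identifier before this lookup;
# that identifier-protection step is not modelled here.
SUBSCRIPTION_DB: Dict[str, bytes] = {
    "imsi-460001234567890": bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc"),
}


def derive_second_random(rand1: bytes, network_id: str) -> bytes:
    """Claim 19: second random number derived from the first random number and
    the network identifier. Derivation function is an assumption: HMAC-SHA-256
    keyed with rand1 over the identifier, truncated to 16 bytes."""
    return hmac.new(rand1, network_id.encode("utf-8"), hashlib.sha256).digest()[:16]


def compute_mac(k: bytes, rand2: bytes) -> bytes:
    """Claim 19: first message authentication code from K and the second random
    number. HMAC-SHA-256 truncated to 8 bytes is an assumption, not the patent's MAC."""
    return hmac.new(k, rand2, hashlib.sha256).digest()[:8]


def udm_generate_challenge(
    user_id: str, serving_network_id: str, rand1: Optional[bytes] = None
) -> Tuple[bytes, bytes]:
    """Home-network (UDM) side of claim 17: look up K in the subscription data,
    choose the first random number, bind it to the serving network identifier
    and return (first random number, first MAC) for the serving network to forward."""
    k = SUBSCRIPTION_DB[user_id]
    if rand1 is None:
        rand1 = os.urandom(16)
    rand2 = derive_second_random(rand1, serving_network_id)
    return rand1, compute_mac(k, rand2)


def terminal_verify(k: bytes, rand1: bytes, mac: bytes, observed_network_id: str) -> bool:
    """Terminal side: recompute the MAC from its own K, the received first random
    number and the identifier of the network it is actually attached to.
    Constant-time comparison avoids leaking how many MAC bytes matched."""
    expected = compute_mac(k, derive_second_random(rand1, observed_network_id))
    return hmac.compare_digest(expected, mac)


def run_scenarios(user_id: str = "imsi-460001234567890") -> Dict[str, bool]:
    """Same challenge checked three ways: by the genuine serving network's
    terminal, after relay through a rogue network with a different identifier,
    and with a tampered first random number. Names are constructed examples."""
    k = SUBSCRIPTION_DB[user_id]          # the terminal's own copy of K
    fixed_rand1 = bytes(range(16))        # fixed for reproducibility only
    genuine_sn = "5G:mnc000.mcc460.3gppnetwork.org"
    rogue_sn = "5G:mnc099.mcc460.3gppnetwork.org"
    rand1, mac = udm_generate_challenge(user_id, genuine_sn, fixed_rand1)
    return {
        "genuine_network_verifies": terminal_verify(k, rand1, mac, genuine_sn),
        "rogue_network_verifies": terminal_verify(k, rand1, mac, rogue_sn),
        "tampered_rand_verifies": terminal_verify(k, bytes(16), mac, genuine_sn),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

Running the script shows the genuine network verifying and both the relayed and the tampered challenge failing. The property the claims rely on is that the network identifier enters the MAC only through the second random number, so the terminal never needs the identifier sent to it by the network; it uses the one it observes, and a mismatch surfaces as a failed MAC check.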

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201910170883.3A CN111669276A (en) 2019-03-07 2019-03-07 Network verification method, device and system
CN201910170883.3 2019-03-07

Publications (1)

Publication Number Publication Date
WO2020177768A1 true WO2020177768A1 (en) 2020-09-10

Family

ID=72338432

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/078309 WO2020177768A1 (en) 2019-03-07 2020-03-06 Network verification method, apparatus, and system

Country Status (2)

Country Link
CN (1) CN111669276A (en)
WO (1) WO2020177768A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101420695A (en) * 2008-12-16 2009-04-29 天津工业大学 3G subscriber fast roaming authentication method based on WLAN (wireless local area network)
CN101473670A (en) * 2006-06-19 2009-07-01 荷兰应用自然科学研究组织 Method and system for controlling access to networks
CN101867923A (en) * 2010-06-11 2010-10-20 西安电子科技大学 Heterogeneous wireless network secure access authentication method based on identity self-confirmation
CN108880813A (en) * 2017-05-08 2018-11-23 中国移动通信有限公司研究院 Implementation method and device for an attach procedure
WO2019000171A1 (en) * 2017-06-26 2019-01-03 Zte Corporation Methods and computing device for authenticating a user equipment via a home network

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101026863A (en) * 2006-02-21 2007-08-29 上海宇梦通信科技有限公司 UMTS authentication vector generation method based on serving network label
US9491618B2 (en) * 2014-09-26 2016-11-08 Qualcomm Incorporated Serving network authentication
EP3876573A1 (en) * 2015-02-27 2021-09-08 Telefonaktiebolaget LM Ericsson (publ) Security arrangements in communication between a communication device and a network device
CN111865603A (en) * 2016-09-05 2020-10-30 华为技术有限公司 Authentication method, authentication device and authentication system
CN108848502B (en) * 2018-05-18 2021-07-23 兴唐通信科技有限公司 Method for protecting SUPI using 5G-AKA

Also Published As

Publication number Publication date
CN111669276A (en) 2020-09-15

Similar Documents

Publication Publication Date Title
JP2019169963A (en) Security configuration in communication between communication device and network device
US10003965B2 (en) Subscriber profile transfer method, subscriber profile transfer system, and user equipment
US10848970B2 (en) Network authentication method, and related device and system
US9654284B2 (en) Group based bootstrapping in machine type communication
CN101931955B (en) Authentication method, device and system
US20110320802A1 (en) Authentication method, key distribution method and authentication and key distribution method
US10943005B2 (en) Secure authentication of devices for internet of things
US9807088B2 (en) Method and network node for obtaining a permanent identity of an authenticating wireless device
US10638321B2 (en) Wireless network connection method and apparatus, and storage medium
US20210289353A1 (en) Network access authentication method and device
CN104955040B (en) Network authentication method and equipment
CN108848495B (en) User identity updating method using preset key
US11082843B2 (en) Communication method and communications apparatus
CN104602229B (en) Efficient initial access authentication method for WLAN and 5G converged network application scenarios
CN109561431B (en) WLAN access control system and method based on multi-password identity authentication
KR20140030518A (en) Mutual authentication method and system with network in machine type communication, key distribution method and system, and uicc and device pair authentication method and system in machine type communication
WO2020177768A1 (en) Network verification method, apparatus, and system
WO2017118269A1 (en) Method and apparatus for protecting air interface identity
WO2020216338A1 (en) Parameter sending method and apparatus
US20200195445A1 (en) Registration method and apparatus based on service-based architecture
WO2020253736A1 (en) Authentication method, apparatus and system
CN108737432B (en) Confusion-based distributed authentication method, device and system in IoT (Internet of things) scene
WO2020216047A1 (en) Authentication information processing method, terminal, and network device
Liu et al. A new authentication and key agreement protocol for 5G wireless networks
CN110831002A (en) Extended universal boot architecture authentication method, device and storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20766434

Country of ref document: EP

Kind code of ref document: A1