WO2020216338A1 - Parameter sending method and apparatus - Google Patents

Parameter sending method and apparatus

Publication number
WO2020216338A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
authentication
parameter
message
reference value
Application number
PCT/CN2020/086767
Inventor
郭龙华
李�赫
陈璟
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to EP20794645.0A (patent EP3952241A4, en)
Priority to JP2021563063A (patent JP7237200B2, ja)
Priority to CA3137389A (patent CA3137389A1, en)
Publication of WO2020216338A1 (patent WO2020216338A1, zh)
Priority to US17/506,882 (patent US20220046003A1, en)

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/06: Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/06: Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062: Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807: Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/12: Transmitting and receiving encryption devices synchronised or initially set up in a particular manner
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3242: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04: Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043: Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06: Authentication
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0846: Network architectures or network communication protocols for network security for authentication of entities using passwords using time-dependent-passwords, e.g. periodically changing passwords

Definitions

  • This application relates to the field of communication technology, and in particular to a method and device for sending parameters.
  • When a terminal device moves outside the home network and is within the range of a service network, the terminal device needs to perform mutual authentication with the home network so that the service network can provide services for the terminal device. After the authentication is passed, the home network can send the subscription information of the terminal device to the service network.
  • The home network sends a sequence number (SQN) to the terminal device through the service network; the SQN is used to prevent replay attacks.
  • SQN: sequence number
  • The terminal device determines whether the SQN is within the preset range. If it is, the SQN can be considered not to have been sent by an attacker, which achieves the purpose of anti-replay. Otherwise, the terminal device sends its locally saved SQN to the home network through the service network so that the home network can save the SQN and then use the saved SQN to perform mutual authentication with the terminal device.
  • When the terminal device sends the SQN, it first XORs the SQN with the authentication key (AK) to obtain a result value, which is concatenated with the message authentication code (MAC) to form an AUTS that is sent to the home network.
  • AK: authentication key
  • MAC: message authentication code
  • The authentication token carrying the SQN sent by the home network can be intercepted and then replayed to the terminal device multiple times; the terminal device receives the authentication token multiple times and feeds back a synchronization failure multiple times.
  • AUTS: authentication failure message with synchronization failure
  • The attacker only needs to receive two different AUTS; a simple calculation then determines whether the SQNs in the two AUTS are close, and on that basis whether the two different AUTS come from the same terminal device. This makes the terminal device easy to track; that is, the existing SQN sending method is less secure.
  • The present application provides a parameter sending method and device to solve the problem of poor security of the SQN sending mode in the prior art.
  • The embodiments of the present application provide a parameter sending method, which can be executed by a terminal device or a chip in the terminal device.
  • The method includes: the terminal device can receive a random number and a first sequence value from the core network device during the authentication process.
  • For example, the core network device may be a unified data management network element, and the unified data management network element may send an authentication response carrying a random number and a first sequence value to the security anchor function network element during the authentication process of the terminal device. The security anchor function network element can carry the random number and the first sequence value in the user authentication request and send it to the terminal device, where the first sequence value can be carried in the authentication token.
  • The terminal device can obtain the first sequence value in the authentication token. After determining that the first sequence value is out of the correct range (for example, by comparing the first sequence value with the locally pre-stored second sequence value), the terminal device concatenates the message authentication code after the exclusive OR value of the authentication key and the second sequence value to generate the synchronization failure parameter. The authentication key is generated by the terminal device according to the first parameter and the first reference value, and the first reference value is generated based on the second parameter and the third parameter, where the first parameter, the second parameter and the third parameter are each any one of the following: the random number, the locally pre-stored key K, and the message authentication code. After the synchronization failure parameter is generated, a synchronization failure message carrying the synchronization failure parameter is sent to the core network device.
  • The first parameter, the second parameter, and the third parameter can be different from each other, that is, one of the parameters is the message authentication code; the same parameter may also appear more than once among the first parameter, the second parameter, and the third parameter.
  • The terminal device can carry the second sequence value in the synchronization failure parameter to notify the core network device. Because the message authentication code is introduced when generating the authentication key used in the synchronization failure parameter, the generated authentication keys differ, and differ substantially, so the generated synchronization failure parameters also differ substantially. Even when an attacker obtains two synchronization failure parameters from the terminal device, the attacker cannot calculate the size of the second sequence value through a simple exclusive OR operation, which ensures the security of the second sequence value.
  • Method 1: Generate the first reference value according to the random number and the message authentication code. The first reference value and the key K are then used as the two input values of the F5 function to generate the authentication key.
  • Method 2: Generate the first reference value according to the key K and the message authentication code. The first reference value and the random number are then used as the two input values of the F5 function, and the authentication key is output.
  • In both methods, the authentication key is generated by applying a double-input single-output operation twice (that is, the number of input values is 2 and the number of output values is 1), and the message authentication code is introduced during one of the operations, which ensures the security of the second sequence value and makes it hard to identify.
  • The authentication key can also be generated in the following manner: the first reference value is generated according to the random number and the key K. For example, the random number and the key K can be used as the two input values of the F5 function, and the output value is used as the first reference value. After that, the authentication key is generated according to the first reference value and the message authentication code; for example, the first reference value and the message authentication code can be used as the two input values of the F5 function, and the output value is used as the authentication key.
  • In this manner, the double-input single-output operation is applied twice, and the authentication key is generated from the random number, the key K and the message authentication code, which makes the way the authentication key is generated more complicated, makes the second sequence value hard to identify, and ensures the security of the second sequence value.
  • Alternatively, the random number and the key K are XORed to generate the first reference value.
  • The calculation amount of the exclusive OR operation is small, which can effectively improve the generation efficiency of the first reference value, thereby enabling the authentication key to be generated faster, while the security of the second sequence value can still be ensured.
  • When the authentication key is generated according to the first reference value and the message authentication code, an exclusive OR operation can also be used; that is, the first reference value and the message authentication code are XORed to generate the authentication key.
  • The calculation amount of the XOR operation is small, which can effectively improve the generation efficiency of the authentication key, thereby enabling the synchronization failure parameter to be generated faster while still ensuring the security of the second sequence value.
  • Before the terminal device sends a synchronization failure message to the core network device, it can also inform the core network device of the way the authentication key is generated. For example, it can send a first indication message, which is used to indicate how the authentication key is generated.
  • The first indication message may use an explicit indication or an implicit indication, which is not limited in the embodiments of the present application.
  • The core network device can learn how the authentication key was generated from the first indication message, so that the second sequence value can be correctly obtained from the synchronization failure parameter.
  • The synchronization failure message may carry the first indication message, which is used to indicate the way the authentication key is generated.
  • Because the first indication message is carried in the synchronization failure message, the core network device can learn how the authentication key was generated and correctly obtain the second sequence value from the synchronization failure parameter, and the first indication message does not need to be sent separately, which effectively saves signaling.
  • The embodiments of the present application provide a parameter sending method, which can be executed by a core network device or a chip of a core network device.
  • The method includes: the core network device can send a random number and a first sequence value to the terminal device during the authentication process.
  • For example, the core network device may be a unified data management network element, and the unified data management network element may send an authentication response carrying a random number and a first sequence value to the security anchor function network element; the security anchor function network element can then send the random number and the first sequence value to the terminal device through the user authentication request, where the first sequence value can be carried in the authentication token. After that, the core network device can receive the synchronization failure message from the terminal device, and the synchronization failure message carries the synchronization failure parameter. The core network device obtains the message authentication code from the synchronization failure parameter; after that, it obtains the second sequence value from the synchronization failure parameter according to the authentication key.
  • The way the authentication key is generated can be the same as the way the authentication key is generated on the terminal device side.
  • The first reference value can be generated according to the second parameter and the third parameter, and then the authentication key is generated according to the first parameter and the first reference value.
  • The first parameter, the second parameter and the third parameter are each any one of the following: the random number, the key K of the terminal device, and the message authentication code. The first parameter, the second parameter, and the third parameter can be different from each other, that is, one of the parameters is the message authentication code; the same parameter may also appear more than once among the first parameter, the second parameter and the third parameter.
  • The core network device can obtain the second sequence value from the synchronization failure parameter according to the authentication key.
  • The core network device introduces the message authentication code when generating the authentication key and can therefore correctly obtain the second sequence value from the synchronization failure parameter. It can be seen that even if an attacker obtains the synchronization failure parameter from the terminal device, the attacker cannot calculate the size of the second sequence value through a simple XOR operation, so the second sequence value can be safely transmitted to the core network device.
  • Method 1: Generate the first reference value according to the random number and the message authentication code. For example, use the random number and the message authentication code as the two input values of the F5 function, and the output value of the F5 function as the first reference value. The authentication key is then generated according to the first reference value and the key K; for example, the first reference value and the key K are used as the two input values of the F5 function, and the output value of the F5 function is used as the authentication key.
  • Method 2: Generate the first reference value according to the key K and the message authentication code. For example, the key K and the message authentication code are used as the two input values of the F5 function, and the output value of the F5 function is used as the first reference value. The authentication key is then generated according to the first reference value and the random number; for example, the first reference value and the random number are used as the two input values of the F5 function, and the output value of the F5 function is used as the authentication key.
  • In both methods, the authentication key is generated by the double-input single-output operation, and the message authentication code is introduced as the input value of one of the operations, which makes it difficult for an attacker to identify the second sequence value and thereby ensures the security of the second sequence value.
  • The authentication key can also be generated in the following manner: the first reference value is generated according to the random number and the key K. For example, the random number and the key K can be used as the two input values of the F5 function, and the output value is used as the first reference value. After that, the authentication key is generated according to the first reference value and the message authentication code; for example, the first reference value and the message authentication code can be used as the two input values of the F5 function, and the output value is used as the authentication key.
  • In this manner, the double-input single-output operation is applied twice, and the authentication key is generated from the random number, the key K and the message authentication code, which makes the way the authentication key is generated more complicated, makes the second sequence value hard to identify, and ensures the security of the second sequence value.
  • Alternatively, the random number and the key K are XORed to generate the first reference value.
  • The calculation amount of the exclusive OR operation is small, which can effectively improve the efficiency of generating the first reference value, thereby enabling faster generation of the authentication key.
  • When the authentication key is generated according to the first reference value and the message authentication code, an exclusive OR operation can also be used; that is, the first reference value and the message authentication code are XORed to generate the authentication key.
  • The calculation amount of the XOR operation is small, which can effectively improve the generation efficiency of the authentication key and thereby make it possible to obtain the second sequence value more quickly.
  • The core network device may also receive a first indication message from the terminal device, where the first indication message is used to indicate the way the authentication key is generated.
  • The core network device can learn how the authentication key was generated from the first indication message, so that the second sequence value can be correctly obtained from the synchronization failure parameter.
  • The synchronization failure message includes the first indication message, which is used to indicate the way the authentication key is generated.
  • Because the first indication message is carried in the synchronization failure message, the core network device can learn how the authentication key was generated and correctly obtain the second sequence value from the synchronization failure parameter, and the first indication message does not need to be sent separately, which effectively saves signaling.
  • The embodiments of the present application provide a method for sending parameters.
  • The method can be executed by a terminal device or a chip in the terminal device.
  • The method includes: the terminal device can receive a random number and a first sequence value from the core network device during the authentication process.
  • For example, the core network device may be a unified data management network element, and the unified data management network element may send a random number and a first sequence value to the security anchor function network element during the authentication process of the terminal device. The security anchor function network element can carry the random number and the first sequence value in the user authentication request and send it to the terminal device, where the first sequence value can be carried in the authentication token.
  • After that, the terminal device can obtain the first sequence value in the authentication token and compare it with the locally pre-stored second sequence value. After determining that the difference between the first sequence value and the locally pre-stored second sequence value is greater than the threshold, the terminal device uses the authentication key to symmetrically encrypt the second sequence value to generate the synchronization failure parameter.
  • The authentication key is generated based on the random number and the locally pre-stored key K. The terminal device then sends to the core network device a synchronization failure message that carries the synchronization failure parameter.
  • The terminal device can carry the second sequence value in the synchronization failure parameter and send it to the core network device.
  • Using the authentication key to symmetrically encrypt the second sequence value is not a simple XOR; the attacker cannot obtain the key used for symmetric encryption (that is, the authentication key), nor can the attacker obtain the second sequence value, which enhances the security of the SQN.
  • The terminal device can notify the core network device of the way the synchronization failure parameter is generated before sending the synchronization failure message. For example, it can send a first indication message, which is used to indicate how the synchronization failure parameter was generated.
  • The first indication message may use an explicit indication or an implicit indication, which is not limited in the embodiments of the present application.
  • The core network device can learn how the synchronization failure parameter was generated from the first indication message, so that the second sequence value can be correctly obtained from the synchronization failure parameter.
  • The synchronization failure message includes the first indication message, which is used to indicate the way the synchronization failure parameter is generated.
  • Because the first indication message is carried in the synchronization failure message, the core network device can learn how the synchronization failure parameter was generated and correctly obtain the second sequence value from it, and the first indication message does not need to be sent separately, which effectively saves signaling.
  • The embodiments of the present application provide a parameter sending method, which can be executed by a core network device or a chip of a core network device.
  • The method includes: the core network device can send a random number and a first sequence value. For example, the core network device may be a unified data management network element, and the unified data management network element may send an authentication response to the security anchor function network element.
  • The authentication response includes a random number and an authentication token carrying the first sequence value.
  • The security anchor function network element can carry the random number and the first sequence value in the user authentication request and send it to the terminal device. After that, the core network device can receive the synchronization failure message from the terminal device, and the synchronization failure message carries the synchronization failure parameter.
  • The core network device can symmetrically decrypt the synchronization failure parameter according to the authentication key to obtain the second sequence value.
  • The authentication key is generated based on the random number and the key K of the terminal device.
  • The core network device can symmetrically decrypt the synchronization failure parameter according to the authentication key to obtain the second sequence value. It can be seen that even if the attacker obtains the synchronization failure parameter, the size of the second sequence value cannot be calculated by simple calculations, so the second sequence value can be safely transmitted to the core network device.
  • The core network device may also receive a first indication message from the terminal device, where the first indication message is used to indicate the way the authentication key is generated.
  • The core network device can learn how the synchronization failure parameter was generated from the first indication message, so that the second sequence value can be correctly obtained from the synchronization failure parameter.
  • The synchronization failure message includes the first indication message, which is used to indicate the way the authentication key is generated.
  • Because the first indication message is carried in the synchronization failure message, the core network device can learn how the synchronization failure parameter was generated and correctly obtain the second sequence value from it, and the first indication message does not need to be sent separately, which effectively saves signaling.
  • the embodiments of the present application also provide a communication device, the communication device is applied to terminal equipment, and the beneficial effects can be referred to the description of the first aspect or the third aspect and will not be repeated here.
  • the device has the function of realizing the behavior in the method example of the first aspect or the third aspect.
  • the function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the structure of the device includes a receiving unit, a processing unit, and a sending unit. These units can perform the corresponding functions in the method examples of the first aspect. For details, please refer to the detailed description in the method examples. Do repeat.
  • the embodiments of the present application also provide a communication device, the communication device is applied to a core network device, and the beneficial effects can be referred to the description of the second aspect or the fourth aspect, which will not be repeated here.
  • the device has the function of realizing the behavior in the method example of the second aspect or the fourth aspect.
  • the function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • The structure of the device includes a sending unit, a receiving unit, and a processing unit. These units can perform the corresponding functions in the method examples of the second aspect or the fourth aspect. For details, refer to the detailed description in the method examples, which is not repeated here.
  • an embodiment of the present application also provides a communication device, which is applied to a terminal device, and the beneficial effects can be referred to the description of the first aspect or the third aspect and will not be repeated here.
  • the structure of the communication device includes a processor and a memory, and the processor is configured to support the base station to perform the corresponding function in the method of the first aspect or the third aspect.
  • the memory is coupled with the processor, and it stores program instructions and data necessary for the communication device.
  • the structure of the communication device also includes a communication interface for communicating with other devices.
  • an embodiment of the present application also provides a communication device, which is applied to a core network device.
  • the structure of the communication device includes a processor and a memory, and the processor is configured to support the base station to perform the corresponding function in the method of the second or fourth aspect.
  • the memory is coupled with the processor, and it stores program instructions and data necessary for the communication device.
  • the structure of the communication device also includes a transceiver for communicating with other devices.
  • the present application also provides a computer-readable storage medium having instructions stored in the computer-readable storage medium, which when run on a computer, cause the computer to execute the methods described in the foregoing aspects.
  • this application also provides a computer program product containing instructions, which when run on a computer, causes the computer to execute the methods described in the above aspects.
  • the present application also provides a computer chip connected to a memory, and the chip is used to read and execute a software program stored in the memory, and execute the methods described in the above aspects.
  • Figure 1A is a schematic diagram of a network system architecture provided by this application.
  • FIG. 1B is a schematic structural diagram of a terminal device provided by this application.
  • Figure 2 is a schematic diagram of a method for mutual authentication between a UE and a home network in the prior art.
  • Figure 3 is a schematic diagram of a parameter sending method provided by this application.
  • FIG. 4 is a schematic diagram of a parameter sending method provided by this application.
  • FIG. 5 is a schematic diagram of a parameter sending method provided by this application.
  • Figures 6A to 6E are schematic diagrams of an AUTS generation method provided by this application.
  • FIGS. 7-12 are schematic diagrams of the structure of a communication device provided by this application.
  • the network architecture is a 5G network architecture.
  • the network elements in the 5G architecture include user equipment.
  • the terminal equipment is the UE as an example.
  • The network architecture also includes a radio access network (RAN), an access and mobility function (AMF), unified data management (UDM), an authentication server function (AUSF), a security anchor function (SEAF), etc.
  • The main function of the RAN is to control user access to the mobile communication network over the wireless link.
  • The RAN is a part of the mobile communication system. It implements a wireless access technology. Conceptually, it resides between a device (such as a mobile phone, a computer, or any remotely controlled machine) and its core network, and provides the connection to the core network.
  • The AMF network element is responsible for terminal access management and mobility management, such as registration management, connection management, mobility management, and reachability management; in practical applications, it includes the mobility management function of the mobility management entity (MME) in the LTE network framework, with the access management function added.
  • the SEAF network element is used to complete the authentication of the UE.
  • the function of the SEAF can be merged into the AMF.
  • the AUSF network element has an authentication service function, which is used to terminate the authentication function requested by the SEAF network element. During the authentication process, it receives the authentication vector sent by the UDM and processes the authentication vector, and sends the processed authentication vector to the SEAF.
  • the UDM network element can store the user's subscription information, generate authentication parameters, and so on.
  • ARPF network elements have authentication credential storage and processing functions, which are used to store long-term authentication credentials of users, such as permanent keys K.
  • the functions of ARPF network elements can be incorporated into UDM network elements.
  • The terminal equipment in this application, also referred to as user equipment (UE), is a device with wireless transceiver function, which can be deployed on land, including indoor or outdoor, handheld or vehicle-mounted; it can also be deployed on water; it can also be deployed in the air (such as on airplanes, balloons and satellites).
  • The terminal device can be a mobile phone, a tablet computer (pad), a computer with wireless transceiver function, a virtual reality (VR) terminal, an augmented reality (AR) terminal, and an industrial control (industrial control)
  • FIG. 1B is a schematic structural diagram of a UE provided by an embodiment of this application, where the UE includes two types of modules, namely, a universal subscriber identity module (USIM) and a mobile equipment (ME) module.
  • the USIM can be the SIM card in the UE, which can store some important UE subscription information, such as the key K agreed by the UE and the home network in the embodiment of this application.
  • the USIM can also perform some parameter calculations. In the embodiment, message authentication code and synchronization failure parameter generation can be realized.
  • the ME module can collectively refer to the hardware components and software programs of the UE except the USIM.
  • the ME module usually does not store the subscription information of UEs with high security requirements.
  • The ME module can provide some auxiliary functions, including forwarding information between the USIM and the network side.
  • the SEAF network element and the AUSF network element can be located in the same network or in different networks.
  • the SEAF network element is located in the serving network.
  • For example, the SEAF network element is located in the visited public land mobile network (VPLMN), and the AUSF network element is located in the home network. If the UE is outside the coverage of the home network, it cannot directly access the home network to obtain services.
  • If the UE is outside the coverage of the home network and within the coverage of the serving network, it needs to access the serving network in order to obtain the network services provided by the serving network. Since the serving network has not signed a contract with the UE, for the UE to obtain network services of the serving network, the serving network needs to verify the UE, and the home network and the UE need to perform mutual authentication. If the UE is within the coverage of the home network, the UE needs to access the home network; the home network and the UE also need to perform mutual authentication.
  • Fig. 2 is a schematic diagram of the existing fifth-generation authentication and key agreement (5th-Generation Authentication and Key Agreement, 5G-AKA) method based on the system framework shown in Fig. 1A.
  • Step 201 The UE carries the encrypted user identity in the registration request and sends it to the SEAF network element.
  • the UE may encrypt the subscription permanent identifier (SUPI) to generate a subscription concealed identifier (SUCI), and the UE carries the SUCI in the registration request and sends it to the SEAF network element.
  • the UE encrypts the user identity using the configured public key to obtain the encrypted user identity.
  • When there are multiple public/private key pairs in the network, the UE, when encrypting the user identity, can indicate to the network which public key was used to encrypt the user identity, so that the network can select the corresponding private key for decryption according to the UE's indication.
  • the UE also carries the key identifier used to decrypt the encrypted user ID and the encrypted user ID together in the registration request and sends it to the SEAF network element.
  • Step 202 In order to obtain the authentication vector and user identity of the UE from the home network, the SEAF network element carries the encrypted user identity in the authentication and authentication request and sends it to the AUSF network element in the home network.
  • the authentication request also carries a key identifier.
  • Step 203 The AUSF network element carries the encrypted user identity in the UE authentication acquisition request and sends it to the UDM network element.
  • the UE authentication acquisition request also carries a key identifier.
  • Step 204 The UDM network element decrypts the encrypted user ID to obtain the user ID, and the UDM network element queries the subscription information of the UE corresponding to the user ID according to the user ID.
  • the UDM network element acquires the decryption key according to the key identifier, and uses the decryption key to decrypt the encrypted user identifier to obtain the decrypted user identifier.
  • Step 205 The UDM network element generates an authentication vector according to the subscription information of the UE, where the authentication vector includes multiple parameters, including a message authentication code (MAC), RAND, an expected challenge response (eXpected RESponse, XRES*), and K_AUSF; the UDM network element also obtains the locally pre-stored first SQN, and carries the first SQN and the MAC in an authentication token (AUTN).
  • The authentication vector may include RAND, the AUTN carrying the first SQN and the MAC, XRES*, and K_AUSF.
  • The RAND in the authentication vector is randomly generated by the UDM network element; for the other parameters in the authentication vector, the UDM network element can generate the MAC, XRES* and K_AUSF through different operations according to RAND and the UE's key K in the UE subscription information.
  • When the UDM network element generates the MAC, XRES*, and K_AUSF, each of them is based on the UE's key K and RAND, but the calculation methods are different. For example, when the UDM network element generates the MAC, other parameters can be introduced in addition to the key K and RAND, such as the first SQN and the authentication management field (AMF); the AMF can indicate the security authentication algorithm used, and the UE can learn it.
  • MAC is used for integrity verification
  • XRES* is used for authentication of the UE by the home network
  • K_AUSF is a derived key synchronized between the UE and the AUSF network element and used to derive the anchor key K_SEAF.
  • The UDM network element and the UE each maintain an SQN locally.
  • Take as an example that the SQN maintained by the UDM network element is the first SQN and the SQN maintained on the UE side is the second SQN.
  • The UDM network element calls the locally pre-stored first SQN and uses it to generate the AUTN in the authentication vector; after the AUTN is generated, the first SQN is updated, for example increased by 1, and saved locally as the first SQN used to generate the AUTN in the authentication vector during the next mutual authentication with the terminal device.
  • The UDM network element generates an authentication key (AK) based on the first operation (such as f5*, which can also be called the F5 function or F5 operation) according to RAND and the UE's key K. After that, the UDM network element XORs the locally pre-stored first SQN with the AK, and the resulting value is then concatenated with the MAC. It can be seen that the trailing fixed bits in the AUTN are the MAC.
  • The AMF can also be carried in the AUTN.
  • Step 206 The UDM network element sends an authentication acquisition response to the AUSF network element, and the authentication acquisition response includes the authentication vector and the user identifier.
  • Step 207 The AUSF network element further processes the authentication vector, for example, performs a hash operation on XRES* to generate HXRES* and derives K_SEAF from K_AUSF; the processed authentication vector includes RAND, AUTN, and HXRES*.
  • Step 208 The AUSF network element sends an authentication authentication response to the SEAF network element, and the authentication authentication response carries the processed authentication vector.
  • Step 209 The SEAF network element sends a user authentication request to the UE, where the user authentication request carries part of the parameters in the processed authentication vector, and the part of the parameters includes RAND and AUTN.
  • Step 210 Based on the first operation, the UE generates an authentication key (AK) according to the RAND and the locally stored key K. After removing the MAC from the AUTN, it XORs the remaining part of the AUTN with the AK to obtain the first SQN carried in the AUTN.
  • f5* is used to output the first 48 bits of the parameter OUT5
  • OUT5 is calculated as follows:
  • RAND and K are the input values of f5*; OP, c5, and r5 are constants; E is a block encryption operation, and E[X]_K denotes block encryption of X using K; rot is a shift operation. In the embodiments of this application, the exclusive OR can be represented by xor.
  • In the same way as the UDM network element generates the MAC, the UE generates the XMAC according to the key K stored in the USIM in the UE and the received RAND.
  • For example, other parameters such as the AMF and the second SQN can be introduced.
  • The UE obtains the AMF from the AUTN. By comparing the XMAC with the MAC carried in the AUTN, the UE authenticates the home network and completes the integrity check.
  • the UE may determine whether the first SQN is within a preset range based on the locally pre-stored second SQN.
  • the UE determines whether the difference between the first SQN and the locally pre-stored second SQN is less than or equal to a threshold. If it is, it is considered that the home network is not an attacker.
  • the subsequent operations can be continued.
  • the UE generates RES* according to RAND and K in the same way as the UDM network element generates XRES*, and the UE carries the RES* in the authentication response and sends it to the SEAF network element.
  • The UE may update the locally pre-stored second SQN; for example, add one to the locally pre-stored second SQN, and compare it with the first SQN carried in the AUTN the next time a user authentication request is received.
  • Step 211 If the difference between the first SQN and the locally pre-stored second SQN is greater than the threshold, the UE sends a synchronization failure message to the SEAF network element, and carries AUTS, and optionally, RAND.
  • the difference between the first SQN and the locally pre-stored second SQN is greater than the threshold, indicating that the user authentication request may be sent by an attacker, or the first SQN pre-stored locally on the UDM network element side is inconsistent with the second SQN pre-stored locally in the UE ;
  • an AUTS carrying the second SQN can be sent.
  • AUTS is generated as follows:
  • Based on the first operation, the UE generates an authentication key (AK) according to RAND and the locally stored key K. After that, the UE XORs the locally stored second SQN with the AK, and then concatenates the XMAC to the resulting value. It can be seen that the trailing fixed bits in the AUTS are the XMAC.
  • Step 212 After receiving the synchronization failure message, the SEAF network element sends the synchronization failure message to the AUSF network element.
  • Step 213 The AUSF network element sends a synchronization failure message to the UDM network element.
  • Step 214 After receiving the synchronization failure message, the UDM network element generates an authentication key (AK) according to RAND and the key K in the UE subscription information, removes the XMAC from the AUTS, and XORs the AK with the remaining part of the AUTS to obtain the second SQN carried in the AUTS.
  • the UDM network element synchronizes the second SQN stored locally.
  • When the UE determines that the first SQN sent by the home network exceeds the threshold, it needs to feed back the AUTS to the home network.
  • It can be seen from the AUTS generation method that the position of the XMAC in the AUTS is fixed, and the AK carried in the AUTS apart from the XMAC is usually unchanged; by processing two AUTS, it is easy to determine whether the SQNs carried in them are close.
  • For example, the bits occupied by the XMAC in the two AUTS are removed, and the remaining parts of the two AUTS are XORed. If the two AUTS are from the same UE, the AK is the same, and the XOR result is the XOR of the two SQNs. If the two AUTS were sent at relatively close times, the two SQNs are relatively close, and the XOR result is a small value close to zero.
  • the 5G-AKA authentication method in the roaming scenario is taken as an example.
  • The two-way authentication between the UE and the home network can also adopt other authentication methods, such as Extensible Authentication Protocol (EAP) authentication methods.
  • The AUTS generation method is the same as that shown in Figure 2, for which refer to the foregoing content. In addition, it should be noted that in the non-roaming scenario, where the UE is in the home network, two-way authentication is also required.
  • the authentication method is similar to that in the roaming scenario, except that the SEAF network element, AUSF network element, and UDM network element are all network elements in the home network.
  • the parameter sending method provided in the embodiment of the present application is applicable to the 5G-AKA authentication process in the roaming/non-roaming scenario, and also applicable to the EAP authentication process in the roaming/non-roaming scenario.
  • Method 1 Use the authentication key to symmetrically encrypt the SQN.
  • Symmetric encryption of the SQN is not a simple XOR; the attacker cannot obtain the key used in the symmetric encryption (that is, the authentication key) and therefore cannot obtain the SQN, which makes the SQN difficult to identify and thereby improves the security of the SQN.
  • Method 2 In addition to the random number and the key K, the message authentication code is also introduced in the process of generating the authentication key.
  • Introducing the message authentication code makes the generated authentication key different each time, and substantially so, and the AUTS generated from the authentication key therefore also differ substantially; even if the attacker obtains two AUTS, it cannot deduce by simple calculation whether the SQNs are close, which ensures the security of the SQN.
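The linkability of the Figure 2 AUTS and the effect of Method 2, as an added sketch that is not part of the application: HMAC-SHA-256 stands in for the MAC and f5* operations (it is not the real algorithm set), and the key, RAND, field widths and function names are constructed assumptions. Both AUTS are assumed to answer the same RAND, so the baseline AK is identical in both.

```python
import hashlib
import hmac

SQN_LEN = 6  # 48 bits, the f5* output width stated above
MAC_LEN = 8  # 64-bit MAC (assumed width for this sketch)


def prf(key: bytes, label: bytes, data: bytes, out_len: int) -> bytes:
    """Stand-in keyed function: HMAC-SHA-256 truncated to out_len bytes.

    NOT the real MAC / f5* operation; it only keeps the sketch stdlib-only.
    """
    return hmac.new(key, label + data, hashlib.sha256).digest()[:out_len]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ak_for(k: bytes, rand: bytes, xmac: bytes, bind_mac: bool) -> bytes:
    """Baseline: AK from K and RAND only. Method 2: XMAC is an extra input."""
    return prf(k, b"ak", rand + xmac if bind_mac else rand, SQN_LEN)


def make_auts(k: bytes, rand: bytes, sqn_ue: int, bind_mac: bool) -> bytes:
    """UE side: AUTS = (second SQN xor AK) || XMAC, XMAC in the trailing bits."""
    sqn = sqn_ue.to_bytes(SQN_LEN, "big")
    xmac = prf(k, b"mac", sqn + rand, MAC_LEN)  # MAC covers the second SQN
    return xor_bytes(sqn, ak_for(k, rand, xmac, bind_mac)) + xmac


def recover_sqn(k: bytes, rand: bytes, auts: bytes, bind_mac: bool) -> int:
    """UDM side: recompute AK, unmask the SQN, then verify the XMAC."""
    concealed, xmac = auts[:SQN_LEN], auts[SQN_LEN:]
    sqn = xor_bytes(concealed, ak_for(k, rand, xmac, bind_mac))
    expected = prf(k, b"mac", sqn + rand, MAC_LEN)
    if not hmac.compare_digest(xmac, expected):
        raise ValueError("XMAC check failed")
    return int.from_bytes(sqn, "big")


def observer_xor(auts_a: bytes, auts_b: bytes) -> int:
    """What a passive observer without K can compute from two AUTS:
    drop the fixed-position XMAC and XOR the remaining parts."""
    return int.from_bytes(
        xor_bytes(auts_a[:SQN_LEN], auts_b[:SQN_LEN]), "big"
    )


def demo() -> dict:
    k = bytes(range(16))        # constructed long-term key K
    rand = bytes([0xA5]) * 16   # constructed RAND, same for both responses
    sqn_a, sqn_b = 1000, 1001   # two close second-SQN values of one UE
    results = {}
    for name, bind_mac in (("baseline", False), ("mac_bound", True)):
        auts_a = make_auts(k, rand, sqn_a, bind_mac)
        auts_b = make_auts(k, rand, sqn_b, bind_mac)
        results[name] = {
            "observer_xor": observer_xor(auts_a, auts_b),
            "recovered": recover_sqn(k, rand, auts_b, bind_mac),
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:9s} observer_xor={r['observer_xor']:#x} "
              f"recovered_sqn={r['recovered']}")
```

In the baseline the AK cancels and the observer sees the XOR of the two SQNs; with the XMAC bound into the AK the masks differ per message, while the UDM can still recompute the AK because the XMAC is sent in the clear.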
  • The unified data management network element is taken as an example of the core network device.
  • The embodiments of this application do not exclude the core network device being another network element.
  • Any network element that can pre-store the first order value and needs to synchronize the second order value with the terminal device can serve as the core network device.
  • Method 1 Use the authentication key to symmetrically encrypt the SQN.
  • the first method of a parameter sending method provided by an embodiment of the present application is introduced, and the method includes:
  • Step 301 During the authentication process of the unified data management network element and the terminal device, the unified data management network element may send the random number and the first sequence value to the terminal device.
  • The home network needs to ensure that the terminal device has a legal identity and has signed a contract with the home network, and the terminal device needs to confirm that the home network is legitimate and is not a malicious network.
  • the authentication process is based on the key K stored separately by the unified data management network element and the terminal device.
  • the authentication process can be seen in the embodiment shown in Figure 2, which includes the unified data management network element sending an authentication vector carrying AUTN to the terminal device. If the terminal device verifies that the SQN carried in the AUTN is within the correct range (that is, the difference between the locally pre-stored SQN is less than or equal to the threshold) and the MAC is correct, the terminal device authenticates the home network successfully. After the authentication is successful, the terminal device sends XRES* to the home network.
  • The home network authenticates the terminal device successfully; but if the terminal device fails to authenticate the home network, for example because the SQN carried in the AUTN is not within the correct range (that is, its difference from the locally pre-stored SQN is greater than the threshold), the terminal device needs to synchronize the locally pre-stored SQN with the home network.
  • the parameter sending manner provided in the embodiments of the present application can be used to realize the SQN synchronization of the terminal device and the home network.
  • Step 302 The terminal device determines that the difference between the first sequence value and the locally pre-stored second sequence value is greater than the threshold.
  • Step 303 The terminal device uses the authentication key to symmetrically encrypt the locally prestored second order value to generate a synchronization failure parameter.
  • the authentication key is generated based on the random number and the locally prestored key K.
  • Step 304 The terminal device sends a synchronization failure message to the unified data management network element, and the synchronization failure message carries a synchronization failure parameter.
  • Step 305 After receiving the synchronization failure message, the unified data management network element symmetrically decrypts the synchronization failure parameters according to the authentication key to obtain the second order value, where the authentication key is generated based on the random number and the key K of the terminal device .
  • the terminal device When the terminal device needs to access the service network or the home network, the terminal device can perform mutual authentication with the home network.
  • The unified data management network element in the home network can generate an authentication vector, which includes a random number and an authentication token carrying the first order value; the way in which the authentication token carries the first order value is not limited in the embodiments of this application.
  • For example, the method in step 205 may be used; the authentication vector may also include other parameters, such as XRES* and K_AUSF, which is not limited in the embodiments of this application.
  • After the unified data management network element generates the authentication vector, it can send the authentication vector to the authentication service function network element. The authentication service function network element can perform some processing on the authentication vector, as described in step 207, and carry the processed authentication vector in the authentication authentication response sent to the security anchor function network element; it is also possible to carry the authentication vector directly in the authentication authentication response and send it to the security anchor function network element without processing.
  • After the security anchor function network element receives the authentication authentication response, it can send part of the parameters in the authentication vector to the terminal device, so that the terminal device can perform two-way authentication with the home network according to the received parameters.
  • This part of the parameters includes the random number and the authentication token.
  • After the terminal device obtains the authentication token in the user authentication request, it first obtains the first order value from the authentication token; the process by which the terminal device obtains the first order value from the authentication token is the reverse of the process by which the unified data management network element generates the authentication token.
  • For the manner in which the terminal device obtains the first sequence value from the authentication token, refer to the related description in step 210, which is not repeated here.
  • The terminal device and the unified data management network element can each pre-store an SQN locally; the sequence value pre-stored by the unified data management network element is the first sequence value, and the sequence value pre-stored by the terminal device is the second order value.
  • The terminal device compares the first order value with the second order value to prevent replay attacks, that is, to prevent the currently received user authentication request from having been initiated by an attacker. In some scenarios, the SQNs pre-stored locally by the terminal device and the unified data management network element should be consistent, but there may be some deviation.
  • For example, the UE and the UDM network element may not have updated their locally pre-stored SQNs in step: the UDM network element may have incremented the first SQN by one, while the UE side did not increment the second SQN because authentication failed. Therefore, the first order value and the second order value are allowed to be inconsistent, but the difference between the two order values must be less than or equal to the threshold. The embodiments of this application do not limit the specific value of the threshold, and a corresponding threshold can be configured according to the application scenario.
  • If the difference between these two sequence values is greater than the threshold, there may be two reasons: one is that the terminal device is under a replay attack, and the other is that the deviation between the first sequence value pre-stored in the unified data management network element and the second sequence value is too large.
  • The terminal device can synchronize the sequence value with the unified data management network element by sending the locally pre-stored second sequence value to the unified data management network element, so that the unified data management network element can replace the locally pre-stored first sequence value with the second order value.
  • The symmetric encryption in step 303 refers to an encryption method in which the encryption key and the decryption key are the same.
  • The embodiments of this application do not limit the specific encryption algorithm. Any encryption algorithm whose encryption key and decryption key are the same is applicable to the embodiments of this application.
  • The authentication key can be used as the encryption key. For a symmetric encryption algorithm, the required length of the input value and the length of the encryption key are fixed, and the length of the final encrypted value is also fixed.
  • The lengths of the encryption key and the input value need to meet the requirements of the symmetric encryption algorithm. Take the advanced encryption standard (AES) encryption algorithm as an example: the AES encryption algorithm requires that the length of the input value and of the encryption key is 128 bits. If the length of the second sequence value is less than 128 bits, the unified data management network element can extend the second sequence value, for example by connecting a preset sequence to it (such as a sequence of all 1s or all 0s, or a sequence known to both the UE and the unified data management network element), so that the length of the second sequence value connected to the preset sequence is 128 bits. As another example, one or more copies of the second order value can be connected after the second order value, and the first 128 bits taken as the input value. If the length of the second order value is greater than 128 bits, the unified data management network element can shorten the second order value, for example by deleting a preset sequence from it (such as removing a part starting from the first bit of the second order value; it is necessary to ensure that the UE and the unified data management network element both know the deleted preset sequence, so that the unified data management network element can subsequently recover the complete second sequence value), so that the adjusted second sequence value has a length of 128 bits.
  • The above takes the second order value as an example. If the length of the authentication key does not meet the length requirement of the symmetric encryption algorithm for the encryption key, the authentication key can also be adjusted by adding or removing bits.
  • The embodiments of this application do not limit the way of adjusting the authentication key and the second order value. Any way that makes the adjusted authentication key and second order value meet the requirements of the symmetric encryption algorithm for the encryption key and input value is applicable to the embodiments of this application.
  • The encrypted value can be used as the synchronization failure parameter, or the symmetrically encrypted value can be further processed to generate the synchronization failure parameter.
  • For example, the terminal device can generate a message authentication code according to the random number and the locally pre-stored key K, and connect the message authentication code to the encrypted value to generate the synchronization failure parameter. Other parameters can also be introduced in generating the message authentication code; for example, the message authentication code can be generated based on the random number, the locally pre-stored key K, the AMF, and the second order value.
  • To be able to generate the synchronization failure parameter in the manner provided by the embodiments of this application, the terminal device needs to be upgraded.
  • For example, the universal subscriber identity module (USIM) of the terminal device can be upgraded.
  • After the terminal device generates the synchronization failure parameter, it can carry the synchronization failure parameter in the synchronization failure message; optionally, the synchronization failure message also includes a random number.
  • the terminal device can send the synchronization failure message to the security anchor function network element; the security anchor function network element forwards the synchronization failure message to the authentication service function network element; the authentication service function network element sends the synchronization failure message to the unified data management network element .
  • When the unified data management network element receives the synchronization failure parameter, it cannot know which method the terminal device used to generate the synchronization failure parameter. If the unified data management network element believes that the terminal device generated the synchronization failure parameter using the method of the embodiment shown in FIG.
  • The terminal device and the unified data management network element may agree in advance on the generation mode of the synchronization failure parameter. Before sending the synchronization failure message to the unified data management network element, the terminal device may also send a first indication message to the unified data management network element to indicate the generation mode of the synchronization failure parameter. This embodiment of the application does not limit the indication mode.
  • An explicit indication may be used: for example, the first indication message may indicate that the synchronization failure parameter is generated using symmetric encryption, and when the unified data management network element receives the first indication message, it can determine that the synchronization failure parameter received subsequently is generated using symmetric encryption.
  • An implicit indication may also be used: for example, the first indication message can indicate that the synchronization failure parameter is generated using the generation method available after the terminal device (such as a USIM card) is upgraded, or that the terminal device (such as the USIM card) has been upgraded, or the version of the USIM card in the terminal device, such as R15 or R16. When the unified data management network element receives the first indication message, it can determine that the USIM card of the terminal device has been upgraded and that the synchronization failure parameter received subsequently is generated using symmetric encryption.
  • the terminal device may further encrypt the first indication message before sending the first indication message, and this embodiment of the application does not limit the encryption manner.
  • the SUPI encryption method may be used to encrypt the first indication message, and the encryption method may refer to the relevant description of step 201, which will not be repeated here.
  • the terminal device simultaneously sends a first indication message when sending a synchronization failure message to the unified data management network element, and the first indication message is carried in the synchronization failure message.
  • the above-mentioned indication mode and sending mode of the first indication message are only examples, and the embodiment of the present application is not limited. Any generation mode that enables the unified data management network element to learn the synchronization failure parameter is applicable to the embodiment of the present application.
  • the unified data management network element obtains the second order value by reversely generating the synchronization failure parameter from the terminal device; that is, the unified data management network element needs to perform symmetric decryption.
  • The key used for symmetric decryption is still the authentication key. The unified data management network element can generate the authentication key from the random number and the key K of the terminal device in the same way as the terminal device; the random number can be carried in the synchronization failure message.
  • The unified data management network element can save the random number that was randomly generated when the authentication vector was previously generated and, after receiving the synchronization failure message, generate the authentication key from the saved random number and the terminal device's key K.
  • When a terminal device subscribes to the home network, a key K is agreed on. The key K is stored in the terminal device's subscription information, which can be stored in the unified data management network element or in other network elements (such as the unified data repository (UDR) network element), from which the unified data management network element can obtain the subscription information of the terminal device; the key K is also stored locally in the terminal device.
  • If other parameters were also introduced when the synchronization failure parameter was generated, for example if the terminal device connected the message authentication code after the encrypted value after symmetrically encrypting the second sequence value, the unified data management network element can remove the message authentication code from the synchronization failure parameter and then use the authentication key to symmetrically decrypt the remaining part of the synchronization failure parameter to obtain the second sequence value.
  • After the unified data management network element obtains the second sequence value, it can directly replace the locally stored first sequence value with it; it can also first compare the second sequence value with the first sequence value and replace the locally stored first sequence value only after determining that the two values are inconsistent.
  • Method 2: In addition to the random number and the key K, the message authentication code is also introduced in the process of generating the authentication key.
  • The second method of the parameter sending method provided in an embodiment of the present application is introduced below; the method includes:
  • Step 401: The same as step 301. For details, refer to the related description of step 301, which is not repeated here.
  • Step 402: The same as step 302. For details, refer to the related description of step 302, which is not repeated here.
  • Step 403: The terminal device connects the message authentication code after the exclusive OR value of the authentication key and the sequence value, where the authentication key is generated based on the first parameter and the first reference value, and the first reference value is generated based on the second parameter and the third parameter. The first parameter, the second parameter, and the third parameter are each any one of the following: a random number, a locally pre-stored key K, a message authentication code; the first parameter, the second parameter, and the third parameter are different parameters.
  • Step 404: The same as step 304. For details, refer to the related description of step 304, which is not repeated here.
  • Step 405: The unified data management network element first obtains the message authentication code from the synchronization failure parameter, and then obtains the second sequence value from the synchronization failure parameter according to the authentication key; the unified data management network element generates the authentication key in the same manner as the terminal device generates the authentication key.
  • The authentication key is generated through two dual-input single-output operations (that is, each operation takes 2 input values and produces 1 output value), and the message authentication code is introduced during the operations. According to the parameters used in each dual-input single-output operation, the authentication key generation methods can be divided into the following three:
  • the first type is to generate a first reference value based on a random number and a message authentication code, and generate an authentication key based on the first reference value and the key K.
  • the terminal device may first generate the message authentication code according to the random number and the key K; for example, when generating the message authentication code, other parameters such as the second SQN and AMF may also be introduced. After the message authentication code is generated, the first reference value can be generated with a random number.
  • the embodiment of this application does not limit the operation method of generating the first reference value based on the random number and the message authentication code. Any operation method that can generate one parameter from two parameters is applicable to the embodiment of this application.
  • For example, the exclusive OR operation can be used. Besides the XOR operation, the first operation in the embodiment shown in FIG. 2 can also be used, that is, the F5 operation is used to generate the first reference value. For the F5 operation, refer to the relevant description in the embodiment shown in FIG. 2; the random number and the message authentication code can each replace either of RAND and K in the OUT5 generating formula.
  • The terminal device can generate an authentication key according to the first reference value and the key K.
  • The embodiment of the present application does not limit the calculation method of generating the authentication key based on the first reference value and the key K. The same calculation method as that of the first reference value can be used to generate the authentication key, or a different one; any operation method that can generate one parameter from two parameters is applicable to the embodiment of this application. For example, an exclusive OR operation, a multiplication operation, or the first operation in the embodiment shown in FIG. 2 can be used, that is, the F5 operation is used to generate the first reference value; the key K and the first reference value can each replace either of RAND and K in the OUT5 generating formula.
  • the second type is to generate a first reference value according to the key K and a message authentication code, and generate an authentication key according to the first reference value and a random number.
  • In the second type, the first reference value is generated according to the key K and the message authentication code, and then the authentication key is generated according to the first reference value and the random number; that is, the key K and the random number are introduced in the opposite order to the first type. For the operation methods adopted, refer to the relevant description of the first type, which is not repeated here.
  • the third type is to generate the first reference value according to the random number and the key K, and generate the authentication key according to the first reference value and the message authentication code.
  • The first reference value is generated based on the random number and the key K. The embodiment of the present application does not limit the calculation method for generating the first reference value; any calculation method that can generate one parameter from two parameters is applicable to the embodiments of the present application.
  • For example, an XOR operation, which requires little computation, may be used to generate the first reference value by XORing the random number and the key K, or other operation methods may also be used; for example, the first operation in the embodiment shown in FIG. 2 is used, that is, the F5 operation is used to generate the first reference value, and the key K and the random number can each replace either of RAND and K in the OUT5 generating formula.
  • The terminal device may generate an authentication key according to the first reference value and the message authentication code.
  • The embodiment of the present application does not limit the calculation method of generating the authentication key based on the first reference value and the key K. The same calculation method as that of the first reference value can be used to generate the authentication key, or a different one; any operation method that can generate one parameter from two parameters is applicable to the embodiment of this application.
  • For example, the first reference value and the message authentication code can be XORed to generate an authentication key; the first operation in the embodiment shown in FIG. 2 can also be used, that is, the F5 operation is used to generate the first reference value. For the F5 operation, refer to the relevant description in the embodiment shown in FIG. 2; the message authentication code and the first reference value can each replace either of RAND and K in the OUT5 generating formula.
  • Because the way the terminal device generates the authentication key in the embodiment of this application differs from the way AK is generated in the embodiment shown in FIG. 2, the terminal device needs to be upgraded in order to generate the synchronization failure parameter in the manner provided by the embodiment of this application; for example, the universal subscriber identity module (USIM) of the terminal device can be upgraded.
  • The above three ways of generating authentication keys are all examples; the embodiment of this application does not limit the way of generating authentication keys. In all three ways, both the first reference value and the final authentication key are generated with a dual-input single-output calculation; compared with the generation method shown in FIG. 2, there is only one more calculation. If the upgrade approach is used, a terminal device that uses any of the above three methods of generating an authentication key needs only minor changes: it only needs to be configured to support multiple operations, which reduces the changes to the terminal device while ensuring the security of the second sequence value.
  • The authentication key and the second sequence value are XORed, and the message authentication code is connected after the exclusive OR value of the authentication key and the second sequence value (that is, the XOR value and the message authentication code are spliced) to generate synchronization authentication parameters.
  • When the unified data management network element receives the synchronization failure parameter, it cannot know which method the terminal device used to generate the authentication key. If the unified data management network element believes that the terminal device generated the synchronization failure parameter using the method of the embodiment shown in FIG. 2, the unified data management network element will fail to obtain the second sequence value correctly. To avoid this, the terminal device and the unified data management network element may agree in advance on the generation mode of the authentication key; before sending the synchronization failure message to the unified data management network element, the terminal device may also send a first indication message to the unified data management network element to indicate the method of generating the authentication key. The embodiment of the present application does not limit the indication mode.
  • An explicit indication may be used: for example, the first indication message may indicate that the authentication key is generated using method one (method one is taken as an example; any of the other methods may also be used), and after receiving the first indication message, the unified data management network element can determine that the authentication key in the synchronization failure parameter received subsequently was generated using method one.
  • An implicit indication may also be used: for example, the first indication message may indicate that the authentication key is generated by the generation method available after the terminal device (such as the USIM card) is upgraded, or that the terminal device (such as the USIM card) has been upgraded, or the version information of the terminal device (such as the USIM card), for example that the release of the USIM card is R15 or R16. When the unified data management network element receives the first indication message, it can determine whether the USIM card of the terminal device has been upgraded and whether the authentication key received subsequently was generated using one of the above three methods. The specific method used may be pre-configured in the unified data management network element; for example, the unified data management network element may be pre-configured so that, if the terminal device has been upgraded, the authentication key is generated using method one.
  • the terminal device simultaneously sends a first indication message when sending a synchronization failure message to the unified data management network element, and the first indication message is carried in the synchronization failure message.
  • the above-mentioned indication mode and sending mode of the first indication message are only examples, and the embodiment of the present application is not limited. Any generation mode that enables the unified data management network element to learn the synchronization failure parameter is applicable to the embodiment of the present application.
  • The unified data management network element obtains the second sequence value by reversing the way the terminal device generated the synchronization failure parameter.
  • To ensure that the authentication key used by the unified data management network element is the same as the authentication key used on the terminal device side, the unified data management network element needs to obtain the message authentication code generated on the terminal device side. Because the terminal device connects the message authentication code after the XOR value once it has XORed the authentication key with the second sequence value, the fixed number of trailing bits of the synchronization failure parameter is the message authentication code, and the unified data management network element can obtain the message authentication code directly from the synchronization failure parameter. The unified data management network element then generates the authentication key in the same manner as the terminal device and XORs the authentication key with the part of the synchronization failure parameter that remains after the message authentication code is removed, to obtain the second sequence value.
  • the unified data management network element generates the authentication key in the same manner as the terminal device, and the unified data management network element can obtain the terminal device's key K from the contract information of the terminal device.
  • the manner in which the unified data management network element generates the authentication key will not be repeated here, and may refer to the manner in which the terminal device generates the authentication key.
  • After the unified data management network element obtains the second sequence value, it can directly replace the locally stored first sequence value with it; it can also first compare the second sequence value with the first sequence value and replace the locally stored first sequence value only after determining that the two values are inconsistent.
  • The unified data management network element can perform integrity verification on the message authentication code obtained from the synchronization failure parameter; specifically, the unified data management network element can generate a check value in the same way the terminal device generates the message authentication code. For example, if the terminal device generates the message authentication code based on the key K, the random number, the second sequence value, and the AMF, the unified data management network element may also generate the check value from the key K, the random number, the second sequence value, and the AMF.
  • If the check value is consistent with the message authentication code, the check passes; otherwise the check fails, indicating that the information received by the unified data management network element may have been tampered with and that the second sequence value it obtained may be wrong. The unified data management network element may then request the second sequence value from the terminal device again, or may not replace the locally stored first sequence value with the second sequence value.
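The round trip described in steps 403 to 405, including the three ways of deriving the authentication key and the check of the recovered value against the message authentication code, is shown below as an added example that is not taken from the application. HMAC-SHA-256 stands in for the F5 and MAC operations, and all function names, field sizes (48-bit sequence value, 64-bit message authentication code, 128-bit reference value) and sample values are assumptions made for the illustration.

```python
"""Added illustration: synchronization failure parameter whose authentication
key mixes in the message authentication code. All names are hypothetical."""
import hashlib
import hmac

SQN_LEN = 6    # 48-bit sequence value (assumed size)
MAC_LEN = 8    # 64-bit message authentication code (assumed size)
REF_LEN = 16   # 128-bit first reference value (assumed size)


class SyncFailureRejected(ValueError):
    """The recomputed check value does not match the received MAC."""


def op(a: bytes, b: bytes, label: bytes, out_len: int) -> bytes:
    """Dual-input single-output operation.

    HMAC-SHA-256 is a stand-in picked for this example; it is NOT the
    F5 or f1* operation that the application refers to.
    """
    return hmac.new(a, label + b, hashlib.sha256).digest()[:out_len]


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def message_auth_code(k: bytes, rand: bytes, sqn: bytes, amf: bytes) -> bytes:
    """MAC over the random number, second sequence value and AMF under K."""
    return op(k, rand + sqn + amf, b"mac", MAC_LEN)


def derive_auth_key(way: int, k: bytes, rand: bytes, mac: bytes) -> bytes:
    """Two chained dual-input operations; 'way' selects the input order."""
    order = {
        1: (rand, mac, k),    # ref = op(RAND, MAC), AK = op(ref, K)
        2: (k, mac, rand),    # ref = op(K, MAC),    AK = op(ref, RAND)
        3: (rand, k, mac),    # ref = op(RAND, K),   AK = op(ref, MAC)
    }
    if way not in order:
        raise ValueError("unknown generation way")
    second, third, first = order[way]
    ref = op(second, third, b"ref", REF_LEN)   # first reference value
    return op(ref, first, b"ak", SQN_LEN)      # authentication key


def build_sync_failure_param(way, k, rand, sqn, amf) -> bytes:
    """Terminal side: (AK xor SQN) followed by the MAC."""
    mac = message_auth_code(k, rand, sqn, amf)
    return xor(derive_auth_key(way, k, rand, mac), sqn) + mac


def recover_sequence_value(way, k, rand, param, amf) -> bytes:
    """Network side: split off the MAC, rebuild AK, unmask, then verify."""
    if len(param) != SQN_LEN + MAC_LEN:
        raise SyncFailureRejected("unexpected parameter length")
    masked, mac = param[:SQN_LEN], param[SQN_LEN:]
    sqn = xor(derive_auth_key(way, k, rand, mac), masked)
    check = message_auth_code(k, rand, sqn, amf)
    if not hmac.compare_digest(check, mac):
        # Tampering, or the two sides disagree on the generation way:
        # the stored sequence value must not be replaced.
        raise SyncFailureRejected("check value mismatch")
    return sqn


# Constructed sample values, not taken from any real subscription.
K = bytes.fromhex("00112233445566778899aabbccddeeff")
RAND = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
AMF = bytes.fromhex("0000")
SQN_UE = (0x12A5).to_bytes(SQN_LEN, "big")

if __name__ == "__main__":
    for way in (1, 2, 3):
        param = build_sync_failure_param(way, K, RAND, SQN_UE, AMF)
        got = recover_sequence_value(way, K, RAND, param, AMF)
        print(way, param.hex(), got.hex())
```

Because the check value is recomputed over the recovered sequence value, a mismatch between the generation way assumed by the network side and the one used by the terminal is rejected in the same way as a modified parameter.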
  • a parameter sending method provided by an embodiment of this application includes:
  • Step 501: The same as steps 201 to 210. For details, refer to the related descriptions of steps 201 to 210 shown in FIG. 2, which are not repeated here.
  • Step 502: If the difference between the first SQN and the second SQN is greater than the threshold, the UE sends a synchronization failure message carrying AUTS and RAND to the SEAF network element.
  • f5* represents the first operation, the length of the input value is required to be 128 bits, xor represents the exclusive OR, TEMP is the first reference value, the length of the reference value is 48 bits, the operation method used to generate XMAC is f1*, and the length is 64 bits, as an example. The following are respectively introduced:
  • AK is calculated by exclusive OR (xor) or the first operation, and the second SQN is symmetrically encrypted with AK as the encryption key.
  • f6* is the symmetric encryption algorithm, and AK is used for the second SQN.
  • XMAC is spliced after the generated result value.
  • the encryption key, input and output of symmetric encryption are as follows, taking the AK length of 128 bits as an example (bit):
  • Encryption key AK, the length is 128bit.
  • Input value second SQN
  • Method two: two first operations are used to calculate AK. XMAC is used as one input value of the first operation, RAND is used as the other input value of the first operation, and the output is the first reference value. The first reference value and the key K are used as the two input values of the second first operation, and the output is AK.
  • the XMAC is spliced after the generated result value to generate AUTS,
  • The third way: as shown in 6C, two first operations are used to calculate AK. XMAC is used as one input value of the first operation, the key K is used as the other input value of the first operation, and the output is the first reference value.
  • the first reference value and RAND are used as the two input values of the second first operation, and the output is AK; after AK and the second SQN are XORed, the XMAC is spliced after the generated result value to generate AUTS,
  • Method 4: two first operations are used to calculate AK, or one first operation and one exclusive OR operation are used to calculate AK. The key K and RAND are used as the two input values of the first first operation, which outputs the first reference value; afterwards, AK is output from XMAC and the first reference value using the first operation, or XMAC and the first reference value are XORed to output AK. After AK and the second SQN are XORed, XMAC is spliced after the generated result value to generate AUTS.
  • XMAC is used as one input of the first operation, and the first 128 bits of the first reference value are used as the other input of the first operation.
  • Manner 5: as shown in 6E, the key K and RAND are XORed to obtain the first reference value.
  • XMAC and TEMP are used as the two inputs of the first operation, which outputs AK; after AK and the second SQN are XORed, XMAC is spliced after the generated result value to generate AUTS.
  • In the above, the F5 operation is taken as an example of the first operation. For the F5 operation process, refer to the related description of step 210 in the embodiment shown in FIG. 2. The embodiment of this application does not limit which of the two input parameters of the F5 operation replaces RAND and which replaces K; this can be set according to specific scenarios.
  • Step 503 The same as steps 212 to 213, for details, please refer to the related descriptions of steps 212 to 213 shown in FIG. 2, which will not be repeated here.
  • Step 504 After receiving the AUTS, the UDM network element obtains the second SQN from the AUTS, and saves the second SQN.
  • the UDM network element side can adopt the corresponding five methods to obtain the second SQN from the AUTS, which are introduced separately as follows:
  • The UDM network element removes XMAC from AUTS to obtain f6*_AK(second SQN), calculates AK by exclusive OR (xor) or the first operation, and uses AK as the decryption key to decrypt f6*_AK(second SQN) and obtain the second SQN.
  • The UDM network element obtains the XMAC from the AUTS; the remaining part of the AUTS with the XMAC removed is the exclusive OR of the second SQN and AK. The UDM network element can generate AK in the manner shown in FIGS. 6B-6E and XOR it with the remaining part of the AUTS, with the XMAC removed, to obtain the second SQN.
  • an embodiment of the present application also provides a communication device for executing the method executed by the terminal device or UE in the method embodiment shown in FIGS. 4 and 5.
  • the device includes a receiving unit 701, a processing unit 702, and a sending unit 703:
  • the receiving unit 701 is configured to receive the random number and the first sequence value from the unified data management network element.
  • The processing unit 702 is configured to, after determining that the difference between the first sequence value and the locally pre-stored second sequence value is greater than the threshold, connect the message authentication code after the exclusive OR value of the authentication key and the sequence value to generate the synchronization failure parameter. The authentication key is generated based on the first parameter and the first reference value, and the first reference value is generated based on the second parameter and the third parameter; the first parameter, the second parameter, and the third parameter each include any one of the following: the random number, the locally pre-stored key K, the message authentication code.
  • the sending unit 703 is configured to send a synchronization failure message to the unified data management network element, and the synchronization failure message carries a synchronization failure parameter.
  • the processing unit 702 to generate the authentication key according to the first parameter and the first reference value, two of which are listed below:
  • the operation generates an authentication key based on the first reference value and the key K.
  • the operation generates an authentication key based on the first reference value and the random number.
  • When the processing unit 702 generates the authentication key according to the first parameter and the first reference value, the following method may also be adopted: first generate the first reference value according to the random number and the key K, and then generate the authentication key according to the first reference value and the message authentication code.
  • When the processing unit 702 generates the first reference value according to the random number and the key K, in addition to the F5 operation, other operations such as an exclusive OR operation can be used; for example, the random number and the key K are XORed to generate the first reference value.
  • When the processing unit 702 generates the authentication key according to the first reference value and the message authentication code, in addition to the F5 operation, other operations such as an exclusive OR operation can be used; for example, the first reference value and the message authentication code are XORed to generate the authentication key.
  • The sending unit 703 may also inform the unified data management network element of the method of generating the authentication key; for example, it may send a first indication message to the unified data management network element, where the first indication message is used to indicate the way of generating the authentication key.
  • the synchronization failure message includes a first indication message, and the first indication message is used to indicate a manner of generating the authentication key.
  • an embodiment of the present application also provides a communication device for executing the method performed by the unified data management network element or UDM network element in the method embodiment shown in FIGS. 4 and 5,
  • the device includes a sending unit 801, a receiving unit 802, and a processing unit 803:
  • the sending unit 801 is configured to send the random number and the first sequence value to the terminal device.
  • the receiving unit 802 is configured to receive a synchronization failure message from a terminal device, and the synchronization failure message carries a synchronization failure parameter.
  • the processing unit 803 is configured to obtain the message authentication code from the synchronization failure parameter; obtain the second order value from the synchronization failure parameter according to the authentication key, the authentication key is generated according to the first parameter and the first reference value, and the first reference value It is generated according to the second parameter and the third parameter, where the first parameter, the second parameter and the third parameter respectively include any of the following: a random number, a key K of the terminal device, and a message authentication code.
  • the operation generates an authentication key based on the first reference value and the key K.
  • the operation generates an authentication key based on the first reference value and the random number.
  • when the processing unit 803 generates the authentication key according to the first parameter and the first reference value, the following method may also be adopted: first generate the first reference value according to the random number and the key K, and then generate the authentication key according to the first reference value and the message authentication code.
  • when the processing unit 803 generates the first reference value according to the random number and the key K, operations other than the F5 operation, such as an exclusive OR operation, can be used.
  • for example, the random number and the key K are XORed to generate the first reference value.
  • when the processing unit 803 generates the authentication key according to the first reference value and the message authentication code, operations other than the F5 operation, such as an exclusive OR operation, can be used; for example, the first reference value and the message authentication code are XORed to generate the authentication key.
  • the receiving unit 802 may also receive a first indication message from the terminal device, where the first indication message is used to indicate the manner of generating the authentication key.
  • the synchronization failure message includes a first indication message, and the first indication message is used to indicate a manner of generating the authentication key.
  • an embodiment of the application also provides a communication device for executing the method executed by the terminal device or UE in the method embodiment shown in FIGS. 3 and 5.
  • the apparatus includes a receiving unit 901, a processing unit 902, and a sending unit 903:
  • the receiving unit 901 is configured to receive the random number and the first sequence value from the unified data management network element.
  • the processing unit 902 is configured to: after determining that the difference between the first sequence value and the locally pre-stored second sequence value is greater than the threshold, use the authentication key to symmetrically encrypt the second sequence value to generate a synchronization failure parameter.
  • the authentication key is generated based on the random number and the locally pre-stored key K.
  • the sending unit 903 is configured to send a synchronization failure message to the unified data management network element, and the synchronization failure message carries a synchronization failure parameter.
  • the sending unit 903 may further send a first indication message, where the first indication message is used to indicate the generation manner of the synchronization failure parameter.
  • the synchronization failure message includes a first indication message, and the first indication message is used to indicate a manner of generating the synchronization failure parameter.
  • the embodiment of the application also provides a communication device for executing the method performed by the unified data management network element or UDM network element in the method embodiment shown in FIGS. 3 and 5.
  • the device includes a sending unit 1001, a receiving unit 1002, and a processing unit 1103:
  • the sending unit 1001 is configured to send the random number and the first sequence value to the terminal device.
  • the receiving unit 1002 is configured to receive a synchronization failure message from a terminal device, and the synchronization failure message carries a synchronization failure parameter.
  • the processing unit 1003 is configured to symmetrically decrypt the synchronization failure parameter according to the authentication key to obtain the second sequence value.
  • the authentication key is generated according to the random number and the key K of the terminal device.
  • the receiving unit 1002 may also receive a first indication message from the terminal device, where the first indication message is used to indicate the manner of generating the authentication key.
  • the synchronization failure message includes a first indication message, and the first indication message is used to indicate a manner of generating the authentication key.
  • the division of units in the embodiments of this application is illustrative, and is only a logical function division. In actual implementation, there may be other division methods.
  • the functional units in the various embodiments of this application can be integrated into one processor, can exist alone physically, or two or more units can be integrated into one module.
  • the above-mentioned integrated unit can be realized in the form of hardware or software function module.
  • if the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • the technical solution of this application essentially, or the part that contributes to the existing technology, or all or part of the technical solution, can be embodied in the form of a software product; the computer software product is stored in a storage medium and includes a number of instructions to enable a terminal device (which may be a personal computer, a mobile phone, or a network device, etc.) or a processor to execute all or part of the steps of the method in each embodiment of the present application.
  • the aforementioned storage media include: U disk, mobile hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk, optical disk and other media that can store program code.
  • both the unified data management network element and the terminal device may be presented in the form of dividing each functional module in an integrated manner.
  • the "module" here can refer to a specific ASIC, circuit, processor and memory that executes one or more software or firmware programs, integrated logic circuit, and/or other devices that can provide the above-mentioned functions.
  • the unified data management network element may adopt the form shown in FIG. 11.
  • the communication device 1100 shown in FIG. 11 includes at least one processor 1101, a memory 1102, and optionally, a communication interface 1103.
  • the memory 1102 may be a volatile memory, such as random access memory; the memory may also be a non-volatile memory, such as read-only memory, flash memory, hard disk drive (HDD) or solid-state drive (solid-state drive, SSD) or the memory 1102 is any other medium that can be used to carry or store desired program codes in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto.
  • the memory 1102 may be a combination of the foregoing memories.
  • connection medium between the foregoing processor 1101 and the memory 1102 is not limited in the embodiment of the present application.
  • the processor 1101 may have a data transceiver function and can communicate with other devices.
  • an independent data transceiver module, such as a communication interface 1103, may be used to send and receive data; when the processor 1101 communicates with other devices, data transmission can be performed through the communication interface 1103.
  • the processor 1101 in FIG. 11 can invoke the computer execution instructions stored in the memory 1402, so that the base station can execute the method executed by the base station in any of the foregoing method embodiments.
  • the functions/implementation processes of the sending unit, the receiving unit, and the processing unit of FIG. 9 or 10 may all be implemented by the processor 1101 in FIG. 11 calling a computer execution instruction stored in the memory 1102.
  • the function/implementation process of the processing unit in FIG. 9 or 10 can be implemented by the processor 1101 in FIG. 11 calling a computer execution instruction stored in the memory 1102, and the function/implementation process of the sending unit and the receiving unit in FIG. 9 or 10 can be implemented through the communication interface 1103 in FIG. 11.
  • the terminal device may adopt the form shown in FIG. 12.
  • the communication device 1200 shown in FIG. 12 includes at least one processor 1201, a memory 1202, and optionally, a transceiver 1203.
  • the memory 1202 may be a volatile memory, such as a random access memory; the memory may also be a non-volatile memory, such as read only memory, flash memory, hard disk drive (HDD) or solid-state drive (solid-state drive, SSD) or the memory 1202 is any other medium that can be used to carry or store desired program codes in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto.
  • the memory 1202 may be a combination of the above-mentioned memories.
  • connection medium between the foregoing processor 1201 and the memory 1202 is not limited in the embodiment of the present application.
  • the processor 1201 may have a data transceiving function and can communicate with other devices.
  • an independent data transceiving module, such as a transceiver 1203, can be set to transmit and receive data; when the processor 1201 communicates with other devices, data transmission can be performed through the transceiver 1203.
  • the processor 1201 in FIG. 12 can invoke the computer execution instructions stored in the memory 1202, so that the terminal device can execute the method executed by the terminal device in any of the foregoing method embodiments.
  • the functions/implementation processes of the receiving unit, the processing unit, and the sending unit in FIG. 7 or 8 can all be implemented by the processor 1201 in FIG. 12 calling a computer execution instruction stored in the memory 1202.
  • the function/implementation process of the processing unit in FIG. 7 or 8 can be realized by the processor 1201 in FIG. 12 calling a computer execution instruction stored in the memory 1202, and the function/implementation process of the receiving unit and the sending unit in FIG. 7 or 8 can be implemented by the transceiver 1203 in FIG. 12.
  • the embodiments of the present application can be provided as methods, systems, or computer program products. Therefore, the present application may adopt the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, this application may adopt the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program codes.
  • These computer program instructions can also be stored in a computer-readable memory that can guide a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, and the instruction device implements the functions specified in one process or multiple processes in the flowchart and/or one block or multiple blocks in the block diagram.
  • These computer program instructions can also be loaded on a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, and the instructions executed on the computer or other programmable equipment provide steps for implementing functions specified in a flow or multiple flows in the flowchart and/or a block or multiple blocks in the block diagram.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

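A parameter sending method and apparatus, used to solve the problem that the existing way of sending the SQN has poor security. In this application, during authentication the terminal device may receive a random number and a first sequence value from a core network device. After determining that the difference between the first sequence value and a locally pre-stored second sequence value is greater than a threshold, the terminal device concatenates a message authentication code after the XOR value of an authentication key and the sequence value to generate a synchronization failure parameter, where the authentication key is generated from the random number, the locally pre-stored key K and the message authentication code through two two-input, one-output operations, which ensures that the second sequence value is transmitted securely. The terminal device sends a synchronization failure message carrying the synchronization failure parameter to the core network device; after receiving the synchronization failure parameter, the core network device generates the authentication key in the same way and obtains the second sequence value from the synchronization failure parameter.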

Description

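A parameter sending method and apparatus
Cross-reference to related applications
This application claims priority to Chinese patent application No. 201910335677.3, filed with the Chinese Patent Office on April 24, 2019 and entitled "A parameter sending method and apparatus", which is incorporated herein by reference in its entirety.
Technical field
This application relates to the field of communications technologies, and in particular to a parameter sending method and apparatus.
Background
In a mobile communication system, when a terminal device moves outside its home network and is within the range of a serving network, the terminal device needs to perform mutual authentication with the home network so that the serving network can provide services for it; after authentication succeeds, the home network can send the terminal device's subscription information to the serving network.
During mutual authentication between the terminal device and the home network, the home network sends a sequence value (sequence number, SQN) to the terminal device through the serving network; the SQN is used to protect against replay attacks. After receiving the SQN, the terminal device determines whether the SQN is within a preset range. If it is, the SQN can be considered not to have been sent by an attacker, which achieves replay protection; otherwise, the terminal device sends its locally stored SQN to the home network through the serving network, so that the home network can store that SQN and later use the stored SQN for mutual authentication with the terminal device.
However, when sending the SQN, the terminal device first XORs the SQN with an authentication key (AK) to obtain a result value, and that result value, concatenated with a message authentication code (MAC), forms the AUTS that is sent to the home network.
An attacker can intercept an authentication token carrying the SQN sent by the home network and then replay that authentication token to the terminal device multiple times. Each time the terminal device receives the authentication token, it returns an authentication failure message with synchronization failure (AUTS). However, in the way the AUTS is generated, the AK is fixed and the position of the message authentication code in the AUTS does not change, so an attacker who has received two different AUTS values can, with a simple operation, determine whether the SQNs in the two AUTS values are close, and on that basis determine whether the two different AUTS values come from the same terminal device. The terminal device is therefore easy to track; in other words, the existing way of sending the SQN has poor security.
Summary
This application provides a parameter sending method and apparatus, to solve the problem in the prior art that the way of sending the SQN has poor security.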
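In a first aspect, an embodiment of this application provides a parameter sending method, which may be performed by a terminal device or a chip in a terminal device. The method includes: during authentication, the terminal device may receive a random number and a first sequence value from a core network device. For example, the core network device may be a unified data management network element, which during authentication of the terminal device may send an authentication response carrying the random number and the first sequence value to a security anchor function network element; the security anchor function network element may then carry the random number and the first sequence value in a user authentication request sent to the terminal device, where the first sequence value may be carried in an authentication token. The terminal device may obtain the first sequence value from the authentication token and, when it determines that the first sequence value is outside the correct range (for example, it compares the first sequence value with a locally pre-stored second sequence value and determines that the difference between them is greater than a threshold), concatenate a message authentication code after the XOR value of an authentication key and the second sequence value to generate a synchronization failure parameter. The authentication key is generated by the terminal device according to a first parameter and a first reference value, and the first reference value is generated according to a second parameter and a third parameter, where the first parameter, the second parameter and the third parameter are each any one of the following: the random number, the locally pre-stored key K, and the message authentication code. After generating the synchronization failure parameter, the terminal device sends a synchronization failure message carrying the synchronization failure parameter to the core network device. The first parameter, the second parameter and the third parameter may differ from one another, that is, one of them is the message authentication code; the first parameter, the second parameter and the third parameter may also include identical parameters.
With the above method, when the difference between the first sequence value from the core network device and the second sequence value pre-stored locally by the terminal device is large, the terminal device can carry the second sequence value in the synchronization failure parameter to notify the core network device. Because the message authentication code is introduced when the authentication key in the synchronization failure parameter is generated, the generated authentication keys are different and differ considerably, and so do the resulting synchronization failure parameters. Even if an attacker obtains two synchronization failure parameters from the terminal device, the attacker cannot infer the second sequence value through a simple XOR operation, which ensures the security of the second sequence value.
In a possible design, there are multiple ways to generate the authentication key according to the first parameter and the first reference value; two of them are listed below:
Manner 1: Generate the first reference value according to the random number and the message authentication code; for example, use the random number and the message authentication code as the two input values of the F5 function to generate the first reference value. Generate the authentication key according to the first reference value and the key K; for example, use the first reference value and the key K as the two output values of the F5 function to generate the authentication key.
Manner 2: Generate the first reference value according to the key K and the message authentication code; for example, use the key K and the message authentication code as the two input values of the F5 function and output the first reference value. Generate the authentication key according to the first reference value and the random number; for example, use the first reference value and the random number as the two input values of the F5 function and output the authentication key.
With the above method, the authentication key is generated through two two-input, one-output operations (that is, the number of input values is 2 and the number of output values is 1), and the message authentication code is introduced as an output value of one of the operations, which ensures the security of the second sequence value and makes it hard to identify.
In a possible design, the authentication key may also be generated as follows: generate the first reference value according to the random number and the key K; for example, the random number and the key K may be used as the two input values of the F5 function and the output value used as the first reference value. Then generate the authentication key according to the first reference value and the message authentication code; for example, the first reference value and the message authentication code may be used as the two input values of the F5 function and the output value used as the authentication key.
With the above method, the authentication key is generated from the random number, the key K and the message authentication code through two two-input, one-output operations, which makes the generation of the authentication key more complex and the second sequence value hard to identify, ensuring the security of the second sequence value.
In a possible design, when the first reference value is generated according to the random number and the key K, operations other than the F5 function, such as an XOR operation, may also be used; that is, the random number and the key K are XORed to generate the first reference value.
With the above method, the XOR operation has a small computational cost, which effectively improves the efficiency of generating the first reference value, so that the authentication key can be generated more quickly while the security of the second sequence value is still ensured.
In a possible design, when the authentication key is generated according to the first reference value and the message authentication code, an XOR operation may be used in addition to the F5 function; that is, the first reference value and the message authentication code are XORed to generate the authentication key.
With the above method, the XOR operation has a small computational cost, which effectively improves the efficiency of generating the authentication key, so that the synchronization failure parameter can be generated more quickly while the security of the second sequence value is still ensured.
In a possible design, before sending the synchronization failure message to the core network device, the terminal device may also inform the core network device of how the authentication key is generated; for example, it may send a first indication message that indicates the generation manner of the authentication key. The first indication message may indicate this explicitly or implicitly, which is not limited in the embodiments of this application.
With the above method, through the first indication message the core network device can learn how the authentication key is generated, so that it can correctly obtain the second sequence value from the synchronization failure parameter.
In a possible design, the synchronization failure message may carry the first indication message, which indicates the generation manner of the authentication key.
With the above method, the core network device can learn how the authentication key is generated from the first indication message carried in the synchronization failure message, so that it can correctly obtain the second sequence value from the synchronization failure parameter; the first indication message does not need to be sent separately, which effectively saves signaling.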
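In a second aspect, an embodiment of this application provides a parameter sending method, which may be performed by a core network device or a chip of a core network device. The method includes: during authentication, the core network device may send a random number and a first sequence value to a terminal device. For example, the core network device may be a unified data management network element, which may send an authentication response carrying the random number and the first sequence value to a security anchor function network element; the security anchor function network element may then send the random number and the first sequence value to the terminal device in a user authentication request, where the first sequence value may be carried in an authentication token. The core network device may then receive a synchronization failure message from the terminal device, the synchronization failure message carrying a synchronization failure parameter. The core network device obtains the message authentication code from the synchronization failure parameter and then obtains the second sequence value from the synchronization failure parameter according to an authentication key. The authentication key may be generated in the same way as on the terminal device side: a first reference value may be generated according to a second parameter and a third parameter, and the authentication key is then generated according to a first parameter and the first reference value, where the first parameter, the second parameter and the third parameter each include any one of the following: the random number, the key K of the terminal device, and the message authentication code. The first parameter, the second parameter and the third parameter may differ from one another, that is, one of them is the message authentication code; the first parameter, the second parameter and the third parameter may also include identical parameters.
With the above method, the core network device can obtain the second sequence value from the synchronization failure parameter according to the authentication key. Because the core network device introduces the message authentication code when generating the authentication key, it can correctly obtain the second sequence value from the synchronization failure parameter. Even if an attacker obtains the synchronization failure parameter from the terminal device, the attacker cannot infer the second sequence value through a simple XOR operation, so the second sequence value can be transmitted securely to the core network device.
In a possible design, there are multiple ways to generate the authentication key according to the first parameter and the first reference value; two of them are listed below:
Manner 1: Generate the first reference value according to the random number and the message authentication code; for example, use the random number and the message authentication code as the two input values of the F5 function, with the output value of the F5 function as the first reference value. Generate the authentication key according to the first reference value and the key K; for example, use the first reference value and the key K as the two output values of the F5 function, with the output value of the F5 function as the authentication key.
Manner 2: Generate the first reference value according to the key K and the message authentication code; for example, use the key K and the message authentication code as the two input values of the F5 function, with the output value of the F5 function as the first reference value. Generate the authentication key according to the first reference value and the random number; for example, use the first reference value and the random number as the two input values of the F5 function, with the output value of the F5 function as the authentication key.
With the above method, the authentication key is generated through two two-input, one-output operations, and the message authentication code is introduced as an input value of one of the operations, which makes it hard for an attacker to identify the second sequence value and so ensures its security.
In a possible design, the authentication key may also be generated as follows: generate the first reference value according to the random number and the key K; for example, the random number and the key K may be used as the two input values of the F5 function and the output value used as the first reference value. Then generate the authentication key according to the first reference value and the message authentication code; for example, the first reference value and the message authentication code may be used as the two input values of the F5 function and the output value used as the authentication key.
With the above method, the authentication key is generated from the random number, the key K and the message authentication code through two two-input, one-output operations, which makes the generation of the authentication key more complex and the second sequence value hard to identify, ensuring the security of the second sequence value.
In a possible design, when the first reference value is generated according to the random number and the key K, operations other than the F5 function, such as an XOR operation, may also be used; that is, the random number and the key K are XORed to generate the first reference value.
With the above method, the XOR operation has a small computational cost, which effectively improves the efficiency of generating the first reference value, so that the authentication key can be generated more quickly.
In a possible design, when the authentication key is generated according to the first reference value and the message authentication code, an XOR operation may be used in addition to the F5 function; that is, the first reference value and the message authentication code are XORed to generate the authentication key.
With the above method, the XOR operation has a small computational cost, which effectively improves the efficiency of generating the authentication key, so that the second sequence value can be obtained more quickly.
In a possible design, before receiving the synchronization failure message from the terminal device, the core network device may also receive a first indication message from the terminal device, which indicates the generation manner of the authentication key.
With the above method, through the first indication message the core network device can learn how the authentication key is generated, so that it can correctly obtain the second sequence value from the synchronization failure parameter.
In a possible design, the synchronization failure message includes the first indication message, which indicates the generation manner of the authentication key.
With the above method, the core network device can learn how the authentication key is generated from the first indication message carried in the synchronization failure message, so that it can correctly obtain the second sequence value from the synchronization failure parameter; the first indication message does not need to be sent separately, which effectively saves signaling.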
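In a third aspect, an embodiment of this application provides a parameter sending method, which may be performed by a terminal device or a chip in a terminal device. The method includes: during authentication, the terminal device may receive a random number and a first sequence value from a core network device. For example, the core network device may be a unified data management network element, which during authentication of the terminal device may send an authentication response carrying the random number and the first sequence value to a security anchor function network element; the security anchor function network element may then carry the random number and the first sequence value in a user authentication request sent to the terminal device, where the first sequence value may be carried in an authentication token. The terminal device may then obtain the first sequence value from the authentication token and compare it with the locally pre-stored second sequence value; after determining that the difference between the first sequence value and the locally pre-stored second sequence value is greater than a threshold, it symmetrically encrypts the second sequence value with an authentication key to generate a synchronization failure parameter, where the authentication key is generated according to the random number and the locally pre-stored key K. It then sends a synchronization failure message to the core network device, the synchronization failure message carrying the synchronization failure parameter.
With the above method, when the difference between the first sequence value from the core network device and the second sequence value pre-stored locally by the terminal device is large, the terminal device can carry the second sequence value in the synchronization failure parameter sent to the core network device. The second sequence value is symmetrically encrypted with the authentication key rather than simply XORed; an attacker cannot obtain the key used for the symmetric encryption (that is, the authentication key) and therefore cannot obtain the second sequence value, which improves the security of the SQN.
In a possible design, before sending the synchronization failure message to the core network device, the terminal device may notify the generation manner of the synchronization failure parameter; for example, it may send a first indication message that indicates the generation manner of the synchronization failure parameter. The first indication message may indicate this explicitly or implicitly, which is not limited in the embodiments of this application.
With the above method, through the first indication message the core network device can learn how the synchronization failure parameter is generated, so that it can correctly obtain the second sequence value from the synchronization failure parameter.
In a possible design, the synchronization failure message includes the first indication message, which indicates the generation manner of the synchronization failure parameter.
With the above method, the core network device can learn how the synchronization failure parameter is generated from the first indication message carried in the synchronization failure message, so that it can correctly obtain the second sequence value from the synchronization failure parameter; the first indication message does not need to be sent separately, which effectively saves signaling.
In a fourth aspect, an embodiment of this application provides a parameter sending method, which may be performed by a core network device or a chip of a core network device. The method includes: during authentication, the core network device may send a random number and a first sequence value to a terminal device. For example, the core network device may be a unified data management network element, which may send an authentication response to a security anchor function network element, the authentication response including the random number and an authentication token carrying the first sequence value; the security anchor function network element may then carry the random number and the first sequence value in a user authentication request sent to the terminal device. The core network device may then receive a synchronization failure message from the terminal device, the synchronization failure message carrying a synchronization failure parameter. The core network device may symmetrically decrypt the synchronization failure parameter according to an authentication key to obtain the second sequence value, where the authentication key is generated according to the random number and the key K of the terminal device.
With the above method, the core network device can symmetrically decrypt the synchronization failure parameter according to the authentication key to obtain the second sequence value. Even if an attacker obtains the synchronization failure parameter, the attacker cannot infer the second sequence value through a simple operation, so the second sequence value can be transmitted securely to the core network device.
In a possible design, before receiving the synchronization failure message from the terminal device, the core network device may also receive a first indication message from the terminal device, which indicates the generation manner of the authentication key.
With the above method, through the first indication message the core network device can learn how the synchronization failure parameter is generated, so that it can correctly obtain the second sequence value from the synchronization failure parameter.
In a possible design, the synchronization failure message includes the first indication message, which indicates the generation manner of the authentication key.
With the above method, the core network device can learn how the synchronization failure parameter is generated from the first indication message carried in the synchronization failure message, so that it can correctly obtain the second sequence value from the synchronization failure parameter; the first indication message does not need to be sent separately, which effectively saves signaling.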
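In a fifth aspect, an embodiment of this application further provides a communication apparatus applied to a terminal device; for the beneficial effects, refer to the description of the first aspect or the third aspect, which is not repeated here. The apparatus has the function of implementing the behavior in the method examples of the first aspect or the third aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the function. In a possible design, the structure of the apparatus includes a receiving unit, a processing unit and a sending unit, which can perform the corresponding functions in the method example of the first aspect; for details, see the detailed description in the method examples, which is not repeated here.
In a sixth aspect, an embodiment of this application further provides a communication apparatus applied to a core network device; for the beneficial effects, refer to the description of the second aspect or the fourth aspect, which is not repeated here. The apparatus has the function of implementing the behavior in the method examples of the second aspect or the fourth aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the function. In a possible design, the structure of the apparatus includes a sending unit, a receiving unit and a processing unit, which can perform the corresponding functions in the method examples of the second aspect or the fourth aspect; for details, see the detailed description in the method examples, which is not repeated here.
In a seventh aspect, an embodiment of this application further provides a communication apparatus applied to a terminal device; for the beneficial effects, refer to the description of the first aspect or the third aspect, which is not repeated here. The structure of the communication apparatus includes a processor and a memory, and the processor is configured to support the base station in performing the corresponding functions in the method of the first aspect or the third aspect. The memory is coupled to the processor and stores the program instructions and data necessary for the communication apparatus. The structure of the communication apparatus further includes a communication interface for communicating with other devices.
In an eighth aspect, an embodiment of this application further provides a communication apparatus applied to a core network device; for the beneficial effects, refer to the description of the second aspect or the fourth aspect, which is not repeated here. The structure of the communication apparatus includes a processor and a memory, and the processor is configured to support the base station in performing the corresponding functions in the method of the second aspect or the fourth aspect. The memory is coupled to the processor and stores the program instructions and data necessary for the communication apparatus. The structure of the communication apparatus further includes a transceiver for communicating with other devices.
In a ninth aspect, this application further provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to perform the methods described in the above aspects.
In a tenth aspect, this application further provides a computer program product containing instructions which, when run on a computer, cause the computer to perform the methods described in the above aspects.
In an eleventh aspect, this application further provides a computer chip connected to a memory; the chip is used to read and execute a software program stored in the memory, to perform the methods described in the above aspects.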
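Brief description of the drawings
FIG. 1A is a schematic diagram of a network system architecture provided by this application;
FIG. 1B is a schematic structural diagram of a terminal device provided by this application;
FIG. 2 is a schematic diagram of a method for mutual authentication between a UE and a home network in the prior art;
FIG. 3 is a schematic diagram of a parameter sending method provided by this application;
FIG. 4 is a schematic diagram of a parameter sending method provided by this application;
FIG. 5 is a schematic diagram of a parameter sending method provided by this application;
FIGS. 6A to 6E are schematic diagrams of a way of generating the AUTS provided by this application;
FIGS. 7 to 12 are schematic structural diagrams of a communication apparatus provided by this application.
Detailed description
To make the objectives, technical solutions and advantages of the embodiments of this application clearer, the embodiments of this application are described in further detail below with reference to the drawings. The specific operation methods in the method embodiments can also be applied to the apparatus embodiments or system embodiments. In the description of this application, unless otherwise stated, "multiple" means two or more. In addition, it should be understood that in the description of the embodiments of this application, words such as "first" and "second" are used only to distinguish between descriptions and are not to be understood as indicating or implying relative importance or order.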
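Refer to FIG. 1A, which is a schematic diagram of a possible network architecture to which this application applies. The network architecture is a 5G network architecture. The network elements in the 5G architecture include user equipment; in FIG. 1A the terminal device is a UE, as an example. The network architecture further includes a radio access network (RAN), an access and mobility function (AMF), unified data management (UDM), an authentication server function (AUSF), a security anchor function (SEAF), and so on.
The main function of the RAN is to control users' wireless access to the mobile communication network. The RAN is part of the mobile communication system and implements a radio access technology. Conceptually, it resides between a device (such as a mobile phone, a computer, or any remotely controlled machine) and provides the connection to its core network.
The AMF network element is responsible for terminal access management and mobility management, such as registration management, connection management, mobility management and reachability management. In practice, it includes the mobility management function of the mobility management entity (MME) in the LTE network framework, with access management added.
The SEAF network element is used to complete authentication of the UE; in 5G, the function of the SEAF can be merged into the AMF.
The AUSF network element provides an authentication service function and is used to terminate the authentication function requested by the SEAF network element; during authentication it receives the authentication vector sent by the UDM, processes it, and sends the processed authentication vector to the SEAF.
The UDM network element can store users' subscription information, generate authentication parameters, and so on.
The ARPF network element has an authentication credential storage and processing function and is used to store users' long-term authentication credentials, such as the permanent key K. In 5G, the function of the ARPF network element can be merged into the UDM network element.
The terminal device in this application, which may also be called user equipment (UE), is a device with a wireless transceiver function. It can be deployed on land, indoors or outdoors, handheld or vehicle-mounted; on water (for example on ships); or in the air (for example on aircraft, balloons and satellites). The terminal device may be a mobile phone, a tablet computer (pad), a computer with a wireless transceiver function, a virtual reality (VR) terminal, an augmented reality (AR) terminal, a wireless terminal in industrial control, a wireless terminal in self driving, a wireless terminal in remote medical, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, and so on.
FIG. 1B is a schematic structural diagram of a UE provided by an embodiment of this application. The UE includes two modules: a universal subscriber identity module (USIM) and a mobile equipment (ME) module.
The USIM may be the SIM card in the UE and can store some of the more important subscription information of the UE, such as, in the embodiments of this application, the key K agreed when the UE subscribes to the home network. The USIM can also perform some parameter calculations; in the embodiments of this application it can generate the message authentication code and the synchronization failure parameter.
The ME module refers collectively to the hardware and software of the UE other than the USIM. The ME module usually does not store UE subscription information with high security requirements; it can provide some auxiliary functions, including forwarding information between the USIM and the network side.
In the embodiments of this application, the SEAF network element and the AUSF network element may be located in the same network or in different networks. For example, the SEAF network element is located in the serving network; in a roaming scenario, the SEAF network element is located in the visited public land mobile network (VPLMN) and the AUSF network element is located in the home network. If the UE is outside the coverage of the home network, it cannot directly access the home network to obtain services.
If the UE is outside the coverage of the home network but within the coverage of the serving network, the UE needs to access the serving network in order to obtain the network services it provides. Because the serving network has no subscription with the UE, for the UE to obtain the network services of the serving network, the serving network needs to verify the UE, and the home network and the UE need to perform mutual authentication. If the UE is within the coverage of the home network, the UE needs to access the home network; the home network and the UE likewise need to perform mutual authentication.
During mutual authentication it must be determined that the first SQN on the UE side and the second SQN stored by the UDM network element are identical, or that the difference between them is within a preset range; if they are not identical or the difference is not within the preset range, the SQNs on the UE side and in the UDM network element need to be synchronized.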
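FIG. 2 is a schematic diagram of the existing fifth-generation authentication and key agreement (5th-Generation authentication and key agreement, 5G-AKA) method, based on the system framework shown in FIG. 1A.
Step 201: The UE sends an encrypted user identifier to the SEAF network element in a registration request.
For example, the UE may encrypt the subscription permanent identifier (SUPI) to generate a subscription concealed identifier (SUCI), and send the SUCI to the SEAF network element in the registration request.
In a possible implementation, the UE encrypts the user identifier with a configured public key to obtain the encrypted user identifier. Optionally, when the network has multiple public/private key pairs, the UE can indicate to the network which public key it used to encrypt the user identifier, so that the network can select the corresponding private key for decryption according to the UE's indication. For example, the UE also carries the key identifier used to decrypt the encrypted user identifier, together with the encrypted user identifier, in the registration request sent to the SEAF network element.
Step 202: To obtain the UE's authentication vector and user identifier from the home network, the SEAF network element carries the encrypted user identifier in an authentication request sent to the AUSF network element in the home network.
Optionally, the authentication request also carries the key identifier.
Step 203: The AUSF network element carries the encrypted user identifier in a UE authentication get request sent to the UDM network element.
Optionally, the UE authentication get request also carries the key identifier.
Step 204: The UDM network element decrypts the encrypted user identifier to obtain the user identifier, and queries the subscription information of the UE corresponding to that user identifier.
Optionally, when the UE authentication get request carries the key identifier, the UDM network element obtains the decryption key according to the key identifier and uses it to decrypt the encrypted user identifier, obtaining the decrypted user identifier.
Step 205: The UDM network element generates an authentication vector according to the UE's subscription information. The authentication vector includes multiple parameters, including a message authentication code (MAC), RAND, the expected challenge response (eXpected RESponse, XRES*) and K_AUSF; the UDM network element also obtains the locally pre-stored first SQN and carries the first SQN and the MAC in an authentication token (AUTN).
Thus, the authentication vector may include RAND, the AUTN carrying the first SQN and the MAC, XRES*, and K_AUSF.
The RAND in the authentication vector is generated randomly by the UDM network element. For the other parameters in the authentication vector, the UDM network element can generate the MAC, XRES* and K_AUSF through different operations according to the UE's key K in the UE subscription information and RAND.
That is, generating the MAC, XRES* and K_AUSF all requires the UE's key K and RAND, but the operations differ. For example, when generating the MAC, in addition to the key K and RAND, the UDM network element may introduce other parameters, such as the first SQN and the authentication management field (AMF); the AMF can indicate the security authentication algorithm used and is known to the UE.
The MAC is used for integrity checking, XRES* is used by the home network to authenticate the UE, and K_AUSF is a derived key synchronized between the UE and the AUSF network element, used to derive the anchor key K_SEAF.
The way the AUTN is generated is described below:
Both the UDM network element and the UE maintain an SQN locally. In the embodiments of this application, the SQN maintained by the UDM network element is the first SQN and the SQN maintained on the UE side is the second SQN, as an example. The UDM network element uses the locally pre-stored first SQN to generate the AUTN in the authentication vector. After generating the AUTN, it updates the first SQN, for example by adding 1 to it, and stores it locally as the first SQN to be used to generate the AUTN in the authentication vector the next time mutual authentication is performed with this terminal.
Based on a first operation (such as f5*, which may also be called the F5 function or F5 operation), the UDM network element generates an authentication key (AK) according to RAND and the UE's key K. The UDM network element then XORs the locally pre-stored first SQN with the AK and concatenates the MAC after the resulting value, that is,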
Figure PCTCN2020086767-appb-000001
It can be seen that the fixed trailing bits of the AUTN are the MAC.
Optionally, the AMF may also be carried in the AUTN,
Figure PCTCN2020086767-appb-000002
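Step 206: The UDM network element sends an authentication get response to the AUSF network element; the authentication get response includes the authentication vector and the user identifier.
Step 207: The AUSF network element further processes the authentication vector, for example by hashing XRES* to generate HXRES* and deriving K_SEAF from K_AUSF; the processed authentication vector includes RAND, AUTN and HXRES*.
Step 208: The AUSF network element sends an authentication response to the SEAF network element; the authentication response carries the processed authentication vector.
Step 209: The SEAF network element sends a user authentication request to the UE; the user authentication request carries some of the parameters of the processed authentication vector, including RAND and AUTN.
Step 210: Based on the first operation, the UE generates the authentication key (AK) according to RAND and the locally stored key K; after removing the MAC from the AUTN, it XORs the remainder of the AUTN with the AK to obtain the first SQN carried in the AUTN.
Taking f5* as the first operation, f5* outputs the first 48 bits of the parameter OUT5, and OUT5 is computed as follows: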
Figure PCTCN2020086767-appb-000003
where
Figure PCTCN2020086767-appb-000004
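Here, RAND and K are the input values of f5*; OP, c5 and r5 are constants; E is a block encryption operation, and E[X]_K denotes block encryption of X using K; rot is a shift operation; and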
Figure PCTCN2020086767-appb-000005
denotes XOR; in the embodiments of this application, XOR may be written as xor or as
Figure PCTCN2020086767-appb-000006
.
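In the same way that the UDM network element generates the MAC, the UE generates XMAC according to the key K stored in the USIM of the UE and the received RAND. For example, other parameters may also be introduced, such as the AMF and the second SQN, where the AMF is obtained by the UE from the AUTN. By comparing XMAC with the MAC carried in the AUTN, the UE authenticates the home network and performs the integrity check.
After the home network has been authenticated, to prevent an attacker from launching a replay attack against the UE, the UE can determine, based on the locally pre-stored second SQN, whether the first SQN is within a preset range.
For example, the UE determines whether the difference between the first SQN and the locally pre-stored second SQN is less than or equal to a threshold. If so, the home network is considered not to be an attacker and subsequent operations can continue. For example, the UE generates RES* according to RAND and K in the same way that the UDM network element generates XRES*, and sends RES* to the SEAF network element in an authentication response. The UE may update the locally pre-stored second SQN; for example, it adds one to the locally pre-stored second SQN, which is compared with the first SQN carried in the AUTN the next time a user authentication request is received.
Step 211: If the difference between the first SQN and the locally pre-stored second SQN is greater than the threshold, the UE sends a synchronization failure message carrying the AUTS to the SEAF network element; optionally, the message may also carry RAND.
A difference between the first SQN and the locally pre-stored second SQN that is greater than the threshold indicates either that the user authentication request may have been sent by an attacker, or that the first SQN pre-stored on the UDM network element side is inconsistent with the second SQN pre-stored locally on the UE. To keep the SQNs on the UDM network element side and the UE side synchronized, an AUTS carrying the second SQN can be sent.
The AUTS is generated as follows:
Based on the first operation, the UE generates the authentication key (AK) according to RAND and the locally stored key K. The UE then XORs the locally pre-stored second SQN with the AK and concatenates XMAC after the resulting value, that is,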
Figure PCTCN2020086767-appb-000007
Figure PCTCN2020086767-appb-000008
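It can be seen that the fixed trailing bits of the AUTS are XMAC.
Step 212: After receiving the synchronization failure message, the SEAF network element sends it to the AUSF network element.
Step 213: The AUSF network element sends the synchronization failure message to the UDM network element.
Step 214: After receiving the synchronization failure message, the UDM network element generates the authentication key (AK) according to RAND and the key K in the UE subscription information; after removing XMAC from the AUTS, it XORs the AK with the remainder of the AUTS to obtain the second SQN carried in the AUTS.
The UDM network element synchronizes the locally stored second SQN.
As can be seen from the above, when the UE determines that the first SQN sent by the home network exceeds the threshold, it needs to return an AUTS to the home network. However, the way the AUTS is generated shows that the position of XMAC in the AUTS is fixed and that the AK carried in the AUTS once XMAC is removed is usually unchanged; by processing two AUTS values it is easy to determine whether the SQNs carried in them are close.
For example, remove the bits occupied by XMAC from the two AUTS values and XOR the remaining parts. If the two AUTS values come from the same UE, the AK is the same and the result is the XOR of the two SQNs; if the two AUTS values were sent close together in time, the two SQNs are close and the XOR result is a small value close to zero.
As can be seen from the above, an attacker who obtains just two AUTS values can determine with a simple operation whether they come from the same UE; once that is determined, the attacker can track the UE and obtain some information about it, which may cause information leakage.
The above description takes the 5G-AKA authentication method in a roaming scenario as an example. Mutual authentication between the UE and the home network can also use other authentication methods, for example the extensible authentication protocol (EAP) authentication method; the difference lies in the processing performed by the AUSF. In the EAP authentication process, the AUTS is generated in the same way as shown in FIG. 2; see the foregoing description. It should also be noted that in a non-roaming scenario the UE is within the home network and mutual authentication is likewise required; the authentication method is similar to that in the roaming scenario, the difference being that the SEAF network element, the AUSF network element and the UDM network element are all network elements in the home network. The parameter sending method provided by the embodiments of this application applies to the 5G-AKA authentication process in roaming and non-roaming scenarios, and also to the EAP authentication process in roaming and non-roaming scenarios.
To ensure the security of the SQN, the embodiments of this application propose two manners:
Manner 1: Symmetrically encrypt the SQN with the authentication key.
In this manner, the SQN is symmetrically encrypted rather than simply XORed; an attacker cannot obtain the key used for the symmetric encryption (that is, the authentication key) and cannot obtain the SQN, so the SQN is hard to identify, which improves the security of the SQN.
Manner 2: In addition to the random number and the key K, the message authentication code is introduced in the generation of the authentication key.
Introducing the message authentication code makes the authentication key generated each time different, with considerable differences, and the AUTS generated with the authentication key also differs considerably. An attacker who obtains two AUTS values cannot infer through a simple operation whether the SQNs are close, which ensures the security of the SQN.
Of course, Manner 1 and Manner 2 can also be combined: the message authentication code is introduced when generating the authentication key, and the generated authentication key is used to symmetrically encrypt the SQN. This is not limited in the embodiments of this application.
These two manners are described below:
It should be noted that the following description takes the core network device being a unified data management network element as an example. The embodiments of this application do not limit this, and the core network device may be another network element; any network element that can pre-store the first sequence value and needs to synchronize the second sequence value with the terminal device can serve as the core network device.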
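Manner 1: Symmetrically encrypt the SQN with the authentication key.
As shown in FIG. 3, Manner 1 of a parameter sending method provided by an embodiment of this application is described. The method includes:
Step 301: During authentication between the unified data management network element and the terminal device, the unified data management network element may send a random number and a first sequence value to the terminal device.
In the embodiments of this application, the authentication process implements mutual authentication between the terminal device and the home network: the home network needs to ensure that the terminal device has a legitimate identity and has subscribed to the home network, and the terminal device needs to confirm that the home network is legitimate rather than a malicious network.
The authentication process is based on the key K stored by the unified data management network element and by the terminal device respectively; for the authentication process, see the embodiment shown in FIG. 2. It includes the unified data management network element sending an authentication vector carrying the AUTN to the terminal device. If the terminal device verifies that the SQN carried in the AUTN is within the correct range (that is, its difference from the locally pre-stored SQN is less than or equal to the threshold) and that the MAC is correct, the terminal device has successfully authenticated the home network. After successful authentication, the terminal device sends XRES* to the home network; if XRES* is the same as RES*, the home network has successfully authenticated the terminal device. If, however, the terminal device fails to authenticate the home network, for example because the SQN carried in the AUTN is not within the correct range (that is, its difference from the locally pre-stored SQN is greater than the threshold), the terminal device needs to synchronize its locally pre-stored SQN with the home network. The parameter sending method provided by the embodiments of this application can be used to synchronize the SQN between the terminal device and the home network.
Step 302: The terminal device determines that the difference between the first sequence value and the locally pre-stored second sequence value is greater than the threshold.
Step 303: The terminal device symmetrically encrypts the locally pre-stored second sequence value with the authentication key to generate the synchronization failure parameter; the authentication key is generated according to the random number and the locally pre-stored key K.
Step 304: The terminal device sends a synchronization failure message to the unified data management network element; the synchronization failure message carries the synchronization failure parameter.
Step 305: After receiving the synchronization failure message, the unified data management network element symmetrically decrypts the synchronization failure parameter according to the authentication key to obtain the second sequence value, where the authentication key is generated according to the random number and the key K of the terminal device.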
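When the terminal device needs to access the serving network or the home network, the terminal device can perform mutual authentication with the home network. During authentication, the unified data management network element in the home network can generate an authentication vector that includes a random number and an authentication token carrying the first sequence value. The way the first sequence value is carried in the authentication token is not limited in the embodiments of this application; for example, the way in step 205 can be used. The authentication vector may also include other parameters, such as XRES* and K_AUSF, which is not limited in the embodiments of this application.
After generating the authentication vector, the unified data management network element can send it to the authentication server function network element. The authentication server function network element can process the authentication vector, as described in step 207, and send the processed authentication vector to the security anchor function network element in an authentication response; it can also send the authentication vector to the security anchor function network element in the authentication response directly, without processing.
After receiving the authentication response, the security anchor function network element can send some of the parameters in the authentication vector to the terminal device, so that the terminal device can perform mutual authentication with the home network according to the received parameters; these parameters include the random number and the authentication token.
After obtaining the authentication token in the user authentication request, the terminal device first obtains the first sequence value from the authentication token; this is the inverse of the process by which the unified data management network element generates the authentication token.
For the way the terminal device obtains the first sequence value from the authentication token, see the related description in step 210, which is not repeated here.
As explained in the embodiment shown in FIG. 2, the terminal device and the unified data management network element can each pre-store an SQN locally; the sequence value pre-stored by the unified data management network element is the first sequence value, and the sequence value pre-stored by the terminal device is the second sequence value.
The terminal device compares the first sequence value with the second sequence value to prevent replay attacks, that is, to avoid the case where the user authentication request just received was initiated by an attacker. In some scenarios, the SQNs pre-stored locally by the terminal device and by the unified data management network element should be identical, but a certain deviation is also possible. For example, in a previous authentication, the UE and the UDM network element may not have updated their locally pre-stored SQNs uniformly: the UDM network element may have added one to the first SQN, while the UE side, because authentication failed, did not add one to the second SQN. The first sequence value and the second sequence value are therefore allowed to differ, but their difference must be less than or equal to a threshold. The embodiments of this application do not limit the specific value of the threshold; a suitable threshold can be configured according to the application scenario.
If the difference between the two sequence values is greater than the threshold, there are two possible reasons: one is that the terminal device has suffered a replay attack, and the other is that the deviation between the first sequence value pre-stored by the unified data management network element and the second sequence value is too large.
Whatever the reason, the terminal device can keep its sequence value synchronized with the unified data management network element by sending the locally pre-stored second sequence value to the unified data management network element, so that the unified data management network element replaces the locally pre-stored first sequence value with the second sequence value.
The symmetric encryption in step 303 is an encryption manner in which the encryption key and the decryption key are the same. The embodiments of this application do not limit the specific encryption algorithm; any encryption algorithm in which the encryption key and the decryption key are the same is applicable to the embodiments of this application.
In the embodiments of this application, the authentication key can be used as the encryption key. For a symmetric encryption algorithm, the required lengths of the input value and of the encryption key are fixed, and the length of the final encrypted result is also fixed.
When the second sequence value is symmetrically encrypted with the authentication key, the lengths of the encryption key and the input value must meet the requirements of the symmetric encryption algorithm. Taking the advanced encryption standard (AES) encryption algorithm as an example, AES requires the input value and the encryption key to be 128 bits long. If the second sequence value is shorter than 128 bits, the unified data management network element can pad it, for example by appending a preset sequence (such as an all-ones sequence or an all-zeros sequence, or a sequence known to both the UE and the unified data management network element) so that the second sequence value concatenated with the preset sequence is 128 bits long; as another example, one or more copies of the second sequence value can be concatenated after it and the first 128 bits taken as the input value. If the second sequence value is longer than 128 bits, the unified data management network element can shorten it, for example by deleting a preset sequence from the second sequence value (such as the part starting from its first bit; both the UE and the unified data management network element must know the deleted preset sequence so that the unified data management network element can later restore the complete second sequence value), so that the adjusted second sequence value is 128 bits long.
The above description only takes the second sequence value as an example; if the length of the authentication key does not meet the symmetric encryption algorithm's requirement for the length of the encryption key, the authentication key can also be adjusted by padding or shortening.
The embodiments of this application do not limit the way the authentication key and the second sequence value are adjusted; any way that makes the adjusted authentication key and second sequence value meet the symmetric encryption algorithm's requirements for the encryption key and the input value is applicable to the embodiments of this application.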
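After the terminal device symmetrically encrypts the locally pre-stored second sequence value with the authentication key, it can use the encrypted value as the synchronization failure parameter, or it can further process the symmetrically encrypted value to generate the synchronization failure parameter.
For example, the terminal device can generate a message authentication code according to the random number and the locally pre-stored key K, and concatenate the message authentication code after the encrypted value to generate the synchronization failure parameter. Other parameters can also be introduced when generating the message authentication code; for example, the message authentication code can be generated according to the random number, the locally pre-stored key K, the AMF and the second sequence value.
It should be noted that the way the terminal device generates the synchronization failure parameter in the embodiments of this application differs from the way the AUTS is generated in the embodiment shown in FIG. 2. To be able to generate the synchronization failure parameter in the way provided by the embodiments of this application, the terminal device needs to be upgraded; for example, the universal subscriber identity module (USIM) of the terminal device can be upgraded.
After generating the synchronization failure parameter, the terminal device can carry it in the synchronization failure message; optionally, the synchronization failure message also includes the random number.
The terminal device can send the synchronization failure message to the security anchor function network element; the security anchor function network element forwards it to the authentication server function network element, which sends it to the unified data management network element.
It should be noted that when the unified data management network element receives the synchronization failure parameter, it does not know which manner the terminal device used to generate it. If the unified data management network element assumes that the terminal device generated the synchronization failure parameter in the manner of the embodiment shown in FIG. 2, it will be unable to obtain the second sequence value correctly. To avoid this, the terminal device and the unified data management network element can agree in advance on the generation manner of the synchronization failure parameter; alternatively, before sending the synchronization failure message to the unified data management network element, the terminal device can send it a first indication message indicating the generation manner of the synchronization failure parameter. The embodiments of this application do not limit the manner of indication. An explicit indication may be used: for example, the first indication message may indicate that the synchronization failure parameter is generated by symmetric encryption, and when the unified data management network element receives the first indication message it can determine that the synchronization failure parameter received subsequently was generated by symmetric encryption. An implicit indication may also be used: for example, the first indication message may indicate that the synchronization failure parameter is generated in the manner used after the terminal device (such as the USIM card) is upgraded, may indicate that the terminal device (such as the USIM card) has been upgraded, or may indicate the version of the USIM card in the terminal device, such as R15 or R16; when the unified data management network element receives the first indication message it can determine that the USIM card of the terminal device has been upgraded and that the synchronization failure parameter received subsequently was generated by symmetric encryption.
Optionally, before sending the first indication message, the terminal device can also encrypt it; the embodiments of this application do not limit the encryption manner. For example, the first indication message can be encrypted in the way the SUPI is encrypted; for the encryption manner, see the related description of step 201, which is not repeated here.
As a possible implementation, to save signaling, the terminal device sends the first indication message at the same time as it sends the synchronization failure message to the unified data management network element, with the first indication message carried in the synchronization failure message.
The indication manner and sending manner of the first indication message described above are only examples and are not limited in the embodiments of this application; any manner that lets the unified data management network element learn how the synchronization failure parameter is generated is applicable to the embodiments of this application.
To obtain the second sequence value from the synchronization failure parameter, the unified data management network element uses the inverse of the way the terminal device generates the synchronization failure parameter; that is, the unified data management network element needs to perform symmetric decryption. The key used for symmetric decryption is still the authentication key. The unified data management network element can generate the authentication key in the same way as the terminal device, according to the random number and the key K of the terminal device. The random number may be the one carried in the synchronization failure message; as another possible implementation, the unified data management network element can save the random number it generated randomly when generating the authentication vector and, after receiving the synchronization failure message, generate the authentication key according to the saved random number and the key K of the terminal device.
It should be understood that when the terminal device subscribes to the home network, the key K is agreed; the key K is stored in the subscription information of the terminal device, and the subscription information of the terminal device can be stored in the unified data management network element or in another network element (such as a unified data repository (UDR) network element), from which the unified data management network element can obtain the subscription information of the terminal device. The key K is also stored locally in the terminal.
If other parameters were introduced when the synchronization failure parameter was generated, for example if the terminal device concatenated a message authentication code after the encrypted value following symmetric encryption of the second sequence value, then before decrypting, the unified data management network element can remove the message authentication code from the synchronization failure parameter and then symmetrically decrypt the remainder of the synchronization failure parameter with the authentication key to obtain the second sequence value.
After obtaining the second sequence value, the unified data management network element can directly replace the locally stored first sequence value; it can also first compare the second sequence value with the first sequence value and replace the locally stored first sequence value only after determining that the two are not identical, and otherwise make no replacement.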
方式二、认证密钥生成的过程中除了随机数和密钥K还引入了消息认证码。
如图:4所示,对本申请实施例提供的一种参数发送方法中的方式二进行介绍,该方法包括:
步骤401:同步骤301,具体可参见步骤301的相关描述,此处不再赘述。
步骤402:同步骤302,具体可参见步骤302的相关描述,此处不再赘述。
步骤403:终端设备在认证密钥和顺序值的异或值后连接消息认证码,其中,认证密钥是根据第一参数和第一参考值生成的,第一参考值是根据第二参数和第三参数生成的,其中,第一参数、第二参数和第三参数分别为下列的任一项:随机数、本地预存的密钥K、消息认证码,第一参数、第二参数和第三参数为不同的参数。
步骤404:同步骤304,具体可参见步骤304的相关描述,此处不再赘述。
步骤405:统一数据管理网元先从同步失败参数中获取消息认证码,之后根据认证密钥从同步失败参数中获取第二顺序值,统一数据管理网元生成认证密钥的方式与终端设备生成认证密钥的方式相同。
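To ensure the security of the second sequence value, the authentication key is generated using two dual-input single-output operations (that is, each has two input values and one output value), and the message authentication code is introduced in the operations. Depending on which parameters each dual-input single-output operation takes, the authentication key can be generated in the following three ways:
First way: generate the first reference value from the random number and the message authentication code, and generate the authentication key from the first reference value and the key K.
The terminal device may first generate the message authentication code from the random number and the key K; by way of example, other parameters may also be introduced when generating the message authentication code, such as the second SQN and the AMF. After the message authentication code is generated, the first reference value may be generated from it and the random number.
The embodiments of this application do not limit the operation used to generate the first reference value from the random number and the message authentication code; any operation that generates one parameter from two parameters is applicable to the embodiments of this application. For example, an XOR operation or an XNOR operation may be used, or the first operation of the embodiment shown in FIG. 2 may be used, that is, the F5 operation is used to generate the first reference value. For a description of the F5 operation, see the related description in the embodiment shown in FIG. 2; the random number and the message authentication code may each replace either of RAND and K in the OUT5 generation formula.
After the first reference value is generated, the terminal device may generate the authentication key from the first reference value and the key K. Likewise, the embodiments of this application do not limit the operation used to generate the authentication key from the first reference value and the key K: the same operation as for the first reference value may be used, or a different operation may be used; any operation that generates one parameter from two parameters is applicable to the embodiments of this application. For example, an XOR operation or a multiplication operation may be used, or the first operation of the embodiment shown in FIG. 2 may be used, that is, the F5 operation is used to generate the first reference value. For a description of the F5 operation, see the related description in the embodiment shown in FIG. 2; the key K and the first reference value may each replace either of RAND and K in the OUT5 generation formula.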
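Second way: generate the first reference value from the key K and the message authentication code, and generate the authentication key from the first reference value and the random number.
Unlike the first way, in the second way the first reference value is first generated from the key K and the message authentication code, and the authentication key is then generated from the first reference value and the random number; that is, the key K and the random number are introduced in the opposite order from the first way. For the operations used, see the related description of the first way, which is not repeated here.
Third way: generate the first reference value from the random number and the key K, and generate the authentication key from the first reference value and the message authentication code.
In the third way, the first reference value is generated from the random number and the key K. The embodiments of this application do not limit the operation used to generate the first reference value; any operation that generates one parameter from two parameters is applicable to the embodiments of this application. For example, an XOR operation, which has a small computational cost, may be used to XOR the random number and the key K to generate the first reference value, or another operation such as an XNOR operation may be used. The first operation of the embodiment shown in FIG. 2 may also be used, that is, the F5 operation is used to generate the first reference value. For a description of the F5 operation, see the related description in the embodiment shown in FIG. 2; the key K and the random number may each replace either of RAND and K in the OUT5 generation formula.
After the first reference value is generated, the terminal device may generate the authentication key from the first reference value and the message authentication code. Likewise, the embodiments of this application do not limit the operation used to generate the authentication key from the first reference value and the key K: the same operation as for the first reference value may be used, or a different operation may be used; any operation that generates one parameter from two parameters is applicable to the embodiments of this application. For example, the first reference value and the message authentication code may be XORed to generate the authentication key, or the first operation of the embodiment shown in FIG. 2 may be used, that is, the F5 operation is used to generate the first reference value. For a description of the F5 operation, see the related description in the embodiment shown in FIG. 2; the message authentication code and the first reference value may each replace either of RAND and K in the OUT5 generation formula.
It should be noted that the manner in which the terminal device generates the authentication key in the embodiments of this application differs from the manner in which AK is generated in the embodiment shown in FIG. 2. To be able to generate the synchronization failure parameter in the manner provided in the embodiments of this application, the terminal device needs to be upgraded; by way of example, the universal subscriber identity module (USIM) of the terminal device may be upgraded.
The three ways of generating the authentication key above are all examples, and the embodiments of this application do not limit how the authentication key is generated. In all three ways, both the first reference value and the final authentication key are generated with a dual-input single-output operation; compared with the generation manner shown in FIG. 2, only one additional operation is performed. If the terminal device is upgraded so that it can generate the authentication key in one of the three ways, the change to the terminal device is small: it only needs to be configured to support multiple operations. This ensures the security of the second sequence value while reducing changes to the terminal device.
After the authentication key is generated, the authentication key and the second sequence value are XORed, and the message authentication code is concatenated after the XOR value of the authentication key and the second sequence value (the XOR value and the message authentication code are spliced together) to generate the synchronization failure parameter.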
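It should be noted that, upon receiving the synchronization failure parameter, the unified data management network element cannot know which way the terminal device used to generate the authentication key. If the unified data management network element assumes that the terminal device generated the synchronization failure parameter in the manner of the embodiment shown in FIG. 2, it will be unable to obtain the second sequence value correctly. To avoid this, the terminal device and the unified data management network element may agree in advance on the way of generating the authentication key. Alternatively, before sending the synchronization failure message to the unified data management network element, the terminal device may send a first indication message to it, indicating the way of generating the authentication key. The embodiments of this application do not limit the manner of indication. An explicit indication may be used: for example, the first indication message may indicate that the authentication key is generated in manner 1 (manner 1 is used as an example; any of the other ways may of course be used), and upon receiving the first indication message the unified data management network element can determine that the authentication key in a subsequently received synchronization failure parameter was generated in manner 1. An implicit indication may also be used: for another example, the first indication message may indicate that the authentication key is generated in the manner used after the terminal device (for example, the USIM card) is upgraded, may indicate that the terminal device (for example, the USIM card) has been upgraded, or may indicate version information of the terminal device (for example, the USIM card), such as indicating that the release of the USIM card is R15 or R16; upon receiving the first indication message, the unified data management network element can determine whether the USIM card of the terminal device has been upgraded and whether the subsequently received authentication key was generated in one of the three ways above. Which way is used may be preconfigured in the unified data management network element; for example, the unified data management network element may be preconfigured so that, if the terminal device has been upgraded, manner 1 is used to generate the authentication key.
In a possible implementation, to save signaling, the terminal device sends the first indication message at the same time as the synchronization failure message, with the first indication message carried in the synchronization failure message.
The foregoing indication manners and sending manners of the first indication message are merely examples and are not limited in the embodiments of this application; any manner that enables the unified data management network element to learn how the synchronization failure parameter was generated is applicable to the embodiments of this application.
To obtain the second sequence value from the synchronization failure parameter, the unified data management network element reverses the manner in which the terminal device generated the synchronization failure parameter.
To ensure that the authentication key used by the unified data management network element is the same as the one used on the terminal device side, the unified data management network element needs to obtain the message authentication code generated on the terminal device side. Because the terminal device concatenated the message authentication code after the XOR of the authentication key and the second sequence value, a fixed number of trailing bits of the synchronization failure parameter are the message authentication code. Before decryption, the unified data management network element can therefore obtain the message authentication code directly from the synchronization failure parameter. The unified data management network element generates the authentication key in the same manner as the terminal device, and then XORs the authentication key with the part of the synchronization failure parameter that remains after the message authentication code is removed, to obtain the second sequence value.
The unified data management network element generates the authentication key in the same manner as the terminal device, and can obtain the key K of the terminal device from the subscription information of the terminal device. How the unified data management network element generates the authentication key is not repeated here; see the foregoing description of how the terminal device generates the authentication key.
After obtaining the second sequence value, the unified data management network element may directly replace the locally stored first sequence value with it. Alternatively, it may first compare the second sequence value with the first sequence value and replace the locally stored first sequence value only after determining that the two are inconsistent; otherwise, no replacement is performed.
In a possible implementation, after obtaining the second sequence value, the unified data management network element may perform an integrity check on the message authentication code obtained from the synchronization failure parameter. Specifically, the unified data management network element may generate a check value in the same manner in which the terminal device generates the message authentication code. By way of example, if the terminal device generates the message authentication code from the key K, the random number, the second sequence value and the AMF, the unified data management network element may likewise generate the check value from the key K, the random number, the second sequence value and the AMF. If the check value is consistent with the message authentication code, the check passes; otherwise the check fails, which indicates that the information received by the unified data management network element may have been tampered with and that the second sequence value it obtained may be wrong. In that case the unified data management network element may request the second sequence value from the terminal device again, or may refrain from replacing the locally stored first sequence value with the second sequence value.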
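The terminal-side generation and network-side recovery described above, using the first way (random number and message authentication code give the first reference value, which together with the key K gives the authentication key) and ending with the integrity check, as an added Python example that is not code from the patent. HMAC-SHA-256 stands in for the F5 operation and for the message authentication code function; those stand-ins, the 48-bit sequence value and authentication key, the 64-bit message authentication code, the function names and all sample values are assumptions.

```python
import hashlib
import hmac

AMF = bytes.fromhex("0000")  # constructed sample value

def first_op(a: bytes, b: bytes) -> bytes:
    """Dual-input, single-output operation with a 48-bit result.
    Assumption: HMAC-SHA-256 stands in for F5 here; this is not Milenage."""
    return hmac.new(a, b"f5*" + b, hashlib.sha256).digest()[:6]

def gen_mac(k: bytes, rand: bytes, sqn: bytes) -> bytes:
    """64-bit MAC over RAND, SQN and AMF under K (HMAC stand-in, assumption)."""
    return hmac.new(k, b"f1*" + rand + sqn + AMF, hashlib.sha256).digest()[:8]

def derive_ak(k: bytes, rand: bytes, mac: bytes) -> bytes:
    """First way: TEMP = op(MAC||MAC, RAND), then AK = op(TEMP, K)."""
    temp = first_op(mac + mac, rand)  # first reference value
    return first_op(temp, k)          # authentication key

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ue_build_auts(k: bytes, rand: bytes, sqn_ue: bytes) -> bytes:
    """Terminal side: sync failure parameter = (AK xor SQN) || MAC."""
    mac = gen_mac(k, rand, sqn_ue)
    return xor(derive_ak(k, rand, mac), sqn_ue) + mac

def udm_recover_sqn(k: bytes, rand: bytes, auts: bytes):
    """Network side: take the MAC from the fixed trailing bits, rebuild AK,
    unmask the SQN, then verify the MAC before trusting the result."""
    if len(auts) != 14:
        raise ValueError("expected 6-byte masked SQN plus 8-byte MAC")
    concealed, mac = auts[:6], auts[6:]
    sqn = xor(derive_ak(k, rand, mac), concealed)
    if not hmac.compare_digest(gen_mac(k, rand, sqn), mac):
        return None  # check failed: keep the stored sequence value
    return sqn

# Constructed sample values, for illustration only.
K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
RAND = bytes.fromhex("101112131415161718191a1b1c1d1e1f")
SQN_UE = bytes.fromhex("0000000003e8")

if __name__ == "__main__":
    auts = ue_build_auts(K, RAND, SQN_UE)
    print("AUTS:", auts.hex())
    print("recovered SQN:", udm_recover_sqn(K, RAND, auts).hex())
```

Because the message authentication code is computed over the sequence value and then fed into the key derivation, the authentication key changes whenever the sequence value changes, even when the random number and K are the same.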
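FIG. 5 shows a parameter sending method provided in an embodiment of this application. The method includes:
Step 501: Same as steps 201 to 210; see the description of steps 201 to 210 shown in FIG. 2, which is not repeated here.
Step 502: If the difference between the first SQN and the second SQN is greater than a threshold, the UE sends a synchronization failure message to the SEAF network element, carrying AUTS and RAND.
The embodiments of this application propose five ways of generating AUTS, as shown in FIG. 6A to FIG. 6E. They are described below, taking the following as an example: f5* denotes the first operation, whose input values are required to be 128 bits long; xor denotes exclusive OR; TEMP is the first reference value, 48 bits long; and XMAC is generated with the operation f1* and is 64 bits long.
Manner 1: As shown in FIG. 6A, AK is computed using exclusive OR (xor) or the first operation, and the second SQN is symmetrically encrypted with AK as the encryption key, where f6* is a symmetric encryption algorithm. After the second SQN is encrypted with AK, XMAC is concatenated after the resulting value.
The encryption key, input and output of the symmetric encryption are as follows, taking an AK length of 128 bits as an example:
Encryption key: AK, 128 bits long.
Input value: second SQN || second SQN || second SQN; the first 128 bits of three concatenated second SQNs are used as the input value.
Output value: f6*_AK(second SQN), 128 bits long.
AUTS = f6*_AK(second SQN) || XMAC
Manner 2: As shown in FIG. 6B, AK is computed using two first operations. XMAC || XMAC is one input value of the first first operation and RAND is the other input value; the output is the first reference value. The first reference value and the key K are the two input values of the second first operation, and the output is AK. After AK and the second SQN are XORed, XMAC is concatenated after the resulting value to generate AUTS,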
Figure PCTCN2020086767-appb-000009
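Manner 3: As shown in FIG. 6C, AK is computed using two first operations. XMAC || XMAC is one input value of the first first operation and the key K is the other input value; the output is the first reference value. The first reference value and RAND are the two input values of the second first operation, and the output is AK. After AK and the second SQN are XORed, XMAC is concatenated after the resulting value to generate AUTS,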
Figure PCTCN2020086767-appb-000010
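Manner 4: As shown in FIG. 6D, AK is computed using two first operations, or using one first operation and one XOR operation. The key K and RAND are the two input values of the first first operation, which outputs the first reference value. AK is then output from XMAC and the first reference value using the first operation, or AK is output by XORing XMAC and the first reference value. After AK and the second SQN are XORed, XMAC is concatenated after the resulting value to generate AUTS,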
Figure PCTCN2020086767-appb-000011
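When AK is output from XMAC and the first reference value using the first operation, XMAC || XMAC is one input of the first operation, and the first 128 bits of first reference value || first reference value || first reference value are the other input of the first operation.
When AK is output by XORing XMAC and the first reference value, 48 bits of XMAC are taken as one input of the XOR operation, and the first reference value is the other input of the XOR operation.
Manner 5: As shown in FIG. 6E, the key K and RAND are XORed to obtain the first reference value. XMAC and TEMP are the two inputs of the first operation, which outputs AK. After AK and the second SQN are XORed, XMAC is concatenated after the resulting value to generate AUTS,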
Figure PCTCN2020086767-appb-000012
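It should be noted that in manners 2 to 5 the first operation is taken to be the F5 operation as an example; for the process of the F5 operation, see the description of step 210 in the embodiment shown in FIG. 2. The embodiments of this application do not limit which of the two input parameters of the F5 operation replaces RAND and which replaces K; this can be set according to the specific scenario.
Step 503: Same as steps 212 to 213; see the description of steps 212 to 213 shown in FIG. 2, which is not repeated here.
Step 504: After receiving AUTS, the UDM network element obtains the second SQN from AUTS and stores the second SQN.
Corresponding to the five ways of generating AUTS on the UE side, the UDM network element side may use five corresponding ways of obtaining the second SQN from AUTS, which are described below:
Corresponding to manner 1 on the terminal device side: the UDM network element removes XMAC from AUTS to obtain f6*_AK(second SQN), computes AK using XOR or the first operation, and decrypts f6*_AK(second SQN) with AK as the decryption key to obtain the second SQN.
Corresponding to manners 2 to 5 on the terminal device side: the UDM network element obtains XMAC from AUTS; the part of AUTS that remains after XMAC is removed is the XOR of the second SQN and AK (second
Figure PCTCN2020086767-appb-000013
); correspondingly, the UDM network element may generate AK in the manner shown in FIG. 6B to FIG. 6E and XOR it with the part of AUTS that remains after XMAC is removed, to obtain the second SQN.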
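Based on the same inventive concept as the method embodiments, an embodiment of this application further provides a communication apparatus, configured to perform the method performed by the terminal device or the UE in the method embodiments shown in FIG. 4 and FIG. 5. For related features, see the foregoing method embodiments, which are not repeated here. As shown in FIG. 7, the apparatus includes a receiving unit 701, a processing unit 702 and a sending unit 703:
The receiving unit 701 is configured to receive a random number and a first sequence value from the unified data management network element.
The processing unit 702 is configured to, after determining that the difference between the first sequence value and a locally pre-stored second sequence value is greater than a threshold, concatenate a message authentication code after the XOR value of an authentication key and the sequence value to generate a synchronization failure parameter, where the authentication key is generated from a first parameter and a first reference value, and the first reference value is generated from a second parameter and a third parameter; the first parameter, the second parameter and the third parameter each include any one of the following: the random number, the locally pre-stored key K, and the message authentication code.
The sending unit 703 is configured to send a synchronization failure message to the unified data management network element, the synchronization failure message carrying the synchronization failure parameter.
In a possible implementation, the processing unit 702 may generate the authentication key from the first parameter and the first reference value in many ways, two of which are listed below:
First, generate the first reference value from the random number and the message authentication code, for example by using the F5 operation on the random number and the message authentication code; and generate the authentication key from the first reference value and the key K, for example by using the F5 operation on the first reference value and the key K.
Second, generate the first reference value from the key K and the message authentication code, for example by using the F5 operation on the random number and the message authentication code; and generate the authentication key from the first reference value and the random number, for example by using the F5 operation on the first reference value and the random number.
In a possible implementation, when generating the authentication key from the first parameter and the first reference value, the processing unit 702 may also proceed as follows: first generate the first reference value from the random number and the key K, and then generate the authentication key from the first reference value and the message authentication code.
In a possible implementation, when generating the first reference value from the random number and the key K, the processing unit 702 may use, instead of the F5 operation, another operation such as an XOR operation; by way of example, the random number and the key K are XORed to generate the first reference value.
In a possible implementation, when generating the authentication key from the first reference value and the message authentication code, the processing unit 702 may use, instead of the F5 operation, another operation such as an XOR operation; by way of example, the first reference value and the message authentication code are XORed to generate the authentication key.
In a possible implementation, before sending the synchronization failure message to the unified data management network element, the sending unit 703 may also inform the unified data management network element of the way the authentication key is generated; by way of example, it may send a first indication message to the unified data management network element, the first indication message being used to indicate the way the authentication key is generated.
In a possible implementation, the synchronization failure message includes a first indication message, and the first indication message is used to indicate the way the authentication key is generated.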
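Based on the same inventive concept as the method embodiments, an embodiment of this application further provides a communication apparatus, configured to perform the method performed by the unified data management network element or the UDM network element in the method embodiments shown in FIG. 4 and FIG. 5. For related features, see the foregoing method embodiments, which are not repeated here. As shown in FIG. 8, the apparatus includes a sending unit 801, a receiving unit 802 and a processing unit 803:
The sending unit 801 is configured to send a random number and a first sequence value to the terminal device.
The receiving unit 802 is configured to receive a synchronization failure message from the terminal device, the synchronization failure message carrying a synchronization failure parameter.
The processing unit 803 is configured to obtain a message authentication code from the synchronization failure parameter, and to obtain a second sequence value from the synchronization failure parameter according to an authentication key, where the authentication key is generated from a first parameter and a first reference value, and the first reference value is generated from a second parameter and a third parameter; the first parameter, the second parameter and the third parameter each include any one of the following: the random number, the key K of the terminal device, and the message authentication code.
In a possible implementation, the processing unit 803 may generate the authentication key from the first parameter and the first reference value in many ways, two of which are listed below:
First, generate the first reference value from the random number and the message authentication code, for example by using the F5 operation on the random number and the message authentication code; and generate the authentication key from the first reference value and the key K, for example by using the F5 operation on the first reference value and the key K.
Second, generate the first reference value from the key K and the message authentication code, for example by using the F5 operation on the random number and the message authentication code; and generate the authentication key from the first reference value and the random number, for example by using the F5 operation on the first reference value and the random number.
In a possible implementation, when generating the authentication key from the first parameter and the first reference value, the processing unit 803 may also proceed as follows: first generate the first reference value from the random number and the key K, and then generate the authentication key from the first reference value and the message authentication code.
In a possible implementation, when generating the first reference value from the random number and the key K, the processing unit 803 may use, instead of the F5 operation, another operation such as an XOR operation; by way of example, the random number and the key K are XORed to generate the first reference value.
In a possible implementation, when generating the authentication key from the first reference value and the message authentication code, the processing unit 803 may use, instead of the F5 operation, another operation such as an XOR operation; by way of example, the first reference value and the message authentication code are XORed to generate the authentication key.
In a possible implementation, before receiving the synchronization failure message from the terminal device, the receiving unit 802 may also receive a first indication message from the terminal device, the first indication message being used to indicate the way the authentication key is generated.
In a possible implementation, the synchronization failure message includes a first indication message, and the first indication message is used to indicate the way the authentication key is generated.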
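Based on the same inventive concept as the method embodiments, an embodiment of this application further provides a communication apparatus, configured to perform the method performed by the terminal device or the UE in the method embodiments shown in FIG. 3 and FIG. 5. For related features, see the foregoing method embodiments, which are not repeated here. As shown in FIG. 9, the apparatus includes a receiving unit 901, a processing unit 902 and a sending unit 903:
The receiving unit 901 is configured to receive a random number and a first sequence value from the unified data management network element.
The processing unit 902 is configured to, after determining that the difference between the first sequence value and a locally pre-stored second sequence value is greater than a threshold, symmetrically encrypt the second sequence value with an authentication key to generate a synchronization failure parameter, where the authentication key is generated from the random number and the locally pre-stored key K.
The sending unit 903 is configured to send a synchronization failure message to the unified data management network element, the synchronization failure message carrying the synchronization failure parameter.
In a possible implementation, before sending the synchronization failure message to the unified data management network element, the sending unit 903 may also send a first indication message, the first indication message being used to indicate the manner of generating the synchronization failure parameter.
In a possible implementation, the synchronization failure message includes a first indication message, and the first indication message is used to indicate the manner of generating the synchronization failure parameter.
Based on the same inventive concept as the method embodiments, an embodiment of this application further provides a communication apparatus, configured to perform the method performed by the unified data management network element or the UDM network element in the method embodiments shown in FIG. 3 and FIG. 5. For related features, see the foregoing method embodiments, which are not repeated here. As shown in FIG. 10, the apparatus includes a sending unit 1001, a receiving unit 1002 and a processing unit 1103:
The sending unit 1001 is configured to send a random number and a first sequence value to the terminal device.
The receiving unit 1002 is configured to receive a synchronization failure message from the terminal device, the synchronization failure message carrying a synchronization failure parameter.
The processing unit 1003 is configured to symmetrically decrypt the synchronization failure parameter according to an authentication key to obtain a second sequence value, where the authentication key is generated from the random number and the key K of the terminal device.
In a possible implementation, before receiving the synchronization failure message from the terminal device, the receiving unit 1002 may also receive a first indication message from the terminal device, the first indication message being used to indicate the way the authentication key is generated.
In a possible implementation, the synchronization failure message includes a first indication message, and the first indication message is used to indicate the way the authentication key is generated.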
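The division into units in the embodiments of this application is illustrative and is merely a division by logical function; other divisions are possible in actual implementation. In addition, the functional units in the embodiments of this application may be integrated into one processor, may exist physically on their own, or two or more units may be integrated into one module. The integrated unit may be implemented in the form of hardware or in the form of a software functional module.
If the integrated unit is implemented in the form of a software functional unit and sold or used as a stand-alone product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a terminal device (which may be a personal computer, a mobile phone, a network device, or the like) or a processor to perform all or some of the steps of the methods in the embodiments of this application. The storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, or an optical disc.
In the embodiments of this application, both the unified data management network element and the terminal device may be presented in a form in which the functional modules are divided in an integrated manner. A "module" here may refer to a specific ASIC, a circuit, a processor and memory that execute one or more software or firmware programs, an integrated logic circuit, and/or another component that can provide the foregoing functions.
In a simple embodiment, a person skilled in the art can conceive that the unified data management network element may take the form shown in FIG. 11.
The communication apparatus 1100 shown in FIG. 11 includes at least one processor 1101 and a memory 1102, and optionally may further include a communication interface 1103.
The memory 1102 may be a volatile memory, such as a random access memory; it may also be a non-volatile memory, such as a read-only memory, a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); or the memory 1102 may be any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto. The memory 1102 may be a combination of the foregoing memories.
The embodiments of this application do not limit the specific connection medium between the processor 1101 and the memory 1102.
The processor 1101 may have a data transceiving function and be able to communicate with other devices. In the apparatus shown in FIG. 11, an independent data transceiving module, such as the communication interface 1103, may also be provided for sending and receiving data; when communicating with other devices, the processor 1101 may transmit data through the communication interface 1103.
When the unified data management network element takes the form shown in FIG. 11, the processor 1101 in FIG. 11 may invoke the computer-executable instructions stored in the memory 1402, so that the base station can perform the method performed by the base station in any of the foregoing method embodiments.
Specifically, the functions and implementation processes of the sending unit, the receiving unit and the processing unit in FIG. 9 or FIG. 10 may all be implemented by the processor 1101 in FIG. 11 invoking the computer-executable instructions stored in the memory 1102. Alternatively, the functions and implementation processes of the processing unit in FIG. 9 or FIG. 10 may be implemented by the processor 1101 in FIG. 11 invoking the computer-executable instructions stored in the memory 1102, and those of the sending unit and the receiving unit in FIG. 9 or FIG. 10 may be implemented by the communication interface 1103 in FIG. 11.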
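In a simple embodiment, a person skilled in the art can conceive that the terminal device may take the form shown in FIG. 12.
The communication apparatus 1200 shown in FIG. 12 includes at least one processor 1201 and a memory 1202, and optionally may further include a transceiver 1203.
The memory 1202 may be a volatile memory, such as a random access memory; it may also be a non-volatile memory, such as a read-only memory, a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); or the memory 1202 may be any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto. The memory 1202 may be a combination of the foregoing memories.
The embodiments of this application do not limit the specific connection medium between the processor 1201 and the memory 1202.
The processor 1201 may have a data transceiving function and be able to communicate with other devices. In the apparatus shown in FIG. 12, an independent data transceiving module, such as the transceiver 1203, may also be provided for sending and receiving data; when communicating with other devices, the processor 1201 may transmit data through the transceiver 1203.
When the terminal device takes the form shown in FIG. 12, the processor 1201 in FIG. 12 may invoke the computer-executable instructions stored in the memory 1202, so that the terminal device can perform the method performed by the terminal device in any of the foregoing method embodiments.
Specifically, the functions and implementation processes of the receiving unit, the processing unit and the sending unit in FIG. 7 or FIG. 8 may all be implemented by the processor 1201 in FIG. 12 invoking the computer-executable instructions stored in the memory 1202. Alternatively, the functions and implementation processes of the processing unit in FIG. 7 or FIG. 8 may be implemented by the processor 1201 in FIG. 12 invoking the computer-executable instructions stored in the memory 1202, and those of the receiving unit and the sending unit in FIG. 7 or FIG. 8 may be implemented by the transceiver 1203 in FIG. 12.
A person skilled in the art should understand that the embodiments of this application may be provided as a method, a system, or a computer program product. Therefore, this application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, this application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, and optical storage) that contain computer-usable program code.
This application is described with reference to flowcharts and/or block diagrams of the method, the device (system), and the computer program product according to this application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor, or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or another programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus, and the instruction apparatus implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or another programmable data processing device, so that a series of operation steps are performed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device thereby provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Obviously, a person skilled in the art can make various changes and variations to this application without departing from the scope of this application. Thus, if these modifications and variations of this application fall within the scope of the claims of this application and their equivalent technologies, this application is also intended to include these changes and variations.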

Claims (34)

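  1. A parameter sending method, wherein the method comprises:
    in an authentication process, receiving a random number and a first sequence value from a core network device;
    after determining that a difference between the first sequence value and a locally pre-stored second sequence value is greater than a threshold, concatenating a message authentication code after an XOR value of an authentication key and the second sequence value to generate a synchronization failure parameter, wherein the authentication key is generated from a first parameter and a first reference value, the first reference value is generated from a second parameter and a third parameter, and the first parameter, the second parameter and the third parameter each comprise any one of the following: the random number, a locally pre-stored key K, and the message authentication code; and
    sending a synchronization failure message to the core network device, wherein the synchronization failure message carries the synchronization failure parameter.
  2. The method according to claim 1, wherein that the authentication key is generated from a first parameter and a first reference value comprises:
    generating the first reference value from the random number and the message authentication code, and generating the authentication key from the first reference value and the key K; or
    generating the first reference value from the key K and the message authentication code, and generating the authentication key from the first reference value and the random number.
  3. The method according to claim 1, wherein that the authentication key is generated from a first parameter and a first reference value comprises:
    generating the first reference value from the random number and the key K, and generating the authentication key from the first reference value and the message authentication code.
  4. The method according to claim 3, wherein the generating the first reference value from the random number and the key K comprises:
    XORing the random number and the key K to generate the first reference value.
  5. The method according to claim 3, wherein the generating the authentication key from the first reference value and the message authentication code comprises:
    XORing the first reference value and the message authentication code to generate the authentication key.
  6. The method according to any one of claims 1 to 5, wherein before the sending a synchronization failure message to the core network device, the method further comprises:
    sending a first indication message to the core network device, wherein the first indication message is used to indicate the way the authentication key is generated.
  7. The method according to any one of claims 1 to 5, wherein the synchronization failure message comprises a first indication message, and the first indication message is used to indicate the way the authentication key is generated.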
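  8. A parameter sending method, wherein the method comprises:
    in an authentication process, sending a random number and a first sequence value to a terminal device;
    receiving a synchronization failure message from the terminal device, wherein the synchronization failure message carries a synchronization failure parameter;
    obtaining a message authentication code from the synchronization failure parameter; and
    obtaining a second sequence value from the synchronization failure parameter according to an authentication key, wherein the authentication key is generated from a first parameter and a first reference value, the first reference value is generated from a second parameter and a third parameter, and the first parameter, the second parameter and the third parameter each comprise any one of the following: the random number, a key K of the terminal device, and the message authentication code.
  9. The method according to claim 8, wherein that the authentication key is generated from a first parameter and a first reference value comprises:
    generating the first reference value from the random number and the message authentication code, and generating the authentication key from the first reference value and the key K; or
    generating the first reference value from the key K and the message authentication code, and generating the authentication key from the first reference value and the random number.
  10. The method according to claim 8, wherein that the authentication key is generated from a first parameter and a first reference value comprises:
    generating the first reference value from the random number and the key K, and generating the authentication key from the first reference value and the message authentication code.
  11. The method according to claim 10, wherein the generating the first reference value from the random number and the key K comprises:
    XORing the random number and the key K to generate the first reference value.
  12. The method according to claim 10, wherein the generating the authentication key from the first reference value and the message authentication code comprises:
    XORing the first reference value and the message authentication code to generate the authentication key.
  13. The method according to any one of claims 8 to 12, wherein before the receiving a synchronization failure message from the terminal device, the method further comprises:
    receiving a first indication message from the terminal device, wherein the first indication message is used to indicate the way the authentication key is generated.
  14. The method according to any one of claims 8 to 12, wherein the synchronization failure message comprises a first indication message, and the first indication message is used to indicate the way the authentication key is generated.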
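  15. A parameter sending method, wherein the method comprises:
    in an authentication process, receiving a random number and a first sequence value from a core network device;
    after determining that a difference between the first sequence value and a locally pre-stored second sequence value is greater than a threshold, symmetrically encrypting the second sequence value with an authentication key to generate a synchronization failure parameter, wherein the authentication key is generated from the random number and a locally pre-stored key K; and
    sending a synchronization failure message to the core network device, wherein the synchronization failure message carries the synchronization failure parameter.
  16. The method according to claim 15, wherein before the sending a synchronization failure message to the core network device, the method further comprises:
    sending a first indication message, wherein the first indication message is used to indicate the manner of generating the synchronization failure parameter.
  17. The method according to claim 15, wherein the synchronization failure message comprises a first indication message, and the first indication message is used to indicate the way the authentication key is generated.
  18. A parameter sending method, wherein the method comprises:
    in an authentication process, sending a random number and a first sequence value to a terminal device;
    receiving a synchronization failure message from the terminal device, wherein the synchronization failure message carries a synchronization failure parameter; and
    symmetrically decrypting the synchronization failure parameter according to an authentication key to obtain a second sequence value, wherein the authentication key is generated from the random number and a key K of the terminal device.
  19. The method according to claim 18, wherein before the receiving a synchronization failure message from the terminal device, the method further comprises:
    receiving a first indication message from the terminal device, wherein the first indication message is used to indicate the way the authentication key is generated.
  20. The method according to claim 18, wherein the synchronization failure message comprises a first indication message, and the first indication message is used to indicate the way the authentication key is generated.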
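  21. A communication apparatus, configured to implement the method according to any one of claims 1 to 7.
  22. A communication apparatus, configured to implement the method according to any one of claims 8 to 14.
  23. A communication apparatus, configured to implement the method according to any one of claims 15 to 17.
  24. A communication apparatus, configured to implement the method according to any one of claims 18 to 20.
  25. A communication apparatus, comprising a processor and a memory, wherein the memory stores instructions, and when the processor executes the instructions, the apparatus is caused to perform the method according to any one of claims 1 to 7.
  26. A communication apparatus, comprising a processor and a memory, wherein the memory stores instructions, and when the processor executes the instructions, the apparatus is caused to perform the method according to any one of claims 8 to 14.
  27. A communication apparatus, comprising a processor and a memory, wherein the memory stores instructions, and when the processor executes the instructions, the apparatus is caused to perform the method according to any one of claims 15 to 17.
  28. A communication apparatus, comprising a processor and a memory, wherein the memory stores instructions, and when the processor executes the instructions, the apparatus is caused to perform the method according to any one of claims 18 to 20.
  29. A computer-readable storage medium, wherein the computer-readable storage medium stores instructions that, when run on a computer, cause the computer to perform the method according to any one of claims 1 to 7.
  30. A computer-readable storage medium, wherein the computer-readable storage medium stores instructions that, when run on a computer, cause the computer to perform the method according to any one of claims 8 to 14.
  31. A computer-readable storage medium, wherein the computer-readable storage medium stores instructions that, when run on a computer, cause the computer to perform the method according to any one of claims 15 to 17.
  32. A computer-readable storage medium, wherein the computer-readable storage medium stores instructions that, when run on a computer, cause the computer to perform the method according to any one of claims 18 to 20.
  33. A computer chip, wherein the chip is connected to a memory, and the chip is configured to read and execute a software program stored in the memory to perform the method according to any one of claims 1 to 20.
  34. A computer program product comprising instructions that, when run on a computer, cause the computer to perform the method according to any one of claims 1 to 20.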
PCT/CN2020/086767 2019-04-24 2020-04-24 Parameter sending method and apparatus WO2020216338A1 (zh)

Priority Applications (4)

Application Number Priority Date Filing Date Title
EP20794645.0A EP3952241A4 (en) 2019-04-24 2020-04-24 METHOD AND APPARATUS FOR SENDING PARAMETERS
JP2021563063A JP7237200B2 (ja) 2019-04-24 2020-04-24 Parameter sending method and apparatus
CA3137389A CA3137389A1 (en) 2019-04-24 2020-04-24 Parameter sending method and apparatus
US17/506,882 US20220046003A1 (en) 2019-04-24 2021-10-21 Parameter sending method and apparatus

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910335677.3 2019-04-24
CN201910335677.3A CN111865870B (zh) 2019-04-24 2019-04-24 Parameter sending method and apparatus

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US17/506,882 Continuation US20220046003A1 (en) 2019-04-24 2021-10-21 Parameter sending method and apparatus

Publications (1)

Publication Number Publication Date
WO2020216338A1 true WO2020216338A1 (zh) 2020-10-29

Family

ID=72940871

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/086767 WO2020216338A1 (zh) 2019-04-24 2020-04-24 Parameter sending method and apparatus

Country Status (6)

Country Link
US (1) US20220046003A1 (zh)
EP (1) EP3952241A4 (zh)
JP (1) JP7237200B2 (zh)
CN (2) CN114513330A (zh)
CA (1) CA3137389A1 (zh)
WO (1) WO2020216338A1 (zh)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
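CN114205168A (zh) * 2021-12-20 2022-03-18 Global Energy Interconnection Research Institute Co., Ltd. Terminal device key distribution method and system for identity authentication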

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
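CN112561422B (zh) * 2020-12-04 2023-07-25 China United Network Communications Group Co., Ltd. Commodity transportation method based on networked unmanned aerial vehicle, user end, and key management platform
CN112788596A (zh) * 2021-02-03 2021-05-11 Beijing Smartchip Microelectronics Technology Co., Ltd. Security encryption information generation method and system, and 5G terminal authentication method and system
CN114024674B (zh) * 2021-11-23 2024-05-31 Alipay (Hangzhou) Information Technology Co., Ltd. Method and system for two-party secure comparison
CN115002750A (zh) * 2022-05-25 2022-09-02 China Telecom Corp., Ltd. Communication authentication method and related device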

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
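CN1859729A (zh) * 2005-06-04 2006-11-08 Huawei Technologies Co., Ltd. Authentication method and corresponding information transmission method
CN101123778A (zh) * 2007-09-29 2008-02-13 Datang Microelectronics Technology Co., Ltd. Network access authentication method and USIM card thereof
CN101399603A (zh) * 2007-09-30 2009-04-01 Huawei Technologies Co., Ltd. Resynchronization method, authentication method, and device
CN101511084A (zh) * 2008-02-15 2009-08-19 China Mobile Communications Group Co. Authentication and key agreement method for mobile communication system
CN101741555A (zh) * 2008-11-12 2010-06-16 ZTE Corporation Identity authentication and key agreement method and system
WO2011003227A1 (en) * 2009-07-06 2011-01-13 Nokia Corporation Managing respective sequence numbers for different networks independently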

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
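CN100389634C (zh) * 2005-08-02 2008-05-21 Huawei Technologies Co., Ltd. Synchronization attack protection method and corresponding authentication method
CN101098221A (zh) * 2006-06-26 2008-01-02 Huawei Technologies Co., Ltd. Network layer security authentication method in wireless cellular network
CN1968096B (zh) * 2006-10-25 2010-05-19 China Mobile Communications Group Co. Synchronization procedure optimization method and system
CN101784048B (zh) * 2009-01-21 2014-01-01 ZTE Corporation Identity authentication and key agreement method and system with dynamic key update
JP5754328B2 (ja) * 2011-09-28 2015-07-29 Fujitsu Limited Switch device and switch method
US10694378B2 (en) 2013-03-29 2020-06-23 Sony Corporation Integrated circuit, communication method, computer program, and communication apparatus
KR101517909B1 (ko) * 2013-12-13 2015-05-06 Kyungpook National University Industry-Academic Cooperation Foundation Mutual authentication method for u-healthcare wireless sensor networks
MA45323A (fr) * 2016-03-18 2019-01-23 Forticode Ltd Method and system for user authentication with enhanced security
JP2017191965A (ja) * 2016-04-11 2017-10-19 Fujitsu Limited Communication device and packet transmission/reception program
CN107508672B (zh) * 2017-09-07 2020-06-16 Zhejiang Shenzhou Quantum Network Technology Co., Ltd. Key synchronization method, key synchronization device, and key synchronization system based on symmetric key pool
US10805161B2 (en) * 2017-09-13 2020-10-13 Verizon Digital Media Services Inc. Rapid configuration propagation in a distributed multi-tenant platform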

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP3952241A4 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
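CN114205168A (zh) * 2021-12-20 2022-03-18 Global Energy Interconnection Research Institute Co., Ltd. Terminal device key distribution method and system for identity authentication
CN114205168B (zh) * 2021-12-20 2023-07-18 Global Energy Interconnection Research Institute Co., Ltd. Terminal device key distribution method and system for identity authentication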

Also Published As

Publication number Publication date
US20220046003A1 (en) 2022-02-10
CN111865870A (zh) 2020-10-30
JP2022529837A (ja) 2022-06-24
CA3137389A1 (en) 2020-10-29
CN114513330A (zh) 2022-05-17
JP7237200B2 (ja) 2023-03-10
EP3952241A1 (en) 2022-02-09
EP3952241A4 (en) 2022-06-01
CN111865870B (zh) 2022-01-11

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20794645

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 3137389

Country of ref document: CA

ENP Entry into the national phase

Ref document number: 2021563063

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2020794645

Country of ref document: EP

Effective date: 20211027