WO2020221252A1 - Method and apparatus for sending a terminal sequence number, and authentication method and apparatus - Google Patents


Info

Publication number
WO2020221252A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
ausf
terminal
authentication
response message
Application number
PCT/CN2020/087517
Other languages
English (en)
Chinese (zh)
Inventor
游世林
谢振华
彭锦
余万涛
林兆骥
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司 (ZTE Corporation)

Classifications

    • H04L 63/0807: Network architectures or protocols for network security; authentication of entities using tickets, e.g. Kerberos
    • H04W 12/02: Security arrangements; protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W 12/037: Protecting confidentiality, e.g. by encryption, of the control plane, e.g. signalling traffic
    • H04W 12/04: Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/041: Key generation or derivation
    • H04W 12/06: Authentication
    • H04W 12/72: Context-dependent security; identity-dependent; subscriber identity
    • H04L 9/0869: Cryptographic mechanisms; generation of secret information, including derivation or calculation of cryptographic keys or passwords, involving random numbers or seeds

Definitions

  • This application relates to the field of communications, for example to methods and devices for sending a terminal sequence number, and to authentication methods and devices.
  • The 3rd Generation Partnership Project (3GPP) has specified a number of mobile network procedures, among them the Authentication and Key Agreement procedure (AKA), by which user equipment (UE) and the network authenticate each other and establish a shared key.
  • In the AKA procedure, when a terminal device receives an authentication request message from the network, it verifies the network authentication token (AUTN) carried in that message. If verification fails, it responds with an authentication failure message that carries a failure cause parameter (CAUSE).
  • If the message authentication code in AUTN (MAC) differs from the value the terminal computes itself (XMAC), the failure cause is MAC Failure: the terminal has failed to authenticate the network. If MAC equals XMAC, the terminal has authenticated the network and then checks whether the network sequence number (SQN) recovered from AUTN is greater than the terminal sequence number (SQNms). If SQN is less than or equal to SQNms, the result is a synchronization failure (Sync Failure); the terminal then returns a user authentication failure message to the network side, and that message carries SQNms (inside the resynchronisation token AUTS).
  • An attacker can exploit this mechanism by replaying a legitimate authentication request (AUTN, RAND) that has already been used: the terminal's verification then yields a synchronization failure, and SQNms is carried in the user authentication failure response message. The standard AUTS conceals SQNms only with a mask derived from RAND under the root key (F5*K), so every replay of the same RAND applies the same mask, and an attacker who collects several such failure responses can observe how SQNms changes over time.
  • An embodiment of the present application provides a method for sending a terminal sequence number, which includes: authenticating a received user authentication request message and, when the failure cause of that authentication is a synchronization failure, computing a terminal-side authentication token that contains the terminal sequence number; encrypting the terminal-side authentication token to obtain its ciphertext; and returning a user authentication failure response message that carries the ciphertext of the terminal-side authentication token.
  • An embodiment of the present application provides an authentication method, including: receiving a user authentication failure response message whose failure cause is a synchronization failure and which also carries the ciphertext of a terminal-side authentication token; decrypting the ciphertext to obtain the terminal-side authentication token; and using the terminal sequence number contained in the terminal-side authentication token to reset the network sequence number.
  • An embodiment of the present application provides an apparatus for sending a terminal sequence number, including: a token calculation module, configured to authenticate a received user authentication request message and, when the failure cause is a synchronization failure, compute a terminal-side authentication token containing the terminal sequence number; an encryption module, configured to encrypt the terminal-side authentication token to obtain its ciphertext; and a feedback module, configured to return a user authentication failure response message carrying the ciphertext of the terminal-side authentication token.
  • An embodiment of the present application provides an authentication device, including: a receiving module, configured to receive a user authentication failure response message whose failure cause is a synchronization failure and which also carries the ciphertext of a terminal-side authentication token; a decryption module, configured to decrypt the ciphertext to obtain the terminal-side authentication token; and a reset module, configured to reset the network sequence number using the terminal sequence number contained in the terminal-side authentication token.
  • An embodiment of the present application provides a terminal device for sending a terminal sequence number, including a processor and a memory; the memory stores instructions, and the processor is configured to read the instructions and execute any of the methods for sending a terminal sequence number described here.
  • An embodiment of the present application also provides a network device for authentication, including a processor and a memory; the memory stores instructions, and the processor is configured to read the instructions and execute any of the authentication methods described here.
  • An embodiment of the present application provides a communication system including the aforementioned terminal device and network device.
  • An embodiment of the present application provides a storage medium storing a computer program which, when executed by a processor, implements any one of the methods for sending a terminal sequence number or the authentication methods.
  • In these embodiments the terminal-side authentication token containing the terminal sequence number is computed and encrypted, and the encrypted token is carried in the returned user authentication failure response message. An attacker who does not hold the key cannot recover the terminal sequence number from the ciphertext, which reduces the risk of the terminal sequence number being exposed.
  • FIG. 1 is a schematic flowchart of a method for sending a terminal sequence number according to an embodiment of this application.
  • FIG. 2 is a schematic diagram of a network architecture to which an embodiment of this application applies.
  • FIG. 3 is a first schematic flow diagram of an authentication method provided by an embodiment of this application.
  • FIG. 4 is a second schematic flow diagram of an authentication method provided by an embodiment of this application.
  • FIG. 5 is a schematic diagram of the interaction between a terminal device and a network device according to an embodiment of this application.
  • FIG. 6 is a schematic structural diagram of an apparatus for sending a terminal sequence number provided by an embodiment of this application.
  • FIG. 7 is a schematic structural diagram of an authentication device provided by an embodiment of this application.
  • FIG. 8 is a schematic structural diagram of a terminal device for sending a terminal sequence number according to an embodiment of this application.
  • FIG. 9 is a schematic structural diagram of a network device for authentication provided by an embodiment of this application.
  • FIG. 10 is a schematic structural diagram of a communication system provided by an embodiment of this application.
  • FIG. 1 shows the implementation flow of the method, which includes:
  • S12: Encrypt the terminal-side authentication token to obtain the ciphertext of the terminal-side authentication token.
  • The network architecture includes terminal equipment, a base station, an authentication function, an authentication service function and a subscription data management function.
  • The base station provides the terminal equipment with communication and the other services offered by the mobile network; it may be an evolved NodeB (eNB) or a next generation NodeB (gNB).
  • The authentication function is a software function or hardware device in the core network of the mobile network; it exchanges signalling with the base station so that the mobile network and the terminal device can authenticate each other.
  • The authentication function may be a Mobility Management Entity (MME), a Security Anchor Function (SEAF) or an Access and Mobility Management Function (AMF).
  • The authentication service function connects to the subscription data management function over a signalling interface, obtains the key material associated with the user, and provides it to the authentication function over a signalling interface.
  • The authentication service function may be an Authentication Server Function (AUSF).
  • The subscription data management function stores and processes user-related data, generates the information used to authenticate the user and the user's key material from that data, and provides them to the authentication service function over the signalling interface.
  • The subscription data management function may be a Unified Data Management function (UDM).
  • The authentication service function may be co-located with the subscription data management function.
  • Computing the terminal-side authentication token containing the terminal sequence number in step S11 includes: computing the terminal-side authentication token from the random number (RAND) carried in the user authentication request message, the terminal sequence number, and the authentication management field parameter.
  • In one variant, encrypting the terminal-side authentication token includes obtaining a key K_AUSF and using K_AUSF to encrypt the terminal-side authentication token. K_AUSF is obtained as follows: if K_AUSF exists in the user context information, it is taken from the user context information; if it does not, K_AUSF is either computed or set to a preset fixed value. K_AUSF is computed by deriving it from F3K and F4K, where F3K and F4K are key derivation functions keyed with the root key K.
  • When K_AUSF is obtained by computation, the user authentication failure response message additionally carries a marker indicating that K_AUSF was computed.
  • In another variant, encrypting the terminal-side authentication token includes determining a key K_AUSF* and using K_AUSF* to encrypt the terminal-side authentication token.
  • K_AUSF* is determined as follows: if K_AUSF exists in the user context information, it is taken from the user context information and a key generation function is applied to K_AUSF and RAND to obtain K_AUSF*; if K_AUSF does not exist in the user context information, K_AUSF is computed and the key generation function is applied to K_AUSF and RAND to obtain K_AUSF*. K_AUSF is computed by deriving it from F3K and F4K, where F3K and F4K are key derivation functions keyed with the root key K.
  • When K_AUSF is obtained by computation, the user authentication failure response message additionally carries a marker indicating that K_AUSF was computed.
  • FIG. 3 is the first schematic flow diagram of the authentication method proposed in an embodiment of this application; the method includes:
  • S31: Receive a user authentication failure response message whose failure cause is a synchronization failure and which also carries the ciphertext of the terminal-side authentication token.
  • S32: Decrypt the ciphertext of the terminal-side authentication token to obtain the terminal-side authentication token.
  • The authentication method proposed in this embodiment can be applied to a network device, for example one in which the authentication service function and the subscription data management function of the architecture in FIG. 2 are combined.
  • Such a network device is referred to below as the authentication service function/subscription data management function.
  • In the first variant, decrypting the ciphertext of the terminal-side authentication token includes: if the user authentication failure response message also carries a marker, obtaining the temporarily stored key K_AUSF and using it to decrypt the ciphertext; if the message does not carry a marker, obtaining the persistently stored K_AUSF, or setting K_AUSF to the preset fixed value, and using that K_AUSF to decrypt the ciphertext of the terminal-side authentication token.
  • In the second variant, decrypting the ciphertext of the terminal-side authentication token includes: if the user authentication failure response message also carries a marker, obtaining the temporarily stored K_AUSF, applying the key generation function to K_AUSF and the random number RAND to obtain K_AUSF*, and using K_AUSF* to decrypt the ciphertext; if the message does not carry the marker, obtaining the persistently stored K_AUSF, applying the key generation function to K_AUSF and RAND to obtain K_AUSF*, and using K_AUSF* to decrypt the ciphertext of the terminal-side authentication token.
  • FIG. 4 is the second schematic flow diagram of an authentication method proposed in an embodiment of this application.
  • The method further includes:
  • S44: Use the reset network sequence number to generate an authentication request response message, and send the authentication request response message.
  • The authentication method proposed in this embodiment obtains or generates the key K_AUSF*, uses K_AUSF* to decrypt the ciphertext of the terminal-side authentication token received from the terminal device, and extracts the terminal sequence number from the recovered terminal-side authentication token.
  • In what follows, the terminal-side authentication token is abbreviated AUTS, the terminal sequence number SQNms, and the network sequence number SQN.
  • FIG. 5 shows the interaction between the terminal device and the network device according to an embodiment of this application.
  • The interaction includes the following steps:
  • Step 501: The terminal device sends a registration request message to the base station.
  • The registration request message carries the cell identity and the user security capability, and carries either a Subscription Concealed Identifier (SUCI) or a 5G Globally Unique Temporary UE Identity (5G-GUTI).
  • Step 502: The base station forwards the registration request message to authentication function 1; the message carries the cell identity, the user security capability, and the SUCI or 5G-GUTI.
  • Step 503: If the user identity carried in the registration request message is a 5G-GUTI, authentication function 1 sends a user context request message, carrying the 5G-GUTI, to the authentication function 2 identified by the AMF identity contained in the 5G-GUTI. Authentication function 2 returns a user context request response message to authentication function 1 that carries the user context.
  • The user context includes at least the Subscription Permanent Identifier (SUPI) and the user security context.
  • Step 504: If the user identity carried in the registration request message is a SUCI, or step 503 fails, or the authentication function needs to start an AKA authentication procedure, authentication function 1 sends an authentication request message to the authentication service function/subscription data management function.
  • The authentication request message carries the SUCI or the SUPI.
  • Step 505: The subscription data management function decrypts the SUCI to obtain the SUPI, or directly extracts the SUPI carried in the authentication request message. It looks up the user's subscription parameters by SUPI and extracts the root key K from them.
  • The subscription data management function generates the home authentication vector (RAND, AUTN, XRES* and K_AUSF) from the root key K, where:
  • RAND is a random number;
  • "||" denotes concatenation; AMF here denotes the Authentication Management Field (not the Access and Mobility Management Function of FIG. 2); MAC = F1K(SQN || RAND || AMF); the anonymity key AK = F5K(RAND) masks SQN inside AUTN, which is assembled as (SQN ⊕ AK) || AMF || MAC as in 3GPP AKA;
  • XRES* = F2K(RAND);
  • K_AUSF is derived from the outputs of F3K and F4K;
  • F1K, F2K, F3K, F4K and F5K are key derivation functions keyed with K.
  • The subscription data management function delivers the home authentication vector (RAND, AUTN, XRES* and K_AUSF) and the SUPI to the authentication service function.
  • The authentication service function stores (RAND, AUTN, XRES*) and the SUPI from the home authentication vector, and stores the K_AUSF from the home authentication vector only temporarily. (If an earlier authentication procedure succeeded, the authentication service function already holds an old K_AUSF in persistent storage.)
  • The authentication service function hashes XRES* to obtain HXRES* and derives K_SEAF from K_AUSF, yielding the authentication vector (RAND, AUTN, HXRES* and K_SEAF).
  • The authentication service function sends an authentication request response message carrying AUTN, RAND and HXRES* to authentication function 1.
  • Step 506: Authentication function 1 sends a user authentication request message carrying AUTN and RAND to the terminal device.
  • Step 507: On receiving RAND and AUTN, the terminal device recovers SQN and computes XMAC using the functions of step 505. If MAC equals XMAC, it checks whether the SQN in AUTN is less than or equal to SQNms; if so, the authentication failure cause is recorded as a synchronization failure (Sync failure).
  • The terminal then computes AUTS from SQNms, RAND and AMF using F1*K and F5*K, which are key derivation functions keyed with K.
  • In the first variant, the terminal device checks the user context; if K_AUSF is present in the user context, K_AUSF is used to encrypt AUTS.
  • The encryption is written S = KDF(AUTS, K_AUSF), where S is the ciphertext of AUTS and KDF is the key generation function. Since the network must later recover AUTS from S, the function used here has to be an invertible keyed transformation (a cipher keyed with K_AUSF), not a one-way derivation.
  • The terminal device sends a user authentication failure response message to authentication function 1; the message carries S and may also carry the failure cause value "Sync failure".
  • If K_AUSF does not exist in the user context, the terminal computes K_AUSF as in step 505 and uses K_AUSF to encrypt AUTS.
  • Again S = KDF(AUTS, K_AUSF), where S is the ciphertext of AUTS.
  • The terminal device sends a user authentication failure response message to authentication function 1.
  • The message carries S, and may also carry the failure cause value "Sync failure" and a flag. The flag marks that K_AUSF was computed by the terminal.
  • Alternatively, if K_AUSF does not exist in the user context, the terminal sets K_AUSF to a preset fixed value (for example, every bit of K_AUSF set to 0) and uses that K_AUSF to encrypt AUTS. A fixed value is known to anyone who knows the scheme, so in this fallback S gives no confidentiality for SQNms; it only keeps the message format uniform until a real K_AUSF exists.
  • S is then the ciphertext of AUTS, computed as above.
  • The terminal device sends a user authentication failure response message to authentication function 1; the message carries S and may also carry the failure cause value "Sync failure".
  • In the second variant, a key generation function is applied to the K_AUSF obtained above and RAND to produce a new key K_AUSF*, and K_AUSF* is used to encrypt AUTS. Binding the encryption key to RAND gives each challenge its own key.
  • The terminal device sends a user authentication failure response message to authentication function 1; the message carries S and may also carry the failure cause value "Sync failure". If K_AUSF was obtained by computation, the message also carries a flag marking that K_AUSF was computed.
  • Step 508: After receiving the user authentication failure response message, authentication function 1 sends an authentication request message to the authentication service function/subscription data management function according to the failure cause value "Sync failure".
  • The authentication request message carries S, or carries S together with the flag.
  • Step 509: In the first variant, if the authentication request message does not carry the flag, the authentication service function decrypts S with the persistently stored old K_AUSF, or with the fixed value of K_AUSF (for example, every bit 0), to obtain AUTS. If the message carries the flag, the authentication service function decrypts S with the temporarily stored K_AUSF to obtain AUTS.
  • In the second variant, if the message does not carry the flag, the authentication service function takes the persistently stored old K_AUSF, applies the key generation function to K_AUSF and RAND to obtain the new key K_AUSF*, and decrypts S with K_AUSF* to obtain AUTS. If the message carries the flag, it takes the temporarily stored K_AUSF, applies the key generation function to K_AUSF and RAND to obtain K_AUSF*, and decrypts S with K_AUSF* to obtain AUTS.
  • The authentication service function then requests a new authentication vector from the subscription data management function, which resets SQN according to the SQNms in AUTS.
  • The authentication service function/subscription data management function recomputes the authentication vector as in step 505 and sends an authentication request response message carrying the newly computed AUTN, RAND and HXRES* to authentication function 1. If authentication succeeds, the authentication service function moves the temporarily stored K_AUSF to persistent storage, overwriting the old K_AUSF; from then on the authentication service function holds only one K_AUSF.
  • In this embodiment the terminal device sends the AUTS containing SQNms to the network side in encrypted form. An attacker who does not hold K_AUSF cannot decrypt S, so the risk of SQNms being exposed is reduced.
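  • The following Python model is added here as an illustration of steps 505 to 509 and of the terminal-side and network-side methods described above; it is not code from the patent or from 中兴通讯股份有限公司. It runs the K_AUSF* variant on both paths (K_AUSF taken from the UE context with no flag, and K_AUSF computed by the UE with the flag set), then replays one (RAND, AUTN) to show what encrypting AUTS buys. Every cryptographic function is an assumption: truncated HMAC-SHA256 stands in for F1K..F5K, F1*K and F5*K (the real functions are the operator's MILENAGE or TUAK), the key generation function is HMAC-SHA256, and the page's invertible KDF(AUTS, key) is modelled as an HMAC-based authenticated stream encryption with a random nonce. The root key, AMF, RAND and sequence numbers are constructed values.

```python
import hashlib
import hmac
import os

SQN_LEN, AMF_LEN, MAC_LEN = 6, 2, 8  # 3GPP widths: 48-bit SQN, 16-bit AMF, 64-bit MAC

def f(tag, k, data, n):
    """Stand-in for F1..F5 / F1* / F5* keyed with root key K (assumed: HMAC-SHA256)."""
    return hmac.new(k, tag + data, hashlib.sha256).digest()[:n]

def kdf(key, label):
    """Generic key generation function (assumed: HMAC-SHA256)."""
    return hmac.new(key, label, hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def derive_k_ausf(k, rand):
    """K_AUSF from the F3K (CK) and F4K (IK) outputs; UDM and UE compute it identically."""
    return kdf(f(b"f3", k, rand, 16) + f(b"f4", k, rand, 16), b"K_AUSF" + rand)

def home_av(k, sqn_net, amf, rand):
    """Step 505 (UDM): AUTN = (SQN xor AK) || AMF || MAC, plus K_AUSF (XRES* omitted)."""
    mac = f(b"f1", k, sqn_net + rand + amf, MAC_LEN)
    return xor(sqn_net, f(b"f5", k, rand, SQN_LEN)) + amf + mac, derive_k_ausf(k, rand)

def build_auts(k, sqn_ms, rand, amf):
    """AUTS = (SQNms xor AK*) || MAC-S, computed from RAND, SQNms and AMF."""
    return xor(sqn_ms, f(b"f5*", k, rand, SQN_LEN)) + f(b"f1*", k, sqn_ms + rand + amf, MAC_LEN)

def ue_verify(k, sqn_ms, rand, autn):
    """Step 507 (UE): ('ok', sqn), ('mac_failure', None) or ('sync_failure', auts)."""
    sqn_ak, amf, mac = autn[:SQN_LEN], autn[SQN_LEN:SQN_LEN + AMF_LEN], autn[SQN_LEN + AMF_LEN:]
    sqn_net = xor(sqn_ak, f(b"f5", k, rand, SQN_LEN))
    if not hmac.compare_digest(mac, f(b"f1", k, sqn_net + rand + amf, MAC_LEN)):
        return "mac_failure", None
    if sqn_net <= sqn_ms:  # the page's rule: SQN <= SQNms is a Sync failure
        return "sync_failure", build_auts(k, sqn_ms, rand, amf)
    return "ok", sqn_net

def k_ausf_star(k_ausf, rand):
    """K_AUSF* = KDF(K_AUSF, RAND): a per-challenge key for the AUTS ciphertext."""
    return kdf(k_ausf, b"K_AUSF*" + rand)

def encrypt_auts(k_star, auts, nonce=None):
    """S = nonce || (AUTS xor keystream) || tag: assumed HMAC-based authenticated encryption
    standing in for the page's invertible KDF(AUTS, key). A fresh nonce per message keeps
    replays of one RAND from producing XOR-related ciphertexts."""
    nonce = os.urandom(16) if nonce is None else nonce
    ct = xor(auts, hmac.new(k_star, b"enc" + nonce, hashlib.sha256).digest())
    return nonce + ct + hmac.new(k_star, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]

def decrypt_auts(k_star, s):
    nonce, ct, tag = s[:16], s[16:-16], s[-16:]
    if not hmac.compare_digest(tag, hmac.new(k_star, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("AUTS ciphertext failed authentication")
    return xor(ct, hmac.new(k_star, b"enc" + nonce, hashlib.sha256).digest())

def ausf_recover_auts(k_old, k_tmp, flag, s, rand):
    """Step 509 (AUSF): flag set -> temporarily stored K_AUSF, else the persistent old one."""
    return decrypt_auts(k_ausf_star(k_tmp if flag else k_old, rand), s)

def udm_reset_sqn(k, auts, rand, amf):
    """UDM: unmask SQNms with F5*K, verify MAC-S, return the value SQN is reset to."""
    sqn_ms = xor(auts[:SQN_LEN], f(b"f5*", k, rand, SQN_LEN))
    if not hmac.compare_digest(auts[SQN_LEN:], f(b"f1*", k, sqn_ms + rand + amf, MAC_LEN)):
        raise ValueError("MAC-S mismatch")
    return sqn_ms

K, AMF, RAND = bytes(range(16)), b"\x80\x00", bytes(range(16, 32))  # constructed, not real

def sqn(n):
    return n.to_bytes(SQN_LEN, "big")

def resync_flow(ue_has_k_ausf):
    """Steps 505-509 for a stale AV, with or without K_AUSF in the UE context."""
    k_old = kdf(b"previous run", b"K_AUSF")          # persistent K_AUSF at AUSF and in UE context
    autn, k_tmp = home_av(K, sqn(5), AMF, RAND)      # AUSF keeps k_tmp only temporarily
    status, auts = ue_verify(K, sqn(7), RAND, autn)  # SQN=5 <= SQNms=7: Sync failure
    if status != "sync_failure":
        raise RuntimeError(status)
    if ue_has_k_ausf:                                # key taken from the context, no flag
        k_ue, flag = k_old, False
    else:                                            # derived from F3K/F4K, flag set
        k_ue, flag = derive_k_ausf(K, RAND), True
    s = encrypt_auts(k_ausf_star(k_ue, RAND), auts)
    return udm_reset_sqn(K, ausf_recover_auts(k_old, k_tmp, flag, s, RAND), RAND, AMF)

def replay_delta(a, b, same_nonce):
    """One (RAND, AUTN) replayed at SQNms=a and at SQNms=b: returns the XOR of the two plain
    AUTS SQN fields and the XOR of the two ciphertexts' SQN fields."""
    autn, k_ausf = home_av(K, sqn(1), AMF, RAND)
    auts_a, auts_b = ue_verify(K, sqn(a), RAND, autn)[1], ue_verify(K, sqn(b), RAND, autn)[1]
    k_star = k_ausf_star(k_ausf, RAND)
    n_b = bytes(16) if same_nonce else b"\x01" + bytes(15)
    s_a, s_b = encrypt_auts(k_star, auts_a, bytes(16)), encrypt_auts(k_star, auts_b, n_b)
    return xor(auts_a[:SQN_LEN], auts_b[:SQN_LEN]), xor(s_a[16:16 + SQN_LEN], s_b[16:16 + SQN_LEN])
```

  • Calling resync_flow(True) and resync_flow(False) both return the UE's SQNms, so the network resets SQN correctly whichever K_AUSF the flag selects. replay_delta makes the caveat concrete: with the standard AUTS, the XOR of the SQN fields of two failure responses to the same replayed RAND equals SQNms_a ⊕ SQNms_b, because AK* = F5*K(RAND) does not change between replays. The encrypted form hides that relation only when the keystream differs per message; reusing a nonce, or any deterministic construction keyed solely by K_AUSF* and RAND, reproduces the leak exactly. The design of the function behind S therefore matters as much as the choice of key.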
  • An embodiment of this application also proposes an apparatus for sending a terminal sequence number, shown in FIG. 6, which includes: a token calculation module 610, configured to authenticate a received user authentication request message and, when the failure cause is a synchronization failure, compute the terminal-side authentication token containing the terminal sequence number; an encryption module 620, configured to encrypt the terminal-side authentication token to obtain its ciphertext; and a feedback module 630, configured to return a user authentication failure response message carrying the ciphertext of the terminal-side authentication token.
  • The token calculation module 610 is configured to compute the terminal-side authentication token from the random number RAND carried in the user authentication request message, the terminal sequence number and the authentication management field parameter.
  • In the first variant, the encryption module 620 includes a first key acquisition submodule and an encryption submodule. The first key acquisition submodule obtains K_AUSF from the user context information when K_AUSF exists there, and otherwise computes K_AUSF or sets it to a preset fixed value; K_AUSF is computed by deriving it from F3K and F4K, key derivation functions keyed with the root key K. The encryption submodule encrypts the terminal-side authentication token with K_AUSF.
  • In the second variant, the first key acquisition submodule obtains K_AUSF from the user context information when it exists there, and otherwise computes it (again from F3K and F4K keyed with K); in both cases it then applies the key generation function to K_AUSF and RAND to obtain K_AUSF*. The encryption submodule encrypts the terminal-side authentication token with K_AUSF*.
  • When K_AUSF was computed, the user authentication failure response message returned by the feedback module 630 also carries a marker indicating that K_AUSF was computed.
  • The apparatus for sending a terminal sequence number may be a terminal device.
  • the embodiment of the present application also proposes an authentication device, as shown in FIG. 7 is a schematic diagram of the device structure, including: a receiving module 710, configured to receive a user authentication failure response message, the user authentication failure response message carrying the failure reason is synchronization failure, The user authentication failure response message also carries the ciphertext of the terminal-side authentication token; the decryption module 720 is configured to decrypt the ciphertext of the terminal-side authentication token to obtain the terminal-side authentication token; the reset module 730, It is used to reset the network serial number by using the terminal serial number contained in the terminal side authentication token.
  • the decryption module 720 includes a second key acquisition submodule and a decryption submodule. The second key acquisition submodule is configured to obtain the temporarily stored key K_AUSF when the user authentication failure response message carries a marker, and to obtain the permanently stored key K_AUSF or set the key K_AUSF to a preset fixed value when the user authentication failure response message does not carry a marker. The decryption submodule is configured to decrypt the ciphertext of the terminal-side authentication token using the key K_AUSF.
  • the second key acquisition submodule is configured to obtain the temporarily stored key K_AUSF when the user authentication failure response message also carries a marker, and to calculate the key K_AUSF* from the key K_AUSF and the random number RAND using the key generation function; when the user authentication failure response message does not carry the marker, it obtains the fixed key K_AUSF and calculates the key K_AUSF* from the key K_AUSF and the random number RAND using the key generation function. The decryption submodule is configured to decrypt the ciphertext of the terminal-side authentication token using the key K_AUSF*.
  • the device further includes a saving module 740 for temporarily saving the key K_AUSF in the home authentication vector.
  • the saving module 740 is further configured to change the temporarily stored key K_AUSF to permanent storage when the authentication succeeds.
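The key-selection rule of the terminal-side encryption module and the network-side decryption module (K_AUSF from the user context or freshly derived, the marker, K_AUSF* from K_AUSF and RAND, and the network choosing the temporarily or permanently stored K_AUSF), as an added example that is not part of the patent. It assumes HMAC-SHA256 stands in for F3K, F4K and the key generation function, a constructed XOR-keystream-plus-tag cipher since the page names no cipher, and that the home network computes the vector's K_AUSF the same way the terminal does.

```python
import hmac
import hashlib

def kdf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 stands in for the page's key derivation / generation functions (assumption)."""
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        h.update(p)
    return h.digest()

def derive_k_ausf(root_key: bytes) -> bytes:
    """K_AUSF derived from root key K with F3K and F4K; how their outputs combine is assumed."""
    return kdf(kdf(root_key, b"F3K") + kdf(root_key, b"F4K"), b"K_AUSF")

def terminal_select_key(user_context: dict, root_key: bytes, rand: bytes):
    """Terminal: take K_AUSF from the user context if present, else derive it and set the marker."""
    if "K_AUSF" in user_context:
        k_ausf, marker = user_context["K_AUSF"], False
    else:
        k_ausf, marker = derive_k_ausf(root_key), True
    return kdf(k_ausf, b"K_AUSF*", rand), marker      # K_AUSF* = KGF(K_AUSF, RAND)

def network_select_key(marker: bool, temp_k_ausf: bytes, stored_k_ausf: bytes, rand: bytes):
    """Network: marker -> temporarily stored K_AUSF of the fresh vector, else the permanent one."""
    return kdf(temp_k_ausf if marker else stored_k_ausf, b"K_AUSF*", rand)

def seal(key: bytes, rand: bytes, token: bytes) -> bytes:
    """Constructed cipher (the page names none): HMAC keystream XOR token, plus an 8-byte tag."""
    ks = kdf(key, b"enc", rand)
    assert len(token) <= len(ks), "token longer than one keystream block"
    ct = bytes(a ^ b for a, b in zip(token, ks))
    return ct + kdf(key, b"mac", rand, ct)[:8]

def open_token(key: bytes, rand: bytes, blob: bytes) -> bytes:
    """Reject the ciphertext unless the tag verifies under the key the network selected."""
    ct, tag = blob[:-8], blob[-8:]
    if not hmac.compare_digest(tag, kdf(key, b"mac", rand, ct)[:8]):
        raise ValueError("terminal-side authentication token ciphertext rejected")
    return bytes(a ^ b for a, b in zip(ct, kdf(key, b"enc", rand)))

def resync(user_context: dict, root_key: bytes, rand: bytes, sqn_ms: int,
           temp_k_ausf: bytes, stored_k_ausf: bytes) -> int:
    """One synchronization-failure round trip; returns the serial number the network resets to."""
    key, marker = terminal_select_key(user_context, root_key, rand)
    sqn = sqn_ms.to_bytes(6, "big")
    token = sqn + kdf(root_key, b"MAC-S", rand, sqn)[:8]   # terminal-side token: SQN_MS || MAC-S
    blob = seal(key, rand, token)           # carried in the user authentication failure response
    net_key = network_select_key(marker, temp_k_ausf, stored_k_ausf, rand)
    return int.from_bytes(open_token(net_key, rand, blob)[:6], "big")
```

A network that picks the wrong stored key (for instance, ignoring the marker) fails the tag check instead of resetting its serial number to garbage.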
  • FIG. 8 is a schematic structural diagram of a terminal device for sending a terminal serial number according to an embodiment of the application.
  • the terminal device 80 provided in an embodiment of the application includes a memory 803 and a processor 804.
  • the terminal device 80 may also include an interface 801 and a bus 802.
  • the interface 801, the memory 803, and the processor 804 are connected through a bus 802.
  • the memory 803 is used to store instructions.
  • the processor 804 is configured to read the instructions to execute the technical solutions of the foregoing method embodiments applied to the terminal device.
  • the implementation principles and technical effects are similar, and details are not described herein again.
  • FIG. 9 is a schematic structural diagram of a network device for authentication provided in an embodiment of the application.
  • the network device 90 provided in an embodiment of the application includes a memory 903 and a processor 904.
  • the network device 90 may further include an interface 901 and a bus 902.
  • the interface 901, the memory 903, and the processor 904 are connected through a bus 902.
  • the memory 903 is used to store instructions.
  • the processor 904 is configured to read the instructions to execute the technical solutions of the foregoing method embodiments applied to network devices. The implementation principles and technical effects are similar, and will not be repeated here.
  • FIG. 10 is a schematic structural diagram of a communication system provided by an embodiment of the application. As shown in FIG. 10, the system includes the terminal device 80 of the above-mentioned embodiment and the network device 90 of the above-mentioned embodiment; an authentication function node may also be located between the terminal device 80 and the network device 90.
  • the present application provides a storage medium that stores a computer program that, when executed by a processor, implements the method for sending a terminal serial number or the authentication method in the foregoing embodiment.
  • this application can be provided as methods, systems, or computer program products. Therefore, this application may adopt the form of hardware embodiments, software embodiments, or embodiments combining software and hardware. Moreover, this application may adopt the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, optical storage, etc.) including computer-usable program code.
  • These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, and the instruction device implements the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
  • These computer program instructions may also be loaded onto a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, and the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention relates to a method and apparatus for sending a terminal sequence number and to an authentication method and apparatus. The method for sending a terminal sequence number comprises the following steps: performing authentication in response to a received user authentication request message and, in response to the authentication result indicating an authentication failure caused by a synchronization failure, computing a terminal-side authentication token comprising a terminal sequence number; encrypting the terminal-side authentication token to obtain the ciphertext of the terminal-side authentication token; and returning a user authentication failure response message carrying the ciphertext of the terminal-side authentication token.
PCT/CN2020/087517 2019-04-28 2020-04-28 Method and apparatus for sending a terminal sequence number, and authentication method and apparatus WO2020221252A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910351367.0A CN110536292A (zh) 2019-04-28 2019-04-28 Method and apparatus for sending a terminal serial number, and authentication method and apparatus
CN201910351367.0 2019-04-28

Publications (1)

Publication Number Publication Date
WO2020221252A1 true WO2020221252A1 (fr) 2020-11-05

Family

ID=68659648

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/087517 WO2020221252A1 (fr) 2019-04-28 2020-04-28 Method and apparatus for sending a terminal sequence number, and authentication method and apparatus

Country Status (2)

Country Link
CN (1) CN110536292A (fr)
WO (1) WO2020221252A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114205819A (zh) * 2021-12-10 2022-03-18 中国电信股份有限公司 QoS invocation method and apparatus based on hybrid networking, and electronic device

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111641498B (zh) * 2019-03-01 2022-12-20 中兴通讯股份有限公司 Key determination method and apparatus
CN110536292A (zh) * 2019-04-28 2019-12-03 中兴通讯股份有限公司 Method and apparatus for sending a terminal serial number, and authentication method and apparatus
CN113556733B (zh) * 2020-04-14 2023-09-22 大唐移动通信设备有限公司 Subscription concealed identifier generation and decryption method and related apparatus
CN111628985A (zh) * 2020-05-22 2020-09-04 深圳市有方科技股份有限公司 Secure access control method and apparatus, computer device and storage medium
CN114040387B (zh) * 2020-07-21 2024-06-04 中国移动通信有限公司研究院 Attack message determination method, apparatus and device
CN116569516A (zh) * 2020-09-30 2023-08-08 中兴通讯股份有限公司 Method for preventing leakage of a mobile terminal's authentication sequence number
CN113596824A (zh) * 2021-07-30 2021-11-02 深圳供电局有限公司 Encryption method for authentication-failure plaintext information in the 5G security protocol
CN114124513B (zh) * 2021-11-18 2024-01-30 中国电信股份有限公司 Identity authentication method, system, apparatus, electronic device and readable medium
CN115002750A (zh) * 2022-05-25 2022-09-02 中国电信股份有限公司 Communication authentication method and related device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1859712A (zh) * 2005-08-02 2006-11-08 华为技术有限公司 Synchronization attack protection method and corresponding authentication method
US20090061820A1 (en) * 2007-08-27 2009-03-05 Sarvar Patel Method and system of communication using extended sequence number
CN103560879A (zh) * 2013-10-09 2014-02-05 中国科学院信息工程研究所 Implementation method for lightweight authentication and key agreement
CN108768632A (zh) * 2018-05-29 2018-11-06 如般量子科技有限公司 AKA identity authentication system and method based on a symmetric key pool and relay communication
CN110536292A (zh) * 2019-04-28 2019-12-03 中兴通讯股份有限公司 Method and apparatus for sending a terminal serial number, and authentication method and apparatus

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
QUALCOMM INCORPORATED: "Modifying AKA to provide freshness for the protection of SQN in the case of re-synchronisations", 3GPP DRAFT; S3-190375, 1 February 2019 (2019-02-01), Kochi (India), pages 1 - 1, XP051611640 *
ZTE CORPORATION: "Handling of Sync failure for 5G AKA", 3GPP DRAFT; S3-191200, 10 May 2019 (2019-05-10), Reno (US), pages 1 - 4, XP051721374 *

Also Published As

Publication number Publication date
CN110536292A (zh) 2019-12-03

Similar Documents

Publication Publication Date Title
WO2020221252A1 (fr) Method and apparatus for sending a terminal sequence number, and authentication method and apparatus
US11228442B2 (en) Authentication method, authentication apparatus, and authentication system
US10638321B2 (en) Wireless network connection method and apparatus, and storage medium
CN110049492B (zh) Communication method, core network element, terminal device and storage medium
US11075752B2 (en) Network authentication method, and related device and system
EP2868029B1 (fr) Key agreement for wireless communication
KR102112542B1 (ko) Session key generation method and system using the Diffie-Hellman procedure
EP3328108A1 (fr) Authentication method, re-authentication method and communication apparatus
CA2983550A1 (fr) Devices and methods for client device authentication
US11159940B2 (en) Method for mutual authentication between user equipment and a communication network
CN108012266B (zh) Data transmission method and related device
US20200275268A1 (en) Communication method and communications apparatus
CN111641498B (zh) Key determination method and apparatus
CN108809903B (zh) Authentication method, apparatus and system
JP7237200B2 (ja) Parameter transmission method and apparatus
WO2020133543A1 (fr) Communication method and related product
CN111565169B (zh) Cloud-edge-terminal authentication method under a mobile edge computing architecture, electronic device and storage medium
EP3413508A1 (fr) Devices and methods for authenticating a client device
WO2017009714A1 (fr) Establishing a temporary subscription with an isolated E-UTRAN network
WO2019024937A1 (fr) Key negotiation method, apparatus and system
WO2018126750A1 (fr) Key provisioning method and device
CN116347432A (zh) Network authentication method, apparatus, terminal and network-side device
WO2020037957A1 (fr) Client registration method, apparatus and system
KR20150135715A (ko) Apparatus and method for protecting user privacy in a mobile communication system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20799411

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20799411

Country of ref document: EP

Kind code of ref document: A1