WO2021088593A1

WO2021088593A1 - Verification method, device and equipment and computer readable storage medium

Info

Publication number: WO2021088593A1
Application number: PCT/CN2020/120327
Authority: WO
Inventors: 刘福文
Original assignee: 中国移动通信有限公司研究院; 中国移动通信集团有限公司
Priority date: 2019-11-06
Filing date: 2020-10-12
Publication date: 2021-05-14
Also published as: CN112839329B; CN112839329A

Abstract

The present disclosure relates to the technical field of communications. Disclosed are a verification method, device and equipment and a computer readable storage medium, for solving the problem of SUPI guessing attacks. The method comprises: performing an integrity operation on target information by using a shared key to obtain an integrity verification value; sending the integrity verification value to a first network element; and receiving a verification result of the first network element for the integrity verification value. The shared key is used between the first network element and a terminal.

Description

Verification method, device, equipment and computer readable storage medium

Cross-references to related applications

This application claims the priority of Chinese Patent Application No. 201911104767.8 filed in China on November 6, 2019, the entire content of which is incorporated herein by reference.

Technical field

The present disclosure relates to the field of communication technologies, and in particular, to a verification method, device, device, and computer-readable storage medium.

Background technique

The 5G security standard adopts an integrated encryption scheme (elliptic curve integrate encrypt scheme, ECIES) to protect the user's long-term identity (Subscription Permanent Identifier, SUPI) to protect user privacy.

ECIES encrypts SUPI so that the attacker cannot obtain the SUPI of User Equipment (UE) on the wireless air interface. However, the attacker can confirm whether the guessed SUPI is correct by guessing the value of SUPI and observing the feedback message of the Unified Data Management (UDM) entity. The above is called a SUPI guessing attack. The attacker can find out the entire SUPI database of a particular network by repeating the above attack several times. How to solve the SUPI guessing attack is the main research direction of related technical personnel.

Summary of the invention

The embodiments of the present disclosure provide a verification method, device, equipment, and computer-readable storage medium to solve the SUPI guessing attack.

In the first aspect, embodiments of the present disclosure provide a verification method applied to a terminal, including:

Use the shared key to perform integrity operations on the target information to obtain the integrity verification value;

Sending the integrity verification value to the first network element;

Receiving a verification result of the integrity verification value of the first network element;

Wherein, the shared key is a key used between the first network element and the terminal.

The shared key is an operator specific code (OPC) key or root key K that is commonly known to the first network element and the terminal; the integrity verification value is the first complete Sexual protection label;

The use of the shared key to perform an integrity operation on the target information to obtain an integrity verification value includes:

A global subscriber identity module (Universal Subscriber Identity Module, USIM) uses an integrity calculation function to perform calculations on the OPC key or root key K, first information, and second information to obtain the first integrity protection label;

The first information is an integrity key, and the second information is a result of encrypting SUPI with an encryption key.

Wherein, the shared key is the session root key KAUSF between the first network element and the terminal; the integrity verification value is a first integrity protection label;

The mobile end (Mobile End, ME) uses an integrity calculation function to perform calculations on the first information, the second information, and the session root key KAUSF key to obtain the first integrity protection label;

The first information is an integrity key, and the second information is a result of encrypting the user's permanent identity SUPI with an encryption key.

Wherein, the sending the integrity verification value to the first network element includes:

Send a subscriber hidden identifier (Subscription Concealed Identifier, SUCI) to the first network element, and carry the first integrity protection label in the SUCI.

Wherein, the shared key is an OPC key or a root key K commonly known by the first network element and the terminal; the integrity verification value is a second integrity protection label;

Wherein, the use of the shared key to perform an integrity operation on the target information to obtain an integrity verification value includes:

The USIM uses an integrity calculation function to perform calculations on the OPC key or root key K in the SUCI and the existing integrity protection label to obtain the second integrity protection label.

Wherein, the shared key is the session root key KAUSF between the first network element and the terminal; the integrity verification value is a second integrity protection label;

The ME uses the integrity operation function to perform operations on the existing integrity protection label in the SUCI and the session root key KAUSF between the two to obtain the second integrity protection label.

Sending the SUCI and the second integrity protection label to the first network element.

Wherein, the shared key is an OPC key or a root key K commonly known by the first network element and the terminal; the integrity verification value is a random number and a third integrity protection label;

Random number generated by USIM;

The USIM uses an integrity operation function to perform operations on the OPC key or root key K and the random number to obtain the third integrity protection label; or, use a predefined function to perform operations on the OPC secret The key and/or the root key K and the random number are operated to obtain the third integrity protection label.

Sending, by the ME, the SUCI, the random number, and the third integrity protection label to the first network element;

Wherein, the SUCI, the random number and the third integrity protection label are obtained by the ME by the USIM; or, the random number and the third integrity protection label are obtained by the ME Obtained by the USIM, and the SUCI is generated by the ME.

In the second aspect, embodiments of the present disclosure provide a verification method applied to a first network element, including:

Receive the integrity verification value sent by the terminal;

Verify the integrity verification value;

Sending a verification result of the integrity verification value to the terminal;

Wherein, the integrity verification value is obtained by performing an integrity operation on the target information using a shared key, and the shared key is a key used between the first network element and the terminal.

Wherein, the integrity verification value is a first integrity protection label;

The integrity verification value sent by the receiving terminal includes:

Receiving the SUCI sent by the terminal, and carrying the first integrity protection label in the SUCI.

Wherein, the shared key is an OPC key or a root key K that is commonly known to the first network element and the terminal; the verification of the integrity verification value includes:

Decrypt the SUCI to obtain SUPI;

Obtaining the OPC key or root key K according to the SUPI;

The OPC key or root key K, the third information, and the fourth information are calculated using the integrity calculation function to obtain the first calculation value; wherein, the third information is the integrity key, and the fourth The information is an encryption result of using an encryption key to encrypt the SUPI;

In the case that the first operation value is consistent with the first integrity protection label, the verification result is that the verification is passed; otherwise, the verification result is that the verification is not passed.

The verifying the integrity verification value includes:

Decrypt the SUCI to obtain SUPI;

Search the SUPI in the database;

If the SUPI is not found, the verification result is that the verification fails.

Wherein, the method further includes:

In the case of finding the SUPI, obtain the session root key KAUSF corresponding to the SUPI;

The fifth information, the sixth information, and the session root key KAUSF are calculated using the integrity calculation function to obtain the second calculation value; wherein, the fifth information is the integrity key, and the sixth information is the use An encryption result obtained by encrypting the SUPI by an encryption key;

In the case that the second operation value is consistent with the first integrity protection label, the verification result is that the verification is passed; otherwise, the verification result is that the verification is not passed.

Wherein, the integrity verification value is a second integrity protection label;

The integrity verification value sent by the receiving terminal includes:

Receiving the SUCI and the second integrity protection label sent by the terminal.

Wherein, the shared key is an OPC key or a root key K commonly known by the first network element and the terminal;

The verifying the integrity verification value includes:

Decrypt the SUCI to obtain SUPI and the second integrity protection label;

Obtaining the OPC key or root key K according to the SUPI;

Using an integrity calculation function to perform calculations on the OPC key or root key K and the integrity protection label carried in the SUCI to obtain a second calculation value;

In the case where the verification of the integrity protection label carried in the SUCI and the second operation value is passed, the verification result is that the verification is passed; otherwise, the verification result is that the verification is not passed.

Wherein, the shared key is the session root key KAUSF between the first network element and the terminal;

The verifying the integrity verification value includes:

Decrypt the SUCI to obtain SUPI;

Search the SUPI in the database;

Wherein, the method further includes:

Using an integrity operation function to perform operations on the integrity protection label carried in the SUCI and the session root key KAUSF to obtain a fourth operation value;

In the case where the verification of the integrity protection label carried in the SUCI and the fourth operation value is passed, the verification result is that the verification is passed; otherwise, the verification result is that the verification is not passed.

Wherein, the obtaining the session root key KAUSF corresponding to the SUPI includes:

Obtain the session root key KAUSF stored by the first network element itself; or

Obtain the session root key KAUSF from the second network element.

Wherein, the integrity verification value is a random number and a third integrity protection label;

The method also includes:

Receive the SUCI sent by the terminal.

The verifying the integrity verification value includes:

Obtain the random number;

Look up the random number in the database;

In the case where the random number is found, the verification result is that the verification fails.

Wherein, the method further includes:

If the random number is not found, decrypt the SUCI to obtain SUPI;

Obtaining the OPC key or root key K corresponding to the SUPI;

Operate the OPC key or root key K and the random number using an integrity operation function to obtain a fifth operation value; or use a predefined function to perform operations on the OPC key and/or root key K and Performing an operation on the random number to obtain a fifth operation value;

In the case that the third integrity protection label is consistent with the fifth operation value, the verification result is that the verification is passed; otherwise, the verification result is that the verification is not passed.

Wherein, the method further includes:

If the random number is not found, the random number is stored.

In a third aspect, embodiments of the present disclosure provide a verification device, which is applied to a terminal, and includes:

The acquisition module is used to perform integrity operations on the target information by using the shared key to obtain the integrity verification value;

A sending module, configured to send the integrity verification value to the first network element;

A receiving module, configured to receive a verification result of the integrity verification value of the first network element;

Wherein, the shared key is an OPC key or a root key K commonly known by the first network element and the terminal; the integrity verification value is a first integrity protection label;

The obtaining module is specifically configured to perform operations on the OPC key or root key K, the first information, and the second information by using an integrity operation function through the USIM to obtain the first integrity protection label;

The obtaining module is specifically configured to perform operations on the first information, the second information, and the session root key KAUSF key by using an integrity operation function through the ME to obtain the first integrity protection label;

Wherein, the sending module is specifically configured to send SUCI to the first network element, and carry the first integrity protection label in the SUCI.

The acquisition module is specifically configured to perform operations on the OPC key or root key K and the existing integrity protection label in the SUCI by using the integrity operation function through the USIM to obtain the second integrity protection label.

The acquisition module is specifically configured to perform operations on the existing integrity protection label in the SUCI and the session root key KAUSF between the ME using an integrity operation function to obtain the second integrity protection label.

Wherein, the sending module is specifically configured to send SUCI and the second integrity protection label to the first network element.

The acquisition module includes:

Generate sub-module, used to generate random numbers through USIM;

The obtaining sub-module is used to perform operations on the OPC key or root key K and the random number by the USIM using an integrity operation function to obtain the third integrity protection label; or, using a predefined The function performs an operation on the OPC key and/or the root key K and the random number to obtain the third integrity protection label.

Wherein, the sending module is configured to send SUCI, the random number, and the third integrity protection label to the first network element through the ME;

In a fourth aspect, embodiments of the present disclosure provide a verification device, which is applied to a first network element, and includes:

The receiving module is used to receive the integrity verification value sent by the terminal;

A verification module for verifying the integrity verification value;

A sending module, configured to send a verification result of the integrity verification value to the terminal;

The receiving module is configured to receive the SUCI sent by the terminal, and carry the first integrity protection label in the SUCI.

Wherein, the shared key is an OPC key or a root key K commonly known by the first network element and the terminal; the verification module includes:

The decryption sub-module is used to decrypt the SUCI to obtain SUPI;

An obtaining sub-module for obtaining the OPC key or root key K according to the SUPI;

The processing sub-module is used to perform operations on the OPC key or root key K, the third information, and the fourth information by using the integrity operation function to obtain the first operation value; wherein, the third information is the integrity secret Key, the fourth information is an encryption result obtained by encrypting the SUPI using an encryption key;

The verification sub-module is configured to, when the first operation value is consistent with the first integrity protection label, the verification result is that the verification is passed; otherwise, the verification result is that the verification is not passed.

Wherein, the shared key is the session root key KAUSF between the first network element and the terminal; the verification module includes:

The decryption sub-module is used to decrypt the SUCI to obtain SUPI;

The search sub-module is used to search the SUPI in the database;

The verification sub-module is used to verify that the verification result is that the verification fails if the SUPI is not found.

Wherein, the verification module further includes:

The obtaining sub-module is used to obtain the session root key KAUSF corresponding to the SUPI when the SUPI is found;

The processing sub-module is used to perform operations on the fifth information, the sixth information and the session root key KAUSF by using the integrity operation function to obtain the second operation value; wherein, the fifth information is the integrity key, so The sixth information is an encryption result of using an encryption key to encrypt the SUPI;

The verification sub-module is further configured to: in the case that the second operation value is consistent with the first integrity protection label, the verification result is that the verification is passed; otherwise, the verification result is that the verification is not passed.

Wherein, the integrity verification value is a second integrity protection label; the receiving module is further configured to receive the SUCI sent by the terminal.

A decryption sub-module for decrypting the SUCI to obtain the SUPI and the second integrity protection label;

A processing sub-module, configured to use an integrity calculation function to perform calculations on the OPC key or root key K and the integrity protection label carried in the SUCI to obtain a second calculation value;

The verification sub-module is configured to verify that the verification result is passed when the verification of the integrity protection label carried in the SUCI and the second operation value is passed; otherwise, the verification result is that the verification fails.

The decryption sub-module is used to decrypt the SUCI to obtain SUPI;

The search sub-module is used to search the SUPI in the database;

Wherein, the verification module further includes:

A processing sub-module, configured to use an integrity operation function to perform operations on the integrity protection label carried in the SUCI and the session root key KAUSF to obtain a fourth operation value;

The verification submodule is further configured to: in the case where the verification of the integrity protection label carried in the SUCI and the fourth operation value is passed, the verification result is that the verification is passed; otherwise, the verification result is that the verification is not passed.

Wherein, the obtaining submodule is configured to obtain the session root key KAUSF stored by the first network element itself; or obtain the session root key KAUSF from the second network element.

The receiving module is further configured to receive SUCI sent by the terminal.

The first obtaining submodule is used to obtain the random number;

The search sub-module is used to search the random number in the database;

The verification sub-module is used to verify that the verification fails when the random number is found.

Wherein, the verification module further includes:

The decryption sub-module is used to decrypt the SUCI to obtain SUPI if the random number is not found;

The second obtaining submodule is used to obtain the OPC key or root key K corresponding to the SUPI;

The processing sub-module is used to perform operations on the OPC key or root key K and the random number using an integrity operation function to obtain a fifth operation value; or use a predefined function to perform operations on the OPC key and/ Or the root key K and the random number are operated to obtain the fifth operation value;

The verification sub-module is further configured to: in the case that the third integrity protection label is consistent with the fifth operation value, the verification result is that the verification is passed; otherwise, the verification result is that the verification is not passed.

Wherein, the device further includes:

The storage module is configured to store the random number when the random number is not found.

In a fifth aspect, embodiments of the present disclosure provide a verification device, which is applied to a terminal and includes a processor and a transceiver;

The processor is configured to perform an integrity operation on the target information by using a shared key to obtain an integrity verification value;

The transceiver is configured to send the integrity verification value to a first network element; receive a verification result of the integrity verification value by the first network element;

Wherein, the shared key is an OPC key or a root key K that is commonly known to the first network element and the terminal; the integrity verification value is a first integrity protection label;

The processor is further configured to perform operations on the OPC key or root key K, the first information, and the second information by using an integrity operation function through the USIM to obtain the first integrity protection label;

The processor is further configured to perform operations on the first information, the second information, and the session root key KAUSF key by using an integrity operation function through the ME to obtain the first integrity protection label;

The transceiver is further configured to send a user hidden identifier SUCI to the first network element, and carry the first integrity protection label in the SUCI.

The processor is further configured to: use an integrity calculation function to perform calculations on the OPC key or root key K and the existing integrity protection label in the SUCI through the USIM to obtain the second integrity protection label .

The processor is further configured to: use the ME to use an integrity operation function to perform operations on the existing integrity protection label in the SUCI and the session root key KAUSF between them to obtain the second integrity protection label.

Wherein, the processor is further configured to send SUCI and the second integrity protection label to the first network element.

The processor is further configured to: generate a random number through the USIM; the USIM uses an integrity operation function to perform operations on the OPC key or root key K and the random number to obtain the third integrity protection Label; or, using a predefined function to perform operations on the OPC key and/or root key K and the random number to obtain the third integrity protection label.

Wherein, the transceiver is further configured to send the SUCI, the random number, and the third integrity protection label to the first network element through the ME.

In a sixth aspect, embodiments of the present disclosure provide a verification device, which is applied to a first network element, and includes: a processor and a transceiver;

The transceiver is used to receive the integrity verification value sent by the terminal;

The processor is configured to verify the integrity verification value;

The transceiver is further configured to send a verification result of the integrity verification value to the terminal;

The transceiver is further configured to receive the SUCI sent by the terminal, and carry the first integrity protection label in the SUCI.

Wherein, the shared key is an OPC key or a root key K commonly known by the first network element and the terminal; the processor is further configured to:

Decrypt the SUCI to obtain SUPI;

Obtaining the OPC key or root key K according to the SUPI;

Wherein, the shared key is the session root key KAUSF between the first network element and the terminal; the integrity verification value is a first integrity protection label; the processor is further configured to:

Decrypt the SUCI to obtain SUPI;

Search the SUPI in the database;

Wherein, the processor is also used for:

The transceiver is also used to receive SUCI sent by the terminal.

Wherein, the shared key is an OPC key or a root key K known to the first network element and the terminal; the processor is also used to: decrypt the SUCI to obtain SUPI and the second Integrity protection label;

Obtaining the OPC key or root key K according to the SUPI;

The processor is also used for:

Decrypt the SUCI to obtain SUPI;

Search the SUPI in the database;

Wherein, the processor is also used for:

Wherein, the processor is further configured to: obtain the session root key KAUSF stored by the first network element itself; or obtain the session root key KAUSF from the second network element.

The transceiver is also used to receive SUCI sent by the terminal.

The processor is also used for:

Obtain the random number;

Look up the random number in the database;

Wherein, the processor is also used for:

If the random number is not found, decrypt the SUCI to obtain SUPI;

Obtaining the OPC key or root key K corresponding to the SUPI;

Wherein, the processor is further configured to store the random number when the random number is not found.

In the embodiment of the present disclosure, the shared key of the terminal and the first network element is used to perform an integrity operation on the target information, thereby generating an integrity verification value. Because the attacker does not know the shared key between the terminal and the first network element, even if the SUPI guess is correct, the first network element will detect the error of the integrity verification value and return a registration rejection message, thereby solving the SUPI guessing attack problem.

Description of the drawings

In order to explain the technical solutions of the embodiments of the present disclosure more clearly, the following will briefly introduce the accompanying drawings used in the description of the embodiments of the present disclosure. Obviously, the accompanying drawings in the following description are only some embodiments of the present disclosure. For those of ordinary skill in the art, other drawings can be obtained from these drawings without creative labor.

FIG. 1 is one of the flowcharts of the verification method provided by an embodiment of the present disclosure;

FIG. 2 is the second flow chart of the verification method provided by an embodiment of the present disclosure;

FIG. 3 is the third flowchart of the verification method provided by an embodiment of the present disclosure;

FIG. 4 is the fourth flow chart of the verification method provided by the embodiment of the present disclosure;

FIG. 5 is the fifth flowchart of the verification method provided by an embodiment of the present disclosure;

FIG. 6 is one of the structural diagrams of the verification device provided by the embodiment of the present disclosure;

FIG. 7 is the second structural diagram of the verification device provided by the embodiment of the present disclosure;

FIG. 8 is the third structural diagram of the verification device provided by the embodiment of the present disclosure;

FIG. 9 is the fourth structural diagram of the verification device provided by an embodiment of the present disclosure;

FIG. 10 is one of the structural diagrams of a communication device provided by an embodiment of the present disclosure;

Fig. 11 is a second structural diagram of a communication device provided by an embodiment of the present disclosure.

Detailed ways

The technical solutions in the embodiments of the present disclosure will be clearly and completely described below in conjunction with the accompanying drawings in the embodiments of the present disclosure. Obviously, the described embodiments are part of the embodiments of the present disclosure, rather than all of the embodiments. Based on the embodiments in the present disclosure, all other embodiments obtained by those of ordinary skill in the art without creative work shall fall within the protection scope of the present disclosure.

Referring to FIG. 1, FIG. 1 is a flowchart of a verification method provided by an embodiment of the present disclosure, which is applied to a terminal. As shown in Figure 1, it includes the following steps:

Step 101: Perform an integrity operation on the target information by using a shared key to obtain an integrity verification value.

In related technologies, the process of terminal encryption for SUPI is as follows: First, an elliptic curve Diffie-Hellman key exchange (Elliptic Curve Diffie-Hellman key exchange, ECDH) private key A _{PRI is} randomly generated, and an ECDH public key A _{PUB is derived} . Then, the terminal uses its own private key A _PRI and the network's ECDH public key B _{PUB to} generate a shared key K _ECDH . The terminal derives the encryption key K _E _{from K ECDH} , the initial value of AES count encryption, and the integrity key K _M , which is called key data K _D , namely:

Here KDF is the key deduction function,

It is the decimal number of the terminal's ECDH public key A _PUB. The far left of KD is the encryption key K _E , the middle is the initial value of AES count encryption, and the far right is the integrity key K _M.

Counting Advanced Encryption Standard (Advanced Encryption Standard, AES) for encryption using K _E SUPI encrypt the encrypted message using the K _M SUPI is complete security, generate an integrity protection tag Tag.

Among them, Tag=HMAC-SHA-256(K _M ,K _E {SUPI})

Among them, SUCI includes the following:

SUCI=Type of SUPI+Home network ID+Route ID+Protection scheme ID+B _PUB +A _PUB +K _E {SUPI}+Tag.

Among them, the home network identifier is used to find the corresponding home network, and the routing identifier is used to find the corresponding UDM in the same home network.

In the embodiment of the present disclosure, the shared key of the terminal and the network is used to generate an integrity verification value for the related message. Because the attacker does not know the shared key between the terminal and the network, even if the SUPI guess is correct, the network will detect the error of the integrity protection label generated according to the embodiment of the present disclosure, and will return a registration rejection message with reason #3. Thus the problem of SUPI guessing attack is solved.

According to different messages for generating the integrity verification value, there are three implementation solutions in the embodiments of the present disclosure.

The first solution is to add a key that only the terminal and the network know to the function input for generating the integrity protection tag Tag to obtain the first integrity protection tag. In this way, even if the SUPI guess is correct, because there is no key known to the terminal and the network, the tag generated by the attacker will be detected by the network as an error. Then, the network will also return a registration rejection message with reason #3, thus solving the SUPI guessing attack problem.

Specifically, in this solution, the SUPI encryption can be performed in a universal integrated circuit card (also called a universal integrated circuit card, UICC, USIM), or it can be performed on the terminal ME.

(1) SUPI is encrypted on USIM:

Specifically, the shared key is an OPC key or a root key K commonly known by the first network element and the terminal, and the integrity verification value is a first integrity protection label.

At present, many operators use the OPC key preset in the USIM. The OPC is obtained after a series of calculations between the OP and the root key K, which ensures that different cards are preset with different OPCs. When the SUPI is encrypted on the USIM, in the implementation of the present disclosure, the terminal and the network shared key OPC or the root key K known to the terminal and the network is used to generate the first integrity protection label.

In this step, the USIM uses an integrity calculation function to perform calculations on the first information, the second information, the OPC key or the root key to obtain the first integrity protection label. The specific method is as follows:

Tag=HMAC-SHA-256 (K _M , K _E {SUPI}, OPC or K).

Among them, Tag is the first integrity protection tag, K _M represents the integrity key, K _E represents the encryption key, and K represents the root key. The integrity calculation function here is HMAC-SHA-256, and it can also be other integrity calculation functions, such as HMAC-SHA3.

On the network side, UDM verifies the correctness of the first integrity protection label. Even if the attacker guesses a correct SUPI, because he does not know the OPC or the root key K, the attacker cannot generate the correct first integrity protection label, and the network will return a registration rejection message with reason #3. In other words, whether the attacker guessed a correct SUPI or did not guess a correct SUPI, the network will return a registration rejection message with reason #3.

(2) SUPI is encrypted on the terminal ME:

The shared key is the session root key K _AUSF between the first network element and the terminal; the integrity verification value is a first integrity protection label.

After using 5G Authentication and Key Agreement (AKA) or Extensible Authentication Protocol-Authentication and Key Agreement (EAP-AKA') in the terminal and network to complete mutual authentication , The terminal and the network will calculate and store the session root key K _AUSF . When the SUPI is encrypted on the terminal ME, the embodiment of the present disclosure uses the shared key K _{AUSF of the} terminal and the network to generate the first integrity protection label.

In this step, the ME uses an integrity calculation function to perform calculations on the first information, the second information, and the session root key K _AUSF to obtain the first integrity protection label. The specific method is as follows:

Tag=HMAC-SHA-256 (K _M , K _E {SUPI}, K _AUSF ).

On the network side, UDM verifies the correctness of the first integrity protection label. Even if the attacker guesses a correct SUPI, because he does not know K _AUSF , the attacker cannot generate the correct first integrity protection label, and the network will return a registration rejection message with reason #3.

The initial value of K _{AUSF is zero.} On the network side, _{there are two possibilities for storing K AUSF} : (1) It is stored on both the Authentication Server Function (AUSF) and UDM at the same time; (2) It is only stored on the AUSF.

For the case (1), UDM decrypts SUCI to obtain SUPI, and directly uses the stored K _AUSF to perform operations in the above-mentioned manner and verify.

For the case (2), UDM first decrypts SUCI to get SUPI, and then searches for SUPI in the database. If there is no corresponding SUPI in the database, UDM returns a "404 Not Found" message, and the network returns a registration rejection message with reason #3 accordingly. If there is a corresponding SUPI in the database, UDM obtains the K _{AUSF corresponding to SUPI from AUSF} , and then verifies the first integrity protection label. If the verification is passed, UDM returns a "200 OK" message containing the authentication vector; if the verification fails, UDM returns a "404 Not Found" message.

In the first solution, the terminal sends SUCI to the first network element, and the first integrity protection label is carried in the SUCI.

The second scheme is to use the shared key of the terminal and the network to perform a complete protection operation on the tag of the SUCI on the basis of the SUCI to generate a second integrity protection tag, that is, the STag. Because the attacker does not know the shared key between the terminal and the network, even if the SUPI guess is correct, the network will detect the STag error and return a registration rejection message with reason #3, so that the SUPI guess attack problem is solved.

In the embodiment of the present disclosure, the second integrity protection tag STag can be generated by the USIM, and the second integrity protection tag STag can also be generated by the ME.

(1) STag is generated on USIM:

Specifically, the shared key is an OPC key or a root key K commonly known to the first network element and the terminal; the integrity verification value is a second integrity protection label.

When the STag is implemented on the USIM, in the embodiment of the present disclosure, the terminal and the network shared key OPC or the root key K are used to calculate the third integrity protection tag Tag in the SUCI to generate the Stag. Specifically, the USIM uses an integrity calculation function to perform calculations on the OPC key or root key K and the existing integrity protection label in the SUCI to obtain the second integrity protection label. The calculation is as follows:

STag=HMAC-SHA-256 (OPC or K, Tag).

Among them, STag is the second integrity protection tag, and Tag is the third integrity protection tag. The integrity calculation function here is HMAC-SHA-256, and it can also be other integrity calculation functions, such as HMAC-SHA3.

On the network side, the UDM will verify the correctness of the Tag and STag in the SUCI. Only when both of them pass the verification, the network side will send a verification request message to the terminal.

(2) STag is generated on ME:

Specifically, the shared key is the session root key K _AUSF between the first network element and the terminal; the integrity verification value is a second integrity protection label.

When the STag is implemented on the ME, here, the session root key K _AUSF between the terminal and the network is used to calculate the third integrity protection tag Tag to generate the second integrity protection tag Stag. Specifically, the ME uses an integrity calculation function to calculate the existing integrity protection label in the _SUCI and the session root key K AUSF between the two to obtain the second integrity protection label. The calculation method is as follows:

STag=HMAC-SHA-256( _KAUSF , Tag).

In the second solution, in addition to sending the second integrity protection label to the first network element, the terminal also needs to send SUCI to the first network element.

The third scheme is to generate a one-time random number on the USIM of the terminal, and use the shared key of the terminal and the network to perform an integrity calculation on it to generate an integrity verification value NTag. Because the attacker does not know the shared key between the terminal and the network, even if the SUPI guess is correct, the network will detect the NTag error and return a registration rejection message with reason #3, so that the SUPI guess attack problem is solved.

Specifically, in the embodiment of the present disclosure, the shared key is an OPC key or a root key K that is commonly known to the first network element and the terminal. A random number is generated by the USIM, and the USIM uses an integrity operation function or a function defined in 3GPP TS 35.206 to operate the OPC key and/or root key K and the random number to obtain the third Integrity protection label.

Specifically, the USIM generates a one-time random number Nonce, and uses the OPC key or root key K shared by the terminal and the network to generate a third integrity protection tag NTag for Nonce, which is calculated as follows:

NTag = HMAC-SHA-256 (OPC or K, Nonce)

Among them, NTag is the third integrity protection tag, and Nonce is a random number. The integrity calculation function here is HMAC-SHA-256, and it can also be other integrity calculation functions, such as HMAC-SHA3.

Alternatively, the USIM uses a predefined function to perform operations on the OPC key and/or root key K and the random number to obtain the fifth operation value. The calculation is as follows:

NTag=f2 (OPC and/or K, Nonce)

Among them, NTag is the third integrity protection tag, and Nonce is a random number. Here is the predefined function f2 function, where the encryption function is AES or other encryption functions. Of course, the predefined f3 or f4 or f5 function can also be used.

When sending the random number and the third integrity protection label, the ME sends the SUCI, the random number and the third integrity protection label to the first network element. Wherein, the SUCI, the random number and the third integrity protection label are obtained by the ME by the USIM; or, the random number and the third integrity protection label are obtained by the ME Obtained by the USIM, and the SUCI is generated by the ME.

Specifically, if the encryption of SUPI is performed on the USIM, the USIM transmits SUCI, Nonce, and NTag to the ME, and the ME sends it to the network. If the encryption of SUPI is performed on the ME, the USIM transmits the Nonce and NTag to the ME. After the ME completes the encryption of SUCI, it sends SUCI, Nonce and NTag to the network.

After receiving SUCI, Nonce and NTag, the network first checks whether there is Nonce in the database. If it exists, it responds with a rejection message to resist replay attacks. If Nonce does not exist in the database, decrypt SUCI to get SUPI, and get OPC or root key K according to SUPI. Use OPC or root key K to verify NTag. If the verification is successful, store Nonce and generate a verification vector. If the verification fails, reply with a rejection message.

The above three schemes are all based on the key shared by the terminal and the network to generate an integrity protection tag Tag or an integrity secondary tag STag or a one-time random number integrity protection tag NTag. Since the attacker does not know the secret key shared by the terminal and the network, it cannot forge a correct integrity protection tag or integrity secondary tag STag or NTag. In this way, even if an attacker can guess a correct SUPI, he cannot generate a correct integrity protection tag or integrity secondary tag STag or NTag. In other words, the proposed scheme can resist SUPI guessing attacks.

Among them, the first scheme only adds the shared key of the terminal and the network to the integrity function, so it basically does not increase the amount of calculation. Scheme 2 and Scheme 3 only increase the calculation amount of an integrity function, and this calculation requires less calculation resources and has less impact on the system. In addition, Scheme 2 and Scheme 3 are well compatible with systems in related technologies. Because the integrity secondary tag STag or the one-time random number integrity protection tag NTag is superimposed on the ECIES scheme, there is no need Make adjustments to the elliptic curve integrate encrypt scheme (ECIES) scheme.

Step 102: Send the integrity verification value to the first network element.

When according to the above-mentioned first solution, the SUCI is sent to the first network element, and the SUCI includes the first integrity verification label.

When according to the above-mentioned second solution, the SUCI and the second integrity verification label are respectively sent to the first network element.

When according to the above-mentioned first case solution, the SUCI, the random number and the third integrity verification label are respectively sent to the first network element.

Step 103: Receive a verification result of the integrity verification value by the first network element.

Referring to FIG. 2, FIG. 2 is a flowchart of a verification method provided by an embodiment of the present disclosure, which is applied to the first network element. The first network element may be UDM, for example. As shown in Figure 2, it includes the following steps:

Step 201: Receive the integrity verification value sent by the terminal.

Depending on the integrity verification value, there can be different receiving methods here.

For example, the first network element receives the SUCI sent by the terminal, and carries the first integrity protection label in the SUCI.

Or, the first network element receives the SUCI and the second integrity protection label;

Or, the first network element receives the SUCI, the random number, and the third integrity protection label.

Step 202: Verify the integrity verification value.

According to different shared keys, in the embodiments of the present disclosure, there may be different verification methods.

In the case where the shared key is an OPC key or a root key commonly known by the first network element and the terminal, if the first integrity protection label is carried in the SUCI, this step may include:

Step 2021: Decrypt the SUCI to obtain SUPI.

Step 2022: Obtain the OPC key or root key according to the SUPI.

The corresponding relationship between the SUPI and the key can be stored in the first network element. Then, here, the OPC key or the root key can be obtained according to the SUPI obtained in step 2021.

Step 2023: Use the integrity calculation function to perform calculations on the OPC key or root key of the third information and the fourth information to obtain a first calculation value; wherein, the third information is the integrity key, so The fourth information is the result of encryption performed by the SUPI using the encryption key.

Tag=HMAC-SHA-256 (K _M , K _E {SUPI}, OPC or K).

Among them, Tag is the first operation value, K _M represents the integrity key, K _E represents the encryption key, and K represents the root key. The integrity calculation function here is HMAC-SHA-256, and it can also be other integrity calculation functions, such as HMAC-SHA3.

Step 2024: When the first operation value is consistent with the first integrity protection label, the verification result is that the verification is passed; otherwise, the verification result is that the verification is not passed.

In the case that the shared key is the session root key K _AUSF between the first network element and the terminal, if the first integrity protection label is carried in the SUCI, this step may include:

Step 2025: Decrypt the SUCI to obtain SUPI.

Step 2026: Search the SUPI in the database.

Step 2027: If the SUPI is not found, the verification result is that the verification fails.

Further, in order to improve safety, the method may further include:

Step 2028: If the SUPI is found, obtain the session root key K _AUSF corresponding to the SUPI. Specifically, the first network element may obtain the session itself stored root key _K AUSF; or obtaining the root key _K AUSF session from the second network element. The second network element may be AUSF, for example.

Step 2029: Use an integrity calculation function to perform calculations on the fifth information, the sixth information, and the session root key KAUSF to obtain a second calculation value; wherein, the fifth information is the integrity key, and the The sixth information is the encryption result of using the encryption key to encrypt the SUPI.

Step 2030: In a case where the second operation value is consistent with the first integrity protection label, the verification result is that the verification is passed; otherwise, the verification result is that the verification is not passed.

The initial value of K _{AUSF is zero.} On the network side, _{there are two possibilities for storing K AUSF} : (1) It is stored on both AUSF and UDM at the same time; (2) It is only stored on AUSF. In the first case, UDM decrypts SUCI to obtain SUPI, and directly uses the stored K _AUSF to perform operations in the above manner and verify.

For the second case, UDM first decrypts SUCI to get SUPI, and then searches for SUPI in the database. If there is no corresponding SUPI in the database, UDM returns a "404 Not Found" message, and the network returns a registration rejection message with reason #3 accordingly. If there is a corresponding SUPI in the database, UDM obtains the K _{AUSF corresponding to SUPI from AUSF} , and then verifies the first integrity protection label. If the verification is passed, UDM returns a "200 OK" message containing the authentication vector; if the verification fails, UDM returns a "404 Not Found" message.

If the integrity verification value is the second integrity protection label, the first network element also needs to receive the SUCI sent by the terminal.

In this case, if the shared key is an OPC key or a root key K that is commonly known to the first network element and the terminal, this step may include:

Step 2031: Decrypt the SUCI to obtain the SUPI and the second integrity protection label;

Step 2032, obtain the OPC key or root key K according to the SUPI;

Step 2033: Use an integrity calculation function to perform calculations on the OPC key or root key K and the integrity protection label carried in the SUCI to obtain a second calculation value;

Step 2034: In the case where the verification of the integrity protection label carried in the SUCI and the second operation value is passed, the verification result is that the verification is passed; otherwise, the verification result is that the verification is not passed.

In this case, if the shared key is the session root key K _AUSF between the first network element and the terminal, this step may include:

Step 2035: Decrypt the SUCI to obtain SUPI;

Step 2036: Search the SUPI in the database;

Step 2037: If the SUPI is not found, the verification result is that the verification fails.

To further improve safety, the method may further include:

Step 2038: If the SUPI is found, obtain the session root key K _AUSF corresponding to the SUPI;

Step 2039: Use an integrity calculation function to perform calculations on the integrity protection label carried in the SUCI and the session root key K _AUSF to obtain a fourth calculation value.

Step 2040: In the case where the verification of the integrity protection label carried in the SUCI and the fourth operation value is passed, the verification result is that the verification is passed; otherwise, the verification result is that the verification is not passed.

Wherein, the process of obtaining the session root key K AUSF corresponding to the _SUPI may include obtaining the session root key K _AUSF stored by the first network element itself; or obtaining the session from a second network element Root key K _AUSF . The second network element may be AUSF.

If the integrity verification value is a random number and the third integrity protection label, the first network element also needs to receive the SUCI sent by the terminal. The shared key is an OPC key or a root key K commonly known by the first network element and the terminal; this step may include:

Step 2041. Obtain the random number.

Step 2042, search the random number in the database.

Step 2043: If the random number is found, the verification result is that the verification fails.

To further improve safety, the method may further include:

Step 2043: If the random number is not found, decrypt the SUCI to obtain SUPI;

Step 2044: Obtain the OPC key or root key K corresponding to the SUPI;

Step 2045: Use an integrity operation function to perform operations on the OPC key or root key K and the random number to obtain a fifth operation value; or use a predefined function to perform operations on the OPC key and/or root secret. Perform operations on the key K and the random number to obtain a fifth operation value;

Step 2046: When the third integrity protection label is consistent with the fifth operation value, the verification result is that the verification is passed; otherwise, the verification result is that the verification is not passed.

After receiving SUCI, Nonce and NTag, the first network element first checks whether there is Nonce in the database. If it exists, it responds with a rejection message to resist replay attacks. If Nonce does not exist in the database, decrypt SUCI to get SUPI, and get OPC or root key K according to SUPI. Use OPC or root key K to verify NTag. If the verification is successful, store Nonce and generate a verification vector. If the verification fails, reply with a rejection message.

Step 203: Send a verification result of the integrity verification value to the terminal.

Refer to FIG. 3, which is a flowchart of a verification method provided by an embodiment of the present disclosure, which includes the following steps:

Step 301: The terminal converts the SUPI into SUCI, where the Tag in the SUCI is generated according to the method of the embodiment of the present disclosure, that is, the aforementioned first integrity protection tag.

Then, the terminal sends the SUCI to the Access and Mobility Management Function (AMF)/Security Anchor Function (SEAF).

Step 302: AMF/SEAF sends SUCI to AUSF.

Step 303: AUSF sends SUCI to UDM.

Step 304: The UDM verifies the first integrity protection label in the SUCI.

Among them, the specific verification method can refer to the description of the foregoing embodiment.

Step 305: If the verification is passed, UDM sends "200 OK" to AUSF. If the verification fails, it will return "404 Not Found" with the content of "USER_NOT_FOUND".

Step 306: After receiving "200 OK", AUSF sends "201 Created" to AMF/SEAF. After AUSF receives "404 Not Found", it will send the "404 Not Found" message to AMF/SEAF.

Step 307: In the case of "201 Created", the AMF/SEAF sends RAND and AUTN to the terminal in the verification request message. In the case of "404 Not Found", AMF/SEAF sends a registration rejection message with reason #3 to the terminal.

Refer to Fig. 4, which is a flowchart of a verification method provided by an embodiment of the present disclosure, which includes the following steps:

Step 401: The terminal converts SUPI to SUCI, and obtains a second integrity protection label according to the method of the foregoing embodiment.

Then, the terminal sends the SUCI and the second integrity protection label to AMF/SEAF.

Step 402: AMF/SEAF sends SUCI and the second integrity protection label to AUSF.

Step 403: AUSF sends the SUCI and the second integrity protection label to UDM.

Step 404: Verify the Tag in the SUCI and the second integrity protection tag.

Step 405: If the verification is passed, UDM sends "200 OK" to AUSF. If the verification fails, UDM returns "404 Not Found" with the content of "USER_NOT_FOUND".

Step 406: After receiving "200 OK", AUSF sends "201 Created" to AMF/SEAF. After AUSF receives "404 Not Found", it will send the "404 Not Found" message to AMF/SEAF.

Step 407: In the case of "201 Created", AMF/SEAF sends RAND and AUTN to the terminal in the identity verification request message. In the case of "404 Not Found", AMF/SEAF sends a registration rejection message with reason #3 to the terminal.

Referring to FIG. 5, FIG. 5 is a flowchart of a verification method provided by an embodiment of the present disclosure, which includes the following steps:

Step 501: The terminal sends the SUCI, the random number and the third integrity protection label to the AMF/SEAF.

The terminal can obtain the third integrity protection label according to the method of the foregoing embodiment.

Step 502: AMF/SEAF sends SUCI, random number and third integrity protection label to AUSF.

Step 503: AUSF sends SUCI, random number and third integrity protection label to UDM.

Step 504: The UDM verifies the random number and the third integrity protection label.

Among them, UDM first checks whether there is a random number Nonce in the database, and if it does, it responds with a rejection message to resist replay attacks; if the Nonce database does not exist, it decrypts SUCI to SUPI, and obtains OPC or root key K according to SUPI. . Use OPC or root key K to verify NTag. If the verification is successful, store Nonce and generate an authentication vector. If the verification fails, reply with a rejection message.

Step 505: If the verification fails or there is a random number Nonce, return "504 Not Found" with the content of "USER_NOT_FOUND". If the verification is passed, "200 OK" is sent to AUSF.

Step 506: After receiving "200 OK", AUSF sends "201 Created" to AMF/SEAF. After the AUSF receives the "504 Not Found", it will send the "504 Not Found" message to the AMF/SEAF.

Step 507: In the case of "201 Created", AMF/SEAF sends RAND and AUTN to the terminal in the identity verification request message. In the case of "504 Not Found", AMF/SEAF sends a registration rejection message with reason #3 to the terminal.

The embodiment of the present disclosure also provides a verification device, which is applied to a terminal. Refer to FIG. 6, which is a structural diagram of a verification device provided by an embodiment of the present disclosure. Since the principle of the verification device to solve the problem is similar to the verification method in the embodiment of the present disclosure, the implementation of the verification device can refer to the implementation of the method, and the repetition will not be repeated.

As shown in FIG. 6, the verification device includes: an acquisition module 601, configured to perform integrity operations on target information using a shared key to obtain an integrity verification value; and a sending module 602, configured to send the integrity to the first network element Verification value; a receiving module 603, configured to receive the verification result of the integrity verification value of the first network element;

The obtaining module 601 is specifically configured to perform operations on the OPC key or root key K, first information, and second information by using an integrity operation function through USIM to obtain the first integrity protection label;

Wherein, the shared key is the session root key K _AUSF between the first network element and the terminal; the integrity verification value is a first integrity protection label;

The obtaining module 601 is specifically configured to perform operations on the first information, the second information, and the session root key K _AUSF key by using an integrity operation function through the ME to obtain the first integrity protection label;

The sending module 602 is specifically configured to send SUCI to the first network element, and the first integrity protection label is carried in the SUCI.

The obtaining module 601 is specifically configured to perform operations on the OPC key or root key K and the existing integrity protection label in the SUCI by using an integrity operation function through the USIM to obtain the second integrity protection label.

The shared key is the session root key K _AUSF between the first network element and the terminal; the integrity verification value is a second integrity protection label;

The acquisition module 601 is specifically configured to perform operations on the existing integrity protection label in the _SUCI and the session root key K AUSF between the ME using an integrity operation function to obtain the second integrity protection label .

Wherein, the sending module 602 is further configured to send SUCI and the second integrity protection label to the first network element.

The obtaining module 601 includes:

Generate sub-module, used to generate random numbers through USIM;

Wherein, the sending module 602 is configured to send SUCI, the random number, and the third integrity protection label to the first network element through the ME;

The device provided in the embodiment of the present disclosure can execute the foregoing method embodiment, and its implementation principles and technical effects are similar, and details are not described in this embodiment here.

The embodiment of the present disclosure also provides a verification device, which is applied to the first network element. Refer to FIG. 7, which is a structural diagram of a verification device provided by an embodiment of the present disclosure. Since the principle of the verification device to solve the problem is similar to the verification method in the embodiment of the present disclosure, the implementation of the verification device can refer to the implementation of the method, and the repetition will not be repeated.

As shown in FIG. 7, the verification device includes: a receiving module 701, used to receive the integrity verification value sent by the terminal; a verification module 702, used to verify the integrity verification value; a sending module 703, used to send the The terminal sends a verification result of the integrity verification value; wherein, the integrity verification value is obtained by performing an integrity operation on the target information using a shared key, and the shared key is the first network element and the The key used between the terminals.

The decryption sub-module is used to decrypt the SUCI to obtain SUPI;

Wherein, the shared key is the session root key K _AUSF between the first network element and the terminal; the verification module includes:

The decryption sub-module is used to decrypt the SUCI to obtain SUPI;

The search sub-module is used to search the SUPI in the database;

Wherein, the verification module further includes:

The obtaining sub-module is used to obtain the session root key K _AUSF corresponding to the SUPI when the SUPI is found;

The processing sub-module is used to perform operations on the fifth information, the sixth information and the session root key K _AUSF by using an integrity operation function to obtain a second operation value; wherein, the fifth information is an integrity key, The sixth information is an encryption result of using an encryption key to encrypt the SUPI;

The decryption sub-module is used to decrypt the SUCI to obtain SUPI;

The search sub-module is used to search the SUPI in the database;

Wherein, the verification module further includes:

A processing submodule, configured to use an integrity operation function to perform operations on the integrity protection label carried in the SUCI and the session root key K _AUSF to obtain a fourth operation value;

Wherein, the obtaining submodule is configured to obtain the session root key K _AUSF stored by the first network element itself; or obtain the session root key K _AUSF from the second network element.

The first obtaining submodule is used to obtain the random number;

The search sub-module is used to search the random number in the database;

Wherein, the verification module further includes:

Wherein, the device further includes:

The device provided in the embodiment of the present disclosure can execute the foregoing method embodiment, and its implementation principles and technical effects are similar, and details are not described herein again in this embodiment.

The embodiment of the present disclosure also provides a verification device, which is applied to a terminal. Refer to FIG. 8, which is a structural diagram of a verification device provided by an embodiment of the present disclosure. Since the principle of the verification device to solve the problem is similar to the verification method in the embodiment of the present disclosure, the implementation of the verification device can refer to the implementation of the method, and the repetition will not be repeated.

As shown in FIG. 8, the verification device includes: a processor 801 and a transceiver 802.

The processor 801 is configured to perform an integrity operation on the target information by using a shared key to obtain an integrity verification value;

The transceiver 802 is configured to send the integrity verification value to a first network element; receive a verification result of the integrity verification value by the first network element;

The processor is further configured to perform operations on the first information, the second information, and the session root key K _AUSF key by using an integrity operation function through the ME to obtain the first integrity protection label;

Wherein, the shared key is the session root key K _AUSF between the first network element and the terminal; the integrity verification value is a second integrity protection label;

The processor is further configured to: calculate the existing integrity protection label in the _SUCI and the session root key K AUSF between the ME using an integrity operation function to obtain the second integrity protection label.

Wherein, the transceiver is further configured to send SUCI, the random number, and the third integrity protection label to the first network element through the ME;

The embodiment of the present disclosure also provides a verification device, which is applied to the first network element. Refer to FIG. 9, which is a structural diagram of a verification device provided by an embodiment of the present disclosure. Since the principle of the verification device to solve the problem is similar to the verification method in the embodiment of the present disclosure, the implementation of the verification device can refer to the implementation of the method, and the repetition will not be repeated.

As shown in FIG. 9, the verification device includes: a processor 901 and a transceiver 902.

The transceiver 902 is configured to receive the integrity verification value sent by the terminal;

The processor 901 is configured to verify the integrity verification value;

The transceiver 902 is further configured to send a verification result of the integrity verification value to the terminal;

Decrypt the SUCI to obtain SUPI;

Obtaining the OPC key or root key K according to the SUPI;

Wherein, the shared key is the session root key K _AUSF between the first network element and the terminal; the integrity verification value is a first integrity protection label; the processor is further configured to:

Decrypt the SUCI to obtain SUPI;

Search the SUPI in the database;

Wherein, the processor is also used for:

In the case of finding the SUPI, obtain the session root key K _AUSF corresponding to the SUPI;

The fifth information, the sixth information, and the session root key K _AUSF are calculated using the integrity calculation function to obtain the second calculation value; wherein, the fifth information is the integrity key, and the sixth information is An encryption result obtained by encrypting the SUPI using an encryption key;

The transceiver is also used to receive SUCI sent by the terminal.

Obtaining the OPC key or root key K according to the SUPI;

Wherein, the shared key is the session root key K _AUSF between the first network element and the terminal;

The processor is also used for:

Decrypt the SUCI to obtain SUPI;

Search the SUPI in the database;

Wherein, the processor is also used for:

Using an integrity operation function to perform operations on the integrity protection label carried in the SUCI and the session root key K _AUSF to obtain a fourth operation value;

Wherein, the processor is further configured to: obtain the session root key K _AUSF stored by the first network element itself; or obtain the session root key K _AUSF from the second network element.

The transceiver is also used to receive SUCI sent by the terminal.

The processor is also used for:

Obtain the random number;

Look up the random number in the database;

Wherein, the processor is also used for:

If the random number is not found, decrypt the SUCI to obtain SUPI;

Obtaining the OPC key or root key K corresponding to the SUPI;

As shown in FIG. 10, the communication device of the embodiment of the present disclosure, applied to a terminal, includes: a processor 1000, configured to read a program in a memory 1020, and execute the following process:

Sending the integrity verification value to the first network element;

The transceiver 1010 is used to receive and send data under the control of the processor 1000.

Wherein, in FIG. 10, the bus architecture may include any number of interconnected buses and bridges. Specifically, one or more processors represented by the processor 1000 and various circuits of the memory represented by the memory 1020 are linked together. The bus architecture can also link various other circuits such as peripheral devices, voltage regulators, power management circuits, etc., which are all known in the art, and therefore, will not be further described herein. The bus interface provides the interface. The transceiver 1010 may be a plurality of elements, including a transmitter and a transceiver, and provide a unit for communicating with various other devices on a transmission medium. The processor 1000 is responsible for managing the bus architecture and general processing, and the memory 1020 can store data used by the processor 1000 when performing operations.

The processor 1000 is responsible for managing the bus architecture and general processing, and the memory 1020 can store data used by the processor 1000 when performing operations.

The processor 1000 is further configured to read the program and execute the following steps:

USIM uses an integrity calculation function to perform calculations on the OPC key or root key K, first information, and second information to obtain the first integrity protection label;

Wherein, the shared key is the session root key K _AUSF between the first network element and the terminal; the integrity verification value is a first integrity protection label; the processor 1000 is also used to read The procedure described below performs the following steps:

The ME uses an integrity calculation function to perform calculations on the first information, the second information, and the session root key K _AUSF key to obtain the first integrity protection label;

Send a SUCI (Subscription Concealed Identifier) to the first network element, and carry the first integrity protection label in the SUCI.

The shared key is an OPC key or a root key K known to the first network element and the terminal; the integrity verification value is a second integrity protection label; the processor 1000 is also used to read The procedure described below performs the following steps:

The USIM uses an integrity calculation function to perform calculations on the OPC key or root key K and the existing integrity protection label in the SUCI to obtain the second integrity protection label.

Wherein, the shared key is the session root key K _AUSF between the first network element and the terminal; the integrity verification value is a second integrity protection label; the processor 1000 is also used to read The procedure described below performs the following steps:

The ME uses an integrity operation function to perform operations on the existing integrity protection label in the _SUCI and the session root key K AUSF between the two to obtain the second integrity protection label.

Wherein, the shared key is an OPC key or a root key K commonly known to the first network element and the terminal; the integrity verification value is a random number and a third integrity protection label; the processor 1000 It is also used to read the program and perform the following steps:

Random number generated by USIM;

As shown in FIG. 11, the communication device of the embodiment of the present disclosure, applied to the first network element, includes: a processor 1100, configured to read a program in a memory 1111, and execute the following process:

Receive the integrity verification value sent by the terminal;

Verify the integrity verification value;

The transceiver 1110 is configured to receive and send data under the control of the processor 1100.

Wherein, in FIG. 11, the bus architecture may include any number of interconnected buses and bridges. Specifically, one or more processors represented by the processor 1100 and various circuits of the memory represented by the memory 1111 are linked together. The bus architecture can also link various other circuits such as peripheral devices, voltage regulators, power management circuits, etc., which are all known in the art, and therefore, will not be further described herein. The bus interface provides the interface. The transceiver 1110 may be a plurality of elements, including a transmitter and a transceiver, and provide a unit for communicating with various other devices on a transmission medium. The processor 1100 is responsible for managing the bus architecture and general processing, and the memory 1111 may store data used by the processor 1100 when performing operations.

The processor 1100 is responsible for managing the bus architecture and general processing, and the memory 1111 may store data used by the processor 1100 when performing operations.

Wherein, the integrity verification value is the first integrity protection label; the processor 1100 is further configured to read the program and perform the following steps: receive the SUCI sent by the terminal, and carry the first SUCI in the SUCI Integrity protection label.

Wherein, the shared key is an OPC key or root key K that is commonly known to the first network element and the terminal; the processor 1100 is further configured to read the program and execute the following steps:

Decrypt the SUCI to obtain SUPI;

Obtaining the OPC key or root key K according to the SUPI;

Wherein, the shared key is the session root key K _AUSF between the first network element and the terminal; the integrity verification value is a first integrity protection label; the processor 1100 is also used to read The procedure described below performs the following steps:

Decrypt the SUCI to obtain SUPI;

Search the SUPI in the database;

The processor 1100 is further configured to read the program and execute the following steps:

Wherein, the integrity verification value is a second integrity protection label; the processor 1100 is further configured to read the program and execute the following steps: receiving the SUCI and the second integrity protection label sent by the terminal.

Decrypt the SUCI to obtain SUPI and the second integrity protection label;

Obtaining the OPC key or root key K according to the SUPI;

Wherein, the shared key is the session root key K _AUSF between the first network element and the terminal; the processor 1100 is further configured to read the program and perform the following steps:

Decrypt the SUCI to obtain SUPI;

Search the SUPI in the database;

_{Obtain the session root key K AUSF} stored by the first network element itself; or

Obtain the session root key K _AUSF from the second network element.

Wherein, the integrity verification value is a random number and a third integrity protection label; the processor 1100 is further configured to read the program and execute the following steps:

Receive the SUCI sent by the terminal.

Obtain the random number;

Look up the random number in the database;

If the random number is not found, decrypt the SUCI to obtain SUPI;

Obtaining the OPC key or root key K corresponding to the SUPI;

If the random number is not found, the random number is stored.

The embodiments of the present disclosure also provide a computer-readable storage medium, and a computer program is stored on the computer-readable storage medium. When the computer program is executed by a processor, each process of the above-mentioned verification method embodiment is realized, and the same technical effect can be achieved. To avoid repetition, I won’t repeat it here. Wherein, the computer-readable storage medium, such as read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), magnetic disk, or optical disk, etc.

It should be noted that in this article, the terms "include", "include" or any other variants thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device including a series of elements not only includes those elements, It also includes other elements not explicitly listed, or elements inherent to the process, method, article, or device. If there are no more restrictions, the element defined by the sentence "including a..." does not exclude the existence of other identical elements in the process, method, article, or device that includes the element.

Through the description of the above embodiments, those skilled in the art can clearly understand that the method of the above embodiments can be implemented by means of software plus the necessary general hardware platform. Of course, it can also be implemented by hardware, but in many cases the former is better. Implementation mode. According to this understanding, the technical solution of the present disclosure can be embodied in the form of a software product in essence or the part that contributes to the related technology. The computer software product is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk). ) Includes several instructions to make a terminal (which can be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) execute the methods described in the various embodiments of the present disclosure.

The embodiments of the present disclosure are described above with reference to the accompanying drawings, but the present disclosure is not limited to the above-mentioned specific embodiments. The above-mentioned specific embodiments are only illustrative and not restrictive. Those of ordinary skill in the art are Under the enlightenment of the present disclosure, without departing from the purpose of the present disclosure and the scope of protection of the claims, many forms can be made, all of which fall within the protection of the present disclosure.

Claims

A verification method applied to a terminal, including:

Use the shared key to perform integrity operations on the target information to obtain the integrity verification value;

Sending the integrity verification value to the first network element;

Receiving a verification result of the integrity verification value of the first network element;

Wherein, the shared key is a key used between the first network element and the terminal.
The method according to claim 1, wherein the shared key is an OPC key or a root key K commonly known by the first network element and the terminal; and the integrity verification value is the first integrity Protection label

The use of the shared key to perform an integrity operation on the target information to obtain an integrity verification value includes:

The global user identification module USIM uses an integrity calculation function to perform calculations on the OPC key or root key K, the first information, and the second information to obtain the first integrity protection label;

The first information is an integrity key, and the second information is a result of encrypting the user's permanent identity SUPI with an encryption key.
The method according to claim 1, wherein the shared key is the session root key K AUSF between the first network element and the terminal; and the integrity verification value is a first integrity protection label ；

The use of the shared key to perform an integrity operation on the target information to obtain an integrity verification value includes:

The mobile terminal ME uses an integrity calculation function to perform calculations on the first information, the second information, and the session root key K AUSF key to obtain the first integrity protection label;

The first information is an integrity key, and the second information is a result of encrypting the user's permanent identity SUPI with an encryption key.
The method according to claim 2 or 3, wherein the sending the integrity verification value to the first network element comprises:

Send a user hidden identifier SUCI to the first network element, and carry the first integrity protection label in the SUCI.
The method according to claim 1, wherein the shared key is an OPC key or a root key K known to the first network element and the terminal; and the integrity verification value is a second integrity Protection label

The use of the shared key to perform an integrity operation on the target information to obtain an integrity verification value includes:

The USIM uses an integrity calculation function to perform calculations on the OPC key or root key K in the SUCI and the existing integrity protection label to obtain the second integrity protection label.
The method according to claim 1, wherein the shared key is the session root key K AUSF between the first network element and the terminal; and the integrity verification value is a second integrity protection label ；

The use of the shared key to perform an integrity operation on the target information to obtain an integrity verification value includes:

The ME uses an integrity operation function to perform operations on the existing integrity protection label in the SUCI and the session root key K AUSF between the two to obtain the second integrity protection label.
The method according to claim 5 or 6, wherein the sending the integrity verification value to the first network element comprises:

Sending the SUCI and the second integrity protection label to the first network element.
The method according to claim 1, wherein the shared key is an OPC key or a root key K known to the first network element and the terminal; the integrity verification value is a random number and the first 3. Integrity protection label;

The use of the shared key to perform an integrity operation on the target information to obtain an integrity verification value includes:

Random number generated by USIM;

The USIM uses an integrity operation function to perform operations on the OPC key or root key K and the random number to obtain the third integrity protection label; or, use a predefined function to perform operations on the OPC secret The key and/or the root key K and the random number are operated to obtain the third integrity protection label.
The method according to claim 8, wherein the sending the integrity verification value to the first network element comprises:

Sending, by the ME, the SUCI, the random number, and the third integrity protection label to the first network element;

Wherein, the SUCI, the random number and the third integrity protection label are obtained by the ME by the USIM; or, the random number and the third integrity protection label are obtained by the ME Obtained by the USIM, and the SUCI is generated by the ME.
A verification method, applied to the first network element, includes:

Receive the integrity verification value sent by the terminal;

Verify the integrity verification value;

Sending a verification result of the integrity verification value to the terminal;

Wherein, the integrity verification value is obtained by performing an integrity operation on the target information using a shared key, and the shared key is a key used between the first network element and the terminal.
The method according to claim 10, wherein the integrity verification value is a first integrity protection label;

The integrity verification value sent by the receiving terminal includes:

Receiving the SUCI sent by the terminal, and carrying the first integrity protection label in the SUCI.
The method according to claim 11, wherein the shared key is an OPC key or a root key K commonly known by the first network element and the terminal; and the verification of the integrity verification value is performed ,include:

Decrypt the SUCI to obtain SUPI;

Obtaining the OPC key or root key K according to the SUPI;

The OPC key or root key K, the third information, and the fourth information are calculated using the integrity calculation function to obtain the first calculation value; wherein, the third information is the integrity key, and the fourth The information is an encryption result of using an encryption key to encrypt the SUPI;

In the case that the first operation value is consistent with the first integrity protection label, the verification result is that the verification is passed; otherwise, the verification result is that the verification is not passed.
The method according to claim 11, wherein the shared key is the session root key K AUSF between the first network element and the terminal; and the integrity verification value is a first integrity protection label ；

The verifying the integrity verification value includes:

Decrypt the SUCI to obtain SUPI;

Search the SUPI in the database;

If the SUPI is not found, the verification result is that the verification fails.
The method according to claim 13, further comprising:

In the case of finding the SUPI, obtain the session root key K AUSF corresponding to the SUPI;

The fifth information, the sixth information, and the session root key K AUSF are calculated using the integrity calculation function to obtain the second calculation value; wherein, the fifth information is the integrity key, and the sixth information is An encryption result obtained by encrypting the SUPI using an encryption key;

In the case that the second operation value is consistent with the first integrity protection label, the verification result is that the verification is passed; otherwise, the verification result is that the verification is not passed.
The method according to claim 10, wherein the integrity verification value is a second integrity protection label;

The method also includes:

Receive the SUCI sent by the terminal.
The method according to claim 15, wherein the shared key is an OPC key or a root key K commonly known by the first network element and the terminal;

The verifying the integrity verification value includes:

Decrypt the SUCI to obtain SUPI and the second integrity protection label;

Obtaining the OPC key or root key K according to the SUPI;

Using an integrity calculation function to perform calculations on the OPC key or root key K and the integrity protection label carried in the SUCI to obtain a second calculation value;

In the case where the verification of the integrity protection label carried in the SUCI and the second operation value is passed, the verification result is that the verification is passed; otherwise, the verification result is that the verification is not passed.
The method according to claim 15, wherein the shared key is a session root key K AUSF between the first network element and the terminal;

The verifying the integrity verification value includes:

Decrypt the SUCI to obtain SUPI;

Search the SUPI in the database;

If the SUPI is not found, the verification result is that the verification fails.
The method according to claim 17, further comprising:

In the case of finding the SUPI, obtain the session root key K AUSF corresponding to the SUPI;

Using an integrity operation function to perform operations on the integrity protection label carried in the SUCI and the session root key K AUSF to obtain a fourth operation value;

In the case where the verification of the integrity protection label carried in the SUCI and the fourth operation value is passed, the verification result is that the verification is passed; otherwise, the verification result is that the verification is not passed.
The method according to claim 14 or 18, wherein the obtaining the session root key K AUSF corresponding to the SUPI comprises:

Obtain the session root key K AUSF stored by the first network element itself; or

Obtain the session root key K AUSF from the second network element.
The method according to claim 10, wherein the integrity verification value is a random number and a third integrity protection label;

The method also includes:

Receive the SUCI sent by the terminal.
The method according to claim 20, wherein the shared key is an OPC key or a root key K commonly known by the first network element and the terminal;

The verifying the integrity verification value includes:

Obtain the random number;

Look up the random number in the database;

In the case where the random number is found, the verification result is that the verification fails.
The method according to claim 21, further comprising:

If the random number is not found, decrypt the SUCI to obtain SUPI;

Obtaining the OPC key or root key K corresponding to the SUPI;

Operate the OPC key or root key K and the random number using an integrity operation function to obtain a fifth operation value; or use a predefined function to perform operations on the OPC key and/or root key K and Performing an operation on the random number to obtain a fifth operation value;

In the case that the third integrity protection label is consistent with the fifth operation value, the verification result is that the verification is passed; otherwise, the verification result is that the verification is not passed.
The method of claim 22, further comprising:

If the random number is not found, the random number is stored.
A verification device applied to a terminal, including:

The acquisition module is used to perform integrity operations on the target information by using the shared key to obtain the integrity verification value;

A sending module, configured to send the integrity verification value to the first network element;

A receiving module, configured to receive a verification result of the integrity verification value of the first network element;

Wherein, the shared key is a key used between the first network element and the terminal.
A verification device, applied to a first network element, includes:

The receiving module is used to receive the integrity verification value sent by the terminal;

A verification module for verifying the integrity verification value;

A sending module, configured to send a verification result of the integrity verification value to the terminal;

Wherein, the integrity verification value is obtained by performing an integrity operation on the target information using a shared key, and the shared key is a key used between the first network element and the terminal.
A verification device, applied to a terminal, including: a processor and a transceiver;

The processor is configured to perform an integrity operation on the target information by using a shared key to obtain an integrity verification value;

The transceiver is configured to send the integrity verification value to a first network element; receive a verification result of the integrity verification value by the first network element;

Wherein, the shared key is a key used between the first network element and the terminal.
A verification device, applied to a first network element, including: a processor and a transceiver;

The transceiver is used to receive the integrity verification value sent by the terminal;

The processor is configured to verify the integrity verification value;

The transceiver is further configured to send a verification result of the integrity verification value to the terminal;

Wherein, the integrity verification value is obtained by performing an integrity operation on the target information using a shared key, and the shared key is a key used between the first network element and the terminal.
A communication device, including: a transceiver, a memory, a processor, and a program stored on the memory and running on the processor; wherein,

The processor is configured to read the program in the memory to implement the steps in the method according to any one of claims 1 to 9; or to implement the steps in the method according to any one of claims 10 to 23 step.
A computer-readable storage medium for storing a computer program, wherein the computer program implements the steps in the method according to any one of claims 1 to 9 when the computer program is executed by a processor; or implements the steps in claim 10 Step in the method of any one of to 23.