WO2022033186A1 - General bootstrapping architecture-based authentication method and corresponding device - Google Patents

General bootstrapping architecture-based authentication method and corresponding device Download PDF

Info

Publication number
WO2022033186A1
Authority
WO
WIPO (PCT)
Prior art keywords
key algorithm
wireless access
access node
suite
application layer
Prior art date
Application number
PCT/CN2021/101804
Other languages
French (fr)
Chinese (zh)
Inventor
刘小军
缪永生
张宝健
李如俊
Original Assignee
中兴通讯股份有限公司
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2022033186A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/166 Implementing security features at a particular protocol layer at the transport layer
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these

Definitions

  • The embodiments of the present disclosure relate to, but are not limited to, the field of communication technologies, and in particular to an authentication method and a corresponding device based on the General Bootstrapping Architecture (GBA).
  • GBA: General Bootstrapping Architecture
  • GBA uses Authentication and Key Agreement (AKA, the authentication and key agreement protocol of the third-generation mobile communication network) to provide a mechanism for key sharing, mutual authentication and service protection between the UE and the network. It has high security and versatility.
  • AKA: Authentication and Key Agreement
  • AP: wireless access node (Access Point)
  • The AP acts as an authentication proxy function: it authenticates the UE and completes the authentication of the UE on behalf of the AS.
  • ALG: Application Layer Gateway
  • TLS: Transport Layer Security
  • An embodiment of the present disclosure provides a GBA-based authentication method applied to the terminal side, including: negotiating the Transport Layer Security protocol with an application layer gateway to confirm the key algorithm suite to be used; and applying the key algorithm suite to the wireless access node through the application layer gateway, so that the wireless access node uses the key algorithm suite for authentication.
  • Embodiments of the present disclosure also provide a GBA-based authentication method applied to the gateway side, including: negotiating the Transport Layer Security protocol with a user terminal to confirm the key algorithm suite used by the user terminal; and applying the key algorithm suite to the wireless access node, so that the wireless access node uses the key algorithm suite for authentication.
  • Embodiments of the present disclosure also provide a GBA-based authentication method applied to the wireless access node side, including: performing authentication using the key algorithm suite applied to the wireless access node by the application layer gateway, where the key algorithm suite is the one used by the user terminal, as negotiated and confirmed in the Transport Layer Security negotiation between the application layer gateway and the user terminal.
  • An embodiment of the present disclosure further provides a terminal, where the terminal includes a first processor and a first memory, and the first processor is configured to execute one or more computer programs stored in the first memory so as to implement the GBA-based authentication method applied to the terminal side according to the present disclosure.
  • An embodiment of the present disclosure further provides a gateway, where the gateway includes a second processor and a second memory, and the second processor is configured to execute one or more computer programs stored in the second memory so as to implement the GBA-based authentication method applied to the gateway side according to the present disclosure.
  • An embodiment of the present disclosure further provides a wireless access node, where the wireless access node includes a third processor and a third memory, and the third processor is configured to execute one or more computer programs stored in the third memory so as to implement the GBA-based authentication method applied to the wireless access node side according to the present disclosure.
  • The embodiments of the present disclosure further provide a computer storage medium on which one or more programs are stored, and the one or more programs can be executed by one or more processors so as to implement the GBA-based authentication method of the present disclosure applied to the terminal side, the gateway side or the wireless access node side.
  • FIG. 1 is a schematic diagram of the basic GBA architecture provided by the present disclosure.
  • FIG. 2 is a schematic diagram of the basic GBA authentication flow provided by the present disclosure.
  • FIG. 3 is a schematic flowchart of the GBA authentication method provided by the present disclosure.
  • FIG. 4 is a schematic diagram of the basic flow of applying a key algorithm suite to a wireless access node through an application layer gateway provided by the present disclosure.
  • FIG. 5 is another schematic diagram of the basic flow of applying a key algorithm suite to a wireless access node through an application layer gateway provided by the present disclosure.
  • FIG. 6 is another schematic flowchart of applying a key algorithm suite to a wireless access node through an application layer gateway provided by the present disclosure.
  • FIG. 7 is another schematic flowchart of applying a key algorithm suite to a wireless access node through an application layer gateway provided by the present disclosure.
  • FIG. 8 is a schematic diagram of the basic flow of the GBA authentication method provided by the present disclosure.
  • FIG. 9 is a schematic diagram of the basic structure of the terminal provided by the present disclosure.
  • FIG. 10 is a schematic diagram of the basic structure of the gateway provided by the present disclosure.
  • FIG. 11 is a schematic diagram of the basic structure of the wireless access node provided by the present disclosure.
  • FIG. 1 is a schematic diagram of the basic architecture of GBA, which includes: the user's Home Subscriber Server (HSS), a Bootstrapping Server Function (BSF), a Network Application Function (NAF) or wireless access node (Access Point, AP), and an ALG. It should be understood that the NAF performs the same function as the AP, that is, only one of the AP and the NAF needs to exist.
  • The ALG establishes TLS channels with the UE and with the AP respectively, and authentication is performed over them.
  • The UE negotiates a TLS connection with the ALG and confirms the cipher suite to be used; the cipher suite finally used is "yyzz".
  • The UE sends a service request (HTTP GET) to the ALG; the ALG negotiates a TLS connection with the AP and confirms the cipher suite to be used; the cipher suite finally used on this leg is "aabb".
  • The ALG forwards the HTTP GET to the AP.
  • The AP responds with 401 Unauthorized to the UE. The UE generates the first Ks_NAF/Ks_int_NAF according to the TLS cipher suite ("yyzz") negotiated with the ALG and other parameters, uses the first Ks_NAF/Ks_int_NAF as the key to calculate the first response, and sends the first response to the AP through the ALG.
  • The AP obtains the second Ks_NAF/Ks_int_NAF from the BSF according to the TLS cipher suite ("aabb") negotiated with the ALG and other parameters, and then uses the second Ks_NAF/Ks_int_NAF as the key to calculate the second response.
  • The AP compares the second response calculated by itself with the first response sent by the UE. If the two are consistent, the authentication succeeds. However, because the TLS cipher suite used by the AP ("aabb") is inconsistent with the TLS cipher suite used by the UE ("yyzz"), the calculated Ks_NAF/Ks_int_NAF values and responses are also inconsistent, and the AP authentication fails.
  • The present disclosure provides a GBA-based authentication method on the user terminal (UE) side, as shown in FIG. 3, which includes steps S301 to S302.
  • Step S301: negotiate the Transport Layer Security (TLS) protocol with the application layer gateway (ALG) to confirm the key algorithm suite to be used.
  • Step S302: apply the key algorithm suite to the wireless access node (AP) through the ALG, so that the AP uses the key algorithm suite for authentication.
  • The UE negotiates a TLS connection with the ALG and confirms the cipher suite used by the UE and the ALG. It should be understood that the present disclosure does not limit the manner in which the UE and the ALG negotiate TLS, as long as the key algorithm suite usable between the UE and the ALG can finally be determined.
  • Applying the key algorithm suite determined by the UE and the ALG to the AP includes, but is not limited to, the following two ways:
  • The first way: forward the key algorithm suite to the AP through the ALG, so as to apply the key algorithm suite to the AP.
  • The second way: use the key algorithm suite to negotiate the Transport Layer Security protocol with the AP through the ALG, so as to apply the key algorithm suite to the AP.
  • The above first manner may include: sending the service request to the ALG, and forwarding the service request to the AP through the ALG, where the ALG carries the key algorithm suite when forwarding the service request to the AP.
  • That is, the UE sends a service request to the ALG, and the ALG sends the key algorithm suite used by the UE side to the AP through extended parameters.
  • When the AP authenticates, it does so according to the key algorithm suite sent by the ALG. For example, see steps 1 to 10 shown in FIG. 4.
  • The UE negotiates a Transport Layer Security (TLS) connection with the ALG, and confirms that the cipher suite used by the UE and the ALG is "yyzz".
  • Step 3: the UE initiates a service request (HTTP GET) to the ALG.
  • The ALG negotiates a TLS connection with the AP and confirms the cipher suite used on the AP side; the cipher suite finally used on the AP side is "aabb".
  • Step 6: the ALG forwards the HTTP GET request of the UE and sends the cipher suite "yyzz" used by the UE side to the AP through extended parameters, so that the AP performs authentication according to the UE-side cipher suite ("yyzz") carried by the ALG. That is, the cipher suite is applied to the AP through the ALG, so that the AP uses the same cipher suite ("yyzz") as the UE to achieve authentication.
  • Steps 7 to 8: after receiving the cipher suite "yyzz" used by the UE side, the AP sends a 401 Unauthorized response to the ALG, which forwards it to the UE.
  • Step 9: the UE generates the first Ks_NAF/Ks_int_NAF according to the UE-side cipher suite ("yyzz") negotiated with the ALG and other parameters, uses the first Ks_NAF/Ks_int_NAF as the key to calculate the first response, and sends it to the ALG, which forwards it to the AP.
  • The AP obtains the second Ks_NAF/Ks_int_NAF from the BSF according to the UE-side cipher suite ("yyzz") carried by the ALG and other parameters, uses the second Ks_NAF/Ks_int_NAF as the key to calculate the second response, and compares the first response with the second response. If they are consistent, the authentication succeeds. Because the cipher suite used by the AP is the same as the cipher suite used by the UE, the calculated Ks_NAF/Ks_int_NAF values and responses are also consistent, and the AP authentication finally succeeds.
  • The above first manner may further include: sending a service request to the ALG, where the service request carries the key algorithm suite; and forwarding the service request to the AP through the ALG.
  • That is, when the UE sends the service request to the ALG, the UE carries the key algorithm suite used by the UE side in the service request, and the ALG forwards the service request to the AP, so that the AP uses the key algorithm suite for authentication. For example, see steps 1 to 10 shown in FIG. 5.
  • The UE negotiates a Transport Layer Security (TLS) connection with the ALG, and confirms that the cipher suite used by the UE and the ALG is "yyzz".
  • Step 3: the UE initiates a service request (HTTP GET) to the ALG, and the service request carries the determined cipher suite ("yyzz") through extended parameters.
  • The ALG negotiates a TLS connection with the AP, and confirms that the cipher suite used on the AP side is "aabb".
  • Step 6: when the ALG forwards the HTTP GET request of the UE, it transparently passes the cipher suite ("yyzz") extended parameters sent by the UE to the AP, so that the AP can authenticate the UE according to the UE-side cipher suite ("yyzz") carried through the ALG. That is, the cipher suite is applied to the AP through the ALG, so that the AP uses the same cipher suite ("yyzz") as the UE to achieve authentication.
  • The AP sends a 401 Unauthorized response to the ALG, which forwards it to the UE.
  • Step 9: the UE generates the first Ks_NAF/Ks_int_NAF according to the UE-side cipher suite ("yyzz") negotiated with the ALG and other parameters, uses the first Ks_NAF/Ks_int_NAF as the key to calculate the first response, and sends it to the ALG. At this time, the cipher suite ("yyzz") can also be carried in the first response through the extended parameter.
  • Step 10: the ALG forwards the HTTP GET request of the UE, and transparently passes the cipher suite ("yyzz") extended parameters sent by the UE to the AP.
  • The AP obtains the second Ks_NAF/Ks_int_NAF from the BSF according to the UE-side cipher suite ("yyzz") carried through the ALG and other parameters. Because this suite is the same as the cipher suite used by the UE, the calculated Ks_NAF/Ks_int_NAF values and responses are also the same, and the AP authentication finally succeeds.
  • The second way is to use the key algorithm suite to negotiate the Transport Layer Security protocol with the AP through the ALG, so as to apply the key algorithm suite to the AP. For example, see steps 1 to 10 shown in FIG. 6.
  • The UE negotiates a Transport Layer Security (TLS) connection with the ALG, and confirms that the cipher suite used by the UE side is "yyzz".
  • Step 3: the UE initiates a service request (HTTP GET) to the ALG.
  • Steps 4 to 5: when the ALG negotiates a TLS connection with the AP, it carries the cipher suite ("yyzz") used by the UE side, to ensure that the AP side can use the same cipher suite ("yyzz") as the UE side. The cipher suite used by the AP side is therefore also "yyzz", and the AP uses the same cipher suite ("yyzz") as the UE to implement authentication.
  • The ALG forwards the UE's HTTP GET request.
  • The AP sends a 401 Unauthorized response to the UE via the ALG.
  • Steps 9 to 10: the UE generates the first Ks_NAF/Ks_int_NAF according to the UE-side cipher suite ("yyzz") negotiated with the ALG and other parameters, uses the first Ks_NAF/Ks_int_NAF as the key to calculate the first response, and sends it to the ALG, which forwards it to the AP.
  • The AP obtains the second Ks_NAF/Ks_int_NAF from the BSF according to the TLS cipher suite ("yyzz") used by the AP side and other parameters, uses the second Ks_NAF/Ks_int_NAF as the key to calculate the second response, and compares the first response with the second response. If they are consistent, the authentication succeeds. Because the TLS cipher suite used by the AP is the same as the TLS cipher suite used by the UE, the calculated Ks_NAF/Ks_int_NAF values and responses are also consistent, and the AP authentication finally succeeds.
  • Performing TLS negotiation with the ALG and confirming the key algorithm suite to be used includes: performing TLS negotiation with the ALG and confirming the list of supported cipher suites, where the list includes at least two usable key algorithm suites. Performing TLS negotiation with the AP through the ALG using the key algorithm suite then includes: performing the Transport Layer Security negotiation with the AP through the ALG using that set of key algorithm suites, and determining the key algorithm suite used by the ALG and the AP. For example, see steps 1 to 10 shown in FIG. 7.
  • Step 1: the UE initiates TLS negotiation with the ALG, and the Client Hello carries the cipher suite list (0xC030, 0x0035, 0x002D) supported by the UE side.
  • Step 2: the ALG initiates TLS negotiation with the AP. Its Client Hello carries the intersection of the cipher suite lists supported by the UE and by the ALG (0xC030, 0x002D), so that the cipher suite chosen by the AP side is necessarily one that the UE side can use.
  • Step 3: the ALG receives the AP's Server Hello and confirms the cipher suite (0xC030) used by the AP.
  • Step 4: the ALG returns a Server Hello to the UE that selects the cipher suite (0xC030) used by the AP side, so that the UE side uses the same cipher suite as the AP side.
  • The UE initiates a service request (HTTP GET), and the ALG forwards the UE's HTTP GET request.
  • The AP sends a 401 Unauthorized response to the UE via the ALG.
  • Step 9: the UE generates the first Ks_NAF/Ks_int_NAF according to the UE-side cipher suite (0xC030) negotiated with the ALG and other parameters, uses the first Ks_NAF/Ks_int_NAF as the key to calculate the first response, and sends it to the ALG, which forwards it to the AP.
  • The ALG forwards the first response of the UE to the AP. The AP obtains the second Ks_NAF/Ks_int_NAF from the BSF according to the cipher suite (0xC030) used by the AP side and other parameters, and then uses the second Ks_NAF/Ks_int_NAF as the key to calculate the second response.
  • The AP compares the second response calculated by itself with the first response sent by the UE. If they are consistent, the authentication succeeds. Because the cipher suite used by the AP is consistent with the cipher suite used by the UE, the calculated Ks_NAF/Ks_int_NAF values and responses are the same, and the AP authentication finally succeeds.
  • The GBA-based authentication method applied to the UE side confirms the key algorithm suite to be used by performing TLS negotiation with the ALG, and applies the key algorithm suite to the AP through the ALG, so that the AP uses the key algorithm suite for authentication. That is, after the UE and the AP each establish a TLS tunnel with the ALG, the ALG applies the key algorithm suite used by the UE side to the AP side, so that the AP side and the UE side use the same key algorithm suite to calculate the authentication parameters. This avoids the authentication failure that results when the UE and the AP use different key algorithm suites after establishing their respective TLS tunnels with the ALG, which would affect the AP's authentication of the UE, and thus improves the user experience.
  • The present disclosure also provides a GBA-based authentication method applied to the application layer gateway (ALG) side, as shown in FIG. 8; the method includes steps S801 to S802.
  • Step S801: perform Transport Layer Security (TLS) negotiation with the user terminal (UE) to confirm the key algorithm suite used by the UE.
  • Step S802: apply the key algorithm suite to the wireless access node (AP), so that the AP uses the key algorithm suite for authentication.
  • The ALG negotiates the TLS connection with the UE and confirms the cipher suite (the key algorithm suite) used by the UE and the ALG. It should be understood that the present disclosure does not limit the manner in which the UE and the ALG negotiate TLS, as long as the key algorithm suite usable between the UE and the ALG can finally be determined.
  • The manner in which the key algorithm suite is applied to the AP, so that the AP uses it for authentication, is the same as in the above example and is not repeated here.
  • The GBA-based authentication method applied to the ALG side performs TLS negotiation with the UE to confirm the key algorithm suite used by the UE, and applies the key algorithm suite to the AP so that the AP uses it for authentication. That is, after the UE and the AP each establish a TLS tunnel with the ALG, the AP side and the UE side use the same key algorithm suite to calculate the authentication parameters. This avoids the authentication failure that results when the UE and the AP use different key algorithm suites after establishing their respective TLS tunnels with the ALG, which would affect the AP's authentication of the UE, and thus improves the user experience.
  • The present disclosure also provides a GBA-based authentication method applied to the wireless access node (AP) side, the method including but not limited to: performing authentication using the key algorithm suite applied to the AP by the application layer gateway (ALG), where the key algorithm suite is the one used by the UE, as negotiated and confirmed in the Transport Layer Security (TLS) negotiation between the ALG and the user terminal (UE).
  • The ALG negotiates a TLS connection with the UE and, after confirming the cipher suite used by the UE and the ALG, applies the cipher suite to the AP, so that the AP performs authentication according to that cipher suite.
  • The present disclosure does not limit the manner in which the UE and the ALG negotiate TLS, as long as the key algorithm suite usable between the UE and the ALG can finally be determined.
  • The manner in which the key algorithm suite is applied to the AP, so that the AP uses it for authentication, is the same as in the above example and is not repeated here.
  • The GBA-based authentication method applied to the AP side uses the key algorithm suite applied by the ALG to the AP for authentication, where the key algorithm suite is the one used by the UE, as negotiated and confirmed in the TLS negotiation between the ALG and the UE. That is, after the UE and the AP each establish a TLS tunnel with the ALG, the AP side uses the same key algorithm suite as the UE side to calculate the authentication parameters. This avoids the authentication failure that results when the UE and the AP use different key algorithm suites after establishing their respective TLS tunnels with the ALG, which would affect the AP's authentication of the UE, and thus improves the user experience.
  • The present disclosure also provides a terminal including a first processor 901, a first memory 902 and a first communication bus 903.
  • The first communication bus 903 is used to implement the connection and communication between the first processor 901 and the first memory 902.
  • The first processor 901 is configured to execute one or more computer programs stored in the first memory 902 to implement the GBA-based authentication method executed on the user terminal side of the present disclosure.
  • The present disclosure also provides a gateway including a second processor 1001, a second memory 1002 and a second communication bus 1003.
  • The second communication bus 1003 is used to implement the connection and communication between the second processor 1001 and the second memory 1002.
  • The second processor 1001 is configured to execute one or more computer programs stored in the second memory 1002 to implement the GBA-based authentication method executed on the application layer gateway side of the present disclosure.
  • The present disclosure also provides a wireless access node including a third processor 1101, a third memory 1102 and a third communication bus 1103.
  • The third communication bus 1103 is used to implement the connection and communication between the third processor 1101 and the third memory 1102.
  • The third processor 1101 is configured to execute one or more computer programs stored in the third memory 1102 to implement the GBA-based authentication method executed on the wireless access node side of the present disclosure.
  • The present disclosure also provides a computer-readable storage medium, which may be any volatile or non-volatile, removable or non-removable medium embodied in any method or technology for the storage of information, such as computer-readable instructions, data structures, computer program modules or other data.
  • Computer-readable storage media include, but are not limited to, RAM (Random Access Memory), ROM (Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), flash memory or other memory technology, CD-ROM (Compact Disc Read-Only Memory), digital versatile disk (DVD) or other optical disk storage, magnetic cartridges, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and that can be accessed by a computer.
  • The computer-readable storage medium in the present disclosure can be used to store one or more computer programs, and the stored one or more computer programs can be executed by a processor to implement the GBA-based authentication method of the present disclosure applied to the terminal side, the gateway side or the wireless access node side.
  • The functional modules/units in the system and the device can be implemented as software (computer program code executable by the computing device), firmware, hardware, or an appropriate combination thereof.
  • The division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be executed cooperatively by several physical components.
  • Some or all physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor or microprocessor, or as hardware, or as an integrated circuit, such as an application-specific integrated circuit.
  • Communication media typically embody computer-readable instructions, data structures, computer program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and can include any information delivery medium, as is well known to those of ordinary skill in the art. Therefore, the present disclosure is not limited to any particular combination of hardware and software.
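As an added illustration, not code from the patent or from 中兴通讯股份有限公司, the following Python model runs the failing flow of FIG. 2 and the two remedies of FIG. 4/5 (UE-side suite carried to the AP as an extended parameter) and FIG. 7 (intersection negotiation) end to end, showing how a cipher suite mismatch makes the UE's first response and the AP's second response disagree. It assumes HMAC-SHA256 stand-ins for the GBA KDF and the HTTP Digest response, a constructed Ks and nonce, and assumed ALG and AP cipher suite lists chosen so that the UE/ALG intersection is (0xC030, 0x002D) as on the page.

```python
import hashlib
import hmac

# Cipher suite code points. The UE list is the FIG. 7 Client Hello list; the
# ALG and AP lists are assumed for this example and chosen so that the UE/ALG
# intersection is (0xC030, 0x002D), as in FIG. 7 step 2.
UE_SUITES = (0xC030, 0x0035, 0x002D)
ALG_SUITES = (0x002D, 0xC030)          # assumed ALG preference order
AP_SUITES = (0xC030, 0x0035, 0x002D)   # assumed AP preference order
NAF_ID = b"ap.example.invalid"         # constructed NAF_Id known to UE and AP

def derive_ks_naf(ks: bytes, cipher_suite: int) -> bytes:
    """Stand-in for the GBA KDF: Ks_NAF depends on the cipher suite, so two
    parties that believe different suites are in use derive different keys
    even though they share the same bootstrapped Ks."""
    msg = NAF_ID + cipher_suite.to_bytes(2, "big")
    return hmac.new(ks, msg, hashlib.sha256).digest()

def compute_response(ks_naf: bytes, nonce: bytes) -> str:
    """Stand-in for the HTTP Digest response keyed with Ks_NAF."""
    return hmac.new(ks_naf, nonce, hashlib.sha256).hexdigest()

def select_suite(server_prefs, offered):
    """TLS server-side choice: first suite in the server's preference order
    that the client also offered, or None when nothing overlaps."""
    return next((s for s in server_prefs if s in offered), None)

class BSF:
    """Holds the bootstrapped Ks per UE (constructed sample key)."""
    def __init__(self):
        self.ks = {"ue-1": b"constructed-bootstrapped-Ks"}

    def ks_naf(self, ue_id: str, cipher_suite: int) -> bytes:
        return derive_ks_naf(self.ks[ue_id], cipher_suite)

class AP:
    """Wireless access node: authenticates the UE on behalf of the AS."""
    def __init__(self, bsf: BSF):
        self.bsf = bsf

    def server_hello(self, offered):
        return select_suite(AP_SUITES, offered)

    def challenge(self) -> bytes:
        return b"constructed-401-nonce"   # 401 Unauthorized challenge

    def verify(self, ue_id, nonce, first_response, cipher_suite) -> bool:
        # Second Ks_NAF from the BSF, using the suite the AP believes is in use
        second = compute_response(self.bsf.ks_naf(ue_id, cipher_suite), nonce)
        return hmac.compare_digest(first_response, second)

class UE:
    def __init__(self, ue_id: str, ks: bytes):
        self.ue_id, self.ks = ue_id, ks

    def first_response(self, nonce: bytes, cipher_suite: int) -> str:
        return compute_response(derive_ks_naf(self.ks, cipher_suite), nonce)

def run_authentication(ue: UE, ap: AP, ue_suite, ap_suite) -> bool:
    """401 challenge, first response from the UE, verification at the AP."""
    if ue_suite is None or ap_suite is None:
        return False                       # a TLS leg failed to negotiate
    nonce = ap.challenge()
    first = ue.first_response(nonce, ue_suite)
    return ap.verify(ue.ue_id, nonce, first, ap_suite)

def legacy_flow(ue: UE, ap: AP):
    """FIG. 2: the ALG negotiates the two TLS legs independently."""
    ue_suite = select_suite(ALG_SUITES, UE_SUITES)   # ALG is server towards UE
    ap_suite = ap.server_hello(ALG_SUITES)           # ALG is client towards AP
    return run_authentication(ue, ap, ue_suite, ap_suite), ue_suite, ap_suite

def extended_parameter_flow(ue: UE, ap: AP):
    """FIG. 4/5: legs negotiated as in FIG. 2, but the UE-side suite travels
    to the AP as an extended parameter and the AP derives Ks_NAF from it."""
    ue_suite = select_suite(ALG_SUITES, UE_SUITES)
    ap.server_hello(ALG_SUITES)        # AP-leg suite may differ; not used for Ks_NAF
    return run_authentication(ue, ap, ue_suite, ue_suite), ue_suite, ue_suite

def intersection_flow(ue: UE, ap: AP):
    """FIG. 7: the ALG offers the AP only suites the UE can use and echoes
    the AP's choice back to the UE in its own Server Hello."""
    offered_to_ap = tuple(s for s in UE_SUITES if s in ALG_SUITES)  # step 2
    ap_suite = ap.server_hello(offered_to_ap)                       # step 3
    ue_suite = ap_suite                                             # step 4
    return run_authentication(ue, ap, ue_suite, ap_suite), ue_suite, ap_suite

def make_parties():
    """Constructed UE/AP pair sharing one BSF."""
    bsf = BSF()
    return UE("ue-1", bsf.ks["ue-1"]), AP(bsf)
```

Each flow returns (authenticated, UE-side suite, suite the AP derives from); with the lists above the legacy flow ends with 0x002D against 0xC030 and fails, while both remedies end with matching suites and succeed.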

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present disclosure provides a GBA-based authentication method, comprising: negotiating a transport layer security protocol with a user terminal to confirm a secret key algorithm suite used by the user terminal; and applying the secret key algorithm suite to a wireless access node, such that the wireless access node performs authentication by using the secret key algorithm suite. The present disclosure also provides a terminal, a gateway, the wireless access node, and a computer readable storage medium.

Description

Authentication method based on the General Bootstrapping Architecture, and corresponding device
Technical Field
The embodiments of the present disclosure relate to, but are not limited to, the field of communication technology, and in particular to an authentication method based on the General Bootstrapping Architecture and a corresponding device.
Background
With the development of communication technology, many applications in many communication services require interaction between the user equipment (UE) and the access stratum (AS), such as service activation, service configuration and service access. To guarantee the security of service applications, mutual authentication is required between the UE and the AS. If the UE and the AS interact directly, there are two serious problems: 1) independent authentication must be performed between the UE and each AS, including negotiation of the authentication mechanism and management of the secret key; 2) the UE must enter a secret key every time it logs in to a different AS, which gives a poor user experience. Therefore the 3rd Generation Partnership Project (3GPP) standards organization proposed the concept of a generic authentication architecture, of which the General Bootstrapping Architecture (GBA) is a generic authentication architecture based on a shared secret key. GBA uses Authentication and Key Agreement (AKA, the authentication and key agreement protocol of third-generation mobile communication networks) to provide a mechanism for key sharing, mutual authentication and service protection between the UE and the network, with high security and generality. In GBA, a wireless access node (Access Point, AP) is added between the UE and the AS; the AP acts as an authentication proxy, authenticates the UE, and completes the authentication of the UE on behalf of the AS.
Because GBA exposes a public-network service address, and in view of security and other factors, real deployments introduce an Application Layer Gateway (ALG). The ALG implements access control functions such as firewall, anti-virus, intrusion detection and active authentication of user access, providing GBA with a comprehensive access security management solution. After the ALG is introduced, the UE and the AP each establish a Transport Layer Security (TLS) tunnel with the ALG, which affects the AP's authentication of the UE.
Summary of the Invention
An embodiment of the present disclosure provides a GBA-based authentication method applied on the terminal side, comprising: performing Transport Layer Security protocol negotiation with an application layer gateway to confirm the secret key algorithm suite to be used; and applying the secret key algorithm suite to a wireless access node through the application layer gateway, so that the wireless access node performs authentication using the secret key algorithm suite.
An embodiment of the present disclosure also provides a GBA-based authentication method applied on the gateway side, comprising: performing Transport Layer Security protocol negotiation with a user terminal to confirm the secret key algorithm suite used by the user terminal; and applying the secret key algorithm suite to a wireless access node, so that the wireless access node performs authentication using the secret key algorithm suite.
An embodiment of the present disclosure also provides a GBA-based authentication method applied on the wireless access node side, comprising: performing authentication using the secret key algorithm suite applied to the wireless access node by an application layer gateway, where the secret key algorithm suite is the secret key algorithm suite used by the user terminal, as confirmed by the Transport Layer Security protocol negotiation between the application layer gateway and the user terminal.
An embodiment of the present disclosure also provides a terminal, the terminal comprising a first processor and a first memory, the first processor being configured to execute one or more computer programs stored in the first memory so as to implement the GBA-based authentication method applied on the terminal side according to the present disclosure.
An embodiment of the present disclosure also provides a gateway, the gateway comprising a second processor and a second memory, the second processor being configured to execute one or more computer programs stored in the second memory so as to implement the GBA-based authentication method applied on the gateway side according to the present disclosure.
An embodiment of the present disclosure also provides a wireless access node, the wireless access node comprising a third processor and a third memory, the third processor being configured to execute one or more computer programs stored in the third memory so as to implement the GBA-based authentication method applied on the wireless access node side according to the present disclosure.
An embodiment of the present disclosure also provides a computer storage medium on which one or more programs are stored, the one or more programs being executable by one or more processors so as to implement the GBA-based authentication method applied on the terminal side, the gateway side or the wireless access node side according to the present disclosure.
Description of the Drawings
Fig. 1 is a schematic diagram of the basic GBA architecture provided by the present disclosure;
Fig. 2 is a schematic diagram of the basic GBA authentication flow provided by the present disclosure;
Fig. 3 is a schematic flowchart of the GBA-based authentication method provided by the present disclosure;
Fig. 4 is a schematic diagram of a basic flow for applying the secret key algorithm suite to the wireless access node through the application layer gateway, provided by the present disclosure;
Fig. 5 is a schematic diagram of another basic flow for applying the secret key algorithm suite to the wireless access node through the application layer gateway, provided by the present disclosure;
Fig. 6 is a schematic diagram of another basic flow for applying the secret key algorithm suite to the wireless access node through the application layer gateway, provided by the present disclosure;
Fig. 7 is a schematic diagram of another basic flow for applying the secret key algorithm suite to the wireless access node through the application layer gateway, provided by the present disclosure;
Fig. 8 is a schematic diagram of the basic flow of the GBA-based authentication method provided by the present disclosure;
Fig. 9 is a schematic diagram of the basic structure of the terminal provided by the present disclosure;
Fig. 10 is a schematic diagram of the basic structure of the gateway provided by the present disclosure; and
Fig. 11 is a schematic diagram of the basic structure of the wireless access node provided by the present disclosure.
Detailed Description
In order to make the objectives, technical solutions and advantages of the present disclosure clearer, the embodiments of the present disclosure are described in further detail below through specific implementations in conjunction with the accompanying drawings. It should be understood that the specific embodiments described herein serve only to explain the present disclosure and are not intended to limit it.
As shown in Fig. 1, which is a schematic diagram of the basic GBA architecture, the architecture includes: a Home Subscriber Server (HSS), a Bootstrapping Server Function (BSF), a Network Application Function (NAF) or wireless access node (Access Point, AP) function, and the ALG. It should be understood that the NAF performs the same function as the AP, i.e., only one of the AP and the NAF needs to be present. The ALG establishes TLS channels with the UE and with the AP respectively and performs authentication. As shown in Fig. 2, the UE negotiates a TLS connection with the ALG and confirms the secret key algorithm suite (cipher suite) to be used; the cipher suite finally used is "yyzz". The UE sends a service request (HTTP GET) to the ALG; the ALG negotiates a TLS connection with the AP and confirms the cipher suite to be used; the cipher suite finally used is "aabb". The ALG forwards the HTTP GET to the AP. After the AP responds with 401 Unauthorized to the UE, the UE generates a first Ks_NAF/Ks_int_NAF from the TLS cipher suite negotiated with the ALG ("yyzz") and other parameters, uses the first Ks_NAF/Ks_int_NAF as the key to compute a first response, and sends the first response to the AP through the ALG. The AP obtains a second Ks_NAF/Ks_int_NAF from the BSF according to the TLS cipher suite negotiated with the ALG ("aabb") and other parameters, and uses the second Ks_NAF/Ks_int_NAF as the key to compute a second response. The AP compares the second response it computed with the first response sent by the UE; if the two are consistent, authentication succeeds. However, because the TLS cipher suite used by the AP differs from the TLS cipher suite used by the UE, the computed Ks_NAF/Ks_int_NAF values and responses also differ, and the AP's authentication fails.
To solve the problem that, after the UE and the AP each establish a TLS tunnel with the ALG, different secret key algorithm suites are used, causing authentication to fail and thus affecting the AP's authentication of the UE, the present disclosure provides a GBA-based authentication method applied on the user equipment (UE) side. Referring to Fig. 3, it includes steps S301 to S302.
In step S301, TLS negotiation is performed with the application layer gateway (ALG) to confirm the secret key algorithm suite to be used.
In step S302, the secret key algorithm suite is applied to the wireless access node (AP) through the ALG, so that the AP performs authentication using that secret key algorithm suite.
The UE negotiates a TLS connection with the ALG and confirms the secret key algorithm suite (cipher suite) used by the UE and the ALG. It should be understood that the present disclosure does not restrict the manner in which the UE and the ALG negotiate TLS; it is sufficient that a secret key algorithm suite usable between the UE and the ALG is finally determined.
In the present disclosure, applying the secret key algorithm suite determined by the UE and the ALG to the AP includes, but is not limited to, the following two manners:
First manner: the secret key algorithm suite is forwarded to the AP through the ALG, thereby applying the secret key algorithm suite to the AP;
Second manner: the ALG uses the secret key algorithm suite in its TLS negotiation with the AP, thereby applying the secret key algorithm suite to the AP.
The first manner may include: sending a service request to the ALG; and forwarding the service request to the AP through the ALG, where the ALG carries the secret key algorithm suite when forwarding the service request to the AP. The UE sends a service request to the ALG; the ALG sends the secret key algorithm suite used on the UE side to the AP in an extension parameter; and when the AP authenticates, it does so according to the secret key algorithm suite sent by the ALG. For example, see steps 1 to 10 shown in Fig. 4.
In steps 1 to 2, the UE negotiates a TLS connection with the ALG and confirms that the secret key algorithm suite (cipher suite) used by the UE and the ALG is "yyzz".
In step 3, the UE sends a service request (HTTP GET) to the ALG.
In steps 4 to 5, the ALG negotiates a TLS connection with the AP and confirms the cipher suite used on the AP side; the cipher suite finally used on the AP side is "aabb".
In step 6, the ALG forwards the UE's HTTP GET request and sends the cipher suite "yyzz" used on the UE side to the AP in an extension parameter, so that the AP performs authentication according to the cipher suite ("yyzz") used by the UE and the ALG, as carried by the ALG. That is, the cipher suite is applied to the AP through the ALG, so that the AP authenticates using the same cipher suite ("yyzz") as the UE.
In steps 7 to 8, after receiving the cipher suite "yyzz" used on the UE side, the AP sends a 401 Unauthorized response to the ALG, which forwards it to the UE.
In step 9, the UE generates a first Ks_NAF/Ks_int_NAF from the UE-side cipher suite ("yyzz") negotiated with the ALG and other parameters, uses the first Ks_NAF/Ks_int_NAF as the key to compute a first response, and sends it to the ALG, which forwards it to the AP.
In step 10, the AP obtains a second Ks_NAF/Ks_int_NAF from the BSF according to the UE-side cipher suite ("yyzz") carried by the ALG and other parameters, uses the second Ks_NAF/Ks_int_NAF as the key to compute a second response, and compares the first response with the second response. If the second response is consistent with the first response, authentication succeeds. Because the cipher suite used by the AP is the same as the cipher suite used by the UE, the computed Ks_NAF/Ks_int_NAF values and responses are also consistent, and the AP's authentication finally succeeds.
The first manner may alternatively include: sending a service request to the ALG, where the service request carries the secret key algorithm suite; and forwarding the service request to the AP through the ALG. When the UE sends the service request to the ALG, the UE carries the secret key algorithm suite used on the UE side in the service request as an extension parameter; the ALG forwards the service request to the AP; and when the AP authenticates, it does so according to the secret key algorithm suite in the service request sent by the UE. For example, see steps 1 to 10 shown in Fig. 5.
In steps 1 to 2, the UE negotiates a TLS connection with the ALG and confirms that the secret key algorithm suite (cipher suite) used by the UE and the ALG is "yyzz".
In step 3, the UE sends a service request (HTTP GET) to the ALG; the service request carries the determined cipher suite ("yyzz") in an extension parameter.
In steps 4 to 5, the ALG negotiates a TLS connection with the AP and confirms that the cipher suite used on the AP side is "aabb".
In step 6, when forwarding the UE's HTTP GET request, the ALG transparently passes the cipher suite ("yyzz") extension parameter sent by the UE through to the AP, so that the AP performs authentication according to the cipher suite ("yyzz") used by the UE and the ALG, as carried through the ALG. That is, the cipher suite is applied to the AP through the ALG, so that the AP authenticates using the same cipher suite ("yyzz") as the UE.
In steps 7 to 8, the AP sends a 401 Unauthorized response to the ALG, which sends it to the UE.
In step 9, the UE generates a first Ks_NAF/Ks_int_NAF from the UE-side cipher suite ("yyzz") negotiated with the ALG and other parameters, uses the first Ks_NAF/Ks_int_NAF as the key to compute a first response, and sends it to the ALG; the first response may likewise carry the cipher suite ("yyzz") in an extension parameter.
In step 10, the ALG forwards the UE's request, transparently passing the cipher suite ("yyzz") extension parameter sent by the UE through to the AP. The AP obtains a second Ks_NAF/Ks_int_NAF from the BSF according to the UE-side cipher suite ("yyzz") carried through the ALG and other parameters, uses the second Ks_NAF/Ks_int_NAF as the key to compute a second response, and compares the first response with the second response. If the second response is consistent with the first response, authentication succeeds. Because the cipher suite used by the AP is the same as the cipher suite used by the UE, the computed Ks_NAF/Ks_int_NAF values and responses are also consistent, and the AP's authentication finally succeeds.
The second manner is that the ALG uses the secret key algorithm suite in its TLS negotiation with the AP, thereby applying the secret key algorithm suite to the AP; for example, see steps 1 to 10 shown in Fig. 6.
In steps 1 to 2, the UE negotiates a TLS connection with the ALG and confirms that the cipher suite used on the UE side is "yyzz".
In step 3, the UE sends a service request (HTTP GET) to the ALG.
In steps 4 to 5, when negotiating the TLS connection with the AP, the ALG carries the cipher suite ("yyzz") used on the UE side, ensuring that the AP side can use the same cipher suite ("yyzz") as the UE side, so that the cipher suite used on the AP side is also "yyzz" and the AP authenticates using the same cipher suite ("yyzz") as the UE.
In step 6, the ALG forwards the UE's HTTP GET request.
In steps 7 to 8, the AP sends a 401 Unauthorized response, which is sent to the UE through the ALG.
In steps 9 to 10, the UE generates a first Ks_NAF/Ks_int_NAF from the UE-side cipher suite ("yyzz") negotiated with the ALG and other parameters, uses the first Ks_NAF/Ks_int_NAF as the key to compute a first response, and sends it to the ALG, which forwards it to the AP. The AP obtains a second Ks_NAF/Ks_int_NAF from the BSF according to the TLS cipher suite used on the AP side ("yyzz") and other parameters, uses the second Ks_NAF/Ks_int_NAF as the key to compute a second response, and compares the first response with the second response. If the second response is consistent with the first response, authentication succeeds. Because the TLS cipher suite used by the AP is the same as the TLS cipher suite used by the UE, the computed Ks_NAF/Ks_int_NAF values and responses are also consistent, and the AP's authentication finally succeeds.
Performing TLS negotiation with the ALG to confirm the secret key algorithm suite to be used may include: performing TLS negotiation with the ALG to confirm the set of supported secret key algorithm suites (cipher suite list), where the set contains at least two usable secret key algorithm suites; and the ALG using the secret key algorithm suite in its TLS negotiation with the AP may include: the ALG using the set of secret key algorithm suites in its TLS negotiation with the AP, so as to determine the secret key algorithm suite used by the ALG and the AP. For example, see steps 1 to 10 shown in Fig. 7.
In step 1, the UE initiates TLS negotiation with the ALG; its Client Hello carries the cipher suite list supported on the UE side (0xC030, 0x0035, 0x002D).
In step 2, the ALG initiates TLS negotiation with the AP; its Client Hello uses the intersection of the cipher suite lists supported by the UE and by the ALG (0xC030, 0x002D), so that the cipher suite used on the AP side is necessarily one that the UE side can use.
In step 3, the ALG receives the AP's Server Hello and confirms the cipher suite used on the AP side (0xC030).
In step 4, the ALG returns a Server Hello to the UE using the cipher suite used on the AP side (0xC030), so that the UE side uses the same cipher suite as the AP side.
In steps 5 to 6, the UE sends a service request (HTTP GET), and the ALG forwards the UE's HTTP GET request.
In steps 7 to 8, the AP sends a 401 Unauthorized response, which is sent to the UE through the ALG.
In step 9, the UE generates a first Ks_NAF/Ks_int_NAF from the UE-side cipher suite (0xC030) negotiated with the ALG and other parameters, uses the first Ks_NAF/Ks_int_NAF as the key to compute a first response, and sends it to the ALG, which forwards it to the AP.
In step 10, the ALG forwards the UE's first response to the AP. The AP obtains a second Ks_NAF/Ks_int_NAF from the BSF according to the cipher suite used on the AP side (0xC030) and other parameters, and uses the second Ks_NAF/Ks_int_NAF as the key to compute a second response. The AP compares the second response it computed with the first response sent by the UE; if the second response is consistent with the first response, authentication succeeds. Because the cipher suite used by the AP is the same as the cipher suite used by the UE, the computed Ks_NAF/Ks_int_NAF values and responses are also consistent, and the AP's authentication finally succeeds.
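The three exchanges described above (the background failure of Fig. 2, the extension-parameter forwarding of Figs. 4 and 5, and the intersection negotiation of Fig. 7) as one runnable model, added here and not code from the patent: the UE's suite list and the intersection (0xC030, 0x002D) are the page's values; the ALG and AP preference orders, the shared key Ks, the NAF_Id and the nonce are constructed, and the Ks_NAF derivation and the Digest response are HMAC stand-ins rather than the 3GPP KDF.

```python
import hashlib
import hmac

# Constructed inputs (added example, not the patent's code). The UE list and its
# intersection with the ALG list (0xC030, 0x002D) are the values given for Fig. 7;
# the ALG and AP preference orders, the shared key, NAF_Id and nonce are assumptions.
UE_OFFER = [0xC030, 0x0035, 0x002D]       # UE Client Hello cipher suite list
ALG_SUPPORTED = [0x009C, 0xC030, 0x002D]  # assumed ALG preference order
AP_PREFERRED = [0x009C, 0xC030, 0x002D]   # assumed AP preference order
KS = b"constructed-shared-key-Ks"         # stand-in for the bootstrapped key Ks
NAF_ID = b"ap.example.invalid"            # stand-in for NAF_Id
NONCE = b"constructed-401-nonce"          # stand-in for the 401 challenge nonce


def server_select(client_offer, server_prefs):
    """TLS server choice: the first suite in the server's preference order that
    the client offered, or None when there is no overlap."""
    offered = set(client_offer)
    for suite in server_prefs:
        if suite in offered:
            return suite
    return None


def intersect_preserving_order(ue_list, alg_list):
    """Step 2 of Fig. 7: the ALG's Client Hello to the AP carries only suites that
    both the UE and the ALG support, in the UE's order."""
    allowed = set(alg_list)
    return [suite for suite in ue_list if suite in allowed]


def derive_ks_naf(ks, cipher_suite, naf_id):
    """Stand-in for Ks_NAF derivation (the real one is the 3GPP GBA KDF): an HMAC
    over NAF_Id and the cipher suite, so the result depends on the suite."""
    return hmac.new(ks, naf_id + cipher_suite.to_bytes(2, "big"), hashlib.sha256).digest()


def digest_response(ks_naf, nonce):
    """Stand-in for the HTTP Digest response computed with Ks_NAF as the password."""
    return hmac.new(ks_naf, nonce, hashlib.sha256).hexdigest()


def run_flow(mode, ue_offer=UE_OFFER, alg_supported=ALG_SUPPORTED,
             ap_preferred=AP_PREFERRED):
    """Simulate UE <-> ALG <-> AP for one of three behaviours:
      'independent' - the background problem: two unrelated TLS negotiations
      'forward'     - first manner (Figs. 4 and 5): the ALG passes the UE's suite to
                      the AP in an extension parameter and the AP derives Ks_NAF from it
      'align'       - second manner (Fig. 7): the ALG offers the intersection to the AP
                      and echoes the AP's choice back to the UE in its Server Hello
    Returns (ue_suite, ap_tls_suite, authenticated)."""
    if mode == "align":
        ap_suite = server_select(intersect_preserving_order(ue_offer, alg_supported),
                                 ap_preferred)
        ue_suite = ap_suite                   # ALG Server Hello to the UE echoes the AP's suite
        ap_derivation_suite = ap_suite
    else:
        ue_suite = server_select(ue_offer, alg_supported)      # UE <-> ALG leg
        ap_suite = server_select(alg_supported, ap_preferred)  # ALG <-> AP leg
        ap_derivation_suite = ue_suite if mode == "forward" else ap_suite
    if ue_suite is None or ap_suite is None:
        return ue_suite, ap_suite, False      # no common suite: no tunnel, no authentication
    # UE side: first Ks_NAF and first response; AP side: second Ks_NAF and second response
    first = digest_response(derive_ks_naf(KS, ue_suite, NAF_ID), NONCE)
    second = digest_response(derive_ks_naf(KS, ap_derivation_suite, NAF_ID), NONCE)
    return ue_suite, ap_suite, hmac.compare_digest(first, second)


if __name__ == "__main__":
    for mode in ("independent", "forward", "align"):
        ue, ap, ok = run_flow(mode)
        print(f"{mode:12s} UE suite={ue:#06x} AP TLS suite={ap:#06x} "
              f"auth={'ok' if ok else 'FAIL'}")
```

With the constructed preference lists, the independent negotiation lands on 0xC030 for the UE leg and 0x009C for the AP leg and authentication fails, while both patent manners make the AP derive with 0xC030 and succeed.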
The GBA-based authentication method applied on the UE side provided by the present disclosure performs TLS negotiation with the ALG to confirm the secret key algorithm suite to be used, and applies that secret key algorithm suite to the AP through the ALG so that the AP authenticates with it. That is, after the UE and the AP each establish a TLS tunnel with the ALG, the secret key algorithm suite used on the UE side is applied to the AP side through the ALG, so that the AP side and the UE side compute the authentication parameters with the same secret key algorithm suite. This avoids the problem that the UE and the AP use different secret key algorithm suites after each establishing a TLS tunnel with the ALG, which causes authentication to fail and affects the AP's authentication of the UE, and it improves the user experience.
The present disclosure also provides a GBA-based authentication method applied on the application layer gateway (ALG) side. Referring to Fig. 8, the method includes steps S801 to S802.
In step S801, TLS negotiation is performed with the user equipment (UE) to confirm the secret key algorithm suite used by the UE.
In step S802, the secret key algorithm suite is applied to the wireless access node (AP), so that the AP performs authentication using that secret key algorithm suite.
The ALG negotiates a TLS connection with the UE and confirms the secret key algorithm suite (cipher suite) used by the UE and the ALG. It should be understood that the present disclosure does not restrict the manner in which the UE and the ALG negotiate TLS; it is sufficient that a secret key algorithm suite usable between the UE and the ALG is finally determined.
The method of applying the secret key algorithm suite to the AP so that the AP authenticates with it is the same as in the examples above and is not repeated here.
The GBA-based authentication method applied on the ALG side provided by the present disclosure performs TLS negotiation with the UE to confirm the secret key algorithm suite used by the UE, and applies that secret key algorithm suite to the AP so that the AP authenticates with it. That is, after the UE and the AP each establish a TLS tunnel with the ALG, the AP side and the UE side compute the authentication parameters with the same secret key algorithm suite. This avoids the problem that the UE and the AP use different secret key algorithm suites after each establishing a TLS tunnel with the ALG, which causes authentication to fail and affects the AP's authentication of the UE, and it improves the user experience.
The present disclosure also provides a GBA-based authentication method applied on the wireless access node (AP) side. The method includes, but is not limited to: performing authentication using the secret key algorithm suite applied to the AP by the application layer gateway (ALG), where the secret key algorithm suite is the secret key algorithm suite used by the user equipment (UE), as confirmed by the TLS negotiation between the ALG and the UE.
The ALG negotiates a TLS connection with the UE, confirms the secret key algorithm suite (cipher suite) used by the UE and the ALG, and applies that secret key algorithm suite to the AP, so that the AP performs authentication according to it. It should be understood that the present disclosure does not restrict the manner in which the UE and the ALG negotiate TLS; it is sufficient that a secret key algorithm suite usable between the UE and the ALG is finally determined.
The method of applying the secret key algorithm suite to the AP so that the AP authenticates with it is the same as in the examples above and is not repeated here.
The GBA-based authentication method applied on the AP side provided by the present disclosure performs authentication using the secret key algorithm suite applied to the AP by the ALG, where that suite is the secret key algorithm suite used by the UE as confirmed by the TLS negotiation between the ALG and the UE. That is, after the UE and the AP each establish a TLS tunnel with the ALG, the AP side computes the authentication parameters with the same secret key algorithm suite as the UE side. This avoids the problem that the UE and the AP use different secret key algorithm suites after each establishing a TLS tunnel with the ALG, which causes authentication to fail and affects the AP's authentication of the UE, and it improves the user experience.
The present disclosure also provides a terminal, including a first processor 901, a first memory 902 and a first communication bus 903.
The first communication bus 903 is used to implement the connection and communication between the first processor 901 and the first memory 902.
The first processor 901 is configured to execute one or more computer programs stored in the first memory 902 to implement the GBA-based authentication method of the present disclosure performed on the user terminal side.
The present disclosure also provides a gateway, including a second processor 1001, a second memory 1002 and a second communication bus 1003.
The second communication bus 1003 is used to implement the connection and communication between the second processor 1001 and the second memory 1002.
The second processor 1001 is configured to execute one or more computer programs stored in the second memory 1002 to implement the GBA-based authentication method of the present disclosure performed on the application layer gateway side.
The present disclosure also provides a wireless access node, including a third processor 1101, a third memory 1102 and a third communication bus 1103.
The third communication bus 1103 is used to implement the connection and communication between the third processor 1101 and the third memory 1102.
The third processor 1101 is configured to execute one or more computer programs stored in the third memory 1102 to implement the GBA-based authentication method of the present disclosure performed on the wireless access node side.
The present disclosure also provides a computer-readable storage medium, which includes volatile or non-volatile, removable or non-removable media implemented in any method or technology for storing information (such as computer-readable instructions, data structures, computer program modules or other data). Computer-readable storage media include, but are not limited to, RAM (Random Access Memory), ROM (Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), flash memory or other memory technology, CD-ROM (Compact Disc Read-Only Memory), digital versatile disc (DVD) or other optical disc storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and that can be accessed by a computer.
The computer-readable storage medium of the present disclosure can store one or more computer programs, which can be executed by a processor to implement the GBA-based authentication method of the present disclosure applied on the terminal side, the gateway side or the wireless access node side.
Those skilled in the art will understand that all or some of the steps of the methods disclosed above, and the functional modules/units in the systems and devices, may be implemented as software (realizable as computer program code executable by a computing device), firmware, hardware, or an appropriate combination thereof. In a hardware implementation, the division between the functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed cooperatively by several physical components. Some or all of the physical components may be implemented as software executed by a processor such as a central processing unit, a digital signal processor or a microprocessor, or as hardware, or as an integrated circuit such as an application-specific integrated circuit.
In addition, as is well known to those of ordinary skill in the art, communication media typically embody computer-readable instructions, data structures, computer program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery medium. Therefore, the present disclosure is not limited to any particular combination of hardware and software.
The above is a further detailed description of the embodiments of the present disclosure in connection with specific implementations, and the specific implementation of the present disclosure should not be regarded as limited to these descriptions. Those of ordinary skill in the technical field to which the present disclosure belongs may make a number of simple deductions or substitutions without departing from the concept of the present disclosure, all of which should be regarded as falling within the scope of protection of the present disclosure.

Claims (11)

  1. An authentication method based on the general bootstrapping architecture (GBA), comprising:
    negotiating the transport layer security protocol with an application layer gateway to confirm the key algorithm suite to be used; and
    applying the key algorithm suite to a wireless access node through the application layer gateway, so that the wireless access node performs authentication using the key algorithm suite.
  2. The GBA-based authentication method according to claim 1, wherein applying the key algorithm suite to the wireless access node through the application layer gateway comprises:
    forwarding the key algorithm suite to the wireless access node through the application layer gateway, thereby applying the key algorithm suite to the wireless access node;
    and/or
    negotiating, by the application layer gateway, the transport layer security protocol with the wireless access node using the key algorithm suite, thereby applying the key algorithm suite to the wireless access node.
  3. The GBA-based authentication method according to claim 2, wherein forwarding the key algorithm suite to the wireless access node through the application layer gateway comprises:
    sending a service request to the application layer gateway; and
    forwarding the service request to the wireless access node through the application layer gateway, wherein the application layer gateway carries the key algorithm suite when forwarding the service request to the wireless access node.
  4. The GBA-based authentication method according to claim 2, wherein forwarding the key algorithm suite to the wireless access node through the application layer gateway comprises:
    sending a service request to the application layer gateway, wherein the service request carries the key algorithm suite; and
    forwarding the service request to the wireless access node through the application layer gateway.
  5. The GBA-based authentication method according to claim 2, wherein negotiating the transport layer security protocol with the application layer gateway to confirm the key algorithm suite to be used comprises:
    negotiating the transport layer security protocol with the application layer gateway to confirm a set of supported key algorithm suites, wherein the set of key algorithm suites comprises at least two key algorithm suites,
    and negotiating, by the application layer gateway, the transport layer security protocol with the wireless access node using the key algorithm suite comprises:
    negotiating, by the application layer gateway, the transport layer security protocol with the wireless access node using the set of key algorithm suites, to determine the key algorithm suite to be used by the application layer gateway and the wireless access node.
  6. An authentication method based on the general bootstrapping architecture (GBA), comprising:
    negotiating the transport layer security protocol with a user terminal to confirm the key algorithm suite used by the user terminal; and
    applying the key algorithm suite to a wireless access node, so that the wireless access node performs authentication using the key algorithm suite.
  7. An authentication method based on the general bootstrapping architecture (GBA), comprising:
    performing authentication using a key algorithm suite applied to a wireless access node by an application layer gateway,
    wherein the key algorithm suite is the key algorithm suite used by a user terminal, as confirmed through transport layer security protocol negotiation between the application layer gateway and the user terminal.
  8. A terminal, comprising a first processor and a first memory,
    wherein the first processor is configured to execute one or more computer programs stored in the first memory to implement the GBA-based authentication method according to any one of claims 1 to 5.
  9. A gateway, comprising a second processor and a second memory,
    wherein the second processor is configured to execute one or more computer programs stored in the second memory to implement the GBA-based authentication method according to claim 6.
  10. A wireless access node, comprising a third processor and a third memory,
    wherein the third processor is configured to execute one or more computer programs stored in the third memory to implement the GBA-based authentication method according to claim 7.
  11. A computer-readable storage medium storing one or more computer programs which, when executed by one or more processors, cause the one or more processors to implement the GBA-based authentication method according to any one of claims 1 to 7.
PCT/CN2021/101804 2020-08-14 2021-06-23 General bootstrapping architecture-based authentication method and corresponding device WO2022033186A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010819512.6A CN114143016A (en) 2020-08-14 2020-08-14 Authentication method based on general guide architecture GBA and corresponding device
CN202010819512.6 2020-08-14

Publications (1)

Publication Number Publication Date
WO2022033186A1 true WO2022033186A1 (en) 2022-02-17

Family

ID=80247635

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/101804 WO2022033186A1 (en) 2020-08-14 2021-06-23 General bootstrapping architecture-based authentication method and corresponding device

Country Status (2)

Country Link
CN (1) CN114143016A (en)
WO (1) WO2022033186A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1921682A (en) * 2005-08-26 2007-02-28 华为技术有限公司 Method for enhancing key negotiation in universal identifying framework
US10673820B2 (en) * 2013-09-13 2020-06-02 Vodafone Ip Licensing Limited Communicating with a machine to machine device

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1265607C (en) * 2003-12-08 2006-07-19 华为技术有限公司 Method for building up service tunnel in wireless local area network
GB0414421D0 (en) * 2004-06-28 2004-07-28 Nokia Corp Authenticating users
CN101156412B (en) * 2005-02-11 2011-02-09 诺基亚公司 Method and apparatus for providing bootstrapping procedures in a communication network
CN1929371B (en) * 2005-09-05 2010-09-08 华为技术有限公司 Method for negotiating key share between user and peripheral apparatus
CN100479570C (en) * 2006-01-18 2009-04-15 华为技术有限公司 Connection set-up method, system, network application entity and user terminal
CN102625306A (en) * 2011-01-31 2012-08-01 电信科学技术研究院 Method, system and equipment for authentication
WO2015072899A1 (en) * 2013-11-15 2015-05-21 Telefonaktiebolaget L M Ericsson (Publ) Methods and devices for bootstrapping of resource constrained devices
GB2537377B (en) * 2015-04-13 2021-10-13 Vodafone Ip Licensing Ltd Security improvements in a cellular network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Generic Authentication Architecture (GAA); Access to network application functions using Hypertext Transfer Protocol over Transport Layer Security (HTTPS) (Release 16)", 3GPP STANDARD; TECHNICAL SPECIFICATION; 3GPP TS 33.222, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG3, no. V16.0.0, 10 July 2020 (2020-07-10), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , pages 1 - 42, XP051924917 *

Also Published As

Publication number Publication date
CN114143016A (en) 2022-03-04

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 07/07/2023)

122 Ep: pct application non-entry in european phase

Ref document number: 21855241

Country of ref document: EP

Kind code of ref document: A1