WO2022042417A1 - Authentication method, apparatus and system - Google Patents

Authentication method, apparatus and system

Info

Publication number
WO2022042417A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
terminal device
network element
blockchain system
identifier
Prior art date
Application number
PCT/CN2021/113523
Other languages
English (en)
Chinese (zh)
Inventor
张艳平
洪佳楠
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2022042417A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/006 Cryptographic mechanisms or cryptographic arrangements involving public key infrastructure [PKI] trust models
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key or password length, or different strong and weak cryptographic algorithms
    • H04L 9/14 Cryptographic mechanisms or cryptographic arrangements using a plurality of keys or algorithms

Definitions

  • the present application relates to the field of communication technologies, and in particular, to an authentication method, device and system.
  • AKMA: authentication and key management for applications, i.e. application-layer authentication and key management that reuses the 3GPP credentials and primary authentication of the terminal device.
  • In the AKMA architecture, the AKMA authentication function (AAuF) network element sits between the authentication server function (AUSF) network element and the AKMA application function (AApF) network element. (AAuF and AApF are the names used in the 3GPP study phase; the normative specification, 3GPP TS 33.535, calls the corresponding functions the AKMA anchor function (AAnF) and the application function (AF).)
  • The AApF network element locates the AUSF network element through the AAuF network element.
  • When the terminal device accesses the mobile network and primary authentication between it and the AUSF network element succeeds, the AUSF network element and the terminal device each derive a shared key; from that key a further key is derived for secure communication between the terminal device and the AApF network element.
  • The AApF network element obtains the key for secure communication with the terminal device from the AUSF network element and uses it when the terminal device accesses a third-party application. In other words, the AKMA architecture reuses the mobile network's authentication of the terminal device: the only authentication procedure needed to establish secure application-layer communication is the one performed when the terminal device attaches to the mobile network.
  • Because each network (including each private network) runs its own AAuF, an application-side AApF network element must be configured with the interface and interface address of the AAuF network element in every network it serves, and must add or delete such entries whenever a private network is deployed or withdrawn. This clearly increases the implementation complexity of third-party applications.
  • the embodiments of the present application provide an authentication method, device, and system, which can simplify the configuration of third-party applications.
  • In a first aspect, an authentication method comprises: a blockchain system receives a first message from an application server, the first message including a first identifier and a parameter and/or message encrypted by the terminal device with a first key; the blockchain system determines the user context of the terminal device from the first identifier; and, from that user context and the encrypted parameter and/or message, the blockchain system verifies the legitimacy of the terminal device on behalf of the third-party application corresponding to the application server.
  • Because the blockchain system verifies legitimacy for the third-party application, an illegitimate access attempt can be terminated early. This avoids the resource consumption and signalling waste of continuing the subsequent procedure for a device that should not be accessing the application (for example, continuing to provide a security key for communication between the application server of the third-party application and the terminal device).
  • In the existing approach, application-side AApF network elements must be configured one by one with the interfaces and interface addresses of the AAuF network elements in different networks. By contrast, the blockchain system provides a unified cross-domain authentication interface: the application server interacts with the blockchain system through this single interface and performs security operations through it (such as verifying the legitimacy of terminal devices for third-party applications). This simplifies the configuration of third-party applications, avoids one-by-one negotiation between the third-party application party and each operator together with the deployment of network elements and route planning that such negotiation entails, and improves the efficiency of the third-party application party.
  • Optionally, the user context of the terminal device includes the first key, and determining the user context from the first identifier includes determining the first key from the first identifier.
  • Optionally, verifying the legitimacy of the terminal device comprises: the blockchain system decrypts, with the first key, the parameter and/or message that the terminal device encrypted with the first key; if the decrypted parameter conforms to the parameter format or value pre-configured for interaction between the terminal device and the blockchain system, and/or the decrypted message conforms to the pre-configured message format for that interaction, the blockchain system determines that the terminal device is legitimate. A decryption failure or a format mismatch means the check fails. Legitimacy verification of the terminal device is realised in this way.
  • The first identifier includes at least one of the global blockchain identifier of the terminal device or the key identifier (KID) corresponding to the second key, the second key being the key generated after successful authentication between the terminal device and the authentication service function network element.
  • The first key is derived from the second key, the second key being the key generated after successful authentication between the terminal device and the authentication service function network element.
  • Optionally, after the blockchain system has verified that the terminal device is legitimate, it obtains a third key, which is the key for secure communication between the terminal device and the application server, and sends the third key to the application server. The security parameters for communication between the application server and the terminal device are thus obtained through the blockchain system, enabling secure communication between them.
  • Compared with the existing approach, in which application-side AApF network elements are configured one by one with the interfaces and addresses of AAuF network elements in different networks, the blockchain system here provides a unified cross-domain authentication interface through which the application server obtains these security parameters, with the same simplification of third-party application configuration and the same avoidance of per-operator negotiation, network-element deployment and route planning.
  • Optionally, the user context of the terminal device includes the first key, and the blockchain system obtains the third key by generating it itself, with the first key among the input parameters. In this embodiment the blockchain system both verifies the legitimacy of the terminal device for the third-party application and supplies the security parameters for the communication between the application server and the terminal device.
  • Alternatively, the blockchain system obtains the third key by sending a second message containing the first identifier to the authentication service function network element; the first identifier determines the user context of the terminal device, which includes the first key or the second key (the second key being generated after successful authentication between the terminal device and the authentication service function network element). The blockchain system then receives the third key from the authentication service function network element, the input parameters for generating it including the first key or the second key. In this variant the blockchain system still verifies legitimacy for the third-party application, while the security parameters are generated by the network and relayed through the blockchain system.
  • Optionally, the input parameters for generating the third key further include a second identifier and/or the decrypted parameter, where the second identifier is the application identifier of the third-party application and the decrypted parameter is obtained by decrypting, with the first key, the parameter that the terminal device encrypted with the first key.
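The legitimacy check of the first aspect and the third-key derivation that follows it, as an added worked example in Python (constructed for this page; it is not code from the patent or from Huawei). The HMAC-SHA256 key-derivation function, the HMAC-based authenticated stream cipher standing in for whatever cipher protects the parameter, the b"BCAUTH" parameter tag and the 16-byte nonce are all assumptions; the patent requires only that the decrypted parameter match a pre-configured format or value. The example runs the blockchain-system side against a legitimate terminal, against a party that does not hold the first key, and against a key holder that sends a malformed parameter.

```python
"""Added example (not from the patent): blockchain-system side of the first aspect.
Assumed: HMAC-SHA256 as KDF, an HMAC-based authenticated stream cipher for the
parameter, and a parameter format of b"BCAUTH" || 16-byte terminal-chosen nonce."""
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple


def kdf(key: bytes, label: bytes, *inputs: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA256 over a label and length-prefixed inputs."""
    mac = hmac.new(key, label, hashlib.sha256)
    for part in inputs:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with sub-keys split off the first key; returns iv || ct || tag."""
    iv = os.urandom(12)
    ks = _keystream(kdf(key, b"enc"), iv, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(kdf(key, b"mac"), iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Plaintext, or None when the tag does not verify (wrong key or tampering)."""
    if len(blob) < 12 + 32:
        return None
    iv, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(kdf(key, b"mac"), iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(kdf(key, b"enc"), iv, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


PARAM_TAG = b"BCAUTH"   # assumed pre-configured parameter format: tag || nonce
NONCE_LEN = 16


def parse_parameter(decrypted: bytes) -> Optional[bytes]:
    """Return the nonce if the decrypted parameter has the agreed format, else None."""
    if len(decrypted) != len(PARAM_TAG) + NONCE_LEN or not decrypted.startswith(PARAM_TAG):
        return None
    return decrypted[len(PARAM_TAG):]


class BlockchainSystem:
    def __init__(self):
        self.contexts = {}   # first identifier -> user context

    def store_context(self, first_id: str, first_key: bytes) -> None:
        self.contexts[first_id] = {"first_key": first_key}

    def handle_first_message(self, first_id: str, app_id: bytes,
                             enc_param: bytes) -> Tuple[str, Optional[bytes]]:
        """Verify the terminal for the application, then derive the third key."""
        ctx = self.contexts.get(first_id)
        if ctx is None:
            return "unknown-identifier", None
        decrypted = decrypt(ctx["first_key"], enc_param)
        if decrypted is None:
            return "decrypt-failed", None      # sender does not hold the first key
        nonce = parse_parameter(decrypted)
        if nonce is None:
            return "bad-format", None          # holds the key but not the agreed format
        return "ok", kdf(ctx["first_key"], b"third-key", app_id, nonce)


def terminal_side(first_key: bytes, app_id: bytes) -> Tuple[bytes, bytes]:
    """Terminal: pick a nonce, encrypt it with the first key, derive the third key locally."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return encrypt(first_key, PARAM_TAG + nonce), kdf(first_key, b"third-key", app_id, nonce)


def demo() -> dict:
    second_key = kdf(b"constructed-post-authentication-key", b"second-key")  # K2 (constructed)
    first_key = kdf(second_key, b"first-key")                                # K1 derived from K2
    bc = BlockchainSystem()
    bc.store_context("kid-0001", first_key)
    app_id = b"app.example"
    enc_param, ue_k3 = terminal_side(first_key, app_id)
    verdict, bc_k3 = bc.handle_first_message("kid-0001", app_id, enc_param)
    rogue_param, _ = terminal_side(kdf(b"rogue", b"first-key"), app_id)   # no real K1
    rogue_verdict, _ = bc.handle_first_message("kid-0001", app_id, rogue_param)
    bad_verdict, _ = bc.handle_first_message(
        "kid-0001", app_id, encrypt(first_key, b"wrong-format"))
    return {"verdict": verdict, "keys_match": ue_k3 == bc_k3,
            "rogue": rogue_verdict, "bad_format": bad_verdict}


if __name__ == "__main__":
    print(demo())
```

The two failure branches are the point of the check described above: a party without the first key cannot produce a parameter whose tag verifies, and a party that holds the key but ignores the pre-configured format is rejected before any third key is issued. Because the nonce is an input to the third key, both sides derive a fresh key per access without an additional exchange.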
  • Optionally, the authentication method further includes: the blockchain system receives a third message from the authentication service function network element requesting that the first key, the first identifier and the address of the authentication service function network element be stored in the user context of the terminal device; the blockchain system stores the first key, the first identifier and the address of the authentication service function network element in that user context.
  • In this way the authentication service function network element sends the blockchain system the information the application server needs in order to perform security operations through the blockchain system (such as the first key, the first identifier and the address of the authentication service function network element), so that application servers can subsequently perform those operations through the blockchain system.
  • As in the first aspect, the blockchain system thereby provides a unified cross-domain authentication interface, which simplifies the configuration of third-party applications, avoids one-by-one negotiation between the third-party application party and each operator and the associated deployment of network elements and route planning, and improves the efficiency of the third-party application party.
  • Storing the address of the authentication service function network element in the user context of the terminal device lets the blockchain system read that address directly from the user context whenever it later needs to interact with the authentication service function network element, which simplifies the blockchain system's processing logic.
  • Alternatively, the third message from the authentication service function network element requests that only the first key and the first identifier be stored in the user context of the terminal device, and the blockchain system stores the first key and the first identifier in that user context. The authentication service function network element thus sends the blockchain system the information (the first key and the first identifier) that the application server needs to perform security operations through the blockchain system, with the same unified cross-domain authentication interface and the same simplification for third-party applications as above.
  • In a second aspect, an authentication method comprises: an authentication service function network element obtains indication information indicating that security operations are to be performed through a blockchain system; according to the indication information, it sends the blockchain system a third message that includes first information and requests that the first information be stored in the user context of the terminal device, the first information being the information the application server requires in order to perform security operations through the blockchain system.
  • The authentication service function network element thus supplies the blockchain system with what the application server needs, so that the blockchain system can offer a unified cross-domain authentication interface through which application servers perform security operations. This simplifies the configuration of third-party applications, avoids one-by-one negotiation between the third-party application party and each operator and the associated deployment of network elements and route planning, and improves the efficiency of the third-party application party.
  • Optionally, the first information includes a first identifier and the address of the authentication service function network element, the first identifier being used to determine the user context of the terminal device.
  • With the address of the authentication service function network element stored in the user context, the blockchain system can obtain that address from the user context whenever it later interacts with the authentication service function network element, which simplifies its processing logic.
  • Optionally, the first information includes the first identifier and the first key, the first key being derived from the second key, which is the key generated after successful authentication between the terminal device and the authentication service function network element.
  • Optionally, the first information includes the first identifier, the first key and the address of the authentication service function network element; storing the address in the user context again lets the blockchain system retrieve it directly when it later interacts with the authentication service function network element.
  • the first identifier includes at least one of a global blockchain identifier of the terminal device or a key identifier KID corresponding to the second key.
  • The authentication service function network element obtains the indication information either from the terminal device or from the unified data management (UDM) network element.
  • Optionally, the method further includes: the authentication service function network element receives a second message from the blockchain system containing the first identifier; it determines the user context of the terminal device from the first identifier, the user context including the first key or the second key (the first key being derived from the second key, and the second key being generated after successful authentication between the terminal device and the authentication service function network element); it generates a third key, the key for secure communication between the terminal device and the application server, with input parameters including the first key or the second key; and it sends the third key to the blockchain system.
  • In this variant the authentication service function network element generates the security parameter (the third key) for communication between the application server and the terminal device, and the application server obtains it through the blockchain system.
  • Optionally, the second message further includes a second identifier and/or a parameter encrypted by the terminal device with the first key, the second identifier being the application identifier of the third-party application corresponding to the application server; the input parameters for generating the third key then also include the second identifier and/or the decrypted parameter, i.e. the result of decrypting with the first key the parameter the terminal device encrypted with the first key. The decrypted parameter may be, for example, a random number chosen by the terminal device; because it is random, a third key derived from it is fresh for each access and harder for an attacker to predict or replay, which further protects the communication between the terminal device and the application server.
  • Optionally, the second message further includes the parameter and/or message encrypted by the terminal device with the first key, and before generating the third key the authentication service function network element verifies the legitimacy of the terminal device for the third-party application corresponding to the application server, based on the user context of the terminal device and the encrypted parameter and/or message. An illegitimate access attempt can then be terminated early, avoiding the resource consumption and signalling waste of continuing the procedure (such as providing a security key for communication between the application server and the terminal device) for a device that should not be accessing the application.
  • Optionally, the user context of the terminal device includes the first key, and the verification comprises: the authentication service function network element decrypts, with the first key, the parameter and/or message the terminal device encrypted with the first key; if the decrypted parameter conforms to the parameter format or value pre-configured for interaction between the terminal device and the authentication service function network element, and/or the decrypted message conforms to the pre-configured message format for that interaction, the authentication service function network element determines that the terminal device is legitimate. Legitimacy verification of the terminal device is realised in this way.
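The registration and delegation flow of the second aspect, as an added example in Python (constructed for this page; it is not code from the patent or from Huawei). Two operator AUSFs register user contexts with one blockchain system, one sharing the first key and the other only the first identifier and its own address, and a single application server endpoint obtains the third key through the same interface in both cases. HMAC-SHA256 as the KDF, the message field names, the constructed AUSF addresses and the in-memory address table standing in for routing to the stored AUSF address are assumptions. The encrypted parameter and the legitimacy check are left out here to keep the focus on where the third key is derived and how the blockchain system finds the right AUSF.

```python
"""Added example (not from the patent): AUSF registers a user context with the blockchain
system (third message); the blockchain system later serves an application server's first
message either locally (first key stored) or by delegating (second message) to the AUSF
found at the stored address. KDF, field names and address table are assumptions."""
import hashlib
import hmac


def kdf(key: bytes, label: bytes, *inputs: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA256 over a label and length-prefixed inputs."""
    mac = hmac.new(key, label, hashlib.sha256)
    for part in inputs:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()


class BlockchainSystem:
    """User contexts keyed by first identifier; reaches AUSFs by their stored address."""

    def __init__(self):
        self.contexts = {}
        self.ausf_by_address = {}      # stands in for network routing to an AUSF address

    def register_ausf(self, ausf) -> None:
        self.ausf_by_address[ausf.address] = ausf

    def handle_third_message(self, first_info: dict) -> None:
        # third message: store the first information in the terminal's user context
        self.contexts[first_info["first_id"]] = dict(first_info)

    def handle_first_message(self, first_id: str, app_id: bytes):
        """First message from the application server; returns (status, third key)."""
        ctx = self.contexts.get(first_id)
        if ctx is None:
            return "unknown-identifier", None
        if "first_key" in ctx:                                   # variant: K1 was stored
            return "ok-local", kdf(ctx["first_key"], b"third-key", app_id)
        ausf = self.ausf_by_address.get(ctx["ausf_address"])    # variant: only id + address
        if ausf is None:
            return "ausf-unreachable", None
        third_key = ausf.handle_second_message(first_id, app_id)
        if third_key is None:
            return "ausf-no-context", None
        return "ok-delegated", third_key


class AUSF:
    """Authentication server function of one operator network."""

    def __init__(self, address: str, bc: BlockchainSystem):
        self.address, self.bc, self.contexts = address, bc, {}
        bc.register_ausf(self)

    def on_primary_auth_success(self, first_id: str, second_key: bytes,
                                indication: bool, share_first_key: bool):
        """Keep K2; if the indication information says so, send the third message."""
        self.contexts[first_id] = {"second_key": second_key}
        if not indication:             # indication comes from the terminal or the UDM
            return None
        first_info = {"first_id": first_id, "ausf_address": self.address}
        if share_first_key:
            first_info["first_key"] = kdf(second_key, b"first-key")   # K1 from K2
        self.bc.handle_third_message(first_info)
        return first_info

    def handle_second_message(self, first_id: str, app_id: bytes):
        """Second message from the blockchain system: derive K3 from K1 (itself from K2)."""
        ctx = self.contexts.get(first_id)
        if ctx is None:
            return None
        return kdf(kdf(ctx["second_key"], b"first-key"), b"third-key", app_id)


def terminal_third_key(second_key: bytes, app_id: bytes) -> bytes:
    """What the terminal device computes on its own from K2 and the application identifier."""
    return kdf(kdf(second_key, b"first-key"), b"third-key", app_id)


def demo() -> dict:
    bc = BlockchainSystem()
    ausf_a = AUSF("ausf.operator-a.example", bc)   # constructed addresses
    ausf_b = AUSF("ausf.operator-b.example", bc)
    k2_a = kdf(b"constructed-K2-for-ue-in-A", b"second-key")
    k2_b = kdf(b"constructed-K2-for-ue-in-B", b"second-key")
    ausf_a.on_primary_auth_success("kid-a-001", k2_a, indication=True, share_first_key=True)
    ausf_b.on_primary_auth_success("kid-b-001", k2_b, indication=True, share_first_key=False)
    app_id = b"app.example"
    # the application server addresses the blockchain system only, whatever network the UE is in
    status_a, k3_a = bc.handle_first_message("kid-a-001", app_id)
    status_b, k3_b = bc.handle_first_message("kid-b-001", app_id)
    status_x, _ = bc.handle_first_message("kid-unknown", app_id)
    return {"operator_a": status_a, "operator_b": status_b, "unknown": status_x,
            "keys_match": k3_a == terminal_third_key(k2_a, app_id)
            and k3_b == terminal_third_key(k2_b, app_id)}


if __name__ == "__main__":
    print(demo())
```

The application server never learns which operator serves the terminal or where that operator's AUSF is; the first identifier alone selects the context, and the stored address tells the blockchain system where to delegate when it does not hold the first key itself. An identifier that was never registered is rejected before any network element is contacted.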
  • performing the security operation through the blockchain system includes obtaining security parameters of the communication between the application server and the terminal device through the blockchain system.
  • performing the security operation through the blockchain system further includes verifying the legitimacy of the terminal device for a third-party application corresponding to the application server through the blockchain system.
  • In a third aspect, an authentication method comprises: the blockchain system receives a first message from an application server, the first message including a first identifier; the blockchain system determines the user context of the terminal device from the first identifier, the user context including a first key; and the blockchain system generates a third key, the key for secure communication between the terminal device and the application server, with input parameters including the first key.
  • As in the first aspect, the blockchain system thereby provides a unified cross-domain authentication interface through which the application server obtains the security parameters for its communication with the terminal device, instead of application-side AApF network elements being configured one by one with the interfaces and addresses of AAuF network elements in different networks. This simplifies the configuration of third-party applications, avoids one-by-one negotiation with each operator and the associated deployment of network elements and route planning, and improves the efficiency of the third-party application party.
  • The first key is derived from the second key, the second key being the key generated after successful authentication between the terminal device and the authentication service function network element.
  • Optionally, the first message further includes a second identifier and/or a parameter encrypted by the terminal device with the first key, the second identifier being the application identifier of the third-party application corresponding to the application server; the input parameters for generating the third key then also include the second identifier and/or the decrypted parameter, i.e. the result of decrypting with the first key the parameter the terminal device encrypted with the first key. The decrypted parameter may be, for example, a random number chosen by the terminal device; because it is random, a third key derived from it is fresh for each access and harder for an attacker to predict or replay, which further protects the communication between the terminal device and the application server.
  • Optionally, the method further includes: the blockchain system receives a third message from the authentication service function network element requesting that the first key and the first identifier be stored in the user context of the terminal device, and stores them there. The authentication service function network element thus supplies the blockchain system with the information (the first key and the first identifier) the application server needs to perform security operations through the blockchain system, with the same unified cross-domain authentication interface and the same simplification for third-party applications as in the first aspect.
  • In a fourth aspect, an authentication method comprises: an authentication service function network element receives a second message from a blockchain system, the second message including a first identifier; it determines the user context of the terminal device from the first identifier, the user context including the first key or the second key (the first key being derived from the second key, and the second key being the key generated after successful authentication between the terminal device and the authentication service function network element); and it generates a third key, the key for secure communication between the terminal device and the application server, with input parameters including the first key or the second key, and returns it to the blockchain system.
  • As in the first aspect, the application server obtains the security parameters for its communication with the terminal device through the blockchain system's unified cross-domain authentication interface, instead of application-side AApF network elements being configured one by one with the interfaces and addresses of AAuF network elements in different networks. This simplifies the configuration of third-party applications, avoids one-by-one negotiation with each operator and the associated deployment of network elements and route planning, and improves the efficiency of the third-party application party.
  • Optionally, the second message further includes a second identifier and/or a parameter encrypted by the terminal device with the first key, the second identifier being the application identifier of the third-party application corresponding to the application server; the input parameters for generating the third key then also include the second identifier and/or the decrypted parameter, i.e. the result of decrypting with the first key the parameter the terminal device encrypted with the first key. The decrypted parameter may be, for example, a random number chosen by the terminal device; because it is random, a third key derived from it is fresh for each access and harder for an attacker to predict or replay, which further protects the communication between the terminal device and the application server.
  • Optionally, the second message further includes the parameter and/or message encrypted by the terminal device with the first key, and before generating the third key the authentication service function network element verifies the legitimacy of the terminal device for the third-party application corresponding to the application server, based on the user context of the terminal device and the encrypted parameter and/or message. An illegitimate access attempt can then be terminated early, avoiding the resource consumption and signalling waste of continuing the procedure (such as providing a security key for communication between the application server and the terminal device) for a device that should not be accessing the application.
  • the user context of the terminal device includes the first key; verifying, by the authentication service function network element, the legitimacy of the terminal device for the third-party application corresponding to the application server according to the user context of the terminal device and the parameters and/or messages encrypted by the terminal device using the first key includes: the authentication service function network element uses the first key to decrypt the parameters and/or messages encrypted by the terminal device using the first key, and obtains the decrypted parameters and/or messages.
  • if the decrypted parameters conform to the pre-configured parameter format or value used for interaction between the terminal device and the authentication service function network element, and/or the decrypted message conforms to the pre-configured message format used for interaction between the terminal device and the authentication service function network element, the authentication service function network element determines that the terminal device is legal. Based on this solution, the legal authentication of the terminal device can be realized.
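The legality check and third-key derivation described in the bullets above (decrypting parameters and a message with the first key, checking them against a pre-configured format, then deriving a third key from the first key and the terminal's random number) as an added, runnable simulation. This is example code, not code from the patent or from Huawei. The patent names no cipher, key sizes, format rules or identifier type, so all of those are assumptions here: the first key is 32 bytes held in a user context looked up by the first identifier, the encrypted parameter is a 16-byte random number, the message is a fixed constructed tag, encryption is an HMAC-SHA256 keystream with an HMAC-SHA256 tag (encrypt-then-MAC) standing in for whatever cipher a deployment would use, and the third key comes from HKDF-SHA256 (RFC 5869). The `store_user_context` step also models the user-context storage that the later communication-system aspects describe.

```python
"""Added example (not the patent's code): terminal-legality check and third-key derivation.
Assumptions (none are from the patent): K1 is 32 bytes kept in a user context looked up by
the first identifier; the encrypted parameter is a 16-byte random number RAND; the encrypted
message is a fixed constructed tag; the cipher is a stand-in HMAC-SHA256 keystream with an
HMAC-SHA256 tag (encrypt-then-MAC); K3 = HKDF-SHA256(K1, salt=RAND, info="third key")."""
import hashlib
import hmac
import secrets

NONCE_LEN = 12
TAG_LEN = 32
EXPECTED_MESSAGE = b"BC-APP-ACCESS"  # constructed pre-configured message format


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 extract-then-expand with SHA-256 (empty salt -> HashLen zero bytes)."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """PRF keystream: concatenated HMAC-SHA256(key, nonce || 32-bit counter) blocks."""
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]


def _subkeys(k1: bytes):
    """Separate encryption and MAC keys derived from the first key."""
    return hkdf_sha256(k1, b"", b"enc"), hkdf_sha256(k1, b"", b"mac")


def encrypt_with_first_key(k1: bytes, plaintext: bytes) -> bytes:
    """Terminal side: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(k1)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_with_first_key(k1: bytes, blob: bytes):
    """Network side: returns the plaintext, or None if the tag does not verify."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(k1)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


def derive_third_key(k1: bytes, rand: bytes) -> bytes:
    """K3 for terminal <-> application server traffic; both sides compute it locally."""
    return hkdf_sha256(k1, rand, b"third key")


class AuthServiceFunction:
    """Stores user contexts by first identifier and performs the legality check."""

    def __init__(self):
        self._contexts = {}

    def store_user_context(self, first_identifier: str, first_key: bytes) -> None:
        self._contexts[first_identifier] = {"first_key": first_key}

    def verify_terminal(self, first_identifier: str, enc_params: bytes, enc_message: bytes):
        """Returns (is_legal, third_key); any failed check ends the access with no key."""
        ctx = self._contexts.get(first_identifier)
        if ctx is None:                          # no user context for this identifier
            return False, None
        k1 = ctx["first_key"]
        params = decrypt_with_first_key(k1, enc_params)
        message = decrypt_with_first_key(k1, enc_message)
        if params is None or len(params) != 16:  # parameter format check
            return False, None
        if message != EXPECTED_MESSAGE:          # message format check
            return False, None
        return True, derive_third_key(k1, params)


def terminal_access_request(k1: bytes):
    """Terminal side: choose RAND and encrypt it and the fixed message under K1."""
    rand = secrets.token_bytes(16)
    return rand, encrypt_with_first_key(k1, rand), encrypt_with_first_key(k1, EXPECTED_MESSAGE)


def run_demo():
    """End-to-end run: returns (terminal_is_legal, both_sides_agree_on_k3)."""
    k1 = secrets.token_bytes(32)
    ausf = AuthServiceFunction()
    ausf.store_user_context("constructed-id-1", k1)
    rand, enc_params, enc_msg = terminal_access_request(k1)
    legal, k3 = ausf.verify_terminal("constructed-id-1", enc_params, enc_msg)
    return legal, k3 == derive_third_key(k1, rand)
```

Two things worth noticing: a tag mismatch (ciphertext tampered or encrypted under a different key) and a format mismatch both return `False` before any third key is derived, which is the early termination the text describes; and because the terminal and the network each derive K3 locally from K1 and RAND, the third key itself is never sent over the interface.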
  • a communication device for implementing the above method.
  • the communication device may be one or more blockchain devices in the blockchain system in the first aspect or the third aspect, or a device including the blockchain system; or, the communication device may be the second blockchain system described above.
  • the communication device includes corresponding modules, units, or means (means) for implementing the above method, and the modules, units, or means may be implemented by hardware, software, or hardware executing corresponding software.
  • the hardware or software includes one or more modules or units corresponding to the above functions.
  • a communication device comprising: a processor and a memory; the memory is used for storing computer instructions, and when the processor executes the instructions, the communication device executes the method described in any one of the above aspects.
  • the communication device may be one or more blockchain devices in the blockchain system in the first aspect or the third aspect, or a device including the blockchain system; or, the communication device may be the second blockchain system described above.
  • a communication device comprising: a processor; the processor is configured to be coupled to a memory, and after reading an instruction in the memory, execute the method according to any one of the preceding aspects according to the instruction.
  • the communication device may be one or more blockchain devices in the blockchain system in the first aspect or the third aspect, or a device including the blockchain system; or, the communication device may be the second blockchain system described above.
  • a communication device comprising: a processor and an interface circuit; the interface circuit is used to receive a computer program or instruction and transmit it to the processor; the processor is used to execute the computer program or instruction to enable the communication device to perform the method described in any one of the above aspects.
  • the communication device may be one or more blockchain devices in the blockchain system in the first aspect or the third aspect, or a device including the blockchain system; or, the communication device may be the second blockchain system described above.
  • a computer-readable storage medium is provided, and instructions are stored in the computer-readable storage medium, when the computer-readable storage medium runs on a computer, the computer can execute the method described in any one of the above aspects.
  • a computer program product comprising instructions which, when run on a computer, enable the computer to perform the method of any of the preceding aspects.
  • a communication apparatus is provided; for example, the communication apparatus may be a chip or a chip system.
  • the communication apparatus includes a processor for implementing the functions involved in any of the above aspects.
  • the communication device further includes a memory for storing necessary program instructions and data.
  • when the communication device is a chip system, it may be constituted by a chip, or may include a chip and other discrete devices.
  • a twelfth aspect provides a communication system, the communication system includes a blockchain system and an application server; the application server is configured to send a first message to the blockchain system, where the first message includes a first identifier and the parameters and/or messages encrypted by the terminal device using the first key; the blockchain system is used to receive the first message from the application server, and after determining the user context of the terminal device according to the first identifier, verify the legitimacy of the terminal device for a third-party application corresponding to the application server according to the user context of the terminal device and the parameters and/or messages encrypted by the terminal device using the first key.
  • the twelfth aspect reference may be made to the above-mentioned first aspect, which is not repeated here.
  • a thirteenth aspect provides a communication system, the communication system includes a blockchain system and an application server; the application server is configured to send a first message to the blockchain system, where the first message includes a first identifier; the blockchain system is used to receive the first message from the application server, and after determining the user context of the terminal device according to the first identifier, generate a third key, where the third key is used for the secure communication between the terminal device and the application server.
  • the user context of the terminal device includes the first key, and the input parameter for generating the third key includes the first key.
  • a communication system in a fourteenth aspect includes an authentication service function network element and a blockchain system; the authentication service function network element is used to obtain indication information indicating that a security operation is performed through the blockchain system.
  • the authentication service function network element is further configured to send a third message to the blockchain system according to the indication information, where the third message includes the first information and is used to request to store the first information in the user context of the terminal device, where the first information is the information required by the application server to perform secure operations through the blockchain system.
  • the blockchain system is used for receiving the third message from the authentication service function network element, and storing the first information in the user context of the terminal device.
  • FIG. 1 is a schematic diagram of the existing AKMA architecture.
  • FIG. 2 is a schematic structural diagram of a communication system provided by an embodiment of the present application.
  • FIG. 3 is a schematic structural diagram of another communication system provided by an embodiment of the present application.
  • FIG. 4 is a schematic diagram of the architecture of a 5G network provided by an embodiment of the present application.
  • FIG. 5 is a schematic structural diagram of a communication device provided by an embodiment of the present application.
  • FIG. 6 is a first interactive schematic diagram of an authentication method provided by an embodiment of the present application.
  • FIG. 7 is a second interactive schematic diagram of an authentication method provided by an embodiment of the present application.
  • FIG. 8 is a third interactive schematic diagram of an authentication method provided by an embodiment of the present application.
  • FIG. 9 is a first schematic flowchart of an authentication method provided by an embodiment of the present application.
  • FIG. 10 is a second schematic flowchart of an authentication method provided by an embodiment of the present application.
  • FIG. 11 is a third schematic flowchart of an authentication method provided by an embodiment of the present application.
  • FIG. 12 is a fourth schematic flowchart of an authentication method provided by an embodiment of the present application.
  • FIG. 13 is a schematic structural diagram of a communication apparatus provided by an embodiment of the present application.
  • Blockchain technology, also known as distributed ledger technology, is an emerging technology in which several computing devices jointly participate in "bookkeeping" (ie, record transaction data) and jointly maintain a complete distributed database. Because blockchain technology is decentralized (that is, has no central node), open and transparent, every computing device can participate in database records, and data synchronization between computing devices can be performed quickly, blockchain technology has been widely used in many fields.
  • the blockchain can be divided into: public chain and alliance chain according to the deployment method.
  • a public chain refers to a blockchain that can be read by any device in the world, or a blockchain in which any device can participate in the consensus verification process of transactions.
  • Consortium chains, also known as consortium blockchains, refer to a consortium formed by participating members of a designated blockchain, in which the business transaction information between members is recorded in the blockchain, which limits the scale of use and authority.
  • the blockchain system in the embodiments of the present application may also be referred to as a blockchain for short.
  • the blockchain system includes one or more blockchain devices, such as blockchain security processing modules.
  • the blockchain security processing module in the embodiment of the present application may be, for example, a blockchain smart contract module, and the blockchain smart contract module is a smart contract module in the blockchain system that processes the security operations of users accessing third-party applications, which is described here uniformly and will not be repeated below.
  • "At least one of the following items" or similar expressions refer to any combination of these items, including any combination of a single item or plural items.
  • at least one of a, b, or c may represent: a, b, c, ab, ac, bc, or abc, where each of a, b, and c may be single or multiple.
  • words such as "first" and "second" are used to distinguish the same items or similar items that have basically the same function and effect.
  • the words "first", "second" and the like do not limit the quantity and execution order, and the items they qualify are not necessarily different.
  • words such as "exemplary" or "for example" are used to represent examples, illustrations or explanations. Any embodiment or design described in the embodiments of the present application as "exemplary" or "for example" should not be construed as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "for example" is intended to present the related concepts in a specific manner to facilitate understanding.
  • the network architecture and service scenarios described in the embodiments of the present application are for the purpose of illustrating the technical solutions of the embodiments of the present application more clearly, and do not constitute limitations on the technical solutions provided by the embodiments of the present application.
  • the technical solutions provided in the embodiments of the present application are also applicable to similar technical problems.
  • a communication system 20 is provided in an embodiment of the present application.
  • the communication system 20 includes a blockchain system 201 and an application server 202 .
  • the blockchain system 201 and the application server 202 may communicate directly or communicate through the forwarding of other devices, which is not specifically limited in this embodiment of the present application.
  • the application server 202 may interact with the blockchain system 201 through a newly added blockchain handling function (BCHF) network element in the current 5G communication system, which is not specifically limited in this embodiment of the present application.
  • the BCHF network element in the embodiment of the present application can act as an intermediary agent between the application server 202 and the blockchain system 201 when the application server 202 does not have the blockchain processing function (which can also be understood as not supporting blockchain-related operations), and interacts with the blockchain system 201 on behalf of the application server 202.
  • the BCHF network element is responsible for publishing network processing information as transactions to the blockchain system, and at the same time publishing network-related information from the blockchain system to the network.
  • the functions of the BCHF network element include but are not limited to one or more of: publishing transactions, recording blocks, or executing smart contracts.
  • the BCHF network element in the embodiment of the present application can also act as an agent between another network element and the blockchain system when that network element does not have the blockchain processing function, and interact with the blockchain system on behalf of that network element.
  • the BCHF network element can act as a proxy between the authentication service function network element 301 and the blockchain system 302 when the authentication service function network element 301 does not have the blockchain processing function, and interact with the blockchain system 302 on behalf of the authentication service function network element 301; this is described in a unified manner here and will not be repeated below.
  • the application server 202 is configured to send a first message to the blockchain system 201, where the first message includes the first identifier and the parameters and/or messages encrypted by the terminal device using the first key.
  • the blockchain system 201 is used for receiving the first message from the application server 202, and after determining the user context of the terminal device according to the first identifier, verifying the legitimacy of the terminal device for the third-party application corresponding to the application server 202 according to the user context of the terminal device and the parameters and/or messages encrypted by the terminal device using the first key.
  • the blockchain system verifies the legality of the terminal device for the third-party application, so that when the terminal device's access to the third-party application is illegal, the access process can be terminated in time, preventing the resource consumption and signaling waste caused by continuing to execute the subsequent process (eg, continuing to provide a security key for the communication between the application server corresponding to the third-party application and the terminal device).
  • in the existing AKMA architecture, the application side AApF network elements need to configure the interfaces and interface addresses with the AAuF network elements in different networks one by one.
  • because the blockchain system in the embodiment of the present application can provide a unified cross-domain authentication interface, the application server can interact with the blockchain system through this interface and perform secure operations through the blockchain system (such as verifying the legitimacy of terminal devices for third-party applications), which not only simplifies the configuration of third-party applications, but also avoids the problem of the third-party application party negotiating with each operator one by one and deploying network elements to plan routes, and thus improves the efficiency of the third-party application party.
  • the application server 202 is configured to send a first message to the blockchain system 201 , where the first message includes the first identifier.
  • the blockchain system 201 is used to receive the first message from the application server 202, and after determining the user context of the terminal device according to the first identifier, generate a third key, where the third key is used as a key for secure communication between the terminal device and the application server.
  • the user context of the terminal device includes the first key.
  • the input parameter for generating the third key includes the first key.
  • in the existing AKMA architecture, the application side AApF network elements need to configure the interfaces and interface addresses with the AAuF network elements in different networks one by one. Because the blockchain system in the embodiment of the present application can provide a unified cross-domain authentication interface, the application server can interact with the blockchain system through this interface and perform secure operations through the blockchain system (such as verifying the legitimacy of the terminal device for third-party applications), which not only simplifies the configuration of third-party applications, but also avoids the problem of the third-party application party negotiating with each operator one by one and deploying network elements to plan routes, and thus improves the efficiency of the third-party application party.
  • a communication system 30 is provided in an embodiment of the present application.
  • the communication system 30 includes an authentication service function network element 301 and a blockchain system 302 .
  • the authentication service function network element 301 and the blockchain system 302 may communicate directly or communicate through the forwarding of other devices, which is not specifically limited in this embodiment of the present application.
  • the authentication service function network element 301 may interact with the blockchain system 302 through the newly added BCHF network element in the current 5G communication system, which is not specifically limited in this embodiment of the present application.
  • the authentication service function network element 301 is used to obtain indication information, where the indication information indicates that the security operation is performed through the blockchain system.
  • the authentication service function network element 301 is further configured to send a third message to the blockchain system 302 according to the indication information, where the third message includes the first information and is used to request that the first information be stored in the user context of the terminal device, wherein, the first information is the information required by the application server to perform a secure operation through the blockchain system 302 .
  • the blockchain system 302 is configured to receive the third message from the authentication service function network element 301, and store the first information in the user context of the terminal device.
  • performing the security operation through the blockchain system 302 includes obtaining the security parameters of the communication between the application server and the terminal device through the blockchain system 302 .
  • performing the security operation through the blockchain system 302 includes verifying the legitimacy of the terminal device for a third-party application corresponding to the application server through the blockchain system 302 .
  • the authentication service function network element can send the data to the blockchain system.
  • a unified cross-domain authentication interface can be provided by the blockchain system, so that the application server can interact with the blockchain system through this interface and perform secure operations through the blockchain system, which not only simplifies the configuration of third-party applications, but also avoids the problem of one-by-one negotiation between the third-party application party and the operator and the deployment of network elements to plan routes, and thus improves the efficiency of the third-party application party.
  • the "third party" in the "third-party application" in the embodiment of the present application is relative to the operator's transmission network, such as a mobile transmission network.
  • the "third-party application" in this embodiment of the present application may be any currently runnable application, which is uniformly described here and will not be repeated below.
  • the communication system 20 shown in FIG. 2 or the communication system 30 shown in FIG. 3 may be applied to the current 5G network or other future networks, which is not specifically limited in this embodiment of the present application.
  • the application server 202 in the communication system 20 shown in FIG. 4 may be an application function (AF) network element in the 5G network architecture, and the network element or entity corresponding to the authentication service function network element in the communication system shown in FIG. 3 may be the 5G network architecture.
  • the current 5G network can also include access network equipment, access and mobility management function (AMF) network elements, session management function (SMF) network elements, BCHF network elements, user plane function (UPF) network elements, network slice selection function (NSSF) network elements, network exposure function (NEF) network elements, network repository function (NRF) network elements, policy control function (PCF) network elements, unified data management (UDM) network elements, etc., which are not specifically limited in this embodiment of the present application.
  • the terminal device accesses the 5G network through the access network device; the terminal device communicates with the AMF network element through the N1 interface (N1 for short); the access network device communicates with the AMF network element through the N2 interface (N2 for short); the access network equipment communicates with the UPF network element through the N3 interface (N3 for short); the SMF network element communicates with the UPF network element through the N4 interface (N4 for short); and the UPF network element accesses the data network through the N6 interface (N6 for short).
  • control plane network elements such as the AUSF network element, AMF network element, SMF network element, NSSF network element, NEF network element, NRF network element, PCF network element, UDM network element, AF network element, or BCHF network element shown in FIG. 4 can also interact through service interfaces.
  • the service interface provided by the AUSF network element can be Nausf; the service interface provided by the AMF network element can be Namf; the service interface provided by the SMF network element can be Nsmf; the service interface provided by the NSSF network element can be Nnssf; the service interface provided by the NEF network element can be Nnef; the service interface provided by the NRF network element can be Nnrf; the service interface provided by the PCF network element can be Npcf; the service interface provided by the UDM network element can be Nudm; the service interface provided by the AF network element can be Naf; and the service interface provided by the BCHF network element can be Nbchf.
  • the BCHF network element in the embodiment of the present application may be an independent function module deployed independently of the 5G network elements, or may be a distributed function module deployed together with a 5G network element, which is not specifically limited in this embodiment of the present application.
  • the blockchain system, the application server, or the authentication service function network element in the embodiment of the present application may also be referred to as a communication device or communication apparatus, which may be a general-purpose device or a special-purpose device; this is not specifically limited in this embodiment of the present application.
  • the relevant functions of the blockchain system, the application server, or the authentication service function network element in the embodiment of the present application may be implemented by one device, may be implemented jointly by multiple devices, or may be implemented by one or more functional modules in one device, which is not specifically limited in this embodiment of the present application. It is to be understood that the above-mentioned functions can be network elements in hardware devices, software functions running on dedicated hardware, a combination of hardware and software, or virtualization functions instantiated on a platform (eg, a cloud platform).
  • FIG. 5 is a schematic structural diagram of a communication device 500 according to an embodiment of the present application.
  • the communication device 500 includes one or more processors 501, a communication line 502, and at least one communication interface (in FIG. 5, one communication interface 504 and one processor 501 are used as an example for illustration), and optionally may also include a memory 503.
  • the processor 501 can be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the programs of the present application.
  • Communication line 502 may include a path for connecting the various components.
  • the communication interface 504 can be a transceiver module for communicating with other devices or communication networks, such as Ethernet, RAN, wireless local area networks (wireless local area networks, WLAN) and the like.
  • the transceiver module may be a device such as a transceiver.
  • the communication interface 504 may also be a transceiver circuit located in the processor 501 to implement signal input and signal output of the processor.
  • the memory 503 may be a device having a storage function. For example, it may be read-only memory (ROM) or another type of static storage device that can store static information and instructions, random access memory (RAM) or another type of dynamic storage device that can store information and instructions; it can also be electrically erasable programmable read-only memory (EEPROM), compact disc read-only memory (CD-ROM) or other optical disc storage (including compact discs, laser discs, digital versatile discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium capable of carrying or storing desired program code in the form of instructions or data structures and capable of being accessed by a computer, but is not limited to these.
  • the memory may exist independently and be connected to the processor through communication line 502 .
  • the memory can also be integrated with the processor.
  • the memory 503 is used for storing computer-executed instructions for executing the solution of the present application, and the execution is controlled by the processor 501 .
  • the processor 501 is configured to execute the computer-executed instructions stored in the memory 503, thereby implementing the authentication method provided in the embodiment of the present application.
  • the processor 501 may also perform processing-related functions in the authentication methods provided in the following embodiments of the present application, and the communication interface 504 is responsible for communicating with other devices or communication networks.
  • the embodiment does not specifically limit this.
  • the computer-executed instructions in the embodiment of the present application may also be referred to as application code, which is not specifically limited in the embodiment of the present application.
  • the processor 501 may include one or more CPUs, such as CPU0 and CPU1 in FIG. 5 .
  • the communication device 500 may include multiple processors, such as the processor 501 and the processor 508 in FIG. 5 .
  • processors can be a single-core processor or a multi-core processor.
  • the processor here may include, but is not limited to, at least one of the following: a central processing unit (CPU), a microprocessor, a digital signal processor (DSP), a microcontroller (MCU), an artificial intelligence processor, or another type of computing device that runs software; each computing device may include one or more cores for executing software instructions to perform operations or processing.
  • the communication device 500 may further include an output device 505 and an input device 506 .
  • the output device 505 is in communication with the processor 501 and can display information in a variety of ways.
  • the output device 505 may be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device, a projector, or the like.
  • Input device 506 is in communication with processor 501 and can receive user input in a variety of ways.
  • the input device 506 may be a mouse, a keyboard, a touch screen device, a sensor device, or the like.
  • the above-mentioned communication device 500 may also be sometimes referred to as a communication device, which may be a general-purpose device or a dedicated device.
  • the communication device 500 may be a desktop computer, a portable computer, a network server, a personal digital assistant (PDA), a mobile phone, a tablet computer, a wireless terminal device, an embedded device, the above-mentioned terminal device, the above-mentioned network device, or a device with a structure similar to that in FIG. 5.
  • This embodiment of the present application does not limit the type of the communication device 500 .
  • an authentication method provided by an embodiment of the present application includes the following steps:
  • the terminal device sends a registration request (registration request) to the AMF network element.
  • the AMF network element receives the registration request from the terminal device.
  • the registration request is used for the terminal device to register with the mobile network.
  • the registration request in this embodiment of the present application may further include indication information 1 .
  • the indication information 1 indicates that the security operation is performed through the blockchain system.
  • performing the security operation through the blockchain system includes obtaining, through the blockchain system, security parameters (such as security keys) for communication between the AF network element corresponding to the third-party application and the terminal device.
  • performing the security operation through the blockchain system also includes verifying the legitimacy of the terminal device for a third-party application through the blockchain system, which is described here uniformly and will not be repeated below.
  • the value of a certain information element (IE) may indicate that the security operation needs to be performed through the blockchain system. For example, when the value of the information element is "1", it may indicate that the security operation needs to be performed through the blockchain system; or, alternatively, when the value of the information element is "0", it may indicate that the security operation needs to be performed through the blockchain system.
  • whether a certain information element is present may indicate that the security operation needs to be performed through the blockchain system. For example, when the information element is present, it may indicate that the security operation needs to be performed through the blockchain system.
  • the AMF network element sends an authentication request (authentication request) to the AUSF network element.
  • the AUSF network element receives the authentication request from the AMF network element.
  • when the registration request in step S601 includes indication information 1, the authentication request in step S602 also includes indication information 1, which is described here uniformly and will not be repeated below.
  • the AUSF network element sends an authentication get request (authentication get request) to the UDM network element.
  • the UDM network element receives the authentication get request from the AUSF network element.
  • the authentication get request is used to request the authentication data of the terminal device.
  • the UDM network element sends an authentication get response (authentication get response) to the AUSF network element.
  • the AUSF network element receives the authentication get response from the UDM network element.
  • the authentication get response includes the authentication data of the terminal device.
  • the authentication get response may further include the above-mentioned indication information 1.
  • the indication information 1 indicates that the security operation is performed through the blockchain system.
  • the implementation of the indication information 1 may refer to step S601, which will not be repeated here.
  • the indication information 1 obtained by the AUSF network element may be sent by the terminal device through the AMF network element, or may be sent by the UDM network element, which is not specifically limited in the embodiment of the present application.
  • the AUSF network element and the terminal device perform mutual authentication and negotiate to generate a key between the terminal device and the AUSF network element (in this embodiment of the present application, the key between the terminal device and the AUSF network element is denoted as Kausf); and the AUSF network element assigns the terminal device a key identifier (KID) corresponding to Kausf.
  • the terminal device and the AUSF network element may further derive a key from Kausf (in this embodiment of the present application, the key derived from Kausf is denoted as Kchain).
  • the manner of deriving the key from Kausf may include, for example, generating Kchain from Kausf and the global blockchain identifier of the terminal device. Because both sides hold Kausf and the identifier, the terminal device and the AUSF network element obtain the same Kchain without Kchain itself being transmitted.
  • the global blockchain identifier of the terminal device is used to uniquely identify the terminal device in the blockchain system, and may be sent by the UDM network element to the AUSF network element, or by the AMF network element to the AUSF network element, which is not specifically limited in this embodiment of the present application.
  • the global blockchain identifier of the terminal device may be, for example, an identifier allocated by the blockchain system to the terminal device, a generic public subscription identifier (GPSI), or a subscription permanent identifier (SUPI).
  • the subsequent steps in this embodiment of the present application are described by taking as an example the case in which the AF network element and the terminal device communicate using a key derived in the mobile network. Because the key used between the AF network element and the terminal device is derived from the key established during mobile network authentication rather than negotiated separately, the service security of the terminal device is improved.
  • the terminal device may register with the mobile network. Further, the authentication method provided by the embodiment of the present application may further include the following step S606:
  • the AUSF network element is registered in the blockchain system.
  • the AUSF network element registers the first identifier and Kchain in the blockchain system.
  • the first identifier is used to locate the user context of the terminal device.
  • the first identifier may be at least one of a global blockchain identifier or a KID of the terminal device, which is described here uniformly and will not be repeated below.
  • the AUSF network element may be registered in the blockchain system according to the indication information 1.
  • the process of the AUSF network element registering the first identifier and Kchain in the blockchain system can be understood as the process of the AUSF network element storing the first identifier and Kchain in the blockchain security processing module of the blockchain system, which is described here uniformly and will not be repeated below.
  • for the blockchain security processing module, reference may be made to the preamble of the detailed description, which will not be repeated here.
  • when the AUSF network element registers the Kchain in the blockchain system, the AUSF network element needs to encrypt the Kchain and send the encrypted Kchain to the blockchain system, and the blockchain security processing module of the blockchain system then stores the encrypted Kchain. Kchain is therefore neither carried to the blockchain system nor stored there in the clear.
  • the manner in which the AUSF network element encrypts the Kchain may include, for example, the AUSF network element encrypting the Kchain using the public key allocated by the blockchain system to the blockchain security processing module.
  • correspondingly, the blockchain security processing module decrypts the encrypted Kchain using the private key corresponding to that public key to obtain the Kchain, which is not repeated here.
  • the Kchain can also be encrypted and the encrypted Kchain can be decrypted in other ways, which are not specifically limited in the embodiment of the present application.
  • the AUSF network element may directly interact with the blockchain system, and may also interact with the blockchain system through the BCHF network element, which is not specifically limited in the embodiment of the present application.
  • the BCHF network element can register the address of the BCHF network element with the blockchain system, so that the blockchain system can subsequently interact with the BCHF network element based on that address, which is not specifically limited in this embodiment of the present application.
  • when the BCHF network element interacts with the blockchain system, the interaction may also be forwarded by the NEF network element, which is not specifically limited in the embodiment of the present application.
  • the above description is also applicable to the embodiments shown in the subsequent FIG. 7 and FIG. 8 , and is described in a unified manner here, and will not be repeated below.
  • the AUSF network element can be registered with the blockchain system.
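The registration in step S606 (Kchain encrypted under the public key of the blockchain security processing module and stored against the first identifier), in working Go, as an added example that is not part of the patent and not Huawei's code. The page does not name the public-key scheme; RSA-OAEP from Go's standard library is assumed here. Binding the first identifier into the OAEP label is a choice of this example, not something the page specifies: it makes a wrapped Kchain unusable if re-registered under a different identifier. The module's key pair, the identifiers and the Kchain value are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// securityModule stands in for the blockchain security processing module: it holds the private
// key matching the public key the blockchain system allocated to it, plus the registered user contexts.
type securityModule struct {
	priv     *rsa.PrivateKey
	contexts map[string][]byte // first identifier -> Kchain wrapped under the module's public key
}

func newSecurityModule() (*securityModule, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // assumed: RSA-2048, generated by the module itself
	if err != nil {
		return nil, err
	}
	return &securityModule{priv: priv, contexts: map[string][]byte{}}, nil
}

// PublicKey is what the AUSF network element is handed (directly, or via BCHF/NEF in the page's terms).
func (m *securityModule) PublicKey() *rsa.PublicKey { return &m.priv.PublicKey }

// ausfWrapKchain is the AUSF side of step S606: Kchain is wrapped with RSA-OAEP before it leaves the AUSF.
// The first identifier goes into the OAEP label (a choice of this example), so the blob only unwraps
// for the identifier it was registered under.
func ausfWrapKchain(pub *rsa.PublicKey, firstID string, kchain []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, kchain, []byte(firstID))
}

// Register stores the wrapped Kchain against the first identifier after checking that the blob
// actually unwraps for that identifier; a context is registered once.
func (m *securityModule) Register(firstID string, wrapped []byte) error {
	if _, exists := m.contexts[firstID]; exists {
		return errors.New("first identifier already registered")
	}
	if _, err := rsa.DecryptOAEP(sha256.New(), nil, m.priv, wrapped, []byte(firstID)); err != nil {
		return fmt.Errorf("registration rejected for %s: %w", firstID, err)
	}
	m.contexts[firstID] = wrapped
	return nil
}

// Lookup recovers the plaintext Kchain for a first identifier; it is what steps S609/S610 need.
func (m *securityModule) Lookup(firstID string) ([]byte, error) {
	w, ok := m.contexts[firstID]
	if !ok {
		return nil, errors.New("no user context for first identifier")
	}
	return rsa.DecryptOAEP(sha256.New(), nil, m.priv, w, []byte(firstID))
}

func main() {
	mod, err := newSecurityModule()
	if err != nil {
		panic(err)
	}
	kchain := bytes.Repeat([]byte{0x42}, 32) // constructed Kchain (32 bytes, the size a KDF output would have)
	wrapped, _ := ausfWrapKchain(mod.PublicKey(), "kid-0001", kchain)
	fmt.Println("register:", mod.Register("kid-0001", wrapped))
	got, err := mod.Lookup("kid-0001")
	fmt.Println("lookup ok:", err == nil && bytes.Equal(got, kchain))
	fmt.Println("replay under another identifier:", mod.Register("kid-0002", wrapped))
}
```

The Register check matters operationally: a blob that does not unwrap would otherwise sit in the user context until the first login attempt fails at step S609, with no indication of which side produced the bad registration.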
  • the authentication method provided by the embodiment of the present application also includes a process of performing a secure operation through a blockchain system, including the following steps:
  • the terminal device sends a login request to the AF network element.
  • the AF network element receives the login request from the terminal device.
  • the login request is used for requesting to log in to the third-party application corresponding to the AF network element.
  • the login request includes the first identifier.
  • the login request may further include parameters and/or messages encrypted using Kchain.
  • the parameters and/or messages encrypted by Kchain can mean: parameters encrypted by Kchain are present alone, messages encrypted by Kchain are present alone, or both parameters and messages encrypted by Kchain are present.
  • a unified description is provided here, and the description is applicable to all the embodiments of the present application, and details are not repeated below.
  • the encrypted parameter may be, for example, a random number selected by the terminal device, a first identifier, or a value agreed between the terminal device and the blockchain system, which is not specifically limited in the embodiment of the present application.
  • the encrypted message may be, for example, a registration message.
  • for the first identifier, reference may be made to the foregoing step S606, which is not repeated here.
  • the AF network element sends a verification request (validate request) 1 to the blockchain system.
  • the blockchain system receives the verification request 1 from the AF network element.
  • the verification request 1 includes the first identifier in step S607.
  • the verification request 1 may further include parameters and/or messages encrypted using Kchain in step S607.
  • the verification request 1 may further include an application identifier (APP ID) of a third-party application.
  • the application identifier may be included in the message body of the verification request 1, may also be included in the message header of the verification request 1, and may also be expressed in the form of a digital signature of the APP, which is not specifically limited in this embodiment of the present application.
  • the authentication method provided by the embodiment of the present application further includes the following step S609:
  • the blockchain system verifies the legitimacy of the terminal device for a third-party application.
  • the blockchain system may determine the user context of the terminal device according to the first identifier. Furthermore, the blockchain system can verify the legitimacy of the terminal device for the third-party application based on the user context of the terminal device and the parameters and/or messages encrypted by the terminal device using the first key (that is, Kchain).
  • the blockchain system determining the user context of the terminal device according to the first identifier includes: the blockchain system determining the Kchain stored in the blockchain system according to the first identifier.
  • the blockchain system can determine the user context of the terminal device stored in the blockchain system according to the first identifier and the correspondence between the first identifier and the user context of the terminal device, and the blockchain system can further determine the Kchain in the user context of the terminal device (that is, the Kchain stored by the AUSF network element in the blockchain system).
  • determining the Kchain in the user context of the terminal device by the blockchain system may include, for example, the blockchain system determining the Kchain according to the correspondence between the first identifier in the user context of the terminal device and the Kchain.
  • the blockchain system verifying the legitimacy of the terminal device for the third-party application according to Kchain and the parameters and/or messages encrypted by the terminal device using the first key includes: the blockchain system using Kchain to decrypt the parameters and/or messages encrypted with Kchain and sent by the terminal device. A terminal device that does not hold Kchain cannot produce a ciphertext that decrypts to the expected format or value, which is what the following checks rely on.
  • when the terminal device sends parameters encrypted with Kchain but does not send a message encrypted with Kchain, the terminal device is considered legal if the decrypted parameters conform to the parameter format or value preconfigured by the blockchain system for the interaction between the terminal device and the blockchain system, or if the decrypted parameters conform to the parameters agreed between the terminal device and the blockchain system.
  • when the terminal device sends a message encrypted with Kchain but does not send parameters encrypted with Kchain, the terminal device is considered legal if the format of the decrypted message conforms to the message format preconfigured by the blockchain system for the interaction between the terminal device and the blockchain system.
  • when the terminal device sends both a message encrypted with Kchain and parameters encrypted with Kchain, the terminal device is considered legal if the format of the decrypted message conforms to the message format preconfigured by the blockchain system for the interaction between the terminal device and the blockchain system, and the decrypted parameters conform to the parameter format or value preconfigured by the blockchain system for that interaction, or to the parameters agreed between the terminal device and the blockchain system.
  • when the encrypted parameter is the APP ID of the third-party application, the blockchain system determines whether the decrypted parameter is consistent with the APP ID sent by the AF network element; if they are consistent, the terminal device is considered legal, and if they are inconsistent, the terminal device is considered illegal.
  • the terminal device can obtain the APP ID through a domain name system (domain name system, DNS) query.
  • the terminal device can also obtain the APP ID through other methods, which is not specifically limited in this embodiment of the present application.
  • after the blockchain system receives the verification request 1 from the AF network element, it needs to provide a security key for the communication between the AF network element corresponding to the third-party application and the terminal device, which includes the following steps:
  • the blockchain system generates a key for secure communication between the terminal device and the AF network element according to Kchain (in this embodiment of the present application, the key for the secure communication between the terminal device and the AF network element is denoted as Kapp).
  • the blockchain system may determine the corresponding user context according to the first identifier.
  • the user context includes the Kchain stored by the AUSF network element in the blockchain system.
  • after the blockchain system verifies in step S609 that the terminal device is legal, the blockchain system generates Kapp according to Kchain. Otherwise, if the blockchain system determines that the terminal device is illegal, the process of the terminal device accessing the third-party application can be terminated. Based on this solution, the access process is terminated in time when the terminal device accesses the third-party application illegally, which avoids the resource consumption and signaling waste that would be caused by the blockchain system still generating Kapp and delivering it to the AF network element for an illegal terminal device.
  • the blockchain system may also use the APP ID as one of the input parameters for generating Kapp, which is not specifically limited in the embodiment of the present application.
  • the blockchain system may also use the first identifier as one of the input parameters for generating Kapp, which is not specifically limited in the embodiment of the present application.
  • the blockchain system may also use the decrypted parameter as one of the input parameters for generating Kapp, which is not specifically limited in this embodiment of the present application.
  • the decrypted parameters may include, for example, a random number selected by the terminal device. Because the random number is fresh for each login, the Kapp generated from it differs from login to login and is harder for an attacker to predict or replay, thereby further ensuring secure communication between the terminal device and the AF network element.
  • the blockchain system sends a validation response (validate response) 1 to the AF network element.
  • the AF network element receives the verification response 1 from the blockchain system.
  • the verification response 1 includes the above Kapp.
  • the verification response 1 may further include the validity period of the Kapp.
  • the validity period of the Kapp expires, the terminal device and the AF network element can initiate the Kapp renegotiation process, so that the AF network element obtains the Kapp through the blockchain system again.
  • when the verification request 1 includes parameters and/or messages encrypted using Kchain, the verification response 1 may also include the parameters and/or messages decrypted using Kchain.
  • the parameters and/or messages are used for subsequent verification of network security, which is not specifically limited in this embodiment of the present application.
  • the AF network element sends a login response to the terminal device.
  • the terminal device receives the login response from the AF network element.
  • when the login request includes a message encrypted using Kchain, such as a registration request, the login response may include a registration accept message obtained according to the registration request decrypted using Kchain.
  • when the verification response 1 includes the validity period of the Kapp, the registration accept message may include the validity period of the Kapp.
  • when the login request includes parameters encrypted using Kchain, the login response may include the parameters decrypted using Kchain.
  • the terminal device can read the parameters decrypted using Kchain included in the login response and compare them with the plaintext parameters it encrypted before sending the login request to the AF network element; if the two are consistent, the terminal device considers that the network side has passed verification (that is, the terminal device confirms that the network side is legitimate), since only a party holding Kchain could have recovered the plaintext.
  • the message or parameter in the login response may be encrypted using Kapp, so as to ensure secure communication between the terminal device and the AF network element.
  • after the terminal device receives the login response, it can use the locally generated Kapp to encrypt key information in the subsequent information exchange with the AF network element.
  • the way in which the terminal device generates Kapp is the same as the way in which the blockchain system generates Kapp, and will not be repeated here.
  • optionally, legitimacy can also be verified through subsequent procedures.
  • when the login response does not include the parameters decrypted using Kchain, since both the terminal device and the AF network element can subsequently use Kapp to encrypt information, the terminal device can also verify whether the network side is legal through the subsequent message interaction, which is not specifically limited in this embodiment of the present application.
  • in existing mechanisms, the application-side AApF network element needs to configure the interfaces and interface addresses with the AAuF network elements in different networks one by one.
  • in contrast, the embodiment of the present application can provide a unified cross-domain authentication interface through the blockchain system, so that the AF network element interacts with the blockchain system through this interface and performs security operations through the blockchain system, such as providing security keys for the communication between the AF network element corresponding to the third-party application and the terminal device, and verifying the legitimacy of the terminal device for the third-party application. This not only simplifies the configuration of third-party applications, but also avoids the need for third-party applications and operators to negotiate one by one and to deploy network elements and plan routes, improving the efficiency of third-party applications.
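The Kchain derivation of step S605 and the login and verification exchange of steps S607 to S612, carried through end to end in Go as an added example (not the patent's and not Huawei's code). The page leaves open the key derivation function, the cipher behind "encrypted using Kchain" and the format of the agreed parameter; this example assumes a KDF in the style of 3GPP TS 33.220 Annex B (HMAC-SHA-256 over an FC byte and length-suffixed parameters, with the FC values 0x80 and 0x81 chosen here), AES-256-GCM for the encrypted parameter, and an agreed parameter consisting of the APP ID, a separator and a 16-byte random number. Kausf, the identifiers and the APP ID are constructed inputs. The illegal-terminal branch of step S610 (no Kapp is generated when verification fails) is exercised by a terminal that does not hold the real Kausf.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// kdf follows the shape of the 3GPP TS 33.220 Annex B KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...).
// The page does not fix the derivation function or FC values; both are assumptions of this example.
func kdf(key []byte, fc byte, params ...[]byte) []byte {
	s := []byte{fc}
	for _, p := range params {
		s = append(s, p...)
		s = append(s, byte(len(p)>>8), byte(len(p))) // 16-bit big-endian length of the parameter
	}
	m := hmac.New(sha256.New, key)
	m.Write(s)
	return m.Sum(nil) // 32 bytes; used directly as an AES-256 key below
}

const (
	fcKchain byte = 0x80 // assumed FC: Kchain = KDF(Kausf, GBID)                                 (S605)
	fcKapp   byte = 0x81 // assumed FC: Kapp = KDF(Kchain, APP ID, first identifier, random number) (S610)
)

func deriveKchain(kausf []byte, gbid string) []byte { return kdf(kausf, fcKchain, []byte(gbid)) }

func deriveKapp(kchain []byte, appID, firstID string, nonce []byte) []byte {
	return kdf(kchain, fcKapp, []byte(appID), []byte(firstID), nonce)
}

// "Parameters encrypted using Kchain" are realised with AES-256-GCM (assumed; the page leaves the cipher open).
func gcm(key []byte) (cipher.AEAD, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(b)
}

func seal(key, pt []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, g.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	return g.Seal(iv, iv, pt, nil), nil // iv || ciphertext || tag
}

func open(key, ct []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil || len(ct) < g.NonceSize() {
		return nil, errors.New("bad key or ciphertext")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// ledger stands in for the user contexts the blockchain security processing module holds after
// step S606: first identifier -> Kchain (kept in plaintext here for brevity).
type ledger map[string][]byte

// validate is steps S609 and S610 as seen by the blockchain system: locate the user context, decrypt
// the parameter, check the agreed format "<APP ID>|<16-byte random number>" (an assumption of this
// example), and only then derive Kapp. An illegal terminal gets an error and no Kapp.
func (l ledger) validate(firstID, appID string, encParam []byte) (kapp, param []byte, err error) {
	kchain, ok := l[firstID]
	if !ok {
		return nil, nil, errors.New("no user context for first identifier")
	}
	if param, err = open(kchain, encParam); err != nil {
		return nil, nil, errors.New("terminal illegal: parameter does not decrypt under Kchain")
	}
	prefix := []byte(appID + "|")
	if !bytes.HasPrefix(param, prefix) || len(param) != len(prefix)+16 {
		return nil, nil, errors.New("terminal illegal: parameter format or APP ID mismatch")
	}
	return deriveKapp(kchain, appID, firstID, param[len(prefix):]), param, nil
}

// login runs S605 and S607 to S612 end to end and returns the Kapp computed by the terminal, the Kapp the
// AF received from the blockchain system, and whether the terminal accepted the network side at S612.
func login(kausf []byte, gbid, firstID, appID string, l ledger) (terminalKapp, afKapp []byte, networkOK bool, err error) {
	kchain := deriveKchain(kausf, gbid) // S605: computed independently by the terminal and the AUSF
	nonce := make([]byte, 16)
	if _, err = rand.Read(nonce); err != nil {
		return
	}
	param := append([]byte(appID+"|"), nonce...)
	encParam, err := seal(kchain, param) // S607: login request carries first identifier + E_Kchain(param)
	if err != nil {
		return
	}
	afKapp, decParam, err := l.validate(firstID, appID, encParam) // S608 to S611, relayed by the AF
	if err != nil {
		return
	}
	networkOK = bytes.Equal(decParam, param) // S612: terminal compares the echoed plaintext with what it sent
	terminalKapp = deriveKapp(kchain, appID, firstID, nonce)
	return
}

func main() {
	kausf := bytes.Repeat([]byte{0x11}, 32) // constructed Kausf; a real one comes out of the S605 authentication
	l := ledger{"kid-0001": deriveKchain(kausf, "gbid-1234")}
	tk, ak, ok, err := login(kausf, "gbid-1234", "kid-0001", "app.example", l)
	fmt.Printf("legal terminal: err=%v networkOK=%v kappMatch=%v\n", err, ok, bytes.Equal(tk, ak))
	_, _, _, err = login(bytes.Repeat([]byte{0x22}, 32), "gbid-1234", "kid-0001", "app.example", l)
	fmt.Printf("terminal without Kausf: err=%v\n", err)
}
```

Because the parameter is authenticated (GCM), the format check of step S609 is only ever reached for a sender that holds Kchain; with an unauthenticated cipher the format and value checks would carry the whole burden, and a bare random number, which has no format to check, could not be verified at all.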
  • the actions of the AUSF network element, the AF network element or the blockchain system in the above steps S601 to S612 may be performed by the processor 501 in the communication device 500 shown in FIG. 5 calling the application code stored in the memory 503, and this embodiment does not impose any restrictions on this.
  • as shown in FIG. 7, an authentication method is provided in this embodiment of the present application, and the method includes the following steps S701 to S714:
  • S701-S705 are the same as steps S601-S605 in the embodiment shown in FIG. 6 , and the related description can refer to the embodiment shown in FIG. 6 , and details are not repeated here.
  • the terminal device may register with the mobile network. Further, the authentication method provided in the embodiment of the present application may further include the following step S706:
  • the AUSF network element is registered in the blockchain system.
  • the AUSF network element may be registered in the blockchain system according to the indication information 1.
  • optionally, the first identifier and the Kchain may be registered.
  • the AUSF network element can obtain the Kchain
  • optionally, the address of the AUSF network element, the first identifier and the Kchain may be registered.
  • the process of the AUSF network element registering the first identifier and Kchain in the blockchain system can be understood as the process of the AUSF network element storing the first identifier and Kchain in the blockchain security processing module of the blockchain system; the process of the AUSF network element registering the address of the AUSF network element, the first identifier and Kchain in the blockchain system can be understood as the process of the AUSF network element storing the address of the AUSF network element, the first identifier and Kchain in the blockchain security processing module of the blockchain system, which is described here uniformly and will not be repeated below.
  • when the AUSF network element registers the Kchain in the blockchain system, the AUSF network element needs to encrypt the Kchain and send the encrypted Kchain to the blockchain system, and the blockchain security processing module of the blockchain system then stores the encrypted Kchain. For the specific manner, reference may be made to step S606 in the embodiment shown in FIG. 6, and details are not described herein again.
  • the AUSF network element can be registered with the blockchain system.
  • the authentication method provided by the embodiment of the present application also includes a process of performing a secure operation through a blockchain system, including the following steps:
  • the terminal device sends a login request to the AF network element.
  • the AF network element receives the login request from the terminal device.
  • the login request is used for requesting to log in to the third-party application corresponding to the AF network element.
  • the login request includes the first identifier, parameters and/or messages encrypted using Kchain.
  • the encrypted parameter may be, for example, a random number selected by the terminal device, a first identifier, or a value agreed between the terminal device and the blockchain system, which is not specifically limited in this embodiment of the present application.
  • the encrypted message may be, for example, a registration message.
  • for the first identifier, reference may be made to step S606 in the embodiment shown in FIG. 6, and details are not repeated here.
  • the AF network element sends a verification request (validate request) 1 to the blockchain system.
  • the blockchain system receives the verification request 1 from the AF network element.
  • the verification request 1 includes the first identifier in step S707, and the parameters and/or messages encrypted using Kchain.
  • the verification request 1 may further include an application identifier (APP ID) of a third-party application.
  • the application identifier may be included in the message body of the verification request 1, may also be included in the message header of the verification request 1, and may also be expressed in the form of a digital signature of the APP, which is not specifically limited in this embodiment of the present application.
  • the blockchain system verifies the legitimacy of the terminal device for a third-party application.
  • step S709 may refer to step S609 in the embodiment shown in FIG. 6 , which will not be repeated here.
  • after the blockchain system verifies that the terminal device is legal, the blockchain system sends a verification request 2 to the AUSF network element. Correspondingly, the AUSF network element receives the verification request 2 from the blockchain system.
  • the verification request 2 includes the first identifier.
  • the verification request 2 may further include an application identifier (APP ID) of a third-party application.
  • the verification request 2 may further include parameters and/or messages encrypted using Kchain and sent by the terminal device, which are not specifically limited in this embodiment of the present application.
  • the blockchain system can send the verification request 2 to the AUSF network element in the following manner: the blockchain system determines the corresponding user context according to the first identifier.
  • the user context includes the address of the AUSF network element registered in the blockchain system by the AUSF network element.
  • the blockchain system can determine the corresponding AUSF network element according to the address of the AUSF network element.
  • alternatively, the login request and the verification request 1 in the embodiment of the present application may also include a network identifier of the network serving the terminal device.
  • the AUSF network element serving the terminal device may be determined according to the network identifier, which is not specifically limited in this embodiment of the present application.
  • the network identifier in the embodiment of the present application may be, for example, a public land mobile network (public land mobile network, PLMN), or a domain name (such as CMCC.com), which is not specifically limited in the embodiment of the present application.
  • the network identifier in the embodiment of the present application may be an independent information element, or may be information included in other information elements, which is not specifically limited in the embodiment of the present application.
  • the blockchain system may directly interact with the AUSF network element, or may interact with the AUSF network element through the BCHF network element, which is not specifically limited in the embodiment of the present application.
  • the above two implementation manners are both illustratively described by taking the blockchain system addressing AUSF network elements as an example.
  • the blockchain system can also address the BCHF network element in a similar manner, which will not be repeated in this embodiment of the present application.
  • the AUSF network element generates a key used for the secure communication between the terminal device and the AF network element according to Kchain or Kausf (in this embodiment of the present application, the key used for the secure communication between the terminal device and the AF network element is denoted as Kapp).
  • the AUSF network element may determine the corresponding user context according to the first identifier.
  • the user context includes the Kchain or Kausf generated by the AUSF network element.
  • the AUSF network element may also use the APP ID as one of the input parameters for generating Kapp, which is not specifically limited in the embodiment of the present application.
  • the AUSF network element may also use the first identifier as one of the input parameters for generating Kapp, which is not specifically limited in the embodiment of the present application.
  • the AUSF network element may also use the decrypted parameter as one of the input parameters for generating Kapp, which is not specifically limited in this embodiment of the present application.
  • the decrypted parameters may include, for example, a random number selected by the terminal device. Because the random number is fresh for each login, the Kapp generated from it differs from login to login and is harder for an attacker to predict or replay, thereby further ensuring secure communication between the terminal device and the AF network element.
  • the AUSF network element sends a verification response 2 to the blockchain system.
  • the blockchain system receives the verification response 2 from the AUSF network element.
  • the verification response 2 includes Kapp.
  • the verification response 2 may further include the validity period of the Kapp.
  • when the verification request 2 includes parameters and/or messages encrypted using Kchain, the verification response 2 may also include the parameters and/or messages decrypted using Kchain.
  • the parameters and/or messages are used for subsequent verification of network security, which is not specifically limited in this embodiment of the present application.
  • the blockchain system sends a verification response 1 to the AF network element.
  • the AF network element receives the verification response 1 from the blockchain system.
  • the verification response 1 includes the parameters in the verification response 2 in step S712, such as Kapp, the validity period of the Kapp (optional), and the parameters and/or messages decrypted using Kchain (optional).
  • the parameters and/or messages decrypted using Kchain are used for subsequent verification of network security, which is not specifically limited in this embodiment of the present application.
  • the AF network element sends a login response to the terminal device.
  • the terminal device receives the login response from the AF network element.
  • for the specific implementation of step S714, reference may be made to step S612 in the embodiment shown in FIG. 6, which will not be repeated here.
  • the application side AApF network elements need to configure the interfaces and interface addresses with the AAuF network elements in different networks one by one.
  • the embodiment of the present application can provide a unified cross-domain authentication interface by the blockchain system, Make the AF network element interact with the blockchain system through this interface, and perform safe operations through the blockchain system, such as providing security keys for the communication between the AF network element corresponding to the third-party application and the terminal device, and verifying the third-party application.
  • the legitimacy of terminal equipment, etc. not only simplifies the configuration of third-party applications, but also avoids the problem of negotiating one-by-one between third-party applications and operators, and deploying network elements to plan routes, improving the efficiency of third-party applications.
  • the blockchain system verifies the legitimacy of the terminal device for the third-party application, so that when the terminal device's access to the third-party application is illegitimate, the access process can be terminated in time, preventing the terminal device from accessing the third-party application illegitimately.
  • this avoids the resource consumption and signaling waste that would be caused if the AUSF network element still generated Kapp and sent it to the AF network element through the blockchain system.
  • the actions of the AUSF network element, the AF network element or the blockchain system in the above steps S701 to S714 may be performed by the processor 501 in the communication device 500 shown in FIG. 5 calling the application code stored in the memory 503 to instruct the AUSF network element, AF network element, or blockchain system, and this embodiment does not impose any restrictions on this.
  • an authentication method is provided in this embodiment of the application, and the method includes the following steps:
  • S801-S805 are the same as steps S601-S605 in the embodiment shown in FIG. 6 , and the related description may refer to the embodiment shown in FIG. 6 , which will not be repeated here.
  • the terminal device may register with the mobile network. Further, optionally, the authentication method provided in this embodiment of the present application may further include the following step S806:
  • the AUSF network element is registered in the blockchain system.
  • the AUSF network element registers the first identifier and the address of the AUSF network element in the blockchain system.
  • the first identifier reference may be made to step S606 in the embodiment shown in FIG. 6 , and details are not repeated here.
  • the AUSF network element may be registered in the blockchain system according to the indication information 1.
  • the process of the AUSF network element registering the first identifier and the address of the AUSF network element in the blockchain system can be understood as the AUSF network element storing the first identifier and the address of the AUSF network element in the blockchain security processing module of the blockchain system.
  • this process is described here in a unified manner and will not be repeated below.
  • the AUSF network element can be registered with the blockchain system.
  • the authentication method provided by the embodiment of the present application also includes a process of performing a secure operation through a blockchain system, including the following steps:
  • S807-S808 are the same as steps S607-S608 in the embodiment shown in FIG. 6 , and the related description can refer to the embodiment shown in FIG. 6 , and details are not repeated here.
  • the blockchain system sends a verification request 2 to the AUSF network element.
  • the AUSF network element receives the verification request 2 from the blockchain system.
  • the verification request 2 includes the parameters in the verification request 1 in step S808, such as the first identifier, and parameters and/or messages encrypted by Kchain (optional).
  • the verification request 2 may further include an application identifier (APP ID) of a third-party application.
  • the blockchain system can determine the corresponding AUSF network element according to the first identifier before sending the verification request 2 to the AUSF network element.
  • the user context includes the address of the AUSF network element registered in the blockchain system by the AUSF network element.
  • the blockchain system can determine the corresponding AUSF network element according to the address of the AUSF network element.
  • the login request and the verification request 1 in the embodiment of the present application may further include the network identifier of the service terminal device. Furthermore, before the blockchain system sends the verification request 2 to the AUSF network element, the AUSF network element serving the terminal device may be determined according to the network identifier. For related description, reference may be made to step S710 in the embodiment shown in FIG. 7 , and details are not repeated here.
  • the AUSF network element generates a key for secure communication between the terminal device and the AF network element according to Kchain or Kausf (the key for secure communication between the terminal device and the AF network element in the embodiment of the present application is denoted as Kapp).
  • the blockchain system may determine the corresponding user context according to the first identifier.
  • the user context includes the Kchain or Kausf generated by the AUSF network element.
  • the AUSF network element may also use the APP ID as one of the input parameters for generating Kapp, which is not specifically limited in the embodiment of the present application.
  • the AUSF network element may also use the first identifier as one of the input parameters for generating Kapp, which is not specifically limited in the embodiment of the present application.
  • the AUSF network element may also use the decrypted parameter as one of the input parameters for generating Kapp, which is not specifically limited in this embodiment of the present application.
  • the decrypted parameters can include, for example, a random number selected by the terminal device; since the random number is random, the Kapp generated based on it is also more flexible and less easily attacked by an attacker, thereby further ensuring secure communication between the terminal device and the AF network element.
  • when the terminal device sends parameters and/or messages encrypted with Kchain, and the verification request 2 includes the parameters and/or messages encrypted with Kchain, the AUSF network element may first verify the legitimacy of the terminal device for the third-party application. After the AUSF network element verifies that the terminal device is legitimate, the AUSF network element generates Kapp according to Kchain or Kausf. If the AUSF network element determines that the terminal device is illegitimate, the process of the terminal device accessing the third-party application can be terminated.
  • in this way, the access process can be terminated in time when the terminal device accesses the third-party application illegitimately, avoiding the resource consumption and signaling waste that would be caused if the AUSF network element still generated Kapp and sent it to the AF network element through the blockchain system.
  • the manner in which the AUSF network element verifies the legitimacy of the terminal device for the third-party application may be, for example, the AUSF network element may determine the user context of the terminal device according to the first identifier. Further, the AUSF network element can verify the legitimacy of the terminal device for the third-party application according to the user context of the terminal device and the parameters and/or messages encrypted by the terminal device using the first key.
  • the AUSF network element determining the user context of the terminal device according to the first identifier includes: the AUSF network element determining the Kchain stored in the AUSF network element according to the first identifier.
  • the AUSF network element may determine the user context of the terminal device stored in the AUSF network element according to the first identifier and the correspondence between the first identifier and the user context of the terminal device, and the AUSF network element may further determine the Kchain in the user context of the terminal device.
  • the AUSF network element determining the Kchain in the user context of the terminal device may include, for example: the AUSF network element may determine the Kchain according to the correspondence between the first identifier in the user context of the terminal device and the Kchain.
  • the AUSF network element verifying the legitimacy of the terminal device for the third-party application according to Kchain and the parameters and/or messages encrypted by the terminal device using the first key includes: the AUSF network element uses Kchain to decrypt the parameters and/or messages encrypted with Kchain that were sent by the terminal device. When the terminal device sends parameters encrypted by Kchain but does not send messages encrypted by Kchain, if the decrypted parameters conform to the preconfigured parameter format or value used for interaction between the terminal device and the AUSF network element, or if the decrypted parameters conform to the parameters agreed between the terminal device and the AUSF network element, the terminal device is considered legitimate.
  • when the terminal device sends a message encrypted by Kchain but does not send parameters encrypted by Kchain, if the format of the decrypted message conforms to the preconfigured message format used for interaction between the terminal device and the AUSF network element, the terminal device is considered legitimate.
  • when the terminal device sends both a message encrypted by Kchain and parameters encrypted by Kchain, if the format of the decrypted message conforms to the preconfigured message format used for interaction between the terminal device and the AUSF network element, and the decrypted parameters conform to the preconfigured parameter format or value used for that interaction, or conform to the parameters agreed between the terminal device and the AUSF network element, the terminal device is considered legitimate.
  • the terminal device may obtain the APP ID through DNS query.
  • the terminal device may also obtain the APP ID through other methods, which is not specifically limited in this embodiment of the present application.
  • S811-S813 are the same as steps S712-S714 in the embodiment shown in FIG. 7 , and the related description can refer to the embodiment shown in FIG. 7 , and details are not repeated here.
  • the legitimacy of the terminal device may also be verified through subsequent procedures. For example, since Kapp is derived from Kchain, if the terminal device is legitimate, the terminal device can obtain the correct Kchain, the Kapp generated by the terminal device is the same as the Kapp obtained by the AF network element, and the subsequent secure communication will succeed. Conversely, if the terminal device is illegitimate, the terminal device cannot obtain the correct Kchain, the Kapp generated by the terminal device differs from the Kapp obtained by the AF network element, and the subsequent secure communication between the terminal device and the AF network element using Kapp will fail. In this way the interests of legitimate terminal devices are protected.
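The FIG. 8 flow described above (the blockchain system routing verification request 2 to the registered AUSF address, the AUSF decrypting the terminal's Kchain-protected parameters and checking them against the preconfigured format, and Kapp being derived only after that check with the APP ID, first identifier and the terminal's random number as inputs) as an added worked example; this is constructed illustration code, not code from the patent. The page names no cipher, KDF or parameter layout, so the HMAC-SHA256 stream cipher, HKDF and the `MAGIC`/nonce/APP ID format are assumptions of this example.

```python
import hashlib
import hmac
import os

# Preconfigured parameter format agreed between terminal device and AUSF
# (constructed for this example): a fixed marker value, a 16-byte random
# number chosen by the terminal, then the application identifier.
MAGIC = b"LGN1"
NONCE_LEN = 16


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract then expand) with HMAC-SHA256 and an empty salt."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher with HMAC-SHA256 as the PRF (assumed; the
    page names no cipher).  The same call encrypts and decrypts."""
    out = bytearray()
    for index, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, iv + index.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


def build_login_params(app_id: str, nonce: bytes) -> bytes:
    """Terminal side: the parameters that will be encrypted with Kchain."""
    return MAGIC + nonce + app_id.encode("utf-8")


def parse_login_params(plaintext: bytes):
    """The format check from the text: (app_id, nonce) only if the decrypted
    bytes match the preconfigured format, otherwise None."""
    if len(plaintext) <= len(MAGIC) + NONCE_LEN or not plaintext.startswith(MAGIC):
        return None
    nonce = plaintext[len(MAGIC):len(MAGIC) + NONCE_LEN]
    try:
        app_id = plaintext[len(MAGIC) + NONCE_LEN:].decode("utf-8")
    except UnicodeDecodeError:
        return None
    return app_id, nonce


def derive_kapp(kchain: bytes, app_id: str, first_id: str, nonce: bytes) -> bytes:
    """Kapp from Kchain, with APP ID, first identifier and the terminal's
    random number as the optional extra inputs mentioned for step S810."""
    info = b"Kapp|" + app_id.encode() + b"|" + first_id.encode() + b"|" + nonce
    return hkdf_sha256(kchain, info)


def terminal_login_request(kchain, first_id, app_id, nonce=None, iv=None):
    """Terminal side: build the login request and the terminal's own Kapp."""
    nonce = nonce or os.urandom(NONCE_LEN)
    iv = iv or os.urandom(16)
    ciphertext = keystream_xor(kchain, iv, build_login_params(app_id, nonce))
    request = {"first_id": first_id, "app_id": app_id, "iv": iv, "ciphertext": ciphertext}
    return request, derive_kapp(kchain, app_id, first_id, nonce)


def blockchain_route(chain_contexts: dict, request: dict):
    """Blockchain side: find the user context by the first identifier and
    return the AUSF address registered in S806 to forward verification
    request 2 to, or None if the identifier is unknown."""
    ctx = chain_contexts.get(request["first_id"])
    return None if ctx is None else ctx["ausf_address"]


def ausf_handle_verification_request(ausf_contexts: dict, request: dict):
    """AUSF side: verify legitimacy first, derive Kapp only on success.
    Returns (legitimate, kapp); kapp is None when the access is terminated."""
    ctx = ausf_contexts.get(request["first_id"])
    if ctx is None:
        return False, None
    plaintext = keystream_xor(ctx["kchain"], request["iv"], request["ciphertext"])
    parsed = parse_login_params(plaintext)
    if parsed is None or parsed[0] != request["app_id"]:
        return False, None  # terminate: no Kapp generated, nothing sent to the AF
    app_id, nonce = parsed
    return True, derive_kapp(ctx["kchain"], app_id, request["first_id"], nonce)


if __name__ == "__main__":
    kchain = bytes(range(32))                     # constructed Kchain
    ausf_ctx = {"gbid-0001": {"kchain": kchain}}  # AUSF-side user context
    chain_ctx = {"gbid-0001": {"ausf_address": "ausf1.example"}}  # from S806
    req, k_terminal = terminal_login_request(kchain, "gbid-0001", "app.example")
    print("forward verification request 2 to:", blockchain_route(chain_ctx, req))
    ok, k_ausf = ausf_handle_verification_request(ausf_ctx, req)
    print("legitimate:", ok, "Kapp matches terminal:", k_ausf == k_terminal)
    rogue, _ = terminal_login_request(b"\x00" * 32, "gbid-0001", "app.example")
    print("device without the correct Kchain:", ausf_handle_verification_request(ausf_ctx, rogue))
```

A device that does not hold the correct Kchain produces plaintext that fails the format check, so the AUSF terminates before any Kapp is derived or forwarded, which is the resource-saving point the text makes.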
  • the application side AApF network elements need to configure the interfaces and interface addresses with the AAuF network elements in different networks one by one.
  • the embodiment of the present application can provide a unified cross-domain authentication interface through the blockchain system, so that the AF network element interacts with the blockchain system through this interface and performs secure operations through the blockchain system, such as providing a security key for the communication between the AF network element corresponding to the third-party application and the terminal device, or verifying the legitimacy of the terminal device for the third-party application.
  • this not only simplifies the configuration of third-party applications, but also avoids the problem of third-party applications negotiating one by one with operators and deploying network elements to plan routes, improving the efficiency of the third-party application party.
  • the actions of the AUSF network element, the AF network element or the blockchain system in the above steps S801 to S813 can be performed by the processor 501 in the communication device 500 shown in FIG. 5 calling the application code stored in the memory 503 to instruct the AUSF network element, AF network element, or blockchain system, and this embodiment does not impose any restrictions on this.
  • an authentication method provided by an embodiment of the present application includes the following steps:
  • the blockchain system receives a first message from an application server, where the first message includes a first identifier, and parameters and/or messages encrypted by the terminal device using the first key.
  • the application server in the embodiment of the present application may be, for example, the AF network element in the embodiment shown in FIG. 6 or FIG. 7 .
  • the blockchain system in the embodiment of the present application may be, for example, the blockchain system in the embodiment shown in FIG. 6 or FIG. 7 .
  • the first message in the embodiment of the present application may be, for example, the verification request 1 in step S608 in the embodiment shown in FIG. 6 ; or, the first message in the embodiment of the present application may be, for example, the verification request 2 in step S708 in the embodiment shown in FIG. 7 .
  • the blockchain system determines the user context of the terminal device according to the first identifier.
  • the blockchain system verifies the legitimacy of the terminal device for a third-party application corresponding to the application server according to the user context of the terminal device and the parameters and/or messages encrypted by the terminal device using the first key.
  • for the specific implementation of steps S902-S903, reference may be made to step S609 in the embodiment shown in FIG. 6 or step S709 in the embodiment shown in FIG. 7 , and details are not repeated here.
  • the blockchain system verifies the legitimacy of the terminal device for the third-party application, so that when the terminal device's access to the third-party application is illegitimate, the access process can be terminated in time, preventing the terminal device from accessing the third-party application.
  • this avoids the resource consumption and signaling waste caused by continuing to execute the subsequent process (such as continuing to provide a security key for the communication between the application server corresponding to the third-party application and the terminal device).
  • the application side AApF network elements need to configure the interfaces and interface addresses with the AAuF network elements in different networks one by one.
  • the unified cross-domain authentication interface provided by the blockchain system allows the application server to interact with the blockchain system through this interface and perform secure operations through the blockchain system (such as verifying the legitimacy of terminal devices for third-party applications), which not only simplifies the configuration of third-party applications, but also avoids the problem of the third-party application party negotiating one by one with the operator and deploying network elements to plan routes, improving the efficiency of the third-party application party.
  • the actions of the blockchain system in the above steps S901 to S903 may be executed by the processor 501 in the communication device 500 shown in FIG. 5 calling the application code stored in the memory 503 to instruct the blockchain system to execute them; this embodiment does not impose any restrictions on this.
  • an authentication method provided by an embodiment of the present application includes the following steps:
  • the blockchain system receives a first message from an application server, where the first message includes a first identifier.
  • the application server in the embodiment of the present application may be, for example, the AF network element in the embodiment shown in FIG. 6
  • the blockchain system in the embodiment of the present application may be, for example, the blockchain system in the embodiment shown in FIG. 6 .
  • the first message in this embodiment of the present application may be, for example, the verification request 1 in step S608 in the embodiment shown in FIG. 6 .
  • the blockchain system determines a user context of the terminal device according to the first identifier, where the user context of the terminal device includes the first key.
  • the first key in this embodiment of the present application may be, for example, Kchain in the embodiment shown in FIG. 6 .
  • the blockchain system generates a third key, where the third key is a key used for secure communication between the terminal device and the application server, wherein the input parameters for generating the third key include the first key.
  • the third key in this embodiment of the present application may be, for example, Kapp in the embodiment shown in FIG. 6 .
  • for the specific implementation of steps S1002-S1003, reference may be made to step S610 in the embodiment shown in FIG. 6 , and details are not described herein again.
  • the application side AApF network elements need to configure the interfaces and interface addresses with the AAuF network elements in different networks one by one.
  • the application server interacts with the blockchain system through this interface and performs secure operations through the blockchain system (such as obtaining the security parameters for the communication between the application server and the terminal device through the blockchain system), which not only simplifies the configuration of the third-party application, but also avoids the problem of the third-party application party negotiating one by one with the operator and deploying network elements to plan routes, improving the efficiency of the third-party application party.
  • the actions of the blockchain system in the above steps S1001 to S1003 may be executed by the processor 501 in the communication device 500 shown in FIG. 5 calling the application code stored in the memory 503 to instruct the blockchain system to execute them; this embodiment does not impose any restrictions on this.
  • an authentication method provided by an embodiment of the present application includes the following steps:
  • the authentication service function network element obtains instruction information, where the instruction information indicates that a secure operation is performed through a blockchain system.
  • the authentication service function network element in the embodiment of the present application may be, for example, the AUSF network element in the embodiments shown in FIG. 6 to FIG. 8 .
  • the blockchain system in the embodiment of the present application may be, for example, the blockchain system in the embodiments shown in FIG. 6 to FIG. 8 .
  • for the manner in which the authentication service function network element obtains the indication information, reference may be made to step S604 in the embodiment shown in FIG. 6 , which will not be repeated here.
  • the authentication service function network element sends a third message to the blockchain system according to the indication information, where the third message includes first information and is used to request that the first information be stored in the user context of the terminal device, wherein the first information is the information required by the application server to perform secure operations through the blockchain system.
  • the application server in the embodiment of the present application may be, for example, the AF network element in the embodiments shown in FIG. 6 to FIG. 8 .
  • the third message in this embodiment of the present application may be, for example, a message sent by the AUSF network element to the blockchain system when the AUSF network element registers with the blockchain system in step S606 of the embodiment shown in FIG. 6 .
  • the first information may be the first identifier and Kchain registered by the AUSF network element in the blockchain system in step S606 of the embodiment shown in FIG. 6 .
  • the third message in this embodiment of the present application may be, for example, a message sent by the AUSF network element to the blockchain system when the AUSF network element registers with the blockchain system in step S706 of the embodiment shown in FIG. 7 .
  • the first information may be the first identifier and Kchain registered by the AUSF network element in the blockchain system in step S706 of the embodiment shown in FIG. 7 , or the first information may be step S706 of the embodiment shown in FIG. 7 .
  • the third message in this embodiment of the present application may be, for example, a message sent by the AUSF network element to the blockchain system when the AUSF network element registers with the blockchain system in step S806 of the embodiment shown in FIG. 8 .
  • the first information may be the first identifier of the AUSF network element registered in the blockchain system in step S806 of the embodiment shown in FIG. 8 and the address of the AUSF network element.
  • step S1102 may refer to step S606 in the embodiment shown in FIG. 6 or step S706 in the embodiment shown in FIG. 7 or step S806 in the embodiment shown in FIG. 8 , and details are not repeated here.
  • the authentication service function network element can send the data to the blockchain system.
  • a unified cross-domain authentication interface can be provided by the blockchain system, so that the application server can interact with the blockchain system through this interface and perform secure operations through the blockchain system, which not only simplifies the configuration of the third-party application, but also avoids the problem of the third-party application party negotiating one by one with the operator and deploying network elements to plan routes, improving the efficiency of the third-party application party.
  • the actions of the authentication service function network element in the above steps S1101 to S1102 may be executed by the processor 501 in the communication device 500 shown in FIG. 5 calling the application code stored in the memory 503 to instruct the authentication service function network element to execute.
  • this embodiment does not impose any restrictions on this.
  • an authentication method provided by an embodiment of the present application includes the following steps:
  • the authentication service function network element receives a second message from the blockchain system, where the second message includes the first identifier.
  • the authentication service function network element in the embodiment of the present application may be, for example, the AUSF network element in the embodiment shown in FIG. 7 or FIG. 8 .
  • the blockchain system in the embodiment of the present application may be, for example, the blockchain system in the embodiment shown in FIG. 7 or FIG. 8 .
  • the second message in the embodiment of the present application may be, for example, the verification request 2 in step S710 in the embodiment shown in FIG. 7 ; or, the second message in the embodiment of the present application may be, for example, as shown in FIG. 8 .
  • the authentication service function network element determines the user context of the terminal device according to the first identifier, where the user context of the terminal device includes the first key or the second key; the first key is derived from the second key, and the second key is a key generated after successful authentication between the terminal device and the authentication service function network element.
  • the first key in the embodiment of the present application may be, for example, Kchain in the embodiment shown in FIG. 7 or FIG. 8
  • the second key may be, for example, the Kchain in the embodiment shown in FIG. 7 or FIG. 8 .
  • the authentication service function network element generates a third key, where the third key is a key used for secure communication between the terminal device and the application server, wherein the input parameters for generating the third key include the first key or the second key.
  • the application server in the embodiment of the present application may be, for example, the AF network element in the embodiment shown in FIG. 7 or FIG. 8 .
  • the first key in this embodiment of the present application may be, for example, Kapp in the embodiment shown in FIG. 7 or FIG. 8 .
  • for the specific implementation of steps S1202-S1203, reference may be made to step S711 in the embodiment shown in FIG. 7 or step S810 in the embodiment shown in FIG. 8 , and details are not repeated here.
  • the authentication service function network element sends the third key to the blockchain system.
  • for the specific implementation of step S1204, reference may be made to step S712 in the embodiment shown in FIG. 7 or step S811 in the embodiment shown in FIG. 8 , and details are not repeated here.
  • the application side AApF network elements need to configure the interfaces and interface addresses with the AAuF network elements in different networks one by one.
  • the application server interacts with the blockchain system through this interface and performs secure operations through the blockchain system (such as obtaining the security parameters for the communication between the application server and the terminal device through the blockchain system), which not only simplifies the configuration of the third-party application, but also avoids the problem of the third-party application party negotiating one by one with the operator and deploying network elements to plan routes, improving the efficiency of the third-party application party.
  • the actions of the authentication service function network element in the above steps S1201 to S1204 may be executed by the processor 501 in the communication device 500 shown in FIG. 5 calling the application code stored in the memory 503 to instruct the authentication service function network element to execute.
  • this embodiment does not impose any restrictions on this.
  • the methods and/or steps implemented by the blockchain system may also be implemented by a component that can be used in the blockchain system (for example, one or more blockchain devices in the blockchain system).
  • the methods and/or steps implemented by the authentication service function network element (the AUSF network element in the embodiments shown in FIG. 6 to FIG. 8 , or the authentication service function network element in the embodiments shown in FIG. 11 to FIG. 12 ) may also be implemented by a component (for example, a chip or a circuit) that can be used in the authentication service function network element.
  • an embodiment of the present application further provides a communication device
  • the communication device may be one or more blockchain devices in the blockchain system in the above method embodiments, or a device including the above blockchain system, or a component that can be used in the above-mentioned blockchain device; or, the communication device may be an authentication service function network element in the above method embodiments, or a device including the above-mentioned authentication service function network element, or a component that can be used in the authentication service function network element.
  • the communication apparatus includes corresponding hardware structures and/or software modules for executing each function.
  • FIG. 13 shows a schematic structural diagram of a communication device 130 .
  • the communication device 130 includes a transceiver module 1301 and a processing module 1302 .
  • the transceiver module 1301 may also be referred to as a transceiver unit to implement a transceiver function, for example, a transceiver circuit, a transceiver, a transceiver or a communication interface.
  • taking the communication device 130 as one or more blockchain devices in the blockchain system in the above method embodiments, or as a chip or other component provided in such a blockchain device, as an example, in a possible implementation manner:
  • the transceiver module 1301 is configured to receive a first message from an application server, where the first message includes a first identifier, and parameters and/or messages encrypted by the terminal device using the first key.
  • the processing module 1302 is configured to determine the user context of the terminal device according to the first identifier.
  • the processing module 1302 is further configured to verify the legitimacy of the terminal device for a third-party application corresponding to the application server according to the user context of the terminal device and the parameters and/or messages encrypted by the terminal device using the first key.
  • the user context of the terminal device includes the first key
  • the processing module 1302, configured to determine the user context of the terminal device according to the first identifier includes: determining the first key according to the first identifier.
  • the processing module 1302 being configured to verify the legitimacy of the terminal device for the third-party application corresponding to the application server according to the user context of the terminal device and the parameters and/or messages encrypted by the terminal device using the first key includes: using the first key to decrypt the parameters and/or messages encrypted by the terminal device using the first key to obtain the decrypted parameters and/or messages; and determining that the terminal device is legitimate when the decrypted parameters conform to the preconfigured parameter format or value used for interaction between the terminal device and the blockchain system, and/or the decrypted message conforms to the preconfigured message format used for interaction between the terminal device and the blockchain system.
  • the first identifier includes at least one of the global blockchain identifier of the terminal device or the key identifier KID corresponding to the second key.
  • the second key is the key generated after successful authentication between the terminal device and the authentication service function network element.
  • the first key is derived from the second key
  • the second key is a key generated after successful authentication between the terminal device and the authentication service function network element.
  • the processing module 1302 is further configured to obtain a third key after verifying that the terminal device is legal, where the third key is a key used for secure communication between the terminal device and the application server.
  • the transceiver module 1301 is further configured to send the third key to the application server.
  • the user context of the terminal device includes the first key; the processing module 1302 being configured to obtain the third key includes: being configured to generate the third key, wherein the input parameters for generating the third key include the first key.
  • the processing module 1302 being configured to obtain the third key includes: sending a second message to the authentication service function network element through the transceiver module 1301, where the second message includes the first identifier, and the first identifier is used to determine the user context of the terminal device, the user context of the terminal device including the first key or the second key, the second key being the key generated after successful authentication between the terminal device and the authentication service function network element; and receiving a third key from the authentication service function network element through the transceiver module 1301, wherein the input parameters for generating the third key include the first key or the second key.
  • the input parameters for generating the third key also include the second identifier and/or the decrypted parameter, wherein the second identifier is the application identifier of the third-party application, and the decrypted parameter is the parameter obtained by using the first key to decrypt the parameters encrypted by the terminal device using the first key.
  • the transceiver module 1301 is further configured to, before receiving the first message from the application server, receive a third message from the authentication service function network element, the third message requesting that the first key, the first identifier and the address of the authentication service function network element be stored in the user context of the terminal device.
  • the processing module 1302 is further configured to store the first key, the first identifier and the address of the authentication service function network element in the user context of the terminal device.
  • the transceiver module 1301 is further configured to, before receiving the first message from the application server, receive a third message from the authentication service function network element, the third message requesting that the first key and the first identifier be stored in the user context of the terminal device.
  • the processing module 1302 is further configured to store the first key and the first identifier in the user context of the terminal device.
  • taking the communication device 130 as one or more blockchain devices in the blockchain system in the above method embodiments, or as a chip or other component provided in the blockchain device, as an example, in another possible implementation manner:
  • the transceiver module 1301 is configured to receive a first message from an application server, where the first message includes a first identifier.
  • the processing module 1302 is configured to determine the user context of the terminal device according to the first identifier, where the user context of the terminal device includes the first key.
  • the processing module 1302 is further configured to generate a third key, where the third key is a key used for secure communication between the terminal device and the application server, wherein the input parameters for generating the third key include the first key.
  • the first key is derived from the second key
  • the second key is a key generated after successful authentication between the terminal device and the authentication service function network element.
  • the first message further includes a second identifier and/or a parameter encrypted by the terminal device using the first key.
  • the second identifier is the application identifier of the third-party application corresponding to the application server; correspondingly, the input parameters for generating the third key also include the second identifier and/or the decrypted parameters, wherein the decrypted parameters are parameters obtained by using the first key to decrypt the parameters that the terminal device encrypted with the first key.
  • the transceiver module 1301 is further configured to, before receiving the first message from the application server, receive a third message from the authentication service function network element, the third message requesting that the first key and the first identifier be stored in the user context of the terminal device.
  • the processing module 1302 is further configured to store the first key and the first identifier in the user context of the terminal device.
  • the processing module 1302 is configured to obtain indication information, which indicates that a security operation is performed through the blockchain system.
  • the transceiver module 1301 is configured to send a third message to the blockchain system according to the indication information, where the third message includes first information and is used to request that the first information be stored in the user context of the terminal device, wherein the first information is the information required by the application server to perform the security operation through the blockchain system.
  • the first information includes a first identifier and an address of an authentication service function network element; or, the first information includes a first identifier and a first key; or, the first information includes a first identifier, a first key, and the address of the authentication service function network element.
  • the first identifier includes at least one of a global blockchain identifier of the terminal device or a key identifier KID corresponding to the second key.
  • the processing module 1302, configured to obtain the indication information, includes: receiving the indication information from the terminal device through the transceiver module 1301; or receiving the indication information from the unified data management network element through the transceiver module 1301.
  • the transceiver module 1301 is further configured to receive a second message from the blockchain system after sending the third message to the blockchain system, where the second message includes the first identifier.
  • the processing module 1302 is further configured to determine the user context of the terminal device according to the first identifier, where the user context of the terminal device includes the first key or the second key; the first key is derived from the second key, and the second key is a key generated after successful authentication between the terminal device and the authentication service function network element.
  • the processing module 1302 is further configured to generate a third key, where the third key is a key used for secure communication between the terminal device and the application server, wherein the input parameters for generating the third key include the first key or the second key.
  • the transceiver module 1301 is further configured to send a third key to the blockchain system.
  • the second message further includes a second identifier and/or a parameter encrypted by the terminal device using the first key.
  • the second identifier is the application identifier of the third-party application corresponding to the application server; correspondingly, the input parameters for generating the third key also include the second identifier and/or the decrypted parameters, wherein the decrypted parameters are parameters obtained by using the first key to decrypt the parameters that the terminal device encrypted with the first key.
  • the second message further includes parameters and/or messages encrypted by the terminal device using the first key.
  • the processing module 1302 is further configured to verify, before generating the third key, the legality of the terminal device for the third-party application corresponding to the application server according to the user context of the terminal device and the parameters and/or messages encrypted by the terminal device using the first key.
  • the user context of the terminal device includes the first key; the processing module 1302, configured to verify the legality of the terminal device for the third-party application corresponding to the application server according to the user context of the terminal device and the parameters and/or messages encrypted by the terminal device using the first key, includes: using the first key to decrypt the parameters and/or messages encrypted by the terminal device using the first key, to obtain the decrypted parameters and/or messages; and determining that the terminal device is legal when the decrypted parameters conform to the preconfigured parameter format or value used by the terminal device and the authentication service function network element, and/or the decrypted message conforms to the preconfigured message format used by the terminal device and the authentication service function network element.
  • performing the security operation through the blockchain system includes obtaining security parameters for communication between the application server and the terminal device through the blockchain system.
  • performing the security operation through the blockchain system further includes verifying the legitimacy of the terminal device for a third-party application corresponding to the application server through the blockchain system.
  • the transceiver module 1301 is configured to receive a second message from the blockchain system, where the second message includes the first identifier.
  • the processing module 1302 is configured to determine the user context of the terminal device according to the first identifier, where the user context of the terminal device includes the first key or the second key; the first key is derived from the second key.
  • the second key is a key generated after successful authentication between the terminal device and the authentication service function network element.
  • the processing module 1302 is further configured to generate a third key, where the third key is a key used for secure communication between the terminal device and the application server, wherein the input parameters for generating the third key include the first key or the second key.
  • the transceiver module 1301 is further configured to send a third key to the blockchain system.
  • the second message further includes a second identifier and/or a parameter encrypted by the terminal device using the first key.
  • the second identifier is the application identifier of the third-party application corresponding to the application server; correspondingly, the input parameters for generating the third key also include the second identifier and/or the decrypted parameters, wherein the decrypted parameters are parameters obtained by using the first key to decrypt the parameters that the terminal device encrypted with the first key.
  • the second message further includes parameters and/or messages encrypted by the terminal device using the first key.
  • the processing module 1302 is further configured to verify, before generating the third key, the legality of the terminal device for the third-party application corresponding to the application server according to the user context of the terminal device and the parameters and/or messages encrypted by the terminal device using the first key.
  • the user context of the terminal device includes the first key; the processing module 1302, configured to verify the legality of the terminal device for the third-party application corresponding to the application server according to the user context of the terminal device and the parameters and/or messages encrypted by the terminal device using the first key, includes: using the first key to decrypt the parameters and/or messages encrypted by the terminal device using the first key, to obtain the decrypted parameters and/or messages; and determining that the terminal device is legal when the decrypted parameters conform to the preconfigured parameter format or value used by the terminal device and the authentication service function network element, and/or the decrypted message conforms to the preconfigured message format used by the terminal device and the authentication service function network element.
  • the communication apparatus 130 is presented with its functional modules divided in an integrated manner.
  • Module herein may refer to a specific ASIC, circuit, processor and memory executing one or more software or firmware programs, integrated logic circuit, and/or other device that may provide the functions described above.
  • the communication apparatus 130 may take the form of the communication device 500 shown in FIG. 5 .
  • the processor 501 in the communication device 500 shown in FIG. 5 may invoke the computer execution instructions stored in the memory 503 to cause the communication device 500 to execute the authentication method in the above method embodiment.
  • the functions/implementation process of the transceiver module 1301 and the processing module 1302 in FIG. 13 can be implemented by the processor 501 in the communication device 500 shown in FIG. 5 calling the computer execution instructions stored in the memory 503 .
  • the function/implementation process of the processing module 1302 in FIG. 13 can be implemented by the processor 501 in the communication device 500 shown in FIG. 5 calling the computer execution instructions stored in the memory 503, and the function/implementation process of the transceiver module 1301 in FIG. 13 can be implemented through the communication interface 504 in the communication device 500 shown in FIG. 5.
  • since the communication device 130 provided in this embodiment can execute the above authentication method, for the technical effect it obtains reference may be made to the above method embodiment, which is not repeated here.
  • one or more of the above modules or units may be implemented by software, hardware or a combination of both.
  • the software exists in the form of computer program instructions and is stored in the memory, and the processor can be used to execute the program instructions and implement the above method flow.
  • the processor can be built into a SoC (system on chip) or an ASIC, or it can be an independent semiconductor chip.
  • the internal processing of the processor may further include necessary hardware accelerators, such as a field programmable gate array (FPGA), a programmable logic device (PLD), or a logic circuit that implements dedicated logic operations.
  • the hardware can be a CPU, microprocessor, digital signal processing (DSP) chip, microcontroller unit (MCU), artificial intelligence processor, ASIC, SoC, FPGA, PLD, dedicated digital circuit, hardware accelerator, or non-integrated discrete device, or any combination of these, which may or may not run the necessary software to perform the above method flows.
  • an embodiment of the present application further provides a communication apparatus (for example, the communication apparatus may be a chip or a chip system), where the communication apparatus includes a processor for implementing the method in any of the foregoing method embodiments.
  • the communication device further includes a memory.
  • the memory is used to store necessary program instructions and data, and the processor can call the program code stored in the memory to instruct the communication apparatus to execute the method in any of the above method embodiments.
  • the memory may also be located outside the communication device.
  • when the communication device is a chip system, it may be composed of a chip, or may include a chip and other discrete devices, which is not specifically limited in this embodiment of the present application.
  • the above-mentioned embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof.
  • when implemented as a software program, they can be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on the computer, all or part of the processes or functions described in the embodiments of the present application are generated.
  • the computer may be a general purpose computer, special purpose computer, computer network, or other programmable device.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wirelessly (e.g., infrared, radio, microwave).
  • the computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media.
  • the usable media may be magnetic media (eg, floppy disks, hard disks, magnetic tapes), optical media (eg, DVDs), or semiconductor media (eg, solid state disks (SSDs)), and the like.
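The blockchain-side handling described in the bullets above (decrypting the parameter the terminal encrypted with the first key, checking it against the pre-configured format to verify the terminal is legal, then generating the third key from the first key, the application identifier and the decrypted parameter), as an added Python example that is not part of the patent. The HKDF-based derivation, the HMAC-based encrypt-then-MAC stand-in for an AEAD, the parameter format, the identifier values and the message field names are all assumptions; the page names no concrete algorithms.

```python
import hashlib
import hmac
import secrets

# Constructed pre-configured parameter format (assumed, not from the page):
# a fixed ASCII tag followed by 16 bytes of terminal-chosen randomness.
PARAM_TAG = b"TERMPARAM"
PARAM_LEN = len(PARAM_TAG) + 16

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract-then-expand) with SHA-256."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF-based keystream."""
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def encrypt_with_first_key(k1: bytes, plaintext: bytes) -> bytes:
    """Terminal side: encrypt-then-MAC under keys derived from K1. Stand-in
    for a real AEAD such as AES-GCM; the page names no cipher."""
    enc_key, mac_key = hkdf_sha256(k1, b"", b"enc"), hkdf_sha256(k1, b"", b"mac")
    nonce = secrets.token_bytes(12)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_with_first_key(k1: bytes, blob: bytes):
    """Returns the plaintext, or None when the tag fails (wrong K1, tampering,
    truncation). The tag is checked before anything is decrypted."""
    enc_key, mac_key = hkdf_sha256(k1, b"", b"enc"), hkdf_sha256(k1, b"", b"mac")
    if len(blob) < 12 + 32:
        return None
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))

def derive_third_key(k1: bytes, app_id: bytes, param: bytes) -> bytes:
    """K3 = KDF(first key, second identifier (app id), decrypted parameter)."""
    return hkdf_sha256(k1, b"", b"third-key|" + app_id + b"|" + param)

def blockchain_handle_first_message(user_contexts: dict, first_message: dict):
    """Blockchain-system side: find the user context by the first identifier,
    verify the terminal is legal, then generate K3. Returns (status, K3 or None)."""
    ctx = user_contexts.get(first_message["first_identifier"])
    if ctx is None:
        return "unknown_identifier", None
    param = decrypt_with_first_key(ctx["first_key"], first_message["encrypted_param"])
    if param is None:
        return "decrypt_failed", None
    # Legality check: the decrypted parameter must match the pre-configured format.
    if len(param) != PARAM_LEN or not param.startswith(PARAM_TAG):
        return "bad_param_format", None
    return "ok", derive_third_key(ctx["first_key"], first_message["app_id"], param)

def demo() -> tuple:
    """Constructed end-to-end run: both sides must arrive at the same K3."""
    k1 = hashlib.sha256(b"constructed first key").digest()    # constructed K1
    user_contexts = {"GBID-0001": {"first_key": k1}}          # constructed context
    param = PARAM_TAG + secrets.token_bytes(16)
    msg = {"first_identifier": "GBID-0001", "app_id": b"app.example",
           "encrypted_param": encrypt_with_first_key(k1, param)}
    status, k3_chain = blockchain_handle_first_message(user_contexts, msg)
    return status, k3_chain == derive_third_key(k1, b"app.example", param)
```

Because the application identifier is a KDF input, two third-party applications served by the same terminal never share a third key, and a parameter that fails the tag check is rejected before the format check runs.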

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephone Function (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The present application relates to an authentication method, apparatus and system, which can simplify the configuration of a third-party application. The method comprises the following steps: a blockchain system receives a first message from an application server, the first message comprising a first identifier and a parameter and/or message encrypted by a terminal device using a first key; the blockchain system determines the user context of the terminal device according to the first identifier; and, according to the user context of the terminal device and the parameter and/or message encrypted by the terminal device using the first key, the blockchain system verifies the legitimacy of the terminal device for a third-party application corresponding to the application server. The present application is applicable to the technical field of communications.
PCT/CN2021/113523 2020-08-27 2021-08-19 Procédé, appareil et système d'authentification WO2022042417A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010880356.4 2020-08-27
CN202010880356.4A CN114205072B (zh) 2020-08-27 2020-08-27 认证方法、装置及系统

Publications (1)

Publication Number Publication Date
WO2022042417A1 true WO2022042417A1 (fr) 2022-03-03

Family

ID=80352621

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/113523 WO2022042417A1 (fr) 2020-08-27 2021-08-19 Procédé, appareil et système d'authentification

Country Status (2)

Country Link
CN (1) CN114205072B (fr)
WO (1) WO2022042417A1 (fr)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114928617B (zh) * 2022-06-15 2023-07-21 中国电信股份有限公司 专网签约数据管理方法、装置、设备及介质
CN115801914B (zh) * 2022-11-29 2024-04-30 重庆长安汽车股份有限公司 一种多协议网络数据交换方法

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108737418A (zh) * 2018-05-22 2018-11-02 飞天诚信科技股份有限公司 一种基于区块链的身份认证方法及系统
WO2019086127A1 (fr) * 2017-11-03 2019-05-09 Motorola Mobility Llc Authentification d'utilisateur grâce à des informations de connexion fournies par un réseau de chaîne de blocs
CN109829720A (zh) * 2019-01-31 2019-05-31 中国—东盟信息港股份有限公司 一种基于区块链交易数据的身份实名认证方法
US20200084018A1 (en) * 2018-09-07 2020-03-12 Sap Se Blockchain-incorporating distributed authentication system
WO2020091278A1 (fr) * 2018-10-31 2020-05-07 주식회사 스위클 Système et procédé de fourniture d'informations personnelles utilisant une clé privée à usage unique basée sur une chaîne de blocs de preuve d'utilisation
CN111132165A (zh) * 2019-12-30 2020-05-08 全链通有限公司 基于区块链的5g通信无卡接入方法、设备及存储介质
CN111464287A (zh) * 2019-01-21 2020-07-28 华为技术有限公司 生成密钥的方法和装置

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112492590A (zh) * 2017-11-14 2021-03-12 华为技术有限公司 一种通信方法及装置
CN110798833B (zh) * 2018-08-03 2023-10-24 华为技术有限公司 一种鉴权过程中验证用户设备标识的方法及装置

Also Published As

Publication number Publication date
CN114205072A (zh) 2022-03-18
CN114205072B (zh) 2023-04-28

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21860255

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21860255

Country of ref document: EP

Kind code of ref document: A1