WO2024021580A1 - Security authentication method for user terminal to access network, apparatus, and electronic device - Google Patents

Security authentication method for user terminal to access network, apparatus, and electronic device

Info

Publication number
WO2024021580A1
Authority
WO
WIPO (PCT)
Prior art keywords
security
user terminal
user
network
authentication
Application number
PCT/CN2023/077193
Other languages
French (fr)
Chinese (zh)
Inventor
李燕
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司
Publication of WO2024021580A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/2866 Architectures; Arrangements
    • H04L67/30 Profiles
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Definitions

  • the present disclosure relates to the field of mobile communication technology, and in particular to a security authentication method, apparatus and electronic device for user terminal access to a network.
  • the fifth generation mobile communication technology (5G) network has introduced three major business scenarios.
  • the three major business scenarios have different security requirements based on their own characteristics, and they will subsequently evolve to the sixth generation mobile communication technology (6G).
  • the 6th Generation Mobile Communication Technology (6G) network will further expand application scenarios, thus further increasing the personalized demand for security.
  • the present disclosure provides a security authentication method, apparatus and electronic device for user terminal access to the network, to solve the problem that the existing 5G security authentication process applies the same level of security authentication and key agreement in every case, so that its flexibility is no longer sufficient for the personalized security requirements of a variety of different business scenarios.
  • the present disclosure provides a security authentication method for user terminal access to the network, which is applied to the security algorithm negotiation function SANF network element.
  • the method includes: when the user terminal accesses the network, obtaining the security information of the user terminal and the access network, where the security information includes the terminal type of the user terminal, the user subscription identifier of the user terminal, and the access network type; determining, based on the terminal type, user subscription identifier and access network type, the configuration parameters used to generate a security configuration file; and generating the security configuration file based on the configuration parameters and passing it to the user terminal, so that the user terminal can complete the security authentication process for accessing the network based on the security configuration file.
  • the present disclosure also provides a security authentication device for user terminal access to the network, which is applied to the security algorithm negotiation function SANF network element.
  • the device includes: an acquisition module, a determination module, and a transfer module.
  • the acquisition module is configured to obtain the security information of the user terminal and the access network.
  • the security information includes the terminal type of the user terminal, the user subscription identification of the user terminal, and the type of access network;
  • the determination module is configured to determine, based on the terminal type, the user subscription identification and the access network type, the configuration parameters used to generate the security configuration file;
  • the delivery module is configured to generate the security configuration file based on the configuration parameters and deliver it to the user terminal, so that the user terminal can complete the security authentication process for accessing the network according to the security configuration file.
  • the present disclosure also provides an electronic device, including a processor, a communication interface, a memory, and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus; the memory is used to store a computer program, and the processor is used to implement the steps of the security authentication method for user terminal access to the network according to any embodiment of the first aspect when executing the program stored in the memory.
  • the present disclosure also provides a computer-readable storage medium on which a computer program is stored.
  • when the computer program is executed by a processor, the steps of the security authentication method for user terminal access to the network as described in any embodiment of the first aspect are implemented.
  • Figure 1 is a schematic flow chart of a security authentication method for user terminal access to the network provided by the present disclosure
  • FIG. 2 is a schematic structural diagram of a security algorithm negotiation function SANF network element provided by the present disclosure
  • Figure 3 is a schematic flowchart of generating a security configuration file provided by the present disclosure
  • Figure 4 is a schematic flow chart of a user terminal authentication response provided by the present disclosure
  • Figure 5 is a schematic flowchart of obtaining security information provided by the present disclosure
  • Figure 6 is a schematic structural diagram of a security authentication device for user terminal access to the network provided by the present disclosure
  • Figure 7 is a schematic structural diagram of an electronic device provided by the present disclosure.
  • Figure 1 is a schematic flow chart of a security authentication method for user terminal access to a network provided by the present disclosure.
  • the security authentication method for user terminal access to the network is applied to the security algorithm negotiation function SANF network element, and the method may include the following steps 101 to 103.
  • Step 101 When the user terminal accesses the network, obtain the security information of the user terminal and the access network.
  • the security information includes the terminal type of the user terminal, the user subscription identification of the user terminal, and the type of the access network.
  • the security authentication method for user terminal access to the network is applied to the Security Algorithm Negotiation Function (SANF) network element.
  • the SANF network element can be the Unified Data Management (UDM) network element on the home network side, or a logical function independent of the UDM network element.
  • the main functional modules of the SANF network element may include a user and network security information collection module, a security algorithm analysis and decision-making module, and a security differentiated configuration file delivery module.
  • the user and network security information collection module is configured to collect information such as the terminal type of the user terminal (User Equipment, referred to as UE), the type of access network, and the user subscription identification of the user terminal.
  • UE User Equipment
  • the security algorithm analysis and decision-making module is configured to analyze and make judgments on the collected user information and security capabilities, combined with network-related information, and select appropriate authentication mode, security algorithm, key length and other security information data.
  • the security differentiated configuration file delivery module is configured to generate differentiated security configuration files from the selected security information data, and to provide guidance and configuration for subsequent user terminal authentication, key negotiation, and security algorithm negotiation.
  • the internal structure of the SANF network element is shown in Figure 2.
  • the SANF network element can obtain the security information of the user terminal and the access network.
  • the security information here may include but is not limited to information such as the terminal type of the user terminal, the user subscription identification of the user terminal, and the type of access network. It should be noted that the terminal types of user terminals can be divided into low-energy terminals, medium-energy terminals, high-energy terminals, etc. according to the terminal capabilities.
  • the user subscription identifier of the user terminal may include a user permanent subscription identifier (Subscription Permanent Identifier, referred to as SUPI) and a user hidden subscription identifier (Subscription Concealed Identifier, referred to as SUCI), where SUCI is the encrypted output result from SUPI.
  • SUPI User Permanent Identifier
  • SUCI User hidden subscription identifier
  • the types of access networks may include 3GPP access networks and Non-3GPP access networks, where a 3GPP access network refers to an access network defined by the 3GPP organization, such as Long Term Evolution (LTE), Wideband Code Division Multiple Access (WCDMA), Time Division-Synchronous Code Division Multiple Access (TD-SCDMA), Global System for Mobile Communications (GSM), etc.
  • a Non-3GPP access network refers to an access network defined by an organization other than 3GPP, such as Wireless Local Area Network (WLAN), High Rate Packet Data (HRPD), etc.
  • WLAN Wireless Local Area Networks
  • HRPD High Rate Packet Data
  • Step 102 Determine configuration parameters for generating a security configuration file based on the terminal type, user subscription identification, and access network type.
  • the SANF network element can determine the capabilities of the user terminal and the access network, as well as the security requirements of the user terminal in the current business scenario, based on the terminal type, user subscription identifier and access network type, and then determine the configuration parameters of the security profile corresponding to the user terminal according to those capabilities and security requirements.
  • the configuration parameters of the security profile may include, but are not limited to, parameters used to characterize the authentication mode type, parameters used to characterize the key derivation algorithm, parameters used to characterize the key length, and the like.
  • the authentication mode types here can include the existing 5G-AKA and EAP-AKA', and other authentication modes can also be introduced, such as EAP-TLS; to adapt to different application scenarios and different security requirements, a lightweight authentication mode or a heavy authentication mode can also be introduced;
  • the key derivation algorithm here can include the national secret algorithms SM3 and SM4, and other key derivation algorithms required or specified by enterprises or operators; the key length supports 128 bits, 256 bits, 512 bits, etc.
  • Step 103 Generate a security configuration file based on the configuration parameters, and pass the security configuration file to the user terminal, so that the user terminal can complete the security authentication process for accessing the network based on the security configuration file.
  • the SANF network element can generate a security profile (SP for short) based on the configuration parameters and pass the security profile to the user terminal.
  • SP security profile
  • the user terminal performs security configuration based on the security profile and generates its own security configuration file, and uses that file to generate the parameters required for authentication and key derivation, thereby completing the security authentication process for accessing the network as well as the subsequent security processing and security protection processes, so that the user terminal accesses the network securely.
  • a security algorithm negotiation function SANF network element can be added to the network side.
  • the SANF network element generates, according to the terminal type of the user terminal, the user subscription identifier of the user terminal and the access network type, a security profile that matches the capabilities and security requirements of the user terminal and the access network, and the security profile is passed to the user terminal so that the user terminal completes the security authentication process for accessing the network based on the security configuration file.
  • differentiated security configuration files can be generated for different terminal types, different access network types, and different user subscription IDs in different business scenarios to achieve differentiated security authentication.
  • in the above step 102, determining the configuration parameters for generating a security configuration file according to the terminal type, user subscription identifier and access network type includes: receiving the user subscription message and the authentication mode type supported by the user terminal and the access network, both sent by the unified data management UDM network element.
  • the user subscription message is obtained by the UDM network element based on the user subscription identifier.
  • the authentication mode type supported by the user terminal and the access network is obtained by the UDM network element from the authentication credential repository ARPF network element based on the user subscription identifier; based on the user subscription message, the authentication mode type supported by the user terminal and access network, and the obtained terminal type and access network type, the configuration parameters used to generate the security configuration file are determined.
  • the SANF network element can interact with the unified data management UDM network element to determine configuration parameters for generating a security configuration file.
  • the UDM network element can obtain the user subscription message based on the user subscription identifier, and can also obtain the user subscription message from the Authentication Credential Repository and Processing Function (ARPF) network element based on the user subscription identifier.
  • ARPF Authentication Credential Repository and Processing Function
  • the UDM network element then sends the user subscription message, the authentication mode type supported by the user terminal and the access network, and the obtained terminal type and access network type to the SANF network element.
  • the SANF network element determines the configuration parameters used to generate the security configuration file based on the user subscription message, the authentication mode type supported by the user terminal and the access network, and the obtained terminal type and access network type, as shown in Figure 3.
  • the user subscription messages here include but are not limited to the application layer authentication and key management subscription (AMKA subscription), the authentication subscription, the key derivation algorithm subscription, the key length subscription, etc.
  • when the user subscription identifier is of the user hidden subscription identifier type, the UDM network element needs to decrypt the user subscription identifier through the subscription identifier de-concealing function SIDF network element, and obtains the user subscription message, the user credentials, and the authentication mode type supported by the user terminal and the access network based on the decrypted user subscription identifier.
  • the SIDF network element decrypts the user subscription identity based on the user credentials.
  • the user credentials are obtained by the UDM network element from the ARPF network element based on the user subscription identifier; when the user subscription identifier is the user permanent subscription identifier, the UDM network element directly obtains the user subscription message, the user credentials, and the authentication mode type supported by the user terminal and access network based on the user subscription identifier.
  • when the user subscription identifier is of the user hidden subscription identifier type (SUCI), the UDM network element can also use field information in the SUCI, such as the protection scheme ID and the home network public key ID, to obtain from the ARPF network element the user credentials and the authentication scheme type supported by the user terminal and the access network.
  • the UDM network element can also have the user subscription identifier decrypted by the Subscription Identifier De-concealing Function (SIDF) network element based on the user credentials, and then use the decrypted user subscription identifier to obtain the user subscription message.
  • SIDF Subscription Identifier De-concealing Function
  • when the user subscription identifier is of the user permanent subscription identifier (SUPI) type, the UDM network element can also directly obtain the user credentials and the authentication mode type supported by the user terminal and access network from the ARPF network element based on the SUPI, and can also directly obtain the user subscription message based on the user subscription identifier.
  • in the above step 103, transmitting the security configuration file to the user terminal includes: transmitting the security configuration file to the UDM network element, where the UDM network element is used to carry the security configuration file as a newly added information element field, perform integrity protection processing on the newly added field, and pass the integrity-protected information element field to the user terminal through the authentication server function AUSF network element and the security anchor function SEAF network element in sequence.
  • the security configuration file can be passed to the UDM network element.
  • the UDM network element can carry the security configuration file as a new information element (Information Element, IE) field, referred to as the SP IE.
  • AUSF Authentication Server Function
  • SEAF SEcurity Anchor Function
  • the UDM network element is also configured to generate a home environment authentication vector according to the security configuration file, and to pass the authentication token in the home environment authentication vector and the integrity-protected information element field to the user terminal through the AUSF network element and the SEAF network element in sequence; the AUSF network element is used to determine the service environment authentication vector based on the home environment authentication vector and to send the service environment authentication vector and the integrity-protected information element field to the SEAF network element; the SEAF network element is used to send the service environment authentication vector, which includes the authentication token, and the integrity-protected information element field to the user terminal; the user terminal is used to perform timeliness verification based on the authentication token and integrity verification on the integrity-protected information element field, and if both verifications succeed, to complete the security authentication process for accessing the network based on the information element field whose integrity verification succeeded.
  • the UDM network element can also generate a home environment authentication vector (5G Home Environment Authentication Vector, 5G HE AV) according to the security configuration file, and passes the authentication token (Authentication Token, AUTN) in the home environment authentication vector together with the integrity-protected information element field to the AUSF network element as the authentication response message (Nudm_UEAuthentication_Get Response in Figure 4).
  • 5G HE AV 5G Home Environment Authentication Vector
  • AUTN authentication token
  • the AUSF network element can determine the service environment authentication vector (5G Service Environment Authentication Vector, 5G SE AV) based on the home environment authentication vector, and sends the authentication token in the service environment authentication vector together with the integrity-protected information element field to the SEAF network element as an authentication response message (Nausf_UEAuthentication_Authenticate Response in Figure 4); the SEAF network element can send the service environment authentication vector and the integrity-protected information element field to the user terminal as an authentication request (Authentication Request in Figure 4); finally, the user terminal can perform timeliness verification based on the authentication token and integrity verification of the integrity-protected information element field.
  • the network side uses the private key related to the user terminal to protect the integrity of the SP IE.
  • after receiving the authentication request (Authentication Request) from the network side, the user terminal verifies the timeliness of the authentication request message through the AUTN it carries. After confirming that the timeliness of the authentication request message is acceptable, the integrity of the SP IE is verified through the public key of the network side. If the integrity verification fails, an authentication failure reply is sent to the network side; if the integrity verification succeeds, the user terminal generates the relevant security configuration file and performs subsequent key derivation from the information element field whose integrity verification succeeded, and replies to the network side with an authentication response message (Authentication Response in Figure 4), thereby completing the security authentication process for accessing the network.
  • This method can effectively prevent SP IE from being tampered with during the transmission process and improve the security of secure configuration file transmission.
  • the above step 101, obtaining the security information of the user terminal and the access network when the user terminal accesses the network, includes: when the user terminal requests to access the network, receiving the security information sent by the UDM network element, wherein the UDM network element is used to parse the first authentication request sent by the AUSF network element to obtain the security information carried in it and send the security information to the SANF network element; the first authentication request is generated by the AUSF network element after receiving the second authentication request sent by the SEAF network element, and the second authentication request is generated by the SEAF network element after receiving the registration request sent by the user terminal.
  • the second authentication request carries the terminal type, user subscription identification and access network type.
  • the registration request is generated when the user terminal accesses the network.
  • the registration request carries the terminal type and the user subscription identifier.
  • the SANF network element can obtain security information from the UDM network element.
  • the user terminal UE initiates a registration request (Register Request in Figure 5) on the access network; the registration request message carries the terminal type (UE type) and the SUCI or the 5G Globally Unique Temporary UE Identity (5G-GUTI), and is sent to the security anchor function (SEAF, SEcurity Anchor Function) network element of the serving network.
  • the SEAF network element sends a second authentication request (the Nausf_UEAuthentication_Authenticate Request message in Figure 5) to the AUSF network element by calling the Nausf_UEAuthentication service.
  • the second authentication request carries the SUCI, or the SUPI mapped from the 5G-GUTI, and the Serving Network Name (SNN), where the Serving Network Name may include the serving network identifier (SN ID) and the access network type.
  • the AUSF network element verifies the serving network by comparing whether the service network name carried in the second authentication request message is consistent with the default service network name of the serving network where the user terminal is located, that is, whether the SEAF network element has the right to use the service network name in the second authentication request message, and at the same time verifies the corresponding access network type. If the serving network is not authorized to use the service network name in the second authentication request message, "the serving network is not authorized" is replied. Otherwise, the AUSF network element considers that the serving network is authorized to use that service network name, and at this time initiates a first authentication request (the Nudm_UEAuthentication_Get Request message in Figure 5) to the UDM network element. The first authentication request carries the SUCI or SUPI and the service network name. After receiving the Nudm_UEAuthentication_Get Request message, the UDM network element sends the security information carried in the message to the SANF network element, and the SANF network element generates a security profile.
  • Figure 5 shows an improvement made to the existing 5G security authentication process.
  • a SANF network element is added to the existing process, and when the user terminal initiates a registration request on the access network, in addition to carrying the SUCI or 5G-GUTI, it can also carry the UE type.
  • the SEAF network element sends the second authentication request to the AUSF network element and the AUSF network element sends the first authentication request to the UDM network element, in addition to carrying the SN ID, SUCI or SUPI
  • the configuration parameters include parameters used to characterize the authentication mode type, parameters used to characterize the key derivation algorithm, and parameters used to characterize the key length.
  • the following takes the intensive access scenario of mMTC as an example.
  • 5G requires an access volume of millions per square kilometer.
  • 6G requires an access volume of tens of millions per square kilometer.
  • Such intensive terminal access will have a significant impact on network access authentication.
  • SANF network elements can flexibly configure the user's Security Profile and select the appropriate authentication mode and security processing based on the terminal type or user subscription data.
  • when accessing the network, the UE initiates a registration request carrying the terminal type, which here is a certain type of low-energy terminal in mMTC.
  • the network side selects a matching lightweight access authentication mode, a simplified key derivation algorithm, and appropriate key length and other security configurations for the UE based on the UE's terminal type and subscription data information.
  • the network side generates a simplified 5G HE AV based on the generated Security profile, and indicates the SP information to the UE through the SP IE; finally, the UE side completes the security authentication process for accessing the network through interaction with the network side based on the SP IE indication information and the authentication information of the network side.
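The SANF decision step and the SP IE integrity check from the mMTC scenario above, as an added example that is not part of the patent or of any ZTE implementation. The ranking policy in DecideProfile, the JSON encoding of the profile, the Ed25519 signature by a network-side key pair (the page only says the UE checks the SP IE with the network's public key) and the subscription record are all assumptions constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// SecurityInfo is what the SANF collection module gathers (the subscription id selects the Subscription below).
type SecurityInfo struct {
	TerminalType string // "low-energy", "medium-energy" or "high-energy"
	AccessType   string // "3GPP" or "Non-3GPP"
}

// Subscription stands in for the UDM/ARPF records: allowed auth modes, KDF algorithms, max key length.
type Subscription struct {
	AuthModes  map[string]bool
	KDFAlgs    []string
	MaxKeyBits int
}

// SecurityProfile (SP) is the differentiated configuration the SANF decides.
type SecurityProfile struct {
	AuthMode string `json:"auth_mode"`
	KDF      string `json:"kdf"`
	KeyBits  int    `json:"key_bits"`
}

// SPIE is the new information element: encoded SP plus a signature by the network-side private key (assumed Ed25519).
type SPIE struct{ Profile, Sig []byte }

// DecideProfile is the analysis-and-decision module. Its ranking rules are an
// assumed policy written for this example, not taken from the patent.
func DecideProfile(info SecurityInfo, sub Subscription) (SecurityProfile, error) {
	var sp SecurityProfile
	prefs := []string{"5G-AKA", "EAP-AKA'"} // default order for medium-energy terminals
	switch info.TerminalType {
	case "low-energy":
		prefs = []string{"lightweight-AKA", "5G-AKA", "EAP-AKA'"}
	case "high-energy":
		prefs = []string{"EAP-TLS", "5G-AKA", "EAP-AKA'"}
	}
	if info.AccessType == "Non-3GPP" { // assumed: EAP-based modes first on non-3GPP access
		prefs = append([]string{"EAP-AKA'", "EAP-TLS"}, prefs...)
	}
	for _, m := range prefs {
		if sub.AuthModes[m] { // only a mode the subscription allows may be chosen
			sp.AuthMode = m
			break
		}
	}
	if sp.AuthMode == "" {
		return sp, fmt.Errorf("no authentication mode common to UE, network and subscription")
	}
	sp.KDF = "HMAC-SHA-256" // default when the subscription names no algorithm
	if len(sub.KDFAlgs) > 0 {
		sp.KDF = sub.KDFAlgs[0] // e.g. SM3 from a key derivation algorithm subscription
	}
	sp.KeyBits = 128 // low-energy terminals keep 128 bits; others take the subscribed maximum
	if info.TerminalType != "low-energy" && sub.MaxKeyBits > 128 {
		sp.KeyBits = sub.MaxKeyBits
	}
	return sp, nil
}

// GenerateNetworkKeys makes the network-side key pair that protects the SP IE.
func GenerateNetworkKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// ProtectSP is the UDM step: carry the SP as a new IE and integrity-protect it.
func ProtectSP(priv ed25519.PrivateKey, sp SecurityProfile) SPIE {
	b, _ := json.Marshal(sp) // marshalling a struct of strings and ints cannot fail
	return SPIE{Profile: b, Sig: ed25519.Sign(priv, b)}
}

// VerifySP is the UE step after the AUTN timeliness check; false means the UE replies with an authentication failure.
func VerifySP(pub ed25519.PublicKey, ie SPIE) (SecurityProfile, bool) {
	var sp SecurityProfile
	if !ed25519.Verify(pub, ie.Profile, ie.Sig) || json.Unmarshal(ie.Profile, &sp) != nil {
		return SecurityProfile{}, false
	}
	return sp, true
}

func main() {
	pub, priv, _ := GenerateNetworkKeys()
	// Constructed mMTC case from the page: a low-energy UE registering over 3GPP access.
	sub := Subscription{AuthModes: map[string]bool{"5G-AKA": true, "lightweight-AKA": true},
		KDFAlgs: []string{"SM3"}, MaxKeyBits: 256}
	sp, _ := DecideProfile(SecurityInfo{TerminalType: "low-energy", AccessType: "3GPP"}, sub)
	ie := ProtectSP(priv, sp)
	got, ok := VerifySP(pub, ie)
	fmt.Println(got, ok) // {lightweight-AKA SM3 128} true
	ie.Profile = []byte(`{"auth_mode":"lightweight-AKA","kdf":"SM3","key_bits":64}`) // tampered in transit
	_, ok = VerifySP(pub, ie)
	fmt.Println(ok) // false: the UE replies with an authentication failure
}
```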
  • the security capability negotiation between the UE and the network is processed in a unified manner, the UE's own capabilities and subscription information are comprehensively considered, and differentiated automatic matching is formed based on the UE's capabilities, UE classification, and user subscription tendencies. In this way, the following technical effects are achieved.
  • the authentication mode can be expanded into multiple authentication modes, not only including the existing 5G-AKA and EAP-AKA', but also other authentication modes can be introduced, such as EAP-TLS, even to adapt to different application scenarios. Based on different security requirements, lightweight authentication mode or heavy authentication mode can be introduced.
  • Currently, the key derivation algorithm is fixed. The Chinese national cryptographic algorithms SM3 and SM4 can be introduced as key derivation algorithms, and, to meet the special needs of industry private networks, key derivation algorithms required or specified by enterprises or operators can also be introduced.
  • Currently, the key length used in 5G authentication and key agreement is 128 bits, and the key length is one of the parameters that most directly reflects security capability.
  • A fixed key length cannot reflect differences in security requirements. For scenarios with high security requirements, such as applications that must resist quantum attacks, 128 bits no longer suffices, so longer key lengths need to be supported.
  • A scalable key length does not mean an arbitrary key length; it means supporting several key lengths (for example 128 bits and 256 bits) and selecting, according to the scenario and its security requirements, the length that meets current needs.
  • Security capability expansion includes but is not limited to the three parameters described above, and can be flexibly expanded according to subsequent needs.
  • An arbitration negotiation function is introduced to match and negotiate security capabilities according to the security requirements and to provide the optimal security combination for different application scenarios.
  • The introduced full algorithm negotiation function can automatically match the parameters described above according to the user's subscription mechanism, terminal type or access network type.
  • This disclosure is not a simple combination of existing technologies: it uses the concept of big data to collect data such as users' security capabilities and subscription information and, through comprehensive analysis and decision algorithms, provides differentiated security matching for different terminals and different user preferences.
  • Figure 6 shows a security authentication device for user terminal access to the network provided by the present disclosure, which is applied to the security algorithm negotiation function SANF network element.
  • The device 600 includes an acquisition module 601, a determination module 602 and a delivery module 603.
  • the acquisition module 601 is configured to obtain the security information of the user terminal and the access network.
  • the security information includes the terminal type of the user terminal, the user subscription identification of the user terminal and the type of access network;
  • The determination module 602 is configured to determine, according to the terminal type, the user subscription identifier and the access network type, the configuration parameters used to generate a security profile.
  • The delivery module 603 is configured to generate the security profile based on the configuration parameters and deliver it to the user terminal, so that the user terminal completes the security authentication procedure for accessing the network based on the security profile.
  • The determination module 602 includes a first receiving sub-module, configured to receive a user subscription message sent by the unified data management (UDM) network element together with the authentication mode types supported by the user terminal and the access network, where the user subscription message is obtained by the UDM network element based on the user subscription identifier and the supported authentication mode types are obtained by the UDM network element from the authentication credential repository and processing function (ARPF) network element based on the user subscription identifier; and a determination sub-module, configured to determine the configuration parameters used to generate the security profile based on the user subscription message, the supported authentication mode types, and the acquired terminal type and access network type.
  • When the user subscription identifier is a subscription concealed identifier (SUCI), the UDM network element needs to have the identifier decrypted by the subscription identifier decryption function (SIDF) network element, and then obtains the user subscription message, the user credentials and the supported authentication mode types based on the decrypted identifier. The SIDF network element decrypts the user subscription identifier based on the user credentials, which the UDM network element obtains from the ARPF network element based on the user subscription identifier.
  • When the user subscription identifier is a subscription permanent identifier (SUPI), the UDM network element directly obtains the user subscription message, the user credentials and the supported authentication mode types based on it.
  • The delivery module 603 includes a delivery sub-module configured to deliver the security profile to the UDM network element. The UDM network element carries the security profile as a newly added information element (IE) field, applies integrity protection to the new IE field, and delivers the integrity-protected IE field to the user terminal via the authentication server function (AUSF) network element and then the security anchor function (SEAF) network element.
  • The UDM network element is also configured to generate a home environment authentication vector according to the security profile, and to pass the authentication token contained in that vector, together with the integrity-protected IE field, to the user terminal via the AUSF and SEAF network elements in sequence. The AUSF network element derives the serving environment authentication vector from the home environment authentication vector and sends it with the integrity-protected IE field to the SEAF network element; the SEAF network element sends both to the user terminal. The serving environment authentication vector includes the authentication token. The user terminal performs a timeliness check based on the authentication token and an integrity check on the protected IE field; only if both succeed does it complete the security authentication procedure for accessing the network, using the IE field whose integrity was verified.
  • The acquisition module 601 includes a second receiving sub-module configured to receive the security information sent by the UDM network element when the user terminal requests access to the network. The UDM network element parses the first authentication request it receives, obtains the security information carried in it, and sends that security information to the SANF network element.
  • The first authentication request is generated by the AUSF network element when it receives a second authentication request sent by the SEAF network element.
  • The second authentication request is generated by the SEAF network element when it receives a registration request sent by the user terminal, and carries the terminal type, the user subscription identifier and the access network type.
  • The registration request is generated when the user terminal accesses the network, and carries the terminal type and the user subscription identifier.
  • the configuration parameters include parameters used to characterize the authentication mode type, parameters used to characterize the key derivation algorithm, and parameters used to characterize the key length.
  • The security authentication device 600 for user terminal access to the network can implement the steps of the security authentication method provided in any of the foregoing method embodiments and achieve the same technical effect, which is not repeated here.
  • the present disclosure provides an electronic device, including a processor 711, a communication interface 712, a memory 713, and a communication bus 714.
  • the processor 711, the communication interface 712, and the memory 713 complete interactions with each other through the communication bus 714.
  • The memory 713 is used to store a computer program. In one embodiment of the present disclosure, when executing the program stored in the memory 713, the processor 711 implements the security authentication method for user terminal access to the network provided by any of the foregoing method embodiments, which includes: when the user terminal accesses the network, acquiring the security information of the user terminal and the access network, the security information including the terminal type of the user terminal, the user subscription identifier of the user terminal and the type of the access network; determining, according to the terminal type, the user subscription identifier and the access network type, the configuration parameters used to generate a security profile; and generating the security profile based on the configuration parameters and delivering it to the user terminal, so that the user terminal completes the security authentication procedure for accessing the network based on the security profile.
  • the present disclosure also provides a computer-readable storage medium on which a computer program is stored.
  • the computer program is executed by a processor, the steps of the security authentication method for user terminal access to the network as provided in any of the foregoing method embodiments are implemented.
  • In the method, the security information of the user terminal and the access network is obtained, the security information including the terminal type of the user terminal, the user subscription identifier of the user terminal and the type of the access network; the configuration parameters used to generate a security profile are determined according to the terminal type, the user subscription identifier and the access network type; and the security profile is generated based on the configuration parameters and delivered to the user terminal, so that the user terminal can complete the security authentication procedure for accessing the network based on the security profile.
  • A security algorithm negotiation function (SANF) network element can be added on the network side.
  • Based on the terminal type of the user terminal, the user subscription identifier of the user terminal and the type of the access network, the SANF network element generates a security profile that matches the capabilities and security requirements of the user terminal and the access network, and delivers the security profile to the user terminal, so that the user terminal completes the security authentication procedure for accessing the network based on it.
  • In this way, the newly added SANF network element can generate differentiated security profiles for different terminal types, different access network types and different user subscription identifiers in different service scenarios, achieving differentiated security authentication.
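The delivery path described above (UDM protects the SP as a new IE, AUSF and SEAF relay it with the authentication vector, the UE checks freshness and integrity before using it) is modelled below. This is an added example, not code from the patent or from any 3GPP implementation: the shared integrity key `K_INT`, the TLV tag values, the HMAC-SHA256 construction and the simplified sequence-number token are all assumptions chosen for illustration.

```python
"""Constructed model of integrity-protected Security Profile (SP) IE delivery.

Assumptions (not from the patent): UDM and UE share a symmetric integrity key
K_INT derived from the subscription's long-term key, the SP IE is a simple TLV,
and integrity protection is HMAC-SHA256 over the IE bound to the authentication
token's sequence number. AUSF and SEAF are pure relays here.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed shared secret; in a real network the long-term key lives in the ARPF and the USIM.
K_INT = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
# Tag values for the SP IE fields (constructed, not 3GPP-assigned).
TAG_AUTH_MODE, TAG_KDF, TAG_KEY_LEN = 0x01, 0x02, 0x03


def encode_sp_ie(sp: dict) -> bytes:
    """Encode a security profile as a TLV information element (tag, length, value)."""
    out = bytearray()
    for tag, value in ((TAG_AUTH_MODE, sp["auth_mode"].encode()),
                       (TAG_KDF, sp["kdf"].encode()),
                       (TAG_KEY_LEN, struct.pack(">H", sp["key_len"]))):
        out += bytes([tag, len(value)]) + value
    return bytes(out)


def decode_sp_ie(ie: bytes) -> dict:
    """Parse the TLV IE back into a security profile; rejects truncated or unknown fields."""
    sp, i = {}, 0
    while i < len(ie):
        if i + 2 > len(ie):
            raise ValueError("truncated TLV header")
        tag, length = ie[i], ie[i + 1]
        value = ie[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        i += 2 + length
        if tag == TAG_AUTH_MODE:
            sp["auth_mode"] = value.decode()
        elif tag == TAG_KDF:
            sp["kdf"] = value.decode()
        elif tag == TAG_KEY_LEN:
            sp["key_len"] = struct.unpack(">H", value)[0]
        else:
            raise ValueError(f"unknown SP IE tag {tag:#x}")
    return sp


@dataclass(frozen=True)
class AuthToken:
    sqn: int      # sequence number used for the timeliness check (simplified AUTN)
    mac: bytes    # home-network MAC over the SQN


@dataclass(frozen=True)
class ProtectedSP:
    ie: bytes     # encoded SP IE
    mac: bytes    # HMAC binding the IE to this authentication run


def _mac(label: bytes, sqn: int, payload: bytes, n: int) -> bytes:
    return hmac.new(K_INT, label + struct.pack(">Q", sqn) + payload, hashlib.sha256).digest()[:n]


def udm_protect(sp: dict, sqn: int) -> Tuple[AuthToken, ProtectedSP]:
    """UDM side: build the authentication token and the integrity-protected SP IE.
    Binding the IE MAC to the SQN stops an old SP IE being replayed with a fresh AUTN."""
    ie = encode_sp_ie(sp)
    return AuthToken(sqn, _mac(b"AUTN", sqn, b"", 8)), ProtectedSP(ie, _mac(b"SP-IE", sqn, ie, 16))


def ausf_seaf_relay(autn: AuthToken, psp: ProtectedSP) -> Tuple[AuthToken, ProtectedSP]:
    """AUSF derives the serving-network AV and SEAF forwards it; AUTN and SP IE pass through unchanged."""
    return autn, psp


class UE:
    """Terminal side: remembers the highest SQN accepted, checks freshness, then IE integrity."""

    def __init__(self) -> None:
        self.last_sqn = -1

    def verify(self, autn: AuthToken, psp: ProtectedSP) -> Optional[dict]:
        """Return the accepted SP, or None if the freshness or integrity check fails."""
        if autn.sqn <= self.last_sqn:
            return None  # replayed or stale authentication token
        if not hmac.compare_digest(_mac(b"AUTN", autn.sqn, b"", 8), autn.mac):
            return None
        if not hmac.compare_digest(_mac(b"SP-IE", autn.sqn, psp.ie, 16), psp.mac):
            return None  # SP IE modified in transit
        try:
            sp = decode_sp_ie(psp.ie)
        except ValueError:
            return None
        self.last_sqn = autn.sqn  # advance only after every check has passed
        return sp


def run_delivery(sp: dict, sqn: int, ue: UE, tamper: bool = False) -> Optional[dict]:
    """End-to-end run UDM -> AUSF -> SEAF -> UE; `tamper` flips one IE byte in transit."""
    autn, psp = ausf_seaf_relay(*udm_protect(sp, sqn))
    if tamper:
        ie = bytearray(psp.ie)
        ie[-1] ^= 0x01  # low byte of key_len: 256 becomes 257
        psp = ProtectedSP(bytes(ie), psp.mac)
    return ue.verify(autn, psp)


if __name__ == "__main__":
    ue, profile = UE(), {"auth_mode": "5G-AKA", "kdf": "SM3", "key_len": 256}
    print(run_delivery(profile, 1, ue))               # accepted
    print(run_delivery(profile, 1, ue))               # None: replayed SQN
    print(run_delivery(profile, 2, ue, tamper=True))  # None: IE integrity failure
```

The UE advances its stored sequence number only after both checks pass, so a tampered delivery does not burn the SQN and the genuine retry with the same SQN is still accepted.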

Abstract

The present disclosure relates to a security authentication method for a user terminal to access a network, an apparatus, and an electronic device. The method is applied to a security algorithm negotiation function (SANF) network element, and the method comprises: when a user terminal accesses a network, acquiring security information of the user terminal and of the accessed network, the security information comprising the terminal type of the user terminal, a user subscription identifier of the user terminal, and the type of the accessed network; according to the terminal type, the user subscription identifier and the type of the accessed network, determining configuration parameters for generating a security configuration file; and generating the security configuration file according to the configuration parameters, and sending the security configuration file to the user terminal, so as to allow the user terminal to complete the security authentication process of the accessed network according to the security configuration file.

Description

Security authentication method, apparatus and electronic device for a user terminal to access a network
Cross-reference to related applications
This disclosure claims priority to Chinese patent application CN202210909822.6, titled "Security authentication method, apparatus and electronic device for a user terminal to access a network" and filed on July 29, 2022, the entire content of which is incorporated herein by reference.
Technical field
The present disclosure relates to the field of mobile communication technology, and in particular to a security authentication method, apparatus and electronic device for a user terminal to access a network.
Background
The fifth-generation mobile communication technology (5G) network introduced three major service scenarios, each of which, owing to its own characteristics, has different security requirements. The subsequent evolution to sixth-generation mobile communication technology (6G) networks will further expand the application scenarios and thus further increase the demand for personalized security.
At present, the existing 5G security authentication procedure applies the same level of security authentication and key agreement to every terminal; its flexibility is no longer sufficient for the personalized security needs of many different service scenarios. How to negotiate differentiated security authentication according to the capabilities and security requirements of the user terminal and the access network has therefore become an urgent technical problem.
Summary
The present disclosure provides a security authentication method, apparatus and electronic device for a user terminal to access a network, in order to solve the problem that the existing 5G security authentication procedure applies the same level of security authentication and key agreement to every terminal and is no longer flexible enough to meet the personalized security needs of many different service scenarios.
In a first aspect, the present disclosure provides a security authentication method for a user terminal to access a network, applied to a security algorithm negotiation function (SANF) network element. The method includes: when the user terminal accesses the network, acquiring security information of the user terminal and the access network, the security information including the terminal type of the user terminal, the user subscription identifier of the user terminal and the type of the access network; determining, according to the terminal type, the user subscription identifier and the access network type, configuration parameters for generating a security profile; and generating the security profile according to the configuration parameters and delivering it to the user terminal, so that the user terminal completes the security authentication procedure for accessing the network according to the security profile.
In a second aspect, the present disclosure also provides a security authentication apparatus for a user terminal to access a network, applied to a SANF network element. The apparatus includes an acquisition module, a determination module and a delivery module.
The acquisition module is configured to acquire security information of the user terminal and the access network, the security information including the terminal type of the user terminal, the user subscription identifier of the user terminal and the type of the access network; the determination module is configured to determine, according to the terminal type, the user subscription identifier and the access network type, configuration parameters for generating a security profile; and the delivery module is configured to generate the security profile according to the configuration parameters and deliver it to the user terminal, so that the user terminal completes the security authentication procedure for accessing the network according to the security profile.
In a third aspect, the present disclosure also provides an electronic device including a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with each other through the communication bus; the memory is used to store a computer program; and the processor, when executing the program stored in the memory, implements the steps of the security authentication method for a user terminal to access a network according to any embodiment of the first aspect.
In a fourth aspect, the present disclosure also provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of the security authentication method for a user terminal to access a network according to any embodiment of the first aspect are implemented.
Brief description of the drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and, together with the description, serve to explain its principles.
In order to describe the technical solutions of the present disclosure or the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. Obviously, those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Figure 1 is a schematic flow chart of a security authentication method for a user terminal to access a network provided by the present disclosure;
Figure 2 is a schematic structural diagram of a security algorithm negotiation function (SANF) network element provided by the present disclosure;
Figure 3 is a schematic flow chart of generating a security profile provided by the present disclosure;
Figure 4 is a schematic flow chart of a user terminal authentication response provided by the present disclosure;
Figure 5 is a schematic flow chart of acquiring security information provided by the present disclosure;
Figure 6 is a schematic structural diagram of a security authentication apparatus for a user terminal to access a network provided by the present disclosure;
Figure 7 is a schematic structural diagram of an electronic device provided by the present disclosure.
Detailed description of embodiments
In order to make the purpose, technical solutions and advantages of the present disclosure clearer, the technical solutions of the present disclosure are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present disclosure. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present disclosure without creative effort fall within the scope of protection of the present disclosure.
Referring to Figure 1, Figure 1 is a schematic flow chart of a security authentication method for a user terminal to access a network provided by the present disclosure. The method is applied to a security algorithm negotiation function (SANF) network element and may include the following steps 101 to 103.
Step 101: When the user terminal accesses the network, acquire the security information of the user terminal and the access network, the security information including the terminal type of the user terminal, the user subscription identifier of the user terminal and the type of the access network.
It should be noted that the method is applied to a Security Algorithm Negotiation Function (SANF) network element. The SANF network element may be a logical function on the Unified Data Management (UDM) of the home network side, or a logical function independent of the UDM network element. Its main functional modules may include a user and network security information collection module, a security algorithm analysis and decision module, and a security differentiated profile delivery module. The user and network security information collection module is configured to collect information such as the terminal type of the user terminal (User Equipment, UE), the type of the access network and the user subscription identifier of the user terminal. The security algorithm analysis and decision module is configured to analyze the collected user information and security capabilities in combination with network-related information, reach a decision, and select appropriate security information data such as the authentication mode, security algorithm and key length. The security differentiated profile delivery module is configured to generate a differentiated security profile from the selected security information data, which provides guidance and configuration for the user terminal's subsequent authentication, key agreement and security algorithm negotiation. The internal structure of the SANF network element is shown in Figure 2.
In an exemplary embodiment, when the user terminal accesses the network, the SANF network element can acquire the security information of the user terminal and the access network. The security information here may include, but is not limited to, the terminal type of the user terminal, the user subscription identifier of the user terminal and the type of the access network. It should be noted that user terminals may be divided by terminal capability into low-energy terminals, medium-energy terminals, high-energy terminals and so on. The user subscription identifier of the user terminal may include the Subscription Permanent Identifier (SUPI) and the Subscription Concealed Identifier (SUCI), where the SUCI is the output of encrypting the SUPI. The access network type may include 3GPP access networks and Non-3GPP access networks. A 3GPP access network is an access network defined by the 3GPP organization, such as 3GPP Long Term Evolution (LTE), Wideband Code Division Multiple Access (WCDMA), Time Division-Synchronous Code Division Multiple Access (TD-SCDMA) and the Global System for Mobile Communications (GSM); a Non-3GPP access network is an access network not defined by 3GPP, such as Wireless Local Area Networks (WLAN) and High Rate Packet Data (HRPD).
Step 102: Determine, according to the terminal type, the user subscription identifier and the access network type, the configuration parameters used to generate a security profile.
In this step, the SANF network element can determine, from the terminal type, the user subscription identifier and the access network type, the capabilities of the user terminal and the access network as well as the security requirements of the user terminal in the current service scenario, and then determine the configuration parameters of the security profile corresponding to the user terminal according to those capabilities and requirements. In an exemplary embodiment, the configuration parameters of the security profile may include, but are not limited to, a parameter characterizing the authentication mode type, a parameter characterizing the key derivation algorithm and a parameter characterizing the key length. It should be noted that the authentication mode types here may include the existing 5G-AKA and EAP-AKA', and other authentication modes such as EAP-TLS may also be introduced; a lightweight or a heavyweight authentication mode may even be introduced to suit different application scenarios and different security requirements. The key derivation algorithm here may include the Chinese national cryptographic algorithms SM3 and SM4, as well as other key derivation algorithms required or specified by an enterprise or operator. The key length supports 128 bits, 256 bits, 512 bits and so on.
Step 103: Generate the security profile according to the configuration parameters and deliver it to the user terminal, so that the user terminal completes the security authentication procedure for accessing the network according to the security profile.
In this step, the SANF network element can generate a security profile (SP) from the configuration parameters and deliver it to the user terminal. The user terminal performs its own security configuration according to the received SP, generates its own security profile, and uses that profile to generate the parameters required for authentication and key derivation, thereby completing the security authentication procedure for accessing the network and the subsequent security processing and protection procedures, so that the user terminal accesses the network securely.
In this embodiment, a security algorithm negotiation function (SANF) network element can be added on the network side. Based on the terminal type of the user terminal, the user subscription identifier of the user terminal and the type of the access network, the SANF network element generates a security profile that matches the capabilities and security requirements of the user terminal and the access network, and delivers it to the user terminal, so that the user terminal completes the security authentication procedure for accessing the network according to the security profile. In this way, differentiated security profiles can be generated for different terminal types, different access network types and different user subscription identifiers in different service scenarios, achieving differentiated security authentication.
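Steps 101 to 103 leave the matching rule itself open. The following is an added example of one way the SANF decision step could be written; it is not the patent's algorithm or any operator's policy. The preference tables, the capability cap per terminal class, the `LIGHTWEIGHT-AKA` mode name, the per-access-type mode restriction and the `quantum_safe` subscription flag are all constructed for illustration, and the subscription message fields mirror the subscription types the description lists (authentication, key derivation algorithm, key length).

```python
"""Constructed model of the SANF decision step: derive security profile parameters
from terminal type, access network type, the UDM's user subscription message and the
authentication modes reported as supported. All tables here are illustrative policy,
not 3GPP-defined values."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Preference order of authentication modes per terminal class (constructed policy):
# low-energy mMTC terminals prefer the cheapest mode, high-energy terminals the strongest.
AUTH_MODE_PREFERENCE: Dict[str, List[str]] = {
    "low":    ["LIGHTWEIGHT-AKA", "5G-AKA", "EAP-AKA'", "EAP-TLS"],
    "medium": ["5G-AKA", "EAP-AKA'", "EAP-TLS", "LIGHTWEIGHT-AKA"],
    "high":   ["EAP-TLS", "EAP-AKA'", "5G-AKA"],  # never falls back to the lightweight mode
}
# Largest key length a terminal class can afford (constructed).
KEY_LEN_CAP: Dict[str, int] = {"low": 128, "medium": 256, "high": 512}
# Modes the example operator allows per access network type (constructed policy).
ACCESS_ALLOWED_MODES: Dict[str, Set[str]] = {
    "3GPP": {"LIGHTWEIGHT-AKA", "5G-AKA", "EAP-AKA'", "EAP-TLS"},
    "Non-3GPP": {"EAP-AKA'", "EAP-TLS"},
}


@dataclass
class SubscriptionMessage:
    """User subscription message as delivered by UDM (field names constructed)."""
    auth_modes: List[str]        # authentication subscription
    kdf_algorithms: List[str]    # key derivation algorithm subscription, operator preference first
    key_lengths: List[int]       # key length subscription
    quantum_safe: bool = False   # high-security tendency: insist on at least 256-bit keys


@dataclass(frozen=True)
class SecurityProfile:
    auth_mode: str
    kdf: str
    key_len: int


def select_profile(terminal_type: str, access_type: str, sub: SubscriptionMessage,
                   supported_modes: List[str]) -> Optional[SecurityProfile]:
    """Return the matched SP, or None when no combination satisfies every constraint.

    Refusing to answer is deliberate: silently downgrading (e.g. giving a quantum-safe
    subscriber a 128-bit key) would defeat the point of differentiated authentication.
    """
    if terminal_type not in AUTH_MODE_PREFERENCE or access_type not in ACCESS_ALLOWED_MODES:
        return None
    # Authentication mode: intersection of subscribed, supported and access-allowed modes,
    # resolved by the terminal class's preference order.
    candidates = set(sub.auth_modes) & set(supported_modes) & ACCESS_ALLOWED_MODES[access_type]
    auth_mode = next((m for m in AUTH_MODE_PREFERENCE[terminal_type] if m in candidates), None)
    if auth_mode is None or not sub.kdf_algorithms:
        return None
    # Key derivation algorithm: the operator/enterprise ordering in the subscription wins,
    # e.g. SM3 first for an industry private network.
    kdf = sub.kdf_algorithms[0]
    # Key length: the largest subscribed length the terminal can carry, honouring the floor.
    floor = 256 if sub.quantum_safe else 0
    lengths = [k for k in sub.key_lengths if floor <= k <= KEY_LEN_CAP[terminal_type]]
    if not lengths:
        return None
    return SecurityProfile(auth_mode, kdf, max(lengths))


if __name__ == "__main__":
    mmtc = SubscriptionMessage(["LIGHTWEIGHT-AKA", "5G-AKA"], ["SM3", "HMAC-SHA256"], [128, 256])
    print(select_profile("low", "3GPP", mmtc, ["5G-AKA", "LIGHTWEIGHT-AKA"]))
    hi = SubscriptionMessage(["5G-AKA", "EAP-TLS"], ["HMAC-SHA256"], [128, 256, 512], quantum_safe=True)
    print(select_profile("high", "Non-3GPP", hi, ["5G-AKA", "EAP-TLS", "EAP-AKA'"]))
```

Every output parameter is drawn from sets the subscription, the terminal and the access network each already allow, so the SANF never hands a terminal a mode or key length it cannot actually run.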
In an exemplary embodiment, step 102 above, determining the configuration parameters for generating the security profile according to the terminal type, the user subscription identifier and the access network type, includes: receiving the user subscription information and the authentication mode types supported by the user terminal and the access network sent by the unified data management (UDM) network element, where the user subscription information is obtained by the UDM network element based on the user subscription identifier, and the authentication mode types supported by the user terminal and the access network are obtained by the UDM network element from the authentication credential repository (ARPF) network element based on the user subscription identifier; and determining the configuration parameters for generating the security profile according to the user subscription information, the authentication mode types supported by the user terminal and the access network, and the obtained terminal type and access network type.
In one embodiment, the SANF network element can exchange data with the UDM network element to determine the configuration parameters for generating the security profile. In an exemplary embodiment, the UDM network element can obtain the user subscription information based on the user subscription identifier, and can also obtain the authentication mode types supported by the user terminal and the access network from the Authentication credential Repository and Processing Function (ARPF) network element based on that identifier. The UDM network element then sends the user subscription information, the authentication mode types supported by the user terminal and the access network, and the obtained terminal type and access network type to the SANF network element, and the SANF network element determines the configuration parameters for generating the security profile from them, as shown in Figure 3. Note that the user subscription information here includes, but is not limited to, the application-layer authentication and key management subscription (AMKA subscription), the authentication subscription (Authentication subscription), the key derivation algorithm subscription (Key derivation algorithm subscription) and the key length subscription (Key length subscription).
In an exemplary embodiment, when the user subscription identifier is of the concealed subscription identifier type, the UDM network element needs to have the subscription identifier de-concealing function (SIDF) network element decrypt the user subscription identifier and, based on the decrypted identifier, obtains the user subscription information, the user credentials and the authentication mode types supported by the user terminal and the access network; the SIDF network element decrypts the user subscription identifier based on the user credentials, which the UDM network element obtains from the ARPF network element based on the user subscription identifier. When the user subscription identifier is a permanent subscription identifier, the UDM network element obtains the user subscription information, the user credentials and the authentication mode types supported by the user terminal and the access network directly based on the user subscription identifier.
Continuing with Figure 3, when the user subscription identifier is of the concealed type (SUCI), the UDM network element can also use fields of the SUCI such as the protection scheme ID and the home network public key ID to obtain the user credentials and the authentication mode types supported by the user terminal and the access network from the ARPF network element. The UDM network element can also have the Subscription Identifier De-concealing Function (SIDF) network element decrypt the user subscription identifier based on the user credentials, and then use the decrypted user subscription identifier to obtain the user subscription information.
When the user subscription identifier is of the permanent type (SUPI), the UDM network element can obtain the user credentials and the authentication mode types supported by the user terminal and the access network directly from the ARPF network element based on the SUPI, and can also obtain the user subscription information directly based on the user subscription identifier.
In an exemplary embodiment, step 103 above, passing the security profile to the user terminal, includes: passing the security profile to the UDM network element, where the UDM network element carries the security profile as a newly added information element field, applies integrity protection to the newly added field, and passes the integrity-protected information element field to the user terminal via the authentication server function (AUSF) network element and the security anchor function (SEAF) network element in turn.
In one embodiment, after the SANF network element has generated the security profile, it can pass the profile to the UDM network element. The UDM network element can then carry the security profile as a newly added Information Element field (the SP IE), apply integrity protection to the newly added field, and pass the integrity-protected field to the user terminal via the Authentication Server Function (AUSF) network element and the SEcurity Anchor Function (SEAF) network element in turn, as shown in Figure 4. The user terminal can then generate its own security profile and perform the subsequent key derivation as indicated by the SP IE, and return an authentication response message to the network side.
In an exemplary embodiment, the UDM network element is further configured to generate a home environment authentication vector from the security profile and to pass the authentication token of the home environment authentication vector, together with the integrity-protected information element field, to the user terminal via the AUSF network element and the SEAF network element in turn. The AUSF network element determines a service environment authentication vector from the home environment authentication vector and sends the service environment authentication vector and the integrity-protected information element field to the SEAF network element; the SEAF network element sends the service environment authentication vector and the integrity-protected information element field to the user terminal; the service environment authentication vector contains the authentication token; and the user terminal performs a timeliness check based on the authentication token and an integrity check on the integrity-protected information element field and, when both the timeliness check and the integrity check succeed, completes the security authentication procedure for network access according to the information element field whose integrity was verified.
Referring to Figure 4, the UDM network element can also generate a home environment authentication vector (5G Home Environment Authentication Vector, 5G HE AV) from the security profile and pass the authentication token (AUTN) of the home environment authentication vector, together with the integrity-protected information element field, to the AUSF network element as the authentication response message (Nudm_UEAuthentication_Get Response in Figure 4). The AUSF network element can determine a service environment authentication vector (5G Service Environment Authentication Vector, 5G SE AV) from the home environment authentication vector and send the authentication token of the service environment authentication vector, together with the integrity-protected information element field, to the SEAF network element as the authentication response message (Nausf_UEAuthentication_Authenticate Response in Figure 4). The SEAF network element can send the service environment authentication vector and the integrity-protected information element field to the user terminal as the authentication request (Authentication Request in Figure 4). Finally, the user terminal can perform a timeliness check based on the authentication token and an integrity check on the integrity-protected information element field. In an exemplary embodiment, the network side integrity-protects the SP IE with the private key associated with the user terminal; after receiving the Authentication Request from the network side, the user terminal uses the AUTN in the request to verify the timeliness of the authentication request message. Once it has confirmed that the timeliness of the authentication request message is acceptable, it verifies the integrity of the SP IE with the network side's public key. If the integrity check fails, it returns an authentication failure to the network side; if the integrity check succeeds, it generates its security profile and performs the subsequent key derivation according to the verified information element field, and returns the authentication response message (Authentication Response in Figure 4) to the network side, thereby completing the security authentication procedure for network access. In this way, the SP IE is effectively protected against tampering in transit, improving the security of security profile delivery.
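The UE-side checks of the Authentication Request described above, as an added example that is not from the patent: an Ed25519 signature stands in for the integrity protection, a monotonic sequence number with an acceptance window stands in for the AUTN timeliness check, and the signature also covers that sequence number (an assumption beyond the text, so a correctly signed SP IE cannot be detached and reused under a later AUTN). The type and function names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// SecurityProfile is a constructed model of the SP the SANF produces:
// authentication mode, key derivation algorithm and key length.
type SecurityProfile struct {
	AuthMode string `json:"auth_mode"` // e.g. "5G-AKA", "EAP-AKA'", "EAP-TLS"
	KDF      string `json:"kdf"`       // e.g. "HMAC-SHA-256", "SM3"
	KeyBits  int    `json:"key_bits"`  // e.g. 128 or 256
}

// SPIE models the new information element: the encoded profile plus the
// home network's integrity tag (an Ed25519 signature, an assumption).
type SPIE struct {
	Profile []byte
	Sig     []byte
}

// AuthRequest is the part of the Authentication Request the UE checks here.
// SQN stands in for the freshness value the UE recovers from the AUTN;
// the real AUTN layout (SQN xor AK, AMF, MAC) is not modelled.
type AuthRequest struct {
	SQN  uint64
	SPIE SPIE
}

var (
	ErrNotFresh  = errors.New("authentication failure: AUTN sequence number not acceptable")
	ErrIntegrity = errors.New("authentication failure: SP IE integrity check failed")
)

// signedBytes binds the encoded profile to the sequence number of the AUTN
// it travels with, so a correctly signed SP IE cannot be detached and
// re-sent under a later AUTN (an assumption beyond the text).
func signedBytes(profile []byte, sqn uint64) []byte {
	buf := make([]byte, 8, 8+len(profile))
	binary.BigEndian.PutUint64(buf, sqn)
	return append(buf, profile...)
}

// ProtectSPIE is the UDM-side step: encode the profile and sign it with the
// home network private key before it is forwarded via AUSF and SEAF.
func ProtectSPIE(homePriv ed25519.PrivateKey, sp SecurityProfile, sqn uint64) (SPIE, error) {
	profile, err := json.Marshal(sp)
	if err != nil {
		return SPIE{}, err
	}
	return SPIE{Profile: profile, Sig: ed25519.Sign(homePriv, signedBytes(profile, sqn))}, nil
}

// UE holds the state the terminal needs for the two checks.
type UE struct {
	HomePub ed25519.PublicKey // network-side public key for the SP IE check
	LastSQN uint64            // highest sequence number accepted so far
	Window  uint64            // how far ahead of LastSQN an SQN may be
}

// HandleAuthRequest runs the checks in the order the text gives: timeliness
// via the AUTN first, then integrity of the SP IE. Only when both pass is
// the profile returned for the UE's own configuration and key derivation;
// on failure the UE would answer the network with an authentication failure.
func (ue *UE) HandleAuthRequest(req AuthRequest) (SecurityProfile, error) {
	if req.SQN <= ue.LastSQN || req.SQN-ue.LastSQN > ue.Window {
		return SecurityProfile{}, ErrNotFresh
	}
	if !ed25519.Verify(ue.HomePub, signedBytes(req.SPIE.Profile, req.SQN), req.SPIE.Sig) {
		return SecurityProfile{}, ErrIntegrity
	}
	var sp SecurityProfile
	if err := json.Unmarshal(req.SPIE.Profile, &sp); err != nil {
		return SecurityProfile{}, ErrIntegrity
	}
	ue.LastSQN = req.SQN // advance only after both checks succeed
	return sp, nil
}

func main() {
	homePub, homePriv, _ := ed25519.GenerateKey(rand.Reader)
	sp := SecurityProfile{AuthMode: "5G-AKA", KDF: "HMAC-SHA-256", KeyBits: 256}
	ie, _ := ProtectSPIE(homePriv, sp, 42)
	ue := &UE{HomePub: homePub, LastSQN: 40, Window: 32}
	got, err := ue.HandleAuthRequest(AuthRequest{SQN: 42, SPIE: ie})
	fmt.Println(got, err) // accepted
	_, err = ue.HandleAuthRequest(AuthRequest{SQN: 42, SPIE: ie})
	fmt.Println(err) // replayed request: not fresh
	ie.Profile[len(ie.Profile)-2] = '8' // key_bits altered in transit
	_, err = ue.HandleAuthRequest(AuthRequest{SQN: 43, SPIE: ie})
	fmt.Println(err) // integrity check fails
}
```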
In an exemplary embodiment, step 101 above, obtaining the security information of the user terminal and the access network when the user terminal accesses the network, includes: when the user terminal requests access to the network, receiving the security information sent by the UDM network element, where the UDM network element, upon receiving a first authentication request sent by the AUSF network element, parses the first authentication request to obtain the security information it carries and sends the security information to the SANF network element. The first authentication request is generated by the AUSF network element upon receiving a second authentication request sent by the SEAF network element; the second authentication request is generated by the SEAF network element upon receiving a registration request sent by the user terminal and carries the terminal type, the user subscription identifier and the access network type; the registration request is generated when the user terminal accesses the network and carries the terminal type and the user subscription identifier.
In one embodiment, when the user terminal requests access to the network, the SANF network element can obtain the security information from the UDM network element. In an exemplary embodiment, as shown in Figure 5, the user terminal (UE) initiates a registration request (Register Request in Figure 5) when accessing the network; the registration request message carries the terminal type (UE type) and a SUCI or 5G Globally Unique Temporary UE Identity (5G-GUTI), and is sent to the SEcurity Anchor Function (SEAF) network element of the serving network. The SEAF network element invokes the Nausf_UEAuthentication service by sending a second authentication request (the Nausf_UEAuthentication_Authenticate Request message in Figure 5) to the AUSF network element; the second authentication request carries the SUCI or the SUPI mapped from the 5G-GUTI, and the Serving Network Name (SNN), which can contain the serving network identifier (SN ID) and the access network type. Upon receiving the second authentication request, the AUSF network element compares the serving network name carried in the request with the preset serving network name of the serving network in which the user terminal is located, thereby verifying whether the SEAF network element of that serving network is entitled to use the serving network name in the second authentication request, and at the same time verifies the corresponding access network type. If the serving network is not authorized to use the serving network name in the second authentication request, the AUSF network element replies "serving network not authorized"; otherwise, it considers the serving network authorized to use that name. The AUSF network element then initiates a first authentication request (the Nudm_UEAuthentication_Get Request message in Figure 5) to the UDM network element, carrying the SUCI or SUPI and the serving network name. Upon receiving the Nudm_UEAuthentication_Get Request message, the UDM network element sends the security information carried in the message to the SANF network element, and the SANF network element generates the security profile.
Note that Figure 5 is an improvement on the existing 5G security authentication procedure: a SANF network element is added to the existing procedure, the registration request the user terminal sends when accessing the network can carry the UE type in addition to the SUCI or 5G-GUTI, and the second authentication request sent by the SEAF network element to the AUSF network element and the first authentication request sent by the AUSF network element to the UDM network element can carry the access network type in addition to the SN ID and the SUCI or SUPI.
In an exemplary embodiment, the configuration parameters include a parameter characterizing the authentication mode type, a parameter characterizing the key derivation algorithm and a parameter characterizing the key length.
The following takes the dense mMTC access scenario as an example. In this scenario, 5G requires one million connections per square kilometre, while 6G requires on the order of ten million connections per square kilometre. Terminal access at such density has a non-negligible impact on network access authentication, and it is doubtful whether the existing 5G unified authentication architecture and procedure can keep pace with the subsequent capacity expansion of mobile networks. Introducing the SANF network element allows the user's Security Profile to be configured flexibly, selecting a suitable authentication mode and security processing according to the terminal type and/or the user subscription data.
In an exemplary embodiment, when the UE accesses the network it initiates a registration request carrying its terminal type, here a class of low-energy terminal in mMTC. After receiving the UE's registration request, the network side selects, according to the UE's terminal type and subscription data, a matching lightweight access authentication mode, a simplified key derivation algorithm, a suitable key length and other security settings as the UE's Security profile; the network side then generates a simplified 5G HE AV from the generated Security profile and indicates the SP information to the UE through the SP IE; finally, the UE completes the mutual security authentication procedure with the network side according to the SP IE indication and the network side's authentication information.
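The SANF matching step for the mMTC scenario above, as an added example that is not from the patent: it keeps the subscription's most preferred authentication mode that both the UE and the access network support, takes the subscribed key derivation algorithm, and sizes the key length to the terminal class without going below the subscribed minimum. The input field names, the mode labels (LIGHT-AKA for the lightweight mode the text mentions) and the key-length policy are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// SecurityProfile holds the three configuration parameters the text names:
// authentication mode, key derivation algorithm and key length.
type SecurityProfile struct {
	AuthMode string
	KDF      string
	KeyBits  int
}

// SANFInput is a constructed model of what the UDM hands to the SANF: the
// UE type from the Register Request, the authentication modes supported by
// the UE and the access network (from the ARPF), and the subscription data
// (Authentication, Key derivation algorithm and Key length subscriptions).
type SANFInput struct {
	UEType        string   // e.g. "mMTC-low-energy" or "eMBB" (constructed labels)
	UEAuthModes   []string // modes the terminal supports
	ANAuthModes   []string // modes the access network supports
	SubAuthModes  []string // modes the subscription permits, most preferred first
	SubKDFs       []string // permitted key derivation algorithms, most preferred first
	SubMinKeyBits int      // smallest key length the subscription accepts
}

var (
	ErrNoCommonMode = errors.New("no authentication mode common to UE, access network and subscription")
	ErrNoKDF        = errors.New("subscription permits no key derivation algorithm")
)

func contains(set []string, v string) bool {
	for _, s := range set {
		if s == v {
			return true
		}
	}
	return false
}

// ChooseProfile is the arbitration step. The authentication mode is the
// subscription's most preferred mode that both the UE and the access network
// support; the KDF is the subscription's first choice; the key length is the
// class default (128 bits for low-energy mMTC terminals, 256 otherwise, an
// assumed policy) raised to the subscribed minimum if that is larger, so a
// high-security subscription is never silently downgraded.
func ChooseProfile(in SANFInput) (SecurityProfile, error) {
	sp := SecurityProfile{}
	for _, m := range in.SubAuthModes {
		if contains(in.UEAuthModes, m) && contains(in.ANAuthModes, m) {
			sp.AuthMode = m
			break
		}
	}
	if sp.AuthMode == "" {
		return SecurityProfile{}, ErrNoCommonMode
	}
	if len(in.SubKDFs) == 0 {
		return SecurityProfile{}, ErrNoKDF
	}
	sp.KDF = in.SubKDFs[0]
	sp.KeyBits = 256
	if in.UEType == "mMTC-low-energy" {
		sp.KeyBits = 128
	}
	if in.SubMinKeyBits > sp.KeyBits {
		sp.KeyBits = in.SubMinKeyBits
	}
	return sp, nil
}

func main() {
	// Constructed input for a low-energy mMTC sensor whose subscription
	// prefers the lightweight mode and the SM3-based key derivation.
	sensor := SANFInput{
		UEType:        "mMTC-low-energy",
		UEAuthModes:   []string{"LIGHT-AKA", "5G-AKA"},
		ANAuthModes:   []string{"5G-AKA", "EAP-AKA'", "LIGHT-AKA"},
		SubAuthModes:  []string{"LIGHT-AKA", "5G-AKA"},
		SubKDFs:       []string{"SM3"},
		SubMinKeyBits: 128,
	}
	fmt.Println(ChooseProfile(sensor)) // {LIGHT-AKA SM3 128} <nil>
}
```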
In this disclosure, the security capability negotiation between the UE and the network is handled in a unified way: the UE's own capabilities, its subscription information and other factors are considered together, and a differentiated automatic match is formed according to the UE's capabilities, the UE's category and the user's subscription preferences. This yields the following technical effects.
1. The authentication mode can be extended to multiple authentication modes: not only the existing 5G-AKA and EAP-AKA', but also other authentication modes such as EAP-TLS, and even lightweight or heavyweight authentication modes introduced to suit different application scenarios and different security requirements.
2. Flexible extension of the key derivation algorithm is supported. The current key derivation algorithm is fixed; by extending it, the Chinese national cryptographic algorithms SM3 and SM4 can be introduced into key derivation, and, to meet the special needs of industry private networks, key derivation algorithms required or specified by enterprises or operators can even be introduced.
3. The key length can easily be scaled up. The key length currently used for 5G authentication and key agreement is 128 bits, and the key length is one of the parameters that most directly reflects security capability. Encryption with a fixed key length cannot reflect differing security requirements: for scenarios with high security requirements, such as applications that must resist quantum attacks, 128 bits no longer meets the requirement and longer key lengths need to be supported. An extensible key length does not mean choosing a key length arbitrarily; it means supporting several key lengths (such as 128 bits and 256 bits) and selecting the key length that meets the current need according to the scenario and security requirements.
4. Extension of other security capabilities is flexibly supported. Security capability extension includes, but is not limited to, the three parameters described above, and can be extended flexibly as later needs arise. To support such flexible extension of security capabilities and multi-level security capabilities, it is necessary to introduce an arbitration and negotiation function that matches and negotiates security capabilities according to security requirements and provides the optimal security combination for each application scenario. The introduced security algorithm negotiation function (SANF) can automatically match the parameters described above according to the user's subscription, the terminal type or the access network type.
Compared with the prior art, this disclosure is not a simple combination of techniques: it applies the concept of big data to collect data such as the user's security capabilities and subscription information, and through comprehensive analysis and decision algorithms provides differentiated security matching for different terminals and different user preferences.
Referring to Figure 6, Figure 6 shows a security authentication apparatus for user terminal network access provided by the present disclosure, applied to the security algorithm negotiation function (SANF) network element. The apparatus 600 includes an acquisition module 601, a determination module 602 and a delivery module 603.
The acquisition module 601 is configured to obtain the security information of the user terminal and the access network, the security information including the terminal type of the user terminal, the user subscription identifier of the user terminal and the access network type; the determination module 602 is configured to determine the configuration parameters for generating the security profile according to the terminal type, the user subscription identifier and the access network type; and the delivery module 603 is configured to generate the security profile from the configuration parameters and pass it to the user terminal, so that the user terminal completes the security authentication procedure for network access according to the security profile.
In an exemplary embodiment, the determination module 602 includes: a first receiving sub-module configured to receive the user subscription information and the authentication mode types supported by the user terminal and the access network sent by the unified data management (UDM) network element, where the user subscription information is obtained by the UDM network element based on the user subscription identifier and the authentication mode types supported by the user terminal and the access network are obtained by the UDM network element from the authentication credential repository (ARPF) network element based on the user subscription identifier; and a determination sub-module configured to determine the configuration parameters for generating the security profile according to the user subscription information, the authentication mode types supported by the user terminal and the access network, and the obtained terminal type and access network type.
In an exemplary embodiment, when the user subscription identifier is of the concealed subscription identifier type, the UDM network element needs to have the subscription identifier de-concealing function (SIDF) network element decrypt the user subscription identifier and, based on the decrypted identifier, obtains the user subscription information, the user credentials and the authentication mode types supported by the user terminal and the access network; the SIDF network element decrypts the user subscription identifier based on the user credentials, which the UDM network element obtains from the ARPF network element based on the user subscription identifier. When the user subscription identifier is a permanent subscription identifier, the UDM network element obtains the user subscription information, the user credentials and the authentication mode types supported by the user terminal and the access network directly based on the user subscription identifier.
In an exemplary embodiment, the delivery module 603 includes a delivery sub-module configured to pass the security profile to the UDM network element, where the UDM network element carries the security profile as a newly added information element field, applies integrity protection to the newly added field, and passes the integrity-protected information element field to the user terminal via the authentication server function (AUSF) network element and the security anchor function (SEAF) network element in turn.
In an exemplary embodiment, the UDM network element is further configured to generate a home environment authentication vector from the security profile and to pass the authentication token of the home environment authentication vector, together with the integrity-protected information element field, to the user terminal via the AUSF network element and the SEAF network element in turn. The AUSF network element determines a service environment authentication vector from the home environment authentication vector and sends the service environment authentication vector and the integrity-protected information element field to the SEAF network element; the SEAF network element sends the service environment authentication vector and the integrity-protected information element field to the user terminal; the service environment authentication vector contains the authentication token; and the user terminal performs a timeliness check based on the authentication token and an integrity check on the integrity-protected information element field and, when both the timeliness check and the integrity check succeed, completes the security authentication procedure for network access according to the information element field whose integrity was verified.
In an exemplary embodiment, the acquisition module 601 includes a second receiving sub-module configured to receive, when the user terminal requests access to the network, the security information sent by the UDM network element, where the UDM network element, upon receiving a first authentication request sent by the AUSF network element, parses the first authentication request to obtain the security information it carries and sends the security information to the SANF network element. The first authentication request is generated by the AUSF network element upon receiving a second authentication request sent by the SEAF network element; the second authentication request is generated by the SEAF network element upon receiving a registration request sent by the user terminal and carries the terminal type, the user subscription identifier and the access network type; the registration request is generated when the user terminal accesses the network and carries the terminal type and the user subscription identifier.
In an exemplary embodiment, the configuration parameters include a parameter identifying the authentication mode type, a parameter identifying the key derivation algorithm, and a parameter identifying the key length.
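An added example in Python of the acquisition and parameter-selection steps described in the two paragraphs above (the same steps are recited in claims 1, 2, 6 and 7 below). It is not ZTE's code, and the patent does not say how the SANF chooses values; the message field names, the subscription table standing in for UDM/ARPF data, the per-access-network preference lists, the per-terminal-class key-length limits and the concrete mode and KDF names are all assumptions made here. De-concealment of a concealed subscription identifier through the SIDF (claim 3) is left out and the subscription identifier is used in the clear.

```python
"""
Added example, not ZTE's code and not specified 3GPP behaviour: a toy model of
the request chain user terminal -> SEAF -> AUSF -> UDM -> SANF, and of how a
SANF might derive the configuration parameters (authentication mode type, key
derivation algorithm, key length) from the terminal type, the subscription
record and the access network type. Network element names follow the patent;
message field names, policy tables and parameter values are assumptions.
"""
from dataclasses import dataclass
import json

# Constructed subscription records standing in for UDM/ARPF data (assumption).
SUBSCRIPTIONS = {
    "imsi-460110123456789": {"supported_auth_modes": ["5G-AKA", "EAP-AKA'"],
                             "supported_kdfs": ["HMAC-SHA-256"]},
    "imsi-460110987654321": {"supported_auth_modes": ["EAP-AKA'", "EAP-TLS"],
                             "supported_kdfs": ["HMAC-SHA-256", "HMAC-SHA-512"]},
}
# Modes each access network type can carry, in preference order (assumption).
ACCESS_NETWORK_AUTH_MODES = {
    "3gpp": ["5G-AKA", "EAP-AKA'"],
    "untrusted-non-3gpp": ["EAP-AKA'", "EAP-TLS"],
}
# Largest key length each terminal class can handle, in bits (assumption).
TERMINAL_MAX_KEY_BITS = {"smartphone": 256, "constrained-iot": 128}
KDF_OUTPUT_BITS = {"HMAC-SHA-256": 256, "HMAC-SHA-512": 512}


@dataclass(frozen=True)
class RegistrationRequest:      # user terminal -> SEAF
    terminal_type: str
    subscription_id: str


@dataclass(frozen=True)
class AuthenticationRequest:    # SEAF -> AUSF (second request), AUSF -> UDM (first request)
    terminal_type: str
    subscription_id: str
    access_network_type: str


def seaf_build_request(reg: RegistrationRequest, access_network_type: str) -> AuthenticationRequest:
    # The SEAF knows which access network the terminal arrived on and adds its type.
    return AuthenticationRequest(reg.terminal_type, reg.subscription_id, access_network_type)


def ausf_forward_request(req: AuthenticationRequest) -> AuthenticationRequest:
    # The AUSF relays the triple to the UDM unchanged.
    return req


def udm_extract_security_info(req: AuthenticationRequest) -> dict:
    # The UDM parses the request and hands the three fields to the SANF together
    # with the subscription data it holds for that subscriber.
    try:
        subscription = SUBSCRIPTIONS[req.subscription_id]
    except KeyError:
        raise LookupError(f"unknown subscription {req.subscription_id}") from None
    return {"terminal_type": req.terminal_type, "subscription_id": req.subscription_id,
            "access_network_type": req.access_network_type, "subscription": subscription}


def sanf_determine_config_params(info: dict) -> dict:
    # Authentication mode: first mode in the access network's preference order that
    # the subscription also supports; refuse rather than fall back to something weaker.
    an_modes = ACCESS_NETWORK_AUTH_MODES[info["access_network_type"]]
    ue_modes = info["subscription"]["supported_auth_modes"]
    common = [m for m in an_modes if m in ue_modes]
    if not common:
        raise ValueError("no authentication mode is supported by both terminal and access network")
    # Key derivation algorithm: the strongest one the subscription supports.
    kdf = max(info["subscription"]["supported_kdfs"], key=lambda name: KDF_OUTPUT_BITS[name])
    # Key length: bounded by the KDF output and by what the terminal class can handle.
    key_bits = min(KDF_OUTPUT_BITS[kdf], TERMINAL_MAX_KEY_BITS[info["terminal_type"]])
    return {"auth_mode": common[0], "kdf": kdf, "key_length": key_bits}


def sanf_generate_profile(params: dict, info: dict) -> bytes:
    # The security configuration file as a canonical byte string, so that an
    # integrity tag computed over it later is reproducible on the terminal.
    profile = {"subscription_id": info["subscription_id"],
               "access_network_type": info["access_network_type"], **params}
    return json.dumps(profile, sort_keys=True, separators=(",", ":")).encode()


def negotiate(reg: RegistrationRequest, access_network_type: str) -> dict:
    req = ausf_forward_request(seaf_build_request(reg, access_network_type))
    info = udm_extract_security_info(req)
    return json.loads(sanf_generate_profile(sanf_determine_config_params(info), info))


if __name__ == "__main__":
    print(negotiate(RegistrationRequest("smartphone", "imsi-460110123456789"), "3gpp"))
    print(negotiate(RegistrationRequest("constrained-iot", "imsi-460110987654321"), "untrusted-non-3gpp"))
```

The negotiation raises when the terminal and the access network share no authentication mode instead of falling back to a default; a silent fall-back is exactly the bidding-down path that a per-terminal profile is meant to close, so the refusal is kept explicit.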
It should be noted that the security authentication apparatus 600 for user terminal network access can carry out the steps of the security authentication method for user terminal network access provided by any of the foregoing method embodiments, and achieves the same technical effect; this is not repeated here.
As shown in Figure 7, the present disclosure provides an electronic device comprising a processor 711, a communication interface 712, a memory 713 and a communication bus 714, where the processor 711, the communication interface 712 and the memory 713 communicate with one another over the communication bus 714, and the memory 713 stores a computer program. In one embodiment of the present disclosure, the processor 711, when executing the program stored in the memory 713, implements the security authentication method for user terminal network access provided by any of the foregoing method embodiments, which includes: when a user terminal accesses the network, obtaining security information about the user terminal and the access network, the security information including the terminal type of the user terminal, the user subscription identifier of the user terminal and the type of the access network; determining, from the terminal type, the user subscription identifier and the type of the access network, the configuration parameters used to generate a security configuration file; and generating the security configuration file from the configuration parameters and delivering it to the user terminal, so that the user terminal completes the security authentication procedure for network access according to the security configuration file.
The present disclosure also provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the security authentication method for user terminal network access provided by any of the foregoing method embodiments.
In the present disclosure, when a user terminal accesses the network, security information about the user terminal and the access network is obtained, the security information including the terminal type of the user terminal, the user subscription identifier of the user terminal and the type of the access network; the configuration parameters used to generate a security configuration file are determined from the terminal type, the user subscription identifier and the type of the access network; and the security configuration file is generated from those configuration parameters and delivered to the user terminal, so that the user terminal completes the security authentication procedure for network access according to it. In this way a security algorithm negotiation function (SANF) network element can be added on the network side: from the terminal type of the user terminal, its user subscription identifier and the type of the access network, the SANF network element generates a security configuration file that matches the capabilities and security requirements of that user terminal and that access network, and delivers it to the user terminal, which then completes the security authentication procedure for network access according to that file. Differentiated security configuration files, and therefore differentiated security authentication, can thus be produced for different terminal types, different access network types and different user subscription identifiers across different service scenarios.
It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" or any variant of them are intended to cover a non-exclusive inclusion, so that a process, method, article or device that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of further identical elements in the process, method, article or device that comprises that element.
The above are only specific embodiments of the present disclosure, enabling those skilled in the art to understand or implement it. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the disclosure. The present disclosure is therefore not limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features claimed herein.

Claims (10)

  1. A security authentication method for a user terminal accessing a network, applied to a security algorithm negotiation function (SANF) network element, the method comprising:
    when a user terminal accesses a network, obtaining security information about the user terminal and the access network, the security information including the terminal type of the user terminal, the user subscription identifier of the user terminal and the type of the access network;
    determining, from the terminal type, the user subscription identifier and the type of the access network, configuration parameters for generating a security configuration file;
    generating the security configuration file from the configuration parameters and delivering the security configuration file to the user terminal, so that the user terminal completes the security authentication procedure for network access according to the security configuration file.
  2. The method according to claim 1, wherein determining, from the terminal type, the user subscription identifier and the type of the access network, the configuration parameters for generating the security configuration file comprises:
    receiving, from a unified data management (UDM) network element, a user subscription message and the authentication mode types supported by the user terminal and by the access network, wherein the user subscription message is obtained by the UDM network element on the basis of the user subscription identifier, and the authentication mode types supported by the user terminal and by the access network are obtained by the UDM network element from an authentication credential repository (ARPF) network element on the basis of the user subscription identifier;
    determining the configuration parameters for generating the security configuration file from the user subscription message, the authentication mode types supported by the user terminal and by the access network, and the obtained terminal type and type of the access network.
  3. The method according to claim 2, wherein, when the user subscription identifier is of the user concealed subscription identifier type, the UDM network element decrypts the user subscription identifier through a subscription identifier decryption function (SIDF) network element and obtains the user subscription message, the user credential and the authentication mode types supported by the user terminal and by the access network on the basis of the decrypted user subscription identifier, wherein the SIDF network element decrypts the user subscription identifier on the basis of the user credential, and the user credential is obtained by the UDM network element from the ARPF network element on the basis of the user subscription identifier;
    when the user subscription identifier is a user permanent subscription identifier, the UDM network element obtains the user subscription message, the user credential and the authentication mode types supported by the user terminal and by the access network directly on the basis of the user subscription identifier.
  4. The method according to claim 2, wherein delivering the security configuration file to the user terminal comprises:
    delivering the security configuration file to the UDM network element, wherein the UDM network element is configured to carry the security configuration file as a newly added information element field, to apply integrity protection to the newly added information element field, and to deliver the integrity-protected information element field to the user terminal through an authentication server function (AUSF) network element and then a security anchor function (SEAF) network element.
  5. The method according to claim 4, wherein the UDM network element is further configured to generate a home environment authentication vector from the security configuration file and to deliver the authentication token in the home environment authentication vector, together with the integrity-protected information element field, to the user terminal through the AUSF network element and then the SEAF network element;
    wherein the AUSF network element is configured to determine a serving environment authentication vector from the home environment authentication vector and to send the serving environment authentication vector and the integrity-protected information element field to the SEAF network element; the SEAF network element is configured to send the serving environment authentication vector and the integrity-protected information element field to the user terminal; the serving environment authentication vector includes the authentication token; and the user terminal is configured to perform freshness verification on the basis of the authentication token and integrity verification on the integrity-protected information element field and, when both the freshness verification and the integrity verification succeed, to complete the security authentication procedure for network access according to the information element field whose integrity verification succeeded.
  6. The method according to claim 4, wherein, when the user terminal accesses the network, obtaining the security information about the user terminal and the access network comprises:
    when the user terminal requests access to the network, receiving the security information sent by the UDM network element, wherein the UDM network element is configured, on receiving a first authentication request sent by the AUSF network element, to parse the first authentication request to obtain the security information carried in it and to send the security information to the SANF network element; wherein the first authentication request is generated by the AUSF network element on receiving a second authentication request sent by the SEAF network element, the second authentication request is generated by the SEAF network element on receiving a registration request sent by the user terminal and carries the terminal type, the user subscription identifier and the type of the access network, and the registration request is generated when the user terminal accesses the network and carries the terminal type and the user subscription identifier.
  7. The method according to claim 1, wherein the configuration parameters include a parameter identifying the authentication mode type, a parameter identifying the key derivation algorithm, and a parameter identifying the key length.
  8. A security authentication apparatus for a user terminal accessing a network, applied to a security algorithm negotiation function (SANF) network element, the apparatus comprising:
    an acquisition module configured to obtain security information about the user terminal and the access network, the security information including the terminal type of the user terminal, the user subscription identifier of the user terminal and the type of the access network;
    a determination module configured to determine, from the terminal type, the user subscription identifier and the type of the access network, configuration parameters for generating a security configuration file;
    a delivery module configured to generate the security configuration file from the configuration parameters and to deliver the security configuration file to the user terminal, so that the user terminal completes the security authentication procedure for network access according to the security configuration file.
  9. An electronic device comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with one another over the communication bus;
    the memory is configured to store a computer program;
    the processor is configured, when executing the program stored in the memory, to implement the steps of the security authentication method for a user terminal accessing a network according to any one of claims 1 to 7.
  10. A computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the security authentication method for a user terminal accessing a network according to any one of claims 1 to 7.
PCT/CN2023/077193 (priority date 2022-07-29, filing date 2023-02-20): Security authentication method for user terminal to access network, apparatus, and electronic device, WO2024021580A1 (en)

Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
CN202210909822.6 | 2022-07-29 | |
CN202210909822.6A (published as CN117527280A) | 2022-07-29 | 2022-07-29 | Security authentication method and device for user terminal to access network and electronic equipment

Publications (1)

Publication Number | Publication Date
WO2024021580A1 | 2024-02-01

Family

ID=89705210

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
PCT/CN2023/077193 | WO2024021580A1 (en): Security authentication method for user terminal to access network, apparatus, and electronic device | 2022-07-29 | 2023-02-20

Country Status (2)

Country | Link
CN (1) | CN117527280A (en)
WO (1) | WO2024021580A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party

Publication number | Priority date | Publication date | Assignee | Title
CN109474927A * | 2017-09-08 | 2019-03-15 | 中国电信股份有限公司 | Information interacting method, home network, user terminal and information interaction system
CN110493774A * | 2017-05-06 | 2019-11-22 | 华为技术有限公司 | Cipher key configuration method, apparatus and system
CN111787532A * | 2020-06-30 | 2020-10-16 | 兴唐通信科技有限公司 | Method for negotiating 5G mobile communication network safety capability
US20220116777A1 * | 2019-01-18 | 2022-04-14 | Thales Dis France Sa | A Method for Authentication a Secure Element Cooperating with a Mobile Equipment within a Terminal in a Telecommunication Network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party

HUAWEI, HISILICON: "A solution for KDF negotiation", 3GPP draft S3-170125 (v5), 3GPP TSG SA WG3, Sophia Antipolis (France), 6-10 February 2017, submitted 2 February 2017; Mobile Competence Centre, 650 route des Lucioles, F-06921 Sophia-Antipolis Cedex, France; XP051217491 *

Also Published As

Publication number | Publication date
CN117527280A | 2024-02-06

Legal Events

Code 121: Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 23844799; Country of ref document: EP; Kind code of ref document: A1