CN114173327B - Authentication method and terminal based on private network in 5G industry - Google Patents
- Publication number: CN114173327B (application CN202111475908.4A)
- Authority: CN (China)
- Prior art keywords: terminal, autn, execution environment, supi, trusted execution
- Legal status: Active
Classifications
- H04W12/03 — Security arrangements; protecting confidentiality, e.g. by encryption
- H04L9/3213 — Cryptographic mechanisms for entity authentication involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos
- H04W12/06 — Security arrangements; authentication
- H04W12/084 — Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol
- H04L2209/127 — Cryptographic hardware or logic circuitry; trusted platform modules [TPM]
Abstract
The disclosure relates to an authentication method based on a private network in the 5G industry, a terminal and a computer storage medium, and relates to the field of network technology. The authentication method is executed in a trusted execution environment of a terminal, where the trusted execution environment is independent of the terminal's rich execution environment, and comprises the following steps: acquiring the user permanent identifier SUPI of the terminal; generating a user hidden identifier SUCI from the SUPI of the terminal, where the SUCI is used by the core network device to authenticate the trusted execution environment of the terminal; receiving an authentication token AUTN from the core network device, where the AUTN is generated by the core network device once it has successfully authenticated the trusted execution environment of the terminal using the SUCI; and authenticating the core network device using the AUTN. The method and device improve the security of the trusted execution environment of the terminal.
Description
Technical Field
The disclosure relates to the field of network technology, and in particular relates to an authentication method, a terminal and a computer storage medium based on a private network in the 5G industry.
Background
A TEE (Trusted Execution Environment) is a secure operating system for intelligent terminals proposed by ARM. The TEE is independent of the REE (Rich Execution Environment), such as the Android system, and runs in parallel with it. TEEs are mainly used in security-sensitive fields such as production and secure payment. Applications with high security requirements can run in the trusted execution environment, so that the REE running environment of unsafe components is separated from the TEE running environment of safe components.
Disclosure of Invention
For this application scenario, the present disclosure provides a solution that improves the security of the trusted execution environment of the terminal.
According to a first aspect of the present disclosure, there is provided an authentication method based on a private network of a 5G industry, performed in a trusted execution environment of a terminal, the trusted execution environment of the terminal being independent of a rich execution environment of the terminal, the authentication method comprising: acquiring a user permanent identifier SUPI of the terminal; generating a user hidden identifier SUCI according to the SUPI of the terminal, wherein the SUCI is used for authenticating the trusted execution environment of the terminal by the core network equipment; receiving an authentication token AUTN from the core network equipment, wherein the AUTN is generated by the core network equipment under the condition that the trusted execution environment of the terminal is successfully authenticated according to SUCI; and authenticating the core network equipment according to the AUTN.
In some embodiments, the universal subscriber identity module (USIM) card of the terminal is deployed in the trusted execution environment of the terminal, and obtaining the user permanent identifier SUPI of the terminal includes: acquiring the SUPI of the terminal from the USIM card.
In some embodiments, the trusted execution environment of the terminal is deployed with an industry private network terminal database, where the industry private network terminal database stores related data required by an authentication process, and generating the user hidden identifier SUCI according to the SUPI of the terminal includes: acquiring a serial number SQN of the terminal from the industry private network terminal database; and generating SUCI according to the SQN and the SUPI.
In some embodiments, generating the SUCI from the SQN and the SUPI comprises: and encrypting the SQN and the SUPI by utilizing an encryption algorithm which is pre-shared by the trusted execution environment of the terminal and the core network equipment, so as to generate SUCI.
In some embodiments, encrypting the SQN and the SUPI, generating the SUCI comprises: merging the SQN and the SUPI to obtain a composite field; and encrypting the composite field by using the encryption algorithm to obtain SUCI.
In some embodiments, the SUPI is in international mobile subscriber identity, IMSI, format or network access identifier, NAI, format.
In some embodiments, the AUTN is an encrypted AUTN, the encrypted AUTN includes an updated SQN, and authenticating the core network device according to the AUTN includes: decrypting the encrypted AUTN according to a preset encryption and decryption strategy shared by the trusted execution environment of the terminal and the core network equipment to obtain the decrypted AUTN; and verifying whether the decrypted AUTN is valid, wherein the authentication of the core network device by the trusted execution environment of the terminal is successful under the condition that the decrypted AUTN is valid.
In some embodiments, the preset encryption and decryption policy includes: generating a target key according to the SQN before updating, the SUPI of the terminal and a preset initial key, wherein the target key is used for encrypting the AUTN by the core network equipment and decrypting the encrypted AUTN by the trusted execution environment of the terminal.
In some embodiments, the authentication method further comprises: under the condition that the authentication of the trusted execution environment of the terminal to the core network equipment is successful, acquiring the updated SQN according to the decrypted AUTN; deleting the SQN before updating; and storing the updated SQN to the industry private network terminal database.
According to a second aspect of the present disclosure, there is provided a terminal based on a private network of a 5G industry, including: a trusted execution environment and a rich execution environment that are independent of each other, the trusted execution environment comprising: an acquisition module configured to acquire a user permanent identifier SUPI of the terminal; a generating module configured to generate a user hidden identifier SUCI according to the SUPI of the terminal, where the SUCI is used for authenticating a trusted execution environment of the terminal by a core network device; a receiving module configured to receive an authentication token AUTN from the core network device, the AUTN being generated by the core network device if the trusted execution environment authentication of the terminal according to the SUCI is successful; and the authentication module is configured to authenticate the core network equipment according to the AUTN.
In some embodiments, the trusted execution environment further comprises: a universal subscriber identity module (USIM) card configured to store the SUPI of the terminal, and the acquisition module is further configured to acquire the SUPI of the terminal from the USIM card.
In some embodiments, the trusted execution environment further comprises: an industry private network terminal database configured to store related data required for an authentication process, the related data including a SQN of the terminal; the generation module is further configured to: acquiring a serial number SQN of the terminal from the industry private network terminal database; and generating SUCI according to the SQN and the SUPI.
According to a third aspect of the present disclosure, there is provided a terminal based on a private network of the 5G industry, including: a memory; and a processor coupled to the memory, the processor configured to perform the 5G industry private network-based authentication method of any of the embodiments above based on instructions stored in the memory.
According to a fourth aspect of the present disclosure, there is provided a computer-readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the private network-based authentication method according to any of the above embodiments.
In the above embodiments, the security of the trusted execution environment of the terminal can be improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description, serve to explain the principles of the disclosure.
The disclosure may be more clearly understood from the following detailed description taken in conjunction with the accompanying drawings in which:
Fig. 1 is a flow chart illustrating an authentication method according to some embodiments of the present disclosure;
Fig. 2a is a schematic diagram illustrating the structure of an IMSI according to some embodiments of the present disclosure;
Fig. 2b is a schematic diagram illustrating the structure of the composite field IMSI' according to some embodiments of the present disclosure;
Fig. 2c is a schematic diagram illustrating the structure of the SUCI according to some embodiments of the present disclosure;
Fig. 3 is a block diagram illustrating a terminal according to some embodiments of the present disclosure;
Fig. 4 is a block diagram illustrating a terminal according to further embodiments of the present disclosure;
Fig. 5 is a block diagram illustrating a terminal according to still further embodiments of the present disclosure;
Fig. 6 is a block diagram illustrating a computer system for implementing some embodiments of the present disclosure.
Detailed Description
Various exemplary embodiments of the present disclosure will now be described in detail with reference to the accompanying drawings. It should be noted that: the relative arrangement of the components and steps, numerical expressions and numerical values set forth in these embodiments do not limit the scope of the present disclosure unless it is specifically stated otherwise.
Meanwhile, it should be understood that the sizes of the respective parts shown in the drawings are not drawn in actual scale for convenience of description.
The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses.
Techniques, methods, and apparatus known to one of ordinary skill in the relevant art may not be discussed in detail, but are intended to be part of the specification where appropriate.
In all examples shown and discussed herein, any specific values should be construed as merely illustrative, and not a limitation. Thus, other examples of the exemplary embodiments may have different values.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further discussion thereof is necessary in subsequent figures.
Fig. 1 is a flow chart illustrating an authentication method according to some embodiments of the present disclosure.
As shown in fig. 1, the authentication method based on the private network of the 5G industry comprises steps S1 to S4. The authentication method is executed in a trusted execution environment of the terminal, and the trusted execution environment of the terminal is independent of a rich execution environment of the terminal.
In step S1, the SUPI (Subscription Permanent Identifier, user permanent identifier) of the terminal is acquired.
In some embodiments, the USIM (Universal Subscriber Identity Module) card of the terminal is deployed in the trusted execution environment of the terminal, and the SUPI of the terminal may be obtained from the USIM card. Because the USIM card sits in the trusted execution environment, the whole SUPI acquisition process is executed in the trusted execution environment, which further improves the security of the trusted execution environment of the terminal.
In some embodiments, the SUPI is in IMSI (International Mobile Subscriber Identity) format or NAI (Network Access Identifier) format.
In step S2, a SUCI (Subscription Concealed Identifier, user hidden identifier) is generated from the SUPI of the terminal. The SUCI is used by the core network device to authenticate the trusted execution environment of the terminal.
In some embodiments, the trusted execution environment of the terminal is deployed with an industry private network terminal database that stores the data required for the authentication process. In that case, the sequence number SQN of the terminal can be obtained from the industry private network terminal database, and the SUCI is generated from the SQN and the SUPI. Under the 5G AKA authentication mechanism the SQN differs from one authentication run to the next, i.e. it is variable; generating the SUCI from the variable SQN therefore adds random disturbance to the SUCI in every authentication run, which further improves the security of the trusted execution environment of the terminal, and in particular the security of the core network device's authentication of the terminal.
In some embodiments, the SQN and SUPI may be encrypted with an encryption algorithm pre-shared between the trusted execution environment of the terminal and the core network device, generating the SUCI. The pre-shared encryption algorithm is also used by the core network device to decrypt the SUCI and complete its authentication of the terminal.
In some embodiments, the SQN and SUPI may be encrypted to generate the SUCI as follows.
First, the SQN and SUPI are combined to obtain a composite field.
Fig. 2a is a schematic diagram illustrating the structure of an IMSI according to some embodiments of the present disclosure.
Taking a SUPI in IMSI format, as shown in fig. 2a, the SUPI includes an MCC (Mobile Country Code) field, an MNC (Mobile Network Code) field and an MSIN (Mobile Subscriber Identification Number) field. The MCC and MNC fields carry network and routing information, and the MSIN field identifies the subscriber. When the SUCI is generated, the MSIN field is cryptographically protected.
Fig. 2b is a schematic diagram illustrating the structure of the composite field IMSI' according to some embodiments of the present disclosure.
As shown in fig. 2b, the composite field includes, in addition to the three fields shown in fig. 2a, an SQN, denoted SQN1, incorporated into the MSIN field. The composite field is denoted IMSI', for example.
Then, the composite field is encrypted using the encryption algorithm to obtain the SUCI. In some embodiments, the encryption algorithm is an ECC (Elliptic Curve Cryptography) algorithm.
Fig. 2c is a schematic diagram illustrating the structure of SUCI of some embodiments of the present disclosure.
As shown in fig. 2c, the SUCI includes the SUPI type, home network identifier, routing identifier, protection algorithm ID, home network public key and SUPI ciphertext (scheme output). The MSIN and SQN of fig. 2b are encrypted using the encryption algorithm and stored in the SUPI ciphertext field.
Taking a SUPI in NAI format as an example, the NAI and SQN can be concatenated and the concatenated result encrypted to obtain the SUCI.
Returning to fig. 1, in step S3 an AUTN (Authentication Token) is received from the core network device. The AUTN is generated by the core network device if its authentication of the trusted execution environment of the terminal using the SUCI succeeds. In some embodiments, the AUTN is an AUTN encrypted by the core network device, and the encrypted AUTN includes an updated SQN. For example, the core network device first generates an original AUTN, denoted AUTN1, and then encrypts AUTN1 to obtain the encrypted AUTN, denoted AUTN2. Under the 5G AKA mechanism, as those skilled in the art will understand, after the core network device successfully authenticates the trusted execution environment of the terminal, the SQN corresponding to that trusted execution environment is updated and encapsulated in the AUTN; this is not described further here. Besides the updated SQN, other information used to authenticate the core network, such as the AK, is encapsulated in the AUTN, which those skilled in the art implement according to the 5G AKA authentication mechanism and which is not described in detail.
In step S4, the core network device is authenticated according to the AUTN.
For example, taking the case where the encrypted AUTN includes an updated SQN, step S4 may be implemented as follows.
First, the encrypted AUTN is decrypted according to a preset encryption and decryption policy shared by the trusted execution environment of the terminal and the core network device, to obtain the decrypted AUTN. For example, AUTN2 is decrypted to obtain AUTN1.
In some embodiments, the preset encryption and decryption policy includes: generating a target key from the pre-update SQN, the SUPI of the terminal and a preset initial key (denoted K, for example), where the target key is used by the core network device to encrypt the AUTN and by the trusted execution environment of the terminal to decrypt the encrypted AUTN. Because the target key is generated from the variable SQN, random disturbance is added to the target key and it differs in every authentication run, which further improves the security of the trusted execution environment of the terminal, and in particular the security of the trusted execution environment's authentication of the core network device.
In some embodiments, an exclusive OR operation is performed on the SUPI and the initial key, and the result of the exclusive OR operation is then concatenated with the pre-update SQN to obtain the target key.
For example, the target key is denoted Key Autn. Taking the initial key as K and the pre-update value of the terminal's SQN as SQN1, the target key is obtained by XORing the SUPI with K and concatenating the result with SQN1.
Then, it is verified whether the decrypted AUTN is valid. If the decrypted AUTN is valid, the trusted execution environment of the terminal has successfully authenticated the core network device. For example, key information such as the AK is obtained from the decrypted AUTN to perform the authentication. In some embodiments, the decrypted AUTN is checked to determine whether it is a valid AUTN. If it is valid, the authentication succeeds and the response RES is calculated (5G AKA already provides a mechanism for this, which is not described here). If the decrypted AUTN is invalid, the authentication is judged to have failed, and a man-in-the-middle attack is possible.
In the above embodiment, the authentication of the core network device by the trusted execution environment of the terminal is performed on an encrypted AUTN, which to some extent prevents the AUTN from revealing information closely related to the authentication while in transit, further improving the security of the trusted execution environment of the terminal, and in particular the security of its authentication of the core network device.
In some embodiments, when the trusted execution environment of the terminal has successfully authenticated the core network device, the updated SQN is obtained from the decrypted AUTN, the pre-update SQN is deleted, and the updated SQN is stored in the industry private network terminal database. The updated SQN is then used in the next authentication run, which again reflects the variability of the SQN and complements the variable SQN added to the SUCI, so that the security of the trusted execution environment of the terminal is improved.
In the above embodiments, bidirectional authentication between the trusted execution environment of the terminal and the core network device is implemented inside the trusted execution environment of a 5G industry private network terminal, based on the 5G AKA (Authentication and Key Agreement) authentication mechanism; this enhances the trusted execution environment and improves its security.
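The terminal-side flow of steps S1 to S4 together with the SQN update, as an added illustration that is not the patent's own code (Python, standard library only). The patent's ECC SUCI encryption and its AUTN cipher are replaced here by a constructed HMAC-SHA256 keystream cipher with an authentication tag, whose tag check stands in for the AUTN validity check; zero-padding the SUPI before the XOR, deriving a separate SUCI key from K, and requiring the updated SQN to move forward are assumptions of this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

SQN_LEN = 6  # AKA sequence numbers are 48 bits


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream (HMAC-SHA256 in counter mode); replaces the page's ECC cipher."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || 16-byte tag. The tag is the validity check."""
    nonce = os.urandom(12)
    ct = bytes(p ^ s for p, s in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the tag does not verify under this key."""
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(c ^ s for c, s in zip(ct, keystream(key, nonce, len(ct))))


def target_key(supi: str, k: bytes, sqn1: int) -> bytes:
    """Key Autn = (SUPI XOR K) || SQN1, the preset policy from the description.
    The SUPI digits are zero-padded to the length of K before the XOR (assumption)."""
    supi_bytes = supi.encode().ljust(len(k), b"\0")[: len(k)]
    xored = bytes(a ^ b for a, b in zip(supi_bytes, k))
    return xored + sqn1.to_bytes(SQN_LEN, "big")


# ---- terminal side (runs inside the TEE) -------------------------------------
@dataclass
class TerminalDb:
    """Industry private network terminal database: holds the current SQN."""
    sqn: int


def build_suci(supi: str, sqn: int, suci_key: bytes) -> dict:
    """Step S2 for an IMSI-format SUPI: MCC and MNC stay in clear, MSIN||SQN1 (fig. 2b) is encrypted."""
    mcc, mnc, msin = supi[:3], supi[3:5], supi[5:]
    composite = msin.encode() + sqn.to_bytes(SQN_LEN, "big")  # composite field IMSI'
    return {"supi_type": "imsi", "home_network_id": mcc + mnc,
            "scheme_output": seal(suci_key, composite)}


def terminal_authenticate(db: TerminalDb, supi: str, k: bytes, autn2: bytes) -> bool:
    """Step S4: decrypt AUTN2 with the key bound to the pre-update SQN, check validity, store new SQN."""
    autn1 = unseal(target_key(supi, k, db.sqn), autn2)
    if autn1 is None:
        return False  # invalid AUTN: wrong key, tampering or replay of an old AUTN2
    new_sqn = int.from_bytes(autn1[:SQN_LEN], "big")
    if new_sqn <= db.sqn:
        return False  # the updated SQN must move forward (freshness; assumption)
    db.sqn = new_sqn  # delete the pre-update SQN, store the updated one
    return True


# ---- core network side --------------------------------------------------------
def core_handle_suci(suci: dict, suci_key: bytes, next_sqn: int, k: bytes) -> Optional[bytes]:
    """Decrypt the SUCI to recover SUPI and SQN1, then return AUTN2 = Enc(Key Autn, AUTN1)."""
    composite = unseal(suci_key, suci["scheme_output"])
    if composite is None:
        return None  # authentication of the terminal TEE failed: no AUTN is issued
    msin = composite[:-SQN_LEN].decode()
    sqn1 = int.from_bytes(composite[-SQN_LEN:], "big")
    supi = suci["home_network_id"] + msin
    autn1 = next_sqn.to_bytes(SQN_LEN, "big") + os.urandom(16)  # 16 constructed bytes stand in for AK/MAC
    return seal(target_key(supi, k, sqn1), autn1)


def run_exchange(db: TerminalDb, supi: str, k: bytes) -> bool:
    """One full authentication round; the core advances the SQN by one (constructed policy)."""
    suci_key = hmac.new(k, b"suci", hashlib.sha256).digest()  # pre-shared SUCI key (assumption)
    suci = build_suci(supi, db.sqn, suci_key)
    autn2 = core_handle_suci(suci, suci_key, db.sqn + 1, k)
    return autn2 is not None and terminal_authenticate(db, supi, k, autn2)


if __name__ == "__main__":
    K = bytes(range(32))  # constructed pre-shared initial key K
    db = TerminalDb(sqn=41)
    print("round 1:", run_exchange(db, "460001234567890", K), "SQN now", db.sqn)
    print("round 2:", run_exchange(db, "460001234567890", K), "SQN now", db.sqn)
```

Because Key Autn is rebuilt from the stored SQN, an AUTN2 captured in one round no longer decrypts once the terminal has stored the updated SQN, which is what the SQN rotation buys the defender.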
Fig. 3 is a block diagram illustrating a terminal according to some embodiments of the present disclosure.
As shown in fig. 3, the 5G industry private network-based terminal 3 includes a trusted execution environment 31 and a rich execution environment 32. The trusted execution environment 31 and the rich execution environment 32 are independent of each other.
The trusted execution environment 31 includes an acquisition module 311, a generation module 312, a reception module 313, and an authentication module 314.
The acquisition module 311 is configured to acquire the user permanent identifier SUPI of the terminal, for example, performing step S1 as shown in fig. 1.
The generating module 312 is configured to generate a user hidden identifier SUCI according to the SUPI of the terminal, and the SUCI is used for the core network device to authenticate the trusted execution environment of the terminal, for example, to perform step S2 shown in fig. 1.
The receiving module 313 is configured to receive an authentication token AUTN from the core network device, which AUTN is generated by the core network device if the authentication of the trusted execution environment of the terminal according to the SUCI is successful, e.g. performing step S3 as shown in fig. 1.
The authentication module 314 is configured to authenticate the core network device according to the AUTN, for example, by performing step S4 shown in fig. 1.
In some embodiments, the trusted execution environment 31 also includes a USIM card 315. The USIM card 315 is configured to store the SUPI of the terminal. The acquisition module 311 is further configured to acquire the SUPI of the terminal from the USIM card 315.
In some embodiments, trusted execution environment 31 further includes industry private network terminal database 316. The industry private network terminal database 316 is configured to store relevant data required for the authentication process, including the SQN of the terminal. The generating module 312 is further configured to obtain a serial number SQN of the terminal from the industry private network terminal database; SUCI is generated from the SQN and SUPI.
Fig. 4 is a block diagram illustrating a terminal according to further embodiments of the present disclosure.
As shown in fig. 4, the 5G industry private network-based terminal 4 includes a trusted execution environment 41 and a rich execution environment 42. The trusted execution environment 41 and the rich execution environment 42 are independent of each other.
The trusted execution environment 41 includes a TEE user layer 411, TEE internal APIs (Application Programming Interface, application program interfaces) 412, TEE system kernel 413, and trusted peripherals 414.
TEE user layer 411 includes one or more trusted applications 4111. The TEE internal API412 is used for communication interactions between the TEE user layer 411 and the TEE system kernel 413.
The TEE system kernel 413 includes a 5G industry private network authentication control unit 4131, an industry private network terminal database 4132, an AUTN decryption engine 4133, a SUPI encryption engine 4134, and a key generator 4135.
The trusted peripheral 414 includes a 5G module 4141 and a USIM card 4142. The USIM card 4142 is configured to store the SUPI of the terminal.
The trusted application 4111 of the TEE user layer 411 triggers, through the TEE internal API 412, the 5G industry private network authentication control unit 4131 to perform the authentication and authorization process in the 5G network with the 5G core network device over the 5G module 4141.
The 5G industry private network authentication control unit 4131 notifies the SUPI encryption engine 4134 to generate the SUCI. On receiving the notification, the SUPI encryption engine 4134 obtains the SUPI from the USIM card 4142, obtains the SQN of the terminal from the industry private network terminal database 4132 through the 5G industry private network authentication control unit 4131, and encrypts the SQN and the SUPI to obtain the SUCI. The SUPI encryption engine 4134 sends the SUCI to the 5G industry private network authentication control unit 4131, which sends the SUCI to the core network device through the 5G module 4141.
The 5G industry private network authentication control unit 4131 also receives the encrypted AUTN from the core network device through the 5G module 4141, and sends the encrypted AUTN to the AUTN decryption engine 4133. The AUTN decryption engine 4133 notifies the key generator 4135 to generate the target key for decrypting the AUTN.
The key generator 4135 generates a target key and sends the target key to the AUTN decryption engine 4133. The specific target key generation may be implemented by the method steps described in the foregoing embodiments, which are not described herein.
The AUTN decryption engine 4133 decrypts the encrypted AUTN using the target key, and sends the decrypted AUTN to the 5G industry private network authentication and authorization control unit 4131.
The private network authentication control unit 4131 of the 5G industry authenticates the core network device according to the decrypted AUTN. The authentication procedure may be implemented, for example, by the method steps as described in the foregoing embodiments, which are not described in detail herein.
In some embodiments, TEE system kernel 413 also includes TEE trust module 4136.
The rich execution environment 42 includes an REE user layer 421, a TEE client API 422, an REE system kernel 423, and common peripherals 424.
The REE user layer 421 includes one or more 5G industry applications 4211 and one or more general applications 4212.
The REE system kernel 423 includes a hardware driver 4231, a network protocol stack 4232, and a TEE driver 4233.
The hardware driver 4231 and the network protocol stack 4232 are configured to provide driver resources and network resources for the REE user layer 421. The common peripherals 424 are configured to provide hardware support for the REE user layer 421 and the REE system kernel 423.
For example, when the user starts the 5G industry application 4211 of the REE user layer 421, the 5G industry application 4211 calls the TEE client API 422, which triggers the TEE driver 4233 to switch to the TEE trust module 4136 through the security monitor module 43 of the terminal 4. The TEE trust module 4136 then triggers the trusted application 4111 through the TEE internal API 412, which in turn triggers the 5G industry private network authentication control unit 4131 to perform the authentication procedure in the 5G network with the 5G core network device.
In the above embodiment, the common peripherals 424 and the trusted peripherals 414 together constitute the hardware platform of the terminal 4, as indicated by the dashed box in fig. 4.
Fig. 5 is a block diagram illustrating a terminal according to still further embodiments of the present disclosure.
As shown in fig. 5, the 5G industry private network-based terminal 5 includes a memory 51 and a processor 52 coupled to the memory 51. The memory 51 stores instructions for executing a corresponding embodiment of the 5G industry private network-based authentication method. The processor 52 is configured to perform the 5G industry private network-based authentication method of any of the embodiments of the present disclosure based on the instructions stored in the memory 51.
FIG. 6 is a block diagram illustrating a computer system for implementing some embodiments of the present disclosure.
As shown in FIG. 6, computer system 60 may be in the form of a general purpose computing device. Computer system 60 includes a memory 610, a processor 620, and a bus 600 that connects the various system components.
The memory 610 may include, for example, system memory, non-volatile storage media, and the like. The system memory stores, for example, an operating system, application programs, a boot loader, and other programs. The system memory may include volatile storage media, such as Random Access Memory (RAM) and/or cache memory. The non-volatile storage medium stores, for example, instructions to perform a corresponding embodiment of at least one of the 5G industry private network-based authentication methods. Non-volatile storage media include, but are not limited to, disk storage, optical storage, flash memory, and the like.
The processor 620 may be implemented as discrete hardware components such as a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gates or transistors, or the like. Accordingly, each of the modules, such as the judgment module and the determination module, may be implemented by a Central Processing Unit (CPU) executing instructions of the corresponding steps in the memory, or may be implemented by a dedicated circuit that performs the corresponding steps.
Bus 600 may employ any of a variety of bus architectures. For example, bus structures include, but are not limited to, an Industry Standard Architecture (ISA) bus, a Micro Channel Architecture (MCA) bus, and a Peripheral Component Interconnect (PCI) bus.
Computer system 60 may also include input-output interface 630, network interface 640, storage interface 650, and the like. These interfaces 630, 640, 650 and the memory 610 and processor 620 may be connected by a bus 600. The input output interface 630 may provide a connection interface for input output devices such as a display, mouse, keyboard, etc. Network interface 640 provides a connection interface for various networking devices. The storage interface 650 provides a connection interface for external storage devices such as a floppy disk, a USB flash disk, an SD card, and the like.
Various aspects of the present disclosure are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus and computer program products according to embodiments of the disclosure. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer readable program instructions.
These computer-readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable apparatus to produce a machine, such that the instructions, which execute via the processor, create means for implementing the functions specified in the flowchart and/or block diagram block or blocks.
These computer readable program instructions may also be stored in a computer readable memory that can direct a computer to function in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture including instructions which implement the function specified in the flowchart and/or block diagram block or blocks.
The present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects.
By the authentication method based on the private network of the 5G industry, the terminal and the computer storage medium in the embodiment, the security of the trusted execution environment of the terminal can be improved.
So far, the authentication method based on the private network of the 5G industry, the terminal and the computer storage medium have been described in detail according to the present disclosure. In order to avoid obscuring the concepts of the present disclosure, some details known in the art are not described. How to implement the solutions disclosed herein will be fully apparent to those skilled in the art from the above description.
Claims (12)
1. An authentication method based on a private network in the 5G industry, which is executed in a trusted execution environment of a terminal, wherein the trusted execution environment of the terminal is independent of a rich execution environment of the terminal, the authentication method comprising:
acquiring a user permanent identifier SUPI of the terminal;
generating a user hidden identifier SUCI according to the SUPI of the terminal, including: generating the SUCI according to the sequence number SQN and the SUPI of the terminal, wherein the SUCI is used by a core network device for authenticating the trusted execution environment of the terminal;
receiving an authentication token AUTN from the core network device, wherein the AUTN is generated by the core network device in the case that the trusted execution environment of the terminal is successfully authenticated according to the SUCI, the AUTN is encrypted, and the encrypted AUTN comprises an updated SQN;
authenticating the core network device according to the AUTN, including:
decrypting the encrypted AUTN according to a preset encryption and decryption policy shared by the trusted execution environment of the terminal and the core network device to obtain a decrypted AUTN, including: performing an exclusive-or operation on the SUPI of the terminal and an initial key, and performing a concatenation operation on the result of the exclusive-or operation and the SQN before updating to obtain a target key, wherein the target key is used by the core network device for encrypting the AUTN and by the trusted execution environment of the terminal for decrypting the encrypted AUTN;
and verifying whether the decrypted AUTN is valid, wherein the authentication of the core network device by the trusted execution environment of the terminal succeeds in the case that the decrypted AUTN is valid.
2. The authentication method of claim 1, wherein a universal subscriber identity module USIM card of the terminal is deployed in the trusted execution environment of the terminal, and acquiring the user permanent identifier SUPI of the terminal comprises:
acquiring the SUPI of the terminal from the USIM card.
3. The authentication method according to claim 1 or 2, wherein an industry private network terminal database is deployed in the trusted execution environment of the terminal, the industry private network terminal database storing related data required for the authentication process, and generating the SUCI according to the sequence number SQN and the SUPI of the terminal comprises:
acquiring the SQN of the terminal from the industry private network terminal database;
and generating the SUCI according to the SQN and the SUPI.
4. The authentication method of claim 3, wherein generating the SUCI according to the SQN and the SUPI comprises:
encrypting the SQN and the SUPI by using an encryption algorithm pre-shared by the trusted execution environment of the terminal and the core network device, so as to generate the SUCI.
5. The authentication method of claim 4, wherein encrypting the SQN and the SUPI to generate the SUCI comprises:
merging the SQN and the SUPI to obtain a composite field;
and encrypting the composite field by using the encryption algorithm to obtain the SUCI.
6. The authentication method of claim 1, wherein the SUPI is in an international mobile subscriber identity, IMSI, format or a network access identifier, NAI, format.
7. The authentication method of claim 3, further comprising:
in the case that the authentication of the core network device by the trusted execution environment of the terminal succeeds, acquiring the updated SQN according to the decrypted AUTN;
deleting the SQN before updating;
and storing the updated SQN in the industry private network terminal database.
8. A terminal based on a 5G industry private network, comprising: a trusted execution environment and a rich execution environment that are independent of each other, the trusted execution environment comprising:
an acquisition module configured to acquire a user permanent identifier SUPI of the terminal;
a generating module configured to generate a user hidden identifier SUCI according to the SUPI of the terminal, including: generating the SUCI according to the sequence number SQN and the SUPI of the terminal, wherein the SUCI is used by a core network device for authenticating the trusted execution environment of the terminal;
a receiving module configured to receive an authentication token AUTN from the core network device, wherein the AUTN is generated by the core network device in the case that the trusted execution environment of the terminal is successfully authenticated according to the SUCI, the AUTN is an encrypted AUTN, and the encrypted AUTN comprises an updated SQN;
an authentication module configured to authenticate the core network device according to the AUTN, including:
decrypting the encrypted AUTN according to a preset encryption and decryption policy shared by the trusted execution environment of the terminal and the core network device to obtain a decrypted AUTN, including: performing an exclusive-or operation on the SUPI of the terminal and an initial key, and performing a concatenation operation on the result of the exclusive-or operation and the SQN before updating to obtain a target key, wherein the target key is used by the core network device for encrypting the AUTN and by the trusted execution environment of the terminal for decrypting the encrypted AUTN;
and verifying whether the decrypted AUTN is valid, wherein the authentication of the core network device by the trusted execution environment of the terminal succeeds in the case that the decrypted AUTN is valid.
9. The terminal of claim 8, wherein the trusted execution environment further comprises:
a universal subscriber identity module USIM card configured to store the SUPI of the terminal,
the acquisition module being further configured to acquire the SUPI of the terminal from the USIM card.
10. The terminal of claim 8 or 9, wherein the trusted execution environment further comprises:
an industry private network terminal database configured to store related data required for the authentication process, the related data including the SQN of the terminal;
the generating module being further configured to: acquire the sequence number SQN of the terminal from the industry private network terminal database; and generate the SUCI according to the SQN and the SUPI.
11. A terminal based on a 5G industry private network, comprising:
a memory; and
a processor coupled to the memory, the processor configured to perform the 5G industry private network-based authentication method of any one of claims 1 to 7 based on instructions stored in the memory.
12. A computer-readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the 5G industry private network-based authentication method of any of claims 1 to 7.
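The following Python is an added worked example, not code from the patent, modelling the exchange laid out in claims 1 to 7 and in the engine-module description of fig. 4 above: the TEE builds the composite SQN || SUPI field and encrypts it into the SUCI; the core network authenticates the TEE from the SUCI and returns an encrypted AUTN carrying the updated SQN; both sides derive the target key as (SUPI XOR initial key) || SQN before updating; the TEE decrypts, validates, deletes the old SQN and stores the updated one. The page does not name the pre-shared encryption algorithm, the SQN width, the AUTN layout beyond "contains the updated SQN", how the core checks the SUCI, or what "valid" means for the decrypted AUTN. The HMAC-SHA256 keystream-plus-tag stand-in cipher, the 48-bit SQN, the random field appended to the AUTN, the core's SQN-equality check, the "SQN strictly increased" validity test and the separate SUCI key are therefore assumptions, and every identifier and key value is constructed.

```python
"""Model of the TEE/core exchange in claims 1 to 7 (added example, not patent code).

Assumptions: the unnamed pre-shared algorithm is replaced by an HMAC-SHA256
keystream with an HMAC tag; SQN is 48 bits; AUTN = updated SQN || random field;
a decrypted AUTN is "valid" when its tag verified and its SQN strictly increased.
"""
import hashlib
import hmac
import secrets

SQN_LEN = 6      # 48-bit sequence number (assumption)
NONCE_LEN = 16
TAG_LEN = 16


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the pre-shared algorithm: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = xor_bytes(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the tag does not verify."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        return None
    return xor_bytes(ct, _keystream(key, nonce, len(ct)))


def derive_target_key(supi: str, initial_key: bytes, sqn_before_update: bytes) -> bytes:
    """Claim 1: (SUPI XOR initial key) concatenated with the SQN before updating."""
    return xor_bytes(supi.encode(), initial_key) + sqn_before_update


# ---- terminal, trusted execution environment side ----
def tee_generate_suci(supi: str, sqn: bytes, suci_key: bytes) -> bytes:
    """Claim 5: merge SQN and SUPI into a composite field and encrypt it."""
    return seal(suci_key, sqn + supi.encode())


def tee_authenticate_core(tee_db: dict, supi: str, initial_key: bytes, enc_autn: bytes) -> bool:
    """Claims 1 and 7: decrypt with the target key, validate, then roll the SQN."""
    sqn_old = tee_db["sqn"]
    autn = unseal(derive_target_key(supi, initial_key, sqn_old), enc_autn)
    if autn is None or len(autn) != SQN_LEN + NONCE_LEN:
        return False
    sqn_new = autn[:SQN_LEN]
    if int.from_bytes(sqn_new, "big") <= int.from_bytes(sqn_old, "big"):
        return False                      # stale or replayed token
    tee_db["sqn"] = sqn_new               # old SQN deleted, updated SQN stored
    return True


# ---- core network side ----
def core_handle_suci(subscribers: dict, suci: bytes, suci_key: bytes):
    """Authenticate the TEE from the SUCI; return the encrypted AUTN or None."""
    field = unseal(suci_key, suci)
    if field is None:
        return None
    sqn, supi = field[:SQN_LEN], field[SQN_LEN:].decode()
    sub = subscribers.get(supi)
    if sub is None or sub["sqn"] != sqn:  # unknown SUPI or SQN mismatch
        return None
    sqn_new = (int.from_bytes(sqn, "big") + 1).to_bytes(SQN_LEN, "big")
    enc_autn = seal(derive_target_key(supi, sub["k0"], sqn),
                    sqn_new + secrets.token_bytes(NONCE_LEN))
    sub["sqn"] = sqn_new
    return enc_autn


def run_exchange(tamper: bool = False) -> bool:
    """One full round trip; with tamper=True a ciphertext byte is flipped in transit."""
    supi = "460001234567890"                 # constructed IMSI-format SUPI
    k0 = secrets.token_bytes(len(supi))      # initial key, same length as SUPI
    suci_key = secrets.token_bytes(32)       # pre-shared SUCI key (assumption)
    sqn0 = (41).to_bytes(SQN_LEN, "big")
    tee_db = {"sqn": sqn0}
    core_db = {supi: {"k0": k0, "sqn": sqn0}}
    enc_autn = core_handle_suci(core_db, tee_generate_suci(supi, sqn0, suci_key), suci_key)
    if enc_autn is None:
        return False
    if tamper:
        enc_autn = enc_autn[:NONCE_LEN] + bytes([enc_autn[NONCE_LEN] ^ 1]) + enc_autn[NONCE_LEN + 1:]
    return tee_authenticate_core(tee_db, supi, k0, enc_autn)
```

Calling `run_exchange()` returns True for an untouched AUTN and False when a ciphertext byte is altered. The design point worth noticing is that the target key is bound to the SQN before updating: once the TEE has stored the updated SQN, the same encrypted AUTN no longer decrypts, and a SUCI built from the old SQN is rejected by the core, so each token is usable exactly once.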
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111475908.4A CN114173327B (en) | 2021-12-06 | 2021-12-06 | Authentication method and terminal based on private network in 5G industry |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114173327A CN114173327A (en) | 2022-03-11 |
CN114173327B true CN114173327B (en) | 2024-08-23 |
Family
ID=80483207
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114173327B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117177238B (en) * | 2023-11-02 | 2024-01-23 | 中国电子科技集团公司第三十研究所 | Method and system for initiating control instruction by terminal |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||