
CN115348583B - Communication method and system in high-speed mobile scene - Google Patents


Info

Publication number
CN115348583B
Authority
CN
China
Prior art keywords
authentication
relay node
access node
node
user equipment
Prior art date
Legal status: Active (Google's assumption, not a legal conclusion)
Application number
CN202211274147.0A
Other languages
Chinese (zh)
Other versions
CN115348583A (en)
Inventor
周钢
刘镝
李世中
李大伟
关振宇
王旭东
张俊
孙茂鹏
司义品
高杰
Current Assignee (listed assignees may be inaccurate; Google has not performed a legal analysis)
China Travelsky Technology Co Ltd
Original Assignee
China Travelsky Technology Co Ltd
Application filed by China Travelsky Technology Co Ltd
Priority to CN202211274147.0A
Publication of CN115348583A
Application granted
Publication of CN115348583B
Legal status: Active


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/043 Key management using a trusted network node as an anchor
    • H04W 12/0431 Key distribution or pre-distribution; Key agreement
    • H04W 36/00 Hand-off or reselection arrangements
    • H04W 36/08 Reselecting an access point

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiment of the application discloses a communication method in a high-speed mobile scenario, applied in the field of communications security. In the method, the user equipment and the authentication server perform bidirectional authentication; the user equipment authenticates the relay node; and the relay node and the authentication server perform bidirectional authentication. During the authentication process the relay node and the user equipment negotiate a first session key, and the relay node and the first access node negotiate a second session key; communication then proceeds under the first and second session keys, which secures the communication between the relay node and the first access node and between the relay node and the user equipment.

Description

Communication method and system in high-speed mobile scene
Technical Field
The present application relates to the field of communications security, and in particular, to a method and a system for communications in a high-speed mobile scenario.
Background
Handover authentication in communication methods for high-speed mobility scenarios is frequent, must complete within a short time, and must be executed massively in parallel.
For high-speed mobility scenarios, the prior art proposes trajectory-prediction-based group handover authentication schemes, group pre-handover authentication schemes and the like; these schemes have difficulty guaranteeing the security of the communication process against attacks such as replay attacks and correlation attacks.
Disclosure of Invention
The embodiment of the application provides a communication method and a communication system in a high-speed mobile scenario that secure the communication process.
The first aspect of the present application provides a communication method in a high-speed mobile scenario, including:
the user equipment receives a first authentication vector sent by an authentication server through a relay node and a first access node, and authenticates the authentication server according to the first authentication vector;
the authentication server receives a first authentication response sent by the user equipment through the relay node and the first access node, and authenticates the user equipment according to the first authentication response;
the relay node receives a second authentication vector sent by the authentication server through the first access node, and authenticates the authentication server according to the second authentication vector;
the authentication server receives a second authentication response sent by the relay node through the first access node, and authenticates the relay node according to the second authentication response;
the user equipment receives a message authentication code sent by the relay node and authenticates the relay node according to the message authentication code;
after the user equipment passes the authentication of the relay node, the user equipment calculates a first session key of the user equipment and the relay node; after the authentication server authenticates the user equipment and the relay node, the relay node calculates a first session key of the relay node and the user equipment, wherein the first session key is used for the user equipment to communicate with the relay node;
when the relay node passes the authentication of the authentication server, the relay node calculates a second session key of the relay node and the first access node, and when the authentication server passes the authentication of the user equipment and the relay node, the authentication server calculates a second session key of the relay node and the first access node and sends the second session key to the first access node, wherein the second session key is used for the communication between the relay node and the first access node.
Optionally, the method further includes:
the relay node receives a switching request response sent by the authentication server through the first access node, and calculates a third session key of the relay node and a second access node according to the switching request response, wherein the third session key is used for communicating with the second access node when the user equipment is switched from the service area of the first access node to the service area of the second access node.
Optionally, the receiving, by the user equipment, a first authentication vector sent by an authentication server through a relay node and a first access node, and authenticating the authentication server according to the first authentication vector, includes:
the user equipment sends a first user hidden identifier and a first identifier of the authentication server to the authentication server through the relay node and the first access node;
the authentication server calculates a first authentication vector and sends the first authentication vector to the first access node;
the first access node sends a first encrypted random number and a first authentication token to the user equipment through the relay node; and the user equipment authenticates the authentication server according to the first encrypted random number and the first authentication token.
Optionally, the receiving, by the relay node, a second authentication vector sent by the authentication server through the first access node, and authenticating the authentication server according to the second authentication vector, includes:
the relay node sending a second user hidden identifier and a first identifier of the authentication server to the first access node;
the first access node sends an authentication request to the authentication server according to the first identifier;
the authentication server calculating a second authentication vector and sending the second authentication vector to the first access node;
the first access node sends a second encrypted random number and a second authentication token to the relay node;
and the relay node authenticates the authentication server according to the second encrypted random number and the second authentication token.
Optionally, the method further includes:
when the first access node receives the first authentication response, the first access node authenticates the user equipment according to the first authentication response;
if the first access node authenticates the user equipment, the first access node sends the first authentication response to the authentication server;
when the first access node receives the second authentication response, the first access node authenticates the relay node according to the second authentication response;
and if the first access node passes the authentication of the relay node, the first access node sends the second authentication response to the authentication server.
Optionally, the method further includes:
after the authentication server passes the authentication of the user equipment and the relay node, calculating a second session key between the first access node and the relay node, and sending the second session key and a pre-stored user permanent identifier of the relay node to the first access node;
the first access node generates an authentication success message according to the second session key and sends the authentication success message to the relay node;
and after receiving the authentication success message, the relay node calculates a first session key of the relay node and the user equipment.
Optionally, the relay node receiving a handover request response sent by the authentication server through the first access node and calculating, according to the handover request response, a third session key between the relay node and a second access node, includes:
the relay node sending a handover request message to the first access node, the handover request message including a user permanent identifier of the relay node, a temporary identifier, and a first identifier of the authentication server;
the first access node updates the handover request message according to a second identifier of the first access node, and sends the updated handover request message to the authentication server, wherein the updated handover request message includes the user permanent identifier, the temporary identifier, the first identifier and the second identifier;
and the authentication server selects the second access node according to the switching request message and calculates a third session key between the relay node and the second access node.
Optionally, the method further includes:
the authentication server authenticates the relay node according to the switching request message;
if the authentication server completes authentication on the relay node, the authentication server generates a global unique temporary identifier;
the authentication server sends the globally unique temporary identifier and the third session key to the second access node;
and the second access node stores the globally unique temporary identifier and the third session key and sends a key confirmation message to the authentication server.
Optionally, the method further includes:
the authentication server sends a switching request response to the relay node through the first access node;
the relay node calculates the third session key according to the switching request response;
when the user equipment is switched from the service area of the first access node to the service area of the second access node, the relay node communicates with the second access node through the third session key.
A second aspect of the present application provides a communication system in a high-speed mobile scenario, the system comprising: the system comprises user equipment, a relay node, a first access node and an authentication server;
the user equipment is used for receiving a first authentication vector sent by an authentication server through a relay node and a first access node, and authenticating the authentication server according to the first authentication vector; receiving a message authentication code sent by the relay node, and authenticating the relay node according to the message authentication code; after the user equipment passes the authentication of the relay node, the user equipment calculates a first session key of the user equipment and the relay node, wherein the first session key is used for the communication between the user equipment and the relay node;
the relay node is used for receiving a second authentication vector sent by the authentication server through the first access node and authenticating the authentication server according to the second authentication vector; after the authentication server authenticates the user equipment and the relay node, calculating a first session key of the relay node and the user equipment; after the authentication server passes the authentication, the relay node calculates a second session key of the relay node and the first access node, wherein the second session key is used for the relay node to communicate with the first access node;
the authentication server is configured to receive a first authentication response sent by the user equipment through the relay node and the first access node, and authenticate the user equipment according to the first authentication response; receiving a second authentication response sent by the relay node through the first access node, and authenticating the relay node according to the second authentication response; and after the user equipment and the relay node pass the authentication, calculating a second session key of the relay node and the first access node, and sending the second session key to the first access node.
The embodiment of the application describes a communication method in a high-speed mobile scenario in which the user equipment and the authentication server perform bidirectional authentication; the user equipment authenticates the relay node; and the relay node and the authentication server perform bidirectional authentication. After the user equipment has authenticated the relay node, it calculates a first session key with the relay node; after the authentication server has authenticated the user equipment and the relay node, the relay node calculates the first session key with the user equipment. After the relay node has authenticated the authentication server, the relay node calculates a second session key with the first access node, and after the authentication server has authenticated the user equipment and the relay node, the authentication server calculates the second session key between the relay node and the first access node and sends it to the first access node. Thus, in the authentication and key agreement stage, the user equipment and the relay node each achieve bidirectional authentication with the authentication server, and the user equipment authenticates the relay node. Furthermore, the relay node and the first access node negotiate the second session key, which secures communication between the relay node and the first access node, and the relay node and the user equipment negotiate the first session key, which secures communication between the relay node and the user equipment.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments described in the present application, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a schematic diagram of an exemplary application scenario provided in an embodiment of the present application;
fig. 2 is a schematic flowchart of a communication method in a high-speed mobile scenario according to an embodiment of the present application;
fig. 3 is a schematic flowchart of a handover method in a high-speed moving scene according to an embodiment of the present disclosure;
fig. 4 is a schematic structural diagram of a communication system in a high-speed moving scene according to an embodiment of the present application.
Detailed Description
The embodiment of the application provides a communication method and a communication system in a high-speed mobile scenario that secure the communication process.
As can be understood in conjunction with fig. 1, fig. 1 is a schematic diagram of an exemplary application scenario provided in the embodiment of the present application.
As shown in fig. 1, the user equipment (UE) is a device with a network access requirement on a high-speed train or an aircraft in a high-speed mobility scenario; the relay node (RN) is fixed on the train or aircraft and helps the UE connect to the ground network; the access node (AP) is the access point through which the UE connects to the core network, and may be a ground base station or a satellite; and the authentication server (AS) is a server in the core network responsible for authenticating the UE. When a UE in a high-speed mobility scenario is handed over from the service area of AP1 to that of AP2, a large number of authentications must be executed in parallel within a short time, and the penetration loss and Doppler shift caused by high-speed movement also degrade the quality of the network link, which makes the handover computationally expensive.
Referring to fig. 2, the figure is a schematic flowchart of a communication method in a high-speed moving scene according to an embodiment of the present application.
In the embodiment of the application, the user equipment (UE) receives a first authentication vector sent by the authentication server (AS) through the relay node (RN) and the first access node (AP1), and authenticates the AS according to the first authentication vector; the AS receives a first authentication response sent by the UE through the RN and AP1, and authenticates the UE according to it; the RN receives a second authentication vector sent by the AS through AP1 and authenticates the AS according to it; and the AS receives a second authentication response sent by the RN through AP1 and authenticates the RN according to it.
Specifically, the UE sends a first user hidden identifier SUCI_UE and the first identifier ID_AS of the AS to the AS through the RN and AP1; the AS calculates a first authentication vector and sends it to AP1; AP1 sends the first encrypted random number (the encrypted RAND_UE) and the first authentication token AUTN_UE to the UE through the RN; and the UE authenticates the AS according to the encrypted RAND_UE and AUTN_UE.
The RN sends a second user hidden identifier SUCI_RN and the identifier ID_AS of the AS to AP1; AP1 sends an authentication request to the AS according to ID_AS; the AS calculates a second authentication vector and sends it to AP1; AP1 sends the second encrypted random number (the encrypted RAND_RN) and the second authentication token AUTN_RN to the RN; and the RN authenticates the AS according to the encrypted RAND_RN and AUTN_RN.
The method comprises the following specific steps:
S201: the UE sends its temporary identifier GUTI and the first identifier ID_AS of the AS to the RN.
In the embodiment of the present application, the UE takes the public key PK_AS of the AS as input and uses a key encapsulation mechanism to generate the shared key k_UE between the UE and the AS together with a first ciphertext parameter C_0:
[formula image omitted]
The UE encrypts its first user permanent identifier SUPI_UE with a data encapsulation mechanism under k_UE to obtain the first user hidden identifier SUCI_UE, which the AS later uses to authenticate the UE:
[formula image omitted]
The UE takes the public key PK_RN of the RN as input and uses the key encapsulation mechanism to generate the shared key k_s between the UE and the RN together with a second ciphertext parameter C_1:
[formula image omitted]
The UE obtains its temporary identifier GUTI with the data encapsulation mechanism:
[formula image omitted]
where C_1 is the second ciphertext parameter, r_s is a random number generated by the UE, and SUCI_UE is the first user hidden identifier.
The UE sends the GUTI and ID_AS to the RN.
S202: the RN sends an authentication request to AP1, the authentication request comprising the second user hidden identifier SUCI_RN, the first user hidden identifier SUCI_UE and ID_AS.
In the embodiment of the application, the RN takes the public key PK_AS as input and uses the key encapsulation mechanism to generate the shared key k_RN between the RN and the AS together with a third ciphertext parameter C_RN:
[formula image omitted]
The RN encrypts its second user permanent identifier SUPI_RN with the data encapsulation mechanism under k_RN to obtain the second user hidden identifier SUCI_RN, which the AS uses to authenticate the RN:
[formula image omitted]
The RN parses the received GUTI into C_1 and the encrypted part of the GUTI; both are intermediate ciphertext parameters used in decryption:
[formula image omitted]
The RN decrypts C_1 with its private key sk_RN to obtain the shared key k_s between the RN and the UE:
[formula image omitted]
The RN then decrypts the encrypted part of the GUTI under k_s to obtain SUCI_UE and the random number r_s:
[formula image omitted]
The RN then sends SUCI_RN, SUCI_UE and ID_AS to AP1.
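Steps S201 and S202 as a runnable exchange. This is an added example, not code from the patent: the patent does not say which key encapsulation mechanism or data encapsulation mechanism it uses, so a Diffie-Hellman KEM over the RFC 3526 group 14 modulus and an encrypt-then-MAC DEM built from SHA-256 and HMAC are assumed here, as are the function names, the sample SUPI and the 16-byte r_s. It shows the double wrapping (SUCI_UE inside the GUTI), that the RN recovers k_s, r_s and SUCI_UE without learning SUPI_UE, that the AS recovers SUPI_UE, and that a GUTI modified in transit is rejected.

```python
"""Added example of the S201/S202 concealment; KEM/DEM choices are assumptions."""
import hashlib
import hmac
import secrets

# Assumption: RFC 3526 group 14 (2048-bit MODP prime, generator 2) as the KEM group.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G, C_LEN, R_LEN = 2, 256, 16          # generator, encapsulation size, r_s size

def keygen():
    """Static KEM key pair: (sk_AS, PK_AS) or (sk_RN, PK_RN)."""
    sk = secrets.randbits(256)
    return sk, pow(G, sk, P)

def _i2b(x):
    return x.to_bytes(C_LEN, "big")

def kem_encap(pk):
    """Return (k, C): fresh shared key k and ciphertext parameter C = g^x mod P."""
    x = secrets.randbits(256)
    c, ss = pow(G, x, P), pow(pk, x, P)
    return hashlib.sha256(b"KEM" + _i2b(c) + _i2b(ss)).digest(), _i2b(c)

def kem_decap(sk, c_bytes):
    """Recover k from C with the private key; reject degenerate group elements."""
    c = int.from_bytes(c_bytes, "big")
    if not 1 < c < P - 1:
        raise ValueError("invalid encapsulation")
    return hashlib.sha256(b"KEM" + c_bytes + _i2b(pow(c, sk, P))).digest()

def _keystream(k, n):
    k_enc = hashlib.sha256(b"enc" + k).digest()
    return b"".join(hashlib.sha256(k_enc + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def dem_enc(k, pt):
    """Encrypt-then-MAC DEM. k is single-use (one per encapsulation), so a
    deterministic keystream is safe; never reuse k for a second message."""
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(k, len(pt))))
    return ct + hmac.new(hashlib.sha256(b"mac" + k).digest(), ct, hashlib.sha256).digest()

def dem_dec(k, blob):
    """Return the plaintext, or None if the tag does not verify."""
    ct, tag = blob[:-32], blob[-32:]
    want = hmac.new(hashlib.sha256(b"mac" + k).digest(), ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(k, len(ct))))

def ue_conceal(pk_as, pk_rn, supi_ue):
    """S201 at the UE: SUCI_UE = C_0 || DEM(k_UE, SUPI_UE); GUTI = C_1 || DEM(k_s, r_s || SUCI_UE)."""
    k_ue, c0 = kem_encap(pk_as)
    suci_ue = c0 + dem_enc(k_ue, supi_ue)
    k_s, c1 = kem_encap(pk_rn)
    r_s = secrets.token_bytes(R_LEN)
    guti = c1 + dem_enc(k_s, r_s + suci_ue)
    return guti, {"k_ue": k_ue, "k_s": k_s, "r_s": r_s, "suci_ue": suci_ue}

def rn_open_guti(sk_rn, guti):
    """S202 at the RN: decapsulate C_1 to k_s, then recover r_s and SUCI_UE."""
    k_s = kem_decap(sk_rn, guti[:C_LEN])
    pt = dem_dec(k_s, guti[C_LEN:])
    return None if pt is None else {"k_s": k_s, "r_s": pt[:R_LEN], "suci_ue": pt[R_LEN:]}

def as_open_suci(sk_as, suci):
    """S204 at the AS: decapsulate C_0 to k_UE, then recover SUPI_UE."""
    k_ue = kem_decap(sk_as, suci[:C_LEN])
    supi = dem_dec(k_ue, suci[C_LEN:])
    return None if supi is None else {"k_ue": k_ue, "supi": supi}

def run_concealment(supi_ue=b"imsi-460001234567890"):   # constructed sample SUPI
    sk_as, pk_as = keygen()
    sk_rn, pk_rn = keygen()
    guti, ue = ue_conceal(pk_as, pk_rn, supi_ue)
    rn = rn_open_guti(sk_rn, guti)
    as_ = as_open_suci(sk_as, rn["suci_ue"])
    tampered = guti[:-1] + bytes([guti[-1] ^ 0x01])       # one bit flipped in transit
    return {
        "rn_recovers_suci": rn["suci_ue"] == ue["suci_ue"],
        "rn_recovers_r_s": rn["r_s"] == ue["r_s"],
        "rn_shares_k_s": rn["k_s"] == ue["k_s"],
        "as_recovers_supi": as_["supi"] == supi_ue,
        "as_shares_k_ue": as_["k_ue"] == ue["k_ue"],
        "rn_learns_supi": supi_ue in rn["suci_ue"],        # RN sees only SUCI_UE
        "tampered_guti_rejected": rn_open_guti(sk_rn, tampered) is None,
    }
```

The two encapsulations are independent: the RN can strip its own layer but the inner SUCI_UE stays opaque to it, which is what keeps SUPI_UE out of the hands of an on-board relay. The authenticated DEM is what makes the tamper check meaningful; an unauthenticated stream cipher here would let an attacker flip bits of r_s or SUCI_UE undetected.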
S203: AP1 sends the updated authentication request to the AS.
In the embodiment of the application, after receiving the authentication request sent by the RN, AP1 selects the AS corresponding to the UE according to the ID_AS in the request. AP1 updates the authentication request with its own identifier ID_AP1 and sends the updated request, which comprises SUCI_RN, SUCI_UE, ID_AS and ID_AP1, to the AS.
S204: the AS calculates a first authentication vector AV_UE and a second authentication vector AV_RN and sends AV_UE and AV_RN to AP1.
In the embodiment of the application, the AS decrypts the received SUCI_RN and SUCI_UE with its private key sk_AS, obtaining the shared key k_UE between the AS and the UE and the shared key k_RN between the AS and the RN, and then decrypts with k_UE and k_RN to obtain SUPI_UE and SUPI_RN:
[formula image omitted]
The AS uses the key derivation function f5 to generate a first anonymity key AK1 and a second anonymity key AK2:
[formula image omitted]
where k_ue is the key shared long-term by the AS and the UE, k_rn is the key shared long-term by the AS and the RN, RAND_UE is the random number the AS generates for the UE, and RAND_RN is the random number the AS generates for the RN. (The long-term keys k_ue and k_rn are distinct from the per-run KEM keys k_UE and k_RN established in S201 and S202.)
The AS uses the function f2 to generate a first expected response XRES_UE and a second expected response XRES_RN, and the message authentication function f1 to generate a first message authentication code MAC_UE and a second message authentication code MAC_RN:
[formula image omitted]
where SQN_AS is a sequence number generated by the AS, with which the UE and the RN verify the freshness of the message.
The AS encrypts RAND_UE under the shared key k_UE and RAND_RN under k_RN, obtaining the encrypted RAND_UE and the encrypted RAND_RN. From the encrypted RAND_UE and XRES_UE it obtains a first hashed expected response HXRES_UE, and from the encrypted RAND_RN and XRES_RN a second hashed expected response HXRES_RN. From AK1, MAC_UE and SQN_AS it generates AUTN_UE, and from AK2, MAC_RN and SQN_AS it generates AUTN_RN:
[formula image omitted]
Finally, the AS constructs the first authentication vector AV_UE from the encrypted RAND_UE, HXRES_UE and AUTN_UE, and the second authentication vector AV_RN from the encrypted RAND_RN, HXRES_RN and AUTN_RN:
[formula image omitted]
The AS sends the generated AV_UE and AV_RN to AP1.
S205: after receiving the first and second authentication vectors from the AS, AP1 stores the encrypted RAND_UE, the encrypted RAND_RN, HXRES_UE and HXRES_RN against the UE and the RN respectively, and sends the encrypted RAND_UE, the encrypted RAND_RN, AUTN_UE and AUTN_RN to the RN.
S206: the RN authenticates the AS and sends the encrypted RAND_UE, AUTN_UE and a third message authentication code MAC_UE-RN to the UE.
In the embodiment of the present application, the RN first calculates the third message authentication code MAC_UE-RN from the shared key k_s:
[formula image omitted]
where r_s is the random number generated by the UE and pre-stored by the RN, and SUCI_UE is the pre-stored first user hidden identifier of the UE.
The RN sends the encrypted RAND_UE, AUTN_UE and MAC_UE-RN to the UE and starts authenticating the AS.
The RN decrypts the encrypted RAND_RN with the shared key k_RN to obtain RAND_RN, then calculates AK2 from the key k_rn it shares long-term with the AS. With AK2 the RN recovers SQN_AS and MAC_RN from AUTN_RN:
[formula image omitted]
It then checks whether MAC_RN satisfies the following equation:
[formula image omitted]
and whether SQN_AS is fresh. If MAC_RN satisfies the equation and SQN_AS is fresh, the check passes and the RN has successfully authenticated the AS; otherwise the RN terminates the authentication process.
Once the RN has authenticated the AS, it generates the second authentication response RES_RN:
[formula image omitted]
The RN also calculates the second session key K_AP1 shared with AP1:
[formula image omitted]
S207: the UE authenticates the RN and the AS and sends a first authentication response RES_UE to the RN.
In the embodiment of the application, the UE decrypts the encrypted RAND_UE with the shared key k_UE to obtain RAND_UE, then calculates AK1 from the key k_ue it shares long-term with the AS. With AK1 the UE recovers SQN_AS and MAC_UE from AUTN_UE:
[formula image omitted]
It then checks whether MAC_UE satisfies the following equation:
[formula image omitted]
and whether SQN_AS is fresh. If MAC_UE satisfies the equation and SQN_AS is fresh, the check passes and the UE has successfully authenticated the AS; otherwise the UE terminates the authentication procedure.
Once the UE has authenticated the AS, it generates the first authentication response RES_UE:
[formula image omitted]
The UE sends an authentication response message comprising RES_UE to the RN.
In the embodiment of the application, the UE authenticates the RN by checking whether MAC_UE-RN satisfies the following equation:
[formula image omitted]
If MAC_UE-RN satisfies the equation, the UE judges that the RN is authenticated and calculates the session key K_S-RN shared with the RN:
[formula image omitted]
S208: RN is according to RES RN Updating the received authentication response message, and sending the updated authentication response message to the AP1, wherein the updated authentication response message comprises RES UE And RES RN
S209: the AP1 authenticates the UE and the RN and sends the updated authentication response message to the AS.
In the embodiment of the present application, the AP1 is based on the received RES UE And pre-stored
Figure 215863DEST_PATH_IMAGE020
Calculating a hash value HRES of the first authentication response for the UE according to the following equation UE
Figure DEST_PATH_IMAGE047
AP1 based on received RES RN And pre-stored
Figure 908881DEST_PATH_IMAGE021
Calculating a hash value HRES of the second authentication response for the RN according to the following equation RN
Figure DEST_PATH_IMAGE048
AP1 will HRES UE And HERS RN Respectively with prestored HXRES UE And HXRES RN Making a comparison if HRES UE And HXRES UE Coincidence, HERS RN And HXRES RN And if the authentication result is consistent, the AP passes the authentication of the UE and the RN. The AP1 then sends the updated authentication response message to the AS for further authentication.
S210: the AS authenticates the UE and the RN and generates a second session key K between the AP1 and the RN AP1 And is combined with K AP1 And SUPI RN To AP1.
In the embodiment of the present application, the AS receives the RES from the AP1 UE And RES RN With previously generated XRES UE And XRES RN A comparison was made. If RES UE And XRES UE ,RES RN And XRES RN And if the authentication result is consistent, the AS passes the authentication of the UE and the RN.
In the embodiment of the application, the AS generates the session key K between the AP and the RN based on the following equation AP1
Figure 328361DEST_PATH_IMAGE040
The AS sends K_AP1 together with the pre-stored SUPI_RN to AP1.
S211: AP1 generates an authentication success message according to K_AP1 and sends the authentication success message to the RN, where K_AP1 serves as the session key for communication between AP1 and the RN.
S212: after receiving the authentication success message sent by AP1, the RN generates the session key K_S-RN with the UE according to the following equation:
Figure 679708DEST_PATH_IMAGE046
The embodiment of the application describes a communication method in a high-speed mobile scene. In the authentication and key agreement stage of the method, the UE and the RN each perform bidirectional authentication with the AS, and the UE and the RN authenticate each other through the AS. In turn, the RN and AP1 negotiate a session key K_AP1, and the RN and the UE negotiate a session key K_S-RN; K_AP1 secures communication between the RN and AP1, and K_S-RN secures the communication channel between the RN and the UE.
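The two-level check of steps S209 and S210 (AP1 compares a hash of the received response against the pre-stored HXRES, while the AS compares the full RES against XRES), as an added Python illustration. This is not the patent's own code: the page gives the hash and response functions only as images, so HMAC-SHA256 for RES and SHA-256 over RAND||RES for HRES/HXRES are assumed stand-ins, and all keys, identifiers and the tampered response are constructed for the example.

```python
import hashlib
import hmac
import secrets


def response(k: bytes, rand: bytes) -> bytes:
    """RES computed by the UE or the RN from its long-term key and the challenge (assumed f2-style)."""
    return hmac.new(k, rand, hashlib.sha256).digest()[:16]


def hashed_response(rand: bytes, res: bytes) -> bytes:
    """HRES / HXRES: what AP1 checks, so AP1 never needs XRES itself (assumed SHA-256 over RAND||RES)."""
    return hashlib.sha256(rand + res).digest()


class AuthServer:
    """AS: owns the long-term keys, keeps XRES for itself and hands only HXRES to AP1."""

    def __init__(self, keys: dict):
        self.keys = keys            # SUPI -> long-term key; constructed table
        self.xres = {}

    def make_vector(self, supi: str):
        rand = secrets.token_bytes(16)
        self.xres[supi] = response(self.keys[supi], rand)
        return rand, hashed_response(rand, self.xres[supi])   # (RAND, HXRES) for AP1

    def check(self, supi: str, res: bytes) -> bool:
        """S210: full comparison of RES against XRES."""
        return hmac.compare_digest(self.xres.get(supi, b""), res)


class AccessNode:
    """AP1: stores (RAND, HXRES) per subscriber and filters responses before forwarding to the AS."""

    def __init__(self):
        self.vectors = {}

    def store(self, supi: str, rand: bytes, hxres: bytes):
        self.vectors[supi] = (rand, hxres)

    def check(self, supi: str, res: bytes) -> bool:
        """S209: recompute HRES from the received RES and compare with the pre-stored HXRES."""
        rand, hxres = self.vectors[supi]
        return hmac.compare_digest(hxres, hashed_response(rand, res))


def run_authentication(tamper_ue: bool = False) -> dict:
    """Run S208..S210 for one UE and one RN; returns the verdicts of AP1 and of the AS."""
    keys = {"supi-ue": secrets.token_bytes(32), "supi-rn": secrets.token_bytes(32)}
    as_, ap1, rand = AuthServer(keys), AccessNode(), {}
    for supi in keys:                         # AS issues a vector per subscriber, AP1 keeps only HXRES
        rand[supi], hxres = as_.make_vector(supi)
        ap1.store(supi, rand[supi], hxres)
    res = {supi: response(keys[supi], rand[supi]) for supi in keys}   # RES_UE and RES_RN
    if tamper_ue:
        res["supi-ue"] = bytes(16)            # constructed failure case: RES_UE altered in transit
    ap1_ok = all(ap1.check(s, res[s]) for s in keys)
    as_ok = ap1_ok and all(as_.check(s, res[s]) for s in keys)   # the AS only sees responses AP1 accepted
    return {"ap1_ok": ap1_ok, "as_ok": as_ok}
```

The point of the split is that AP1 holds only HXRES, so it can reject a wrong response locally (and drop it before it reaches the AS) but cannot produce a valid RES itself; the final decision still rests on the AS, which alone holds XRES and the long-term keys.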
Referring to fig. 3, the figure is a schematic flowchart of a handover method in a high-speed moving scene according to an embodiment of the present application.
In the embodiment of the application, the RN receives a handover request response sent by the AS through AP1 and calculates, according to the handover request response, a third session key K_AP2 between the RN and a second access node AP2; the third session key K_AP2 is used by the RN to communicate with AP2 when the UE is handed over from the service area of AP1 to the service area of AP2.
Specifically, the RN sends a handover request message to AP1, wherein the handover request message comprises the user permanent identifier SUPI_RN of the RN, the temporary identifier SUCI*, and the first identifier of the AS
Figure DEST_PATH_IMAGE049
; AP1 updates the handover request message according to the second identifier of AP1
Figure DEST_PATH_IMAGE050
and transmits the updated handover request message to the AS, wherein the updated handover request message includes SUPI_RN, SUCI*,
Figure 484722DEST_PATH_IMAGE049
and
Figure 630532DEST_PATH_IMAGE050
; the AS selects AP2 according to the handover request message and calculates a third session key K_AP2 between the RN and AP2.
Specifically, the AS authenticates the RN according to the handover request message; if the AS completes the authentication of the RN, the AS generates a globally unique temporary identifier GUTI*; the AS sends GUTI* and K_AP2 to AP2; AP2 stores GUTI* and K_AP2 and sends a key confirmation message to the AS. The AS sends a handover request response to the RN through AP1; the RN calculates K_AP2 according to the handover request response; when the UE is handed over from the service area of AP1 to the service area of AP2, the RN communicates with AP2 through K_AP2.
The method comprises the following specific steps:
S301: the RN transmits a handover request message to AP1.
The RN generates a temporary identifier SUCI* using the shared key k_RN established with the AS in the authentication stage, according to the following formula:
Figure DEST_PATH_IMAGE051
wherein
Figure DEST_PATH_IMAGE052
is the user permanent identifier of the RN, and r_h is a random number generated by the RN.
The RN generates a message authentication code MAC through the function f_1, according to the following formula:
Figure DEST_PATH_IMAGE053
wherein k is the long-term shared key of the RN and the AS, and SQN_RN is a sequence number pre-generated by the RN.
The RN calculates an anonymity key AK using the key derivation function f_5 and generates an authentication token AUTN, according to the following formulas:
Figure DEST_PATH_IMAGE054
Figure DEST_PATH_IMAGE055
The RN sends a handover request message to AP1, wherein the handover request message comprises SUCI*, AUTN and ID_AS.
S302: AP1 updates the received handover request message based on the second identifier
Figure 927522DEST_PATH_IMAGE050
to obtain an updated handover request message, and sends the updated handover request message to the corresponding AS, wherein the updated handover request message comprises SUCI*, AUTN, ID_AS and ID_AP1.
S303: the AS determines the access node AP2 and sends GUTI* and K_AP2 to AP2.
In the embodiment of the application, the AS decrypts SUCI* with the key k_RN shared with the RN to obtain SUPI_RN and the random number r_h, generates AK from r_h and the long-term key k shared with the RN, and parses AUTN with AK to obtain SQN_RN and MAC, according to the following formula:
Figure DEST_PATH_IMAGE056
The AS checks the obtained SQN_RN and MAC to judge whether the MAC satisfies the following equation:
Figure DEST_PATH_IMAGE057
If the MAC satisfies the above equation and SQN_RN is fresh, the AS judges that the RN passes authentication, and the AS generates a new temporary identifier GUTI* for the RN according to the following equation:
Figure DEST_PATH_IMAGE058
The AS selects a new access node AP2 and calculates the session key K_AP2 between the RN and AP2 according to the following equation:
Figure DEST_PATH_IMAGE059
Then, the AS sends GUTI* and K_AP2 to AP2.
S304: AP2 stores the received GUTI* and K_AP2 and sends a key confirmation message to the AS.
S305: the AS sends a handover response to AP1.
The AS generates a message authentication code MAC* according to the following equation:
Figure DEST_PATH_IMAGE060
wherein ID_AP2 is the identifier of AP2.
The AS constructs AUTN* according to the following formula:
Figure DEST_PATH_IMAGE061
The AS sends a handover request response to AP1, wherein the handover request response comprises AUTN* and ID_AP2.
S306: AP1 forwards the received handover request response to the RN.
S307: the RN parses the received AUTN* to obtain SQN_AS and MAC*, according to the following formula:
Figure DEST_PATH_IMAGE062
The RN checks the obtained SQN_AS and MAC* to determine whether MAC* satisfies the following equation:
Figure DEST_PATH_IMAGE063
If the MAC satisfies the above equation and SQN_RN is fresh, the RN generates the temporary identifier GUTI* according to the following equation:
Figure DEST_PATH_IMAGE064
The RN calculates the session key
Figure DEST_PATH_IMAGE065
for subsequent communication with AP2 according to the following equation:
Figure DEST_PATH_IMAGE066
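The handover pre-authentication of steps S301 to S307 (RN builds SUCI* and AUTN; the AS decrypts, checks the MAC and the freshness of the sequence number, provisions AP2 with GUTI* and K_AP2, and answers with AUTN*; the RN verifies AUTN* and derives the same GUTI* and K_AP2), as an added Python simulation with both sides' messages. This is not the patent's own code: the page's equations survive only as images, so the concrete functions below are assumed stand-ins (f_1 and f_5 as truncated HMAC-SHA256, AUTN laid out as (SQN xor AK) || MAC in the usual AKA style, SUCI* as a nonce plus a PRF keystream over SUPI_RN || r_h, and an HMAC-based KDF for GUTI* and K_AP2); how the AS picks k_RN for an incoming SUCI* is not stated on the page, so trial decryption over a subscriber table is assumed, and all identifiers, keys and sequence numbers are constructed sample values.

```python
import hashlib
import hmac
import secrets

SQN_LEN, MAC_LEN = 6, 8  # field sizes assumed for this illustration


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts; assumed primitive behind f_1, f_5 and the KDF."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()


def f1(k, sqn, r_h, ident): return prf(k, sqn, r_h, ident)[:MAC_LEN]  # MAC (assumed f_1)
def f5(k, r_h): return prf(k, r_h)[:SQN_LEN]                          # anonymity key AK (assumed f_5)
def kdf(k, label, *parts): return prf(k, label.encode(), *parts)     # GUTI* / K_AP2 derivation (assumed)
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))


def build_autn(k, sqn: int, r_h, ident) -> bytes:
    """AUTN = (SQN xor AK) || MAC, the AKA-style layout assumed for both AUTN and AUTN*."""
    sqn_b = sqn.to_bytes(SQN_LEN, "big")
    return xor(sqn_b, f5(k, r_h)) + f1(k, sqn_b, r_h, ident)


def check_autn(k, autn, r_h, ident, last_sqn: int):
    """Unmask SQN with AK, verify the MAC and require a fresh SQN; returns SQN or None."""
    sqn_b = xor(autn[:SQN_LEN], f5(k, r_h))
    sqn = int.from_bytes(sqn_b, "big")
    if not hmac.compare_digest(autn[SQN_LEN:], f1(k, sqn_b, r_h, ident)) or sqn <= last_sqn:
        return None
    return sqn


class RelayNode:
    def __init__(self, supi: str, k: bytes, k_rn: bytes):
        self.supi, self.k, self.k_rn = supi, k, k_rn
        self.sqn, self.last_sqn_as = 1, 0

    def handover_request(self, id_as: str) -> dict:
        """S301: SUCI* = nonce || ((SUPI_RN || r_h) xor PRF(k_RN, nonce)), plus AUTN over SQN_RN."""
        self.r_h, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
        plain = self.supi.ljust(16).encode() + self.r_h
        suci = nonce + xor(plain, prf(self.k_rn, nonce))
        autn = build_autn(self.k, self.sqn, self.r_h, id_as.encode())
        self.sqn += 1
        return {"suci": suci, "autn": autn, "id_as": id_as}   # AP1 appends ID_AP1 in S302 (not modelled)

    def handover_response(self, resp: dict):
        """S307: verify AUTN* and derive GUTI* and K_AP2; None if the check fails."""
        sqn_as = check_autn(self.k, resp["autn"], self.r_h, resp["id_ap2"].encode(), self.last_sqn_as)
        if sqn_as is None:
            return None
        self.last_sqn_as = sqn_as
        return (kdf(self.k, "guti", self.supi.encode(), self.r_h),
                kdf(self.k, "kap2", self.r_h, resp["id_ap2"].encode()))


class AuthServer:
    def __init__(self, subscribers: dict):
        self.subs = subscribers              # SUPI -> (k, k_RN); constructed table
        self.last_sqn, self.sqn_as = {}, 1

    def handle_request(self, msg: dict, ap2_id: str, ap2_store: dict):
        """S303 and S305: authenticate the RN, provision AP2 with (GUTI*, K_AP2), answer with AUTN*."""
        nonce, ct = msg["suci"][:16], msg["suci"][16:]
        for supi, (k, k_rn) in self.subs.items():   # k_RN selection not on the page: trial decryption assumed
            plain = xor(ct, prf(k_rn, nonce))
            if plain[:16].decode(errors="replace").strip() == supi:
                break
        else:
            return None
        r_h = plain[16:]
        sqn = check_autn(k, msg["autn"], r_h, msg["id_as"].encode(), self.last_sqn.get(supi, 0))
        if sqn is None:
            return None                          # bad MAC or replayed SQN_RN
        self.last_sqn[supi] = sqn
        guti = kdf(k, "guti", supi.encode(), r_h)
        ap2_store[guti] = kdf(k, "kap2", r_h, ap2_id.encode())   # S304: AP2 stores and confirms (dict stands in for AP2)
        autn_star = build_autn(k, self.sqn_as, r_h, ap2_id.encode())
        self.sqn_as += 1
        return {"autn": autn_star, "id_ap2": ap2_id}           # relayed to the RN by AP1 in S306


def run_handover(replay: bool = False) -> bool:
    """Run S301..S307; True when the RN and AP2 end up holding the same K_AP2 under the same GUTI*."""
    k, k_rn = secrets.token_bytes(32), secrets.token_bytes(32)
    rn, as_ = RelayNode("rn-0001", k, k_rn), AuthServer({"rn-0001": (k, k_rn)})
    ap2_store = {}
    req = rn.handover_request("as-main")
    resp = as_.handle_request(req, "ap2", ap2_store)
    if replay:                                   # constructed failure case: the same request presented twice
        resp = as_.handle_request(req, "ap2", ap2_store)
    if resp is None:
        return False
    out = rn.handover_response(resp)
    return out is not None and ap2_store.get(out[0]) == out[1]
```

Two properties of the scheme are visible in the run: SUPI_RN and r_h never travel in clear (only SUCI* does), and the sequence-number freshness check on both sides means a captured handover request or response cannot be replayed to re-key AP2 or the RN, which is why `run_handover(replay=True)` fails at the AS.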
In the high-speed mobile scene, while the UE is still within the service range of AP1, that is, before it leaves the service range of AP1 and enters the service range of AP2, the RN negotiates a session key with AP2 in advance with the help of AP1 and the AS. In the authentication and key agreement stage, the UE has already established a session key with the RN; the RN serves as a relay node between the UE and the AP, and from the UE's point of view the RN plays the role of the AP and provides network service to the UE. Therefore, the user equipment and the access node are decoupled in the handover stage, seamless handover of the UE is achieved, and handover efficiency is greatly improved.
Based on the method provided by the above embodiment, the embodiment of the present application further provides a communication system in a high-speed mobile scene, and the system is described below with reference to the accompanying drawings.
Referring to fig. 4, the figure is a schematic structural diagram of a communication system in a high-speed moving scenario according to an embodiment of the present application.
The communication system in the high-speed mobile scene in the embodiment of the application comprises: user equipment 401, relay node 402, first access node 403, and authentication server 404.
The user equipment 401 is configured to receive a first authentication vector sent by an authentication server AS through a relay node RN and a first access node AP1, and authenticate the AS according to the first authentication vector; receiving a message authentication code sent by the RN, and authenticating the RN according to the message authentication code; after the UE passes the RN authentication, the UE calculates a first session key of the UE and the RN, and the first session key is used for the communication between the UE and the RN;
the relay node 402 is configured to receive, through the AP1, a second authentication vector sent by the AS, and authenticate the AS according to the second authentication vector; after the AS authenticates the UE and the RN, calculating a first session key of the RN and the UE; after the AS passes the authentication, the RN calculates a second session key of the RN and the AP1, wherein the second session key is used for the RN and the AP1 to communicate;
the authentication server 404 is configured to receive a first authentication response sent by the UE through the RN and the AP1, and authenticate the UE according to the first authentication response; receiving a second authentication response sent by the RN through the AP1, and authenticating the RN according to the second authentication response; and after the UE and the RN pass the authentication, calculating a second session key of the RN and the AP1, and sending the second session key to the AP1.
In a possible implementation manner, the relay node 403 is specifically configured to:
and receiving a switching request response sent by the AS through the AP1, and calculating a third session key of the RN and the second access node AP2 according to the switching request response, wherein the third session key is used for communicating the RN and the AP2 when the UE is switched from the service area of the AP1 to the service area of the AP 2.
In one possible implementation form of the method,
the user equipment 401 is specifically configured to send a first user hidden identifier SUCI_UE and a first identifier ID_AS of the AS to the AS through the RN and AP1;
the authentication server 404 is specifically configured to calculate a first authentication vector and send the first authentication vector to AP1;
the first access node 403 is specifically configured to send, to the UE through the RN, a first encrypted random number RAND
Figure 968378DEST_PATH_IMAGE001
UE and a first authentication token AUTN_UE; the UE authenticates the AS according to RAND
Figure 159057DEST_PATH_IMAGE001
UE and AUTN_UE.
In one possible implementation form of the method,
the relay node 402 is specifically configured to send a second user hidden identifier SUCI_RN and a first identifier ID_AS of the AS to AP1;
the first access node 403 is specifically configured to send an authentication request to the AS according to ID_AS;
the authentication server 404 is specifically configured to calculate a second authentication vector and send the second authentication vector to AP1;
the first access node 403 is specifically configured to send, to the RN, a second encrypted random number RAND
Figure 475768DEST_PATH_IMAGE001
RN and a second authentication token AUTN_RN;
the relay node 402 is specifically configured to authenticate the AS according to RAND
Figure 869841DEST_PATH_IMAGE001
RN and AUTN_RN.
In one possible implementation form of the method,
the first access node 403 is specifically configured to authenticate the UE according to the first authentication response when the AP1 receives the first authentication response;
if the AP1 passes the authentication of the UE, the AP1 sends a first authentication response to the AS;
when the AP1 receives the second authentication response, the AP1 authenticates the RN according to the second authentication response;
and if the AP1 passes the RN authentication, the AP1 sends a second authentication response to the AS.
In one possible implementation form of the method,
the authentication server 404 is specifically configured to calculate a second session key between AP1 and the RN after the UE and the RN are authenticated, and to send the second session key and the pre-stored user permanent identifier SUPI_RN of the RN to AP1;
The first access node 403 is specifically configured to generate an authentication success message according to the second session key, and send the authentication success message to the RN;
the relay node 402 is specifically configured to calculate a first session key of the RN and the UE after receiving the authentication success message.
In one possible implementation form of the method,
the relay node 402 is specifically configured to send a handover request message to AP1, the handover request message comprising the user permanent identifier SUPI_RN of the RN, the temporary identifier SUCI*, and the first identifier of the AS
Figure 359728DEST_PATH_IMAGE049
; the first access node 403 is specifically configured to update the handover request message according to the second identifier of AP1
Figure 624487DEST_PATH_IMAGE050
and transmit the updated handover request message to the AS, wherein the updated handover request message includes SUPI_RN, SUCI*,
Figure 626947DEST_PATH_IMAGE049
and
Figure DEST_PATH_IMAGE067
; the authentication server 404 is specifically configured to select AP2 according to the handover request message and calculate a third session key between the RN and AP2.
In one possible implementation form of the method,
the authentication server 404 is specifically configured to authenticate the RN according to the handover request message; if the AS completes the authentication of the RN, the AS generates a globally unique temporary identifier GUTI*; the AS sends GUTI* and the
Figure DEST_PATH_IMAGE069
to AP2;
the second access node is specifically configured to store GUTI* and
Figure DEST_PATH_IMAGE070
and send a key confirmation message to the AS.
In one possible implementation form of the method,
the authentication server 404 is specifically configured to send a handover request response to the RN through AP1;
the relay node 402 is specifically configured to calculate a third session key according to the handover request response; when the UE switches from the service area of AP1 to the service area of AP2, the RN communicates with AP2 through the third session key.
Since the system is a device corresponding to the communication method in the high-speed moving scene provided by the above method embodiment, and the specific implementation of each unit of the system is the same concept as the above method embodiment, for the specific implementation of each unit of the system, reference may be made to the description part of the above method embodiment regarding the communication method in the high-speed moving scene, and details are not described here.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims of the present application and in the drawings described above, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be implemented in other sequences than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It can be clearly understood by those skilled in the art that, for convenience and simplicity of description, the specific working process of the system described above may refer to the corresponding process in the foregoing method embodiment, and details are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, e.g., some features may be omitted, or not implemented.
The above embodiments are intended to explain the objects, aspects and advantages of the present invention in further detail, and it should be understood that the above embodiments are merely illustrative of the present invention.
The above embodiments are only used to illustrate the technical solutions of the present application, and not to limit the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and these modifications or substitutions do not depart from the scope of the technical solutions of the embodiments of the present application.

Claims (10)

1. A communication method in a high-speed moving scene is characterized by comprising the following steps:
the user equipment receives a first authentication vector sent by an authentication server through a relay node and a first access node, and authenticates the authentication server according to the first authentication vector;
the authentication server receives a first authentication response sent by the user equipment through the relay node and the first access node, and authenticates the user equipment according to the first authentication response;
the relay node receives a second authentication vector sent by the authentication server through the first access node, and authenticates the authentication server according to the second authentication vector;
the authentication server receives a second authentication response sent by the relay node through the first access node, and authenticates the relay node according to the second authentication response;
the user equipment receives a message authentication code sent by the relay node and authenticates the relay node according to the message authentication code;
after the user equipment passes the authentication of the relay node, the user equipment calculates a first session key of the user equipment and the relay node; after the authentication server authenticates the user equipment and the relay node, the relay node calculates a first session key of the relay node and the user equipment, wherein the first session key is used for the communication between the user equipment and the relay node;
when the relay node passes the authentication of the authentication server, the relay node calculates a second session key between the relay node and the first access node, and when the authentication server passes the authentication of the user equipment and the relay node, the authentication server calculates a second session key between the relay node and the first access node and sends the second session key to the first access node, wherein the second session key is used for the communication between the relay node and the first access node.
2. The method of claim 1, further comprising:
the relay node receives a switching request response sent by the authentication server through the first access node, and calculates a third session key of the relay node and a second access node according to the switching request response, wherein the third session key is used for communicating with the second access node when the user equipment is switched from the service area of the first access node to the service area of the second access node.
3. The method of claim 1, wherein the user equipment receives a first authentication vector sent by an authentication server through a relay node and a first access node, and authenticates the authentication server according to the first authentication vector, and the method comprises:
the user equipment sends a first user hidden identifier and a first identifier of the authentication server to the authentication server through the relay node and the first access node;
the authentication server calculates a first authentication vector and sends the first authentication vector to the first access node;
the first access node sends a first encrypted random number and a first authentication token to the user equipment through the relay node; and the user equipment authenticates the authentication server according to the first encrypted random number and the first authentication token.
4. The method of claim 1, wherein the relay node receives, via the first access node, a second authentication vector sent by the authentication server, and authenticates the authentication server according to the second authentication vector, and wherein the method comprises:
the relay node sending a second user hidden identifier and a first identifier of the authentication server to the first access node;
the first access node sends an authentication request to the authentication server according to the first identifier;
the authentication server calculating a second authentication vector and sending the second authentication vector to the first access node;
the first access node sends a second encrypted random number and a second authentication token to the relay node;
and the relay node authenticates the authentication server according to the second encrypted random number and the second authentication token.
5. The method of claim 1, further comprising:
when the first access node receives the first authentication response, the first access node authenticates the user equipment according to the first authentication response;
if the first access node passes the authentication of the user equipment, the first access node sends the first authentication response to the authentication server;
when the first access node receives the second authentication response, the first access node authenticates the relay node according to the second authentication response;
and if the first access node passes the authentication of the relay node, the first access node sends the second authentication response to the authentication server.
6. The method of claim 1, further comprising:
after the authentication server passes the authentication of the user equipment and the relay node, calculating a second session key between the first access node and the relay node, and sending the second session key and a pre-stored user permanent identifier of the relay node to the first access node;
the first access node generates an authentication success message according to the second session key and sends the authentication success message to the relay node;
and after receiving the authentication success message, the relay node calculates a first session key of the relay node and the user equipment.
7. The method of claim 2, wherein the step of the relay node receiving a handover request response sent by the authentication server through the first access node and calculating a third session key of the relay node and a second access node according to the handover request response comprises:
the relay node sending a handover request message to the first access node, the handover request message including a user permanent identifier of the relay node, a temporary identifier, and a first identifier of the authentication server;
the first access node updates the handover request message according to a second identifier of the first access node, and sends the updated handover request message to the authentication server, wherein the updated handover request message includes the user permanent identifier, the temporary identifier, the first identifier and the second identifier;
and the authentication server selects the second access node according to the switching request message and calculates a third session key between the relay node and the second access node.
8. The method of claim 7, further comprising:
the authentication server authenticates the relay node according to the switching request message;
if the authentication server completes authentication on the relay node, the authentication server generates a global unique temporary identifier;
the authentication server sends the globally unique temporary identifier and the third session key to the second access node;
and the second access node stores the globally unique temporary identifier and the third session key and sends a key confirmation message to the authentication server.
9. The method of claim 8, further comprising:
the authentication server sends a switching request response to the relay node through the first access node;
the relay node calculates the third session key according to the switching request response;
when the user equipment is switched from the service area of the first access node to the service area of the second access node, the relay node communicates with the second access node through the third session key.
10. A communication system in a high-speed mobile scenario, the system comprising: the system comprises user equipment, a relay node, a first access node and an authentication server;
the user equipment is used for receiving a first authentication vector sent by an authentication server through a relay node and a first access node, and authenticating the authentication server according to the first authentication vector; receiving a message authentication code sent by the relay node, and authenticating the relay node according to the message authentication code; after the user equipment passes the authentication of the relay node, the user equipment calculates a first session key of the user equipment and the relay node, wherein the first session key is used for the user equipment to communicate with the relay node;
the relay node is used for receiving a second authentication vector sent by the authentication server through the first access node and authenticating the authentication server according to the second authentication vector; after the authentication server authenticates the user equipment and the relay node, calculating a first session key of the relay node and the user equipment; after the authentication server passes the authentication, the relay node calculates a second session key of the relay node and the first access node, wherein the second session key is used for the relay node to communicate with the first access node;
the authentication server is configured to receive a first authentication response sent by the user equipment through the relay node and the first access node, and authenticate the user equipment according to the first authentication response; receiving a second authentication response sent by the relay node through the first access node, and authenticating the relay node according to the second authentication response; and after the user equipment and the relay node pass the authentication, calculating a second session key of the relay node and the first access node, and sending the second session key to the first access node.
CN202211274147.0A 2022-10-18 2022-10-18 Communication method and system in high-speed mobile scene Active CN115348583B (en)

Publications (2)

Publication Number Publication Date
CN115348583A CN115348583A (en) 2022-11-15
CN115348583B true CN115348583B (en) 2023-01-03


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant