CN114143016B - Authentication method based on the Generic Bootstrapping Architecture (GBA) and corresponding device - Google Patents
Publication number: CN114143016B (application CN202010819512.6A)
Authority: CN (China)
Legal status: Active (status as listed by Google Patents; not a legal conclusion)
Classifications
- H04L63/00 Network architectures or network communication protocols for network security
- H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
- H04L63/16 Implementing security features at a particular protocol layer; H04L63/166 at the transport layer
- H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04W12/06 Authentication (H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
Abstract
An embodiment of the invention provides an authentication method based on the Generic Bootstrapping Architecture (GBA). The application layer gateway (ALG) negotiates a Transport Layer Security (TLS) connection with the user terminal (UE) and thereby learns the cipher suite the UE is using; it then applies that cipher suite to the access node (AP) so that the AP authenticates with the same suite. In some implementations, after the UE and the AP have each established a TLS tunnel with the ALG, the AP side and the UE side derive the authentication parameters with the same cipher suite and carry out the authentication. This avoids the authentication failure that otherwise occurs when the two TLS tunnels terminated at the ALG are negotiated with different cipher suites, which would make the AP's authentication of the UE fail, and so improves user experience.
Description
Technical Field
Embodiments of the invention relate to the field of communication technology, and in particular to an authentication method based on the Generic Bootstrapping Architecture (GBA) and a corresponding device.
Background
With the development of communication technology, many services require interaction between the UE (User Equipment) and an AS (Application Server): service activation, service configuration, service access and so on. To secure these applications, mutual authentication is needed between the UE and the AS. If the UE and each AS authenticate each other directly, two serious problems arise: the UE must perform an independent authentication with every AS, including negotiation of an authentication mechanism and management of a key; and the user must enter credentials every time the UE logs in to a different AS, which is a poor user experience. The 3GPP (3rd Generation Partnership Project) standards organization therefore introduced the concept of a Generic Authentication Architecture, of which GBA (Generic Bootstrapping Architecture) is the variant based on shared keys. GBA reuses the AKA (Authentication and Key Agreement) protocol of the 3G mobile network to give the UE and the network a mechanism for key sharing, mutual authentication and service protection, with high security and wide applicability.
GBA exposes a public network service address. For security and similar reasons, an ALG (Application Layer Gateway) is placed in front of it in real deployments; the ALG implements access control such as firewalling, anti-virus, intrusion detection and active authentication of user access, and so provides a complete access security management scheme for GBA. Once the ALG is introduced, however, the UE and the AP each establish a TLS (Transport Layer Security) tunnel with the ALG rather than with each other, and this affects the AP's authentication of the UE.
Disclosure of Invention
The GBA-based authentication method and corresponding device mainly solve the following technical problem: after the UE and the AP each establish a TLS tunnel with the ALG, the two tunnels may use different cipher suites, which causes authentication to fail and affects the AP's authentication of the UE.
To solve this problem, an embodiment of the invention provides a GBA-based authentication method applied on the terminal side, comprising:
negotiating a Transport Layer Security (TLS) connection with an application layer gateway and confirming the cipher suite in use (the claims call this the "key algorithm suite");
and applying that cipher suite to a wireless access node through the application layer gateway, so that the wireless access node uses the same cipher suite for authentication.
Based on the same inventive concept, an embodiment of the invention also provides a GBA-based authentication method applied on the gateway side, comprising:
negotiating a TLS connection with a user terminal and confirming the cipher suite used by the user terminal;
and applying that cipher suite to a wireless access node, so that the wireless access node uses it for authentication.
Based on the same inventive concept, an embodiment of the invention also provides a GBA-based authentication method applied on the wireless access node side, comprising:
performing authentication with the cipher suite that the application layer gateway applied to the wireless access node;
where that cipher suite is the one confirmed, during the TLS negotiation between the application layer gateway and the user terminal, as the suite the user terminal uses.
An embodiment of the invention also provides a terminal comprising a first processor, a first memory and a first communication bus;
the first communication bus connects the first processor and the first memory;
the first processor is configured to execute one or more computer programs stored in the first memory to implement the steps of the terminal-side GBA-based authentication method described above.
An embodiment of the invention also provides a gateway comprising a second processor, a second memory and a second communication bus;
the second communication bus connects the second processor and the second memory;
the second processor is configured to execute one or more computer programs stored in the second memory to implement the steps of the gateway-side GBA-based authentication method described above.
An embodiment of the invention also provides a wireless access node comprising a third processor, a third memory and a third communication bus;
the third communication bus connects the third processor and the third memory;
the third processor is configured to execute one or more computer programs stored in the third memory to implement the steps of the wireless-access-node-side GBA-based authentication method described above.
Embodiments of the invention also provide a computer storage medium storing one or more programs which, when executed by one or more processors, implement the steps of the GBA-based authentication method described above on the terminal side, the gateway side or the wireless access node side.
In the GBA-based authentication method and corresponding device of the embodiments, the cipher suite used by the user terminal is confirmed through the TLS negotiation with the user terminal and is then applied to the wireless access node, so that the wireless access node authenticates with that cipher suite. In some implementations, after the UE and the AP have each established a TLS tunnel with the ALG, the AP side and the UE side derive the authentication parameters with the same cipher suite and carry out the authentication, so the authentication failure caused by the two tunnels using different cipher suites, which would affect the AP's authentication of the UE, is avoided and user experience improves.
Additional features and corresponding advantages of the invention will be set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of the invention.
Drawings
Fig. 1 is a schematic view of the basic GBA architecture according to the first embodiment of the invention;
Fig. 2 is a schematic diagram of the basic GBA authentication flow according to the first embodiment of the invention;
Fig. 3 is a flowchart of a GBA-based authentication method according to an embodiment of the invention;
Fig. 4 is a basic flow chart of the application layer gateway applying a cipher suite to the wireless access node according to the first embodiment of the invention;
Fig. 5 is a schematic flow chart of the application layer gateway applying a cipher suite to the wireless access node according to still another embodiment of the invention;
Fig. 6 is a schematic diagram of the basic flow of applying a cipher suite to the wireless access node through the application layer gateway according to the first embodiment of the invention;
Fig. 7 is a schematic diagram of the basic flow of applying a cipher suite to the wireless access node through the application layer gateway according to another embodiment of the invention;
Fig. 8 is a basic flow diagram of a GBA-based authentication method according to the second embodiment of the invention;
Fig. 9 is a schematic diagram of the basic structure of a terminal according to the third embodiment of the invention;
Fig. 10 is a schematic diagram of the basic structure of a gateway according to the third embodiment of the invention;
Fig. 11 is a schematic diagram of the basic structure of a radio access node according to the third embodiment of the invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the following detailed description of the embodiments of the present invention is given with reference to the accompanying drawings. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Embodiment one:
In the related art, as shown in Fig. 1 (a schematic view of the basic GBA architecture), the architecture comprises the HSS (Home Subscriber Server), the BSF (Bootstrapping Server Function), a NAF (Network Application Function) or AP (Access Point) function, and the ALG. The NAF and the AP perform the same role here, so only one of them is present. The ALG establishes separate TLS channels with the UE and with the AP, and authentication proceeds as shown in Fig. 2: the UE negotiates a TLS connection with the ALG and the cipher suite 'yyzz' is confirmed; the UE sends a service request (HTTP GET) to the ALG; the ALG negotiates a TLS connection with the AP and the cipher suite 'aabb' is confirmed; the ALG forwards the HTTP GET to the AP; the AP answers 401 Unauthorized, which reaches the UE through the ALG; the UE generates a first Ks_NAF (Ks_int_NAF in the GBA_U case) from the TLS cipher suite 'yyzz' it negotiated with the ALG together with the other key-derivation parameters, computes a first response with that key, and sends the response to the AP through the ALG; the AP obtains a second Ks_NAF/Ks_int_NAF from the BSF using the cipher suite 'aabb' it negotiated with the ALG and the other parameters, computes a second response with that key, and compares it with the UE's first response; if the two match, authentication succeeds. Because the TLS cipher suite used by the AP differs from the one used by the UE, the derived Ks_NAF/Ks_int_NAF values differ, the responses differ, and the AP's authentication of the UE fails.
The cipher suite enters the key derivation because the NAF_Id used in the Ks_NAF derivation of 3GPP TS 33.220 is the NAF's FQDN followed by the Ua security protocol identifier, and for the TLS-based Ua protocols of TS 33.222 that identifier carries the negotiated TLS cipher suite code (the 'yyzz' of the figures). Two endpoints that believe they share one TLS session but were in fact given different suites by a TLS-terminating gateway therefore derive different NAF-specific keys from the same Ks.
To solve the problem in the related art that, after the UE and the AP have each established a TLS tunnel with the ALG, different cipher suites are used, authentication fails and the AP's authentication of the UE is affected, an embodiment of the invention provides a GBA-based authentication method applied on the user terminal side. Referring to Fig. 3, the method includes, but is not limited to:
S301: negotiating a TLS connection with the application layer gateway and confirming the cipher suite in use;
S302: applying that cipher suite to the wireless access node through the application layer gateway, so that the wireless access node uses it for authentication.
In some embodiments the UE negotiates a TLS connection with the ALG and confirms the cipher suite used between the UE and the ALG (the "key algorithm suite" of the claims; Cipher Suite in TLS terms). The embodiment does not restrict how the user terminal and the application layer gateway carry out the TLS negotiation, as long as a cipher suite usable between them is eventually determined.
In this embodiment, applying the cipher suite determined between the UE and the application layer gateway to the radio access node AP includes, but is not limited to, the following two approaches:
the first approach: the application layer gateway forwards the cipher suite to the wireless access node, which thereby adopts it for authentication;
the second approach: the application layer gateway uses that cipher suite when negotiating its own TLS connection with the wireless access node, so that the wireless access node ends up with the same suite.
In some embodiments the first approach includes, but is not limited to: the user terminal sends a service request to the application layer gateway; the application layer gateway forwards the service request to the wireless access node and carries the cipher suite along with it. That is, the user terminal sends a service request to the application layer gateway, the application layer gateway passes the cipher suite used on the user terminal side to the wireless access node in an extension parameter, and the wireless access node authenticates with the cipher suite the ALG supplied. For example, as shown in Fig. 4:
Steps 1-2: the user terminal UE negotiates a TLS connection with the application layer gateway ALG, and the cipher suite used between the UE and the ALG is confirmed as 'yyzz';
Step 3: the user terminal sends a service request (HTTP GET) to the application layer gateway;
Steps 4-5: the application layer gateway negotiates a TLS connection with the AP and the cipher suite used on the AP side is confirmed as 'aabb';
Step 6: the ALG forwards the UE's HTTP GET and carries the UE-side cipher suite 'yyzz' to the AP in an extension parameter, so that the AP authenticates with the cipher suite 'yyzz' used between the UE and the ALG; in other words, the cipher suite is applied to the wireless access node through the application layer gateway, and the wireless access node uses the same cipher suite 'yyzz' as the user terminal for authentication.
Specifically, the wireless access node uses the same cipher suite 'yyzz' as the user terminal to complete the authentication as follows:
Steps 7-8: having received the UE-side cipher suite 'yyzz', the AP sends a 401 Unauthorized response to the ALG, which forwards it to the UE;
Step 9: the UE generates a first Ks_NAF/Ks_int_NAF from the UE-side cipher suite 'yyzz' negotiated with the ALG and the other parameters, computes a first response with the first Ks_NAF/Ks_int_NAF as key, and sends it to the ALG, which forwards it to the AP;
Step 10: the AP obtains a second Ks_NAF/Ks_int_NAF from the BSF using the UE-side cipher suite ('yyzz') carried by the ALG and the other parameters, computes a second response with the second Ks_NAF/Ks_int_NAF as key, and compares the first and second responses; if they are identical, authentication succeeds. Because the cipher suite the AP uses for the derivation now matches the one the UE used, the Ks_NAF/Ks_int_NAF values and the responses match, and the AP's authentication of the UE succeeds. Note that in this approach the ALG-AP tunnel itself still runs with 'aabb'; the AP uses the relayed 'yyzz' only as its key-derivation input, so the value it relies on comes from the ALG rather than from its own TLS handshake.
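The key-derivation mismatch of the related-art flow (Fig. 2) and the fix of Fig. 4 (the AP deriving with the suite the ALG relays), reduced to runnable form as an added example; this is the editor's illustration, not code from the patent. It implements the Ks_NAF derivation of 3GPP TS 33.220 Annex B (an HMAC-SHA-256 KDF over NAF_Id = FQDN || Ua security protocol identifier, the identifier carrying the TLS cipher suite code as the page's 'yyzz', per Annex H) and the RFC 2617 HTTP Digest response used on the Ua interface. Ks, RAND, IMPI, the B-TID, the NAF FQDN, realm and nonces are constructed sample values; the BSF is modelled as the same KDF run locally; the related-art case uses the page's 0xC030 as the UE-ALG suite and 0x0035 as the ALG-AP suite.

```python
import base64
import hashlib
import hmac

# Constructed sample values for the example (not from the patent or any real network).
KS = bytes.fromhex("0123456789abcdef" * 4)                 # Ks = CK || IK from the Ub bootstrapping run
RAND = bytes.fromhex("00112233445566778899aabbccddeeff")  # RAND of the AKA challenge
IMPI = b"alice@ims.example.net"
B_TID = "ABEiM0RVZneImaq7zN3u_w==@bsf.example.net"          # bootstrapping transaction id (constructed)
NAF_FQDN = b"ap.example.net"
REALM = "3GPP-bootstrapping@ap.example.net"
URI = "/service"
NONCE = "constructed-server-nonce"
CNONCE = "constructed-client-nonce"


def ua_protocol_id_tls(cipher_suite: int) -> bytes:
    """Ua security protocol identifier for the TLS-based Ua protocols of TS 33.222,
    (0x01, 0x00, 0x01, yy, zz) per TS 33.220 Annex H; yy zz is the TLS cipher suite
    code, i.e. the 'yyzz' / 'aabb' placeholder of the patent text."""
    return b"\x01\x00\x01" + cipher_suite.to_bytes(2, "big")


def gba_kdf(key: bytes, *params: bytes) -> bytes:
    """TS 33.220 Annex B KDF: HMAC-SHA-256(Key, FC || P0 || L0 || P1 || L1 ...), FC = 0x01,
    each Li being the 2-byte big-endian length of Pi."""
    s = b"\x01"
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_ks_naf(cipher_suite: int) -> bytes:
    """Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id) with NAF_Id = FQDN || Ua protocol id.
    (Ks_int_NAF for GBA_U uses "gba-u" instead of "gba-me"; the suite dependence is the same.)
    The cipher suite is the only input that differs between UE and AP in the page's scenario."""
    naf_id = NAF_FQDN + ua_protocol_id_tls(cipher_suite)
    return gba_kdf(KS, b"gba-me", RAND, IMPI, naf_id)


def digest_response(username: str, password: str, method: str = "GET") -> str:
    """RFC 2617 HTTP Digest response (qop=auth, nc=1) as used on Ua:
    username = B-TID, password = base64(Ks_NAF)."""
    ha1 = hashlib.md5(f"{username}:{REALM}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{URI}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{NONCE}:00000001:{CNONCE}:auth:{ha2}".encode()).hexdigest()


def ue_first_response(ue_tls_suite: int) -> str:
    """Step 9: the UE derives the first Ks_NAF from the suite it negotiated with the ALG."""
    key = derive_ks_naf(ue_tls_suite)
    return digest_response(B_TID, base64.b64encode(key).decode())


def ap_second_response(suite_for_naf_id: int) -> str:
    """Step 10/11: the AP fetches Ks_NAF for its NAF_Id from the BSF (modelled here as the same
    KDF run locally) and recomputes the response. Related art: suite_for_naf_id is the suite of
    the AP's own TLS session with the ALG. Patent: it is the UE-side suite relayed or enforced
    by the ALG."""
    key_from_bsf = derive_ks_naf(suite_for_naf_id)
    return digest_response(B_TID, base64.b64encode(key_from_bsf).decode())


def ap_authenticates(ue_tls_suite: int, suite_for_naf_id: int) -> bool:
    """The AP's comparison of the two responses; constant-time to avoid a timing side channel."""
    return hmac.compare_digest(ue_first_response(ue_tls_suite), ap_second_response(suite_for_naf_id))


if __name__ == "__main__":
    # Related art (Fig. 2): UE-ALG suite 0xC030, ALG-AP suite 0x0035, AP derives with its own suite.
    print("related art, AP derives with 0x0035:", ap_authenticates(0xC030, 0x0035))  # False
    # Patent (Figs. 4-7): the AP derives with the UE-side suite 0xC030.
    print("patent, AP derives with 0xC030:     ", ap_authenticates(0xC030, 0xC030))  # True
```

The only difference between the failing and the succeeding run is the two bytes appended to NAF_Id; everything else (Ks, RAND, IMPI, nonces) is identical on both sides, which is why the patent can fix the problem purely by aligning the cipher suite value that reaches the AP.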
In other embodiments the first approach includes, but is not limited to: the user terminal sends the application layer gateway a service request that itself carries the cipher suite; the application layer gateway forwards the service request to the wireless access node. That is, when the user terminal sends the service request, it carries the cipher suite used on its side in an extension parameter of the request; the application layer gateway forwards the request to the wireless access node, and the wireless access node authenticates with the cipher suite found in the UE's request. For example, as shown in Fig. 5:
Steps 1-2: the user terminal UE negotiates a TLS connection with the application layer gateway ALG, and the cipher suite used between the UE and the ALG is confirmed as 'yyzz';
Step 3: the UE sends a service request (HTTP GET) to the ALG, and the HTTP GET carries the determined cipher suite ('yyzz') in an extension parameter;
Steps 4-5: the application layer gateway negotiates a TLS connection with the AP and the cipher suite used on the AP side is confirmed as 'aabb';
Step 6: when the ALG forwards the UE's HTTP GET, the cipher suite extension parameter ('yyzz') sent by the UE is passed through to the AP; the AP authenticates with the cipher suite 'yyzz' used between the UE and the ALG, i.e. the cipher suite is applied to the wireless access node through the application layer gateway, and the wireless access node uses the same cipher suite 'yyzz' as the user terminal.
In some examples, once the UE's cipher suite extension parameter ('yyzz') has been passed to the AP, the wireless access node completes the authentication with the same cipher suite 'yyzz' as the UE as follows:
Steps 7-8: the AP sends a 401 Unauthorized response to the ALG, which forwards it to the UE;
Step 9: the UE generates a first Ks_NAF/Ks_int_NAF from the UE-side cipher suite negotiated with the ALG and the other parameters, computes a first response with the first Ks_NAF/Ks_int_NAF as key, and sends it to the ALG; the first response may again carry the cipher suite ('yyzz') in an extension parameter;
Step 10: the ALG forwards the UE's request, again passing the UE's cipher suite extension parameter ('yyzz') through to the AP; the AP obtains a second Ks_NAF/Ks_int_NAF from the BSF using the UE-side cipher suite ('yyzz') carried through the ALG and the other parameters, computes a second response with the second Ks_NAF/Ks_int_NAF as key, and compares the first and second responses; if they are identical, authentication succeeds, because the cipher suite used by the AP matches the one used by the UE, so the Ks_NAF/Ks_int_NAF values and the responses match.
In some embodiments, the second approach is that the application layer gateway applies the cipher suite to the wireless access node by using that cipher suite in its own TLS negotiation with the wireless access node. For example, as shown in Fig. 6:
Steps 1-2: the UE negotiates a TLS connection with the ALG and the cipher suite used on the UE side is confirmed as 'yyzz';
Step 3: the UE sends a service request (HTTP GET) to the ALG;
Steps 4-5: when the ALG negotiates its TLS connection with the AP, it offers only the cipher suite 'yyzz' used on the UE side, so the AP side can only select that same cipher suite 'yyzz'; the cipher suite on the AP side is therefore also 'yyzz', and the wireless access node AP authenticates with the same cipher suite 'yyzz' as the user terminal UE. If the AP does not support 'yyzz', the ALG-AP handshake simply fails; the variant described next, which negotiates from a set of suites, avoids that.
Specifically, the wireless access node AP completes the authentication with the same cipher suite 'yyzz' as the user terminal UE, the AP-side cipher suite now also being 'yyzz', as follows:
Step 6: the ALG forwards the UE's HTTP GET;
Steps 7-8: the AP sends a 401 Unauthorized response, which reaches the UE through the ALG;
Steps 9-10: the UE generates a first Ks_NAF/Ks_int_NAF from the UE-side cipher suite 'yyzz' negotiated with the ALG and the other parameters, computes a first response with the first Ks_NAF/Ks_int_NAF as key, and sends it to the ALG, which forwards it to the AP;
Step 11: the AP obtains a second Ks_NAF/Ks_int_NAF from the BSF using the TLS cipher suite ('yyzz') of its own session and the other parameters, computes a second response with the second Ks_NAF/Ks_int_NAF as key, and compares the first and second responses; if they are identical, authentication succeeds, because the TLS cipher suite used by the AP is the same as the one used by the UE, so the derived Ks_NAF/Ks_int_NAF values and the responses match.
In some embodiments, negotiating TLS with the application layer gateway and confirming the cipher suite comprises: negotiating TLS with the application layer gateway and confirming the set of supported cipher suites, the set containing at least two usable cipher suites; and the application layer gateway's use of the cipher suite in its TLS negotiation with the wireless access node comprises: negotiating TLS with the wireless access node, through the application layer gateway, using that set of cipher suites, and thereby determining the cipher suite used between the application layer gateway and the wireless access node. For example, as shown in Fig. 7:
Step 1: the UE starts a TLS negotiation with the ALG; its Client Hello carries the cipher suite list supported on the UE side (0xC030, 0x0035, 0x002D);
Step 2: the ALG starts a TLS negotiation with the AP; its Client Hello carries the intersection of the UE's list and the ALG's own supported list (0xC030, 0x002D), so whatever the AP side selects is necessarily a cipher suite the UE side can use;
Step 3: the ALG receives the AP's Server Hello and confirms the cipher suite selected on the AP side (0xC030);
Step 4: the ALG returns a Server Hello to the UE selecting the cipher suite chosen on the AP side (0xC030), so the UE side uses the same cipher suite as the AP side. This requires the ALG to defer its Server Hello to the UE until the AP-side handshake has selected a suite;
Steps 5-6: the UE sends a service request (HTTP GET) and the ALG forwards it;
Steps 7-8: the AP sends a 401 Unauthorized response, which reaches the UE through the ALG;
Step 9: the UE generates a first Ks_NAF/Ks_int_NAF from the UE-side cipher suite (0xC030) negotiated with the ALG and the other parameters, computes a first response with the first Ks_NAF/Ks_int_NAF as key, and sends it to the ALG;
Step 10: the ALG forwards the UE's first response to the AP;
Step 11: the AP obtains a second Ks_NAF/Ks_int_NAF from the BSF using the AP-side cipher suite (0xC030) and the other parameters, computes a second response with the second Ks_NAF/Ks_int_NAF as key, and compares it with the first response sent by the UE; if they are identical, authentication succeeds, because the cipher suite used by the AP is the same as the one used by the UE, so the derived Ks_NAF/Ks_int_NAF values and the responses match. Of the three approaches, this is the one in which each side's key-derivation input is the suite of its own TLS session rather than a value carried in an extension parameter.
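The Fig. 7 negotiation above as an added example, not part of the patent: the ALG intersects the UE's Client Hello cipher suite list with its own, offers only that intersection to the AP, and echoes the AP's Server Hello choice back to the UE, so both tunnels end on one suite. The suite codes 0xC030, 0x0035 and 0x002D are the page's; the ALG's and AP's own lists (including 0x009C) are constructed, the wire encoding is the TLS cipher_suites vector (2-byte length followed by 2-byte codes), and the function names are the editor's. A related-art negotiation, in which the ALG's two handshakes select independently, is included for contrast.

```python
from typing import List, Sequence, Tuple


class HandshakeFailure(Exception):
    """Stands in for the TLS handshake_failure alert (AlertDescription 40)."""


def encode_suite_list(suites: Sequence[int]) -> bytes:
    """TLS ClientHello cipher_suites vector: 2-byte length in bytes, then 2-byte suite codes."""
    body = b"".join(s.to_bytes(2, "big") for s in suites)
    return len(body).to_bytes(2, "big") + body


def decode_suite_list(data: bytes) -> List[int]:
    """Inverse of encode_suite_list; rejects a truncated, empty or odd-length vector."""
    if len(data) < 2:
        raise ValueError("cipher_suites vector too short")
    n = int.from_bytes(data[:2], "big")
    if n == 0 or n % 2 or len(data) != 2 + n:
        raise ValueError("malformed cipher_suites vector")
    return [int.from_bytes(data[2 + i:4 + i], "big") for i in range(0, n, 2)]


def server_select(offered: Sequence[int], preference: Sequence[int]) -> int:
    """ServerHello selection: first suite in the server's preference order that the client offered."""
    for s in preference:
        if s in offered:
            return s
    raise HandshakeFailure("no cipher suite in common")


def alg_offer_to_ap(ue_offer: Sequence[int], alg_supported: Sequence[int]) -> List[int]:
    """Fig. 7 step 2: the ALG's ClientHello to the AP carries only suites both the UE and the ALG
    support, in the UE's preference order."""
    allowed = set(alg_supported)
    offer = [s for s in ue_offer if s in allowed]
    if not offer:
        raise HandshakeFailure("UE and ALG share no cipher suite")
    return offer


def alg_server_hello_to_ue(ap_choice: int, ue_offer: Sequence[int]) -> int:
    """Fig. 7 step 4: the ALG echoes the AP's choice to the UE. TLS forbids selecting a suite the
    client did not offer, so the ALG checks this before answering."""
    if ap_choice not in ue_offer:
        raise HandshakeFailure("AP selected a suite the UE did not offer")
    return ap_choice


def negotiate_via_alg(ue_client_hello: bytes, alg_supported: Sequence[int],
                      ap_preference: Sequence[int]) -> Tuple[int, int]:
    """Patent scheme. Returns (suite on the UE-ALG tunnel, suite on the ALG-AP tunnel).
    The ALG must hold the UE's handshake open until the AP side has chosen."""
    ue_offer = decode_suite_list(ue_client_hello)
    to_ap = alg_offer_to_ap(ue_offer, alg_supported)
    ap_suite = server_select(decode_suite_list(encode_suite_list(to_ap)), ap_preference)
    ue_suite = alg_server_hello_to_ue(ap_suite, ue_offer)
    return ue_suite, ap_suite


def negotiate_related_art(ue_client_hello: bytes, alg_supported: Sequence[int],
                          ap_preference: Sequence[int]) -> Tuple[int, int]:
    """Fig. 2 behaviour: the ALG answers the UE from its own list and separately offers its whole
    list to the AP, so the two tunnels can end on different suites."""
    ue_offer = decode_suite_list(ue_client_hello)
    ue_suite = server_select(ue_offer, alg_supported)              # ALG's ServerHello to the UE
    ap_suite = server_select(list(alg_supported), ap_preference)   # AP's ServerHello to the ALG
    return ue_suite, ap_suite


def negotiation_fails(ue_client_hello: bytes, alg_supported: Sequence[int],
                      ap_preference: Sequence[int]) -> bool:
    """True if the patent scheme aborts the handshake instead of producing a mismatched pair."""
    try:
        negotiate_via_alg(ue_client_hello, alg_supported, ap_preference)
    except HandshakeFailure:
        return True
    return False


if __name__ == "__main__":
    ue_hello = encode_suite_list([0xC030, 0x0035, 0x002D])  # the page's UE-side list
    alg_list = [0xC030, 0x002D, 0x009C]                     # constructed ALG list
    ap_pref = [0x009C, 0xC030, 0x002D]                      # constructed AP preference order
    print("related art:", negotiate_related_art(ue_hello, alg_list, ap_pref))  # (0xC030, 0x009C)
    print("patent     :", negotiate_via_alg(ue_hello, alg_list, ap_pref))      # (0xC030, 0xC030)
```

With server-preference ordering on the AP, the related-art run picks 0x009C for the ALG-AP tunnel while the UE-ALG tunnel got 0xC030, which is exactly the 'yyzz' versus 'aabb' situation of Fig. 2; restricting the ALG's offer to the intersection leaves the AP no choice outside the UE's list.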
In the terminal-side GBA-based authentication method described above, the UE confirms the cipher suite in use by negotiating TLS with the application layer gateway and applies that cipher suite to the wireless access node through the application layer gateway, so that the wireless access node authenticates with it. In other words, after the UE and the AP have each established a TLS tunnel with the ALG, the cipher suite used on the UE side is applied to the AP side through the ALG, so the AP side and the UE side derive the authentication parameters with the same cipher suite and carry out the authentication; the authentication failure caused by the two tunnels using different cipher suites, which would affect the AP's authentication of the UE, is avoided, and user experience improves.
Embodiment two:
The embodiment of the invention also provides an authentication method applied to the application layer gateway side and based on the general guide architecture GBA, as shown in FIG. 8, the method comprises but not limited to:
s801, carrying out secure transport layer protocol negotiation with a user terminal, and confirming a secret key algorithm suite used by the user terminal;
S802, the key algorithm suite is applied to the wireless access node, so that the wireless access node uses the key algorithm suite for authentication.
In some embodiments, the application layer gateway ALG negotiates a secure transport layer protocol TLS connection with the user terminal UE and thereby confirms the key algorithm suite (cipher suite) used between the UE and the ALG. It should be understood that this embodiment does not limit the manner in which the user terminal negotiates the secure transport layer protocol with the application layer gateway, as long as the key algorithm suite usable between the user terminal and the application layer gateway is finally determined.
In some embodiments, the manner in which the key algorithm suite is applied to the wireless access node so that the wireless access node authenticates with it is the same as in the embodiment above and is not repeated here.
In the authentication method based on the generic bootstrapping architecture GBA applied to the application layer gateway side, the gateway performs secure transport layer protocol negotiation with the user terminal, confirms the key algorithm suite used by the user terminal, and applies that suite to the wireless access node so that the wireless access node authenticates with it. That is, after the UE and the AP each establish a TLS tunnel with the ALG, the AP side and the UE side calculate the authentication parameters with the same key algorithm suite and perform authentication. This avoids the authentication failure, and the resulting effect on the AP's authentication of the UE, that would be caused by the UE and the AP using different key algorithm suites after each has established its own TLS tunnel with the ALG, and improves user experience.
An embodiment of the invention also provides an authentication method based on the generic bootstrapping architecture GBA applied to the wireless access node side, which includes the following step: performing authentication using the key algorithm suite applied to the wireless access node by the application layer gateway, where the key algorithm suite is the one confirmed, through secure transport layer protocol negotiation between the application layer gateway and the user terminal, as the suite used by the user terminal.
In some embodiments, the application layer gateway ALG negotiates a secure transport layer protocol TLS connection with the user terminal UE and, after confirming the key algorithm suite (cipher suite) used between the UE and the ALG, applies that key algorithm suite to the wireless access node so that the wireless access node authenticates according to it. It should be understood that this embodiment does not limit the manner in which the user terminal negotiates the secure transport layer protocol with the application layer gateway, as long as the key algorithm suite usable between the user terminal and the application layer gateway is finally determined.
In some embodiments, the manner in which the key algorithm suite is applied to the wireless access node so that the wireless access node authenticates with it is the same as in the embodiment above and is not repeated here.
In the authentication method based on the generic bootstrapping architecture GBA applied to the wireless access node side, the wireless access node authenticates using the key algorithm suite applied to it by the application layer gateway, that suite being the one confirmed, through secure transport layer protocol negotiation between the application layer gateway and the user terminal, as used by the user terminal. That is, after the UE and the AP each establish a TLS tunnel with the ALG, the AP side calculates the authentication parameters with the same key algorithm suite as the UE side and performs authentication. This avoids the authentication failure, and the resulting effect on the AP's authentication of the UE, that would be caused by the UE and the AP using different key algorithm suites after each has established its own TLS tunnel with the ALG, and improves user experience.
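The mechanism behind step 11 and the three side summaries above, as an added example that is not part of the patent: a Python model in which Ks_NAF depends on the TLS cipher suite because the suite is carried in the NAF_Id, so the AP's second response only matches the UE's first response once the ALG has applied the UE's suite to the AP. The NAF_Id and KDF layout are assumed to follow 3GPP TS 33.220 (stated again in the code); Ks, RAND, IMPI, the B-TID, the NAF FQDN, the nonce and the HMAC stand-in for the HTTP Digest response are all constructed sample values.

```python
import hashlib
import hmac

# IANA TLS cipher suite code points; 0xC030 is the suite used in step 11 above.
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F

# Constructed sample bootstrapping material; in a real run Ks, RAND and the
# B-TID come from the GBA bootstrapping with the BSF and the IMPI from the USIM.
KS = hashlib.sha256(b"constructed sample Ks").digest()
RAND = bytes(range(16))
IMPI = "user@ims.example"
BTID = "btid-sample@bsf.example"
NAF_FQDN = "ap.example"


def ua_security_protocol_id(cipher_suite: int) -> bytes:
    """Ua security protocol identifier for TLS with a given cipher suite.
    Assumed layout (TS 33.220 Annex H): 0x01,0x00,0x01 followed by the
    two-byte suite code, so the suite becomes part of NAF_Id."""
    return b"\x01\x00\x01" + cipher_suite.to_bytes(2, "big")


def gba_kdf(key: bytes, *params: bytes) -> bytes:
    """KDF with the assumed 3GPP layout: S = FC || P0 || L0 || P1 || L1 ...,
    FC = 0x01, each Li a 2-byte big-endian length, output HMAC-SHA-256."""
    s = b"\x01"
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_ks_naf(ks: bytes, rand: bytes, impi: str, naf_fqdn: str,
                  cipher_suite: int) -> bytes:
    """Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id); NAF_Id carries the suite."""
    naf_id = naf_fqdn.encode() + ua_security_protocol_id(cipher_suite)
    return gba_kdf(ks, b"gba-me", rand, impi.encode(), naf_id)


def compute_response(ks_naf: bytes, btid: str, nonce: bytes) -> str:
    """Simplified stand-in for the HTTP Digest response keyed by Ks_NAF."""
    return hmac.new(ks_naf, btid.encode() + nonce, hashlib.sha256).hexdigest()


def ap_verifies_ue(ue_suite: int, ap_suite: int,
                   nonce: bytes = b"constructed nonce") -> bool:
    """Step 11: the UE sends a first response computed with its own suite; the
    AP derives a second Ks_NAF with the suite it believes is in use and
    compares its second response with the first."""
    first = compute_response(derive_ks_naf(KS, RAND, IMPI, NAF_FQDN, ue_suite), BTID, nonce)
    second = compute_response(derive_ks_naf(KS, RAND, IMPI, NAF_FQDN, ap_suite), BTID, nonce)
    return hmac.compare_digest(first, second)


def alg_select_suite_for_ap(ue_suite_set: list, ap_supported: set) -> int:
    """ALG side of the claim 5 variant: negotiate with the AP using the UE's
    supported suite set, so the AP ends up on a suite the UE side also uses.
    The UE's list order is taken as its preference order (assumption)."""
    for suite in ue_suite_set:
        if suite in ap_supported:
            return suite
    raise ValueError("no key algorithm suite common to the UE set and the AP")


if __name__ == "__main__":
    # Without the ALG applying the suite, each side negotiated its own TLS tunnel.
    print("AP on 0xC02F, UE on 0xC030:", ap_verifies_ue(0xC030, 0xC02F))   # False
    # Claim 2, forwarding: the ALG forwards the UE's suite and the AP adopts it.
    print("AP adopts UE suite 0xC030:", ap_verifies_ue(0xC030, 0xC030))    # True
    # Claim 5, negotiation: the ALG negotiates with the AP from the UE's set.
    chosen = alg_select_suite_for_ap([0xC030, 0xC02F], {0xC02F, 0xC030})
    print("negotiated %#06x:" % chosen, ap_verifies_ue(0xC030, chosen))     # True
```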
Embodiment three:
The present embodiment also provides a terminal including a first processor 901, a first memory 902, and a first communication bus 903;
The first communication bus 903 is used to implement connection communication between the first processor 901 and the first memory 902;
The first processor 901 is configured to execute one or more computer programs stored in the first memory 902 to implement the steps of the authentication method based on the generic bootstrapping architecture GBA, as performed by the user terminal side in the first and second embodiments.
The present embodiment also provides a gateway, which includes a second processor 1001, a second memory 1002, and a second communication bus 1003;
the second communication bus 1003 is used to implement connection communication between the second processor 1001 and the second memory 1002;
The second processor 1001 is configured to execute one or more computer programs stored in the second memory 1002 to implement the steps of the generic bootstrapping architecture GBA based authentication method performed by the application layer gateway side as in the first and second embodiments.
The present embodiment also provides a wireless access node, where the wireless access node includes a third processor 1101, a third memory 1102, and a third communication bus 1103;
The third communication bus 1103 is used to implement connection communication between the third processor 1101 and the third memory 1102;
The third processor 1101 is configured to execute one or more computer programs stored in the third memory 1102 to implement the steps of the generic bootstrapping architecture GBA based authentication method performed by the wireless access node side as in the first and second embodiments.
The present embodiments also provide a computer-readable storage medium, which includes volatile or nonvolatile, removable or non-removable media implemented in any method or technology for storing information such as computer-readable instructions, data structures, computer program modules or other data. Computer-readable storage media include, but are not limited to, RAM (Random Access Memory), ROM (Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), flash memory or other memory technology, CD-ROM (Compact Disc Read-Only Memory), Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and that can be accessed by a computer.
The computer readable storage medium in this embodiment may be used to store one or more computer programs, where the stored one or more computer programs may be executed by a processor to implement at least one step of the authentication method based on the generic bootstrapping architecture GBA applied to the terminal side, the gateway side or the radio access node side in the above-described first and second embodiments.
It will be apparent to one skilled in the art that all or some of the steps of the methods, systems, functional modules/units in the apparatus disclosed above may be implemented as software (which may be implemented in computer program code executable by a computing apparatus), firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between the functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed cooperatively by several physical components. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit.
Furthermore, as is well known to those of ordinary skill in the art, communication media typically embody computer-readable instructions, data structures, computer program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media. Therefore, the present invention is not limited to any specific combination of hardware and software.
The foregoing is a further detailed description of embodiments of the invention in connection with the specific embodiments, and it is not intended that the invention be limited to the specific embodiments described. It will be apparent to those skilled in the art that several simple deductions or substitutions may be made without departing from the spirit of the invention, and these should be considered to be within the scope of the invention.
Claims (11)
1. An authentication method based on a generic bootstrapping architecture GBA, applied to a user terminal side and comprising the following steps:
after the user terminal and a wireless access node have each established a transport layer security protocol TLS channel with an application layer gateway, performing secure transport layer protocol negotiation with the application layer gateway and confirming the key algorithm suite to be used;
and applying the key algorithm suite to the wireless access node through the application layer gateway so that the wireless access node uses the key algorithm suite for authentication.
2. The generic bootstrapping architecture GBA-based authentication method of claim 1, wherein applying the key algorithm suite to the wireless access node through the application layer gateway comprises:
forwarding, by the application layer gateway, the key algorithm suite to the wireless access node, thereby applying the key algorithm suite to the wireless access node;
and/or
performing, through the application layer gateway, secure transport layer protocol negotiation with the wireless access node using the key algorithm suite, thereby applying the key algorithm suite to the wireless access node.
3. The generic bootstrapping architecture GBA-based authentication method of claim 2, wherein forwarding the key algorithm suite to the wireless access node through the application layer gateway comprises:
sending a service request to the application layer gateway;
and forwarding the service request to the wireless access node through the application layer gateway, wherein the application layer gateway carries the key algorithm suite when forwarding the service request to the wireless access node.
4. The generic bootstrapping architecture GBA-based authentication method of claim 2, wherein forwarding the key algorithm suite to the wireless access node through the application layer gateway comprises:
sending a service request to the application layer gateway, wherein the service request carries the key algorithm suite;
and forwarding the service request to the wireless access node through the application layer gateway.
5. The GBA-based authentication method according to claim 2, wherein performing secure transport layer protocol negotiation with the application layer gateway and confirming the key algorithm suite to be used comprises:
performing secure transport layer protocol negotiation with the application layer gateway and confirming a supported key algorithm suite set, wherein the key algorithm suite set comprises at least two usable key algorithm suites;
and performing, through the application layer gateway, secure transport layer protocol negotiation with the wireless access node using the key algorithm suite comprises:
performing, through the application layer gateway, secure transport layer protocol negotiation with the wireless access node using the key algorithm suite set, and determining the key algorithm suite used between the application layer gateway and the wireless access node.
6. An authentication method based on a generic bootstrapping architecture GBA, applied to an application layer gateway side and comprising the following steps:
after a user terminal and a wireless access node have each established a transport layer security protocol TLS channel with the application layer gateway, performing secure transport layer protocol negotiation with the user terminal and confirming the key algorithm suite used by the user terminal;
and applying the key algorithm suite to the wireless access node so that the wireless access node uses the key algorithm suite for authentication.
7. An authentication method based on a generic bootstrapping architecture GBA, applied to a wireless access node side and comprising the following step:
after a user terminal and the wireless access node have each established a transport layer security protocol TLS channel with an application layer gateway, authenticating using the key algorithm suite applied to the wireless access node by the application layer gateway;
wherein the key algorithm suite is the suite confirmed, through secure transport layer protocol negotiation between the application layer gateway and the user terminal, as used by the user terminal.
8. A terminal comprising a first processor, a first memory, and a first communication bus;
the first communication bus is used for realizing connection communication between the first processor and the first memory;
The first processor is configured to execute one or more computer programs stored in the first memory to implement the steps of the generic bootstrapping architecture GBA based authentication method according to any of claims 1 to 5.
9. A gateway comprising a second processor, a second memory, and a second communication bus;
the second communication bus is used for realizing connection communication between the second processor and the second memory;
The second processor is configured to execute one or more computer programs stored in the second memory to implement the steps of the generic bootstrapping architecture GBA based authentication method according to claim 6.
10. A wireless access node comprising a third processor, a third memory, and a third communication bus;
the third communication bus is used for realizing connection communication between the third processor and the third memory;
The third processor is configured to execute one or more computer programs stored in the third memory to implement the steps of the generic bootstrapping architecture GBA based authentication method according to claim 7.
11. A computer-readable storage medium, characterized in that the computer-readable storage medium stores one or more computer programs executable by one or more processors to implement the steps of the generic bootstrapping architecture GBA based authentication method as claimed in any one of claims 1 to 5, in claim 6, or in claim 7.
Priority Applications (2)

Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN202010819512.6A (CN114143016B) | 2020-08-14 | 2020-08-14 | Authentication method based on general guide architecture GBA and corresponding device
PCT/CN2021/101804 (WO2022033186A1) | 2020-08-14 | 2021-06-23 | General bootstrapping architecture-based authentication method and corresponding device
Publications (2)

Publication Number | Publication Date
---|---
CN114143016A | 2022-03-04
CN114143016B | 2024-09-24
Family ID: 80247635
Country Status (2)

Country | Link
---|---
CN (1) | CN114143016B
WO (1) | WO2022033186A1
Legal Events

Code | Title
---|---
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant