
CN117915328A - Access authentication method adapting to network twinning scene - Google Patents

Access authentication method adapting to network twinning scene

Info

Publication number
CN117915328A
Authority
CN
China
Prior art keywords
access
network
identity
terminal device
access point
Prior art date
Legal status
Pending
Application number
CN202410117892.7A
Other languages
Chinese (zh)
Inventor
周浩
朱家信
周雨晨
吴俊�
徐跃东
Current Assignee
Fudan University
Original Assignee
Fudan University
Priority date
Filing date
Publication date
Application filed by Fudan University
Priority to CN202410117892.7A
Publication of CN117915328A
Legal status: Pending (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W 12/0431 Key distribution or pre-distribution; Key agreement

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention belongs to the technical field of future networks and access authentication, and particularly relates to an access authentication method suitable for a network twin scenario. The method comprises the following steps: in the terminal device registration stage, the terminal initiates a registration request to an authentication center to obtain an internet-access identity; a mapping is established between this identity and the network twin so that a device remains identifiable despite mobility; in the access stage, the terminal device initiates an access request to an access point and requests the location information of its network twin and an access token; the access point verifies the legitimacy of the device, negotiates a secure session channel after verification, and responds to the terminal device's request for network twin information; in the authentication stage, the terminal device completes bidirectional identity authentication with its network twin using the access token and random numbers, and negotiates a session key for subsequent communication. The method is used for access authentication of terminal devices under a cloud-native network architecture based on network twins, and can improve the security of users, terminals and the network.

Description

Access authentication method adapting to network twinning scene
Technical Field
The invention belongs to the technical field of future networks and access authentication, and particularly relates to an access authentication method suitable for a network twin scenario.
Background
The OTT (over-the-top) model currently adopted across the internet provides diverse applications and services. However, with the rapid development of leading-edge technologies such as artificial intelligence, big data, cloud computing and the internet of things, this conventional model has shown that it cannot satisfy changing business requirements. Cloud-native networks based on network twins have been proposed to accommodate the evolution of future networks from end-to-end connections to end-to-cloud connections. Such a network evolves the traditional three-layer architecture of access network, bearer network and data-center network into an integrated architecture of core cloud, edge cloud and terminal devices, in which a user's network twin lives in the edge cloud close to the user and is used to solve the user terminal's problems of data transmission, mobility, security, digital-asset validation and the like. The network twin, acting as a communication assistant for devices and users, a recorder of online behaviour and a digital-asset manager, is a basic service deployed and running on the edge cloud. Identity authentication of a user terminal through its own network twin is a form of distributed access authentication, and avoids the performance bottlenecks of traditional centralized access authentication in terms of delay, load, success rate and the like. Under a cloud-native network architecture based on network twins, traditional access authentication methods do not fit the communication model of this architecture, so a terminal access authentication method adapted to the network twin scenario needs to be designed.
Disclosure of Invention
The invention aims to provide a terminal access authentication method adapted to a network twin scenario.
The terminal access authentication method for the network twin scenario comprises a terminal device registration stage, an access stage and an authentication stage. In the registration stage, the terminal initiates a registration request to a trusted authentication center to obtain an internet-access identity hid. The mapping between this identity and the network twin keeps a device identifiable despite mobility, lets the network twin track device behaviour, and avoids anonymity. At the same time, the security of the user and the terminal is protected: an attacker cannot obtain the real identity information of the user or the terminal from the identity alone. In the access stage, the terminal device initiates an access request to the access point and requests the location information of its network twin and an access token. The access point verifies the legitimacy of the device, negotiates a secure session channel after verification, and responds to the device's request for network twin information. In the authentication stage, the terminal device completes bidirectional identity authentication with its network twin using the access token and random numbers, and negotiates a session key for subsequent communication. The specific steps are as follows:
(1) The terminal device registers an internet-access identity with the registration center, for use when accessing the cloud-native network;
An unregistered terminal first registers an internet-access identity with a trusted registration center for the subsequent access process. The registration center verifies the terminal information and generates the internet-access identity from the terminal and user information with a hash algorithm, the main parameters being the unique device identifier, the unique user identifier and a random number; it also saves the mapping between the terminal device's public key, the internet-access identity and the network twin ID.
Using the terminal's internet-access identity, the network twin can track device behaviour in real time, so that anonymous internet use is avoided; at the same time, an attacker is prevented from obtaining the real identity information of the user and the terminal device.
(2) The terminal device initiates an access request to an access point and obtains the location information of its network twin and an access token;
The registered terminal device initiates an access request to the access point, which verifies the terminal information. When the terminal device accesses for the first time, the access point presents its certificate and public key to the terminal device to prove its legitimacy. At the same time, the terminal device proves the legitimacy of its own identity to the access point; once the two-way verification passes, a session key is negotiated, and the access point uses this key to encrypt the network twin's IP address and the access token and sends them to the terminal device.
If the terminal has accessed before, the access point directly returns the location information and access token of the terminal's network twin, without repeating the identity verification.
Here, the network twin's access token is generated as follows: the access point generates a random number, encrypts it with the session key shared between the access point and the user's network twin, and splices the hash value of the random number and a timestamp onto it to form the access token.
(3) The terminal device and the network twin perform bidirectional identity authentication and obtain a session encryption key;
The terminal device initiates an authentication request to its network twin, carrying the access token, which is used to verify the terminal device's identity. On receiving the terminal's request, the network twin performs identity verification: it hashes the random number from the access token and compares the result with the hash value in the access token, thereby determining the legitimacy of the data sent by the terminal. After authentication passes, the network twin sends a piece of data to the terminal to prove the integrity and legitimacy of its own data. Using the random numbers in the exchanged data and AES (Advanced Encryption Standard), the two parties generate a new session encryption key, which the terminal later uses to securely request cloud services through its network twin, and which ensures the confidentiality of data transmission.
When the token becomes invalid, the terminal device cannot authenticate with its network twin and must re-request an access token from the access point.
The access authentication method adapted to network twins lets the terminal device access the network securely through its network twin, allows a terminal to re-access quickly when recovering access, and reduces the number of handshakes. At the same time, the method solves the mobility problem through the mapping between the terminal's internet-access identity and the network twin ID; and since the network twin can track user and device information, the method also addresses real-name internet access.
Drawings
Fig. 1 is an overall scheme diagram of a terminal device performing access authentication through its network twin according to the present invention.
Fig. 2 is a diagram of the identity registration procedure between a terminal device and a trusted authentication center according to the present invention.
Fig. 3 is a diagram of the procedure by which a terminal device initiates an access request to an access point according to the present invention.
Fig. 4 is a diagram of the process by which a terminal device initiates identity authentication and performs key agreement with its network twin according to the present invention.
Detailed Description
The access authentication method adapted to the network twin scenario provided by the invention is described in further detail below with reference to the accompanying drawings.
Referring to fig. 1, the overall access authentication method for a terminal device in a network twin scenario includes a terminal device registration phase, an access phase and an authentication phase. After the terminal device completes identity registration with the registration center, an internet-access identity is generated, and the terminal uses this identity to request network twin information from an access point. The terminal and the network twin then complete bidirectional identity authentication, thereby achieving secure access.
Referring to fig. 2, in the identity registration procedure of a terminal device, the device initiates a registration request to the registration center over a secure channel; the request carries the unique device identity ueid and the user identity uid. The registry continually listens for device requests; when a request arrives, the registry selects a random number ru and returns an internet-access identity hid computed by the identity generation algorithm H1(uid, ueid, ru) from the user uid and the device ueid; this identity is used for access when the device subsequently requests access. At the same time, a corresponding network twin identifier ctid is generated from the user uid by the twin identifier generation algorithm H2(uid) and stored in the edge cloud. The identity generation algorithm H1 and the twin identifier generation algorithm H2 are both obtained by applying a hash algorithm to the input parameters and truncating the result to a number of leading bits. The registry also returns, over the secure channel, a list of supported key generation algorithms so that it is compatible with the device's key generation method. When the user device receives the registry's response, it generates a random number rc and uses a key generation algorithm to generate its private key SKue, which is used for subsequent data signing and decryption, and sends the generated public key PKue to the registry over the secure channel. When the registration center receives the public key PKue, it stores the triplet of the user device's internet-access identity hid, public key PKue and network twin unique identifier ctid in a database for subsequent device access authentication and network twin creation.
When a device access request arrives carrying the identity hid, the access point can quickly look up the public key to verify the legitimacy of the device identity. The registration center returns the registration result to the user device, which receives a response indicating success or failure of registration.
Referring to fig. 3, in the procedure by which the terminal initiates an access request to the access point, the terminal device UE sends an access request message (AccessHello) to the access point AP, indicating that the device wishes to establish a secure connection with the access point. The header of the request carries the access message, and the access point takes the corresponding action. After the access point detects the user device's access request, it responds by sending its own security certificate and public key PKap. On receiving the access point's response, the device first verifies the legitimacy of the access point through the certificate. Having verified the authenticity of the access point, the user device generates a random number r1 and splices it with the identity hid generated during registration to obtain the data hid||r1||t1, encrypts this data with the access point's public key PKap to obtain E_PKap(hid||r1||t1), and signs its hash value with its private key SKue to obtain S_SKue(H(hid||r1||t1)). The device then sends this data packet to the access point and waits for the access point to authenticate it. On receiving the user device's response, the access point decrypts it with its own private key to obtain the device's identity. The access point looks up the hid information saved during registration; if it does not exist, the device identity is illegitimate and authentication ends; if it exists, the access point looks up the public key PKue corresponding to the hid, decrypts the encrypted data to obtain hid||r1||t1, and hashes it.
The access point compares the resulting hash value with the hash value in the received data; if they match, it generates a random number r2, encrypts the network twin information with the public key PKue, signs it with its own private key, and sends it to the device. The device likewise uses the access point's public key PKap to decrypt the data, hashes r2 and compares the result with the hash value in the signature; if they differ, verification ends, otherwise it passes. Both parties obtain a session key CK1 from the two random numbers r1 and r2 using the AES symmetric encryption algorithm, and CK1 is used for data encryption. At this point the terminal device initiates a token request E_CK1(ctid); on receiving it, the access point informs the network twin that a device needs to access. At the same time, the access point generates a random number r3, encrypts r3 with the session key CK2 shared between the access point and the network twin, computes the hash of r3, splices the two to obtain the access token = E_CK2(r3)||H(r3), and sends it to the device.
Referring to fig. 4, the access terminal initiates an authentication request to the network twin. First, the device initiates an authentication request to its network twin carrying the access token data token||t. After receiving the data, the network twin decrypts it with the session key CK2 shared between the network twin and the access point to obtain r3', computes the hash H(r3') and compares it with the H(r3) in the data; if they are the same, the identity and data of the device are trustworthy, otherwise authentication is refused. At the same time, the network twin generates a random number r4, encrypts r4 using r3 as a symmetric key, hashes r4, and splices the two as the response data E_r3(r4)||H(r4), which it returns to the device. The device decrypts the data using r3 to obtain r4', hashes it, and compares the result with H(r4). If the two are completely consistent, the device trusts the network twin; otherwise authentication ends. A session key CK3 is then generated between the user device and the network twin from r3 and r4, and all subsequent session data is transmitted encrypted, namely as E_CK3(data).
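The access token of step (2) and the twin-side exchange of step (3), as an added worked example in Go that is not part of the patent: it assumes AES-256-GCM as the E_K(.) primitive, SHA-256 as H, 32-byte random numbers, a big-endian unix-seconds timestamp spliced onto the token (claim 3), and a SHA-256 based derivation of CK3, none of which the patent specifies; all function names are this example's own. A stale timestamp is rejected before any decryption, which is the reading of "when the token fails" that sends the device back to the access point for a new token.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

const keyLen, hashLen, tsLen = 32, sha256.Size, 8 // assumed: 32-byte r3/r4/CK2 (AES-256 keys), SHA-256 as H, unix-seconds timestamp

func hash(b []byte) []byte { h := sha256.Sum256(b); return h[:] }
func random(n int) ([]byte, error) { b := make([]byte, n); _, err := rand.Read(b); return b, err }

// seal is the assumed instantiation of the patent's E_K(.): AES-256-GCM with a fresh nonce prepended.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce, err := random(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), err
}

// open reverses seal; a wrong key, a truncated box or any bit flip fails GCM authentication.
func open(key, box []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(box) < 12 { // 12 = standard GCM nonce size
		return nil, errors.New("bad key or ciphertext too short")
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, box[:gcm.NonceSize()], box[gcm.NonceSize():], nil)
}

// MakeToken runs on the access point (step 2): token = E_CK2(r3) || H(r3) || timestamp; r3 itself goes to the device under CK1.
func MakeToken(ck2 []byte, issued time.Time) (token, r3 []byte, err error) {
	if r3, err = random(keyLen); err != nil {
		return nil, nil, err
	}
	enc, err := seal(ck2, r3)
	ts := make([]byte, tsLen)
	binary.BigEndian.PutUint64(ts, uint64(issued.Unix()))
	return append(append(enc, hash(r3)...), ts...), r3, err
}

// VerifyToken runs on the network twin (step 3): reject a stale token before any crypto, then recover r3' under CK2 and compare H(r3') with the spliced H(r3).
func VerifyToken(ck2, token []byte, now time.Time, maxAge time.Duration) ([]byte, error) {
	if len(token) <= hashLen+tsLen {
		return nil, errors.New("token too short")
	}
	encEnd := len(token) - hashLen - tsLen
	issued := time.Unix(int64(binary.BigEndian.Uint64(token[encEnd+hashLen:])), 0)
	if issued.After(now) || now.Sub(issued) > maxAge {
		return nil, errors.New("token expired: device must re-request one from the AP")
	}
	r3, err := open(ck2, token[:encEnd])
	if err != nil || !hmac.Equal(hash(r3), token[encEnd:encEnd+hashLen]) {
		return nil, errors.New("token not issued under CK2 or H(r3) mismatch")
	}
	return r3, nil
}

// TwinChallenge: the twin picks r4 and answers E_r3(r4) || H(r4); only a holder of CK2 could have recovered r3.
func TwinChallenge(r3 []byte) (resp, r4 []byte, err error) {
	if r4, err = random(keyLen); err != nil {
		return nil, nil, err
	}
	enc, err := seal(r3, r4)
	return append(enc, hash(r4)...), r4, err
}

// DeviceVerify: the device decrypts with its own r3, recovers r4' and checks H(r4') against the spliced H(r4).
func DeviceVerify(r3, resp []byte) ([]byte, error) {
	if len(resp) <= hashLen {
		return nil, errors.New("response too short")
	}
	r4, err := open(r3, resp[:len(resp)-hashLen])
	if err != nil || !hmac.Equal(hash(r4), resp[len(resp)-hashLen:]) {
		return nil, errors.New("response not encrypted under r3 or H(r4) mismatch")
	}
	return r4, nil
}

func DeriveCK3(r3, r4 []byte) []byte { return hash(append(append([]byte("CK3|"), r3...), r4...)) } // assumed KDF; the patent only says "through r3 and r4"

func main() { // one constructed end-to-end run; both errors print as <nil> and the final bool as true
	ck2, _ := random(keyLen)
	token, r3, _ := MakeToken(ck2, time.Now())
	r3twin, err := VerifyToken(ck2, token, time.Now(), time.Minute)
	resp, r4, _ := TwinChallenge(r3twin)
	r4dev, err2 := DeviceVerify(r3, resp)
	fmt.Println(err, err2, hmac.Equal(DeriveCK3(r3, r4dev), DeriveCK3(r3twin, r4)))
}
```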

Claims (6)

1.一种适应网络孪生场景的终端接入认证方法,其特征在于,包括终端设备注册阶段、接入阶段和认证阶段;其中,注册阶段,终端向可信认证中心发起注册请求,获取上网身份标识;该身份与网络孪生建立映射关系,以避免移动性带来的设备无法识别问题;接入阶段,终端设备向接入点发起接入请求,并请求对应的网络孪生的位置信息以及访问令牌信息;接入点验证设备合法信息,通过验证后协商出安全的会话通道并响应终端设备对网络孪生信息的请求;认证阶段,终端设备通过访问令牌以及随机数完成与网络孪生的双向身份认证,并协商出后续通信的会话密钥;具体步骤为:1. A terminal access authentication method adapted to network twin scenarios, characterized in that it includes a terminal device registration phase, an access phase, and an authentication phase; wherein, in the registration phase, the terminal initiates a registration request to a trusted authentication center to obtain an Internet access identity; a mapping relationship is established between the identity and the network twin to avoid the problem of device unrecognition caused by mobility; in the access phase, the terminal device initiates an access request to the access point, and requests the location information and access token information of the corresponding network twin; the access point verifies the legal information of the device, negotiates a secure session channel after verification, and responds to the terminal device's request for network twin information; in the authentication phase, the terminal device completes two-way identity authentication with the network twin through an access token and a random number, and negotiates a session key for subsequent communications; the specific steps are: (1)终端设备向注册中心注册上网身份标识,用于接入云原生网络;(1) The terminal device registers its Internet access identity with the registration center to access the cloud native network; 未注册过的终端首先向可信注册中心进行上网身份注册,用于后续接入过程;注册中心验证终端信息,并利用终端和用户信息通过哈希算法生成一个上网身份标识,其主要参数包括设备唯一标识、用户唯一标识以及随机数;并保存终端设备公钥、上网身份、网络孪生ID映射关系;Unregistered terminals first register their online identities with the trusted registration center for subsequent access. The registration center verifies the terminal information and uses the terminal and user information to generate an online identity through a hash algorithm. 
Its main parameters include the device unique identifier, user unique identifier, and random number. The registration center also saves the mapping relationship between the terminal device public key, online identity, and network twin ID. 网络孪生能够该根据终端上网身份标识,实时追踪设备行为,避免用户匿名上网,同时防止攻击者窃取用户和终端设备真实身份信息;Network twins can track device behavior in real time based on the terminal's Internet identity, preventing users from surfing the Internet anonymously and preventing attackers from stealing the real identity information of users and terminal devices. (2)终端设备向接入点发起接入请求,获取网络孪生的位置信息和访问令牌信息;(2) The terminal device initiates an access request to the access point to obtain the location information and access token information of the network twin; 已注册过的终端设备向接入点发起接入请求,接入点验证该终端设备信息;当终端设备首次接入时,接入点向该终端设备出示证书和公钥信息来证明自己的合法性;同时终端设备向接入点证明自己身份的合法性,得到双向验证通过后,协商出会话密钥;并利用密钥把网络孪生IP地址和访问令牌加密发给终端设备;The registered terminal device initiates an access request to the access point, and the access point verifies the terminal device information. When the terminal device accesses for the first time, the access point presents the certificate and public key information to the terminal device to prove its legitimacy. At the same time, the terminal device proves the legitimacy of its identity to the access point. After the two-way verification is passed, the session key is negotiated. The network twin IP address and access token are encrypted and sent to the terminal device using the key. 
(3)终端设备和网络孪生进行双向的身份认证,获得会话加密密钥;(3) The terminal device and the network twin perform two-way identity authentication to obtain the session encryption key; 终端设备向其网络孪生发起认证请求,并携带访问令牌,访问令牌用于验证终端设备的身份;网络孪生收到终端请求后,进行身份验证,并对访问令牌中的随机数进行哈希运算,同时与访问令牌中的哈希值做比较,从而确定终端发来数据的合法性;认证通过后,网络孪生向终端发送一个数据,以证明自身数据的完整性与合法性;双方通过交换的数据中的随机数,采用AES对成加密,生成新的会话加密密钥,用于后续终端通过网络孪生安全请求云服务,并保证数据传输的机密性。The terminal device initiates an authentication request to its network twin and carries an access token, which is used to verify the identity of the terminal device. After receiving the terminal request, the network twin performs identity authentication and hashes the random number in the access token, and compares it with the hash value in the access token to determine the legitimacy of the data sent by the terminal. After the authentication is passed, the network twin sends a piece of data to the terminal to prove the integrity and legitimacy of its own data. The two parties use AES to encrypt the random numbers in the exchanged data to generate a new session encryption key, which is used for subsequent terminals to securely request cloud services through the network twin and ensure the confidentiality of data transmission. 2.根据权利要求1的适应网络孪生场景的终端接入认证方法,其特征在于,步骤(2)中,当终端设备之前接入过,接入点直接返回其网络孪生的位置信息和访问令牌信息,不需要再重复验证身份。2. According to the terminal access authentication method adapted to the network twin scenario of claim 1, it is characterized in that, in step (2), when the terminal device has been accessed before, the access point directly returns the location information and access token information of its network twin, and there is no need to repeat the identity verification. 3.根据权利要求1的适应网络孪生场景的终端接入认证方法,其特征在于,步骤(2)中,生成网络孪生的访问令牌由如下方式形成:通过接入点生成一个随机数,并使用接入点与用户网络孪生的会话密钥加密,同时拼接该随机数的哈希值以及时间戳,形成访问令牌。3. 
According to the terminal access authentication method adapted to the network twin scenario of claim 1, it is characterized in that in step (2), the access token of the network twin is generated in the following manner: a random number is generated through the access point, and is encrypted using the session key of the access point and the user network twin, and the hash value and timestamp of the random number are spliced to form an access token. 4.根据权利要求1的适应网络孪生场景的终端接入认证方法,其特征在于,步骤(1)所述终端设备向注册中心注册上网身份标识,用于接入云原生网络,具体操作流程为:4. According to the terminal access authentication method adapted to the network twin scenario of claim 1, it is characterized in that in step (1), the terminal device registers an Internet access identity with a registration center for accessing the cloud native network, and the specific operation process is as follows: 终端设备通过安全信道向注册中心发起注册请求,携带终端设备唯一身份标识ueid以及用户身份标识uid;当注册中心有请求到来时,注册中心选择一个随机数ru,结合用户身份标识uid和身份标识生成算法H1返回一个上网身份标识hid,后续终端设备请求接入时将使用该身份标识进行接入;同时,根据用户身份标识uid通过孪生标识生成算法H2生成对应的网络孪生标识ctid,存储在边缘云中;注册中心还通过安全信道返回一系列支持的密钥生成算法,以兼容设备的密钥生成方式;当用户终端设备接收到注册中心的响应时,产生一个随机数rc,终端设备将采用密钥生成算法生成设备的私钥SKue,用于后续对数据签名以及解密工作,同时将生成的公钥PKue通过安全信道发送给注册中心;注册中心在收到公钥PKue时,将用户终端设备的上网身份hid、公钥PKue、网络孪生唯一标识ctid三元组存储到数据库中,用于后续的设备接入认证以及网络孪生的创建;当设备接入请求发来身份标识hid时,接入点快速查询公钥,来验证设备身份的合法性;注册中心将注册结果返回给用户终端设备,终端设备将接收到注册成功或失败的响应信息。The terminal device initiates a registration request to the registration center through a secure channel, carrying the terminal device's unique identity ueid and the user's identity uid; when a request arrives at the registration center, the registration center selects a random number r u , combines the user's identity uid and the identity generation algorithm H 1 to return an Internet identity hid, which will be used for access when the terminal device subsequently requests access; at the same time, the corresponding network twin identity ctid is generated through the twin identity generation algorithm H 2 based on the user identity uid, and stored in the 
edge cloud; the registration center also returns a series of supported key generation algorithms through a secure channel to be compatible with the key generation method of the device; when the user terminal device receives a response from the registration center, a random number r c is generated, and the terminal device will use the key generation algorithm to generate the device's private key SK ue for subsequent data signing and decryption, and at the same time send the generated public key PK ue to the registration center through a secure channel; when the registration center receives the public key PK ue , it sends the Internet identity hid and public key PK ue of the user terminal device , the network twin unique identifier ctid triplet is stored in the database for subsequent device access authentication and network twin creation; when the device access request sends the identity identifier hid, the access point quickly queries the public key to verify the legitimacy of the device identity; the registration center returns the registration result to the user terminal device, and the terminal device will receive a response message of registration success or failure. 5.根据权利要求4的适应网络孪生场景的终端接入认证方法,其特征在于,步骤(2)所述终端设备向接入点发起接入请求,获取网络孪生的位置信息和访问令牌信息,具体操作流程为:5. 
According to the terminal access authentication method adapted to the network twin scenario of claim 4, it is characterized in that in step (2), the terminal device initiates an access request to the access point to obtain the location information and access token information of the network twin, and the specific operation process is as follows: the terminal device UE sends an access request message to the access point AP, indicating that the device wishes to establish a secure connection with the access point; the header of the request carries the access message, and the access point takes the corresponding request operation; after the access point detects the access request of the user device, it responds to the terminal device's request by sending its own certificate and public key PKap; after receiving the response from the access point, the terminal device first verifies the legitimacy of the access point through the certificate; after verifying the authenticity of the access point, the terminal device generates a random number r1 and concatenates it with the identity identifier hid generated during registration to obtain the data hid||r1||t1, encrypts it with the access point's public key PKap, and signs its hash value with its own private key SKue; the device then sends this data packet to the access point and waits for the access point to authenticate it; after receiving the user device's response, the access point decrypts it with its own private key to obtain the device's identity; the access point looks up the hid information saved during registration: if it does not exist, the device identity is illegitimate and the authentication ends; if it exists, the public key PKue corresponding to the hid is looked up, the encrypted data is decrypted to obtain hid||r1||t1 and hashed, and the resulting hash value is compared with the hash value in the received data; if they match, a random number r2 is generated, and the network twin information is encrypted with the public key PKue, signed with the access point's own private key, and sent to the device; the device likewise decrypts the data using the public key PKap, hashes r2 and compares the result with the hash value in the signature; if they do not match, the verification ends, otherwise it passes; both parties derive a session key CK1 from the two random numbers r1 and r2 using the AES symmetric encryption algorithm, for data encryption; at this point the terminal device initiates a token request, and after receiving it the access point informs the network twin that a device needs access; at the same time the access point generates a random number r3, encrypts r3 with the session key CK2 shared between the access point and the network twin, computes the hash of r3, concatenates the two to obtain the access token, and sends it to the device.
6. According to the terminal access authentication method adapted to the network twin scenario of claim 5, it is characterized in that in step (3), the terminal device and the network twin perform mutual identity authentication to obtain a session encryption key, and the specific operation process is as follows: first, the terminal device initiates an authentication request to the network twin, carrying the access token data; after receiving the data, the network twin decrypts it with the session key CK2 shared with the access point to obtain r3', computes its hash H(r3') and compares it with the H(r3) in the data; if they are the same, the device's identity and data are trusted, otherwise authentication is refused; at the same time, the network twin generates a random number r4, encrypts r4 using the random number r3 as a symmetric key, computes the hash of r4, concatenates the two and returns them to the device as the response data; the device decrypts the data with the random number r3 to obtain r4', hashes it and compares the result with H(r4); if they are identical, the device trusts the network twin, otherwise authentication ends.
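The token issuance at the end of claim 5 and the UE/network-twin exchange of claim 6 are simulated below as an added example; this is not code from the patent or its applicant. Only the symmetric part of the protocol is modelled (the certificate and public-key steps of claim 5 are left out). The claim does not fix the cipher for the token or the length of r3 and r4, so a SHA-256-based stream cipher stands in for the AES named in the claim, 32-byte random numbers are assumed, the token layout is assumed to be Enc_CK2(r3) || H(r3) with fixed-length fields, and the AP is assumed to hand r3 to the UE over the CK1-protected link (the claim has the UE decrypt with r3, so it must hold it). Class and function names are the example's own.

```python
"""Simulation of the access-token issuance (claim 5) and the UE <-> network-twin
mutual authentication (claim 6). Added example; the cipher, field lengths and
message layout are assumptions, not taken from the patent."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
RAND_LEN = 32                      # length of r3 / r4 in bytes (assumption)
HASH_LEN = hashlib.sha256().digest_size
ENC_LEN = NONCE_LEN + RAND_LEN     # length of Enc(k, r) for a RAND_LEN plaintext


def H(data: bytes) -> bytes:
    """Hash function H(.) of the claim; SHA-256 is an assumption."""
    return hashlib.sha256(data).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter-mode keystream derived from SHA-256, XORed onto the data.
    out = bytearray()
    for off in range(0, len(data), HASH_LEN):
        ctr = (off // HASH_LEN).to_bytes(4, "big")
        block = hashlib.sha256(key + nonce + ctr).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + HASH_LEN], block))
    return bytes(out)


def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the symmetric cipher the claim calls AES (assumption, so the
    example runs on the standard library alone). Returns nonce || ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _keystream_xor(key, nonce, plaintext)


def sym_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    return _keystream_xor(key, nonce, body)


class AccessPoint:
    """AP side of the token step in claim 5; shares CK2 with the network twin."""

    def __init__(self, ck2: bytes):
        self.ck2 = ck2

    def issue_token(self):
        # Fresh r3 per request; token = Enc_CK2(r3) || H(r3).
        r3 = secrets.token_bytes(RAND_LEN)
        token = sym_encrypt(self.ck2, r3) + H(r3)
        # r3 is returned so the caller can deliver it to the UE (assumed to travel
        # over the CK1-protected AP<->UE link; the claim does not spell this out).
        return token, r3


class NetworkTwin:
    """Network-twin side of claim 6."""

    def __init__(self, ck2: bytes):
        self.ck2 = ck2
        self.session_r4 = None

    def handle_auth_request(self, token: bytes):
        if len(token) != ENC_LEN + HASH_LEN:
            return None                             # malformed token
        r3_prime = sym_decrypt(self.ck2, token[:ENC_LEN])
        # Compare H(r3') with the H(r3) carried in the token, in constant time.
        if not hmac.compare_digest(H(r3_prime), token[ENC_LEN:]):
            return None                             # device not trusted: refuse
        r4 = secrets.token_bytes(RAND_LEN)
        self.session_r4 = r4
        # Response: Enc_r3(r4) || H(r4), with r3' as the symmetric key.
        return sym_encrypt(r3_prime, r4) + H(r4)


class TerminalDevice:
    """UE side of claim 6; holds the r3 obtained from the AP."""

    def __init__(self, r3: bytes):
        self.r3 = r3
        self.session_r4 = None

    def verify_twin(self, response) -> bool:
        if response is None or len(response) != ENC_LEN + HASH_LEN:
            return False
        r4_prime = sym_decrypt(self.r3, response[:ENC_LEN])
        if not hmac.compare_digest(H(r4_prime), response[ENC_LEN:]):
            return False                            # twin not trusted: end
        self.session_r4 = r4_prime
        return True


def run_exchange(tamper_token: bool = False, tamper_response: bool = False) -> dict:
    """Run the whole exchange and report what each side concluded."""
    ck2 = secrets.token_bytes(32)                   # CK2 (constructed for the demo)
    ap, twin = AccessPoint(ck2), NetworkTwin(ck2)
    token, r3 = ap.issue_token()
    ue = TerminalDevice(r3)
    if tamper_token:                                # flip one bit of H(r3)
        token = token[:-1] + bytes([token[-1] ^ 0x01])
    response = twin.handle_auth_request(token)
    if tamper_response and response is not None:    # flip one bit of Enc_r3(r4)
        response = (response[:NONCE_LEN] + bytes([response[NONCE_LEN] ^ 0x01])
                    + response[NONCE_LEN + 1:])
    ue_ok = ue.verify_twin(response)
    return {"twin_accepted": response is not None,
            "ue_accepted": ue_ok,
            "keys_match": ue_ok and ue.session_r4 == twin.session_r4}


if __name__ == "__main__":
    print(run_exchange(), run_exchange(tamper_token=True), run_exchange(tamper_response=True))
```

The hash comparisons use hmac.compare_digest rather than `==`, since the check decides whether a peer is trusted. As written in the claim, the token carries no expiry or device binding, so the twin's only protection against a replayed token is that r3 is generated fresh per request and the AP has announced the pending access to the twin; a deployment would want the twin to refuse an r3 it has already accepted.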
CN202410117892.7A 2024-01-29 2024-01-29 Access authentication method adapting to network twinning scene Pending CN117915328A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410117892.7A CN117915328A (en) 2024-01-29 2024-01-29 Access authentication method adapting to network twinning scene

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410117892.7A CN117915328A (en) 2024-01-29 2024-01-29 Access authentication method adapting to network twinning scene

Publications (1)

Publication Number Publication Date
CN117915328A true CN117915328A (en) 2024-04-19

Family

ID=90697403

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410117892.7A Pending CN117915328A (en) 2024-01-29 2024-01-29 Access authentication method adapting to network twinning scene

Country Status (1)

Country Link
CN (1) CN117915328A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118139042A (en) * 2024-05-06 2024-06-04 杭州天宽科技有限公司 Bidirectional encryption authentication method and system for decentralizing equipment

Similar Documents

Publication Publication Date Title
CN110971415B (en) An anonymous access authentication method and system for a space-earth integrated spatial information network
CN110380852B (en) Two-way authentication method and communication system
KR101009330B1 (en) Methods, systems, and authentication centers for authentication in end-to-end communications based on mobile networks
US7181012B2 (en) Secured map messages for telecommunications networks
CN109302412B (en) VoIP communication processing method based on CPK, terminal, server and storage medium
US20080137859A1 (en) Public key passing
CN101009919A (en) Authentication method based on the end-to-end communication of the mobile network
CN102404347A (en) Mobile internet access authentication method based on public key infrastructure
CN115766119B (en) Communication method, device, communication system and storage medium
WO2019178942A1 (en) Method and system for performing ssl handshake
CN116684093B (en) Identity authentication and key exchange method and system
CN113726523B (en) Multiple identity authentication method and device based on Cookie and DR identity cryptosystem
CN118102301A (en) Internet of vehicles identity authentication method, equipment and storage medium based on vehicle trust degree
WO2022001225A1 (en) Identity credential application method, identity authentication method, device, and apparatus
CN115484038A (en) A data processing method and device thereof
CN117915328A (en) Access authentication method adapting to network twinning scene
CN117729056A (en) Equipment identity authentication method and system
CN113839786A (en) SM9 key algorithm-based key distribution method and system
CN114765533A (en) Remote certification method, device and system based on quantum key communication
TWI751433B (en) Secure communication key negotiation method
CN114338012B (en) Key application method and device, electronic device, and computer-readable storage medium
CN118174902B (en) Distributed device authentication method and system based on pre-embedded secure asymmetric key
CN116488853A (en) A trusted authentication method for mobile office scenarios
CN119788436A (en) Data protection method, device and storage medium
CN116319051A (en) Heterogeneous network secure communication authentication method based on alliance chain

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination