CN120358491A

CN120358491A - Communication method and communication device

Info

Publication number: CN120358491A
Application number: CN202410095116.1A
Authority: CN
Inventors: 王东晖; 刘斐; 宋雨容
Original assignee: Huawei Technologies Co Ltd
Current assignee: Huawei Technologies Co Ltd
Priority date: 2024-01-22
Filing date: 2024-01-22
Publication date: 2025-07-22
Also published as: WO2025157070A1

Abstract

The application provides a communication method and a communication device, the method comprises the steps of receiving first indication information from the communication device, wherein the first indication information indicates at least one key negotiation algorithm, and sending second indication information to the communication device, wherein the second indication information indicates a first key negotiation algorithm, the first key negotiation algorithm is one of the at least one key negotiation algorithm, the first key negotiation algorithm is used for determining a first key, and the first key is used for encrypting or decrypting a message transmitted between the communication device and an authentication network element. The key negotiation algorithm in the authentication process is determined through negotiation between the verification network element and the communication device, so that the key negotiation algorithm in the authentication process is more flexible to select and adapt to more application scenes.

Description

Communication method and communication device

Technical Field

The present application relates to the field of communications, and more particularly, to a communication method and a communication apparatus.

Background

In terms of network security, the tasks of the network include identity authentication and authorization of a terminal accessing the network, so that the terminal accesses the operator network, and further, air interface encryption of service communication of the terminal is started. The terminal and the network generate a shared key by elliptic curve Difei-Hellman (ECDH) key negotiation, and the terminal transmits the identification information of the terminal based on the shared key so that the network side acquires a root key corresponding to the identification information of the terminal equipment, thereby completing the identity authentication of the two parties. In the scheme, the network side and the terminal generate the shared key by using a fixed key exchange algorithm, so that the application scene is limited.

Disclosure of Invention

The application provides a communication method and a communication device, which can improve the flexibility of a user in accessing a network.

In a first aspect, a communication method is provided, which may be performed by an authentication network element, or may also be performed by a component (e.g. a chip or a circuit) of the authentication network element, which is not limited, and for convenience of description, will be described below with reference to the embodiment performed by the authentication network element.

The method includes receiving first indication information from a communication device, the first indication information indicating at least one key agreement algorithm, and transmitting second indication information to the communication device, the second indication information indicating a first key agreement algorithm, the first key agreement algorithm being one of the at least one key agreement algorithm, the first key agreement algorithm being used to determine a first key, the first key being used to encrypt or decrypt messages transmitted between the communication device and the authentication network element.

Based on the above scheme, the authentication network element and the communication device can determine the key negotiation algorithm in the authentication process through negotiation, so that the selection of the key negotiation algorithm in the authentication process is more flexible, and the communication device is suitable for more application scenarios, namely, the communication device indicates at least one key negotiation algorithm to the authentication network element, and the authentication network element determines a first key negotiation algorithm from the at least one key negotiation algorithm, wherein the first key negotiation algorithm is used for the first key.

In certain implementations of the first aspect, the first key agreement algorithm is determined according to first information and the first indication information, the first information including at least one of a security level corresponding to the key agreement algorithm, a computational complexity of the key agreement algorithm, a network type of the communication device, and a computational capability of the communication device.

Based on the above scheme, by determining the first key negotiation algorithm according to the first information, the first key negotiation algorithm can be adapted to at least one of different security levels, computational complexity, network type, type of communication device, and computational capability of the communication device.

In certain implementations of the first aspect, the at least one key agreement algorithm includes at least one of:

Elliptic curve Diffie-Hellman (ECDH) key agreement algorithm, temporary elliptic curve Diffie-Hellman (EPHEMERAL ELLIPTIC cut-Hellman, ECDHE) key agreement algorithm, post-quantum cryptography (post-quantumcryptography, PQC) based key agreement algorithm, PQC and ECDH based key agreement algorithm, PQC and ECDHE based key agreement algorithm, and preset key based key agreement algorithm.

In certain implementations of the first aspect, the first key is determined based on the first key agreement algorithm.

In certain implementations of the first aspect, the first key agreement algorithm is the ECDHE key agreement algorithm, and in the ECDHE key agreement algorithm, the authentication network element receives a first public key from the communication device, the first public key being a public key of a first temporary public-private key pair generated by the communication device, the authentication network element determines the first key based on the first public key and a second private key, the second private key being a private key of a second temporary public-private key pair generated by the authentication network element.

Based on the above scheme, the authentication network element and the communication device can negotiate to determine to use ECDHE a key negotiation algorithm, and in ECDHE the authentication network element and the communication device use a temporary public key generated by the other party to generate the first key, so that the security of key exchange is improved. And secondly, the calculation complexity of the key negotiation algorithm is low, and the key negotiation algorithm can be suitable for a communication scene with low calculation complexity and high security requirement on the key negotiation algorithm.

In certain implementations of the first aspect, the authentication network element sends a second public key to the communication device, the second public key being a public key of the second temporary public-private key pair. By sending the second public key to the communication device, the communication device may be caused to determine the first key based on the second public key.

In certain implementations of the first aspect, the first key agreement algorithm is the PQC-based key agreement algorithm, in which the verification network element receives a third public key from the communication device, the third public key being a public key in a third temporary public-private key pair generated by the communication device based on a post-quantum algorithm, and the verification network element inputs the third public key into the post-quantum algorithm to generate ciphertext and the first key.

Based on the scheme, the verification network element and the communication device can negotiate to determine to use a key negotiation algorithm based on the PQC, and in the key negotiation algorithm based on the PQC, the verification network element and the communication device use the PQC to generate the first key, so that the security of key exchange can be improved. The key negotiation algorithm can be suitable for communication scenes with higher requirements on security.

In certain implementations of the first aspect, the authentication network element sends the ciphertext to the communication device. By transmitting the ciphertext to the communication device, the communication device may be caused to determine the first key based on the ciphertext.

In certain implementations of the first aspect, the first key agreement algorithm is the PQC and ECDH based key agreement algorithm, in which the verification network element receives a first public key and a third public key from the communication device, the first public key being a public key in a first temporary public-private key pair generated by the communication device, the third public key being a public key in a third temporary public-private key pair generated by the communication device based on a post-quantum algorithm, the verification network element determines a second key based on the first public key and a private key of the verification network element, and inputs the third public key into the post-quantum algorithm to generate ciphertext and a third key, and the verification network element determines the first key based on the second key and the third key.

Based on the scheme, the verification network element and the communication device can negotiate to determine to use the key negotiation algorithm based on the PQC and the ECDH, and in the key negotiation algorithm based on the PQC and the ECDH, the verification network element and the communication device can generate the first key based on the key generated by the PQC and the key generated by the ECDH, so that the security of key exchange is improved. The key agreement algorithm may be applicable in communication scenarios where security is a higher requirement than a PQC-based key agreement algorithm.

In certain implementations of the first aspect, the authentication network element sends the public key of the authentication network element and the ciphertext to the communication device, the public key of the authentication network element and the ciphertext being used by the communication device to determine the first key.

In certain implementations of the first aspect, the first key agreement algorithm is the PQC and ECDHE based key agreement algorithm, in the PQC and ECDHE based key agreement algorithm, the verifying network element receives a first public key and a third public key from the communication device, the first public key being a public key of a first temporary public-private key pair generated by the communication device, the third public key being a public key of a third temporary public-private key pair generated by the communication device based on a post-quantum algorithm, the verifying network element determines a second key based on the first public key and the second private key, the second private key being a private key of the second temporary public-private key pair generated by the verifying network element, and inputs the third public key into the post-quantum algorithm to generate ciphertext and a third key, the verifying network element determines the first key based on the second key and the third key.

Based on the scheme, the verification network element and the communication device can negotiate to determine to use the key negotiation algorithm based on the PQC and ECDHE, and in the key negotiation algorithm based on the PQC and the ECDH, the verification network element and the communication device can generate the first key based on the key generated by the PQC and the key generated by the communication device based on the ECDHE, so that the security of key exchange is improved. Wherein ECDHE has forward security, the key agreement algorithm is applicable to communication scenarios with higher requirements for security than the key agreement algorithms based on PQC and ECDH.

In certain implementations of the first aspect, the authentication network element sends a second public key and the ciphertext to the communication device, the second public key being a public key of the second temporary public-private key pair, and by sending the second public key and the ciphertext to the communication device, the communication device may be caused to determine the first key based on the second public key and the ciphertext.

In certain implementations of the first aspect, the authentication network element sends a first digital signature to the communication device, the first digital signature being a signature of a first message by a private key of the authentication network element, the first message including a message interacted with the communication device by the authentication network element, and sends a certificate of the authentication network element to the communication device, the certificate including a public key of the authentication network element, the public key of the authentication network element being used by the communication device to authenticate the first digital signature.

The message interacted with the communication device by the authentication element may illustratively comprise the last message sent by the authentication element to the terminal device, e.g. the message carrying the first digital signature, or the interacted message may comprise all messages interacted with the communication device before the authentication element sent the last message to the communication device (e.g. the communication device sent the first public key or the third public key to the authentication element, denoted message #1, to the authentication element sent the first digitally signed message denoted message #2, the interacted message may comprise the message #1 and message # 2). Optionally, the verifying network element may store the message interacted with the communication device before the verifying network element sends the first digital signature to the communication device.

Illustratively, verifying the message interacted with by the network element and the communication device may further include sending the first digitally signed message. For example, the message that sends the first digital signature is a radio resource control (radio resource control, RRC) message or a (non-access stratum, NAS) message.

Based on the scheme, the communication device can be enabled to authenticate the authentication network element by sending the certificate of the authentication network element and the first digital signature to the communication device, so that the flow of the authentication network element of the communication device is simplified, and the signaling overhead can be saved.

In certain implementations of the first aspect, a request message from the communication device is received, the request message for requesting access to a network, the request message including a first identity encrypted by the first key, the first identity having a correspondence with authentication information of the communication device, the verifying network element obtaining first authentication information of the authentication information from the first identity, and authenticating the communication device based on the first authentication information.

Based on the scheme, the authentication network element obtains the authentication information required by the communication device corresponding to the first identifier based on the first identifier, and authenticates the communication device according to the authentication information, so that the flexibility of authentication of the communication device can be improved.

In certain implementations of the first aspect, before the receiving the request message from the communication device, third indication information from the communication device is received, the third indication information indicating at least one authentication mode, the authentication information of the communication device indicated by each of the at least one authentication mode being independent of each other, and fourth indication information is sent to the communication device, the fourth indication information indicating a first authentication mode, the first authentication mode being one of the at least one authentication mode, the first authentication mode corresponding to the first authentication information.

Based on the above scheme, the authentication mode can be determined through negotiation between the verification network element and the communication device, so that the selection of the authentication mode is more flexible, and the communication device is suitable for more application scenes, namely, the communication device indicates at least one authentication mode to the verification network element, and the verification network element determines a first authentication mode from the at least one authentication mode.

In certain implementations of the first aspect, the authentication information includes any one of a credential of the communication device including a public key of the communication device, a cryptographic algorithm including a signature algorithm applicable to the communication device.

Based on the above scheme, the first authentication mode is determined according to the third information, so that the first authentication mode can be applicable to different credentials and cryptographic algorithms of the communication device.

In certain implementations of the first aspect, the type of the first identifier indicated by each of the at least one authentication means is different, and the first identifier includes at least one of a first type identifier of the communication device, a second type identifier of the communication device, an identifier of a block or an identifier of a transaction, and a virtual identifier of the communication device, where the first type identifier has a first correspondence with a root key of the communication device, the second type identifier has a second correspondence with at least one credential of the communication device, and the identifier of the block or the identifier of the transaction is used to obtain the second correspondence stored on a blockchain, and the virtual identifier has a correspondence with the second type identifier.

Based on the scheme, the verification network element can acquire the authentication information of the communication device based on different identifiers, so that the authentication process can be applicable to various scenes. The first type of identification may be compatible with the 5G communication system, the second type of identification may be applied in a scenario where personal information security is a high requirement, and in some scenarios, the security of the communication may be further improved by using a virtual identification, as compared to the first type of identification.

In certain implementations of the first aspect, the first authentication means is determined according to second information and the third indication information, the second information including at least one of an issuer of the credentials of the communication device, a security level of the credentials of the communication device, and a cryptographic algorithm corresponding to the credentials of the communication device.

Based on the scheme, the verification network element can select at least one of the issuing party of the credentials of the communication device and the security level of the credentials of the communication device, which are used in the authentication process, so that the authentication process is more flexible.

In certain implementations of the first aspect, the first authentication information includes a first credential of the communication device, the first credential is verified based on a credential of an issuer of the first credential, a second digital signature from the communication device is received, the second digital signature being a signature of a second message by a private key of the communication device, the second message including a message interacted by the communication device with the verification network element, and the second digital signature is verified based on a public key corresponding to the first credential.

The message interacted by the communication device and the authentication element may, for example, comprise the last message sent by the communication device to the authentication element, e.g. the interacted message may comprise a message carrying the second digital signature, or the interacted message may comprise a message after the communication device sent the request message to the authentication element (comprising the request message) and before the last message sent to the authentication element (may comprise the last message sent to the authentication element), e.g. the last message sent is a message carrying the second digital signature. Alternatively, the communication device may store the message interacted with the verifying network element before the communication device sends the second digital signature to the verifying network element.

The message carrying the first digital signature may be an RRC message or a NAS message.

Based on the scheme, the verification network element can verify the signature of the communication device on the interacted message by using the first certificate, and the security of the first certificate can be determined by verifying the first certificate through the certificate of the issuer of the first certificate, so that the security of the authentication process is improved.

In a second aspect, a communication method is provided, which may be performed by the authentication network element, or may also be performed by a component (e.g. a chip or a circuit) of the authentication network element, which is not limited, and for convenience of description, will be described below with reference to the embodiment performed by the authentication network element.

The method includes receiving a temporary public key from a communication device, the temporary public key being a public key of a temporary public-private key pair generated by the communication device, authenticating the communication device based on a first key, the first key being determined based on the temporary public key and a second private key, the second private key being a private key of the authentication network element or a private key of a temporary public-private key pair generated by the authentication network element, or the first key being generated by inputting the temporary public key into a post-quantum algorithm.

Based on the scheme, the verification network element can authenticate the communication device based on the first key, wherein the first key is determined based on the temporary public key of the communication device and the private key of the verification network element or the private key in the temporary public-private key pair generated by the verification network element, or the first key is generated by inputting the temporary public key through a quantum algorithm, so that the security of the first key is ensured, and the security of authenticating the communication device based on the first key is improved.

In certain implementations of the second aspect, if the first key is determined based on the temporary public key and a second private key, the second private key is a private key in a temporary public-private key pair generated by the authentication network element, the authentication network element sends a second public key to the communication device, the second public key including a public key in the temporary public-private key pair generated by the authentication network element, the second public key being used by the communication device to determine the first key.

Based on the scheme, the verification network element sends the public key of the temporary public-private key pair generated by the verification network element to the communication device, so that the communication device can determine the first key based on the temporary public key, the security of the first key determined by the communication device is improved, and the authentication security can be improved.

In certain implementations of the second aspect, the temporary public key is a third public key that is a public key of a third temporary public-private key pair generated by the communication device based on a post-quantum algorithm, the first key being generated by inputting the third public key into the post-quantum algorithm.

Based on the scheme, the first secret key is obtained through the quantum algorithm after the temporary public key of the communication device is input, so that the safety of the first secret key can be improved, and the safety of authentication is improved.

In certain implementations of the second aspect, a ciphertext is transmitted to the communication device, the ciphertext generated by inputting the third public key into the post quantum algorithm, the ciphertext being used by the communication device to determine the first key.

Based on the scheme, the ciphertext is generated by inputting the third public key into the post quantum algorithm, so that the communication device can generate the first key based on the ciphertext, the safety of the first key can be improved, and the safety of authentication is improved.

In certain implementations of the second aspect, the temporary public key includes a first public key that is a public key of a first temporary public-private key pair generated by the communication device and a third public key that is a public key of a third temporary public-private key pair generated by the communication device based on a post-quantum algorithm, the first key being determined based on a second key and a third key, the second key being determined from the second private key and the first public key, the third key being generated by inputting the third public key into the post-quantum algorithm.

Based on the scheme, the verification network element can generate the second key based on the first public key generated by the communication device and generate the third key according to the third public key generated by the communication device based on the post quantum algorithm, and the security of the first key can be improved by generating the first key based on the second key and the third key, so that the security of authentication is improved.

In certain implementations of the second aspect, a ciphertext generated by inputting the third public key into the post-quantum algorithm and a second public key are transmitted to the communication device, the second public key comprising a public key of the authentication network element or a public key of a temporary public-private key pair generated by the authentication network element, the ciphertext and the second public key being used by the communication device to determine the first key.

Based on the scheme, the communication device can generate the first key based on the ciphertext and the second public key by sending the ciphertext and the second public key to the communication device, so that the security of the first key can be improved, and the security of authentication can be improved.

In certain implementations of the second aspect, the temporary public key is transmitted in accordance with second indication information indicating a first key agreement algorithm, the first key agreement algorithm being one of at least one key agreement algorithm, the first indication information from the communication device being received before the receiving of the temporary public key from the communication device, the first indication information indicating the at least one key agreement algorithm, the second indication information being transmitted to the communication device.

Based on the scheme, the key negotiation algorithm in the authentication process can be determined through negotiation between the verification network element and the communication device, so that the key negotiation algorithm in the authentication process is more flexible to select, and the method is suitable for more application scenes.

In certain implementations of the second aspect, the first key agreement algorithm is determined according to first information and the first indication information, the first information including at least one of a security level to which the key agreement algorithm corresponds, a computational complexity of the key agreement algorithm, a network format, a type of the communication device, and a computational capability of the communication device.

Wherein the at least one key agreement algorithm refers to the description in the first aspect.

In certain implementations of the second aspect, a first digital signature is sent to the communication device, the first digital signature being a signature of a first message by a private key of the authentication network element, the first message comprising a message interacted with the communication device by the authentication network element, and a certificate of the authentication network element is sent to the communication device, the certificate comprising a public key of the authentication network element, the public key of the authentication network element being used by the communication device to authenticate the first digital signature. Wherein the messages interacted with by the authentication network element and the communication device may be as described in the first aspect.

Based on the above scheme, by sending the first digital signature and the certificate of the verification network element to the communication device, the communication device can verify the first digital signature based on the certificate of the verification network element, thereby further verifying the verification network element. The authentication method simplifies the authentication flow and can save signaling overhead.

In certain implementations of the second aspect, a request message from the communication device is received, the request message for requesting access to a network, the request message including a first identity encrypted by the first key, the first identity having a correspondence with authentication information of the communication device, the verifying network element obtaining first authentication information of the authentication information from the first identity, and authenticating the communication device based on the first authentication information.

In some implementations of the second aspect, before the receiving the request message from the communication device, third indication information from the communication device is received, the third indication information indicating at least one authentication mode, the authentication information corresponding to each of the at least one authentication mode being independent of each other, and fourth indication information indicating a first authentication mode, the first authentication mode being one of the at least one authentication mode, the first authentication mode corresponding to the first authentication information, is sent to the communication device.

In certain implementations of the second aspect, the authentication information indicates any one of a credential of the communication device, a cryptographic algorithm, wherein the credential of the communication device includes a public key of the communication device, and the cryptographic algorithm includes a signature algorithm applicable to the communication device.

In certain implementations of the second aspect, the type of the first identifier indicated by each of the at least one authentication means is different, and the first identifier includes at least one of a first type identifier of the communication device, a second type identifier of the communication device, an identifier of a block, or an identifier of a transaction, and a virtual identifier of the communication device, where the first type identifier has a first correspondence with a root key of the communication device, the second type identifier has a second correspondence with at least one credential of the communication device, and the identifier of the block or the identifier of the transaction is used to obtain the second correspondence stored on a blockchain, and the virtual identifier has a correspondence with the second type identifier.

Based on the scheme, the verification network element can acquire the authentication information of the communication device based on different identifiers, so that the authentication process can be applicable to various scenes.

In certain implementations of the second aspect, the first authentication mode is determined according to second information and the third indication information, the second information including at least one of an issuer of the credentials of the communication device, a security level of the credentials of the communication device, and a cryptographic algorithm corresponding to the credentials of the communication device.

In certain implementations of the second aspect, the first authentication information includes a first credential of the communication device, the first credential being verified based on a credential of a issuer of the first credential, receiving a second digital signature from the communication device, the second digital signature being a signature of a second message by the communication device, the second message including a message interacted with the verification network element by the communication device, and verifying the second digital signature based on a public key corresponding to the first credential. Wherein the message interacted by the communication device with the authentication network element may be as described in the first aspect.

In a third aspect, a communication method is provided, which may be performed by a communication apparatus or may also be performed by a component (e.g., a chip or a circuit) of the communication apparatus, which is not limited, and for convenience of description, an example of the method performed by the communication apparatus will be described below.

The method includes sending first indication information to an authentication network element, the first indication information indicating at least one key agreement algorithm, receiving second indication information from the authentication network element, the second indication information indicating a first key agreement algorithm, the first key agreement algorithm being one of the at least one key agreement algorithm, the first key agreement algorithm being used to determine a first key, the first key being used to encrypt or decrypt messages transmitted between the communication device and the authentication network element.

In certain implementations of the third aspect, the first key agreement algorithm is determined according to first information and the first indication information, the first information including at least one of a security level to which the key agreement algorithm corresponds, a computational complexity of the key agreement algorithm, a network type of the communication device, a computational capability of the communication device.

In certain implementations of the third aspect, the first key is determined based on the first key agreement algorithm.

In certain implementations of the third aspect, the first key agreement algorithm is the ECDHE key agreement algorithm, the ECDHE key agreement algorithm is performed by receiving a second public key from the authentication network element, the second public key being a public key of a second temporary public-private key pair generated by the authentication network element, determining the first key based on the second public key and the first private key, the first private key being a private key of the first temporary public-private key pair generated by the communication device.

Based on the scheme, the first key is determined according to the public key in the second temporary public-private key pair generated by the received verification network element and the private key in the first temporary public-private key pair generated by the communication device, so that the security of the first key can be improved, and the security of authentication is improved.

In certain implementations of the third aspect, a first public key is sent to the authentication network element, the first public key being a public key of the first temporary public-private key pair, the first public key being used by the authentication network element to determine the first key.

In certain implementations of the third aspect, the first key agreement algorithm is the PQC-based key agreement algorithm, in which a ciphertext from the authentication network element is received, the ciphertext being generated by the authentication network element based on a post-quantum algorithm, the ciphertext and a third private key are input to the post-quantum algorithm to generate the first key, the third private key being a private key of a third temporary public-private key pair generated by the communication device based on the post-quantum algorithm.

Based on the scheme, according to the received ciphertext generated by the verification network element, the communication device determines the first key based on the private key in the third temporary public-private key pair generated by the post quantum algorithm, so that the security of the first key can be improved, and the security of authentication is improved.

In certain implementations of the third aspect, a third public key is sent to the authentication network element, the third public key being a public key of the third temporary public-private key pair, the third public key being used by the authentication network element to determine the first key.

In certain implementations of the third aspect, the first key agreement algorithm is the PQC and ECDH based key agreement algorithm, in which ciphertext from the authentication network element and a public key of the authentication network element are received, the ciphertext being generated by the authentication network element based on a post-quantum algorithm, a second key is determined based on the public key and a first private key of the authentication network element, the first private key being a private key of a first temporary public key pair generated by the communication device, the ciphertext and a third private key being input to the post-quantum algorithm to generate a third key, the third private key being a private key of a third temporary public key pair generated by the communication device based on the post-quantum algorithm, the first key being determined based on the second key and the third key.

Based on the scheme, the communication device determines the second key according to the received public key of the verification network element and the private key of the first temporary public-private key pair generated by the communication device, determines the third key according to the received ciphertext generated by the verification network element and the private key of the third temporary public-private key pair generated by the post-quantum algorithm, and determines the first key according to the second key and the third key, so that the security of the first key can be improved, and the security of authentication is improved.

In certain implementations of the third aspect, the first key agreement algorithm is the PQC and ECDHE based key agreement algorithm, in the PQC and ECDHE based key agreement algorithm, ciphertext and a second public key from the authentication network element are received, the ciphertext being generated by the authentication network element based on a post-quantum algorithm, the second public key being a public key in a second temporary public-private key pair generated by the authentication network element, the second key being determined based on the second public key and a first private key, the first private key being a private key in a first temporary public-private key pair generated by the communication device, the ciphertext and a third private key being input to the post-quantum algorithm, the third private key being a private key in a third temporary public-private key pair generated by the communication device based on the post-quantum algorithm, the first key being determined based on the second key and the third key.

Based on the scheme, the communication device determines the second key according to the received public key in the second temporary public-private key pair generated by the verification network element and the private key in the first temporary public-private key pair generated by the communication device, determines the third key according to the received ciphertext generated by the verification network element and the third key in the third temporary public-private key pair generated by the post-quantum algorithm, and determines the first key according to the second key and the third key, so that the security of the first key can be improved, and the security of authentication is improved.

In certain implementations of the third aspect, a first public key and a third public key are sent to the authentication network element, the first public key being a public key of the first temporary public-private key pair, the third public key being a public key of the third temporary public-private key pair, the first public key and the third public key being used by the authentication network element to determine the first key.

In certain implementations of the third aspect, a first digital signature from the authentication element is received, the first digital signature being a signature of a first message by a private key of the authentication element, the first message comprising a message interacted with by the authentication element and the communication device, a certificate of the authentication element from the authentication element is received, the certificate comprising a public key of the authentication element, and the first digital signature is authenticated based on the public key of the authentication element. Wherein the messages interacted with by the authentication network element and the communication device may be as described in the first aspect.

Based on the scheme, the communication device can authenticate the verification network element by receiving the certificate of the verification network element and the first digital signature, so that the flow of the communication device for authenticating the verification network element is simplified, and the signaling overhead can be saved.

In certain implementations of the third aspect, a request message is sent to the authentication network element, the request message being for requesting access to the network, the request message including a first identity encrypted by the first key, the first identity having a correspondence with authentication information of the communication device, the authentication information including first authentication information, the first authentication information being used for authenticating the communication device.

Based on the scheme, the authentication network element can acquire the authentication information required by the communication device corresponding to the first identifier based on the first identifier by sending the request message to the authentication network element, and authenticate the communication device according to the authentication information, so that the flexibility of authentication of the communication device can be improved.

In some implementations of the third aspect, before the sending of the request message to the verifying network element, sending third indication information to the verifying network element, the third indication information indicating at least one authentication mode, the authentication information indicated by each of the at least one authentication mode being independent of each other, receiving fourth indication information from the verifying network element, the fourth indication information indicating a first authentication mode, the first authentication mode being one of the at least one authentication mode, the first authentication mode corresponding to the first authentication information.

In certain implementations of the third aspect, the authentication information includes any one of a credential of the communication device including a public key of the communication device, a cryptographic algorithm including a signature algorithm applicable to the communication device.

Based on the above scheme, by determining the first authentication mode according to the third information, the first authentication mode can be applied to different credentials and cryptographic algorithms of the communication device.

In some implementations of the third aspect, the type of the first identifier indicated by each of the at least one authentication means is different, and the first identifier includes at least one of a first type identifier of the communication device, a second type identifier of the communication device, an identifier of a block, or an identifier of a transaction, and a virtual identifier of the communication device, where the first type identifier has a first correspondence with a root key of the communication device, the second type identifier has a second correspondence with at least one credential of the communication device, and the identifier of the block or the identifier of the transaction is used to obtain the second correspondence stored on a blockchain, and the virtual identifier has a correspondence with the second type identifier.

Based on the scheme, the verification network element can acquire the authentication information of the communication device based on different identifiers, so that the authentication process can be applicable to various scenes. Wherein each identification applies to the scene described in the first aspect.

In certain implementations of the third aspect, the first authentication means is determined according to second information and the third indication information, the second information including at least one of an issuer of the credentials of the communication device, a security level of the credentials of the communication device, and a cryptographic algorithm corresponding to the credentials of the communication device.

In certain implementations of the third aspect, a second digital signature is sent to the authentication network element, the second digital signature being a signature of a second message by a private key of the communication device, the second message comprising a message interacted with the authentication network element by the communication device, the second digital signature being used by the authentication network element to authenticate the communication device. Wherein the message interacted by the communication device with the authentication network element may be as described in the first aspect.

Based on the scheme, the second digital signature is sent to the verification network element, so that the verification network element can verify the signature of the communication device on the interacted message by using the first certificate, the communication device is verified, the security of the first certificate can be determined by verifying the first certificate through the certificate of the issuer of the first certificate, and the security of the authentication process is improved.

In a fourth aspect, a communication method is provided, which may be performed by a communication apparatus or may also be performed by a component (e.g., a chip or a circuit) of the communication apparatus, which is not limited, and for convenience of description, an example of the method performed by the communication apparatus will be described below.

The method comprises the steps of sending a temporary public key to the verification network element, wherein the temporary public key is a public key in a temporary public-private key pair generated by the communication device, the temporary public key is used for determining a first secret key, the first secret key is used for the verification network element to authenticate the communication device, the first secret key is determined based on the temporary public key and a second secret key, the second secret key is a private key of the verification network element or a private key in a temporary public-private key pair generated by the verification network element, or the first secret key is generated through a quantum algorithm after the temporary public key is input.

Based on the scheme, the authentication network element can determine the first key based on the temporary public key and authenticate the communication device based on the first key by sending the temporary public key to the authentication network element, wherein the first key is determined based on the temporary public key of the communication device and the private key of the authentication network element or the private key of the temporary public-private key pair generated by the authentication network element, or the first key is generated by inputting the temporary public key through a quantum algorithm, so that the security of the first key is ensured, and the security of authenticating the communication device based on the first key is improved.

In some implementations of the fourth aspect, if the first key is determined based on a temporary public key of a communication device and a private key of a temporary public-private key pair generated by the authentication network element, the method further includes receiving a second public key from the authentication network element, the second public key being a public key of a second temporary public-private key pair generated by the authentication network element, determining the first key based on a first private key and the second public key, the first public key being a private key of the first temporary public-private key pair.

Based on the scheme, the device can determine the first key based on the temporary public key generated by the verification network element, so that the security of the first key is improved, and the security of authentication can be improved.

In certain implementations of the fourth aspect, the temporary public key is a third public key that is a public key of a third temporary public-private key pair generated by the communication device based on a post-quantum algorithm, the first key being generated by inputting the third public key into the post-quantum algorithm.

In some implementations of the fourth aspect, the method further includes receiving a ciphertext from the authentication network element, the ciphertext generated by inputting the third public key into the post quantum algorithm, and inputting the ciphertext and a third private key into the post quantum algorithm to generate the first key, the third private key being a private key of the third temporary public-private key pair.

Based on the scheme, the ciphertext is sent to the communication device, and the first secret key is generated by inputting the ciphertext and the third private key into the post quantum algorithm, so that the safety of the first secret key can be improved, and the safety of authentication is improved.

In certain implementations of the fourth aspect, the temporary public key includes a first public key that is a public key of a first temporary public-private key pair generated by the communication device and a third public key that is a public key of a third temporary public-private key pair generated by the communication device based on a post-quantum algorithm, the first key being determined based on a second key and a third key, the second key being determined from the second private key and the first public key, the third key being generated by inputting the third public key into the post-quantum algorithm.

Based on the scheme, the security of the first key can be improved by generating the first key based on the second key and the third key, so that the security of authentication is improved.

In certain implementations of the fourth aspect, a ciphertext and a second public key from the authentication network element are received, the second public key comprising a public key of the authentication network element or of a temporary public-private key generated by the authentication network element, the ciphertext being generated by inputting the third public key into the post-quantum algorithm, a second key is generated based on a first private key and the second public key, the first private key being a private key in the first public-private key pair, the ciphertext and the third private key being a private key in the third public-private key pair, the third key being determined based on the second key and the third key.

Based on the scheme, the communication device determines a second key according to the received public key of the verification network element or the public key in the temporary public-private key generated by the verification network element and the private key in the first temporary public-private key pair generated by the communication device, and determines a third key according to the received ciphertext generated by the verification network element based on the private key in the third temporary public-private key pair generated by the post quantum algorithm, and determines the first key according to the second key and the third key, so that the security of the first key can be improved, and the security of authentication can be improved.

In certain implementations of the fourth aspect, the temporary public key is sent according to second indication information indicating a first key agreement algorithm, the first key agreement algorithm being one of at least one key agreement algorithm, the first indication information indicating the at least one key agreement algorithm being sent to the authentication network element before the receiving the temporary public key from the communication device, the second indication information being received from the authentication network element.

In some implementations of the fourth aspect, the first key agreement algorithm is determined according to first information and the first indication information, the first information including at least one of a security level corresponding to the key agreement algorithm, a computational complexity of the key agreement algorithm, a network format, a type of the communication device, and a computational capability of the communication device.

In certain implementations of the fourth aspect, the method further includes receiving a first digital signature from the authentication element, the first digital signature being a signature of a first message by a private key of the authentication element, the first message including a message interacted with the communication device by the authentication element, receiving a certificate from the authentication element, the certificate including a public key of the authentication element, and authenticating the first digital signature based on the public key of the authentication element. Wherein the messages interacted with by the authentication network element and the communication device may be as described in the first aspect.

Based on the above scheme, by receiving the first digital signature from the verification network element and the certificate of the verification network element, the communication device can verify the first digital signature based on the certificate of the verification network element, thereby further verifying the verification network element. The authentication method simplifies the authentication flow and can save signaling overhead.

In certain implementations of the fourth aspect, a request message is sent to the verification network element, the request message being for requesting access to a network, the request message including a first identification encrypted by the communication device using the first key, the first identification having a correspondence with authentication information of the communication device, the authentication information including first authentication information, the first authentication information being used for authenticating the communication device.

Based on the above scheme, by sending the request message to the verification network element, the authentication network element can obtain the authentication information required by the communication device corresponding to the first identifier based on the first identifier, and authenticate the communication device according to the authentication information, so that the flexibility of authentication of the communication device can be improved.

In some implementations of the fourth aspect, before the sending of the request message to the verification network element, sending third indication information to the verification network element, where the third indication information indicates at least one authentication mode, and the authentication information corresponding to each of the at least one authentication mode is independent of each other, receiving fourth indication information from the verification network element, where the fourth indication information indicates a first authentication mode, where the first authentication mode is one of the at least one authentication mode, and where the first authentication mode corresponds to the first authentication information.

In certain implementations of the fourth aspect, the authentication information indicates any one of a credential of the communication device, a cryptographic algorithm, wherein the credential of the communication device includes a public key of the communication device, and the cryptographic algorithm includes a signature algorithm applicable to the communication device.

Based on the above scheme, by determining the first authentication mode according to the third information, the first authentication mode can be applied to different credentials and/or cryptographic algorithms of the communication device.

In some implementations of the fourth aspect, the type of the first identifier indicated by each of the at least one authentication means is different, and the first identifier includes at least one of a first type identifier of the communication device, a second type identifier of the communication device, an identifier of a block, or an identifier of a transaction, and a virtual identifier of the communication device, where the first type identifier has a first correspondence with a root key of the communication device, the second type identifier has a second correspondence with at least one credential of the communication device, and the identifier of the block or the identifier of the transaction is used to obtain the second correspondence stored on a blockchain, and the virtual identifier has a correspondence with the second type identifier.

Based on the scheme, the authentication information of the communication device can be acquired based on different identifications, and the authentication process can be applicable to various scenes. Wherein different types of identification applicable scenarios may refer to the description in the first aspect.

In certain implementations of the fourth aspect, the first authentication means is determined according to second information and the third indication information, the second information including at least one of an issuer of the credentials of the communication device, a security level of the credentials of the communication device, and a cryptographic algorithm corresponding to the credentials of the communication device.

In certain implementations of the fourth aspect, a second digital signature is sent to the authentication network element, the second digital signature being a signature of a second message by a private key of the communication device, the second message comprising a message interacted with the authentication network element by the communication device, the second digital signature being used by the authentication network element to authenticate the communication device. Wherein the message interacted by the communication device and the authentication network element may be as described in the first aspect.

Based on the scheme, the verification network element can verify the signature of the communication device on the interacted message by using the first certificate by sending the second digital signature to the verification network element, so that the communication device is verified, and the security of the first certificate can be determined by verifying the first certificate through the certificate of the issuer of the first certificate, so that the security of the authentication process is improved.

In a fifth aspect, a communication device is provided, which may be used in the authentication network element of the first aspect, or may be a device (for example, a chip, or a system on a chip, or a circuit) in the authentication network element, or may be a device that can be used in cooperation with the authentication network element, or may be a logic module or software that can implement all or part of the functions of the authentication network element.

In a possible implementation, the communication apparatus may include modules or units corresponding to each other in a one-to-one manner to perform the method/operation/step/action described in the first aspect, where the modules or units may be hardware circuits, or software, or implemented by using hardware circuits in combination with software.

In a possible implementation, the apparatus includes a transceiver unit configured to receive first indication information from a communication apparatus, the first indication information indicating at least one key agreement algorithm, and to send second indication information to the communication apparatus, the second indication information indicating a first key agreement algorithm, the first key agreement algorithm being one of the at least one key agreement algorithm, the first key agreement algorithm being configured to determine a first key, the first key being configured to encrypt or decrypt messages transmitted between the communication apparatus and the apparatus.

In certain implementations of the fifth aspect, the first key agreement algorithm is determined from first information and the first indication information, the first information being referred to the description in the first aspect.

In certain implementations of the fifth aspect, the at least one key agreement algorithm refers to the description in the first aspect.

In certain implementations of the fifth aspect, the apparatus further includes a processing unit to determine the first key based on the first key agreement algorithm.

In certain implementations of the fifth aspect, the first key agreement algorithm is the ECDHE key agreement algorithm, in the ECDHE key agreement algorithm, the transceiver unit is specifically configured to receive a first public key from the communication device, the first public key being a public key of a first temporary public-private key pair generated by the communication device, and the processing unit is specifically configured to determine the first key based on the first public key and a second private key, the second private key being a private key of a second temporary public-private key pair generated by the device.

In certain implementations of the fifth aspect, the transceiver unit is further configured to send a second public key to the communication device, where the second public key is a public key in the second temporary public-private key pair. By sending the second public key to the communication device, the communication device may be caused to determine the first key based on the second public key.

In certain implementations of the fifth aspect, the first key agreement algorithm is the PQC-based key agreement algorithm, in which the transceiving unit is specifically configured to receive a third public key from the communication device, the third public key being a public key in a third temporary public-private key pair generated by the communication device based on a post-quantum algorithm, and the processing unit is specifically configured to input the third public key into the post-quantum algorithm to generate ciphertext and the first key.

In certain implementations of the fifth aspect, the transceiver unit is further configured to send the ciphertext to the communication device. By transmitting the ciphertext to the communication device, the communication device may be caused to determine the first key based on the ciphertext.

In certain implementations of the fifth aspect, the first key agreement algorithm is the PQC-and ECDH-based key agreement algorithm, in which the transceiving unit is specifically configured to receive a first public key and a third public key from the communication device, the first public key being a public key in a first temporary public-private key pair generated by the communication device, the third public key being a public key in a third temporary public-private key pair generated by the communication device based on a post-quantum algorithm, the processing unit is specifically configured to determine a second key based on the first public key and a private key of the device, and to input the third public key into the post-quantum algorithm to generate a ciphertext and a third key, and the processing unit is further configured to determine the first key based on the second key and the third key.

In certain implementations of the fifth aspect, the transceiver unit is further configured to send the public key of the device and the ciphertext to the communication device, the public key of the device and the ciphertext being used by the communication device to determine the first key.

In certain implementations of the fifth aspect, the first key agreement algorithm is the PQC and ECDHE based key agreement algorithm, the transceiving unit is specifically configured to receive a first public key and a third public key from the communication device in the PQC and ECDHE based key agreement algorithm, the first public key is a public key in a first temporary public-private key pair generated by the communication device, the third public key is a public key in a third temporary public-private key pair generated by the communication device based on a post-quantum algorithm, the processing unit is specifically configured to determine a second key based on the first public key and the second private key, the second private key is a private key in a second temporary public-private key pair generated by the device, and the third public key is input to the post-quantum algorithm to generate ciphertext and a third key, and the processing unit is further configured to determine the first key based on the second key and the third key.

In certain implementations of the fifth aspect, the transceiver unit is further configured to send a second public key and the ciphertext to the communication device, where the second public key is a public key in the second temporary public-private key pair, and by sending the second public key and the ciphertext to the communication device, the communication device may be caused to determine the first key based on the second public key and the ciphertext.

In certain implementations of the fifth aspect, the transceiver unit is further configured to send a first digital signature to the communication device, the first digital signature being a signature of a first message by a private key of the device, the first message including a message that the device and the communication device interacted with, and send a certificate of the device to the communication device, the certificate including a public key of the device, the public key of the device being used by the communication device to verify the first digital signature.

In certain implementations of the fifth aspect, the transceiver unit is further configured to receive a request message from the communication device, where the request message is used to request access to a network, the request message includes a first identifier encrypted by the first key, the first identifier has a correspondence with authentication information of the communication device, obtain first authentication information in the authentication information according to the first identifier, and the processing unit is further configured to authenticate the communication device based on the first authentication information.

In some implementations of the fifth aspect, before the receiving the request message from the communication device, the transceiver unit is further configured to receive third indication information from the communication device, where the third indication information indicates at least one authentication mode, and the third information indicated by each of the at least one authentication modes is different, and send fourth indication information to the communication device, where the fourth indication information indicates a first authentication mode, where the first authentication mode is one of the at least one authentication modes, and the first authentication mode corresponds to the first authentication information.

In certain implementations of the fifth aspect, the authentication information refers to the description in the first aspect.

In certain implementations of the fifth aspect, the type of first identifier indicated by each of the at least one authentication means is different, the first identifier being as described in the first aspect.

In certain implementations of the fifth aspect, the first authentication means is determined from second information and the third indication information, the second information being referred to the description in the first aspect.

In certain implementations of the fifth aspect, the first authentication information includes a first credential of the communication device, the first credential being verified based on a credential of an issuer of the first credential, the transceiver unit is further configured to receive a second digital signature from the communication device, the second digital signature being a signature of a second message by a private key of the communication device, the second message including a message interacted with the device by the communication device, and the processing unit is further configured to verify the second digital signature based on a public key corresponding to the first credential.

In a sixth aspect, a communications device is provided, which may be used in the authentication element of the second aspect, the communications device may be an authentication element, a device (e.g. a chip, or a system on a chip, or a circuit) in the authentication element, or a device capable of being used in combination with the authentication element, or a logic module or software capable of implementing all or part of the functions of the authentication element.

In a possible implementation, the communication apparatus may include modules or units corresponding to each other in a one-to-one manner to perform the method/operation/step/action described in the second aspect, where the modules or units may be hardware circuits, or software, or implemented by using hardware circuits in combination with software.

In a possible implementation, the device includes a transceiver unit configured to receive a temporary public key from a first communication device, the temporary public key being a public key of a temporary public-private key pair generated by the first communication device, and a processing unit configured to authenticate the first communication device based on a first key determined based on the temporary public key and a second private key, the second private key being a private key of the authentication network element or a private key of a temporary public-private key pair generated by the authentication network element, or the first key being generated by inputting the temporary public key into a post-quantum algorithm.

In certain implementations of the sixth aspect, if the first key is determined based on the temporary public key and a second private key, the second private key is a private key of a temporary public-private key pair generated by the authentication network element, and the transceiver unit is further configured to send a second public key to the first communication device, the second public key including a public key of the temporary public-private key pair generated by the authentication network element, the second public key being used by the first communication device to determine the first key.

In certain implementations of the sixth aspect, the temporary public key is a third public key that is a public key of a third temporary public-private key pair generated by the first communication device based on a post-quantum algorithm, the first key being generated by inputting the third public key into the post-quantum algorithm.

In certain implementations of the sixth aspect, the transceiver unit is further configured to send a ciphertext to the first communication device, the ciphertext being generated by inputting the third public key into the post quantum algorithm, the ciphertext being used by the first communication device to determine the first key.

In certain implementations of the sixth aspect, the temporary public key includes a first public key that is a public key of a first temporary public-private key pair generated by the first communication device and a third public key that is a public key of a third temporary public-private key pair generated by the first communication device based on a post-quantum algorithm, the first key being determined based on a second key and a third key, the second key being determined from the second private key and the first public key, the third key being generated by inputting the third public key into the post-quantum algorithm.

In certain implementations of the sixth aspect, the transceiver unit is further configured to send to the first communication device a ciphertext and a second public key, where the second public key includes a public key of the authentication network element or a public key of a temporary public-private key pair generated by the authentication network element, the ciphertext is generated by inputting the third public key into the post-quantum algorithm, and the ciphertext and the second public key are used by the first communication device to determine the first key.

In certain implementations of the sixth aspect, the temporary public key is transmitted according to second indication information indicating a first key agreement algorithm, the first key agreement algorithm being one of at least one key agreement algorithm, the transceiving unit being further configured to receive first indication information from the first communication device before the receiving of the temporary public key from the first communication device, the first indication information indicating the at least one key agreement algorithm, the transceiving unit being further configured to transmit the second indication information to the first communication device.

In certain implementations of the sixth aspect, the first key agreement algorithm is determined from first information and the first indication information, the first information being referred to the description of the second aspect.

In certain implementations of the sixth aspect, the transceiver unit is further configured to send a first digital signature to the first communication device, the first digital signature being a signature of a first message by a private key of the authentication network element, the first message including a message that the authentication network element interacted with the first communication device, send a certificate of the authentication network element to the first communication device, the certificate including a public key of the authentication network element, the public key of the authentication network element being used by the first communication device to authenticate the first digital signature.

In certain implementations of the sixth aspect, the transceiver unit is further configured to receive a request message from the first communication device, where the request message is used to request access to a network, the request message includes a first identifier encrypted by the first communication device using the first key, the first identifier has a correspondence with authentication information of the first communication device, the processing unit is further configured to decrypt the encrypted first identifier based on the first key, obtain first authentication information in the authentication information according to the first identifier, and authenticate the first communication device based on the first authentication information.

In some implementations of the sixth aspect, before the receiving the request message from the first communication device, the transceiver unit is further configured to receive third indication information from the first communication device, where the third indication information indicates at least one authentication mode, and authentication information corresponding to each of the at least one authentication mode is independent of each other, and the transceiver unit is further configured to send fourth indication information to the first communication device, where the fourth indication information indicates a first authentication mode, where the first authentication mode is one of the at least one authentication mode, and the first authentication mode corresponds to the first authentication information.

In certain implementations of the sixth aspect, the authentication information refers to the description in the second aspect.

In certain implementations of the sixth aspect, the type of first identifier indicated by each of the at least one authentication means is different, which may refer to the description of the second aspect.

In certain implementations of the sixth aspect, the first authentication means is determined from second information and the third indication information, the second information being referred to the description in the second aspect.

In certain implementations of the sixth aspect, the first authentication information includes a first credential of the first communication device, the first credential is verified based on a credential of a credential issuer, the transceiver unit is further configured to receive a second digital signature from the first communication device, the second digital signature being a signature of a second message by the first communication device, the second message including a message interacted by the first communication device with the verification network element, and the processing unit is further configured to verify the second digital signature based on a public key corresponding to the first credential.

In a seventh aspect, a communication apparatus is provided, where the communication apparatus may be used in the communication apparatus of the third aspect, where the communication apparatus may be a terminal device, an apparatus (for example, a chip, or a chip system, or a circuit) in the terminal device, or an apparatus that can be used in cooperation with the terminal device, or a logic module or software that can implement all or part of the functions of the terminal device.

In a possible implementation, the communication apparatus may include modules or units corresponding to each other in a one-to-one manner to perform the method/operation/step/action described in the third aspect, where the modules or units may be hardware circuits, or software, or implemented by using hardware circuits in combination with software.

In a possible implementation, the device comprises a transceiver unit for sending a first indication information to the authentication network element, the first indication information indicating at least one key agreement algorithm, the transceiver unit further being for receiving a second indication information from the authentication network element, the second indication information indicating a first key agreement algorithm, the first key agreement algorithm being one of the at least one key agreement algorithm, the first key agreement algorithm being for determining a first key for encrypting or decrypting a message transmitted between the communication device and the authentication network element.

In certain implementations of the seventh aspect, the first key agreement algorithm is determined according to first information and the first indication information, the first information including at least one of a security level to which the key agreement algorithm corresponds, a computational complexity of the key agreement algorithm, a network format, a type of the communication device, and a computational capability of the communication device.

In certain implementations of the seventh aspect, the apparatus further includes a processing unit to determine the first key based on the first key agreement algorithm.

In certain implementations of the seventh aspect, the first key agreement algorithm is the ECDHE key agreement algorithm, in ECDHE the transceiving unit is further configured to receive a second public key from the authentication network element, the second public key being a public key of a second temporary public-private key pair generated by the authentication network element, and the processing unit is specifically configured to determine the first key based on the second public key and a first private key, the first private key being a private key of the first temporary public-private key pair generated by the communication device.

In certain implementations of the seventh aspect, the transceiver unit is further configured to send a first public key to the authentication network element, where the first public key is a public key in the first temporary public-private key pair, and the first public key is used by the authentication network element to determine the first secret key.

In certain implementations of the seventh aspect, the first key agreement algorithm is the PQC-based key agreement algorithm, in which the transceiving unit is further configured to receive a ciphertext from the authentication network element, the ciphertext being generated by the authentication network element based on a post-quantum algorithm, and the processing unit is further configured to input the ciphertext and a third private key into the post-quantum algorithm to generate the first key, the third private key being a private key of a third temporary public-private key pair generated by the communication device based on the post-quantum algorithm.

In certain implementations of the seventh aspect, the transceiver unit is further configured to send a third public key to the authentication network element, where the third public key is a public key in the third temporary public-private key pair, and the third public key is used by the authentication network element to determine the first key.

In certain implementations of the seventh aspect, the first key agreement algorithm is the key agreement algorithm based on PQC and ECDH, the transceiver unit is further configured to receive ciphertext from the authentication network element and a public key of the authentication network element, the ciphertext being generated by the authentication network element based on a post-quantum algorithm, the processing unit is further configured to determine a second key based on the public key of the authentication network element and a first private key, the first private key being a private key of a first temporary public-private key pair generated by the communication device, input the ciphertext and a third private key to the post-quantum algorithm, the third private key being a private key of a third temporary public-private key pair generated by the communication device based on the post-quantum algorithm, and the processing unit is further configured to determine the first key based on the second key and the third key.

In certain implementations of the seventh aspect, the first key agreement algorithm is the key agreement algorithm based on PQC and ECDHE, the transceiving unit is further configured to receive, in the key agreement algorithm based on PQC and ECDHE, ciphertext and a second public key from the authentication network element, the ciphertext being generated by the authentication network element based on a post-quantum algorithm, the second public key being a public key in a second temporary public-private key pair generated by the authentication network element, the processing unit is further configured to determine a second key based on the second public key and a first private key, the first private key being a private key in a first temporary public-private key pair generated by the communication device, the processing unit is further configured to input the ciphertext and a third private key into the post-quantum algorithm, the third private key being a private key in a third temporary public-private key pair generated by the communication device based on the post-quantum algorithm, and to determine the first key based on the second key and the third key.

In certain implementations of the seventh aspect, the transceiver unit is further configured to send a first public key and a third public key to the authentication network element, where the first public key is a public key in the first temporary public-private key pair, the third public key is a public key in the third temporary public-private key pair, and the first public key and the third public key are used by the authentication network element to determine the first key.

In certain implementations of the seventh aspect, the transceiver unit is further configured to receive a first digital signature from the authentication element, the first digital signature being a signature of a first message by a private key of the authentication element, the first message including a message interacted with by the authentication element and the communication device, receive a certificate from the authentication element, the certificate including a public key of the authentication element, and the processor unit is further configured to verify the first digital signature based on the public key of the authentication element.

In certain implementations of the seventh aspect, the transceiver unit is further configured to send a request message to the authentication network element, where the request message is used to request access to a network, the request message includes a first identifier encrypted by the first key, the first identifier has a correspondence with authentication information of the communication device, and the authentication information includes first authentication information, where the first authentication information is used to authenticate the communication device.

In some implementations of the seventh aspect, before the sending the request message to the verification network element, the transceiver unit is further configured to send third indication information to the verification network element, where the third indication information indicates at least one authentication mode, and the authentication information indicated by each of the at least one authentication modes is independent of each other, receive fourth indication information from the verification network element, where the fourth indication information indicates a first authentication mode, where the first authentication mode is one of the at least one authentication modes, and the first authentication mode corresponds to the first authentication information.

Wherein the authentication information is described with reference to the third aspect.

In certain implementations of the seventh aspect, the type of the first identity indicated by each of the at least one authentication means is different, several types of the first identity being referred to in the description of the third aspect.

In certain implementations of the seventh aspect, the first authentication mode is determined according to the second information and the third indication information. The second information is described with reference to the third aspect.

In certain implementations of the seventh aspect, the transceiver unit is further configured to send a second digital signature to the authentication network element, the second digital signature being a signature of a second message by a private key of the communication device, the second message including a message that the communication device interacted with the authentication network element, the second digital signature being used by the authentication network element to authenticate the communication device.

In an eighth aspect, a communication apparatus is provided, where the communication apparatus may be used in the communication apparatus of the fourth aspect, where the communication apparatus may be a terminal device, a device (for example, a chip, or a chip system, or a circuit) in the terminal device, or a device that can be used in cooperation with the terminal device, or a logic module or software that can implement all or part of the functions of the terminal device.

In a possible implementation, the communication apparatus may include modules or units corresponding to each other in a one-to-one manner to perform the method/operation/step/action described in the fourth aspect, where the modules or units may be hardware circuits, or software, or implemented by using hardware circuits in combination with software.

In a possible implementation, the device comprises a transceiver unit, the transceiver unit is configured to send a temporary public key to the verification network element, the temporary public key is a public key in a temporary public-private key pair generated by the communication device, the temporary public key is used for determining a first key, the first key is used for the verification network element to authenticate the communication device, the first key is determined based on the temporary public key and a second private key, the second private key is a private key of the verification network element or a private key in the temporary public-private key pair generated by the verification network element, or the first key is generated by inputting the temporary public key into a post-quantum algorithm.

In some implementations of the eighth aspect, if the first key is determined based on a temporary public key of the communication device and a private key of a temporary public-private key pair generated by the authentication network element, the transceiver is further configured to receive a second public key from the authentication network element, the second public key being a public key of a second temporary public-private key pair generated by the authentication network element, and the device further includes a processing unit configured to determine the first key based on the first private key and the second public key, the first public key being a private key of the first temporary public-private key pair.

In certain implementations of the eighth aspect, the temporary public key is a third public key that is a public key of a third temporary public-private key pair generated by the communication device based on a post-quantum algorithm, the first key being generated by inputting the third public key into the post-quantum algorithm.

In some implementations of the eighth aspect, the transceiver unit is further configured to receive a ciphertext from the authentication network element, the ciphertext being generated by inputting the third public key into the post-quantum algorithm, and the processing unit is further configured to input the ciphertext and a third private key into the post-quantum algorithm to generate the first key, the third private key being a private key of the third temporary public-private key pair.

In certain implementations of the eighth aspect, the temporary public key includes a first public key that is a public key of a first temporary public-private key pair generated by the communication device and a third public key that is a public key of a third temporary public-private key pair generated by the communication device based on a post-quantum algorithm, the first key being determined based on a second key and a third key, the second key being determined from the second private key and the first public key, the third key being generated by inputting the third public key into the post-quantum algorithm.

In certain implementations of the eighth aspect, the transceiver unit is further configured to receive a ciphertext from the authentication network element and a second public key, where the second public key includes a public key of the authentication network element or a public key of a temporary public key generated by the authentication network element, the ciphertext is generated by inputting the third public key into the post-quantum algorithm, the processor unit is further configured to generate a second key based on a first private key and the second public key, the first private key is a private key in the first public key pair, input the ciphertext and a third private key into the post-quantum algorithm to generate a third key, the third private key is a private key in the third public key pair, and determine the first key based on the second key and the third key.

In certain implementations of the eighth aspect, the temporary public key is sent according to second indication information indicating a first key agreement algorithm, the first key agreement algorithm being one of at least one key agreement algorithm, the transceiving unit being further configured to send first indication information to the authentication network element before the receiving of the temporary public key from the communication device, the first indication information indicating the at least one key agreement algorithm, and to receive the second indication information from the authentication network element.

In certain implementations of the eighth aspect, the first key agreement algorithm is determined from first information and the first indication information, the first information being referred to the description in the fourth aspect.

In certain implementations of the eighth aspect, the transceiver unit is further configured to receive a first digital signature from the authentication element, the first digital signature being a signature of a first message by a private key of the authentication element, the first message including a message interacted with by the authentication element and the communication device, receive a certificate from the authentication element, the certificate including a public key of the authentication element, and the processor unit is further configured to verify the first digital signature based on the public key of the authentication element.

In certain implementations of the eighth aspect, the transceiver unit is further configured to send a request message to the authentication network element, where the request message is used to request access to a network, the request message includes a first identifier encrypted by the communication device using the first key, the first identifier has a correspondence with authentication information of the communication device, and the authentication information includes first authentication information, where the first authentication information is used to authenticate the communication device.

In some implementations of the eighth aspect, before the sending the request message to the verification network element, the transceiver unit is further configured to send third indication information to the verification network element, where the third indication information indicates at least one authentication mode, and authentication information corresponding to each of the at least one authentication mode is independent of each other, receive fourth indication information from the verification network element, where the fourth indication information indicates a first authentication mode, where the first authentication mode is one of the at least one authentication mode, and the first authentication mode corresponds to the first authentication information.

Wherein the authentication information refers to the description in the fourth aspect.

In certain implementations of the eighth aspect, the type of the first identity indicated by each of the at least one authentication means is different, several types of the first identity being referred to in the description of the fourth aspect.

In certain implementations of the eighth aspect, the first authentication means is determined according to second information and the third indication information, the second information being referred to the description in the fourth aspect.

In certain implementations of the eighth aspect, the transceiver unit is further configured to send a second digital signature to the authentication network element, where the second digital signature is a signature of a second message by a private key of the communication device, the second message including a message that the communication device interacted with the authentication network element, the second digital signature being used by the authentication network element to authenticate the communication device.

A ninth aspect provides a communications apparatus comprising a processor for causing the apparatus to carry out any one of the above-mentioned first to fourth aspects, and any one of the possible implementations of the first to fourth aspects, by executing a computer program (or computer executable instructions) stored in a memory, and/or by logic circuitry.

Optionally, the apparatus further comprises a memory, which may be disposed separately from the processor or may be disposed centrally.

Optionally, the apparatus further comprises a communication interface, the processor being coupled to the communication interface. The communication interface may be a transceiver, or an input/output interface.

In one implementation, the device is an authentication network element, or a chip configured in the authentication network element, and may also be a logic module or software that can implement all or part of the functions of the authentication network element. When the device is a chip, the communication interface may be an input/output interface, interface circuitry, output circuitry, input circuitry, pins, or related circuitry on the chip or system-on-chip. The processor may also be embodied as processing circuitry or logic circuitry.

In another implementation manner, the device is a terminal device, or a chip configured in the terminal device, and may also be a logic module or software capable of implementing all or part of the functions of the terminal device. When the device is a chip, the communication interface may be an input/output interface, interface circuitry, output circuitry, input circuitry, pins, or related circuitry on the chip or system-on-chip. The processor may also be embodied as processing circuitry or logic circuitry.

Alternatively, the transceiver may be a transceiver circuit. Alternatively, the input/output interface may be an input/output circuit.

In a specific implementation process, the processor may be one or more chips, the input circuit may be an input pin, the output circuit may be an output pin, and the processing circuit may be a transistor, a gate circuit, a flip-flop, various logic circuits, and the like. The input signal received by the input circuit may be, but not limited to, received by and input to the receiver, the output signal output by the output circuit may be, but not limited to, output to and transmitted by the transmitter, and the input circuit and the output circuit may be the same circuit, which functions as the input circuit and the output circuit, respectively, at different times. The embodiment of the application does not limit the specific implementation modes of the processor and various circuits.

In a tenth aspect, a system on a chip is provided, the processor being configured to execute a computer program or instructions in the memory, such that the system on a chip implements any one of the first to fourth aspects and the method of any one of the possible implementations of the first to fourth aspects.

An eleventh aspect provides a communication system comprising at least one of an authentication network element for performing the method of the first and second aspects and any one of the possible implementations of the first and second aspects and a terminal device for performing the method of the third and fourth aspects and any one of the possible implementations of the third and fourth aspects.

In a twelfth aspect, there is provided a computer readable storage medium storing a computer program (which may also be referred to as code, or instructions) which, when run on a computer, causes the computer to perform any one of the above-described first and second aspects, and a method in any one of the possible implementations of the first and second aspects.

A thirteenth aspect provides a computer program product comprising a computer program (which may also be referred to as code, or instructions) which, when run, causes a computer to perform the method of any one of the first to fourth aspects and any one of the possible implementations of the first to fourth aspects.

The advantageous effects of the fifth to thirteenth aspects described above may be referred to the description of the advantageous effects of the first to fourth aspects, and are not described here again.

Drawings

Fig. 1 is a schematic diagram of a communication network architecture suitable for use with embodiments of the present application.

Fig. 2 is a schematic diagram of a communication system architecture suitable for use in embodiments of the present application.

Fig. 3 is a schematic flow chart of an authentication procedure based on the EAP-AKA' architecture.

Fig. 4 is a schematic flow chart of a communication method 400 provided by the present application.

Fig. 5 is a schematic flow chart of a method of negotiating keys provided by the present application.

Fig. 6 is a schematic flow chart diagram of a communication method 600 provided by the present application.

Fig. 7 is a schematic block diagram of a communication device 700 provided by the present application.

Fig. 8 is a schematic block diagram of a communication device 800 provided by the present application.

Fig. 9 is a schematic block diagram of a chip system 900 provided by the present application.

Detailed Description

The technical scheme of the application will be described below with reference to the accompanying drawings.

The technical scheme of the embodiment of the application can be applied to various communication systems, such as a long term evolution (long term evolution, LTE) system, an LTE frequency division duplex (frequency division duplex, FDD) system, an LTE time division duplex (time division duplex, TDD), a fifth generation (5th generation,5G) system, a sixth generation (6th generation,6G) system and other communication systems which evolve after 5G.

Fig. 1 is a schematic diagram of a communication network architecture suitable for use in embodiments of the present application. As shown in fig. 1, the respective parts involved in the network architecture are described separately below.

Terminal device (terminal equipment) 110 the terminal device in embodiments of the present application may be a device that provides voice and/or data connectivity to a user, or a handheld device with wireless connectivity, or other processing device connected to a wireless modem.

A terminal device can also be called a terminal, access terminal, subscriber unit, user Equipment (UE), subscriber station, mobile station, remote terminal, mobile device, user terminal, wireless communication device, user agent, or user equipment. A terminal device is a device that includes wireless communication functionality (providing voice/data connectivity to a user). For example, a handheld device having a wireless connection function, an in-vehicle device, or the like. The terminals in embodiments of the present application may be mobile phones (mobile phones), tablet computers (pads), computers with wireless transceiving functions, trains, airplanes, mobile internet devices (mobile INTERNET DEVICE, MID), virtual Reality (VR) terminals, augmented reality (augmented reality, AR) terminals, point of sale (POS) terminals, customer-terminal devices (customer-premises equipment, CPE), lightweight terminal devices (light UEs), reduced capability user devices (reduced capability UEs, REDCAP UEs), wireless terminals (e.g. robots, etc.) in industrial control (industrial control), wireless terminals in the internet of vehicles (e.g. in-vehicle devices, in-vehicle modules, vehicles, in-vehicle chips, in-vehicle units (on-board units), OBU) or internet of vehicles terminal BOX (TELEMATICS BOX, T-BOX), etc.), a wireless terminal in unmanned (SELF DRIVING), a wireless terminal in telemedicine (remote media), a wireless terminal in smart grid (SMART GRID), a wireless terminal in transportation security (transportation safety), a wireless terminal in smart city (SMART CITY), a wireless terminal in smart city (SMART CITY), a wireless terminal in smart home (smart home), a cellular phone, a cordless phone, a session initiation protocol (session initiation protocol, SIP) phone, a wireless local loop (wireless local loop, WLL) station, a personal digital assistant (personal DIGITAL ASSISTANT, PDA), a handheld device with wireless communication functionality, a computing device or other processing device connected to a wireless modem, a wearable device, a terminal in a 5G network or a terminal in a network that evolves after 5G, etc. It will be appreciated that all or part of the functionality of the terminal device in the present application may also be implemented by software functions running on hardware or by virtualized functions instantiated on a platform, such as a cloud platform.

The wearable device can also be called as a wearable intelligent device, and is a generic name for intelligently designing daily wearing and developing wearable devices by applying a wearable technology, such as glasses, gloves, watches, clothes, shoes and the like. The wearable device is a portable device that is worn directly on the body or integrated into the clothing or accessories of the user. The wearable device is not only a hardware device, but also can realize a powerful function through software support, data interaction and cloud interaction. The generalized wearable intelligent device comprises full functions, large size and complete or partial functions which can be realized independently of a smart phone, such as a smart watch, a smart glasses and the like, and is only focused on certain application functions, and needs to be matched with other devices such as the smart phone for use, such as various smart bracelets, smart jewelry and the like for physical sign monitoring.

The terminal device of the application may also be a module or unit for implementing terminal functions, such as a universal integrated circuit card (universal integrated circuit card, UICC). It should be understood that the UICC card is only used for example, and in practical implementation, the UICC card may also be replaced with a device having a similar function to the UICC card, for example, an embedded universal integrated circuit card (embedded universal integrated circuit card, eUICC). The UICC card may be any other name such as a blockchain universal integrated circuit card (blockchain UICC, B-UICC), as the application is not limited in this regard.

The (radio) access network (radio access network, R) AN node 120 is configured to provide AN access function for terminal devices in a specific area, and can use transmission tunnels of different qualities according to the level of the terminal devices, the service requirements, and the like. The RAN node can manage radio resources, provide access service for the terminal device, and further complete forwarding of control signals and terminal device data between the terminal device and the core network.

In one possible scenario, the RAN node may be a base station (base station), an evolved NodeB (eNodeB), an Access Point (AP), a transmission and reception point (transmission reception point, TRP), a next generation NodeB (gNB), a base station in a 6G mobile communication system, a base station in a future mobile communication system, or an access node in a WiFi system, etc. The RAN node may be a macro base station, a micro base station or an indoor station, a relay node or a donor node, or a radio controller in the context of a cloud radio access network (cloud radio access network, CRAN). Alternatively, the RAN node may also be a server, a wearable device, a vehicle or on-board device, etc. For example, the access network device in the V2X technology may be a Road Side Unit (RSU). All or part of the functionality of the RAN node in the present application may also be implemented by software functions running on hardware or by virtualized functions instantiated on a platform (e.g. a cloud platform). The RAN node in the present application may also be a logical node, a logical module or software capable of implementing all or part of the functions of the RAN node.

In another possible scenario, a plurality of RAN nodes cooperate to assist a terminal in implementing radio access, and different RAN nodes implement part of the functions of a base station, respectively. For example, the RAN node may be a Centralized Unit (CU), a Distributed Unit (DU), a CU-Control Plane (CP), a CU-User Plane (UP), or a Radio Unit (RU), etc. The CUs and DUs may be provided separately or may be included in the same network element, e.g. in a baseband unit (BBU). The RU may be included in a radio frequency device or unit, such as in a remote radio unit (remote radio unit, RRU), an active antenna processing unit (ACTIVE ANTENNA unit, AAU), or a remote radio head (remote radio head, RRH).

In different systems, CUs (or CU-CP and CU-UP), DUs or RUs may also have different names, but the meaning will be understood by those skilled in the art. For example, in an open-radio access network (O-RAN) system, a CU may also be referred to as an open-central unit (O-CU), a DU may also be referred to as an open-distributed unit (O-DU), a CU-CP may also be referred to as an O-CU-CP, a CU-UP may also be referred to as an O-CU-UP, and a RU may also be referred to as an O-RU. For convenience of description, the present application is described by taking CU, CU-CP, CU-UP, DU and RU as examples. Any unit of CU (or CU-CP, CU-UP), DU and RU in the present application may be implemented by a software module, a hardware module, or a combination of software and hardware modules.

User plane network element 130, quality of service (quality of service, qoS) handling for packet routing and forwarding, user plane data, etc.

In a 5G communication system, the user plane network element may be a user plane function (user plane function, UPF) network element. In the communication system evolving after 5G, the user plane network element may still be a UPF network element, or may have other names, which is not limited by the present application.

A Data Network (DN) 140, a data network providing business services for users, typically a client is located at the UE and a server is located at the data network. The data network may be a private network, such as a local area network, or an external network not under the control of an operator, such as the Internet, or a proprietary network co-deployed by an operator, such as a network providing Internet protocol (Internet protocol, IP) multimedia subsystem (IP multimedia subsystem, IMS) services.

In a communication system that evolves after 5G, DN in a 5G communication system may be used, and it is also possible to replace entities with similar functions with other names, which is not limited by the present application.

The authentication server (authentication server) 150 is used for authenticating the service and generating a secret key to realize bidirectional authentication on the terminal equipment, and supports a unified authentication framework.

In a 5G communication system, the authentication server may be an authentication server function (authentication server function, AUSF) network element. In the communication system evolving after 5G, the authentication server function network element may still be AUSF network elements, or may also have other names, which is not limited by the present application.

The access management (ACCESS MANAGEMENT) network element 160 is mainly used for mobility management and access management, such as access authorization/authentication, etc.

In a 5G communication system, the access management network element may be an access management function (ACCESS AND mobility management function, AMF) network element. In the communication system evolving after 5G, the access management network element may still be an AMF network element, or may have other names, which is not limited by the present application.

Session management (session management) network element 170 is mainly used for session management, network interconnection protocol (internet protocol, IP) address allocation and management of terminal devices, termination point for selecting manageable user plane functions, policy control and charging function interfaces, and downstream data notification, etc.

In a 5G communication system, the session management network element may be a session management function (session management function, SMF) network element. In the communication system evolving after 5G, the session management network element may still be an SMF network element, or may have other names, which is not limited by the present application.

Slice selection (slice selection) network element 180 for selecting a set of network slice instances of the service terminal device, determining a set of access management network elements of the service terminal device.

In a 5G communication system, the network element may be a network slice selection function (network slice selection function, NSSF) network element. In the communication system evolving after 5G, the network element may be NSSF network elements, or may have other names, which is not limited by the present application.

A network opening (network exposure) element 190 for opening network capabilities to third party applications may enable friendly interfacing of network capabilities with service requirements.

In a 5G communication system, the network opening network element may be a network opening function (network exposure function, NEF) network element. In the communication system evolving after 5G, the network element may be a NEF network element, or may have other names, which is not limited by the present application.

The network stores (network repository) the network element 1100, real-time information for maintaining all network function services in the network.

In a 5G communication system, the network storage element may be a network registration function (network repository function, NRF) element. In the communication system evolving after 5G, the network storage network element may still be an NRF network element, or may have other names, which is not limited by the present application.

Policy control (policy control) element 1110 a unified policy framework for guiding network behavior, providing policy rule information for control plane function elements (e.g., AMF, SMF elements, etc.), etc.

In the 4G communication system, the policy control network element may be a Policy and Charging Rules Function (PCRF) network element. In a 5G communication system, the policy control element may be a policy control function (policy control function, PCF) element. In the communication system evolving after 5G, the policy control network element may still be a PCF network element, or may have other names, which is not limited by the present application.

The data management (DATA MANAGEMENT) network element 1120 is used for processing terminal equipment identification, access authentication, registration, mobility management, etc.

In a 5G communication system, the data management network element may be a unified data management (unified DATA MANAGEMENT, UDM) network element. In the communication system evolving after 5G, the unified data management may still be a UDM network element, or may have other names, which is not limited by the present application.

Application (application) network element 1130 is used for data routing for application impact, accessing the network, interacting with policy frameworks for policy control, etc.

In a 5G communication system, the application network element may be an application function (application function, AF) network element. In the communication system evolving after 5G, the application network element may still be an AF network element, or may have other names, which is not limited by the present application.

In the network architecture described above, authentication credential storage and processing functions (authentication credential repository and processing function, ARPF) network elements, security anchor functions (security anchor function, SEAF) network elements, and the like (not shown in the figures) may also be included. The ARPF is mainly used for storing a root key of a user and authenticated related subscription data, calculating a 5G authentication vector and the like. SEAF is mainly used for deducing non-access stratum (NAS) and Access Stratum (AS) keys of the lower layer according to the anchor point key, and comparing authentication results.

In the above network architecture, N1, N2, N3, N4, N6, nnssf, nnef, nnrf, npcf, nudm, naf, nausf, namf, and Nsmf are interface serial numbers. The meaning of the above-mentioned interface serial number can be referred to the meaning defined in 3GPP standard protocol, and the present application is not limited to the meaning of the above-mentioned interface serial number.

The N2 interface is an interface between the RAN and the access management network element, and is used for sending radio parameters and NAS signaling, the N3 interface is an interface between the RAN and the user plane function network element, and is used for transmitting data of the user plane, and the N4 interface is an interface between the session management function network element and the user plane function network element, and is used for transmitting information such as a service policy, tunnel identification information of N3 connection, data buffer indication information, and downlink data notification information. The N6 interface is an interface between the DN and the user plane function network element, and is used for transmitting data of the user plane and the like.

Nnssf, nnef, nnrf, npcf, nudm, naf, nausf, namf and Nsmf are service interfaces, and information interaction can be performed between network elements through the service interfaces.

It should be noted that the interface names between the network functions in the figures are merely an example, and in a specific implementation, the interface names of the system architecture may also be other names, which is not limited by the present application. Furthermore, the names of the transmitted messages (or signaling) between the various network elements described above are also merely an example, and do not constitute any limitation on the function of the message itself.

It should be understood that the network architecture applied to the embodiments of the present application is merely an exemplary network architecture described from the perspective of a conventional point-to-point architecture and a service architecture, and the network architecture to which the embodiments of the present application are applicable is not limited thereto, and any network architecture capable of implementing the functions of the respective network elements described above is applicable to the embodiments of the present application.

It should be noted that, the names of each network element and interface in the present application are only an example, and the present application does not exclude the case that each network element is another name and functions between each network element are combined. With the evolution of the communication system, any device or network element capable of implementing the functions of the above network elements is within the protection scope of the present application.

It will be appreciated that the network elements or functions described above may be either network elements in a hardware device, software functions running on dedicated hardware, or virtualized functions instantiated on a platform (e.g., a cloud platform). The network elements or functions may be divided into one or more services, and further, services that exist independently of the network functions may also occur.

As shown in fig. 2, the communication system includes at least one node (nodes 101a to 101 i) and a storage system 102.

Wherein the storage system 102 may include one or more storage nodes.

The storage system 102 may include one or more of a blockchain system, a distributed storage system, or a communication system.

The blockchain system may include one or more blockchain nodes, that is, the storage node corresponding to the blockchain system may be a blockchain node, the distributed storage system may include one or more distributed storage devices, that is, the storage node corresponding to the distributed storage system may be a distributed storage device, and the communication system may include a communication device corresponding to an operator, that is, the storage node corresponding to the communication system may be a communication device corresponding to an operator.

It should be appreciated that the blockchain nodes, storage devices in the distributed storage system, and communication devices may be end devices or network devices.

Each of the at least one node (nodes 101a through 101 i) may interact with the storage system 102. Optionally, if at least one node includes a plurality of nodes, information interaction can be directly performed between nodes in the plurality of nodes. The nodes of the at least one node (nodes 101a to 101 i) may comprise terminal devices and/or network devices. The network equipment can be equipment corresponding to a card merchant or a terminal manufacturer, equipment corresponding to a trusted third party, an over-the-air card writing server, equipment corresponding to an operator or equipment corresponding to an authority. Terminal manufacturers may also be referred to as equipment vendors, equipment providers, and the like.

The device corresponding to the card merchant or the terminal manufacturer can be a device for realizing the service of the card merchant or the terminal manufacturer, such as a device for writing a card by the card merchant or the terminal manufacturer, the device corresponding to the operator is a device for providing the service of the operator, such as a server of the operator, a core network element of the operator, or an access network device, etc., the device corresponding to the authority is a device for providing the service of the authority, such as a server belonging to the authority, a host, etc., and the device corresponding to the trusted third party can be a device for providing the service of the trusted third party, such as a server belonging to the trusted third party, a host, etc.

It will be appreciated that a card vendor, terminal vendor, trusted third party, operator or authority are for example purposes, and that other organizations or institutions may exist in actual implementations.

In order to facilitate understanding of the technical solutions of the embodiments of the present application, some terms or concepts that may be related to the embodiments of the present application will be first described briefly.

1. Key(s)

A key is a parameter that is input in an algorithm that converts plaintext into ciphertext or converts ciphertext into plaintext.

2. Public and private keys

The public key and the private key are a key pair (namely a public key and a private key) obtained through an algorithm, wherein one of the key pair is disclosed to the outside and is called a public key, and the other key pair is reserved by itself and is called a private key. The key pairs obtained by the algorithm can be guaranteed to be unique worldwide. When using this key pair, if a piece of data is encrypted with one of the keys, it must be decrypted with the other key. For example, if data is encrypted with the public key of a key pair, decryption with the private key of the key pair is required, and vice versa, otherwise decryption will not succeed.

3. Block chain (blockchain, BC)

Transactions in the network are generated and stored in blocks and are linked in a time sequence in a chained configuration. The validated and proven transactions in the network are linked from the beginning blockchain to the latest blockchain of the blockchain, and the ledgers formed by linking the blocks together are called blockchains.

The blockchain technology realizes a chained data structure formed by sequentially connecting data and information blocks according to time sequence, and the distributed storage is not tamperable and not counterfeitable and ensured in a cryptography mode. In general, the data and information in a blockchain may be referred to as "transactions".

Blockchain technology is not a single technology, but is a system that integrates applications of point-to-point transmission, consensus mechanisms, distributed data storage, and cryptographic principles, with the technical characteristics of full disclosure and tamper resistance.

1) And the nodes participating in the blockchain are independent and peer-to-peer, and the synchronization of data and information is realized by a point-to-point transmission technology. The nodes can be different physical machines and also can be cloud-end different examples.

2) The block chain consensus mechanism refers to a process that nodes participated in by multiple parties agree on specific data and information through interaction among the nodes under a preset logic rule. The consensus mechanism needs to rely on well designed algorithms, so there is a certain difference in the performance of different consensus mechanisms, such as throughput transactions per second (transaction per second, TPS) of transactions, time delays to reach consensus, consumed computing resources, consumed transmission resources, etc.

3) And the distributed storage in the block chain is that the nodes participating in the block chain respectively store independent and complete data, so that the data storage is fully disclosed among the nodes. Unlike conventional distributed data storage, which performs backup or synchronous storage by dividing data into multiple parts according to a certain rule, the blockchain distributed data storage relies on the common knowledge among nodes with peer-to-peer positions in the blockchain to realize high-consistency data storage.

4) Cryptography principles blockchain is typically based on asymmetric encryption techniques to enable trusted information dissemination, verification, etc.

The concept of "block" is to organize one or more data records in the form of "blocks", the size of which can be customized according to the actual application scenario, and "chain" is a data structure in which "blocks" storing data records are connected in time sequence and by a hash technique. In the blockchain, each 'block' comprises two parts of a 'block header' and a 'block body', wherein the 'block body' comprises transaction records packed into a 'block', and the 'block header' comprises the root HASH of all transactions in the 'block' and the HASH of the previous 'block'. The data structure of the blockchain ensures that the data stored on the blockchain is tamper-proof.

4. Information/data uplink

Information/data uplink refers to the fact that information/data is packaged in a block by a consensus mechanism as a new block and linked to the previous block as non-tamperable information/data on the chain.

5. Intelligent contract

An intelligent contract is a computer protocol that aims to propagate, verify, or execute contracts in an informative manner. All users on the blockchain can see the blockchain-based intelligence contract. But this may result in all vulnerabilities including security vulnerabilities being visible and may not be quickly repaired.

The intelligent contracts in the blockchain field have the following characteristics:

The rule disclosure is transparent, rules and data within the contract are externally visible, all transactions are publicly visible, and no spurious or hidden transactions exist.

Blockchain technology has the characteristics of "public transparency" and "non-tamperable" and is characterized in that intelligent contracts are endowed to blockchains. Smart contracts allow trusted transactions to be made without third parties, which transactions are queriable and irreversible. Intelligent contracts are based on non-tamperable data that can be automated to execute some predefined rules and terms.

6. Self-control identity (scID)

ScID may be used to identify identity information of a first node (e.g., any of nodes 101a through 101 i). scID can be a decentralized root certificate/credentials (decentralized root credentials, DRC), a decentralized identity certificate/credentials (decentralized IDENTITY CREDENTIALS, DIC), or a decentralized self-controlling identity (decentralized self-control credentials, DSCC). scID may be generated by the first node or by other nodes than the first node. For example, if scID is a DRC, the DRC may be generated by a trusted node other than the first node, and if scID is a DIC or DSCC, the DSCC may be generated by the first node.

ScID may correspond to different traffic scenarios, for example, in traffic scenarios where personal information security requirements are high, scID may be DRC, i.e. the traffic may be completed using DRC. As another example, in a scenario where trust requirements for the first node are low, the SID may be a DIC or DSCC, i.e., the service may be completed using the DIC or DSCC.

In the current mobile communication network, before the UE accesses the network, the network side performs identity authentication on the UE. Illustratively, the UE and the network generate the key k using ECDH key agreement. The ECDH is based on the principle that a public key of a network is preset in a UE, the UE generates a temporary public-private key pair of the UE before the UE accesses the network, the UE calculates and generates a key k by using the temporary private key of the UE and the public key of the network, the UE encrypts a user permanent identifier (subscription PERMANENT IDENTIFIER, SUPI) by using the key k, and sends a ciphertext of the SUPI, a temporary public key of the UE and a user hidden identifier (subscription concealed identifier, SUCI) to a network side, and the network side calculates the key k by using the private key of the network and the temporary public key of the UE. Subsequently, the network side decrypts SUCI with the key k to obtain the SUPI, queries the corresponding root key after the SUPI, and performs identity authentication by using the root key in both directions (refer to the description of fig. 3 for details).

Fig. 3 is a schematic flow chart of an authentication procedure based on the extensible authentication protocol (extensible authentication protocol, EAP) AKA'. The authentication process includes the following.

S301, UDM/ARPF determines an authentication vector (authentication vector, AV).

After the UDM/ARPF receives the UE ID and service network name (SN name) sent by AUSF, it determines the AV from the received information. The AV may include, among other things, an authentication random number (random, RAND), an authentication token (authentication token, AUTN), an expected response parameter (expected response, XRES), an encryption key (CIPHER KEY, CK), an integrity key (INTEGRITY KEY, IK). The generation process of the AV parameters is shown in fig. 6, and the specific flow thereof may refer to the existing flow, which is not described herein.

Next, UDM/ARPF updates the AV according to SN name and key derivation function (key derivation function, KDF) algorithm, specifically, calculates CK 'and IK' according to SN name and KDF algorithm, and replaces CK and IK in the original AV with the CK 'and IK'.

S302, the UDM/ARPF sends UE identity authentication response to AUSF.

The UE identity authentication Response sent by UDM/ARPF to AUSF may be Nudm _ UEAuthentication _get Response, which may include an updated authentication vector (denoted AV '), which may include parameters for authentication (RAND, AUTN, XRES, CK ', IK ').

S303, AUSF sends a UE identity authentication response to SEAF.

The UE identity authentication response sent by AUSF to SEAF may be an EAP request (EAP request) message or an AKA ' challenge (AKA ' -challenge) message, where the EAP request or AKA ' -challenge includes RAND and AUTN.

S304, SEAF sends an authentication request to the UE.

The authentication request (authentication request) sent by SEAF to the UE may be a forwarded EAP-request or AKA' -challenge received in step S303, including RAND and AUTN.

Specifically, SEAF forwards the EAP-request or AKA' -challenge to the USIM of the UE.

S305, the UE calculates an authentication response.

Specifically, after the USIM of the UE receives RAND and AUTN in EAP-request or AKA ' -challenge, the USIM verifies whether the AUTN is correct, if so, the USIM calculates replies RES, CK and IK, then sends the RES, CK and IK to the ME of the UE, and the ME calculates CK ' and IK ' according to SN name and KDF algorithm. Wherein CK 'and IK' may be used for the UE to generate a key corresponding to key AUSF.

And S306, the UE sends an authentication response to SEAF.

The authentication response sent by the UE to SEAF may be an EAP response (EAP-response) message or an AKA ' challenge (AKA ' -challenge) message, where the EAP-response and AKA ' -challenge include RES.

S307, SEAF forwards the message received in step S306 to AUSF.

S308, AUSF verifies the response.

Wherein AUSF may compare whether RES and RES stored by itself are equal, if so AUSF verifies that the UE is successful.

Optionally, AUSF and UE may also exchange an EAP-request/AKA ' notification (AKA ' -notification) message and an EAP-response/AKA ' -notification message through step S309.

S310, AUSF sends a UE identity authentication response to SEAF.

Wherein AUSF can generate an extended master session key (extended master session key, EMSK) from CK 'and IK' and use the first 256 bits (bits) of EMSK as a key for AUSF (denoted as K _AUSF), then derive key K _SEAF for SEAF from K _AUSF and send EAP success message and K _SEAF to SEAF.

S311, SEAF sends an N1 message to the UE.

Wherein, the N1 message may be an EAP success message.

In the scheme, the network side and the terminal use a fixed key exchange algorithm to generate the shared key, so that the application scene is limited. For example, for some low power consumption terminal devices, the computational complexity of ECDH key agreement is high. As another example, ECDH key agreement may not be able to meet an application scenario with high security requirements. Specifically, in the ECDH key negotiation process, the terminal side uses the fixed public key of the network side to calculate the shared key, so the key negotiation algorithm does not have forward security.

As the application scenarios (e.g., different security requirements) of the terminal and the network in the mobile communication system increase, how to improve the flexibility of the authentication procedure of the terminal and the network is a problem to be considered.

In view of the above, the present application proposes a communication method and a communication device, which are beneficial to the improvement or solution of the above-mentioned problems.

In order to facilitate understanding of the embodiments of the present application, the following description is made.

First, in the present application, "for indicating" may be understood as "enabling" which may include direct enabling and indirect enabling. When describing that a certain information is used to enable a, it may be included that the information directly enables a or indirectly enables a, and does not necessarily represent that a is carried in the information.

In the specific implementation process, the information to be enabled may be enabled in various ways, for example, but not limited to, the information to be enabled may be directly enabled, such as the information to be enabled itself or an index of the information to be enabled. The information to be enabled may also be indirectly enabled by enabling other information, where an association exists between the other information and the information to be enabled. It is also possible to enable only a part of the information to be enabled, while other parts of the information to be enabled are known or agreed in advance. For example, the enabling of specific information may also be implemented by means of a pre-agreed (e.g., protocol-specified) arrangement sequence of the respective information, thereby reducing the enabling overhead to some extent. And meanwhile, the universal parts of the information can be identified and enabled uniformly, so that the enabling expense caused by independently enabling the same information is reduced.

Second, the first, second, and various numerical numbers (e.g., "#1", "#2", etc.) shown in the present application are for convenience of description only, and are not intended to limit the scope of the embodiments of the present application. For example, distinguishing between different messages, etc. Rather than to describe a particular order or sequence. It is to be understood that the objects so described may be interchanged under appropriate circumstances so as to be able to describe aspects other than the embodiments of the application.

Third, in the present application, "pre-configuration" may include pre-definition, e.g., protocol definition. Where "predefined" may be implemented by pre-storing corresponding codes, tables, or other means that may be used to indicate relevant information in the device (e.g., including the respective network elements), the application is not limited to a specific implementation thereof.

Fourth, the term "and/or" is merely an association relationship describing the association object, and means that three relationships may exist, for example, a and/or B, and that a exists alone, while a and B exist alone, and B exists alone. In addition, the character "/" herein generally indicates that the front and rear associated objects are an "or" relationship.

Fifth, in the embodiment of the present application, the information (e.g., information # 1) includes another information (e.g., information # 2), which may be understood that the information #1 is displayed to carry or implicitly carry the information #2, for example, the information #1 directly carries the information #2, and for example, the information #1 carries indication information indicating the information #2, and the receiving end device receiving the information #1 may obtain the information #2 according to the indication information, where the indication information is used to indicate that the information #2 may be predefined or specified by a protocol, or may be displayed or implicitly indicated.

In the following, the communication method provided by the embodiment of the application is described in detail by taking interaction among network elements as an example without losing generality.

Fig. 4 is a schematic flow chart of a communication method provided by an embodiment of the present application. As shown in fig. 4 (a), the method may include the following steps.

S410, the terminal device (an example of a communication apparatus) negotiates with the authentication network element to determine a first key negotiation algorithm.

The verification network element may be an access network device that serves the terminal device, or in case that a CU and a DU of the access network device are separated, the verification network element may be a CU of the access network device, or the verification network element may be an edge computing node, such as an edge application server (edge application server, EAS) deployed in an edge data network (edge data network, EDN), or the verification network element may be a core network element belonging to an operator #1, such as AMF, AUSF, UDM, etc. The operator #1 may be an operator subscribed to the terminal device or other operators, and is not limited.

The first key agreement algorithm is one of at least one key agreement algorithm. The first key negotiation algorithm is used for the terminal equipment and the verification network element to carry out key negotiation subsequently to determine a first key. The first key may be used to encrypt or decrypt messages transmitted between the terminal device and the authentication network element.

Illustratively, the at least one key agreement algorithm may include at least one of the following:

Elliptic curve Diffie-Hellman (ECDH) key agreement algorithm, temporary elliptic curve Diffie-Hellman (EPHEMERAL ELLIPTIC cut Diffie-Hellman, ECDHE) key agreement algorithm, post-quantum cryptography (post-quantum cryptography, PQC) based key agreement algorithm, PQC and ECDH based key agreement algorithm, PQC and ECDHE based key agreement algorithm, and preset shared key (pre-SHARED KEY, PSK) based key agreement algorithm.

I.e. the first key agreement algorithm determined by the terminal device and the authentication network element negotiations is any one of the above key agreement algorithms.

It will be appreciated that the security level, computational complexity, corresponding to the algorithm is different for the at least one key agreement algorithm. For example, the ordering of the security levels corresponding to the algorithms may be from high to low, a key agreement algorithm based on PQCs and ECDHE, a key agreement algorithm based on PQCs and ECDH, a key agreement algorithm based on PQCs, a ECDHE key agreement algorithm, an ECDH key agreement algorithm, and a key agreement algorithm based on PSK. The ordering of the computational complexity corresponding to the algorithm is similar to the ordering of the security level corresponding to the algorithm.

Optionally, the at least one key negotiation algorithm may also correspond to a different network system, or each key negotiation algorithm in the at least one key negotiation algorithm may be applicable to one or more network systems.

For example, a 5G network may correspond to an ECDH key agreement algorithm, a ECDHE key agreement algorithm, and a PSK-based key agreement algorithm, and a network in a communication system evolving after 5G, e.g., a 6G network, may correspond to a ECDHE key agreement algorithm, a PQC-based key agreement algorithm, a PQC-and ECDH-based key agreement algorithm, and a PQC-and ECDHE-based key agreement algorithm.

For another example, a 5G network may correspond to an ECDH key agreement algorithm, a ECDHE key agreement algorithm, and a PSK-based key agreement algorithm, and a network in a communication system evolving after 5G, e.g., a 6G network, may correspond to a PQC-based key agreement algorithm, a PQC-and ECDH-based key agreement algorithm, and a PQC-and ECDHE-based key agreement algorithm.

It should be understood that the above correspondence between the key negotiation algorithm and the network system is merely an example, which is not limited by the present application.

Specifically, the terminal device and the authentication network element may negotiate to determine a first key negotiation algorithm by:

In one manner, the authentication network element determines the first key negotiation algorithm from the at least one key negotiation algorithm, and the specific process may include S411a and S412a.

S411a, the terminal device transmits the instruction information #1 (an example of the first instruction information) to the authentication network element. Accordingly, the authentication network element receives the first indication information from the terminal device.

The indication information #1 indicates at least one key negotiation algorithm or the indication information #1 indicates a first key negotiation algorithm determined from the at least one key negotiation algorithm.

Optionally, the indication information #1 may further indicate that the first key negotiation algorithm is determined.

S412a, the authentication network element transmits the instruction information #2 (an example of the second instruction information) to the terminal device. Accordingly, the terminal device receives the indication information #2 from the authentication network element.

The indication information #2 indicates the first key agreement algorithm, which is one of the at least one key agreement algorithm described above.

Specifically, the authentication network element determines the first key agreement algorithm from at least one key agreement algorithm and indicates the first key agreement algorithm to the terminal device.

Illustratively, the verifying network element may determine the first key agreement algorithm based on the first information and the indication information # 1.

The first information may include at least one of a security level corresponding to a key negotiation algorithm, a computational complexity of the key negotiation algorithm, a network type, a type of a terminal device, and a computational capability of the terminal device.

Illustratively, the authentication network element may determine the first key agreement algorithm based on some item of the first information.

For example, if it is determined that the security level requirements of the current communication between the terminal device and the authentication network element are low, the authentication network element may select a key agreement algorithm with a low security level, such as a key agreement algorithm for selecting an ECDH.

For another example, if it is determined that the computing power of the terminal device is low, or the terminal device is a low-power terminal device, the authentication network element may select a key exchange algorithm with low computing complexity, such as an ECDH key agreement algorithm or a PSK-based key agreement algorithm.

For another example, if the current network is a 5G network, the authentication network element may select one of a key negotiation algorithm corresponding to the 5G network, such as an ECDH key negotiation algorithm, ECDHE key negotiation algorithm, and a PSK-based key negotiation algorithm, and if the current network is a network in a communication system that evolves after 5G, the authentication network element may select one of an ECDH key negotiation algorithm, ECDHE key negotiation algorithm, and a PQC-based key negotiation algorithm, a PQC-and ECDH-based key negotiation algorithm, and a PQC-and ECDHE-based key negotiation algorithm.

Or the authentication network element determines the first key agreement algorithm based on a plurality of information in the first information.

For example, the verification network element may determine the current network system, select a key negotiation algorithm adapted to the network system, and select a key negotiation algorithm with a higher security level or a key negotiation algorithm with a lower computation complexity according to a security level requirement or a computing capability of the terminal device on the basis of the current network system. If the current network is determined to be a 5G network, the verification network element can select ECDHE key negotiation algorithm with higher security level to ensure the security of communication, or select key negotiation algorithm based on PSK with lower calculation complexity to reduce the power consumption of the terminal equipment.

In the second mode, the terminal device determines a first key negotiation algorithm from at least one key negotiation algorithm, and indicates the first key negotiation algorithm to the authentication network element, and the specific process may include S411b and S412b.

S411b, the terminal device sends the indication information #3 to the authentication network element. Accordingly, the authentication network element receives the indication information #3 from the terminal device.

The indication information #3 indicates the first key negotiation algorithm or the indication information #3 indicates whether to confirm whether to use the first key negotiation algorithm.

Specifically, the terminal device determines the first key agreement algorithm from at least one key agreement algorithm and indicates the first key agreement algorithm to the authentication network element.

The terminal device may determine the first key agreement algorithm from the at least one key agreement algorithm based on the first information. The first information may refer to the description in S411 a.

A specific example of the terminal device determining the first key agreement algorithm from the first information is described with reference to S411 a. For example, the terminal device may select a key agreement algorithm corresponding to the security level according to the security level of the current communication. For another example, the terminal device selects a key negotiation algorithm corresponding to the computing capability according to its computing capability or type. For another example, the terminal device selects a key negotiation algorithm corresponding to the network system according to the network system.

Optionally, S412b, the authentication network element sends a message #1 to the terminal device. Accordingly, the terminal device receives the message #1 from the authentication network element.

The message #1 may be an acknowledgement message or a rejection message. The message #1 is sent according to the indication information #3, i.e. the authentication network element determines whether the first key agreement algorithm indicated by the indication information #3 is used. If the first key negotiation algorithm is confirmed to be used, the confirmation message can be sent to the terminal equipment, otherwise, the rejection message is sent to the terminal equipment.

For example, if the first key negotiation algorithm selected by the terminal device satisfies a predetermined security level, network system, etc., a confirmation message may be sent to the terminal device, and conversely, a rejection message may be sent to the terminal device.

Optionally, if the verification network element sends a rejection message to the terminal device, the rejection message may also carry a reject reason, for example, the reject reason may be that the security level is insufficient, or the requirement of the network system is not satisfied, and after receiving the rejection message, the terminal device may redetermine the first key negotiation algorithm according to the reject reason.

Optionally, the method further comprises:

s420, the verification network element and the terminal equipment determine the first key based on the first key negotiation algorithm.

In an exemplary case where the first key agreement algorithm is the ECDH key agreement algorithm, the terminal device sends a public key of a first temporary public-private key pair (denoted as a first public key) generated by the terminal device to the authentication network element, which determines the first key based on the first public key and the private key of the authentication network element.

Optionally, the verification network element sends the public key of the verification network element to the terminal device, or the public key of the verification network element may be preset in the terminal device, and the terminal device generates the first key according to the generated private key (denoted as the first private key) in the first temporary public-private key pair, and the public key of the verification network element.

The specific process of verifying the network element and the terminal device to generate the first key based on the ECDHE key negotiation algorithm may be as described in (a) of fig. 5.

And under the condition that the first key negotiation algorithm is the ECDHE key negotiation algorithm, the terminal equipment sends a first public key of a first temporary public-private key pair generated by the terminal equipment to the verification network element, and the verification network element determines the first key based on the first public key and a private key (recorded as a second private key) of a second temporary public-private key pair generated by the verification network element.

Optionally, the authentication network element sends a public key of the second temporary public-private key pair (denoted as a second public key) to the terminal device, which generates the first key based on the second public key and a first private key of the first temporary public-private key pair.

The specific process of verifying the network element and the terminal device to generate the first key based on the ECDHE key negotiation algorithm may be as described in (b) of fig. 5.

And under the condition that the first key negotiation algorithm is the key negotiation algorithm based on the PQC, the terminal equipment sends a public key (marked as a third public key) in a third temporary public-private key pair generated based on a post quantum algorithm to the verification network element, and the verification network element inputs the third public key into the post quantum algorithm to generate ciphertext and the first key.

Optionally, the verification network element sends the ciphertext to the terminal equipment, and the terminal equipment inputs the ciphertext and the third private key to obtain the first key by a quantum algorithm.

The specific procedure for the authentication network element and the terminal device to generate the first key according to the PQC-based key agreement algorithm may be described with reference to fig. 5 (c).

In case the first key agreement algorithm is the key agreement algorithm based on PQC and ECDH, the terminal device sends a first public key and a third public key to the authentication network element, the first public key and the third public key being described above with reference to the description, the authentication network element determines a second key based on the first public key and a private key of the authentication network element, and inputs the third public key into the post-quantum algorithm to generate a ciphertext and a third key, and the authentication network element determines the first key based on the second key and the third key.

Optionally, the authentication network element sends the public key of the authentication network element and the ciphertext to the terminal device, the terminal device generates the second key based on the first private key and the public key of the authentication network element, inputs the ciphertext and the third private key into the post-quantity algorithm to obtain the third key, and the terminal device determines the first key according to the second key and the third key.

The specific procedure for the authentication network element and the terminal device to generate the first key according to the PQC-and ECDH-based key agreement algorithm may be described with reference to fig. 5 (d).

In case the first key agreement algorithm is the PQC and ECDHE based key agreement algorithm, the terminal device sends a first public key and a third public key to the authentication network element, the first public key and the third public key referring to the description above, the authentication network element determines a second key based on the first public key and a second private key, and inputs the third public key to the post quantum algorithm to generate a ciphertext and a third key, wherein the second private key refers to the description above, and the authentication network element determines the first key based on the second key and the third key.

Optionally, the authentication network element sends a second public key and the ciphertext to the terminal device, the terminal device generates the second key based on the first private key and the second public key, inputs the ciphertext and the third private key into the post algorithm to obtain the third key, and the terminal device determines the first key according to the second key and the third key. Wherein the second public key and the first private key are as described above.

The specific procedure for the authentication network element and the terminal device to generate the first key according to the PQC-based key agreement algorithm ECDHE may be described with reference to fig. 5 (e).

In the case that the first key negotiation algorithm is the PSK-based key negotiation algorithm, at least one key is preset in the terminal device and the authentication network element before key negotiation, and the at least one key corresponds to the at least one identifier one by one, or in other words, a correspondence (denoted as a correspondence # 2) between the at least one key and the at least one identifier is preset in the terminal device and the authentication network element. The terminal device sends the identification corresponding to the first key to the verification network element, wherein the first key is one of the at least one key, and the verification network element determines the first key according to the identification of the first key and the corresponding relation # 2.

The specific procedure for generating the first key by the authentication network element and the terminal device according to the PSK-based key agreement algorithm may be described with reference to fig. 5 (f).

Optionally, the method further comprises the authentication network element sending the authentication network element's certificate to the terminal device (or the authentication network element's certificate is preset in the terminal device), and the authentication network element's private key digitally signing the first message (an example of the first digital signature). The first message may include a message that the authentication network element interacted with the terminal device, and the terminal device verifies the first digital signature according to the certificate of the authentication network element, thereby verifying the authentication network element.

For example, if the certificate of the authentication element is issued by the operator, or the signature of the certificate of the authentication element is generated by using the private key of the operator, the terminal device may verify the certificate of the authentication element based on the certificate of the operator, and further, the terminal device verifies the first digital signature based on the public key in the certificate of the authentication element, thereby authenticating the authentication element.

For example, the terminal device may preset the certificate of the operator or receive the certificate of the operator from the authentication network element, where the certificate of the operator includes the public key of the operator, the terminal device may use the public key in the certificate of the operator to authenticate the signature of the certificate of the authentication network element by the private key of the operator, and further authenticate the first digital signature based on the public key of the authentication network element. If the above processes are all successful in verification, the authentication of the terminal equipment to the verification network element is successful.

Or the terminal device may authenticate the authentication network element by verifying the first digital signature based on a public key in a certificate of the authentication network element.

It should be understood that the sending of the certificate of the authentication network element and/or the first digital signature by the authentication network element to the terminal device may be performed during the key negotiation, for example, while the authentication network element sends the public key or the second public key or the ciphertext of the authentication network element to the terminal device, or may be performed independently of the key negotiation process, which is not limited by the present application.

The certificate of the verification network element may include an identifier of the verification network element, a public key of the verification network element, information of an issuer of the certificate, such as an identifier of the issuer, a signature of the issuer, and the like, and information of the certificate, such as a validity period, a version number, and the like of the certificate.

It should be understood that if the certificate of the authentication network element is preset in the terminal device, the step of the authentication network element sending the certificate of the authentication network element to the terminal device may not be performed.

It should be understood that the certificate of the verifying network element and the first digital signature may be carried in the same message transmission, or transmitted separately, without limitation. For example, the RRC message or NAS message, or other downlink signaling, is not limited.

Optionally, the method further comprises:

s430, the terminal equipment and the verification network element negotiate to determine a first authentication mode.

The first authentication method is one of at least one authentication method. The authentication information corresponding to each authentication mode in the at least one authentication mode is independent of each other. For example, the authentication information corresponding to each authentication method is different, and/or the authentication flow corresponding to each authentication method is different.

The authentication information may include, for example, at least one of credentials of the terminal device and a cryptographic algorithm.

The credentials of the terminal device may include at least one verifiable credential (verifiable credential, VC) or at least one verifiable credential (verifiable attestation, VA) of the terminal device. The credential information corresponding to different credentials is different. The credential information may include information of the issuer of the credential, the public key of the terminal device, the validity time of the credential, etc.

The information of the issuer of the credential may include the public key of the issuer of the credential, the identity and/or name of the issuer of the credential, e.g., the issuer of the credential may be a different carrier, card vendor, terminal vendor, authority, third party trusted authority, or over the air card server, etc.

Wherein the cryptographic algorithm may also be referred to as a cryptographic suite. The cryptographic algorithm includes at least one of a key length, an encryption algorithm, a decryption algorithm, a signature algorithm, or a public parameter.

Or the authentication information may include a root key of the terminal device, an authentication vector (authentication vector, AV) of the terminal device, or an address of the smart contract. Wherein the authentication vector is determined based on the root key of the terminal device, and the address of the smart contract may be used to obtain the authentication vector of the terminal device stored on the smart contract. For example, the authentication vector may be an extensible authentication and key agreement protocol (extensible authentication protocol-authentication AND KEY AGREEMENT, EAP-AKA) AV, or a 5G home environment authentication vector (5G home environment authentication vector,5G HE AV).

It should be understood that the above authentication vector is only an example, and the present application is not limited thereto.

Optionally, the type of the first identifier indicated by each authentication mode of the at least one authentication mode is different.

Wherein the first identifier has a correspondence relationship (denoted as a correspondence relationship # 1) with the authentication information of the terminal device, and the first identifier may be used to obtain the authentication information of the terminal device.

For example, the correspondence #1 may be stored in a storage system, such as the previously stored system 102. Specifically, the data may be stored in a storage node corresponding to the storage system. For example, if the storage system is a blockchain system, the storage node may be a blockchain node, for example, the correspondence may be stored on the blockchain node in a blockwise or transactional manner, i.e., information is uplink, and if the storage system is a distributed storage system, the storage node may be a node in the distributed storage system. In some possible scenarios, the distributed storage node may be a blockchain node, and if the storage system is a communication system, the storage node may be a communication device in the communication system, for example, the communication device is a functional network element capable of storing subscription data of the terminal device.

The first identifier may be any one of a first type of identifier, a second type of identifier, a block identifier or a transaction identifier, and a virtual (pseudo) identifier.

Wherein the first type of identification includes, but is not limited to, the following:

A user permanent identity (subscription PERMANENT IDENTIFIER, SUPI), a user hidden identifier (subscription concealed identifier, SUCI), a general public user identity (generic public subscription identifier, GPSI), a permanent device identifier (PERMANENT EQUIPMENT IDENTIFIER, PEI) or (mobile subscriber international ISDN/PSTN number, MSISDN), wherein ISDN is an integrated services digital Network (INTEGRATED SERVICE DIGITAL Network), PSTN is a public switched telephone Network (public switched telephone Network), etc.

The second type of identification is scID of the terminal device and may be DRC, DIC, or DSCC.

The first type of identifier may be understood as an identifier allocated to the terminal device by the network side or the access network side, or a permanent identifier of the terminal device, where the first type of identifier has universality and may be suitable for authentication of the terminal device in a 5G communication system or a communication system before 5G, and the second type of identifier may be generated by the terminal device or other trusted nodes (e.g. a storage node as shown in fig. 2) except the terminal device, and compared with the first type of identifier, the second type of identifier may be more flexible to generate, and second, the second type of identifier may be applied in a service scenario with high security requirements for personal information.

The identity of the chunk or the identity of the transaction may be used to obtain the correspondence #1 stored on the blockchain. In other words, when the first identification is an identification of a block or an identification of a transaction, the correspondence #1 stored on a blockchain can be acquired through the first identification.

The virtual identifier has a correspondence with the identifier of the second type. That is, when the first identifier is a virtual identifier, the identifier of the second type is determined through the correspondence between the virtual identifier and the identifier of the second type. The security of the communication may be further improved by using the virtual identifier compared to directly using the second type of identifier.

Specifically, the terminal device and the verification network element may negotiate to determine the first authentication mode by:

in one mode, the first authentication mode is determined from the at least one authentication mode by the verifying network element. The specific process may include S431a and S432a.

S431a, the terminal device transmits the instruction information #4 (an example of the third instruction information) to the authentication network element. Accordingly, the authentication network element receives the indication information #4 from the terminal device.

The indication information #4 may indicate at least one authentication method, or the indication information #4 may indicate that the first authentication method is determined from the at least one authentication method.

Or the indication information #4 indicates that the first authentication method is determined.

S432a, the authentication network element transmits the instruction information #5 (an example of the fourth instruction information) to the terminal device. Accordingly, the terminal device receives the indication information #5 from the authentication network element.

Wherein the indication information #5 indicates the first authentication method.

In particular, the verifying network element may determine the first authentication mode from the at least one authentication mode based on the second information.

The second information may include at least one of information of an issuer of the credential, a security level of a cryptographic algorithm, and a computational complexity of the cryptographic algorithm.

For example, if the credentials of the terminal device include the credentials issued by the card vendor, the credentials issued by the operator. The authentication network element may select the credentials issued by the operator to which the network to which the present access belongs for authentication. That is, the first authentication method may correspond to a credential issued by an operator to which the network to which the present access belongs.

As another example, if the terminal device has two certificates, one is a post-quantum certificate, and one is a non-post-quantum certificate (e.g., a li-steter-samor-adman (rivest-shamir-adleman, RSA) certificate, elliptic curve digital signature algorithm (elliptic curve digital signature algorithm, ECDSA) certificate), the verifying network element may select a certificate with a higher security level (e.g., a post-quantum certificate) based on the security level of the certificate. I.e. the first authentication means may correspond to a post quantum certificate of the terminal device.

And in the second mode, the terminal equipment determines the first authentication mode from the at least one authentication mode and indicates the first authentication mode to the verification network element. Specific determination manners may include S431b and S432b:

s431b, the terminal device sends the indication information #6 to the authentication network element. Accordingly, the authentication network element receives the indication information #6 from the terminal device.

The instruction information #6 instructs the first authentication method, or the instruction information #6 instructs to confirm whether the first authentication method is used.

Specifically, the terminal device determines the first authentication mode from the at least one authentication mode according to the second information, and sends the indication information #6 to the verification network element.

A specific example of the terminal device determining the first authentication method according to the second information is described with reference to S432 a.

Optionally, S432b, the authentication network element sends a message #2 to the terminal device. Accordingly, the terminal device receives the message #2 from the authentication network element.

The message #2 may be an acknowledgement message or a rejection message. The message #2 is sent according to the indication information #6, i.e. the verifying network element determines whether the first authentication method indicated by the indication information #6 is used. If the first authentication mode is confirmed to be used, the confirmation message can be sent to the terminal equipment, otherwise, the rejection message is sent to the terminal equipment.

For example, when the second information corresponding to the first authentication method selected by the terminal device satisfies the predetermined requirement (for example, the issuer of the required credential, the security level of the required credential, etc.) of the network, a confirmation message may be sent to the terminal device, and conversely, a rejection message may be sent to the terminal device.

Optionally, if the verification network element sends a rejection message to the terminal device, the rejection message may also carry a reason for rejection, for example, the reason for rejection may be that the security level of the credential is insufficient, or that the issuer of the credential is not required, and after receiving the rejection message, the terminal device may re-determine the first authentication manner according to the reason for rejection.

It should be understood that the present application is not limited to determining the timing of the authentication mode execution, i.e., the execution timing of S430 is not limited, for example, S430 may be executed before or after S410.

Optionally, the method further comprises:

s440, the terminal device sends request information to the verification network element. Accordingly, the authentication network element receives the request message from the terminal device.

Wherein the request message is for requesting access to the network, the request message comprising the first identity encrypted by the first key, i.e. a key determined by the terminal device according to a first key agreement algorithm.

The format of the request message may be as shown in fig. 4 (b), for example. The request message may include a plaintext portion and a ciphertext portion.

The plaintext portion may carry the type of the first identifier, where the type of the first identifier may be any of the type of the first identifier, the type of the second identifier, or the type of the virtual identifier, and it may be understood that the type of the first identifier may be determined by the first authentication manner, an identifier (network identifier) of the network (e.g., an identifier of the network is an identifier of a subscription operator of the terminal device), a public key of the network side (or an identifier of a public key of the network side) that is used by the terminal device, for example, a public key of an authentication network element used by the terminal device, for example, a public key of the authentication network element used by the terminal device in an ECDH key negotiation algorithm, ECDHE key negotiation algorithm, a public key used by the terminal device based on PQC and ECDH, and a key negotiation algorithm based on PQC and ECDHE, for example, a temporary public key of the terminal device used by the terminal device is stored in a temporary key block chain of the terminal device, for example, in the temporary key block chain, or a temporary key of the terminal device used by the terminal device is stored in the temporary block chain, for example, in the current block of the authentication chain, or the temporary block chain. The ciphertext portion of the request message may include the encrypted first identification. Optionally, the ciphertext portion may further include a session identifier that identifies the key agreement.

Optionally, the terminal device sends a second digital signature to the verification network element, the second digital signature being a signature of the second message or a hash value of the second message by a private key of the terminal device. The second message may include a message interacted by the terminal device and the authentication network element.

The message interacted by the terminal device and the authentication element may comprise, for example, a last message sent by the terminal device to the authentication element, e.g. the interacted message may comprise a message carrying the second digital signature, or the interacted message may comprise a message after the terminal device sends the request message to the authentication element (comprising the request message) and before the last message sent to the authentication element (may comprise a last message sent to the authentication element), e.g. the last message sent is a message carrying the second digital signature. Alternatively, the terminal device may store the message interacted with the authentication network element before the terminal device sends the second digital signature to the authentication network element.

The terminal device may determine, according to the first authentication method, a private key of the terminal device corresponding to the first authentication method, and sign the second message or the hash value of the second message with the private key. The terminal device may also determine a signature algorithm used for the signature based on the first authentication mode.

The second digital signature may be carried in the request message, or other upstream message, without limitation.

S450, the verification network element acquires the first authentication information of the terminal equipment according to the first identifier.

Specifically, after receiving the request message from the terminal device, the verification network element may decrypt the first identifier based on the first key (i.e. the key determined by the verification network element according to the first key negotiation algorithm), and obtain the first authentication information of the terminal device according to the first identifier.

For example, if the first identifier is a first type of identifier, the verification network element may obtain a root key of the terminal device or obtain an authentication vector of the terminal device based on the user permanent identifier. I.e. the first authentication information may comprise a root key or an authentication vector of the terminal device.

If the first identifier is a second type identifier, the verification network element obtains a first certificate of the terminal device according to the second type identifier and the corresponding relation #1, wherein the first certificate is one of at least one certificate of the terminal device. Illustratively, the verifying network element may determine the first credential from the at least one credential based on the first authentication manner. I.e. the first authentication information may comprise the first credentials.

If the first identifier is the identifier of the block or the identifier of the transaction, the verification network element obtains the corresponding relation #1 stored on the block chain based on the identifier of the block or the identifier of the transaction, and selects the first certificate from at least one certificate of the terminal equipment. Illustratively, the verifying network element may determine the first credential from the at least one credential based on the first authentication manner. I.e. the first authentication information may comprise the first credentials.

If the first identifier is a virtual identifier, the verification network element determines the identifier of the second type according to the virtual identifier and the corresponding relation between the virtual identifier and the identifier of the second type, and further, the verification network element acquires the first certificate according to the identifier of the second type and the corresponding relation # 1. Illustratively, the verifying network element may determine the first credential from the at least one credential based on the first authentication manner. I.e. the first authentication information may comprise the first credentials.

S460, the verification network element authenticates the communication device based on the first authentication information.

In a possible implementation, the verification network element authenticates the terminal device based on its root key or authentication vector.

For example, the verifying network element may generate an authentication vector based on the root key, send a part of parameters in the authentication vector to the terminal device to enable the terminal device to determine other part of parameters in the authentication vector, and compare the other part of parameters in the stored authentication vector with the other part of parameters determined by the terminal device to determine whether authentication of the terminal device is successful.

In another possible implementation, the authentication network element authenticates the terminal device based on the first credentials.

The verification network element may verify the first credential based on the credential of the first credential issuer (including the public key of the credential issuer), that is, verify the signature of the first credential by the first credential issuer through the public key of the first credential issuer, and if the verification is successful, further verify the second digital signature based on the public key corresponding to the first credential, thereby determining whether the authentication of the terminal device is successful.

Alternatively, the verifying network element may verify the second digital signature directly based on the public key corresponding to the first credential, thereby determining whether the authentication of the terminal device is successful.

The specific determination of the first key is described below in connection with fig. 5 when the first key negotiation algorithm is a different algorithm. It should be understood that the present application is not limited to the specific names of the algorithms below.

Fig. 5 (a) shows a manner of determining the first key based on the ECDH key agreement algorithm, that is, the first key agreement algorithm is the ECDH key agreement algorithm. As shown in fig. 5 (a), determining the first key based on the first key negotiation algorithm may include the steps of:

S501a, the terminal device sends a first public key to the verification network element. Accordingly, the authentication network element receives the first public key from the communication device.

The terminal device generates a temporary public-private key pair (denoted as a first temporary public-private key pair) and sends the public key of the first temporary public-private key pair to the authentication network element. I.e. the first public key is the public key of the first temporary public-private key pair.

For example, the terminal device may generate a random number (denoted as random number # 1) as the private key (denoted as first private key) of the first public-private key pair, and generate the public key of the first public-private key pair, i.e. the first public key, based on an elliptic curve algorithm.

Illustratively, the first public key may be carried in a message #1, where the message #1 may be an RRC message or a NAS message, or other uplink signaling, which is not limited by the present application.

Optionally, the terminal device sends the identification #1 to the authentication network element. The identifier #1 is used to identify the key exchange, or the identifier #1 may be used as a unique identifier in the key exchange process.

Illustratively, the identifier #1 may be carried in the message #1 at the same time as the first public key, or may be sent separately, which is not limited by the present application.

S502 a, the authentication network element determines the first key based on the first public key and the private key of the authentication network element (denoted private key # 1).

Illustratively, the private key #1 may be a private key of the authentication network element. The public key of the authentication network element corresponding to the private key #1 (denoted as public key # 1) may be preset in the terminal device. The public key #1 is a public key of an authentication network element preset in the terminal device.

Optionally, the authentication network element sends the certificate of the authentication network element to the terminal device. The certificate of the authentication network element may refer to the description in S420, for example.

Optionally, the certificate of the authentication network element may also be preset in the terminal device. It should be understood that if the certificate of the authentication network element is preset in the terminal device, the step of the authentication network element sending the certificate of the authentication network element to the terminal device may not be performed.

Optionally, S503a, the verifying network element sends the first digital signature to the terminal device.

The first digital signature is a digital signature of the first message by a private key of the verification network element. The first message may comprise a message, e.g. the message #1, that the authentication network element interacted with the terminal device.

The certificate of the verification network element and the signature of the private key of the verification network element on the first message may be carried in the message #2 at the same time or sent separately, which is not limited. The message #2 may be an RRC message or a NAS message, or other downlink signaling, without limitation.

S504 a, the terminal device determines the first key based on the public key #1 and the first private key.

Optionally, S505a, the terminal device verifies the first digital signature based on the public key of the verifying network element, thereby authenticating the verifying network element.

Based on the above scheme, the computational complexity in the key negotiation process can be reduced by using the ECDH key negotiation algorithm, that is, the terminal device generates the first key by using the public key of the authentication network element and the private key in the temporary public-private key pair generated by the terminal device, and the authentication network element generates the first key based on the private key of the authentication network element and the temporary public key generated by the terminal device, which can reduce the computational complexity.

Fig. 5 (b) shows the manner in which the first key is determined based on ECDHE key agreement algorithm, i.e., the first key agreement algorithm is ECDHE key agreement algorithm. As shown in fig. 5 (b), determining the first key based on the first key negotiation algorithm may include the steps of:

s501b, the terminal device sends the first public key to the authentication network element. Accordingly, the authentication network element receives the first public key from the communication device.

This step can be specifically referred to the description of S501 a.

S502b, the authentication network element determines the first key based on the first public key and the second private key.

Illustratively, the verifying network element generates a temporary public-private key pair (denoted as a second temporary public-private key pair) that is a private key of the second public-private key pair, and the verifying network element calculates the first key based on the first public key and the second private key.

For example, the authentication element may generate a random number (denoted as random number # 2) as the private key of the second public-private key pair, i.e. the second private key, and generate the public key of the second public-private key pair (denoted as second public key) based on the elliptic curve algorithm.

And S503 b, the verification network element sends the second public key to the terminal equipment. Accordingly, the terminal device receives the second public key from the authentication network element.

Illustratively, the second public key may be carried in a message #3, where the message #3 may be a NAS message, an RRC message, or other downlink signaling, without limitation.

Optionally, the authentication network element sends the certificate of the authentication network element to the terminal device. The certificate of the authentication network element may refer to the description in S502 a.

Optionally, the verification network element sends a digital signature of the first message by the private key of the verification network element to the terminal device. The first message may comprise a message, e.g. the message #1 and/or the message #3, that the authentication network element interacted with the terminal device.

The terminal device determines a first key based on the second public key and the first private key S504 b.

The terminal equipment calculates the first key based on the public key of the temporary public-private key pair generated by the received verification network element and the private key of the temporary public-private key pair generated by the terminal equipment.

Optionally, the terminal device verifies the first digital signature based on a certificate of the verifying network element, thereby authenticating the verifying network element.

Based on the scheme, by using ECDHE key negotiation algorithm, the authentication network element and the terminal equipment use the temporary public key generated by the other party to generate the first key, so that the security of key exchange is improved. And secondly, the calculation complexity of the key negotiation algorithm is lower, the key negotiation algorithm can be suitable for a communication scene with lower calculation complexity and higher security requirement on the key negotiation algorithm, and meanwhile, the key negotiation algorithm can be compatible with a 5G communication system or a communication system before 5G.

Fig. 5 (c) shows a manner in which the first key is determined by the PQC-based key agreement algorithm, that is, the first key agreement algorithm is the PQC-based key agreement algorithm. As shown in fig. 5 (c), the PQC-based key agreement algorithm determining the first key may include the following steps:

S501c, the terminal device sends the third public key to the authentication network element. Accordingly, the authentication network element receives the third public key from the terminal device.

Illustratively, the terminal device generates a temporary public-private key pair (denoted as a third temporary public-private key pair) based on the post-quantum algorithm, and the terminal device sends the public key of the third temporary public-private key pair to the authentication network element. I.e. the third public key is the public key of the third temporary public-private key pair.

The third public key may be carried in a message #3, where the message #3 may be an RRC message or a NAS message, or other uplink signaling, which is not limited by the present application.

Optionally, the terminal device sends the identification #1 to the authentication network element. The identifier #1 is used to identify the key exchange. Illustratively, the identifier #1 may be carried in the message #1 at the same time as the first public key, or may be sent separately, which is not limited by the present application.

And S502c, the verification network element generates ciphertext and the first key based on the post quantum algorithm and the third public key.

Illustratively, the authentication network element uses the third public key as an input to a post-quantum algorithm to obtain the ciphertext and the first key. In a specific calculation process, the verification network element randomly selects one m, encrypts the m to obtain the ciphertext, and performs hash operation on the ciphertext and the random number to obtain the first key.

And S503c, the verification network element sends the ciphertext to the terminal equipment. Accordingly, the terminal device receives the ciphertext from the authentication network element.

Illustratively, the second ciphertext may be carried in message #4, where message #4 may be a NAS message, an RRC message, or other downlink signaling, without limitation.

Optionally, the authentication network element sends the certificate of the authentication network element to the terminal device. The certificate of the authentication network element may be used for the terminal device to authenticate the authentication network element. Or the certificate of the authentication network element may also be preset in the terminal device. The certificate may refer to the description in S3 of fig. 5 (b).

Optionally, the verification network element sends a digital signature of the first message by the private key of the verification network element to the terminal device. The first message may comprise a message, e.g. the message #1, that the authentication network element interacted with the terminal device.

The certificate of the verification network element and the signature of the private key of the verification network element on the first message may be carried in the message #4 at the same time or sent separately, which is not limited.

And S504c, the terminal equipment generates a first key based on the ciphertext and the post quantum algorithm.

The terminal device uses the ciphertext and a private key (denoted as a third private key) in the third temporary public-private key as input of a post-quantum algorithm to calculate and obtain the first key.

Based on the scheme, the authentication network element and the terminal equipment can generate the first key by using the PQC-based key negotiation algorithm, so that the security of key exchange can be improved. The key negotiation algorithm can be suitable for communication scenes with higher requirements on security.

Fig. 5 (d) shows a manner in which the first key is determined based on a key negotiation algorithm of PQC and ECDH (or a key negotiation algorithm called a combination of PQC and ECDH), that is, the first key negotiation algorithm is a key negotiation algorithm based on PQC and ECDH. As shown in fig. 5 (d), the PQC and ECDHE based key agreement algorithm may include the following steps:

S501d, the terminal equipment sends the first public key and the third public key to the verification network element. Accordingly, the authentication network element receives the first public key and the third public key from the terminal device.

The first public key is illustratively the public key of the first temporary public-private key pair, and the third public key is the public key of the third temporary public-private key pair.

The first temporary public-private key pair is a public key of a temporary public-private key pair generated by the terminal device based on an elliptic curve algorithm, and concretely can refer to the first public key in S501b, and the third public key is a public key of a temporary public-private key pair generated by the terminal device based on a post-quantum algorithm, and concretely can refer to the third public key in S501 c.

S502d, the verification network element generates a second key based on the first public key and the private key of the verification network element, and generates a third key based on the third public key.

The public key of the authentication network element (denoted as public key # 1) corresponding to the private key of the authentication network element may be preset in the terminal device.

And the verification network element takes the third public key as the input of a post quantum algorithm to obtain the ciphertext and the third secret key. The description of the first key generated based on the third public key in S502c may be referred to in detail.

And S503d, the verification network element generates the first key based on the second key and the third key.

And S504d, the verification network element sends the ciphertext to the terminal equipment. Accordingly, the terminal device receives the ciphertext from the authentication network element.

This step may refer to the description in S503 c.

Optionally, if the public key #1 is not preset in the terminal device, the authentication network element sends the public key #1 to the terminal device.

Optionally, the authentication network element sends the certificate of the authentication network element to the terminal device. The certificate of the authentication network element may be used for the terminal device to authenticate the authentication network element. Or the certificate of the authentication network element may also be preset in the terminal device. The certificate may refer to the description in S3 of fig. 5 (a).

Optionally, the verification network element sends a digital signature of the first message by the private key of the verification network element to the terminal device. The first message may comprise a message that the authentication network element interacted with the terminal device.

And S505d, the terminal equipment generates a first key based on the ciphertext and the post quantum algorithm.

The terminal device generates the second key, illustratively based on the first private key and the public key of the authentication network element, namely public key # 1. The first private key is the private key of the first temporary public private key pair.

The terminal equipment takes the ciphertext and the third private key as the input of a post quantum algorithm, and calculates to obtain the third key. Further, the terminal device generates the first key based on the second key and the third key.

Based on the scheme, by using the key negotiation algorithm based on the PQC and the ECDH, the authentication network element and the communication device can generate the first key based on the key generated by the PQC and the key generated by the ECDH, and compared with the key negotiation algorithm based on the PQC, the security of key exchange is further improved. The key negotiation algorithm can be applied to communication scenes with higher requirements on security.

Fig. 5 (e) shows the manner in which the first key is determined based on the key agreement algorithm of PQC and ECDHE (alternatively referred to as the key agreement algorithm of PQC and ECDHE fusion), i.e., the first key agreement algorithm is the key agreement algorithm based on PQC and ECDHE. As shown in fig. 5 (d), the PQC and ECDHE based key agreement algorithm may include the following steps:

s501e, the terminal equipment sends the first public key and the third public key to the verification network element. Accordingly, the authentication network element receives the first public key and the third public key from the terminal device.

This step may refer to S501d.

S502e, the authentication network element generates a second key based on the first public key and the second private key, and generates a third key based on the third public key.

The second private key may be a private key of a temporary public-private key pair generated by the authentication network element.

The specific process of generating the third key by the authentication network element based on the third public key may refer to S502c, where a description of the first key is generated based on the third public key.

S503e, the authentication network element generates the first key based on the second key and the third key.

And S504e, the verification network element sends the ciphertext and the second public key to the terminal equipment. Accordingly, the terminal device receives the ciphertext and the second public key from the authentication network element.

The second public key may be a public key of a temporary public-private key pair generated by the authentication network element.

Optionally, the verifying network element sends a digital signature of the first message (an example of the first digital signature) to the terminal device by the private key of the verifying network element. The first message may comprise a message that the authentication network element interacted with the terminal device.

S505e, the terminal equipment generates a first key based on the ciphertext and the post quantum algorithm.

The terminal device generates the second key based on the first private key and the second public key. The first private key is the private key of the first temporary public private key pair.

The terminal equipment takes the ciphertext and the third private key as the input of a post quantum algorithm, and calculates to obtain the third key. Further, the terminal device generates the first key based on the two keys and the third key.

Based on the above scheme, by using the key agreement algorithm based on PQC and ECDHE, the authentication network element and the terminal device can generate the first key based on the key generated by PQC and the key generated by ECDHE. Wherein ECDHE has forward security, the key agreement algorithm is applicable to communication scenarios with higher requirements for security than the key agreement algorithms based on PQC and ECDH.

Fig. 5 (f) shows a manner in which the first key is determined by the PSK-based key negotiation algorithm, that is, the first key negotiation algorithm is the PSK-based key negotiation algorithm. Before key negotiation, at least one key is preset in the terminal device and the verification network element, and the at least one key corresponds to the at least one identifier one by one, or, a corresponding relationship (denoted as a corresponding relationship # 2) between the at least one key and the at least one identifier is preset in the terminal device and the verification network element.

Illustratively, when the terminal device signs up with the operator, the operator node may write the correspondence #2 into the terminal device by over-the-air card writing.

S501 f, the terminal device sends an identification #1 to the authentication network element. Accordingly, the authentication network element receives the identification #1 from the terminal device.

The identification #1 is one of the at least one identification, the identification #1 being used to identify one of the at least one key (denoted as key k). It will be appreciated that the key k is the first key determined by the terminal device.

S502 f, the verification network element determines the first key based on the identification #1 and the corresponding relation # 1.

Illustratively, the verifying network element may query the key corresponding to the identifier #1 from the correspondence #1 based on the identifier #1, i.e. the verifying network element determines the first key.

Based on the scheme, the authentication network element and the terminal equipment can use the preset key to generate the first key by using the key negotiation algorithm based on PSK, and the key negotiation algorithm has lower calculation complexity and can be suitable for a communication scene with lower calculation complexity of the key negotiation algorithm.

Fig. 6 is a schematic flow chart of a communication method provided by an embodiment of the present application. The method may comprise the following steps.

S610, the terminal device (an example of the terminal device) sends the temporary public key to the authentication network element. Accordingly, the authentication network element receives the temporary public key from the terminal device.

The temporary public key is a public key in a temporary public-private key pair generated by the terminal equipment. The temporary public-private key pair may include a first temporary public-private key pair and/or a third temporary public-private key pair, respectively, with reference to the descriptions in S501b and S501 c. Accordingly, the temporary public key may comprise the first public key and/or the third public key, respectively, as described above with reference to the above.

Optionally, the method further comprises the authentication network element determining the first key based on the temporary public key. Determining the first key by the authentication network element based on the temporary public key may include the following examples:

example #1, the temporary public key is a first public key that the authentication network element determines based on an ECDH key agreement algorithm.

In this example, the authentication network element determines the first key based on the first public key and a private key of the authentication network element.

Optionally, the terminal device determines the first secret key according to the first secret key and the public key of the verification network element, wherein the first secret key is the secret key in the first temporary public-secret key pair.

The specific procedure for verifying the first key by the network element and the terminal device may be as described in fig. 5 (a).

Example #2, the temporary public key is a first public key that the authentication network element determines based on ECDHE key agreement algorithm.

In this example, the authentication network element determines the first key based on the first public key and the privacy of a second temporary public-private key pair generated by the authentication network element.

Optionally, the authentication network element sends a second public key to the terminal device, the second public key is a public key in the second temporary public-private key pair, and the terminal device determines the first key according to the second public key.

The specific procedure for verifying the first key by the network element and the terminal device may be as described in fig. 5 (b).

Example #3, the temporary public key is a third public key, and the authentication network element determines the first key based on a PQC key negotiation algorithm.

In this example, the authentication network element enters the third public key into the post quantum algorithm to generate ciphertext and the first key.

Optionally, the authentication network element sends the ciphertext to the terminal device, and the terminal device obtains the first key by inputting the third private key and the ciphertext into a post quantum algorithm.

The specific procedure for verifying the first key by the network element and the terminal device may be as described in (c) of fig. 5.

Example #4, the temporary public key comprising a first public key and a third public key, the authentication network element determining the first key based on the PQC and ECDH key agreement algorithm.

In this example, the authentication network element determines a second key based on the first public key and a private key of the authentication network element, and inputs the third public key into the post-quantum algorithm to generate ciphertext and a third key, and the authentication network element determines the first key based on the second key and the third key.

Optionally, the authentication network element sends the public key and the ciphertext of the authentication network element to the terminal device, the terminal device can generate the second key according to the public key and the first private key (refer to the description above) of the authentication network element, and input the third private key (refer to the description above) and the ciphertext into the post quantum algorithm to obtain the third key, and the terminal device determines the first key according to the second key and the third key.

The specific procedure for verifying the network element and the terminal device to determine the first key may be as described in (d) of fig. 5.

Example #5, the temporary public key comprising a first public key and a third public key, the authentication network element determining the first key based on the PQC and ECDHE key agreement algorithm.

In this example, the authentication network element determines a second key based on the first public key and a second private key, and inputs the third public key into the post quantum algorithm to generate ciphertext and a third key, wherein the second private key is as described above, and the authentication network element determines the first key based on the second key and the third key.

Optionally, the authentication network element sends the second public key and the ciphertext to the terminal device, the terminal device may generate the second key according to the second public key and the first private key (refer to the description above), and input the third private key (refer to the description above) and the ciphertext into the post-quantum algorithm to obtain the third key, and the terminal device determines the first key according to the second key and the third key.

The specific procedure for verifying the network element and the terminal device to determine the first key may be as described in (e) of fig. 5.

Optionally, the terminal device indicates to the authentication network element an identifier corresponding to a key k (an example of a first key), where the key k is one of at least one key preset by the terminal device, and the at least one key has a correspondence (denoted as a correspondence # 2) with the at least one identifier, and the authentication network element determines the first key based on a psk key negotiation algorithm. Specifically, the corresponding relation #2 can be preset in the verification network element, and the verification network element determines the first key according to the identification of the key k and the corresponding relation # 2. Specific procedures may be described with reference to fig. 5 (f).

For example, the terminal device may determine to transmit the temporary public key according to the second indication information. Wherein the second indication information is from the authentication network element, the second indication information indicating a first key agreement algorithm, the first key agreement algorithm being one of at least one key agreement algorithm. The at least one key agreement algorithm refers to the description in S410.

In particular, the terminal device and the authentication network element may negotiate to determine the first key negotiation algorithm, i.e. the terminal device receives the second indication information from the authentication network element during negotiating the first key negotiation algorithm. The specific process of the terminal device and the authentication network element negotiation to determine the first key negotiation algorithm refers to the description in S410, and will not be described in detail.

S620, the authentication network element authenticates the terminal device based on the first key.

Specifically, the authentication network element receives a request message from the terminal device, the request message being for requesting access to the network, the request message comprising a first identity encrypted by the terminal device using the first key. The verification network element decrypts the encrypted first identifier based on the first key and acquires first authentication information according to the first identifier, and the verification network element authenticates the terminal equipment based on the first authentication information.

The specific implementation of the above steps may refer to the descriptions in S440 to S460, and will not be repeated.

The first authentication information is authentication information corresponding to the first authentication mode. Before sending the request message to the verification network element, the terminal device and the verification network element negotiate to determine the first authentication mode, and the specific process may refer to the description in S430.

Illustratively, the first authentication information includes a first credential of the terminal device, the verifying network element authenticating the terminal device based on the first credential. The specific way for the verification network element to authenticate the terminal device based on the first credentials is described in S460.

Optionally, the method further includes S630 and S640:

and S630, the verification network element sends the first digital signature to the terminal equipment. Accordingly, the terminal device receives the first digital signature from the verifying network element.

The first digital signature is a signature of a private key of the verification network element on a first message, wherein the first message comprises a message interacted by the verification network element and the terminal equipment.

Optionally, if the terminal device does not preset the certificate of the verification network element, the verification network element sends the certificate of the verification network element to the terminal device, where the certificate includes a public key of the verification network element, and the public key of the verification network element is used for verifying the first digital signature by the terminal device.

And S640, the terminal equipment verifies the first digital signature according to the certificate of the verification network element.

That is, the terminal device verifies the first digital signature according to the certificate of the verification network element, thereby verifying the verification network element. The process of the terminal device verifying the verification network element may refer to the description in S420.

The communication method provided by the embodiment of the application is described in detail above with reference to fig. 4 to 6. It should be understood that the sequence numbers of the above processes do not mean the order of execution, and the execution order of the processes should be determined by the functions and internal logic of the processes, and should not be construed as limiting the implementation process of the embodiments of the present application.

It is also to be understood that in the various embodiments of the application, where no special description or logic conflict exists, the terms and/or descriptions between the various embodiments are consistent and may reference each other, and features of the various embodiments may be combined to form new embodiments in accordance with their inherent logic relationships.

It will be appreciated that in the foregoing embodiments of the method, the method and operations implemented by the device (e.g., the authentication network element and the terminal device described above) may also be implemented by a component (e.g., a chip or a circuit) of the device.

The above communication method is mainly described in terms of interaction between the network elements. It will be appreciated that each network element, in order to implement the above-described functions, includes corresponding hardware structures and/or software modules that perform each function.

The following describes in detail the communication device provided in the embodiment of the present application with reference to fig. 7 to 9. It should be understood that the descriptions of the apparatus embodiments and the descriptions of the method embodiments correspond to each other, and thus, descriptions of details not described may be referred to the above method embodiments, which are not repeated herein for brevity.

Fig. 7 shows a schematic diagram of a communication device 700 according to an embodiment of the present application.

The apparatus 700 comprises an interface unit 710, which interface unit 710 may be adapted to implement corresponding communication functions, the interface unit 710 may also be referred to as a communication interface, a communication unit or a transceiver unit.

Optionally, the apparatus 700 may further comprise a processing unit 720, and the processing unit 720 may be configured to perform data processing.

Optionally, the apparatus 700 further includes a storage unit, where the storage unit may be configured to store instructions and/or data, and the processing unit 720 may read the instructions and/or data in the storage unit, so that the apparatus implements the actions of the different devices in the foregoing method embodiments.

In one possible design, the apparatus 700 may be the authentication element in the foregoing embodiment, or may be a component (e.g., a chip) of the authentication element. The apparatus 700 may implement steps or procedures corresponding to those performed by the authentication network element in the method embodiments above. The interface unit 710 may be configured to perform operations related to the authentication of the network element in the above method embodiment, and the processing unit 720 may be configured to perform operations related to the authentication of the network element in the above method embodiment.

In another possible design, the apparatus 700 may be a terminal device in the foregoing embodiment, or may be a component (such as a chip) of the terminal device. The apparatus 700 may implement steps or procedures corresponding to those performed by the terminal device in the above method embodiments. The interface unit 710 may be configured to perform operations related to the transceiving of the terminal device in the above method embodiment, and the processing unit 720 may be configured to perform operations related to the processing of the terminal device in the above method embodiment.

Fig. 8 is a schematic block diagram of a communication device 800 provided in an embodiment of the present application.

The apparatus 800 includes a processor 810, the processor 810 being coupled to a memory 820. Optionally, a memory 820 is also included. The memory 820 is used to store computer programs or instructions and/or data, and the processor 810 is used to execute the computer programs or instructions stored in the memory 820 or to read the data stored in the memory 820 to perform the methods in the method embodiments above.

Optionally, the processor 810 is one or more.

Optionally, the memory 820 is one or more.

Alternatively, the memory 820 may be integrated with the processor 810 or provided separately.

Optionally, as shown in fig. 8, the apparatus 800 further comprises a communication interface 830, the communication interface 830 being used for receiving and/or transmitting signals. For example, the processor 810 is configured to control the communication interface 830 to receive and/or transmit signals.

By way of example, communication interface 830 may be a transceiver, circuit, bus, module, or other type of communication interface. Communication interface 830 may also be referred to as an interface.

As an alternative, the apparatus 800 is configured to implement the operations performed by the authentication network element in the method embodiments above.

For example, processor 810 is configured to execute computer programs or instructions stored in memory 820 to implement the relevant operations for verifying network elements in the various method embodiments above.

Alternatively, the apparatus 800 is configured to implement the operations performed by the terminal device in the above method embodiments.

For example, the processor 810 is configured to execute computer programs or instructions stored in the memory 820 to implement the relevant operations of the terminal device in the above respective method embodiments.

In implementation, the steps of the above method may be performed by integrated logic circuitry in hardware or instructions in software in processor 810. The method disclosed in connection with the embodiments of the present application may be directly embodied as a hardware processor executing or may be executed by a combination of hardware and software modules in the processor. The software modules may be located in a random access memory, flash memory, read only memory, programmable read only memory, or electrically erasable programmable memory, registers, etc. as well known in the art. Which is located in a memory 820, and a processor 810 reads information in the memory 820 and performs the steps of the above method in combination with its hardware. To avoid repetition, a detailed description is not provided herein.

It should be appreciated that in embodiments of the present application, the processor may be one or more integrated circuits configured to execute associated programs to perform embodiments of the methods of the present application.

A processor (e.g., processor 810) may include one or more processors and be implemented as a combination of computing devices. The processor may each include one or more of a microprocessor, a microcontroller, a digital signal processor (DIGITAL SIGNAL processor, DSP), a digital signal processing device (DIGITAL SIGNAL processing device, DSPD), an Application SPECIFIC INTEGRATED Circuit (ASIC), a field programmable gate array (field programmable GATE ARRAY, FPGA), a programmable logic device (programmable logic device, PLD), gating logic, transistor logic, discrete hardware circuits, processing circuits, or other suitable hardware, firmware, and/or combinations of hardware and software for performing the various functions described in this disclosure. The processor may be a general purpose processor or a special purpose processor. For example, the processor 810 may be a baseband processor or a central processing unit. The baseband processor may be used to process communication protocols and communication data. The central processor may be used to cause the device to execute a software program and process data in the software program. In addition, a portion of the processor may also include nonvolatile random access memory. The processor may also store information of the device type, for example.

The program in the present application is used in a broad sense to represent software. Non-limiting examples of software include program code, programs, subroutines, instructions, instruction sets, code segments, software modules, applications, or software applications, among others. The program may run in a processor and/or a computer. Such that the device performs the various functions and/or processes described herein.

The memory (e.g., memory 820) may store data required by a processor (e.g., processor 810) when executing software. The memory may be implemented using any suitable memory technology. For example, memory may be any available storage media that can be accessed by a processor and/or computer. Non-limiting examples of storage media include random access memory (random access memory, RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), compact disk-ROM (CD-ROM), static random access memory (STATIC RAM, SRAM), dynamic random access memory (DYNAMIC RAM, DRAM), synchronous Dynamic Random Access Memory (SDRAM), double data rate synchronous dynamic random access memory (doubledata RATE SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (ENHANCED SDRAM, ESDRAM), synchronous link dynamic random access memory (SYNCHLINK DRAM, SLDRAM), and direct memory bus random access memory (direct rambus RAM, DR RAM), removable media, optical disk memory, magnetic disk storage media, magnetic storage devices, flash memory, registers, status memory, remote mounted memory, local or remote memory components, or any other media capable of carrying or storing software, data, or information and being accessed by a processor/computer. It should be noted that the memory described herein is intended to comprise, without being limited to, these and any other suitable types of memory.

The memory (e.g., memory 820) and the processor (e.g., processor 810) may be provided separately or integrated together. The memory may be used in connection with the processor such that the processor can read information from, store information in, and/or write information to the memory. The memory may be integrated in the processor. The memory and processor may be provided in an integrated circuit (e.g., the integrated circuit may be provided in a UE or other network node).

Fig. 9 is a schematic block diagram of a chip system 900 according to an embodiment of the present application. The system-on-chip 900 (or may also be referred to as a processing system) includes logic 910 and input/output interface 920.

Logic 910 may be a processing circuit in system on a chip 900. Logic 910 may be coupled to a memory unit to invoke instructions in the memory unit so that system-on-chip 900 can implement the methods and functions of embodiments of the present application. The input/output interface 920 may be an input/output circuit in the chip system 900, outputting information processed by the chip system 900, or inputting data or signaling information to be processed into the chip system 900 for processing.

As an option, the chip system 900 is configured to implement the operations performed by the authentication network element in the above method embodiments.

For example, the logic 910 is configured to implement the processing related operations performed by the authentication network element in the above method embodiments, and the input/output interface 920 is configured to implement the sending and/or receiving related operations performed by the authentication network element in the above method embodiments.

Alternatively, the chip system 900 is configured to implement the operations performed by the terminal device in the above method embodiments.

For example, the logic 910 is configured to implement the operations related to the processing performed by the terminal device in the above method embodiment, and the input/output interface 920 is configured to implement the operations related to the transmission and/or reception performed by the terminal device in the above method embodiment.

The embodiment of the application also provides a computer readable storage medium, on which computer instructions for implementing the method executed by the communication device (such as the authentication network element and the terminal device) in the above method embodiments are stored.

The embodiment of the application also provides a computer program product, which contains instructions, and the instructions are executed by a computer to realize the method executed by the communication device (such as the verification network element and the terminal equipment) in each method embodiment.

The embodiment of the application also provides a communication system, which comprises at least one of the authentication network element and the terminal equipment in the above embodiments.

The explanation and beneficial effects of the related content in any of the above-mentioned devices can refer to the corresponding method embodiments provided above, and are not repeated here.

In the various embodiments described above, terms and/or descriptions of the various embodiments are consistent and may refer to each other in the absence of a particular explanation or logic conflict, and features of the various embodiments may be combined to form new embodiments in accordance with their inherent logic relationships.

In embodiments of the application, words such as "exemplary," "for example," and the like are used to indicate by way of example, illustration, or description. Any embodiment or design described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, the term use of an example is intended to present concepts in a concrete fashion.

It should be appreciated that reference throughout this specification to "an embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Thus, various embodiments are not necessarily referring to the same embodiments throughout the specification. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.

It should be understood that, in various embodiments of the present application, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present application. The names of all nodes and messages in the present application are only names set for the convenience of description of the present application, and names in actual networks may be different, and it should not be understood that the present application is limited to the names of various nodes and messages, but any names having the same or similar functions as those of the nodes or messages used in the present application are regarded as methods or equivalent alternatives of the present application, and are within the scope of protection of the present application.

It should also be understood that, in the present application, "when.+ -.)," if "and" if "all mean that the network element will make the corresponding treatment under some objective condition, and are not limited in time, nor do they require that the network element must have a judgment in its implementation act, nor are they meant to have other limitations.

It should be noted that, in the embodiment of the present application, the "preset", "preconfiguration" and the like may be implemented by pre-storing corresponding codes, tables or other modes that may be used to indicate relevant information in a device (for example, a terminal device), and the present application is not limited to a specific implementation manner thereof, for example, a preset rule, a preset constant and the like in the embodiment of the present application.

In addition, the terms "system" and "network" are often used interchangeably herein.

The term "at least one of". Or ". The term" means all or any combination of the listed items, e.g., "at least one of A, B and C", may mean that a alone, B alone, C alone, a and B together, B and C together, A, B and C together. The term "at least one" as used herein means one or more. "plurality" means two or more.

It should be understood that in embodiments of the present application, "B corresponding to a" means that B is associated with a from which B may be determined. It should also be understood that determining B from a does not mean determining B from a alone, but may also determine B from a and/or other information.

In addition, "of", "corresponding (corresponding, relevant)", "corresponding (corresponding)" and "associated (associate)" may sometimes be used in combination, and it should be noted that the meaning to be expressed is consistent when the distinction is not emphasized. The terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless expressly specified otherwise.

Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.

It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.

In the several embodiments provided by the present application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.

The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.

The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. The storage medium includes various media capable of storing program codes such as a U disk, a mobile hard disk, a ROM, a RAM, a magnetic disk or an optical disk.

The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims

1. A communication method, characterized in that it is applied to verify a network element, the method comprising:

Receiving first indication information from a communication device, wherein the first indication information indicates at least one key agreement algorithm;

Send second indication information to the communication device, wherein the second indication information indicates a first key negotiation algorithm, where the first key negotiation algorithm is one of the at least one key negotiation algorithm, and the first key negotiation algorithm is used to determine a first key, and the first key is used to encrypt or decrypt messages transmitted between the communication device and the verification network element.

2. The method according to claim 1, wherein the first key agreement algorithm is determined according to first information and the first indication information, and the first information includes at least one of the following information:

The security level corresponding to the key negotiation algorithm, the computational complexity of the key negotiation algorithm, the network standard, the type of the communication device, and the computing capability of the communication device.

3. The method according to claim 1 or 2, characterized in that the at least one key agreement algorithm comprises at least one of the following:

Elliptic Curve Diffie-Hellman ECDH key agreement algorithm, temporary Elliptic Curve Diffie-Hellman ECDHE key agreement algorithm, key agreement algorithm based on post-quantum cryptography PQC, key agreement algorithm based on post-quantum cryptography PQC and Elliptic Curve Diffie-Hellman ECDH, key agreement algorithm based on post-quantum cryptography PQC and temporary Elliptic Curve Diffie-Hellman ECDHE, and key agreement algorithm based on pre-set keys.

4. The method according to claim 3, characterized in that the method further comprises:

The first key is determined based on the first key agreement algorithm.

5. The method according to claim 4, wherein the first key agreement algorithm is the ECDHE key agreement algorithm, and determining the first key based on the first key agreement algorithm comprises:

receiving a first public key from the communication device, where the first public key is a public key in a first temporary public-private key pair generated by the communication device;

The first key is determined based on the first public key and the second private key, where the second private key is a private key in a second temporary public-private key pair generated by the verification network element.

6. The method according to claim 5, characterized in that the method further comprises:

A second public key is sent to the communication device, where the second public key is a public key in the second temporary public-private key pair, and the second public key is used by the communication device to determine the first key.

7. The method according to claim 4, wherein the first key agreement algorithm is the PQC-based key agreement algorithm, and determining the first key based on the first key agreement algorithm comprises:

Receiving a third public key from the communication device, where the third public key is a public key in a third temporary public-private key pair generated by the communication device based on a post-quantum algorithm;

The third public key is input into the post-quantum algorithm to generate a ciphertext and the first key.

8. The method according to claim 7, characterized in that the method further comprises:

The ciphertext is sent to the communication device, and the ciphertext is used by the communication device to determine the first key.

9. The method according to claim 4, wherein the first key agreement algorithm is the key agreement algorithm based on PQC and ECDH, and the determining the first key based on the first key agreement algorithm comprises:

Receiving a first public key and a third public key from the communication device, wherein the first public key is a public key in a first temporary public-private key pair generated by the communication device, and the third public key is a public key in a third temporary public-private key pair generated by the communication device based on a post-quantum algorithm;

Determine a second key based on the first public key and the private key of the verification network element;

Inputting the third public key into the post-quantum algorithm to generate a ciphertext and a third key;

The first key is determined based on the second key and the third key.

10. The method according to claim 9, characterized in that the method further comprises:

The public key of the verification network element and the ciphertext are sent to the communication device, and the public key of the verification network element and the ciphertext are used by the communication device to determine the first key.

11. The method according to claim 4, wherein the first key agreement algorithm is the key agreement algorithm based on PQC and ECDHE, and the determining the first key based on the first key agreement algorithm comprises:

Determine a second key based on the first public key and the second private key, where the second private key is a private key in a second temporary public-private key pair generated by the verification network element;

The first key is determined based on the second key and the third key.

12. The method according to claim 11, characterized in that the method further comprises:

A second public key and the ciphertext are sent to the communication device, where the second public key is a public key in the second temporary public-private key pair, and the second public key and the ciphertext are used by the communication device to determine the first key.

13. The method according to any one of claims 1 to 12, characterized in that the method further comprises:

Sending a first digital signature to the communication device, where the first digital signature is a signature of a first message by a private key of the verification network element, where the first message includes a message that the verification network element and the communication device have interacted with;

The certificate of the verification network element is sent to the communication device, where the certificate includes the public key of the verification network element, and the public key of the verification network element is used by the communication device to verify the first digital signature.

14. The method according to any one of claims 1 to 13, characterized in that the method further comprises:

receiving a request message from the communication device, the request message being used to request access to a network, the request message comprising a first identifier encrypted by the first key, the first identifier corresponding to the authentication information of the communication device;

Acquire first authentication information in the authentication information according to the first identifier;

The communication device is authenticated based on the first authentication information.

15. The method according to claim 14, characterized in that before receiving the request message from the communication device, the method further comprises:

receiving third indication information from the communication device, wherein the third indication information indicates at least one authentication mode, and the authentication information indicated by each authentication mode in the at least one authentication mode is independent of each other;

Fourth indication information is sent to the communication device, where the fourth indication information indicates a first authentication method, where the first authentication method is one of the at least one authentication method, and the first authentication method corresponds to the first authentication information.

16. The method according to claim 14 or 15, characterized in that the authentication information includes any one of the following information:

The credentials of the communication device, the cryptographic algorithm;

The credential of the communication device includes a public key of the communication device, and the cryptographic algorithm includes a signature algorithm applicable to the communication device.

17. The method according to claim 15 or 16, characterized in that the type of the first identifier indicated by each authentication method in the at least one authentication method is different, and the first identifier includes at least one of the following:

an identifier of the first type of the communication device, an identifier of the second type of the communication device, an identifier of a block or an identifier of a transaction, and a virtual identifier of the communication device;

Among them, the first type of identifier has a first corresponding relationship with the root key of the communication device, the second type of identifier has a second corresponding relationship with at least one certificate of the communication device, the block identifier or the transaction identifier is used to obtain the second corresponding relationship stored on the blockchain, and the virtual identifier has a corresponding relationship with the second type of identifier.

18. The method according to any one of claims 15 to 17, wherein the first authentication mode is determined according to second information and the third indication information, and the second information includes at least one of the following information:

The issuer of the certificate of the communication device, the security level of the certificate of the communication device, and the cryptographic algorithm corresponding to the certificate of the communication device.

19. The method according to any one of claims 14 to 18, wherein the first authentication information comprises a first credential of the communication device, and the authenticating the communication device based on the first authentication information comprises:

verifying the first credential based on credentials of an issuer of the first credential;

Receiving a second digital signature from the communication device, where the second digital signature is a signature of a second message by a private key of the communication device, and the second message includes a message that the communication device has interacted with the verification network element;

The second digital signature is verified based on a public key corresponding to the first credential.

20. A communication method, characterized in that it is applied to a communication device, the method comprising:

Sending first indication information to the verification network element, where the first indication information indicates at least one key agreement algorithm;

Receive second indication information from the verification network element, where the second indication information indicates a first key negotiation algorithm, where the first key negotiation algorithm is one of the at least one key negotiation algorithm, where the first key negotiation algorithm is used to determine a first key, and where the first key is used to encrypt or decrypt messages transmitted between the communication device and the verification network element.

21. The method according to claim 20, wherein the first key agreement algorithm is determined according to first information and the first indication information, and the first information includes at least one of the following information:

22. The method according to claim 20 or 21, characterized in that the at least one key agreement algorithm comprises at least one of the following:

23. The method according to claim 22, characterized in that the method further comprises:

The first key is determined based on the first key agreement algorithm.

24. The method according to claim 23, wherein the first key agreement algorithm is the ECDHE key agreement algorithm, and determining the first key based on the first key agreement algorithm comprises:

Receiving a second public key from the verification network element, where the second public key is a public key in a second temporary public-private key pair generated by the verification network element;

The first key is determined based on the second public key and a first private key, where the first private key is a private key in a first temporary public-private key pair generated by the communication device.

25. The method according to claim 22 or 23, characterized in that before determining the first key based on the first key agreement algorithm, the method further comprises:

A first public key is sent to the verification network element, where the first public key is a public key in a first temporary public-private key pair generated by the communication device, and the first public key is used by the verification network element to determine the first key.

26. The method according to claim 23, wherein the first key agreement algorithm is the PQC-based key agreement algorithm, and determining the first key based on the first key agreement algorithm comprises:

receiving a ciphertext from the verification network element, where the ciphertext is generated by the verification network element based on a post-quantum algorithm;

The ciphertext and the third private key are input into the post-quantum algorithm to generate the first key, and the third private key is the private key in the third temporary public-private key pair generated by the communication device based on the post-quantum algorithm.

27. The method according to claim 26, characterized in that before determining the first key based on the first key agreement algorithm, the method further comprises:

A third public key is sent to the verification network element, where the third public key is a public key in the third temporary public-private key pair, and the third public key is used by the verification network element to determine the first key.

28. The method according to claim 23, wherein the first key agreement algorithm is the key agreement algorithm based on PQC and ECDH, and the determining the first key based on the first key agreement algorithm comprises:

Receiving a ciphertext from the verification network element and a public key of the verification network element, wherein the ciphertext is generated by the verification network element based on a post-quantum algorithm;

Determine a second key based on the public key of the verification network element and a first private key, where the first private key is a private key in a first temporary public-private key pair generated by the communication device;

Inputting the ciphertext and the third private key into the post-quantum algorithm to generate a third key, wherein the third private key is a private key in a third temporary public-private key pair generated by the communication device based on the post-quantum algorithm;

The first key is determined based on the second key and the third key.

29. The method according to claim 23, wherein the first key agreement algorithm is the key agreement algorithm based on PQC and ECDHE, and determining the first key based on the first key agreement algorithm comprises:

Receiving a ciphertext and a second public key from the verification network element, where the ciphertext is generated by the verification network element based on a post-quantum algorithm, and the second public key is a public key in a second temporary public-private key pair generated by the verification network element;

Determine a second key based on the second public key and a first private key, where the first private key is a private key in a first temporary public-private key pair generated by the communication device;

The first key is determined based on the second key and the third key.

30. The method according to claim 28 or 29, characterized in that before determining the first key based on the first key agreement algorithm, the method further comprises:

A first public key and a third public key are sent to the verification network element, where the first public key is the public key in the first temporary public-private key pair, and the third public key is the public key in the third temporary public-private key pair. The first public key and the third public key are used by the verification network element to determine the first key.

31. The method according to any one of claims 20 to 30, characterized in that the method further comprises:

Receiving a first digital signature from the verification network element, where the first digital signature is a signature of a private key of the verification network element on a first message, where the first message includes a message that the verification network element and the communication device have interacted with;

receiving a certificate of the verification network element from the verification network element, the certificate including a public key of the verification network element;

The first digital signature is verified based on the public key of the verification network element.

32. The method according to any one of claims 20 to 31, characterized in that the method further comprises:

A request message is sent to the verification network element, where the request message is used to request access to the network, where the request message includes a first identifier encrypted by the first key, where the first identifier corresponds to the authentication information of the communication device, where the authentication information includes first authentication information, and where the first authentication information is used to authenticate the communication device.

33. The method according to claim 32, characterized in that before sending the request message to the verification network element, the method further comprises:

Sending third indication information to the verification network element, where the third indication information indicates at least one authentication mode, and the authentication information indicated by each authentication mode in the at least one authentication mode is independent of each other;

Receive fourth indication information from the verification network element, where the fourth indication information indicates a first authentication method, where the first authentication method is one of the at least one authentication method, and the first authentication method corresponds to the first authentication information.

34. The method according to claim 32 or 33, wherein the authentication information includes any one of the following information:

Credentials of communication devices, cryptographic algorithms;

35. The method according to claim 33 or 34, characterized in that the type of the first identifier indicated by each authentication method in the at least one authentication method is different, and the first identifier includes at least one of the following:

36. The method according to any one of claims 33 to 35, characterized in that the first authentication mode is determined according to second information and the third indication information, and the second information includes at least one of the following information:

37. The method according to any one of claims 32 to 36, characterized in that the method further comprises:

A second digital signature is sent to the verification network element, where the second digital signature is a signature of a second message using the private key of the communication device, where the second message includes messages that the communication device has interacted with the verification network element, and the second digital signature is used by the verification network element to authenticate the communication device.

38. A communication device, characterized in that the device is used to execute the method as claimed in any one of claims 1 to 37.

39. A communication device, comprising:

A processor, wherein the processor is configured to cause the apparatus to perform the method according to any one of claims 1 to 37 by executing a computer program stored in a memory and/or by a logic circuit.

40. The device according to claim 39, characterized in that the device also includes the memory.

41. A communication device, comprising:

Processor and communication interface;

Wherein, the communication interface is used to receive code instructions and transmit them to the processor, and the processor is used to enable the device to perform the method as described in any one of claims 1 to 37 by executing a computer program stored in a memory and/or through a logic circuit.

42. A computer-readable storage medium, characterized in that the computer-readable storage medium comprises a computer program or instructions, and when the computer program or instructions are executed on a computer, the computer executes the method according to any one of claims 1 to 37.

43. A computer program product, characterized in that the computer program product comprises a computer program or instructions, and when the computer program or instructions are run on a computer, the computer is caused to execute the method according to any one of claims 1 to 37.

44. A communication system, characterized by comprising an authentication entity and a first terminal device, the authentication entity being used to execute the method as described in any one of claims 1 to 19, and the first terminal device being used to execute the method as described in any one of claims 20 to 37.