CN112291064A - Authentication system, registration and authentication method, device, storage medium and electronic equipment - Google Patents
- Publication number: CN112291064A
- Application number: CN202011080623.6A
- Authority: CN (China)
- Prior art keywords: mobile terminal, authentication, public key, information, sim
- Prior art date
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L 9/3247: cryptographic mechanisms or arrangements for secret or secure communications, including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
- H04L 63/0823: network architectures or network communication protocols for network security, for authentication of entities, using certificates
- H04L 63/0869: network architectures or network communication protocols for network security, for authentication of entities, for achieving mutual authentication
- H04L 9/3263: cryptographic mechanisms for entity or message authentication involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
- H04L 9/3268: as H04L 9/3263, using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
- H04L 9/3297: cryptographic mechanisms for entity or message authentication involving time stamps, e.g. generation of time stamps
- H04W 12/08: wireless communication networks; security arrangements, authentication, protecting privacy or anonymity; access security
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Telephonic Communication Services (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The present disclosure relates to an authentication system, a registration and authentication method, an apparatus, a storage medium, and an electronic device. The authentication system includes a user management server and an authentication unit, where the two are different nodes in the same blockchain network and each node stores a blockchain consisting of a plurality of blocks. On receiving an authentication request initiated by a mobile terminal, the authentication unit obtains a SIM public key from the blockchain according to the SIM public key storage address carried in the request, verifies the first signature information in the request with that SIM public key and, if the verification passes, feeds back reply information including a certificate of the authentication unit to the mobile terminal. The authentication unit then admits the mobile terminal to the mobile communication network once it receives the mobile terminal's confirmation that the reply information has been authenticated. With this system, the security of authentication when a mobile terminal accesses a mobile communication network can be improved.
Description
Technical Field
The present disclosure relates to the field of communications technologies, and in particular to an authentication system, a registration method and apparatus, an authentication method and apparatus, a storage medium, and an electronic device.
Background
With the rapid development of Internet of Things technology, the range of applications of mobile communication networks keeps expanding. To protect both the system and the user equipment already on the network, the mobile communication service system must authenticate each user equipment that requests access through a strict identity authentication procedure, and admits the user equipment to the mobile communication network only when that authentication passes.
At present, a precondition for user equipment (UE) to access a mobile communication network is that each UE holds an International Mobile Subscriber Identity (IMSI) and a key K, where K is a symmetric key. The K of each UE is stored both on the UE and in the Home Subscriber Server (HSS) of the mobile communication service system. In the related art, during the initial attach procedure, that is, the procedure by which the UE connects to the mobile communication service system, the UE sends an authentication request carrying its IMSI; on receipt, the system uses the K associated with that IMSI to produce challenge information and sends the challenge to the UE. The UE answers the challenge with its own stored K, and once the response is accepted the UE is attached to the mobile communication service system. This initial attach procedure is carried out by the Mobility Management Entity (MME) of the mobile communication service system. Because the MME acts as the front end of the HSS for the authentication part of the initial attach, the authentication request of each UE does not actually need to reach the HSS. Although the HSS is the only entity on the network side that knows K, the MME stores data structures (authentication vectors) that the HSS generated using K. Even though the MME cannot derive K from these data structures, they are sufficient for the MME to verify the identity of the UE.
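The related-art challenge-response just described, as an added example that is not part of the patent: the HSS, the only holder of K, derives a one-shot vector (a challenge and the expected response) and hands it to the MME, which verifies the UE's answer without ever holding K. Everything the text leaves open is an assumption made here: the response function is HMAC-SHA256 keyed with K (real networks use the MILENAGE or TUAK algorithm sets, which are not reproduced), the vector carries only RAND and XRES (the other fields a real vector carries are omitted), and the IMSI and K values are constructed sample data. The type and function names are this example's, not the page's.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Vector is the data structure the HSS derives from K and hands to the MME:
// a fresh challenge and the response the genuine UE must produce.
// It does not contain K, yet it is enough to verify one attach.
type Vector struct{ RAND, XRES []byte }

// f2 stands in for the response function shared by the SIM and the HSS.
// Assumption: HMAC-SHA256 keyed with K (real networks use MILENAGE or TUAK).
func f2(k, rnd []byte) []byte {
	mac := hmac.New(sha256.New, k)
	mac.Write(rnd)
	return mac.Sum(nil)
}

// HSS is the only network element that holds K, indexed by IMSI.
type HSS struct{ keys map[string][]byte }

// Vector returns a fresh (RAND, XRES) pair for the IMSI, or false if it is unknown.
func (h *HSS) Vector(imsi string) (Vector, bool) {
	k, ok := h.keys[imsi]
	if !ok {
		return Vector{}, false
	}
	rnd := make([]byte, 16)
	rand.Read(rnd)
	return Vector{RAND: rnd, XRES: f2(k, rnd)}, true
}

// UE holds the IMSI and K on its SIM and answers a challenge with f2(K, RAND).
type UE struct {
	IMSI string
	K    []byte
}

func (u *UE) Respond(rnd []byte) []byte { return f2(u.K, rnd) }

// MMEVerify is the front-end check: compare RES with XRES in constant time.
// The MME never sees K, only the vector the HSS derived from it.
func MMEVerify(v Vector, res []byte) bool {
	return subtle.ConstantTimeCompare(v.XRES, res) == 1
}

func main() {
	// Constructed sample subscriber: a test IMSI and a 16-byte K, not real values.
	k := []byte("0123456789abcdef")
	hss := &HSS{keys: map[string][]byte{"001010123456789": k}}
	ue := &UE{IMSI: "001010123456789", K: k}
	v, _ := hss.Vector(ue.IMSI)                                        // HSS -> MME
	fmt.Println("attach accepted:", MMEVerify(v, ue.Respond(v.RAND))) // MME <-> UE
}
```

The point the background makes is visible in the types: `Vector` is all the MME ever stores, and the compromise of an MME therefore exposes at most the vectors it holds, while the compromise of the HSS exposes K itself. Note that the same K also has to live on every SIM, which is the symmetric-key property the patent replaces with a per-SIM key pair.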
Disclosure of Invention
The present disclosure provides an authentication system, a registration method, an authentication method, a registration apparatus, an authentication apparatus, a storage medium, and an electronic device, so as to improve the authentication security when a user equipment/mobile terminal accesses a mobile communication network.
In order to achieve the above object, according to a first aspect of the embodiments of the present disclosure there is provided an authentication system for accessing a mobile communication network, including a user management server and an authentication unit, where the user management server and the authentication unit are different nodes in the same blockchain network and each node stores a blockchain composed of a plurality of blocks;
the authentication unit is configured to, on receiving an authentication request initiated by a mobile terminal, obtain a SIM public key from the blockchain according to the SIM public key storage address in the authentication request, verify the first signature information in the authentication request with the SIM public key and, if that verification passes, feed back reply information including a certificate of the authentication unit to the mobile terminal, the certificate being used by the mobile terminal to authenticate the identity of the authentication unit; here the SIM public key storage address is the address sent to the mobile terminal by the user management server at registration, after the user management server stored in the blockchain the SIM public key carried in the mobile terminal's registration request, and the first signature information in the authentication request is signed with the SIM private key of the mobile terminal;
the authentication unit is further configured to admit the mobile terminal to the mobile communication network on receiving information from the mobile terminal that the reply information has passed authentication.
Optionally, the authentication unit is a mobility management server or a wireless access base station.
Optionally, the authentication unit is further configured to feed back authentication failure information to the mobile terminal if no SIM public key can be obtained from the blockchain at the SIM public key storage address in the authentication request, or if the signature verification of the first signature information with the SIM public key fails.
Optionally, the authentication request initiated by the mobile terminal further includes the timestamp at which the request was initiated, and the authentication unit is further configured to feed back authentication failure information to the mobile terminal if the difference between that timestamp and the current timestamp of the authentication unit exceeds a preset threshold.
Optionally, the authentication request initiated by the mobile terminal further includes a random number, and the reply information further includes second signature information, obtained by signing the random number and the timestamp with the authentication private key of the authentication unit; the mobile terminal uses the second signature information to verify that the reply information corresponds to its own authentication request.
Optionally, the user management server is configured to receive a registration request of the authentication unit and to generate the certificate of the authentication unit from the authentication public key carried in that request, where the certificate includes the authentication public key and the expiration time of the certificate and is signed by the user management server with the system private key of the authentication system;
the user management server is further configured to store the certificate in the blockchain and feed back the certificate storage address of the certificate in the blockchain to the authentication unit;
the authentication unit is further configured to store the certificate storage address.
Optionally, the authentication unit is further configured to obtain the certificate from the blockchain according to the certificate storage address before feeding back the reply information to the mobile terminal.
According to a second aspect of the embodiments of the present disclosure, there is provided a registration method for accessing a mobile communication network, applied to the user management server of an authentication system, the user management server being a node in a blockchain network in which each node stores a blockchain composed of a plurality of blocks, the method including:
receiving a registration request of a mobile terminal, the registration request carrying the SIM public key of the mobile terminal;
storing the SIM public key in the blockchain; and
feeding back the SIM public key storage address of the SIM public key in the blockchain to the mobile terminal, so that the mobile terminal stores the SIM public key storage address.
Optionally, the method further includes:
receiving a registration request of an authentication unit of the authentication system, the registration request carrying the authentication public key of the authentication unit, the authentication unit being a node in the blockchain network;
generating a certificate of the authentication unit from the authentication public key, the certificate including the authentication public key and the expiration time of the certificate and being signed by the user management server with the system private key of the authentication system; and
storing the certificate in the blockchain and feeding back the certificate storage address of the certificate in the blockchain to the authentication unit, so that the authentication unit stores the certificate storage address.
According to a third aspect of the embodiments of the present disclosure, there is provided an authentication method for accessing a mobile communication network, applied to an authentication unit of an authentication system, the authentication unit being a node in a blockchain network in which each node stores a blockchain composed of a plurality of blocks, the method including:
receiving an authentication request initiated by a mobile terminal, the authentication request including first information and first signature information, where the first information includes the SIM public key storage address of the mobile terminal, the first signature information is obtained by signing the first information with the SIM private key of the mobile terminal, and the SIM public key storage address is the address sent to the mobile terminal by the user management server of the authentication system at registration, after the user management server stored in the blockchain the SIM public key carried in the mobile terminal's registration request;
obtaining the SIM public key from the blockchain according to the SIM public key storage address;
verifying the first signature information with the SIM public key and, if the verification passes, feeding back reply information including a certificate of the authentication unit to the mobile terminal, the certificate being used by the mobile terminal to authenticate the identity of the authentication unit; and
admitting the mobile terminal to the mobile communication network on receiving information from the mobile terminal that the reply information has passed authentication.
Optionally, the method further includes feeding back authentication failure information to the mobile terminal if no SIM public key can be obtained from the blockchain at the SIM public key storage address, or if the signature verification of the first signature information with the SIM public key fails.
Optionally, the first information further includes the timestamp at which the authentication request was initiated, and the method further includes feeding back authentication failure information to the mobile terminal if the difference between that timestamp and the current timestamp of the authentication unit exceeds a preset threshold.
Optionally, the first information further includes a random number, and the reply information further includes second signature information, obtained by signing the random number and the timestamp with the authentication private key of the authentication unit; the mobile terminal uses the second signature information to verify that the reply information corresponds to its own authentication request.
According to a fourth aspect of the embodiments of the present disclosure, there is provided an authentication method for accessing a mobile communication network, applied to a mobile terminal, the method including:
initiating an authentication request including first information and first signature information, where the first information includes the SIM public key storage address of the mobile terminal, the first signature information is obtained by signing the first information with the SIM private key of the mobile terminal, and the SIM public key storage address is the address sent to the mobile terminal by the user management server of an authentication system at registration, after the user management server stored in a blockchain the SIM public key carried in the mobile terminal's registration request; and
on receiving reply information fed back by an authentication unit of the authentication system, verifying the reply information and, if the verification passes, sending authentication-passed information to the authentication unit so as to access the mobile communication network, where the reply information is generated by the authentication unit after it has obtained the SIM public key from the blockchain according to the SIM public key storage address in the first information and successfully verified the first signature information with that SIM public key.
Optionally, the first information further includes a random number and the timestamp at which the authentication request was initiated, the reply information includes a certificate of the authentication unit and second signature information, obtained by the authentication unit signing the random number and the timestamp with its authentication private key, and verifying the reply information includes:
parsing the certificate with the system public key of the authentication system pre-stored on the mobile terminal, to obtain the authentication public key of the authentication unit and the expiration time of the certificate; and
if the certificate is determined to be unexpired from its expiration time, verifying the certificate with the system public key and, if the certificate passes verification, verifying the second signature information in the reply information with the authentication public key.
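The registration and authentication exchange of the second, third and fourth aspects, as an added example that is not part of the patent: both sides of the exchange, the user management server's registration step and an in-memory stand-in for the shared blockchain are written in Go with the standard library's Ed25519. Everything the text leaves open is an assumption made here: signatures are Ed25519; a storage address is the SHA-256 of the stored bytes; a certificate is the raw bytes authPub || notAfter || signature; the first information is signed as JSON; the "preset threshold" is 60 seconds; the random number is 16 bytes. The names Ledger, tbs, RegisterAuthUnit, AuthRequest, AuthUnit, Handle, Mobile, Request, VerifyReply and Setup are this example's, not the patent's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
	"time"
)

// Ledger stands in for the blockchain every node holds. Assumption (the patent fixes
// no format): a storage address is the SHA-256 of the stored bytes, so it names one value.
type Ledger map[string][]byte

func (l Ledger) Store(data []byte) string {
	addr := fmt.Sprintf("%x", sha256.Sum256(data))
	l[addr] = append([]byte(nil), data...)
	return addr
}

// tbs builds key || notAfter (certificate body) and nonce || timestamp (challenge).
func tbs(prefix []byte, t int64) []byte {
	return binary.BigEndian.AppendUint64(append([]byte(nil), prefix...), uint64(t))
}

// RegisterAuthUnit is the user management server issuing the certificate
// authPub(32) || notAfter(8) || Sign(sysPriv, authPub || notAfter), storing it and returning
// its address. A terminal is registered by storing its SIM public key the same way (see Setup).
func RegisterAuthUnit(l Ledger, sysPriv ed25519.PrivateKey, authPub ed25519.PublicKey, notAfter int64) string {
	body := tbs(authPub, notAfter)
	return l.Store(append(body, ed25519.Sign(sysPriv, body)...))
}

// AuthRequest carries the first information (address, timestamp, nonce) and the
// first signature information Sign(simPriv, json(first information)).
type AuthRequest struct {
	SIMPubAddr string
	Timestamp  int64
	Nonce      []byte
	Sig        []byte `json:"-"` // excluded from the signed JSON
}

// AuthUnit plays the MME / base-station role; MaxSkew is the "preset threshold"
// of the timestamp check, in seconds (assumption: 60).
type AuthUnit struct {
	L        Ledger
	Priv     ed25519.PrivateKey
	CertAddr string
	MaxSkew  int64
}

// Handle returns ok=false wherever the patent feeds back authentication failure; otherwise
// the certificate and the second signature information Sign(authPriv, nonce || timestamp).
func (a *AuthUnit) Handle(req AuthRequest, now time.Time) (cert, sig2 []byte, ok bool) {
	if d := now.Unix() - req.Timestamp; d > a.MaxSkew || d < -a.MaxSkew {
		return nil, nil, false // outside the replay window
	}
	pub, found := a.L[req.SIMPubAddr]
	if !found || len(pub) != ed25519.PublicKeySize {
		return nil, nil, false // no SIM public key at that address
	}
	body, _ := json.Marshal(req)
	if !ed25519.Verify(ed25519.PublicKey(pub), body, req.Sig) {
		return nil, nil, false // first signature does not verify
	}
	return a.L[a.CertAddr], ed25519.Sign(a.Priv, tbs(req.Nonce, req.Timestamp)), true
}

// Mobile holds the SIM key pair, its storage address and the pre-stored system public key.
type Mobile struct {
	SIMPriv ed25519.PrivateKey
	Addr    string
	SysPub  ed25519.PublicKey
}

func (m *Mobile) Request(now time.Time) AuthRequest {
	req := AuthRequest{SIMPubAddr: m.Addr, Timestamp: now.Unix(), Nonce: make([]byte, 16)}
	rand.Read(req.Nonce)
	body, _ := json.Marshal(req)
	req.Sig = ed25519.Sign(m.SIMPriv, body)
	return req
}

// VerifyReply: certificate unexpired, certificate signature under the system public key,
// then the second signature under the certified key over this request's nonce and timestamp.
func (m *Mobile) VerifyReply(req AuthRequest, cert, sig2 []byte, now time.Time) bool {
	if len(cert) != 40+ed25519.SignatureSize || now.Unix() > int64(binary.BigEndian.Uint64(cert[32:40])) {
		return false
	}
	return ed25519.Verify(m.SysPub, cert[:40], cert[40:]) &&
		ed25519.Verify(ed25519.PublicKey(cert[:32]), tbs(req.Nonce, req.Timestamp), sig2)
}

// Setup registers one authentication unit and one terminal against a fresh ledger.
func Setup(now time.Time) (*AuthUnit, *Mobile) {
	l := Ledger{}
	sysPub, sysPriv, _ := ed25519.GenerateKey(rand.Reader)
	authPub, authPriv, _ := ed25519.GenerateKey(rand.Reader)
	simPub, simPriv, _ := ed25519.GenerateKey(rand.Reader)
	au := &AuthUnit{L: l, Priv: authPriv, MaxSkew: 60,
		CertAddr: RegisterAuthUnit(l, sysPriv, authPub, now.Add(24*time.Hour).Unix())}
	return au, &Mobile{SIMPriv: simPriv, Addr: l.Store(simPub), SysPub: sysPub}
}

func main() {
	au, m := Setup(time.Now())
	req := m.Request(time.Now())                 // terminal -> unit
	cert, sig2, ok := au.Handle(req, time.Now()) // unit -> terminal
	fmt.Println("access granted:", ok && m.VerifyReply(req, cert, sig2, time.Now()))
}
```

What each check buys: the timestamp window bounds how long a captured request can be replayed, the random number ties the second signature to this request rather than to any earlier one, and the certificate's expiry plus the system signature let the terminal trust an authentication unit it has never seen before. The trust root of the whole scheme is the system public key pre-stored on the terminal: the blockchain makes a stored SIM public key or certificate hard to alter after the fact, but it does not protect against a compromised system private key, which could certify any authentication unit.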
According to a fifth aspect of the embodiments of the present disclosure, there is provided a registration apparatus for accessing a mobile communication network, used in the user management server of an authentication system, the user management server being a node in a blockchain network in which each node stores a blockchain composed of a plurality of blocks, the apparatus including:
a first receiving module, configured to receive a registration request of a mobile terminal, the registration request carrying the SIM public key of the mobile terminal;
a first storage module, configured to store the SIM public key in the blockchain; and
a first feedback module, configured to feed back the SIM public key storage address of the SIM public key in the blockchain to the mobile terminal, so that the mobile terminal stores the SIM public key storage address.
Optionally, the apparatus further includes:
a third receiving module, configured to receive a registration request of an authentication unit, the registration request carrying the authentication public key of the authentication unit;
a generating module, configured to generate a certificate of the authentication unit from the authentication public key, the certificate including the authentication public key and the expiration time of the certificate and being signed by the user management server with the system private key of the authentication system; and
a second storage module, configured to store the certificate in the blockchain and feed back the certificate storage address of the certificate in the blockchain to the authentication unit, so that the authentication unit stores the certificate storage address.
According to a sixth aspect of the embodiments of the present disclosure, there is provided an authentication apparatus for accessing a mobile communication network, used in an authentication unit of an authentication system, the authentication unit being a node in a blockchain network in which each node stores a blockchain composed of a plurality of blocks, the apparatus including:
a second receiving module, configured to receive an authentication request initiated by a mobile terminal, the authentication request including first information and first signature information, where the first information includes the SIM public key storage address of the mobile terminal, the first signature information is obtained by signing the first information with the SIM private key of the mobile terminal, and the SIM public key storage address is the address sent to the mobile terminal by the user management server of the authentication system at registration, after the user management server stored in the blockchain the SIM public key carried in the mobile terminal's registration request;
a first obtaining module, configured to obtain the SIM public key from the blockchain according to the SIM public key storage address;
a second feedback module, configured to verify the first signature information with the SIM public key and, if the verification passes, feed back reply information including a certificate of the authentication unit to the mobile terminal, the certificate being used by the mobile terminal to authenticate the identity of the authentication unit; and
an access module, configured to admit the mobile terminal to the mobile communication network on receiving information from the mobile terminal that the reply information has passed authentication.
Optionally, the apparatus further includes a third feedback module, configured to feed back authentication failure information to the mobile terminal if no SIM public key can be obtained from the blockchain at the SIM public key storage address, or if the signature verification of the first signature information with the SIM public key fails.
Optionally, the authentication request further includes the timestamp at which it was initiated, and the apparatus further includes a fourth feedback module, configured to feed back authentication failure information to the mobile terminal if the difference between that timestamp and the current timestamp of the authentication unit exceeds a preset threshold.
Optionally, the authentication request further includes a random number, and the reply information further includes second signature information, obtained by signing the random number and the timestamp with the authentication private key of the authentication unit; the mobile terminal uses the second signature information to verify that the reply information corresponds to its own authentication request.
According to a seventh aspect of the embodiments of the present disclosure, there is provided an authentication apparatus for accessing a mobile communication network, applied to a mobile terminal, the apparatus including:
an initiating module, configured to initiate an authentication request including first information and first signature information, where the first information includes the SIM public key storage address of the mobile terminal, the first signature information is obtained by signing the first information with the SIM private key of the mobile terminal, and the SIM public key storage address is the address sent to the mobile terminal by the user management server of an authentication system at registration, after the user management server stored in a blockchain the SIM public key carried in the mobile terminal's registration request; and
a verification module, configured to verify reply information fed back by an authentication unit of the authentication system when such reply information is received and, if the verification passes, send authentication-passed information to the authentication unit so as to access the mobile communication network, where the reply information is generated by the authentication unit after it has obtained the SIM public key from the blockchain according to the SIM public key storage address in the first information and successfully verified the first signature information with that SIM public key.
Optionally, the first information further includes a random number and the timestamp at which the authentication request was initiated, the reply information includes a certificate of the authentication unit and second signature information, obtained by the authentication unit signing the random number and the timestamp with its authentication private key, and the verification module is specifically configured to parse the certificate with the system public key of the authentication system pre-stored on the mobile terminal, so as to obtain the authentication public key of the authentication unit and the expiration time of the certificate; and, if the certificate is determined to be unexpired from its expiration time, to verify the certificate with the system public key and, if the certificate passes verification, to verify the second signature information in the reply information with the authentication public key.
According to an eighth aspect of the embodiments of the present disclosure, there is provided a computer-readable storage medium on which a computer program is stored, the program, when executed by a processor, implementing the steps of the method of any one of the second or third aspects.
According to a ninth aspect of the embodiments of the present disclosure, there is provided an electronic device including:
a memory on which a computer program is stored; and
a processor configured to execute the computer program in the memory to implement the steps of the method of any one of the second to fourth aspects.
By adopting the above technical solution, at least the following technical effects can be achieved:
the identity of the mobile terminal is authenticated by an authentication unit of the authentication system, and only when that authentication passes does the authentication unit send the mobile terminal the reply information with which the mobile terminal in turn authenticates the identity of the authentication unit. The authentication unit admits the mobile terminal to the mobile communication network after receiving the mobile terminal's message that the reply information has passed authentication. Compared with the related art, this bidirectional authentication, in which the authentication unit authenticates the mobile terminal and the mobile terminal authenticates the authentication unit, further improves the security of authentication when the mobile terminal accesses the mobile communication network. Moreover, authenticating identity with a public key and a private key (an asymmetric key pair), as in the present disclosure, is more secure than authenticating with a symmetric key as in the related art. Furthermore, compared with storing the symmetric key K in the HSS as in the prior art, storing the SIM public key in the blockchain is safer, because a SIM public key once written to the blockchain cannot subsequently be altered. The technical solution of the present disclosure therefore improves the security of authentication when the mobile terminal accesses the mobile communication network, so that only a legitimate mobile terminal can access a legitimate mobile communication network.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows.
Drawings
The accompanying drawings, which are included to provide a further understanding of the disclosure and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure without limiting the disclosure. In the drawings:
Fig. 1 is a block diagram illustrating an authentication system for accessing a mobile communication network according to an exemplary embodiment of the present disclosure.
Fig. 2 is a block diagram illustrating another authentication system for accessing a mobile communication network according to an exemplary embodiment of the present disclosure.
Fig. 3 is a schematic diagram illustrating an authentication system for a mobile terminal to access a mobile communication network according to an exemplary embodiment of the present disclosure.
Fig. 4 is a flowchart illustrating a registration method for accessing a mobile communication network according to an exemplary embodiment of the present disclosure.
Fig. 5 is a flowchart illustrating an authentication method for accessing a mobile communication network according to an exemplary embodiment of the present disclosure.
Fig. 6 is a flowchart illustrating another authentication method for accessing a mobile communication network according to an exemplary embodiment of the present disclosure.
Fig. 7 is a flowchart illustrating an authentication method for a mobile terminal to access a mobile communication network according to an exemplary embodiment of the present disclosure.
Fig. 8 is a block diagram illustrating a registration apparatus for accessing a mobile communication network according to an exemplary embodiment of the present disclosure.
Fig. 9 is a block diagram illustrating an authentication apparatus accessing a mobile communication network according to an exemplary embodiment of the present disclosure.
Fig. 10 is a block diagram illustrating another authentication apparatus accessing a mobile communication network according to an exemplary embodiment of the present disclosure.
Fig. 11 is a block diagram illustrating a mobile terminal according to an exemplary embodiment of the present disclosure.
Fig. 12 is a block diagram illustrating an electronic device according to an exemplary embodiment of the present disclosure.
Detailed Description
The following detailed description of specific embodiments of the present disclosure is provided in connection with the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present disclosure, are given by way of illustration and explanation only, not limitation.
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the exemplary embodiments below are not intended to represent all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present disclosure, as detailed in the appended claims.
In order to make the technical solutions of the present disclosure easier for those of ordinary skill in the art to understand, the following first briefly explains the technical terms related to the specific embodiments of the present disclosure.
A blockchain is a decentralized, trustless and open distributed database. It has the security properties of being tamper-resistant, unforgeable and fully traceable. Immutability means that data stored on the blockchain cannot be changed. The blockchain is maintained by all nodes in the blockchain network and consists of a series of data blocks generated by cryptographic methods, each data block being one block in the chain. The blocks are linked in the chronological order in which they were generated, forming a chain of data, which is why it is called a chain of blocks. Each node in the blockchain network is a computer. Typically, all data is replicated on every node of the blockchain network.
A symmetric key, also called private-key encryption, means that the sender and receiver of a message use the same key to encrypt and decrypt the data. Its main advantage is fast encryption and decryption, which suits large volumes of data; its main disadvantage is key management and distribution, that is, how to deliver the key to the party that needs to decrypt the message. While the key is being sent, there is a great risk that it will be intercepted by an attacker.
Asymmetric-key encryption, also called public-key encryption, provides a very secure method for encrypting and decrypting data. It uses a pair of keys: a public key and a private key. The private key is kept safely by one party only and must not be leaked, while the public key can be issued to anyone. Asymmetric encryption uses one key of the pair for encryption or signing, and the other key of the pair is required for decryption or verification.
The user management server, which in the present disclosure may specifically be a Base Station Subsystem (BSS), is a component of a conventional cellular network responsible for handling traffic and signaling between a mobile phone and the Network Switching Subsystem. The BSS transcodes traffic channels over the air interface, assigns radio channels to mobile phones, and handles paging, transmission and other radio-network tasks. Alternatively, the user management server may be an Operation Support System (OSS), or a Business and Operation Support System (BOSS) server.
The mobility management server, specifically a Mobility Management Entity (MME), is a key control node of a 3GPP LTE access network. It is responsible for positioning, the paging procedure and relaying for idle-mode User Equipment (UE); in short, the MME handles signaling. The MME provides access control functions such as security and admission control, mobility management, attach and detach, session management, selection of the SGW and PGW, and the like.
Attach means that the mobile terminal must complete the registration procedure in the network before performing actual services. A successfully attached terminal obtains an IP address allocated by the network, which provides the terminal with a permanently online IP connection.
A wireless access base station, that is, an Evolved Node B (eNodeB/eNB), is the name of the base station in LTE. It is involved in the bearer activation/deactivation process and selects an SGW (Serving Gateway) for a UE when the UE initially connects. The user is authenticated through interaction with the HSS, and a temporary ID is allocated to the user. The MME provides control-function interfaces for 2G, 3G and other access networks.
Fig. 1 is a block diagram illustrating an authentication system for accessing a mobile communication network according to an exemplary embodiment of the present disclosure. As shown in Fig. 1, the authentication system 100 includes a user management server 110 and an authentication unit 120, where the user management server 110 and the authentication unit 120 are different nodes in the same blockchain network, and each node stores a blockchain composed of a plurality of blocks.
The authentication unit 120 is configured to, upon receiving an authentication request initiated by a mobile terminal, obtain the SIM public key from the blockchain according to the SIM public key storage address in the authentication request, verify the first signature information in the authentication request with that SIM public key, and, if the first signature information verifies, feed back to the mobile terminal reply information including the certificate of the authentication unit, the certificate being used by the mobile terminal to authenticate the identity of the authentication unit. Here, the SIM public key storage address is the address sent to the mobile terminal by the user management server after it stored, when the mobile terminal registered, the SIM public key carried in the mobile terminal's registration request in the blockchain, and the first signature information in the authentication request was signed with the SIM private key of the mobile terminal. The authentication unit 120 is further configured to admit the mobile terminal to the mobile communication network upon receiving information that the mobile terminal has authenticated the reply information.
A mobile terminal, also called a mobile communication terminal, is a computing device that can be used while moving, including a mobile phone, a tablet computer, a smart bracelet and the like.
Specifically, in the process of initially attaching the mobile terminal to the mobile communication service system, that is, in the process of accessing the mobile communication network, the mobile terminal initiates an authentication request. The authentication request includes the SIM public key storage address of the mobile terminal and first signature information obtained by signing the SIM public key storage address with the SIM private key of the mobile terminal. When the mobile terminal registers, the user management server 110 of the authentication system 100 stores the SIM public key carried in the registration request in the blockchain and then sends the storage address of that SIM public key to the mobile terminal.
When the authentication unit 120 receives the authentication request initiated by the mobile terminal, it obtains the SIM public key from the blockchain according to the SIM public key storage address in the request. The authentication unit 120 then verifies the first signature information in the authentication request with the acquired SIM public key. Since the first signature information was signed by the mobile terminal with its SIM private key, the authentication unit 120 can verify it with the SIM public key. If the first signature information verifies, the authentication unit 120 feeds back reply information including its certificate to the mobile terminal.
When the mobile terminal receives the reply information including the certificate of the authentication unit 120, it verifies the signature on the certificate to determine whether the identity of the authentication unit 120 is legitimate. If the certificate verifies, the mobile terminal sends information indicating that the reply information has been authenticated to the authentication unit 120.
Upon receiving the information that the mobile terminal has authenticated the reply information, the authentication unit 120 admits the mobile terminal to the mobile communication network.
In this way, the identity of the mobile terminal is authenticated by the authentication unit of the authentication system, and, once the authentication unit has authenticated the mobile terminal, a reply message with which the mobile terminal authenticates the identity of the authentication unit is sent to the mobile terminal. After receiving the message that the mobile terminal has authenticated the reply message, the authentication unit admits the mobile terminal to the mobile communication network. Compared with the related art, this bidirectional authentication, in which the authentication unit authenticates the identity of the mobile terminal and the mobile terminal authenticates the identity of the authentication unit, further improves authentication security when the mobile terminal accesses the mobile communication network. Moreover, performing identity authentication with a public key and a private key (an asymmetric key pair), as in the present disclosure, is more secure than the related-art method of performing identity authentication with a symmetric key. Furthermore, compared with the related art, in which the symmetric key K is stored in the HSS, storing the SIM public key in the blockchain, as in the present disclosure, is safer because a SIM public key stored in the blockchain cannot be changed. Therefore, the technical solution of the disclosure improves authentication security when the mobile terminal accesses the mobile communication network, so that only a legitimate mobile terminal can access a legitimate mobile communication network.
Alternatively, as shown in fig. 2, the authentication unit 120 is a mobility management server 121 or a wireless access base station 122.
In one implementation, when the authentication unit 120 receives the message that the mobile terminal has authenticated the reply message, an IP address may be assigned to the mobile terminal through the mobility management server 121 or the wireless access base station 122, so that the mobile terminal accesses the mobile communication network and is provided with a permanently online IP connection.
When the authentication unit 120 is the radio access base station 122, compared with the related-art method of authenticating the identity of the mobile terminal through the MME, the above solution moves the authentication process for the mobile terminal forward to the radio access base station 122. This reduces the load on the mobility management server 121 when a large number of mobile terminals are authenticated. Moreover, in one implementation, performing identity authentication of mobile terminals through both the mobility management server 121 and the radio access base station 122 relieves the load on the authentication system 100 when mobile terminals attach and detach at high concurrency, thereby preserving the security of the authentication system 100.
Optionally, the authentication unit 120 is further configured to:
feed back authentication failure information to the mobile terminal if the SIM public key cannot be obtained from the blockchain according to the SIM public key storage address in the authentication request, or if verification of the first signature information in the authentication request with the SIM public key fails.
It will be understood that if the authentication unit 120 cannot obtain a SIM public key from the blockchain according to the SIM public key storage address carried in the mobile terminal's authentication request, this indicates that the mobile terminal is not registered with the authentication system 100, that is, the mobile terminal is an illegitimate user. When the mobile terminal is determined to be an illegitimate user, its authentication request is determined to have failed; in this case the authentication unit 120 feeds back authentication failure information to the mobile terminal and interrupts the subsequent process.
If the authentication unit 120 does obtain a SIM public key from the blockchain according to the SIM public key storage address carried in the authentication request, this indicates that the storage address is a valid address issued when a mobile terminal registered with the authentication system 100. The authentication unit 120 then verifies the first signature information in the authentication request with the acquired SIM public key. If that verification fails, the acquired SIM public key does not match the SIM private key used to produce the first signature information; that is, the SIM public key storage address may belong to another mobile terminal and have been stolen by this one. In this case the mobile terminal is determined to be an illegitimate user, and the authentication unit 120 feeds back authentication failure information to the mobile terminal and interrupts the subsequent process.
Optionally, the authentication request initiated by the mobile terminal further includes a timestamp of when the authentication request was initiated, and the authentication unit 120 is further configured to: feed back authentication failure information to the mobile terminal if the difference between the timestamp in the authentication request and the current timestamp of the authentication unit 120 is determined to exceed a preset threshold.
In one possible case, when the difference between the timestamp in an authentication request initiated by a mobile terminal and the current timestamp of the authentication unit 120 exceeds the preset threshold, the authentication request is likely to have been stolen or intercepted from another terminal; in this case the authentication unit 120 may feed back authentication failure information to the mobile terminal and interrupt the subsequent process.
In one implementation, when the timestamp in the authentication request is not itself signed by the SIM private key, the authentication unit 120 may determine whether the difference between the timestamp in the authentication request and its own current timestamp exceeds the preset threshold before verifying the first signature information with the SIM public key. If the difference exceeds the preset threshold, the authentication unit 120 feeds back authentication failure information to the mobile terminal and interrupts the subsequent process. If the difference is determined not to exceed the preset threshold, the authentication unit 120 verifies the first signature information in the authentication request with the SIM public key, and, if the first signature information verifies, feeds back reply information indicating successful authentication to the mobile terminal.
It should be noted that the authentication request of the mobile terminal may include a storage address of the SIM public key, a timestamp, and first signature information obtained by signing the storage address of the SIM public key and the timestamp using the SIM private key.
Optionally, the authentication request initiated by the mobile terminal further includes a random number, the reply information further includes second signature information, the second signature information is information obtained by signing the random number and the timestamp with an authentication private key of the authentication unit, and the second signature information in the reply information is used by the mobile terminal to verify whether the reply information corresponds to the authentication request.
It should be understood that when the random number and the timestamp in the reply message received by the mobile terminal differ from the random number and the timestamp the mobile terminal used when initiating the authentication request, the authentication unit 120 is not trusted. In this case, the mobile terminal does not authenticate the reply message transmitted by the authentication unit 120.
When the random number and the timestamp in the reply message received by the mobile terminal are the same as those the mobile terminal used when initiating the authentication request, this indicates that the authentication unit 120 sending the reply message is reliable. In this case, the mobile terminal determines that the reply message sent by the authentication unit 120 corresponds to the authentication request it initiated. Further, when the mobile terminal has authenticated the reply information transmitted by the authentication unit 120, it transmits information indicating that the reply information is authenticated to the authentication unit 120, so that the authentication unit 120 allows the mobile terminal to access the mobile communication network.
It should be noted that the authentication request of the mobile terminal may include a storage address of the SIM public key, a timestamp, a random number, and first signature information obtained by signing the storage address of the SIM public key, the timestamp, and the random number by using the SIM private key.
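The registration flow (the user management server stores the SIM public key and returns its storage address) and the authentication unit's checks described above (timestamp window, lookup of the SIM public key by storage address, verification of the first signature information over the address, timestamp and random number), as an added Go example that is not part of the patent and is not code from any implementation of it. It assumes Ed25519 signatures, a storage address formed as the hex SHA-256 of the key bytes, and an in-memory append-only map standing in for the blockchain; the disclosure specifies none of these, and the 30-second window, clock values and nonce are constructed. Go is used because its standard library carries the signature primitive, so the block runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Ledger stands in for the blockchain the nodes share: an append-only map
// from SIM public key storage address to the stored key. The address format
// (hex SHA-256 of the key bytes) is an assumption; the page defines none.
type Ledger struct{ entries map[string]ed25519.PublicKey }

func NewLedger() *Ledger { return &Ledger{entries: map[string]ed25519.PublicKey{}} }

// Register is the user management server side of registration: store the
// SIM public key from the registration request and return its storage address.
func (l *Ledger) Register(simPub ed25519.PublicKey) string {
	sum := sha256.Sum256(simPub)
	addr := hex.EncodeToString(sum[:])
	if _, exists := l.entries[addr]; !exists { // append-only: never overwrite
		l.entries[addr] = simPub
	}
	return addr
}

// AuthRequest carries the first information (storage address, timestamp,
// random number) and the first signature information over all three.
type AuthRequest struct {
	Addr  string
	TS    int64 // Unix seconds at which the terminal initiated the request
	Nonce [16]byte
	Sig   []byte
}

// firstInfo serialises the signed fields with a fixed layout so that the
// address, timestamp and nonce bytes cannot be confused with one another.
func firstInfo(addr string, ts int64, nonce [16]byte) []byte {
	var tsb [8]byte
	binary.BigEndian.PutUint64(tsb[:], uint64(ts))
	b := append([]byte(addr), 0)
	b = append(b, tsb[:]...)
	return append(b, nonce[:]...)
}

// NewAuthRequest is the mobile terminal side: sign the first information
// with the SIM private key.
func NewAuthRequest(simPriv ed25519.PrivateKey, addr string, ts int64, nonce [16]byte) AuthRequest {
	return AuthRequest{Addr: addr, TS: ts, Nonce: nonce,
		Sig: ed25519.Sign(simPriv, firstInfo(addr, ts, nonce))}
}

var (
	ErrStale        = errors.New("authentication failed: timestamp outside the preset window")
	ErrUnregistered = errors.New("authentication failed: no SIM public key at storage address")
	ErrBadSignature = errors.New("authentication failed: first signature does not verify")
)

// Verify is the authentication unit side. The order (timestamp, lookup,
// signature) follows the text: the cheap freshness test runs before any
// blockchain read or signature verification. A nil result means reply
// information may now be sent to the terminal.
func (l *Ledger) Verify(req AuthRequest, now, window int64) error {
	if d := now - req.TS; d > window || d < -window {
		return ErrStale
	}
	pub, ok := l.entries[req.Addr]
	if !ok {
		return ErrUnregistered // never registered: illegitimate terminal
	}
	if !ed25519.Verify(pub, firstInfo(req.Addr, req.TS, req.Nonce), req.Sig) {
		return ErrBadSignature // address belongs to some other SIM's key
	}
	return nil
}

func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	ledger := NewLedger()
	simPub, simPriv := genKey()
	addr := ledger.Register(simPub)
	now := int64(1_700_000_000) // constructed clock value
	nonce := [16]byte{1, 2, 3, 4}
	fmt.Println("legitimate:", ledger.Verify(NewAuthRequest(simPriv, addr, now, nonce), now, 30))
	_, otherPriv := genKey() // unregistered SIM presenting a registered address
	fmt.Println("stolen address:", ledger.Verify(NewAuthRequest(otherPriv, addr, now, nonce), now, 30))
	fmt.Println("unknown address:", ledger.Verify(NewAuthRequest(simPriv, "deadbeef", now, nonce), now, 30))
	fmt.Println("stale request:", ledger.Verify(NewAuthRequest(simPriv, addr, now-600, nonce), now, 30))
}
```

The three failure paths map onto the three cases the text distinguishes: an address with no key behind it (unregistered terminal), a key that does not match the signature (address taken from another terminal), and a timestamp outside the window (request replayed or intercepted from another terminal).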
Optionally, the user management server 110 is configured to receive a registration request of the authentication unit 120, and generate the certificate of the authentication unit according to an authentication public key carried in the registration request, where the certificate includes the authentication public key and an expiration time of the certificate, and the certificate is a certificate signed by the user management server with a system private key of the authentication system; the user management server 110 is further configured to store the certificate in the blockchain, and feed back a certificate storage address of the certificate in the blockchain to the authentication unit; the authentication unit 120 is further configured to store the certificate storage address.
Specifically, when the user management server 110 receives the registration request of the authentication unit 120, it generates a certificate for the authentication unit according to the authentication public key carried in that registration request. The generated certificate includes the authentication public key of the authentication unit 120 and the expiration time set for the certificate. The user management server 110 may also sign the generated certificate with the system private key of the authentication system 100.
Further, the user management server 110 stores the certificate of the authentication unit 120 in the blockchain after generating the certificate, and feeds back the certificate storage address of the certificate in the blockchain to the authentication unit 120. After the authentication unit 120 receives the certificate storage address fed back by the user management server 110, the authentication unit 120 stores the certificate storage address.
Since the certificate of the authentication unit includes its expiration time, in one implementation the user management server 110 of the authentication system may periodically check whether the certificate of each authentication unit has expired. When the certificate of an authentication unit is determined to have expired, a new certificate is generated for that authentication unit, or a prompt message indicating that the certificate has expired is sent to it so that it registers with the user management server 110 again. When the user management server 110 generates a new certificate for an authentication unit, the new certificate is stored in the blockchain and its new storage address is fed back to the authentication unit.
It should be noted that when the certificate is signed by the user management server 110 with the system private key of the authentication system 100, the mobile terminal needs to store the system public key of the authentication system in advance, so that after it receives the reply information including the certificate of the authentication unit 120, it can parse the certificate signed with the system private key using the pre-stored system public key and thereby verify the signature on the certificate.
In detail, the process by which the mobile terminal authenticates the reply message may be as follows:
First, the certificate in the reply message is parsed using the system public key of the authentication system pre-stored on the mobile terminal, yielding the authentication public key of the authentication unit and the expiration time of the certificate.
Second, whether the certificate has expired is judged from its expiration time; if the certificate is determined to have expired, the mobile terminal does not authenticate the reply information. If the certificate is determined not to have expired, it is further verified using the pre-stored system public key; the certificate verification method is similar to that in the related art and is not described again here.
Then, if the certificate verifies, the second signature information in the reply information is verified with the parsed authentication public key, to determine whether the reply information corresponds to the authentication request initiated by the mobile terminal.
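The certificate issuance by the user management server and the mobile terminal's three-step check of the reply information described above, together with the second signature information over the random number and timestamp introduced earlier, as an added Go example that is not part of the patent and is not code from any implementation of it. It assumes Ed25519 signatures and a fixed byte layout for the certificate body (authentication public key followed by the expiry) and for the signed reply body (random number followed by the timestamp); the disclosure fixes neither encoding, and the clock values, expiry and nonce are constructed. The certificate is modelled as a signed, not encrypted, structure, so "parsing with the system public key" amounts to reading the fields and checking the system signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Certificate is what the user management server issues when an
// authentication unit registers: the unit's authentication public key and
// an expiration time, signed with the system private key. The byte layout
// used for signing is an assumption; the page does not fix an encoding.
type Certificate struct {
	AuthPub ed25519.PublicKey
	Expires int64 // Unix seconds
	SysSig  []byte
}

func certBody(pub ed25519.PublicKey, expires int64) []byte {
	var e [8]byte
	binary.BigEndian.PutUint64(e[:], uint64(expires))
	return append(append([]byte{}, pub...), e[:]...)
}

// IssueCertificate is the user management server side of authentication unit
// registration. In the system described, the certificate would then be stored
// in the blockchain and its storage address returned to the unit.
func IssueCertificate(sysPriv ed25519.PrivateKey, authPub ed25519.PublicKey, expires int64) Certificate {
	return Certificate{AuthPub: authPub, Expires: expires,
		SysSig: ed25519.Sign(sysPriv, certBody(authPub, expires))}
}

// Reply is the reply information: the unit's certificate plus second
// signature information over the random number and timestamp taken from
// the terminal's authentication request.
type Reply struct {
	Cert Certificate
	Sig2 []byte
}

func replyBody(nonce [16]byte, ts int64) []byte {
	var t [8]byte
	binary.BigEndian.PutUint64(t[:], uint64(ts))
	return append(append([]byte{}, nonce[:]...), t[:]...)
}

// BuildReply is the authentication unit side after the first signature
// verified: sign the request's nonce and timestamp with the authentication
// private key and attach the certificate fetched by its storage address.
func BuildReply(authPriv ed25519.PrivateKey, cert Certificate, nonce [16]byte, ts int64) Reply {
	return Reply{Cert: cert, Sig2: ed25519.Sign(authPriv, replyBody(nonce, ts))}
}

var (
	ErrCertExpired   = errors.New("reply rejected: authentication unit certificate has expired")
	ErrCertSignature = errors.New("reply rejected: certificate not signed by the system private key")
	ErrReplyMismatch = errors.New("reply rejected: second signature does not match this request")
)

// VerifyReply is the mobile terminal's check, in the order the text gives:
// read the authentication public key and expiry from the certificate, reject
// if expired, verify the certificate with the pre-stored system public key,
// then verify the second signature against the nonce and timestamp that this
// terminal itself placed in its authentication request.
func VerifyReply(sysPub ed25519.PublicKey, r Reply, nonce [16]byte, ts, now int64) error {
	if now >= r.Cert.Expires {
		return ErrCertExpired
	}
	if !ed25519.Verify(sysPub, certBody(r.Cert.AuthPub, r.Cert.Expires), r.Cert.SysSig) {
		return ErrCertSignature // forged, or issued by a different system
	}
	if !ed25519.Verify(r.Cert.AuthPub, replyBody(nonce, ts), r.Sig2) {
		return ErrReplyMismatch // belongs to another request, e.g. a captured reply
	}
	return nil
}

func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	sysPub, sysPriv := genKey()   // system key pair; sysPub is pre-stored on terminals
	authPub, authPriv := genKey() // authentication unit key pair
	now := int64(1_700_000_000)   // constructed clock value
	cert := IssueCertificate(sysPriv, authPub, now+86400)
	nonce, ts := [16]byte{7, 7, 7}, now-1
	good := BuildReply(authPriv, cert, nonce, ts)
	fmt.Println("genuine unit:", VerifyReply(sysPub, good, nonce, ts, now))
	roguePub, roguePriv := genKey() // a unit whose certificate was not issued by this system
	_, otherSysPriv := genKey()
	rogue := BuildReply(roguePriv, IssueCertificate(otherSysPriv, roguePub, now+86400), nonce, ts)
	fmt.Println("rogue unit:", VerifyReply(sysPub, rogue, nonce, ts, now))
	fmt.Println("reply for another request:", VerifyReply(sysPub, good, [16]byte{8}, ts, now))
	fmt.Println("expired certificate:", VerifyReply(sysPub, good, nonce, ts, now+2*86400))
}
```

Binding the second signature to the terminal's own nonce and timestamp is what lets the terminal tell a fresh reply from a genuine but captured one; the certificate check alone would accept both.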
Optionally, the authenticating unit 120 is further configured to, before feeding back the reply information to the mobile terminal, obtain the certificate from the blockchain according to the certificate storage address.
Specifically, the authentication unit 120 may acquire the certificate from the blockchain according to the certificate storage address before feeding back the reply information to the mobile terminal, and then feed back the reply information including the certificate to the mobile terminal.
Fig. 3 is a schematic diagram illustrating an authentication system for a mobile terminal to access a mobile communication network according to an exemplary embodiment of the present disclosure. As shown in Fig. 3, the wireless access base station 122 serves as a bridge between the authentication system 100 and the mobile terminal, and establishes the communication connection between the mobile terminal and the authentication system 100.
In an implementation manner, the radio access base station 122 may be connected to the mobility management server 121, and when the radio access base station 122 receives an authentication request initiated by a mobile terminal, the radio access base station 122 forwards the authentication request to the mobility management server 121 for authentication processing.
Fig. 4 is a flowchart illustrating a registration method for accessing a mobile communication network according to an exemplary embodiment of the present disclosure. The method is applied to a user management server of an authentication system, such as the user management server 110 of the aforementioned authentication system 100; the user management server is a node in a blockchain network, and each node stores a blockchain composed of a plurality of blocks. As shown in Fig. 4, the method includes the following steps:
S31, receiving a registration request of a mobile terminal, wherein the registration request of the mobile terminal carries the SIM public key of the mobile terminal;
S32, storing the SIM public key in the blockchain;
S33, feeding back the storage address of the SIM public key in the blockchain to the mobile terminal, so that the mobile terminal stores the storage address of the SIM public key.
By adopting this method, the SIM public key of the mobile terminal is stored in the blockchain, which prevents the SIM public key from being tampered with, and thus improves the reliability of identity authentication when the mobile terminal accesses the mobile communication network.
Optionally, the method further comprises:
receiving a registration request of an authentication unit of the authentication system, wherein the registration request of the authentication unit carries the authentication public key of the authentication unit, and the authentication unit is a node in the blockchain network; generating a certificate for the authentication unit according to the authentication public key, wherein the certificate includes the authentication public key and the expiration time of the certificate, and the certificate is signed by the user management server with the system private key of the authentication system; and storing the certificate in the blockchain and feeding back the storage address of the certificate in the blockchain to the authentication unit, so that the authentication unit stores the certificate storage address.
Fig. 5 is a flowchart illustrating an authentication method for accessing a mobile communication network according to an exemplary embodiment of the present disclosure. The method is applied to an authentication unit of an authentication system, for example the authentication unit 120 of the aforementioned authentication system 100; the authentication unit is a node in a blockchain network, and each node stores a blockchain composed of a plurality of blocks. As shown in Fig. 5, the method includes the following steps:
S41, receiving an authentication request initiated by a mobile terminal, wherein the authentication request includes first information and first signature information, the first information includes the SIM public key storage address of the mobile terminal, the first signature information is obtained by signing the first information with the SIM private key of the mobile terminal, and the SIM public key storage address was sent to the mobile terminal by a user management server of the authentication system after it stored, when the mobile terminal registered, the SIM public key carried in the mobile terminal's registration request in the blockchain;
S42, obtaining the SIM public key from the blockchain according to the SIM public key storage address;
S43, verifying the first signature information with the SIM public key and, if the first signature information verifies, feeding back reply information including a certificate of the authentication unit to the mobile terminal, wherein the certificate is used by the mobile terminal to authenticate the identity of the authentication unit;
S44, upon receiving information that the mobile terminal has authenticated the reply information, admitting the mobile terminal to the mobile communication network.
By adopting this method, a bidirectional authentication mode is used in which the authentication unit authenticates the identity of the mobile terminal and the mobile terminal authenticates the identity of the authentication unit, which, compared with the related art, further improves authentication security when the mobile terminal accesses the mobile communication network. Moreover, performing identity authentication with a public key and a private key (an asymmetric key pair), as in the present disclosure, is more secure than the related-art method of performing identity authentication with a symmetric key. Furthermore, compared with the related art, in which the symmetric key K is stored in the HSS, storing the SIM public key in the blockchain, as in the present disclosure, is safer because a SIM public key stored in the blockchain cannot be changed. Therefore, the technical solution of the disclosure improves authentication security when the mobile terminal accesses the mobile communication network, so that only a legitimate mobile terminal can access a legitimate mobile communication network.
Optionally, the method further comprises:
and under the condition that the SIM public key is not acquired from the block chain according to the SIM public key storage address, or under the condition that the signature verification of the first signature information is not passed according to the SIM public key, feeding back authentication failure information to the mobile terminal.
Optionally, the first information further includes a timestamp for initiating the authentication request, and the method further includes:
and if the difference value between the timestamp and the current timestamp of the authentication unit is determined to exceed a preset threshold value, feeding back authentication failure information to the mobile terminal.
Optionally, the first information further includes a random number, the reply information further includes second signature information, the second signature information is information obtained by signing the random number and the timestamp with an authentication private key of the authentication unit, and the second signature information in the reply information is used by the mobile terminal to verify whether the reply information corresponds to the authentication request.
Fig. 6 is a flowchart illustrating another authentication method for accessing a mobile communication network according to an exemplary embodiment of the present disclosure, which is applied to a mobile terminal, as shown in fig. 6, and includes the following steps:
S51, initiating an authentication request, where the authentication request includes first information and first signature information, the first information includes the SIM public key storage address of the mobile terminal, and the first signature information is obtained by signing the first information with the SIM private key of the mobile terminal; the SIM public key storage address is sent to the mobile terminal by the user management server of the authentication system at registration time, after the SIM public key carried in the mobile terminal's registration request has been stored in the blockchain;
S52, when reply information fed back by the authentication unit of the authentication system is received, verifying the reply information and, if it passes, sending an authentication-passed message to the authentication unit in order to access the mobile communication network; the reply information is generated after the authentication unit has obtained the SIM public key from the blockchain according to the SIM public key storage address in the first information and verified the first signature information with that SIM public key.
This method has the same advantages as the authentication-unit method above: authentication is bidirectional (the authentication unit authenticates the mobile terminal and the mobile terminal authenticates the authentication unit), it uses an asymmetric key pair rather than the symmetric key of the related art, and the SIM public key is stored in the blockchain rather than in the HSS, where it cannot be altered afterwards. Authentication security when the mobile terminal accesses the mobile communication network is thereby improved, so that only a legitimate mobile terminal can access a legitimate mobile communication network.
Optionally, the first information further includes a nonce and a timestamp for initiating the authentication request, the reply information includes a certificate of the authentication unit, and second signature information, the second signature information is information obtained by the authentication unit signing the nonce and the timestamp with an authentication private key of the authentication unit, and the verifying the reply information includes:
parsing the certificate with the system public key of the authentication system pre-stored on the mobile terminal, to obtain the authentication public key of the authentication unit and the expiration time of the certificate;
and, if the certificate is unexpired according to its expiration time, verifying the certificate with the system public key and, if the certificate verifies, verifying the second signature information in the reply information with the authentication public key.
Fig. 7 is a flowchart illustrating an authentication method for a mobile terminal to access a mobile communication network according to an exemplary embodiment of the present disclosure. As shown in fig. 7, the method comprises the following steps:
S61, the mobile terminal generates a random number, obtains the current timestamp, its SIM public key storage address and its IMSI, and takes the random number, the timestamp, the SIM public key storage address and the IMSI as the first information.
Here the IMSI (International Mobile Subscriber Identity) is the identification code that distinguishes subscribers within a cellular network; an IMSI is unique across all cellular networks.
And S62, the mobile terminal signs the first information by using the SIM private key to obtain first signature information.
S63, the mobile terminal initiates an authentication request, wherein the authentication request comprises the first information and the first signature information.
S64, the authentication unit receives the authentication request initiated by the mobile terminal, where the authentication request includes the first information and the first signature information.
S65, the authentication unit obtains the SIM public key from the blockchain according to the storage address of the SIM public key in the first information.
And S66, the authentication unit feeds back information of authentication failure to the mobile terminal under the condition that the SIM public key is not acquired from the block chain according to the SIM public key storage address.
S67, the authentication unit judges whether the difference value between the timestamp in the first information and the current timestamp of the authentication unit exceeds a preset threshold value under the condition that the SIM public key is obtained from the block chain according to the SIM public key storage address.
And S68, the authentication unit feeds back information of authentication failure to the mobile terminal under the condition that the difference value between the timestamp in the first information and the current timestamp in the authentication unit is determined to exceed a preset threshold value.
S69, the authentication unit performs signature verification on the first signature information according to the acquired SIM public key under the condition that the difference value between the timestamp in the first information and the current timestamp in the authentication unit does not exceed a preset threshold value.
S610, the authentication unit feeds back information of authentication failure to the mobile terminal when the signature verification of the first signature information fails.
S611, when the first signature information has been verified, the authentication unit obtains its certificate from the blockchain (at the certificate storage address it holds), signs the timestamp and the random number with its authentication private key to obtain second signature information, and sends the certificate and the second signature information to the mobile terminal; the certificate is signed with the system private key of the authentication system.
And S612, the mobile terminal receives the certificate and the second signature information fed back by the authentication unit.
S613, the mobile terminal parses the certificate with the system public key of the authentication system pre-stored on the mobile terminal, to obtain the authentication public key of the authentication unit and the expiration time of the certificate.
S614, the mobile terminal verifies the certificate by using the system public key under the condition that the certificate is determined to be unexpired according to the expiration time of the certificate, and performs signature verification on the second signature information in the reply information by using the authentication public key under the condition that the certificate passes the verification;
and S615, the mobile terminal sends the information of passing the authentication to the authentication unit under the condition that the second signature information in the reply information passes the signature verification.
S616, the authentication unit accesses the mobile terminal to the mobile communication network when receiving the information that the authentication sent by the mobile terminal passes.
The detailed implementation of the above steps has been described in detail in the embodiment of the authentication system 100 related to the method, and will not be described herein again.
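The flow of S61 to S614 above, together with the registration it depends on (the user management server writing the SIM public key and the authentication unit's certificate to the blockchain and returning their storage addresses, as in Fig. 8), as an added worked example. This is example code written for this page, not code from the patent: an in-memory hash chain stands in for the blockchain network, textbook RSA over SHA-256 from the Python standard library stands in for a real signature scheme, and the function names, the IMSI, the 60 s timestamp window and the certificate TTL are all assumptions of the example.

```python
"""Added worked example, not the patent's code: Fig. 8 registration and Fig. 7 mutual
authentication over a toy hash chain with stdlib textbook RSA/SHA-256. Names, IMSI, window, TTL constructed."""
import hashlib, json, secrets, time

def _canon(obj) -> bytes:                      # canonical bytes that get signed
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
def _is_probable_prime(n, rounds=32):          # Miller-Rabin, random bases; n is a 256-bit odd candidate
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True
def keygen(bits=512):                          # toy textbook RSA; returns (e, n), (d, n)
    def prime(k):
        while True:
            c = secrets.randbits(k) | (1 << (k - 1)) | 1
            if _is_probable_prime(c):
                return c
    e, p, q = 65537, prime(bits // 2), prime(bits // 2)
    while p == q or (p - 1) * (q - 1) % e == 0:   # e is prime, so this tests gcd(e, phi) == 1
        p, q = prime(bits // 2), prime(bits // 2)
    return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)
def _digest(data: bytes) -> int:               # SHA-256 as an integer, always < a 512-bit modulus
    return int.from_bytes(hashlib.sha256(data).digest(), "big")
def sign(priv, data: bytes) -> int:            # unpadded RSA, for illustration only
    return pow(_digest(data), *priv)
def verify(pub, data: bytes, sig: int) -> bool:
    return pow(sig, *pub) == _digest(data)

class Ledger:                                  # every node's copy; a block's index is its storage address
    def __init__(self):
        self.blocks = []
    def _hash(self, prev, payload):
        return hashlib.sha256(_canon({"prev": prev, "payload": payload})).hexdigest()
    def append(self, payload) -> int:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        self.blocks.append({"prev": prev, "payload": payload, "hash": self._hash(prev, payload)})
        return len(self.blocks) - 1
    def get(self, address):
        return self.blocks[address]["payload"] if isinstance(address, int) and 0 <= address < len(self.blocks) else None
    def intact(self) -> bool:                  # an in-place edit of any stored key or cert breaks the chain
        prev = "0" * 64
        for b in self.blocks:
            if b["prev"] != prev or self._hash(prev, b["payload"]) != b["hash"]:
                return False
            prev = b["hash"]
        return True

def register_terminal(ledger, sim_pub) -> int:                          # user management server, Fig. 8
    return ledger.append({"type": "sim_pub", "key": list(sim_pub)})
def register_auth_unit(ledger, system_priv, auth_pub, now, ttl=3600) -> int:
    body = {"auth_pub": list(auth_pub), "expires": int(now) + ttl}
    return ledger.append({"type": "cert", "body": body, "sig": sign(system_priv, _canon(body))})

def build_request(sim_priv, address, imsi, now):                        # mobile terminal, S61-S63
    first = {"nonce": secrets.randbits(128), "timestamp": int(now), "sim_pub_address": address, "imsi": imsi}
    return {"first": first, "sig": sign(sim_priv, _canon(first))}

def handle_request(ledger, auth_priv, cert_address, req, now, window=60):   # authentication unit, S64-S611
    first, entry = req["first"], ledger.get(req["first"]["sim_pub_address"])
    if not ledger.intact():                                             # example's own check
        return {"status": "fail", "reason": "ledger tampered"}
    if entry is None or entry["type"] != "sim_pub":                     # S66
        return {"status": "fail", "reason": "no SIM public key at address"}
    if abs(first["timestamp"] - now) > window:                          # S67-S68, preset threshold
        return {"status": "fail", "reason": "timestamp outside window"}
    if not verify(tuple(entry["key"]), _canon(first), req["sig"]):      # S69-S610
        return {"status": "fail", "reason": "SIM signature invalid"}
    challenge = _canon({"nonce": first["nonce"], "timestamp": first["timestamp"]})
    return {"status": "ok", "cert": ledger.get(cert_address), "sig": sign(auth_priv, challenge)}

def verify_reply(system_pub, first, reply, now) -> bool:                # mobile terminal, S612-S614
    if reply["status"] != "ok":
        return False
    cert, body = reply["cert"], reply["cert"]["body"]
    cert_ok = body["expires"] > now and verify(system_pub, _canon(body), cert["sig"])   # S613-S614
    challenge = _canon({"nonce": first["nonce"], "timestamp": first["timestamp"]})
    return cert_ok and verify(tuple(body["auth_pub"]), challenge, reply["sig"])

def run_flow(clock_skew=0, tamper=False):      # registration, then one authentication
    now, ledger = int(time.time()), Ledger()
    (system_pub, system_priv), (auth_pub, auth_priv), (sim_pub, sim_priv) = keygen(), keygen(), keygen()
    cert_address = register_auth_unit(ledger, system_priv, auth_pub, now)
    address = register_terminal(ledger, sim_pub)
    if tamper:                                                          # attacker rewrites the stored key in place
        ledger.blocks[address]["payload"]["key"] = list(keygen()[0])
    req = build_request(sim_priv, address, "460001234567890", now + clock_skew)   # constructed IMSI
    reply = handle_request(ledger, auth_priv, cert_address, req, now)
    return reply["status"], verify_reply(system_pub, req["first"], reply, now)  # (status, terminal accepts)
```

`run_flow()` returns `('ok', True)`; `run_flow(clock_skew=600)` is refused at S67-S68 before any signature is checked; and `run_flow(tamper=True)` shows what the blockchain storage buys: an attacker who overwrites the stored SIM public key in place with a key of their own would pass signature verification against a plain key store, but the overwrite breaks the hash chain and the authentication unit refuses the request. Two points the description leaves to the implementer: the steps above reject a stale request but not a second copy of a fresh one, so nonces seen inside the timestamp window should be recorded; and the terminal's authentication-passed message of S615 is described without any signature, so the example does not model S615-S616 and an implementation should bind admission to the request it actually answered.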
Fig. 8 is a block diagram illustrating a registration apparatus for accessing a mobile communication network according to an exemplary embodiment of the present disclosure, where the apparatus 600 is used for a subscriber management server of an authentication system, such as the subscriber management server 110 of the aforementioned authentication system 100, the subscriber management server is a node in a blockchain network, and each node stores a blockchain composed of a plurality of blocks, and the apparatus 600 includes:
a first receiving module 610, configured to receive a registration request of a mobile terminal, where the registration request of the mobile terminal carries an SIM public key of the mobile terminal;
a first storing module 620, configured to store the SIM public key in the blockchain;
a first feedback module 630, configured to feed back, to the mobile terminal, a storage address of the SIM public key in the block chain, so that the mobile terminal stores the storage address of the SIM public key.
By adopting the device, the SIM public key of the mobile terminal is stored in the block chain, so that the SIM public key of the mobile terminal can be prevented from being tampered. And further, the reliability of the identity authentication of the mobile terminal when the mobile terminal is accessed to the mobile communication network can be improved.
Optionally, the apparatus 600 further comprises:
a third receiving module, configured to receive a registration request of an authentication unit, where the registration request of the authentication unit carries an authentication public key of the authentication unit;
the generating module is used for generating a certificate of the authentication unit according to the authentication public key, wherein the certificate comprises the authentication public key and the expiration time of the certificate, and the certificate is signed by the user management server by using a system private key of the authentication system;
and the second storage module is used for storing the certificate in the block chain and feeding back the certificate storage address of the certificate in the block chain to the authentication unit so that the authentication unit stores the certificate storage address.
Fig. 9 is a block diagram of an authentication apparatus for accessing a mobile communication network according to an exemplary embodiment of the present disclosure, the apparatus 700 is used for an authentication unit of an authentication system, such as the authentication unit 120 of the aforementioned authentication system 100, the authentication unit is a node in a blockchain network, each node stores a blockchain composed of a plurality of blocks, and the apparatus 700 includes:
a second receiving module 710, configured to receive an authentication request initiated by a mobile terminal, where the authentication request includes first information and first signature information, the first information includes the SIM public key storage address of the mobile terminal, and the first signature information is obtained by signing the first information with the SIM private key of the mobile terminal; the SIM public key storage address is sent to the mobile terminal by the subscriber management server of the authentication system at registration time, after the SIM public key carried in the mobile terminal's registration request has been stored in the blockchain;
a first obtaining module 720, configured to obtain the SIM public key from the blockchain according to the SIM public key storage address;
a second feedback module 730, configured to perform signature verification on the first signature information according to the SIM public key, and feed back reply information including a certificate of the authentication unit to the mobile terminal when the signature verification on the first signature information is passed, where the certificate is used for authenticating an identity of the authentication unit by the mobile terminal;
an access module 740, configured to access the mobile terminal to the mobile communication network when receiving the information that the mobile terminal passes authentication of the reply information.
This apparatus has the same advantages as the authentication-unit method above: authentication is bidirectional (the authentication unit authenticates the mobile terminal and the mobile terminal authenticates the authentication unit), it uses an asymmetric key pair rather than the symmetric key of the related art, and the SIM public key is stored in the blockchain rather than in the HSS, where it cannot be altered afterwards. Authentication security when the mobile terminal accesses the mobile communication network is thereby improved, so that only a legitimate mobile terminal can access a legitimate mobile communication network.
Optionally, the apparatus 700 further comprises:
and the third feedback module is used for feeding back information of authentication failure to the mobile terminal under the condition that the SIM public key is not obtained from the block chain according to the SIM public key storage address or under the condition that the signature verification of the first signature information is not passed according to the SIM public key.
Optionally, the authentication request further includes a timestamp for initiating the authentication request, and the apparatus further includes:
and the fourth feedback module is used for feeding back authentication failure information to the mobile terminal if the difference value between the timestamp and the current timestamp of the authentication unit is determined to exceed a preset threshold value.
Optionally, the authentication request further includes a random number, the reply information further includes second signature information, the second signature information is information obtained by signing the random number and the timestamp with an authentication private key of the authentication unit, and the second signature information in the reply information is used by the mobile terminal to verify whether the reply information corresponds to the authentication request.
Fig. 10 is a block diagram illustrating another authentication apparatus for accessing a mobile communication network according to an exemplary embodiment of the present disclosure, where the apparatus 800 is applied to a mobile terminal, and the apparatus 800 includes:
an initiating module 810, configured to initiate an authentication request, where the authentication request includes first information and first signature information, the first information includes the SIM public key storage address of the mobile terminal, and the first signature information is obtained by signing the first information with the SIM private key of the mobile terminal; the SIM public key storage address is sent to the mobile terminal by the user management server of the authentication system at registration time, after the SIM public key carried in the mobile terminal's registration request has been stored in the blockchain;
a verification module 820, configured to verify reply information fed back by the authentication unit of the authentication system when it is received and, if the reply information passes the verification, to send an authentication-passed message to the authentication unit in order to access the mobile communication network; the reply information is generated after the authentication unit has obtained the SIM public key from the blockchain according to the SIM public key storage address in the first information and verified the first signature information with that SIM public key.
Optionally, the first information further includes a random number and a timestamp of initiating the authentication request, the reply information includes a certificate of the authentication unit and second signature information, the second signature information is obtained by the authentication unit signing the random number and the timestamp with its authentication private key, and the verification module is specifically configured to parse the certificate with the system public key of the authentication system pre-stored on the mobile terminal, to obtain the authentication public key of the authentication unit and the expiration time of the certificate; and, if the certificate is unexpired according to its expiration time, to verify the certificate with the system public key and, if the certificate verifies, to verify the second signature information in the reply information with the authentication public key.
With regard to the apparatus in the above-described embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be elaborated here.
The embodiments of the present disclosure also provide a computer-readable storage medium, on which a computer program is stored, which when executed by a processor, implements the steps of the authentication or registration method for accessing a mobile communication network in the above embodiments.
Fig. 11 is a block diagram illustrating a mobile terminal 700 according to an exemplary embodiment of the present disclosure. As shown in fig. 11, the mobile terminal 700 may include: a processor 701 and a memory 702. The mobile terminal 700 may also include one or more of a multimedia component 703, an input/output (I/O) interface 704, and a communications component 705.
The processor 701 controls the overall operation of the mobile terminal 700 so as to complete all or part of the steps of the above authentication method for accessing a mobile communication network. The memory 702 stores the various types of data that support operation of the mobile terminal 700, such as the instructions of any application or method running on the mobile terminal 700 and application-related data such as contacts, transmitted and received messages, pictures, audio and video. The memory 702 may be implemented by any type of volatile or non-volatile memory device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, a magnetic disk or an optical disk. The multimedia component 703 may include a screen and an audio component; the screen may be, for example, a touch screen, and the audio component outputs and/or inputs audio signals. For example, the audio component may include a microphone for receiving external audio signals; a received audio signal may be stored in the memory 702 or transmitted through the communication component 705. The audio component also includes at least one speaker for outputting audio signals. The I/O interface 704 provides an interface between the processor 701 and other interface modules such as a keyboard, a mouse or buttons, which may be virtual or physical. The communication component 705 provides wired or wireless communication between the mobile terminal 700 and other devices. The wireless communication may be, for example, Wi-Fi, Bluetooth, near field communication (NFC), 2G, 3G, 4G, NB-IoT, eMTC, 5G or the like, or a combination of one or more of them, which is not limited here.
The corresponding communication component 705 may thus include a Wi-Fi module, a Bluetooth module, an NFC module, and so on.
In an exemplary embodiment, the mobile terminal 700 may be implemented by one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), controllers, microcontrollers, microprocessors or other electronic components for performing the above-described authentication method for accessing a mobile communication network.
In another exemplary embodiment, there is also provided a computer readable storage medium comprising program instructions which, when executed by a processor, implement the steps of the above-described authentication method of accessing a mobile communication network. For example, the computer readable storage medium may be the above-mentioned memory 702 comprising program instructions executable by the processor 701 of the mobile terminal 700 to perform the above-mentioned authentication method for accessing a mobile communication network.
Fig. 12 is a block diagram illustrating an electronic device 1900 in accordance with an exemplary embodiment of the present disclosure. For example, the electronic device 1900 may be provided as a server. Referring to fig. 12, an electronic device 1900 includes a processor 1922, which may be one or more in number, and a memory 1932 for storing computer programs executable by the processor 1922. The computer program stored in memory 1932 may include one or more modules that each correspond to a set of instructions. Further, the processor 1922 may be configured to execute the computer program to perform the above-described registration or authentication method of accessing the mobile communication network on the authentication unit or the subscriber management server side.
Additionally, the electronic device 1900 may also include a power component 1926 and a communication component 1950; the power component 1926 may be configured to perform power management of the electronic device 1900, and the communication component 1950 may be configured to provide communication, e.g. wired or wireless communication, for the electronic device 1900. The electronic device 1900 may also include input/output (I/O) interfaces 1958. The electronic device 1900 may run an operating system stored in the memory 1932, such as Windows Server™, Mac OS X™, Unix™, Linux™ and so on.
In another exemplary embodiment, there is also provided a computer readable storage medium comprising program instructions which, when executed by a processor, implement the steps of the above-described registration or authentication method for accessing a mobile communication network on the authentication unit or subscriber management server side. For example, the computer readable storage medium may be the above-mentioned memory 1932 comprising program instructions executable by the processor 1922 of the electronic device 1900 to perform the above-mentioned registration or authentication method for accessing the mobile communication network at the authentication unit or the subscriber management server side.
In another exemplary embodiment, a computer program product is also provided, which comprises a computer program executable by a programmable apparatus, the computer program having code portions for performing the above-mentioned registration or authentication method of accessing a mobile communication network on the authentication unit or subscriber management server side when executed by the programmable apparatus.
The preferred embodiments of the present disclosure are described in detail with reference to the accompanying drawings, however, the present disclosure is not limited to the specific details of the above embodiments, and various simple modifications may be made to the technical solution of the present disclosure within the technical idea of the present disclosure, and these simple modifications all belong to the protection scope of the present disclosure.
It should be noted that the various features described in the above embodiments may be combined in any suitable manner without departing from the scope of the invention. In order to avoid unnecessary repetition, various possible combinations will not be separately described in this disclosure.
In addition, any combination of various embodiments of the present disclosure may be made, and the same should be considered as the disclosure of the present disclosure, as long as it does not depart from the spirit of the present disclosure.
Examples
1. An authentication system for accessing a mobile communication network comprises a user management server and an authentication unit, wherein the user management server and the authentication unit are different nodes in the same block chain network, and each node stores a block chain consisting of a plurality of blocks;
the authentication unit is configured, on receiving an authentication request initiated by a mobile terminal, to obtain the SIM public key from the blockchain according to the SIM public key storage address in the authentication request, to verify the first signature information in the authentication request with the SIM public key and, if the verification passes, to feed back reply information including a certificate of the authentication unit to the mobile terminal, the certificate being used by the mobile terminal to authenticate the identity of the authentication unit; the SIM public key storage address is sent to the mobile terminal by the user management server at registration time, after the SIM public key carried in the mobile terminal's registration request has been stored in the blockchain, and the first signature information in the authentication request is signed with the SIM private key of the mobile terminal;
the authentication unit is further configured to access the mobile terminal to the mobile communication network when receiving information that the mobile terminal passes authentication of the reply information.
2. According to the system of embodiment 1, the authentication unit is a mobility management server or a wireless access base station.
3. The system of embodiment 1, the authentication unit further to:
and under the condition that the SIM public key is not obtained from the block chain according to the SIM public key storage address in the authentication request, or under the condition that the signature verification of the first signature information in the authentication request is not passed according to the SIM public key, feeding back authentication failure information to the mobile terminal.
4. The system according to any of embodiments 1-3, wherein the authentication request initiated by the mobile terminal further includes a timestamp initiating the authentication request, and the authentication unit is further configured to:
and if the difference value between the time stamp in the authentication request and the current time stamp of the authentication unit is determined to exceed a preset threshold value, feeding back authentication failure information to the mobile terminal.
5. According to the system of embodiment 4, the authentication request initiated by the mobile terminal further includes a random number, the reply information further includes second signature information, the second signature information is obtained by signing the random number and the timestamp with an authentication private key of the authentication unit, and the second signature information in the reply information is used by the mobile terminal to verify whether the reply information corresponds to the authentication request.
6. The system according to embodiment 1, wherein the user management server is configured to receive a registration request of the authentication unit, and generate the certificate of the authentication unit according to an authentication public key carried in the registration request, where the certificate includes the authentication public key and expiration time of the certificate, and the certificate is a certificate signed by the user management server with a system private key of the authentication system;
the user management server is further configured to store the certificate in the blockchain, and feed back a certificate storage address of the certificate in the blockchain to the authentication unit;
the authentication unit is further configured to store the certificate storage address.
7. The system of embodiment 6, wherein the authentication unit is further configured to obtain the certificate from the blockchain according to the certificate storage address before feeding back the reply message to the mobile terminal.
8. A registration method for accessing a mobile communication network, the method being applied to a subscriber management server of an authentication system, the subscriber management server being a node in a blockchain network, each of the nodes storing a blockchain consisting of a plurality of blocks, the method comprising:
receiving a registration request of a mobile terminal, wherein the registration request of the mobile terminal carries an SIM public key of the mobile terminal;
storing the SIM public key in the blockchain; and
and feeding back the SIM public key storage address of the SIM public key in the block chain to the mobile terminal so as to enable the mobile terminal to store the SIM public key storage address.
9. The method of embodiment 8, further comprising:
receiving a registration request of an authentication unit of the authentication system, wherein the registration request of the authentication unit carries an authentication public key of the authentication unit, and the authentication unit is a node in the block chain network;
generating a certificate of the authentication unit according to the authentication public key, wherein the certificate comprises the authentication public key and the expiration time of the certificate, and the certificate is signed by the user management server by using a system private key of the authentication system;
and storing the certificate in the blockchain, and feeding back the certificate storage address of the certificate in the blockchain to the authentication unit so that the authentication unit stores the certificate storage address.
10. An authentication method for accessing a mobile communication network, the method being applied to an authentication unit of an authentication system, the authentication unit being a node in a blockchain network, each of the nodes storing a blockchain composed of a plurality of blocks, the method comprising:
receiving an authentication request initiated by a mobile terminal, wherein the authentication request comprises first information and first signature information, the first information comprises an SIM public key storage address of the mobile terminal, the first signature information is information obtained by signing the first information by using an SIM private key of the mobile terminal, and the SIM public key storage address is sent to the mobile terminal after a user management server of the authentication system stores an SIM public key carried in the mobile terminal registration request in the block chain when the mobile terminal is registered;
acquiring the SIM public key from the block chain according to the SIM public key storage address;
performing signature verification on the first signature information according to the SIM public key, and feeding back reply information including a certificate of the authentication unit to the mobile terminal under the condition that the signature verification on the first signature information is passed, wherein the certificate is used for authenticating the identity of the authentication unit by the mobile terminal;
and when receiving the information that the mobile terminal passes the authentication of the reply information, accessing the mobile terminal to the mobile communication network.
11. The method of embodiment 10, further comprising:
and under the condition that the SIM public key is not acquired from the block chain according to the SIM public key storage address, or under the condition that the signature verification of the first signature information is not passed according to the SIM public key, feeding back authentication failure information to the mobile terminal.
12. The method of embodiment 10, the first information further comprising a timestamp of the initiation of the authentication request, the method further comprising:
and if the difference value between the timestamp and the current timestamp of the authentication unit is determined to exceed a preset threshold value, feeding back authentication failure information to the mobile terminal.
13. The method according to embodiment 12, wherein the first information further includes a random number, the reply information further includes second signature information, the second signature information is obtained by signing the random number and the timestamp with an authentication private key of the authentication unit, and the second signature information in the reply information is used by the mobile terminal to verify whether the reply information corresponds to the authentication request.
14. An authentication method for accessing a mobile communication network, the method being applied to a mobile terminal, the method comprising:
initiating an authentication request, wherein the authentication request comprises first information and first signature information, the first information comprises an SIM public key storage address of the mobile terminal, the first signature information is information obtained by signing the first information with an SIM private key of the mobile terminal, and the SIM public key storage address is sent to the mobile terminal by a user management server of an authentication system after the user management server stores, when the mobile terminal is registered, the SIM public key carried in the mobile terminal registration request in the blockchain;
and verifying reply information in the case of receiving the reply information fed back by an authentication unit of the authentication system, and sending authenticated information to the authentication unit in the case that the verification passes, so as to access the mobile communication network, wherein the reply information is generated by the authentication unit when, after acquiring the SIM public key from the blockchain according to the SIM public key storage address in the first information, the signature verification of the first signature information using the SIM public key passes.
15. The method according to embodiment 14, wherein the first information further includes a nonce and a timestamp of the initiation of the authentication request, the reply information includes a certificate of the authentication unit and second signature information, the second signature information being information obtained by the authentication unit signing the nonce and the timestamp with an authentication private key of the authentication unit, and the verifying the reply information includes:
analyzing the certificate by using a system public key of the authentication system prestored on the mobile terminal to obtain an authentication public key of the authentication unit in the certificate and the expiration time of the certificate;
and under the condition that the certificate is determined to be unexpired according to the expiration time of the certificate, verifying the certificate by using the system public key, and under the condition that the certificate passes verification, performing signature verification on the second signature information in the reply information by using the authentication public key.
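The registration step of embodiment 8 and the mutual authentication exchange of embodiments 10-15 (restated in claims 3-5), as an added worked example that is not part of the patent. It assumes Ed25519 for all three key pairs, an in-memory map standing in for the blockchain, a constructed storage address format, and the concrete encodings AuthPub||Expiry, Addr||Nonce||Timestamp and Nonce||Timestamp for the signed messages, none of which the patent specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Ledger stands in for the shared blockchain: storage address -> SIM public key stored there.
type Ledger map[string]ed25519.PublicKey

// Certificate of the authentication unit, signed by the user management server with the
// system private key over AuthPub||Expiry (encoding is an assumption of this example).
type Certificate struct {
	AuthPub ed25519.PublicKey
	Expiry  int64 // unix seconds
	Sig     []byte
}

func certBody(pub ed25519.PublicKey, expiry int64) []byte { return binary.BigEndian.AppendUint64(append([]byte{}, pub...), uint64(expiry)) }
func IssueCertificate(systemPriv ed25519.PrivateKey, authPub ed25519.PublicKey, expiry int64) Certificate {
	return Certificate{AuthPub: authPub, Expiry: expiry, Sig: ed25519.Sign(systemPriv, certBody(authPub, expiry))}
}

// AuthRequest: first information (Addr, Nonce, Timestamp) plus the first signature
// over Addr||Nonce||Timestamp made with the SIM private key.
type AuthRequest struct {
	Addr      string
	Nonce     []byte
	Timestamp int64
	Sig       []byte
}

func firstInfo(r AuthRequest) []byte { return binary.BigEndian.AppendUint64(append([]byte(r.Addr), r.Nonce...), uint64(r.Timestamp)) }
func NewAuthRequest(simPriv ed25519.PrivateKey, addr string, now int64) (AuthRequest, error) {
	r := AuthRequest{Addr: addr, Nonce: make([]byte, 16), Timestamp: now}
	if _, err := rand.Read(r.Nonce); err != nil {
		return AuthRequest{}, err
	}
	r.Sig = ed25519.Sign(simPriv, firstInfo(r))
	return r, nil
}

// Reply: the certificate plus the second signature over Nonce||Timestamp made with the
// authentication private key, which ties the reply to this one request.
type Reply struct {
	Cert Certificate
	Sig  []byte
}

func replyBody(r AuthRequest) []byte { return binary.BigEndian.AppendUint64(append([]byte{}, r.Nonce...), uint64(r.Timestamp)) }

// HandleAuthRequest is the authentication unit side; maxSkew is the preset threshold
// (seconds) on the gap between the request timestamp and the unit's own clock.
func HandleAuthRequest(ledger Ledger, authPriv ed25519.PrivateKey, cert Certificate, req AuthRequest, now, maxSkew int64) (Reply, error) {
	if d := now - req.Timestamp; d > maxSkew || d < -maxSkew {
		return Reply{}, errors.New("authentication failed: timestamp outside threshold")
	}
	simPub, ok := ledger[req.Addr]
	if !ok {
		return Reply{}, errors.New("authentication failed: no SIM public key at address")
	}
	if !ed25519.Verify(simPub, firstInfo(req), req.Sig) {
		return Reply{}, errors.New("authentication failed: first signature invalid")
	}
	return Reply{Cert: cert, Sig: ed25519.Sign(authPriv, replyBody(req))}, nil
}

// VerifyReply is the mobile terminal side: expiry first, then the certificate under
// the pre-stored system public key, then the second signature under the certified key.
func VerifyReply(systemPub ed25519.PublicKey, req AuthRequest, rep Reply, now int64) error {
	if rep.Cert.Expiry <= now {
		return errors.New("certificate expired")
	}
	if !ed25519.Verify(systemPub, certBody(rep.Cert.AuthPub, rep.Cert.Expiry), rep.Cert.Sig) {
		return errors.New("certificate not signed with the system private key")
	}
	if !ed25519.Verify(rep.Cert.AuthPub, replyBody(req), rep.Sig) {
		return errors.New("second signature does not match this request")
	}
	return nil
}

func main() { // one full round with freshly generated keys for all three parties
	now := time.Now().Unix()
	systemPub, systemPriv, _ := ed25519.GenerateKey(rand.Reader)
	simPub, simPriv, _ := ed25519.GenerateKey(rand.Reader)
	authPub, authPriv, _ := ed25519.GenerateKey(rand.Reader)
	ledger := Ledger{"block-1/tx-0": simPub} // registration: constructed storage address
	cert := IssueCertificate(systemPriv, authPub, now+3600)
	req, _ := NewAuthRequest(simPriv, "block-1/tx-0", now)
	rep, err := HandleAuthRequest(ledger, authPriv, cert, req, now, 60)
	if err != nil {
		panic(err)
	}
	fmt.Println("terminal verdict:", VerifyReply(systemPub, req, rep, now)) // prints <nil>
}
```

The order of checks on the terminal side follows embodiment 15: a stale timestamp, an unknown address, a tampered request, an expired certificate, a certificate not signed by the system key, or a reply produced for a different request are each rejected.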
16. A registration apparatus for accessing a mobile communication network, the apparatus being applied to a subscriber management server of an authentication system, the subscriber management server being a node in a blockchain network, each of the nodes storing a blockchain made up of a plurality of blocks, the apparatus comprising:
a first receiving module, configured to receive a registration request of a mobile terminal, wherein the registration request of the mobile terminal carries an SIM public key of the mobile terminal;
a first storage module, configured to store the SIM public key in the block chain;
and the first feedback module is used for feeding back the SIM public key storage address of the SIM public key in the block chain to the mobile terminal so as to enable the mobile terminal to store the SIM public key storage address.
17. An authentication apparatus for accessing a mobile communication network, the apparatus being applied to an authentication unit of an authentication system, the authentication unit being a node in a blockchain network, each of the nodes storing a blockchain consisting of a plurality of blocks, the apparatus comprising:
a second receiving module, configured to receive an authentication request initiated by a mobile terminal, where the authentication request includes first information and first signature information, the first information includes an SIM public key storage address of the mobile terminal, and the first signature information is information obtained by signing the first information with an SIM private key of the mobile terminal, where the SIM public key storage address is sent to the mobile terminal by a subscriber management server of the authentication system after the subscriber management server stores, when the mobile terminal is registered, the SIM public key carried in the mobile terminal registration request in the blockchain;
the first obtaining module is used for obtaining the SIM public key from the block chain according to the SIM public key storage address;
the second feedback module is used for performing signature verification on the first signature information according to the SIM public key and feeding back reply information comprising a certificate of the authentication unit to the mobile terminal under the condition that the signature verification on the first signature information is passed, wherein the certificate is used for authenticating the identity of the authentication unit by the mobile terminal;
and the access module is used for accessing the mobile terminal to the mobile communication network when receiving the information that the mobile terminal passes the authentication of the reply information.
18. An authentication apparatus for accessing a mobile communication network, the apparatus being applied to a mobile terminal, the apparatus comprising:
an initiating module, configured to initiate an authentication request, wherein the authentication request comprises first information and first signature information, the first information comprises an SIM public key storage address of the mobile terminal, the first signature information is information obtained by signing the first information with an SIM private key of the mobile terminal, and the SIM public key storage address is sent to the mobile terminal by a user management server of an authentication system after the user management server stores, when the mobile terminal is registered, the SIM public key carried in the mobile terminal registration request in the blockchain;
and a verification module, configured to verify reply information in the case that the reply information fed back by an authentication unit of the authentication system is received, and to send authenticated information to the authentication unit in the case that the reply information passes the verification, so as to access the mobile communication network, wherein the reply information is generated by the authentication unit when, after acquiring the SIM public key from the blockchain according to the SIM public key storage address in the first information, the signature verification of the first signature information using the SIM public key passes.
19. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method of any of the embodiments 8-15.
20. An electronic device, comprising:
a memory having a computer program stored thereon;
a processor for executing the computer program in the memory to implement the steps of the method of any of embodiments 8-15.
Claims (10)
1. An authentication system for accessing a mobile communication network is characterized by comprising a user management server and an authentication unit, wherein the user management server and the authentication unit are different nodes in the same block chain network, and each node stores a block chain consisting of a plurality of blocks;
the authentication unit is configured to, in the case of receiving an authentication request initiated by a mobile terminal, acquire an SIM public key from the blockchain according to an SIM public key storage address in the authentication request, perform signature verification on first signature information in the authentication request according to the SIM public key, and feed back reply information including a certificate of the authentication unit to the mobile terminal in the case that the signature verification of the first signature information passes, the certificate being used by the mobile terminal to authenticate the identity of the authentication unit, wherein the SIM public key storage address is sent to the mobile terminal by the user management server after the user management server stores, when the mobile terminal is registered, the SIM public key carried in the mobile terminal registration request in the blockchain, and the first signature information in the authentication request is signed with an SIM private key of the mobile terminal;
the authentication unit is further configured to access the mobile terminal to the mobile communication network when receiving information that the mobile terminal passes authentication of the reply information.
2. The system of claim 1, wherein the authentication unit is a mobility management server or a wireless access base station.
3. A registration method for accessing a mobile communication network, the method being applied to a subscriber management server of an authentication system, the subscriber management server being a node in a blockchain network, each node storing a blockchain consisting of a plurality of blocks, the method comprising:
receiving a registration request of a mobile terminal, wherein the registration request of the mobile terminal carries an SIM public key of the mobile terminal;
storing the SIM public key in the blockchain; and
feeding back the SIM public key storage address of the SIM public key in the blockchain to the mobile terminal, so that the mobile terminal stores the SIM public key storage address.
4. An authentication method for accessing a mobile communication network, the method being applied to an authentication unit of an authentication system, the authentication unit being a node in a blockchain network, each node storing a blockchain consisting of a plurality of blocks, the method comprising:
receiving an authentication request initiated by a mobile terminal, wherein the authentication request comprises first information and first signature information, the first information comprises an SIM public key storage address of the mobile terminal, the first signature information is information obtained by signing the first information by using an SIM private key of the mobile terminal, and the SIM public key storage address is sent to the mobile terminal after a user management server of the authentication system stores an SIM public key carried in the mobile terminal registration request in the block chain when the mobile terminal is registered;
acquiring the SIM public key from the block chain according to the SIM public key storage address;
performing signature verification on the first signature information according to the SIM public key, and feeding back reply information including a certificate of the authentication unit to the mobile terminal under the condition that the signature verification on the first signature information is passed, wherein the certificate is used for authenticating the identity of the authentication unit by the mobile terminal;
and when receiving the information that the mobile terminal passes the authentication of the reply information, accessing the mobile terminal to the mobile communication network.
5. An authentication method for accessing a mobile communication network, the method being applied to a mobile terminal, the method comprising:
initiating an authentication request, wherein the authentication request comprises first information and first signature information, the first information comprises an SIM public key storage address of the mobile terminal, the first signature information is information obtained by signing the first information with an SIM private key of the mobile terminal, and the SIM public key storage address is sent to the mobile terminal by a user management server of an authentication system after the user management server stores, when the mobile terminal is registered, the SIM public key carried in the mobile terminal registration request in the blockchain;
and verifying reply information in the case of receiving the reply information fed back by an authentication unit of the authentication system, and sending authenticated information to the authentication unit in the case that the verification passes, so as to access the mobile communication network, wherein the reply information is generated by the authentication unit when, after acquiring the SIM public key from the blockchain according to the SIM public key storage address in the first information, the signature verification of the first signature information using the SIM public key passes.
6. A registration apparatus for accessing a mobile communication network, the apparatus being applied to a subscriber management server of an authentication system, the subscriber management server being a node in a blockchain network, each node storing a blockchain consisting of a plurality of blocks, the apparatus comprising:
a first receiving module, configured to receive a registration request of a mobile terminal, wherein the registration request of the mobile terminal carries an SIM public key of the mobile terminal;
a first storage module, configured to store the SIM public key in the block chain;
and the first feedback module is used for feeding back the SIM public key storage address of the SIM public key in the block chain to the mobile terminal so as to enable the mobile terminal to store the SIM public key storage address.
7. An authentication apparatus for accessing a mobile communication network, the apparatus being applied to an authentication unit of an authentication system, the authentication unit being a node in a blockchain network, each node storing a blockchain consisting of a plurality of blocks, the apparatus comprising:
a second receiving module, configured to receive an authentication request initiated by a mobile terminal, where the authentication request includes first information and first signature information, the first information includes an SIM public key storage address of the mobile terminal, and the first signature information is information obtained by signing the first information with an SIM private key of the mobile terminal, where the SIM public key storage address is sent to the mobile terminal by a subscriber management server of the authentication system after the subscriber management server stores, when the mobile terminal is registered, the SIM public key carried in the mobile terminal registration request in the blockchain;
the first obtaining module is used for obtaining the SIM public key from the block chain according to the SIM public key storage address;
the second feedback module is used for performing signature verification on the first signature information according to the SIM public key and feeding back reply information comprising a certificate of the authentication unit to the mobile terminal under the condition that the signature verification on the first signature information is passed, wherein the certificate is used for authenticating the identity of the authentication unit by the mobile terminal;
and the access module is used for accessing the mobile terminal to the mobile communication network when receiving the information that the mobile terminal passes the authentication of the reply information.
8. An authentication apparatus for accessing a mobile communication network, the apparatus being applied to a mobile terminal, the apparatus comprising:
an initiating module, configured to initiate an authentication request, wherein the authentication request comprises first information and first signature information, the first information comprises an SIM public key storage address of the mobile terminal, the first signature information is information obtained by signing the first information with an SIM private key of the mobile terminal, and the SIM public key storage address is sent to the mobile terminal by a user management server of an authentication system after the user management server stores, when the mobile terminal is registered, the SIM public key carried in the mobile terminal registration request in the blockchain;
and a verification module, configured to verify reply information in the case that the reply information fed back by an authentication unit of the authentication system is received, and to send authenticated information to the authentication unit in the case that the reply information passes the verification, so as to access the mobile communication network, wherein the reply information is generated by the authentication unit when, after acquiring the SIM public key from the blockchain according to the SIM public key storage address in the first information, the signature verification of the first signature information using the SIM public key passes.
9. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 3 to 5.
10. An electronic device, comprising:
a memory having a computer program stored thereon;
a processor for executing the computer program in the memory to carry out the steps of the method of any one of claims 3 to 5.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011080623.6A CN112291064B (en) | 2020-10-10 | 2020-10-10 | Authentication system, registration and authentication method, device, storage medium and electronic equipment |
PCT/CN2021/119710 WO2022073420A1 (en) | 2020-10-10 | 2021-09-22 | Authentication system, registration and authentication method, apparatus, storage medium, and electronic device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011080623.6A CN112291064B (en) | 2020-10-10 | 2020-10-10 | Authentication system, registration and authentication method, device, storage medium and electronic equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112291064A true CN112291064A (en) | 2021-01-29 |
CN112291064B CN112291064B (en) | 2022-08-30 |
Family
ID=74422448
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011080623.6A Active CN112291064B (en) | 2020-10-10 | 2020-10-10 | Authentication system, registration and authentication method, device, storage medium and electronic equipment |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN112291064B (en) |
WO (1) | WO2022073420A1 (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113194471A (en) * | 2021-05-21 | 2021-07-30 | 中国联合网络通信集团有限公司 | Wireless network access method, device and terminal based on block chain network |
CN113630244A (en) * | 2021-07-14 | 2021-11-09 | 国网河北省电力有限公司信息通信分公司 | End-to-end safety guarantee method facing communication sensor network and edge server |
WO2022073420A1 (en) * | 2020-10-10 | 2022-04-14 | 达闼机器人有限公司 | Authentication system, registration and authentication method, apparatus, storage medium, and electronic device |
CN114520976A (en) * | 2022-04-20 | 2022-05-20 | 北京时代亿信科技股份有限公司 | Authentication method and device for user identity identification card and nonvolatile storage medium |
CN115396165A (en) * | 2022-08-15 | 2022-11-25 | 中国联合网络通信集团有限公司 | File management method and device, electronic equipment and storage medium |
US11877218B1 (en) | 2021-07-13 | 2024-01-16 | T-Mobile Usa, Inc. | Multi-factor authentication using biometric and subscriber data systems and methods |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115242479B (en) * | 2022-07-15 | 2023-10-31 | 东软集团股份有限公司 | Communication method and device based on blockchain gateway, storage medium and electronic equipment |
CN115967563B (en) * | 2022-12-23 | 2024-05-28 | 四川启睿克科技有限公司 | Block chain-based energy data acquisition and uplink method |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040158716A1 (en) * | 2001-02-08 | 2004-08-12 | Esa Turtiainen | Authentication and authorisation based secure ip connections for terminals |
CN101183932A (en) * | 2007-12-03 | 2008-05-21 | 宇龙计算机通信科技(深圳)有限公司 | Security identification system of wireless application service and login and entry method thereof |
CN103491540A (en) * | 2013-09-18 | 2014-01-01 | 东北大学 | Wireless local area network two-way access authentication system and method based on identity certificates |
CN108702622A (en) * | 2017-11-30 | 2018-10-23 | 深圳前海达闼云端智能科技有限公司 | Mobile network's access authentication method, device, storage medium and block chain node |
CN110493237A (en) * | 2019-08-26 | 2019-11-22 | 深圳前海环融联易信息科技服务有限公司 | Identity management method, device, computer equipment and storage medium |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10826704B2 (en) * | 2018-08-31 | 2020-11-03 | Hewlett Packard Enterprise Development Lp | Blockchain key storage on SIM devices |
CN112291064B (en) * | 2020-10-10 | 2022-08-30 | 达闼机器人股份有限公司 | Authentication system, registration and authentication method, device, storage medium and electronic equipment |
Family timeline:
- 2020-10-10: CN application CN202011080623.6A, granted as CN112291064B (Active)
- 2021-09-22: WO application PCT/CN2021/119710, published as WO2022073420A1 (Application Filing)
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2022073420A1 (en) * | 2020-10-10 | 2022-04-14 | 达闼机器人有限公司 | Authentication system, registration and authentication method, apparatus, storage medium, and electronic device |
CN113194471A (en) * | 2021-05-21 | 2021-07-30 | 中国联合网络通信集团有限公司 | Wireless network access method, device and terminal based on block chain network |
CN113194471B (en) * | 2021-05-21 | 2023-04-07 | 中国联合网络通信集团有限公司 | Wireless network access method, device and terminal based on block chain network |
US11877218B1 (en) | 2021-07-13 | 2024-01-16 | T-Mobile Usa, Inc. | Multi-factor authentication using biometric and subscriber data systems and methods |
CN113630244A (en) * | 2021-07-14 | 2021-11-09 | 国网河北省电力有限公司信息通信分公司 | End-to-end safety guarantee method facing communication sensor network and edge server |
CN114520976A (en) * | 2022-04-20 | 2022-05-20 | 北京时代亿信科技股份有限公司 | Authentication method and device for user identity identification card and nonvolatile storage medium |
CN115396165A (en) * | 2022-08-15 | 2022-11-25 | 中国联合网络通信集团有限公司 | File management method and device, electronic equipment and storage medium |
CN115396165B (en) * | 2022-08-15 | 2024-05-14 | 中国联合网络通信集团有限公司 | File management method and device, electronic equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
WO2022073420A1 (en) | 2022-04-14 |
CN112291064B (en) | 2022-08-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN112291064B (en) | Authentication system, registration and authentication method, device, storage medium and electronic equipment | |
US9485232B2 (en) | User equipment credential system | |
EP2868029B1 (en) | Key agreement for wireless communication | |
EP2528268B3 (en) | Cyptographic key generation | |
US7773973B2 (en) | Method for authentication between a mobile station and a network | |
US7472273B2 (en) | Authentication in data communication | |
KR100975685B1 (en) | Secure bootstrapping for wireless communications | |
US9654284B2 (en) | Group based bootstrapping in machine type communication | |
KR20000011999A (en) | Method for updating secret shared data in a wireless communication system | |
KR20010021127A (en) | Method and apparatus for performing a key update using bidirectional validation | |
JP2012034381A (en) | Generic key-decision mechanism for gaa | |
US10897707B2 (en) | Methods and apparatus for direct communication key establishment | |
CN112640385B (en) | non-SI device and SI device for use in SI system and corresponding methods | |
JP2023162296A (en) | Non-3GPP device access to core network | |
KR20080093449A (en) | Gsm authentication in a cdma network | |
CN108271154B (en) | Authentication method and device | |
CN111770496B (en) | 5G-AKA authentication method, unified data management network element and user equipment | |
WO2007025484A1 (en) | Updating negotiation method for authorization key and device thereof | |
KR101431214B1 (en) | Mutual authentication method and system with network in machine type communication, key distribution method and system, and uicc and device pair authentication method and system in machine type communication | |
CN108282775B (en) | Dynamic additional authentication method and system for mobile private network | |
CN106060810B (en) | The method for building up and system of connection relationship between mobile device | |
US11974131B2 (en) | Systems and methods for seamless cross-application authentication | |
WO2017022643A1 (en) | Communications system, communications device, communications method, and program | |
RU2779029C1 (en) | Access of a non-3gpp compliant apparatus to the core network | |
CN117678255A (en) | Edge enabler client identification authentication procedure |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: 201111 Building 8, No. 207, Zhongqing Road, Minhang District, Shanghai; Applicant after: Dayu robot Co.,Ltd. Address before: 200245 2nd floor, building 2, no.1508, Kunyang Road, Minhang District, Shanghai; Applicant before: Dalu Robot Co.,Ltd. |
| GR01 | Patent grant | |