
CN116488853A - A trusted authentication method for mobile office scenarios - Google Patents


Info

Publication number
CN116488853A
Authority
CN
China
Prior art keywords
authentication
terminal device
company server
operator
mobile office
Prior art date
Legal status
Pending
Application number
CN202310248254.4A
Other languages
Chinese (zh)
Inventor
和建文
孔令南
冯国栋
冯林
李晢燊
傅磊毅
陈洲廷
李涛
张柳凤
钱振东
Current Assignee
China Mobile Group Yunnan Co Ltd
Original Assignee
China Mobile Group Yunnan Co Ltd
Application filed by China Mobile Group Yunnan Co Ltd
Priority to CN202310248254.4A
Publication of CN116488853A
Legal status: Pending


Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/08 for authentication of entities
              • H04L63/083 using passwords
            • H04L63/04 for providing a confidential data exchange among entities communicating through data packet networks
              • H04L63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                • H04L63/0435 wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
            • H04L63/12 Applying verification of the received information
              • H04L63/123 received data contents, e.g. message integrity
          • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
              • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
            • H04L9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
              • H04L9/3297 involving time stamps, e.g. generation of time stamps
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W12/03 Protecting confidentiality, e.g. by encryption
            • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
              • H04W12/043 using a trusted network node as an anchor
                • H04W12/0431 Key distribution or pre-distribution; Key agreement
            • H04W12/06 Authentication
              • H04W12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
      • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
        • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
          • Y02D30/00 Reducing energy consumption in communication networks
            • Y02D30/70 in wireless communication networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to the field of mobile office technology, in particular to a trusted authentication method for a mobile office scene. The steps are as follows: the session key of the secure communication channel between the operator and the company server is denoted key_{to-cs}; when the terminal device accesses the network, it authenticates with the operator through the GBA authentication mechanism built into the super SIM card and negotiates the session key key_{td-to}. By combining the relevant technology of the super SIM card, the trusted authentication method for the mobile office scene provided by the invention ties the network access authentication of the terminal device to the user login authentication of the office application, which can effectively prevent illegal users from connecting to the office server. When mobile office is required, the user can use the terminal device at hand to complete user identity authentication, obtain from the operator the authentication credential for the office application service being requested, and so authenticate to the company server conveniently and quickly.

Description

Trusted authentication method for mobile office scene
Technical Field
The invention relates to the technical field of mobile office, in particular to a trusted authentication method for a mobile office scene.
Background
In a traditional office scenario, people work at a fixed workstation with specific office equipment: the device that accesses the office application is fixed and the identity of the user is trusted. With the rapid development of the mobile internet, the way people work has changed, moving gradually from the traditional office scene to a new digital, convenient and mobile one. In a mobile office scene, people can work remotely from a non-fixed location by using a nearby device to reach the company server over the mobile internet, which allows fragmented time to be used fully and work content to be communicated efficiently.
This also raises a security issue. Because neither the devices nor the networks are fixed, the company server must perform trusted authentication of the accessing devices. In the traditional mobile office scene, a user can only use equipment designated by the company to perform simple message exchange and small-scale office services, and cannot be granted the full rights of the traditional office scene, because the lack of effective authentication of the user's identity prevents those rights from being opened. The popularity of the mobile internet has made mobile application services an important part of daily life. In the traditional mobile internet, the authentication process of the device accessing the network and the authentication process of the user logging in to the application service are completely independent, and the login authentication of the application program mainly uses a user name and password.
However, this authentication mode has potential safety hazards. If the user name and password are leaked, data security problems such as information disclosure and malicious operation can follow, and the leak is difficult to notice. Mobile office is a specific scene of the mobile internet, and its network access authentication and office application service authentication are likewise carried out independently, without unified consideration. When the terminal device needed for office work accesses the network, it is authenticated by the operator, and the user must then pass the company server's authentication when logging in to an office application. This results in one round of authentication of the terminal device at network entry, followed by the use of separate account names and passwords for the different office applications to pass the company server's authentication before the application services can be used.
Companies mainly wish to improve the working efficiency of staff through efficient and controllable mobile office services, increase output and so obtain higher profits. However, there is a potential security risk in current networks: how to ensure trusted authentication between the terminal device used by the user and the company server in the mobile office scene, so as to prevent leakage of the company's private information through malicious intrusion by illegal users, is a problem to be solved.
Therefore, we design a trusted authentication method for the mobile office scenario, which provides another technical scheme for the above technical problems.
Disclosure of Invention
Based on the above, it is necessary to provide a trusted authentication method for a mobile office scenario in view of the above technical problems.
In order to solve the technical problems, the invention adopts the following technical scheme:
a trusted authentication method for a mobile office scene comprises the following steps:
the session key of the secure communication channel between the operator and the company server is denoted key_{to-cs};
when the terminal device accesses the network, it performs identity authentication with the operator through the GBA authentication mechanism built into the super SIM card and negotiates a session key key_{td-to};
the terminal device selects a random number R_1 and calculates Inf from R_1,
where SE·(·) represents the symmetric encryption algorithm built into the super SIM card, DID represents the device identifier of the terminal device, CID represents the identifier of the company to be accessed in mobile office, and App represents the application program to be used;
verification information V_0 is calculated from Inf and a time stamp t_0 is generated, and {DID, Inf, V_0, t_0} is sent to the operator;
after receiving {DID, Inf, V_0, t_0} at time t_1, the operator verifies whether t_1 - t_0 is smaller than the time threshold Δt, calculates verification information V'_0, and judges whether V'_0 and V_0 are equal to verify the integrity of the information;
after calculating the authentication credential AC and the reply information RInf, the operator generates a time stamp t_2 and verification information V_1, and sends {RInf, V_1, t_2} to the terminal device;
after receiving {RInf, V_1, t_2} at time t_3, the terminal device verifies whether t_3 - t_2 is smaller than the time threshold Δt, calculates verification information V'_1 and verifies whether V'_1 and V_1 are equal;
the terminal device sends {DID, R_2} to the operator to indicate that it has received the authentication credential; the terminal device then selects a random number R_3 and calculates M, generates a time stamp t_4 and sends {M, V_2, t_4} to the company server;
after receiving {M, V_2, t_4} at time t_5, the company server verifies whether t_5 - t_4 is smaller than the time threshold Δt and calculates V'_2 = H(M) to verify the integrity of the message;
the company server decrypts M using its private key and checks, according to CID and App, whether the requested application service is correct;
the company server selects a random number R_4 and calculates RM, then generates a time stamp t_6 and returns {RM, V_3, t_6} to the terminal device;
after receiving {RM, V_3, t_6} at time t_7, the terminal device verifies whether t_7 - t_6 is smaller than the time threshold Δt, decrypts RM with its private key to obtain R_4, selects a random number R_5, calculates the authentication message AM, generates a time stamp t_8 and sends {AM, V_4, t_8} to the company server;
after receiving {AM, V_4, t_8} at time t_9, the company server verifies whether t_9 - t_8 is smaller than the time threshold Δt, recovers the authentication credential and the authentication signature from AM, verifies the authenticity of the authentication signature, calculates RAM, generates a time stamp t_10 and returns {RAM, V_5, t_10} to the terminal device;
after receiving {RAM, V_5, t_10} at time t_11, the terminal device verifies timeliness and integrity and computes RAM'; RAM' = RAM indicates that authentication is successful and office rights have been obtained.
As a preferred embodiment of the trusted authentication method of the mobile office scene provided by the invention, the verification information V_0 is calculated as follows:
V_0 = H(Inf)
where H(·) represents the hash function.
As a preferred embodiment of the trusted authentication method of the mobile office scene, when V'_0 and V_0 are equal, verification passes and the operator uses the session key key_{td-to} to decrypt Inf and obtain DID, CID, App and R_1. Based on CID and the SIM card number, the operator can apply to the company to look up the user's identifier UID within the company.
As a preferred embodiment of the trusted authentication method of the mobile office scene provided by the invention, the authentication credential AC is calculated as follows:
where key_{to-cs} represents the session key between the operator and the company server and T represents the expiration date of the authentication credential;
the operator uses the signature private key skey_{to} to calculate the authentication signature AS over the authentication credential AC as follows:
where S·(·) represents the signature algorithm.
As a preferred embodiment of the trusted authentication method of the mobile office scene provided by the invention, the reply information RInf is calculated as follows:
where R_2 is a random number;
the verification information V_1 is calculated as follows:
V_1 = H(RInf||R_1).
As a preferred embodiment of the trusted authentication method of the mobile office scene provided by the invention, the verification information V'_1 is calculated as follows:
V'_1 = H(RInf||R_1);
when V'_1 = V_1, the terminal device decrypts RInf to check whether the authentication content is in error and learns the expiration date of the authentication credential.
As a preferred embodiment of the trusted authentication method of the mobile office scene provided by the invention, M is calculated as follows:
where AE·(·) represents an asymmetric encryption algorithm, and pkey_{td} and pkey_{cs} represent the public keys of the terminal device and the company server respectively;
and V_2 = H(M) is calculated.
As a preferred embodiment of the trusted authentication method of the mobile office scene, RM is calculated as follows:
and V_3 = H(RM) is calculated.
As a preferred embodiment of the trusted authentication method of the mobile office scene provided by the invention, the authentication message AM is calculated as follows:
and V_4 = H(AM) is calculated.
As a preferred embodiment of the trusted authentication method of the mobile office scene provided by the invention, when the authentication signature is authentic, key_{to-cs} is used to decrypt the authentication credential and the rights of the designated office application are assigned to the terminal device;
RAM is calculated as follows:
and V_5 = H(RAM) is calculated.
It can be clearly seen that the technical problems the present application sets out to solve are solved by the above technical solutions of the present application.
Meanwhile, through the technical scheme, the invention has at least the following beneficial effects:
the trusted authentication method for the mobile office scene ensures security during information transmission by prescribing the type, sending order and encryption mode of the data exchanged between the authentication initiator and the authenticator. By combining the relevant technology of the super SIM card, it ties the network access authentication of the terminal device to the user login authentication of the office application, which effectively prevents illegal users from connecting to the office server. When mobile office is required, the user can complete user identity authentication with the terminal device at hand, obtain from the operator the authentication credential for the office application service being requested, and so authenticate to the company server conveniently and quickly.
Detailed Description
The present invention will be further described in detail through the following embodiments, so that its technical solution and advantages are clearly understood. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
The terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In the description of the present invention, the meaning of "plurality" means at least two, for example, two, three, etc., unless specifically defined otherwise.
It should be noted that, under the condition of no conflict, the embodiments of the present invention and the features and technical solutions in the embodiments may be combined with each other.
A trusted authentication method for a mobile office scene comprises the following steps:
the method comprises the steps of performing trusted authentication on Terminal equipment (Terminal device), an operator (Telecom operators) and a Company server (Company server).
A secure communication channel exists between the operator and the company server, and the key is used for the session key to-cs And (3) representing. Each terminal device performs identity authentication with an operator through a GBA authentication mechanism built in a super SIM card and negotiates a session key when accessing to a network td-to . When the user performs remote office, the terminal equipment performs trusted authentication with the company server with the assistance of an operator.
Process 1: the terminal device selects a random number R 1 And calculate
The SE (-) represents a symmetric encryption algorithm built in the super SIM card, the DID represents the equipment identifier of the terminal equipment, the CID represents the identifier of a company needing to be accessed by mobile office, and the App represents an application program needing to be used.
Then calculate the verification information V 0 =h (Inf), where H (·) represents a hash function. Finally generate a time stamp t 0 And will { DID, inf, V 0 ,t 0 And transmitted to the operator.
Process 2: operator at t 1 Time of day { DID, inf, V 0 ,t 0 After } it is first verified whether the timeliness t is satisfied 1 -t 0 < Δt, Δt representing the time threshold. Then calculate V' 0 =h (Inf), by judging V 0 ' and V 0 Whether equal to verify the integrity of the information. If it is verified, the operator uses the session key td-to Decrypting Inf and obtaining DID, CID, app, R 1 . Based on the CID and the SIM card number, the operator may look up the user representation UID inside the company like the company applies for the user.
Subsequently, authentication credentials are calculated
Wherein the key is to-cs Representing the session key between the operator and the corporate server, T representing the expiration date of the authentication credentials. The operator then uses the signature private key skey to Computing authentication signatures for authentication credentials ACWhere S· (·) represents the signature algorithm. Recalculating reply message->Wherein R is 2 Is a random number. Finally generate a time stamp t 2 And verification information V 1 =H(RInf||R 1 ) And will { RInf, V 1 ,t 2 And (3) sending to the terminal device.
Process 3: the terminal device is at t 3 Time of day { RInf, V 1 ,t 2 After } it is first verified whether the timeliness t is satisfied 3 -t 2 < Δt. Then calculate V 1 '=H(RInf||R 1 ) To verify integrity. If V is 1 '=V 1 And the terminal equipment decrypts the RInf to check whether the authentication content is wrong or not, and acquires the expiration date of the authentication certificate. The terminal device then transmits { DID, R 2 To the operator indicating that he has received authentication credentials. Then, the terminal device selects a random number R 3 And calculateAnd V 2 =h (M), where ae· (·) represents the asymmetric encryption algorithm, pkey td And pkey cs Representing the public keys of the terminal device and the company server, respectively. Finally, the terminal generates a time stamp t 4 Will { M, V 2 ,t 4 And transmitted to the corporate server.
Process 4: the corporate server at t 5 Time of receipt { M, V 2 ,t 4 After } verify if the timeliness t is satisfied 5 -t 4 < Δt. Then calculate V' 2 =h (M), verifying the integrity of the message. Subsequently, the company server decrypts M using the private key, and App checks whether the requested application service is correct according to the CID. If the request is correct, the company server will select a random number R 4 Calculation ofAnd V 3 =h (RM). Finally, the corporate server generates a time stamp t 6 And return { RM, V 3 ,t 6 And (3) to the terminal device.
Process 5: after receiving {RM, V_3, t_6} at time t_7, the terminal device first verifies timeliness and integrity. Then the terminal device decrypts RM using its private key to obtain R_4 and selects a random number R_5. It calculates the authentication message AM and V_4 = H(AM). Finally, the terminal generates a time stamp t_8 and sends {AM, V_4, t_8} to the company server.
Process 6: the company server receives {AM, V_4, t_8} at time t_9. After verifying timeliness and integrity, the company server recovers the authentication credential and the authentication signature from AM. The company server then verifies the authenticity of the authentication signature. If the authentication signature is authentic, it uses key_{to-cs} to decrypt the authentication credential and assigns the rights of the designated office application to the terminal device. It then calculates RAM and V_5 = H(RAM). Finally, the company server generates a time stamp t_10 and returns {RAM, V_5, t_10} to the terminal device.
Process 7: after receiving {RAM, V_5, t_10} at time t_11, the terminal device first verifies timeliness and integrity. It then calculates RAM'. If RAM' = RAM, authentication is successful and office rights have been obtained. The authentication process ends here.
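The terminal-to-operator leg (Processes 1 to 3 above, and the same steps in the disclosure section) as an added Python model; this is not the patent's code. It assumes a constructed Δt, a toy HMAC-based keystream cipher standing in for the super SIM's SE(·), an opaque placeholder for AC and AS (whose formulas are not reproduced on this page) and that RInf carries that placeholder together with R_2; it also shows the difference between the bare H(·) checks (V_0, V_2) and the R_1-bound V_1 = H(RInf||R_1).

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

DELTA_T = 30.0  # Δt in seconds; constructed value, the page gives no figure

def H(*parts):
    """H(a || b || ...) realised as SHA-256 over the concatenation."""
    return hashlib.sha256(b"".join(parts)).digest()

def _keystream(key, nonce, length):
    """HMAC-SHA256 counter keystream for the toy cipher below."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def SE(key, data):
    """Stand-in for the super SIM's built-in symmetric cipher (assumption, not the
    patent's SE): 16-byte nonce || data XOR keystream. Toy, not for production."""
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def SD(key, blob):
    """Inverse of SE: strip the nonce and XOR the keystream back out."""
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

@dataclass
class Envelope:
    payload: bytes  # Inf, RInf, M, ... (the encrypted body)
    v: bytes        # verification hash V_i
    t: float        # sender time stamp t_i

def fresh(t_send, t_recv, delta_t=DELTA_T):
    """Timeliness check applied at every step: t_recv - t_send < Δt; a negative gap (time stamp from the future) is rejected too."""
    return 0 <= t_recv - t_send < delta_t

def integrity_ok(payload, v, binding=b""):
    """V' = H(payload || binding) compared with the received V in constant time.
    binding=b"" is the bare V_0 = H(Inf) / V_2 = H(M) style check: anyone who sees the
    payload can recompute it, so it catches corruption, not a swapped payload.
    binding=R_1 is V_1 = H(RInf || R_1), tying the reply to a party that read R_1."""
    return hmac.compare_digest(H(payload, binding), v)

def terminal_process1(key_td_to, did, cid, app, t0):
    """Process 1: pick R_1, Inf = SE_{key_td-to}(DID, CID, App, R_1), V_0 = H(Inf).
    Returns R_1 (kept for Process 3) and the envelope {Inf, V_0, t_0}."""
    r1 = secrets.token_bytes(16)
    inf = SE(key_td_to, b"|".join([did, cid, app, r1.hex().encode()]))
    return r1, Envelope(inf, H(inf), t0)

def operator_process2(key_td_to, did, env, t1, credential, t2):
    """Process 2: check t_1 - t_0 < Δt and V'_0 == V_0, decrypt Inf, reply {RInf, V_1, t_2}
    with V_1 = H(RInf || R_1). `credential` is a constructed stand-in for AC/AS, and RInf is
    assumed to carry credential || R_2 (the page does not reproduce RInf's formula)."""
    if not fresh(env.t, t1) or not integrity_ok(env.payload, env.v):
        return None
    try:
        did_in, cid, app, r1_hex = SD(key_td_to, env.payload).split(b"|", 3)
        r1 = bytes.fromhex(r1_hex.decode())
    except ValueError:  # wrong key or mangled body: the fields do not parse
        return None
    if did_in != did:  # DID sent in the clear must match the DID inside Inf
        return None
    r2 = secrets.token_bytes(16)
    rinf = SE(key_td_to, credential + b"|" + r2.hex().encode())
    return cid, app, r2, Envelope(rinf, H(rinf, r1), t2)

def terminal_process3(key_td_to, r1, env, t3):
    """Process 3, receive side: check t_3 - t_2 < Δt and V'_1 = H(RInf || R_1) == V_1, then decrypt RInf."""
    if not fresh(env.t, t3) or not integrity_ok(env.payload, env.v, binding=r1):
        return None
    try:
        credential, r2_hex = SD(key_td_to, env.payload).rsplit(b"|", 1)
        return credential, bytes.fromhex(r2_hex.decode())  # R_2 is echoed back in {DID, R_2}
    except ValueError:
        return None

def run_exchange(delay=1.0, tamper=False):
    """Drive Processes 1-3 with constructed identifiers and a constructed key_td-to
    (in the scheme it comes from the GBA run). True on success, None on rejection."""
    key_td_to = secrets.token_bytes(32)
    did, cid, app, credential = b"DID-0001", b"CID-ACME", b"mail", b"AC+AS placeholder"
    r1, env0 = terminal_process1(key_td_to, did, cid, app, t0=1000.0)
    if tamper:  # flip one bit of Inf in transit; V_0 no longer matches
        body = env0.payload[:-1] + bytes([env0.payload[-1] ^ 1])
        env0 = Envelope(body, env0.v, env0.t)
    reply = operator_process2(key_td_to, did, env0, 1000.0 + delay, credential, 1002.0)
    if reply is None:
        return None
    cid_seen, app_seen, r2, env1 = reply
    got = terminal_process3(key_td_to, r1, env1, 1003.0)
    if got is None:
        return None
    return got == (credential, r2) and (cid_seen, app_seen) == (cid, app)
```

Calling run_exchange(delay=60.0) or run_exchange(tamper=True) returns None, showing the Δt window and the V_0 check rejecting a stale or altered {DID, Inf, V_0, t_0}.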
Therefore, security during information transmission is ensured by specifying the type, sending order and encryption mode of the data exchanged between the authentication initiator and the authenticator, and the network access authentication of the terminal device and the user login authentication of the office application are tied together by combining the relevant technology of the super SIM card, so that illegal users are effectively prevented from connecting to the office server. When the user needs to work remotely, the user can complete user identity authentication with the terminal device at hand, obtain from the operator the authentication credential for the office application service being requested, and so authenticate to the company server conveniently and quickly.
The foregoing has shown and described the basic principles, principal features and advantages of the invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, and that the above embodiments and descriptions are merely illustrative of the principles of the present invention, and various changes and modifications may be made therein without departing from the spirit and scope of the invention, which is defined by the appended claims. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (10)

1. A trusted authentication method for a mobile office scene, characterized in that the steps are as follows:
the session key of the secure communication channel between the operator and the company server is denoted key_{to-cs};
when the terminal device accesses the network, it authenticates with the operator through the GBA authentication mechanism built into the super SIM card and negotiates a session key key_{td-to};
the terminal device selects a random number R_1 and calculates Inf from R_1,
where SE·(·) represents the symmetric encryption algorithm built into the super SIM card, DID represents the device identifier of the terminal device, CID represents the identifier of the company to be accessed in mobile office, and App represents the application program to be used;
the verification information V_0 is calculated from Inf, a time stamp t_0 is generated, and {DID, Inf, V_0, t_0} is sent to the operator;
after receiving {DID, Inf, V_0, t_0} at time t_1, the operator verifies whether t_1 - t_0 is less than the time threshold Δt, calculates the verification information V'_0, and verifies the integrity of the information by judging whether V'_0 is equal to V_0;
after calculating the authentication credential AC and the reply information RInf, the operator generates a time stamp t_2 and verification information V_1, and sends {RInf, V_1, t_2} to the terminal device;
after receiving {RInf, V_1, t_2} at time t_3, the terminal device verifies whether t_3 - t_2 is less than the time threshold Δt, calculates the verification information V'_1 and verifies whether V'_1 is equal to V_1;
the terminal device sends {DID, R_2} to the operator, indicating that the authentication credential has been received; the terminal device selects a random number R_3 and calculates M, then generates a time stamp t_4 and sends {M, V_2, t_4} to the company server;
after receiving {M, V_2, t_4} at time t_5, the company server verifies whether t_5 - t_4 is less than the time threshold Δt, calculates V'_2 = H(M) and verifies the integrity of the message;
the company server decrypts M using its private key and checks, according to CID and App, whether the requested application service is correct;
if the request is correct, the company server selects a random number R_4 and calculates RM, generates a time stamp t_6 and returns {RM, V_3, t_6} to the terminal device;
after receiving {RM, V_3, t_6} at time t_7, the terminal device verifies whether t_7 - t_6 is less than the time threshold Δt, decrypts RM with its private key to obtain R_4, selects a random number R_5, calculates the authentication message AM, generates a time stamp t_8 and sends {AM, V_4, t_8} to the company server;
the company server receives {AM, V_4, t_8} at time t_9, verifies whether t_9 - t_8 is less than the time threshold Δt, recovers the authentication credential and the authentication signature from AM, verifies the authenticity of the authentication signature, calculates RAM, generates a time stamp t_10 and returns {RAM, V_5, t_10} to the terminal device;
after receiving {RAM, V_5, t_10} at time t_11, the terminal device verifies timeliness and integrity and computes RAM'; RAM' = RAM indicates that authentication is successful and office rights have been obtained.
2. The trusted authentication method for a mobile office scene according to claim 1, characterized in that the verification information V_0 is calculated as follows:
V_0 = H(Inf)
where H(·) represents a hash function.
3. The trusted authentication method for a mobile office scene according to claim 1, characterized in that when V'_0 is equal to V_0, verification passes and the operator uses the session key key_{td-to} to decrypt Inf and obtains DID, CID, App and R_1; based on CID and the SIM card number, the operator can apply to the company to look up the user's identifier UID within the company.
4. The trusted authentication method for a mobile office scene according to claim 3, characterized in that the authentication credential AC is calculated as follows:
where key_{to-cs} represents the session key between the operator and the company server and T represents the expiration date of the authentication credential;
the operator uses the signature private key skey_{to} to calculate the authentication signature AS over the authentication credential AC as follows:
where S·(·) represents the signature algorithm.
5. The trusted authentication method for a mobile office scene according to claim 4, characterized in that the reply information RInf is calculated as follows:
where R_2 is a random number;
the verification information V_1 is calculated as follows:
V_1 = H(RInf||R_1).
6. The trusted authentication method for a mobile office scene according to claim 5, characterized in that the verification information V'_1 is calculated as follows:
V'_1 = H(RInf||R_1);
when V'_1 = V_1, the terminal device decrypts RInf to check whether the authentication content is in error and learns the expiration date of the authentication credential.
7. The trusted authentication method for a mobile office scene according to claim 1, characterized in that M is calculated as follows:
where AE·(·) represents an asymmetric encryption algorithm, and pkey_{td} and pkey_{cs} represent the public keys of the terminal device and the company server respectively;
and V_2 = H(M) is calculated.
8.根据权利要求7所述的一种移动办公场景的可信认证方法,其特征在于,RM的计算公式如下:8. The trusted authentication method of a mobile office scene according to claim 7, wherein the calculation formula of RM is as follows: 9.根据权利要求1所述的一种移动办公场景的可信认证方法,其特征在于,认证消息AM计算公式如下:9. The trusted authentication method of a mobile office scene according to claim 1, wherein the calculation formula of the authentication message AM is as follows: 10.根据权利要求1所述的一种移动办公场景的可信认证方法,其特征在于,当认证签名真实,利用keyto-cs解密认证凭证,并为终端设备分配指定的办公应用的权限;10. The trusted authentication method of a mobile office scene according to claim 1, characterized in that, when the authentication signature is true, the authentication certificate is decrypted using key to-cs , and the authority of the office application assigned to the terminal device is assigned; RAM的计算公式如下:The calculation formula of RAM is as follows:
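The following Python model is an added example and not code from the patent or its applicant. It runs the operator-brokered part of the claimed flow end to end: the terminal's {DID, Inf, V0, t0} request, the operator's freshness (Δt) and V0 = H(Inf) checks, the UID lookup by CID and SIM number, issuance of a credential AC encrypted under key_to-cs with expiry T and a signature AS, the reply {RInf, V1, t2} with V1 = H(RInf || R1), the terminal's V1' check, and finally the company server's check of AS, decryption of AC with key_to-cs and grant of the application permission (claims 1 to 6 and 10). The field layouts of Inf, AC and RInf, the Δt value, the keys and the directory are assumptions; the SIM's algorithm SE is replaced by a toy hash-keystream cipher and the signature S_skey_to by an HMAC so that the block runs on the standard library alone. The asymmetric challenge exchange with the company server (R3, R4, R5; claims 7 to 9) is not modelled because its formulas are absent from the page.

```python
import hashlib
import hmac
import json
import os

DELTA_T = 5.0               # Δt freshness window in seconds (assumed value)
CREDENTIAL_VALIDITY = 3600.0  # lifetime used to set the expiry date T (assumed)
# Constructed keys: key_td-to would come from the GBA run, key_to-cs from the
# operator/company channel; SKEY_TO is an HMAC key standing in for the
# operator's signing private key skey_to.
KEY_TD_TO = hashlib.sha256(b"example key_td-to").digest()
KEY_TO_CS = hashlib.sha256(b"example key_to-cs").digest()
SKEY_TO = hashlib.sha256(b"example skey_to").digest()
DIRECTORY = {("CID-ACME", "SIM-861300000001"): "u-1001"}  # company's (CID, SIM) -> UID table (constructed)


def H(data: bytes) -> bytes:
    """H(.) of the claims."""
    return hashlib.sha256(data).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def SE(key: bytes, plaintext: bytes) -> bytes:
    """Toy stand-in for the SIM's symmetric algorithm SE: fresh nonce, hash keystream XOR."""
    nonce = os.urandom(16)
    return nonce + _xor_stream(key, nonce, plaintext)


def SD(key: bytes, ciphertext: bytes) -> bytes:
    return _xor_stream(key, ciphertext[:16], ciphertext[16:])


def pack(d: dict) -> bytes:
    return json.dumps(d, sort_keys=True).encode()


def unpack(b: bytes) -> dict:
    return json.loads(b)


def fresh(t_recv: float, t_sent: float) -> bool:
    # The claims bound only t_recv - t_sent < Δt; a deployment would also reject negative skew.
    return t_recv - t_sent < DELTA_T


def terminal_request(did, cid, app, t0):
    R1 = os.urandom(16).hex()
    Inf = SE(KEY_TD_TO, pack({"DID": did, "CID": cid, "App": app, "R1": R1}))  # assumed layout
    return {"DID": did, "Inf": Inf, "V0": H(Inf), "t0": t0}, R1               # claim 2: V0 = H(Inf)


def operator_issue(msg, sim_number, t1, t2):
    if not fresh(t1, msg["t0"]):
        raise ValueError("stale request at operator")
    if H(msg["Inf"]) != msg["V0"]:                       # V0' compared with V0
        raise ValueError("integrity check failed at operator")
    req = unpack(SD(KEY_TD_TO, msg["Inf"]))              # claim 3: recover DID, CID, App, R1
    uid = DIRECTORY[(req["CID"], sim_number)]            # claim 3: UID by CID and SIM number
    T = t2 + CREDENTIAL_VALIDITY
    AC = SE(KEY_TO_CS, pack({"UID": uid, "DID": req["DID"], "CID": req["CID"], "App": req["App"], "T": T}))
    AS = hmac.new(SKEY_TO, AC, hashlib.sha256).digest()  # stand-in for S_skey_to(AC)
    R2 = os.urandom(16).hex()
    RInf = SE(KEY_TD_TO, pack({"AC": AC.hex(), "AS": AS.hex(), "T": T, "R2": R2}))  # assumed layout
    return {"RInf": RInf, "V1": H(RInf + bytes.fromhex(req["R1"])), "t2": t2}    # claim 5


def terminal_accept(reply, R1, t3):
    if not fresh(t3, reply["t2"]):
        raise ValueError("stale reply at terminal")
    if H(reply["RInf"] + bytes.fromhex(R1)) != reply["V1"]:  # claim 6: V1' compared with V1
        raise ValueError("integrity check failed at terminal")
    return unpack(SD(KEY_TD_TO, reply["RInf"]))


def company_authorize(AC, AS, cid, app, now):
    expected = hmac.new(SKEY_TO, AC, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, AS):
        raise ValueError("authentication signature not genuine")
    cred = unpack(SD(KEY_TO_CS, AC))                     # claim 10: decrypt AC with key_to-cs
    if now > cred["T"]:
        raise ValueError("credential expired")
    if (cred["CID"], cred["App"]) != (cid, app):
        raise ValueError("credential does not cover this service")
    return {"UID": cred["UID"], "App": cred["App"]}      # permission granted for the named app


def run_flow(now=1000.0, request_delay=0.0, tamper=False, use_at=None):
    """Whole flow at fixed clock values; returns an outcome dict instead of raising."""
    did, cid, app, sim = "DID-42", "CID-ACME", "mail", "SIM-861300000001"
    try:
        msg, R1 = terminal_request(did, cid, app, t0=now)
        if tamper:  # flip one ciphertext byte after V0 was computed
            msg["Inf"] = msg["Inf"][:-1] + bytes([msg["Inf"][-1] ^ 1])
        reply = operator_issue(msg, sim, t1=now + request_delay, t2=now + request_delay)
        content = terminal_accept(reply, R1, t3=now + request_delay)
        grant = company_authorize(bytes.fromhex(content["AC"]), bytes.fromhex(content["AS"]),
                                  cid, app, now=use_at if use_at is not None else now + 1)
        return {"ok": True, **grant}
    except ValueError as e:
        return {"ok": False, "reason": str(e)}
```

Two points worth noting when reading the claims against this model. V0 = H(Inf) and V2 = H(M) are unkeyed hashes, so they detect transit corruption but not substitution by an active attacker who can recompute them; origin authenticity in the flow rests on the encryption under key_td-to / key_to-cs and on the signature AS, while V1 = H(RInf || R1) is at least bound to the R1 that only the terminal and the operator know. The HMAC stand-in for AS means the company server holds the same key as the operator; with the public-key signature the claims describe, the company server needs only the operator's public key to verify the credential's authenticity.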
CN202310248254.4A 2023-03-15 2023-03-15 A trusted authentication method for mobile office scenarios Pending CN116488853A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310248254.4A CN116488853A (en) 2023-03-15 2023-03-15 A trusted authentication method for mobile office scenarios

Publications (1)

Publication Number Publication Date
CN116488853A true CN116488853A (en) 2023-07-25

Family

ID=87214528

Country Status (1)

Country Link
CN (1) CN116488853A (en)

Similar Documents

Publication Publication Date Title
US8532620B2 (en) Trusted mobile device based security
CN101764803B (en) Methods of Participation and Certification of Computing Systems
US8689290B2 (en) System and method for securing a credential via user and server verification
KR101459802B1 (en) Delegation of authentication based on re-verification of encryption credentials
US8739260B1 (en) Systems and methods for authentication via mobile communication device
CN101212297B (en) WEB-based WLAN access authentication method and system
EP1714422B1 (en) Establishing a secure context for communicating messages between computer systems
JP5688087B2 (en) Method and apparatus for reliable authentication and logon
WO2019085531A1 (en) Method and device for network connection authentication
CN105791272A (en) A method and device for secure communication in the Internet of Things
CN101039181B (en) Method for Preventing Service Functional Entities in Universal Authentication Framework from Attacking
US8397281B2 (en) Service assisted secret provisioning
DK2414983T3 (en) Secure computer system
CN108809633B (en) Identity authentication method, device and system
CN107786515B (en) Method and device for certificate authentication
CN115473655B (en) Terminal authentication method, device and storage medium for access network
CN113726523A (en) Multi-identity authentication method and device based on Cookie and DR identity cryptosystem
KR101348079B1 (en) System for digital signing using portable terminal
KR101572598B1 (en) Secure User Authentication Scheme against Credential Replay Attack
US20090319778A1 (en) User authentication system and method without password
KR20170111809A (en) Bidirectional authentication method using security token based on symmetric key
CN116318637A (en) Method and system for secure network access communication of equipment
JP2017139026A (en) Method and apparatus for reliable authentication and logon
CN116488853A (en) A trusted authentication method for mobile office scenarios
CN113727059A (en) Multimedia conference terminal network access authentication method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication