CN118803751A - Authentication method, device, network equipment and storage medium - Google Patents

Abstract

The present invention provides an authentication method, device, network device and storage medium. The method includes: obtaining a first parameter of at least one second device used for performing network authentication and/or key derivation on a terminal, the first parameter being used to indicate the cryptographic algorithm supported by the corresponding second device; determining a target cryptographic algorithm according to the cryptographic algorithm supported by the first device and/or the first parameter; and performing related operations of network authentication and/or key derivation according to the target cryptographic algorithm. Using this method, the cryptographic algorithm supported by the corresponding second device is determined according to the first parameter of the at least one second device obtained, and the first device can adaptively determine the cryptographic algorithm used to be compatible with different cryptographic algorithms and realize the interconnection requirements of different cryptographic algorithms.

Description

Authentication method, device, network equipment and storage medium

Technical Field

The present invention relates to the field of wireless technology, and in particular to an authentication method, device, network equipment and storage medium.

Background Art

With the rapid development of Internet technology, the network security risks of information systems continue to increase, and the threat challenges are becoming increasingly severe. Cryptographic security is an important foundation for information security and can be used to effectively protect the data security of network information systems. my country's commercial cryptographic algorithms (hereinafter referred to as commercial cryptographic algorithms) are the core technologies and important means to protect network information systems.

Currently, the 5G communication network authentication protocol uses an international cryptographic algorithm, which is not compatible with commercial encryption algorithms. Authentication network elements cannot achieve interoperability between commercial encryption algorithms and international algorithms. As a result, when a terminal that supports commercial encryption roams to a service network that does not support commercial encryption, network authentication cannot be completed due to algorithm incompatibility.

Summary of the invention

The technical solution of the present invention aims to provide an authentication method, device, network equipment and storage medium, which are used to adaptively be compatible with different cryptographic algorithms according to the status of the network and the terminal, and realize the interconnection and interoperability requirements of different cryptographic algorithms.

One embodiment of the present invention provides an authentication method, wherein the method is performed by a first device and includes:

Acquire a first parameter of at least one second device used for performing network authentication and/or key derivation on the terminal, wherein the first parameter is used to indicate a cryptographic algorithm supported by the corresponding second device;

Determining a target cryptographic algorithm according to the cryptographic algorithms supported by the first device and/or the first parameters;

According to the target cryptographic algorithm, network authentication and/or key derivation related operations are performed.

Optionally, the authentication method, wherein determining a target cryptographic algorithm according to a cryptographic algorithm supported by the first device and/or the first parameter, includes:

If it is determined that the first device does not support a commercial cryptographic algorithm according to the cryptographic algorithms supported by the first device, determining that the target cryptographic algorithm is an international cryptographic algorithm;

In the case that the cryptographic algorithms supported by the first device include commercial cryptographic algorithms, the target cryptographic algorithm is determined according to the first parameters.

Optionally, in the authentication method, the at least one second device includes one or more of the following:

Mobile equipment ME, Universal Subscriber Identity Module USIM and Security Anchor Function SEAF.

Optionally, in the authentication method, obtaining a first parameter of at least one second device for performing network authentication and/or key derivation on the terminal includes at least one of the following:

Acquire a first message sent by a third device during a process of performing network authentication and/or key derivation on a terminal, wherein the first message includes at least one first parameter of the second device;

A first parameter of the second device is obtained according to the subscription data of the second device.

Optionally, in the authentication method, when the first device is a unified data management function UDM or an authentication credential repository and processing function ARPF, the third device includes an AUSF, and the second device includes at least one of an ME, a USIM and a SEAF;

Wherein, obtaining a first parameter of at least one second device for performing network authentication and/or key derivation on the terminal includes at least one of the following:

Obtaining a first message sent by the AUSF, where the first message includes a first parameter of the ME and/or the SEAF;

A first parameter of the USIM is obtained according to the subscription data of the USIM.

Optionally, in the authentication method, when the first device is an AUSF, the third device includes a UDM, an ARPF and/or a SEAF, and the second device includes at least one of a ME, a USIM and a SEAF;

Wherein, obtaining a first parameter of at least one second device for performing network authentication and/or key derivation on the terminal includes at least one of the following:

Acquire a first message sent by SEAF, wherein the first message includes a first parameter of ME and a first parameter of SEAF;

Another first message sent by the UDM or the ARPF is acquired, where the another first message includes a first parameter of the USIM.

Optionally, in the authentication method, when the first device is a SEAF, the third device includes a ME and/or an AUSF, and the second device includes at least one of a ME and a USIM;

Wherein, obtaining a first parameter of at least one second device for performing network authentication and/or key derivation on the terminal includes at least one of the following:

Acquire a first message sent by the ME, where the first message includes a first parameter of the ME;

Obtain another first message sent by the AUSF, wherein the another first message includes a first parameter of the USIM.

Optionally, in the authentication method, when the first device is a ME, the third device includes a SEAF, and the second device includes at least one of a SEAF and a USIM;

Wherein, obtaining a first parameter of at least one second device for performing network authentication and/or key derivation on the terminal includes:

A first message sent by SEAF is obtained, where the first message includes a first parameter of SEAF and a first parameter of USIM.

Optionally, the authentication method further comprises:

A second message is sent to a fourth device, wherein the second message includes a first parameter of the first device and/or at least one first parameter of the second device.

Optionally, in the authentication method, when the cryptographic algorithm supported by the first device includes a commercial cryptographic algorithm, the second message includes a first parameter of the first device and/or at least one first parameter of the second device.

Optionally, in the authentication method, the first device is a unified data management function UDM or an authentication credential repository and processing function ARPF, and the first parameter of the at least one second device includes a first parameter of a USIM and a first parameter of a ME;

In a case where the cryptographic algorithm supported by the first device includes a commercial cryptographic algorithm, determining the target cryptographic algorithm according to the first parameter includes:

In the first parameter of the USIM, if the supported cryptographic algorithms include commercial cryptographic algorithms, a first target cryptographic algorithm in the target cryptographic algorithms is determined to be a commercial cryptographic algorithm, and the first target cryptographic algorithm is used to calculate the authentication vector for the terminal to perform network authentication and authorization; in the first parameter of the ME, if the supported cryptographic algorithms include commercial cryptographic algorithms, a second target cryptographic algorithm in the target cryptographic algorithms is determined to be a commercial cryptographic algorithm, otherwise, the second target cryptographic algorithm in the target cryptographic algorithms is determined to be an international cryptographic algorithm; the second target cryptographic algorithm is used to calculate the authentication parameters for the terminal to perform network authentication and authorization;

In the first parameter of the USIM, when the supported cryptographic algorithms include international cryptographic algorithms, it is determined that the first target cryptographic algorithm and the second target cryptographic algorithm in the target cryptographic algorithms are international cryptographic algorithms respectively.

Optionally, in the authentication method, the first device is an AUSF, and the first parameter of the at least one second device includes a first parameter of a USIM, a first parameter of a ME, and a first parameter of a SEAF;

In a case where the cryptographic algorithm supported by the first device includes a commercial cryptographic algorithm, determining the target cryptographic algorithm according to the first parameter includes:

In the case where the cryptographic algorithms supported in the first parameter of the USIM and the first parameter of the SEAF both include commercial cryptographic algorithms, a third target cryptographic algorithm in the target cryptographic algorithms is determined to be a commercial cryptographic algorithm; in the case where any of the cryptographic algorithms supported in the first parameter of the USIM and the first parameter of the SEAF does not include a commercial cryptographic algorithm, the third target cryptographic algorithm in the target cryptographic algorithms is determined to be an international cryptographic algorithm; the third target cryptographic algorithm is used to calculate the first authentication parameter;

In the first parameter of the USIM and the first parameter of the ME, when the supported cryptographic algorithms both include commercial cryptographic algorithms, the fourth target cryptographic algorithm among the target cryptographic algorithms is determined to be a commercial cryptographic algorithm; in the first parameter of the USIM and the first parameter of the ME, when any of the supported cryptographic algorithms does not include a commercial cryptographic algorithm, the fourth target cryptographic algorithm among the target cryptographic algorithms is determined to be an international cryptographic algorithm; the fourth target cryptographic algorithm is used to calculate the second authentication parameter.

Optionally, in the authentication method, the first device is a ME, and the first parameter of the at least one second device includes a first parameter of a USIM and/or a first parameter of a SEAF;

Determining a target cryptographic algorithm according to the cryptographic algorithms supported by the first device includes:

In the first parameter of the USIM, if the supported cryptographic algorithm includes a commercial cryptographic algorithm, determining that a fifth target cryptographic algorithm in the target cryptographic algorithm is a commercial cryptographic algorithm, otherwise determining that the fifth target cryptographic algorithm in the target cryptographic algorithm is an international cryptographic algorithm; the fifth target cryptographic algorithm is used to calculate a third authentication parameter of the terminal;

In the first parameter of the SEAF, when the supported cryptographic algorithms include commercial cryptographic algorithms, the sixth target cryptographic algorithm among the target cryptographic algorithms is determined to be a commercial cryptographic algorithm; otherwise, the sixth target cryptographic algorithm among the target cryptographic algorithms is determined to be an international cryptographic algorithm; the sixth target cryptographic algorithm is used to calculate the fourth authentication parameter.

Optionally, the authentication method further comprises:

In a case where the acquired first parameters of at least one second device do not include the first parameters of the USIM, an algorithm support status query interface of the USIM is called to generate the first parameters of the USIM.

Optionally, in the authentication method, the first device is a SEAF, and the first parameter of the at least one second device includes a first parameter of a USIM and/or a first parameter of a ME;

Determining a target cryptographic algorithm according to the cryptographic algorithms supported by the first device includes:

In the first parameter of the USIM, when the supported cryptographic algorithms include commercial cryptographic algorithms, determining that a seventh target cryptographic algorithm in the target cryptographic algorithms is a commercial cryptographic algorithm; otherwise, determining that the seventh target cryptographic algorithm in the target cryptographic algorithms is an international cryptographic algorithm; the seventh target cryptographic algorithm is used to calculate a fifth authentication parameter;

In the first parameter of the ME, if the supported cryptographic algorithms include commercial cryptographic algorithms, the eighth target cryptographic algorithm among the target cryptographic algorithms is determined to be a commercial cryptographic algorithm; otherwise, the eighth target cryptographic algorithm among the target cryptographic algorithms is determined to be an international cryptographic algorithm; the eighth target cryptographic algorithm is used to calculate the sixth authentication parameter.

Optionally, in the authentication method, wherein the first device is a SEAF, determining a target cryptographic algorithm according to cryptographic algorithms supported by the first device includes:

In a case where the cryptographic algorithms supported by the first device include commercial cryptographic algorithms, determining that the target cryptographic algorithm is a commercial cryptographic algorithm;

In a case where the cryptographic algorithms supported by the first device do not include commercial cryptographic algorithms, the target cryptographic algorithm is determined to be an international cryptographic algorithm.

Optionally, in the authentication method, the first parameter includes a preset indication bit for indicating whether the corresponding second device supports a commercial cryptographic algorithm.

Optionally, in the authentication method, the first parameter includes one or more of the following:

a first bit array, comprising a plurality of first indicator bits, each first indicator bit corresponding to a type of encryption cryptographic algorithm, and used to indicate whether the second device supports the corresponding type of encryption cryptographic algorithm;

The second bit array includes multiple second indicator bits, each second indicator bit corresponds to a type of hash algorithm, and is used to indicate whether the second device supports the corresponding type of hash algorithm.

Optionally, in the authentication method, the first parameter is included in a reserved field in the first message, or the first parameter is an additional parameter in the first message.

Optionally, in the authentication and authorization method, the first parameter is included in the authentication management field AMF in the first message.

One embodiment of the present invention further provides an authentication method, wherein the method is performed by a third device and includes:

During the process of network authentication and/or key derivation of a terminal, a first message is sent to a first device; wherein the first message includes a first parameter of at least one second device; the first parameter is used to indicate the cryptographic algorithm supported by the corresponding second device.

Optionally, in the authentication and authorization method, the first device is a unified data management function UDM or an authentication credential repository and processing function ARPF, the third device includes AUSF, and the second device includes at least one of ME and SEAF.

Optionally, in the authentication method, the first device is an AUSF, the third device is a SEAF, and the second device includes at least one of a ME and a SEAF; or

The first device is an AUSF, the third device is an UDM or an ARPF, and the second device includes a USIM.

Optionally, in the authentication method, the first device is a SEAF, the third device is a ME, and the second device includes the ME; or

The first device is a SEAF, the third device is an AUSF, and the second device includes a USIM.

Optionally, in the authentication method, the first device is a ME, the third device includes a SEAF, and the second device includes at least one of a SEAF and a USIM.

Optionally, in the authentication method, the first parameter includes a preset indication bit for indicating whether the corresponding second device supports a commercial cryptographic algorithm.

Optionally, in the authentication method, the first parameter includes one or more of the following:

a first bit array, comprising a plurality of first indicator bits, each first indicator bit corresponding to a type of encryption cryptographic algorithm, and used to indicate whether the second device supports the corresponding type of encryption cryptographic algorithm;

The second bit array includes multiple second indicator bits, each second indicator bit corresponds to a type of hash algorithm, and is used to indicate whether the second device supports the corresponding type of hash algorithm.

One embodiment of the present invention further provides a network device, wherein the network device is a first device, comprising a processor, wherein the processor is used to:

Acquire a first parameter of at least one second device used for performing network authentication and/or key derivation on the terminal, wherein the first parameter is used to indicate a cryptographic algorithm supported by the corresponding second device;

Determining a target cryptographic algorithm according to the cryptographic algorithms supported by the first device and/or the first parameters;

According to the target cryptographic algorithm, network authentication and/or key derivation related operations are performed.

One embodiment of the present invention further provides a network device, wherein the network device is a third device, comprising a transceiver, wherein the transceiver is used to:

During the process of network authentication and/or key derivation of a terminal, a first message is sent to a first device; wherein the first message includes a first parameter of at least one second device; the first parameter is used to indicate the cryptographic algorithm supported by the corresponding second device.

One embodiment of the present invention further provides an authentication device, which is applied to a first device and includes:

An acquisition module, used to acquire a first parameter of at least one second device used to perform network authentication and/or key derivation on the terminal, wherein the first parameter is used to indicate a cryptographic algorithm supported by the corresponding second device;

a determination module, configured to determine a target cryptographic algorithm according to the cryptographic algorithms supported by the first device and/or the first parameters;

The authentication module is used to perform network authentication and/or key derivation related operations according to the target cryptographic algorithm.

One embodiment of the present invention further provides an authentication device, which is applied to a third device, and the device includes:

The first sending module is used to send a first message to a first device during network authentication and/or key derivation of a terminal; wherein the first message includes a first parameter of at least one second device; the first parameter is used to indicate the cryptographic algorithm supported by the corresponding second device.

One embodiment of the present invention further provides a network device, which includes a processor, a memory, and a program stored in the memory and executable on the processor, wherein the program implements the authentication method as described in any one of the above items when executed by the processor.

One embodiment of the present invention further provides a readable storage medium, wherein the readable storage medium stores a program, and when the program is executed by a processor, the steps in the authentication method as described in any one of the above items are implemented.

At least one of the above technical solutions of the present invention has the following beneficial effects:

By adopting the authentication method described in the embodiment of the present invention, the cryptographic algorithm supported by the corresponding second device is determined according to the first parameter of at least one second device obtained. In this way, the first device can adaptively determine the cryptographic algorithm to be adopted based on the supported cryptographic algorithms and/or the cryptographic algorithms supported by the second device that performs network authentication on the terminal, so as to be compatible with different cryptographic algorithms and realize the interconnection requirements of different cryptographic algorithms.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG1 is a schematic diagram of a flow chart of an authentication method according to one embodiment of the present invention;

FIG2 is a schematic diagram of a specific implementation of the method according to an embodiment of the present invention;

FIG3 is a schematic diagram of a flow chart of an authentication method according to another embodiment of the present invention;

FIG4 is a schematic diagram of the structure of a network device according to one embodiment of the present invention;

5 is a schematic diagram of the structure of a network device according to another embodiment of the present invention;

FIG6 is a schematic diagram of the structure of an authentication device according to one embodiment of the present invention;

FIG. 7 is a schematic diagram of the structure of an authentication device according to another embodiment of the present invention.

DETAILED DESCRIPTION

In order to make the technical problems, technical solutions and advantages to be solved by the present invention more clear, a detailed description will be given below with reference to the accompanying drawings and specific embodiments.

The terms "first", "second", etc. in the specification and claims of the present application are used to distinguish similar objects, and are not used to describe a specific order or sequence. It should be understood that the terms used in this way are interchangeable under appropriate circumstances, so that the embodiments of the present application can be implemented in an order other than those illustrated or described here, and the objects distinguished by "first" and "second" are generally of the same type, and the number of objects is not limited. For example, the first object can be one or more. In addition, "and/or" in the specification and claims represents at least one of the connected objects, and the character "/" generally represents that the objects associated with each other are in an "or" relationship.

In order to adaptively be compatible with different cryptographic algorithms according to the status of the network and the terminal and realize the interconnection and interoperability requirements of different cryptographic algorithms, an embodiment of the present invention provides an authentication and authorization method, which determines the cryptographic algorithm supported by the corresponding second device according to the first parameter of at least one second device obtained, so that the first device can adaptively determine the cryptographic algorithm to be adopted based on the supported cryptographic algorithms and/or the cryptographic algorithms supported by the second device that performs network authentication and/or key derivation on the terminal, so as to be compatible with different cryptographic algorithms and realize the interconnection and interoperability requirements of different cryptographic algorithms.

One embodiment of the present invention provides an authentication method, which is performed by a first device, as shown in FIG1 , and the method includes:

S110, obtaining a first parameter of at least one second device used for performing network authentication and/or key derivation on the terminal, where the first parameter is used to indicate a cryptographic algorithm supported by the corresponding second device;

S120, determining a target cryptographic algorithm according to the cryptographic algorithm supported by the first device and/or the first parameter;

S130, performing network authentication and/or key derivation related operations according to the target cryptographic algorithm.

In the embodiment of the present invention, optionally, the first device is any device capable of performing network authentication and/or key derivation on the terminal.

The first device and the second device may respectively include at least one of the following: a Universal Subscriber Identity Module (USIM), a Mobile Equipment (ME), a Security Anchor Function (SEAF), an Authentication Server Function (AUSF), a Unified Data Management Function (UDM)/Authentication Credential Repository and Processing Function (ARPF), wherein:

(1) USIM: stores the user's core key K and identifier data.

(2) ME: cooperates with USIM to complete network authentication. ME and USIM are collectively referred to as User Equipment (UE).

(3) SEAF: Access network to authenticate UE.

(4)AUSF: The home network authenticates the UE.

(5) UDM/ARP: stores user contract information, authentication data K, etc.

Optionally, the first device and the second device may respectively be devices supporting international cryptographic algorithms and/or commercial cryptographic algorithms, and the supported cryptographic algorithms and target cryptographic algorithms include international cryptographic algorithms and/or commercial cryptographic algorithms respectively.

Optionally, international cryptographic algorithms may include but are not limited to Advanced Encryption Standard (AES), SHA256, etc.

Optionally, the commercial cryptographic algorithm may include but is not limited to SM4, SM3, SM2, etc.

In this embodiment, operations related to network authentication and/or key derivation include but are not limited to calculating parameters required for network authentication according to the target cryptographic algorithm, including but not limited to RES*, KAUSF, KSEAF, KAMF, various keys subsequently used for communication with other network elements such as AMF, gNB, XRES*, KAUSF, HRES*, HXRES*, 5G HE AV, etc.

By adopting the authentication method described in the embodiment of the present invention, the first device can obtain the first parameter of at least one second device and determine the cryptographic algorithm supported by the corresponding second device. In this way, the first device can adaptively determine the cryptographic algorithm to be adopted based on the supported cryptographic algorithm and/or the cryptographic algorithm supported by the second device that performs network authentication and/or key derivation on the terminal to be compatible with different cryptographic algorithms. Therefore, even if a terminal that supports commercial cryptographic algorithms roams to a service network that does not support commercial cryptographic algorithms, when the first device does not support commercial cryptographic algorithms, the first device can also determine the target cryptographic algorithm based on the supported cryptographic algorithms and the cryptographic algorithms supported by at least one second device, thereby ensuring that relevant devices in the network authentication and/or key derivation process in various scenarios can be interconnected.

Optionally, the first parameter includes a preset indication bit for indicating whether the corresponding second device supports a commercial cryptographic algorithm.

For example, the preset indicator bit includes 1 bit. When the preset indicator bit is a first value (such as 1), it indicates that the second device supports the commercial encryption algorithm. When the preset indicator bit is a second value (such as 0), it indicates that the second device does not support the commercial encryption algorithm.

In another implementation manner, optionally, the first parameter includes one or more of the following:

A first bit array includes a plurality of first indicator bits, each first indicator bit corresponds to a type of encryption cryptographic algorithm, and is used to indicate whether the second device supports the corresponding type of encryption cryptographic algorithm; for example, the first bit array includes 2 first indicator bits, the 0th bit of the 2 first indicator bits corresponds to the encryption cryptographic algorithm AES, indicating whether AES is supported; if the 0th bit is a first value (such as 1), it indicates that AES is supported, and if it is a second value (such as 0), it indicates that AES is not supported; the 1st bit of the 2 second indicator bits corresponds to the encryption cryptographic algorithm SM4, indicating whether SM4 is supported; if the 0th bit is a first value (such as 1), it indicates that SM4 is supported, and if it is a second value (such as 0), it indicates that SM4 is not supported;

The second bit array includes a plurality of second indicator bits, each second indicator bit corresponds to a type of hash algorithm, and is used to indicate whether the second device supports the corresponding type of hash algorithm. Optionally, the hash algorithm includes a hash algorithm and a corresponding hmac algorithm. For example, the second bit array includes two second indicator bits, the 0th bit of the two second indicator bits corresponds to the SHA256 algorithm and/or the HAMC_SHA256 algorithm, indicating whether the corresponding SHA256 algorithm and/or the HAMC_SHA256 algorithm are supported. If the 0th bit is a first value (such as 1), it indicates that the corresponding SHA256 algorithm and/or the HAMC_SHA256 algorithm are supported; if it is a second value (such as 0), it indicates that the corresponding SHA256 algorithm and/or the HAMC_SHA256 algorithm are not supported; the first bit of the two second indicator bits corresponds to the SM3 algorithm and/or the HMAC_SM3 algorithm, indicating whether the corresponding SM3 algorithm and/or the HMAC_SM3 algorithm are supported. If the first bit is a first value (such as 1), it indicates that the corresponding SM3 algorithm and/or the HMAC_SM3 algorithm are supported; if it is a second value (such as 0), it indicates that the corresponding SM3 algorithm and/or the HMAC_SM3 algorithm are not supported.

In an embodiment of the present invention, optionally, the first parameter of a device (including a first device and a second device) can be expressed as XX_AS, and the first parameters of different devices are USIM_AS, ME_AS, SEAF_AS, etc., respectively, indicating the cryptographic algorithms supported by the corresponding devices in authentication and key derivation. If the first parameter XX_AS of one of the devices does not exist, it indicates that the corresponding device only supports international cryptographic algorithms and does not support commercial cryptographic algorithms.

In the embodiment of the present invention, in step S120, determining a target cryptographic algorithm according to the cryptographic algorithm supported by the first device and/or the first parameter includes:

If it is determined that the first device does not support a commercial cryptographic algorithm according to the cryptographic algorithms supported by the first device, determining that the target cryptographic algorithm is an international cryptographic algorithm;

In the case that the cryptographic algorithms supported by the first device include commercial cryptographic algorithms, the target cryptographic algorithm is determined according to the first parameters.

Optionally, the first device and the second device mentioned in the embodiments of the present invention (including but not limited to USIM, ME, SEAF, AUSF, UDM/ARPF) need to support international cryptographic algorithms and commercial cryptographic algorithms.

Optionally, a USIM that supports commercial cryptographic algorithms should use commercial cryptographic algorithms (that is, determined as target cryptographic algorithms) to calculate authentication parameters and provide an algorithm support status query interface. The ME can query whether the USIM supports commercial cryptographic algorithms through this interface. If this interface is not supported, it is considered that commercial cryptographic algorithms are not supported.

The UDM/ARPF that supports commercial cryptographic algorithms shall preferentially use the commercial cryptographic algorithms (that is, determined as the target cryptographic algorithms) to calculate the authentication parameters.

Optionally, AUSF and UDM/ARPF, AUSF and UDM/ARPF should support commercial cryptographic algorithms at the same time or not support commercial cryptographic algorithms.

In the embodiment of the present invention, optionally, the first device is one of USIM, ME, SEAF, AUSF, UDM/ARPF, and the at least one second device includes one or more of ME, USIM and SEAF.

Optionally, the first device is UDM/ARPF, and when UDM/ARPF does not support commercial cryptographic algorithms, the target cryptographic algorithm is determined to be an international cryptographic algorithm, and the international cryptographic algorithm is used to perform network authentication and/or key derivation related operations. In the case that UDM/ARPF supports commercial cryptographic algorithms, it is necessary to determine the target cryptographic algorithm for performing network authentication and/or key derivation related operations based on the first parameter of the USIM and the first parameter of the ME.

In this implementation manner, optionally, the first device is a unified data management function UDM or an authentication credential repository and processing function ARPF, and the first parameter of the at least one second device includes a first parameter of a USIM and a first parameter of a ME;

In a case where the cryptographic algorithm supported by the first device includes a commercial cryptographic algorithm, determining the target cryptographic algorithm according to the first parameter includes:

In the first parameter of the USIM, if the supported cryptographic algorithms include commercial cryptographic algorithms, the first target cryptographic algorithm in the target cryptographic algorithm is determined to be a commercial cryptographic algorithm, and the first target cryptographic algorithm is used to calculate the authentication vector of the terminal for network authentication and authentication (such as calculating 5G HE AV); in the first parameter of the ME, if the supported cryptographic algorithms include commercial cryptographic algorithms, the second target cryptographic algorithm in the target cryptographic algorithm is determined to be a commercial cryptographic algorithm, otherwise, the second target cryptographic algorithm in the target cryptographic algorithm is determined to be an international cryptographic algorithm; the second target cryptographic algorithm is used to calculate the authentication parameters of the terminal for network authentication and authentication (such as calculating K _AUSF and XRES*);

In the first parameter of the USIM, when the supported cryptographic algorithms include international cryptographic algorithms, it is determined that the first target cryptographic algorithm and the second target cryptographic algorithm in the target cryptographic algorithms are international cryptographic algorithms respectively.

Optionally, the first device is AUSF, and when AUSF does not support commercial cryptographic algorithms, the target cryptographic algorithm is determined to be an international cryptographic algorithm, and the international cryptographic algorithm is used to perform network authentication and/or key derivation related operations. In the case where AUSF supports commercial cryptographic algorithms, it is necessary to determine the target cryptographic algorithm for performing network authentication and/or key derivation related operations based on the first parameter of SEAF, the first parameter of USIM, and the first parameter of ME.

In this implementation manner, optionally, in the case where the cryptographic algorithms supported in the first parameter of the USIM and the first parameter of the SEAF both include commercial cryptographic algorithms, a third target cryptographic algorithm in the target cryptographic algorithms is determined to be a commercial cryptographic algorithm; in the case where any of the cryptographic algorithms supported in the first parameter of the USIM and the first parameter of the SEAF does not include a commercial cryptographic algorithm, the third target cryptographic algorithm in the target cryptographic algorithms is determined to be an international cryptographic algorithm; the third target cryptographic algorithm is used to calculate the first authentication parameter (such as calculating HXRES*);

In the case where the supported cryptographic algorithms in the first parameter of the USIM and the first parameter of the ME both include commercial cryptographic algorithms, a fourth target cryptographic algorithm among the target cryptographic algorithms is determined to be a commercial cryptographic algorithm; in the case where any of the supported cryptographic algorithms in the first parameter of the USIM and the first parameter of the ME does not include a commercial cryptographic algorithm, the fourth target cryptographic algorithm among the target cryptographic algorithms is determined to be an international cryptographic algorithm; the fourth target cryptographic algorithm is used to calculate a second authentication parameter of the terminal (such as calculating K _SEAF ).

Optionally, the first device is a USIM that supports commercial cryptographic algorithms, determines that the target cryptographic algorithm is a commercial cryptographic algorithm, and uses the commercial cryptographic algorithm to perform network authentication and/or key derivation related operations.

Optionally, the first device is a ME, and when the ME does not support a commercial cryptographic algorithm, the target cryptographic algorithm is determined to be an international cryptographic algorithm, and the international cryptographic algorithm is used to perform network authentication and/or key derivation related operations. In the case where the ME supports a commercial cryptographic algorithm, it is necessary to determine the target cryptographic algorithm for performing network authentication and/or key derivation related operations according to the first parameter of the USIM and/or the first parameter of the SEAF.

In this implementation manner, optionally, the first device is an ME, and the first parameter of the at least one second device includes a first parameter of a USIM and/or a first parameter of a SEAF;

Determining a target cryptographic algorithm according to the cryptographic algorithms supported by the first device includes:

In the first parameter of the USIM, when the supported cryptographic algorithms include commercial cryptographic algorithms, determining that a fifth target cryptographic algorithm in the target cryptographic algorithms is a commercial cryptographic algorithm, otherwise determining that the fifth target cryptographic algorithm in the target cryptographic algorithms is an international cryptographic algorithm; the fifth target cryptographic algorithm is used to calculate a third authentication parameter (such as used to calculate one or more of RES*, K _AUSF , and K _SEAF );

In the first parameter of the SEAF, when the supported cryptographic algorithms include commercial cryptographic algorithms, the sixth target cryptographic algorithm among the target cryptographic algorithms is determined to be a commercial cryptographic algorithm; otherwise, the sixth target cryptographic algorithm among the target cryptographic algorithms is determined to be an international cryptographic algorithm; the sixth target cryptographic algorithm is used to calculate the fourth authentication parameter (such as calculating _KAMF ).

Optionally, in this implementation manner, when the first device is a ME, the method further includes:

In a case where the acquired first parameters of at least one second device do not include the first parameters of the USIM, an algorithm support status query interface of the USIM is called to generate the first parameters of the USIM.

Optionally, the first device is SEAF, and when SEAF does not support commercial cryptographic algorithms, the target cryptographic algorithm is determined to be an international cryptographic algorithm, and the international cryptographic algorithm is used to perform network authentication and/or key derivation related operations. In the case that SEAF supports commercial cryptographic algorithms, it is necessary to determine the target cryptographic algorithm for performing network authentication and/or key derivation related operations based on the first parameter of the USIM and/or the first parameter of the ME.

In this implementation manner, optionally, the first device is a SEAF, and the first parameter of the at least one second device includes a first parameter of a USIM and/or a first parameter of a ME;

Determining a target cryptographic algorithm according to the cryptographic algorithms supported by the first device includes:

In the first parameter of the USIM, when the supported cryptographic algorithms include commercial cryptographic algorithms, determining that a seventh target cryptographic algorithm in the target cryptographic algorithms is a commercial cryptographic algorithm; otherwise, determining that the seventh target cryptographic algorithm in the target cryptographic algorithms is an international cryptographic algorithm; the seventh target cryptographic algorithm is used to calculate a fifth authentication parameter (such as calculating HRES*);

In the first parameter of the ME, if the supported cryptographic algorithms include commercial cryptographic algorithms, the eighth target cryptographic algorithm among the target cryptographic algorithms is determined to be a commercial cryptographic algorithm; otherwise, the eighth target cryptographic algorithm among the target cryptographic algorithms is determined to be an international cryptographic algorithm; the eighth target cryptographic algorithm is used to calculate the sixth authentication parameter (such as calculating _KAMF ).

In another implementation manner in the embodiment of the present invention, optionally, when the first device is a SEAF, the target cryptographic algorithm is determined according to the cryptographic algorithms supported by the first device;

Wherein, determining a target cryptographic algorithm according to the cryptographic algorithms supported by the first device includes:

In a case where the cryptographic algorithms supported by the first device include commercial cryptographic algorithms, determining that the target cryptographic algorithm is a commercial cryptographic algorithm;

In a case where the cryptographic algorithms supported by the first device do not include commercial cryptographic algorithms, the target cryptographic algorithm is determined to be an international cryptographic algorithm.

In the embodiment of the present invention, optionally, in step S110, obtaining a first parameter of at least one second device for performing network authentication and/or key derivation on the terminal includes at least one of the following:

Acquire a first message sent by a third device during a process of performing network authentication and/or key derivation on a terminal, wherein the first message includes at least one first parameter of the second device;

A first parameter of the second device is obtained according to the subscription data of the second device.

In one implementation manner, optionally, when the first device is a unified data management function UDM or an authentication credential repository and processing function ARPF, the third device includes an AUSF, and the second device includes at least one of an ME, a USIM, and a SEAF;

Wherein, obtaining a first parameter of at least one second device for performing network authentication and/or key derivation on the terminal includes at least one of the following:

Obtaining a first message sent by the AUSF, where the first message includes a first parameter of the ME and/or the SEAF;

A first parameter of the USIM is obtained according to the subscription data of the USIM.

In one implementation manner, optionally, when the first device is an AUSF, the third device includes a UDM, an ARPF and/or a SEAF, and the second device includes at least one of a ME, a USIM and a SEAF;

Wherein, obtaining a first parameter of at least one second device for performing network authentication and/or key derivation on the terminal includes at least one of the following:

Acquire a first message sent by SEAF, wherein the first message includes a first parameter of ME and a first parameter of SEAF;

Another first message sent by the UDM or the ARPF is acquired, where the another first message includes a first parameter of the USIM.

In one implementation manner, optionally, when the first device is a SEAF, the third device includes a ME and/or an AUSF, and the second device includes at least one of a ME and a USIM;

Wherein, obtaining a first parameter of at least one second device for performing network authentication and/or key derivation on the terminal includes at least one of the following:

Acquire a first message sent by the ME, where the first message includes a first parameter of the ME;

Obtain another first message sent by the AUSF, wherein the another first message includes a first parameter of the USIM.

In one implementation manner, optionally, when the first device is a ME, the third device includes a SEAF, and the second device includes at least one of a SEAF and a USIM;

Wherein, obtaining a first parameter of at least one second device for performing network authentication and/or key derivation on the terminal includes:

A first message sent by SEAF is obtained, where the first message includes a first parameter of SEAF and a first parameter of USIM.

In the embodiment of the present invention, optionally, the first parameter is included in a reserved field in the first message, or the first parameter is an additional parameter in the first message.

Optionally, the first parameter is included in the authentication management field AMF in the first message.

In an embodiment of the present invention, in one implementation mode, optionally, the method further includes:

A second message is sent to a fourth device according to the first message, wherein the second message includes a first parameter of the first device and/or at least one first parameter of the second device.

Optionally, when the cryptographic algorithm supported by the first device includes a commercial cryptographic algorithm, the second message includes a first parameter of the first device and/or at least one first parameter of the second device.

The following describes the specific implementation process of the authentication method according to the embodiment of the present invention in conjunction with the authentication process of the user equipment.

As shown in FIG. 2 , the implementation process of the authentication method according to the embodiment of the present invention includes:

1) ME will send an Initial Registration Request to the Security Anchor Function SEAF.

Optionally, when the ME needs to start the registration and authentication process, a first parameter ME_AS is generated according to the algorithm support status of the device, that is, a parameter indicating the cryptographic algorithms supported by the ME is generated.

Among them, ME_AS represents the cryptographic algorithms supported by ME in authentication and key derivation, including the status of related algorithms supported by the ME device itself, which can be all supported encryption algorithms, a list of hash algorithms, or the status of whether commercial secret algorithms are supported.

Optionally, ME_AS may be used as a newly added parameter of the initial registration request, or a reserved field in the initial registration request may be used. If a reserved field is used, it may be stored in a reserved field of UE security capability in the Registration Request message.

For example, the 7th to 9th bytes of the UE security capability defined in the protocol are reserved fields. Several fixed bits can be selected to store ME_AS. A bit set to 1 indicates support for commercial encryption algorithms (SM3 or SM4, etc.), and if set to 0, it indicates that the corresponding algorithm is not supported. If these bits are not used or do not exist, it indicates that the corresponding algorithm is not supported.

The ME sends the ME_AS to the SEAF via an Initial Registration Request. If the ME does not support the commercial encryption algorithm, the request may not include the ME_AS.

In this implementation, the ME may be the first device, and sends an initial registration request (Initial Registration Request) to the SEAF (the fourth device). That is, the initial registration request (Initial Registration Request) may be a second message, including the first parameter ME_AS of the ME.

2) SEAF sends the relevant parameters of ME's Initial Registration Request to AUSF through the terminal authentication request Nausf_UEAuthentication_Authenticate Request.

Optionally, when SEAF supports commercial cryptographic algorithms, ME_AS is identified and saved, and ME_AS and the first parameter SEAF_AS of SEAF (used to indicate the cryptographic algorithms supported by SEAF) are sent to AUSF through Nausf_UEAuthentication_Authenticate Request.

Optionally, SEAF_AS can be a new parameter in Nausf_UEAuthentication_Authenticate Request or a reserved field in the message; optionally, if SEAF does not support the commercial encryption algorithm or cannot identify ME_AS, this parameter can be ignored. SEAF may not generate SEAF_AS, but AUSF may determine through SEAF ID or maintain a SEAF list that supports the commercial encryption algorithm to replace SEAF_AS and determine whether SEAF supports the commercial encryption algorithm.

In this implementation, optionally, SEAF can be the first device, and obtain an initialization registration request (first message) sent by ME (second device), and the initialization registration request includes the first parameter ME_AS of ME. Optionally, SEAF also sends a terminal authentication request Nausf_UEAuthentication_Authenticate Request (second message) to AUSF (fourth device), and the terminal authentication request includes the first parameter of SEAF (first device) and/or the first parameter ME_AS of ME (second device).

In one implementation manner, the AUSF sends the ME_AS to the UDM/ARPF via a terminal authentication information acquisition request Nudm_UEAuthentication_Get Request.

Optionally, if AUSF supports commercial encryption algorithms, ME_AS and SEAF_AS are identified and saved, and ME_AS is sent to UDM/ARPF (ME_AS can be used as a new parameter, or a reserved field in the message can be used, etc.); if AUSF does not support commercial encryption algorithms, or cannot identify ME_AS, this parameter can be ignored.

In this implementation, AUSF may be the first device, and obtains the terminal authentication request Nausf_UEAuthentication_Authenticate Request (first message) sent by SEAF, and the terminal authentication request includes the first parameter of SEAF (second device) and/or the first parameter ME_AS of ME (second device). AUSF also sends a terminal authentication information acquisition request Nudm_UEAuthentication_Get Request (second message) to UDM/ARPF (fourth device), and the terminal authentication information acquisition request includes the first parameter ME_AS of ME.

3) UDM/ARPF creates a 5G HE AV (RAND, AUTN, XRES, CK, IK) for each Nudm_Authenticate_Get Request message. To do this, UDM/ARPF first generates an authentication vector with the "separation bit" of the Authentication Management Field (AMF) as 1. Then, UDM/ARPF shall derive K _AUSF and XRES*. Finally, UDM/ARPF shall create a 5G HE AV containing RAND, AUTN, XRES* and K _AUSF .

In the embodiment of the present application, optionally, if the UDM/ARPF does not support the commercial cryptographic algorithm, the international cryptographic algorithm is used to calculate 5G HE AV, and the international cryptographic algorithm is used to calculate K _AUSF and XRES*. That is, the UDM/ARPF that does not support the commercial cryptographic algorithm determines that the target cryptographic algorithm is the international cryptographic algorithm, which is used to perform network authentication and/or key derivation related operations.

Optionally, UDM/ARPF that supports commercial cryptographic algorithms performs the following processing:

According to the subscription data of USIM, query the commercial encryption algorithm support status of USIM corresponding to SUCI and generate USIM_AS.

Optionally, USIM_AS can be a newly added field, or a reserved field can be used. If the reserved field is used, USIM_AS can be saved in AMF. AMF is subsequently used to calculate 5G HE AV (RAND, AUTN, XRES, CK, IK), where AMF is included in AUTN. Since bits 8-15 of AMF (Authentication Management Field) are reserved bits, the default is 0. Several fixed bits can be selected to save USIM_AS. If a bit is set to 1, it means that a certain algorithm of commercial encryption (SM3 or SM4, etc.) is supported. If it is set to 0, it means that the corresponding algorithm is not supported. If the bits are not extended or do not exist, it means that the corresponding algorithm is not supported.

Optionally, when UDM/ARPF supports commercial cryptographic algorithms, the following processing is performed: If USIM_AS supports commercial cryptographic algorithms: 5G HE AV should be calculated using commercial cryptographic algorithms; that is, the first target cryptographic algorithm in the target cryptographic algorithm is a commercial cryptographic algorithm; If ME_AS supports commercial cryptographic algorithms, K _AUSF and XRES* should be calculated using commercial cryptographic algorithms, that is, the second target cryptographic algorithm in the target cryptographic algorithm is determined to be a commercial cryptographic algorithm, otherwise K _AUSF and XRES* are calculated using international algorithms, that is, otherwise the second target cryptographic algorithm is determined to be an international cryptographic algorithm. If USIM_AS does not support commercial cryptographic algorithms, 5G HE AV, K _AUSF and XRES* should be calculated using international cryptographic algorithms, that is, the first target cryptographic algorithm and the second target algorithm of the target cryptographic algorithm are determined to be international cryptographic algorithms, respectively.

In this implementation, optionally, UDM/ARPF can be the first device, and obtain the terminal authentication information acquisition request Nudm_UEAuthentication_Get Request (first message) sent by AUSF, including the first parameter ME_AS of ME (second device); in addition, UDM/ARPF can query the commercial encryption algorithm support status of the USIM corresponding to SUCI through the contract data of USIM, and generate the first parameter USIM_AS of USIM (second device).

4) UDM returns the requested 5G HE AV to AUSF in the Nudm_UEAuthentication_Get Response message and indicates that 5G HE AV is used for 5G AKA. If the Nudm_UEAuthentication_Get request contains the Subscription concealed identifier (SUCI), UDM will include the Subscription Permanent Identifier (SUPI) in the Nudm_UEAuthentication_Get response.

Optionally, the UDM supporting the commercial encryption algorithm includes USIM_AS in the terminal authentication information acquisition request response Nudm_UEAuthentication_Get Response message. Optionally, USIM_AS may be included in a reserved field in the message, or may be an additional field or parameter in the message.

In this implementation, the UDM may be the first device, and the terminal authentication information acquisition request response Nudm_UEAuthentication_Get Response message sent to the AUSF is the second message, including the first parameter of the USIM (second device).

5) AUSF shall temporarily save XRES* and the received SUCI or SUPI. AUSF may save K _AUSF .

6) AUSF shall generate a 5G AV based on the 5G HE AV received from UDM/ARPF, calculate HXRES* from XRES*, derive K _SEAF from K _AUSF , and then replace XRES* and K _AUSF in the 5G HE AV with HXRES* and K _SEAF respectively.

Optionally, if AUSF does not support commercial encryption algorithms, AUSF uses international encryption algorithms to calculate the above parameters; AUSF that supports commercial encryption algorithms can obtain and save USIM_AS from the message. If USIM_AS is saved in the AMF reserved field, AMF is obtained from the AUTN of 5G HE AV, and USIM_AS is obtained from AMF.

In this implementation, optionally, AUSF can be the first device, and obtains the first message (terminal authentication information acquisition request response Nudm_UEAuthentication_Get Response message) sent by UDM/ARPF (third device), including the first parameter USIM_AS of USIM (second device).

Optionally, when AUSF supports commercial cryptographic algorithms, the following processing is performed:

If SEAF_AS and USIM_AS support commercial cryptographic algorithms, the commercial cryptographic algorithms shall be used to calculate HXRES*, otherwise the international cryptographic algorithms shall be used to calculate HXRES*. That is, when the cryptographic algorithms supported in the first parameter of the USIM and the first parameter of the SEAF both include commercial cryptographic algorithms, the third target cryptographic algorithm in the target cryptographic algorithms (used to calculate the first authentication parameter HXRES*) is determined to be a commercial cryptographic algorithm; when any of the cryptographic algorithms supported in the first parameter of the USIM and the first parameter of the SEAF does not include a commercial cryptographic algorithm, the third target cryptographic algorithm in the target cryptographic algorithms (used to calculate the first authentication parameter HXRES*) is determined to be an international cryptographic algorithm.

If the ME_AS and the USIM_AS support commercial cryptographic algorithms, the commercial cryptographic algorithms shall be used to calculate K _SEAF , otherwise the international cryptographic algorithms shall be used for calculation. That is, when the cryptographic algorithms supported in the first parameter of the USIM and the first parameter of the ME both include commercial cryptographic algorithms, the fourth target cryptographic algorithm (used to calculate the second authentication parameter K _SEAF ) in the target cryptographic algorithms is determined to be a commercial cryptographic algorithm; when any of the cryptographic algorithms supported in the first parameter of the USIM and the first parameter of the ME does not include a commercial cryptographic algorithm, the fourth target cryptographic algorithm (used to calculate the second authentication parameter K _SEAF ) in the target cryptographic algorithms is determined to be an international cryptographic algorithm.

7) AUSF removes K _SEAF and sends 5G SE AV (RAND, AUTN, HXRES*) to SEAF through the terminal authentication Nausf_UEAuthentication_Authenticate response message.

Optionally, when AUSF supports the commercial encryption algorithm, the terminal authentication Nausf_UEAuthentication_Authenticate response message includes USIM_AS. Optionally, the USIM_AS can be an additional field or additional parameter in the response message, or a reserved field in the response message (such as a reserved field of AMF in AUTN).

In this implementation, optionally, the AUSF may be the first device, and sends a second message (terminal authentication Nausf_UEAuthentication_Authenticate response message) to the SEAF (the fourth device), including the first parameter of the USIM (the second device).

8) SEAF shall send RAND and AUTN to UE via NAS message (Auth-Req). The message shall also contain ngKSI used by UE and AMF to identify _KAMF and part of the native security context. The message shall also include ABBA parameters (for protection against downgrade attacks on security functions that may be introduced). ME shall forward RAND and AUTN in NAS message (Auth-Req) to USIM.

Optionally, when SEAF supports commercial encryption algorithms, SEAF_AS and USIM_AS should be sent to ME (SEAF_AS and USIM_AS can be added as parameters, or reserved fields in the message can be used, etc.), otherwise the parameter may not be included; ME that supports commercial encryption algorithms should identify and save SEAF_AS and USIM_AS (if USIM_AS is saved in the reserved field of AMF, USIM_AS is identified from AMF of AUTN), otherwise the parameter may be ignored. Optionally, SEAF may not generate SEAF_AS, but ME may determine through SEAF ID or maintain a list of SEAFs that support commercial encryption algorithms to replace SEAF_AS to determine whether SEAF supports commercial encryption algorithms.

In this implementation, optionally, SEAF may be the first device, and sends a second message (NAS message (Auth-Req)) to UE (fourth device), including a first parameter of SEAF (first device) and a first parameter of USIM (second device).

9) After the USIM receives RAND and AUTN, the USIM shall check whether the AUTN is accepted to verify whether the authentication vector is up to date. If the verification is successful, the USIM shall calculate the response RES and return RES, CK, and IK to the ME. Optionally, the USIM calculates Kc (i.e., GPRS Kc) from CK and IK using the conversion function c3 and sends it to the ME. The ME shall ignore the GPRS Kc, and the GPRS Kc shall not be stored on the USIM or ME.

Optionally, a USIM supporting commercial cryptographic algorithms shall use a commercial cryptographic algorithm to calculate AUTN (or select a corresponding algorithm based on the USIM_AS in the AMF of AUTN) and respond with RES, CK, IK and Kc, otherwise use an international cryptographic algorithm to calculate AUTN.

10) The ME shall calculate RES* from RES. The ME shall derive K _AUSF from CK||IK. The ME shall derive K _SEAF from K _AUSF . The ME accessing 5G shall check during authentication whether the "separation bit" of the AMF field of AUTN is set to 1. The "separation bit" is the 0th bit of the AMF field of AUTN. NOTE: This "separation bit" in the AMF of AUTN can no longer be used for operator specific purposes.

Optionally, if the ME does not support commercial encryption algorithms, the ME uses international encryption algorithms to calculate the above parameters; if the ME supports commercial encryption algorithms, the following processing is performed: If there is no USIM_AS parameter, the algorithm support status query interface of the USIM card can be called to generate USIM_AS.

If USIM_AS supports commercial cryptographic algorithms, RES*, KAUSF and KSEAF shall be calculated using the commercial cryptographic algorithms, otherwise RES*, KAUSF and KSEAF shall be calculated using international algorithms. That is, in the first parameter USIM_AS of the USIM, when the supported cryptographic algorithms include commercial cryptographic algorithms, the fifth target cryptographic algorithm (used to calculate the third authentication parameters RES*, KAUSF and KSEAF) in the target cryptographic algorithms is determined to be a commercial cryptographic algorithm, otherwise the fifth target cryptographic algorithm (used to calculate the third authentication parameters RES*, KAUSF and KSEAF) in the target cryptographic algorithms is determined to be an international cryptographic algorithm.

If SEAF_AS supports commercial cryptographic algorithms, _KAMF shall be calculated using the commercial cryptographic algorithms, otherwise, KAMF shall be calculated using the international algorithms. That is, in the first parameter of the SEAF, when the supported cryptographic algorithms include commercial cryptographic algorithms, the sixth target cryptographic algorithm (used to calculate the fourth authentication parameter _KAMF ) in the target cryptographic algorithms is determined to be a commercial cryptographic algorithm, otherwise, the sixth target cryptographic algorithm (used to calculate the fourth authentication parameter _KAMF ) in the target cryptographic algorithms is determined to be an international cryptographic algorithm.

11) The UE returns RES* to SEAF in the NAS message authentication response.

12) SEAF calculates HRES* from RES* and compares HRES* with HXRES*. If the two values are consistent, SEAF shall consider the authentication successful from the perspective of the serving network. If the UE is unreachable and SEAF never receives RES*, SEAF shall consider the authentication failed and indicate the failure to AUSF.

Optionally, if SEAF does not support commercial cryptographic algorithms, SEAF uses international cryptographic algorithms to calculate the above parameters; Optionally, SEAF that supports commercial cryptographic algorithms performs the following processing:

If the USIM_AS supports commercial cryptographic algorithms, HRES* shall be calculated using the commercial cryptographic algorithms; otherwise, HRES* shall be calculated using the international algorithms.

13) SEAF shall send the corresponding SUCI or SUPI from the UE to AUSF via the terminal authentication information request Nausf_UEAuthentication_Authenticate Request message.

14) Upon receiving a Nausf_UEAuthentication_Authenticate Request message containing a RES*, the AUSF may verify whether the AV has expired. If the AV has expired, the AUSF may consider the authentication unsuccessful from the perspective of the home network. The AUSF shall compare the received RES* with the stored XRES*. If the RES* and XRES* are consistent, the AUSF shall consider the authentication successful from the perspective of the home network.

15) The AUSF indicates to SEAF whether the authentication is successful via the Nausf_UEAuthentication_Authenticate Response response message of the terminal authentication information request. If the authentication is successful, K _SEAF shall be sent to SEAF via Nausf_UEAuthentication_Authenticate Response. If the AUSF receives SUCI from SEAF when starting authentication and the authentication is successful, the AUSF shall also include SUPI in the Nausf_UEAuthentication_AuthenticateResponse.

If authentication is successful, SEAF shall use the key K _SEAF received from the Nausf_UEAuthentication_Authenticate Response message as the anchor key. SEAF shall then derive _KAMF from K _SEAF , ABBA parameters and SUPI, and provide ngKSI and _KAMF to AMF.

Optionally, if SEAF does not support commercial cryptographic algorithms, SEAF uses international cryptographic algorithms to calculate the above parameters; SEAF that supports commercial cryptographic algorithms performs the following processing:

If ME_AS supports commercial cryptographic algorithms, it shall use the commercial cryptographic algorithms to calculate _KAMF ; otherwise, it shall use the international cryptographic algorithms to calculate _KAMF .

Optionally, if SUCI is used for this authentication, the SEAF shall provide the ngKSI and _KAMF to the AMF only after receiving the Nausf_UEAuthentication_Authenticate Response message containing the SUPI; no communication service shall be provided to the UE until the serving network knows the SUPI.

The authentication method described in the embodiment of the present invention is used to transmit messages between devices for network authentication and/or key derivation, including the cryptographic algorithms supported by the devices (such as one or more of USIM_AS, ME_AS and SEAF_AS). In this way, each device can adaptively adopt the corresponding cryptographic algorithm to perform related operations of network authentication and/or key derivation according to the cryptographic algorithm support status of the corresponding device, so as to adaptively be compatible with different cryptographic algorithms and realize the interconnection and interoperability requirements of different cryptographic algorithms.

One embodiment of the present invention further provides an authentication method, which is performed by a third device, as shown in FIG3 , and the method includes:

S310, during the process of network authentication and/or key derivation of the terminal, a first message is sent to a first device; wherein the first message includes a first parameter of at least one second device; the first parameter is used to indicate the cryptographic algorithm supported by the corresponding second device.

Optionally, the first device, the second device and the third device respectively include one or more of USIM, ME, SEAF, AUSF, UDM/ARPF.

The authentication method described in the embodiment of the present invention is used to transmit messages between devices for network authentication and/or key derivation, including the cryptographic algorithms supported by the devices (such as one or more of USIM_AS, ME_AS and SEAF_AS). In this way, each device can adaptively adopt the corresponding cryptographic algorithm to perform related operations of network authentication and/or key derivation according to the cryptographic algorithm support status of the corresponding device, so as to adaptively be compatible with different cryptographic algorithms and realize the interconnection and interoperability requirements of different cryptographic algorithms.

Optionally, in the authentication and authorization method, the first device is a unified data management function UDM or an authentication credential repository and processing function ARPF, the third device includes AUSF, and the second device includes at least one of ME and SEAF.

Optionally, in the authentication method, the first device is an AUSF, the third device is a SEAF, and the second device includes at least one of a ME and a SEAF; or

The first device is an AUSF, the third device is an UDM or an ARPF, and the second device includes a USIM.

Optionally, in the authentication method, the first device is a SEAF, the third device is a ME, and the second device includes the ME; or

The first device is a SEAF, the third device is an AUSF, and the second device includes a USIM.

Optionally, in the authentication method, the first device is a ME, the third device includes a SEAF, and the second device includes at least one of a SEAF and a USIM.

Optionally, in the authentication method, the first parameter includes a preset indication bit for indicating whether the corresponding second device supports a commercial cryptographic algorithm.

Optionally, in the authentication method, the first parameter includes one or more of the following:

a first bit array, comprising a plurality of first indicator bits, each first indicator bit corresponding to a type of encryption cryptographic algorithm, and used to indicate whether the second device supports the corresponding type of encryption cryptographic algorithm;

The second bit array includes multiple second indicator bits, each second indicator bit corresponds to a type of hash algorithm, and is used to indicate whether the second device supports the corresponding type of hash algorithm.

The specific implementation of the authentication method described in the embodiment of the present invention when applied to the third device can be combined with the detailed description of the specific implementation when applied to the first device, and will not be repeated here.

One embodiment of the present invention further provides a network device, wherein the network device is a first device. As shown in FIG. 4 , the first device 400 includes a processor 410, wherein the processor 410 is configured to:

Acquire a first parameter of at least one second device used for performing network authentication and/or key derivation on the terminal, wherein the first parameter is used to indicate a cryptographic algorithm supported by the corresponding second device;

Determining a target cryptographic algorithm according to the cryptographic algorithms supported by the first device and/or the first parameters;

According to the target cryptographic algorithm, network authentication and/or key derivation related operations are performed.

Optionally, in the network device, the processor 410 determines the target cryptographic algorithm according to the cryptographic algorithm supported by the first device and/or the first parameter, including:

If it is determined that the first device does not support a commercial cryptographic algorithm according to the cryptographic algorithms supported by the first device, determining that the target cryptographic algorithm is an international cryptographic algorithm;

In the case that the cryptographic algorithms supported by the first device include commercial cryptographic algorithms, the target cryptographic algorithm is determined according to the first parameters.

Optionally, in the network device, the at least one second device includes one or more of the following:

Mobile equipment ME, Universal Subscriber Identity Module USIM and Security Anchor Function SEAF.

Optionally, in the network device, the processor 410 obtains a first parameter of at least one second device for performing network authentication and/or key derivation on the terminal, including at least one of the following:

Acquire a first message sent by a third device during a process of performing network authentication and/or key derivation on a terminal, wherein the first message includes at least one first parameter of the second device;

A first parameter of the second device is obtained according to the subscription data of the second device.

Optionally, in the network device, when the first device is a unified data management function UDM or an authentication credential repository and processing function ARPF, the third device includes an AUSF, and the second device includes at least one of an ME, a USIM and a SEAF;

The processor 410 obtains a first parameter of at least one second device for performing network authentication and/or key derivation on the terminal, including at least one of the following:

Obtaining a first message sent by the AUSF, where the first message includes a first parameter of the ME and/or the SEAF;

A first parameter of the USIM is obtained according to the subscription data of the USIM.

Optionally, in the network device, when the first device is an AUSF, the third device includes a UDM, an ARPF and/or a SEAF, and the second device includes at least one of a ME, a USIM and a SEAF;

The processor 410 obtains a first parameter of at least one second device for performing network authentication and/or key derivation on the terminal, including at least one of the following:

Acquire a first message sent by SEAF, wherein the first message includes a first parameter of ME and a first parameter of SEAF;

Another first message sent by the UDM or the ARPF is acquired, where the another first message includes a first parameter of the USIM.

Optionally, in the network device, when the first device is a SEAF, the third device includes a ME and/or an AUSF, and the second device includes at least one of a ME and a USIM;

The processor 410 obtains a first parameter of at least one second device for performing network authentication and/or key derivation on the terminal, including at least one of the following:

Acquire a first message sent by the ME, where the first message includes a first parameter of the ME;

Obtain another first message sent by the AUSF, wherein the another first message includes a first parameter of the USIM.

Optionally, in the network device, when the first device is a ME, the third device includes a SEAF, and the second device includes at least one of a SEAF and a USIM;

The processor 410 obtains a first parameter of at least one second device for performing network authentication and/or key derivation on the terminal, including:

A first message sent by SEAF is obtained, where the first message includes a first parameter of SEAF and a first parameter of USIM.

Optionally, the network device further comprises a transceiver 420, which is used to:

A second message is sent to a fourth device, wherein the second message includes a first parameter of the first device and/or at least one first parameter of the second device.

Optionally, the network device, wherein, when the cryptographic algorithm supported by the first device includes a commercial cryptographic algorithm, the second message includes a first parameter of the first device and/or at least one first parameter of the second device.

Optionally, the network device, wherein the first device is a unified data management function UDM or an authentication credential repository and processing function ARPF, and the first parameter of the at least one second device includes a first parameter of a USIM and a first parameter of a ME;

In the case where the cryptographic algorithm supported by the first device includes a commercial cryptographic algorithm, the processor 410 determines the target cryptographic algorithm according to the first parameter, including:

In the first parameter of the USIM, if the supported cryptographic algorithms include commercial cryptographic algorithms, a first target cryptographic algorithm in the target cryptographic algorithms is determined to be a commercial cryptographic algorithm, and the first target cryptographic algorithm is used to calculate the authentication vector for the terminal to perform network authentication and authorization; in the first parameter of the ME, if the supported cryptographic algorithms include commercial cryptographic algorithms, a second target cryptographic algorithm in the target cryptographic algorithms is determined to be a commercial cryptographic algorithm, otherwise, the second target cryptographic algorithm in the target cryptographic algorithms is determined to be an international cryptographic algorithm; the second target cryptographic algorithm is used to calculate the authentication parameters for the terminal to perform network authentication and authorization;

In the first parameter of the USIM, when the supported cryptographic algorithms include international cryptographic algorithms, it is determined that the first target cryptographic algorithm and the second target cryptographic algorithm in the target cryptographic algorithms are international cryptographic algorithms respectively.

Optionally, the network device, wherein the first device is an AUSF, and the first parameter of the at least one second device includes a first parameter of a USIM, a first parameter of a ME, and a first parameter of a SEAF;

In the case where the cryptographic algorithm supported by the first device includes a commercial cryptographic algorithm, the processor 410 determines the target cryptographic algorithm according to the first parameter, including:

In the case where the cryptographic algorithms supported in the first parameter of the USIM and the first parameter of the SEAF both include commercial cryptographic algorithms, a third target cryptographic algorithm in the target cryptographic algorithms is determined to be a commercial cryptographic algorithm; in the case where any of the cryptographic algorithms supported in the first parameter of the USIM and the first parameter of the SEAF does not include a commercial cryptographic algorithm, the third target cryptographic algorithm in the target cryptographic algorithms is determined to be an international cryptographic algorithm; the third target cryptographic algorithm is used to calculate the first authentication parameter;

In the first parameter of the USIM and the first parameter of the ME, when the supported cryptographic algorithms both include commercial cryptographic algorithms, the fourth target cryptographic algorithm among the target cryptographic algorithms is determined to be a commercial cryptographic algorithm; in the first parameter of the USIM and the first parameter of the ME, when any of the supported cryptographic algorithms does not include a commercial cryptographic algorithm, the fourth target cryptographic algorithm among the target cryptographic algorithms is determined to be an international cryptographic algorithm; the fourth target cryptographic algorithm is used to calculate the second authentication parameter.

Optionally, the network device, wherein the first device is a ME, and the first parameter of the at least one second device includes a first parameter of a USIM and/or a first parameter of a SEAF;

The processor 410 determines a target cryptographic algorithm according to the cryptographic algorithms supported by the first device, including:

In the first parameter of the USIM, when the supported cryptographic algorithms include commercial cryptographic algorithms, determining that a fifth target cryptographic algorithm in the target cryptographic algorithms is a commercial cryptographic algorithm, otherwise determining that the fifth target cryptographic algorithm in the target cryptographic algorithms is an international cryptographic algorithm; the fifth target cryptographic algorithm is used to calculate a third authentication parameter;

In the first parameter of the SEAF, when the supported cryptographic algorithms include commercial cryptographic algorithms, the sixth target cryptographic algorithm among the target cryptographic algorithms is determined to be a commercial cryptographic algorithm; otherwise, the sixth target cryptographic algorithm among the target cryptographic algorithms is determined to be an international cryptographic algorithm; the sixth target cryptographic algorithm is used to calculate the fourth authentication parameter.

Optionally, in the network device, the processor 410 is further configured to:

In a case where the acquired first parameters of at least one second device do not include the first parameters of the USIM, an algorithm support status query interface of the USIM is called to generate the first parameters of the USIM.

Optionally, the network device, wherein the first device is a SEAF, and the first parameter of the at least one second device includes a first parameter of a USIM and/or a first parameter of a ME;

The processor 410 determines a target cryptographic algorithm according to the cryptographic algorithms supported by the first device, including:

In the first parameter of the USIM, when the supported cryptographic algorithms include commercial cryptographic algorithms, determining that a seventh target cryptographic algorithm in the target cryptographic algorithms is a commercial cryptographic algorithm; otherwise, determining that the seventh target cryptographic algorithm in the target cryptographic algorithms is an international cryptographic algorithm; the seventh target cryptographic algorithm is used to calculate a fifth authentication parameter;

In the first parameter of the ME, if the supported cryptographic algorithms include commercial cryptographic algorithms, the eighth target cryptographic algorithm among the target cryptographic algorithms is determined to be a commercial cryptographic algorithm; otherwise, the eighth target cryptographic algorithm among the target cryptographic algorithms is determined to be an international cryptographic algorithm; the eighth target cryptographic algorithm is used to calculate the sixth authentication parameter.

Optionally, in the network device, wherein the first device is a SEAF, the processor 410 determines the target cryptographic algorithm according to the cryptographic algorithms supported by the first device, including:

In a case where the cryptographic algorithms supported by the first device include commercial cryptographic algorithms, determining that the target cryptographic algorithm is a commercial cryptographic algorithm;

In a case where the cryptographic algorithms supported by the first device do not include commercial cryptographic algorithms, the target cryptographic algorithm is determined to be an international cryptographic algorithm.

Optionally, in the network device, the first parameter includes a preset indication bit for indicating whether the corresponding second device supports a commercial cryptographic algorithm.

Optionally, in the network device, the first parameter includes one or more of the following:

a first bit array, comprising a plurality of first indicator bits, each first indicator bit corresponding to a type of encryption cryptographic algorithm, and used to indicate whether the second device supports the corresponding type of encryption cryptographic algorithm;

The second bit array includes multiple second indicator bits, each second indicator bit corresponds to a type of hash algorithm, and is used to indicate whether the second device supports the corresponding type of hash algorithm.

Optionally, in the network device, the first parameter is included in a reserved field in the first message, or the first parameter is an additional parameter in the first message.

Optionally, the network device, wherein the first parameter is included in the authentication management field AMF in the first message.

One embodiment of the present invention further provides a network device, wherein the network device is a third device, as shown in FIG5 , the third device 500 includes a transceiver 510, wherein the transceiver 510 is used to:

During network authentication and/or key derivation of a terminal, a first message is sent to a first device; wherein the first message includes a first parameter of at least one second device; the first parameter is used to indicate a cryptographic algorithm supported by the corresponding second device.

Optionally, the network device, wherein the first device is a unified data management function UDM or an authentication credential repository and processing function ARPF, the third device includes AUSF, and the second device includes at least one of ME and SEAF.

Optionally, the network device, wherein the first device is an AUSF, the third device is a SEAF, and the second device includes at least one of a ME and a SEAF; or

The first device is an AUSF, the third device is an UDM or an ARPF, and the second device includes a USIM.

Optionally, in the network device, the first device is a SEAF, the third device is a ME, and the second device includes the ME; or

The first device is a SEAF, the third device is an AUSF, and the second device includes a USIM.

Optionally, the network device, wherein the first device is a ME, the third device includes a SEAF, and the second device includes at least one of a SEAF and a USIM.

Optionally, in the network device, the first parameter includes a preset indication bit for indicating whether the corresponding second device supports a commercial cryptographic algorithm.

Optionally, in the network device, the first parameter includes one or more of the following:

a first bit array, comprising a plurality of first indicator bits, each first indicator bit corresponding to a type of encryption cryptographic algorithm, and used to indicate whether the second device supports the corresponding type of encryption cryptographic algorithm;

The second bit array includes multiple second indicator bits, each second indicator bit corresponds to a type of hash algorithm, and is used to indicate whether the second device supports the corresponding type of hash algorithm.

One embodiment of the present invention further provides an authentication device, which is applied to a first device, as shown in FIG6 , and includes:

An acquisition module 610 is used to acquire a first parameter of at least one second device used to perform network authentication and/or key derivation on the terminal, wherein the first parameter is used to indicate a cryptographic algorithm supported by the corresponding second device;

A determination module 620, configured to determine a target cryptographic algorithm according to the cryptographic algorithms supported by the first device and/or the first parameters;

The authentication module 630 is used to perform network authentication and/or key derivation related operations according to the target cryptographic algorithm.

Optionally, in the authentication device, the determination module 620 determines the target cryptographic algorithm according to the cryptographic algorithm supported by the first device and/or the first parameter, including:

If it is determined that the first device does not support a commercial cryptographic algorithm according to the cryptographic algorithms supported by the first device, determining that the target cryptographic algorithm is an international cryptographic algorithm;

In the case that the cryptographic algorithms supported by the first device include commercial cryptographic algorithms, the target cryptographic algorithm is determined according to the first parameters.

Optionally, in the authentication apparatus, the at least one second device includes one or more of the following:

Mobile equipment ME, Universal Subscriber Identity Module USIM and Security Anchor Function SEAF.

Optionally, in the authentication device, the acquisition module 610 acquires a first parameter of at least one second device used for performing network authentication and/or key derivation on the terminal, including at least one of the following:

Acquire a first message sent by a third device during a process of performing network authentication and/or key derivation on a terminal, wherein the first message includes at least one first parameter of the second device;

A first parameter of the second device is obtained according to the subscription data of the second device.

Optionally, in the authentication and authorization apparatus, when the first device is a unified data management function UDM or an authentication credential repository and processing function ARPF, the third device includes an AUSF, and the second device includes at least one of an ME, a USIM and a SEAF;

The acquisition module 610 acquires a first parameter of at least one second device used for performing network authentication and/or key derivation on the terminal, including at least one of the following:

Obtaining a first message sent by the AUSF, where the first message includes a first parameter of the ME and/or the SEAF;

A first parameter of the USIM is obtained according to the subscription data of the USIM.

Optionally, in the authentication device, when the first device is an AUSF, the third device includes a UDM, an ARPF and/or a SEAF, and the second device includes at least one of a ME, a USIM and a SEAF;

The acquisition module 610 acquires a first parameter of at least one second device used for performing network authentication and/or key derivation on the terminal, including at least one of the following:

Acquire a first message sent by SEAF, wherein the first message includes a first parameter of ME and a first parameter of SEAF;

Another first message sent by the UDM or the ARPF is acquired, where the another first message includes a first parameter of the USIM.

Optionally, in the authentication device, when the first device is a SEAF, the third device includes a ME and/or an AUSF, and the second device includes at least one of a ME and a USIM;

The acquisition module 610 acquires a first parameter of at least one second device used for performing network authentication and/or key derivation on the terminal, including at least one of the following:

Acquire a first message sent by the ME, where the first message includes a first parameter of the ME;

Obtain another first message sent by the AUSF, wherein the another first message includes a first parameter of the USIM.

Optionally, in the authentication device, when the first device is a ME, the third device includes a SEAF, and the second device includes at least one of a SEAF and a USIM;

The acquisition module 610 acquires a first parameter of at least one second device used for performing network authentication and/or key derivation on the terminal, including:

A first message sent by SEAF is obtained, where the first message includes a first parameter of SEAF and a first parameter of USIM.

Optionally, the authentication device further comprises:

The second sending module 640 is configured to send a second message to a fourth device, wherein the second message includes a first parameter of the first device and/or at least one first parameter of the second device.

Optionally, in the authentication apparatus, when the cryptographic algorithm supported by the first device includes a commercial cryptographic algorithm, the second message includes a first parameter of the first device and/or at least one first parameter of the second device.

Optionally, in the authentication and authorization device, the first device is a unified data management function UDM or an authentication credential repository and processing function ARPF, and the first parameter of the at least one second device includes a first parameter of a USIM and a first parameter of a ME;

In the case where the cryptographic algorithm supported by the first device includes a commercial cryptographic algorithm, the determination module 620 determines the target cryptographic algorithm according to the first parameter, including:

In the first parameter of the USIM, if the supported cryptographic algorithms include commercial cryptographic algorithms, a first target cryptographic algorithm in the target cryptographic algorithms is determined to be a commercial cryptographic algorithm, and the first target cryptographic algorithm is used to calculate the authentication vector for the terminal to perform network authentication and authorization; in the first parameter of the ME, if the supported cryptographic algorithms include commercial cryptographic algorithms, a second target cryptographic algorithm in the target cryptographic algorithms is determined to be a commercial cryptographic algorithm, otherwise, the second target cryptographic algorithm in the target cryptographic algorithms is determined to be an international cryptographic algorithm; the second target cryptographic algorithm is used to calculate the authentication parameters for the terminal to perform network authentication and authorization;

In the first parameter of the USIM, when the supported cryptographic algorithms include international cryptographic algorithms, it is determined that the first target cryptographic algorithm and the second target cryptographic algorithm in the target cryptographic algorithms are international cryptographic algorithms respectively.

Optionally, in the authentication device, the first device is an AUSF, and the first parameter of the at least one second device includes a first parameter of a USIM, a first parameter of a ME, and a first parameter of a SEAF;

In the case where the cryptographic algorithm supported by the first device includes a commercial cryptographic algorithm, the determination module 620 determines the target cryptographic algorithm according to the first parameter, including:

In the case where the cryptographic algorithms supported in the first parameter of the USIM and the first parameter of the SEAF both include commercial cryptographic algorithms, a third target cryptographic algorithm in the target cryptographic algorithms is determined to be a commercial cryptographic algorithm; in the case where any of the cryptographic algorithms supported in the first parameter of the USIM and the first parameter of the SEAF does not include a commercial cryptographic algorithm, the third target cryptographic algorithm in the target cryptographic algorithms is determined to be an international cryptographic algorithm; the third target cryptographic algorithm is used to calculate the first authentication parameter;

In the first parameter of the USIM and the first parameter of the ME, when the supported cryptographic algorithms both include commercial cryptographic algorithms, the fourth target cryptographic algorithm among the target cryptographic algorithms is determined to be a commercial cryptographic algorithm; in the first parameter of the USIM and the first parameter of the ME, when any of the supported cryptographic algorithms does not include a commercial cryptographic algorithm, the fourth target cryptographic algorithm among the target cryptographic algorithms is determined to be an international cryptographic algorithm; the fourth target cryptographic algorithm is used to calculate the second authentication parameter.

Optionally, in the authentication device, the first device is a ME, and the first parameter of the at least one second device includes a first parameter of a USIM and/or a first parameter of a SEAF;

The determination module 620 determines a target cryptographic algorithm according to the cryptographic algorithms supported by the first device, including:

In the first parameter of the USIM, when the supported cryptographic algorithms include commercial cryptographic algorithms, determining that a fifth target cryptographic algorithm in the target cryptographic algorithms is a commercial cryptographic algorithm, otherwise determining that the fifth target cryptographic algorithm in the target cryptographic algorithms is an international cryptographic algorithm; the fifth target cryptographic algorithm is used to calculate a third authentication parameter;

In the first parameter of the SEAF, if the supported cryptographic algorithms include commercial cryptographic algorithms, the sixth target cryptographic algorithm among the target cryptographic algorithms is determined to be a commercial cryptographic algorithm; otherwise, the sixth target cryptographic algorithm among the target cryptographic algorithms is determined to be an international cryptographic algorithm; the sixth target cryptographic algorithm is used to calculate the fourth authentication parameter.

Optionally, in the authentication device, the authentication module 630 is further used to:

In a case where the acquired first parameters of at least one second device do not include the first parameters of the USIM, an algorithm support status query interface of the USIM is called to generate the first parameters of the USIM.

Optionally, in the authentication device, the first device is a SEAF, and the first parameter of the at least one second device includes a first parameter of a USIM and/or a first parameter of a ME;

The determination module 620 determines a target cryptographic algorithm according to the cryptographic algorithms supported by the first device, including:

In the first parameter of the USIM, when the supported cryptographic algorithms include commercial cryptographic algorithms, determining that a seventh target cryptographic algorithm in the target cryptographic algorithms is a commercial cryptographic algorithm; otherwise, determining that the seventh target cryptographic algorithm in the target cryptographic algorithms is an international cryptographic algorithm; the seventh target cryptographic algorithm is used to calculate a fifth authentication parameter;

In the first parameter of the ME, if the supported cryptographic algorithms include commercial cryptographic algorithms, the eighth target cryptographic algorithm among the target cryptographic algorithms is determined to be a commercial cryptographic algorithm; otherwise, the eighth target cryptographic algorithm among the target cryptographic algorithms is determined to be an international cryptographic algorithm; the eighth target cryptographic algorithm is used to calculate the sixth authentication parameter.

Optionally, in the authentication apparatus, wherein the first device is a SEAF, the determination module 620 determines the target cryptographic algorithm according to the cryptographic algorithms supported by the first device, including:

In a case where the cryptographic algorithms supported by the first device include commercial cryptographic algorithms, determining that the target cryptographic algorithm is a commercial cryptographic algorithm;

In a case where the cryptographic algorithms supported by the first device do not include commercial cryptographic algorithms, the target cryptographic algorithm is determined to be an international cryptographic algorithm.

Optionally, in the authentication device, the first parameter includes a preset indication bit for indicating whether the corresponding second device supports a commercial cryptographic algorithm.

Optionally, in the authentication device, the first parameter includes one or more of the following:

a first bit array, comprising a plurality of first indicator bits, each first indicator bit corresponding to a type of encryption cryptographic algorithm, and used to indicate whether the second device supports the corresponding type of encryption cryptographic algorithm;

The second bit array includes multiple second indicator bits, each second indicator bit corresponds to a type of hash algorithm, and is used to indicate whether the second device supports the corresponding type of hash algorithm.

Optionally, in the authentication device, the first parameter is included in a reserved field in the first message, or the first parameter is an additional parameter in the first message.

Optionally, in the authentication and authorization device, the first parameter is included in the authentication management field AMF in the first message.

One embodiment of the present invention further provides an authentication device, which is applied to a third device, as shown in FIG7 , and the device includes:

The first sending module 710 is used to send a first message to a first device during network authentication and/or key derivation of a terminal; wherein the first message includes a first parameter of at least one second device; the first parameter is used to indicate the cryptographic algorithm supported by the corresponding second device.

Optionally, in the authentication and authorization apparatus, the first device is a unified data management function UDM or an authentication credential repository and processing function ARPF, the third device includes AUSF, and the second device includes at least one of ME and SEAF.

Optionally, in the authentication apparatus, the first device is an AUSF, the third device is a SEAF, and the second device includes at least one of a ME and a SEAF; or

The first device is an AUSF, the third device is an UDM or an ARPF, and the second device includes a USIM.

Optionally, in the authentication apparatus, the first device is a SEAF, the third device is a ME, and the second device includes the ME; or

The first device is a SEAF, the third device is an AUSF, and the second device includes a USIM.

Optionally, in the authentication apparatus, the first device is a ME, the third device includes a SEAF, and the second device includes at least one of a SEAF and a USIM.

Optionally, in the authentication device, the first parameter includes a preset indication bit for indicating whether the corresponding second device supports a commercial cryptographic algorithm.

Optionally, in the authentication device, the first parameter includes one or more of the following:

a first bit array, comprising a plurality of first indicator bits, each first indicator bit corresponding to a type of encryption cryptographic algorithm, and used to indicate whether the second device supports the corresponding type of encryption cryptographic algorithm;

The second bit array includes multiple second indicator bits, each second indicator bit corresponds to a type of hash algorithm, and is used to indicate whether the second device supports the corresponding type of hash algorithm.

One embodiment of the present invention further provides a network device, which includes a processor, a memory, and a program stored in the memory and executable on the processor, wherein the program implements the authentication method as described in any one of the above items when executed by the processor.

Among them, the specific implementation method of executing the authentication method by the program running on the processor of the network device can refer to the detailed description when the authentication method is applied to the first device and the third device, and will not be repeated here.

In addition, a specific embodiment of the present invention further provides a readable storage medium on which a computer program is stored, wherein when the program is executed by a processor, the steps in the authentication method described in any one of the above items are implemented.

Specifically, the readable storage medium is applied to the first device or the third device mentioned above. When applied to the first device and the third device, the execution steps in the corresponding authentication method are as described in detail above and will not be repeated here.

In the several embodiments provided in the present application, it should be understood that the disclosed methods and devices can be implemented in other ways. For example, the device embodiments described above are only schematic. For example, the division of the units is only a logical function division. There may be other division methods in actual implementation, such as multiple units or components can be combined or integrated into another system, or some features can be ignored or not executed. Another point is that the mutual coupling or direct coupling or communication connection shown or discussed can be through some interfaces, indirect coupling or communication connection of devices or units, which can be electrical, mechanical or other forms.

In addition, each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may be physically included separately, or two or more units may be integrated into one unit. The above-mentioned integrated unit may be implemented in the form of hardware or in the form of hardware plus software functional units.

The above-mentioned integrated unit implemented in the form of a software functional unit can be stored in a computer-readable storage medium. The above-mentioned software functional unit is stored in a storage medium, including a number of instructions for a computer device (which can be a personal computer, a server, or a network device, etc.) to perform some steps of the sending and receiving methods described in various embodiments of the present invention. The aforementioned storage medium includes: U disk, mobile hard disk, read-only memory (Read-Only Memory, referred to as ROM), random access memory (Random Access Memory, referred to as RAM), disk or optical disk and other media that can store program codes.

The above is a preferred embodiment of the present invention. It should be pointed out that for ordinary personnel in this technical field, several improvements and modifications can be made without departing from the principles of the present invention. These improvements and modifications should also be regarded as the scope of protection of the present invention.

Claims (33)

1. An authentication method, characterized in that it is performed by a first device, and the method comprises: Acquire a first parameter of at least one second device used for performing network authentication and/or key derivation on the terminal, wherein the first parameter is used to indicate a cryptographic algorithm supported by the corresponding second device; Determining a target cryptographic algorithm according to the cryptographic algorithms supported by the first device and/or the first parameters; According to the target cryptographic algorithm, network authentication and/or key derivation related operations are performed. 2. The authentication method according to claim 1, characterized in that determining a target cryptographic algorithm according to the cryptographic algorithm supported by the first device and/or the first parameter comprises: If it is determined that the first device does not support a commercial cryptographic algorithm according to the cryptographic algorithms supported by the first device, determining that the target cryptographic algorithm is an international cryptographic algorithm; In the case that the cryptographic algorithms supported by the first device include commercial cryptographic algorithms, the target cryptographic algorithm is determined according to the first parameters. 3. The authentication method according to claim 1, wherein the at least one second device comprises one or more of the following: Mobile equipment ME, Universal Subscriber Identity Module USIM and Security Anchor Function SEAF. 4. The authentication method according to claim 1, wherein obtaining the first parameter of at least one second device used for performing network authentication and/or key derivation on the terminal comprises at least one of the following: Acquire a first message sent by a third device during a process of performing network authentication and/or key derivation on a terminal, wherein the first message includes at least one first parameter of the second device; A first parameter of the second device is obtained according to the subscription data of the second device. 5. The authentication method according to claim 4, characterized in that when the first device is a unified data management function UDM or an authentication credential repository and processing function ARPF, the third device includes an AUSF, and the second device includes at least one of an ME, a USIM and a SEAF; Wherein, obtaining a first parameter of at least one second device for performing network authentication and/or key derivation on the terminal includes at least one of the following: Obtaining a first message sent by the AUSF, where the first message includes a first parameter of the ME and/or the SEAF; A first parameter of the USIM is obtained according to the subscription data of the USIM. 6. The authentication method according to claim 4, characterized in that when the first device is AUSF, the third device includes UDM, ARPF and/or SEAF, and the second device includes at least one of ME, USIM and SEAF; Wherein, obtaining a first parameter of at least one second device for performing network authentication and/or key derivation on the terminal includes at least one of the following: Acquire a first message sent by SEAF, wherein the first message includes a first parameter of ME and a first parameter of SEAF; Another first message sent by the UDM or the ARPF is acquired, where the another first message includes a first parameter of the USIM. 7. The authentication method according to claim 4, characterized in that when the first device is a SEAF, the third device includes an ME and/or an AUSF, and the second device includes at least one of an ME and a USIM; Wherein, obtaining a first parameter of at least one second device for performing network authentication and/or key derivation on the terminal includes at least one of the following: Acquire a first message sent by the ME, where the first message includes a first parameter of the ME; Obtain another first message sent by the AUSF, wherein the another first message includes a first parameter of the USIM. 8. The authentication method according to claim 4, characterized in that when the first device is a ME, the third device includes a SEAF, and the second device includes at least one of a SEAF and a USIM; Wherein, obtaining a first parameter of at least one second device for performing network authentication and/or key derivation on the terminal includes: A first message sent by SEAF is obtained, where the first message includes a first parameter of SEAF and a first parameter of USIM. 9. The authentication method according to claim 1 or 4, characterized in that the method further comprises: A second message is sent to a fourth device, wherein the second message includes a first parameter of the first device and/or at least one first parameter of the second device. 10. The authentication method according to claim 9 is characterized in that, when the cryptographic algorithm supported by the first device includes a commercial cryptographic algorithm, the second message includes a first parameter of the first device and/or at least one first parameter of the second device. 11. The authentication method according to claim 2, characterized in that the first device is a unified data management function UDM or an authentication credential repository and processing function ARPF, and the first parameter of the at least one second device includes a first parameter of a USIM and a first parameter of a ME; In a case where the cryptographic algorithm supported by the first device includes a commercial cryptographic algorithm, determining the target cryptographic algorithm according to the first parameter includes: In the first parameter of the USIM, if the supported cryptographic algorithms include commercial cryptographic algorithms, a first target cryptographic algorithm in the target cryptographic algorithms is determined to be a commercial cryptographic algorithm, and the first target cryptographic algorithm is used to calculate the authentication vector for the terminal to perform network authentication and authorization; in the first parameter of the ME, if the supported cryptographic algorithms include commercial cryptographic algorithms, a second target cryptographic algorithm in the target cryptographic algorithms is determined to be a commercial cryptographic algorithm, otherwise, the second target cryptographic algorithm in the target cryptographic algorithms is determined to be an international cryptographic algorithm; the second target cryptographic algorithm is used to calculate the authentication parameters for the terminal to perform network authentication and authorization; In the first parameter of the USIM, when the supported cryptographic algorithms include international cryptographic algorithms, it is determined that the first target cryptographic algorithm and the second target cryptographic algorithm in the target cryptographic algorithms are international cryptographic algorithms respectively. 12. The authentication method according to claim 2, wherein the first device is an AUSF, and the first parameter of the at least one second device comprises a first parameter of a USIM, a first parameter of a ME, and a first parameter of a SEAF; In a case where the cryptographic algorithm supported by the first device includes a commercial cryptographic algorithm, determining the target cryptographic algorithm according to the first parameter includes: In the case where the cryptographic algorithms supported in the first parameter of the USIM and the first parameter of the SEAF both include commercial cryptographic algorithms, a third target cryptographic algorithm in the target cryptographic algorithms is determined to be a commercial cryptographic algorithm; in the case where any of the cryptographic algorithms supported in the first parameter of the USIM and the first parameter of the SEAF does not include a commercial cryptographic algorithm, the third target cryptographic algorithm in the target cryptographic algorithms is determined to be an international cryptographic algorithm; the third target cryptographic algorithm is used to calculate the first authentication parameter; In the first parameter of the USIM and the first parameter of the ME, when the supported cryptographic algorithms both include commercial cryptographic algorithms, the fourth target cryptographic algorithm among the target cryptographic algorithms is determined to be a commercial cryptographic algorithm; in the first parameter of the USIM and the first parameter of the ME, when any of the supported cryptographic algorithms does not include a commercial cryptographic algorithm, the fourth target cryptographic algorithm among the target cryptographic algorithms is determined to be an international cryptographic algorithm; the fourth target cryptographic algorithm is used to calculate the second authentication parameter. 13. The authentication method according to claim 2, characterized in that the first device is an ME, and the first parameter of the at least one second device includes a first parameter of a USIM and/or a first parameter of a SEAF; Determining a target cryptographic algorithm according to the cryptographic algorithms supported by the first device includes: In the first parameter of the USIM, if the supported cryptographic algorithm includes a commercial cryptographic algorithm, determining that a fifth target cryptographic algorithm in the target cryptographic algorithm is a commercial cryptographic algorithm, otherwise determining that the fifth target cryptographic algorithm in the target cryptographic algorithm is an international cryptographic algorithm; the fifth target cryptographic algorithm is used to calculate a third authentication parameter of the terminal; In the first parameter of the SEAF, when the supported cryptographic algorithms include commercial cryptographic algorithms, the sixth target cryptographic algorithm among the target cryptographic algorithms is determined to be a commercial cryptographic algorithm; otherwise, the sixth target cryptographic algorithm among the target cryptographic algorithms is determined to be an international cryptographic algorithm; the sixth target cryptographic algorithm is used to calculate the fourth authentication parameter. 14. The authentication method according to claim 13, characterized in that the method further comprises: In a case where the acquired first parameters of at least one second device do not include the first parameters of the USIM, an algorithm support status query interface of the USIM is called to generate the first parameters of the USIM. 15. The authentication method according to claim 2, wherein the first device is a SEAF, and the first parameter of the at least one second device comprises a first parameter of a USIM and/or a first parameter of a ME; Determining a target cryptographic algorithm according to the cryptographic algorithms supported by the first device includes: In the first parameter of the USIM, when the supported cryptographic algorithms include commercial cryptographic algorithms, determining that a seventh target cryptographic algorithm in the target cryptographic algorithms is a commercial cryptographic algorithm; otherwise, determining that the seventh target cryptographic algorithm in the target cryptographic algorithms is an international cryptographic algorithm; the seventh target cryptographic algorithm is used to calculate a fifth authentication parameter; In the first parameter of the ME, if the supported cryptographic algorithms include commercial cryptographic algorithms, the eighth target cryptographic algorithm among the target cryptographic algorithms is determined to be a commercial cryptographic algorithm; otherwise, the eighth target cryptographic algorithm among the target cryptographic algorithms is determined to be an international cryptographic algorithm; the eighth target cryptographic algorithm is used to calculate the sixth authentication parameter. 16. The authentication method according to claim 1, wherein the first device is a SEAF, and determining a target cryptographic algorithm according to cryptographic algorithms supported by the first device comprises: In a case where the cryptographic algorithms supported by the first device include commercial cryptographic algorithms, determining that the target cryptographic algorithm is a commercial cryptographic algorithm; In a case where the cryptographic algorithms supported by the first device do not include commercial cryptographic algorithms, the target cryptographic algorithm is determined to be an international cryptographic algorithm. 17. The authentication method according to claim 1, characterized in that the first parameter includes a preset indication bit for indicating whether the corresponding second device supports a commercial cryptographic algorithm. 18. The authentication method according to claim 1, wherein the first parameter comprises one or more of the following: a first bit array, comprising a plurality of first indicator bits, each first indicator bit corresponding to a type of encryption cryptographic algorithm, and used to indicate whether the second device supports the corresponding type of encryption cryptographic algorithm; The second bit array includes multiple second indicator bits, each second indicator bit corresponds to a type of hash algorithm, and is used to indicate whether the second device supports the corresponding type of hash algorithm. 19. The authentication method according to claim 4, characterized in that the first parameter is included in a reserved field in the first message, or the first parameter is an additional parameter in the first message. 20. The authentication method according to claim 4 or 19, characterized in that the first parameter is included in the authentication management field AMF in the first message. 21. An authentication method, characterized in that it is performed by a third device, and the method comprises: During the process of network authentication and/or key derivation of a terminal, a first message is sent to a first device; wherein the first message includes a first parameter of at least one second device; the first parameter is used to indicate the cryptographic algorithm supported by the corresponding second device. 22. The authentication method according to claim 21 is characterized in that the first device is a unified data management function UDM or an authentication credential repository and processing function ARPF, the third device includes AUSF, and the second device includes at least one of ME and SEAF. 23. The authentication method according to claim 21, wherein the first device is an AUSF, the third device is a SEAF, and the second device includes at least one of a ME and a SEAF; or The first device is an AUSF, the third device is an UDM or an ARPF, and the second device includes a USIM. 24. The authentication method according to claim 21, wherein the first device is a SEAF, the third device is a ME, and the second device includes the ME; or The first device is a SEAF, the third device is an AUSF, and the second device includes a USIM. 25. The authentication method according to claim 21, characterized in that the first device is a ME, the third device includes a SEAF, and the second device includes at least one of a SEAF and a USIM. 26. The authentication method according to claim 21 is characterized in that the first parameter includes a preset indication bit for indicating whether the corresponding second device supports a commercial cryptographic algorithm. 27. The authentication method according to claim 21, wherein the first parameter includes one or more of the following: a first bit array, comprising a plurality of first indicator bits, each first indicator bit corresponding to a type of encryption cryptographic algorithm, and used to indicate whether the second device supports the corresponding type of encryption cryptographic algorithm; The second bit array includes multiple second indicator bits, each second indicator bit corresponds to a type of hash algorithm, and is used to indicate whether the second device supports the corresponding type of hash algorithm. 28. A network device, wherein the network device is a first device, comprising a processor, wherein the processor is used to: Acquire a first parameter of at least one second device used for performing network authentication and/or key derivation on the terminal, wherein the first parameter is used to indicate a cryptographic algorithm supported by the corresponding second device; Determining a target cryptographic algorithm according to the cryptographic algorithms supported by the first device and/or the first parameters; According to the target cryptographic algorithm, network authentication and/or key derivation related operations are performed. 29. A network device, wherein the network device is a third device, comprising a transceiver, wherein the transceiver is used for: During the process of network authentication and/or key derivation of a terminal, a first message is sent to a first device; wherein the first message includes a first parameter of at least one second device; the first parameter is used to indicate the cryptographic algorithm supported by the corresponding second device. 30. An authentication device, characterized in that it is applied to a first device, and the device comprises: An acquisition module, used to acquire a first parameter of at least one second device used to perform network authentication and/or key derivation on the terminal, wherein the first parameter is used to indicate a cryptographic algorithm supported by the corresponding second device; a determination module, configured to determine a target cryptographic algorithm according to the cryptographic algorithms supported by the first device and/or the first parameters; The authentication module is used to perform network authentication and/or key derivation related operations according to the target cryptographic algorithm. 31. An authentication device, characterized in that it is applied to a third device, and the device comprises: The first sending module is used to send a first message to a first device during network authentication and/or key derivation of a terminal; wherein the first message includes a first parameter of at least one second device; the first parameter is used to indicate the cryptographic algorithm supported by the corresponding second device. 32. A network device, characterized in that it comprises a processor, a memory, and a program stored in the memory and executable on the processor, wherein when the program is executed by the processor, it implements the authentication and authorization method as described in any one of claims 1 to 20, or implements the authentication and authorization method as described in any one of claims 21 to 27. 33. A readable storage medium, characterized in that a program is stored on the readable storage medium, and when the program is executed by a processor, it implements the steps in the authentication and authentication method as described in any one of claims 1 to 20, or implements the steps in the authentication and authentication method as described in any one of claims 21 to 27.