[go: up one dir, main page]

CN119342471A - Distributed power supply service terminal authentication method, system, equipment, medium and product - Google Patents

Distributed power supply service terminal authentication method, system, equipment, medium and product Download PDF

Info

Publication number
CN119342471A
CN119342471A CN202411544283.6A CN202411544283A CN119342471A CN 119342471 A CN119342471 A CN 119342471A CN 202411544283 A CN202411544283 A CN 202411544283A CN 119342471 A CN119342471 A CN 119342471A
Authority
CN
China
Prior art keywords
terminal
message
key
authentication
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202411544283.6A
Other languages
Chinese (zh)
Inventor
蒋承伶
李维
陆忞
周昶
刘海璇
史筱玮
汪春
滕菲
李秋生
孙佳炜
郦竞伟
李天一
杨林青
季钰款
戴然
李静雅
朱红勤
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Electric Power Research Institute Co Ltd CEPRI
Nanjing Power Supply Co of State Grid Jiangsu Electric Power Co Ltd
Original Assignee
China Electric Power Research Institute Co Ltd CEPRI
Nanjing Power Supply Co of State Grid Jiangsu Electric Power Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Electric Power Research Institute Co Ltd CEPRI, Nanjing Power Supply Co of State Grid Jiangsu Electric Power Co Ltd filed Critical China Electric Power Research Institute Co Ltd CEPRI
Priority to CN202411544283.6A priority Critical patent/CN119342471A/en
Publication of CN119342471A publication Critical patent/CN119342471A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/068Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041Key generation or derivation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/069Authentication using certificates or pre-shared keys
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04SSYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

本发明公开了一种分布式电源业务终端认证方法、系统、设备、介质及产品。方法应用于分布式电源业务终端认证系统,分布式电源业务终端认证系统包括至少一个终端、5G网关和认证服务器,方法包括:利用用户名和密码启动终端认证,基于密钥生成中心建立TLS通道,以及终端和认证服务器进行挑战应答的进行认证,通过受保护的可扩展的身份验证协议结合密钥生成中心实现对终端身份的认证,该方案无需额外增加外设,在不增加成本的情况下,有效的提升了认证效率和安全性。

The present invention discloses a distributed power business terminal authentication method, system, device, medium and product. The method is applied to a distributed power business terminal authentication system, which includes at least one terminal, a 5G gateway and an authentication server. The method includes: starting terminal authentication using a user name and password, establishing a TLS channel based on a key generation center, and authenticating the terminal and the authentication server by challenge response, and authenticating the terminal identity through a protected scalable identity authentication protocol combined with a key generation center. The solution does not require additional peripherals and effectively improves authentication efficiency and security without increasing costs.

Description

Distributed power supply service terminal authentication method, system, equipment, medium and product
Technical Field
The embodiment of the invention relates to the technical field of communication safety, in particular to a distributed power supply service terminal authentication method, a system, equipment, a medium and a product.
Background
As distributed power sources (Distributed Generation, DG) such as photovoltaic and wind power are accessed into a power grid on a large scale, the safety and stability of the power grid face challenges. These distributed power sources have a number of widely distributed features. Through the cross-domain fusion networking of the 5G and the WiFi, the advantages of the 5G and the WiFi can be fully exerted, and the requirement of the distributed power supply business cluster regulation and control on a communication network is met.
Currently, non-3GPP networks can be connected to a 5G core network through a Non-3GPP interworking function (Non-3GPP InterWorking Function,N3IWF). The user terminal is first connected to an untrusted non-3GPP network, such as Wi-Fi, and then accesses the 5G core network through the N3IWF secure 5G gateway. The N3IWF is respectively connected to the control plane and the user plane functions of the 5G core network through an N2 interface and an N3 interface, so that the terminal can be accessed to the 5G core network from a non-trusted non-3GPP network. In the face of the situation that a mass of distributed power supply service terminals are accessed into a 5G+WiFi converged network, how to realize unified network authentication of the terminals becomes a problem to be solved.
In the cross-domain fusion of 5G and non-3 GPP networks, two access authentication modes of EAP-AKA and 5G-AKA are supported at present. However, these two authentication methods rely on the SIM card for identity verification, involving complex communication and key derivation processes with the authentication center and the home location register, and the authentication process is relatively complex and inefficient. Meanwhile, the two authentication modes have higher requirements on equipment, so that the problems of low authentication efficiency, poor security and high cost are caused.
Disclosure of Invention
The invention provides a distributed power supply service terminal authentication method, a system, equipment, a medium and a product, which are used for solving the problems of low authentication efficiency, poor safety and high cost of the existing terminal authentication method.
According to an aspect of the present invention, there is provided a distributed power service terminal authentication method applied to a distributed power service terminal authentication system, the distributed power service terminal authentication system including at least one terminal, a 5G gateway and an authentication server, the method including:
After receiving a Protected Extensible Authentication Protocol (PEAP) start authentication message sent by a 5G gateway, the terminal sends a PEAP terminal Hello response message to the authentication server through the 5G gateway, wherein the PEAP terminal Hello response message at least comprises a random number, an encryption algorithm list and a compression algorithm;
The authentication server generates a first message, and performs signcryption on the first message by using a server private key and a terminal public key to obtain a first signcryption message, and sends the first signcryption message and a server Hello message to the terminal through the 5G gateway, wherein the server Hello message at least comprises a target encryption algorithm and the compression algorithm, the target encryption algorithm is determined based on the encryption algorithm list, the server private key is determined based on a system parameter of a key generation center and a first initial private key, and the terminal public key is determined based on the system parameter;
the terminal generates a second message based on a terminal private key, a server public key and the first secret key, and performs secret signing on the second message by using the terminal private key and the server public key to obtain a second secret key message, and sends the second secret key message to the authentication server, wherein the terminal private key is determined based on the system parameter and a second initial private key, and the server public key is determined based on the system parameter;
The terminal encrypts a premaster secret key by utilizing the server public key under the condition that the authentication server confirms that the terminal is legal based on the second secret key message to obtain an encrypted premaster secret key, sends the encrypted premaster secret key to the authentication server through the 5G gateway, and calculates the premaster secret key and the random number by utilizing the target encryption algorithm to obtain a first session secret key;
The authentication server decrypts the encrypted premaster secret key by using the server private key to obtain the premaster secret key, determines a second session key by using the target encryption algorithm based on the premaster secret key and the random number, and sends a TSL confirmation message to the terminal through the 5G gateway, wherein the TSL confirmation message comprises the second session key and TLS FINISHED messages;
After receiving the TSL confirmation message, the terminal sends TLSOK messages to the authentication server through a 5G gateway to determine that the TSL channel is successfully established;
And the authentication server generates a first challenge message after receiving TLSOK messages, encrypts the first challenge message through the second session key, sends the obtained first encrypted challenge message to the terminal, and sends an EAP success message to the terminal after receiving challenge success messages sent by the terminal, so as to finish the authentication of the terminal.
According to another aspect of the present invention, there is provided a distributed power service-based terminal authentication system, which is characterized by comprising at least one terminal, a 5G gateway, and an authentication server, wherein:
the terminal is used for sending a PEAP terminal Hello response message to the authentication server through the 5G gateway after receiving a Protected Extensible Authentication Protocol (PEAP) start authentication message sent by the 5G gateway, wherein the PEAP terminal Hello response message at least comprises a random number, an encryption algorithm list and a compression algorithm;
The authentication server is configured to generate a first message, and sign-encrypt the first message by using a server private key and a terminal public key to obtain a first signed message, and send the first signed message and a server Hello message to the terminal through the 5G gateway, where the server Hello message at least includes a target encryption algorithm and the compression algorithm, the target encryption algorithm is determined based on the encryption algorithm list, the server private key is determined based on a system parameter of a key generation center and a first initial private key, and the terminal public key is determined based on the system parameter;
The terminal is configured to generate a second message when determining that the authentication server is legal based on a terminal private key, a server public key and the first secret signature message, and sign-encrypt the second message by using the terminal private key and the server public key to obtain a second secret signature message, and send the second secret signature message to the authentication server, where the terminal private key is determined based on the system parameter and a second initial private key, and the server public key is determined based on the system parameter;
The terminal is configured to encrypt a premaster key with the server public key to obtain an encrypted premaster key when the authentication server confirms that the terminal is legal based on the second secret key message, send the encrypted premaster key to the authentication server through the 5G gateway, and calculate the premaster key and the random number with the target encryption algorithm to obtain a first session key;
the authentication server is configured to decrypt the encrypted premaster secret key with the server private key to obtain the premaster secret key, determine a second session key with the target encryption algorithm based on the premaster secret key and the random number, and send a TSL acknowledgement message to the terminal through the 5G gateway, where the TSL acknowledgement message includes the second session key and TLS FINISHED messages;
the terminal is used for sending TLSOK messages to the authentication server through a 5G gateway after receiving the TSL confirmation message, and determining that the TSL channel is established successfully;
The authentication server is configured to generate a first challenge message after receiving TLSOK a message, encrypt the first challenge message with the second session key, send the obtained first encrypted challenge message to the terminal, and send an EAP success message to the terminal after receiving a challenge success message sent by the terminal, so as to complete authentication of the terminal.
According to another aspect of the present invention, there is provided an electronic device configured as a terminal or an authentication server in a distributed power service terminal authentication system, the electronic device comprising:
At least one processor, and
A memory communicatively coupled to the at least one processor, wherein,
The memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the corresponding steps in the distributed power service terminal authentication method according to any one of the embodiments of the present invention.
According to another aspect of the present invention, there is provided a computer readable storage medium storing computer instructions for causing a processor to implement the distributed power service terminal authentication method according to any one of the embodiments of the present invention when executed.
According to another aspect of the present invention, there is provided a computer program product comprising a computer program which, when executed by a processor, implements the distributed power service terminal authentication method according to any of the embodiments of the present invention.
According to the technical scheme provided by the embodiment of the invention, the user name and the password are utilized to start the terminal authentication, the TLS channel is established based on the key generation center, the terminal and the authentication server perform authentication of challenge response, and the authentication of the terminal identity is realized by combining the protected expandable identity authentication protocol with the key generation center.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the invention or to delineate the scope of the invention. Other features of the present invention will become apparent from the description that follows.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a distributed power service terminal authentication method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a method for generating a key based on an unlicensed bookmark secret according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of a distributed power service terminal authentication procedure according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a distributed power service terminal authentication system according to a second embodiment of the present invention;
fig. 5 is a schematic structural diagram of an electronic device according to a third embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
Fig. 1 is a flowchart of a distributed power service terminal authentication method according to a first embodiment of the present invention, where the present embodiment is applicable to a case of authenticating a distributed power service terminal, the method may be performed by a distributed power service terminal authentication system, the distributed power service terminal authentication system may be implemented in a form of hardware and/or software, and the distributed power service terminal authentication system may be configured in an electronic device. The distributed power supply service terminal authentication system comprises at least one terminal, a 5G gateway and an authentication server. As shown in fig. 1, the method includes:
S110, after receiving a Protected Expandable Authentication Protocol (PEAP) start authentication message sent by a 5G gateway, the terminal sends a PEAP terminal Hello response message to the authentication server through the 5G gateway, wherein the PEAP terminal Hello response message at least comprises a random number, an encryption algorithm list and a compression algorithm.
In this embodiment, a protected extensible authentication protocol (Protected Extensible Authentication Protocol, PEAP) is used to securely transfer authentication credentials by creating an encrypted tunnel in a wireless network. The open authentication message is used to initiate the PEAP authentication process, and may be, for example, an EAP-Request/PEAP/Start message. The PEAP terminal Hello Response message is used to indicate to the authentication server that the terminal is ready for authentication, and may be, for example, an EAP-Response/Client Hello message. The PEAP terminal Hello response message at least comprises a random number, an encryption algorithm list and a compression algorithm, and can also comprise a TLS protocol version, a session ID and the like.
Specifically, after receiving the PEAP start authentication message sent by the 5G gateway, the terminal generates a PEAP terminal Hello response message, where the PEAP terminal Hello response message is used to encapsulate the contents such as the random number, the encryption algorithm list supported by the terminal, the TLS protocol version, the session ID, the compression algorithm, and the like, and send the PEAP terminal Hello response message to the 5G gateway, and the 5G gateway sends the received PEAP terminal Hello response message to the authentication server.
S120, the authentication server generates a first message, and performs signcryption on the first message by using a server private key and a terminal public key to obtain a first signcryption message, and the first signcryption message and a server Hello message are sent to the terminal through the 5G gateway, wherein the server Hello message at least comprises a target encryption algorithm and the compression algorithm, the target encryption algorithm is determined based on the encryption algorithm list, the server private key is determined based on a system parameter of a key generation center and a first initial private key, and the terminal public key is determined based on the system parameter.
In this embodiment, the first message is used to verify the legitimacy of the identity of the authentication server. The key generation center is a device responsible for generating and managing keys, and is disposed on an authentication server in the present invention. The server Hello message is the first response message sent by the authentication server to the client in the TLS handshake process, and is used for confirming contents such as an encryption algorithm and a compression algorithm, for example, the server Hello message is a ServerHello message. The server Hello message includes at least a target encryption algorithm and a compression algorithm, wherein the target encryption algorithm is one encryption algorithm selected from a list of encryption algorithms.
Specifically, after PEAP authentication starts, a transport layer security protocol (Transport Layer Security, TLS) channel needs to be established, and during the establishment process, the validity of the authentication server and the terminal needs to be determined. Firstly, determining the validity of an authentication server, after the authentication server receives a PEAP terminal Hello response message, determining a server private key of the authentication server by using a system parameter in a key generation center and a first initial private key generated by the key generation center, and receiving a terminal public key sent by the key center, wherein the terminal public key is determined by a terminal based on the system parameter. After the server private key and the terminal public key are obtained, the authentication server generates a first message, and the first message is signed based on an elliptic curve finite field by utilizing the server private key and the terminal public key to obtain a first secret signature message, and then the first secret signature message and the server Hello message are sent to the terminal through the 5G gateway.
S130, the terminal generates a second message under the condition that the authentication server is legal based on a terminal private key, a server public key and the first secret signature message, and performs signature on the second message by utilizing the terminal private key and the server public key to obtain a second secret signature message, and sends the second secret signature message to the authentication server, wherein the terminal private key is determined based on the system parameter and a second initial private key, and the server public key is determined based on the system parameter.
In this embodiment, the terminal private key is determined by the terminal based on the system parameter and a second initial private key, which is generated by the key generation center and sent to the terminal. The server public key is determined by the authentication server based on the system parameters and is sent to the terminal through the key generation center.
Specifically, after receiving the first secret sign message, the terminal decrypts the first secret sign message by using the terminal private key and the server public key to obtain a decryption result, further judges the validity of the authentication server based on the decryption result, and generates a second message under the condition that the authentication server is legal, so that the authentication server confirms the validity of the terminal. And then, the terminal private key and the server public key are utilized to carry out signcryption on the second message, so as to obtain a second signcryption message, and the second signcryption message is sent to the authentication server.
And S140, when the authentication server confirms that the terminal is legal based on the second secret key message, encrypting a premaster secret key by utilizing the server public key to obtain an encrypted premaster secret key, transmitting the encrypted premaster secret key to the authentication server through the 5G gateway, and calculating the premaster secret key and the random number by utilizing the target encryption algorithm to obtain a first session secret key.
In this embodiment, the premaster secret is a temporary secret generated during the TLS channel handshake phase, and is used to derive a subsequent session key to ensure communication security, for example, the premaster secret may be PREMASTERSCERET.
Specifically, after receiving the second secret sign message, the authentication server decrypts the second secret sign message, judges the validity of the terminal by using the result after decryption, and sends a relevant message to the terminal under the condition that the terminal is determined to be legal so as to inform the terminal that verification is successful.
After receiving the related message, the terminal encrypts the premaster secret key by using the server public key to obtain an encrypted premaster secret key, and sends the encrypted premaster secret key to the authentication server through the 5G gateway. Meanwhile, the terminal calculates the premaster secret key and the random number through a target encryption algorithm to obtain a first session secret key, so as to be used for encryption work when the subsequent terminal and the authentication server conduct session.
S150, the authentication server decrypts the encrypted premaster secret key by using the server private key to obtain the premaster secret key, determines a second session key by using the target encryption algorithm based on the premaster secret key and the random number, and sends a TSL confirmation message to the terminal through the 5G gateway, wherein the TSL confirmation message comprises the second session key and TLS FINISHED messages.
In this embodiment, TLS FINISHED messages are used to confirm that the TSL handshake is complete.
Specifically, after receiving the encrypted premaster secret key, the authentication server decrypts the encrypted premaster secret key by using a server private key to obtain the premaster secret key, and further calculates the premaster secret key and the random number by using a target encryption algorithm to obtain the second session secret key. And packaging the second session key and TLS FINISHED information into a TSL confirmation information, packaging the TSL confirmation information into an access-challenge of an EAP over RADIUS message, sending the TSL confirmation information to the 5G gateway, and sending the TSL confirmation information to the terminal through the 5G gateway in an EAP-Request message.
And S160, after receiving the TSL confirmation message, the terminal sends TLSOK a message to the authentication server through a 5G gateway to determine that the TSL channel is successfully established.
In this embodiment, the TLSOK message is used to indicate that the TLS security channel has been successfully established, for example, the TLSOK message may be an EAP-Response/TLSOK message.
Specifically, after receiving the TSL acknowledgement message, the terminal sends TLSOK a message to the authentication server through the 5G gateway, thereby completing the establishment of the TSL channel.
S170, the authentication server generates a first challenge message after receiving TLSOK messages, encrypts the first challenge message through the second session key, sends the obtained first encrypted challenge message to the terminal, and sends an EAP success message to the terminal after receiving challenge success messages sent by the terminal, so that terminal authentication is completed.
In this embodiment, the EAP Success message is used to indicate that the authentication of the terminal is successful, for example, the EAP Success message may be an EAP-Success message.
Specifically, after the TSL channel is successfully established, the session security is ensured through the mutual authentication of the authentication server and the terminal. After receiving TLSOK messages, the authentication server generates first challenge information, such as EAP-Request/EAP-MS-CHAP-V2 challenge information, encrypts the first challenge information through a second session key, sends the obtained first encrypted challenge information to the terminal, and then the terminal carries out challenge response, and after receiving challenge success information sent by the terminal, sends EAP success information to the terminal to finish terminal authentication.
According to the technical scheme provided by the embodiment of the invention, the user name and the password are utilized to start the terminal authentication, the TLS channel is established based on the key generation center, the terminal and the authentication server perform authentication of challenge response, and the authentication of the terminal identity is realized by combining the protected expandable identity authentication protocol with the key generation center.
In some embodiments, the terminal determines a first private value based on the system parameter and the identity ID of the terminal, determines a terminal public key based on the system parameter and the first private value, determines a terminal private key based on the system parameter, the first initial private key and the first private value, determines a second private value based on the system parameter and the IP address of the authentication server, determines a server public key based on the system parameter and the second private value, and determines a server private key based on the system parameter, the second initial private key and the second private value.
Specifically, in the process of establishing the TSL channel, a certificateless signcryption mechanism is introduced, namely, in the invention, a key generation center is only responsible for generating partial private keys, and a complete private key and a complete public key are generated by a terminal and an authentication server. The generation process is as follows:
a key generation center (Key Generation Center, KGC) selects a master key and security parameters as input and outputs system parameters, wherein the KGC independently reserves the master key L (not disclosed) and discloses the system parameters;
Generating a first initial private key (namely a part of private key) of the terminal by KGC according to the identity ID of the terminal, the master key and the system parameters, and sending the first initial private key to the terminal; the terminal uses the identity ID, the system parameters and the first secret value to generate a terminal public key, wherein the terminal uses the identity ID, the system parameters and the first secret value as a terminal public key, and the terminal public key is a complete public key and announces the terminal public key to an authentication server through KGC;
The method comprises the steps of generating a second initial private key (namely a part of private key) of an authentication server by KGC according to an IP address, a main key and system parameters of the authentication server, generating a second private value by the authentication server by using the IP address and the system parameters as a long-term private key, wherein the private key is completely secret to the KGC, obtaining an authentication server private key by the authentication server by using the IP address, the second initial private key and the second private value through calculation, wherein the authentication server private key is a complete private key and is not disclosed, obtaining a server public key by the authentication server by using the IP address, the system parameters and the second private value, and informing the server public key to a terminal through the KGC.
By the technical scheme, the certificate-free signcryption system is introduced, compared with the traditional public key cryptosystem, certificate management, key escrow and complex cryptographic operation are avoided, the complexity of calculation and the consumption of storage space are reduced, the operation efficiency is improved, and the safety and low-delay transmission of distributed power supply business data are effectively ensured.
For example, taking a transmitting end as a terminal and a receiving end as an authentication server as an example, fig. 2 is a schematic diagram of generating a key based on an unlicensed bookmark secret system according to an embodiment of the present invention. As shown in fig. 2, KGC generates partial keys of a transmitting end and a receiving end respectively, the transmitting end and the receiving end generate respective secret values respectively, and further generate respective private keys based on the respective secret values and the partial keys, and simultaneously generate respective public keys respectively, in the information message transmission process, the transmitting end uses the private keys of the transmitting end and the public keys of the opposite end to carry out signcryption, and then the private keys of the transmitting end and the public keys of the opposite end are transmitted to the receiving end through a channel, and the receiving end uses the private keys of the transmitting end and the public keys of the opposite end to carry out signcryption.
In some embodiments, before receiving the PEAP start authentication message sent by the 5G gateway, the terminal further comprises a user name and a password input by a user, generates an authentication request based on the user name and the password, and sends the authentication request to the 5G gateway, the 5G gateway sends user identity request information to the terminal after receiving the authentication request, the user identity request information comprises request information of the terminal identity ID, the terminal responds to the user identity request information and sends user identity response information to the authentication server through the 5G gateway, the user identity response information comprises the terminal identity ID, the authentication server judges whether the terminal identity ID exists in a preset equipment list or not after receiving the user identity response information, and if so, the 5G gateway sends the PEAP start authentication message to the terminal.
In this embodiment, the user Identity Request information is used to Request the user Identity information, where the information includes Request information of the terminal Identity ID, for example, the user Identity Request information may be an EAP-Request/Identity data frame. The user Identity Response information is used for replying to the user Identity request information, and the data frame includes a terminal Identity ID, for example, the user Identity Response information may be an EAP-Response/Identity data frame. The preset device list is preset and is used for storing and utilizing the MD5 algorithm to generate irreversible HASH values for the user name, the password and the terminal identity ID. The PEAP initiation authentication message is used to initiate PEAP authentication, for example, the PEAP initiation authentication message may be an EAP-Request/Start data frame.
Specifically, when the terminal is accessed into the 5G+WiFi converged networking, the user name and the password are utilized to start PECLAP authentication and authentication initialization, namely the terminal receives the user name and the password input by the user, generates an authentication request based on the user name and the password, sends the authentication request to the 5G gateway, and after receiving the authentication request, the 5G gateway sends user identity request information to the terminal to request user identity information, and the terminal replies user identity response information to the 5G gateway, wherein the information comprises the user name, the password and a terminal identity ID. And after receiving the user identity response information, the authentication server calculates a HASH value through an MD5 algorithm by using a user name, a password and a terminal identity ID in the user identity response information, searches in a preset list, and if the HASH value is found, sends a PEAP start authentication message to the terminal through the 5G gateway. The terminal authentication opening and initialization are realized, and a foundation is laid for further authentication.
In some embodiments, after the authentication server sends the obtained first encrypted challenge message to the terminal, the authentication server further comprises decrypting the first encrypted challenge message by using the first session key, generating a first response message of the first challenge message by using a secure hash algorithm operation based on the user name, the password, the identity ID of the terminal and the random number, encrypting the first response message and the second challenge message by using the first session key, sending the obtained first encrypted response message and the second encrypted challenge message to the authentication server, decrypting the first encrypted response message and the second encrypted challenge message by using the second session key, obtaining a first response message and a second response message, and sending a verification passing message to the terminal through the 5G gateway when the first response message is confirmed to be correct, wherein the verification passing message comprises the second challenge message, the verification passing message is the second challenge message, and after the first challenge message passes the decryption key, the authentication passing message is successfully authenticated by the first challenge message and the authentication server.
In this embodiment, the secure hash algorithm is a series of cryptographic hash functions capable of converting data of arbitrary length into a fixed length hash value, typically used to ensure the integrity of the data and to generate digital signatures. For example, the secure hash algorithm may be a SHA-1 hash algorithm.
Specifically, after receiving the first encrypted Challenge information, the terminal decrypts the first encrypted Challenge information by using a first session key to obtain first Challenge information, further responds to the Challenge by using a SHA-1 hash algorithm based on information such as a user name, a password, a terminal identity ID, a random number and the like, generates a first response message and a second Challenge message of the first Challenge message, encrypts the first response message and the second Challenge message by using the first session key to obtain a first encrypted response message and a second encrypted Challenge message, and sends the two encrypted messages to an authentication server, the authentication server decrypts the first encrypted response message and the second encrypted Challenge message by using the second session key to obtain the first response message and the second response message, and judges whether the first response message is correct, and sends a verification passing message to the terminal by using a 5G gateway under the condition of confirming that the first response message is correct, wherein the verification passing message can be a radio Access-change/EAP-Request/EAP-ExtensionsSuccessResultTLV, and the authentication server sends the first Challenge message to the authentication server by using the second session key to verify that the first Challenge message passes through the authentication server, and if the authentication server is successful, and the authentication of the first Challenge message is successful, and if the authentication server passes through the authentication of the first Challenge message is successful, and the authentication server is completed. Through the technical scheme, the security problem caused by directly sending the user name and the password is effectively avoided, and the security and the high efficiency of the bidirectional authentication of the terminal and the authentication server are ensured.
In some embodiments, the identity ID of the terminal is determined based on a physical unclonable function.
In this embodiment, the physical unclonable function (PHYSICALLY UNCLONABLE FUNCTIONS, PUF) is a secure technology that exploits the inherent physical randomness of semiconductor devices to produce unclonable and unique identifiers. In this embodiment for generating a unique identity ID for the terminal. The identity verification mechanism with high security is provided, and the irreproducibility and unpredictability of the identity ID of the terminal are ensured, so that the security and the attack resistance of the terminal equipment are enhanced.
In certain embodiments, the first message is generated based on the random number, a terminal identity ID and a first timestamp, the terminal identity ID is sent to the authentication server by the terminal, the terminal generates a second message when determining that the authentication server is legal based on the terminal private key, the server public key and the first secret signature message, the terminal uses the terminal private key and the server public key to decrypt the first secret signature message to obtain a decryption result, and the authentication server is determined to be legal when the terminal identity ID and the terminal identity ID are identical in the decryption result, and the second message is generated based on the decryption result, the terminal identity ID and the second timestamp.
In this embodiment, the first message is a challenge code generated by the authentication server using the random number, the terminal ID, and the first timestamp, where the terminal ID is sent to the authentication server by the terminal.
Specifically, the authentication server generates a first message by using a random number, a terminal identity ID and a first timestamp, then performs signing on the first message by using an elliptic curve finite field based on a server private key and a terminal public key to obtain a first signing message, then selects a group of encryption algorithms from an encryption algorithm list as a target encryption algorithm, combines the contents such as a compression algorithm and the like to form a server Hello message, for example, serverHello sends the first signing message and the server Hello message to the terminal through the 5G gateway, and the terminal performs signing on the first signing message by using the terminal private key and the server public key to obtain a signing result, further judges whether the terminal identity ID in the signing result is consistent with the terminal local identity ID, and generates a second message by using the terminal private key and the authentication server public key under the condition that the signing result, the terminal local identity ID and the second timestamp are consistent, and sends the second message to the authentication server after signing, so that the authentication server confirms the identity of the terminal is legal. Through the technical scheme, the authentication safety is effectively improved.
Fig. 3 is a schematic diagram of a distributed power service terminal authentication procedure according to an embodiment of the present invention, where the schematic diagram is shown in fig. 3:
In the authentication initialization stage, a terminal sends EAPol Start message to a 5G gateway to start PEAP authentication, wherein the EAPol Start message comprises a user name and a password (not shown in the figure) input by a user, the 5G gateway sends an EAP-Request/Identity message to the terminal to Request user Identity information after receiving EAPol Start message, the terminal sends an EAP-Response/Identity message to the 5G gateway after receiving the EAP-Request/Identity message, the message comprises the user information such as the user name, the password and the terminal Identity ID, and further, the 5G gateway sends the EAP-Response/Identity message to an authentication Server (RADIUS) in a message format of EAP over RADIUS, and carries relevant RADIUS attribute (not shown in the figure), and after receiving the EAP-Response/Identity message, the authentication Server calculates a preset value of the user name, the password and the terminal Identity ID in the EAP-Response/Identity message through an MD5 HASS algorithm, and then sends the EAP-Response/Identity message to a Server (RADIUS Server) to generate a preset value (map, if the preset value is not shown in the map is generated, and the user name/Identity is sent to the terminal 35;
In the stage of establishing TLS channel, after receiving EAP-Request/PEAP/Start message, the terminal generates a random number, a list of encryption algorithm supported by the terminal, TLS protocol version, session ID and compression method, etc., and encapsulates the message in EAP-Response/Client Hello message to send to 5G gateway;
Further, a terminal private key, a terminal public key, a server private key and a server public key (not shown in the figure) are confirmed by introducing a certificate-free system, after the public key and the private key are obtained, an authentication server generates a first message by utilizing a random number, a terminal identity ID and a time stamp, the authentication server uses the private key of the authentication server and the public key of a distributed power service terminal to carry out signature based on an elliptic curve finite field, and the authentication server selects a group of encryption algorithms, combines the contents such as a Session ID and a compression algorithm of the authentication server to form a ServerHello, encapsulates the first message after the ServerHello is added with the signature in an Access-Challenge message and sends the Access-Challenge message to a 5G gateway, and the 5G gateway further encapsulates the first message in an EAP-Request and sends the EAP-Request to the distributed power service terminal;
The distributed power supply business terminal uses the terminal private key and the server public key to conduct decryption, the terminal judges whether the terminal identity ID obtained after decryption is consistent with the local identity ID, if the terminal is consistent, the terminal identity ID and the time stamp are added to the result obtained after decryption to generate a second message, the terminal private key and the server public key are used for conducting decryption, and then the second message is sent to the authentication server, so that the authentication server can confirm the validity of the terminal identity. After determining that the authentication server is legal, the terminal generates PREMASTERSCERET, encrypts the authentication server by using a server public key and encapsulates the encrypted information in a message access-challenge of EAP-Response/TLS OK to be sent to a 5G gateway, the 5G gateway sends the EAP-Response/TLS OK to the authentication server in a message format of EAP over RADIUS, the authentication server verifies the correctness of the message, the authentication server decrypts by using a private key of the authentication server to obtain PERMASTERSCERET, both communication parties respectively use a target encryption algorithm based on PERMASTERSCERET and a random number to obtain a session key, the authentication server encapsulates a second session key and TLS FINISHED message in a message access-challenge of EAP over RADIUS to be sent to the 5G gateway, the 5G gateway further encapsulates the second session key and TLS FINISHED message in a message access-challenge to be sent to a distributed power service terminal, and the terminal replies-Response/TLSOK (not shown in the figure);
In the authentication stage, after repeated challenge responses are sent through the authentication server and the terminal, an EAP-Success message is sent to the 5G gateway through the authentication server, and the EAP-Success message is forwarded to the terminal through the 5 gateways, so that the authentication is successful, and the terminal is successfully connected with the 5G gateway through WiFi.
Example two
Fig. 4 is a schematic structural diagram of a distributed power service terminal authentication system according to a second embodiment of the present invention. As shown in fig. 4, the distributed power service terminal authentication system includes at least one terminal 200, a 5G gateway 210, and an authentication server 220, only one terminal is shown for illustration, wherein:
The terminal 200 is configured to send a PEAP terminal Hello response message to the authentication server 220 through the 5G gateway 210 after receiving a protected extensible authentication protocol PEAP start authentication message sent by the 5G gateway 210, where the PEAP terminal Hello response message includes at least a random number, an encryption algorithm list and a compression algorithm;
the authentication server 220 is configured to generate a first message, and sign-encrypt the first message with a server private key and a terminal public key to obtain a first signed message, and send the first signed message and a server Hello message to the terminal 200 through the 5G gateway 210, where the server Hello message includes at least a target encryption algorithm and the compression algorithm, the target encryption algorithm is determined based on the encryption algorithm list, the server private key is determined based on a system parameter of a key generation center and a first initial private key, and the terminal public key is determined based on the system parameter;
The terminal 200 is configured to generate a second message when determining that the authentication server 220 is legal based on a terminal private key, a server public key and the first secret signature message, and sign-encrypt the second message by using the terminal private key and the server public key to obtain a second secret signature message, and send the second secret signature message to the authentication server 220, where the terminal private key is determined based on the system parameter and a second initial private key, and the server public key is determined based on the system parameter;
The terminal 200 is configured to encrypt a premaster key with the server public key to obtain an encrypted premaster key, send the encrypted premaster key to the authentication server 220 through the 5G gateway 210, and calculate the premaster key and the random number with the target encryption algorithm to obtain a first session key when the authentication server 220 confirms that the terminal 200 is legal based on the second secret key message;
The authentication server 220 is configured to decrypt the encrypted premaster secret using the server private key to obtain the premaster secret, determine a second session key using the target encryption algorithm based on the premaster secret and the random number, and send a TSL acknowledgement message to the terminal 200 through the 5G gateway 210, where the TSL acknowledgement message includes the second session key and TLS FINISHED messages;
The terminal 200 is configured to send TLSOK a message to the authentication server 220 through the 5G gateway 210 after receiving the TSL confirmation message, to determine that TSL channel establishment is successful;
the authentication server 220 is configured to generate a first challenge message after receiving TLSOK the message, encrypt the first challenge message with the second session key, send the obtained first encrypted challenge message to the terminal 200, and send an EAP success message to the terminal 200 after receiving a challenge success message sent by the terminal 200, so as to complete authentication of the terminal 200.
According to the technical scheme provided by the second embodiment of the invention, no additional peripheral is required, and the authentication efficiency and the security are effectively improved under the condition of not increasing the cost.
Optionally, the distributed power service terminal authentication system further includes:
The terminal 200 is configured to determine a first private value based on the system parameter and an ID of the terminal 200, determine a public key of the terminal based on the system parameter and the first private value, and determine a private key of the terminal based on the system parameter, the first initial private key and the first private value;
The authentication server 220 is configured to determine a second private value based on the system parameter and the IP address of the authentication server 220, determine a server public key based on the system parameter and the second private value, and determine a server private key based on the system parameter, the second initial private key and the second private value.
Optionally, the distributed power service terminal authentication system further includes:
the terminal 200 is configured to receive a user name and a password input by a user, generate an authentication request based on the user name and the password, and send the authentication request to the 5G gateway 210;
the 5G gateway 210 is configured to send user identity request information to the terminal 200 after receiving the authentication request, where the user identity request information includes request information of the terminal ID;
the terminal 200 is configured to send, in response to the user identity request information, user identity response information to the authentication server 220 through the 5G gateway 210, where the user identity response information includes a terminal identity ID;
the authentication server 220 is configured to determine whether the terminal ID exists in a preset device list after receiving the user ID response information, and if so, send a PEAP start authentication message to the terminal 200 through the 5G gateway 210.
Optionally, the distributed power service terminal authentication system further includes:
The terminal 200 is configured to decrypt the first encrypted challenge information using the first session key, generate a first response message of the first challenge message using a secure hash algorithm based on the user name, the password, the ID of the terminal 200, and the random number, encrypt the first response message and the second challenge message using the first session key, and send the obtained first encrypted response message and second encrypted challenge message to the authentication server 220;
The authentication server 220 is configured to decrypt the first encrypted response message and the second encrypted challenge message by using the second session key to obtain a first response message and a second response message, and send, when the first response message is confirmed to be correct, a verification passing message to the terminal 200 through the 5G gateway 210, where the verification passing message includes the second challenge message, and the verification passing message is a message encrypted by the second session key;
The terminal 200 is configured to decrypt the authentication passing message through the first session key, and send a challenge success message to the authentication server 220 after determining that a second challenge message in the decrypted authentication passing message is consistent with a second challenge message local to the terminal 200.
Optionally, the identity ID of the terminal 200 is determined based on a physical unclonable function.
Optionally, the first message is generated based on the random number, a terminal identity ID, and a first timestamp, the terminal identity ID being sent by the terminal 200 to the authentication server 220;
Optionally, the terminal 200 is configured to perform decryption on the first secret key by using the private key of the terminal 200 and the public key of the server to obtain a decryption result, determine that the authentication server 220 is legal if the terminal ID and the terminal ID of the terminal 200 are identical in the decryption result, and generate a second message based on the decryption result, the terminal ID of the terminal 200 and a second timestamp.
The distributed power supply service terminal authentication system provided by the embodiment of the invention can execute the distributed power supply service terminal authentication method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Example III
Fig. 5 is a schematic structural diagram of an electronic device according to a third embodiment of the present invention. The electronic device is configured as a terminal or authentication server in a distributed power service terminal authentication system and is intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Electronic equipment may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 5, the electronic device 10 includes at least one processor 11, and a memory, such as a Read Only Memory (ROM) 12, a Random Access Memory (RAM) 13, etc., communicatively connected to the at least one processor 11, in which the memory stores a computer program executable by the at least one processor, and the processor 11 may perform various appropriate actions and processes according to the computer program stored in the Read Only Memory (ROM) 12 or the computer program loaded from the storage unit 18 into the Random Access Memory (RAM) 13. In the RAM 13, various programs and data required for the operation of the electronic device 10 may also be stored. The processor 11, the ROM 12 and the RAM 13 are connected to each other via a bus 14. An input/output (I/O) interface 15 is also connected to bus 14.
Various components in the electronic device 10 are connected to the I/O interface 15, including an input unit 16, such as a keyboard, mouse, etc., an output unit 17, such as various types of displays, speakers, etc., a storage unit 18, such as a magnetic disk, optical disk, etc., and a communication unit 19, such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The processor 11 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, digital Signal Processors (DSPs), and any suitable processor, controller, microcontroller, etc. The processor 11 performs the various methods and processes described above, such as the corresponding steps in a distributed power service terminal authentication method.
In some embodiments, the corresponding steps in the distributed power service terminal authentication method may be implemented as a computer program tangibly embodied on a computer-readable storage medium, such as the storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM 12 and/or the communication unit 19. When the computer program is loaded into RAM 13 and executed by processor 11, one or more steps of the distributed power service terminal authentication method described above may be performed. Alternatively, in other embodiments, the processor 11 may be configured to perform the respective steps in the distributed power service terminal authentication method in any other suitable way (e.g. by means of firmware).
Various implementations of the systems and techniques described here above may be implemented in digital electronic circuitry, integrated circuit systems, field Programmable Gate Arrays (FPGAs), application Specific Integrated Circuits (ASICs), application Specific Standard Products (ASSPs), systems On Chip (SOCs), load programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include being implemented in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be a special or general purpose programmable processor, operable to receive data and instructions from, and to transmit data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for carrying out methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be implemented. The computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to the user and a keyboard and a pointing device (e.g., a mouse or a trackball) by which the user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user, for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback), and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a background component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such background, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include a Local Area Network (LAN), a Wide Area Network (WAN), a blockchain network, and the Internet.
The computing system may include clients and servers. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical hosts and VPS service are overcome.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps described in the present invention may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution of the present invention are achieved, and the present invention is not limited herein.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.
The embodiments of the present application also provide a computer program product comprising a computer program and/or instructions which, when executed by a processor, implements a distributed power service terminal authentication method as provided by any of the embodiments of the present application.
Computer program product in the implementation, the computer program code for carrying out operations of the present invention may be written in one or more programming languages, including an object oriented programming language such as Java, smalltalk, C ++ and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
Note that the above is only a preferred embodiment of the present invention and the technical principle applied. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, while the invention has been described in connection with the above embodiments, the invention is not limited to the embodiments, but may be embodied in many other equivalent forms without departing from the spirit or scope of the invention, which is set forth in the following claims.

Claims (10)

1. The distributed power supply service terminal authentication method is characterized by being applied to a distributed power supply service terminal authentication system, wherein the distributed power supply service terminal authentication system comprises at least one terminal, a 5G gateway and an authentication server, and the method comprises the following steps:
After receiving a Protected Extensible Authentication Protocol (PEAP) start authentication message sent by a 5G gateway, the terminal sends a PEAP terminal Hello response message to the authentication server through the 5G gateway, wherein the PEAP terminal Hello response message at least comprises a random number, an encryption algorithm list and a compression algorithm;
The authentication server generates a first message, and performs signcryption on the first message by using a server private key and a terminal public key to obtain a first signcryption message, and sends the first signcryption message and a server Hello message to the terminal through the 5G gateway, wherein the server Hello message at least comprises a target encryption algorithm and the compression algorithm, the target encryption algorithm is determined based on the encryption algorithm list, the server private key is determined based on a system parameter of a key generation center and a first initial private key, and the terminal public key is determined based on the system parameter;
the terminal generates a second message based on a terminal private key, a server public key and the first secret key, and performs secret signing on the second message by using the terminal private key and the server public key to obtain a second secret key message, and sends the second secret key message to the authentication server, wherein the terminal private key is determined based on the system parameter and a second initial private key, and the server public key is determined based on the system parameter;
The terminal encrypts a premaster secret key by utilizing the server public key under the condition that the authentication server confirms that the terminal is legal based on the second secret key message to obtain an encrypted premaster secret key, sends the encrypted premaster secret key to the authentication server through the 5G gateway, and calculates the premaster secret key and the random number by utilizing the target encryption algorithm to obtain a first session secret key;
The authentication server decrypts the encrypted premaster secret key by using the server private key to obtain the premaster secret key, determines a second session key by using the target encryption algorithm based on the premaster secret key and the random number, and sends a TSL confirmation message to the terminal through the 5G gateway, wherein the TSL confirmation message comprises the second session key and TLS FINISHED messages;
After receiving the TSL confirmation message, the terminal sends TLSOK messages to the authentication server through a 5G gateway to determine that the TSL channel is successfully established;
And the authentication server generates a first challenge message after receiving TLSOK messages, encrypts the first challenge message through the second session key, sends the obtained first encrypted challenge message to the terminal, and sends an EAP success message to the terminal after receiving challenge success messages sent by the terminal, so as to finish the authentication of the terminal.
2. The method as recited in claim 1, further comprising:
The terminal determines a first private value based on the system parameter and the identity ID of the terminal, determines a terminal public key based on the system parameter and the first private value, and determines a terminal private key based on the system parameter, the first initial private key and the first private value;
The authentication server determines a second private value based on the system parameter and the IP address of the authentication server, determines a server public key based on the system parameter and the second private value, and determines a server private key based on the system parameter, the second initial private key and the second private value.
3. The method of claim 1, wherein the terminal, before receiving the PEAP turn-on authentication message sent by the 5G gateway, further comprises:
The terminal receives a user name and a password input by a user, generates an authentication request based on the user name and the password, and sends the authentication request to a 5G gateway;
After receiving the authentication request, the 5G gateway sends user identity request information to the terminal, wherein the user identity request information comprises request information of the terminal identity ID;
the terminal responds to the user identity request information and sends user identity response information to the authentication server through a 5G gateway, wherein the user identity response information comprises a terminal identity ID;
And after receiving the user identity response information, the authentication server judges whether the terminal identity ID exists in a preset equipment list, and if so, the authentication server sends a PEAP start authentication message to the terminal through the 5G gateway.
4. A method according to claim 3, wherein after the authentication server sends the resulting first encryption challenge message to the terminal, further comprising:
The terminal decrypts the first encryption challenge information by using the first session key, calculates by using a secure hash algorithm based on the user name, the password, the identity ID of the terminal and the random number, generates a first response message of the first challenge message, encrypts the first response message and the second challenge message by using the first session key, and sends the obtained first encryption response message and the second encryption challenge message to the authentication server;
The authentication server decrypts the first encrypted response message and the second encrypted challenge message by using the second session key to obtain a first response message and a second response message, and sends a verification passing message to the terminal through the 5G gateway under the condition that the first response message is confirmed to be correct, wherein the verification passing message comprises the second challenge message, and the verification passing message is a message encrypted by the second session key;
The terminal decrypts the verification passing message through the first session key, and sends a challenge success message to the authentication server after determining that a second challenge message in the decrypted verification passing message is consistent with a second challenge message local to the terminal.
5. The method according to claim 1, characterized in that the identity ID of the terminal is determined based on a physical unclonable function.
6. The method of claim 1, wherein the first message is generated based on the random number, a terminal identity, ID, and a first timestamp, the terminal identity, ID being sent by the terminal to the authentication server;
the terminal generates a second message based on the terminal private key, the server public key and the first secret signature message under the condition that the authentication server is legal, and the method comprises the following steps:
the terminal uses the terminal private key and the server public key to perform decryption on the first secret signature message to obtain a decryption result, and determines that the authentication server is legal under the condition that the terminal identity ID is consistent with the terminal identity ID in the decryption result, and generates a second message based on the decryption result, the terminal identity ID and a second timestamp.
7. The terminal authentication system based on the distributed power supply service is characterized by comprising at least one terminal, a 5G gateway and an authentication server, wherein:
the terminal is used for sending a PEAP terminal Hello response message to the authentication server through the 5G gateway after receiving a Protected Extensible Authentication Protocol (PEAP) start authentication message sent by the 5G gateway, wherein the PEAP terminal Hello response message at least comprises a random number, an encryption algorithm list and a compression algorithm;
The authentication server is configured to generate a first message, and sign-encrypt the first message by using a server private key and a terminal public key to obtain a first signed message, and send the first signed message and a server Hello message to the terminal through the 5G gateway, where the server Hello message at least includes a target encryption algorithm and the compression algorithm, the target encryption algorithm is determined based on the encryption algorithm list, the server private key is determined based on a system parameter of a key generation center and a first initial private key, and the terminal public key is determined based on the system parameter;
The terminal is configured to generate a second message when determining that the authentication server is legal based on a terminal private key, a server public key and the first secret signature message, and sign-encrypt the second message by using the terminal private key and the server public key to obtain a second secret signature message, and send the second secret signature message to the authentication server, where the terminal private key is determined based on the system parameter and a second initial private key, and the server public key is determined based on the system parameter;
The terminal is configured to encrypt a premaster key with the server public key to obtain an encrypted premaster key when the authentication server confirms that the terminal is legal based on the second secret key message, send the encrypted premaster key to the authentication server through the 5G gateway, and calculate the premaster key and the random number with the target encryption algorithm to obtain a first session key;
the authentication server is configured to decrypt the encrypted premaster secret key with the server private key to obtain the premaster secret key, determine a second session key with the target encryption algorithm based on the premaster secret key and the random number, and send a TSL acknowledgement message to the terminal through the 5G gateway, where the TSL acknowledgement message includes the second session key and TLS FINISHED messages;
the terminal is used for sending TLSOK messages to the authentication server through a 5G gateway after receiving the TSL confirmation message, and determining that the TSL channel is established successfully;
The authentication server is configured to generate a first challenge message after receiving TLSOK a message, encrypt the first challenge message with the second session key, send the obtained first encrypted challenge message to the terminal, and send an EAP success message to the terminal after receiving a challenge success message sent by the terminal, so as to complete authentication of the terminal.
8. An electronic device configured as a terminal or authentication server in a distributed power service terminal authentication system, the electronic device comprising:
At least one processor, and
A memory communicatively coupled to the at least one processor, wherein,
The memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the respective steps in the distributed power service terminal authentication method according to any one of claims 1-6.
9. A computer readable storage medium having stored thereon a computer program, which when executed by a processor implements the distributed power service terminal authentication method according to any of claims 1-6.
10. A computer program product, characterized in that it comprises a computer program which, when executed by a processor, implements the distributed power service terminal authentication method according to any of claims 1-6.
CN202411544283.6A 2024-10-31 2024-10-31 Distributed power supply service terminal authentication method, system, equipment, medium and product Pending CN119342471A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411544283.6A CN119342471A (en) 2024-10-31 2024-10-31 Distributed power supply service terminal authentication method, system, equipment, medium and product

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202411544283.6A CN119342471A (en) 2024-10-31 2024-10-31 Distributed power supply service terminal authentication method, system, equipment, medium and product

Publications (1)

Publication Number Publication Date
CN119342471A true CN119342471A (en) 2025-01-21

Family

ID=94272662

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411544283.6A Pending CN119342471A (en) 2024-10-31 2024-10-31 Distributed power supply service terminal authentication method, system, equipment, medium and product

Country Status (1)

Country Link
CN (1) CN119342471A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023193565A1 (en) * 2022-04-06 2023-10-12 北京字节跳动网络技术有限公司 Network access control method and apparatus, device and storage medium
CN117728985A (en) * 2023-11-23 2024-03-19 四川中电启明星信息技术有限公司 Method, system, equipment and medium for cross-domain identity authentication in cloud environment
CN117879873A (en) * 2023-12-08 2024-04-12 四川省肿瘤医院 Data encryption transmission method and system based on transport layer security protocol
CN117998356A (en) * 2022-10-31 2024-05-07 中信科智联科技有限公司 Identity authentication method and device and user equipment

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023193565A1 (en) * 2022-04-06 2023-10-12 北京字节跳动网络技术有限公司 Network access control method and apparatus, device and storage medium
CN117998356A (en) * 2022-10-31 2024-05-07 中信科智联科技有限公司 Identity authentication method and device and user equipment
CN117728985A (en) * 2023-11-23 2024-03-19 四川中电启明星信息技术有限公司 Method, system, equipment and medium for cross-domain identity authentication in cloud environment
CN117879873A (en) * 2023-12-08 2024-04-12 四川省肿瘤医院 Data encryption transmission method and system based on transport layer security protocol

Similar Documents

Publication Publication Date Title
US10419430B2 (en) Mutual authentication method and authentication apparatus
US9621545B2 (en) System and method for connecting client devices to a network
EP2792100B1 (en) Method and device for secure communications over a network using a hardware security engine
US10516654B2 (en) System, apparatus and method for key provisioning delegation
CN106788989B (en) Method and equipment for establishing secure encrypted channel
US11375369B2 (en) Message authentication method and communication method of communication network system, and communication network system
CN108111301A (en) The method and its system for realizing SSH agreements are exchanged based on rear quantum key
CN104378374B (en) A kind of method and system that communication is set up based on SSL
CN101459506A (en) Cipher key negotiation method, system, customer terminal and server for cipher key negotiation
CN111654481B (en) Identity authentication method, identity authentication device and storage medium
CN112468983B (en) A low-power power Internet of Things smart device access authentication method and auxiliary device
CN114945171A (en) A terminal secondary authentication method and system
CN115695007A (en) A lightweight authenticated key exchange method for metaverse power transactions
CN110519225B (en) Anti-quantum computation HTTPS communication method and system based on asymmetric key pool and certificate cryptography
CN114650533A (en) Wireless communication method and communication device
JP2014147039A (en) Cryptocommunication device, proxy server, cryptocommunication system, cryptocommunication program and proxy server program
CN116599719A (en) User login authentication method, device, equipment and storage medium
CN116760530A (en) A lightweight authentication key agreement method for power Internet of Things terminals
CN115883183A (en) A cross-domain secure interconnection method and device for an industrial control system
CN119342471A (en) Distributed power supply service terminal authentication method, system, equipment, medium and product
CN114760042A (en) Identity authentication method and device
CN113422753A (en) Data processing method and device, electronic equipment and computer storage medium
CN119562258B (en) Power WLAN security reinforcement method, system and equipment based on trusted computing
WO2022135385A1 (en) Identity authentication method and apparatus
Zhang Authenticated Key Exchange Protocols with Unbalanced Computational Requirements

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination