Method and system for carrying information based on random number field
Technical Field
The invention relates to the technical field of information system security, in particular to a method and a system for carrying information based on a random number field.
Background
The mobile communication system has evolved from 2G to 5G as the most standardized information communication system on the ground, and has now entered the pre-commercialization stage. Compared with the prior mobile communication system, the 5G mobile communication system not only has great improvement on communication capacity, but also has great change on business model. Particularly, in the business model, the mobile communication is changed from a 2C model for providing general services for general public users to a 2B model for providing differentiated services for vertical industry users. Therefore, a high-security private network, which is represented by 5G mobile communication including satellite, etc., and which constructs wide-area coverage based on public information infrastructure has become a mainstream technical approach in various industries.
In particular, there are some key industries with high security requirements in the vertical industry, which need to solve the problem of building a relatively secure information system based on an untrusted infrastructure, and often provide end-to-end security enhancement capability by performing security enhancement on the UE and the home network element respectively.
As shown in fig. 1, taking a mobile communication system as an example, an end-to-end enhanced security model of a key industry with high security requirements includes a mobile terminal device (high security device) -a service network domain-a trusted network domain-a high security application, where the service network domain includes an access network and a core network visited network, and is completely dependent on a public infrastructure of the mobile communication system; the trusted network domain is mainly a core network home network and consists of a general function and a customized function of a key industry; the high-safety equipment is used for carrying out safety enhancement based on a universal mobile communication terminal; high security applications are fully customized application functions for critical industries. The end-to-end security enhancement capability of a signaling plane and a service plane is realized by respectively performing security enhancement on the trusted network domains of the UE side and the home location, and meanwhile, the effect of embedding a special security mechanism in a standard communication flow is achieved.
However, the establishment of a high-security private network based on public information infrastructure needs to be established under the precondition that the public standards such as international, domestic and industry are strictly followed, and meanwhile, the standards and protocols are not changed, and on the basis of an end-to-end enhanced security model, negotiation information required by a security enhancement mechanism of a key industry per se needs to be transmitted through a protocol channel specified by the public standards. However, the protocol channels specified by the published standards often do not reserve redundant fields to provide space for the industry to transfer additional information, and therefore, the difficult problem of carrying additional information based on the protocol fields specified by the published standards so as to facilitate negotiation between the UE and the home-based customized network element is urgently solved.
Disclosure of Invention
The purpose of the invention is: the method and the system can carry information based on the protocol field specified by the open standard without changing the open standard or the protocol specified by the open standard by carrying the ciphertext information obtained by encrypting the specific information in the random number field, thereby achieving the effect of end-to-end negotiation information between the UE and the attribution customized network element and meeting the requirement of constructing a high-safety private network in the key industry.
The invention provides a method for carrying information based on a random number field, which is characterized in that the information is interacted and negotiated by using a random number as a carrier through end-to-end matching of a terminal side functional component and a network side functional component, and the randomness of the random number is ensured by encrypting the information, and the method comprises the following steps:
(1) when the random number is transferred from the network side function component to the terminal side function component: the network side functional component converts the specific entrainment information into ciphertext information meeting the requirement of the specified length of the random number through an encryption mechanism, performs integrity protection, ensures that the ciphertext information has the characteristics of the random number, fills the ciphertext information in a random number section and transmits the ciphertext information to the terminal side functional component; the terminal side functional assembly encryption mechanism judges whether the random number field carries specific entrainment information or not, and if not, the standard processing flow is executed according to the common random number; if the random number is carried, extracting the ciphertext information from the random number section through an encryption mechanism, recovering the ciphertext information into plaintext information of specific entrained information after integrity verification, and then executing a standard processing flow by taking the random number section as a common random number after executing a related processing flow of the specific entrained information;
(2) when the random number is transferred from the terminal side function component to the network side function component: the terminal side functional component converts the specific entrainment information into ciphertext information meeting the requirement of the specified length of the random number through an encryption mechanism, performs integrity protection, ensures that the ciphertext information has the characteristics of the random number, fills the ciphertext information in a random number section, and transmits the ciphertext information to the network side functional component; the network side functional assembly encryption mechanism judges whether the random number field carries specific entrainment information or not, and if not, the standard processing flow is executed according to the common random number; if the random number is carried, extracting the ciphertext information from the random number section through an encryption mechanism, recovering the ciphertext information into plaintext information of the specific entrained information after integrity verification, and then executing a standard processing flow by taking the random number section as a common random number after executing a related processing flow of the specific entrained information.
Further, when the random number is transmitted from the network side function component to the terminal side function component, the execution process of the network side function component includes the following steps:
step S101, a network side functional component encodes specific entrained information and converts the specific entrained information into encoded plaintext information with the required encryption length;
step S102, the network side functional component uses the coded plaintext information to generate summary data;
step S103, the network side functional component inserts random information into the coded plaintext information and the abstract data to generate plaintext information which meets the requirement of the specified length of the random number;
step S104, the network side functional component carries out encryption operation on plaintext information meeting the requirement of the specified length of the random number to generate ciphertext information meeting the requirement of the specified length of the random number;
step S105, the network side functional component fills the cipher text information meeting the requirement of the random number on the specified length in the random number field and transmits the cipher text information to the terminal side functional component.
Further, when the random number is transmitted from the network side function component to the terminal side function component, the execution process of the terminal side function component includes the following steps:
step S201, the terminal side functional assembly assumes that the random number field contains the ciphertext information meeting the requirement of the specified length of the random number, and performs decryption operation on the random number field to obtain the plaintext information meeting the requirement of the specified length of the random number;
step S202, the terminal side functional assembly eliminates random information from the plaintext information meeting the specified length requirement to obtain encoded plaintext information and summary data;
step S203, the terminal side functional component generates abstract data by using the encoded plaintext information, and performs comparison verification with the abstract data analyzed from the random number field, and the verification result is used as a basis for distinguishing whether the random number carries specific entrained information, and is also used as a basis for integrity verification of the carried information:
a1, if the verification result is consistent, indicating that the random number field carries specific entrainment information and the entrainment information is not tampered in the transmission process, the terminal side functional component performs inverse coding conversion on the coded plaintext information to obtain the specific entrainment information;
a2, the terminal side functional assembly executes the relevant processing flow of the specific carried information, and finally, the random number field is used as the common random number to execute the standard processing flow;
b. and if the verification result is inconsistent, the random number field is indicated to be not carried with specific entrained information or the carried entrained information is tampered in the transmission process, and the terminal side functional component executes a standard processing flow of the common random number.
Further, when the random number is transferred from the terminal-side function component to the network-side function component, the execution process of the terminal-side function component includes the following steps:
step S111, the terminal side functional assembly encodes the specific entrained information and converts the specific entrained information into encoded plaintext information with the required encryption length;
step S112, the terminal side functional component uses the coded plaintext information to generate summary data;
step S113, the terminal side functional assembly inserts random information into the coded plaintext information and the abstract data to generate plaintext information which meets the requirement of the specified length of the random number;
step S114, the terminal side functional assembly carries out encryption operation on plaintext information meeting the requirement of the specified length of the random number to generate ciphertext information meeting the requirement of the specified length of the random number;
and step S115, the terminal side functional component fills the ciphertext information meeting the requirement of the specified length of the random number in a random number field and transmits the ciphertext information to the network side functional component.
Further, when the random number is transferred from the terminal side function component to the network side function component, the execution process of the network side function component includes the following steps:
step S211, the network side functional assembly assumes that the random number field contains the ciphertext information meeting the requirement of the specified length of the random number, and performs decryption operation on the random number field to obtain the plaintext information meeting the requirement of the specified length of the random number;
step S212, the network side functional component eliminates random information from the plaintext information meeting the specified length requirement to obtain encoded plaintext information and summary data;
step S213, the network side functional component generates abstract data by using the encoded plaintext information, and compares the abstract data with the abstract data analyzed from the random number field to check, so that the check result is used as a basis for distinguishing whether the random number carries specific entrained information, and is also used as a basis for checking the integrity of the carried information:
a1, if the verification result is consistent, indicating that the random number field carries specific entrainment information and the entrainment information is not tampered in the transmission process, the network side functional component performs inverse coding conversion on the coded plaintext information to obtain the specific entrainment information;
a2, the network side functional module executes the relevant processing flow of the specific carried information, and finally, the random number section is used as the common random number to execute the standard processing flow;
b. and if the verification result is inconsistent, the random number field is indicated to be not carried with specific entrained information or the carried entrained information is tampered in the transmission process, and the network side functional component executes a standard processing flow of the common random number.
The invention also provides a system based on the random number field carried information, which comprises a terminal side functional component and a network side functional component; the terminal side functional component and the network side functional component are used for executing the method for carrying information based on the random number field.
In summary, due to the adoption of the technical scheme, the invention has the beneficial effects that:
1. the method and the system for carrying information based on the random number field can carry specific information based on standard protocol parameters and can also interact private negotiation information based on a standard protocol negotiation channel, so that a terminal side and a network side can utilize the random number field to carry out end-to-end information interaction on the premise of not changing an end-to-end protocol format and flow and an intermediate information transmission network element.
2. The method and the system for carrying information based on the random number field have wide application range, are not only suitable for a mobile communication system, but also are suitable for any information system in principle. Particularly, the method and the system can provide powerful technical support for constructing a high-safety private network based on public infrastructure and implementing the military and civil fusion strategy.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
FIG. 1 is a schematic diagram of a prior art end-to-end enhanced security model for a key industry with high security requirements.
Fig. 2 is a schematic flow chart of the method for carrying information based on the random number field according to the present invention, when the random number is transmitted from the network-side functional component to the terminal-side functional component.
Fig. 3 is a schematic flow chart of the method for carrying information based on the random number field according to the present invention, when the random number is transferred from the terminal-side functional component to the network-side functional component.
Fig. 4 is a schematic diagram of a method for carrying information based on a nonce field according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the detailed description and specific examples, while indicating the preferred embodiment of the invention, are intended for purposes of illustration only and are not intended to limit the scope of the invention. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
The invention relates to a system for carrying information based on a random number field, which comprises a terminal side functional component and a network side functional component; the terminal side functional component and the network side functional component are used for executing a method for carrying information based on a random number field as described below.
As shown in fig. 1, the method for carrying information based on a nonce field is to use a nonce as a carrier to interact and negotiate information through end-to-end cooperation between a terminal-side functional component and a network-side functional component, and to ensure randomness of the nonce itself by using encryption of the information, so as to achieve an effect of embedding a dedicated security mechanism in a standard communication flow, and includes:
(1) when the random number is transferred from the network side function component to the terminal side function component: the network side functional component converts the specific entrainment information into ciphertext information meeting the requirement of the specified length of the random number through an encryption mechanism, performs integrity protection, ensures that the ciphertext information has the characteristics of the random number, fills the ciphertext information in a random number section and transmits the ciphertext information to the terminal side functional component; the terminal side functional assembly encryption mechanism judges whether the random number field carries specific entrainment information or not, and if not, the standard processing flow is executed according to the common random number; if the random number is carried, extracting the ciphertext information from the random number section through an encryption mechanism, recovering the ciphertext information into plaintext information of specific entrained information after integrity verification, and then executing a standard processing flow by taking the random number section as a common random number after executing a related processing flow of the specific entrained information;
as shown in fig. 2, specifically:
A. the execution process of the network side functional component comprises the following steps:
step S101, a network side functional component encodes specific entrained information and converts the specific entrained information into encoded plaintext information with the required encryption length;
step S102, the network side functional component uses the coded plaintext information to generate summary data;
step S103, the network side functional component inserts random information into the coded plaintext information and the abstract data to generate plaintext information which meets the requirement of the specified length of the random number;
step S104, the network side functional component carries out encryption operation on plaintext information meeting the requirement of the specified length of the random number to generate ciphertext information meeting the requirement of the specified length of the random number;
step S105, the network side functional component fills the cipher text information meeting the requirement of the random number on the specified length in the random number field and transmits the cipher text information to the terminal side functional component.
B. The execution process of the terminal side functional component comprises the following steps:
step S201, the terminal side functional assembly assumes that the random number field contains the ciphertext information meeting the requirement of the specified length of the random number, and performs decryption operation on the random number field to obtain the plaintext information meeting the requirement of the specified length of the random number;
step S202, the terminal side functional assembly eliminates random information from the plaintext information meeting the specified length requirement to obtain encoded plaintext information and summary data;
step S203, the terminal side functional component generates abstract data by using the encoded plaintext information, and performs comparison verification with the abstract data analyzed from the random number field, and the verification result is used as a basis for distinguishing whether the random number carries specific entrained information, and is also used as a basis for integrity verification of the carried information:
a1, if the verification result is consistent, indicating that the random number field carries specific entrainment information and the entrainment information is not tampered in the transmission process, the terminal side functional component performs inverse coding conversion on the coded plaintext information to obtain the specific entrainment information;
a2, the terminal side functional assembly executes the relevant processing flow of the specific carried information, and finally, the random number field is used as the common random number to execute the standard processing flow;
b. and if the verification result is inconsistent, the random number field is indicated to be not carried with specific entrained information or the carried entrained information is tampered in the transmission process, and the terminal side functional component executes a standard processing flow of the common random number.
(2) When the random number is transferred from the terminal-side function module to the network-side function module, the functions of the terminal-side function module and the network-side function module are just opposite to the case when the random number is transferred from the network-side function module to the terminal-side function module: the terminal side functional component converts the specific entrainment information into ciphertext information meeting the requirement of the specified length of the random number through an encryption mechanism, performs integrity protection, ensures that the ciphertext information has the characteristics of the random number, fills the ciphertext information in a random number section, and transmits the ciphertext information to the network side functional component; the network side functional assembly encryption mechanism judges whether the random number field carries specific entrainment information or not, and if not, the standard processing flow is executed according to the common random number; if the random number is carried, extracting the ciphertext information from the random number section through an encryption mechanism, recovering the ciphertext information into plaintext information of the specific entrained information after integrity verification, and then executing a standard processing flow by taking the random number section as a common random number after executing a related processing flow of the specific entrained information.
As shown in fig. 3, specifically:
A. the execution process of the terminal side functional component comprises the following steps:
step S111, the terminal side functional assembly encodes the specific entrained information and converts the specific entrained information into encoded plaintext information with the required encryption length;
step S112, the terminal side functional component uses the coded plaintext information to generate summary data;
step S113, the terminal side functional assembly inserts random information into the coded plaintext information and the abstract data to generate plaintext information which meets the requirement of the specified length of the random number;
step S114, the terminal side functional assembly carries out encryption operation on plaintext information meeting the requirement of the specified length of the random number to generate ciphertext information meeting the requirement of the specified length of the random number;
and step S115, the terminal side functional component fills the ciphertext information meeting the requirement of the specified length of the random number in a random number field and transmits the ciphertext information to the network side functional component.
B. The execution process of the network side functional component comprises the following steps:
step S211, the network side functional assembly assumes that the random number field contains the ciphertext information meeting the requirement of the specified length of the random number, and performs decryption operation on the random number field to obtain the plaintext information meeting the requirement of the specified length of the random number;
step S212, the network side functional component eliminates random information from the plaintext information meeting the specified length requirement to obtain encoded plaintext information and summary data;
step S213, the network side functional component generates abstract data by using the encoded plaintext information, and compares the abstract data with the abstract data analyzed from the random number field to check, so that the check result is used as a basis for distinguishing whether the random number carries specific entrained information, and is also used as a basis for checking the integrity of the carried information:
a1, if the verification result is consistent, indicating that the random number field carries specific entrainment information and the entrainment information is not tampered in the transmission process, the network side functional component performs inverse coding conversion on the coded plaintext information to obtain the specific entrainment information;
a2, the network side functional module executes the relevant processing flow of the specific carried information, and finally, the random number section is used as the common random number to execute the standard processing flow;
b. and if the verification result is inconsistent, the random number field is indicated to be not carried with specific entrained information or the carried entrained information is tampered in the transmission process, and the network side functional component executes a standard processing flow of the common random number.
The features and properties of the present invention are described in further detail below with reference to examples.
In this embodiment, the terminal side functional component included in the system based on the random number segment carried information is a USIM card of a 5G UE (mobile terminal) and a functional component in the USIM card, and the network side functional component is a 5G UDM network function and a functional component in the UDM; the USIM card of the 5G UE communicates with a mobile communication base station through a mobile network; and the USIM card and the UDM network function perform authentication data interaction through a mobile communication core network data center. It should be noted that both the UDM network function and the USIM card need to be slightly customized to facilitate interaction with their respective functional components.
Fig. 2 is a schematic diagram of the embodiment that the RAND random number in the authentication AV vector is used to carry specific carried information in the mobile communication system, and specifically includes the following steps:
s01: UE initiates a network attachment request, the network attachment request reaches a mobile communication core network data center through a mobile communication base station, and the mobile communication core network data center acquires an authentication AV vector to a UDM network function;
s02: the authentication AV vector generated by the UDM network function comprises an RAND random number, and specific entrainment information is acquired from a functional component in the UDM at the moment;
s03: the functional component in the UDM processes the specific entrainment information according to the method, generates 128-bit ciphertext information RAND meeting the length requirement, and transmits the 128-bit ciphertext information RAND to the UDM network function;
s04: the UDM network function fills cipher text information RAND carrying specific carried information into an RAND field of the authentication AV vector and transmits the RAND field to a mobile communication core network data center;
s05: the data center of the mobile communication core network initiates a bidirectional authentication request to the UE by using the authentication AV vector;
s06: after receiving the bidirectional authentication request, the UE extracts an authentication AV vector and transmits an RAND field and an AUTN to the USIM card;
s07: the USIM card takes out the cipher text information RAND from the RAND field and transmits the cipher text information RAND to a functional component in the USIM card,
s08: after the functional component in the USIM card obtains the ciphertext information RAND, processing the ciphertext information according to the method, so as to analyze the specific entrainment information transmitted from the network side functional component (the 5G UDM network function and the functional component in the UDM), wherein if the specific entrainment information is successfully analyzed, the returned return value is successful; if the specific entrained information is found to be tampered due to factors such as error codes and the like in the transmission process, the returned return value is failure;
s09: and the USIM card continues the subsequent bidirectional authentication processing according to the return value of the functional component in the USIM card.
The beneficial effects of the invention are as follows:
1. the method and the system for carrying information based on the random number field can carry specific information based on standard protocol parameters and can also interact private negotiation information based on a standard protocol negotiation channel, so that a terminal side and a network side can utilize the random number field to carry out end-to-end information interaction on the premise of not changing an end-to-end protocol format and flow and an intermediate information transmission network element.
2. The method and the system for carrying information based on the random number field have wide application range, are not only suitable for a mobile communication system, but also are suitable for any information system in principle. Particularly, the method and the system can provide powerful technical support for constructing a high-safety private network based on public infrastructure and implementing the military and civil fusion strategy.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.