WO2025045112A1 - Private network security authentication method, apparatus and system, and electronic device, storage medium and computer program product - Google Patents

Abstract

Provided in the present application are a private network security authentication method, apparatus and system, and an electronic device, a storage medium and a computer program product. The method comprises: an SIM card sending card information to a service system by means of a short message gateway; the service system returning user information to the SIM card; the first terminal sending an intranet application access request to a private network; a gateway device intercepting the intranet application access request, and redirecting an identity authentication link to the first terminal; the first terminal acquiring the user information of the SIM card and sending same to the service system by means of the gateway device; and the service system performing identity authentication on a user of the first terminal on the basis of the user information.

Description

Private network security authentication method, device and system, electronic device, storage medium and computer program product

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is based on the Chinese patent application with application number 202311113791.4 and application date August 30, 2023, and claims the priority of the Chinese patent application. The entire content of the Chinese patent application is hereby introduced into this application in its entirety.

Technical Field

The present application relates to the field of communication technology, and in particular to a private network security authentication method, device and system, electronic equipment, storage medium and computer program product.

Background Art

At present, operators generally adopt the core network user plane function (UPF) sinking mode to build fifth-generation mobile communication technology (5G) private networks for industry users. This mode relies on the operator's core network and base stations, and the terminal access is opened by the operator. However, for industry users, the completed 5G private network is equivalent to the enterprise intranet. Only relying on the operator's one-time authentication in the 5G core network is not enough to meet the access security needs of industry users. In particular, for high-security scenarios for individual user access such as the party, government, military, public security, procuratorial, judicial, and financial sectors, relying solely on operators for security access management is far from meeting the needs of industry users.

The current 5G private network construction plan relies on the operator's core network and base stations. Terminal access is activated by the operator, and data contracts are configured on the operator side. For industry users, it is impossible to independently manage users' access rights to access business systems through 5G private networks.

Summary of the invention

The present application provides a private network security authentication method, device and system, electronic device, storage medium and computer program product. The technical solution of the present application is as follows:

In a first aspect, an embodiment of the present application provides a private network security authentication method, which is applied to a subscriber identity module (SIM) card, comprising:

In response to triggering the card information reporting operation, sending a first data SMS to the business system through the SMS gateway, wherein the first data SMS includes the card information;

Receiving a second data SMS sent by the business system through the SMS gateway, and acquiring and storing user information based on the second data SMS; wherein the user information includes a mobile phone number;

Receive a first instruction sent by a first terminal where the SIM card is located, and send the user information to the first terminal, so that the first terminal requests the service system to perform identity authentication on the first terminal user based on the user information; wherein the first instruction instructs to obtain the user information.

In some implementations, before responding to triggering the card information reporting operation, the step includes:

Registering with the first terminal to monitor network access events;

An event that the first terminal passes the first network access authentication is monitored, triggering a card information reporting operation.

In some implementations, sending the first data SMS to the service system through the SMS gateway includes:

Reading card information, and assembling the card information into a response data packet of the first data SMS;

A response data packet of the first data SMS is sent to the business system through the SMS gateway.

In some implementations, the receiving a second data SMS sent by the business system through the SMS gateway, and acquiring and storing user information based on the second data SMS, includes:

receiving a second data SMS sent by the business system and forwarded by the SMS gateway; wherein the second data SMS includes an application command message, and the application command message includes the user information;

Decrypting the second data SMS message to obtain SMS content in the application command message;

Parse the text message content, obtain and store the user information.

In some implementations, sending the user information to the first terminal includes:

Establishing a secure access channel with the first terminal;

Reading user information; and encrypting the user information to obtain a ciphertext of the user information;

The user information ciphertext is sent to the first terminal through the secure access channel.

In some implementations, the response data packet includes a card application main version number, a security parameter identifier, an application response data packet, and a media access control (MAC) address, the application response data packet includes the card information, and the security parameter identifier includes an encryption identifier and an environment identifier.

In some implementations, storing the user information includes:

The user information is stored in the secure storage space of the SIM card.

In a second aspect, an embodiment of the present application provides a private network security authentication method, the method is applied to a first terminal, the first terminal includes a SIM card; the method includes:

Sending an intranet application access request to a private network, wherein the intranet application access request indicates access to a business system;

Receive an identity authentication link redirected by a gateway device, and send a first instruction to the SIM card based on the identity authentication link, wherein the first instruction instructs to obtain user information, the user information is sent to the SIM card by the service system based on the card information reported by the SIM card, and the user information includes a mobile phone number;

The user information sent by the SIM card is received, and first information is sent to the service system through the gateway device, and based on the user information in the first information, the service system is requested to perform identity authentication on the first terminal user.

In some implementations, before sending the intranet application access request to the private network, the process includes:

The first terminal sends an access request to the private network, where the access request instructs the private network to verify the authority of the first terminal.

In some implementations, the method further includes:

Receive a network access event monitoring registration request sent by the SIM card.

In a third aspect, an embodiment of the present application provides a private network security authentication method, which is applied to a gateway device and includes:

Intercepting an intranet application access request sent by a first terminal to a private network, and redirecting an identity authentication link to the first terminal; wherein the first terminal includes a SIM card, and the intranet application access request indicates access to a service system;

Receive first information sent by the first terminal, and send the first information to the business system, wherein the first information includes user information, and the user information is sent to the SIM card by the business system based on the card information reported by the SIM card, and the user information includes a mobile phone number, and the user information is used by the first terminal to request the business system to perform identity authentication on the first terminal user.

In a fourth aspect, an embodiment of the present application provides a private network security authentication method, which is applied to a business system in a private network, including:

Receiving a first data SMS sent by the SIM card through a SMS gateway, wherein the first data SMS includes card information;

Based on the first data SMS, obtain the mobile phone number and the card information corresponding to the SIM card, and record the binding relationship between the card information and the mobile phone number;

Sending a second data SMS to the SIM card through the SMS gateway, wherein the second data SMS includes user information, and the user information includes the mobile phone number;

Receive first information sent by the first terminal where the SIM card is located through a gateway device, and perform identity authentication on the first terminal user based on the user information in the first information.

In a fifth aspect, an embodiment of the present application provides a private network security authentication system, including a SIM card, a first terminal where the SIM card is located, a short message gateway, a gateway device, and a service system.

The SIM card is configured to execute the private network security authentication method according to the first aspect;

The first terminal where the SIM card is located is configured to execute the private network security authentication method described in the second aspect;

The gateway device is configured to execute the private network security authentication method according to the third aspect;

The business system is configured to execute the private network security authentication method described in the fourth aspect.

In a sixth aspect, an embodiment of the present application provides a private network security authentication device, the device being configured on a SIM card, comprising:

A card information reporting module, configured to send a first data SMS to a business system through a SMS gateway in response to triggering a card information reporting operation, wherein the first data SMS includes card information;

The card information reporting module is further configured to receive a second data SMS sent by the business system through the SMS gateway, and obtain and store user information based on the second data SMS; wherein the user information includes a mobile phone number;

The first transceiver module is configured to receive a first instruction sent by a first terminal where the SIM card is located, and send the user information to the first terminal, so that the first terminal requests the service system to perform identity authentication on the first terminal user based on the user information; wherein the first instruction instructs to obtain the user information.

In some implementations, the card information reporting module is further configured to:

In response to triggering the card information reporting operation, registering with the first terminal to monitor network access events;

An event that the first terminal passes the first network access authentication is monitored, triggering a card information reporting operation.

In some implementations, the card information reporting module is configured to:

Reading card information, and assembling the card information into a response data packet of the first data SMS;

A response data packet of the first data SMS is sent to the business system through the SMS gateway.

In some implementations, the card information reporting module is configured to:

receiving a second data SMS sent by the business system and forwarded by the SMS gateway; wherein the second data SMS includes an application command message, and the application command message includes the user information;

Decrypting the second data SMS message to obtain SMS content in the application command message;

Parse the text message content, obtain and store the user information.

In some implementations, the first transceiver module is configured to:

Establishing a secure access channel with the first terminal;

Reading user information; and encrypting the user information to obtain a ciphertext of the user information;

The user information ciphertext is sent to the first terminal through the secure access channel.

In some implementations, the response data packet includes a card application major version number, a security parameter identifier, an application response data packet and a MAC address, the application response data packet includes the card information, and the security parameter identifier includes an encryption identifier and an environment identifier.

In some implementations, the card information reporting module is configured to:

The user information is stored in the secure storage space of the SIM card.

In a seventh aspect, an embodiment of the present application provides a private network security authentication device, the device being configured in a first terminal, the first terminal including a SIM card, including:

A second transceiver module is configured to send an intranet application access request to the private network, wherein the intranet application access request indicates access to a business system;

The second transceiver module is further configured to receive an identity authentication link redirected by a gateway device, and send a first instruction to the SIM card based on the identity authentication link, wherein the first instruction instructs to obtain user information, the user information is sent to the SIM card by the service system based on the card information reported by the SIM card, and the user information includes a mobile phone number;

The second transceiver module is further configured to receive the user information sent by the SIM card, send first information to the service system through the gateway device, and request the service system to perform identity authentication on the first terminal user based on the user information in the first information.

In some implementations, the second transceiver module is further configured to:

Before sending an intranet application access request to the private network, the first terminal sends an access request to the private network, where the access request instructs the private network to verify the authority of the first terminal.

In some implementations, the second transceiver module is further configured to:

Receive a network access event monitoring registration request sent by the SIM card.

In an eighth aspect, an embodiment of the present application provides a private network security authentication device, the device being configured in a gateway device, including:

The access gateway module is configured to intercept an intranet application access request sent by a first terminal to a private network, and redirect an identity authentication link to the first terminal; wherein the first terminal includes a SIM card, and the intranet application access request indicates access to a service system;

The control center module is configured to receive the first information sent by the first terminal and send the first information to the business system, wherein the first information includes user information, and the user information is sent to the SIM card by the business system based on the card information reported by the SIM card, and the user information includes a mobile phone number, and the user information is used by the first terminal to request the business system to authenticate the first terminal user.

In a ninth aspect, an embodiment of the present application provides a private network security authentication device, wherein the device is configured in a business system within the private network, including:

A third transceiver module is configured to receive a first data SMS sent by the SIM card through the SMS gateway, wherein the first data SMS includes card information;

a processing module configured to obtain the mobile phone number and the card information corresponding to the SIM card based on the first data SMS, and record the binding relationship between the card information and the mobile phone number;

The third transceiver module is further configured to send a second data SMS to the SIM card through the SMS gateway, wherein the second data SMS includes user information, and the user information includes the mobile phone number;

The identity authentication module is configured to receive first information sent by the first terminal where the SIM card is located through the gateway device, and perform identity authentication on the first terminal user based on the user information in the first information.

In the tenth aspect, an embodiment of the present application provides an electronic device, comprising: at least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor can execute the private network security authentication method described in any one of the embodiments of the first to fourth aspects of the present application.

In the eleventh aspect, an embodiment of the present application provides a non-transitory computer-readable storage medium storing computer instructions, wherein the computer instructions are configured to enable the computer to execute the private network security authentication method described in any one of the embodiments of the first to fourth aspects of the present application.

In the twelfth aspect, an embodiment of the present application provides a computer program product, including computer instructions, which, when executed by a processor, implement the private network security authentication method described in any one of the embodiments of the first to fourth aspects of the present application.

The technical solution provided by the embodiments of the present application brings at least the following beneficial effects:

The SIM card reports the card information to the business system in the private network, and the user information returned by the business system is stored in the SIM card; when the first terminal where the SIM card is located requests to access the business system, the gateway device redirects the identity authentication, and the first terminal sends the user information stored in the SIM card to the business system for identity authentication. The private network user side can independently manage the user's access rights to the business system through the private network, and the identity authentication control on the private network enterprise side is realized.

It should be understood that the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the present application.

BRIEF DESCRIPTION OF THE DRAWINGS

The drawings herein are incorporated into the specification and constitute a part of the specification, illustrate embodiments consistent with the present application, and together with the specification are used to explain the principles of the present application, and do not constitute improper limitations on the present application.

Fig. 1 is a flow chart showing a private network security authentication method according to an exemplary embodiment.

FIG. 2 is a schematic diagram of the structure of a first data SMS according to an example.

FIG. 3 is a schematic diagram of the structure of a response data packet according to an example.

FIG. 4 is a schematic diagram showing the structure of a second data SMS according to an example.

FIG. 5 is a schematic diagram of the structure of an application command message according to an example.

Fig. 6 is a flow chart showing a private network security authentication method according to another exemplary embodiment.

Fig. 7 is a flow chart showing a private network security authentication method according to yet another exemplary embodiment.

Fig. 8 is a flow chart showing a private network security authentication method according to yet another exemplary embodiment.

Fig. 9 is a flow chart showing a private network security authentication method according to yet another exemplary embodiment.

Fig. 10 is a block diagram showing a private network security authentication device according to an exemplary embodiment.

Fig. 11 is a block diagram showing a private network security authentication device according to another exemplary embodiment.

Fig. 12 is a block diagram of a private network security authentication device according to yet another exemplary embodiment.

Fig. 13 is a block diagram of a private network security authentication device according to yet another exemplary embodiment.

Fig. 14 is a block diagram of a private network security authentication system according to an exemplary embodiment.

Fig. 15 is a block diagram of an electronic device according to an exemplary embodiment.

DETAILED DESCRIPTION

In order to enable ordinary persons in the art to better understand the technical solution of the present application, the technical solution in the embodiments of the present application will be clearly and completely described below in conjunction with the accompanying drawings.

It should be noted that the terms "first", "second", etc. in this application are used to distinguish similar objects, and are not necessarily used to describe a specific order or sequence. It should be understood that the data used in this way can be interchangeable where appropriate, so that the embodiments of the application described here can be implemented in an order other than those illustrated or described here. The implementation methods described in the following exemplary embodiments do not represent all implementation methods consistent with the present application. On the contrary, they are merely examples of devices and methods consistent with some aspects of the present application as detailed in the attached claims.

Since its official commercial use, 5G networks have rapidly achieved popularization in the civilian stage. In the commercial field, the construction of 5G private networks by operators led by China Mobile has also developed rapidly. With the low latency, high bandwidth, and high capacity of private networks, it is highly consistent with the needs of digital transformation. It is a comprehensive integration and improvement of operation technology (OT, Operation Technology) + Internet technology (IT, Internet Technology) + communication technology (CT, Communication Technology), which can quickly help traditional industries, vertical public security, rail transit, social departments, etc. to achieve digital transformation.

5G private network is a local area network (LAN). Relying on 5G network slicing technology, it can create an exclusive network connection system for target customers and enterprises with unified connectivity, optimized service functions and guaranteed communication security in a specific area. As an exclusive service, the network's stability, serviceability and security are better guaranteed.

At present, operators generally adopt the core network UPF sinking mode to build 5G private networks for industry users. This mode relies on the core network and base stations of operators. Terminal access is opened by operators, and data contracts are configured on the operator side. However, for industry users, the completed 5G private network is equivalent to the enterprise intranet. Only relying on the operator's one-time authentication in the 5G core network is not enough to meet the access security needs of industry users, especially in the high-security level access scenario for individual users. Only relying on operators for security access management is far from meeting the needs of industry users, and it is impossible to independently manage the access rights of users to access business systems through 5G private networks.

In order to solve the above problems, the embodiments of the present application provide a private network security authentication method, device and system, electronic device, storage medium and computer program product. By introducing SIM cards and gateway devices as infrastructure and IT support, the secure identity authentication of the 5G private network at the CT layer is realized, and the problems of the inability to authenticate and control the 5G private network enterprise side, the need for frequent logins for secondary user identity control authentication, and low security levels are solved.

FIG1 is a flow chart of a private network security authentication method according to an exemplary embodiment. The method is applied to a private network security authentication system, which includes a SIM card, a first terminal where the SIM card is located, a short message gateway, a gateway device, and a service system in a private network, wherein the short message gateway and the gateway device are gateways of the private network. As shown in FIG1 , the private network security authentication method may include the following steps.

Step S101: In response to triggering a card information reporting operation, the SIM card sends a first data SMS to a service system through a SMS gateway, wherein the first data SMS includes card information.

First of all, it should be noted that the SIM card in the embodiment of the present application is a smart card that supports the ISO/IEC 7816-4 specification and the 3GPPTS 31.111 specification. Specifically, it supports the Application Protocol Data Unit (APDU) instruction and the connection-oriented Bearer Independent Protocol (BIP).

In some embodiments, the SIM card registers with the first terminal where the SIM card is located to monitor network access events; after monitoring the first terminal's first network access authentication passing event, a card information reporting operation is triggered.

Exemplarily, the SIM card registers a STATUS network access event monitor with the first terminal. When the first terminal passes the private network access authentication, the SIM card detects that the SIM card has successfully accessed the network for the first time, and automatically triggers a card information report, that is, triggers the SIM card to report the card information to the SMS gateway.

As an implementation manner, a card information reporting module of the SIM card registers with the first terminal where the SIM card is located to monitor the network access event.

As an implementation method, the SIM card reads the card information, assembles the card information into a response data packet of the first data SMS, and sends the response data packet of the first data SMS to the service system through the SMS gateway.

The SIM card sends a first data SMS to the SMS gateway. The first data SMS includes a response data packet. The response data packet includes card information. The SMS gateway transparently transmits the card information and the mobile phone number to the business system.

It should be noted that the data SMS is a digital identifier, which can be understood as an APDU instruction. When the SIM card sends the first data SMS to the business system through the SMS gateway, the SMS gateway needs to send the SMS to the SMS gateway through the mobile phone number. The gateway port can obtain the mobile phone number of the SIM card. That is, when the SIM card is connected to the network, it needs to access the mobile network through the mobile phone number. After receiving the first data SMS, the business system can obtain the mobile phone number corresponding to the SIM card. The mobile phone number is bound to the terminal user. Therefore, the business system can authenticate the terminal user based on the mobile phone number.

Optionally, the SIM card assembles card information such as the blank card serial number, integrated circuit card identification code (ICCID, Integrated Circuit Card Identity) (i.e., SIM card number), international mobile subscriber identity code (IMSI, International Mobile Subscriber Identity), and security element identifier (SEID, Security Element Identifier) in a response data packet as part of the first data message and sends it to the SMS gateway. The first data message is an uplink message. The SMS gateway receives the first data message, i.e., the card information reporting message, and the SMS gateway transparently transmits the card information and mobile phone number to the business system.

Exemplarily, FIG2 shows the structure of the first data SMS, which is an uplink SMS structure, and the uplink SMS structure includes an uplink message header, an SMS security field, and a response data packet. FIG3 shows the structure of the response data packet of the first data SMS. The response data packet includes the card application main version number (Ver(1Byte(B))), the security parameter identifier (Flag(1B)), the application response data packet (APP-DATA) and the MAC address. The application response data packet includes card information. Specifically, APP-DATA includes TAG (i.e., APP-DATA tag, 1B), length (i.e., APP-DATA length), card application sub-version number (2B), empty card serial number length (1B), empty card serial number (10B), IMSI length (1B), IMSI (9B), SEID length (1B), SEID (10B). Table 1 is a schematic diagram of the definition of the uplink SMS response data packet field, and Table 2 is a schematic diagram of the definition of the security parameter identifier field. The security parameter identifier includes an encryption identifier and an environment identifier.

Table 1

Among them, "XX" in Table 1 indicates that the length value of APP-DATA is variable.

Table 2

Among them, the security parameter identification field has a total of 1 Byte (8 bits), namely b1 to b8. In actual applications, two bits can be selected from b1 to b8 to indicate the security parameter identification field definition. For example, as shown in Table 2 above, b1 and b2 are selected and enabled, while b3 to b8 are not enabled yet (not enabled yet is indicated by 0). Exemplarily, when the security parameter identification includes an encryption identification, b1 is selected to be enabled (X indicates that the position value of b1 is variable, and the value can be 0 or 1, 0 indicates no encryption, and 1 indicates encryption); when the security parameter identification includes an environment identification, b2 is selected to be enabled (X indicates that the position value of b2 is variable, and the value can be 0 or 1, 0 indicates a test environment, and 1 indicates a production environment). It should be noted that b1 and b2 are not mutually exclusive, but independent of each other.

Step S102, the service system receives a first data SMS sent by the SIM card through the SMS gateway, obtains the mobile phone number and card information corresponding to the SIM card based on the first data SMS, and records the binding relationship between the card information and the mobile phone number.

It can be understood that after receiving the first data SMS, the business system can obtain the mobile phone number corresponding to the SIM card, and the business system can bind the received card information with the mobile phone number, and record the binding relationship between the card information and the mobile phone number. In other words, since the empty card serial number, ICCID, IMSI, etc. in the card information are unique, the mobile phone number is bound to these unique card information one by one, and the card information is associated with the mobile phone number through the SIM card, and the SIM card serves as the identity of the terminal user.

Step S103: the service system sends a second data SMS to the SIM card through the SMS gateway, wherein the second data SMS includes user information, and the user information includes a mobile phone number.

It can be understood that the business system assembles the second data SMS carrying the mobile phone number and requests the SMS gateway to send the second data SMS to the SIM card. The SMS gateway sends the second data SMS to the SIM card corresponding to the mobile phone number, and the second data SMS is a downlink SMS.

In some embodiments, the second data SMS includes an application command message, and the application command message includes a mobile phone number.

Exemplarily, FIG4 shows the structure of the second data message, and the structure of the second data message is a downlink message format, and the downlink message format includes a message header, an application command security field, and an application command message. FIG5 shows the structure of the application command message of the second data message, and the application command message includes main_Ver (i.e., the downlink message main version number, 1B), Flag (i.e., the downlink message identifier, 1B), APP-DATA (downlink message application data), and MAC address. Table 3 is a schematic diagram of the definition of the downlink message application data APP-DATA field, as shown in Table 3:

Table 3

Among them, "XX" in Table 3 respectively represents the length of the downlink SMS application data field (such as the length in Table 3), the length of the mobile phone number, and the variable value of the mobile phone number.

Step S104: The SIM card receives a second data SMS sent by the service system through the SMS gateway, and obtains and stores user information based on the second data SMS.

As an implementation method, the SIM card receives a second data SMS sent by a service system forwarded by an SMS gateway; decrypts the second data SMS to obtain SMS content in an application command message; and parses the SMS content to obtain and store user information.

It can be understood that the SIM card receives the second data SMS sent by the business system forwarded by the SMS gateway, performs a message authentication code verification on the second data SMS, decrypts the second data SMS after the verification passes, obtains the content of the second data SMS, parses the content, extracts user information such as the mobile phone number, and writes the user information into the storage.

Optionally, the SIM card stores the user information in a secure storage space of the SIM card.

Step S105: The first terminal sends an intranet application access request to the private network, wherein the intranet application access request indicates access to a business system.

It should be noted that the terminal corresponds to the private network. For example, when the business system belongs to the intranet application of the 5G private network, the first terminal is the 5G terminal.

In some embodiments, before the first terminal sends an intranet application access request to the private network, it also includes: the first terminal sends an access request to the private network, and the access request instructs the private network to verify the authority of the first terminal.

It can be understood that the terminal user accesses the private network through the first terminal, and the operator's core network implements one-time authentication of the private network by allocating the private network Internet Protocol (IP) address. After the authentication is passed, the first terminal sends an intranet application access request to the private network, and the terminal user's identity authentication verification will be triggered when requesting to access the enterprise intranet application.

In some embodiments, the first terminal receives a registration request for monitoring network access events sent by the SIM card, so that after the SIM card monitors an event that the first terminal passes the first network access authentication for the private network, a card information reporting operation is triggered.

Step S106: The gateway device intercepts the intranet application access request sent by the first terminal to the private network, and redirects the identity authentication link to the first terminal.

It can be understood that the gateway device intercepts the private network traffic and initiates the redirection request. Optionally, the access gateway module of the gateway device intercepts the private network traffic and initiates the redirection request.

Exemplarily, the network traffic of the intranet application access request sent by the first terminal is mirrored to the access gateway module of the gateway device via the switch/router. The access gateway module receives the mirrored intranet application access request of the switch/router, sends a transmission control protocol (TCP, Transmission Control Protocol) reset (RESET) blocking packet to the switch/router, and redirects the authentication link (access gateway 8081 port uniform resource locator (URL, Uniform Resource Locator)) to the first terminal.

Step S107: The first terminal receives the identity authentication link redirected by the gateway device, and sends a first instruction to the SIM card based on the identity authentication link, wherein the first instruction instructs obtaining user information.

It can be understood that when the first terminal sends an intranet application access request to the private network, the gateway device intercepts the intranet application access request sent by the first terminal to the private network and redirects the identity authentication link to the first terminal.

It can be understood that after receiving the identity authentication link, the first terminal obtains the user information ciphertext from the SIM card.

Optionally, the first instruction is an APDU instruction, that is, the first terminal sends an APDU instruction to the SIM card, and the APDU instruction instructs obtaining user information.

Step S108: The SIM card receives the first instruction sent by the first terminal, and sends the user information to the first terminal.

It can be understood that when a user accesses a private network through a first terminal and requests an enterprise intranet application, user identity verification will be triggered. The first terminal then sends a first instruction request to the SIM card configured therein to obtain user information previously stored in the SIM card.

As an implementation method, the SIM card establishes a secure access channel with the first terminal; reads the stored user information, encrypts the user information, and obtains the user information ciphertext; and sends the user information ciphertext to the first terminal through the secure access channel.

Optionally, after receiving the first instruction, the SIM card reads the user information stored in the secure storage space, encrypts the user information using a key preset in the card, and obtains the user information ciphertext. Optionally, the key is preset during the SIM card manufacturing process and is only shared with the business system to ensure data security.

Step S109: The first terminal receives the user information sent by the SIM card, and sends first information to the service system through the gateway device; wherein the first information includes the user information.

In this embodiment, the "information" in the first information may also be a name such as a message, a signaling, or an instruction.

It should be noted that the user information in the first information is ciphertext of the user information.

As an implementation method, the first terminal receives the user information ciphertext sent by the SIM card, and sends a proxy identity authentication request including the user information ciphertext, accesses the gateway device through an access identity authentication link, and sends the proxy identity authentication request to the control center of the gateway device; wherein the proxy identity authentication request instructs the gateway device to transparently transmit the user information to the business system.

It can be understood that after the first terminal receives the user information ciphertext, it transparently transmits the user information ciphertext to the business system through the gateway device.

Step S110: The gateway device receives first information sent by the first terminal, and sends the first information to the service system.

As an implementation method, the gateway device receives a proxy identity authentication request sent by the first terminal and sends the user information to the business system; wherein the proxy identity authentication request instructs the gateway device to send the user information to the business system, and the proxy identity authentication request includes the first information.

In some embodiments, the control center of the gateway device receives the proxy identity authentication request sent by the first terminal through the identity authentication link, and transparently transmits the user information to the business system.

It should be noted that the first information includes ciphertext of user information.

As an implementation method, the control center receives the proxy authentication request and encapsulates the user information ciphertext into a general authentication interface protocol message; and sends the general authentication interface protocol message to the identity authentication platform of the business system of the enterprise intranet. Since the entire transmission process is encrypted, the secure transmission of user information is guaranteed.

Step S111: The service system receives first information sent by a first terminal where a SIM card is located through a gateway device, and performs identity authentication on a user of the first terminal based on user information in the first information.

That is, the business system receives the user information and performs identity authentication on the first terminal user based on the user information.

As an implementation method, the identity authentication platform of the business system parses the received general authentication interface protocol message to obtain the user information ciphertext; decrypts it through the local private key to obtain the user information; compares the user information with the user information whitelist configured by the local administrator, and only allows access after verification, that is, authorizes the first terminal user to access the business system.

By implementing this embodiment, the card information is reported to the business system in the private network through the SIM card, and the user information returned by the business system is stored in the SIM card; when the first terminal where the SIM card is located requests to access the business system, the gateway device redirects the identity authentication, and the first terminal sends the user information stored in the SIM card to the business system for identity authentication. The private network user side can independently manage the access rights of users to access the business system through the private network, and realize the identity authentication control on the private network enterprise side. The business system collects and binds user information through the SIM card and the SMS gateway, without the need for an interface to collect user information, and provides a good experience. User information is encrypted at the hard medium layer of the SIM card, and encrypted text is transmitted throughout the process to achieve secure authentication. User identity information verification is performed through gateway device redirection, which can cover all terminals and is easy to promote.

Based on the above embodiment, FIG6 is a flow chart of a private network security authentication method according to another exemplary embodiment. The method is applied to a SIM card. As shown in FIG6, the private network security authentication method may include the following steps.

Step S601, in response to triggering a card information reporting operation, sending a first data SMS to a business system through an SMS gateway, wherein the first data SMS includes card information.

Step S602, receiving a second data SMS sent by the business system through the SMS gateway, and acquiring and storing user information based on the second data SMS; wherein the user information includes a mobile phone number.

Step S603, receiving a first instruction sent by the first terminal where the SIM card is located, and sending user information to the first terminal, so that the first terminal requests the service system to perform identity authentication on the first terminal user based on the user information; wherein the first instruction instructs obtaining user information.

The user information is sent to the first terminal, so that the first terminal sends the user information to the business system through the gateway device to request the business system to perform identity authentication on the first terminal user.

It should be noted that in the embodiment of the present application, the implementation process of steps S601 to S603 can refer to the description of the implementation process of the corresponding steps in the embodiment shown in FIG. 1 of the present application, and will not be repeated here.

By implementing this embodiment, the card information is reported to the business system in the private network through the SIM card, and the user information returned by the business system is stored in the SIM card; when the first terminal where the SIM card is located requests to access the business system, the first terminal sends the user information stored in the SIM card to the business system for identity authentication. The private network user side can independently manage the access rights of users to access the business system through the private network, and the identity authentication control on the private network enterprise side is realized. The business system collects and binds user information through the SIM card and the SMS gateway, without the need for an interface to collect user information, and provides a good experience. User information is encrypted at the hard medium layer of the SIM card, and encrypted text is transmitted throughout the process to achieve secure authentication.

Based on any of the above embodiments, Figure 7 is a flow chart of a private network security authentication method according to another exemplary embodiment. The method is applied to a first terminal, and the first terminal includes a SIM card; as shown in Figure 7, the private network security authentication method may include the following steps.

Step S701: Send an intranet application access request to a private network, wherein the intranet application access request indicates access to a business system.

The first terminal sends an intranet application access request to the private network, wherein the intranet application access request indicates access to a business system.

Step S702: receiving an identity authentication link redirected by a gateway device, and sending a first instruction to the SIM card based on the identity authentication link.

The first instruction instructs to obtain user information, where the user information is sent to the SIM card by the service system based on the card information reported by the SIM card, and the user information includes a mobile phone number.

Step S703: receiving user information sent by the SIM card, sending first information to the service system through the gateway device, and requesting the service system to perform identity authentication on the first terminal user based on the user information in the first information.

It should be noted that in the embodiment of the present application, the implementation process of steps S701 to S703 can refer to the description of the implementation process of the corresponding steps in the embodiment shown in FIG. 1 of the present application, and will not be repeated here.

By implementing this embodiment, the card information is reported to the business system in the private network through the SIM card, and the user information returned by the business system is stored in the SIM card; when the first terminal where the SIM card is located requests to access the business system, the gateway device redirects the identity authentication, and the first terminal sends the user information stored in the SIM card to the business system for identity authentication. The private network user side can independently manage the access rights of users to access the business system through the private network, and the identity authentication control on the private network enterprise side is realized.

Based on any of the above embodiments, Fig. 8 is a flow chart of a private network security authentication method according to another exemplary embodiment. The method is applied to a gateway device; as shown in Fig. 8, the private network security authentication method may include the following steps.

Step S801, intercepting an intranet application access request sent by a first terminal to a private network, and redirecting an identity authentication link to the first terminal; wherein the first terminal includes a SIM card, and the intranet application access request indicates access to a service system.

Step S802, receiving the first information sent by the first terminal, and sending the first information to the business system, wherein the first information includes user information, the user information is sent to the SIM card by the business system based on the card information reported by the SIM card, the user information includes the mobile phone number, and the user information is used by the first terminal to request the business system to authenticate the first terminal user.

It should be noted that in the embodiment of the present application, the implementation process of step S801-step S802 can refer to the description of the implementation process of the corresponding steps in the embodiment shown in Figure 1 of the present application, and will not be repeated here.

By implementing this embodiment, when the first terminal where the SIM card is located requests to access the service system, the gateway device redirects the identity authentication, and the first terminal sends the user information returned by the service system stored in the SIM card based on the card information reported by the SIM card to the service system for identity authentication. The private network user side can independently manage the access rights of users to access the service system through the private network, and the identity authentication control on the private network enterprise side is realized. By redirecting the user identity information through the gateway device, it can cover all terminals and is easy to promote.

Based on any of the above embodiments, Figure 9 is a flow chart of a private network security authentication method according to another exemplary embodiment. The method is applied to a service system in a private network; as shown in Figure 9, the private network security authentication method may include the following steps.

Step S901: receiving a first data SMS sent by a SIM card via a SMS gateway, wherein the first data SMS includes card information.

Step S902: based on the first data SMS, obtain the mobile phone number and card information corresponding to the SIM card, and record the binding relationship between the card information and the mobile phone number.

Step S903: Send a second data SMS to the SIM card through the SMS gateway, wherein the second data SMS includes user information, and the user information includes a mobile phone number.

Step S904: receiving first information sent by the first terminal where the SIM card is located through the gateway device, and performing identity authentication on the first terminal user based on the user information in the first information.

It should be noted that in the embodiment of the present application, the implementation process of step S901 to step S904 can refer to the description of the implementation process of the corresponding steps in the embodiment shown in Figure 1 of the present application, and will not be repeated here.

By implementing this embodiment, the card information is reported to the business system in the private network through the SIM card, and the business system returns the user information to the SIM card; when the first terminal where the SIM card is located requests to access the business system, the first terminal sends the user information stored in the SIM card to the business system for identity authentication. The private network user side can independently manage the access rights of users to access the business system through the private network, and the identity authentication control on the private network enterprise side is realized. The business system collects and binds user information through the SIM card and the SMS gateway, without the need for an interface to collect user information, and provides a good experience.

Based on any of the above embodiments, FIG10 is a block diagram of a private network security authentication device according to an exemplary embodiment, and the device is configured in a SIM card. Referring to FIG10 , the private network security authentication device may include: a card information reporting module 1001 and a first transceiver module 1002 .

Specifically, the card information reporting module 1001 is configured to send a first data SMS to the business system through the SMS gateway in response to triggering the card information reporting operation, wherein the first data SMS includes the card information;

The card information reporting module 1001 is further configured to receive a second data SMS sent by the business system through the SMS gateway, and obtain and store user information based on the second data SMS; wherein the user information includes a mobile phone number;

The first transceiver module 1002 is configured to receive a first instruction sent by a first terminal where the SIM card is located, and send user information to the first terminal so that the first terminal requests the service system to perform identity authentication on the first terminal user based on the user information; wherein the first instruction indicates obtaining user information.

In some implementations, the card information reporting module 1001 is further configured to:

In response to triggering the card information reporting operation, registering with the first terminal to monitor network access events;

An event that the first terminal passes the first network access authentication is monitored, triggering a card information reporting operation.

In some implementations, the card information reporting module 1001 is configured to:

Read the card information and assemble the card information into a response data packet of the first data SMS; send the response data packet of the first data SMS to the business system through the SMS gateway.

In some implementations, the card information reporting module 1001 is configured to:

Receive a second data SMS sent by the service system forwarded by the SMS gateway; wherein the second data SMS includes an application command message, and the application command message includes user information;

Decrypt the second data SMS message to obtain SMS content in the application command message;

Parse SMS content, obtain and store user information.

In some implementations, the first transceiver module 1002 is configured to:

Establishing a secure access channel with the first terminal;

Read user information; and encrypt the user information to obtain the ciphertext of the user information;

The user information ciphertext is sent to the first terminal through a secure access channel.

In some implementations, the response data packet includes the card application major version number, the security parameter identifier, the application response data packet and the MAC address, the application response data packet includes the card information, and the security parameter identifier includes the encryption identifier and the environment identifier.

In some implementations, the card information reporting module 1001 is configured to:

Store user information in the secure storage space of the SIM card.

Regarding the device in the above embodiment, the specific manner in which each module performs operations has been described in detail in the embodiment of the method, and will not be elaborated here.

By implementing this embodiment, the card information is reported to the business system in the private network through the SIM card, and the user information returned by the business system is stored in the SIM card; when the first terminal where the SIM card is located requests to access the business system, the first terminal sends the user information stored in the SIM card to the business system for identity authentication. The private network user side can independently manage the access rights of users to access the business system through the private network, and the identity authentication control of the private network enterprise side is realized. The business system realizes user information through the SIM card and SMS gateway The user information is collected and bound without the need for an interface, providing a better experience. User information is encrypted through the hard medium layer of the SIM card, and the entire process is encrypted to achieve secure authentication.

Based on any of the above embodiments, FIG11 is a block diagram of a private network security authentication device according to another exemplary embodiment, the device is configured in a first terminal, and the first terminal includes a SIM card. Referring to FIG11 , the private network security authentication device may include: a second transceiver module 1101 .

Specifically, the second transceiver module 1101 is configured to send an intranet application access request to the private network, wherein the intranet application access request indicates access to the business system;

The second transceiver module 1101 is further configured to receive an identity authentication link redirected by the gateway device, and send a first instruction to the SIM card based on the identity authentication link, wherein the first instruction instructs to obtain user information, the user information is sent to the SIM card by the service system based on the card information reported by the SIM card, and the user information includes a mobile phone number;

The second transceiver module 1101 is further configured to receive user information sent by the SIM card, send first information to the service system through the gateway device, and request the service system to perform identity authentication on the first terminal user based on the user information in the first information.

In some implementations, the second transceiver module 1101 is further configured to:

Before sending an intranet application access request to the private network, the first terminal sends an access request to the private network, where the access request instructs the private network to verify the authority of the first terminal.

In some implementations, the second transceiver module 1101 is further configured to:

Receive the registration request for monitoring network access events sent by the SIM card.

Regarding the device in the above embodiment, the specific manner in which each module performs operations has been described in detail in the embodiment of the method, and will not be elaborated here.

By implementing this embodiment, the card information is reported to the business system in the private network through the SIM card, and the user information returned by the business system is stored in the SIM card; when the first terminal where the SIM card is located requests to access the business system, the gateway device redirects the identity authentication, and the first terminal sends the user information stored in the SIM card to the business system for identity authentication. The private network user side can independently manage the access rights of users to access the business system through the private network, and the identity authentication control on the private network enterprise side is realized.

Based on any of the above embodiments, FIG12 is a block diagram of a private network security authentication device according to another exemplary embodiment, and the device is configured in a gateway device. Referring to FIG12 , the private network security authentication device may include: an access gateway module 1201 and a control center module 1202 .

Specifically, the access gateway module 1201 is configured to intercept an intranet application access request sent by the first terminal to the private network, and redirect the identity authentication link to the first terminal; wherein the first terminal includes a SIM card, and the intranet application access request indicates access to the service system;

The control center module 1202 is configured to receive the first information sent by the first terminal and send the first information to the business system, wherein the first information includes user information, and the user information is sent to the SIM card by the business system based on the card information reported by the SIM card. The user information includes a mobile phone number, and the user information is used by the first terminal to request the business system to authenticate the identity of the first terminal user.

Regarding the device in the above embodiment, the specific manner in which each module performs operations has been described in detail in the embodiment of the method, and will not be elaborated here.

By implementing this embodiment, when the first terminal where the SIM card is located requests to access the service system, the gateway device redirects the identity authentication, and the first terminal sends the user information returned by the service system stored in the SIM card based on the card information reported by the SIM card to the service system for identity authentication. The private network user side can independently manage the access rights of users to access the service system through the private network, and the identity authentication control on the private network enterprise side is realized. By redirecting the user identity information through the gateway device, it can cover all terminals and is easy to promote.

Based on any of the above embodiments, FIG13 is a block diagram of a private network security authentication device according to another exemplary embodiment, and the device is configured in a service system in a private network. Referring to FIG13 , the private network security authentication device may include: a third transceiver module 1301, a processing module 1302, and an identity authentication module 1303.

Specifically, the third transceiver module 1301 is configured to receive a first data SMS sent by the SIM card through the SMS gateway, wherein the first data SMS includes card information.

The processing module 1302 is configured to obtain the mobile phone number and card information corresponding to the SIM card based on the first data SMS, and record the binding relationship between the card information and the mobile phone number.

The third transceiver module 1301 is further configured to send a second data SMS to the SIM card through the SMS gateway, wherein the second data SMS includes user information, and the user information includes a mobile phone number.

The identity authentication module 1303 is configured to receive first information sent by the first terminal where the SIM card is located through the gateway device, and perform identity authentication on the first terminal user based on the user information in the first information.

Regarding the device in the above embodiment, the specific manner in which each module performs operations has been described in detail in the embodiment of the method, and will not be elaborated here.

By implementing this embodiment, the card information is reported to the business system in the private network through the SIM card, and the business system returns the user information to the SIM card; when the first terminal where the SIM card is located requests to access the business system, the first terminal sends the user information stored in the SIM card to the business system for identity authentication. The private network user side can independently manage the access rights of users to access the business system through the private network, and the identity authentication control on the private network enterprise side is realized. The business system collects and binds user information through the SIM card and the SMS gateway, without the need for an interface to collect user information, and provides a good experience.

Based on any of the above embodiments, Figure 14 is a block diagram of a private network security authentication system according to an exemplary embodiment. Referring to Figure 14, the private network security authentication system may include: a SIM card 1401, a first terminal (such as a 5G terminal) where the SIM card is located 1402, a SMS gateway 1403, a gateway device 1404 and a business system 1405.

Specifically, the SIM card 1401 is configured to execute the private network security authentication method shown in FIG6 ;

The first terminal 1402 where the SIM card is located is configured to execute the private network security authentication method shown in FIG7 ;

The gateway device 1404 is configured to execute the private network security authentication method shown in FIG8 ;

The business system 1405 is configured to execute the private network security authentication method shown in FIG. 9 .

By implementing this embodiment, the card information is reported to the business system in the private network through the SIM card, and the business system returns the user information to the SIM card; when the first terminal where the SIM card is located requests to access the business system, the first terminal sends the user information stored in the SIM card to the business system for identity authentication. The private network user side can independently manage the access rights of users to access the business system through the private network, and the identity authentication control on the private network enterprise side is realized. The business system collects and binds user information through the SIM card and the SMS gateway, without the need for an interface to collect user information, and provides a good experience.

According to an embodiment of the present application, the present application also provides an electronic device and a readable storage medium.

Figure 15 is a block diagram of an electronic device shown according to an exemplary embodiment, which is an electronic device for implementing a method for private network security authentication. The electronic device is intended to represent various forms of digital computers, such as laptop computers, desktop computers, workbenches, personal digital assistants, servers, blade servers, mainframe computers, and other suitable computers. The electronic device can also represent various forms of mobile devices, such as personal digital processing, cellular phones, smart phones, wearable devices and other similar computing devices. The components shown herein, their connections and relationships, and their functions are merely examples and are not intended to limit the implementation of the present application described and/or required herein.

As shown in Figure 15, the electronic device includes: one or more processors 1501, a memory 1502, and interfaces for connecting various components, including high-speed interfaces and low-speed interfaces. The various components are connected to each other using different buses and can be installed on a common motherboard or installed in other ways as needed. The processor can process instructions executed in the electronic device, including instructions stored in or on the memory to display graphical information of a graphical user interface (GUI, Graphical User Interface) on an external input/output device (such as a display device coupled to the interface). In other embodiments, if necessary, multiple processors and/or multiple buses can be used with multiple memories. Similarly, multiple electronic devices can be connected, and each device provides some necessary operations (for example, as a server array, a group of blade servers, or a multi-processor system). Figure 15 takes a processor 1501 as an example.

The memory 1502 is the non-transitory computer-readable storage medium provided in the present application. The memory 1502 stores instructions executable by at least one processor 1501, so that the at least one processor 1501 performs the method for private network security authentication provided in the present application. The non-transitory computer-readable storage medium of the present application stores computer instructions, which are configured to enable a computer to perform the method for private network security authentication provided in the present application.

The memory 1502, as a non-transient computer-readable storage medium, can be used to store non-transient software programs, non-transient computer executable programs and modules, such as the program instructions/modules corresponding to the method for private network security authentication in the embodiment of the present application (for example, the access gateway module 1201 and the control center module 1202 shown in FIG. 12). The processor 1501 executes various functional applications and data processing of the server by running the non-transient software programs, instructions and modules stored in the memory 1502, that is, implements the method for private network security authentication in the above method embodiment.

The memory 1502 may include a program storage area and a data storage area, wherein the program storage area may store an operating system and at least one application required for a function; the data storage area may store data created based on the use of the electronic device with private network security authentication, etc. In addition, the memory 1502 may include a high-speed random access memory, and may also include a non-transient memory, such as at least one disk storage device, a flash memory device, or other non-transient solid-state storage device. In some embodiments, the memory 1502 may optionally include a remote memory remotely located relative to the processor 1501, and these remote memories may be connected to the private network security authentication through a network. Electronic devices. Examples of the above network include, but are not limited to, the Internet, corporate intranets, local area networks, mobile communication networks, and combinations thereof.

The electronic device for private network security authentication may further include: an input device 1503 and an output device 1504. The processor 1501, the memory 1502, the input device 1503 and the output device 1504 may be connected via a bus or other means, and FIG15 takes the bus connection as an example.

The input device 1503 can receive input digital or character information, and generate key signal input related to user settings and function control of the electronic device with private network security authentication, such as a touch screen, a keypad, a mouse, a track pad, a touch pad, an indicator rod, one or more mouse buttons, a trackball, a joystick and other input devices. The output device 1504 may include a display device, an auxiliary lighting device (e.g., a light emitting diode (LED)) and a tactile feedback device (e.g., a vibration motor). The display device may include, but is not limited to, a liquid crystal display (LCD), an LED display and a plasma display. In some embodiments, the display device may be a touch screen.

Various implementations of the systems and techniques described herein can be implemented in digital electronic circuit systems, integrated circuit systems, application specific integrated circuits (ASICs), computer hardware, firmware, software, and/or combinations thereof. These various implementations can include: being implemented in one or more computer programs that can be executed and/or interpreted on a programmable system including at least one programmable processor, which can be a special purpose or general purpose programmable processor that can receive data and instructions from a storage system, at least one input device, and at least one output device, and transmit data and instructions to the storage system, the at least one input device, and the at least one output device.

These computer programs (also referred to as programs, software, software applications, or code) include machine instructions for programmable processors and can be implemented using high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. As used herein, the terms "machine-readable medium" and "computer-readable medium" refer to any computer program product, device, and/or device (e.g., disk, optical disk, memory, programmable logic device (PLD)) for providing machine instructions and/or data to a programmable processor, including machine-readable media that receives machine instructions as machine-readable signals. The term "machine-readable signal" refers to any signal used to provide machine instructions and/or data to a programmable processor.

To provide interaction with a user, the systems and techniques described herein can be implemented on a computer having: a display device (e.g., a cathode ray tube (CRT) or an LCD monitor) for displaying information to the user; and a keyboard and pointing device (e.g., a mouse or trackball) through which the user can provide input to the computer. Other types of devices can also be used to provide interaction with the user; for example, the feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user can be received in any form (including acoustic input, voice input, or tactile input).

The systems and techniques described herein may be implemented in a computing system that includes back-end components (e.g., as a data server), or a computing system that includes middleware components (e.g., an application server), or a computing system that includes front-end components (e.g., a user computer with a graphical user interface or a web browser through which a user can interact with implementations of the systems and techniques described herein), or a computing system that includes any combination of such back-end components, middleware components, or front-end components. The components of the system may be interconnected by any form or medium of digital data communication (e.g., a communications network). Examples of communications networks include: LANs, Wide Area Networks (WANs), and the Internet.

A computer system may include clients and servers. Clients and servers are generally remote from each other and usually interact through a communication network. The relationship of client and server is generated by computer programs running on respective computers and having a client-server relationship to each other.

In an exemplary embodiment, the embodiment of the present application also provides a computer program product. When the instructions in the computer program product are executed by the processor 1501 of the electronic device, the processor 1501 of the electronic device can execute the above-mentioned private network security authentication method.

It should also be noted that the exemplary embodiments mentioned in this application describe some methods or systems based on a series of steps or devices. However, this application is not limited to the order of the above steps, that is, the steps can be performed in the order mentioned in the embodiment, or in a different order from the embodiment, or several steps can be performed simultaneously.

Those skilled in the art will readily appreciate other embodiments of the present application after considering the specification and practicing the application disclosed herein. The present application is intended to cover any variations, uses or adaptations of the present application, which follow the general principles of the present application and include common knowledge or customary technical means in the art that are not disclosed in the present application. The specification and examples are intended to be exemplary only.

It should be understood that the present application is not limited to the precise structures that have been described above and shown in the drawings, and that various modifications and changes may be made without departing from the scope thereof. The scope of the present application is limited only by the appended claims.

Claims (20)

A private network security authentication method, the method is applied to a user identification module SIM card, comprising: In response to triggering the card information reporting operation, sending a first data SMS to the business system through the SMS gateway, wherein the first data SMS includes the card information; Receiving a second data SMS sent by the business system through the SMS gateway, and acquiring and storing user information based on the second data SMS; wherein the user information includes a mobile phone number; Receive a first instruction sent by a first terminal where the SIM card is located, and send the user information to the first terminal, so that the first terminal requests the service system to perform identity authentication on the first terminal user based on the user information; wherein the first instruction instructs to obtain the user information. The method according to claim 1, wherein before the responding to triggering the card information reporting operation, the method comprises: Registering with the first terminal to monitor network access events; An event that the first terminal passes the first network access authentication is monitored, triggering a card information reporting operation. The method according to claim 1, wherein sending the first data SMS to the business system through the SMS gateway comprises: Reading card information, and assembling the card information into a response data packet of the first data SMS; A response data packet of the first data SMS is sent to the business system through the SMS gateway. The method according to claim 1, wherein the receiving a second data SMS sent by the business system through the SMS gateway, and acquiring and storing user information based on the second data SMS, comprises: receiving a second data SMS sent by the business system and forwarded by the SMS gateway; wherein the second data SMS includes an application command message, and the application command message includes the user information; Decrypting the second data SMS message to obtain SMS content in the application command message; Parse the text message content, obtain and store the user information. The method according to claim 1, wherein sending the user information to the first terminal comprises: Establishing a secure access channel with the first terminal; Reading user information; and encrypting the user information to obtain a ciphertext of the user information; The user information ciphertext is sent to the first terminal through the secure access channel. The method according to claim 3, wherein the response data packet includes a card application major version number, a security parameter identifier, an application response data packet and a media access control MAC address, the application response data packet includes the card information, and the security parameter identifier includes an encryption identifier and an environment identifier. The method according to claim 4, wherein storing the user information comprises: The user information is stored in the secure storage space of the SIM card. A private network security authentication method, the method is applied to a first terminal, the first terminal includes a user identification module SIM card; the method includes: Sending an intranet application access request to a private network, wherein the intranet application access request indicates access to a business system; Receive an identity authentication link redirected by a gateway device, and send a first instruction to the SIM card based on the identity authentication link, wherein the first instruction instructs to obtain user information, the user information is sent to the SIM card by the service system based on the card information reported by the SIM card, and the user information includes a mobile phone number; The user information sent by the SIM card is received, and first information is sent to the service system through the gateway device, and based on the user information in the first information, the service system is requested to perform identity authentication on the first terminal user. The method according to claim 8, wherein before sending the intranet application access request to the private network, the method further comprises: The first terminal sends an access request to the private network, where the access request instructs the private network to verify the authority of the first terminal. The method according to claim 8, wherein the method further comprises: Receive a network access event monitoring registration request sent by the SIM card. A private network security authentication method, the method is applied to a gateway device, comprising: Intercepting an intranet application access request sent by a first terminal to a private network, and redirecting an identity authentication link to the first terminal; wherein the first terminal includes a subscriber identity module SIM card, and the intranet application access request indicates access to a business system; receiving first information sent by the first terminal, and sending the first information to the business system, wherein the first The information includes user information, which is sent to the SIM card by the service system based on the card information reported by the SIM card. The user information includes a mobile phone number, and the user information is used by the first terminal to request the service system to perform identity authentication on the first terminal user. A private network security authentication method, the method is applied to a business system in a private network, comprising: Receiving a first data SMS sent by a subscriber identity module SIM card through a SMS gateway, wherein the first data SMS includes card information; Based on the first data SMS, obtain the mobile phone number and the card information corresponding to the SIM card, and record the binding relationship between the card information and the mobile phone number; Sending a second data SMS to the SIM card through the SMS gateway, wherein the second data SMS includes user information, and the user information includes the mobile phone number; Receive first information sent by the first terminal where the SIM card is located through a gateway device, and perform identity authentication on the first terminal user based on the user information in the first information. A private network security authentication system includes a customer identification module SIM card, a first terminal where the SIM card is located, a short message gateway, a gateway device and a business system. The SIM card is configured to execute the private network security authentication method according to any one of claims 1 to 7; The first terminal where the SIM card is located is configured to execute the private network security authentication method according to any one of claims 8 to 10; The gateway device is configured to execute the private network security authentication method according to claim 11; The business system is configured to execute the private network security authentication method as described in claim 12. A private network security authentication device, the device is configured in a user identification module SIM card, comprising: A card information reporting module, configured to send a first data SMS to a business system through a SMS gateway in response to triggering a card information reporting operation, wherein the first data SMS includes card information; The card information reporting module is further configured to receive a second data SMS sent by the business system through the SMS gateway, and obtain and store user information based on the second data SMS; wherein the user information includes a mobile phone number; The first transceiver module is configured to receive a first instruction sent by a first terminal where the SIM card is located, and send the user information to the first terminal, so that the first terminal requests the service system to perform identity authentication on the first terminal user based on the user information; wherein the first instruction instructs to obtain the user information. A private network security authentication device, the device is configured in a first terminal, the first terminal includes a user identification module SIM card, including: A second transceiver module is configured to send an intranet application access request to the private network, wherein the intranet application access request indicates access to a business system; The second transceiver module is further configured to receive an identity authentication link redirected by a gateway device, and send a first instruction to the SIM card based on the identity authentication link, wherein the first instruction instructs to obtain user information, the user information is sent to the SIM card by the service system based on the card information reported by the SIM card, and the user information includes a mobile phone number; The second transceiver module is further configured to receive the user information sent by the SIM card, send first information to the service system through the gateway device, and request the service system to perform identity authentication on the first terminal user based on the user information in the first information. A private network security authentication device, the device is configured in a gateway device, comprising: The access gateway module is configured to intercept an intranet application access request sent by the first terminal to the private network, and redirect the identity authentication link to the first terminal; wherein the first terminal includes a subscriber identity module SIM card, and the intranet application access request indicates access to a service system; The control center module is configured to receive the first information sent by the first terminal and send the first information to the business system, wherein the first information includes user information, and the user information is sent to the SIM card by the business system based on the card information reported by the SIM card, and the user information includes a mobile phone number, and the user information is used by the first terminal to request the business system to authenticate the first terminal user. A private network security authentication device, the device is configured in a business system in the private network, comprising: A third transceiver module is configured to receive a first data SMS sent by a subscriber identity module SIM card through a SMS gateway, wherein the first data SMS includes card information; a processing module configured to obtain the mobile phone number and the card information corresponding to the SIM card based on the first data SMS, and record the binding relationship between the card information and the mobile phone number; The third transceiver module is further configured to send a second data SMS to the SIM card through the SMS gateway, wherein the second data SMS includes user information, and the user information includes the mobile phone number; The identity authentication module is configured to receive first information sent by the first terminal where the SIM card is located through the gateway device, and perform identity authentication on the first terminal user based on the user information in the first information. An electronic device, comprising: at least one processor; and a memory communicatively connected to the at least one processor; wherein, The memory stores instructions that can be executed by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor can execute the private network security authentication method described in any one of claims 1 to 12. A non-transitory computer-readable storage medium storing computer instructions, wherein the computer instructions are configured to cause the computer to execute the private network security authentication method according to any one of claims 1 to 12. A computer program product comprises computer instructions, wherein when the computer instructions are executed by a processor, the private network security authentication method according to any one of claims 1 to 12 is implemented.