CN111669748A

Movatterモバイル変換

Info

Publication number: CN111669748A
Application number: CN202010431084.XA
Authority: CN
Inventors: 张振峰; 王宇辰
Original assignee: Institute of Software of CAS
Current assignee: Institute of Software of CAS
Priority date: 2020-05-20
Filing date: 2020-05-20
Publication date: 2020-09-15
Anticipated expiration: 2040-05-20
Also published as: CN111669748B

Abstract

The invention provides a mobile communication authentication method for privacy protection, which belongs to the technical field of communication technology and information security and aims to enhance the privacy protection in mobile communication authentication.A session key is generated and stored by negotiation between user equipment and a mobile operator through a key encapsulation mechanism in the initialization stage of a 5G-AKA protocol; in a challenge-response stage of a 5G-AKA protocol, a mobile operator randomly selects a challenge value R, encrypts the challenge value R by adopting a session key, and generates an authentication vector according to the encrypted challenge value R'; after receiving the authentication vector, the user equipment decrypts the R' by adopting the session key to obtain a decrypted challenge value, and generates information corresponding to the execution state of the SIM card according to the decrypted challenge value; and the mobile operator selects a corresponding processing mode according to the information type.

Description

Translated fromChinese

一种隐私保护的移动通信认证方法A privacy-preserving mobile communication authentication method

技术领域technical field

本发明属于通信技术与信息安全技术领域，旨在增强移动通信认证中的隐私保护，具体表现为一种隐私保护的移动通信认证方法。The invention belongs to the technical field of communication technology and information security, aims to enhance privacy protection in mobile communication authentication, and is embodied in a privacy protection mobile communication authentication method.

背景技术Background technique

3GPP联盟目前正在着手于第五代移动通信技术(5G)的标准化，并针对5G提出了新版本的认证和密钥建立协议，即5G-AKA协议。与3G和4G时代的AKA协议相比，5G-AKA的一个重要改进是通过ECIES公钥加密算法保护用户标识符(即SUPI)，从而阻止敌手通过窃听无线信道获取该标识符，达到保护用户隐私的目的。然而，近年来的一系列研究表明，5G-AKA协议不能阻止敌手通过设立伪基站及主动发送移动信号的方式区分不同用户并链接同一用户的多次会话，因此仍然会泄露用户隐私。基于此，一种能够抵抗敌手链接同一用户的会话、提供用户之间不可区分性的移动通信认证机制是被高度期望的。The 3GPP Alliance is currently working on the standardization of the fifth generation mobile communication technology (5G), and has proposed a new version of the authentication and key establishment protocol for 5G, namely the 5G-AKA protocol. Compared with the AKA protocol in the 3G and 4G era, an important improvement of 5G-AKA is to protect the user identifier (ie SUPI) through the ECIES public key encryption algorithm, thereby preventing the adversary from obtaining the identifier by eavesdropping on the wireless channel to protect user privacy. the goal of. However, a series of studies in recent years have shown that the 5G-AKA protocol cannot prevent the adversary from distinguishing different users and linking multiple sessions of the same user by setting up pseudo base stations and actively sending mobile signals, so it will still leak user privacy. Based on this, a mobile communication authentication mechanism that can resist adversaries to link sessions of the same user and provide indistinguishability between users is highly desired.

近年来，密钥封装机制(KEM)已被广泛应用于安全协议中，此类机制能够在未预先共享秘密信息的通信实体之间，在零往返的情况下建立会话密钥。在NIST征集的后量子密码学标准化项目提案中，相当一部分提案以抗量子计算机攻击的KEM方案的形式提出。简要而言，一个KEM方案主要由密钥封装算法Encap和解封装算法Decap组成，其中Encap以KEM方案的公钥为输入，输出密钥封装信息c和会话密钥k；Decap以KEM方案的私钥和密钥封装信息c为输入，输出对应的会话密钥k。5G-AKA协议中用到的ECIES算法由一个KEM和一个数据封装机制(DEM)构成，本发明简记为ECIES-KEM和ECIES-DEM，其中ECIES-KEM用于在用户设备和移动运营商之间协商一个对称密钥，ECIES-DEM使用该对称密钥对实际传输的数据进行加密及解密。In recent years, Key Encapsulation Mechanisms (KEM) have been widely used in security protocols, such mechanisms can establish session keys with zero round-trips between communicating entities that do not share secret information in advance. Among the proposals for post-quantum cryptography standardization projects solicited by NIST, a considerable number of proposals are presented in the form of KEM schemes that are resistant to quantum computer attacks. Briefly, a KEM scheme is mainly composed of the key encapsulation algorithm Encap and the decapsulation algorithm Decap. Encap takes the public key of the KEM scheme as input, and outputs the key encapsulation information c and session key k; Decap uses the private key of the KEM scheme. and the key encapsulation information c as input, and output the corresponding session key k. The ECIES algorithm used in the 5G-AKA protocol is composed of a KEM and a data encapsulation mechanism (DEM). Negotiate a symmetric key between them, ECIES-DEM uses the symmetric key to encrypt and decrypt the data actually transmitted.

发明内容SUMMARY OF THE INVENTION

本发明的目的在于提出一种隐私保护的移动通信认证方法，利用密钥封装机制协商的密钥作为会话密钥保护用户隐私。The purpose of the present invention is to propose a privacy protection mobile communication authentication method, which uses the key negotiated by the key encapsulation mechanism as the session key to protect user privacy.

为实现上述目的，本发明采用以下技术方案：To achieve the above object, the present invention adopts the following technical solutions:

一种隐私保护的移动通信认证方法，包括以下步骤：A privacy-protected mobile communication authentication method, comprising the following steps:

在5G-AKA协议的初始化阶段，用户设备和移动运营商之间通过密钥封装机制协商生成会话密钥，双方保存该会话密钥；During the initialization phase of the 5G-AKA protocol, a session key is generated through negotiation between the user equipment and the mobile operator through a key encapsulation mechanism, and both parties save the session key;

在5G-AKA协议的挑战-响应阶段执行以下步骤：The following steps are performed during the challenge-response phase of the 5G-AKA protocol:

移动运营商随机选取挑战值R，采用会话密钥对挑战值R加密得到R'，根据R'计算符合5G-AKA协议的XHRES信息，并根据R'和XHRES信息生成认证向量，其中XHRES的含义和3GPP TS 33.501标准规定一致；The mobile operator randomly selects the challenge value R, encrypts the challenge value R with the session key to obtain R', calculates the XHRES information conforming to the 5G-AKA protocol according to R', and generates an authentication vector according to R' and XHRES information, where the meaning of XHRES Consistent with the 3GPP TS 33.501 standard;

用户设备收到认证向量后，采用会话密钥解密R'得到解密后的挑战值，并根据解密后的挑战值生成对应SIM卡执行状态的信息；After receiving the authentication vector, the user equipment uses the session key to decrypt R' to obtain a decrypted challenge value, and generates information corresponding to the execution state of the SIM card according to the decrypted challenge value;

移动运营商根据对应SIM卡执行状态的信息内容来选择是直接按照5G-AKA协议对信息进行处理，还是先使用会话密钥对其中包含的R'进行解密后再按照5G-AKA协议对信息进行处理。According to the information content of the corresponding SIM card execution state, the mobile operator chooses whether to process the information directly according to the 5G-AKA protocol, or to use the session key to decrypt the R' contained in it, and then to process the information according to the 5G-AKA protocol. deal with.

进一步地，封装密钥机制包括基于ECIES-KEM算法的密钥封装机制、基于抵抗量子计算机攻击的KEM算法的密钥封装机制；其中，ECIES-KEM算法与3GPP TS 33.501标准规定一致，抵抗量子计算机攻击的KEM算法包括NewHope算法、Frodo算法等。Further, the encapsulation key mechanism includes a key encapsulation mechanism based on the ECIES-KEM algorithm and a key encapsulation mechanism based on the KEM algorithm that resists quantum computer attacks; wherein, the ECIES-KEM algorithm is consistent with the 3GPP TS 33.501 standard and is resistant to quantum computers. The attacked KEM algorithms include NewHope algorithm, Frodo algorithm, etc.

进一步地，通过基于ECIES-KEM算法的密钥封装机制协商生成会话密钥的步骤包括：Further, the step of negotiating and generating the session key through the key encapsulation mechanism based on the ECIES-KEM algorithm includes:

ECIES-KEM算法表示为KEM_ECIES＝(Encap_ECIES,Decap_ECIES)，其中Encap_ECIES和Decap_ECIES分别为ECIES-KEM算法中的密钥封装算法和密钥解封装算法；The ECIES-KEM algorithm is expressed as KEM_ECIES = (Encap_ECIES , Decap_ECIES ), where Encap_ECIES and Decap_ECIES are the key encapsulation algorithm and the key decapsulation algorithm in the ECIES-KEM algorithm, respectively;

用户设备执行Encap_ECIES算法，获得密钥封装信息c和会话密钥k_UE，根据5G-AKA协议使用k_UE和对应的数据封装算法对用户标识符SUPI加密成SUCI并发送给移动运营商，同时保存k_UE作为挑战-响应阶段的会话密钥；The user equipment executes the Encap_ECIES algorithm to obtain the key encapsulation information c and the session key k_UE , and uses k_UE and the corresponding data encapsulation algorithm to encrypt the user identifier SUPI into SUCI according to the 5G-AKA protocol and send it to the mobile operator. Save k_UE as the session key in the challenge-response phase;

移动运营商收到SUCI后，根据5G-AKA协议执行Decap_ECIES算法解密得到SUPI，同时保存Decap_ECIES的输出会话密钥k_HN作为挑战-响应阶段的会话密钥。After receiving the SUCI, the mobile operator performs Decap_ECIES algorithm decryption according to the 5G-AKA protocol to obtain SUPI, and saves the output session key k_HN of Decap_ECIES as the session key in the challenge-response phase.

进一步地，通过基于抵抗量子计算机攻击的KEM算法的密钥封装机制协商生成会话密钥的步骤包括：Further, the step of negotiating and generating the session key through the key encapsulation mechanism based on the KEM algorithm that is resistant to quantum computer attacks includes:

抵抗量子计算机攻击的KEM算法表示为KEM_PQ＝(Encap_PQ,Decap_PQ)，其中Encap_PQ和Decap_PQ分别为抵抗量子计算机攻击的的KEM算法中的密钥封装算法和密钥解封装算法；The KEM algorithm that resists quantum computer attacks is expressed as KEM_PQ = (Encap_PQ , Decap_PQ ), where Encap_PQ and Decap_PQ are the key encapsulation algorithm and the key decapsulation algorithm in the KEM algorithm that resists quantum computer attacks, respectively;

用户设备通过调用Encap_PQ算法获得密钥封装信息c和会话密钥k_UE，并将c通过5G-AKA的信息流发送给移动运营商；The user equipment obtains the key encapsulation information c and the session key k_UE by invoking the Encap_PQ algorithm, and sends c to the mobile operator through the 5G-AKA information flow;

移动运营商受到c后，通过调用Decap_PQ算法获取k_HN。After receiving c, the mobile operator obtains k_HN by calling the Decap_PQ algorithm.

进一步地，采用AES-128算法对挑战值R加密。Further, the challenge value R is encrypted by using the AES-128 algorithm.

进一步地，根据R'计算符合5G-AKA协议的XHRES信息的步骤包括：首先按照5G-AKA协议计算AUTN、XRES和K_seaf信息，然后以R'和XRES为输入，按照5G-AKA的协议计算HXRES信息；其中AUTN、XRES和K_seaf信息的含义与3GPP TS 33.501标准规定的一致。Further, the step of calculating the XHRES information conforming to the 5G-AKA protocol according to R' includes: first calculating the AUTN, XRES and K_seaf information according to the 5G-AKA protocol, and then using R' and XRES as inputs, calculating according to the 5G-AKA protocol. HXRES information; the meanings of AUTN, XRES and K_seaf information are consistent with those specified in the 3GPP TS 33.501 standard.

进一步地，将R'、XHRES、AUTN和K_seaf信息组成的四元组作为认证向量。Further, a quadruple consisting of R', XHRES, AUTN and K_seaf information is used as an authentication vector.

进一步地，根据解密后的挑战值生成对应SIM卡执行状态的的信息，是指用户设备将解密后的挑战值和AUTN作为SIM卡AUTHENTICATE命令(该命令的含义与3GPP TS 33.102标准规定的一致)的输入，执行命令；若该命令执行失败，则发送“Mac_Failure”信息；若该命令执行成功并输出AUTS，则发送“Sync_Failure”和AUTS信息；若该命令执行成功并输出RES和K_seaf，则发送RES信息。Further, according to the challenge value after decryption, the information of the corresponding SIM card execution state is generated, which means that the user equipment uses the challenge value after decryption and AUTN as the SIM card AUTHENTICATE command (the meaning of this command is consistent with the 3GPP TS 33.102 standard regulation) If the command is executed successfully and output AUTS, then send "Sync_Failure" and AUTS information; if the command is executed successfully and output RES and K_seaf , then Send RES information.

进一步地，若信息为“Mac_Failure”或者RES，则移动运营商按照5G-AKA协议对该信息进行处理；若信息包含“Sync_Failure”、R'、AUTS和SUCI，则使用会话密钥对其中包含的R'进行解密后再按照5G-AKA协议对信息进行处理。Further, if the information is "Mac_Failure" or RES, the mobile operator processes the information according to the 5G-AKA protocol; if the information contains "Sync_Failure", R', AUTS and SUCI, the session key is used to pair the information contained in it. R' decrypts and then processes the information according to the 5G-AKA protocol.

进一步地，用户设备与移动运营商之间通过基站传递信息。Further, information is transferred between the user equipment and the mobile operator through the base station.

和现有技术相比，本发明的主要优势体现在:Compared with the prior art, the main advantage of the present invention is embodied in:

1)在考虑攻击者能够设立伪基站以及通过伪基站主动发送信息的情况下，仍然能够阻止其区分不同用户以及链接同一用户的多个会话，保护用户隐私。1) Considering that the attacker can set up a pseudo base station and actively send information through the pseudo base station, it can still prevent it from distinguishing different users and linking multiple sessions of the same user, so as to protect user privacy.

2)与目前3G/4G SIM卡中提供的AUTHENTICATE命令相兼容，能够在不更换用户持有的3G/4G SIM卡的情况下部署。2) Compatible with the AUTHENTICATE command provided in the current 3G/4G SIM card, and can be deployed without replacing the 3G/4G SIM card held by the user.

3)不需要对5G-AKA协议的信息格式进行修改，能够用于现有的5G移动通信基站。3) There is no need to modify the information format of the 5G-AKA protocol, and it can be used for existing 5G mobile communication base stations.

4)具有多种部署方式，既能够利用5G-AKA协议中的已包含的密码学算法作为密钥封装机制，在不引入5G标准之外密码学算法的前提下进行部署；也可使用抵抗量子计算机攻击的密钥封装机制进行部署，实现长期的用户隐私保护。4) There are a variety of deployment methods, which can use the cryptographic algorithm included in the 5G-AKA protocol as a key encapsulation mechanism to deploy without introducing cryptographic algorithms other than the 5G standard; it can also use quantum-resistant The key encapsulation mechanism for computer attacks is deployed to achieve long-term user privacy protection.

附图说明Description of drawings

图1是本发明实施例中的隐私保护的移动通信认证方法流程图。FIG. 1 is a flowchart of a mobile communication authentication method for privacy protection in an embodiment of the present invention.

图中：含下划线的文字部分为5G-AKA协议原有步骤，不含下划线的文字部分为本发明方法特有步骤，pk和sk表示移动运营商持有的公钥和私钥，Enc_ECIES和Dec_ECIES表示ECIES方案的加密和解密算法，Enc和Dec表示现有的对称加密机制的加密和解密算法，SHA256表示SHA-256密码学杂凑函数。In the figure: the text part with the underline is the original steps of the 5G-AKA protocol, the text part without the underline is the unique steps of the method of the present invention, pk and sk represent the public and private keys held by the mobile operator, Enc_ECIES and Dec_ECIES represents the encryption and decryption algorithm of the ECIES scheme, Enc and Dec represent the encryption and decryption algorithms of the existing symmetric encryption mechanism, and SHA256 represents the SHA-256 cryptographic hash function.

具体实施方式Detailed ways

为使本发明的上述内容、特征和优势更加明显易懂，下面通过具体实施例对本发明做进一步说明。In order to make the above-mentioned contents, features and advantages of the present invention more obvious and easy to understand, the present invention will be further described below through specific embodiments.

实施例1.应用5G-AKA协议中已包含的ECIES算法实施本发明提出的一种隐私保护的移动通信认证方法。ECIES算法包含的KEM方案记为KEM_ECIES＝(Encap_ECIES,Decap_ECIES)。Embodiment 1. The ECIES algorithm included in the 5G-AKA protocol is used to implement a privacy protection mobile communication authentication method proposed by the present invention. The KEM scheme included in the ECIES algorithm is denoted as KEM_ECIES =(Encap_ECIES , Decap_ECIES ).

本方法的流程如图1所示，具体描述如下：The process of this method is shown in Figure 1, and the specific description is as follows:

1)在5G-AKA协议的初始化阶段，用户设备将自己的用户标识符(SUPI)通过ECIES算法加密发送给移动运营商(加密后的SUPI记作SUCI)。1) In the initialization phase of the 5G-AKA protocol, the user equipment encrypts its user identifier (SUPI) and sends it to the mobile operator through the ECIES algorithm (the encrypted SUPI is recorded as SUCI).

1-1)用户设备执行Encap_ECIES算法，获得{c,k_UE}。之后其除了按照5G-AKA协议的规定使用k_UE和对应的数据封装算法对SUPI进行加密，并将SUCI发往移动运营商之外，还要保存k_UE作为挑战-响应阶段的会话密钥。1-1) The user equipment executes the Encap_ECIES algorithm to obtain {c, k_UE }. After that, in addition to encrypting SUPI using k_UE and the corresponding data encapsulation algorithm according to the 5G-AKA protocol, and sending SUCI to the mobile operator, it also saves k_UE as the session key in the challenge-response phase.

1-2)移动运营商收到SUCI之后，除了按照5G-AKA协议的规定执行Decap_ECIES算法并解密得到SUPI之外，还需要保存Decap_ECIES的输出k_HN作为挑战-响应阶段的会话密钥。1-2) After the mobile operator receives SUCI, in addition to executing the Decap_ECIES algorithm and decrypting to obtain SUPI according to the 5G-AKA protocol, it also needs to save the output k_HN of Decap_ECIES as the session key in the challenge-response phase.

2)在5G-AKA协议的挑战-响应阶段，移动运营商在按照5G-AKA协议中规定的步骤产生认证向量(Authenticator Vector)时，需要执行以下步骤：2) In the challenge-response phase of the 5G-AKA protocol, the mobile operator needs to perform the following steps when generating an Authenticator Vector according to the steps specified in the 5G-AKA protocol:

2-1)随机选取挑战值R，使用步骤1)中保存的会话密钥通过AES-128算法加密该挑战值(加密后的挑战值记作R′)。2-1) Randomly select the challenge value R, and encrypt the challenge value with the AES-128 algorithm using the session key saved in step 1) (the encrypted challenge value is denoted as R').

2-2)按照5G-AKA协议中的规定计算AUTN,XRES和K_seaf信息。2-2) Calculate AUTN, XRES and K_seaf information as specified in the 5G-AKA protocol.

2-3)以R′和XRES为输入，按照5G-AKA的协议规定计算HXRES。2-3) Using R' and XRES as inputs, calculate HXRES according to the 5G-AKA protocol.

2-4)将R′,AUTN,XHRES,K_seaf组成的四元组作为认证向量发送给移动通信基站。2-4) Send the quadruple consisting of R', AUTN, XHRES, K_seaf as the authentication vector to the mobile communication base station.

3)基站收到认证向量后，将R′,AUTN按照5G-AKA协议的规定发送给用户设备。3) After the base station receives the authentication vector, it sends R', AUTN to the user equipment according to the provisions of the 5G-AKA protocol.

4)用户设备在收到基站发送的信息之后，采用步骤1)存储的会话密钥解密加密后的挑战值R‘。之后将解密后的挑战值和AUTN作为SIM卡AUTHENTICATE命令的输入，执行命令。4) After receiving the information sent by the base station, the user equipment uses the session key stored in step 1) to decrypt the encrypted challenge value R'. Then use the decrypted challenge value and AUTN as the input of the SIM card AUTHENTICATE command, and execute the command.

4-1)若该命令执行失败，用户设备按照5G-AKA协议的规定，向基站发送“Mac_Failure”信息。4-1) If the execution of the command fails, the user equipment sends "Mac_Failure" information to the base station according to the stipulations of the 5G-AKA protocol.

4-2)若该命令执行成功并输出AUTS，用户设备按照5G-AKA协议的规定，向基站发送“Sync_Failure”和AUTS信息。4-2) If the command is executed successfully and AUTS is output, the user equipment sends "Sync_Failure" and AUTS information to the base station according to the stipulations of the 5G-AKA protocol.

4-3)若该命令执行成功并输出RES和K_seaf，用户设备按照5G-AKA协议的规定，向基站发送RES信息。4-3) If the command is successfully executed and RES and K_seaf are output, the user equipment sends RES information to the base station according to the stipulations of the 5G-AKA protocol.

5)当基站收到用户发送的信息后，按照5G-AKA协议的规定对信息进行处理，并向运营商发送对应的信息。5) When the base station receives the information sent by the user, it processes the information according to the provisions of the 5G-AKA protocol, and sends the corresponding information to the operator.

6)运营商收到基站发送的信息后，若该信息为“Mac_Failure”或者RES，则按照5G-AKA协议规定的流程对信息进行处理；若该信息包含“Sync_Failure”、R‘、AUTS和SUCI，则先使用步骤1)中存储的会话密钥对R‘解密后再进行处理。6) After the operator receives the information sent by the base station, if the information is "Mac_Failure" or RES, it will process the information according to the procedures specified in the 5G-AKA protocol; if the information contains "Sync_Failure", R', AUTS and SUCI , then use the session key stored in step 1) to decrypt R' before processing.

实施例2.使用抵抗量子计算机攻击的KEM方案实施本发明提出的一种隐私保护的移动通信认证方法。Example 2. A privacy-protected mobile communication authentication method proposed by the present invention is implemented using the KEM scheme that resists quantum computer attacks.

本实施例应用抵抗量子计算机攻击的KEM方案对5G移动通信系统中的用户隐私进行保护。记KEM_PQ＝(Encap_PQ,Decap_PQ)为能够抵抗量子计算机攻击的KEM方案，该实施例的具体描述如下：This embodiment applies the KEM scheme that resists quantum computer attacks to protect user privacy in the 5G mobile communication system. Denote KEM_PQ = (Encap_PQ , Decap_PQ ) as the KEM scheme that can resist quantum computer attacks. The specific description of this embodiment is as follows:

1)在5G-AKA协议的初始化阶段，用户设备和移动运营商通过KEM_PQ协商会话密钥：1) In the initialization phase of the 5G-AKA protocol, the user equipment and the mobile operator negotiate the session key through KEM_PQ :

1-1)用户设备通过调用Encap_PQ算法获得{c,k_UE}，储存k_UE，并将c通过5G-AKA的信息流发送给移动运营商。1-1) The user equipment obtains {c, k_UE } by calling the Encap_PQ algorithm, stores k_UE , and sends c to the mobile operator through the information flow of 5G-AKA.

1-2)移动运营商通过调用Decap_PQ算法获取k_HN，并存储k_HN。1-2) The mobile operator obtains k_HN by calling the Decap_PQ algorithm, and stores k_HN .

2)在5G-AKA协议的挑战-响应阶段，用户设备、移动运营商及通信基站按照实施例1中的步骤2)到步骤6)执行。2) In the challenge-response phase of the 5G-AKA protocol, the user equipment, the mobile operator, and the communication base station perform steps 2) to 6) in Embodiment 1.

本发明所提到的AUTN、XRES、Kseaf、RES、AUTS、AUTHENTICATE命令、Mac_Failure、Sync_Failure等术语的含义与3GPP TS 33.102标准规定的一致，属于本领域的公知常识，本领域技术人员应可理解。The meanings of terms such as AUTN, XRES, Kseaf, RES, AUTS, AUTHENTICATE command, Mac_Failure, Sync_Failure mentioned in the present invention are consistent with those specified in the 3GPP TS 33.102 standard, which belong to common knowledge in the art, and should be understood by those skilled in the art.

以上实施例仅用以说明本发明的技术方案而非对其进行限制，本领域的普通技术人员可以对本发明的技术方案进行修改或者等同替换，而不脱离本发明的精神和范围，本发明的保护范围应以权利要求书所述为准。The above embodiments are only used to illustrate the technical solutions of the present invention rather than limit them. Those of ordinary skill in the art can modify or equivalently replace the technical solutions of the present invention without departing from the spirit and scope of the present invention. The scope of protection shall be subject to what is stated in the claims.