




Technical Field
The present invention relates to the field of communication technology, and in particular to a key derivation method and apparatus, and a network device.
Background
At present, 5G (5th Generation mobile communication technology) networks strengthen the identity authentication mechanism of 4G (4th Generation mobile communication technology) networks and define two authentication methods: 5G-AKA (Authentication and Key Agreement) and EAP-AKA' (Extensible Authentication Protocol). In both methods, key derivation starts from the CK (Cipher Key) value and the IK (Integrity Key) value derived from the same root key K. The difference is that EAP-AKA' derives CK' and IK' from CK and IK and then derives the authentication server function key K_AUSF, whereas 5G-AKA derives K_AUSF from CK and IK. The root key K therefore occupies an important position in the 5G network.
Currently, access such as WLAN mostly uses the EAP-AKA' authentication method, while 3GPP-compliant access mostly uses the 5G-AKA authentication method. Both methods, however, depend heavily on the CK and IK values derived from the root key K. If one of the authentication methods is compromised and the CK and IK values leak, then under the existing encryption algorithms the K value can be deduced by reverse analysis, which exposes the other authentication method to security risk. The prior art therefore has the problem that one authentication method can be used as a stepping stone to attack the other, affecting service continuity and security.
Summary of the Invention
The technical problem to be solved by the present invention is, in view of the above deficiencies of the prior art, to provide a key derivation method and apparatus and a network device that at least solve the problem in the related art that one authentication method can be used as a stepping stone to attack another, affecting service continuity and security.
In a first aspect, the present invention provides a key derivation method, comprising: deriving, by means of a key derivation function KDF, a secondary root key for each of a plurality of authentication methods, wherein the input parameters of the KDF include the root key, an operator identifier, an authentication method identifier and a timestamp, and the authentication methods include 5G-AKA (Authentication and Key Agreement) and EAP-AKA' (Extensible Authentication Protocol); and, based on the secondary root key of each authentication method, generating a target key for each authentication method using a preset key derivation algorithm.
Preferably, before the secondary root key of each of the plurality of authentication methods is derived by means of the KDF, the key derivation method further comprises: converting the operator identifier, the authentication method identifier and the timestamp into their corresponding binary sequences.
Preferably, the key derivation algorithm includes the SM4 algorithm.
Preferably, generating a target key for each authentication method using a preset key derivation algorithm, based on the secondary root key of each authentication method, specifically comprises: selecting the preset SM4 algorithm in the key derivation function and computing over the input random number and the secondary root key of each authentication method to generate the target key of each authentication method, wherein the target key includes a cipher key and an integrity key.
Preferably, after the target key of each authentication method has been generated using the preset key derivation algorithm based on the secondary root key of each authentication method, the key derivation method further comprises: generating a security key for each authentication method from the target key of that authentication method.
Preferably, generating a security key for each authentication method from the target key of that authentication method specifically comprises: generating an intermediate key for each authentication method from the target key of that authentication method; and generating the security key of each authentication method from the respective intermediate key.
In a second aspect, the present invention further provides a key derivation apparatus, comprising a derivation module and a generation module.
The derivation module is configured to derive, by means of a key derivation function KDF, a secondary root key for each of a plurality of authentication methods, wherein the input parameters of the KDF include the root key, an operator identifier, an authentication method identifier and a timestamp, and the authentication methods include 5G-AKA (Authentication and Key Agreement) and EAP-AKA' (Extensible Authentication Protocol). The generation module is connected to the derivation module and is configured to generate, based on the secondary root key of each authentication method, a target key for each authentication method using a preset key derivation algorithm.
Preferably, the key derivation apparatus further comprises a conversion module. The conversion module is connected to the derivation module and is configured to convert the operator identifier, the authentication method identifier and the timestamp into their corresponding binary sequences.
Preferably, the key derivation algorithm includes the SM4 algorithm.
Preferably, the generation module comprises a selection unit and a calculation unit. The selection unit is configured to select the preset SM4 algorithm. The calculation unit is connected to the selection unit and is configured to use the preset SM4 algorithm in the key derivation function to compute over the input random number and the secondary root key of each authentication method, generating the target key of each authentication method, wherein the target key includes a cipher key and an integrity key.
Preferably, the key derivation apparatus further comprises a secondary derivation module. The secondary derivation module is connected to the generation module and is configured to generate a security key for each authentication method from the target key of that authentication method.
In a third aspect, the present invention further provides a network device comprising a memory and a processor, wherein a computer program is stored in the memory and the processor is configured to run the computer program to implement the key derivation method described in the first aspect.
The key derivation method and apparatus and the network device provided by the present invention introduce the authentication method identifier, the operator identifier and the timestamp at which the KDF derives the secondary root key into the input parameters of the key derivation function KDF, so as to derive a different secondary root key value for each authentication method, and then derive from those different secondary root key values a different target key for each authentication method. This effectively isolates keys across multiple authentication methods, prevents one authentication method from being used as a stepping stone to attack another and leak the K value to the detriment of service continuity and security, and improves the security of the network and of terminals.
Brief Description of the Drawings
FIG. 1 is a schematic flowchart of a key derivation method according to Embodiment 1 of the present invention;
FIG. 2 is a schematic diagram of the SM4-based key derivation process on the core network side according to Embodiment 1 of the present invention;
FIG. 3 is a schematic diagram of the SM4-based key derivation process on the terminal side according to Embodiment 1 of the present invention;
FIG. 4 is a schematic structural diagram of a key derivation apparatus according to Embodiment 2 of the present invention;
FIG. 5 is a schematic structural diagram of a network device according to Embodiment 3 of the present invention.
Detailed Description
To help those skilled in the art better understand the technical solution of the present invention, the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
It should be understood that the specific embodiments and drawings described here serve only to explain the present invention and do not limit it.
It should be understood that, where no conflict arises, the embodiments of the present invention and the features of those embodiments may be combined with one another.
It should be understood that, for ease of description, the drawings show only the parts related to the present invention; parts unrelated to the present invention are not shown.
It should be understood that each unit or module involved in the embodiments of the present invention may correspond to a single physical structure or be composed of several physical structures, or several units or modules may be integrated into one physical structure.
It should be understood that, where no conflict arises, the functions and steps marked in the flowcharts and block diagrams of the present invention may occur in an order different from that marked in the drawings.
It should be understood that the flowcharts and block diagrams of the present invention show the architecture, functions and operations of possible implementations of the systems, apparatuses, devices and methods according to the embodiments of the present invention. Each block in a flowchart or block diagram may represent a unit, module, program segment or piece of code that contains executable instructions for implementing the specified functions. Furthermore, each block or combination of blocks in the block diagrams and flowcharts may be implemented by a hardware-based system that performs the specified functions, or by a combination of hardware and computer instructions.
It should be understood that the units and modules involved in the embodiments of the present invention may be implemented in software or in hardware; for example, the units and modules may reside in a processor.
Embodiment 1:
As shown in FIG. 1, this embodiment provides a key derivation method that can be applied to the authentication process on the core network side and on the terminal side. The method comprises:
Step 101: derive, by means of a key derivation function KDF, a secondary root key for each of a plurality of authentication methods, wherein the input parameters of the KDF include the root key, an operator identifier, an authentication method identifier and a timestamp, and the authentication methods include 5G-AKA (Authentication and Key Agreement) and EAP-AKA' (Extensible Authentication Protocol).
In this embodiment, because key derivation in both authentication methods of the 5G network (5G-AKA and EAP-AKA') starts from the CK and IK values derived from the same root key K, the method is described using these two authentication methods as an example. The method applies equally when more than two authentication methods derive their keys from the CK and IK values derived from the same root key K.
Specifically, two secondary root key values K1 and K2 are derived from the root key K by means of the key derivation function KDF; for example, K1 is used for key derivation in 5G-AKA mode and K2 for key derivation in EAP-AKA mode. K1 and K2 are calculated as follows:
K1 = KDF(K, operator identifier, 5G-AKA, timestamp T1)
K2 = KDF(K, operator identifier, EAP-AKA, timestamp T2)
Here, the K value among the input parameters is the initially provisioned sequence value, that is, the original root key, stored in the USIM (Universal Subscriber Identity Module) card and in the core network element UDM (Unified Data Management). The operator identifier is introduced into the input parameters to guard against counterfeit operators and to standardize operator management; for example, the identifier of the operator Unicom is 10010, or another custom identifier may be used, and a custom operator identifier must be converted into its corresponding binary sequence. The authentication method identifier identifies the authentication method; for example, the identifier of 5G-AKA is 0010 and that of EAP-AKA' is 0011, or other custom identifiers may be used, and a custom authentication method identifier must be converted into its corresponding binary sequence. When a key needs to be updated or reset, a timestamp is introduced into the input parameters in order to effectively prevent replay attacks. The timestamp can be expressed as year, month, day, hour, minute and second, for example 20211220122020, indicating the secondary root key derived at that moment, and it must be converted into its corresponding binary sequence. Keys derived from the timestamp are therefore dynamic, which effectively prevents key reverse-engineering attacks and also shows that K1 and K2 are different values. The two authentication methods then go on to derive their target keys from their own distinct secondary root key values, which isolates the keys of the two methods and prevents one authentication method from being used as a stepping stone to attack the other and leak the K value. In addition, the KDF is a hash function, which also prevents reverse attacks and effectively protects the K value.
Taking the calculation of K1 as an example: the K value is 2C D0 3E 42 68 E1 AF F2 90 56 B6 C2 F5 A1 32 DB, the operator identifier is 10010, the 5G-AKA identifier is 0010, and the timestamp 20211220122020 converts to the binary sequence 100100110000111001010100110001000100110100100. The KDF is a hash function, generally used to turn a short password into a long one; the principle is that the password or key is salted and the KDF computes the key value. The secondary root key K1 derived in this embodiment is: 449e2e41be44d4166ce4e807d82b73fda3418918f9d9333a8530908edebbeb46.
Optionally, to facilitate the KDF computation, before Step 101 (deriving, by means of the KDF, the secondary root key of each of the plurality of authentication methods), the key derivation method further comprises: converting the operator identifier, the authentication method identifier and the timestamp into their corresponding binary sequences.
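The Step 101 derivation above, as an added example that is not code from the patent. It assumes HMAC-SHA-256 as the KDF (the text only says the KDF is a hash function) and a hypothetical length-tagged field encoding, so it does not reproduce the K1 value quoted above; all function names are illustrative.

```python
import hashlib
import hmac

# Values quoted in the embodiment above.
PAGE_K = bytes.fromhex("2C D0 3E 42 68 E1 AF F2 90 56 B6 C2 F5 A1 32 DB")
OPERATOR_ID = 10010
PAGE_TIMESTAMP = 20211220122020
PAGE_TIMESTAMP_BITS = "100100110000111001010100110001000100110100100"
METHOD_5G_AKA = "0010"
METHOD_EAP_AKA_PRIME = "0011"


def to_bits(value: int) -> str:
    """Convert an identifier or timestamp to its binary sequence
    (the conversion step that precedes Step 101)."""
    if value < 0:
        raise ValueError("value must be non-negative")
    return bin(value)[2:]


def encode_field(bits: str) -> bytes:
    """Pack a bit string into bytes and append its bit length (2 bytes).

    Assumption: the page does not say how the fields are joined. Plain
    concatenation would let different (operator, method, timestamp)
    tuples produce the same KDF input, and byte padding alone would make
    "0010" and "10" identical, so each field carries its own length.
    """
    if not bits or set(bits) - {"0", "1"}:
        raise ValueError("field must be a non-empty string of 0 and 1")
    if len(bits) > 0xFFFF:
        raise ValueError("field too long")
    packed = int(bits, 2).to_bytes((len(bits) + 7) // 8, "big")
    return packed + len(bits).to_bytes(2, "big")


def derive_secondary_root_key(k: bytes, operator_bits: str,
                              method_bits: str, timestamp: int) -> bytes:
    """K_i = KDF(K, operator identifier, method identifier, timestamp).

    Assumption: KDF is HMAC-SHA-256 keyed with the root key K.
    """
    if len(k) != 16:
        raise ValueError("root key K must be 128 bits")
    message = b"".join(
        encode_field(field)
        for field in (operator_bits, method_bits, to_bits(timestamp))
    )
    return hmac.new(k, message, hashlib.sha256).digest()


def derive_both(k: bytes, operator_id: int, timestamp: int):
    """Derive K1 (5G-AKA) and K2 (EAP-AKA') from the same root key.

    The derivation is deterministic, so the USIM and the UDM only agree
    on K1/K2 if they feed in exactly the same timestamp value.
    """
    operator_bits = to_bits(operator_id)
    k1 = derive_secondary_root_key(k, operator_bits, METHOD_5G_AKA, timestamp)
    k2 = derive_secondary_root_key(k, operator_bits, METHOD_EAP_AKA_PRIME,
                                   timestamp)
    return k1, k2


if __name__ == "__main__":
    k1, k2 = derive_both(PAGE_K, OPERATOR_ID, PAGE_TIMESTAMP)
    print("timestamp bits:", to_bits(PAGE_TIMESTAMP))
    print("K1 (5G-AKA)   :", k1.hex())
    print("K2 (EAP-AKA') :", k2.hex())
    print("isolated      :", k1 != k2)
```

The 32-byte output has the same length as the K1 printed in the embodiment. The page does not state how a 256-bit secondary root key is mapped onto the 128-bit key K that the f3 and f4 functions described next take as input.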
Step 102: based on the secondary root key of each authentication method, generate a target key for each authentication method using a preset key derivation algorithm.
In this embodiment, the key derivation algorithms include the AES (Advanced Encryption Standard) algorithm, the SM4 algorithm and other block cipher algorithms. The security architecture of existing 5G networks follows the standards of 3GPP (the 3rd Generation Partnership Project), which recommend the MILENAGE algorithm set as the 3G f-series algorithms for generating authentication vectors. The MILENAGE functions use block encryption with a 128-bit block and a 128-bit key, and AES is currently the usual core algorithm of MILENAGE. The algorithms involved in key derivation are usually international ones such as AES and SHA-256 (a hash function); the standards rarely involve Chinese national cryptographic algorithms such as the SM4 algorithm and the ZUC (Zu Chongzhi) algorithm set. The target key includes the cipher key CK and the integrity key IK. Since the secondary root keys K1 and K2 in the above embodiment correspond to 5G-AKA and EAP-AKA' respectively, the 5G-AKA target keys generated from the secondary root key can be denoted CK1 and IK1, and the EAP-AKA' target keys CK2 and IK2.
Optionally, generating a target key for each authentication method using a preset key derivation algorithm, based on the secondary root key of each authentication method, specifically comprises: selecting the preset SM4 algorithm in the key derivation function and computing over the input random number and the secondary root key of each authentication method to generate the target key of each authentication method.
In this embodiment, because the algorithms involved in key derivation are usually international ones, the Chinese national symmetric block cipher SM4 is selected in the key derivation function in order to improve independent controllability. It computes over the input random number and the secondary root key of each authentication method to generate the target keys CK and IK of each method; that is, SM4 replaces the conventionally used AES algorithm to strengthen key security and improve independent controllability. The function set involved in key derivation is MILENAGE, which contains the functions f1-f5. Some of the variables involved are:
(1) AK: a 48-bit anonymity key;
(2) AMF: authentication management field, a 16-bit field;
(3) c1, c2, c3, c4, c5: 128-bit constants, which are XORed with intermediate variables;
(4) CK: a 128-bit cipher key, the output of function f3;
(5) IK: a 128-bit integrity key, the output of function f4;
(6) K: the 128-bit subscriber key;
(7) RAND: a 128-bit random number;
(8) SQN: a 48-bit sequence number.
The SM4 algorithm replaces the conventional AES algorithm in the MILENAGE function set, establishing an SM4-based key derivation method. Compared with AES, the advantage of SM4 is that it is simpler to implement: its key schedule and its encryption algorithm are essentially the same, and decryption can use the same routine with only the order of the keys reversed. AES, by contrast, uses a complex key schedule, and its decryption algorithm requires separate program code, which makes it more complex to implement. Using SM4 in the key derivation mechanism is therefore of great significance for improving independent controllability and meets an important need for improving security in critical infrastructure. Since the core network side and the terminal side differ slightly in how they compute the related parameters, SM4 replaces AES in every place where AES is involved.
Specifically, FIG. 2 shows an example of the SM4-based key derivation process on the core network side: the network side selects the input K1 or K2 according to the authentication method, together with the random number RAND, and the f3 function (which uses the SM4 algorithm) generates the cipher key CK value; it likewise selects the input K1 or K2 according to the authentication method, together with the random number RAND, and the f4 function (which uses the SM4 algorithm) generates the integrity key IK value. FIG. 3 shows an example of the SM4-based key derivation process on the terminal side: the terminal side selects the input K1 or K2 according to the authentication method, together with the random number RAND, and the f3 function (which uses the SM4 algorithm) generates the cipher key CK value; it likewise selects the input K1 or K2 according to the authentication method, together with the random number RAND, and the f4 function (which uses the SM4 algorithm) generates the integrity key IK value.
Optionally, after Step 102 (generating the target key of each authentication method using the preset key derivation algorithm based on the secondary root key of each authentication method), the key derivation method further comprises: generating a security key for each authentication method from the target key of that authentication method.
In this embodiment, the corresponding security keys are generated from the cipher key CK value and the integrity key IK value of each authentication method. The security keys include the authentication server function key K_AUSF, the anchor key K_SEAF, and so on.
Optionally, generating a security key for each authentication method from the target key of that authentication method specifically comprises: generating an intermediate key (such as CK' and IK') for each authentication method from the target key of that authentication method; and generating the security key of each authentication method from the respective intermediate key.
The key derivation method provided by this embodiment introduces the authentication method identifier, the operator identifier and the timestamp at which the KDF derives the secondary root key into the input parameters of the key derivation function KDF, so as to derive a different secondary root key value for each authentication method, and then derives from those different secondary root key values a different target key for each authentication method. This effectively isolates keys across multiple authentication methods, prevents one authentication method from being used as a stepping stone to attack another and leak the K value to the detriment of service continuity and security, and improves the security of the network and of terminals. In particular, introducing a timestamp into the input parameters of the KDF effectively prevents replay attacks, and the derived keys are dynamic, which better isolates the keys of the different authentication methods. Moreover, the KDF is a hash function, which also prevents reverse attacks and effectively protects the K value.
In addition, regarding the MILENAGE functions involved in deriving keys from the root key K, the functions designated f1-f5 are currently used to generate authentication vectors. 3GPP does not mandate which algorithm f1-f5 must use, because the algorithm operates between the card and the AuC (Authentication Center) and does not involve interoperation between operators, so each operator can decide which algorithm to use. At the same time, 3GPP recommends the MILENAGE algorithm set as the 3G f-series algorithms for generating authentication vectors. The MILENAGE functions use block encryption with a 128-bit block and a 128-bit key, so AES is currently used as the core algorithm of MILENAGE. In this embodiment, the Chinese national cryptographic algorithm SM4 replaces AES, which strengthens key security, improves independent controllability and is simpler to implement.
Embodiment 2:
As shown in FIG. 4, this embodiment provides a key derivation apparatus comprising a derivation module 41 and a generation module 42.
The derivation module 41 is configured to derive, by means of a key derivation function KDF, a secondary root key for each of a plurality of authentication methods, wherein the input parameters of the KDF include the root key, an operator identifier, an authentication method identifier and a timestamp, and the authentication methods include 5G-AKA (Authentication and Key Agreement) and EAP-AKA' (Extensible Authentication Protocol).
The generation module 42 is connected to the derivation module 41 and is configured to generate, based on the secondary root key of each authentication method, a target key for each authentication method using a preset key derivation algorithm.
Optionally, the key derivation apparatus further comprises a conversion module 43.
The conversion module 43 is connected to the derivation module 41 and is configured to convert the operator identifier, the authentication method identifier and the timestamp into their corresponding binary sequences.
Optionally, the key derivation algorithm includes the SM4 algorithm.
Optionally, the generation module comprises a selection unit and a calculation unit. The selection unit is configured to select the preset SM4 algorithm. The calculation unit is connected to the selection unit and is configured to use the preset SM4 algorithm in the key derivation function to compute over the input random number and the secondary root key of each authentication method, generating the target key of each authentication method, wherein the target key includes a cipher key and an integrity key.
Optionally, the key derivation module further comprises a secondary derivation module. The secondary derivation module is connected to the generation module and is configured to generate a security key for each authentication method from the target key of that authentication method.
Optionally, the secondary derivation module comprises a first derivation unit and a second derivation unit. The first derivation unit is configured to generate an intermediate key for each authentication method from the target key of that authentication method. The second derivation unit is connected to the first derivation unit and is configured to generate the security key of each authentication method from the respective intermediate key.
The key derivation apparatus provided by this embodiment is configured to introduce the authentication method identifier, the operator identifier and the timestamp at which the KDF derives the secondary root key into the input parameters of the key derivation function KDF, so as to derive a different secondary root key value for each authentication method, and is further configured to derive from those different secondary root key values a different target key for each authentication method. This effectively isolates keys across multiple authentication methods, prevents one authentication method from being used as a stepping stone to attack another and leak the K value to the detriment of service continuity and security, and improves the security of the network and of terminals. In particular, it introduces a timestamp into the input parameters of the KDF, which effectively prevents replay attacks, and the derived keys are dynamic, which better isolates the keys of the different authentication methods. Moreover, the KDF is a hash function, which also prevents reverse attacks and effectively protects the K value. In addition, it uses the Chinese national cryptographic algorithm SM4 in place of the AES algorithm commonly used in the key derivation function, which strengthens key security, improves independent controllability and is simpler to implement.
Embodiment 3:
As shown in Figure 5, this embodiment provides a network device, including a memory 51 and a processor 52. The memory 51 stores a computer program, and the processor 52 is configured to run the computer program to implement the key derivation method described in Embodiment 1.
The network device provided in this embodiment introduces the authentication method identifier, the operator identifier, and the timestamp at which the KDF derives the sub-root key into the input parameters of the key derivation function (KDF), so as to derive a different sub-root key value for each authentication method. It also derives the different target keys corresponding to the different authentication methods from those different sub-root key values. This effectively achieves key isolation across multiple authentication methods, prevents one authentication method from being used as a springboard to attack another and leak the K value, which would affect service continuity and security, and improves the security of the network and the terminal. In particular, introducing a timestamp into the KDF input parameters effectively prevents replay attacks and makes the derived keys dynamic, which better achieves key isolation between the authentication methods. In addition, the KDF is a hash function, which also prevents reverse attacks and effectively protects the K value. Furthermore, using the Chinese national cryptographic algorithm SM4 in place of the AES algorithm commonly used in key derivation functions enhances key security, improves independent controllability, and makes the algorithm simpler to implement.
It can be understood that the above embodiments are merely exemplary embodiments adopted to illustrate the principle of the present invention, and the present invention is not limited to them. Those of ordinary skill in the art can make various modifications and improvements without departing from the spirit and essence of the present invention, and these modifications and improvements are also regarded as falling within the protection scope of the present invention.
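The key isolation summarized for the apparatus and the network device can be sketched as follows; this is an added example, not code from the patent. It assumes HMAC-SHA-256 with the 3GPP TS 33.220 parameter layout as the KDF, standing in for the patent's KDF and SM4-based functions; the function codes, identifier encodings, `derive_targets` step and freshness window are hypothetical, and all key material is constructed.

```python
import hashlib
import hmac
import struct

# Hypothetical function codes; not 3GPP-assigned FC values.
FC_SUBROOT = b"\x7f"
FC_TARGET = b"\x7e"

def kdf(key: bytes, fc: bytes, *params: bytes) -> bytes:
    """HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ... (TS 33.220 layout)."""
    s = fc
    for p in params:
        # The 2-byte length after each parameter keeps the encoding
        # unambiguous, so ("ab", "c") and ("a", "bc") cannot collide.
        s += p + struct.pack(">H", len(p))
    return hmac.new(key, s, hashlib.sha256).digest()

def derive_subroot(k: bytes, auth_method: str, operator_id: str, ts: int) -> bytes:
    """Sub-root key bound to authentication method, operator and timestamp."""
    return kdf(k, FC_SUBROOT, auth_method.encode(), operator_id.encode(),
               struct.pack(">Q", ts))

def derive_targets(subroot: bytes):
    """Assumed stand-in for the CK/IK step: two labelled 128-bit outputs."""
    ck = kdf(subroot, FC_TARGET, b"CK")[:16]
    ik = kdf(subroot, FC_TARGET, b"IK")[:16]
    return ck, ik

def timestamp_fresh(ts: int, now: int, max_skew: int = 300) -> bool:
    """Assumed freshness check: both sides must use the same timestamp, and
    the verifier must reject stale ones for the replay protection to hold."""
    return abs(now - ts) <= max_skew

def demo() -> dict:
    k = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed root key
    op, ts = "00101", 1661212800                            # constructed values
    out = {}
    for method in ("5G-AKA", "EAP-AKA'"):
        out[method] = derive_targets(derive_subroot(k, method, op, ts))
    return out

if __name__ == "__main__":
    for method, (ck, ik) in demo().items():
        print(method, ck.hex(), ik.hex())
```

Because each sub-root key is a one-way function of K and its context, CK/IK exposed under one authentication method gives no information about the other method's sub-root key or about K itself.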
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211012226.4A, CN115379445B (en) | 2022-08-23 | 2022-08-23 | A key derivation method and device, and network equipment |
| Publication Number | Publication Date |
|---|---|
| CN115379445A (en) | 2022-11-22 |
| CN115379445B (en) | 2024-05-14 |
| Application Number | Status | Priority Date | Filing Date | Title |
|---|---|---|---|---|
| CN202211012226.4A, CN115379445B (en) | Active | 2022-08-23 | 2022-08-23 | A key derivation method and device, and network equipment |
| Country | Link |
|---|---|
| CN (1) | CN115379445B (en) |
| Code | Title |
|---|---|
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |