
CN-122002283-A - Communication method, device, equipment and storage medium


Abstract

The application discloses a communication method, a device, equipment and a storage medium, and belongs to the technical field of network security. In the application, the first communication device performs identity authentication and session key negotiation with the second communication device based on first random identity information and a first shared key. The first random identity information is the identity information adopted by the first communication device in the current session with the second communication device, and after the session key has been negotiated, the first communication device updates the first random identity information to second random identity information for identity authentication in the next session. That is, in each session the first communication device uses the negotiated random identity information to perform identity authentication with the second communication device and to obtain a session key, thereby reducing the risk of revealing the user identity information.

Inventors

  • LI YONG

Assignees

  • Huawei Technologies Co., Ltd. (华为技术有限公司)

Dates

Publication Date
2026-05-08
Application Date
2024-11-06

Claims (20)

  1. A communication method applied to a first communication device, the method comprising: acquiring first random identity information and a first shared key of the first communication device, wherein the first random identity information is the identity information adopted by the first communication device in the current session with a second communication device, and the first shared key is the master key, held by the first communication device, that is shared by the first communication device and the second communication device; authenticating identity with the second communication device based on the first random identity information and the first shared key; and after passing the identity authentication with the second communication device, generating a first session key based on the first shared key, and updating the first random identity information into second random identity information based on the first session key, wherein the second random identity information is the identity information adopted by the first communication device in the next session with the second communication device, and the first session key is the shared session key of the first communication device and the second communication device in the current session.
  2. The method of claim 1, wherein the authenticating with the second communication device based on the first random identity information and the first shared key comprises: generating a first Message Authentication Code (MAC) based on the first shared key, first auxiliary information, the first random identity information and the identity information of the second communication device; transmitting a first message to the second communication device, the first message including the first auxiliary information, the first random identity information and the first MAC; receiving a second message, wherein the second message comprises a second MAC, the second MAC is generated by the second communication device based on a second shared key, the first auxiliary information, second auxiliary information, the first random identity information and the identity information of the second communication device when the second communication device passes the verification of the first MAC, and the second shared key is the master key shared by the second communication device and the first communication device; and authenticating the identity of the second communication device based on the first shared key, the first auxiliary information, the second auxiliary information, the first random identity information, the identity information of the second communication device and the second MAC.
  3. The method of claim 2, wherein the first auxiliary information comprises a first random number and a first count value C1, wherein C1 is the current count value of a first counter in the first communication device, wherein the first shared key is obtained by the first communication device by updating an initial shared key C1 times, wherein the second auxiliary information comprises a second random number and a second count value C2, wherein C2 is the current count value of a second counter in the second communication device, wherein the second shared key is obtained by the second communication device by updating the initial shared key C2 times, wherein the second message further comprises C2, and wherein the initial shared key is an initial master key shared by the first communication device and the second communication device.
  4. The method of claim 3, wherein the authenticating the second communication device based on the first shared key, the first auxiliary information, the second auxiliary information, the first random identity information, the identity information of the second communication device and the second MAC comprises: if the current count value of the first counter is not smaller than C2, generating a verification MAC corresponding to the second MAC based on the first shared key, the first auxiliary information, the second auxiliary information, the first random identity information and the identity information of the second communication device; and if the second MAC is equal to the corresponding verification MAC, passing the identity authentication of the second communication device.
  5. The method of claim 3, wherein the authenticating the second communication device based on the first shared key, the first auxiliary information, the second auxiliary information, the first random identity information, the identity information of the second communication device and the second MAC comprises: if the current count value of the first counter is smaller than C2, updating the first shared key D1 times based on a difference value D1 between C2 and the current count value of the first counter, and updating the current count value of the first counter to C2; generating a verification MAC corresponding to the second MAC based on the updated first shared key, the first auxiliary information, the second auxiliary information, the first random identity information and the identity information of the second communication device; and if the second MAC is equal to the corresponding verification MAC, passing the identity authentication of the second communication device.
  6. The method according to claim 4 or 5, wherein after passing the identity authentication of the second communication device, the method further comprises: generating a third MAC based on the first shared key, the first random number, the second random number, a third count value C3, C2, the first random identity information and the identity information of the second communication device, C3 being equal to the current count value of the first counter; and sending a third message to the second communication device, wherein the third message comprises the third MAC and C3, and the third message is used for carrying out identity authentication of the first communication device.
  7. The method according to any of claims 3 to 6, wherein the first shared key is the master key shared by the first communication device with the second communication device in the current session with the second communication device, and wherein after generating the first session key based on the first shared key, the method further comprises: updating the first shared key N times to obtain a third shared key, wherein the third shared key is the master key shared by the first communication device and the second communication device in the next session with the second communication device, and N is a preset value; and updating the current count value of the first counter based on N.
  8. The method of any of claims 3 to 7, wherein the second message further comprises the second random number.
  9. The method according to any of claims 3 to 7, wherein before the obtaining of the first random identity information and the first shared key of the first communication device, the method further comprises: receiving a broadcast message of the second communication device, wherein the broadcast message comprises the second random number.
  10. The method according to any of claims 3 to 9, wherein the updating the first random identity information to second random identity information based on the first session key comprises: generating the second random identity information based on the first session key, the first random number and the second random number; and replacing the first random identity information with the second random identity information.
  11. The method according to any of claims 1 to 10, wherein the first communication device communicates with the second communication device via a third communication device, and wherein during the authentication with the second communication device based on the first random identity information and the first shared key, the method further comprises: generating a third session key based on the first shared key; carrying out identity authentication with the third communication device based on the third session key, the identity information of the third communication device and the fixed identity information of the first communication device; and after passing the identity authentication with the third communication device, determining the third session key as the shared session key with the third communication device.
  12. The method of claim 11, wherein the authenticating with the third communication device based on the third session key, the identity information of the third communication device and the fixed identity information of the first communication device comprises: receiving a fourth MAC sent by the third communication device, wherein the fourth MAC is generated by the third communication device based on a second session key, the identity information of the third communication device and the fixed identity information of the first communication device, and the second session key is generated by the second communication device based on a second shared key; authenticating the identity of the third communication device based on the third session key, the identity information of the third communication device, the fixed identity information of the first communication device and the fourth MAC; if the identity authentication of the third communication device passes, generating a fifth MAC based on the third session key, the identity information of the third communication device and the fixed identity information of the first communication device; transmitting the fifth MAC to the third communication device, wherein the fifth MAC is used for carrying out identity authentication of the first communication device; and if a fourth message sent by the third communication device is received, determining that the identity authentication with the third communication device has passed, wherein the fourth message is used for indicating that the identity authentication of the first communication device by the third communication device has passed.
  13. The method according to any of claims 1 to 12, wherein the first random identity information is initial random identity information of the first communication device, the method further comprising: negotiating the initial random identity information with the second communication device based on an initial shared key, the fixed identity information of the first communication device and the identity information of the second communication device, wherein the initial shared key is an initial master key shared by the first communication device and the second communication device.
  14. The method of claim 13, wherein the negotiating the initial random identity information with the second communication device based on the initial shared key, the fixed identity information of the first communication device and the identity information of the second communication device comprises: generating a sixth MAC based on the initial shared key, the fixed identity information of the first communication device, the identity information of the second communication device and a third random number; transmitting a fifth message to the second communication device, the fifth message including the fixed identity information of the first communication device, the third random number and the sixth MAC; receiving a sixth message of the second communication device, wherein the sixth message comprises a fourth random number and a seventh MAC, and the seventh MAC is generated by the second communication device based on the initial shared key, the fixed identity information of the first communication device, the identity information of the second communication device, the third random number and the fourth random number when the second communication device passes the verification of the sixth MAC; verifying the seventh MAC based on the initial shared key, the fixed identity information of the first communication device, the identity information of the second communication device, the third random number and the fourth random number; and if the verification of the seventh MAC passes, generating the initial random identity information based on the initial shared key, the third random number and the fourth random number, and storing the initial random identity information.
  15. A communication method applied to a second communication device, the method comprising: carrying out identity authentication with a first communication device based on first random identity information and a second shared key, wherein the first random identity information is the identity information adopted by the first communication device in the current session with the second communication device, and the second shared key is the master key, held by the second communication device, that is shared by the second communication device and the first communication device; and after the identity authentication with the first communication device passes, generating a first session key based on the second shared key, and updating the first random identity information to second random identity information based on the first session key, wherein the second random identity information is the random identity information adopted by the first communication device in the next session with the second communication device, and the first session key is the shared session key of the second communication device and the first communication device in the current session.
  16. The method of claim 15, wherein the authenticating with the first communication device based on the first random identity information and the second shared key comprises: receiving a first message sent by the first communication device, wherein the first message comprises first auxiliary information, the first random identity information and a first MAC, the first MAC is generated based on a first shared key, the first auxiliary information, the first random identity information and identity information of the second communication device, and the first shared key is the master key, held by the first communication device, that is shared by the first communication device and the second communication device; acquiring the second shared key based on the first random identity information; verifying the first MAC based on the second shared key, the first auxiliary information, the first random identity information and the identity information of the second communication device; if the first MAC passes the verification, generating a second MAC based on the second shared key, the first auxiliary information, second auxiliary information, the first random identity information and the identity information of the second communication device; and sending a second message to the first communication device, wherein the second message comprises the second MAC, and the second message is used for carrying out identity authentication of the second communication device.
  17. The method of claim 16, wherein the first auxiliary information comprises a first random number and a first count value C1, C1 being the current count value of a first counter in the first communication device, the first shared key being obtained by the first communication device by updating an initial shared key C1 times, and the initial shared key being an initial master key shared by the first communication device and the second communication device; and wherein, if the verification of the first MAC passes, generating the second MAC based on the second shared key, the first auxiliary information, the second auxiliary information, the first random identity information and the identity information of the second communication device comprises: if the verification of the first MAC passes, judging whether C1 is larger than the current count value of a second counter in the second communication device; and if C1 is not greater than the current count value of the second counter, generating the second MAC based on the second shared key, the first auxiliary information, the second auxiliary information, the first random identity information and the identity information of the second communication device, wherein the second auxiliary information includes a second random number and a second count value C2, C2 is equal to the current count value of the second counter, the second shared key is obtained by the second communication device by updating the initial shared key C2 times, and the second message further includes C2.
  18. The method of claim 17, wherein the method further comprises: if C1 is greater than the current count value of the second counter, updating the second shared key D2 times based on a difference value D2 between C1 and the current count value of the second counter, and updating the current count value of the second counter to C1; and generating the second MAC based on the updated second shared key, the first auxiliary information, the second auxiliary information, the first random identity information and the identity information of the second communication device, wherein the second auxiliary information includes the second random number and a second count value C2, C2 is equal to the current count value of the second counter, and the second message further includes C2.
  19. The method according to claim 17 or 18, wherein after the sending of the second message to the first communication device, the method further comprises: receiving a third message sent by the first communication device, wherein the third message comprises a third MAC and a third count value C3, the third MAC is generated by the first communication device after the identity authentication of the second communication device passes, the third MAC is generated based on the first shared key, the first random number, the second random number, C2, C3, the first random identity information and the identity information of the second communication device, and C3 is equal to the current count value of the first counter; verifying the third MAC based on the second shared key, the first random number, the second random number, C2, C3, the first random identity information and the identity information of the second communication device, and judging whether the current count value of the second counter is equal to C3; and if the verification of the third MAC passes and the current count value of the second counter is equal to C3, passing the identity authentication of the first communication device.
  20. The method according to any of claims 17 to 19, wherein the second shared key is the master key shared by the second communication device with the first communication device in the current session with the first communication device, and wherein after generating the first session key based on the second shared key, the method further comprises: updating the second shared key N times to obtain a third shared key, wherein the third shared key is the master key shared by the second communication device and the first communication device in the next session with the first communication device, and N is a preset value; and updating the current count value of the second counter based on N.
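A toy model of the three-message exchange in claims 2 to 7, 10 and 16 to 20, added here as an illustration and not code from the patent or its assignee. HMAC-SHA256 stands in for the MAC, a hash ratchet for "updating the shared key", each party derives its key for a given count from the initial shared key as claim 3 defines it (so a verifier can check a MAC made under an older count), the session key also binds both random numbers, and SERVER_ID, N_STEPS and the starting identity are constructed values.

```python
import hashlib
import hmac
import os

N_STEPS = 2                  # the preset N of claims 7/20 (constructed value)
SERVER_ID = b"core-net-01"   # constructed identity of the second communication device

def mac(key: bytes, *parts: bytes) -> bytes:
    # HMAC-SHA256 over length-prefixed fields stands in for the MAC of the claims
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

def update_key(key: bytes, times: int) -> bytes:
    # one-way hash ratchet models "updating the shared key x times" (claims 3, 5, 7, 18, 20)
    for _ in range(times):
        key = hashlib.sha256(b"update" + key).digest()
    return key

def c2b(n: int) -> bytes:
    return n.to_bytes(4, "big")

class Party:
    def __init__(self, initial_key: bytes, rid: bytes):
        self.initial, self.counter, self.rid = initial_key, 0, rid  # master key, counter, identity in use

    def key_at(self, count: int) -> bytes:
        # claim 3: the shared key at count C is the initial shared key updated C times
        return update_key(self.initial, count)

    def finish(self, r1: bytes, r2: bytes) -> bytes:
        # session key, next random identity (claim 10), counter advanced by N (claims 7/20)
        sk = mac(self.key_at(self.counter), b"session", r1, r2)  # assumption: nonces bound in
        self.rid = mac(sk, b"identity", r1, r2)                  # second random identity information
        self.counter += N_STEPS
        return sk

def client_hello(c: Party):
    # first message: R1, C1, first random identity information, first MAC (claims 2/3)
    r1 = os.urandom(16)
    return r1, c.counter, c.rid, mac(c.key_at(c.counter), r1, c2b(c.counter), c.rid, SERVER_ID)

def server_reply(table: dict, r1, c1, rid, m1):
    # second message (R2, C2, second MAC), or None if the first message is rejected (claims 16-18)
    s = table.get(rid)   # the second shared key is looked up by the random identity, not a fixed one
    if s is None or not hmac.compare_digest(m1, mac(s.key_at(c1), r1, c2b(c1), rid, SERVER_ID)):
        return None
    s.counter = max(s.counter, c1)   # C1 > own counter: update D2 times; otherwise never roll back
    r2 = os.urandom(16)
    return r2, s.counter, mac(s.key_at(s.counter), r1, c2b(c1), r2, c2b(s.counter), rid, SERVER_ID)

def client_confirm(c: Party, r1, c1, r2, c2, m2):
    # verify the second MAC (claims 4/5) and build the third message (claim 6)
    count = max(c.counter, c2)       # own counter < C2: update the key D1 times before verifying
    key = c.key_at(count)
    if not hmac.compare_digest(m2, mac(key, r1, c2b(c1), r2, c2b(c2), c.rid, SERVER_ID)):
        return None
    c.counter = count                # commit the catch-up only after the peer authenticated
    return mac(key, r1, r2, c2b(count), c2b(c2), c.rid, SERVER_ID), count

def server_accept(table: dict, rid, r1, r2, c2, m3, c3) -> bool:
    # verify the third MAC and require C3 == own counter (claim 19)
    s = table[rid]
    ok = hmac.compare_digest(m3, mac(s.key_at(s.counter), r1, r2, c2b(c3), c2b(c2), rid, SERVER_ID))
    return ok and s.counter == c3

def run_session(c: Party, table: dict):
    # one complete session; returns (client session key, server session key) or None on failure
    r1, c1, rid, m1 = client_hello(c)
    reply = server_reply(table, r1, c1, rid, m1)
    if reply is None:
        return None
    r2, c2, m2 = reply
    conf = client_confirm(c, r1, c1, r2, c2, m2)
    if conf is None or not server_accept(table, rid, r1, r2, c2, *conf):
        return None
    s = table.pop(rid)               # retire the used identity and register the next one
    sk_c, sk_s = c.finish(r1, r2), s.finish(r1, r2)
    table[s.rid] = s
    return sk_c, sk_s
```

Because the server looks its key up by the rotating identity, the first message of an earlier session no longer resolves to any record, which is the cross-session replay concern raised in the Background; the same run also shows the counter catch-up of claims 5 and 18 in both directions.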

Description

Communication method, device, equipment and storage medium

Technical Field

The present application relates to the field of network security technologies, and in particular to a communication method, apparatus, device and storage medium.

Background

Currently, in a wireless communication system, when a terminal and core network equipment establish a session, mutual identity authentication and key negotiation can be performed so as to realize secure communication. For example, in the fifth generation (5G) mobile communication system, the terminal and the core network device may perform authentication and key agreement using the pre-shared key (PSK) based 5G Authentication and Key Agreement (5G-AKA) procedure. In 5G-AKA, the terminal uses the public key of the core network side, provided by the core network device, to conceal its identity information, and transmits the concealed identity information to the core network device. In this case, if the public key of the core network side is revealed, the identity information of the terminal may also be revealed, so 5G-AKA carries a risk of revealing user identity information. In addition, in 5G-AKA, if a message carrying the concealed identity information transmitted from a terminal to a core network device is intercepted by a network attacker, the attacker may learn the association between sessions by replaying the intercepted message to the core network device, thereby threatening the privacy of the user.

Disclosure of Invention

The application provides a communication method, a device, equipment and a storage medium, which can realize secure communication and protect user identity information from being revealed.

In order to achieve the above purpose, the application adopts the following technical scheme.

In a first aspect, a communication method is provided and applied to a first communication device. The method comprises: obtaining first random identity information and a first shared key of the first communication device, wherein the first random identity information is the identity information adopted by the first communication device in the current session with a second communication device, and the first shared key is the master key, held by the first communication device, that is shared by the first communication device and the second communication device; conducting identity authentication with the second communication device based on the first random identity information and the first shared key; and, after the identity authentication with the second communication device has passed, generating a first session key based on the first shared key and updating the first random identity information to second random identity information based on the first session key, wherein the second random identity information is the identity information adopted by the first communication device in the next session with the second communication device, and the first session key is the session key shared by the first communication device and the second communication device in the current session.

The first communication device may be a client device, and the second communication device may be a server device. For example, the first communication device may be a terminal in a wireless communication system and the second communication device a core network device in that system; or the first communication device is a client device in a data communication system and the second communication device is a server in the data communication system; or the first communication device is a client device in a cloud computing environment and the second communication device is a cloud server in that environment, and the like.

In the application, the first communication device performs identity authentication with the second communication device based on the first random identity information and the first shared key, and after the identity authentication passes, the first communication device generates a session key shared with the second communication device based on the first shared key. The first random identity information is the identity information adopted by the first communication device in the current session with the second communication device, and after the session key shared in the current session has been generated, the first communication device updates the first random identity information to second random identity information for identity authentication in the next session. Therefore, in the application, the first communication device can interact with the second communication device using the negotiated random identity information in each session with the second communication device, so that mutual identity authentication and key negotiation are realized, and the protection of the real