CN-122028038-A - Authentication method, authentication device, authentication system, authentication storage medium and authentication computer program product
Abstract
The application discloses an authentication method applied to a network device, comprising: generating a password value after determining that a terminal device has passed static identity authentication; encrypting the password value with a first encryption key to obtain first encryption information; and sending the first encryption information and a first identity identifier of the network device to the terminal device, so that the terminal device requests a management server to perform dynamic identity authentication of the terminal device based on the first encryption information and the first identity identifier. The application also discloses an authentication apparatus, an authentication system, a storage medium and a computer program product.
Inventors
- YANG XINMIAO
- ZHUANG XIAOJUN
- DU HAITAO
Assignees
- 中国移动通信有限公司研究院
- 中国移动通信集团有限公司
Dates
- Publication Date
- 20260512
- Application Date
- 20260109
Claims (18)
- 1. An authentication method, applied to a network device, the method comprising: after determining that a terminal device has passed static identity authentication, generating a password value; encrypting the password value with a first encryption key to obtain first encryption information; and sending the first encryption information and a first identity identifier of the network device to the terminal device, so that the terminal device requests a management server to perform dynamic identity authentication of the terminal device based on the first encryption information and the first identity identifier.
- 2. The method of claim 1, wherein, after sending the first encryption information and the first identity identifier of the network device to the terminal device, the method further comprises: obtaining a first dynamic code, the first dynamic code being generated by the management server; and authenticating the terminal device based on the first dynamic code and the password value to obtain an authentication result, the authentication result indicating whether the terminal device has passed dynamic identity authentication.
- 3. The method of claim 2, wherein authenticating the terminal device based on the first dynamic code and the password value to obtain an authentication result comprises: checking the validity period of the password value; if the password value is currently within its validity period, verifying whether the first dynamic code matches the password value to obtain a matching result; and determining the authentication result based on the matching result.
- 4. The method of claim 3, further comprising: if the authentication result indicates that the terminal device has passed dynamic identity authentication, resetting the password value; and generating authentication log information based on device information of the terminal device, the password value and the authentication result.
- 5. The method of claim 3, further comprising: sending the authentication result to the terminal device.
- 6. The method of any one of claims 1 to 5, further comprising: before the network device leaves the factory, sending a first request for identity information to the management server, so that the management server allocates the first identity identifier and the first encryption key for the network device and delivers them to a network management end; receiving the first identity identifier and the first encryption key sent by the network management end; and storing the first identity identifier and the first encryption key.
- 7. The method of any one of claims 1 to 5, further comprising: sending an update request to a network management end, so that the network management end forwards the update request to the management server to request an update of the encryption key, the update request comprising at least the first identity identifier.
- 8. The method of claim 7, further comprising: receiving a second encryption key sent by the network management end, the second encryption key being key information generated by the management server based on the first identity identifier and then sent to the network management end; and updating the current encryption key of the network device to the second encryption key.
- 9. An authentication method, applied to a management server, the method comprising: receiving first encryption information and a first identity identifier sent by a terminal device, the first identity identifier identifying a network device and the first encryption information being dynamic encryption information generated by the network device for verifying the identity of the terminal device; decrypting the first encryption information based on first decryption information corresponding to the first identity identifier to obtain a first dynamic code; and outputting the first dynamic code, so that the network device can perform dynamic identity authentication of the terminal device by means of the first dynamic code.
- 10. The method of claim 9, wherein outputting the first dynamic code comprises: outputting the first dynamic code to the terminal device, or outputting the first dynamic code on a display interface of the management server.
- 11. The method of claim 9 or 10, further comprising: if a first request sent by the network device is received, forwarding the first request to a network management end, the first request being used to allocate an identity identifier and an encryption key for the network device.
- 12. The method of claim 9 or 10, wherein, before receiving the first encryption information and the first identity identifier sent by the terminal device, the method further comprises: receiving an update request sent by a network management end, the update request being a request that the network device sent to the network management end to request an update of the network device's encryption key, and comprising at least the first identity identifier of the network device.
- 13. The method of claim 12, further comprising: generating a key pair based on the first identity identifier included in the update request, the key pair comprising a second encryption key and a second decryption key; and sending the second encryption key to the network management end, so that the network management end sends the second encryption key to the network device to complete the encryption key update.
- 14. A first authentication apparatus, applied to a network device, the apparatus comprising a generation unit, an encryption unit and a first sending unit, wherein: the generation unit is configured to generate a password value after a terminal device has passed static identity authentication; the encryption unit is configured to encrypt the password value with a first encryption key to obtain first encryption information; and the first sending unit is configured to send the first encryption information and a first identity identifier of the network device to the terminal device, so that the terminal device requests a management server to perform dynamic identity authentication of the terminal device based on the first encryption information and the first identity identifier.
- 15. A second authentication apparatus, applied to a management server, the apparatus comprising a first receiving unit, a decryption unit and an output unit, wherein: the first receiving unit is configured to receive first encryption information and a first identity identifier sent by a terminal device, the first identity identifier identifying a network device and the first encryption information being dynamic encryption information generated by the network device; the decryption unit is configured to decrypt the first encryption information based on first decryption information corresponding to the first identity identifier to obtain a first dynamic code; and the output unit is configured to output the first dynamic code, so that the network device performs dynamic identity authentication of the terminal device by means of the first dynamic code.
- 16. An authentication system, comprising at least a terminal device, a network device and a management server, wherein: the terminal device is used to carry out device maintenance on the network device; the network device implements the steps of the authentication method of any one of claims 1 to 8; and the management server implements the steps of the authentication method of any one of claims 9 to 13.
- 17. A storage medium storing an authentication program which, when executed, carries out the steps of the authentication method of any one of claims 1 to 8 or 9 to 13.
- 18. A computer program product comprising a computer program which, when executed by a processor, implements the steps of the authentication method of any one of claims 1 to 8 or 9 to 13.
Description
Authentication method, authentication device, authentication system, authentication storage medium and authentication computer program product

Technical Field

The present application relates to the field of wireless communications, and in particular to an authentication method, apparatus, system, storage medium and computer program product.

Background

With the long-term iterative evolution of mobile communication technology, wireless base stations with radio access functions have diversified into several types, chiefly macro base stations, micro base stations, pico base stations and femto base stations. Wireless base station hardware consists of three main kinds of equipment: core processing units, such as the baseband unit (BBU), the centralized unit (CU) and the distributed unit (DU); the radio frequency and antenna system, such as the active antenna unit (AAU) and the conventional remote radio unit (RRU); and supporting hardware, such as the power supply system, the cooling system and the transmission equipment. The core devices of a wireless base station (BBU, CU, DU, AAU, RRU) are fitted with management ports, so that technicians can log in to the device over a local connection and perform operation and maintenance (O&M) management.

For O&M management, a static account-and-password authentication mechanism is generally used: authentication is carried out with an O&M account and password preset on the device. That preset account and password are known to and used by many O&M technicians, so the risk of leakage is high. Wireless base station equipment sits at the edge of the mobile communication network and is usually deployed in open or semi-open areas, so the local O&M management port reserved on the device is easily reached and exploited by an attacker. If an attacker obtains a leaked O&M account and password, the attacker can easily intrude into the device, take control of the device's system, and from there launch attacks on other equipment in the mobile communication network, threatening the security of the network as a whole. How to address this risk is the technical problem that currently needs to be solved.

Disclosure of Invention

To solve the above technical problem, the present application provides an authentication method, an authentication apparatus, an authentication system, a storage medium and a computer program product, which address the problem that the static account-and-password authentication mechanism used in the O&M of current wireless base station equipment is easily broken and thus creates a security threat.

The technical solution of the present application is realized as follows. An embodiment of the present application provides an authentication method, applied to a network device, comprising the following steps: after determining that a terminal device has passed static identity authentication, generating a password value; encrypting the password value with a first encryption key to obtain first encryption information; and sending the first encryption information and the first identity identifier of the network device to the terminal device, so that the terminal device requests a management server to perform dynamic identity authentication of the terminal device based on the first encryption information and the first identity identifier.

Optionally, after sending the first encryption information and the first identity identifier of the network device to the terminal device, the method further comprises: obtaining a first dynamic code, the first dynamic code being generated by the management server; and authenticating the terminal device based on the first dynamic code and the password value to obtain an authentication result, the authentication result indicating whether the terminal device has passed dynamic identity authentication.

Optionally, authenticating the terminal device based on the first dynamic code and the password value to obtain an authentication result comprises: checking the validity period of the password value; if the password value is currently within its validity period, verifying whether the first dynamic code matches the password value to obtain a matching result; and determining the authentication result based on the matching result.
Optionally, the method further comprises: if the authentication result indicates that the terminal device has passed dynamic identity authentication, resetting the password value; and generating authentication log information based on the equipment infor
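The exchange described by the claims and the disclosure above, worked through end to end as an added example; this is not code from the patent or from its assignees. The patent does not name a cipher, a code format or a validity period, so those are this example's assumptions: RSA-OAEP as the encryption/decryption key pair (claim 13's "second encryption key and second decryption key"), an 8-hex-digit password value, a caller-supplied validity window, and the device identity used as the OAEP label so that a ciphertext relayed under a different identity does not decrypt. The names ManagementServer, NetworkDevice, IssueKey, RecoverDynamicCode, Challenge, Verify and the identity strings are invented for the demonstration. The security-relevant property to notice is that the base-station unit holds only the encryption half of the pair: an attacker who pulls the device from the site cannot derive the dynamic code from the first encryption information, and the same key-issuing step that provisions a device at the factory also rotates its key, after which earlier ciphertexts stop decrypting.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// ManagementServer keeps, per network-device identity, the decryption key whose
// encryption half was provisioned into that device. The device never holds it.
type ManagementServer struct{ keys map[string]*rsa.PrivateKey }

func NewManagementServer() *ManagementServer {
	return &ManagementServer{keys: map[string]*rsa.PrivateKey{}}
}

// IssueKey serves both the factory "first request" (claims 6 and 11) and a later
// update request (claims 7, 8 and 13): a fresh key pair is generated for the
// identity and only the encryption half is returned for delivery to the device.
// Re-issuing replaces the stored decryption key, so older ciphertexts stop working.
func (s *ManagementServer) IssueKey(id string) (*rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	s.keys[id] = priv
	return &priv.PublicKey, nil
}

// RecoverDynamicCode is the claim 9 step: the terminal relays (identity, first
// encryption information) and the server decrypts with the key for that identity.
func (s *ManagementServer) RecoverDynamicCode(id string, encInfo []byte) (string, error) {
	priv, ok := s.keys[id]
	if !ok {
		return "", errors.New("unknown network device identity")
	}
	code, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, encInfo, []byte(id))
	if err != nil {
		return "", errors.New("first encryption information does not decrypt under this identity")
	}
	return string(code), nil
}

// NetworkDevice models a base-station unit (BBU, RRU, ...) with a local
// management port. It stores only its identity and the encryption key.
type NetworkDevice struct {
	ID       string
	encKey   *rsa.PublicKey
	password string // outstanding password value; "" when none
	expires  time.Time
	Log      []string
}

// InstallKey stores a newly provisioned or updated encryption key (claims 6 and 8).
func (d *NetworkDevice) InstallKey(k *rsa.PublicKey) { d.encKey = k }

// Challenge is claim 1: after static authentication succeeds, generate a random
// password value with a validity window and return it encrypted, for the
// terminal to forward to the management server together with d.ID.
func (d *NetworkDevice) Challenge(now time.Time, ttl time.Duration) ([]byte, error) {
	raw := make([]byte, 4)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	d.password = hex.EncodeToString(raw) // 8 hex digits: short enough to type in (assumption)
	d.expires = now.Add(ttl)
	// Identity as OAEP label is this example's choice, not the patent's.
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, d.encKey, []byte(d.password), []byte(d.ID))
}

// Verify is claims 2 to 4: check the validity window before comparing, compare in
// constant time, reset the password value on success so it cannot be replayed,
// and write the authentication log entry (the logged value is already spent).
func (d *NetworkDevice) Verify(now time.Time, code string) bool {
	passed := false
	if d.password != "" && !now.After(d.expires) {
		passed = subtle.ConstantTimeCompare([]byte(code), []byte(d.password)) == 1
	}
	d.Log = append(d.Log, fmt.Sprintf("device=%s password=%q passed=%v", d.ID, d.password, passed))
	if passed {
		d.password = ""
	}
	return passed
}

func main() {
	server := NewManagementServer()
	dev := &NetworkDevice{ID: "BBU-0001"} // constructed identity for the demo
	pub, err := server.IssueKey(dev.ID)
	if err != nil {
		panic(err)
	}
	dev.InstallKey(pub)
	now := time.Now()
	encInfo, err := dev.Challenge(now, 2*time.Minute)
	if err != nil {
		panic(err)
	}
	// The terminal relays (dev.ID, encInfo) to the server, which shows the code
	// to the technician (claim 10); the technician types it into the device.
	code, err := server.RecoverDynamicCode(dev.ID, encInfo)
	if err != nil {
		panic(err)
	}
	fmt.Println("first attempt:", dev.Verify(now.Add(30*time.Second), code)) // true
	fmt.Println("replay:", dev.Verify(now.Add(31*time.Second), code))        // false
}
```

Two things the claims leave open and a deployment would still have to settle: the static account-and-password check remains the first factor, so this adds a second factor rather than replacing the first, and the path by which the terminal reaches the management server and receives the dynamic code (claim 10) must itself be authenticated, otherwise whoever can answer that request can answer the challenge.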