
CN-122028043-A - System and method for large-scale terminal access authentication of a satellite-ground fusion network


Abstract

The application discloses a large-scale terminal access authentication system and method for a satellite-ground fusion network. The system comprises a ground core network, a satellite-borne base station and a plurality of terminal groups; each terminal group comprises a group leader and at least one group member. The group leader initiates an access request and forwards it to the ground core network through the satellite-borne base station. The core network computes a verification point set and the session keys using a secret sharing mechanism based on polynomial interpolation, and returns the verification point set and the session keys to the satellite-borne base station. The satellite-borne base station stores the session keys locally, generates a temporary identity for each group member, and forwards the verification point set to the group leader. Each group member recovers the session key by combining the received verification points with its own secret share, generates its temporary identity and sends it back to the group leader. The group leader aggregates the valid identities and sends them to the satellite-borne base station for verification. After verification, the satellite-borne base station establishes secure communication connections with all legitimate group members in a single batch. The application thereby provides sustainable large-scale access capability in the satellite-ground fusion scenario.

Inventors

  • Nan Guoshun
  • Ban Jianlong
  • Cao Xinye
  • Du Haitao
  • Tao Xiaofeng

Assignees

  • Beijing University of Posts and Telecommunications (北京邮电大学)

Dates

Publication Date
2026-05-12
Application Date
2026-03-04

Claims (10)

  1. A large-scale terminal access authentication system for a satellite-ground fusion network, the system comprising a ground core network, a satellite-borne base station and a plurality of terminal groups, each terminal group including a group leader and at least one group member, wherein: the group leader is configured to create an access authentication request and send it to the satellite-borne base station; the satellite-borne base station is configured to create a second message by combining the request with its own identifier and to forward the second message to the ground core network; the ground core network is configured to verify the validity of the satellite-borne base station and of the second message and, after verification passes, to construct an additional verification point set and a session key for each group member using a secret sharing mechanism based on polynomial interpolation, and to send the device identifier of each group member, the session keys, the verification point set and a randomly generated group key to the satellite-borne base station as a third message; the satellite-borne base station is further configured to store the session key of each group member, to generate a temporary identity for each group member, to construct a fourth message containing the verification point set from the third message, and to send the fourth message to the group leader; the group leader is further configured to broadcast the fourth message to each group member; each group member is configured to calculate a current temporary identifier from the verification point set in the fourth message and to send the current temporary identifier to the group leader; the group leader is further configured to collect and verify the current temporary identifier of each group member, to aggregate the verified current temporary identifiers into a target message and to send the target message to the satellite-borne base station; and the satellite-borne base station is further configured to verify the target message against the pre-stored temporary identities and, after verification, to establish a secure communication connection with all group members listed in the target message.
  2. The system of claim 1, wherein creating the access authentication request comprises: acquiring the group identifier and a current timestamp of the terminal group; calculating a first hash value over the group identifier, the current timestamp and the group leader key of the group leader; encapsulating the group identifier, the current timestamp and the first hash value as a first message; and integrating the first message into an access authentication request.
  3. The system of claim 2, wherein creating the second message by combining with its own identifier comprises: acquiring the identifier of the satellite-borne base station; and adding that identifier to the first message to obtain the second message.
  4. The system of claim 3, wherein verifying the validity of the satellite-borne base station and of the second message comprises: verifying the legitimacy of the satellite-borne base station through its identifier; and recomputing the hash value over the group identifier and the current timestamp with the group leader key of the group leader to determine the validity of the second message.
  5. The system of claim 1, wherein constructing the additional verification point set and the session key of each group member using the secret sharing mechanism based on polynomial interpolation comprises: randomly generating a group key; querying a database to obtain the device identifier and a pre-assigned secret point of each group member, the secret point being the long-term key of that group member; constructing an n-degree polynomial from the group key according to the secret sharing mechanism based on polynomial interpolation to obtain a target polynomial; generating the additional verification point set from the secret points of the group members and the target polynomial; and generating the session key of each group member with a key distribution function from the secret point of that group member and the group key.
  6. The system of claim 5, wherein the expression of the target polynomial is: Wherein, the Is the object of construction A second order polynomial, when the independent variable Taking the specific value, the function value f (x) of the polynomial is a verification point, For representing that all operations are performed over a finite field, p is a preselected, disclosed large prime number, Is a polynomial, used to represent the number of group members, Is the device identifier in each secret point, Is that The corresponding function value is used for generating a corresponding function value, Is an argument of a polynomial, which will be used when reconstructing a secret By substituting 0 into the polynomial, the polynomial can be obtained by a known point , ) The group key is recovered and the group key is recovered, Is the first Public identification value of individual group members.
  7. The system of claim 1, wherein generating a temporary identity for each group member comprises: calculating a second hash value over the group key and the device identifier of the group member; and using the second hash value as the temporary identity of that group member.
  8. The system of claim 1, wherein constructing the fourth message containing the verification point set from the third message comprises: calculating a third hash value over the verification point set contained in the third message; and packaging the verification point set, the current timestamp, the third hash value and the group key contained in the third message to obtain the fourth message containing the verification point set.
  9. The system of claim 8, wherein calculating the current temporary identifier from the verification point set in the fourth message comprises: acquiring the initial secret point pre-allocated to the group member itself; reconstructing the target polynomial by Lagrange interpolation from the initial secret point and the verification point set contained in the fourth message, so as to recover a local group key; verifying the current timestamp and the third hash value to determine whether the local group key is correct; and, if so, calculating the session key and the current temporary identifier from the local group key.
  10. A method for large-scale terminal access authentication for a satellite-ground fusion network, implemented using the system of any one of claims 1 to 9, the method being applied to a network architecture comprising a ground core network, a satellite-borne base station and a plurality of terminal groups, each terminal group comprising a group leader and at least one group member, the method comprising: the group leader creating an access authentication request and sending it to the satellite-borne base station; the satellite-borne base station creating a second message by combining the request with its own identifier and forwarding the second message to the ground core network; the ground core network verifying the validity of the satellite-borne base station and of the second message and, after verification passes, constructing an additional verification point set and a session key for each group member using a secret sharing mechanism based on polynomial interpolation, and sending the device identifier of each group member, the session keys, the verification point set and a randomly generated group key to the satellite-borne base station as a third message; the satellite-borne base station storing the session key of each group member, generating a temporary identity for each group member, constructing a fourth message containing the verification point set from the third message, and sending the fourth message to the group leader; the group leader broadcasting the fourth message to each group member; each group member calculating a current temporary identifier from the verification point set in the fourth message and sending it to the group leader; the group leader collecting and verifying the current temporary identifier of each group member, aggregating the verified current temporary identifiers into a target message and sending the target message to the satellite-borne base station; and the satellite-borne base station verifying the target message against the pre-stored temporary identities and, after verification, establishing a secure communication connection with all group members listed in the target message.
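The core of claims 5 to 9 is a Shamir-style sharing of the group key: the core network fixes a degree-n polynomial f over GF(p) with f(0) equal to the group key and passing through the n members' long-term secret points, publishes n further points on it, and each member, holding its own point plus the n public points (n + 1 in total), interpolates f(0). An eavesdropper on the satellite broadcast holds only n points, and n points are consistent with every possible value of f(0). The Python below is an added example written for this page, not code from the patent or its applicant, and it walks that exchange end to end on constructed data. Everything the claims do not fix is an assumption made here: p = 2^127 - 1, SHA-256 for the hashes, HMAC-SHA256 keyed with the member's long-term share as the "key distribution function" of claim 5, the device identifier used directly as the x-coordinate of the member's secret point, and a fourth-message hash that covers the group key as well as the verification points. That last choice deliberately departs from claim 8 as worded, which lists the group key itself among the fourth-message contents and hashes only the point set: broadcasting the group key would make the sharing pointless, and a hash over public points alone cannot tell a member whether its recovered key is correct, which is what claim 9 uses the hash for.

```python
import hashlib
import hmac
import secrets

P = (1 << 127) - 1  # public prime fixing GF(p); a constructed choice, the page gives no value


def lagrange_eval(points, x, p=P):
    """Evaluate at x the unique polynomial of degree < len(points) through `points` over GF(p)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def h(*parts):
    """SHA-256 over length-prefixed 16-byte ints and byte strings (constructed encoding)."""
    m = hashlib.sha256()
    for part in parts:
        b = part.to_bytes(16, "big") if isinstance(part, int) else part
        m.update(len(b).to_bytes(2, "big") + b)
    return m.digest()


def points_bytes(points):
    return b"".join(x.to_bytes(16, "big") + y.to_bytes(16, "big") for x, y in points)


def session_key(secret_point, group_key):
    """Claim 5 'key distribution function', modelled (assumption) as HMAC keyed with the long-term y_i."""
    x, y = secret_point
    return hmac.new(y.to_bytes(16, "big"), h(x, group_key), hashlib.sha256).digest()


def temp_identity(group_key, device_id):
    """Claim 7: temporary identity = H(group key, device identifier)."""
    return h(group_key, device_id)


def core_network_issue(secret_points, p=P):
    """Claim 5: fresh group key K, a degree-n polynomial through (0, K) and the n secret points,
    n extra verification points on it, and each member's session key (the third message)."""
    group_key = secrets.randbelow(p)
    anchors = [(0, group_key)] + list(secret_points.values())  # n + 1 points -> degree n
    used_x = {x for x, _ in anchors}
    verification = []
    while len(verification) < len(secret_points):  # n public points at fresh x values
        xv = secrets.randbelow(p)
        if xv not in used_x:
            used_x.add(xv)
            verification.append((xv, lagrange_eval(anchors, xv, p)))
    keys = {dev: session_key(pt, group_key) for dev, pt in secret_points.items()}
    return group_key, verification, keys


def base_station_prepare(group_key, verification, device_ids, timestamp):
    """Claims 7-8: pre-store each member's temporary identity and build the fourth message.
    The hash binds the group key as well as the points (assumption) so members can check their key."""
    stored = {dev: temp_identity(group_key, dev) for dev in device_ids}
    tag = h(points_bytes(verification), timestamp, group_key)
    return stored, {"points": verification, "ts": timestamp, "tag": tag}


def member_respond(device_id, secret_point, msg4, now, max_skew=5):
    """Claim 9: own secret point + n verification points -> Lagrange interpolation -> f(0) = K.
    Rejects a stale timestamp or a hash mismatch (wrong key); else derives session key and temp ID."""
    if abs(now - msg4["ts"]) > max_skew:
        return None
    local_key = lagrange_eval([secret_point] + msg4["points"], 0)
    expected = h(points_bytes(msg4["points"]), msg4["ts"], local_key)
    if not hmac.compare_digest(expected, msg4["tag"]):
        return None
    return session_key(secret_point, local_key), temp_identity(local_key, device_id)


def base_station_verify(stored, target_message):
    """Final step: admit exactly the members whose reported temporary identity matches the stored one."""
    return sorted(dev for dev, tid in target_message.items()
                  if dev in stored and hmac.compare_digest(stored[dev], tid))


def run_exchange(n_members=4, now=1000):
    """Whole flow on constructed data; returns what each party ended up with."""
    secret_points = {dev: (dev, secrets.randbelow(P)) for dev in range(1001, 1001 + n_members)}
    group_key, verification, keys = core_network_issue(secret_points)
    stored, msg4 = base_station_prepare(group_key, verification, list(secret_points), now)
    responses = {dev: member_respond(dev, pt, msg4, now) for dev, pt in secret_points.items()}
    target = {dev: tid for dev, (_, tid) in responses.items()}  # leader's aggregated target message
    outsider = member_respond(9999, (9999, secrets.randbelow(P)), msg4, now)  # point not on f
    eavesdropper_guess = lagrange_eval(verification, 0)  # has only the n public points
    return {"group_key": group_key, "member_keys": {d: r[0] for d, r in responses.items()},
            "core_keys": keys, "admitted": base_station_verify(stored, target),
            "outsider": outsider, "eavesdropper_guess": eavesdropper_guess}
```

run_exchange() exercises the two failure modes worth knowing: a device whose secret point does not lie on the polynomial recovers a wrong f(0) and is stopped by the hash check, and interpolating the n public points alone yields a value unrelated to the group key. Two properties of the construction follow directly from it: the x-coordinates of all secret and verification points must be distinct and non-zero, or the interpolation is undefined or leaks f(0); and a member's secret point is a long-term key, so whoever obtains it can recover every future group key broadcast to that group from the public points alone.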

Description

System and method for large-scale terminal access authentication of a satellite-ground fusion network

Technical Field

The application relates to the technical field of communication, in particular to a large-scale terminal access authentication system and method for a satellite-ground fusion network.

Background

With the evolution of mobile communication technology towards 5G-Advanced and 6G, the satellite-ground fusion network (also called the non-terrestrial network, NTN) has become an indispensable enabling architecture for ubiquitous, gap-free global connectivity. Such a network integrates space segments such as low earth orbit, medium earth orbit and geostationary orbit satellites with the terrestrial cellular network in order to provide continuous service over wide sea areas, remote regions and high-speed mobile platforms, and to support the large-scale concurrent access of massive numbers of terminals in future application scenarios such as the Internet of Things and the industrial Internet. A typical satellite-ground fusion network architecture comprises a space segment, a ground segment and a user segment, in which low earth orbit satellites, with their lower propagation delay, become the key nodes carrying user-plane data and control-plane signalling. In this scenario the terminal equipment accesses the network through a satellite-borne base station or an on-board regenerative payload, and the radio link between the satellite and the ground terminal inherently suffers from long propagation delay, strongly time-varying link quality and intermittent coverage.

In the related art, authentication and key agreement mechanisms based on 5G-AKA or its evolutions are commonly adopted. To cope with the signalling storm caused by large-scale terminal access, the prior art further proposes group authentication schemes. Specifically, the network side divides the terminals into groups according to their geographic position or service attributes and assigns each group a group identifier and a group key. At access authentication, a group representative node (also called the group leader) performs the authentication signalling exchange with the network side on behalf of the whole group; after the network side has verified the validity of the group identity, the representative node broadcasts the acquired authentication vector or session key material within the group, so that the network side need not run the complete authentication flow with each terminal one by one. This aggregated interaction reduces the repeated processing overhead on the core network side to some extent. When applied to the large-scale access scenario of the satellite-ground fusion network described above, however, the prior art still has the following drawbacks.

First, authentication latency and reliability. Although existing group authentication schemes reduce the number of interactions, their fixed multi-round flow is markedly amplified on the long-delay satellite-ground link, so that the terminal access delay becomes excessive. At the same time, on a satellite link with a high error rate, the loss or timeout of an authentication message readily triggers terminal retransmission, causing a chain reaction of failure, retry and network congestion that severely reduces the access success rate and reliability of large-scale terminals in a highly dynamic environment.

Second, computational and energy overhead. To realise group authentication and key agreement, existing schemes mostly rely on computation-intensive public-key operations such as elliptic curve cryptography or bilinear pairings. These place a heavy burden on Internet of Things terminals with limited computation, storage and energy, and the accumulated energy consumption shortens terminal battery life. More importantly, on-board processing units are subject to strict size, weight and power constraints; their limited computational resources struggle to perform such complex operations in real time, which becomes a performance bottleneck for supporting the density of millions of future connections.

Finally, privacy protection and security risk. Satellite broadcast channels are inherently open and their signals are easy to intercept. In existing group authentication schemes, the identities of group members are transmitted in the clear as long-term identities or appear as linkable pseudo-identities, so that an attacker can mount linkage attacks through traffic analysis and track the positions and behaviour patterns of terminals over long periods, which constitutes a serious threat to the deployment of high-security-level services such as emergency communicatio