Search

EP-4572227-B1 - METHOD FOR VERIFYING ACCESS REQUEST, USER TERMINAL, AND BASE STATION

EP4572227B1EP 4572227 B1EP4572227 B1EP 4572227B1EP-4572227-B1

Inventors

  • JI, Hongwei
  • YAN, XINCHENG
  • ZHOU, NA
  • JIANG, ZHIHONG

Dates

Publication Date
20260506
Application Date
20230628

Claims (13)

  1. A method, applied to a user terminal, for verifying an access request, comprising: generating an access request message, wherein the access request message carries a cipher text and a signature, the cipher text is determined based on a base station public key of a base station covering a cell where the user terminal is located and an identity identifier of the user terminal, and the signature is determined based on a terminal private key and the identity identifier of the user terminal; and sending the access request message to the base station, wherein the access request message is for the base station to determine whether the user terminal is legal based on the signature and the cipher text obtained by parsing the access request message to determine whether to allow the user terminal to access.
  2. The method according to claim 1, wherein the generating an access request message comprises: encrypting the identity identifier based on the base station public key to obtain the cipher text; performing a signature process on the identity identifier and a random number generated by the user terminal based on the terminal private key to obtain the signature; and generating the access request message carrying the cipher text, the signature and the random number.
  3. The method according to claim 2, wherein before the generating an access request message, the method further comprises: performing a point doubling operation on the terminal private key and the base station public key to obtain a shared encryption key; and deriving a master key based on the shared encryption key, wherein generating an access request message comprises: generating the access request message based on the master key.
  4. The method according to claim 3, wherein the generating the access request message based on the master key comprises: performing a symmetric encryption on the identity identifier based on a most significant bit of the master key to obtain the cipher text; performing a signature process on the identity identifier, the random number, and a terminal public key of the user terminal based on a least significant bit of the master key to obtain the signature; and generating the access request message carrying the cipher text, the signature, the random number and the terminal public key.
  5. The method according to any one of claims 1 to 4, wherein before the generating an access request message, the method further comprises: receiving a base station public key broadcasted by the base station.
  6. The method according to any one of claims 1 to 4, wherein before the generating an access request message, the method further comprises: generating a key acquisition request, wherein the key acquisition request carries a subscription permanent identifier and the identity identifier of the user terminal, and the identity identifier is determined based on the subscription permanent identifier; sending the key acquisition request to a combined public key management center; and receiving a terminal private key issued by the combined public key management center.
  7. A method, applied to a base station, for verifying an access request, comprising: receiving an access request message of a user terminal, wherein the access request message carries a cipher text and a signature, the cipher text is determined based on a base station public key of the base station and an identity identifier of the user terminal, and the signature is determined based on a terminal private key and the identity identifier of the user terminal; parsing the access request message based on a base station private key and a terminal public key of the user terminal to obtain the signature and the cipher text; and determining legality of the user terminal according to the signature and the cipher text obtained by parsing to determine whether to allow the user terminal to access.
  8. The method according to claim 7, wherein the determining legality of the user terminal according to the signature and the cipher text obtained by parsing to determine whether to allow the user terminal to access comprises: parsing the cipher text based on the base station private key to obtain a first verification information; decrypting the signature based on the terminal public key to obtain a second verification information; and determining legality of the user terminal according to consistency between the first verification information and the second verification information to determine whether to allow the user terminal to access.
  9. The method according to claim 8, wherein the access request message further carries a random number generated by the user terminal; wherein the parsing the cipher text based on the base station private key to obtain a first verification information comprises: parsing the cipher text based on the base station private key to obtain an identity identifier after parsing; and determining the first verification information, wherein the first verification information is a hash value of a combined message that comprises the identity identifier after parsing and the random number.
  10. The method according to claim 9, wherein before the receiving an access request message of a user terminal, the method further comprises: receiving a public key matrix issued by a combined public key management center; wherein before the decrypting the signature based on the terminal public key to obtain a second verification information, the method further comprises: generating a terminal public key based on the identity identifier after parsing and the public key matrix.
  11. The method according to claim 7, wherein the access request message further carries a terminal public key of the user terminal; and the determining legality of the user terminal according to the signature and the cipher text obtained by parsing to determine whether to allow the user terminal to access comprises: performing a point doubling operation on the base station private key and the terminal public key to obtain a shared encryption key; deriving a master key based on the shared encryption key; generating a signature to be verified based on the master key and the cipher text; and determining the legality of the user terminal based on consistency between the signature to be verified and the signature to determine whether to allow the user terminal to access.
  12. An electronic device, comprising a memory, a processor, and a computer program stored on the memory and executable by the processor, wherein the computer program, when executed by the processor, implements steps of the method according to any one of claims 1 to 6 or any one of claims 7 to 11.
  13. A computer readable storage medium storing a computer program thereon, wherein the computer program, when executed by a processor, implements steps of the method according to any one of claims 1 to 6 or any one of claims 7 to 11.

Description

TECHNICAL FIELD The present application relates to the field of network security, and particularly, to a method and a user terminal for verifying an access request, and a base station. BACKGROUND In the field of communication, when a Radio Resource Control (RRC) connection is initially established between a user terminal and a communication base station, an RRCConnectionRequest message may be used by the user terminal to apply for channel resources from the communication base station. Fig. 1 is a schematic view of an interaction between a user terminal and a communication base station. Since the communication base station cannot confirm an identity of the user terminal, under a condition that an attacker modifies a source code and frequently uses different random numbers as an identity identifier user equipment identity document (UE ID) of a malicious terminal to send the RRCConnectionRequest message to the base station, the malicious terminal will not reply wtih an RRCConnectionComple message after the base station assigns the channel resources and replies with the RRCConnection message. Under this condition, it is only not until the timer expires that the base station can release the channel resources. In case that a large number of malicious terminals initiate attacks on the base station, RRC connection resources of the communication base station are often far greater than the released resources, thereby causing an air interface Denial of Service (DoS) attack. How to improve verification validity of a network access request to prevent the DoS attack is a technical problem to be solved in the present application. CN111083131A discloses a method for lightweight identity authentication of a power Internet of things sensing terminal, which comprises the following steps that firstly, an Internet of things terminal sends ciphertext data and a signature value to an edge Internet of things agent and enters a second step; step two, the edge Internet of things agent unlocks the ciphertext data and verifies the signature value, and the step three is entered; step three, judging whether the ciphertext data decrypted by the edge Internet of things agent is correct or not, and judging whether the signature value verified by the edge Internet of things agent is correct or not: if the conditions that the ciphertext data decrypted by the edge internet of things agent is correct and the signature value verified by the edge internet of things agent is correct are met, entering a fourth step; and if the ciphertext data decrypted by the edge Internet of things agent is incorrect or the signature value verified by the edge Internet of things agent is incorrect, the edge Internet of things agent sends an alarm to the terminal and enters the step five, the alarm frequency N is defined, N is an integer, N = N + L, and L is a constant which is not 0. US2021135878A1 discloses a embodiment mutual authentication and security agreement (MASA) protocols may use independently generated integrity and/or encryption keys to securely communicate private information exchanged between UEs and various network side devices (e.g., base stations, MMEs, HSSs, etc.). In particular, embodiment MASA protocols may use an initial authentication request (IAR) encryption key to encrypt UE specific information (e.g., an IMSI, etc.) in an IAR message and/or an initial authentication response (IAS) encryption key to encrypt private information in an IAS message. Additionally, embodiment MASA protocols may use an IAR integrity protection key to verify the integrity of information in an IAR message and/or an IAS integrity protection key to verify the integrity of information in an IAS message. SUMMARY An object of embodiments of the present application is to provide a method and a user terminal for verifying an access request, and a base station. However, the claimed subject-matter is defined by the claims. It is further disclosed, a method, applied to a user terminal, for verifying an access request is provided, the method includes: generating an access request message, in which the access request message carries a cipher text and a signature, the cipher text is determined based on a base station public key of a base station covering the cell where the user terminal is located and an identity identifier of the user terminal, and the signature is determined based on a terminal private key and the identity identifier of the user terminal; and sending the access request message to the base station, in which the access request message is for the base station to determine whether the user terminal is legal based on the signature and the cipher text obtained by parsing the access request message to determine whether to allow the user terminal to access. It is further disclosed, a method, applied to a base station, for verifying an access request is provided, the method includes: receiving an access request message of a user terminal, in which the access request m