CN119997023A - Identity authentication method and system - Google Patents
Publication number: CN119997023A (application CN202510331864.XA)
Authority: CN (China)
Prior art keywords: authentication, ciphertext, certificate, random number, result
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Landscape: Mobile Radio Communication Systems
Abstract
The application relates to an identity authentication method and system. The method comprises: receiving an access authentication request message from a terminal device and obtaining the second ciphertext it contains; sending a certificate authentication request message comprising a first ciphertext and the second ciphertext to a first authentication device; receiving a certificate authentication response message from the first authentication device and obtaining the third ciphertext it contains; decrypting the third ciphertext with a first random number to obtain a second random number, a first authentication result and a second authentication result; determining whether the terminal device is trusted according to the second authentication result; encrypting the first authentication result with the second random number to obtain a fourth ciphertext; and sending an access authentication response message containing the fourth ciphertext to the terminal device. The method can improve the security of the identity authentication process in a wireless network access scenario.
    Description
Technical Field
      The present application relates to the field of communications security technologies, and in particular, to an identity authentication method and system.
    Background
      With the rapid development of communication technology, wireless networks are widely used in a variety of scenarios. To improve the security and privacy of the wireless network environment, an identity authentication mechanism is introduced in the wireless local area network access scenario. However, the identity authentication mechanisms of the related art carry a risk of information exposure, and it is difficult for them to provide sufficient security protection for wireless network access.
    Disclosure of Invention
      Based on the foregoing, it is necessary to provide an identity authentication method and system for solving the above technical problems.
      In a first aspect, the present application provides an identity authentication method, applied to an access control device, including:
       receiving an access authentication request message from a terminal device, and obtaining a second ciphertext contained in the access authentication request message, wherein the second ciphertext contains a second certificate and a second random number encrypted with a second public key;
       sending a certificate authentication request message to a first authentication device, wherein the certificate authentication request message comprises a first ciphertext and the second ciphertext, and the first ciphertext comprises a first certificate and a first random number encrypted with a first public key;
       receiving a certificate authentication response message from the first authentication device, and obtaining a third ciphertext contained in the certificate authentication response message, wherein the third ciphertext comprises a first authentication result, a second authentication result and the second random number encrypted with the first random number;
       decrypting the third ciphertext with the first random number to obtain the second random number, the first authentication result and the second authentication result;
       encrypting the first authentication result with the second random number to obtain a fourth ciphertext; and sending an access authentication response message containing the fourth ciphertext to the terminal device.
      In one embodiment, the second ciphertext further comprises a second temporary public key encrypted with the second public key, and the third ciphertext further comprises the second temporary public key encrypted with the first random number. In that case, decrypting the third ciphertext with the first random number yields the second random number, the first authentication result, the second authentication result and the second temporary public key; encrypting the first authentication result with the second random number to obtain the fourth ciphertext includes encrypting the first authentication result and a first temporary public key with the second random number, the first temporary public key being used by the terminal device to calculate a shared key; and determining whether the terminal device is trusted according to the second authentication result includes, if the terminal device is trusted, obtaining the shared key according to the second temporary public key.
      In one embodiment, the access authentication request message further includes a second digest of the second certificate, and after the third ciphertext has been decrypted with the first random number to obtain the second random number, the first authentication result and the second authentication result, the method further includes: if the second authentication result includes the digest value of the authenticated certificate, determining whether the second authentication result is trusted according to the consistency of that digest value with the second digest; and if the second authentication result includes the authenticated certificate itself, calculating the digest value of the authenticated certificate and determining whether the second authentication result is trusted according to the consistency of the calculated digest value with the second digest.
      In a second aspect, the present application further provides an identity authentication method, applied to a terminal device, including:
       encrypting a second certificate and a second random number with a second public key to obtain a second ciphertext;
       sending an access authentication request message containing the second ciphertext to an access control device;
       receiving an access authentication response message from the access control device, and obtaining a fourth ciphertext contained in the access authentication response message, wherein the fourth ciphertext is obtained by the access control device encrypting a first authentication result with the second random number, the second random number and the first authentication result are obtained by the access control device from a certificate authentication response message received from a first authentication device, and the first authentication result is obtained after the first authentication device verifies a first certificate of the access control device;
       decrypting the fourth ciphertext with the second random number to obtain the first authentication result; and determining whether the access control device is trusted according to the first authentication result.
      In one embodiment, encrypting the second certificate and the second random number with the second public key to obtain the second ciphertext includes encrypting the second certificate, the second random number and a second temporary public key with the second public key, the second temporary public key being used by the access control device to calculate a shared key; the fourth ciphertext further includes a first temporary public key encrypted with the second random number; decrypting the fourth ciphertext with the second random number yields the first authentication result and the first temporary public key; and determining whether the access control device is trusted according to the first authentication result includes, if the access control device is trusted, obtaining the shared key from the first temporary public key and the second temporary private key corresponding to the second temporary public key.
      In one embodiment, before the access authentication request message containing the second ciphertext is sent to the access control device, the method further includes receiving an authentication activation message from the access control device, where the authentication activation message includes a first digest of the first certificate; and decrypting the fourth ciphertext with the second random number to obtain the first authentication result includes: if the first authentication result includes the digest value of the authenticated certificate, determining whether the first authentication result is trusted according to the consistency of that digest value with the first digest; and if the first authentication result includes the authenticated certificate itself, calculating its digest value and determining whether the first authentication result is trusted according to the consistency of the calculated digest value with the first digest.
      In a third aspect, the present application further provides an identity authentication method, applied to a first authentication device, including:
       receiving a certificate authentication request message from an access control device, and obtaining a first ciphertext and a second ciphertext contained in the certificate authentication request message, wherein the first ciphertext is obtained by the access control device encrypting a first certificate and a first random number with a first public key, and the second ciphertext is received by the access control device from a terminal device;
       decrypting the first ciphertext with a first private key corresponding to the first public key to obtain the first certificate and the first random number, and verifying the first certificate to obtain a first verification result;
       obtaining a second random number and a second authentication result, wherein the second random number is obtained by decrypting the second ciphertext with a second private key corresponding to a second public key, and the second authentication result comprises a second verification result obtained by verifying a second certificate;
       obtaining a first authentication result of the first certificate according to the first verification result and the second verification result;
       encrypting the first authentication result, the second authentication result and the second random number with the first random number to obtain a third ciphertext;
       and sending a certificate authentication response message containing the third ciphertext to the access control device.
      In one embodiment, obtaining the first authentication result of the first certificate according to the first verification result and the second verification result includes: if the first verification result and/or the second verification result indicates that verification has not passed, calculating a digest value of the first certificate and obtaining the first authentication result from that digest value and the first verification result; and if both the first verification result and the second verification result indicate that verification has passed, obtaining the first authentication result from the first certificate and the first verification result. Correspondingly, the second authentication result further includes a digest value of the second certificate if the first verification result and/or the second verification result indicates that verification has not passed, and further includes the second certificate itself if both indicate that verification has passed.
      In one embodiment, obtaining the second random number and the second authentication result includes: sending a roaming authentication request message to a second authentication device, where the roaming authentication request message includes the first public key, the first verification result and the second ciphertext; receiving a roaming authentication response message from the second authentication device and obtaining a fifth ciphertext included in it, where the fifth ciphertext is obtained by the second authentication device encrypting the second random number and the second authentication result with the first public key, the second random number is obtained by the second authentication device decrypting the second ciphertext with a second private key corresponding to the second public key, and the second authentication result includes a second verification result obtained by the second authentication device verifying the second certificate; and decrypting the fifth ciphertext with the first private key corresponding to the first public key to obtain the second random number and the second authentication result.
      In a fourth aspect, the application further provides an identity authentication system comprising a terminal device, an access control device and a first authentication device;
       the terminal device is used for encrypting a second certificate and a second random number with a second public key to obtain a second ciphertext, and sending an access authentication request message containing the second ciphertext to the access control device;
       the access control device is used for receiving the access authentication request message, obtaining the second ciphertext, and sending a certificate authentication request message to the first authentication device, wherein the certificate authentication request message comprises a first ciphertext and the second ciphertext;
       the first authentication device is used for receiving the certificate authentication request message, obtaining the first ciphertext and the second ciphertext contained in it, decrypting the first ciphertext with a first private key corresponding to a first public key to obtain a first certificate and a first random number, verifying the first certificate to obtain a first verification result, obtaining the second random number and a second authentication result, wherein the second random number is obtained by decrypting the second ciphertext with a second private key corresponding to the second public key and the second authentication result comprises a second verification result obtained by verifying the second certificate, obtaining a first authentication result of the first certificate according to the first verification result and the second verification result, encrypting the first authentication result, the second authentication result and the second random number with the first random number to obtain a third ciphertext, and sending a certificate authentication response message containing the third ciphertext to the access control device;
       the access control device is further used for receiving the certificate authentication response message, obtaining the third ciphertext contained in it, decrypting the third ciphertext with the first random number to obtain the second random number, the first authentication result and the second authentication result, determining whether the terminal device is trusted according to the second authentication result, encrypting the first authentication result with the second random number to obtain a fourth ciphertext, and sending an access authentication response message containing the fourth ciphertext to the terminal device;
       the terminal device is further used for receiving the access authentication response message, obtaining the fourth ciphertext, decrypting the fourth ciphertext with the second random number to obtain the first authentication result, and determining whether the access control device is trusted according to the first authentication result.
      In one embodiment, the system further comprises a second authentication device. The first authentication device is further used for sending a roaming authentication request message to the second authentication device, the roaming authentication request message comprising the first public key, the first verification result and the second ciphertext. The second authentication device is used for receiving the roaming authentication request message and obtaining the first public key, the first verification result and the second ciphertext; decrypting the second ciphertext with the second private key corresponding to the second public key to obtain the second random number and the second certificate; verifying the second certificate to obtain the second verification result; obtaining the second authentication result according to the first verification result and the second verification result; encrypting the second random number and the second authentication result with the first public key to obtain a fifth ciphertext; and sending a roaming authentication response message comprising the fifth ciphertext to the first authentication device. The first authentication device is further used for receiving the roaming authentication response message, obtaining the fifth ciphertext, and decrypting it with the first private key to obtain the second random number and the second authentication result.
      In the identity authentication method and system described above, the access control device first receives an access authentication request message from the terminal device and obtains the second ciphertext it contains, the second ciphertext containing a second certificate and a second random number encrypted with a second public key; it then sends a certificate authentication request message comprising a first ciphertext and the second ciphertext to the first authentication device, the first ciphertext comprising a first certificate and a first random number encrypted with a first public key; it then receives a certificate authentication response message from the first authentication device and obtains the third ciphertext it contains, the third ciphertext comprising a first authentication result, a second authentication result and the second random number encrypted with the first random number; it decrypts the third ciphertext with the first random number to obtain the second random number, the first authentication result and the second authentication result, determines whether the terminal device is trusted according to the second authentication result, encrypts the first authentication result with the second random number to obtain a fourth ciphertext, and sends an access authentication response message containing the fourth ciphertext to the terminal device.
      In this scheme the terminal device encrypts its identity information together with a protection random number and provides them to the access control device; the access control device forwards the terminal device's ciphertext, together with its own encrypted identity information and protection random number, to the authentication device; the authentication device decrypts and authenticates the identity information of the terminal device and of the access control device respectively, and then encrypts the authentication results of both parties and the protection random number of the terminal device with the protection random number of the access control device before returning them to the access control device. The access control device thereby obtains the authentication results of both parties and the protection random number of the terminal device in a secure manner, can determine whether the terminal device is trusted according to the authentication result, and can pass the authentication result for the terminal device back to it securely under the terminal device's own protection random number. Throughout the identity authentication process no plaintext identity information or key is transmitted over the air interface, so the security of the identity authentication process is effectively improved and the risk of information exposure is avoided. In addition, the two parties to be authenticated do not need to negotiate the protection information required for confidentiality during identity authentication, which simplifies the identity authentication process and improves overall processing efficiency.
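      The first through fourth aspects above describe one exchange from three viewpoints, and the digest embodiments (the second digest carried in the access authentication request, the first digest carried in the authentication activation message, and the rule that an authentication result carries the full certificate only when both verifications passed and its digest otherwise) describe how each side binds the verdict it receives to the certificate it expected. The following Python model is added here as an illustration; it is not code from the patent or from any product. It runs that exchange end to end for the case in which the first authentication device is trusted by both parties (the roaming variant and the temporary-public-key embodiment are omitted). It uses only the standard library, so a textbook-RSA hybrid stands in for the certificate public-key layer, "encrypt with the random number" is an HMAC-SHA256 keystream with an HMAC tag, and certificate verification is membership in the issuing server's set; all names (`AuthServer`, `seal`, `make_result`, `run_access_authentication`) and the sample certificates are constructed for the example.

```python
# Constructed model of the patent's three-party exchange (STA = terminal device,
# AP = access control device, AS = first authentication device); not the patent's own code.
# Stdlib only: textbook-RSA hybrid stands in for the public-key layer, HMAC keystream + tag for the nonce encryption.
import hashlib, hmac, os, random
_rng = random.SystemRandom()
def sha256(b): return hashlib.sha256(b).digest()
def pack(*fields):                          # length-prefixed field list
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)
def unpack(blob):
    out, i = [], 0
    while i < len(blob):
        n = int.from_bytes(blob[i:i + 2], "big")
        out.append(blob[i + 2:i + 2 + n])
        i += 2 + n
    return out

# --- symmetric protection keyed directly by a 32-byte random number (the "protection random number")
def _keystream(key, iv, length):
    return b"".join(hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((length + 31) // 32))[:length]
def sym_encrypt(key, data):
    iv = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, iv, len(data))))
    return iv + body + hmac.new(key, iv + body, hashlib.sha256).digest()
def sym_decrypt(key, blob):
    iv, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + body, hashlib.sha256).digest()):
        raise ValueError("ciphertext integrity check failed")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, iv, len(body))))

# --- toy public-key layer: textbook RSA wrapping a fresh 32-byte symmetric key (unpadded; demo only)
def _probable_prime(n, rounds=16):          # Miller-Rabin
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)): return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else: return False
    return True
def rsa_keygen(bits=512):                   # small modulus keeps the demo fast
    def prime(b):
        while True:
            c = _rng.getrandbits(b) | (1 << (b - 1)) | 1
            if _probable_prime(c): return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)
def seal(pub, data):                        # encrypt to the holder of a certificate's private key
    k = os.urandom(32)
    return pack(pow(int.from_bytes(k, "big"), *pub).to_bytes(64, "big"), sym_encrypt(k, data))
def open_sealed(priv, blob):
    wrapped, body = unpack(blob)
    return sym_decrypt(pow(int.from_bytes(wrapped, "big"), *priv).to_bytes(32, "big"), body)

# --- authentication result: verdict byte, then the full certificate if both verifications passed, else its digest
def make_result(own_verified, both_verified, cert):
    verdict = b"\x01" if own_verified else b"\x00"
    return pack(verdict, b"C", cert) if both_verified else pack(verdict, b"D", sha256(cert))
def check_result(result, expected_digest):
    """True only if the result is bound to the expected certificate digest AND the verdict is 'passed'."""
    verdict, kind, payload = unpack(result)
    digest = sha256(payload) if kind == b"C" else payload
    return hmac.compare_digest(digest, expected_digest) and verdict == b"\x01"

class AuthServer:                           # AS trusted by both STA and AP (non-roaming case)
    def __init__(self):
        self.pub, self.priv = rsa_keygen()
        self.issued = set()                 # membership stands in for signature verification
    def issue(self, subject):
        cert = pack(subject, os.urandom(8)); self.issued.add(cert); return cert
    def handle_cert_auth_request(self, c1, c2):
        ap_cert, n1 = unpack(open_sealed(self.priv, c1))    # first ciphertext
        sta_cert, n2 = unpack(open_sealed(self.priv, c2))   # second ciphertext, opaque to the AP
        v1, v2 = ap_cert in self.issued, sta_cert in self.issued
        r1 = make_result(v1, v1 and v2, ap_cert)            # first authentication result (about the AP)
        r2 = make_result(v2, v1 and v2, sta_cert)           # second authentication result (about the STA)
        return sym_encrypt(n1, pack(r1, r2, n2))            # third ciphertext, readable only with n1
def run_access_authentication(as_dev, sta_cert, ap_cert, ap_claimed_cert=None):
    """One exchange; returns both trust decisions. ap_claimed_cert models an AP whose
    activation-message digest does not match the certificate it sent to the AS."""
    first_digest = sha256(ap_claimed_cert or ap_cert)       # authentication activation message
    n2 = os.urandom(32)                                     # second random number (STA)
    c2, second_digest = seal(as_dev.pub, pack(sta_cert, n2)), sha256(sta_cert)  # access auth request
    n1 = os.urandom(32)                                     # first random number (AP)
    c1 = seal(as_dev.pub, pack(ap_cert, n1))
    c3 = as_dev.handle_cert_auth_request(c1, c2)            # certificate auth request / response
    r1, r2, n2_from_as = unpack(sym_decrypt(n1, c3))        # AP learns the STA's nonce only here
    ap_trusts_sta = check_result(r2, second_digest)
    c4 = sym_encrypt(n2_from_as, r1)                        # fourth ciphertext, under the STA's nonce
    sta_trusts_ap = check_result(sym_decrypt(n2, c4), first_digest)
    return {"ap_trusts_sta": ap_trusts_sta, "sta_trusts_ap": sta_trusts_ap}
```

      Three runs show the checks the text describes: with two certificates issued by the same `AuthServer` both sides end up trusting each other; a terminal presenting a certificate the server never issued gets a "not passed" second authentication result carrying only a digest, so the access control device rejects it while the terminal can still read a valid verdict about the access control device; and an access control device whose activation-message digest does not match the certificate it actually submitted is rejected by the terminal even though the verdict itself says "passed", because the digest-consistency check fails. Note that the access control device never sees the terminal's random number until the authentication device returns it inside the third ciphertext, which is the property the scheme relies on to avoid a separate key negotiation.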
    Drawings
      In order to more clearly illustrate the embodiments of the present application or the technical solutions in the related art, the drawings that are needed in the description of the embodiments of the present application or the related technologies will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and other related drawings may be obtained according to these drawings without inventive effort to those of ordinary skill in the art.
      FIG. 1 is a schematic diagram of an identity authentication system in one embodiment;
      FIG. 2 is a schematic diagram of an authentication system according to another embodiment;
      FIG. 3 is a schematic diagram of an interaction flow of an authentication system in one embodiment;
      FIG. 4 is a schematic diagram of the structure of the authentication result in one embodiment;
      FIG. 5 is a flow chart of an identity authentication method according to one embodiment;
      FIG. 6 is a flow chart of an authentication method according to another embodiment;
      FIG. 7 is a flow chart of a method of authentication in yet another embodiment;
      FIG. 8 is a block diagram of an identity authentication device in one embodiment;
      FIG. 9 is a block diagram of an authentication device according to another embodiment;
      FIG. 10 is a block diagram of an authentication device according to yet another embodiment;
      FIG. 11 is an internal block diagram of a communication device in one embodiment;
      FIG. 12 is an internal structural diagram of a communication device in another embodiment.
    Detailed Description
      The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
      Specifically, for secure access to a wireless LAN, identity authentication of both access parties in the related art is generally performed based on the WLAN Authentication and Privacy Infrastructure (WAPI). WAPI uses digital certificates to identify the wireless Access Point (AP) and the wireless terminal (Station, STA), and the STA and the AP authenticate each other through an authentication service network element (Authentication Service, AS) trusted by both, so as to ensure the security of wireless access. Under WAPI, the AP does not allow a STA that fails identity authentication to access the network, and a STA does not access an AP that fails identity authentication. In the WAPI identity authentication process, the digital certificates representing the identities of the AP and the STA are typically transmitted over the network in plaintext, so there is a risk of information exposure.
      To address this risk, the related art provides a scheme in which the two sides of identity authentication negotiate an encryption key by exchanging temporary public keys and then use that key to encrypt the identity information before transmission. However, the temporary public keys exchanged in this process are themselves unencrypted, so they are easily cracked under quantum attack, which exposes the identity information. In addition, because the encryption key must be negotiated in advance, this scheme adds a negotiation to identity authentication and increases its complexity, which lengthens network access time and affects user experience.
      Based on this, in one embodiment, as shown in FIG. 1, an identity authentication system is provided that may include a terminal device, an access control device, and a first authentication device.
      The terminal device may be, but is not limited to, a personal computer, notebook computer, smart phone, tablet computer, Internet of Things device or portable wearable device; Internet of Things devices include smart speakers, smart televisions, smart air conditioners, smart vehicle devices, projection devices and the like; portable wearable devices include smart watches, smart bracelets, headsets and the like; and a head-mounted device may be a Virtual Reality (VR) device, an Augmented Reality (AR) device, smart glasses or the like. The access control device may be a wireless Access Point (AP). The first authentication device may be an authentication service network element (Authentication Service, AS), which may be a server, for example an independent physical server, a server cluster or distributed system formed by a plurality of physical servers, or a cloud server providing cloud computing services.
      The terminal device may be provided with a second authentication certificate of the authentication service network element trusted by the terminal device, and a second certificate issued by the authentication service network element for the terminal device. The authentication service network element trusted by the terminal device can be the first authentication device or other authentication devices. Wherein the second certificate may be used to represent identity information of the terminal device.
      The access control device may be provided with a first authentication certificate of an authentication service network element trusted by the access control device, and a first certificate issued by the authentication service network element for the access control device. Wherein the authentication service network element trusted by the access control device may be the first authentication device. Wherein the first certificate may be used to represent identity information of the access control device.
      The identity authentication system provided in this embodiment is further described below with reference to FIG. 1.
      The terminal device is used for encrypting the second certificate and the second random number with the second public key to obtain a second ciphertext, and sending an access authentication request message containing the second ciphertext to the access control device.
      The second random number is a temporary random number generated by the terminal device. After generating it, the terminal device may encrypt data content including the second certificate and the second random number with the second public key of the second authentication certificate installed on the terminal device to obtain the second ciphertext, and then send an access authentication request message containing the second ciphertext to the access control device.
      Alternatively, the terminal device may generate the second random number after receiving the authentication activation message from the access control device.
      The access control device is used for receiving the access authentication request message, obtaining a second ciphertext and sending a certificate authentication request message to the first authentication device.
      The access control device may receive an access authentication request message from the terminal device, and extract a second ciphertext included in the message. The access control device may further generate a first random number, and encrypt data content including the first certificate and the first random number by using a first public key of a first authentication certificate installed by the access control device to obtain a first ciphertext.
      The access control device may then send a certificate authentication request message containing the first ciphertext and the second ciphertext to a first authentication device that it trusts.
      The first authentication device is used for receiving a certificate authentication request message, obtaining a first ciphertext and a second ciphertext which are contained in the certificate authentication request message, decrypting the first ciphertext by using a first private key corresponding to a first public key to obtain a first certificate and a first random number, verifying the first certificate to obtain a first verification result, obtaining a second random number and a second authentication result, obtaining a first authentication result of the first certificate according to the first verification result and the second verification result, encrypting the first authentication result, the second authentication result and the second random number by using the first random number to obtain a third ciphertext, and sending a certificate authentication response message containing the third ciphertext to the access control device.
      The first authentication device may receive a certificate authentication request message from the access control device, and extract a first ciphertext and a second ciphertext included in the message.
      The first ciphertext is encrypted by using a first public key corresponding to a first authentication certificate of the first authentication device, so that the first authentication device can directly decrypt the first ciphertext by using a first private key corresponding to the first authentication certificate to obtain a first certificate and a first random number of the access control device. The first authentication device can verify the first certificate and obtain a corresponding first verification result because the first certificate is a certificate issued by the first authentication device. For example, the first verification result may include verification pass or verification fail.
      When the first authentication device is the authentication service network element trusted by the terminal device, the second authentication certificate installed on the terminal device may be a certificate of the first authentication device (the second authentication certificate may be the same as or different from the first authentication certificate). The first authentication device can then directly decrypt the second ciphertext with the second private key corresponding to the second authentication certificate to obtain the second certificate and the second random number of the terminal device. In this case the second certificate of the terminal device may also be a certificate issued by the first authentication device, so the first authentication device can verify the second certificate and obtain a corresponding second verification result; for example, the second verification result may indicate verification passed or verification failed. After obtaining the second verification result, the first authentication device may obtain a second authentication result of the second certificate according to the first verification result and the second verification result. Optionally, the second authentication result may include both the second certificate and the second verification result when the first verification result and the second verification result both indicate that verification passed, and may include the second verification result without the second certificate when either of them indicates that verification did not pass.
      Wherein the first authentication device is unable to decrypt the second ciphertext when the first authentication device is not an authentication service network element trusted by the terminal device. In this case, the first authentication device may forward the first verification result and the second ciphertext to the authentication service network element trusted by the terminal device, for example the second authentication device, and the second authentication device decrypts the second ciphertext by using a second private key corresponding to the second authentication certificate, so as to obtain a second certificate and a second random number of the terminal device, verifies the second certificate, and obtains a corresponding second verification result. Then, the second authentication device may obtain a second authentication result for the second certificate according to the first verification result and the second verification result. Optionally, the second authentication result may include the second certificate and the second verification result when both the first verification result and the second verification result indicate that verification is passed, and may include the second verification result without the second certificate when either the first verification result or the second verification result indicates that verification is not passed. The second authentication device may then send the second authentication result to the first authentication device along with the second random number. Optionally, the second authentication result and the second random number may be encrypted with the first public key of the first authentication certificate of the first authentication device before being sent, in which case the first authentication device obtains the second authentication result and the second random number after decrypting the corresponding information.
      After obtaining the second authentication result, the first authentication device may obtain the second verification result included in the second authentication result, and obtain a first authentication result for the first certificate according to the first verification result and the second verification result. For example, when both the first verification result and the second verification result indicate that verification is passed, the first authentication result may include the first certificate and the first verification result, and when either the first verification result or the second verification result indicates that verification is not passed, the first authentication result may include the first verification result without the first certificate.
      The first authentication device may encrypt the data content including the first authentication result, the second authentication result, and the second random number by using the first random number obtained by decrypting the first ciphertext before, to obtain the third ciphertext. Then, a certificate authentication response message containing the third ciphertext may be sent to the access control device.
      The access control device is also used for receiving the certificate authentication response message, obtaining a third ciphertext contained in the certificate authentication response message, decrypting the third ciphertext by using the first random number to obtain a second random number, a first authentication result and a second authentication result, determining whether the terminal device is credible or not according to the second authentication result, encrypting the first authentication result by using the second random number to obtain a fourth ciphertext, and sending the access authentication response message containing the fourth ciphertext to the terminal device.
      The access control device may receive a certificate authentication response message from the first authentication device, and extract a third ciphertext included in the message. Then, the access control device may decrypt the third ciphertext using the first random number to obtain a second random number, a first authentication result, and a second authentication result included therein.
      The access control device may obtain a second verification result included in the second authentication result, and determine whether the terminal device is trusted according to the second verification result. For example, when the second verification result indicates that the verification is passed, it may be determined that the terminal device is authentic. And when the second verification result indicates that the verification is not passed, it may be determined that the terminal device is not trusted.
      The access control device may encrypt the data content including the first authentication result by using the second random number to obtain a fourth ciphertext, and then send the fourth ciphertext to the terminal device.
      The terminal equipment is also used for receiving the access authentication response message to obtain a fourth ciphertext, decrypting the fourth ciphertext by using the second random number to obtain a first authentication result, and determining whether the access control equipment is credible or not according to the first authentication result.
      The terminal device may receive the access authentication response message from the access control device, and extract a fourth ciphertext included in the message. Then, the terminal device may decrypt the fourth ciphertext using the second random number to obtain a first authentication result included therein.
      The terminal device may obtain the first verification result included in the first authentication result, and determine whether the access control device is trusted according to the first verification result. For example, the access control device may be determined to be trusted when the first verification result indicates that verification is passed, and determined not to be trusted when the first verification result indicates that verification is not passed.
      In the identity authentication system, the terminal device encrypts its identity information and protection random number and provides them to the access control device; the access control device transmits the ciphertext of the terminal device together with its own encrypted identity information and protection random number to the authentication device; the authentication device decrypts and authenticates the ciphertexts of the terminal device and the access control device respectively, and encrypts the authentication results of both parties and the protection random number of the terminal device with the protection random number of the access control device before providing them to the access control device. The access control device can thus securely obtain the authentication results of both parties and the protection random number of the terminal device, determine whether the terminal device is trusted according to the authentication result, and securely transmit the authentication result of the terminal device to the terminal device under the protection random number of the terminal device. In the identity authentication process, no plaintext identity information or key is transmitted over the air interface, so the security of the identity authentication process is effectively improved and the risk of information exposure is avoided. In addition, the two parties performing identity authentication do not need to negotiate the protection information required for confidentiality during the identity authentication process, which simplifies the process and improves overall processing efficiency.
      In one exemplary embodiment, as shown in FIG. 2, an identity authentication system may include a terminal device, an access control device, a first authentication device, and a second authentication device. The second authentication device may be an authentication service network element (Authentication Service, AS) trusted by the terminal device, which may be a server, for example, an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server that provides a cloud computing service.
      The first authentication device is further configured to send a roaming authentication request message to the second authentication device.
      The first authentication device may send a roaming authentication request message to the second authentication device trusted by the terminal device, where the first authentication device is not an authentication service network element trusted by the terminal device. The roaming authentication request message may include a first public key of the first authentication certificate, a first verification result corresponding to the first certificate, and a second ciphertext.
      The second authentication device is used for receiving the roaming authentication request message, obtaining the first public key, the first verification result and the second ciphertext, decrypting the second ciphertext by using a second private key corresponding to the second public key to obtain a second random number and a second certificate, verifying the second certificate to obtain a second verification result, obtaining a second authentication result according to the second verification result, encrypting the second random number and the second authentication result by using the first public key to obtain a fifth ciphertext, and sending a roaming authentication response message containing the fifth ciphertext to the first authentication device.
      The second authentication device may receive the roaming authentication request message from the first authentication device, and extract the first public key, the first verification result, and the second ciphertext included in the message.
      The second ciphertext is encrypted by using a second public key corresponding to the second authentication certificate, so that the second authentication device can directly decrypt the second ciphertext by using a second private key corresponding to the second authentication certificate to obtain a second certificate and a second random number of the terminal device. Wherein, since the second certificate is a certificate issued by the second authentication device, the second authentication device can verify the second certificate and obtain a corresponding second verification result. For example, the second verification result may include verification pass or verification fail.
      Illustratively, the second authentication device may obtain a second authentication result for the second certificate according to the first verification result and the second verification result. Optionally, the second authentication result may include the second certificate and the second verification result when both the first verification result and the second verification result indicate that verification is passed, and may include the second verification result without the second certificate when either the first verification result or the second verification result indicates that verification is not passed.
      After the second authentication device obtains the second random number and the second authentication result, the second authentication device may encrypt the data content including the second random number and the second authentication result by using the first public key to obtain a fifth ciphertext. The second authentication device may then send a roaming authentication response message containing the fifth ciphertext to the first authentication device.
      The first authentication device is further configured to receive the roaming authentication response message, obtain a fifth ciphertext, and decrypt the fifth ciphertext with a first private key corresponding to the first public key to obtain a second random number and a second authentication result.
      The first authentication device may receive the roaming authentication response message from the second authentication device, and extract a fifth ciphertext included in the message. The first authentication device may then decrypt the fifth ciphertext using the first private key of the first authentication certificate to obtain a second random number and a second authentication result contained therein.
      In this embodiment, under the condition that authentication service network elements trusted by the terminal device and the access control device are different, the first authentication device transmits the second ciphertext to the second authentication device, the second authentication device is responsible for verifying the second certificate, and the obtained second authentication result and the second random number are encrypted and transmitted to the first authentication device, so that under the condition of ensuring data security, identity verification of the terminal device and acquisition of the second random number can be realized, and the overall security of the identity authentication process is improved.
      In an exemplary embodiment, the terminal device and the access control device may also conduct a negotiation of the shared key during the authentication process. Wherein:
       The terminal device is further configured to encrypt the second certificate, the second random number, and the second temporary public key with a second public key to obtain a second ciphertext, where the second temporary public key is used by the access control device to calculate the shared secret key. 
      And the first authentication device is used for encrypting the first authentication result, the second random number and the second temporary public key by using the first random number to obtain a third ciphertext.
      The access control device is further configured to decrypt the third ciphertext by using the first random number to obtain a second random number, a first authentication result, a second authentication result, and a second temporary public key, and encrypt the first authentication result and the first temporary public key by using the second random number to obtain a fourth ciphertext.
      The access control device is further configured to obtain the shared key according to the second temporary public key and the first temporary private key corresponding to the first temporary public key if the terminal device is trusted.
      And the terminal equipment is also used for decrypting the fourth ciphertext by using the second random number to obtain a first authentication result and a first temporary public key, and obtaining the shared secret key according to the first temporary public key and a second temporary private key corresponding to the second temporary public key if the access control equipment is trusted.
      In particular, to conduct a negotiation of the shared key, the terminal device may generate a second temporary public key and the access control device may generate a first temporary public key. The terminal device may encrypt the data content including the second certificate, the second random number, and the second temporary public key with the second public key to obtain a second ciphertext. Thus, as the second ciphertext is passed to the first authentication device and/or the second authentication device and decrypted, the first authentication device ultimately obtains the second temporary public key. After obtaining the first authentication result, the second random number, and the second temporary public key, the first authentication device may encrypt the data content including these items using the first random number to obtain the third ciphertext. The certificate authentication response message containing the third ciphertext may then be sent to the access control device.
      The access control device receives a certificate authentication response message from the first authentication device, decrypts a third ciphertext contained in the certificate authentication response message by using the first random number, and then obtains a first authentication result, a second random number and a second temporary public key. Based on the above, the access control device may encrypt the data content including the first authentication result and the first temporary public key by using the second random number to obtain a fourth ciphertext, and then send an access authentication response message including the fourth ciphertext to the terminal device. Meanwhile, the access control device can also use information comprising the first temporary private key corresponding to the first temporary public key and the second temporary public key to perform key exchange calculation to generate a shared key under the condition that the terminal device is judged to be trusted according to the second authentication result.
      After receiving the access authentication response message from the access control device, the terminal device decrypts the fourth ciphertext contained in the access authentication response message by using the second random number, so as to obtain a first authentication result and a first temporary public key. If the access control device is judged to be trusted according to the first authentication result, the terminal device can perform a key exchange calculation using information comprising the first temporary public key and a second temporary private key corresponding to the second temporary public key to generate a shared key.
      In this embodiment, exchange of the first temporary public key and the second temporary public key is implemented in the identity authentication process, so that interaction required for key negotiation between the terminal device and the access control device can be reduced, and the protocol process is simplified, and the protocol interaction efficiency is improved. The terminal equipment is enabled to add the second temporary public key to the second ciphertext, and the access control equipment is enabled to add the first temporary public key to the fourth ciphertext, so that encrypted transmission of the first temporary public key and the second temporary public key can be realized, and therefore, the transmission of the temporary public key without plaintext in an air interface domain in the identity authentication process is beneficial to improving the security of a protocol.
      In an exemplary embodiment, the terminal device and the access control device may further verify the authenticity of the first authentication result or the second authentication result using the digest value of the certificate. Wherein:
      The access control device is also used for sending an authentication activation message to the terminal device, wherein the authentication activation message comprises a first digest of the first certificate.
      The access control device may calculate digest information of the first certificate by using a digest algorithm to obtain a first digest. The access control device may then send an authentication activation message containing the first digest to the terminal device. The authentication activation message may be sent, for example, by the access control device to the terminal device at the beginning of the identity authentication procedure.
      The terminal device is also used for sending an access authentication request message to the access control device, wherein the access authentication request message comprises a second ciphertext and a second digest of a second certificate.
      After receiving the authentication activation message from the access control device, the terminal device may encrypt the second certificate and the second random number with the second public key to obtain a second ciphertext, and calculate the digest information of the second certificate with a digest algorithm to obtain a second digest of the second certificate. Then, the terminal device may send the second ciphertext and the second digest of the second certificate together to the access control device in an access authentication request message.
      The first authentication device is further configured to calculate a digest value of the first certificate if the first verification result and/or the second verification result indicate that verification is not passed, and obtain a first authentication result according to the digest value and the first verification result; and to obtain the first authentication result according to the first certificate and the first verification result if both the first verification result and the second verification result indicate that verification is passed.
      The first authentication device may obtain the first authentication result according to the first verification result, the second verification result, and the first certificate. Specifically, when either the first verification result or the second verification result indicates that the corresponding certificate verification is not passed, the first authentication device may calculate a digest value of the first certificate and include the digest value and the first verification result in the first authentication result. When both the first verification result and the second verification result indicate that the corresponding certificates pass verification, the first authentication device may include the first certificate and the first verification result in the first authentication result.
      The first authentication device or the second authentication device is further configured to calculate a digest value of the second certificate if the first verification result and/or the second verification result indicate that verification is not passed, and obtain a second authentication result according to the digest value and the second verification result; and to obtain the second authentication result according to the second certificate and the second verification result if both the first verification result and the second verification result indicate that verification is passed.
      Similarly to the way the first authentication result is obtained, after the first authentication device or the second authentication device verifies the second certificate, the second authentication result can be obtained from the first verification result, the second verification result and the second certificate. The second authentication result may include a digest value of the second certificate and the second verification result when either the first verification result or the second verification result indicates that the corresponding certificate verification fails, and may include the second certificate and the second verification result when both the first verification result and the second verification result indicate that the corresponding certificate verification passes.
      The access control device is further configured to determine whether the second authentication result is authentic according to consistency of the digest value and the second digest if the second authentication result includes the digest value of the authenticated certificate, and calculate the digest value of the authenticated certificate if the second authentication result includes the authenticated certificate, and determine whether the second authentication result is authentic according to consistency of the digest value and the second digest.
      Wherein, after obtaining the second authentication result, the access control device may first determine whether the second authentication result includes the authenticated certificate itself or a digest value of the authenticated certificate. Wherein the access control device may calculate a digest value of the authenticated certificate when the second authentication result contains the authenticated certificate.
      The access control device may then compare the digest value of the authenticated certificate with the second digest of the second certificate. If the two are consistent, the second authentication result is shown to be the authentication result for the second certificate, so the result is trusted; if they are inconsistent, the second authentication result is shown not to be the authentication result for the second certificate, so the result is not trusted. In this case, the access control device may determine that the identity authentication has failed.
      The terminal equipment is further used for determining whether the first authentication result is credible according to the consistency of the digest value and the first digest if the first authentication result comprises the digest value of the authenticated certificate, and calculating the digest value of the authenticated certificate if the first authentication result comprises the authenticated certificate and determining whether the first authentication result is credible according to the consistency of the digest value and the first digest.
      After obtaining the first authentication result, the terminal device may first determine whether the first authentication result includes the authenticated certificate itself or a digest value of the authenticated certificate. The terminal device may calculate a digest value of the authenticated certificate when the first authentication result contains the authenticated certificate.
      The terminal device may then compare the digest value of the authenticated certificate with the first digest of the first certificate. If the two are inconsistent, the first authentication result is shown not to be the authentication result for the first certificate, and the result is not trusted. In this case, the terminal device may determine that the identity authentication has failed.
      In this embodiment, the first verification result and the second verification result are obtained first; the first authentication result and the second authentication result include the corresponding authenticated certificates when both verification results pass, and include only the digest values of the corresponding authenticated certificates when either verification result fails, so that whenever the certificate verification of either party fails, that party's identity information is not exposed to the other party, which is beneficial to the security of the protocol. In addition, in this embodiment, the terminal device and the access control device verify the digest value of the authenticated certificate contained in the authentication result, so that the credibility of the authentication result can be evaluated and the security of the protocol is further improved.
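As an added illustration (not code from the patent) of the return path described in the system embodiment above and of the digest-based result check in this embodiment, the following Go program models the third and fourth ciphertexts as AES-256-GCM under a key derived from each party's random number. It assumes the authentication device has already decrypted the first and second ciphertexts, models certificate verification as membership in a constructed set of issued certificates, and uses a constructed JSON plaintext layout; all function and field names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Result: verification outcome plus the authenticated certificate when both sides
// passed, or only that certificate's digest when either side failed.
type Result struct {
	Pass         bool
	Cert, Digest []byte
}

// msg is the constructed plaintext layout of the third and fourth ciphertexts.
type msg struct {
	R2         []byte // second random number (present in the third ciphertext only)
	Res1, Res2 Result // first and second authentication results
}
func random(n int) []byte { b := make([]byte, n); rand.Read(b); return b }

// gcm derives a one-time AES-256-GCM key from a random number; seal/open then model
// "encrypt by using the first/second random number" (nonce prefixed to the ciphertext).
func gcm(secret []byte) cipher.AEAD {
	k := sha256.Sum256(secret)
	blk, _ := aes.NewCipher(k[:])
	g, _ := cipher.NewGCM(blk)
	return g
}

func seal(secret []byte, m msg) []byte {
	g := gcm(secret)
	pt, _ := json.Marshal(m)
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil)
}

func open(secret, ct []byte) (m msg, err error) {
	g := gcm(secret)
	if len(ct) < g.NonceSize() {
		return m, errors.New("short ciphertext")
	}
	pt, err := g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
	if err == nil {
		err = json.Unmarshal(pt, &m)
	}
	return m, err
}

// makeResult builds the authentication result of cert from its own verification result
// and the peer's: the certificate itself is included only when both passed.
func makeResult(cert []byte, own, other bool) Result {
	if own && other {
		return Result{Pass: true, Cert: cert}
	}
	d := sha256.Sum256(cert)
	return Result{Pass: own, Digest: d[:]}
}

// checkResult is the digest-consistency test: a result is trusted only if it reports a
// pass and refers to the peer certificate whose digest was announced in clear.
func checkResult(r Result, peerDigest []byte) bool {
	d := r.Digest
	if r.Cert != nil {
		s := sha256.Sum256(r.Cert)
		d = s[:]
	}
	return r.Pass && bytes.Equal(d, peerDigest)
}

// Respond is the authentication device step after decrypting the first ciphertext (acCert, r1)
// and the second (termCert, r2); "issued" is a constructed stand-in for certificate checks.
func Respond(issued map[string]bool, acCert, r1, termCert, r2 []byte) []byte {
	v1, v2 := issued[string(acCert)], issued[string(termCert)]
	return seal(r1, msg{R2: r2, Res1: makeResult(acCert, v1, v2), Res2: makeResult(termCert, v2, v1)})
}

// Exchange runs the flow for one pair of certificates and reports whether each side trusts
// the other and whether the access control device ever received the terminal's certificate.
func Exchange(issued map[string]bool, termCert, acCert []byte) (termTrusted, acTrusted, certExposed bool, err error) {
	d1, d2 := sha256.Sum256(acCert), sha256.Sum256(termCert) // digests exchanged in clear
	r1, r2 := random(32), random(32)
	c3 := Respond(issued, acCert, r1, termCert, r2) // third ciphertext, wrapped under r1
	m3, err := open(r1, c3)                          // access control device side
	if err != nil {
		return
	}
	termTrusted, certExposed = checkResult(m3.Res2, d2[:]), m3.Res2.Cert != nil
	c4 := seal(m3.R2, msg{Res1: m3.Res1}) // fourth ciphertext, wrapped under r2
	m4, err := open(r2, c4)               // terminal side
	if err != nil {
		return
	}
	acTrusted = checkResult(m4.Res1, d1[:])
	return
}
```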
      In order to further illustrate the identity authentication system of the present application, it is described below by way of a detailed example.
      Referring to fig. 3, the identity authentication system in this embodiment may include a terminal device, an access control device, a first authentication device, and a second authentication device. The system can perform identity authentication between the terminal equipment and the access control equipment according to the following process:
       Step S0, the access control device sends an authentication activation message to the terminal device. 
      Specifically, after the access control device establishes a wireless association with the terminal device, the access control device may send an authentication activation message to the terminal device to initiate access authentication. The authentication activation message comprises a first authentication identifier and a first digest of the first certificate. Wherein the first authentication identifier may be a random number generated by the access control device when initiating the access authentication.
      Step S1, a terminal device sends an access authentication request message to an access control device.
      Specifically, the terminal device may generate the second random number, the second temporary public key, and the second authentication identifier after receiving the authentication activation message. Wherein the second authentication identifier may be a random number generated by the terminal device.
      The terminal device may further use a private key corresponding to the second certificate to sign the content including the second random number, the second certificate and the second temporary public key, so as to obtain a second signature. The terminal device may also calculate a digest value of the second certificate using a digest algorithm, to obtain a second digest. The terminal device may then encrypt the second random number, the second temporary public key, the second certificate, the second signature using a second public key of the second authentication certificate, resulting in a second ciphertext. The terminal device may then send an access authentication request message containing the second ciphertext, the second digest of the second certificate, the first authentication identifier, and the second authentication identifier to the access control device.
      Step S2, the access control device sends a certificate authentication request message to the first authentication device.
      Specifically, the access control device may generate a first random number and a first temporary public key after receiving the access authentication request message. The access control device may further sign the content including the first random number and the first certificate by using a private key corresponding to the first certificate, so as to obtain a first signature. The access control device may then encrypt the first random number, the first certificate and the first signature using a first public key of the first authentication certificate to obtain a first ciphertext. Then, the access control device may send a certificate authentication request message including the first ciphertext, the second ciphertext, the first authentication identifier, and the second authentication identifier to the first authentication device.
      Step S3, the first authentication device sends a roaming authentication request message to the second authentication device.
      Specifically, after receiving the certificate authentication request message, the first authentication device may extract the first ciphertext, the second ciphertext, the first authentication identifier, and the second authentication identifier included in the certificate authentication request message.
      The first authentication device may decrypt the first ciphertext using a first private key of the first authentication certificate to obtain the first random number, the first certificate, and the first signature. The first authentication device may first perform signature verification on the first signature, and if the signature verification fails, obtain a first verification result corresponding to the first certificate as verification failure. If the first signature passes the verification, the first authentication device may verify the first certificate and obtain a corresponding first verification result.
      After obtaining the first verification result, the first authentication device may send a roaming authentication request message including the first authentication certificate, the first verification result, the second ciphertext, the second authentication identifier, and the roaming authentication request signature to the second authentication device. The roaming authentication request signature may be obtained by the first authentication device signing, by using a first private key corresponding to the first authentication certificate, other contents in the roaming authentication request message except for the roaming authentication request signature field.
      Step S4, the second authentication device sends a roaming authentication response message to the first authentication device.
      Specifically, after receiving the roaming authentication request message, the second authentication device may parse it to obtain the first authentication certificate, the first verification result, the second ciphertext, the second authentication identifier and the roaming authentication request signature. The second authentication device may first verify the roaming authentication request signature, and discard the message if the signature does not verify.
      When the roaming authentication request signature verifies, the second authentication device may decrypt the second ciphertext using the second private key of the second authentication certificate to obtain the second random number, the second certificate, the second temporary public key and the second signature. It may first verify the second signature; if that verification fails, the second verification result for the second certificate is recorded as verification failure. If the second signature verifies, the second authentication device may verify the second certificate and obtain the corresponding second verification result.
      The second authentication device may then form a second authentication result for the second certificate according to the first verification result and the second verification result. When both the first verification result and the second verification result indicate that verification passed, the second authentication result may include the second certificate and the second verification result; when either the first verification result or the second verification result indicates that verification did not pass, the second authentication result may include only the digest value of the second certificate and the second verification result.
      Alternatively, the structure of the authentication result in the present embodiment may be as shown in fig. 4. The authentication result may include a type, a length, a verification result, an authentication identifier, authenticated certificate information and an authenticator certificate. The type indicates that the information is an authentication result, the length indicates the length of the authentication result, and the authenticated certificate information may be the authenticated certificate itself or a digest value of the authenticated certificate. The verification result may be a numerical value: a value of 0 indicates that verification of the authenticated certificate passed, and a non-zero value indicates that verification did not pass, with different values identifying different reasons for failure. Taking the second authentication result as an example, the verification result is the second verification result corresponding to the second certificate, the authentication identifier is the second authentication identifier, the authenticated certificate information is the second certificate obtained by the second authentication device or the digest value of the second certificate calculated by the second authentication device using a digest algorithm, and the authenticator certificate is the second authentication certificate.
      After the second authentication device obtains the second authentication result, it may use the second private key corresponding to the second authentication certificate to sign the second authentication result, forming a second authentication result signature. The second authentication device may then encrypt data content including the second random number, the second temporary public key, the second authentication result and the second authentication result signature using the first public key of the first authentication certificate to obtain a fifth ciphertext. The second authentication device may then send a roaming authentication response message containing the second authentication certificate, the fifth ciphertext and the roaming authentication response signature to the first authentication device. The roaming authentication response signature may be obtained by the second authentication device signing, with the second private key corresponding to the second authentication certificate, the other contents of the roaming authentication response message except for the roaming authentication response signature field.
      Step S5, the first authentication device sends a certificate authentication response message to the access control device.
      Specifically, after receiving the roaming authentication response message, the first authentication device may parse it to obtain the second authentication certificate, the fifth ciphertext and the roaming authentication response signature. The first authentication device may first verify the roaming authentication response signature, and discard the message if the signature does not verify.
      When the roaming authentication response signature verifies, the first authentication device may decrypt the fifth ciphertext using the first private key of the first authentication certificate to obtain the second random number, the second temporary public key, the second authentication result and the second authentication result signature. The first authentication device may first verify the second authentication result signature using the second authentication certificate, and discard the received message if that verification fails. It may also obtain the authentication identifier included in the second authentication result and check whether it is identical to the second authentication identifier obtained from the certificate authentication request message. The first authentication device uses the second verification result included in the second authentication result only when the second authentication result signature verifies and the authentication identifier included in the second authentication result is identical to the second authentication identifier.
      The first authentication device may then form a first authentication result for the first certificate according to the first verification result and the second verification result. When both the first verification result and the second verification result indicate that verification passed, the first authentication result may include the first certificate and the first verification result; when either the first verification result or the second verification result indicates that verification did not pass, the first authentication result may include only the digest value of the first certificate and the first verification result.
      Alternatively, the first authentication result may also adopt the structure shown in fig. 4, where the verification result is the first verification result corresponding to the first certificate, the authentication identifier is the first authentication identifier, the authenticated certificate information is the first certificate obtained by the first authentication device or the digest value of the first certificate calculated by the first authentication device using a digest algorithm, and the authenticator certificate is the first authentication certificate.
      After the first authentication device obtains the first authentication result, it may use the first private key corresponding to the first authentication certificate to sign the first authentication result, forming a first authentication result signature. The first authentication device may then encrypt data content comprising the second random number, the second temporary public key, the second authentication result, the second authentication result signature, the first authentication result and the first authentication result signature using the first random number to obtain a third ciphertext. It may then send a certificate authentication response message containing the third ciphertext and the certificate authentication response signature to the access control device. The certificate authentication response signature may be obtained by the first authentication device signing, with the first private key corresponding to the first authentication certificate, the other contents of the certificate authentication response message except for the certificate authentication response signature field.
      Step S6, the access control device sends an access authentication response message to the terminal device.
      Specifically, after receiving the certificate authentication response message, the access control device may parse it to obtain the third ciphertext and the certificate authentication response signature. The access control device may first verify the certificate authentication response signature, and discard the message if the signature does not verify.
      When the certificate authentication response signature verifies, the access control device may decrypt the third ciphertext using the first random number to obtain the second random number, the second temporary public key, the second authentication result, the second authentication result signature, the first authentication result and the first authentication result signature.
      The access control device may verify the second authentication result signature using the authenticator certificate included in the second authentication result, and discard the received message if that verification fails. It may also obtain the authentication identifier included in the second authentication result and check whether it is consistent with the second authentication identifier obtained from the access authentication request message. The access control device uses the second authentication result only when the second authentication result signature verifies and the authentication identifier contained in the second authentication result is identical to the second authentication identifier.
      The access control device may then determine whether the authenticated certificate information contained in the second authentication result is a digest value of the authenticated certificate or the authenticated certificate itself. When it is the authenticated certificate itself, the access control device may calculate its digest value using a digest algorithm. The access control device then compares the digest value of the authenticated certificate with the second digest of the second certificate previously obtained from the access authentication request message. If the two are consistent, the second authentication result is shown to be the authentication result for the second certificate and is therefore credible; if they are inconsistent, the second authentication result is shown not to be the authentication result for the second certificate and is not credible. In the latter case the access control device may directly determine that identity authentication fails, without processing the second authentication result further.
      When the second authentication result is determined to be credible, the access control device may continue to process it and determine whether the terminal device is trusted according to the second verification result contained in the second authentication result. If the second verification result indicates that verification passed, the terminal device is determined to be trusted; otherwise it is determined to be not trusted.
      When the terminal device is determined to be trusted, the access control device may perform a key exchange calculation using information comprising the first temporary private key corresponding to the first temporary public key and the second temporary public key, to generate a shared key.
      The access control device may further encrypt data content including the first authentication result, the first authentication result signature and the first temporary public key using the second random number, to obtain a fourth ciphertext. The access control device may then send an access authentication response message including the fourth ciphertext to the terminal device.
      Step S7, the terminal device processes the access authentication response message.
      Specifically, after receiving the access authentication response message, the terminal device may parse it to obtain the fourth ciphertext. The fourth ciphertext is then decrypted using the second random number to obtain the first authentication result, the first authentication result signature and the first temporary public key.
      The terminal device may verify the first authentication result signature using the authenticator certificate contained in the first authentication result, and discard the received message if that verification fails. It may also obtain the authentication identifier contained in the first authentication result and check whether it is consistent with the first authentication identifier obtained from the authentication activation message. The terminal device uses the first authentication result only when the first authentication result signature verifies and the authentication identifier contained in the first authentication result is consistent with the first authentication identifier.
      The terminal device may then determine whether the authenticated certificate information contained in the first authentication result is a digest value of the authenticated certificate or the authenticated certificate itself. When it is the authenticated certificate itself, the terminal device may calculate its digest value using a digest algorithm. The terminal device then compares the digest value of the authenticated certificate with the first digest of the first certificate previously obtained from the authentication activation message. If the two are inconsistent, the first authentication result is shown not to be the authentication result for the first certificate and is not credible. In that case the terminal device may directly determine that identity authentication fails, without processing the first authentication result further.
      When the first authentication result is determined to be credible, the terminal device may continue to process it and determine whether the access control device is trusted according to the first verification result contained in the first authentication result. If the first verification result indicates that verification passed, the access control device is determined to be trusted; otherwise it is determined to be not trusted.
      When the access control device is determined to be trusted, the terminal device may perform a key exchange calculation using information comprising the second temporary private key corresponding to the second temporary public key and the first temporary public key, to generate a shared key.
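The construction of an authentication result (steps S4 and S5) and the checks its receiver runs on it (steps S6 and S7), as an added example that is not part of the patent or of any implementation of it. ECDSA P-256 stands in for SM2 and SHA-256 for the unnamed digest algorithm; the type value, the field encoding, the authenticator credential bytes and all inputs are constructed, and the trusted authenticator key is passed in directly rather than validated as a certificate.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// AuthResult holds the fig. 4 fields (Encode adds type and length). CredInfo is
// the authenticated certificate or its digest; AuthenticatorCert is constructed here.
type AuthResult struct {
	Verification      uint32 // 0 = passed, non-zero = reason verification failed
	AuthID            []byte // authentication identifier issued by the checker
	CredInfo          []byte
	CredIsDigest      bool
	AuthenticatorCert []byte
}

var errSignature = errors.New("result signature check failed: discard message")
var errAuthID = errors.New("authentication identifier mismatch: discard message")
var errNotOurs = errors.New("result is not for the expected certificate: not credible")

// Digest stands in for the page's unnamed digest algorithm (assumption: SHA-256).
func Digest(b []byte) []byte { s := sha256.Sum256(b); return s[:] }

// Build (steps S4/S5): the certificate itself only when both verifications passed, else its digest.
func Build(cert, authID, authenticatorCert []byte, ownVerif, peerVerif uint32) AuthResult {
	r := AuthResult{Verification: ownVerif, AuthID: authID, AuthenticatorCert: authenticatorCert}
	if ownVerif == 0 && peerVerif == 0 {
		r.CredInfo = cert
	} else {
		r.CredInfo, r.CredIsDigest = Digest(cert), true
	}
	return r
}

// Encode serialises type || length || fields (length-prefixed) as the bytes to be signed.
func (r AuthResult) Encode() []byte {
	var body, out bytes.Buffer
	binary.Write(&body, binary.BigEndian, r.Verification)
	binary.Write(&body, binary.BigEndian, r.CredIsDigest)
	for _, f := range [][]byte{r.AuthID, r.CredInfo, r.AuthenticatorCert} {
		binary.Write(&body, binary.BigEndian, uint16(len(f)))
		body.Write(f)
	}
	out.WriteByte(0x01) // constructed type value meaning "authentication result"
	binary.Write(&out, binary.BigEndian, uint16(body.Len()))
	return append(out.Bytes(), body.Bytes()...)
}

// Check is the receiver side of steps S6/S7: signature, then the identifier this receiver
// issued, then the digest comparison that decides whether the result concerns the expected
// certificate at all; only then is Verification consulted. pub is the trusted authenticator key.
func Check(r AuthResult, sig []byte, pub *ecdsa.PublicKey, wantID, wantDigest []byte) (bool, error) {
	if !ecdsa.VerifyASN1(pub, Digest(r.Encode()), sig) {
		return false, errSignature
	}
	if !bytes.Equal(r.AuthID, wantID) {
		return false, errAuthID
	}
	d := r.CredInfo
	if !r.CredIsDigest {
		d = Digest(r.CredInfo) // certificate included: digest it ourselves
	}
	if !bytes.Equal(d, wantDigest) {
		return false, errNotOurs
	}
	return r.Verification == 0, nil
}

// DemoAuthResult plays the access control device handling a second authentication result
// over constructed inputs; ECDSA P-256 signing stands in for SM2 (assumption).
func DemoAuthResult() (trusted, failedUntrusted, otherCert, staleID bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	sign := func(r AuthResult) []byte { s, _ := ecdsa.SignASN1(rand.Reader, priv, Digest(r.Encode())); return s }
	cert := []byte("constructed: second certificate")
	id := []byte("constructed: second authentication identifier")
	ac := []byte("constructed: second authentication certificate")
	r := Build(cert, id, ac, 0, 0) // both verifications passed: certificate included
	trusted, err = Check(r, sign(r), &priv.PublicKey, id, Digest(cert))
	r2 := Build(cert, id, ac, 7, 0) // second certificate failed: digest only, credible but untrusted
	ok2, err2 := Check(r2, sign(r2), &priv.PublicKey, id, Digest(cert))
	failedUntrusted = err2 == nil && !ok2
	r3 := Build([]byte("constructed: other certificate"), id, ac, 0, 0) // genuine result, wrong subject
	_, err3 := Check(r3, sign(r3), &priv.PublicKey, id, Digest(cert))
	otherCert = errors.Is(err3, errNotOurs)
	_, err4 := Check(r, sign(r), &priv.PublicKey, []byte("constructed: stale identifier"), Digest(cert))
	staleID = errors.Is(err4, errAuthID) // a replayed result with an old identifier is discarded
	return
}

func main() { fmt.Println(DemoAuthResult()) }
```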
      Optionally, to improve encryption and decryption efficiency, the first ciphertext, the second ciphertext and the fifth ciphertext in this embodiment may be formed as follows. The message encryptor uses the public key of the message decryptor to asymmetrically encrypt the random number in the content to be encrypted, forming a first sub-ciphertext, and uses that random number as a key to symmetrically encrypt the remaining content to be encrypted, forming a second sub-ciphertext. When decrypting, the message decryptor first uses the private key corresponding to its public key to asymmetrically decrypt the first sub-ciphertext and obtain the random number, and then uses the random number to symmetrically decrypt the second sub-ciphertext and obtain the corresponding data content. The asymmetric encryption algorithm in this process may be the SM2 algorithm and the symmetric encryption algorithm may be SM4-GCM, which carries a message authentication code. Consequently, if the second sub-ciphertext is modified or forged, the message authentication code check fails when the decryptor verifies the second sub-ciphertext; and if the first sub-ciphertext is modified or forged, the decryptor recovers a wrong random number and the message authentication code check fails when it decrypts the second sub-ciphertext with that random number. The message decryptor may discard the received message whenever the message authentication code check for the second sub-ciphertext fails.
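The two-part encryption just described, together with the two tamper cases it mentions, as an added example that is not part of the patent or of any implementation of it. RSA-OAEP and AES-256-GCM stand in for SM2 and SM4-GCM, and the nonce, key size and content are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Hybrid is the two-part ciphertext described above: Sub1 carries the random number
// (the symmetric key) under the decryptor's public key, Sub2 the remaining content under
// that key with an AEAD. RSA-OAEP and AES-256-GCM stand in for SM2 and SM4-GCM (assumption).
type Hybrid struct {
	Sub1  []byte // asymmetric ciphertext of the 32-byte random number
	Nonce []byte // GCM nonce, constructed here and carried beside Sub2
	Sub2  []byte // AES-GCM ciphertext || authentication tag of the content
}

var errMAC = errors.New("message authentication code check failed: discard message")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is the encryptor side: a fresh random number becomes Sub1, the content Sub2.
func Encrypt(pub *rsa.PublicKey, content []byte) (*Hybrid, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	sub1, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Hybrid{Sub1: sub1, Nonce: nonce, Sub2: gcm.Seal(nil, nonce, content, nil)}, nil
}

// Decrypt is the decryptor side: recover the random number from Sub1, then open Sub2 with it.
func Decrypt(priv *rsa.PrivateKey, h *Hybrid) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, h.Sub1, nil)
	if err != nil {
		return nil, errMAC // OAEP carries its own integrity check, so a modified Sub1 may fail here
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, errMAC
	}
	content, err := gcm.Open(nil, h.Nonce, h.Sub2, nil)
	if err != nil {
		return nil, errMAC // modified Sub2, or a forged Sub1 that yielded the wrong key
	}
	return content, nil
}

// DemoHybrid runs the three cases from the page: intact message, modified Sub2, and a
// forged Sub1 (a valid asymmetric ciphertext of some other random number).
func DemoHybrid() (intact, sub2Rejected, sub1Rejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	content := []byte("constructed: second random number | second certificate | second temporary public key")
	h, err := Encrypt(&priv.PublicKey, content)
	if err != nil {
		return
	}
	got, errGot := Decrypt(priv, h)
	intact = errGot == nil && bytes.Equal(got, content)
	modified := &Hybrid{Sub1: h.Sub1, Nonce: h.Nonce, Sub2: append([]byte(nil), h.Sub2...)}
	modified.Sub2[0] ^= 0x01 // flip one bit of the symmetric ciphertext
	_, errMod := Decrypt(priv, modified)
	sub2Rejected = errors.Is(errMod, errMAC)
	other := make([]byte, 32)
	rand.Read(other)
	forgedSub1, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, other, nil)
	if err != nil {
		return
	}
	_, errForged := Decrypt(priv, &Hybrid{Sub1: forgedSub1, Nonce: h.Nonce, Sub2: h.Sub2})
	sub1Rejected = errors.Is(errForged, errMAC)
	return
}

func main() { fmt.Println(DemoHybrid()) }
```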
      It will be appreciated that when the authentication service network element trusted by the terminal device and the one trusted by the access control device are the same, the system may comprise only the terminal device, the access control device and the first authentication device. In that case the first authentication device verifies the first signature and the second signature, decrypts the first ciphertext and the second ciphertext, verifies the first certificate and the second certificate to obtain the first verification result and the second verification result respectively, forms the first authentication result and the second authentication result corresponding to the first verification result and the second verification result, and signs both authentication results.
      In this embodiment, identity information is transmitted to the authentication device as ciphertext; the authentication device decrypts it, performs identity authentication, and returns the authentication result, the temporary protection random number and the key negotiation information in a secure manner. No separate message protection key therefore needs to be negotiated for confidentiality during the identity authentication process, which simplifies the protocol and improves interaction efficiency. No plaintext identity information or temporary public key is transmitted over the air interface during identity authentication, and when either party's identity verification fails, its identity is not exposed to the other party, which helps improve the security of the protocol. In addition, the terminal device and the access control device check the digest value of the authenticated certificate contained in the authentication result, so the credibility of the authentication result can be evaluated, further improving the security of the protocol. Meanwhile, the access control device generates the first authentication identifier and the terminal device generates the second authentication identifier, and both are carried in the exchanged messages, so the freshness of the identity authentication process can be ensured by checking the authentication identifiers. Further, each device signs the information it sends and the receiver verifies that signature, so the reliability of the information source can be ensured, further improving the security of the identity authentication process.
      Based on the same inventive concept, the embodiment of the application also provides an identity authentication method. The implementation of the solution provided by the method is similar to the implementation described in the system embodiment, so for the specific limitations of the one or more method embodiments provided below, reference may be made to the limitations of the authentication system described above, which are not repeated here.
      In an exemplary embodiment, as shown in fig. 5, there is provided an identity authentication method, which is described by taking an example that the method is applied to the access control device in fig. 1, and includes the following steps:
      Step S501, receiving an access authentication request message from a terminal device, and obtaining a second ciphertext included in the access authentication request message. The second ciphertext comprises a second certificate and a second random number encrypted by a second public key.
      Step S502, a certificate authentication request message is sent to a first authentication device, wherein the certificate authentication request message comprises a first ciphertext and a second ciphertext. The first ciphertext comprises a first certificate encrypted by a first public key and a first random number.
      Step S503, receiving the certificate authentication response message from the first authentication device, and obtaining the third ciphertext included in the certificate authentication response message. The third ciphertext comprises a first authentication result, a second authentication result and a second random number which are encrypted by the first random number, wherein the first authentication result corresponds to the first certificate, and the second authentication result corresponds to the second certificate.
      Step S504, decrypting the third ciphertext with the first random number to obtain the second random number, the first authentication result and the second authentication result, and determining whether the terminal device is trusted according to the second authentication result.
      Step S505, encrypting the first authentication result with the second random number to obtain a fourth ciphertext, and sending an access authentication response message containing the fourth ciphertext to the terminal device.
      In one exemplary embodiment, the second ciphertext further comprises a second temporary public key encrypted with the second public key, and the third ciphertext further comprises the second temporary public key encrypted with the first random number. Decrypting the third ciphertext with the first random number then yields the second random number, the first authentication result, the second authentication result and the second temporary public key. Encrypting the first authentication result with the second random number to obtain the fourth ciphertext then comprises encrypting the first authentication result and a first temporary public key with the second random number, the first temporary public key being used by the terminal device to calculate a shared key. The method further comprises, after determining whether the terminal device is trusted according to the second authentication result, obtaining the shared key according to the second temporary public key and the first temporary private key corresponding to the first temporary public key.
      In an exemplary embodiment, the access authentication request message further includes a second digest of the second certificate, and after decrypting the third ciphertext with the first random number to obtain the second random number, the first authentication result and the second authentication result, the method further comprises: if the second authentication result includes the digest value of the authenticated certificate, determining whether the second authentication result is credible according to the consistency of that digest value with the second digest; and if the second authentication result includes the authenticated certificate, calculating the digest value of the authenticated certificate and determining whether the second authentication result is credible according to the consistency of that digest value with the second digest.
      In an exemplary embodiment, as shown in fig. 6, there is provided an identity authentication method, which is illustrated by taking application of the method to the terminal device in fig. 1 as an example, and includes the following steps:
      Step S601, encrypting the second certificate and the second random number using the second public key to obtain a second ciphertext.
      Step S602, an access authentication request message containing the second ciphertext is sent to the access control device.
      Step S603, receiving an access authentication response message from the access control device, and obtaining a fourth ciphertext included in the access authentication response message. The fourth ciphertext is obtained by the access control device encrypting the first authentication result with the second random number; the second random number and the first authentication result are obtained by the access control device from a certificate authentication response message received from the first authentication device; and the first authentication result is obtained after the first authentication device verifies a first certificate of the access control device.
      Step S604, decrypting the fourth ciphertext by using the second random number to obtain a first authentication result, and determining whether the access control device is trusted or not according to the first authentication result.
      In an exemplary embodiment, encrypting the second certificate and the second random number with the second public key to obtain the second ciphertext comprises encrypting the second certificate, the second random number and a second temporary public key with the second public key, the second temporary public key being used by the access control device to calculate a shared key. The fourth ciphertext further comprises a first temporary public key encrypted with the second random number, and decrypting the fourth ciphertext with the second random number to obtain the first authentication result comprises decrypting the fourth ciphertext with the second random number to obtain the first authentication result and the first temporary public key. After determining whether the access control device is trusted according to the first authentication result, if the access control device is trusted, the shared key is obtained according to the first temporary public key and the second temporary private key corresponding to the second temporary public key.
      In an exemplary embodiment, before sending the access authentication request message containing the second ciphertext to the access control device, the method comprises receiving an authentication activation message from the access control device, the authentication activation message comprising a first digest of the first certificate. After decrypting the fourth ciphertext with the second random number to obtain the first authentication result, the method further comprises: if the first authentication result contains the digest value of the authenticated certificate, determining whether the first authentication result is credible according to the consistency of that digest value with the first digest; and if the first authentication result contains the authenticated certificate, calculating the digest value of the authenticated certificate and determining whether the first authentication result is credible according to the consistency of that digest value with the first digest.
      In an exemplary embodiment, as shown in fig. 7, there is provided an identity authentication method, which is described by taking an example that the method is applied to the first authentication device in fig. 1, including the steps of:
      Step S701, receiving a certificate authentication request message from an access control device, and obtaining a first ciphertext and a second ciphertext included in the certificate authentication request message. The first ciphertext is obtained by the access control device encrypting the first certificate and the first random number with a first public key; the second ciphertext is received by the access control device from the terminal device and is obtained by the terminal device encrypting the second certificate and the second random number with a second public key.
      Step S702, decrypting the first ciphertext by using a first private key corresponding to the first public key to obtain a first certificate and a first random number, and verifying the first certificate to obtain a first verification result.
      Step S703, acquiring a second random number and a second authentication result. The second random number is obtained by decrypting the second ciphertext with a second private key corresponding to the second public key, and the second authentication result comprises a second verification result obtained by verifying the second certificate.
      Step S704, obtaining a first authentication result for the first certificate according to the first verification result and the second verification result.
      Step S705, encrypt the first authentication result, the second authentication result and the second random number by using the first random number to obtain the third ciphertext.
      Step S706, a certificate authentication response message containing the third ciphertext is sent to the access control device.
      In an exemplary embodiment, obtaining the first authentication result for the first certificate according to the first verification result and the second verification result comprises: if the first verification result and/or the second verification result indicates that verification did not pass, calculating a digest value of the first certificate and obtaining the first authentication result according to that digest value and the first verification result; and if both the first verification result and the second verification result indicate that verification passed, obtaining the first authentication result according to the first certificate and the first verification result. Additionally or alternatively, the second authentication result further comprises a digest value of the second certificate if the first verification result and/or the second verification result indicates that verification did not pass, and further comprises the second certificate if both the first verification result and the second verification result indicate that verification passed.
      In an exemplary embodiment, acquiring the second random number and the second authentication result comprises receiving a fifth ciphertext from a second authentication device and decrypting the fifth ciphertext with the first private key corresponding to the first public key to obtain the second random number and the second authentication result. The fifth ciphertext is obtained by the second authentication device encrypting the second random number and the second authentication result with the first public key, the second random number being obtained by the second authentication device decrypting the second ciphertext with the second private key corresponding to the second public key, and the second authentication result comprising the second verification result obtained by the second authentication device verifying the second certificate.
      It should be understood that, although the steps in the flowcharts related to the above embodiments are sequentially shown as indicated by arrows, these steps are not necessarily sequentially performed in the order indicated by the arrows. The steps are not strictly limited to the order of execution unless explicitly recited herein, and the steps may be executed in other orders. Moreover, at least some of the steps in the flowcharts described in the above embodiments may include a plurality of steps or a plurality of stages, which are not necessarily performed at the same time, but may be performed at different times, and the order of the steps or stages is not necessarily performed sequentially, but may be performed alternately or alternately with at least some of the other steps or stages.
      Based on the same inventive concept, the embodiment of the application also provides an identity authentication device for realizing the identity authentication method. The implementation of the solution provided by the device is similar to the implementation described in the above method, so the specific limitation of one or more embodiments of the identity authentication device provided below may be referred to the limitation of the identity authentication method hereinabove, and will not be repeated here.
      In one exemplary embodiment, as shown in fig. 8, there is provided an identity authentication apparatus 800 comprising:
       The first receiving module 801 is configured to receive an access authentication request message from a terminal device, and obtain a second ciphertext included in the access authentication request message, where the second ciphertext includes a second certificate encrypted by a second public key and a second random number. 
      The first sending module 802 is configured to send a certificate authentication request message to a first authentication device, where the certificate authentication request message includes a first ciphertext and a second ciphertext, and the first ciphertext includes a first certificate encrypted by a first public key and a first random number.
      The second receiving module 803 is configured to receive a certificate authentication response message from the first authentication device, and obtain a third ciphertext included in the certificate authentication response message, where the third ciphertext includes a first authentication result encrypted by the first random number, a second authentication result, and a second random number, the first authentication result corresponds to the first certificate, and the second authentication result corresponds to the second certificate.
      The decryption module 804 is configured to decrypt the third ciphertext by using the first random number to obtain a second random number, a first authentication result, and a second authentication result, and determine whether the terminal device is trusted according to the second authentication result.
      A third sending module 805, configured to encrypt the first authentication result with the second random number to obtain a fourth ciphertext, and send an access authentication response message containing the fourth ciphertext to the terminal device.
      In an exemplary embodiment, the second ciphertext further comprises a second temporary public key encrypted by the second public key, and the third ciphertext further comprises the second temporary public key encrypted by the first random number; the decryption module 804 is configured to decrypt the third ciphertext by using the first random number to obtain the second random number, the first authentication result, the second authentication result and the second temporary public key; the third sending module 805 is configured to encrypt the first authentication result and a first temporary public key by using the second random number to obtain the fourth ciphertext, the first temporary public key being used by the terminal device to calculate a shared key; and the apparatus further comprises a key calculation module configured to obtain the shared key according to the second temporary public key and a first temporary private key corresponding to the first temporary public key if the terminal device is trusted.
      In an exemplary embodiment, the access authentication request message further comprises a second digest of the second certificate, and the apparatus further comprises a first comparison module configured to determine, if the second authentication result comprises the digest value of the authenticated certificate, whether the second authentication result is trusted according to the consistency of that digest value with the second digest, and a second comparison module configured to calculate, if the second authentication result comprises the authenticated certificate, the digest value of the authenticated certificate and determine whether the second authentication result is trusted according to the consistency of the calculated digest value with the second digest.
      In an exemplary embodiment, as shown in fig. 9, there is provided an identity authentication apparatus 900, including:
       the encryption module 901 is configured to encrypt the second certificate and the second random number with the second public key to obtain a second ciphertext. 
      A sending module 902, configured to send an access authentication request packet including the second ciphertext to the access control device.
      A receiving module 903, configured to receive an access authentication response message from the access control device and obtain a fourth ciphertext included in the access authentication response message, where the fourth ciphertext is obtained by the access control device encrypting the first authentication result by using the second random number, and the access control device obtains the second random number and the first authentication result according to a certificate authentication response message received from the first authentication device.
       and the decryption module 904 is configured to decrypt the fourth ciphertext by using the second random number to obtain a first authentication result, and determine whether the access control device is trusted according to the first authentication result. 
      In an exemplary embodiment, the encryption module 901 is configured to encrypt the second certificate, the second random number and a second temporary public key with the second public key to obtain the second ciphertext, the second temporary public key being used by the access control device to calculate a shared key; the fourth ciphertext further includes a first temporary public key encrypted with the second random number; the decryption module 904 is configured to decrypt the fourth ciphertext with the second random number to obtain the first authentication result and the first temporary public key; and the apparatus further includes a key calculation module configured to obtain the shared key according to the first temporary public key and a second temporary private key corresponding to the second temporary public key if the access control device is trusted.
      In an exemplary embodiment, the apparatus further comprises an activation receiving module, a result obtaining module, a first comparison module and a second comparison module. The activation receiving module is configured to receive an authentication activation message from the access control device, the authentication activation message comprising a first digest of the first certificate; the result obtaining module is configured to obtain the first verification result contained in the first authentication result; the first comparison module is configured to determine, if the first authentication result contains the digest value of the authenticated certificate, whether the first authentication result is trusted according to the consistency of that digest value with the first digest; and the second comparison module is configured to calculate, if the first authentication result contains the authenticated certificate, the digest value of the authenticated certificate and determine whether the first authentication result is trusted according to the consistency of the calculated digest value with the first digest.
      In one exemplary embodiment, as shown in fig. 10, there is provided an identity authentication device 1000 comprising:
       The receiving module 1001 is configured to receive a certificate authentication request message from an access control device, obtain a first ciphertext and a second ciphertext that are included in the certificate authentication request message, where the first ciphertext is obtained by encrypting a first certificate and a first random number by the access control device using a first public key, the second ciphertext is received by the access control device from a terminal device, and the second ciphertext is obtained by encrypting a second certificate and a second random number by the terminal device using a second public key. 
      The decryption module 1002 is configured to decrypt the first ciphertext by using a first private key corresponding to the first public key to obtain a first certificate and a first random number, and verify the first certificate to obtain a first verification result.
      The first obtaining module 1003 is configured to obtain a second random number and a second authentication result, where the second random number is obtained by decrypting a second ciphertext with a second private key corresponding to the second public key, and the second authentication result includes a second verification result obtained by verifying the second certificate.
      The second obtaining module 1004 is configured to obtain a first authentication result of the first certificate according to the first verification result and the second verification result.
      The encryption module 1005 is configured to encrypt the first authentication result, the second authentication result, and the second random number with the first random number to obtain a third ciphertext.
      A sending module 1006, configured to send a certificate authentication response message including the third ciphertext to the access control device.
      In an exemplary embodiment, the second obtaining module 1004 is configured to calculate a digest value of the first certificate if the first verification result and/or the second verification result indicate that verification is not passed, and obtain the first authentication result according to the digest value and the first verification result; and to obtain the first authentication result according to the first certificate and the first verification result if the first verification result and the second verification result both indicate that verification is passed. In addition or alternatively, the second authentication result further includes a digest value of the second certificate if the first verification result and/or the second verification result indicate that verification is not passed, and further includes the second certificate if both verification results indicate that verification is passed.
      In an exemplary embodiment, the first obtaining module 1003 is configured to send a roaming authentication request packet to the second authentication device, where the roaming authentication request packet includes the first public key, the first verification result and the second ciphertext; receive a roaming authentication response packet from the second authentication device and obtain a fifth ciphertext included in it, where the fifth ciphertext is obtained by the second authentication device encrypting the second random number and the second authentication result with the first public key, the second random number is obtained by the second authentication device decrypting the second ciphertext with a second private key corresponding to the second public key, and the second authentication result includes a second verification result obtained by the second authentication device verifying the second certificate; and decrypt the fifth ciphertext with the first private key to obtain the second random number and the second authentication result.
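      The result construction of steps S704 to S705 (module 1004), the decryption and re-encryption performed by modules 804 and 805, and the digest comparison performed by the comparison modules of apparatus 800 and 900, as an added illustrative model that is not the patent's own code. SHA-256 digests, an HMAC-based encrypt-then-MAC keyed from the random numbers, and the JSON field names are assumptions, since the description names no concrete algorithms or encodings.

```python
"""Model of steps S704-S706 and of the decryption and comparison modules.
Added example, not the patent's code: SHA-256 digests and an HMAC-based
encrypt-then-MAC keyed from the random numbers are assumed stand-ins."""
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 12, 32

def digest(cert: bytes) -> str:
    """Digest value of a certificate (SHA-256 assumed)."""
    return hashlib.sha256(cert).hexdigest()

def build_authentication_result(cert: bytes, own_verified: bool, peer_verified: bool) -> dict:
    """S704: the result carries the full certificate only when both verification
    results pass; if either fails it carries only the certificate's digest value."""
    result = {"verified": own_verified}
    if own_verified and peer_verified:
        result["certificate"] = cert.hex()
    else:
        result["digest"] = digest(cert)
    return result

def result_trusted(result: dict, expected_digest: str) -> bool:
    """Comparison modules: trusted only if the verification flag is set and the digest
    carried (or the digest of the certificate carried) equals the one already held."""
    if "certificate" in result:
        got = digest(bytes.fromhex(result["certificate"]))
    elif "digest" in result:
        got = result["digest"]
    else:
        return False
    return bool(result.get("verified")) and hmac.compare_digest(got, expected_digest)

def _keys(random_number: bytes):
    """Separate encryption and MAC keys derived from one random number."""
    return (hashlib.sha256(b"enc" + random_number).digest(),
            hashlib.sha256(b"mac" + random_number).digest())

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher."""
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(random_number: bytes, payload: dict) -> bytes:
    """'Encrypt with the random number': nonce || ciphertext || tag."""
    enc_key, mac_key = _keys(random_number)
    nonce = os.urandom(NONCE_LEN)
    body = nonce + _xor_stream(enc_key, nonce, json.dumps(payload, sort_keys=True).encode())
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def unwrap(random_number: bytes, ciphertext: bytes):
    """Inverse of wrap; None if the tag fails (wrong random number or altered bytes)."""
    enc_key, mac_key = _keys(random_number)
    body, tag = ciphertext[:-TAG_LEN], ciphertext[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        return None
    return json.loads(_xor_stream(enc_key, body[:NONCE_LEN], body[NONCE_LEN:]))

def certificate_authentication_response(first_cert, first_random, first_verified,
                                        second_cert, second_random, second_verified):
    """S704-S705 on the first authentication device: both results and the second
    random number, encrypted with the first random number (the third ciphertext)."""
    return wrap(first_random, {
        "first_result": build_authentication_result(first_cert, first_verified, second_verified),
        "second_result": build_authentication_result(second_cert, second_verified, first_verified),
        "second_random": second_random.hex()})

def access_control_handle(third_ct, first_random, expected_second_digest):
    """Modules 804/805: judge the terminal by the second result, then re-encrypt the
    first result under the second random number (the fourth ciphertext)."""
    plain = unwrap(first_random, third_ct)
    if plain is None:
        return False, None
    trusted = result_trusted(plain["second_result"], expected_second_digest)
    return trusted, wrap(bytes.fromhex(plain["second_random"]), plain["first_result"])

def terminal_handle(fourth_ct, second_random, expected_first_digest):
    """Module 904 plus the comparison modules of apparatus 900."""
    first_result = unwrap(second_random, fourth_ct)
    return first_result is not None and result_trusted(first_result, expected_first_digest)
```

A response under the wrong random number or with a modified byte fails the tag check and is discarded before parsing, and a result whose certificate or digest does not match the digest the receiver already holds is not trusted even when its verification flag is set.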
      The modules in the identity authentication device can be implemented in whole or in part by software, hardware and a combination thereof. The above modules may be embedded in hardware or may be independent of a processor in the communication device, or may be stored in software in a memory in the communication device, so that the processor may call and execute operations corresponding to the above modules.
      In an exemplary embodiment, a communication device is provided, which may be a server, and an internal structure thereof may be as shown in fig. 11. The communication device comprises a processor, a memory, an Input/Output interface (I/O) and a communication interface. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface is connected to the system bus through the input/output interface. Wherein the processor of the communication device is configured to provide computing and control capabilities. The memory of the communication device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The input/output interface of the communication device is used to exchange information between the processor and the external device. The communication interface of the communication device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement an identity authentication method.
      In an exemplary embodiment, a communication device, which may be a terminal, is provided, and an internal structure thereof may be as shown in fig. 12. The communication device includes a processor, a memory, an input/output interface, a communication interface, a display unit, and an input device. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface, the display unit and the input device are connected to the system bus through the input/output interface. The processor of the communication device is configured to provide computing and control capabilities. The memory of the communication device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and the computer program in the non-volatile storage medium. The input/output interface of the communication device is used to exchange information between the processor and external devices. The communication interface of the communication device is used for wired or wireless communication with an external terminal, and the wireless communication can be realized through Wi-Fi, a mobile cellular network, Near Field Communication (NFC) or other technologies. The computer program is executed by the processor to implement an identity authentication method. The display unit of the communication device is used for forming a visible picture and can be a display screen, a projection device or a virtual reality imaging device. The display screen can be a liquid crystal display screen or an electronic ink display screen, and the input device of the communication device can be a touch layer covering the display screen, a key, a trackball or a touch pad arranged on the housing of the communication device, or an external keyboard, touch pad or mouse, and the like.
      It will be appreciated by those skilled in the art that the structure shown in fig. 11 or 12 is merely a block diagram of a portion of the structure associated with the present inventive arrangements and is not limiting of the communication device to which the present inventive arrangements are applied, and that a particular communication device may include more or fewer components than shown, or may combine certain components, or have a different arrangement of components.
      In an embodiment, there is also provided a communication device including a memory and a processor, the memory storing a computer program, the processor implementing the steps of the method embodiments described above when executing the computer program.
      In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored which, when executed by a processor, carries out the steps of the method embodiments described above.
      In an embodiment, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the steps of the method embodiments described above.
      It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present application are both information and data authorized by the user or sufficiently authorized by each party, and the collection, use and processing of the related data are required to meet the related regulations.
      Those skilled in the art will appreciate that implementing all or part of the above-described methods may be accomplished by way of a computer program, which may be stored on a non-transitory computer readable storage medium and which, when executed, may comprise the steps of the above-described embodiments of the methods. Any reference to memory, database, or other medium used in embodiments provided herein may include at least one of non-volatile memory and volatile memory. The non-volatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high density embedded non-volatile memory, resistive random access memory (Resistive Random Access Memory, ReRAM), magneto-resistive memory (Magnetoresistive Random Access Memory, MRAM), ferroelectric memory (Ferroelectric Random Access Memory, FRAM), phase change memory (Phase Change Memory, PCM), graphene memory, and the like. Volatile memory can include random access memory (Random Access Memory, RAM) or external cache memory, and the like. By way of illustration, and not limitation, RAM can be in various forms such as static random access memory (Static Random Access Memory, SRAM) or dynamic random access memory (Dynamic Random Access Memory, DRAM), etc. The databases referred to in the embodiments provided herein may include at least one of a relational database and a non-relational database. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processor referred to in the embodiments provided in the present application may be a general-purpose processor, a central processing unit, a graphics processor, a digital signal processor, a programmable logic unit, a data processing logic unit based on quantum computation, an artificial intelligence (Artificial Intelligence, AI) processor, or the like, but is not limited thereto.
      The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the present application.
      The foregoing examples illustrate only a few embodiments of the application, which are described in detail and are not to be construed as limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of the application should be assessed as that of the appended claims.
    Claims (11)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title | 
|---|---|---|---|
| CN202510331864.XA CN119997023A (en) | 2025-03-20 | 2025-03-20 | Identity authentication method and system | 
Publications (1)
| Publication Number | Publication Date | 
|---|---|
| CN119997023A true CN119997023A (en) | 2025-05-13 | 
Family
ID=95646990
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date | 
|---|---|---|---|
| CN202510331864.XA Pending CN119997023A (en) | 2025-03-20 | 2025-03-20 | Identity authentication method and system | 
Country Status (1)
| Country | Link | 
|---|---|
| CN (1) | CN119997023A (en) | 
- 2025-03-20 CN CN202510331864.XA patent/CN119997023A/en active Pending
Similar Documents
| Publication | Publication Date | Title | 
|---|---|---|
| CN110971415B (en) | An anonymous access authentication method and system for a space-earth integrated spatial information network | |
| US11533297B2 (en) | Secure communication channel with token renewal mechanism | |
| CN113691502B (en) | Communication method, device, gateway server, client and storage medium | |
| CN109309566B (en) | An authentication method, device, system, device and storage medium | |
| CN114244502B (en) | Signature key generation method, device and computer equipment based on SM9 algorithm | |
| CN116708039B (en) | Access method, device and system based on zero-trust single-package authentication | |
| CN114553557B (en) | Key calling method, device, computer equipment and storage medium | |
| JP2024500526A (en) | Identity authentication method, authentication access controller and requesting device, storage medium, program, and program product | |
| WO2022135391A1 (en) | Identity authentication method and apparatus, and storage medium, program and program product | |
| CN117560150A (en) | Key determination method, device, electronic equipment and computer-readable storage medium | |
| WO2022135392A1 (en) | Identity authentication method and apparatus, device, chip, storage medium, and program | |
| CN117041956A (en) | Communication authentication method, device, computer equipment and storage medium | |
| CN113595742A (en) | Data transmission method, system, computer device and storage medium | |
| CN114760040A (en) | Identity authentication method and device | |
| CN115529129B (en) | Encrypted communication method, system, computer device, readable storage medium, and program product | |
| CN114760044A (en) | Identity authentication method and device | |
| CN116015906B (en) | Node authorization method, node communication method and device for privacy calculation | |
| CN116233843A (en) | B5G/6G network slice authentication method for industrial Internet | |
| CN116055063A (en) | Vehicle networking communication method, device, computer equipment and storage medium | |
| WO2022135404A1 (en) | Identity authentication method and device, storage medium, program, and program product | |
| WO2022135383A1 (en) | Identity authentication method and apparatus | |
| CN119997023A (en) | Identity authentication method and system | |
| CN114760027A (en) | Identity authentication method and device | |
| CN114760035A (en) | Identity authentication method and device | |
| CN105049433A (en) | Identified card number information transmission verification method and system | 
Legal Events
| Date | Code | Title | Description | 
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||