Authentication method and apparatus

By collaborating with cloud phone servers and messaging systems, and utilizing SIM card identifiers to obtain GBA authentication information, the problem of GBA authentication being impossible for terminals without SIM cards is solved, thus enabling verification of the identity and legitimacy of terminals without SIM cards.

CN119865814BActive Publication Date: 2026-07-10CHINA MOBILE INTERNET CO LTD +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
CHINA MOBILE INTERNET CO LTD
Filing Date
2024-12-31
Publication Date
2026-07-10

Smart Images

  • Figure CN119865814B_ABST
    Figure CN119865814B_ABST
Patent Text Reader

Abstract

This application provides an authentication method and apparatus. The method, applied to a messaging system, specifically includes: receiving a first authentication request from a service server requesting GBA authentication information from a cloud phone server; receiving a second authentication request from the cloud phone server requesting GBA authentication information; sending a third authentication request to a BSF server based on the SIM card identifier; receiving GBA authentication information from the BSF server; and sending the GBA authentication information back to the cloud phone server, so that the cloud phone server can send a fourth authentication request carrying the GBA authentication information to the service server, so that the service server can perform GBA authentication on the cloud phone based on the GBA authentication information. This application solves the problem of terminals without SIM cards being able to use GBA authentication.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application belongs to the technical field of cloud phone general bootstrapping architecture (GBA) mechanism, and particularly relates to an authentication method and device. Background Technology

[0002] In a mobile network environment, when a user accesses certain services using a terminal, the service provider can use the General Bootstrapping Architecture (GBA) technology, which is based on the Subscriber Identity Module (SIM card), to reliably authenticate the user's identity and ensure that the user can access the services legitimately.

[0003] In existing technologies, GBA authentication is typically achieved between a terminal with a SIM card carrying a pre-installed key and the service provider's server via HyperText Transfer Protocol (HTTP). However, this method only performs GBA authentication on terminals with SIM cards to verify the legitimacy of the user's identity; it cannot use GBA authentication to fully verify the legitimacy of the user's identity on third-party devices that do not carry SIM cards. Summary of the Invention

[0004] This application provides an authentication method and apparatus that solves the problem of using GBA authentication for terminals without SIM cards.

[0005] In a first aspect, embodiments of this application provide an authentication method applied to a messaging system, the method comprising:

[0006] When the cloud phone server receives a first authentication request from the business server to request GBA authentication information, it receives a second authentication request from the cloud phone server to request GBA authentication information. The second authentication request includes the SIM card identifier. The first authentication request is sent by the business server after determining that there is no GBA authentication information in the business access request sent by the cloud phone through the cloud phone server.

[0007] Based on the SIM card identifier, a third authentication request is sent to the BSF server. The third authentication request includes authentication request parameters.

[0008] Receive GBA authentication information sent by the BSF server. The GBA authentication information is determined based on the authentication request parameters.

[0009] Send GBA authentication information to the cloud phone server so that the cloud phone server can send a fourth authentication request carrying the GBA authentication information to the business server so that the business server can perform GBA authentication on the cloud phone based on the GBA authentication information.

[0010] Secondly, an authentication method is provided for use on a cloud phone server, the method comprising:

[0011] When the cloud phone server receives a first authentication request from the business server requesting GBA authentication information, it sends a second authentication request to the messaging system to request GBA authentication information. The second authentication request includes a SIM card identifier, which the messaging system uses to send a third authentication request to the BSF server based on the SIM card identifier. The third authentication request includes authentication request parameters and receives GBA authentication information from the BSF server. The GBA authentication information is determined based on the authentication request parameters. The first authentication request is sent by the business server when it determines that there is no GBA authentication information in the business access request sent by the cloud phone through the cloud phone server.

[0012] Receive GBA authentication information sent by the message system;

[0013] A fourth authentication request carrying GBA authentication information is sent to the business server so that the business server can perform GBA authentication on the cloud phone based on the GBA authentication information.

[0014] Thirdly, an authentication device is provided for use in a messaging system, the device comprising:

[0015] The receiving module is used to receive a second authentication request sent by the cloud phone server to request GBA authentication information when the cloud phone server receives a first authentication request sent by the service server to request GBA authentication information. The second authentication request includes a SIM card identifier. The first authentication request is sent by the service server after determining that there is no GBA authentication information in the service access request sent by the cloud phone through the cloud phone server.

[0016] The sending module is used to send a third authentication request to the BSF server based on the SIM card identifier. The third authentication request includes authentication request parameters.

[0017] The receiving module is also used to receive GBA authentication information sent by the BSF server. The GBA authentication information is determined based on the authentication request parameters.

[0018] The sending module is also used to send GBA authentication information to the cloud phone server, so that the cloud phone server can send a fourth authentication request carrying the GBA authentication information to the business server, so that the business server can perform GBA authentication on the cloud phone based on the GBA authentication information.

[0019] Fourthly, an authentication device is provided for use on a cloud mobile phone server, the device comprising:

[0020] The sending module is used to send a second authentication request to the messaging system to request GBA authentication information when the cloud phone server receives a first authentication request from the business server to request GBA authentication information. The second authentication request includes a SIM card identifier, so that the messaging system can send a third authentication request to the BSF server based on the SIM card identifier. The third authentication request includes authentication request parameters and receives GBA authentication information sent by the BSF server. The GBA authentication information is determined based on the authentication request parameters. The first authentication request is sent by the business server when it is determined that there is no GBA authentication information in the business access request sent by the cloud phone through the cloud phone server.

[0021] The receiving module is used to receive GBA authentication information sent by the messaging system;

[0022] The sending module is also used to send a fourth authentication request carrying GBA authentication information to the business server, so that the business server can perform GBA authentication on the cloud phone based on the GBA authentication information.

[0023] Fifthly, an electronic device is provided, comprising: a memory for storing computer program instructions; and a processor for reading and executing the computer program instructions stored in the memory to perform an authentication method provided by any optional embodiment of the first or second aspect.

[0024] In a sixth aspect, a computer storage medium is provided, on which computer program instructions are stored, wherein when the computer program instructions are executed by a processor, the authentication method provided by any optional implementation of the first or second aspect is implemented.

[0025] In a seventh aspect, a computer program product is provided, the computer program product including a computer program, which, when executed by a processor, implements the authentication method provided by any optional implementation of the first aspect or the second aspect.

[0026] In this embodiment, the messaging system, upon receiving a first authentication request from the service server requesting GBA authentication information from the cloud phone server, can also receive a second authentication request from the cloud phone server requesting GBA authentication information. Since the second authentication request includes a SIM card identifier, the messaging system can send a third authentication request to the Bootstrap Service (BSF) server based on the SIM card identifier. This third authentication request can include authentication request parameters. After the BSF server determines the GBA authentication information based on these parameters, it can receive the GBA authentication information from the BSF server and send it back to the cloud phone server. This allows the cloud phone server to send a fourth authentication request carrying the GBA authentication information to the service server, enabling the service server to perform GBA authentication on the cloud phone based on the GBA authentication information. Thus, for cloud phones without a SIM card, GBA authentication information can be obtained through interaction between the messaging system and the BSF server based on the corresponding SIM card identifier, effectively solving the problem of GBA authentication being available for terminals without SIM cards. Attached Figure Description

[0027] To more clearly illustrate the technical solutions of the embodiments of this application, the accompanying drawings used in the embodiments of this application will be briefly introduced below. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0028] Figure 1 This is one of the flowcharts illustrating an authentication method provided in an embodiment of this application;

[0029] Figure 2 This is a second schematic flowchart of an authentication method provided in an embodiment of this application;

[0030] Figure 3 This is the third flowchart illustrating an authentication method provided in this application embodiment;

[0031] Figure 4 This is the fourth flowchart illustrating an authentication method provided in this application embodiment;

[0032] Figure 5 This is a schematic diagram of the structure of an authentication device provided in an embodiment of this application;

[0033] Figure 6 This is a schematic diagram of another authentication device provided in an embodiment of this application;

[0034] Figure 7 This is a schematic diagram of the structure of an electronic device provided in an embodiment of this application. Detailed Implementation

[0035] The features and exemplary embodiments of various aspects of this application will be described in detail below. To make the objectives, technical solutions, and advantages of this application clearer, the application will be further described in detail below with reference to the accompanying drawings and specific embodiments. It should be understood that the specific embodiments described herein are only intended to explain this application and not to limit it. For those skilled in the art, this application can be implemented without some of these specific details. The following description of the embodiments is merely to provide a better understanding of this application by illustrating examples.

[0036] It should be noted that, in this document, relational terms such as "first" and "second" are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising..." does not exclude the presence of additional identical elements in the process, method, article, or apparatus that includes the element.

[0037] In this article, the term "and / or" is merely a description of the relationship between related objects, indicating that there can be three relationships. For example, A and / or B can represent three situations: A exists alone, A and B exist simultaneously, and B exists alone.

[0038] As described in the background section, to address the problem in existing technologies where terminals without SIM cards cannot use GBA authentication, this application provides an authentication method and apparatus. The messaging system, upon receiving a first authentication request from a service server requesting GBA authentication information from a cloud phone server, can then receive a second authentication request from the cloud phone server requesting GBA authentication information. Since the second authentication request includes a SIM card identifier, the messaging system can send a third authentication request to the Bootstrap Service (BSF) server based on the SIM card identifier. This third authentication request can include authentication request parameters. After the BSF server determines the GBA authentication information based on these parameters, it can receive the GBA authentication information from the BSF server and send it back to the cloud phone server. This allows the cloud phone server to send a fourth authentication request carrying the GBA authentication information to the service server, enabling the service server to perform GBA authentication on the cloud phone based on the GBA authentication information. Thus, for cloud phones without SIM cards, GBA authentication information can be obtained through interaction between the messaging system and the BSF server based on the corresponding SIM card identifier, effectively solving the problem of terminals without SIM cards being able to use GBA authentication.

[0039] The authentication method provided in this application embodiment, with reference to the accompanying drawings, will be described in detail below.

[0040] Figure 1 This is one of the flowcharts illustrating the authentication method provided in the embodiments of this application.

[0041] like Figure 1 As shown, the executing entity of this method can be a messaging system. Based on this, the authentication method provided in this application embodiment may specifically include the following steps:

[0042] S110: When the cloud phone server receives the first authentication request sent by the business server for requesting GBA authentication information, it receives the second authentication request sent by the cloud phone server for requesting to obtain GBA authentication information.

[0043] In some embodiments, the second authentication request includes a SIM card identifier, which may refer to a user number, and is not specifically limited thereto. Additionally, the first authentication request is sent by the service server after determining that the service access request sent by the cloud phone through the cloud phone server does not contain GBA authentication information.

[0044] Specifically, when a cloud phone wants to access certain services, it needs to send a service access request to the service server through the cloud phone server. If the service server determines that the service access request sent by the cloud phone through the cloud phone server does not contain GBA authentication information, it can send a first authentication request to the cloud phone server to request GBA authentication information for GBA authentication. Subsequently, the cloud phone server can send a second authentication request to the messaging system. In this way, the messaging system can receive the second authentication request sent by the cloud phone server to obtain GBA authentication information after the cloud phone server receives the first authentication request sent by the service server.

[0045] S120 sends a third authentication request to the BSF server based on the SIM card identifier.

[0046] In some embodiments, the third authentication request may include authentication request parameters.

[0047] Specifically, since the second authentication request may include the SIM card identifier, the messaging system can send a third authentication request to the Bootstrapping Server Function (BSF) server based on the SIM card identifier in the second authentication request after receiving it, thereby interacting with the BSF server to obtain GBA authentication information.

[0048] S130 receives GBA authentication information sent by the BSF server.

[0049] In some embodiments, the GBA authentication information may be determined based on the authentication request parameters in the third authentication request.

[0050] Specifically, after the messaging system sends a third authentication request to the BSF server based on the SIM card identifier in the second authentication request, the BSF server can determine the GBA authentication information based on the authentication request parameters in the third authentication request, and then send the GBA authentication information to the messaging system. In this way, the messaging system can receive the GBA authentication information sent by the BSF server.

[0051] S140, send GBA authentication information to the cloud phone server, so that the cloud phone server can send a fourth authentication request carrying the GBA authentication information to the business server, so that the business server can perform GBA authentication on the cloud phone based on the GBA authentication information.

[0052] Specifically, after the messaging system receives the GBA authentication information, it can send the GBA authentication information to the cloud phone server. In this way, the cloud phone server can send a fourth authentication request carrying the GBA authentication information to the business server, so that the business server can perform GBA authentication on the cloud phone based on the GBA authentication information.

[0053] More specifically, after the messaging system receives the GBA authentication information, it can send the GBA authentication information to the cloud phone server. The cloud phone server can then store this GBA authentication information locally and send a fourth authentication request carrying the GBA authentication information to the business server. The business server can then interact with the BSF server according to the GBA authentication process to obtain verification information used to verify the GBA authentication information. This verification information is also essentially GBA authentication information. If this verification information matches the aforementioned GBA authentication information, the cloud phone server and the business server complete subsequent business process interactions. It should be noted that if the GBA authentication information that the messaging system can send to the cloud phone server is encrypted, the cloud phone server needs to decrypt it using the corresponding key and algorithm.

[0054] In this embodiment, the messaging system, upon receiving a first authentication request from the service server requesting GBA authentication information from the cloud phone server, can also receive a second authentication request from the cloud phone server requesting GBA authentication information. Since the second authentication request includes a SIM card identifier, the messaging system can send a third authentication request to the Bootstrap Service (BSF) server based on the SIM card identifier. This third authentication request can include authentication request parameters. After the BSF server determines the GBA authentication information based on these parameters, it can receive the GBA authentication information from the BSF server and send it back to the cloud phone server. This allows the cloud phone server to send a fourth authentication request carrying the GBA authentication information to the service server, enabling the service server to perform GBA authentication on the cloud phone based on the GBA authentication information. Thus, for cloud phones without a SIM card, GBA authentication information can be obtained through interaction between the messaging system and the BSF server based on the SIM card identifier in the authentication request sent by the corresponding cloud phone server, effectively solving the problem of GBA authentication being available for terminals without SIM cards.

[0055] In one embodiment, the messaging system may include a messaging platform and at least one messaging terminal, each messaging terminal carrying a SIM card.

[0056] Based on this, the steps described above for sending a third authentication request to the Boot Service Function (BSF) server based on the SIM card identifier may specifically include:

[0057] The target messaging terminal is identified from at least one messaging terminal through the messaging platform based on the SIM card identifier;

[0058] The target message terminal sends a third-party authentication request to the BSF server.

[0059] Specifically, since the messaging system includes a messaging platform and at least one messaging terminal, and each messaging terminal carries a SIM card, the messaging system can determine the target messaging terminal carrying a SIM card corresponding to the aforementioned SIM card identifier from at least one messaging terminal through the messaging platform based on the SIM card identifier, and then send a second authentication request to the BSF server through the target messaging terminal to request the corresponding GBA authentication information.

[0060] In this embodiment, when the messaging system includes a messaging platform and at least one messaging terminal carrying a SIM card, the target messaging terminal corresponding to the SIM card identifier in the second authentication request is first determined. Then, the target messaging terminal can interact with the BSF server to accurately and effectively obtain the GBA authentication information corresponding to the cloud phone.

[0061] In one embodiment, the first authentication request further includes a GBA identifier and initial authentication request parameters. These initial authentication request parameters include a SIM card identifier, which is obtained by the cloud phone server encrypting the data using a preset encryption algorithm and a first public key. The preset encryption algorithm can be pre-set based on practical experience and is not specifically limited here. Additionally, the authentication request parameters in the third authentication request may include these initial authentication request parameters.

[0062] Based on this, before determining the target messaging terminal from at least one messaging terminal through the messaging platform based on the SIM card identifier, the authentication method provided in this application embodiment further includes:

[0063] The first private key corresponding to the GBA identifier was retrieved through the messaging platform based on the GBA identifier.

[0064] After decrypting the authentication request information using the first private key, the decrypted initial authentication request parameters are obtained.

[0065] Specifically, since the first authentication request also includes a GBA identifier and initial authentication request parameters, and the authentication request information includes a SIM card identifier, the initial authentication request parameters are obtained by the cloud phone server using a preset encryption algorithm and the first public key. Therefore, the message system can query the first private key corresponding to the GBA identifier through the message platform, and use the first private key to decrypt the authentication request information to obtain the decrypted initial authentication request parameters.

[0066] In this embodiment, the initial authentication request parameters can be encrypted before the cloud phone server sends the second authentication request, and then decrypted using a private key through the messaging system. This effectively prevents the authentication request parameters from being tampered with during transmission and ensures their accuracy.

[0067] In one embodiment, before sending a third authentication request to the BSF server via the target messaging terminal, the authentication method provided in this application embodiment further includes:

[0068] The fifth authentication request is sent to the target messaging terminal through the messaging platform. The fifth authentication request includes the initial authentication request parameters and the GBA information flag.

[0069] Based on this, the above-mentioned sending of a third authentication request to the BSF server via the target message terminal includes:

[0070] The initial authentication request parameters are obtained by identifying the GBA information flag bit by the target message terminal;

[0071] The target message terminal sends a third-party authentication request to the BSF server.

[0072] Specifically, a fifth authentication request can be sent to the target message terminal through the messaging platform. The fifth authentication request includes initial authentication request parameters and GBA information flags. The target message terminal can then identify the GBA information flags and parse the initial authentication request parameters. Since the authentication request parameters in the third authentication request can be determined based on the initial authentication request parameters, a second authentication request can be sent to the BSF server through the target message terminal.

[0073] In one example, the initial authentication request parameters involved in this embodiment may include nonce, opaque, realm, nsf_fqdn, and SIM card identifier. Here, nonce, opaque, and realm are parameters returned by the service server to the cloud phone server, and nsf_fqdn refers to the access domain name of the service server, i.e., a parameter in the first authentication request. Furthermore, the authentication request parameters involved in this embodiment may, in addition to the above initial authentication request parameters, also include information such as the GBA information flag and the operation type of gba_req.

[0074] In this embodiment, after the target messaging terminal is determined, an authentication request can be sent to the target messaging terminal through the messaging platform, so that the target messaging terminal can establish an interaction with the BSF server, and the target messaging terminal can accurately and effectively obtain GBA authentication information from the BSF server.

[0075] In some embodiments, the fifth authentication request may further include a second public key, which is used by the target messaging terminal to encrypt GBA authentication information, and a second private key corresponding to the second public key is stored in the messaging platform and used to decrypt the GBA authentication information sent by the target messaging terminal.

[0076] It should be noted that, in order to enable GBA authentication for third-party system HTTP requests during message communication between the messaging platform and the messaging terminal, the message protocol and message structure need to be extended to facilitate the communication of GBA authentication information. Therefore, the XML message body carries a GBA information flag, and the postback.data of the suggestion button or reply message carries the operation type of gba_req, as well as the corresponding operation parameters nonce, opaque, nsf_fqdn, and public key public_key. Here, public_key is the public key issued by the messaging platform to the user's messaging terminal, which is used for encrypting the GBA authentication information returned by the messaging terminal.

[0077] In this embodiment, a public key can be provided to the target messaging terminal in advance. After obtaining the GBA authentication information, the target messaging terminal can use this public key to encrypt the GBA authentication information and store a second private key corresponding to the second public key in the messaging platform for decrypting the GBA authentication information sent by the target messaging terminal. This effectively ensures the accuracy of the GBA authentication information during transmission.

[0078] To provide a detailed description of the authentication method provided in the embodiments of this application, in one embodiment, the initial authentication request parameters include a SIM card identifier; before sending the fifth authentication request to the target messaging terminal through the messaging platform, the method further includes:

[0079] A second public key is generated based on a preset key generation function and the SIM card identifier;

[0080] A second private key is generated based on a preset key generation function, the SIM card identifier, and a random number.

[0081] The preset key generation function can be pre-set based on practical experience or circumstances, and is not specifically limited here. For example, the preset key generation function can be a hash function.

[0082] Specifically, since the authentication request may include the SIM card identifier, the messaging system can generate a second public key based on a preset key generation function and the SIM card identifier, and then generate a second private key based on the preset key generation function, the SIM card identifier, and a random number.

[0083] In one example, the second public key and the second private key can be generated as follows: The messaging platform can select addition clusters W1 and W2 on an elliptic curve, where the generator of cluster W1 is p and the order is q greater than or equal to 2l, where l is the security factor, and the generator of cluster W2 is p.

[0084] The target message terminal UE1 selects a bilinear mapping e: W1*W2→W2, a hash function F1: {0,1}*→W1*, F2: {0,1}*→Zq*, F3: W2→Zq*, F4: W1→Zq*, selects a master key X∈Zq* in Zq*, and calculates the corresponding public key Y=xP.

[0085] Thus, the token coefficient library constructed by the messaging platform is {W1, W2, q, p, e, F1, F2, F3, F4, Y}. Based on this, the messaging platform generates public and private tokens corresponding to the user ID (corresponding to the SIM card identifier mentioned above), with the second public key = F1(ID) and the second private key = xF1(ID), and records and stores them. It should be noted that the above public and private key generation algorithm is based on elliptic curve algorithm, combined with the user login number ID of 5G messaging and a fixed random number as the key for generating the secret key, thereby enabling different users to have isolated private secure encrypted content when transmitting GBA authentication information.

[0086] In this embodiment, a second public key can be generated based on a preset key generation function and the SIM card identifier, and then a second private key can be generated based on the preset key generation function, the SIM card identifier, and a random number. Thus, by generating an accurate key using the SIM card identifier and a random number, the accuracy of GBA authentication information during transmission can be effectively guaranteed, enabling different users to have isolated, secure, encrypted content when transmitting GBA authentication information.

[0087] In order to accurately describe the authentication method provided in the embodiments of this application, in one embodiment, the step of receiving GBA authentication information sent by the BSF server may specifically include:

[0088] Receive GBA authentication information sent by the BSF server through the target message terminal;

[0089] Based on this, the steps described above for sending GBA authentication information to the cloud phone server may specifically include:

[0090] Send GBA authentication information to the messaging platform via the target messaging terminal;

[0091] Send GBA authentication information to the cloud phone server through the messaging platform.

[0092] Specifically, since the messaging system can include a messaging platform and at least one messaging terminal, the messaging system can receive GBA authentication information sent by the BSF server through the target messaging terminal, and can send GBA authentication information to the messaging platform through the target messaging terminal, and then send GBA authentication information to the cloud phone server through the messaging platform.

[0093] It should be noted that, in the above embodiments, the GBA authentication information is determined by the BSF server based on the authentication request parameters, which may include nonce, opaque, realm, nsf_fqdn, and public_key. Thus, the target message terminal can initiate a GBA authentication request to the BSF server according to the 5G message interface specification. The BSF server returns a 401 response carrying the nonce. Here, nonce = "base64(RAND+AUTN+server specific data)", where base64 refers to the encoding method, RAND is a random number, AUTN is the authentication token number, and server specific data refers to a server-specific number. The target message terminal calculates and generates RES (response value) based on the BSF server's shared key K and RAND, and re-initiates a GBA authentication request to the BSF server, this time carrying RES. After the BSF server verifies the validity of RES, it generates a B-TID based on RAND. This B-TID is the guiding transaction identifier and stores IMPI, IK, and CK, where IMPI is the IP Multimedia Private Identity, IK is the integrity key, and CK is the encryption key. Then, a 200 OK response is returned to the target messaging terminal, carrying the B-TID and the validity period of Ks. The target messaging terminal generates a session key Ks_NAF according to the FQDN-based 5G messaging terminal platform interface specification. The target messaging terminal encrypts the authentication information, including B-TID, Ks_NAF, Ks_NAF validity period, IMPI, etc., into a postback field value and sends it uplink to the 5G messaging platform using public_key. This message body also carries the GBA message flag bit of the GBA authentication message. Here, public_key is the public key; GBA authentication information M = {B-TID, RES, Ks_NAF, Ks_NAF validity period, IMPI…} GBA-related authentication information.

[0094] Thus, after receiving the uplink message, the messaging platform identifies the GBA message flag and parses the `postback.data` part of the message body to determine that the `type` is a successful GBA authentication. It then decrypts the message information using the second private key to obtain the GBA authentication information `M` of the target messaging terminal. Furthermore, the messaging platform can call back the cloud phone server's GBA authentication interface, with the interface parameters carrying authentication information encrypted using the symmetric key `pKey` and the SM4 algorithm. In this embodiment, after identifying the target messaging terminal corresponding to the SIM card identifier, the terminal can interact with the BSF server to obtain GBA authentication information, effectively solving the problem of terminals without SIM cards being able to use GBA authentication.

[0095] In some embodiments, the messaging platform may include a 5G messaging platform, and correspondingly, the messaging terminal may be a 5G messaging terminal.

[0096] In this embodiment, when devices such as cloud phones that do not carry SIM cards need to perform GBA authentication, the 5G messaging platform can identify a 5G messaging terminal with a SIM card to replace the cloud phone in interacting with the BSF server to obtain GBA authentication information, effectively solving the problem that terminals without SIM cards can use GBA authentication.

[0097] Figure 2 This is a second schematic flowchart of an authentication method provided in an embodiment of this application.

[0098] like Figure 2 As shown, the execution entity of this method can be a cloud phone server. Based on this, the authentication method can specifically include the following steps:

[0099] S210: When the cloud phone server receives the first authentication request sent by the business server for requesting GBA authentication information, it sends a second authentication request to the messaging system for requesting to obtain GBA authentication information. This allows the messaging system to send a third authentication request to the BSF server based on the SIM card identifier and receive the GBA authentication information sent by the BSF server.

[0100] The second authentication request includes the SIM card identifier. Additionally, the first authentication request is sent by the service server after determining that the service access request sent by the cloud phone through the cloud phone server does not contain GBA authentication information.

[0101] S220 receives GBA authentication information sent by the message system.

[0102] S230 sends a fourth authentication request carrying GBA authentication information to the business server, so that the business server can perform GBA authentication on the cloud phone based on the GBA authentication information.

[0103] Specifically, the cloud phone can send a service access request to the service server through the cloud phone server. The service server can determine whether the service access request contains GBA authentication information. If the service server determines that the service access request sent by the cloud phone through the cloud phone server does not contain GBA authentication information, it can send the first authentication request to the cloud phone server. In this way, the cloud phone server can send a first authentication request to the messaging system to request the acquisition of the universal authentication mechanism GBA authentication information. The messaging system can then send a third authentication request to the bootstrap service function (BSF) server based on the SIM card identifier included in the second authentication request, and receive the GBA authentication information sent by the BSF server. Subsequently, the cloud phone server can receive the GBA authentication information sent by the messaging system to the cloud phone server, and then send a fourth authentication request carrying GBA authentication information to the service server, so that the service server can perform GBA authentication on the cloud phone based on the GBA authentication information.

[0104] In this embodiment, the cloud phone server can send a first authentication request to the messaging system to request GBA authentication information. The second authentication request includes a SIM card identifier, which the messaging system uses to send a third authentication request to the Bootstrap Service (BSF) server based on the SIM card identifier. The server then receives the GBA authentication information from the BSF server, receives the GBA authentication information sent by the messaging system to the cloud phone server, and sends a fourth authentication request carrying the GBA authentication information to the service server. This allows the service server to perform GBA authentication on the cloud phone based on the GBA authentication information. Thus, for cloud phones without a SIM card, GBA authentication information can be obtained through interaction between the messaging system and the BSF server based on the corresponding SIM card identifier, effectively solving the problem of GBA authentication being available for terminals without SIM cards.

[0105] In one embodiment, sending a first authentication request to the messaging system to request retrieval of GBA authentication information includes:

[0106] Receive service access requests sent by the cloud phone;

[0107] Forward business access requests to the business server;

[0108] If the business server determines that there is no GBA authentication information in the business access request, it receives the first authentication request sent by the business server.

[0109] Specifically, the cloud phone server can receive service access requests sent by the cloud phone and forward them to the service server. In this way, if the service server determines that there is no GBA authentication information in the service access request, it can receive the first authentication request sent by the service server.

[0110] In this embodiment, the cloud phone server can forward the cloud phone's service access request to the service server. If the service server determines that the service access request does not contain GBA authentication information, it can then receive the first authentication request sent by the service server. This allows for accurate and effective determination of whether GBA authentication information exists in the service access request.

[0111] In one embodiment, the messaging system includes a messaging platform and at least one messaging terminal; sending a first authentication request to the messaging system to request the acquisition of GBA authentication information may specifically include:

[0112] Send a first authentication request to the messaging platform so that the messaging platform can determine the target messaging terminal from at least one messaging terminal based on the SIM card identifier, and send a second authentication request to the BSF server through the target messaging terminal, and receive GBA authentication information sent by the BSF server through the target messaging terminal, and send GBA authentication information to the messaging platform through the target messaging terminal;

[0113] The above-mentioned S220 may specifically include the following steps:

[0114] The system receives GBA authentication information sent through the messaging platform.

[0115] Specifically, since the messaging system includes a messaging platform and at least one messaging terminal, and each messaging terminal carries a SIM card, the cloud phone server can send a first authentication request to the messaging platform. This allows the messaging platform to identify the target messaging terminal from the at least one messaging terminal based on the SIM card identifier. The target messaging terminal then sends a second authentication request to the BSF server and receives GBA authentication information from the BSF server. The target messaging terminal then sends GBA authentication information to the messaging platform, which in turn sends GBA authentication information to the cloud phone server. Thus, the cloud phone server can receive the GBA authentication information sent by the messaging system through the messaging platform.

[0116] In this embodiment, for cloud phones without SIM cards, the corresponding terminal with a SIM card can be identified based on its corresponding SIM card identifier. The terminal can then interact with the BSF server to obtain GBA authentication information, effectively solving the problem that terminals without SIM cards can use GBA authentication.

[0117] In some embodiments, the messaging platform may include a 5G messaging platform, and correspondingly, the messaging terminal may be a 5G messaging terminal.

[0118] In this embodiment, when devices such as cloud phones that do not carry SIM cards need to perform GBA authentication, the 5G messaging platform can identify a 5G messaging terminal with a SIM card to replace the cloud phone in interacting with the BSF server to obtain GBA authentication information, effectively solving the problem that terminals without SIM cards can use GBA authentication.

[0119] In order to fully describe the authentication method provided by the embodiments of this application, in a complete embodiment, such as Figure 3 As shown, the authentication method provided in this application embodiment may specifically include the following steps:

[0120] S301, the cloud phone sends a service access request to the cloud phone server.

[0121] S302, the cloud mobile server forwards business access requests to the business server.

[0122] S303, the business server queries whether GBA authentication information exists in the business access request.

[0123] S304: If the business access request does not contain GBA authentication information, the business server sends the first authentication request to the cloud phone.

[0124] S305, the cloud phone server sends a second authentication request to the messaging platform to request GBA authentication information.

[0125] S306, using the messaging platform to determine the target messaging terminal from at least one messaging terminal based on the SIM card identifier.

[0126] S307, send a fifth authentication request to the target message terminal.

[0127] S308 sends a third authentication request to the BSF server through the target message terminal.

[0128] S309 receives GBA authentication information sent by the BSF server through the target message terminal.

[0129] S310 sends GBA authentication information to the messaging platform through the target messaging terminal.

[0130] S311 sends GBA authentication information to the cloud phone server through the messaging platform.

[0131] S312, the cloud phone server sends a fourth authentication request to the business server.

[0132] S313, the service server authenticates the cloud phone based on GBA authentication information.

[0133] The specific processes of S301 to S313 described above can be found in the embodiments provided in this application, and will not be elaborated further here.

[0134] In this embodiment, when a cloud phone wants to access certain services, it sends a service access request to a cloud phone server. The cloud phone server then forwards the request to a service server. The service server checks if the service access request contains GBA authentication information. If not, it sends a first authentication request to the cloud phone. The cloud phone server then sends a second authentication request to a messaging platform to request GBA authentication information. The messaging platform, based on the SIM card identifier, identifies a target messaging terminal from at least one messaging terminal. The target messaging terminal then sends a third authentication request to the BSF server and receives the GBA authentication information from the BSF server. The target messaging terminal can then send GBA authentication information back to the messaging platform and the messaging platform, which in turn sends GBA authentication information to the cloud phone server. This allows the cloud phone to send a fourth authentication request to the service server, enabling the service server to perform GBA authentication on the cloud phone based on this fourth authentication request. In this way, even cloud phones without a SIM card can obtain GBA authentication information through interaction between the messaging system and the BSF server based on their corresponding SIM card identifier, effectively solving the problem of GBA authentication for terminals without SIM cards.

[0135] Since the authentication method provided in this application embodiment may include a 5G messaging platform, and correspondingly, the messaging terminal may include a 5G messaging terminal, based on this, in one embodiment, such as Figure 4 As shown, the authentication method provided in this application embodiment may specifically include the following steps:

[0136] S401, the cloud phone sends a service access request to the cloud phone server.

[0137] S402, the cloud mobile server forwards business access requests to the business server.

[0138] S403, the business server queries whether GBA authentication information exists in the business access request.

[0139] S404: If the business access request does not contain GBA authentication information, the business server sends the first authentication request to the cloud phone server.

[0140] S405, the cloud phone server sends a second authentication request to the 5G messaging platform to request GBA authentication information.

[0141] S406, using a 5G messaging platform to identify a target 5G messaging terminal from at least one 5G messaging terminal based on the SIM card identifier.

[0142] S407, sends a fifth authentication request to the target 5G messaging terminal.

[0143] S408 sends a third authentication request to the BSF server through the target 5G messaging terminal.

[0144] S409 receives GBA authentication information sent by the BSF server through the target 5G messaging terminal.

[0145] S410 sends GBA authentication information to the 5G messaging platform through the target 5G messaging terminal.

[0146] S411 sends GBA authentication information to the cloud phone server via the 5G messaging platform.

[0147] S412, the cloud phone server sends a fourth authentication request to the business server.

[0148] S413, the business server authenticates the cloud phone based on GBA authentication information.

[0149] Specifically, when a cloud phone wants to access certain services, it can send a service access request to the cloud phone server. The cloud phone server then forwards the request to the service server to request access to the service. However, since the cloud phone does not have a SIM card and cannot perform GBA authentication, the service access request does not include GBA authentication information.

[0150] Based on this, after receiving the service request, the service server will check whether GBA authentication information exists in the service request. If GBA authentication information is not found in the service access request, the service server will send a first authentication request to the cloud phone server to request GBA authentication information. Then, the cloud phone server can send a second authentication request to the 5G messaging platform to request GBA authentication information. Since the second authentication request can be identified by the SIM card, the 5G messaging platform can filter out the target 5G messaging terminal corresponding to the SIM card identifier from at least one 5G messaging terminal carrying a SIM card, and send a fifth authentication request to the target 5G messaging terminal.

[0151] Thus, after receiving the fifth authentication request, the target 5G messaging terminal can send a third authentication request to the BSF server to request the GBA authentication information of the cloud phone. In this way, the target 5G messaging terminal can receive the GBA authentication information sent by the BSF server and forward the GBA authentication information to the 5G messaging platform. The 5G messaging platform can then send the GBA authentication information to the cloud phone server, so that the cloud phone server can send a fourth authentication request to the service server, enabling the service server to authenticate the cloud phone based on the GBA authentication information.

[0152] Additionally, it should be noted that the aforementioned messaging platform can also be a 4G messaging platform, and correspondingly, the aforementioned messaging terminal can be a 4G messaging terminal. This application does not impose specific limitations on the embodiments herein.

[0153] In this embodiment, when devices such as cloud phones that do not carry SIM cards need to perform GBA authentication, the 5G messaging platform can identify a 5G messaging terminal with a SIM card to replace the cloud phone in interacting with the BSF server to obtain GBA authentication information, effectively solving the problem that terminals without SIM cards can use GBA authentication.

[0154] Based on the same inventive concept, embodiments of this application also provide an authentication device applied to a messaging system. (Specifically combined with...) Figure 5 The authentication device provided in the embodiments of this application will be described in detail.

[0155] Figure 5 This is a schematic diagram of the structure of an authentication device provided in an embodiment of this application.

[0156] like Figure 5 As shown, the authentication device 500 may include:

[0157] The receiving module 510 is used to receive a second authentication request sent by the cloud phone server to request GBA authentication information when the cloud phone server receives a first authentication request sent by the service server to request GBA authentication information. The second authentication request includes a SIM card identifier. The first authentication request is sent by the service server when it is determined that there is no GBA authentication information in the service access request sent by the cloud phone through the cloud phone server.

[0158] The sending module 520 is used to send a third authentication request to the BSF server based on the SIM card identifier. The third authentication request includes authentication request parameters.

[0159] The receiving module 510 is also used to receive GBA authentication information sent by the BSF server, the GBA authentication information being determined based on the authentication request parameters;

[0160] The sending module 520 is also used to send GBA authentication information to the cloud phone server, so that the cloud phone server can send a fourth authentication request carrying the GBA authentication information to the business server, so that the business server can perform GBA authentication on the cloud phone based on the GBA authentication information.

[0161] In one embodiment, the messaging system includes a messaging platform and each messaging terminal carrying a user identification module (SIM card); the authentication method provided in this application embodiment further includes:

[0162] The determination module is used to determine the target messaging terminal from at least one messaging terminal based on the SIM card identifier through the messaging platform.

[0163] The sending module is specifically used to send a third-party authentication request to the BSF server through the target message terminal.

[0164] In one embodiment, the first authentication request further includes a GBA identifier and initial authentication request parameters, wherein the initial authentication request parameters include a SIM card identifier, and the initial authentication request parameters are obtained by the cloud phone server encrypting the data using a first public key based on a preset encryption algorithm; based on this, the authentication device provided in this application embodiment further includes:

[0165] The query module is used to query the first private key corresponding to the GBA identifier through the message platform based on the GBA identifier;

[0166] The decryption module is used to decrypt the request authentication information using the first private key to obtain the decrypted initial authentication request parameters.

[0167] In one embodiment, the authentication device provided in this application may further include:

[0168] The sending module is also used to send a fifth authentication request to the target message terminal through the message platform. The fifth authentication request includes initial authentication request parameters and GBA information flag bits.

[0169] The identification module is used to identify the GBA information flag bits through the target message terminal and parse them to obtain the initial authentication request parameters;

[0170] The sending module is also used to send a third authentication request to the BSF server through the target message terminal. The third authentication request includes the initial authentication request parameters.

[0171] In one embodiment, the fifth authentication request further includes a second public key, which is used by the target messaging terminal to encrypt GBA authentication information, and a second private key corresponding to the second public key is stored in the messaging platform and used to decrypt the GBA authentication information sent by the target messaging terminal.

[0172] In one embodiment, the initial authentication request parameters include a SIM card identifier; the authentication device provided in this application embodiment may further include:

[0173] The generation module is used to generate a second public key based on a preset key generation function and the SIM card identifier;

[0174] The generation module is also used to generate a second private key based on a preset key generation function, SIM card identifier, and random number.

[0175] In one embodiment, the receiving module is specifically used to receive GBA authentication information sent by the BSF server through the target message terminal;

[0176] The sending module is specifically used to send GBA authentication information to the messaging platform through the target messaging terminal;

[0177] Send GBA authentication information to the cloud phone server through the messaging platform.

[0178] In some embodiments, the messaging platform includes a 5G messaging platform, and the messaging terminal includes a 5G messaging terminal.

[0179] In this embodiment, the messaging system, upon receiving a first authentication request from the service server requesting GBA authentication information from the cloud phone server, can also receive a second authentication request from the cloud phone server requesting the acquisition of GBA authentication information. Since the second authentication request includes a SIM card identifier, the messaging system can send a third authentication request to the Bootstrap Service (BSF) server based on the SIM card identifier. This allows it to receive the GBA authentication information from the BSF server and send the GBA authentication information back to the cloud phone server. The cloud phone server then sends a fourth authentication request carrying the GBA authentication information to the service server, enabling the service server to perform GBA authentication on the cloud phone based on the GBA authentication information. Thus, for cloud phones without a SIM card, GBA authentication information can be obtained through interaction between the messaging system and the BSF server based on the corresponding SIM card identifier, effectively solving the problem of GBA authentication being available for terminals without a SIM card.

[0180] The various modules in the authentication device provided in this application embodiment can achieve... Figure 1 The method steps of the illustrated embodiment, and the corresponding technical effects they achieve, will not be described in detail here for the sake of brevity.

[0181] Based on the same inventive concept, this application also provides an authentication device applied to a cloud phone server. (Specifically combined with...) Figure 6 The authentication device provided in the embodiments of this application will be described in detail.

[0182] Figure 6 This is a schematic diagram of the structure of an authentication device provided in an embodiment of this application.

[0183] like Figure 6 As shown, the authentication device 600 may include:

[0184] The sending module 610 is used to send a second authentication request to the messaging system to request the acquisition of the General Authentication Mechanism (GBA) authentication information when the cloud phone server receives a first authentication request from the business server to request the GBA authentication information. The second authentication request includes a SIM card identifier, which is used by the messaging system to send a third authentication request to the Bootstrap Service Function (BSF) server based on the SIM card identifier. The third authentication request includes authentication request parameters and receives the GBA authentication information sent by the BSF server. The GBA authentication information is determined based on the authentication request parameters. The first authentication request is sent by the business server when it is determined that there is no GBA authentication information in the business access request sent by the cloud phone through the cloud phone server.

[0185] The receiving module 620 is used to receive GBA authentication information sent by the messaging system;

[0186] The sending module 610 is also used to send a fourth authentication request carrying GBA authentication information to the business server, so that the business server can perform GBA authentication on the cloud phone based on the GBA authentication information.

[0187] In one embodiment, the authentication method provided in this application may further include the following steps:

[0188] The receiving module is also used to receive service access requests sent by the cloud phone;

[0189] The forwarding module is used to forward business access requests to the business server;

[0190] The receiving module is also used to receive the first authentication request sent by the business server when the business server determines that there is no GBA authentication information in the business access request.

[0191] In one embodiment, the messaging system includes a messaging platform and at least one messaging terminal, each messaging terminal carrying a SIM card; the sending module is specifically used to send a first authentication request to the messaging platform, so that the messaging platform can determine the target messaging terminal from the at least one messaging terminal based on the SIM card identifier, and send a second authentication request to the BSF server through the target messaging terminal, and receive GBA authentication information sent by the BSF server through the target messaging terminal, and send GBA authentication information to the messaging platform through the target messaging terminal;

[0192] The sending module is specifically used to send GBA authentication information to the cloud phone server through the messaging platform.

[0193] In some embodiments, the messaging platform includes a 5G messaging platform, and the messaging terminal includes a 5G messaging terminal.

[0194] In this embodiment, the cloud phone server can send a first authentication request to the messaging system to request GBA authentication information. The second authentication request includes a SIM card identifier, which the messaging system uses to send a third authentication request to the Bootstrap Service (BSF) server based on the SIM card identifier. The server then receives the GBA authentication information from the BSF server, receives the GBA authentication information sent by the messaging system to the cloud phone server, and sends a fourth authentication request carrying the GBA authentication information to the service server. This allows the service server to perform GBA authentication on the cloud phone based on the GBA authentication information. Thus, for cloud phones without a SIM card, GBA authentication information can be obtained through interaction between the messaging system and the BSF server based on the corresponding SIM card identifier, effectively solving the problem of GBA authentication being available for terminals without SIM cards.

[0195] The various modules in the authentication device provided in this application embodiment can achieve... Figure 2 The method steps of the illustrated embodiment, and the corresponding technical effects they achieve, will not be described in detail here for the sake of brevity.

[0196] Figure 7 A schematic diagram of the hardware structure of the electronic device provided in an embodiment of this application is shown.

[0197] An electronic device may include a processor 701 and a memory 702 storing computer program instructions.

[0198] Specifically, the processor 701 may include a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits that can be configured to implement the embodiments of this application.

[0199] Memory 702 may include mass storage for data or instructions. For example, and not limitingly, memory 702 may include a hard disk drive (HDD), floppy disk drive, flash memory, optical disk, magneto-optical disk, magnetic tape, or Universal Serial Bus (USB) drive, or a combination of two or more of these. Where appropriate, memory 702 may include removable or non-removable (or fixed) media. Where appropriate, memory 702 may be internal or external to the integrated gateway disaster recovery device. In a particular embodiment, memory 702 is non-volatile solid-state memory.

[0200] Memory may include read-only memory (ROM), random access memory (RAM), disk storage media devices, optical storage media devices, flash memory devices, and electrical, optical, or other physical / tangible memory storage devices. Therefore, typically, memory includes one or more tangible (non-transitory) computer-readable storage media (e.g., memory devices) encoded with software including computer-executable instructions, and when the software is executed (e.g., by one or more processors), it is operable to perform the operations described with reference to the methods according to one aspect of this disclosure.

[0201] The processor 701 implements any of the authentication methods described in the above embodiments by reading and executing computer program instructions stored in the memory 702.

[0202] In one example, the electronic device may also include a communication interface 703 and a bus 710. For example, Figure 7 As shown, the processor 701, memory 702, and communication interface 703 are connected through bus 710 and complete communication with each other.

[0203] The communication interface 703 is mainly used to realize communication between various modules, devices, units and / or equipment in the embodiments of this application.

[0204] Bus 710 includes hardware, software, or both, that couples components of an online data traffic metering device together. For example, and not limitingly, the bus may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front Side Bus (FSB), HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an Infinite Bandwidth Interconnect, a Low Pin Count (LPC) bus, a memory bus, a Microchannel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association Local (VLB) bus, or other suitable buses, or combinations of two or more of these. Where appropriate, bus 710 may include one or more buses. Although specific buses are described and illustrated in embodiments of this application, any suitable bus or interconnect is contemplated herein.

[0205] Furthermore, in conjunction with the authentication methods described in the above embodiments, this application embodiment can provide a computer storage medium for implementation. This computer storage medium stores computer program instructions; when these computer program instructions are executed by a processor, they implement the authentication method provided in this application embodiment.

[0206] This application also provides a computer program product, which includes a computer program that is executed by a processor to implement the authentication method provided in this application.

[0207] It should be clarified that this application is not limited to the specific configurations and processes described above and shown in the figures. For the sake of brevity, detailed descriptions of known methods are omitted here. In the above embodiments, several specific steps are described and shown as examples. However, the method process of this application is not limited to the specific steps described and shown. Those skilled in the art can make various changes, modifications, and additions, or change the order of steps, after understanding the spirit of this application.

[0208] The functional blocks shown in the above block diagram can be implemented as hardware, software, firmware, or a combination thereof. When implemented in hardware, they can be, for example, electronic circuits, application-specific integrated circuits (ASICs), appropriate firmware, plug-ins, function cards, etc. When implemented in software, the elements of this application are programs or code segments used to perform the required tasks. Programs or code segments can be stored on a machine-readable medium or transmitted over a transmission medium or communication link via data signals carried on a carrier wave. "Machine-readable medium" can include any medium capable of storing or transmitting information. Examples of machine-readable media include electronic circuits, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, radio frequency (RF) links, etc. Code segments can be downloaded via computer networks such as the Internet, intranets, etc.

[0209] It should also be noted that the exemplary embodiments mentioned in this application describe methods or systems based on a series of steps or apparatus. However, this application is not limited to the order of the above steps; that is, the steps can be performed in the order mentioned in the embodiments, or in a different order, or several steps can be performed simultaneously.

[0210] The aspects of this disclosure have been described above with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of this disclosure. It should be understood that each block in the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, a special-purpose computer, or other programmable authorized means to produce a machine such that these instructions, executable via the processor of the computer or other programmable authorized means, enable the implementation of the functions / actions specified in one or more blocks of the flowchart illustrations and / or block diagrams. Such a processor can be, but is not limited to, a general-purpose processor, a special-purpose processor, a special application processor, or a field-programmable logic circuit. It is also understood that each block in the block diagrams and / or flowcharts, and combinations of blocks in the block diagrams and / or flowcharts, can also be implemented by special-purpose hardware performing the specified functions or actions, or can be implemented by a combination of special-purpose hardware and computer instructions.

[0211] The above are merely specific embodiments of this application. Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working processes of the systems, modules, and units described above can be referred to the corresponding processes in the foregoing method embodiments, and will not be repeated here. It should be understood that the protection scope of this application is not limited thereto. Any person skilled in the art can easily conceive of various equivalent modifications or substitutions within the technical scope disclosed in this application, and these modifications or substitutions should all be covered within the protection scope of this application.

Claims

1. An authentication method, characterized in that, Applied to a messaging system, the messaging system including a messaging platform and at least one messaging terminal, each messaging terminal carrying a SIM card, the method includes: When the cloud phone server receives a first authentication request from the service server for requesting GBA authentication information, it receives a second authentication request from the cloud phone server for requesting to obtain GBA authentication information. The second authentication request includes a SIM card identifier. The first authentication request is sent by the service server after determining that there is no GBA authentication information in the service access request sent by the cloud phone through the cloud phone server. The messaging platform determines a target messaging terminal from the at least one messaging terminal based on the SIM card identifier; the target messaging terminal sends a third authentication request to the BSF server; the third authentication request includes authentication request parameters. The target message terminal receives GBA authentication information sent by the BSF server; the GBA authentication information is determined based on the authentication request parameters. The target messaging terminal sends the GBA authentication information to the messaging platform; the messaging platform sends the GBA authentication information to the cloud phone server; the cloud phone server sends a fourth authentication request carrying the GBA authentication information to the service server, so that the service server can perform GBA authentication on the cloud phone based on the GBA authentication information.

2. The method according to claim 1, characterized in that, The first authentication request also includes a GBA identifier and initial authentication request parameters. The initial authentication request parameters include the SIM card identifier. The initial authentication request parameters are obtained by the cloud phone server encrypting the data using a first public key based on a preset encryption algorithm. The authentication request parameters include the initial authentication request parameters. Before determining the target messaging terminal from the at least one messaging terminal through the messaging platform based on the SIM card identifier, the method further includes: The message platform retrieves the first private key corresponding to the GBA identifier based on the GBA identifier; After decrypting the initial authentication request parameters using the first private key, the decrypted initial authentication request parameters are obtained.

3. The method according to claim 2, characterized in that, Before sending a third authentication request to the BSF server via the target messaging terminal, the method further includes: A fifth authentication request is sent to the target messaging terminal through the messaging platform. The fifth authentication request includes initial authentication request parameters and GBA information flag bits. Sending a third authentication request to the BSF server via the target message terminal includes: The initial authentication request parameters are obtained by identifying the GBA information flag bit through the target message terminal; The target message terminal sends a third authentication request to the BSF server, the third authentication request including the initial authentication request parameters.

4. The method according to claim 3, characterized in that, The fifth authentication request also includes a second public key, which is used by the target messaging terminal to encrypt the GBA authentication information. A second private key corresponding to the second public key is stored in the messaging platform and used to decrypt the GBA authentication information sent by the target messaging terminal.

5. The method according to claim 4, characterized in that, The initial authentication request parameters include the SIM card identifier; before sending the fifth authentication request to the target messaging terminal via the messaging platform, the method further includes: A second public key is generated based on a preset key generation function and the SIM card identifier; A second private key is generated based on the preset key generation function, the SIM card identifier, and the random number.

6. The method according to any one of claims 1 to 5, characterized in that, The messaging platform includes a 5G messaging platform, and the messaging terminal includes a 5G messaging terminal.

7. An authentication method, characterized in that, Applied to cloud phone servers, the method includes: When the cloud phone server receives a first authentication request from the service server requesting GBA authentication information, it sends a second authentication request to the messaging system to request GBA authentication information. The second authentication request includes a SIM card identifier, used by the messaging platform in the messaging system to determine a target messaging terminal from at least one messaging terminal in the messaging system based on the SIM card identifier. A third authentication request is then sent to the BSF server through the target messaging terminal. The third authentication request includes authentication request parameters and receives GBA authentication information from the BSF server through the target messaging terminal. The GBA authentication information is determined based on the authentication request parameters. The first authentication request is sent by the service server when it determines that GBA authentication information is not present in the service access request sent by the cloud phone through the cloud phone server. Each messaging terminal carries a SIM card and receives GBA authentication information sent by the messaging system. The GBA authentication information is sent by the messaging system to the messaging platform through the target messaging terminal, and then sent to the cloud phone server through the messaging platform. A fourth authentication request carrying GBA authentication information is sent to the business server so that the business server can perform GBA authentication on the cloud phone based on the GBA authentication information.

8. The method according to claim 7, characterized in that, Before sending the first authentication request to the messaging system to request GBA authentication information, the method further includes: Receive the service access request sent by the cloud phone; Forward the service access request to the service server; If the service server determines that there is no GBA authentication information in the service access request, it receives the first authentication request sent by the service server.

9. The method according to claim 7, characterized in that, The messaging system includes a messaging platform and at least one messaging terminal, each messaging terminal carrying a SIM card; the first authentication request sent to the messaging system to request the acquisition of GBA authentication information includes... The first authentication request is sent to the messaging platform so that the messaging platform can determine the target messaging terminal from the at least one messaging terminal based on the SIM card identifier, and send a second authentication request to the BSF server through the target messaging terminal, and receive GBA authentication information sent by the BSF server through the target messaging terminal, and send the GBA authentication information to the messaging platform through the target messaging terminal; The receipt of the GBA authentication information sent by the messaging system includes: The receiving message system sends the GBA authentication information through the message platform.

10. The method according to claim 9, characterized in that, The messaging platform includes a 5G messaging platform, and the messaging terminal includes a 5G messaging terminal.

11. An authentication device, characterized in that, The device is applied to a messaging system, which includes a messaging platform and at least one messaging terminal, each of which carries a SIM card. The device includes: The receiving module is configured to receive a second authentication request sent by the cloud phone server to request GBA authentication information when the cloud phone server receives a first authentication request sent by the service server to request GBA authentication information. The second authentication request includes a SIM card identifier. The first authentication request is sent by the service server when it is determined that there is no GBA authentication information in the service access request sent by the cloud phone through the cloud phone server. The sending module is used to determine the target message terminal from the at least one message terminal based on the SIM card identifier through the message platform; The sending module is further configured to send a third authentication request to the BSF server through the target message terminal; the third authentication request includes authentication request parameters; The receiving module is also configured to receive GBA authentication information sent by the BSF server through the target message terminal; the GBA authentication information is determined based on the authentication request parameters; The sending module is further configured to send the GBA authentication information to the messaging platform via the target messaging terminal; send the GBA authentication information to the cloud phone server via the messaging platform; and for the cloud phone server to send a fourth authentication request carrying the GBA authentication information to the service server, so that the service server can perform GBA authentication on the cloud phone based on the GBA authentication information.

12. An authentication device, characterized in that, The device, applied to cloud phone servers, includes: The sending module is configured to, upon receiving a first authentication request from a service server requesting GBA authentication information from the cloud phone server, send a second authentication request to the messaging system requesting to obtain GBA authentication information. The second authentication request includes a SIM card identifier, used by the messaging platform in the messaging system to determine a target messaging terminal from at least one messaging terminal in the messaging system based on the SIM card identifier. The module then sends a third authentication request to the BSF server through the target messaging terminal. The third authentication request includes authentication request parameters and receives GBA authentication information from the BSF server through the target messaging terminal. The GBA authentication information is determined based on the authentication request parameters. The first authentication request is sent by the service server after determining that GBA authentication information is not present in the service access request sent by the cloud phone through the cloud phone server. Each messaging terminal carries a SIM card. The receiving module is used to receive GBA authentication information sent by the messaging system; the GBA authentication information is sent by the messaging system to the messaging platform through the target messaging terminal, and then sent to the cloud mobile phone server through the messaging platform. The sending module is also used to send a fourth authentication request carrying GBA authentication information to the business server, so that the business server can perform GBA authentication on the cloud phone based on the GBA authentication information.