CN112087412A - Service access processing method and device based on unique token - Google Patents


Info

Publication number: CN112087412A (application CN201910514369.7A); granted version CN112087412B
Authority: CN (China)
Prior art keywords: token, service, unique, sender, access
Legal status: Granted (active)
Other languages: Chinese (zh)
Inventors: 吴鹏程, 崔耀平, 王大鹏
Assignee (current and original): Datang Mobile Communications Equipment Co Ltd

Classifications

    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L67/02 Network arrangements or protocols for supporting network services or applications; protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos
    • H04L9/3234 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token

Abstract

The embodiment of the invention discloses a service access processing method and device based on a unique token, wherein the method comprises the following steps: obtaining a token with a unique identifier sent by a sender, the token being generated according to the device name and device address of each device host; decoding the token according to a preset key to obtain the payload of the token; if the content of the payload passes verification, uniquely accessing the service corresponding to the token according to the token; wherein the device hosts comprise a device host of the network repository function NRF and a device host of a network function NF. The sender generates a globally unique token and sends it to the receiver, and the receiver decodes and verifies the token and uniquely accesses the corresponding service according to the token, so that the token can only be used end to end, the security of authorization distribution under the 5G SBA architecture is enhanced, and the operation flow is greatly simplified.

Description

Service access processing method and device based on unique token
Technical Field
The invention relates to the technical field of communication, in particular to a service access processing method and device based on a unique token.
Background
The NRF (Network Repository Function) provides the Nnrf_AccessToken service, following the "client credentials" grant, as specified in 3GPP (3rd Generation Partnership Project) TS (Technical Specification) 33.501. It exposes a "token endpoint" at which NF (Network Function) service consumers can request an access token.
The process by which an NF service consumer uses this service operation to request an OAuth2 (Open Authorization) access token from the authorization server is shown in Fig. 1: the NF service consumer sends a POST request to the token endpoint, URI {nrfApiRoot}/oauth2/token; on success the NRF returns "200 OK", and the response payload body contains the requested access token, the token type and the indicated expiration time of the token; if the access token request fails at the NRF, the NRF returns a "400 Bad Request" status code with a JSON object in the response payload that gives details of the particular error that occurred.
In the prior-art Access Token Request, the token is generated from a source service type and a target service type, so before a service is accessed the token for that service type is obtained through a single Access Token Request procedure. Because many source service processing units share the same service type, and likewise the target service processing units, the token the NRF computes for a given pair of source and target service types is common to all of them, which is a serious weakness.
In addition, the existing service discovery process is shown in Fig. 2: the NF service consumer sends an HTTP GET request to the "NF entities" collection resource URI, with the query parameters carrying the input filter conditions of the discovery request; on success the NRF returns "200 OK", and the response body contains a validity period during which the NF service consumer may cache the search result, together with all NF instances that provide the specific NF service names matching the filter conditions; if the NF service consumer is not allowed to discover the NF service of the NF type given in the query parameters, the NRF returns a "403 Forbidden" response.
Taking Fig. 3 as an example, when AMF (Access and Mobility Management Function) 1 or AMF2 applies to the NRF for a TOKEN to access the SMF (Session Management Function) service, the NRF can only distinguish the service, not different devices of the same service, because the input parameters are identical. They are issued the same TOKEN, and the same TOKEN is used regardless of whether AMF1 or AMF2 accesses SMF1 or SMF2. If SMF1 is meant to restrict access to AMF1 alone, there is no way to distribute TOKENs to devices individually.
In summary, the prior art has the following problems: before each service is accessed, the TOKEN required for that service must be requested from the NRF, and the TOKEN requested is identical at least within one service type, so the same TOKEN is used to access different service entities, which is an insecure factor. In addition, all TOKENs for all services must be acquired at registration time: the device cannot know in advance which services will be needed later, because services are accessed as the UE (User Equipment) requires them, yet every TOKEN has to be obtained up front, which makes the procedure cumbersome and redundant.
Disclosure of Invention
Because the existing method has the problems, the embodiment of the invention provides a service access processing method and device based on a unique token.
In a first aspect, an embodiment of the present invention provides a service access processing method based on a unique token, including:
obtaining a token with a unique identifier sent by a sender, wherein the token is generated according to the equipment name and the equipment address of each equipment host;
decoding the token according to a preset key to obtain the load of the token;
if the content of the load passes the verification, uniquely accessing the service corresponding to the token according to the token;
each device host comprises a device host of the network repository function NRF and a device host of a network function NF;
the load includes: a token issuer, a token-oriented user, a token receiver, a token expiration time, and the service combination of the token;
the token issuer, the user to which the token is directed, and the token receiver each include a device hostname composed from a device name and a device address.
Optionally, if it is determined that the content of the load passes the verification, uniquely accessing the service corresponding to the token according to the token specifically includes:
if the token issuer of the token is the device name and the device address of the device host of the NRF, the token-oriented user of the token is the device name and the device address of the device host accessing the NF of the current service, and the token receiver of the token is the device name and the device address of the current service, determining that the content of the load passes verification, and uniquely accessing the service corresponding to the token according to the token.
Optionally, before obtaining the token with the unique identifier sent by the sender (the token being generated according to the device name and the device address of each device host), the method further includes:
if a hypertext transfer protocol (HTTP) message is received, initiating an access token request to a sender according to the message type of the HTTP message;
correspondingly, the obtaining of the token with the unique identifier sent by the sender specifically includes:
if an access token confirmation message returned by the sender is received, acquiring the token with the unique identifier according to the access token confirmation message.
Optionally, if it is determined that the content of the payload passes the verification, after uniquely accessing the service corresponding to the token according to the token, the method further includes:
in the service discovery process, if a service discovery request is received, a target token is obtained according to the service discovery request, and the target token is verified;
and if the target token is judged to pass the verification, acquiring at least one corresponding instance information according to the service discovery request, generating a corresponding token according to each instance information, and returning each token and the registration success information to the sender of the service discovery request.
In a second aspect, an embodiment of the present invention further provides a service access processing apparatus based on a unique token, including:
the token acquisition module is used for acquiring a token with a unique identifier sent by a sender, and the token is generated according to the equipment name and the equipment address of each equipment host;
the token analysis module is used for decoding the token according to a preset secret key to obtain the load of the token;
the service access module is used for uniquely accessing the service corresponding to the token according to the token if the content of the load is judged to pass the verification;
each device host comprises a device host of the network repository function NRF and a device host of a network function NF;
the load includes: a token issuer, a token-oriented user, a token receiver, a token expiration time, and the service combination of the token;
the token issuer, the user to which the token is directed, and the token receiver each include a device hostname composed from a device name and a device address.
Optionally, the service access module is specifically configured to determine that the content of the payload passes verification if a token issuer of the token is the device name and the device address of the device host of the NRF, a token-oriented user of the token is the device name and the device address of the device host of the NF that accesses the current service, and a token receiver of the token is the device name and the device address of the current service, and uniquely access the service corresponding to the token according to the token.
Optionally, the apparatus further comprises:
the request initiating module is used for initiating an access token request to a sender according to the message type of the HTTP message if the HTTP message is received;
correspondingly, the token obtaining module is specifically configured to obtain the token with the unique identifier according to the access token confirmation message if the access token confirmation message returned by the sender is received.
Optionally, the apparatus further comprises:
the token checking module is used for acquiring a target token according to a service discovery request and checking the target token if the service discovery request is received in the service discovery process;
and the token returning module is used for acquiring at least one corresponding instance information according to the service discovery request if the target token is judged to pass the verification, generating a corresponding token according to each instance information, and returning each token and the registration success information to the sender of the service discovery request.
In a third aspect, an embodiment of the present invention further provides an electronic device, including:
at least one processor; and
at least one memory communicatively coupled to the processor, wherein:
the memory stores program instructions executable by the processor, which when called by the processor are capable of performing the above-described methods.
In a fourth aspect, an embodiment of the present invention further provides a non-transitory computer-readable storage medium storing a computer program, which causes the computer to execute the above method.
According to the technical scheme, the sender generates a globally unique token and sends it to the receiver, and the receiver decodes and verifies the token and uniquely accesses the corresponding service according to the token, so that the token can only be used end to end, the security of authorization distribution under the 5G SBA (Service Based Architecture) is enhanced, and the operation flow is greatly simplified.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a schematic flow chart of an access token request provided by the prior art;
Fig. 2 is a schematic flow chart of service discovery provided by the prior art;
Fig. 3 is a schematic diagram of an architecture for token-based service access provided by the prior art;
Fig. 4 is a flowchart illustrating a service access processing method based on a unique token according to an embodiment of the present invention;
Fig. 5 is a flow chart illustrating a method for controlling and generating tokens for different services according to an embodiment of the present invention;
Fig. 6 is a schematic flow chart of an access token request according to an embodiment of the present invention;
Fig. 7 is a block diagram illustrating an architecture of unique token-based service access according to an embodiment of the present invention;
Fig. 8 is a flowchart illustrating network function service management according to an embodiment of the present invention;
Fig. 9 is a schematic flowchart of network function service discovery according to an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of a service access processing apparatus based on a unique token according to an embodiment of the present invention;
Fig. 11 is a logic block diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The following further describes embodiments of the present invention with reference to the accompanying drawings. The following examples are only for illustrating the technical solutions of the present invention more clearly, and the protection scope of the present invention is not limited thereby.
Fig. 4 is a flowchart illustrating a unique token-based service access processing method provided in this embodiment, and includes:
S401, obtaining a token with a unique identifier sent by a sender, wherein the token is generated according to the device name and the device address of each device host.
Wherein, each device host comprises a device host of NRF and a device host of NF.
Specifically, when the sender generates the token, the token is generated according to the device name and the device address of each device host, and the device name and the device address of each device host are different, so that it can be ensured that the token generated each time is globally unique.
S402, decoding the token according to a preset key to obtain the load of the token.
Wherein the load comprises: the token issuer, the token-oriented user, the token receiver, the token expiration time, and the service combination of the token.
The token issuer, the user to which the token is directed, and the token receiver each include a device hostname composed from a device name and a device address.
The preset key is a key agreed by the receiver and the sender in advance.
S403, if the content of the load is judged to pass the verification, uniquely accessing the service corresponding to the token according to the token.
Specifically, the load obtained by parsing is checked to determine whether it meets the requirements; if the load passes the verification, the token can be used normally, so the corresponding service can be uniquely accessed according to the token, and there is no situation in which one token corresponds to several services and causes confusion.
In this embodiment, the sender generates a globally unique token and sends it to the receiver, and the receiver uniquely accesses the corresponding service according to the token after decoding and verifying it, so that the token can only be used end to end, the security of authorization distribution under the 5G SBA (Service Based Architecture) is enhanced, and the operation flow is greatly simplified.
Further, on the basis of the above method embodiment, S403 specifically includes:
if the token issuer of the token is the device name and the device address of the device host of the NRF, the token-oriented user of the token is the device name and the device address of the device host accessing the NF of the current service, and the token receiver of the token is the device name and the device address of the current service, determining that the content of the load passes verification, and uniquely accessing the service corresponding to the token according to the token.
In particular, the sender must use the exact device name and device address when computing the token. The hostname formats are defined as follows:
Device hostname of the NRF:
<NRF-id>.<IP:PORT>.nrf.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org, where <NRF-id> is the network element name and <IP:PORT> is the IP address and port number of the particular network device.
Device hostname of an NF:
<NF-id>.<IP:PORT>.nf.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org, where <NF-id> is the network element name.
Specifically for 5G devices, the name identifier formats are as follows:
Device hostname of the AMF:
<AMF-id>.<IP:PORT>.amf.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org, where <AMF-id> is the name identifier of the particular AMF, and <MNC> and <MCC> are both fixed 3-digit decimal numbers.
Device hostname of the SMF:
<SMF-id>.<IP:PORT>.smf.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org
Device hostname of the UPF (User Plane Function):
<UPF-id>.<IP:PORT>.upf.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org
Device hostname of the PCF (Policy Control Function):
<PCF-id>.<IP:PORT>.pcf.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org
Device hostname of the UDM:
<UDM-id>.<IP:PORT>.udm.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org
Device hostname of the AUSF:
<AUSF-id>.<IP:PORT>.ausf.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org
Device hostname of the NSSF:
<NSSF-id>.<IP:PORT>.nssf.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org
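The hostname format above is the identity that every later token check compares. As an added example (not code from the patent), the following Python builds and parses hostnames of this form and compares two of them field by field; the NF type list and the fixed 3-digit MNC/MCC follow the description, while the sample hostnames are constructed values.

```python
import ipaddress
import re

# Added example, not the patent's code: build, parse and compare device hostnames of
# the form <id>.<IP:PORT>.<nf-type>.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org. The NF type
# list and the fixed 3-digit MNC/MCC follow the description; sample values are constructed.

NF_TYPES = ("nrf", "nf", "amf", "smf", "upf", "pcf", "udm", "ausf", "nssf")

_HOSTNAME_RE = re.compile(
    r"^(?P<nf_id>[a-z0-9-]+)\."
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})\."
    r"(?P<nf_type>[a-z]+)\.5gc\.mnc(?P<mnc>\d{3})\.mcc(?P<mcc>\d{3})\.3gppnetwork\.org$"
)


def build_hostname(nf_id, ip, port, nf_type, mnc, mcc):
    """Compose a hostname; raise ValueError if any field is outside the format."""
    if not re.fullmatch(r"[a-z0-9-]+", nf_id):
        raise ValueError("nf_id must be lowercase letters, digits or '-'")
    ipaddress.IPv4Address(str(ip))          # raises on a malformed address
    if not 1 <= int(port) <= 65535:
        raise ValueError("port out of range")
    if nf_type not in NF_TYPES:
        raise ValueError("unknown NF type")
    if not (re.fullmatch(r"\d{3}", str(mnc)) and re.fullmatch(r"\d{3}", str(mcc))):
        raise ValueError("MNC and MCC are fixed 3-digit decimal numbers here")
    return f"{nf_id}.{ip}:{int(port)}.{nf_type}.5gc.mnc{mnc}.mcc{mcc}.3gppnetwork.org"


def parse_hostname(hostname):
    """Split a hostname into its fields; return None if it does not fit the format."""
    m = _HOSTNAME_RE.match(hostname.strip().lower())
    if m is None:
        return None
    fields = m.groupdict()
    try:
        ipaddress.IPv4Address(fields["ip"])  # rejects octets above 255
    except ValueError:
        return None
    port = int(fields["port"])
    if not 1 <= port <= 65535 or fields["nf_type"] not in NF_TYPES:
        return None
    fields["port"] = port
    return fields


def same_device(expected, claimed):
    """The receiver-side checks compare name AND address: both hostnames must parse
    and every field must agree, so amf123 at one IP is not the same device as
    amf123 at another."""
    a, b = parse_hostname(expected), parse_hostname(claimed)
    return a is not None and a == b


if __name__ == "__main__":
    # Constructed sample in the format of the description's own examples.
    nrf = build_hostname("nrf123", "192.168.1.102", 8000, "nrf", "000", "460")
    print(nrf)
    print(parse_hostname(nrf))
    print(same_device(nrf, "nrf123.192.168.1.109:8000.nrf.5gc.mnc000.mcc460.3gppnetwork.org"))
```

Note that the `<IP:PORT>` label contains a colon, which is not permitted in a DNS host name, so this identifier is a claim value carried inside the token rather than a resolvable name; the comparison is therefore done on parsed fields, and both the name and the address must agree before a token is accepted.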
The token is computed mainly from the following parameters:
issuer: the issuer of the TOKEN; filled with the 5G device hostname composed of the device name and device address as above:
<NRF-id>.<IP:PORT>.nrf.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org
subject: the user the TOKEN is for; filled with the 5G NF device hostname composed of the device name and device address as above:
<NF-id>.<IP:PORT>.nf.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org
audience: the party receiving the TOKEN; filled with the 5G device hostname composed of the device name and device address as above:
<NFservice-id>.<IP:PORT>.nf.5gc.mnc<MNC>.mcc<MCC>.3gppnetwork.org
expiration: the expiration time.
scope: a combination of multiple services, separated by commas, such as: "service register; service discovery".
Here the issuer, subject and audience all carry the information of the specific device, which consists of a device identifier and a suffix.
These parameters form the payload of the token, and the token is generated from the payload as follows:
Payload
Example:
[Figure: example payload JSON (image not reproduced in the text)]
The above fields follow the standard JWT definition.
Base64-encoding the above JSON object gives the following string, which is called the Payload of the JWT: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
Head (Header)
{
"typ":"JWT",
"alg":"HS256"
}
Base64-encoding the header gives the following string, which becomes the Header of the JWT: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
The encoded header and payload strings are concatenated with a period (header first) to form the following string:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcm9tX3VzZXIiOiJCIiwidGFyZ2V0X3VzZXIiOiJBIn0
The concatenated string is then signed with the HS256 algorithm using a key supplied at signing time; the resulting value rSWamyAYwuHCo7IFAgd1oRPSP7nzL7BF5t7ItqpKViM is called the signature.
Finally, the signature is appended after the signed string to obtain the complete JWT (token):
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcm9tX3VzZXIiOiJCIiwidGFyZ2V0X3VzZXIiOiJBIn0.rSWamyAYwuHCo7IFAgd1oRpSP7nzL7BF5t7ItqpKViM
When the receiver receives the token, it uses the same key to decode the header and the payload, and then verifies the specific contents of the payload:
1. Check whether the issuer of the token is the name and address of the NRF, e.g.
"issuer":"nrf123.192.168.1.102:8000.nrf.5gc.mnc000.mcc460.3gppnetwork.org"
2. Check whether the user the token is directed to is the name and address of the NF consumer accessing the service, e.g.
"subject":"amf123.192.168.1.103:8000.amf.5gc.mnc000.mcc460.3gppnetwork.org"
If either the name or the address is inconsistent, the service is not obtained.
3. Check whether the party receiving the token is the name and address of the receiver's own NF service provider, e.g.
"audience":"smf123.192.168.1.104:8000.smf.5gc.mnc000.mcc460.3gppnetwork.org"
Consistency must be confirmed; if either is inconsistent, verification fails.
4. Check whether the accessed service is within the service list authorized by the TOKEN, e.g. "scope":"service register; service discovery". If not, verification fails.
5. Check whether the token has expired.
If all of these checks pass, the token is considered verified and the service can continue to be provided.
In this embodiment the calculation and verification of the token are improved: under the SBA architecture, the identification and address of the service consumer and the identification and address of the service provider are both included, so the token is globally unique and can only be used by a specific network function device to access a specific network service providing device; and because the TOKEN is computed from the addresses and identifications of both ends during service discovery, it can only be used end to end, which strengthens the security of authorization distribution under the 5G SBA architecture.
Further, on the basis of the above embodiment of the method, before S401, the method further includes:
S400, if a hypertext transfer protocol (HTTP) message is received, initiating an access token request to a sender according to the message type of the HTTP message;
correspondingly, S401 specifically includes:
if an access token confirmation message returned by the sender is received, acquiring the token with the unique identifier according to the access token confirmation message.
In the use, transmission and flow of the token, the NRF controls and generates tokens for accessing different services according to the different flows, as shown in Fig. 5: the NRF receives an HTTP message and dispatches it for processing according to the message type.
The NF Service Consumer initiates an Access Token Request procedure to the NRF before service registration and service discovery, as shown in Fig. 6.
For example, as shown in Figs. 6 and 7, AMF instance 1 sends an AccessTokenRequest message to the NRF, requesting access to the SMF.
If the message is determined to belong to an Access Token Request procedure, the NRF generates and issues only a token for service registration and service discovery. Specifically: the scope in the token's payload is defined as "service register; service discovery"; the NRF sends an Access Token Response message to AMF instance 1, carrying a token limited to the service registration and service discovery procedures.
The NF uses the token generated above in the subsequent Nnrf_NFManagement service (NF management service) and Nnrf_NFDiscovery service (NF discovery service).
Further, on the basis of the above method embodiment, after S403, the method further includes:
s404, in the service discovery process, if a service discovery request is received, a target token is obtained according to the service discovery request, and the target token is verified.
S405, if the target token is judged to pass the verification, at least one corresponding instance information is obtained according to the service discovery request, a corresponding token is generated according to each instance information, and each token and the registration success information are returned to the sender of the service discovery request.
Specifically, as shown in Fig. 8, the procedure of the NF management service is as follows:
1. The NF sends a registration request (PUT) to the NRF; the request message body contains the information of the NF instance (NF Profile).
2. After the NRF receives the registration request of the NF, it checks the TOKEN. If the check succeeds, the subsequent process is carried out; if it fails, 400 is returned.
3. The NRF performs the corresponding syntax check on the registration request and, if there is no error, stores the corresponding NF Profile.
4. The NRF returns a registration-success message (201 Created) whose message body contains the NF Profile.
As shown in fig. 9, the specific process of the NF discovery procedure is as follows:
1. The NF service consumer initiates an NF service discovery message to the NRF, requesting information such as the service address of the corresponding network function. The message must carry the service type that the NF Service Consumer wishes to discover and the token acquired through the NRF access token service process.
2. After receiving the NF's service discovery request, the NRF checks the token. If the check succeeds, the subsequent process continues; if it fails, the process returns 400.
3. The NRF looks up the corresponding NF instance information, or the NF instance information stored locally, according to the information in the request.
4. Multiple different tokens are generated, one for each instance's information together with the NF service consumer.
Wherein, in the token payload, the issuer ("issuer") is the NRF, the user the token faces ("subject") is the NF Service Consumer, and the party receiving the token ("audience") is represented as the multiple NF instances in the service discovery result. The scope represents the type of service that this NF Service Consumer wishes to discover through the NRF.
5. The NRF returns a registration success message (201 Created), whose message body comprises the NF Profile and a token corresponding to each service discovery result.
In the subsequent flow, when an NF service consumer uses a token generated in the service discovery process, the token can only be used by the service consumer with that specific address and identifier to access the service provider with that specific address and identifier; it cannot be used by other NF service consumers even if it is intercepted.
In the improved service authorization of this embodiment, the access token procedure only issues tokens for service registration and service discovery, which the NF uses to access the registration and discovery services provided by the NRF. The token generated by the access token procedure is verified in the service discovery process, and that process is thereby protected by it.
The embodiment provides a method for 5G SBA authorization distribution, which refines and improves the service-based authorization distribution of a 5G network by computing an end-to-end token specific to a particular service unit's device identifier and address. The token requested by each device is different, and the tokens differ for each accessed service-providing device, so the security of service authorization is enhanced.
Fig. 10 is a schematic structural diagram illustrating a service access processing apparatus based on a unique token according to this embodiment, where the apparatus includes: a token obtaining module 1001, a token parsing module 1002, and a service access module 1003, wherein:
the token obtaining module 1001 is configured to obtain a token with a unique identifier sent by a sender, where the token is generated according to a device name and a device address of each device host;
the token parsing module 1002 is configured to decode the token according to a preset key to obtain a load of the token;
the service access module 1003 is configured to, if it is determined that the content of the load passes the verification, uniquely access the service corresponding to the token according to the token;
wherein, each device host comprises a device host of a network storage function NRF and a device host of an application function NF.
Specifically, the token obtaining module 1001 obtains a token with a unique identifier sent by a sender, where the token is generated according to a device name and a device address of each device host; the token parsing module 1002 decodes the token according to a preset key to obtain the load of the token; and if the service access module 1003 determines that the content of the load passes verification, the service corresponding to the token is uniquely accessed according to the token.
In the embodiment, the sender generates the globally unique token and sends the globally unique token to the receiver, and the receiver uniquely accesses the corresponding Service according to the token after decoding and verifying the token, so that the token can only be used from end to end, the security of authorization distribution under a 5G SBA (Service Based Architecture) Architecture is enhanced, and meanwhile, the operation flow is greatly simplified.
Further, on the basis of the above-mentioned embodiment of the apparatus, the load comprises: a token issuer, a token-oriented user, a token receiver, a token expiration time, and the service combination of the token;
the token issuer, the user to which the token is directed, and the token receiver each include a device hostname composed from a device name and a device address.
Further, on the basis of the foregoing apparatus embodiment, the service access module 1003 is specifically configured to determine that the content of the payload passes verification, and to uniquely access the service corresponding to the token according to the token, if the token issuer of the token is the device name and the device address of the device host of the NRF, the token-oriented user of the token is the device name and the device address of the device host of the NF that accesses the current service, and the token receiver of the token is the device name and the device address of the current service.
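The discovery procedure of fig. 9 and the three-way check just described (issuer = NRF host, subject = calling NF host, receiver = the service's own host) are shown below as an added example. This is illustrative code written for this page, not code from the patent or from the applicant. It assumes a JWT-like load with "iss", "sub", "aud", "scope" and "exp" fields, an HMAC-SHA256 tag under a shared secret standing in for the "preset key", constructed hostnames of the form name@address, a constructed scope name for the NRF's own registration/discovery services, and that the receiver already knows the caller's hostname from the transport (for example a mutually authenticated TLS session). The demo shows one per-instance token being accepted by its intended service and rejected when replayed at another instance, reused by another consumer, expired, or altered.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret standing in for the patent's "preset key".
PRESET_KEY = b"constructed-preset-key-for-illustration-only"
# Constructed scope name for the NRF's own registration/discovery services.
NRF_SCOPE = "nrf-registration-discovery"


def hostname(device_name, device_address):
    """Device hostname composed from a device name and a device address."""
    return f"{device_name}@{device_address}"


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer, subject, audience, scope, lifetime_s=300, now=None):
    """Build a load naming issuer, subject, audience, scope and expiry, and tag
    it with the preset key so the load cannot be altered in transit."""
    now = time.time() if now is None else now
    load = {"iss": issuer, "sub": subject, "aud": audience,
            "scope": scope, "exp": int(now) + lifetime_s}
    body = _b64(json.dumps(load, sort_keys=True).encode())
    tag = hmac.new(PRESET_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def decode_token(token):
    """Decode with the preset key; return the load, or None if the token is
    malformed or its tag does not verify."""
    try:
        body, tag = token.split(".")
        expected = hmac.new(PRESET_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        load = json.loads(_unb64(body))
        return load if isinstance(load, dict) else None
    except (ValueError, TypeError):
        return None


def verify_token(token, nrf_host, consumer_host, service_host, scope, now=None):
    """Receiver-side check: issuer is the NRF, subject is the NF that is calling
    (identity assumed known from the transport), audience is this very service,
    the scope matches and the token is unexpired."""
    load = decode_token(token)
    if load is None:
        return False
    now = time.time() if now is None else now
    return (load.get("iss") == nrf_host and load.get("sub") == consumer_host
            and load.get("aud") == service_host and load.get("scope") == scope
            and load.get("exp", 0) > now)


def nrf_discover(nrf_host, consumer_host, access_token, service_type, registry, now=None):
    """NRF side of the discovery procedure: check the consumer's access token,
    look up matching NF instances and mint one token per instance.
    Returns (400, None) on a failed check, else (201, [NF Profile + token])."""
    if not verify_token(access_token, nrf_host, consumer_host, nrf_host, NRF_SCOPE, now=now):
        return 400, None
    results = []
    for profile in registry:
        if profile["service"] == service_type:
            token = mint_token(nrf_host, consumer_host, profile["host"], service_type, now=now)
            results.append({"nfProfile": profile, "token": token})
    return 201, results


def _alter_load(token, **changes):
    """Rewrite the load without the key (no tag recomputation), to show the check fails."""
    body, tag = token.split(".")
    load = json.loads(_unb64(body))
    load.update(changes)
    return _b64(json.dumps(load, sort_keys=True).encode()) + "." + tag


def demo(now=1_700_000_000):
    """Run the flow on constructed hosts and report the outcome of each check."""
    nrf, amf1, amf2 = hostname("NRF-1", "10.0.0.1"), hostname("AMF-1", "10.0.1.5"), hostname("AMF-2", "10.0.1.6")
    registry = [  # constructed NF Profiles held by the NRF
        {"host": hostname("SMF-1", "10.0.2.1"), "service": "nsmf-pdusession"},
        {"host": hostname("SMF-2", "10.0.2.2"), "service": "nsmf-pdusession"},
        {"host": hostname("UDM-1", "10.0.3.1"), "service": "nudm-sdm"},
    ]
    access = mint_token(nrf, amf1, nrf, NRF_SCOPE, now=now)
    status, results = nrf_discover(nrf, amf1, access, "nsmf-pdusession", registry, now=now)
    smf1, smf2 = results[0]["nfProfile"]["host"], results[1]["nfProfile"]["host"]
    tok1, svc = results[0]["token"], "nsmf-pdusession"
    return {
        "discovery_status": status,
        "tokens_issued": len(results),
        "tokens_differ": tok1 != results[1]["token"],
        "accepted_at_smf1": verify_token(tok1, nrf, amf1, smf1, svc, now=now),
        "replayed_at_smf2": verify_token(tok1, nrf, amf1, smf2, svc, now=now),
        "reused_by_amf2": verify_token(tok1, nrf, amf2, smf1, svc, now=now),
        "after_expiry": verify_token(tok1, nrf, amf1, smf1, svc, now=now + 301),
        "altered_audience": verify_token(_alter_load(tok1, aud=smf2), nrf, amf1, smf2, svc, now=now),
        "service_token_at_nrf": nrf_discover(nrf, amf1, tok1, svc, registry, now=now)[0],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The token for SMF-1 is accepted only by SMF-1 and only when presented by AMF-1; the same token presented at SMF-2, or by AMF-2, or back to the NRF as if it were an access token, is rejected on the audience or subject fields, and rewriting the audience without the key breaks the tag.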
Further, on the basis of the above embodiment of the apparatus, the apparatus further comprises:
the request initiating module is used for initiating an access token request to a sender according to the message type of the HTTP message if the HTTP message is received;
correspondingly, the token obtaining module 1001 is specifically configured to, if an access token confirmation message returned by the sender is received, obtain the token with the unique identifier according to the access token confirmation message.
Further, on the basis of the above embodiment of the apparatus, the apparatus further comprises:
the token checking module is used for acquiring a target token according to a service discovery request and checking the target token if the service discovery request is received in the service discovery process;
and the token returning module is used for acquiring at least one corresponding instance information according to the service discovery request if the target token is judged to pass the verification, generating a corresponding token according to each instance information, and returning each token and the registration success information to the sender of the service discovery request.
The service access processing apparatus based on the unique token described in this embodiment may be used to execute the above method embodiments, and the principle and technical effect are similar, and are not described herein again.
Referring to fig. 11, the electronic device includes: a processor 1101, a memory 1102, and a bus 1103;
wherein the processor 1101 and the memory 1102 communicate with each other via the bus 1103;
and the processor 1101 is configured to call program instructions in the memory 1102 to perform the methods provided by the above-described method embodiments.
The present embodiments disclose a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the methods provided by the above-described method embodiments.
The present embodiments provide a non-transitory computer-readable storage medium storing computer instructions that cause the computer to perform the methods provided by the method embodiments described above.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
It should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A service access processing method based on a unique token is characterized by comprising the following steps:
obtaining a token with a unique identifier sent by a sender, wherein the token is generated according to the equipment name and the equipment address of each equipment host;
decoding the token according to a preset key to obtain the load of the token;
if the content of the load passes the verification, uniquely accessing the service corresponding to the token according to the token;
each equipment host comprises an equipment host with a network storage function NRF and an equipment host with an application function NF;
the load includes: a token issuer, a token-oriented user, a token receiver, a token expiration time, and the service combination of the token;
the token issuer, the user to which the token is directed, and the token receiver each include a device hostname composed from a device name and a device address.
2. The unique token-based service access processing method according to claim 1, wherein if it is determined that the content of the payload passes the verification, after uniquely accessing the service corresponding to the token according to the token, the method further comprises:
in the service discovery process, if a service discovery request is received, a target token is obtained according to the service discovery request, and the target token is verified;
and if the target token is judged to pass the verification, acquiring at least one corresponding instance information according to the service discovery request, generating a corresponding token according to each instance information, and returning each token and the registration success information to the sender of the service discovery request.
3. The unique token-based service access processing method according to claim 2, wherein if it is determined that the content of the payload passes the verification, uniquely accessing the service corresponding to the token according to the token specifically includes:
if the token issuer of the token is the device name and the device address of the device host of the NRF, the token-oriented user of the token is the device name and the device address of the device host accessing the NF of the current service, and the token receiver of the token is the device name and the device address of the current service, determining that the content of the load passes verification, and uniquely accessing the service corresponding to the token according to the token.
4. The unique token-based service access processing method according to any one of claims 1 to 3, wherein before obtaining the token with the unique identifier sent by the sender, where the token is generated according to the device name and the device address of each device host, the method further comprises:
if a hypertext transfer protocol (HTTP) message is received, initiating an access token request to a sender according to the message type of the HTTP message;
correspondingly, the obtaining of the token with the unique identifier sent by the sender specifically includes:
and if receiving an access token confirmation message returned by the sender, acquiring the token with the unique identifier according to the access token confirmation message.
5. A unique token based service access processing apparatus, comprising:
the token acquisition module is used for acquiring a token with a unique identifier sent by a sender, and the token is generated according to the equipment name and the equipment address of each equipment host;
the token analysis module is used for decoding the token according to a preset secret key to obtain the load of the token;
the service access module is used for uniquely accessing the service corresponding to the token according to the token if the content of the load is judged to pass the verification;
each equipment host comprises an equipment host with a network storage function NRF and an equipment host with an application function NF;
the load includes: a token issuer, a token-oriented user, a token receiver, a token expiration time, and the service combination of the token;
the token issuer, the user to which the token is directed, and the token receiver each include a device hostname composed from a device name and a device address.
6. The unique token-based service access processing apparatus of claim 5, the apparatus further comprising:
the token checking module is used for acquiring a target token according to a service discovery request and checking the target token if the service discovery request is received in the service discovery process;
and the token returning module is used for acquiring at least one corresponding instance information according to the service discovery request if the target token is judged to pass the verification, generating a corresponding token according to each instance information, and returning each token and the registration success information to the sender of the service discovery request.
7. The unique token-based service access processing apparatus according to claim 5, wherein the service access module is specifically configured to determine that the content of the payload is verified and uniquely access the service corresponding to the token according to the token, if the token issuer of the token is the device name and the device address of the device host of the NRF, the token-oriented user of the token is the device name and the device address of the device host of the NF that accesses the current service, and the token receiver of the token is the device name and the device address of the current service.
8. The unique token based service access handling apparatus according to any of claims 5-7, wherein the apparatus further comprises:
the request initiating module is used for initiating an access token request to a sender according to the message type of the HTTP message if the HTTP message is received;
correspondingly, the token obtaining module is specifically configured to obtain the token with the unique identifier according to the access token confirmation message if the access token confirmation message returned by the sender is received.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the unique token based service access processing method of any one of claims 1 to 4 when executing the program.
10. A non-transitory computer-readable storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the unique token based service access processing method according to any one of claims 1 to 4.
CN201910514369.7A 2019-06-14 2019-06-14 Service access processing method and device based on unique token Active CN112087412B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910514369.7A CN112087412B (en) 2019-06-14 2019-06-14 Service access processing method and device based on unique token


Publications (2)

Publication Number Publication Date
CN112087412A true CN112087412A (en) 2020-12-15
CN112087412B CN112087412B (en) 2021-09-28

Family

ID=73733928


Country Status (1)

Country Link
CN (1) CN112087412B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022141132A1 (en) * 2020-12-29 2022-07-07 Huawei Technologies Co., Ltd. Resource checking method for service-based interface and related device
CN114765622A (en) * 2021-01-13 2022-07-19 Nokia Technologies Oy Network function request error handling
WO2023016255A1 (en) * 2021-08-09 2023-02-16 Huawei Technologies Co., Ltd. Network function service authorization method and apparatus

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1460870A2 (en) * 2003-03-18 2004-09-22 FREQUENTIS GmbH Method and apparatus for the transmission of radio signals between a communications system and radio transmitters/receivers via a data network
US8583915B1 (en) * 2007-05-31 2013-11-12 Bby Solutions, Inc. Security and authentication systems and methods for personalized portable devices and associated systems
CN103716283A (en) * 2012-09-29 2014-04-09 International Business Machines Corporation Web service OAuth authentication method and system for processing in-flight calls
WO2019011751A1 (en) * 2017-07-14 2019-01-17 Telefonaktiebolaget Lm Ericsson (Publ) Home network control of authentication
CN109428875A (en) * 2017-08-31 2019-03-05 Huawei Technologies Co., Ltd. Discovery method and device based on service-based architecture
US10235226B1 (en) * 2018-07-24 2019-03-19 Cisco Technology, Inc. System and method for message management across a network
CN109688586A (en) * 2017-10-19 2019-04-26 ZTE Corporation Method, apparatus and computer-readable storage medium for network function authentication
CN109861968A (en) * 2018-12-13 2019-06-07 Ping An Technology (Shenzhen) Co., Ltd. Resource access control method, device, computer equipment and storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
RANJIT KAUR: "Enhanced cloud computing security and integrity verification via novel encryption techniques", 2014 International Conference on Advances in Computing, Communications and Informatics (ICACCI) *
赖俊宇: "Design and Implementation of a Network Traffic Management System" (网络流量管理系统设计与实现), China Master's Theses Full-text Database, Information Science and Technology Series *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant