CN114040404A - Data distribution method, system, device and storage medium - Google Patents


Info

Publication number
CN114040404A
Authority
CN
China
Prior art keywords
desensitization
data
authorization token
intermediate node
identity information
Legal status (as listed by Google Patents; an assumption, not a legal conclusion)
Pending
Application number
CN202111312467.6A
Other languages
Chinese (zh)
Inventor
刘国荣
沈军
吴国威
白景鹏
金华敏
Current Assignee (as listed by Google Patents; may be inaccurate)
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Events
Application CN202111312467.6A filed by China Telecom Corp Ltd
Priority to CN202111312467.6A
Publication of CN114040404A
Legal status: Pending

Classifications

All classifications fall under H Electricity > H04 Electric communication technique; the leaf codes and their parent groups are:

    • H04W12/084 Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol (H04W Wireless communication networks > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/08 Access security)
    • H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes (H04L Transmission of digital information, e.g. telegraphic communication > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/10 Protocols in which an application is distributed across nodes in the network)
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII] (H04W > H04W12/00)
    • H04W12/041 Key generation or derivation (H04W > H04W12/00 > H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA])
    • H04W12/0431 Key distribution or pre-distribution; Key agreement (H04W > H04W12/00 > H04W12/04 > H04W12/043 Key management using a trusted network node as an anchor)
    • H04W12/06 Authentication (H04W > H04W12/00)
    • H04W12/61 Time-dependent (H04W > H04W12/00 > H04W12/60 Context-dependent security)

Abstract

The invention provides a data distribution method, system, device and storage medium. The method comprises: performing information synchronization between a desensitization device on the application side and a data source, so that the desensitization device obtains the sensitive data, where the data source is located in a first network domain and the application side is located in a second network domain and additionally has an access device and an intermediate node; the intermediate node requesting from the data source an authorization token for the associated desensitization device, and sending the token together with the received identity information of the associated access device to the desensitization device; and the desensitization device desensitizing the sensitive data based on the identity information and the authorization token to obtain desensitized data, and returning the desensitized data to the intermediate node. The method and system solve the problem that conventional data distribution methods cannot guarantee the security of sensitive data once it has been sunk into a customized network or MEC.

Description

Data distribution method, system, device and storage medium
Technical Field
The present invention relates to the field of 5G communication technologies, and in particular, to a data distribution method, system, device, and storage medium.
Background
For an operator's large industry customers with high security requirements, a relatively closed, controllable and dedicated 5G network is built so that data does not leave the customer campus, protecting the customer's sensitive service information. 5G customized networks and MEC (Multi-access Edge Computing) are key technologies with which operators serve industry customers and meet their needs for digital transformation and upgrading.
For a 5G customized network, many customers need cross-campus interconnection and on-demand access to external networks, and the campus 5G network also involves numbering management, radio spectrum management and similar concerns, so customers still need connectivity through the public network and management under a unified numbering plan. A common deployment is therefore to deploy a customized 5G core network (5GC) in the customer campus and to perform authentication through the public network's AUSF/UDM network elements. For customers with high service-continuity requirements, for example a mine that deploys a 5G network underground for production, this still carries the risk that an interruption of public-network communication brings down the campus network.
To avoid this risk, the prior art deploys UDM network elements in both the public network and the customized network and keeps the two synchronized, so that the customized network's UDM can maintain service when the public network is interrupted. This scheme requires distributing key sensitive information such as the subscriber's long-term key, and its security then depends only on the protection offered by a virtualized network element, so the sensitive information is at considerable risk of leakage; for example, an attacker who obtains the key can clone the subscriber's USIM identity. Moreover, because the core key is a symmetric key, if it leaks it is impossible to determine whether the leak occurred in the public network or in the customized network.
For MEC, sensitive core-network data is likewise sunk to the edge to serve low-latency applications. Once the data is sunk, the question of how to secure its open use arises, i.e. how to guarantee the security of the sensitive data. For applications that require wide-area network coordination and use network exposure, 3GPP and ETSI define the Local NEF (Network Exposure Function) role so that low-latency applications can use exposed network capabilities; securing sensitive data is also a hard problem in the scenario where a Local NEF must process sensitive wide-area network data.
Disclosure of Invention
In view of the problems in the prior art, the invention aims to provide a data distribution method, system, device and storage medium that solve the problem that conventional data distribution methods cannot guarantee the security of sensitive data once it has been sunk into a customized network or MEC.
To achieve the above object, the invention provides a data distribution method comprising the following steps:
performing information synchronization between a desensitization device on the application side and a data source, so that the desensitization device obtains the sensitive data; the data source is located in a first network domain and the application side is located in a second network domain; the application side additionally has an access device and an intermediate node;
the intermediate node requesting from the data source an authorization token for the associated desensitization device, and sending the token together with the received identity information of the associated access device to the desensitization device; and
the desensitization device desensitizing the sensitive data based on the identity information and the authorization token to obtain desensitized data, and returning the desensitized data to the intermediate node.
Optionally, the desensitization device desensitizing the sensitive data based on the identity information and the authorization token comprises:
the desensitization device desensitizing the sensitive data based on the identity information, the authorization token and the received desensitization parameters, and computing the corresponding desensitized data.
Optionally, the information synchronization between the desensitization device on the application side and the data source comprises:
performing mutual authentication between the data source and the desensitization device, and establishing a first secure channel; and
the desensitization device performing sensitive-data synchronization and authorization-policy synchronization.
Optionally, the intermediate node requesting from the data source the authorization token of the associated desensitization device comprises:
performing mutual authentication between the intermediate node and the data source, and establishing a second secure channel;
the intermediate node sending first request information, requesting an authorization token, to the data source; and
the data source sending an authorization token to the intermediate node over the second secure channel in response to the first request information, the authorization token having a token validity period.
Optionally, sending the authorization token and the received identity information of the associated access device to the desensitization device further comprises:
the access device sending its identity information and second request information (a request to establish communication or to obtain data) to the intermediate node; and
the intermediate node sending the authorization token and the identity information to the desensitization device based on the second request information.
Optionally, the desensitization device computing desensitized data from the identity information and the authorization token comprises:
the desensitization device determining, according to the authorization policy, whether the access device is entitled to obtain desensitized data; and
if so, the desensitization device computing the desensitized data from the identity information, the authorization token and the received desensitization parameters.
Optionally, the desensitization device stores the sensitive data, and the desensitization device computing desensitized data based on the identity information, the authorization token and the received desensitization parameters comprises:
the desensitization device computing the desensitized data from the sensitive data, the identity information, the authorization token and the received desensitization parameters.
Optionally, the second network domain is a customized network based on a 5G core network and the first network domain is a public network based on a 5G core network; the intermediate node comprises a UDM network element and an AUSF network element; and the method comprises:
the UDM network element requesting from the data source an authorization token for the associated desensitization device, and sending the token together with the received identity information of the associated access device to the desensitization device;
the desensitization device computing a first intermediate key from the identity information, the authorization token and the received desensitization parameters, and returning the first intermediate key to the UDM network element;
the UDM network element computing an authentication vector from the first intermediate key; and
the AUSF network element authenticating the access device using the authentication vector.
Optionally, the second network domain is a 5G SNPN (Stand-alone Non-Public Network) and the first network domain is the network of a credentials holder, which has an AAA (Authentication, Authorization, Accounting) server; the credentials holder may be a 5G network operator or another third party. The intermediate node comprises a UDM network element, an AUSF network element and an NSSAAF (Network Slice-Specific and SNPN Authentication and Authorization Function) network element, and the method comprises:
the NSSAAF network element requesting from the data source an authorization token for the associated desensitization device, and sending the token together with the received identity information of the associated access device to the desensitization device;
the desensitization device computing a fourth intermediate key from the identity information, the authorization token and the received desensitization parameters, and returning the fourth intermediate key to the NSSAAF network element; and
the NSSAAF network element computing an authentication vector from the fourth intermediate key, authenticating the access device, and returning the result to the AUSF network element.
Optionally, the desensitization device exposes only an access interface to the outside, and the desensitization device desensitizing the sensitive data based on the identity information, the authorization token and the received desensitization parameters comprises:
the identity information, the authorization token and the received desensitization parameters being input to the desensitization device through the access interface, and the desensitization device computing the desensitized data corresponding to the sensitive data.
Optionally, the desensitized data is a second intermediate key, and the method further comprises:
the intermediate node authenticating the access device based on the second intermediate key.
The invention also provides a data distribution system comprising a data source and an application side, the data source being located in a first network domain and the application side in a second network domain; the application side has an intermediate node, an access device and a desensitization device;
the desensitization device is configured to perform information synchronization with the data source to obtain the sensitive data, to desensitize the sensitive data according to the received identity information of the associated access device and the authorization token to obtain desensitized data, and to return the desensitized data to the intermediate node; and
the intermediate node is configured to request from the data source the authorization token of the associated desensitization device, and to send the token together with the received identity information of the associated access device to the desensitization device.
The invention also provides a data distribution system for implementing the above data distribution method, comprising:
an information synchronization module for performing information synchronization between the desensitization device on the application side and the data source, so that the desensitization device obtains the sensitive data; the data source is located in a first network domain and the application side in a second network domain; the application side additionally has an access device and an intermediate node;
the intermediate node, which requests from the data source the authorization token of the associated desensitization device and sends the token together with the received identity information of the associated access device to the desensitization device; and
the desensitization device, which desensitizes the sensitive data based on the identity information and the authorization token to obtain desensitized data and returns the desensitized data to the intermediate node.
The present invention also provides a data distribution apparatus, comprising:
a processor;
a memory having stored therein an executable program of the processor;
wherein the processor is configured to perform the steps of any of the data distribution methods described above via execution of the executable program.
The present invention also provides a computer-readable storage medium storing a program which, when executed by a processor, performs the steps of any of the data distribution methods described above.
Compared with the prior art, the invention has the following advantages and notable effects:
with the data distribution method, system, device and storage medium provided by the invention, sensitive data need not be stored in the intermediate node. Only when the intermediate node needs to use the sensitive data is desensitized data distributed to it by the independent desensitization device, and the desensitization device exposes only the necessary interfaces, so that it operates, and is used under authorization, in a closed environment. As a result the security of the sensitive data can be guaranteed after it has been sunk into a customized network or MEC.
Drawings
Other features, objects and advantages of the present invention will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of a data distribution method according to an embodiment of the present invention;
fig. 2 is a schematic flowchart illustrating step S120 of a data distribution method according to an embodiment of the present invention;
FIG. 3 is a schematic view of a scenario in which the data distribution method disclosed in the embodiment of the present invention is applied;
FIG. 4 is a diagram illustrating a data distribution method according to another embodiment of the present invention;
FIG. 5 is a diagram illustrating a data distribution method according to another embodiment of the present invention;
FIG. 6 is a schematic diagram of another scenario in which the data distribution method disclosed in the embodiment of the present invention is applied;
FIG. 7 is a diagram illustrating a data distribution method according to another embodiment of the present invention;
FIG. 8 is a schematic structural diagram of a data distribution system according to an embodiment of the present invention;
fig. 9 is a schematic structural diagram of a token obtaining and sending module in a data distribution system according to an embodiment of the present invention;
fig. 10 is a schematic structural diagram of a data distribution device according to an embodiment of the present invention;
fig. 11 is a schematic structural diagram of a computer-readable storage medium according to an embodiment of the disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The same reference numerals in the drawings denote the same or similar structures, and thus their repetitive description will be omitted.
As shown in fig. 1, an embodiment of the invention discloses a data distribution method for distributing and using data between a data source and an application side. The method may be applied only in the case where direct communication between the access device and the data source is interrupted (network disconnection), or it may be applied in all cases.
The application side may comprise a desensitization device, an access device, a base station and an intermediate node. The data source is located in a first network domain and the application side in a second network domain. In this embodiment the method comprises the following steps:
and S110, carrying out information synchronization between the desensitization device and a data source to obtain sensitive data. In this embodiment, the step may include:
and S111, performing bidirectional authentication between the data source and the desensitization device, and establishing a first secure channel. And
and S112, the desensitization device performs sensitive data synchronization and authorization policy synchronization operations.
Specifically, the desensitization device needs to be authenticated by the desensitization device, and the desensitization device needs to authenticate the data source, and then a first secure channel is established between the data source and the desensitization device. Based on the first secure channel, the desensitization device requests the data source to perform sensitive data synchronization and authorization policy synchronization operations. The above-mentioned bidirectional verification can be realized by using the prior art, and is not described in detail in this application. After the desensitization device is synchronized, the desensitization device is loaded or upgraded according to the synchronization content, so that the desensitization device has data desensitization capability.
In one embodiment, the desensitizing device has safety safeguards. The desensitization device is a hardware device with physical attack prevention, and only provides necessary access interfaces for the outside.
In an embodiment, the data source includes a security module, and step S110 is to perform information synchronization between the desensitizing device and the security module.
In this embodiment, the authorization policy may include information such as an authorization token decryption policy (including information such as a decryption key and a decryption request entry), a synchronization period, and a synchronization interrupt handling policy. This is not limited by the present application and can be set as desired by one skilled in the art.
Illustratively, the second network domain may be a customized network based on a 5G core network. The first network domain may be a public network based on a 5G core network. The application may be a customer park. The intermediate node may be a network node in the customer park. This is not limited by the present application.
S120, the intermediate node requests from the data source an authorization token for the associated desensitization device, and sends the token together with the received identity information of the associated access device to the desensitization device. Specifically, as shown in fig. 2, in this embodiment step S120 comprises:
S121, performing mutual authentication between the intermediate node and the data source, and establishing a second secure channel.
S122, the intermediate node sending first request information, requesting the authorization token, to the data source.
S123, the data source sending the authorization token to the intermediate node over the second secure channel in response to the first request information. The authorization token contains the authorization to use the sensitive data and a token validity period, and it is encrypted.
S124, the access device sending its identity information and second request information (a request to establish communication or to obtain data) to the intermediate node. And
S125, the intermediate node sending the authorization token and the identity information to the desensitization device based on the second request information.
Specifically, the intermediate node must authenticate the data source and the data source must authenticate the intermediate node; this mutual authentication can be implemented with existing techniques and is not repeated here. The intermediate node then sends the first request information, requesting the authorization token, to the data source over the second secure channel.
On receiving the first request information, the data source responds by returning an authorization token to the intermediate node. The token allows the intermediate node to access the desensitization device, i.e. it authorizes the intermediate node: within the token's validity period the intermediate node can use the desensitization device normally and use it to handle accesses from the various access devices.
The second request information indicates that the access device needs to establish communication with the intermediate node or to obtain data. The identity information is associated with the access device. Note that the data the access device requests is desensitized data derived from the sensitive data: either desensitized data computed by the desensitization device, or data that the intermediate node obtains by further processing that desensitized data.
In one embodiment the data source comprises a security module, and the data interaction between the intermediate node and the data source is specifically interaction between the intermediate node and the security module.
S130, the desensitization device desensitizes the sensitive data based on the identity information and the authorization token to obtain desensitized data, and returns the desensitized data to the intermediate node.
Specifically, the authorization policy illustratively contains a whitelist of the access devices that may communicate with the intermediate node, and the desensitization device stores the sensitive data associated with each access device that it obtained through synchronization. The desensitization device determines, from the whitelist in the authorization policy and the identity information of the current access device, whether that device is entitled to obtain desensitized data, i.e. whether the whitelist contains its identity information. If it does, the desensitization device performs the desensitization computation on the sensitive data using the identity information, the authorization token and the received desensitization parameters, obtains the desensitized data and returns it to the intermediate node. The intermediate node then decides, according to actual requirements, whether to return the desensitized data to the access device or to process it further and return the result. If the access device is not entitled to obtain desensitized data, the process ends.
In this application the desensitization parameters may be generated directly by the intermediate node and sent to the desensitization device, or generated by the access device, sent to the intermediate node and forwarded by it to the desensitization device. They may be generated in a preset manner or by computation. The application does not limit this.
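The following is an added, self-contained example of steps S110 to S130 written for this page; it is not code from the patent or from China Telecom. It assumes, for illustration only: that the sensitive data is a per-subscriber long-term symmetric key K; that the security module issues the authorization token as an encrypt-then-MAC blob (an HMAC-SHA256 counter-mode keystream plus an HMAC tag, standing in for whichever cipher a deployment actually uses) whose decryption and verification keys reach the desensitization device only through the policy synchronization of S112; that the token names the intermediate node it was issued to and carries a validity window; and that the desensitized data is a key derived by HMAC from K, the access-device identity and the desensitization parameter, with the token used purely as an authorization gate, so that an access device holding the same K can reproduce the value. All identifiers, field names, IMSI-style identities and sample subscribers are constructed.

```python
"""Token issuance by the data source's security module and token-gated
desensitization by the desensitization device (steps S110 to S130).
Illustrative: every name, layout and the token construction is an assumption."""
import hashlib
import hmac
import json
import os
import struct

def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so distinct inputs never collide."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        m.update(struct.pack(">I", len(p)) + p)
    return m.digest()

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from the PRF (stand-in for a real AEAD cipher)."""
    return b"".join(prf(key, b"stream", nonce, struct.pack(">I", i))
                    for i in range(n // 32 + 1))[:n]

def seal_token(enc_key: bytes, mac_key: bytes, claims: dict) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    pt = json.dumps(claims, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, keystream(enc_key, nonce, len(pt))))
    return nonce + ct + prf(mac_key, b"tag", nonce, ct)

def open_token(enc_key: bytes, mac_key: bytes, token: bytes) -> dict:
    """Verify the tag in constant time before decrypting anything."""
    nonce, ct, tag = token[:16], token[16:-32], token[-32:]
    if not hmac.compare_digest(tag, prf(mac_key, b"tag", nonce, ct)):
        raise PermissionError("authorization token failed integrity check")
    return json.loads(bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct)))))

def derive_intermediate_key(k: bytes, identity: str, param: bytes) -> bytes:
    """Desensitized data: a key derived from K, bound to the device identity and the
    desensitization parameter. The token does not enter it, so an access device
    holding the same K can compute the same value."""
    return prf(k, b"intermediate-key", identity.encode(), param)

class SecurityModule:
    """Data-source side (first network domain): holds K for every subscriber."""

    def __init__(self, subscribers: dict, whitelist: set):
        self.subscribers = subscribers            # identity -> long-term key K
        self.whitelist = set(whitelist)
        self.enc_key, self.mac_key = os.urandom(32), os.urandom(32)

    def sync(self) -> tuple:
        """S112: sensitive data plus authorization policy (token keys, whitelist,
        sync period) over the first secure channel, whose setup is out of scope."""
        policy = {"token_enc_key": self.enc_key, "token_mac_key": self.mac_key,
                  "whitelist": set(self.whitelist), "sync_period_s": 3600}
        return dict(self.subscribers), policy

    def issue_token(self, node_id: str, now: int, ttl: int) -> bytes:
        """S123: token bound to the requesting intermediate node, with a validity period."""
        claims = {"node": node_id, "nbf": now, "exp": now + ttl, "use": "desensitize"}
        return seal_token(self.enc_key, self.mac_key, claims)

class DesensitizationDevice:
    """Application side: exposes only desensitize(); K never leaves the device."""

    def __init__(self, source: SecurityModule):
        self._subscribers, self._policy = source.sync()          # S110

    def desensitize(self, token: bytes, node_id: str, identity: str,
                    param: bytes, now: int) -> bytes:
        """S130: token, validity period and whitelist are checked before any key is derived."""
        claims = open_token(self._policy["token_enc_key"], self._policy["token_mac_key"], token)
        if claims["node"] != node_id:
            raise PermissionError("token was issued to a different intermediate node")
        if not claims["nbf"] <= now < claims["exp"]:
            raise PermissionError("token outside its validity period")
        if identity not in self._policy["whitelist"]:
            raise PermissionError(f"{identity} is not whitelisted by the policy")
        if identity not in self._subscribers:
            raise LookupError(f"no synchronized sensitive data for {identity}")
        return derive_intermediate_key(self._subscribers[identity], identity, param)

def request_is_refused(call) -> bool:
    """True when the desensitization device rejects a request (used for the checks)."""
    try:
        call()
    except (PermissionError, LookupError):
        return True
    return False

def demo(now: int = 1_700_000_000) -> dict:
    """One full run on constructed sample data; returns each party's view of it."""
    sm = SecurityModule({"imsi-460011234567890": os.urandom(32),   # constructed
                         "imsi-460019999999999": os.urandom(32)},
                        whitelist={"imsi-460011234567890"})
    dev = DesensitizationDevice(sm)
    token = sm.issue_token("udm-campus-1", now, ttl=600)
    param = os.urandom(16)            # desensitization parameter, fresh per run
    key = dev.desensitize(token, "udm-campus-1", "imsi-460011234567890", param, now)
    return {"key": key, "token": token, "param": param, "sm": sm, "dev": dev}
```

The ordering of the checks is the point: the device verifies the tag before decrypting, binds the token to the node that requested it, and rejects expired tokens and non-whitelisted identities before any key material is derived, so a stolen or replayed token yields nothing outside its node and validity window. The desensitization parameter should be fresh for every run; a repeated parameter reproduces the same derived key.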
In another embodiment of the application, a further data distribution method is disclosed. It builds on the embodiment above, with the desensitized data being a second intermediate key, and further comprises the step:
S140, the intermediate node authenticates the access device based on the second intermediate key. Specifically, in this embodiment the intermediate node receives the desensitized data, i.e. the second intermediate key, from the desensitization device and uses it to compute a first authentication vector. The first authentication vector contains the mutual authentication codes between the access device and the intermediate node (the code by which the access device verifies the intermediate node, and the code by which the intermediate node verifies the access device). The intermediate node sends the code by which the access device verifies the intermediate node, together with other parameters, to the access device. Because the access device also holds the sensitive data locally and can receive or generate the desensitization parameters itself, it can compute a third intermediate key from the desensitization parameters and the sensitive data, and then a second authentication vector from the third intermediate key. The second authentication vector likewise contains both mutual authentication codes. The access device verifies the intermediate node by comparing the received code with the corresponding code it computed from the third intermediate key; once that check passes, it sends the code by which the intermediate node verifies the access device, computed from the third intermediate key, to the intermediate node.
The intermediate node verifies the access device by comparing that code with the corresponding code computed from the second intermediate key. If the check passes, the access device is allowed to communicate with the intermediate node; otherwise it is not allowed to establish a connection.
For example, the check may be that the intermediate node compares whether the code computed from the second intermediate key and the corresponding code computed from the third intermediate key are identical: if they are identical the check passes, otherwise it fails. This check, the computation of the first authentication vector from the second intermediate key, and the computation of the second authentication vector from the third intermediate key may also be implemented with reference to existing techniques; the application does not limit them.
Thus the intermediate node does not need to store sensitive data: when an access device needs to communicate with the intermediate node, the independent desensitization device distributes desensitized data to the intermediate node, and that desensitized data is used for authentication, so the sensitive data remains secure after being sunk. After communication between the customized network and the public network is interrupted, the access device can still continue to communicate, and to work with the sensitive data, through the desensitization device and the customized network, without disrupting the normal operation of the customer campus.
In another embodiment of the present application, as shown in fig. 3, the intermediate node 34 has a UDM (Unified Data Management) network element 35 and an AUSF (Authentication Server Function) network element 36. The first network domain in which the corresponding data source 31 is located may be a public network based on a 5G core network. The data source 31 has a security module 32. The security module 32, the desensitization device 33 and the intermediate node 34 communicate with each other, and the access device 37 communicates with the intermediate node 34 through the base station. As shown in fig. 4, this embodiment also discloses a data distribution method. The method includes steps S210, S220, S230, and S240.
In this embodiment, step S210 is: the desensitization device 33 synchronizes information with the security module 32 to obtain sensitive data.
Step S220 is: the UDM network element 35 requests the data source 31 for the authorization token associated with the desensitization device 33, and sends the authorization token and the received identity information of the associated access device 37 to the desensitization device 33.
Step S230 is: the desensitization device 33 performs desensitization processing on the sensitive data according to the identity information, the authorization token and the received desensitization parameter to obtain a first intermediate key, and returns the first intermediate key to the intermediate node 34.
Step S240 is: the UDM network element 35 calculates an authentication vector based on the first intermediate key. The AUSF network element 36 verifies the access device 37 based on the authentication vector.
In another embodiment of the present application, the second network domain is a 5G SNPN network. The first network domain is the network where a credential holder is located and has an AAA server. The credential holder may be a 5G network operator or another third-party network. The intermediate node is provided with a UDM network element, an AUSF network element and an NSSAAF network element. As shown in fig. 5, this embodiment also discloses a data distribution method. The method comprises step S110 and steps S320, S330 and S340.
In this embodiment, step S320 is: the NSSAAF network element requests the data source for the authorization token of the associated desensitization device, and sends the authorization token and the received identity information of the associated access device to the desensitization device.
Step S330 is: the desensitization device calculates a fourth intermediate key from the identity information, the authorization token and the received desensitization parameters, and returns the fourth intermediate key to the NSSAAF network element.
Step S340 is: the NSSAAF network element calculates an authentication vector based on the fourth intermediate key, verifies the access device, and returns the verification result to the AUSF network element. After the verification passes, the access device is allowed to communicate with the SNPN network. Otherwise, the access device is not allowed to communicate with the SNPN network, and the process ends.
In another embodiment of the present application, as shown in fig. 6, the intermediate node 34 is an MEC node 38. The first network domain in which the corresponding data source 31 is located may be a 5G core network. The data source 31 has a security module 32. The security module 32, the desensitization device 33 and the MEC node 38 communicate with each other, and the access device 37 communicates with the MEC node 38 through the base station. As shown in fig. 7, this embodiment also discloses a data distribution method. The method includes steps S410, S420, and S430.
In this embodiment, step S410 is: the desensitizing device 33 synchronizes information with the security module 32.
Step S420 is: the MEC node 38 requests the data source 31 for the authorization token associated with the desensitization device 33, and sends the authorization token and the received identity information of the associated access device 37 to the desensitization device 33.
Step S430 is: after determining that the access device has the access right according to the identity information and the authorization token, the desensitization device 33 performs desensitization processing on the sensitive data to obtain desensitization data, and returns the desensitization data to the MEC node 38. The MEC node 38 may then return desensitization data to the access device 37 as needed, or based on results of desensitization data processing.
It should be noted that the desensitization device and the security module of the data source in all of the above embodiments may be implemented by hardware, such as a physical gateway, by software, or by a combination of software and hardware. The desensitization device exposes only the interfaces necessary for its operation and authorized use in a closed environment, and therefore has high security.
It should be noted that, in other embodiments, the data source may also be located in a 6G core network or a public network based on the 6G core network. Accordingly, other roles of the above embodiments may also be based on 6G networks. This application is not repeated.
According to the embodiments of the application, sensitive data does not need to be stored in the intermediate node. When the access device needs to communicate with the intermediate node, the independent desensitization device sends the desensitized data, or the result of processing the desensitized data, to the access device. Since the desensitization device exposes only the necessary interfaces, it operates and is used under authorization in a closed environment, so the security of the sensitive data can be guaranteed after it sinks to a given network or MEC.
It should be noted that all the above embodiments disclosed in the present application can be freely combined, and the technical solutions obtained by combining them are also within the scope of the present application.
An embodiment of the invention also discloses a data distribution system, which comprises a data source and an application end. The data source is located in a first network domain, and the application end is located in a second network domain; the application end is provided with an intermediate node, an access device and a desensitization device.
The desensitization device is configured to perform information synchronization with a data source to obtain sensitive data, perform desensitization processing on the sensitive data according to the received identity information and the authorization token of the associated access device to obtain desensitization data, and return the desensitization data to the intermediate node.
The intermediate node is configured to request the data source to acquire the authorization token of the associated desensitization device, and send the authorization token and the received identity information of the associated access device to the desensitization device.
As shown in fig. 8, an embodiment of the present invention further discloses a data distribution system 5, which includes:
an information synchronization module 51, which performs information synchronization between the data source and the desensitization device of the application end to obtain sensitive data. The data source is located in a first network domain, and the application end is located in a second network domain; the application end is also provided with an access device and an intermediate node.
a token obtaining and sending module 52, in which the intermediate node requests the data source for the authorization token of the associated desensitization device, and sends the authorization token and the received identity information of the associated access device to the desensitization device. And
a desensitization processing module 53, in which the desensitization device performs desensitization processing on the sensitive data based on the identity information and the authorization token to obtain desensitization data, and returns the desensitization data to the intermediate node.
In another embodiment of the present application, the desensitization processing module 53 includes:
a desensitization data generation module 531, in which the desensitization device calculates desensitization data from the identity information and the authorization token, and returns the desensitization data to the intermediate node. And
an access device authentication module 532, in which the intermediate node authenticates the access device based on the desensitization data, and communication between the intermediate node and the access device is established after the authentication passes.
As shown in fig. 9, in another embodiment of the present application, the token obtaining and sending module 52 may include:
a second secure channel establishing unit 521, which performs bidirectional verification between the intermediate node and the data source and establishes a second secure channel.
a first request information sending unit 522, in which the intermediate node sends first request information for obtaining an authorization token to the data source.
a token sending unit 523, configured so that the data source sends an authorization token to the intermediate node based on the first request information and the second secure channel, where the authorization token has a token validity period.
a second request information sending unit 524, in which the access device sends its identity information and second request information, requesting to establish communication or to obtain desensitization data, to the intermediate node. And
an encryption request unit 525, configured so that the intermediate node sends the authorization token and the identity information to the desensitization device based on the second request information.
It will be appreciated that the data distribution system of the present invention also includes other existing functional modules that support the operation of the data distribution system. The data distribution system shown in fig. 8 is only an example, and should not bring any limitation to the function and the scope of use of the embodiments of the present invention.
The data distribution system in this embodiment is used to implement the data distribution method, so for specific implementation steps of the data distribution system, reference may be made to the description of the data distribution method, and details are not described here again.
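The token issuance with a validity period, the policy check in the desensitization device, and the mutual verification of step S140 (units 521 to 525 above), as an added Python simulation that is not the patent's own code. The HMAC-based key derivation, the token format, the MAC key shared during synchronization, and the assumption that the intermediate node forwards the nonce, desensitization parameter and token to the access device as its "other parameters" are all mine.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets


def derive_intermediate_key(sensitive: bytes, identity: str, token: bytes, param: bytes) -> bytes:
    # Desensitization as a keyed derivation (assumed HMAC): the output binds identity, token and
    # desensitization parameter but reveals nothing about the sensitive data itself.
    return hmac.new(sensitive, b"|".join([identity.encode(), token, param]), hashlib.sha256).digest()


def auth_codes(key: bytes, identity: str, nonce: bytes) -> tuple[bytes, bytes]:
    # Authentication vector: (code by which the device verifies the node, code by which the node
    # verifies the device), both derived from the same intermediate key.
    node_to_dev = hmac.new(key, b"node->dev|" + identity.encode() + nonce, hashlib.sha256).digest()
    dev_to_node = hmac.new(key, b"dev->node|" + identity.encode() + nonce, hashlib.sha256).digest()
    return node_to_dev, dev_to_node


class DataSource:  # first network domain: holds sensitive data and the authorization policy
    def __init__(self, sensitive: bytes, policy: set[str], token_key: bytes):
        self.sensitive, self.policy, self.token_key = sensitive, policy, token_key

    def sync(self, desens: DesensitizationDevice) -> None:
        # Claim 3: sensitive data and authorization strategy synchronised over the first secure
        # channel (channel setup omitted; sharing the token MAC key this way is an assumption).
        desens.sensitive, desens.policy, desens.token_key = self.sensitive, set(self.policy), self.token_key

    def issue_token(self, desens_id: str, now: int, lifetime: int = 600) -> bytes:
        # Unit 523: token bound to one desensitization device, MAC-protected, with a validity period.
        body = f"{desens_id}|{now}|{now + lifetime}".encode()
        return body + b"|" + hmac.new(self.token_key, body, hashlib.sha256).hexdigest().encode()


class DesensitizationDevice:  # application end; desensitize() is its only exposed interface (claim 9)
    def __init__(self, desens_id: str):
        self.desens_id, self.sensitive, self.policy, self.token_key = desens_id, b"", set(), b""

    def _token_ok(self, token: bytes, now: int) -> bool:
        desens_id, issued, expires, mac = token.decode().split("|")
        body = f"{desens_id}|{issued}|{expires}".encode()
        expected = hmac.new(self.token_key, body, hashlib.sha256).hexdigest()
        return (hmac.compare_digest(expected, mac) and desens_id == self.desens_id
                and int(issued) <= now < int(expires))

    def desensitize(self, identity: str, token: bytes, param: bytes, now: int) -> bytes | None:
        # Claim 6: refuse unless the token is valid and the identity is permitted by the policy.
        if not self._token_ok(token, now) or identity not in self.policy:
            return None
        return derive_intermediate_key(self.sensitive, identity, token, param)  # second intermediate key


class AccessDevice:  # keeps its own copy of the sensitive data, as S140 states
    def __init__(self, identity: str, sensitive: bytes):
        self.identity, self.sensitive = identity, sensitive

    def respond(self, nonce: bytes, param: bytes, token: bytes, code_for_node: bytes) -> bytes | None:
        # The "other parameters" forwarded by the node are assumed to be nonce, parameter and token.
        k3 = derive_intermediate_key(self.sensitive, self.identity, token, param)  # third intermediate key
        expect_node, my_code = auth_codes(k3, self.identity, nonce)
        if not hmac.compare_digest(expect_node, code_for_node):
            return None  # device rejects the intermediate node
        return my_code  # the code by which the node verifies the device


class IntermediateNode:  # stores no sensitive data, only the token and per-session keys
    def __init__(self, desens: DesensitizationDevice):
        self.desens, self.token = desens, b""

    def fetch_token(self, source: DataSource, now: int) -> None:
        self.token = source.issue_token(self.desens.desens_id, now)  # units 522-523

    def authenticate(self, device: AccessDevice, now: int) -> bool:
        # Units 524-525, then S140: forward token + identity, derive the vector, verify both ways.
        param, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
        k2 = self.desens.desensitize(device.identity, self.token, param, now)
        if k2 is None:
            return False
        code_for_device, code_for_node = auth_codes(k2, device.identity, nonce)
        response = device.respond(nonce, param, self.token, code_for_device)
        return response is not None and hmac.compare_digest(response, code_for_node)


def run_scenarios(now: int = 1_700_000_000) -> dict[str, bool]:
    # Constructed scenarios: one legitimate device and three that must be denied.
    secret = secrets.token_bytes(32)
    source = DataSource(secret, {"dev-A", "dev-B"}, secrets.token_bytes(32))
    desens = DesensitizationDevice("desens-1")
    source.sync(desens)
    node = IntermediateNode(desens)
    node.fetch_token(source, now)
    return {
        "legitimate": node.authenticate(AccessDevice("dev-A", secret), now),
        "wrong_credential": node.authenticate(AccessDevice("dev-B", secrets.token_bytes(32)), now),
        "not_in_policy": node.authenticate(AccessDevice("dev-C", secret), now),
        "expired_token": node.authenticate(AccessDevice("dev-A", secret), now + 601),
    }
```

Only the desensitization device and the access device ever hold the sensitive data; the intermediate node sees just tokens and derived keys, which is the property the embodiments above rely on.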
The embodiment of the invention also discloses a data distribution device, which comprises a processor and a memory, wherein the memory stores an executable program of the processor; the processor is configured to perform the steps of the above-described data distribution method via execution of the executable program. Fig. 10 is a schematic structural diagram of the data distribution device disclosed in the present invention. An electronic device 600 according to this embodiment of the invention is described below with reference to fig. 10. The electronic device 600 shown in fig. 10 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 10, the electronic device 600 is embodied in the form of a general purpose computing device. The components of the electronic device 600 may include, but are not limited to: at least one processing unit 610, at least one memory unit 620, a bus 630 connecting the different platform components (including the memory unit 620 and the processing unit 610), a display unit 640, etc.
Wherein the storage unit stores program code which can be executed by the processing unit 610 such that the processing unit 610 performs the steps according to various exemplary embodiments of the present invention as described in the above-mentioned data distribution method section of the present specification. For example, processing unit 610 may perform the steps as shown in fig. 1.
The storage unit 620 may include readable media in the form of volatile memory units, such as a random access memory unit (RAM)6201 and/or a cache memory unit 6202, and may further include a read-only memory unit (ROM) 6203.
The memory unit 620 may also include a program/utility 6204 having a set (at least one) of program modules 6205, such program modules 6205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Bus 630 may be one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 600 may also communicate with one or more external devices 700 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 600, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 600 to communicate with one or more other computing devices. Such communication may occur via an input/output (I/O) interface 650. Also, the electronic device 600 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the Internet) via the network adapter 660. The network adapter 660 may communicate with other modules of the electronic device 600 via the bus 630. It should be appreciated that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the electronic device 600, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage platforms, to name a few.
The invention also discloses a computer readable storage medium for storing a program, which when executed implements the steps in the data distribution method. In some possible embodiments, the various aspects of the invention may also be implemented in the form of a program product comprising program code means for causing a terminal device to carry out the steps according to various exemplary embodiments of the invention described in the above-mentioned data distribution method of the present description, when the program product is run on the terminal device.
As shown above, when the program of the computer-readable storage medium of this embodiment is executed, it is realized that the sensitive data does not need to be stored in the intermediate node, when the access device needs to communicate with the intermediate node, the desensitized data after desensitization is distributed to the access device through the independent desensitization device, and the desensitization data is used for authentication, and the desensitization device only exposes necessary interfaces, so that the operations and authorized use in a closed environment are realized, and further, after the sensitive data sinks to a given network or MEC, the security of the sensitive data can be ensured.
Fig. 11 is a schematic structural diagram of a computer-readable storage medium of the present invention. Referring to fig. 11, a program product 800 for implementing the above method according to an embodiment of the present invention is described, which may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present invention is not limited in this regard and, in the present document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable storage medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable storage medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a readable storage medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The data distribution method, system, device and storage medium provided by the embodiments of the invention ensure that sensitive data does not need to be stored in the intermediate node: only desensitized data is distributed to the intermediate node, through the independent desensitization device, when the intermediate node needs to make use of the sensitive data. The desensitization device exposes only the necessary interfaces, thereby operating and being used under authorization in a closed environment, so that the security of the sensitive data can be ensured after it sinks to a given network or MEC.
The foregoing is a more detailed description of the invention in connection with specific preferred embodiments and it is not intended that the invention be limited to these specific details. For those skilled in the art to which the invention pertains, several simple deductions or substitutions can be made without departing from the spirit of the invention, and all shall be considered as belonging to the protection scope of the invention.

Claims (14)

1. A method for data distribution, comprising the steps of:
carrying out information synchronization between a desensitization device of an application end and a data source to obtain sensitive data; the data source is positioned in a first network domain, and the application end is positioned in a second network domain; the application end is also provided with an access device and an intermediate node;
the intermediate node requests a data source to acquire an authorization token of an associated desensitization device, and sends the authorization token and the received identity information of the associated access equipment to the desensitization device;
and the desensitization device performs desensitization processing on the sensitive data based on the identity information and the authorization token to obtain desensitization data, and returns the desensitization data to the intermediate node.
2. The data distribution method of claim 1, wherein the desensitization device desensitizes the sensitive data based on the identity information and the authorization token, comprising:
the desensitization device desensitizes the sensitive data based on the identity information, the authorization token and the received desensitization parameters, and calculates the corresponding desensitization data.
3. The data distribution method of claim 1, wherein the information synchronization between the desensitization device of the application and the data source comprises:
bidirectional verification is carried out between the data source and the desensitization device, and a first safety channel is established;
the desensitization device performs sensitive data synchronization and authorization strategy synchronization.
4. The data distribution method of claim 1, wherein the intermediate node requesting the data source for the authorization token of the associated desensitization device comprises:
performing bidirectional verification between the intermediate node and the data source, and establishing a second secure channel;
the intermediate node sends first request information for obtaining an authorization token to the data source;
the data source sends an authorization token to the intermediate node based on the first request message and the second secure channel, the authorization token having a token validity period.
5. The data distribution method of claim 1, wherein sending the authorization token and the received identity information of the associated access device to a desensitization apparatus further comprises:
the access device sends identity information and second request information, requesting to establish communication or to acquire data, to the intermediate node;
the intermediate node sends the authorization token and the identity information to a desensitization device based on the second request information.
6. The data distribution method of claim 3, wherein the desensitization device computationally generates desensitization data based on the identity information and the authorization token, comprising:
the desensitization device judges whether the access equipment has the authority of obtaining desensitization data or not according to the authorization strategy;
and if so, the desensitization device calculates and generates desensitization data according to the identity information, the authorization token and the received desensitization parameters.
7. The data distribution method according to claim 2, wherein the desensitization device stores the sensitive data; the desensitization device generating desensitization data by calculation based on the identity information, the authorization token and the received desensitization parameters comprises:
and the desensitization device calculates and generates desensitization data according to the sensitive data, the identity information, the authorization token and the received desensitization parameters.
8. The data distribution method according to claim 2, wherein the second network domain is a customized network based on a 5G core network, and the first network domain is a public network based on the 5G core network; the intermediate node is provided with a UDM network element and an AUSF network element; the method comprises the following steps:
the UDM network element requests a data source to acquire an authorization token of the associated desensitization device, and sends the authorization token and the received identity information of the associated access equipment to the desensitization device;
the desensitization device calculates a first intermediate key according to the identity information, the authorization token and the received desensitization parameters, and returns the first intermediate key to the UDM network element;
the UDM network element calculates to obtain an authentication vector based on the first intermediate key;
and the AUSF network element verifies the access equipment based on the authentication vector.
9. The data distribution method according to claim 2, wherein the desensitization device provides only an access interface to the outside; the desensitization device desensitizing the sensitive data based on the identity information, the authorization token and the received desensitization parameters comprises:
the identity information, the authorization token and the received desensitization parameters are input into the desensitization device from the access interface, and the desensitization device calculates desensitization data corresponding to the sensitive data.
10. The data distribution method of claim 2, wherein the desensitization data is a second intermediate key; the method further comprises the steps of:
the intermediate node authenticates the access device based on the second intermediate key.
11. A data distribution system is characterized in that the system comprises a data source and an application end, wherein the data source is positioned in a first network domain, and the application end is positioned in a second network domain; the application end is provided with an intermediate node, access equipment and a desensitization device;
the desensitization device is set to perform information synchronization with a data source to obtain sensitive data, perform desensitization processing on the sensitive data according to received identity information and an authorization token of associated access equipment to obtain desensitization data, and return the desensitization data to the intermediate node;
the intermediate node is set to request the data source to acquire the authorization token of the associated desensitization device and send the authorization token and the received identity information of the associated access equipment to the desensitization device.
12. A data distribution system for implementing the data distribution method according to claim 1, the system comprising:
the information synchronization module is used for carrying out information synchronization between the desensitization device of the application end and the data source to obtain sensitive data; the data source is positioned in a first network domain, and the application end is positioned in a second network domain; the application end is also provided with an access device and an intermediate node;
the intermediate node requests the data source to acquire an authorization token of the associated desensitization device and sends the authorization token and the received identity information of the associated access equipment to the desensitization device;
and the desensitization device performs desensitization processing on the sensitive data based on the identity information and the authorization token to obtain desensitization data, and returns the desensitization data to the intermediate node.
13. A data distribution apparatus, characterized by comprising:
a processor;
a memory having stored therein an executable program of the processor;
wherein the processor is configured to perform the steps of the data distribution method of any one of claims 1 to 10 via execution of the executable program.
14. A computer-readable storage medium storing a program which, when executed by a processor, implements the steps of the data distribution method of any one of claims 1 to 10.
CN202111312467.6A 2021-11-08 2021-11-08 Data distribution method, system, device and storage medium Pending CN114040404A (en)

Publications (1)

Publication Number Publication Date
CN114040404A true CN114040404A (en) 2022-02-11

Family

ID=80143161

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111312467.6A Pending CN114040404A (en) 2021-11-08 2021-11-08 Data distribution method, system, device and storage medium

Country Status (1)

Country Link
CN (1) CN114040404A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114900879A (en) * 2022-03-29 2022-08-12 中国电信股份有限公司 Data synchronization method and system, information intercommunication gateway and network equipment

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8225091B1 (en) * 2004-03-30 2012-07-17 Crimson Corporation Systems and methods for protecting sensitive files from unauthorized access
CN106407843A (en) * 2016-10-17 2017-02-15 深圳中兴网信科技有限公司 Data desensitization method and data desensitization device
CN110245505A (en) * 2019-05-20 2019-09-17 中国平安人寿保险股份有限公司 Tables of data access method, device, computer equipment and storage medium
CN110290060A (en) * 2019-07-15 2019-09-27 腾讯科技(深圳)有限公司 A kind of internetwork communication method, apparatus and storage medium
CN110750786A (en) * 2019-10-30 2020-02-04 上海观安信息技术股份有限公司 Method and system for detecting abnormal access behavior of account to sensitive data
CN112115482A (en) * 2020-09-16 2020-12-22 安徽长泰信息安全服务有限公司 Big data-based data security monitoring system for protecting data
CN112822675A (en) * 2021-01-11 2021-05-18 北京交通大学 MEC environment-oriented OAuth 2.0-based single sign-on mechanism
CN113591119A (en) * 2021-08-09 2021-11-02 国家工业信息安全发展研究中心 Cross-domain identification analysis node data privacy protection and safety sharing method and system

Non-Patent Citations (1)

Title
Zhuang Xiaojun, Yang Bo, Wang Xu, Peng Jin: "Research on mobile edge computing security", Telecom Engineering Technics and Standardization, vol. 31, no. 255 *

Cited By (1)

Publication number Priority date Publication date Assignee Title
CN114900879A (en) * 2022-03-29 2022-08-12 China Telecom Corp Ltd Data synchronization method and system, information intercommunication gateway and network equipment

Similar Documents

Publication Publication Date Title
KR102377187B1 (en) Method and apparatus for processing privacy data of block chain, device, storage medium
AU2018250465B2 (en) Secondary device as key for authorizing access to resources
KR102424055B1 (en) Apparatus and Method for Providing API Authentication using Two API Tokens
US9374360B2 (en) System and method for single-sign-on in virtual desktop infrastructure environment
EP2999189B1 (en) Network authentication method for secure electronic transactions
CN108322416B (en) Security authentication implementation method, device and system
KR20150045790A (en) Method and Apparatus for authenticating and managing an application using trusted platform module
CN104426659A (en) Dynamic password generating method, authentication method, authentication system and corresponding equipment
CN111200593A (en) Application login method and device and electronic equipment
CN113674456A (en) Unlocking method, unlocking device, electronic equipment and storage medium
US20080313720A1 (en) System, Device and Method for Conducting Secure Economic Transactions
KR20180087543A (en) Key management method and fido authenticator software authenticator
CN111431840A (en) Security processing method and device
CN114040404A (en) Data distribution method, system, device and storage medium
CN114286342A (en) Authentication method, system, electronic device, and computer-readable storage medium
WO2021170049A1 (en) Method and apparatus for recording access behavior
CN109995774B (en) Key authentication method, system, device and storage medium based on partial decryption
US20240113898A1 (en) Secure Module and Method for App-to-App Mutual Trust Through App-Based Identity
KR20150096979A (en) Apparatus and Method for providing home network access control
CN114885326A (en) Bank mobile operation safety protection method, device and storage medium
CN110493236B (en) Communication method, computer equipment and storage medium
KR20130101640A (en) Apparatus and method for drm/cas service using security context
CN114024682A (en) Cross-domain single sign-on method, service equipment and authentication equipment
CN111079109A (en) Local security authorization login method and system compatible with multiple browsers
KR102498688B1 (en) Method and system for providing authentication service

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination