CN115802341A - Communication method and device for 5G system, electronic device and storage medium - Google Patents


Info

Publication number
CN115802341A
Authority
CN
China
Prior art keywords
data
authenticated
text file
production control
area
Prior art date
Legal status
Pending
Application number
CN202310045194.6A
Other languages
Chinese (zh)
Inventor
伍轶聪
陈海霞
吴桦
王志刚
彭志彬
Current Assignee
Beijing Yaxin Xingyuan Technology Co ltd
Original Assignee
Beijing Yaxin Xingyuan Technology Co ltd

Abstract

The embodiment of the application provides a communication method and device for a 5G system, the 5G system itself, electronic equipment and a storage medium, and relates to the technical field of 5G communication. The method comprises the following steps: receiving a first text file sent by an enterprise production control large area, wherein the first text file is generated based on first to-be-authenticated data generated by a private network deployed in the enterprise production control large area, and the protocol type of the first to-be-authenticated data is the protocol type used inside the private network; parsing the first text file to obtain second to-be-authenticated data, wherein the protocol type of the second to-be-authenticated data is the protocol type suitable for the operator public network; and encrypting the second to-be-authenticated data and sending the encrypted second to-be-authenticated data to the operator public network. The embodiment of the application ensures the absolute security of the data of the enterprise production control large area and satisfies the power-industry regulations.

Description

Communication method and device for 5G system, electronic device and storage medium
Technical Field
The present application relates to the field of 5G communication technologies, and in particular, to a communication method and apparatus for a 5G system, an electronic device, and a storage medium.
Background
The arrival of the 5G era has driven further development of communication technology. The "kite" solution is a dedicated-network solution built on the operator's public 5G network, and its private network comes in models of S (small), M (medium) and L (large) specifications. The M and L modes of the "kite" solution adopt embedded deployment: the private network is placed inside the enterprise or park, so that user data is guaranteed not to leave the park. Besides the private network's core network user plane network element UPF (User Plane Function), an emergency core network control plane CP (Core network control Plane) is also deployed in the private network. When the connection between the private network and the public network is interrupted unexpectedly, the emergency CP temporarily replaces the CP of the public network and takes over the services between the private network and the operator public network's CP, keeping the related services running while the line is down. After the connection between the private network and the operator public network is restored, the data held in the emergency CP is synchronized to the operator public network's CP, the connection between the emergency CP and the private network is disconnected, and the private network's network elements (UPF and gNB) resume interacting with the operator public network's CP, restoring the normal working state.
However, no matter the UPF, the gNB or the emergency CP of the private network is directly connected to the public network of the operator, when data transmission is performed between the private network and the public network of the operator, a link for transmitting data belongs to a link of the public network of the operator, which causes that the transmitted data is easy to leak, and once the transmitted data is leaked, a rule for transmitting data inside the private network is likely to be leaked, so that a data security problem exists.
Disclosure of Invention
The embodiment of the application provides a communication method and device of a 5G system, the 5G system, electronic equipment, a computer readable storage medium and a computer program product, which are used for solving the technical problems in the background art.
According to an aspect of an embodiment of the present application, a communication method of a 5G system is provided, where the 5G system includes an enterprise production control large area, a secure access area, and an operator public network, the method includes:
receiving a first text file sent by an enterprise production control area, wherein the first text file is generated based on first to-be-authenticated data generated by a private network deployed in the enterprise production control area, and the protocol type of the first to-be-authenticated data is the protocol type in the private network;
analyzing the first text file to obtain second data to be authenticated, wherein the protocol type of the second data to be authenticated is the protocol type suitable for the public network of the operator;
and encrypting the second data to be authenticated, and sending the encrypted second data to be authenticated to the public network of the operator.
In a possible implementation manner, the sending the encrypted second data to be authenticated to the operator public network further includes:
receiving a target signaling returned by the operator public network aiming at the encrypted second data to be authenticated, wherein the target signaling comprises an authentication result obtained by decrypting and authenticating the second data to be authenticated by the operator public network;
and generating a second text file corresponding to the target signaling, and sending the second text file to the enterprise production control area.
In one possible implementation manner, a forward isolation gatekeeper and a reverse isolation gatekeeper are arranged between the enterprise production control large area and the secure access area;
receiving a first text file sent by the enterprise production control area comprises:
receiving a first text file ferried by the enterprise production control large area through the forward isolation gatekeeper;
sending the second text file to the enterprise production control area comprises:
ferrying the second text file to the enterprise production control large area through the reverse isolation gatekeeper.
In one possible implementation manner, the security access area comprises a file synchronization area and a front network element;
the file synchronization area is used for receiving a first text file which is ferried by the enterprise production control area through the forward isolation gatekeeper and sending the first text file to the front-end network element;
the preposed network element is used for analyzing the first text file to obtain second data to be authenticated, encrypting the second data to be authenticated and sending the encrypted second data to be authenticated to an operator public network;
the preposed network element is also used for receiving a target signaling sent by an operator public network, generating a second text file corresponding to the target signaling and sending the second text file to the file synchronization area;
the file synchronization area is also used for ferrying the second text file to the enterprise production control area through the reverse isolation gatekeeper.
In one possible implementation manner, the first data to be authenticated includes at least one of user registration data, user authentication data, alarm information in a private network, and index information.
According to another aspect of the embodiments of the present application, there is provided a secure access area of a 5G system, the 5G system further includes an enterprise production control domain and an operator public network, the secure access area includes:
the system comprises a first receiving module, a second receiving module and a third receiving module, wherein the first receiving module is used for receiving a first text file sent by an enterprise production control large area, the first text file is generated based on first to-be-authenticated data generated by a private network deployed in the enterprise production control large area, and the protocol type of the first to-be-authenticated data is the protocol type in the private network;
the first analysis module is used for analyzing the first text file to obtain second data to be authenticated, and the protocol type of the second data to be authenticated is the protocol type suitable for the public network of the operator;
and the second sending module is used for encrypting the second data to be authenticated and sending the encrypted second data to be authenticated to the public network of the operator.
According to another aspect of the embodiments of the present application, there is provided a 5G system, the 5G system including an enterprise production control area, a secure access area, and a carrier public network, wherein,
the enterprise production control area is used for generating and sending a first text file to the security access area, the first text file is generated based on first to-be-authenticated data generated by a private network deployed in the enterprise production control area, and the protocol type of the first to-be-authenticated data is the protocol type in the private network;
the security access area is used for receiving and analyzing the first text file to obtain second data to be authenticated, the protocol type of the second data to be authenticated is the protocol type suitable for the public network of the operator, the second data to be authenticated is encrypted, and the encrypted second data to be authenticated is sent to the public network of the operator.
In a possible implementation manner, the operator public network is configured to receive the encrypted second data to be authenticated, decrypt and authenticate the encrypted second data to be authenticated, obtain and generate a target signaling corresponding to an authentication result, and return the target signaling to the secure access area;
and the safety access area is also used for generating a second text file corresponding to the target signaling and sending the second text file to the enterprise production control area.
According to another aspect of embodiments of the present application, there is provided an electronic device comprising a memory, a processor and a computer program stored on the memory, the processor implementing the steps of the method as provided in the first aspect when executing the program.
According to a further aspect of embodiments of the present application, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the method as provided by the first aspect.
According to an aspect of embodiments of the present application, there is provided a computer program product, the computer program product comprising computer instructions stored in a computer-readable storage medium, which, when read by a processor of a computer device from the computer-readable storage medium, cause the processor to execute the computer instructions, so that the computer device performs the steps of implementing the method as provided by the first aspect.
The technical scheme provided by the embodiment of the application has the following beneficial effects:
the embodiment of the application sets up a secure access area between the enterprise production control large area and the operator public network. The secure access area receives the first text file from the enterprise production control large area, parses the first text file to obtain the second to-be-authenticated data, encrypts the second to-be-authenticated data, and sends the encrypted second to-be-authenticated data to the operator public network. No data transmission based on a data transmission protocol is needed between the private network and the public network, so the absolute security of the data in the enterprise production control large area is guaranteed and the power-industry regulations are satisfied.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings used in the description of the embodiments of the present application will be briefly described below.
Fig. 1 is a schematic connection diagram between a network element in a private network and a network element in a public network when a connection between a UPF in the private network and the public network provided in the embodiment of the present application is normal;
fig. 2 is a schematic connection diagram between a network element in a private network and a network element in a public network when a connection between a UPF in the private network and the public network is abnormal according to an embodiment of the present application;
fig. 3 is a schematic diagram of a system architecture for implementing the 5G communication method according to an embodiment of the present application;
fig. 4 is a flowchart illustrating a communication method of a 5G system according to an embodiment of the present disclosure;
fig. 5 is a schematic structural diagram of network elements in an enterprise production control large area, network elements in a secure access area, and network elements in an operator public network in a 5G communication system according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of a secure access area according to an embodiment of the present application;
fig. 7 is a schematic diagram of an interaction between an enterprise production control domain, a secure access domain, and an operator public network according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Embodiments of the present application are described below in conjunction with the drawings in the present application. It should be understood that the embodiments set forth below in connection with the drawings are exemplary descriptions for explaining technical solutions of the embodiments of the present application, and do not limit the technical solutions of the embodiments of the present application.
As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in connection with embodiments of the present application, specify the presence of stated features, information, data, steps, operations, elements, and/or components (but do not preclude the presence or addition of other features, information, data, steps, operations, elements, components, and/or groups thereof, that are supported by the art).
To make the objects, technical solutions and advantages of the present application more clear, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
First, the terms related to the embodiments of the present application will be explained:
An operator public network, referred to as a public network for short and also called an operator core network, is a network maintained by an operator that may serve the public, for example current internet service, telecommunication, railway service and the like; the public network in the following text refers to a 5G public network.
A private network, referred to simply as a private network below, is a network inside a certain system; it generally covers a specific area and serves only that system, for example a railway system private network, a public security system private network, a flood prevention private network, a military private network and the like. No other person or enterprise can enter the private network, so the private network ensures the security and integrity of its information flow; hereinafter, the private network refers to a 5G private network. The difference between public and private networks is that public networks serve the public in society, while private networks serve specific objects. At the same time, the private network also has an interface to the public network, can send data to the public network and is supervised by the public network.
The application provides a communication method and apparatus for a 5G system, an electronic device, a computer-readable storage medium, and a computer program product, which aim to solve the above technical problems in the prior art.
In the technical field of 5G communication, a kite scheme has been proposed for enterprises. It is a dedicated-network scheme based on the operator's public 5G network, comes in modes of S (small), M (medium) and L (large) specifications, and has two deployment modes, parking and sharing, which serve the reliability requirements of different users. The M mode and the L mode of the kite scheme adopt embedded deployment, with an MEC/5GC private network placed inside the enterprise/park, so that user data is guaranteed not to leave the park. Many enterprises apply private networks to production links, where the requirements on network stability and reliability are extremely high and service interruption cannot be tolerated. To ensure that service is not interrupted, in the private networks corresponding to the M mode and the L mode of the kite scheme an emergency core network control plane is deployed in addition to the private network's core network user plane network element UPF, so as to realize real-time data synchronization with the operator public network.
As shown in fig. 1, a schematic connection diagram between network elements in the private network and network elements in the public network is exemplarily shown when a connection between a UPF in the private network and the public network is normal, where the network elements in the private network include network elements such as a Mobile Edge Computing MEC (Mobile Edge Computing), a user plane function UPF, a terminal, a next Generation base station (the next Generation Node B) gNB, and an emergency core network control plane CP, and the network elements in the public network include network elements such as a 5G core network control plane (abbreviated as 5 GC-CP), a UPF, an MEC, a terminal, and a gNB.
When the connection between the UPF of the private network and the public network is unexpectedly interrupted, the emergency CP immediately performs an emergency seamless take-over of the related services of the private network: the emergency CP temporarily replaces the CP of the operator public network and takes over the services between the operator public network's CP and the private network, ensuring that steady-state services keep running, that new services can be accessed normally and that handover services are processed normally, that is, ensuring that "a network outage does not interrupt service". Continuing the above example, fig. 2 exemplarily shows a schematic connection diagram between the network elements in the private network and the network elements in the public network when the connection between the UPF of the private network and the public network is abnormal. As shown in fig. 2, the connection between the network elements in the private network and the network elements in the public network is disconnected, and the emergency CP of the private network temporarily replaces the CP of the public network, taking over the services between the private network and the operator public network's CP until the connection between the private network and the public network is restored.
However, no matter the UPF, the gNB or the emergency CP of the private network is directly connected to the public network of the operator, when data transmission is performed between the private network and the public network of the operator, a link for transmitting data belongs to a link of the public network of the operator, which causes that the transmitted data is easy to leak, and once the transmitted data is leaked, a rule for transmitting data inside the private network is also likely to be leaked, so that a data security problem exists.
The technical solutions of the embodiments of the present application and the technical effects produced by the technical solutions of the present application will be described below through descriptions of several exemplary embodiments. It should be noted that the following embodiments may be referred to, referred to or combined with each other, and the description of the same terms, similar features, similar implementation steps, etc. in different embodiments is not repeated.
Fig. 3 is a schematic diagram of a system architecture for implementing a 5G communication method according to an embodiment of the present application. The system architecture includes an enterprise production control large area 301, a secure access area 302, and an operator public network 303. A private network is deployed in the enterprise production control large area 301, and the secure access area 302 is located between the enterprise production control large area 301 and the operator public network 303, so that the enterprise production control large area 301 and the operator public network 303 are never directly connected. The secure access area 302 may receive a first text file sent by the enterprise production control large area, where the first text file is generated based on first to-be-authenticated data generated by the private network deployed in the enterprise production control large area, and the protocol type of the first to-be-authenticated data is the protocol type used inside the private network; parse the first text file to obtain second to-be-authenticated data, where the protocol type of the second to-be-authenticated data is the protocol type suitable for the operator public network; and encrypt the second to-be-authenticated data and send the encrypted second to-be-authenticated data to the operator public network.
In an embodiment of the present application, a communication method of a 5G system is provided, where the 5G system includes an enterprise production control large area, a secure access area, and an operator public network, and the method is applied to the secure access area, as shown in fig. 4, the method includes the following steps:
step S401, a first text file sent by the enterprise production control area is received, the first text file is generated based on first to-be-authenticated data generated by a private network deployed in the enterprise production control area, and the protocol type of the first to-be-authenticated data is a protocol type inside the private network.
The enterprise production control large area is a security zone with data acquisition and control functions, formed by longitudinally interconnecting electric power monitoring systems over private networks or private network channels; it is also called the non-control zone (Security Zone II), and a 5G private network is deployed in it.
The operator public network in the embodiment of the present application refers to a network that is maintained by an operator and can serve the public.
The security access area provided by the embodiment of the application is deployed in a security protection and supervision area of an enterprise production control area and an operator public network, and the communication method of the 5G system provided by the embodiment of the application is executed by the security access area.
A private network is deployed in the enterprise production control area. Some of the private network's information is managed and supervised by the operator public network and therefore counts as data to be authenticated: for example, the private network cannot itself authenticate user registration data or user authentication data, so their authentication is performed by the public network; likewise, northbound data such as the private network's index information (for example access rate and handover rate) and alarm information are also supervised by the operator public network.
The first to-be-authenticated data in the embodiment of the application comprises the user registration data, the user authentication data, the alarm information, the index information and the like. Its data format is packaged according to the data format used inside the private network, that is, the protocol type of the first to-be-authenticated data is the protocol type inside the private network. In the existing scheme, when the private network and the operator public network exchange the first to-be-authenticated data, it is transmitted based on a data transmission protocol, so the first to-be-authenticated data can be captured by an attacker and its data format analyzed; this easily leaks the data transmission protocol and the data packaging format used inside the private network, and in turn leads to leakage of data inside the private network.
In order to avoid the above problem, in the embodiment of the present application, when the enterprise production control area interacts with the public network of the operator, the first data to be verified is not directly sent, but a first text file generated based on the first data to be authenticated is sent, where the first text file is a plain text file.
Specifically, a data portion in the first data to be verified may be extracted, and the data portion is stored in a blank plain text to obtain a first text file.
According to the embodiment of the application, the secure access area is set up between the enterprise production control area and the operator public network, and the enterprise production control area can send the first text file directly to the secure access area. Because the first text file is a pure text file, no network transmission protocol needs to be followed when the enterprise production control area sends it to the secure access area; the transfer between the enterprise production control area and the secure access area is a hard transmission, so data leakage can be effectively prevented.
Step S402, the first text file is analyzed to obtain second data to be authenticated, and the protocol type of the second data to be authenticated is the protocol type suitable for the public network of the operator.
After receiving the first text file, the security access area of the embodiment of the application analyzes the first text file to obtain second data to be authenticated, wherein the protocol type of the second data to be authenticated is a protocol type suitable for an operator public network.
And analyzing the first text, specifically, reading the first text file based on a preset analysis rule, and then packaging each data to obtain second data to be authenticated, wherein the data parts of the second data to be authenticated and the corresponding first data to be authenticated represent the same content.
And step S403, encrypting the second data to be authenticated, and sending the encrypted second data to be authenticated to the public network of the operator.
After the second data to be authenticated is obtained, the second data to be authenticated is encrypted, so that the second data to be authenticated can be further prevented from being leaked, and the second data to be authenticated can be based on any encryption mode, such as symmetric encryption or asymmetric encryption, which is not limited by the embodiment of the present application.
And after obtaining the encrypted second data to be authenticated, the secure access area sends the encrypted second data to be authenticated to the public network of the operator.
The embodiment of the application sets up a secure access area between the enterprise production control large area and the operator public network. The secure access area receives the first text file from the enterprise production control large area, parses the first text file to obtain the second to-be-authenticated data, encrypts the second to-be-authenticated data, and sends the encrypted second to-be-authenticated data to the operator public network. No data transmission based on a data transmission protocol is needed between the private network and the public network, so the absolute security of the data in the enterprise production control large area is guaranteed and the power-industry regulations are satisfied.
The embodiment of the present application provides a possible implementation manner, where the encrypted second data to be authenticated is sent to an operator public network, and then the implementation manner further includes:
receiving a target signaling returned by the operator public network aiming at the encrypted second data to be authenticated, wherein the target signaling comprises an authentication result obtained by decrypting and authenticating the second data to be authenticated by the operator public network;
and generating a second text file corresponding to the target signaling, and sending the second text file to the enterprise production control area.
After receiving the encrypted second data to be authenticated, the operator public network decrypts it and authenticates the decrypted second data to be authenticated. Specifically, the operator public network may authenticate the second data to be authenticated based on at least one of the unified data management function UDM, the operator network management platform OMC, the session management function SMF, the access and mobility management function AMF, and the like in the operator public network.
The operator public network in the embodiment of the application authenticates the decrypted second data to be authenticated to obtain an authentication result. If the second data to be authenticated is user registration data, the authentication result may be authentication success or authentication failure; if it is user authentication data, the authentication result may be authentication success or authentication failure; if it is alarm information or index information, the authentication result may be that the index is qualified or that the index is not qualified.
Once the authentication result is obtained, the operator public network generates target signaling corresponding to that result and sends it to the secure access area. For user registration data, if the result is authentication failure the target signaling may instruct the private network in the enterprise production control area to reject the registration of the user concerned; if the result is authentication success it may indicate that the user is permitted to access the private network of the enterprise production control area. For user authentication data, if the result is authentication success the target signaling may indicate that the user is allowed to perform a given service; if the result is authentication failure it may indicate that the user is refused that service. For alarm information or index information, if the result is that the index is qualified the target signaling may instruct the private network to keep monitoring the related alarm or index information; if the result is that the index is unqualified the target signaling may indicate the configuration items of the private network that must be changed for the index to return to normal.
After receiving the second text file, the enterprise production control area converts it into signaling of the protocol type used inside the private network and executes that signaling.
In a possible implementation, a forward isolation gatekeeper and a reverse isolation gatekeeper are arranged between the enterprise production control area and the secure access area;
receiving the first text file sent by the enterprise production control area then includes:
receiving the first text file ferried by the enterprise production control area through the forward isolation gatekeeper.
Sending the second text file to the enterprise production control area includes:
ferrying the second text file to the enterprise production control area through the reverse isolation gatekeeper.
Because a forward isolation gatekeeper and a reverse isolation gatekeeper are arranged between the enterprise production control area and the secure access area, the network of the enterprise production control area and the network of the secure access area are physically isolated from each other. The enterprise production control area can only ferry the first text file to the secure access area through the forward isolation gatekeeper, that is, in a forward unidirectional mode, and the secure access area can only ferry the second text file to the enterprise production control area through the reverse isolation gatekeeper, that is, in a reverse unidirectional mode.
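The isolation gatekeepers enforce direction, not content: whatever lands on the far side arrives as a file and is then parsed, so the receiving side of the ferry is the place to reject anything that is not the expected plain text file. The following is an added example, not code from the patent or the applicant, of the checks a file synchronization area can apply to a ferried file before passing it on. The key=value record format, the size cap and the SHA-256 digest carried in a manifest beside the file are assumptions made for illustration.

```python
import hashlib
import re

MAX_FILE_BYTES = 64 * 1024  # assumed size cap for one ferried text file

# One record line: a bare key, '=', then printable ASCII only. Control bytes,
# binary content and non-ASCII encodings are rejected outright because the
# gatekeeper only moves the file; it does not inspect what is in it.
RECORD_LINE = re.compile(r"[A-Za-z0-9_]{1,64}=[\x20-\x7e]{0,1024}")


class FerryRejected(ValueError):
    """Raised when a ferried file fails the file synchronization area's checks."""


def prepare_for_ferry(text):
    """Sending side: encode the text file and compute the digest written to its manifest."""
    data = text.encode("ascii")
    return data, hashlib.sha256(data).hexdigest()


def validate_ferried_file(data, manifest_sha256):
    """Receiving side: accept only a complete, unmodified, printable key=value text file."""
    if len(data) > MAX_FILE_BYTES:
        raise FerryRejected("file exceeds size cap")
    if hashlib.sha256(data).hexdigest() != manifest_sha256:
        raise FerryRejected("digest does not match manifest (file truncated or modified)")
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError as exc:
        raise FerryRejected("non-ASCII byte in text file") from exc
    if not text.endswith("\n"):
        raise FerryRejected("file is not newline-terminated")
    for lineno, line in enumerate(text[:-1].split("\n"), 1):
        if not RECORD_LINE.fullmatch(line):
            raise FerryRejected(f"line {lineno}: not a printable key=value record")
    return text
```

The digest catches truncation and corruption in transit, not a malicious sender inside the production control area; detecting that would need a keyed MAC with a key the sending network element holds, and the same checks should be applied in the reverse direction before the production control area executes a second text file.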
In a possible implementation, the secure access area includes a file synchronization area and a front-end network element;
the file synchronization area receives the first text file ferried by the enterprise production control area through the forward isolation gatekeeper and sends it to the front-end network element.
The front-end network element parses the first text file to obtain the second data to be authenticated, encrypts the second data to be authenticated and sends the encrypted data to the operator public network.
The front-end network element also receives the target signaling sent by the operator public network, generates the second text file corresponding to the target signaling and sends the second text file to the file synchronization area;
the file synchronization area also ferries the second text file to the enterprise production control area through the reverse isolation gatekeeper.
The file synchronization area therefore handles files in both directions: it receives the first text file from the enterprise production control area and passes it to the front-end network element, and it receives the second text file from the front-end network element and passes it to the enterprise production control area.
The front-end network element is the component that interacts with the signaling-plane network elements of the operator public network. It receives the first text file from the file synchronization area, parses it to obtain the second data to be authenticated, encrypts that data and sends it to the operator public network; it also receives the target signaling returned by the operator public network for the encrypted second data to be authenticated, generates the corresponding second text file and sends it to the file synchronization area. The private network thus never exchanges signaling with the operator public network in real time, which avoids the security problems such a direct exchange would bring.
In a possible implementation, the first data to be authenticated includes at least one of user registration data, user authentication data, alarm information in the private network, and index information. When the first data to be authenticated includes northbound data such as alarm information or index information, the front-end network element sends the corresponding encrypted second data to be authenticated to the operator public network through the northbound interface.
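The following is an added example that is not part of the patent or the applicant's product. It models in Python the front-end network element and the operator-side authentication step of this section and of the target-signaling passage above: parse the first text file, produce the second data to be authenticated with only whitelisted fields, encrypt it, have the operator side verify and decrypt it, authenticate it according to its data type, and render the target signaling as the second text file. The key=value file format, the JSON public-network record and its per-type field whitelist, the subscriber table, the SUPI and slice values, the pre-shared link key and the HMAC-SHA256 encrypt-then-MAC construction are all assumptions made for illustration; a deployment would use an approved AEAD such as AES-GCM or SM4-GCM with a key provisioned with the operator.

```python
import hashlib
import hmac
import json
import secrets

# Fields the front-end network element may forward per data type (names constructed
# for this example); anything else in the private-network file is dropped.
FIELD_WHITELIST = {
    "registration": ("supi", "slice"),
    "auth": ("supi", "service"),
    "alarm": ("metric", "value", "threshold"),
    "index": ("metric", "value", "threshold"),
}

def parse_first_text_file(text):
    """Parse the ferried 'key=value' text file (assumed private-network format)."""
    record = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value")
        key, value = line.split("=", 1)
        record[key.strip()] = value.strip()
    return record

def to_public_protocol(record):
    """Second data to be authenticated: a JSON record carrying only whitelisted fields."""
    dtype = record.get("type")
    if dtype not in FIELD_WHITELIST:
        raise ValueError(f"unsupported data type {dtype!r}")
    out = {"type": dtype}
    for field in FIELD_WHITELIST[dtype]:
        if field not in record:
            raise ValueError(f"{dtype}: missing field {field!r}")
        out[field] = record[field]
    return json.dumps(out, sort_keys=True).encode()

def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256, a stand-in for a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _subkeys(key):
    return tuple(hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))

def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag. Use AES-GCM or SM4-GCM in production."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the tag before decrypting; a modified or truncated blob is rejected."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if len(blob) < 48 or not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def public_network_authenticate(key, blob, subscribers):
    """Operator side (UDM/AMF role): decrypt, authenticate, build the target signaling."""
    rec = json.loads(unseal(key, blob))
    dtype = rec["type"]
    if dtype == "registration":
        ok = rec["slice"] in subscribers.get(rec["supi"], ())
        return {"type": dtype, "supi": rec["supi"],
                "action": "accept_registration" if ok else "reject_registration"}
    if dtype == "auth":
        ok = rec["supi"] in subscribers
        return {"type": dtype, "supi": rec["supi"], "service": rec["service"],
                "action": "allow_service" if ok else "deny_service"}
    # alarm / index information: qualified while the value stays within its threshold
    qualified = float(rec["value"]) <= float(rec["threshold"])
    return {"type": dtype, "metric": rec["metric"],
            "action": "keep_monitoring" if qualified else "reconfigure"}

def to_second_text_file(signaling):
    """Render the target signaling as the key=value text file ferried back."""
    return "".join(f"{k}={v}\n" for k, v in sorted(signaling.items()))

def round_trip(key, first_text_file, subscribers):
    """First text file -> public protocol -> sealed -> authenticated -> second text file."""
    sealed = seal(key, to_public_protocol(parse_first_text_file(first_text_file)))
    return to_second_text_file(public_network_authenticate(key, sealed, subscribers))

# Constructed sample data (made up): pre-shared link key, operator subscriber table,
# and one registration record produced by the private network.
LINK_KEY = bytes(range(32))
SUBSCRIBERS = {"imsi-460000000000001": {"slice-prod"}}
FIRST_TEXT_FILE = (
    "type=registration\n"
    "supi=imsi-460000000000001\n"
    "slice=slice-prod\n"
    "debug_host=10.0.0.5\n"  # not whitelisted, so it never reaches the public network
)
```

Calling `round_trip(LINK_KEY, FIRST_TEXT_FILE, SUBSCRIBERS)` yields the second text file for an accepted registration. The whitelist in `to_public_protocol` is what makes the secure access area a protocol break rather than a relay: a field the private network emits but the public-network schema does not define is dropped before encryption, and a record whose type is unknown is refused instead of being forwarded for the operator to interpret.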
Fig. 5 schematically shows the network elements of the enterprise production control area, the secure access area and the operator public network in a 5G communication system provided by an embodiment of this application, and the structure between them. The enterprise production control area comprises a Network Slice Selection Function (NSSF), an Authentication Server Function (AUSF), an Access and Mobility Management Function (AMF), a Session Management Function (SMF), a Policy Control Function (PCF), User Equipment (UE), a Radio Access Network (RAN), a User Plane Function (UPF) and a Unified Data Management function (UDM). The secure access area comprises a file synchronization area and a front-end network element. The operator public network comprises a UDM, an Operation and Maintenance Center (OMC), an AMF and an SMF. The UDM in the enterprise production control area obtains the first data to be authenticated generated by the UPF, generates the first text file corresponding to that data, and ferries the first text file through the forward isolation gatekeeper to the file synchronization area of the secure access area. The file synchronization area sends the first text file to the front-end network element, which parses it to obtain the second data to be authenticated, encrypts that data and sends the encrypted data to at least one of the UDM, OMC, AMF and SMF in the operator public network. The receiving network element authenticates the second data to be authenticated to obtain an authentication result, generates the target signaling corresponding to the authentication result and sends it to the front-end network element of the secure access area. The front-end network element generates the second text file corresponding to the target signaling and sends it to the file synchronization area, and the file synchronization area ferries the second text file through the reverse isolation gatekeeper to the UDM in the enterprise production control area.
An embodiment of the present application provides a secure access area of a 5G system, where the 5G system further includes an enterprise production control large area and an operator public network, as shown in fig. 6, which exemplarily shows a schematic structural diagram of the secure access area provided in the embodiment of the present application, and the secure access area 60 includes:
a first receiving module 610, configured to receive a first text file sent by an enterprise production control large area, where the first text file is generated based on first to-be-authenticated data generated by a private network deployed in the enterprise production control large area, and a protocol type of the first to-be-authenticated data is a protocol type inside the private network;
the first parsing module 620 is configured to parse the first text file to obtain second data to be authenticated, where a protocol type of the second data to be authenticated is a protocol type applicable to an operator public network;
the first sending module 620 is configured to encrypt the second data to be authenticated, and send the encrypted second data to be authenticated to the operator public network.
In this embodiment, the secure access area is arranged between the enterprise production control area and the operator public network. It receives the first text file from the enterprise production control area, parses it to obtain the second data to be authenticated, encrypts the second data to be authenticated and sends the encrypted data to the operator public network. No data transmission protocol therefore has to run directly between the private network and the public network, the absolute security of the data of the enterprise production control area is guaranteed, and the power-sector security regulations are met.
In the embodiment of the present application, a possible implementation manner is provided, and the apparatus further includes:
the second receiving module is used for receiving a target signaling returned by the operator public network aiming at the encrypted second data to be authenticated, wherein the target signaling comprises an authentication result obtained by decrypting and authenticating the second data to be authenticated by the operator public network;
and the second sending module is used for generating a second text file corresponding to the target signaling and sending the second text file to the enterprise production control area.
In a possible implementation, a forward isolation gatekeeper and a reverse isolation gatekeeper are arranged between the enterprise production control area and the secure access area;
the first receiving module is specifically configured to receive the first text file ferried by the enterprise production control area through the forward isolation gatekeeper;
the second sending module is specifically configured to ferry the second text file to the enterprise production control area through the reverse isolation gatekeeper.
In a possible implementation, the secure access area includes a file synchronization area and a front-end network element; the file synchronization area is configured to receive the first text file ferried by the enterprise production control area through the forward isolation gatekeeper and send it to the front-end network element; the front-end network element is configured to parse the first text file to obtain the second data to be authenticated, encrypt the second data to be authenticated and send the encrypted data to the operator public network; the front-end network element is further configured to receive the target signaling sent by the operator public network, generate the second text file corresponding to the target signaling and send it to the file synchronization area; and the file synchronization area is further configured to ferry the second text file to the enterprise production control area through the reverse isolation gatekeeper.
In the embodiment of the present application, a possible implementation manner is provided, where the first data to be authenticated includes at least one of user registration data, user authentication data, alarm information in a private network, and index information.
The apparatus of the embodiment of the present application may execute the method provided by the embodiment of the present application, and the implementation principle is similar, the actions executed by the modules in the apparatus of the embodiments of the present application correspond to the steps in the method of the embodiments of the present application, and for the detailed functional description of the modules of the apparatus, reference may be specifically made to the description in the corresponding method shown in the foregoing, and details are not repeated here.
An embodiment of the present application provides a 5G system that includes an enterprise production control area, a secure access area and an operator public network. Fig. 7 illustrates the interaction between the enterprise production control area, the secure access area and the operator public network, where
the enterprise production control domain may perform the following step S701.
Step S701, generating and sending a first text file to a security access area, wherein the first text file is generated based on first to-be-authenticated data generated by a private network deployed in an enterprise production control large area, and the protocol type of the first to-be-authenticated data is the protocol type in the private network;
the security access area is used for executing the following steps S702 to S703.
Step S702, receiving and analyzing the first text file to obtain second data to be authenticated, wherein the protocol type of the second data to be authenticated is the protocol type suitable for the public network of the operator;
step S703 encrypts the second data to be authenticated, and sends the encrypted second data to be authenticated to the operator public network.
The operator public network is used to perform the following step S704.
Step S704, receiving the encrypted second data to be authenticated, decrypting and authenticating the encrypted second data to be authenticated, obtaining and generating a target signaling corresponding to the authentication result, and returning the target signaling to the secure access area.
The secure access area is further configured to perform step S705 as follows.
Step S705, a second text file corresponding to the target signaling is generated, and the second text file is sent to the enterprise production control area.
The specific implementation manner of steps S701 to S705 is consistent with the foregoing embodiments, and details of the embodiments of the present application are not repeated herein.
An embodiment of the present application provides an electronic device including a memory, a processor and a computer program stored in the memory; the processor executes the computer program to implement the steps of the communication method of the 5G system. Compared with the prior art, the device achieves the effect described above for the method: the secure access area set up between the enterprise production control area and the operator public network receives the first text file, parses it into the second data to be authenticated, encrypts that data and sends it to the operator public network, so that no data transmission protocol runs directly between the private network and the public network, the absolute security of the data of the enterprise production control area is guaranteed, and the power-sector security regulations are met.
In an alternative embodiment, an electronic device is provided, as shown in FIG. 8, the electronic device 8000 shown in FIG. 8 including: a processor 8001 and memory 8003. Processor 8001 and memory 8003 are connected, such as by bus 8002. Optionally, the electronic device 8000 may further include a transceiver 8004, and the transceiver 8004 may be used for data interaction between the electronic device and other electronic devices, such as transmission of data and/or reception of data. In addition, the transceiver 8004 is not limited to one in practical applications, and the structure of the electronic device 8000 does not limit the embodiment of the present application.
Processor 8001 may be a CPU (Central Processing Unit), general purpose Processor, DSP (Digital Signal Processor), ASIC (Application Specific Integrated Circuit), FPGA (field programmable Gate Array), or other programmable logic device, transistor logic, hardware component, or any combination thereof. Which may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. Processor 8001 may also be a combination that implements computing functionality, e.g., comprising one or more microprocessor combinations, DSP and microprocessor combinations, and so forth.
Bus 8002 may include a path to transfer information between the aforementioned components. The bus 8002 may be a PCI (peripheral component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The bus 8002 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in FIG. 8, but this is not intended to represent only one bus or type of bus.
The memory 8003 may be a ROM (Read Only Memory) or another static storage device that can store static information and instructions, a RAM (Random Access Memory) or another dynamic storage device that can store information and instructions, an EEPROM (Electrically Erasable Programmable Read Only Memory), a CD-ROM (Compact Disc Read Only Memory) or other optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and the like), a magnetic disk storage medium, another magnetic storage device, or any other medium that can carry or store a computer program and be read by a computer, without limitation.
The memory 8003 is used to store computer programs for executing the embodiments of the present application, and is controlled by the processor 8001 to execute the programs. The processor 8001 is used to execute computer programs stored in the memory 8003 to implement the steps shown in the foregoing method embodiments.
The electronic device may include, but is not limited to, a mobile terminal such as a mobile phone, a notebook computer, a digital broadcast receiver, a PDA (personal digital assistant), a PAD (tablet computer), a PMP (portable multimedia player) or a vehicle-mounted terminal (for example a car navigation terminal), and a stationary terminal such as a digital TV or a desktop computer. The electronic device shown in fig. 8 is only an example and does not limit the functions or the scope of use of the embodiments of the present disclosure.
Embodiments of the present application provide a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the steps and corresponding content of the foregoing method embodiments. Compared with the prior art, it achieves the effect described above for the method: the secure access area set up between the enterprise production control area and the operator public network receives the first text file, parses it into the second data to be authenticated, encrypts that data and sends it to the operator public network, so that no data transmission protocol runs directly between the private network and the public network, the absolute security of the data of the enterprise production control area is guaranteed, and the power-sector security regulations are met.
It should be noted that the computer readable medium of the present disclosure may be a computer readable signal medium, a computer readable storage medium, or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. By contrast, a computer readable signal medium may comprise a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electromagnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
Embodiments of the present application further provide a computer program product including a computer program; when executed by a processor, the computer program implements the steps and corresponding content of the foregoing method embodiments. Compared with the prior art, it achieves the effect described above for the method: the secure access area set up between the enterprise production control area and the operator public network receives the first text file, parses it into the second data to be authenticated, encrypts that data and sends it to the operator public network, so that no data transmission protocol runs directly between the private network and the public network, the absolute security of the data of the enterprise production control area is guaranteed, and the power-sector security regulations are met.
The terms "first," "second," "third," "fourth," "1," "2," and the like in the description and claims of this application and in the preceding drawings, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It should be understood that the terms so used are interchangeable under appropriate circumstances, so that the embodiments of the application described herein can operate in sequences other than those illustrated or otherwise described herein.
It should be understood that, although each operation step is indicated by an arrow in the flowchart of the embodiment of the present application, the implementation order of the steps is not limited to the order indicated by the arrow. In some implementation scenarios of the embodiments of the present application, the implementation steps in the flowcharts may be performed in other sequences as desired, unless explicitly stated otherwise herein. In addition, some or all of the steps in each flowchart may include multiple sub-steps or multiple stages based on an actual implementation scenario. Some or all of these sub-steps or stages may be performed at the same time, or each of these sub-steps or stages may be performed at different times, respectively. Under the scenario that the execution time is different, the execution sequence of the sub-steps or phases may be flexibly configured according to the requirement, which is not limited in the embodiment of the present application.
The above are only optional embodiments of partial implementation scenarios in the present application, and it should be noted that, for those skilled in the art, other similar implementation means based on the technical idea of the present application are also within the scope of protection of the embodiments of the present application without departing from the technical idea of the present application.

Claims (10)

1. A communication method of a 5G system, wherein the 5G system comprises an enterprise production control large area, a secure access area and an operator public network, and the method is applied to the secure access area, and the method comprises the following steps:
receiving a first text file sent by an enterprise production control large area, wherein the first text file is generated based on first to-be-authenticated data generated by a private network deployed in the enterprise production control large area, and the protocol type of the first to-be-authenticated data is the protocol type in the private network;
analyzing the first text file to obtain second data to be authenticated, wherein the protocol type of the second data to be authenticated is the protocol type suitable for the public network of the operator;
and encrypting the second data to be authenticated, and sending the encrypted second data to be authenticated to an operator public network.
2. The method according to claim 1, wherein the sending the encrypted second data to be authenticated to an operator public network further comprises:
receiving a target signaling returned by the operator public network for the encrypted second data to be authenticated, wherein the target signaling comprises an authentication result obtained by decrypting and authenticating the second data to be authenticated by the operator public network;
and generating a second text file corresponding to the target signaling, and sending the second text file to the enterprise production control area.
3. The method of claim 2, wherein a forward isolation gatekeeper and a reverse isolation gatekeeper are arranged between the enterprise production control large area and the secure access area;
the receiving of the first text file sent by the enterprise production control area comprises:
receiving the first text file ferried by the enterprise production control large area through the forward isolation gatekeeper;
the sending the second text file to the enterprise production control area comprises:
and ferrying the second text file to the enterprise production control area through a reverse isolation network gate.
4. The method of claim 3, wherein the security access area comprises a file synchronization area and a pre-network element;
the file synchronization area is used for receiving the first text file ferried by the enterprise production control area through the forward isolation gatekeeper and sending the first text file to the preposed network element;
the preposed network element is used for analyzing the first text file to obtain second data to be authenticated, encrypting the second data to be authenticated and sending the encrypted second data to be authenticated to an operator public network;
the preposed network element is also used for receiving a target signaling sent by an operator public network, generating a second text file corresponding to the target signaling and sending the second text file to the file synchronization area;
the file synchronization area is further used for ferrying the second text file to the enterprise production control area through a reverse isolation gatekeeper.
5. The method according to any of claims 1-4, wherein the first data to be authenticated comprises at least one of user registration data, user authentication data, alarm information in private networks, and indicator information.
6. A secure access area of a 5G system, wherein the 5G system further comprises an enterprise production control large area and an operator public network, and the secure access area comprises:
a first receiving module, used for receiving a first text file sent by an enterprise production control large area, wherein the first text file is generated based on first to-be-authenticated data generated by a private network deployed in the enterprise production control large area, and the protocol type of the first to-be-authenticated data is the protocol type inside the private network;
the first analysis module is used for analyzing the first text file to obtain second data to be authenticated, and the protocol type of the second data to be authenticated is the protocol type suitable for the operator public network;
and the second sending module is used for encrypting the second data to be authenticated and sending the encrypted second data to be authenticated to the public network of the operator.
7. A 5G system, characterized in that the 5G system comprises an enterprise production control area, a secure access area and an operator public network,
the enterprise production control area is used for generating and sending a first text file to the security access area, the first text file is generated based on first to-be-authenticated data generated by a private network deployed in the enterprise production control area, and the protocol type of the first to-be-authenticated data is the protocol type in the private network;
the security access area is used for receiving and analyzing the first text file to obtain second data to be authenticated, the protocol type of the second data to be authenticated is the protocol type suitable for the operator public network, the second data to be authenticated is encrypted, and the encrypted second data to be authenticated is sent to the operator public network.
8. The system according to claim 7, wherein the operator public network is configured to receive the encrypted second to-be-authenticated data, decrypt and authenticate it, generate a target signaling corresponding to the authentication result, and return the target signaling to the secure access area; and
the secure access area is further configured to generate a second text file corresponding to the target signaling and send the second text file to the enterprise production control area.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory, characterized in that the processor executes the computer program to implement the steps of the method according to any of claims 1-5.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 5.
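The data path of claims 7 and 8, as an added example written for this page (not code from the patent or its applicant): the secure access area parses the first text file, re-expresses it in a public-network format, encrypts it for the operator public network, obtains the target signaling, and writes the second text file for the production control area. The "key=value" text-file format, the JSON request fields, the AES-256-GCM link encryption under a pre-shared link key, the HMAC-SHA256 device proof and the signaling strings are all assumptions of this example; the claims name none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// AuthRequest is the public-network form of the data to be authenticated (the claims'
// "second data"); its field names and the HMAC proof scheme are assumptions.
type AuthRequest struct {
	DeviceID  string `json:"device_id"`
	Challenge string `json:"challenge"`
	Proof     string `json:"proof"` // hex HMAC-SHA256(deviceKey, challenge)
}

// ParseFirstTextFile converts the private-network text file (constructed "key=value"
// lines) into an AuthRequest and fails closed when a required field is absent.
func ParseFirstTextFile(text string) (AuthRequest, error) {
	f := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		if line = strings.TrimSpace(line); line == "" || line[0] == '#' {
			continue
		}
		k, v, _ := strings.Cut(line, "=") // a line without '=' yields an empty value
		f[strings.TrimSpace(k)] = strings.TrimSpace(v)
	}
	req := AuthRequest{f["device_id"], f["challenge"], f["proof"]}
	if req.DeviceID == "" || req.Challenge == "" || req.Proof == "" {
		return AuthRequest{}, errors.New("first text file lacks a required field")
	}
	return req, nil
}

// NewLink builds the AES-256-GCM AEAD for the secure-access-area/operator link
// (a pre-shared 32-byte link key is an assumption of this example).
func NewLink(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ProofFor is the device-side proof over the challenge (assumed scheme).
func ProofFor(deviceKey []byte, challenge string) string {
	mac := hmac.New(sha256.New, deviceKey)
	mac.Write([]byte(challenge))
	return hex.EncodeToString(mac.Sum(nil))
}

// OperatorAuthenticate plays the operator public network: decrypt nonce||ciphertext||tag,
// check the device is registered and its proof verifies, and return the target signaling.
func OperatorAuthenticate(link cipher.AEAD, sealed []byte, deviceKeys map[string][]byte) string {
	n := link.NonceSize()
	if len(sealed) < n {
		return "AUTH_REJECT:malformed"
	}
	var req AuthRequest
	pt, err := link.Open(nil, sealed[:n], sealed[n:], nil) // any tampering fails the tag check
	if err != nil || json.Unmarshal(pt, &req) != nil {
		return "AUTH_REJECT:malformed"
	}
	dk, ok := deviceKeys[req.DeviceID]
	if !ok || !hmac.Equal([]byte(ProofFor(dk, req.Challenge)), []byte(req.Proof)) {
		return "AUTH_REJECT:credentials" // one answer for unknown device and bad proof
	}
	return "AUTH_ACCEPT"
}

// SecureAccessRelay runs the secure access area end to end: parse the first text file,
// encrypt under a fresh nonce, hand off to the operator, and write the second text file.
func SecureAccessRelay(firstTextFile string, link cipher.AEAD, deviceKeys map[string][]byte) (string, error) {
	req, err := ParseFirstTextFile(firstTextFile)
	if err != nil {
		return "", err
	}
	pt, _ := json.Marshal(req) // a struct of strings always marshals
	nonce := make([]byte, link.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := link.Seal(nonce, nonce, pt, nil)
	signaling := OperatorAuthenticate(link, sealed, deviceKeys)
	return fmt.Sprintf("device_id=%s\nsignaling=%s\n", req.DeviceID, signaling), nil
}

// Constructed sample material: a 32-byte link key, one registered device, one first text file.
var (
	SampleLinkKey       = []byte("example-link-key-32-bytes-long!!")
	SampleDevices       = map[string][]byte{"RTU-0001": []byte("example-device-key-for-RTU-0001")}
	SampleFirstTextFile = "# constructed private-network record\ndevice_id=RTU-0001\nchallenge=c0ffee01\nproof=" +
		ProofFor(SampleDevices["RTU-0001"], "c0ffee01") + "\n"
)
```

Two design points a practitioner would check: the GCM tag is verified before the operator side parses anything, so a modified ciphertext is rejected without reaching the authentication logic, and the operator returns the same reject signaling for an unknown device and for a wrong proof, so the second text file does not reveal which of the two failed.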
CN202310045194.6A 2023-01-30 2023-01-30 Communication method and device for 5G system, electronic device and storage medium Pending CN115802341A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310045194.6A CN115802341A (en) 2023-01-30 2023-01-30 Communication method and device for 5G system, electronic device and storage medium

Publications (1)

Publication Number Publication Date
CN115802341A true CN115802341A (en) 2023-03-14

Family

ID=85429213

Country Status (1)

Country Link
CN (1) CN115802341A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060230266A1 (en) * 2005-03-30 2006-10-12 Oracle International Corporation Secure communications across multiple protocols
CN107733747A (en) * 2017-07-28 2018-02-23 国网江西省电力公司上饶供电分公司 Towards the common communication access system of multiple service supporting
CN108810011A (en) * 2018-06-29 2018-11-13 南京南瑞继保电气有限公司 A kind of universal network secure accessing sound zone system and message processing method suitable for power private network
CN113518347A (en) * 2021-06-16 2021-10-19 国网青海省电力公司信息通信公司 Safety protection system
CN113794714A (en) * 2021-09-13 2021-12-14 西安热工研究院有限公司 Network safety system for intelligent power plant architecture
CN114268457A (en) * 2021-11-23 2022-04-01 贵州电网有限责任公司 Multi-protocol multi-service public network security access method
CN114339841A (en) * 2022-01-05 2022-04-12 深圳渊联技术有限公司 Private network 5G base station, 5G network, 5G communication method and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination