WO2019140789A1 - Data validation method, network device, ue, and computer storage medium - Google Patents


Info

Publication number
WO2019140789A1
Authority
WO
WIPO (PCT)
Prior art keywords
service
data stream
random number
identifier
network device
Application number
PCT/CN2018/081469
Other languages
French (fr)
Chinese (zh)
Inventor
唐海
Original Assignee
Oppo广东移动通信有限公司
Application filed by Oppo广东移动通信有限公司
Priority to CN201880037291.8A (see CN110710183B)
Publication of WO2019140789A1

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H04L 9/14 Cryptographic mechanisms or arrangements using a plurality of keys or algorithms; H04L 9/16 the keys or algorithms being changed during operation
    • H04L 9/32 Cryptographic mechanisms or arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Abstract

Disclosed are a data validation method, a network device, a user equipment (UE), and a computer storage medium, comprising: obtaining from a server side a public key corresponding to a service; receiving a random number and an identifier of the service, sent from a user equipment (UE); said random number being the information updated each time an HTTP connection is established; on the basis of said public key, random number, and service identifier, validating the data stream of the service.

Description

Data verification method, network device, UE and computer storage medium

Technical Field
The present invention relates to the field of information processing technologies, and in particular to a data verification method, a network device, a user equipment (UE) and a computer storage medium.
Background
In the HTTP/2 era, all HTTP and higher application-layer data is encrypted by the TLS protocol and cannot be identified by the operator's mobile network. Encrypted traffic could formerly be identified during the TLS handshake from plaintext identifiers at the TLS layer, such as the SNI, but later versions of TLS will no longer carry such plaintext identifiers; in addition, plaintext identifiers are easily copied, which leads to the problem of stolen traffic. An authentication method is therefore needed that identifies encrypted traffic accurately and securely.
Summary of the Invention
To solve the above technical problem, embodiments of the present invention provide a data verification method, a network device, a user equipment (UE) and a computer storage medium.
An embodiment of the present invention provides a data verification method applied to a network device, the method including:
obtaining, from the server side, a public key and/or an application identification request message corresponding to a service.
An embodiment of the present invention provides a data verification method applied to a UE, the method including:
obtaining, from the server side, a public key and a random number corresponding to a service;
sending the random number and an identifier of the service to the network side, where the random number is information updated each time an HTTP connection is established.
An embodiment of the present invention provides a network device, the network device including:
a first communication unit that obtains, from the server side, a public key and/or an application identification request message corresponding to a service.
An embodiment of the present invention provides a UE, the UE including:
a second communication unit that obtains, from the server side, a public key and a random number corresponding to a service, and sends the random number and an identifier of the service to the network side, where the random number is information updated each time an HTTP connection is established.
An embodiment of the present invention provides a network device including a processor and a memory for storing a computer program capable of running on the processor,
where the processor is configured to perform the steps of the foregoing method when running the computer program.
An embodiment of the present invention provides a UE including a processor and a memory for storing a computer program capable of running on the processor,
where the processor is configured to perform the steps of the foregoing method when running the computer program.
An embodiment of the present invention provides a computer storage medium storing computer-executable instructions which, when executed, implement the steps of the foregoing method.
With the technical solution of the embodiments of the present invention, the data stream of a service can be verified on the basis of the public key and/or the application identification request message. This extends the system with new variables for identifying encrypted data, avoids the traffic-theft problem that arises when data streams are identified by plaintext identifiers, and makes the identification of transmitted data streams more accurate and secure.
Brief Description of the Drawings
FIG. 1 is a first schematic flowchart of a data verification method according to an embodiment of the present invention;
FIG. 2a is a first schematic diagram of a PFD interaction flow;
FIG. 2b is a second schematic diagram of a PFD interaction flow;
FIG. 2c is a third schematic diagram of a PFD interaction flow;
FIG. 3 is a second schematic flowchart of a data verification method according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a network device according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a user equipment (UE) according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of a hardware architecture according to an embodiment of the present invention;
FIG. 7 is a third schematic flowchart of a data verification method according to an embodiment of the present invention.
Detailed Description
In order that the features and technical content of the embodiments of the present invention may be understood in more detail, their implementation is described below with reference to the accompanying drawings, which are provided for reference and explanation only and are not intended to limit the embodiments of the present invention.
Embodiment 1
An embodiment of the present invention provides a data verification method applied to a network device, the method including:
obtaining, from the server side, a public key and/or an application identification request message corresponding to a service.
The case in which a public key is obtained and the case in which an application identification request message is obtained are described separately below.
When the public key corresponding to the service is obtained from the server, the method, as shown in FIG. 1, includes:
Step 101: obtaining, from the server side, the public key corresponding to the service;
Step 102: receiving a random number and an identifier of the service sent by the user equipment (UE), where the random number is information updated each time an HTTP connection is established;
Step 103: verifying the data stream of the service based on the public key, the random number and the identifier of the service.
Compared with the prior art, the technical solution of this embodiment introduces new parameters: a new authentication parameter, the public key (Public Key), and a random number (Random), from which a result (Result) can be computed by a specific algorithm; and a service identifier (Service ID) that designates a particular service.
The random number is to be understood as a number that can change at different times and/or in different places.
For example, it includes at least one of the current timestamp and a port number.
In addition, one or more of these other parameters may be combined with the public key in the corresponding verification algorithm; for example, the public key may be used in the verification computation together with both the timestamp and the port number, or together with only one of them.
The service identifier may be an application identifier, such as an APP ID. Because the server and the core network may identify the same application differently, different APP IDs may be used, but the same application has an APP ID mapping relationship: the network device of the core network stores a mapping table of application identifiers indicating the different identifiers used for the same application in different systems.
Before step 101, the method may further include generating the public key (Public Key) and the random number (Random) by an OTT server.
The random number is information updated each time an HTTP connection is established; that is, a new Random is generated every time an HTTP connection is set up.
The Public Key, by contrast, need not be regenerated for every HTTP connection and is retained for a longer period. As a kind of PFD, the Public Key is delivered by the OTT through the PFD to the core network side for storage and use; correspondingly, the network device on the network side obtains the updated public key according to a preset period. The preset period may be set according to actual conditions, for example to 1 day or to 1 week, by the network side (or the OTT server side).
Specifically, obtaining the public key corresponding to the service from the server side includes:
obtaining at least one PFD corresponding to the service through the PFD interaction flow with the server side;
extracting the public key from the at least one PFD corresponding to the service.
For example, referring to FIGS. 2a, 2b and 2c: in FIG. 2a the OTT server sends PFD management request information. One service may correspond to one or more PFDs, and the PFD management request information in the figure may be the management request information for one of those PFDs; it may carry information such as a triplet, a URL and the public key corresponding to the service, which is not listed exhaustively here. In FIG. 2b, both the SMF and the PFDF network elements may be understood as the network device of this embodiment; at least one PFD is obtained from the UDR together with the corresponding response information, and the PFD may contain information such as the public key. FIG. 2c shows the PFD management flow: a PFD management information notification is simply initiated at the SMF and PFDF network elements in order to modify the information in the PFD.
Further, when receiving the random number and the identifier of the service sent by the UE, the method further includes receiving a first result, corresponding to the identifier of the service, sent by the UE.
Verifying the data stream of the service based on the public key, the random number and the identifier of the service then includes:
computing a second result based on the random number and the public key; when the first result is identical to the second result, determining that the service data stream sent by the UE is a trusted data stream.
After the data stream of the service has been verified based on the public key, the random number and the identifier of the service, the method further includes:
generating a corresponding filter based on the service data stream; detecting and counting the data stream sent by the UE based on the filter.
Specifically, the parameters provided in this embodiment are used as follows. Each time an HTTP connection is established, the OTT server sends the Public Key and the Random to the UE through the established tunnel, and the UE computes Result-1 (the first result);
the UE then passes the random number Random and Result-1 to the network side, together with the Service ID designating the service and information describing the service data stream (for example an IP address);
the network side computes Result-2 (the second result) from the Public Key it holds and the received Random. If Result-1 = Result-2, the network side regards the Service ID and data stream information reported by the UE as trusted, and subsequently generates a filter from the data stream information to detect and count the data stream.
On the basis of the foregoing scheme, this embodiment also detects the end of the data stream, in one of the following ways:
Mode 1: when the TCP connection corresponding to the HTTP connection is closed, it is confirmed that transmission of the UE's service data stream has ended, and the filter is deleted. That is, when the TCP connection carrying the HTTP connection is closed, the network regards transfer of the service's data stream as finished, and the network side deletes the previously installed filter.
Mode 2: when transfer of the service data stream ends and the HTTP connection is closed, a PDU session modification request sent by the UE is received, the PDU session modification request carrying the identifier of the service; the binding information of the corresponding user plane filter is deleted according to the PDU session modification request.
That is, after transfer of the service data stream ends, the HTTP connection is closed, the UE initiates a PDU Session modification request carrying the Service ID towards the network side, and the network side deletes the user plane filter binding information corresponding to that Service ID as requested.
Mode 3: after transmission of the service data stream ends, a data stream deletion request sent by the server side is received, the data stream deletion request including at least the identifier of the service; the binding information of the user plane filter corresponding to the identifier of the service is deleted according to the data stream deletion request.
That is, after transfer of the data stream ends, the OTT side initiates a data stream deletion request containing the Service ID towards the network side, and the network side deletes the user plane filter binding information corresponding to that Service ID as requested.
The use of the application identification request message is described below.
The application identification request message includes at least one of the following: first feature information, a validity duration, and an application identifier.
The first feature information includes at least one of the following: an IP source address, an IP source port number, an IP destination address, an IP destination port number, a MAC source address, an IP source port number, a MAC destination address, a MAC destination port number, a protocol type, and a VLAN tag.
Based on the foregoing application identification request message, the solution provided in this embodiment may further include:
receiving a request message from the server and verifying the request message;
after the request message passes verification, configuring a data stream filter according to the first feature information to identify the traffic of the application data stream.
Specifically, the request message is verified on the basis of the first feature information, the validity duration and the application identifier (for example, the IP address information, the MAC address information and the protocol type it carries); the data stream filter is then configured according to the first feature information, and the traffic of the application data stream is identified by means of that filter.
It should be noted that the application identification request message sent by the server is received either during TLS handshake establishment or after the TLS handshake has succeeded.
In addition, the application identification request message may be sent by the server after the server has received the TLS handshake completion message.
For example, referring to FIG. 7: Step 0: after the TLS handshake between the UE and the OTT server (the server referred to above) on the network side is complete, TLS handshake completion information is exchanged;
Step 1: the OTT server sends an AAR application detection request to the SCEF, and the SCEF checks the information, that is, verifies the request message;
Step 2: once the SCEF has verified the application identification request message, it sends an RAR application detection request to the control plane of the 5GC/EPC; the control plane and the user plane of the 5GC/EPC then interact to install the data stream filter;
Step 3: the network side performs encrypted service detection based on the installed data stream filter, that is, the data stream filter configured according to the first feature information identifies the traffic of the application data stream.
Further, the data stream filter is in effect for the validity duration and is released automatically when the validity duration ends.
That is, the data stream filter may be timed and controlled by a timer: the timer is started when the data stream filter comes into use, and when the timer reaches a preset duration threshold the data stream filter is released automatically. The preset duration threshold may be set as required, for example to 10 minutes, or longer or shorter; it is not enumerated exhaustively here.
Alternatively, a release request message initiated by the server may be received, and the data stream filter is released according to that message; that is, when the data stream filter is to be released, release information for the data stream filter sent by the server is received. The server is an application server.
Continuing with FIG. 7: Step 4: after the traffic identification of the data stream is complete, the OTT server sends AAR application detection release information to the SCEF.
Step 5: the SCEF sends an RAR application detection request to the control plane of the 5GC/EPC to release the data stream filter; the control plane and the user plane of the 5GC/EPC then interact to remove the data stream filter.
It can be seen that with the above scheme the data stream of a service can be verified on the basis of the public key and/or the application identification request message. This extends the system with new variables for identifying encrypted data, avoids the traffic-theft problem that arises when data streams are identified by plaintext identifiers, and makes the identification of transmitted data streams more accurate and secure.
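As an added worked example, not part of the patent text, the following Python simulates the application identification request path of FIG. 7: the SCEF check of the request message, installation of a data stream filter built from the first feature information, classification of user-plane packets, timer-based release when the validity duration ends, and server-initiated release. The patent specifies neither concrete validation rules nor a message encoding, so the field names (`app_id`, `valid_duration`, `features`), the range checks, and the sample request and packets are assumptions constructed for this example. One check a practitioner would add, and which the example includes, is a cap on the validity duration the application server may request, so that a misbehaving or compromised server cannot pin a filter indefinitely.

```python
"""Application identification request handling (FIG. 7, steps 1-5), as an
illustrative simulation.  Field names, validation rules and sample data are
ASSUMED; the patent does not define them."""
import ipaddress
import re
from typing import Optional

# First feature information fields named in the description.
FEATURE_FIELDS = ("ip_src", "ip_src_port", "ip_dst", "ip_dst_port",
                  "mac_src", "mac_dst", "protocol", "vlan")
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
PROTOCOLS = {"tcp", "udp"}          # assumed set of accepted protocol types


def validate_request(msg: dict, max_duration: int = 3600) -> list:
    """SCEF information check (step 1).  Returns a list of problems; an empty
    list means the request passes.  max_duration caps how long a server may
    keep a filter installed (not in the patent; added as a safeguard)."""
    problems = []
    if not isinstance(msg.get("app_id"), str) or not msg["app_id"]:
        problems.append("missing app_id")
    duration = msg.get("valid_duration")
    if not isinstance(duration, int) or not 0 < duration <= max_duration:
        problems.append("valid_duration must be 1..%d seconds" % max_duration)
    features = msg.get("features") or {}
    if not features:
        problems.append("at least one feature field is required")
    for name, value in features.items():
        if name not in FEATURE_FIELDS:
            problems.append("unknown feature %s" % name)
        elif name in ("ip_src", "ip_dst"):
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append("bad address in %s" % name)
        elif name.endswith("_port") or name == "vlan":
            limit = 4094 if name == "vlan" else 65535
            if not isinstance(value, int) or not 0 <= value <= limit:
                problems.append("%s out of range" % name)
        elif name in ("mac_src", "mac_dst"):
            if not isinstance(value, str) or not MAC_RE.match(value.lower()):
                problems.append("bad MAC in %s" % name)
        elif name == "protocol" and value not in PROTOCOLS:
            problems.append("unsupported protocol %r" % (value,))
    return problems


class DataStreamFilter:
    """A filter installed on the user plane; every feature must match."""
    def __init__(self, app_id: str, features: dict, now: float, duration: int):
        self.app_id = app_id
        self.features = dict(features)
        self.expires_at = now + duration      # validity duration timer

    def matches(self, pkt: dict) -> bool:
        return all(pkt.get(k) == v for k, v in self.features.items())


class NetworkSide:
    """Control plane and user plane of the 5GC/EPC as drawn in FIG. 7."""
    def __init__(self) -> None:
        self.filters: dict = {}               # app_id -> DataStreamFilter

    def handle_detection_request(self, msg: dict, now: float) -> bool:
        """Steps 1-2: verify, then install.  True if a filter was installed."""
        if validate_request(msg):
            return False
        self.filters[msg["app_id"]] = DataStreamFilter(
            msg["app_id"], msg["features"], now, msg["valid_duration"])
        return True

    def expire(self, now: float) -> list:
        """Timer: release filters whose validity has ended; returns their ids."""
        gone = [a for a, f in self.filters.items() if now >= f.expires_at]
        for app_id in gone:
            del self.filters[app_id]
        return gone

    def classify(self, pkt: dict, now: float) -> Optional[str]:
        """Step 3: attribute a packet to an application, or None."""
        self.expire(now)
        for app_id, flt in self.filters.items():
            if flt.matches(pkt):
                return app_id
        return None

    def handle_release_request(self, app_id: str) -> bool:
        """Steps 4-5: release requested by the application server."""
        return self.filters.pop(app_id, None) is not None


# Constructed sample request and packets (not taken from the patent).
SAMPLE_REQUEST = {
    "app_id": "app-42",
    "valid_duration": 600,    # the 10-minute figure the description mentions
    "features": {"ip_dst": "203.0.113.10", "ip_dst_port": 443, "protocol": "tcp"},
}
SAMPLE_PACKETS = [
    {"ip_src": "10.0.0.5", "ip_dst": "203.0.113.10", "ip_dst_port": 443, "protocol": "tcp"},
    {"ip_src": "10.0.0.5", "ip_dst": "198.51.100.7", "ip_dst_port": 443, "protocol": "tcp"},
]


def demo() -> dict:
    """Install, classify, let the timer expire, and show a rejected request."""
    net = NetworkSide()
    installed = net.handle_detection_request(SAMPLE_REQUEST, now=0)
    hits = [net.classify(p, now=1) for p in SAMPLE_PACKETS]
    after_expiry = net.classify(SAMPLE_PACKETS[0], now=600)
    bad = dict(SAMPLE_REQUEST, features={"mac_src": "not-a-mac"})
    return {"installed": installed, "hits": hits,
            "after_expiry": after_expiry, "bad_problems": validate_request(bad)}


if __name__ == "__main__":
    print(demo())
```

The clock is passed in explicitly (`now`) rather than read from the system so that the timer behaviour can be exercised deterministically; in a real UPF the expiry would be driven by the control plane's timer and the release would also be signalled to the server.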
Embodiment 2
An embodiment of the present invention provides a data verification method applied to a UE, which, as shown in FIG. 3, includes:
Step 301: obtaining, from the server side, a public key and a random number corresponding to a service;
Step 302: sending the random number and an identifier of the service to the network side, where the random number is information updated each time an HTTP connection is established.
Compared with the prior art, the technical solution of this embodiment introduces new parameters: a new authentication parameter, the public key (Public Key), and a random number (Random), from which a result (Result) can be computed by a specific algorithm; and a service identifier (Service ID) that designates a particular service.
The service identifier may be an application identifier, such as an APP ID. Because the server and the core network may identify the same application differently, different APP IDs may be used, but the same application has an APP ID mapping relationship: the network device of the core network stores a mapping table of application identifiers indicating the different identifiers used for the same application in different systems.
The random number is to be understood as a number that can change at different times and/or in different places.
For example, it includes at least one of the current timestamp and a port number.
Before step 301, the method may further include generating the public key (Public Key) and the random number (Random) by an OTT server.
The random number is information updated each time an HTTP connection is established; that is, a new Random is generated every time an HTTP connection is set up.
The Public Key, by contrast, need not be regenerated for every HTTP connection and is retained for a longer period. As a kind of PFD, the Public Key is delivered by the OTT through the PFD to the core network side for storage and use; correspondingly, the network device on the network side obtains the updated public key according to a preset period. The preset period may be set according to actual conditions, for example to 1 day or to 1 week, by the network side (or the OTT server side).
Specifically, after obtaining the public key and the random number corresponding to the service from the server side, the method further includes computing a first result based on the random number and the public key.
When sending the random number and the identifier of the service to the network side, the method further includes sending, to the network side, the first result corresponding to the identifier of the service.
On the network side, after the data stream of the service has been verified based on the public key, the random number and the identifier of the service, the method further includes:
generating a corresponding filter based on the service data stream; detecting and counting the data stream sent by the UE based on the filter.
Specifically, the parameters provided in this embodiment are used as follows. Each time an HTTP connection is established, the OTT server sends the Public Key and the Random to the UE through the established tunnel, and the UE computes Result-1 (the first result);
the UE then passes the random number Random and Result-1 to the network side, together with the Service ID designating the service and information describing the service data stream (for example an IP address);
the network side computes Result-2 (the second result) from the Public Key it holds and the received Random. If Result-1 = Result-2, the network side regards the Service ID and data stream information reported by the UE as trusted, and subsequently generates a filter from the data stream information to detect and count the data stream.
On the basis of the foregoing scheme, this embodiment also detects the end of the data stream, in one of the following ways:
Mode 1: when the TCP connection corresponding to the HTTP connection is closed, it is confirmed that transmission of the UE's service data stream has ended, and the filter is deleted. That is, when the TCP connection carrying the HTTP connection is closed, the network regards transfer of the service's data stream as finished, and the network side deletes the previously installed filter.
Mode 2: when transfer of the service data stream ends and the HTTP connection is closed, a PDU session modification request is sent to the network side, the PDU session modification request carrying the identifier of the service.
Correspondingly, when transfer of the service data stream ends and the HTTP connection is closed, the network side receives the PDU session modification request sent by the UE, the PDU session modification request carrying the identifier of the service, and deletes the binding information of the corresponding user plane filter according to the PDU session modification request.
That is, after transfer of the service data stream ends, the HTTP connection is closed, the UE initiates a PDU Session modification request carrying the Service ID towards the network side, and the network side deletes the user plane filter binding information corresponding to that Service ID as requested.
Mode 3: after transmission of the service data stream ends, a data stream deletion request sent by the server side is received, the data stream deletion request including at least the identifier of the service; the binding information of the user plane filter corresponding to the identifier of the service is deleted according to the data stream deletion request.
That is, after transfer of the data stream ends, the OTT side initiates a data stream deletion request containing the Service ID towards the network side, and the network side deletes the user plane filter binding information corresponding to that Service ID as requested.
It can be seen that with the above scheme the data stream of a service can be verified on the basis of the public key and/or the application identification request message. This extends the system with new variables for identifying encrypted data, avoids the traffic-theft problem that arises when data streams are identified by plaintext identifiers, and makes the identification of transmitted data streams more accurate and secure.
Embodiment 3
An embodiment of the present invention provides a network device, including:
a first communication unit, which obtains from the server side a public key and/or an application identification request message corresponding to a service.
The obtained public key and the obtained application identification request message are described separately below:
When the public key corresponding to the service is obtained from the server, as shown in FIG. 4, the network device includes:
a first communication unit 41, which obtains the public key corresponding to the service from the server side and receives a random number and the identifier of the service from the user equipment UE, where the random number is information updated each time an HTTP connection is established;
a first processing unit 42, which verifies the data flow of the service based on the public key, the random number and the identifier of the service.
It should be understood that the random number is a number that can change at different times and/or at different locations.
For example, it includes at least one of: the current timestamp and the port number.
In addition, one or more of the other parameters may be combined with the public key and verified with the corresponding algorithm; for example, the public key is used in the verification computation together with both the timestamp and the port number, or the public key is computed with the verification algorithm together with only one of the timestamp or the port number.
It can be seen that, compared with the prior art, the technical solution of this embodiment introduces new parameters, specifically: a new authentication parameter, the Public Key, and a random number (Random), from which a Result can be computed by a specific algorithm; and a Service ID that designates a specific service.
It should be understood that the service identifier may be an application identifier, such as an APP ID. Since the server and the core network may identify the same application differently, different APP IDs may be used, but the same application has an APP ID mapping relationship; that is, the network device of the core network stores an application-identifier mapping table that records the different identifiers of the same application in different systems.
The random number is information updated each time an HTTP connection is established; that is, a new Random is generated each time an HTTP connection is set up.
In addition, the Public Key does not need to be regenerated for each HTTP connection and is kept for a longer period. The Public Key is a kind of PFD and is delivered by the OTT to the core-network side through PFD for storage and use; correspondingly, the network device on the network side obtains the updated public key based on a preset period. The preset period may be set according to actual conditions, for example 1 day or 1 week, by the network side (or the OTT server side).
Specifically, the first communication unit 41 obtains at least one PFD corresponding to the service through a PFD exchange procedure with the server side;
the first processing unit 42 extracts the public key from the at least one PFD corresponding to the service.
For example, referring to FIG. 2, the OTT server sends PFD management request information. One service may correspond to one or more PFDs, and the PFD management request information in the figure may be the management request information corresponding to one of those PFDs.
The PFD management request information may carry information such as a triplet, a URL and the public key corresponding to the service; this list is not exhaustive.
Further, the first communication unit 41 receives from the UE a first result corresponding to the identifier of the service.
The first processing unit 42 computes a second result based on the random number and the public key; when the first result is identical to the second result, it determines that the service data flow sent by the UE is a trusted data flow.
After the data flow of the service is verified based on the public key, the random number and the identifier of the service, the method further includes:
the first processing unit 42 generates a corresponding filter based on the service data flow, and detects and counts the data flow sent by the UE based on the filter.
Specifically, the parameters provided in this embodiment are used as follows: each time an HTTP connection is established, the OTT server sends the Public Key and Random to the UE through the established tunnel, and the UE computes Result-1 (the first result);
the UE then passes the random number Random and Result-1 to the network side, together with the Service ID that designates the service and information describing the service data flow (for example an IP address);
the network side computes Result-2 (the second result) from the Public Key it stores and the received Random. If Result-1 = Result-2, the network side regards the Service ID and data flow information reported by the UE as trusted, and then generates a Filter from the data flow information to detect and count the data flow.
On the basis of the foregoing solution, this embodiment also detects the end of the data flow, in any of the following ways:
Manner 1: When the TCP connection corresponding to the HTTP connection is disconnected, the first processing unit 42 confirms that transmission of the UE's service data flow has ended and deletes the filter. That is, when the TCP connection underlying the HTTP connection is torn down, the network considers the data flow of that service finished, and the network side deletes the previously installed Filter.
Manner 2: When the service data flow has ended and the HTTP connection is disconnected, the first processing unit 42 receives, through the first communication unit, the PDU session modification request sent by the UE, which carries the identifier of the service, and deletes the binding information of the corresponding user-plane filter based on that request.
That is, after the service data flow ends the HTTP connection is torn down, the UE initiates a PDU Session modification request to the network side carrying the Service ID, and the network side deletes the user-plane Filter binding information for that Service ID according to the request.
Manner 3: After transmission of the service data flow has ended, the first processing unit 42 receives a data flow deletion request from the server side; the data flow deletion request includes at least the identifier of the service; the first processing unit 42 deletes the binding information of the user-plane filter corresponding to that service identifier according to the data flow deletion request.
That is, after the data flow ends, the OTT side initiates a data flow deletion request containing the Service ID to the network side, and the network side deletes the user-plane Filter binding information for that Service ID according to the request.
The use of the application identification request information is described below:
The application identification request message contains at least one of the following: first feature information, a validity duration, and an application identifier.
The first feature information includes at least one of the following: IP source address, IP source port number, IP destination address, IP destination port number, MAC source address, IP source port number, MAC destination address, MAC destination port number, protocol type, and VLAN tag.
Based on the foregoing application identification request message, the solution of this embodiment may further include:
the first communication unit 41 receives a request message from the server;
the first processing unit 42 verifies the request message; after the request message passes verification, it configures a data flow filter according to the first feature information to identify the traffic of the application data flow.
Specifically, the request message is verified based on the first feature information, the validity duration and the application identifier, for example the IP address information, the MAC address information and the protocol type; the data flow filter is then configured according to the first feature information, and the traffic of the application data flow is identified based on that data flow filter.
It should be noted that the first communication unit 41 receives the application identification request message sent by the server, where the application identification request message is sent during the TLS handshake or after the TLS handshake succeeds.
Alternatively, it receives the application identification request message that the server sends after receiving the TLS handshake completion message.
For example, referring to FIG. 7: Step 0: after the TLS handshake between the UE and the OTT server (the server described above) on the network side is complete, TLS handshake completion information is exchanged;
Step 1: the OTT server sends an AAR application detection request to the SCEF, and the SCEF checks the information, that is, verifies the request message;
Step 2: after the SCEF's verification of the application identification request message passes, it sends an RAR application detection request to the control plane of the 5GC/EPC; the control plane and the user plane of the 5GC/EPC then interact to install the data flow filter;
Step 3: the network side then performs encrypted-service detection based on the installed data flow filter, that is, it configures the data flow filter according to the first feature information to identify the traffic of the application data flow.
Further, the data flow filter is effective within the validity duration and is released automatically when the validity duration ends.
That is, the data flow filter can be timed and controlled by a timer: for example, the timer is started when the data flow filter begins to be used, and when the timer reaches a preset duration threshold the data flow filter is released automatically. The preset duration threshold can be set as required, for example to 10 minutes, and may of course be longer or shorter; no exhaustive list is given here.
Alternatively, a release request message initiated by the server may be received, and the data flow filter is released according to that message. That is, when it is determined that the data flow filter is to be released, release information for the data flow filter sent by the server is received. The server is an application server.
Referring further to FIG. 7, Step 4: after traffic identification of the data flow is complete, the OTT server sends AAR application detection release information to the SCEF.
Step 5: the SCEF sends an RAR application detection request to the control plane of the 5GC/EPC to release the data flow filter; the control plane and the user plane of the 5GC/EPC then interact to remove the data flow filter.
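The SCEF verification step and the filter lifecycle of FIG. 7 (install after verification, classify traffic by the first feature information, automatic release when the validity duration expires, server-initiated release), shown as an added example. This is not code from the patent or from Oppo; the class names (FirstFeatureInfo, AppIdRequest, Scef, UserPlane), the concrete checks the SCEF applies, and all addresses, ports and application identifiers are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, fields
from typing import Dict, Optional, Tuple

# Added example, not the patent's code; all names and sample values are constructed.


@dataclass(frozen=True)
class FirstFeatureInfo:
    """The 'first feature information' fields of the request; a None field is a wildcard."""
    ip_src: Optional[str] = None
    ip_src_port: Optional[int] = None
    ip_dst: Optional[str] = None
    ip_dst_port: Optional[int] = None
    mac_src: Optional[str] = None
    mac_dst: Optional[str] = None
    protocol: Optional[str] = None
    vlan: Optional[int] = None

    def matches(self, pkt: Dict[str, object]) -> bool:
        # every non-wildcard field must equal the packet's value
        return all(getattr(self, f.name) is None or pkt.get(f.name) == getattr(self, f.name)
                   for f in fields(self))

    def is_wildcard(self) -> bool:
        return all(getattr(self, f.name) is None for f in fields(self))


@dataclass(frozen=True)
class AppIdRequest:
    """Application identification request: first feature info, validity duration, app id."""
    app_id: str
    features: FirstFeatureInfo
    valid_duration: float  # seconds


def _valid_port(p: Optional[int]) -> bool:
    return p is None or 0 <= p <= 65535


def _valid_ip(a: Optional[str]) -> bool:
    if a is None:
        return True
    try:
        ipaddress.ip_address(a)
        return True
    except ValueError:
        return False


class Scef:
    """Step 1 of FIG. 7: the SCEF checks the request before it reaches the 5GC/EPC control plane.
    The concrete checks below are assumptions; the patent only says the request is verified."""
    PROTOCOLS = {"TCP", "UDP"}

    def __init__(self, known_app_ids, max_duration: float = 3600.0):
        self.known_app_ids = set(known_app_ids)   # application-identifier mapping table
        self.max_duration = max_duration

    def verify(self, req: AppIdRequest) -> bool:
        f = req.features
        return (req.app_id in self.known_app_ids
                and 0 < req.valid_duration <= self.max_duration
                and not f.is_wildcard()            # refuse a filter that would match everything
                and _valid_ip(f.ip_src) and _valid_ip(f.ip_dst)
                and _valid_port(f.ip_src_port) and _valid_port(f.ip_dst_port)
                and (f.protocol is None or f.protocol in self.PROTOCOLS))


class UserPlane:
    """Steps 2 to 5: install the data flow filter, classify traffic, expire or release it."""

    def __init__(self):
        self.filters: Dict[str, Tuple[FirstFeatureInfo, float]] = {}  # app id -> (features, expiry)
        self.bytes_seen: Dict[str, int] = {}

    def install(self, req: AppIdRequest, now: float) -> None:
        # the timer starts when the filter begins to be used
        self.filters[req.app_id] = (req.features, now + req.valid_duration)
        self.bytes_seen.setdefault(req.app_id, 0)

    def expire(self, now: float) -> None:
        # filters past their validity duration are released automatically
        for app_id in [a for a, (_, exp) in self.filters.items() if now >= exp]:
            del self.filters[app_id]

    def release(self, app_id: str) -> None:
        # server-initiated release (AAR release information -> RAR to the control plane)
        self.filters.pop(app_id, None)

    def classify(self, pkt: Dict[str, object], now: float) -> Optional[str]:
        self.expire(now)
        for app_id, (feat, _) in self.filters.items():
            if feat.matches(pkt):
                self.bytes_seen[app_id] += int(pkt.get("length", 0))
                return app_id
        return None


def run_scenario() -> Dict[str, object]:
    scef, up = Scef(known_app_ids={"app-1234"}), UserPlane()     # constructed app id
    good = AppIdRequest("app-1234", FirstFeatureInfo(ip_dst="203.0.113.10", ip_dst_port=443, protocol="TCP"), 600.0)
    wildcard = AppIdRequest("app-1234", FirstFeatureInfo(), 600.0)
    unknown = AppIdRequest("app-9999", FirstFeatureInfo(ip_dst="203.0.113.10"), 600.0)
    out = {"good_ok": scef.verify(good), "wildcard_ok": scef.verify(wildcard), "unknown_ok": scef.verify(unknown)}
    if out["good_ok"]:
        up.install(good, now=0.0)
    hit = {"ip_src": "10.0.0.2", "ip_dst": "203.0.113.10", "ip_dst_port": 443, "protocol": "TCP", "length": 1200}
    miss = {"ip_src": "10.0.0.2", "ip_dst": "203.0.113.11", "ip_dst_port": 443, "protocol": "TCP", "length": 800}
    out["hit"], out["miss"] = up.classify(hit, now=10.0), up.classify(miss, now=11.0)
    out["bytes"] = up.bytes_seen["app-1234"]
    out["after_expiry"] = up.classify(hit, now=600.0)    # validity duration reached: auto-released
    up.install(good, now=700.0)
    up.release("app-1234")                               # server release request
    out["after_release"] = up.classify(hit, now=701.0)
    return out
```

The wildcard rejection in `Scef.verify` is the check a practitioner would want at step 1: a request whose first feature information is empty would install a filter that attributes every packet to the application, so the SCEF refuses it before the RAR reaches the control plane.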
It can be seen that, by adopting the above solution, the data flow of a service can be verified on the basis of the public key and/or the application identification request message. This implements a scheme in which new variables are introduced to identify encrypted data so that it can be detected, avoiding the traffic-theft problem that arises when data flows are identified by plaintext, and making the transmitted data flow more accurate and secure.
Embodiment 4
An embodiment of the present invention provides a UE, as shown in FIG. 5, including:
a second communication unit 51, which obtains the public key and the random number corresponding to the service from the server side and sends the random number and the identifier of the service to the network side, where the random number is information updated each time an HTTP connection is established.
It can be seen that, compared with the prior art, the technical solution of this embodiment introduces new parameters, specifically: a new authentication parameter, the Public Key, and a random number (Random), from which a Result can be computed by a specific algorithm; and a Service ID that designates a specific service.
It should be understood that the service identifier may be an application identifier, such as an APP ID. Since the server and the core network may identify the same application differently, different APP IDs may be used, but the same application has an APP ID mapping relationship; that is, the network device of the core network stores an application-identifier mapping table that records the different identifiers of the same application in different systems.
The random number is information updated each time an HTTP connection is established; that is, a new Random is generated each time an HTTP connection is set up.
It should be understood that the random number is a number that can change at different times and/or at different locations.
For example, it includes at least one of: the current timestamp and the port number.
In addition, the Public Key does not need to be regenerated for each HTTP connection and is kept for a longer period. The Public Key is a kind of PFD and is delivered by the OTT to the core-network side through PFD for storage and use; correspondingly, the network device on the network side obtains the updated public key based on a preset period. The preset period may be set according to actual conditions, for example 1 day or 1 week, by the network side (or the OTT server side).
Specifically, the UE further includes:
a second processing unit 52, which computes a first result based on the random number and the public key.
The second communication unit 51 sends the first result corresponding to the identifier of the service to the network side.
Specifically, the parameters provided in this embodiment are used as follows: each time an HTTP connection is established, the OTT server sends the Public Key and Random to the UE through the established tunnel, and the UE computes Result-1 (the first result);
the UE then passes the random number Random and Result-1 to the network side, together with the Service ID that designates the service and information describing the service data flow (for example an IP address);
the network side computes Result-2 (the second result) from the Public Key it stores and the received Random. If Result-1 = Result-2, the network side regards the Service ID and data flow information reported by the UE as trusted, and then generates a Filter from the data flow information to detect and count the data flow.
On the basis of the foregoing solution, this embodiment also detects the end of the data flow, in any of the following ways:
Manner 1: When the TCP connection corresponding to the HTTP connection is disconnected, the network side confirms that transmission of the UE's service data flow has ended and deletes the filter. That is, when the TCP connection underlying the HTTP connection is torn down, the network considers the data flow of that service finished, and the network side deletes the previously installed Filter.
Manner 2: When the service data flow has ended and the HTTP connection is disconnected, the second communication unit 51 sends a PDU session modification request to the network side; the PDU session modification request carries the identifier of the service.
Correspondingly, when the service data flow has ended and the HTTP connection is disconnected, the network side receives the PDU session modification request sent by the UE, which carries the identifier of the service, and deletes the binding information of the corresponding user-plane filter based on that request.
That is, after the service data flow ends the HTTP connection is torn down, the UE initiates a PDU Session modification request to the network side carrying the Service ID, and the network side deletes the user-plane Filter binding information for that Service ID according to the request.
Manner 3: After transmission of the service data flow has ended, the network side receives a data flow deletion request from the server side; the data flow deletion request includes at least the identifier of the service; the network side deletes the binding information of the user-plane filter corresponding to that service identifier according to the data flow deletion request.
That is, after the data flow ends, the OTT side initiates a data flow deletion request containing the Service ID to the network side, and the network side deletes the user-plane Filter binding information for that Service ID according to the request.
It can be seen that, by adopting the above solution, the data flow of a service can be verified on the basis of the public key and/or the application identification request message. This implements a scheme in which new variables are introduced to identify encrypted data so that it can be detected, avoiding the traffic-theft problem that arises when data flows are identified by plaintext, and making the transmitted data flow more accurate and secure.
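The Result-1 / Result-2 exchange between the OTT server, the UE of Embodiment 4 and the network device of Embodiment 3, together with the three manners of removing the Filter, as an added example. This is not code from the patent or from Oppo. The patent leaves the "specific algorithm" that derives Result from Public Key and Random unspecified; HMAC-SHA256 is assumed here, which means the value the patent calls "Public Key" is handled as a secret known only to the OTT server and the core network. The class names, the replay check on Random, the service identifier, key, flow addresses and packet sizes are all constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Added example, not the patent's code. HMAC-SHA256 stands in for the unnamed
# "specific algorithm"; all names and sample values are constructed.


def compute_result(key: bytes, random_value: bytes) -> bytes:
    """Result = MAC(Public Key, Random): Result-1 on the UE, Result-2 on the network side."""
    return hmac.new(key, random_value, hashlib.sha256).digest()


class OttServer:
    """Server side: delivers the key through PFD, issues a fresh Random per HTTP connection."""

    def __init__(self, service_id: str, key: bytes):
        self.service_id, self.key = service_id, key

    def pfd_management_request(self) -> Dict[str, object]:
        return {"service_id": self.service_id, "public_key": self.key}

    def new_http_connection(self) -> Tuple[bytes, bytes]:
        return self.key, secrets.token_bytes(16)          # new Random for each HTTP connection

    def flow_delete_request(self) -> Dict[str, str]:      # Manner 3
        return {"service_id": self.service_id}


class UE:
    """UE side (Embodiment 4): computes Result-1 and reports it with Random, Service ID, flow info."""

    def report(self, service_id, key, random_value, flow_info) -> Dict[str, object]:
        return {"service_id": service_id, "random": random_value,
                "result_1": compute_result(key, random_value), "flow_info": flow_info}

    def pdu_session_modification_request(self, service_id: str) -> Dict[str, str]:  # Manner 2
        return {"service_id": service_id}


class NetworkDevice:
    """Network side (Embodiment 3): verifies Result-1 and runs the per-service Filter."""

    def __init__(self):
        self.keys: Dict[str, bytes] = {}                  # Service ID -> key learned via PFD
        self.filters: Dict[str, Tuple[str, str]] = {}     # Service ID -> (src ip, dst ip)
        self.counters: Dict[str, int] = {}                # Service ID -> bytes counted
        self.seen_randoms = set()                         # added replay check, not in the patent

    def install_pfd(self, pfd: Dict[str, object]) -> None:
        self.keys[pfd["service_id"]] = pfd["public_key"]

    def verify_report(self, rep: Dict[str, object]) -> bool:
        key = self.keys.get(rep["service_id"])
        if key is None or rep["random"] in self.seen_randoms:
            return False
        result_2 = compute_result(key, rep["random"])
        if not hmac.compare_digest(rep["result_1"], result_2):   # Result-1 == Result-2 ?
            return False
        self.seen_randoms.add(rep["random"])
        self.filters[rep["service_id"]] = tuple(rep["flow_info"])  # install the Filter
        self.counters.setdefault(rep["service_id"], 0)
        return True

    def count_packet(self, src_ip: str, dst_ip: str, length: int) -> Optional[str]:
        for sid, flow in self.filters.items():
            if flow == (src_ip, dst_ip):
                self.counters[sid] += length
                return sid
        return None

    def remove_filter(self, service_id: str) -> None:
        """Manner 1 (TCP teardown), Manner 2 (PDU session modification) and Manner 3 (server delete)."""
        self.filters.pop(service_id, None)


def run_scenario() -> Dict[str, object]:
    server = OttServer("svc-42", secrets.token_bytes(32))     # constructed service and key
    net, ue, out = NetworkDevice(), UE(), {}
    net.install_pfd(server.pfd_management_request())          # key delivered through PFD
    flow = ("10.0.0.2", "203.0.113.5")                        # constructed flow description
    key, rnd = server.new_http_connection()                   # server -> UE over the tunnel
    rep = ue.report("svc-42", key, rnd, flow)                 # UE -> network side
    out["verified"] = net.verify_report(rep)
    out["replay_accepted"] = net.verify_report(rep)           # same Random presented again
    net.count_packet(*flow, 1000); net.count_packet(*flow, 500)
    out["unmatched"] = net.count_packet("10.0.0.9", "203.0.113.5", 700)
    out["counted_bytes"] = net.counters["svc-42"]
    # a report built without the key yields a Result-1 the network cannot reproduce
    out["forged_accepted"] = net.verify_report(ue.report("svc-42", b"not-the-key", secrets.token_bytes(16), flow))
    net.remove_filter("svc-42")                               # Manner 1: TCP connection torn down
    out["filter_after_tcp_close"] = "svc-42" in net.filters
    key, rnd = server.new_http_connection()
    net.verify_report(ue.report("svc-42", key, rnd, flow))
    net.remove_filter(ue.pdu_session_modification_request("svc-42")["service_id"])   # Manner 2
    out["filter_after_pdu_mod"] = "svc-42" in net.filters
    key, rnd = server.new_http_connection()
    net.verify_report(ue.report("svc-42", key, rnd, flow))
    net.remove_filter(server.flow_delete_request()["service_id"])                     # Manner 3
    out["filter_after_server_delete"] = "svc-42" in net.filters
    return out
```

Two points the patent's text implies but does not spell out are made explicit here: the comparison of Result-1 with Result-2 uses a constant-time compare, and the network side remembers the Randoms it has already accepted, so a report carrying a Random from an earlier HTTP connection is rejected even though its Result-1 is correct.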
An embodiment of the present invention further provides a hardware architecture of the user equipment or of the receiving device, as shown in FIG. 6, including: at least one processor 61, a memory 62 and at least one network interface 63. The components are coupled together by a bus system 64. It can be understood that the bus system 64 is used to implement connection and communication between these components. Besides the data bus, the bus system 64 includes a power bus, a control bus and a status signal bus. For clarity, however, all of the buses are labelled as bus system 64 in FIG. 6.
It can be understood that the memory 62 in the embodiments of the present invention may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory.
In some implementations, the memory 62 stores the following elements, executable modules or data structures, or a subset or extended set of them:
an operating system 621 and an application program 622.
The processor 61 is configured to perform the method steps of Embodiment 1 described above, which are not repeated here.
An embodiment of the present invention provides a computer storage medium storing computer-executable instructions which, when executed, implement the method steps of Embodiment 1 described above.
If the above apparatus of the embodiments of the present invention is implemented in the form of software functional modules and sold or used as an independent product, it may also be stored in a computer-readable storage medium. On this understanding, the technical solution of the embodiments of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and including a number of instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the methods described in the embodiments of the present invention. The storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a magnetic disk, an optical disc, or any other medium that can store program code. The embodiments of the present invention are therefore not limited to any particular combination of hardware and software.
Correspondingly, an embodiment of the present invention further provides a computer storage medium storing a computer program configured to execute the data scheduling method of the embodiments of the present invention.
Although the preferred embodiments of the present invention have been disclosed for purposes of illustration, those skilled in the art will appreciate that various modifications, additions and substitutions are possible; the scope of the present invention should therefore not be limited to the embodiments described above.

Claims (51)

  1. 一种数据验证方法,应用于网络设备,所述方法包括:A data verification method is applied to a network device, and the method includes:
    从服务器侧获取业务对应的公共密钥和/或应用识别请求消息。The public key and/or the application identification request message corresponding to the service is obtained from the server side.
  2. 根据权利要求1所述的方法,其中,所述方法还包括:The method of claim 1 wherein the method further comprises:
    接收用户设备UE发来的随机数以及业务的标识;其中,所述随机数为每次建立HTTP连接时均更新的信息;Receiving a random number sent by the user equipment UE and an identifier of the service; where the random number is information updated every time an HTTP connection is established;
    基于所述公共密钥、随机数以及业务的标识对业务的数据流进行验证。The data stream of the service is verified based on the public key, the random number, and the identity of the service.
  3. 根据权利要求2所述的方法,其中,所述随机数,为不同时间和/或不同地点能够发生改变的数字。The method of claim 2, wherein the random number is a number that can change at different times and/or at different locations.
  4. The method according to claim 2, wherein after verifying the data stream of the service, the method further comprises:
    generating a corresponding filter based on the service data stream;
    detecting and counting the data stream sent by the UE based on the filter.
  5. The method according to claim 4, wherein after generating the corresponding filter based on the service data stream, the method further comprises:
    when the TCP connection corresponding to the HTTP connection is disconnected, confirming that the service data stream transmission of the UE has ended, and deleting the filter.
  6. The method according to claim 4, wherein the method further comprises:
    when the service data stream transmission ends and the HTTP connection is disconnected, receiving a PDU session modification request sent by the UE, wherein the PDU session modification request carries the identifier of the service;
    deleting the binding information of the corresponding user plane filter based on the PDU session modification request.
  7. The method according to claim 4, wherein the method further comprises:
    after the service data stream transmission ends, receiving a data stream deletion request sent by the server side, wherein the data stream deletion request includes at least the identifier of the service;
    deleting, according to the data stream deletion request, the binding information of the user plane filter corresponding to the identifier of the service.
  8. The method according to claim 1, wherein obtaining the public key corresponding to the service from the server side comprises:
    obtaining at least one PFD corresponding to the service through a PFD exchange procedure with the server side;
    extracting the public key from the at least one PFD corresponding to the service.
  9. The method according to claim 2, wherein, when receiving the random number and the identifier of the service sent by the user equipment UE, the method further comprises:
    receiving a first result sent by the UE and corresponding to the identifier of the service.
  10. The method according to claim 9, wherein, in verifying the data stream of the service based on the public key, the random number and the identifier of the service, the method further comprises:
    calculating a second result based on the random number and the public key;
    when the first result is identical to the second result, determining that the service data stream sent by the UE is a trusted data stream.
  11. The method according to claim 1, wherein the method further comprises:
    obtaining an updated public key based on a preset period.
  12. The method according to claim 1, wherein the application identification request message includes at least one of the following: first feature information, a validity duration, and an application identifier.
  13. The method according to claim 12, wherein the first feature information includes at least one of the following: an IP source address, an IP source port number, an IP destination address, an IP destination port number, a MAC source address, an IP source port number, a MAC destination address, a MAC destination port number, a protocol type, and a VLAN tag.
  14. The method according to claim 12 or 13, wherein the method further comprises:
    receiving a request message from the server, and verifying the request message;
    after the request message passes verification, configuring a data stream filter according to the first feature information to identify the traffic of the application data stream.
  15. The method according to claim 12, wherein the data stream filter takes effect within the validity duration, and the data stream filter is released automatically after the validity duration ends.
  16. The method according to claim 12, wherein the method further comprises:
    receiving a release request message initiated by the server, and releasing the data filter according to the message.
  17. The method according to claim 12, wherein the server is an application server.
  18. The method according to claim 12, wherein the method further comprises:
    receiving an application identification request message sent by the server, wherein the application identification request message occurs during TLS handshake establishment or after the TLS handshake succeeds.
  19. The method according to claim 18, wherein the method further comprises:
    receiving an application identification request message sent by the server after the server receives a TLS handshake completion message.
  20. A data verification method, applied to a UE, the method comprising:
    obtaining a public key corresponding to a service and a random number from a server side;
    sending the random number and an identifier of the service to a network side, wherein the random number is information updated every time an HTTP connection is established.
  21. The method according to claim 20, wherein the random number is a number that can change at different times and/or different locations.
  22. The method according to claim 21, wherein the method further comprises:
    when the service data stream transmission ends and the HTTP connection is disconnected, sending a PDU session modification request to the network side, wherein the PDU session modification request carries the identifier of the service.
  23. The method according to claim 21, wherein after obtaining the public key corresponding to the service and the random number from the server side, the method further comprises:
    calculating a first result based on the random number and the public key.
  24. The method according to claim 23, wherein, when sending the random number and the identifier of the service to the network side, the method further comprises:
    sending a first result corresponding to the identifier of the service to the network side.
  25. A network device, comprising:
    a first communication unit, configured to obtain a public key and/or an application identification request message corresponding to a service from a server side.
  26. The network device according to claim 25, wherein the network device further comprises:
    a first processing unit, configured to verify the data stream of the service based on the public key, a random number and an identifier of the service;
    the first communication unit is further configured to receive the random number and the identifier of the service sent by a user equipment UE, wherein the random number is information updated every time an HTTP connection is established.
  27. The network device according to claim 26, wherein the random number is a number that can change at different times and/or different locations.
  28. The network device according to claim 26, wherein the first processing unit is configured to generate a corresponding filter based on the service data stream, and to detect and count the data stream sent by the UE based on the filter.
  29. The network device according to claim 26, wherein the first processing unit is configured to, when the TCP connection corresponding to the HTTP connection is disconnected, confirm that the service data stream transmission of the UE has ended and delete the filter.
  30. The network device according to claim 28, wherein the first processing unit is configured to, when the service data stream transmission ends and the HTTP connection is disconnected, receive through the first communication unit a PDU session modification request sent by the UE, wherein the PDU session modification request carries the identifier of the service; and to delete the binding information of the corresponding user plane filter based on the PDU session modification request.
  31. The network device according to claim 28, wherein the first processing unit is configured to, after the service data stream transmission ends, receive a data stream deletion request sent by the server side, wherein the data stream deletion request includes at least the identifier of the service; and to delete, according to the data stream deletion request, the binding information of the user plane filter corresponding to the identifier of the service.
  32. The network device according to claim 25, wherein
    the first communication unit is configured to obtain at least one PFD corresponding to the service through a PFD exchange procedure with the server side;
    the first processing unit is configured to extract the public key from the at least one PFD corresponding to the service.
  33. The network device according to claim 26, wherein
    the first communication unit is configured to receive a first result sent by the UE and corresponding to the identifier of the service.
  34. The network device according to claim 33, wherein
    the first processing unit is configured to calculate a second result based on the random number and the public key, and, when the first result is identical to the second result, to determine that the service data stream sent by the UE is a trusted data stream.
  35. The network device according to claim 34, wherein
    the first communication unit is configured to obtain an updated public key based on a preset period.
  36. The network device according to claim 25, wherein the application identification request message includes at least one of the following: first feature information, a validity duration, and an application identifier.
  37. The network device according to claim 36, wherein the first feature information includes at least one of the following: an IP source address, an IP source port number, an IP destination address, an IP destination port number, a MAC source address, an IP source port number, a MAC destination address, a MAC destination port number, a protocol type, and a VLAN tag.
  38. The network device according to claim 36 or 37, wherein
    the first communication unit is configured to receive a request message from the server;
    the first processing unit is configured to verify the request message and, after the request message passes verification, to configure a data stream filter according to the first feature information to identify the traffic of the application data stream.
  39. The network device according to claim 38, wherein the data stream filter takes effect within the validity duration, and the data stream filter is released automatically after the validity duration ends.
  40. The network device according to claim 36, wherein
    the first communication unit is configured to receive a release request message initiated by the server;
    the first processing unit is configured to release the data filter according to the message.
  41. The network device according to claim 36, wherein the server is an application server.
  42. The network device according to claim 36, wherein the first communication unit is configured to receive an application identification request message sent by the server, wherein the application identification request message occurs during TLS handshake establishment or after the TLS handshake succeeds.
  43. The network device according to claim 32, wherein the first communication unit is configured to receive an application identification request message sent by the server after the server receives a TLS handshake completion message.
  44. A UE, comprising:
    a second communication unit, configured to obtain a public key corresponding to a service and a random number from a server side, and to send the random number and an identifier of the service to a network side, wherein the random number is information updated every time an HTTP connection is established.
  45. The UE according to claim 44, wherein the random number is a number that can change at different times and/or different locations.
  46. The UE according to claim 44, wherein the second communication unit is configured to, when the service data stream transmission ends and the HTTP connection is disconnected, send a PDU session modification request to the network side, wherein the PDU session modification request carries the identifier of the service.
  47. The UE according to claim 46, wherein the UE further comprises:
    a second processing unit, configured to calculate a first result based on the random number and the public key.
  48. The UE according to claim 47, wherein the second communication unit is configured to send a first result corresponding to the identifier of the service to the network side.
  49. A network device, comprising a processor and a memory for storing a computer program capable of running on the processor,
    wherein the processor is configured to, when running the computer program, perform the steps of the method according to any one of claims 1 to 19.
  50. A UE, comprising a processor and a memory for storing a computer program capable of running on the processor,
    wherein the processor is configured to, when running the computer program, perform the steps of the method according to any one of claims 20 to 24.
  51. A computer storage medium storing computer-executable instructions which, when executed, implement the steps of the method according to any one of claims 1 to 24.
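The exchange claimed above, as an added Python example that is not part of the patent: the UE derives a first result from a per-connection random number and the service's public key, the network device extracts the same key from a PFD, recomputes a second result and only creates a counting filter for streams whose results match (claims 4 to 11 and 20 to 24). The claims do not say how the result is derived from the random number and the public key, so the SHA-256 derivation, the service identifier "svc-1" and all class and method names are assumptions.

```python
import hashlib
import hmac
import os

def compute_result(random_number, public_key):
    # Assumed derivation; the claims only say "based on the random number and the public key".
    return hashlib.sha256(random_number + public_key).digest()

class ApplicationServer:
    # Owns the per-service public key; the UE reads it directly, the network device via a PFD.
    def __init__(self):
        self.public_key = os.urandom(32)

    def pfd(self, service_id):  # the PFD the network device obtains (claim 8)
        return {"service_id": service_id, "public_key": self.public_key}

class UE:
    def open_http_connection(self, server, service_id):
        random_number = os.urandom(16)  # fresh for every HTTP connection (claim 20)
        first = compute_result(random_number, server.public_key)  # claim 23
        return {"service_id": service_id, "random_number": random_number,
                "first_result": first}  # sent to the network side (claim 24)

class NetworkDevice:
    def __init__(self):
        self.public_keys = {}  # service id -> public key extracted from the PFD
        self.filters = {}  # service id -> user plane filter of a verified stream

    def fetch_public_key(self, server, service_id):
        self.public_keys[service_id] = server.pfd(service_id)["public_key"]

    def verify(self, msg):
        # Claims 9 and 10: recompute the result and compare it with the UE's copy.
        public_key = self.public_keys.get(msg["service_id"])
        if public_key is None:
            return False
        second = compute_result(msg["random_number"], public_key)
        if not hmac.compare_digest(second, msg["first_result"]):
            return False
        # Claim 4: a filter is created for the trusted stream and counts its packets.
        self.filters[msg["service_id"]] = {"nonce": msg["random_number"], "packets": 0}
        return True

    def on_packet(self, service_id):
        f = self.filters.get(service_id)
        if f is None:
            return False  # no verified stream behind this identifier: not counted
        f["packets"] += 1
        return True

    def release_filter(self, service_id):
        # Claims 5 to 7: TCP disconnect, PDU session modification or server deletion request.
        return self.filters.pop(service_id, None) is not None

def demo():
    server, ue, net = ApplicationServer(), UE(), NetworkDevice()
    net.fetch_public_key(server, "svc-1")  # "svc-1" is a constructed identifier
    msg = ue.open_http_connection(server, "svc-1")
    accepted = net.verify(msg)
    counted, unknown_counted = net.on_packet("svc-1"), net.on_packet("svc-9")
    msg2 = ue.open_http_connection(server, "svc-1")  # new connection, new nonce
    nonce_changed = msg2["random_number"] != msg["random_number"]
    server.public_key = os.urandom(32)  # periodic key update (claim 11); old results fail
    net.fetch_public_key(server, "svc-1")
    stale_rejected = not net.verify(msg2)
    released = net.release_filter("svc-1")
    return {"accepted": accepted, "counted": counted, "unknown_counted": unknown_counted,
            "nonce_changed": nonce_changed, "stale_rejected": stale_rejected,
            "released": released, "filters_left": len(net.filters)}
```

Because the random number changes per HTTP connection and the key is re-fetched each period, a captured (random number, first result) pair stops matching as soon as either rotates, which is the replay property the claims rely on.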
PCT/CN2018/081469 2018-01-16 2018-03-30 Data validation method, network device, ue, and computer storage medium WO2019140789A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201880037291.8A CN110710183B (en) 2018-01-16 2018-03-30 Data verification method, network equipment, UE and computer storage medium

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CNPCT/CN2018/072883 2018-01-16
PCT/CN2018/072883 WO2019140554A1 (en) 2018-01-16 2018-01-16 Data verification method, network device, user equipment and computer storage medium

Publications (1)

Publication Number Publication Date
WO2019140789A1 true WO2019140789A1 (en) 2019-07-25

Family

ID=67300906

Family Applications (2)

Application Number Title Priority Date Filing Date
PCT/CN2018/072883 WO2019140554A1 (en) 2018-01-16 2018-01-16 Data verification method, network device, user equipment and computer storage medium
PCT/CN2018/081469 WO2019140789A1 (en) 2018-01-16 2018-03-30 Data validation method, network device, ue, and computer storage medium

Family Applications Before (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/072883 WO2019140554A1 (en) 2018-01-16 2018-01-16 Data verification method, network device, user equipment and computer storage medium

Country Status (2)

Country Link
CN (1) CN110710183B (en)
WO (2) WO2019140554A1 (en)

Also Published As

Publication number Publication date
WO2019140554A1 (en) 2019-07-25
CN110710183B (en) 2021-05-04
CN110710183A (en) 2020-01-17

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18901197

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18901197

Country of ref document: EP

Kind code of ref document: A1