CN106612267B - Verification method and verification device - Google Patents

Verification method and verification device

Info

Publication number
CN106612267B
Authority
CN (China)
Prior art keywords
service, verification, enabler, integrity, service enabler
Legal status
Active
Application number
CN201510707418.0A
Other languages
Chinese (zh)
Other versions
CN106612267A (en)
Inventors
庄小君
左敏
Current Assignee
China Mobile Communications Group Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
Application filed by China Mobile Communications Group Co Ltd
Priority to CN201510707418.0A
Publication of CN106612267A
Application granted
Publication of CN106612267B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides a verification method and a verification device. The verification method comprises: receiving a first packet that includes service chain path information and verification label information; verifying, according to the verification label information and the service chain path information, whether the service path of the first packet has been tampered with, to obtain a verification result; and processing the first packet according to the verification result. The scheme ensures that packets between the user equipment and the application platform are transmitted according to service chain path information that has not been tampered with, prevents a packet from bypassing a service enabler in the selected service chain or passing through a service enabler that is not in the selected service chain, guarantees the integrity of the service chain path even in an open cloud environment, ensures that packets are forwarded and processed along the configured service path, and avoids potential security risks.

Description

A verification method and verification device

Technical field

The present invention relates to the technical field of network and information security, and in particular to a verification method and verification device for a service chain.

Background

In the prior art, to cope with the rapid growth of data traffic, multiple service enablers, such as URL filters, video optimizers and protocol optimizers, are often deployed between user equipment and application platforms in order to filter, optimize and secure data traffic, improve user experience, reduce bandwidth pressure and provide value-added services.

Within one service, the multiple service enablers that the data passes through form a service chain. Current service chains, whether composed of static service enablers or of dynamically orchestrable service function (SF) instances (which may also be called service enablers), are frequently subject to attackers tampering with the service chain rule, i.e. the traffic steering policy, so that data between the user and the application platform does not pass through a certain service enabler in the selected service chain. This degrades user experience and easily leads to potential security risks.

Figure 1 shows an attack diagram of a service chain. Specifically, the Policy and Charging Rules Function (PCRF) in the mobile access and core network domain determines the traffic steering policy between the user equipment (UE) and the application platform according to the user's subscription information, services and other information. The traffic steering policy specifies that, in the mobile service domain, data traffic needs to pass in sequence through three service enablers: the load balancer (LB), the firewall (FW) and the DPI device (the straight line in Figure 1).

However, an attacker can tamper with the traffic steering policy on the transmission path between the PCRF and the IDF, or on the transmission path from the IDF to the FW, so that data traffic between the UE and the application platform does not pass through the FW (the curved line in Figure 1), which creates security risks for the communication between the UE and the application platform.

To prevent attackers from tampering with the traffic steering policy, the prior art commonly deploys the mobile service domain as a closed network and protects the link between the mobile service domain and the mobile core network domain with a private network, so that the attacker has no entry point for tampering with the traffic steering policy, thereby avoiding the security risk.

However, with the development of cloud computing, software-defined networking (SDN) and network function virtualization (NFV), both the mobile service domain and the mobile core domain may be deployed in the cloud. An attacker can then discover the service chain through other virtual machines in the cloud or through a compromised hypervisor (the "meta" operating system of a virtual environment), and tamper with the service path of a service flow by attacking the communication links or the service enablers. In an open cloud environment it is therefore difficult to guarantee the integrity of the service chain path.

Summary of the invention

The object of the present invention is to provide a verification method and verification device to solve the technical problem in the prior art that the integrity of the service chain path is difficult to guarantee in an open cloud environment.

To achieve the above object, the present invention provides a verification method, comprising:

receiving a first packet including service chain path information and verification label information;

verifying, according to the verification label information and the service chain path information, whether the service path of the first packet has been tampered with, to obtain a verification result;

processing the first packet according to the verification result.

Preferably, the verification label information includes an integrity label and an integrity verification label; the integrity label is obtained by the traffic steering policy generator encoding the service chain path information it generated, and the integrity verification label is obtained by a service enabler in the service chain encoding its own identity;

the step of verifying, according to the verification label information and the service chain path information, whether the service path of the first packet has been tampered with includes:

verifying, according to the integrity label and the service chain path information, whether the service chain path information has been tampered with;

when the service chain path information has not been tampered with, verifying the integrity verification label to determine whether the first packet has passed through the service enablers in the corresponding service chain;

wherein the verification result that the service path of the first packet has not been tampered with is obtained only when the service chain path information has not been tampered with and the first packet has passed through the service enablers in the corresponding service chain.

Preferably, when the verification method is applied to a first service enabler and the first packet has already passed through at least one second service enabler before reaching the first service enabler,

the verification label information includes at least one second integrity verification label, the at least one second integrity verification label corresponding to the at least one second service enabler;

the step of verifying the integrity verification label to determine whether the first packet has passed through the service enablers in the corresponding service chain includes:

verifying the at least one second integrity verification label to determine whether the first packet has passed through the at least one second service enabler; or

verifying only the second integrity verification label corresponding to the second service enabler adjacent to the first service enabler, to determine whether the first packet has passed through that adjacent second service enabler.

Preferably, when the verification method is applied to a first service enabler and the first packet has already passed through at least one second service enabler before reaching the first service enabler,

the verification label information includes only the second integrity verification label corresponding to the second service enabler adjacent to the first service enabler;

the step of verifying the integrity verification label to determine whether the first packet has passed through the service enablers in the corresponding service chain includes:

verifying the second integrity verification label to determine whether the first packet has passed through the adjacent second service enabler.

Preferably, the step of processing the first packet according to the verification result includes:

when the verification result is that the service path of the first packet has not been tampered with, generating a first integrity verification label and inserting it into the first packet to obtain a second packet;

sending the second packet to the next service node, the next service node being a service enabler, a user equipment or an application platform.

Preferably, the integrity verification label is generated by the service enabler using its own private key to sign a hash value obtained by hashing its own identity together with a fresh value.

Preferably, when the verification method is applied to a user equipment or an application platform and the first packet has already passed through at least one service enabler before reaching the user equipment or application platform,

the verification label information includes at least one third integrity verification label, the at least one third integrity verification label corresponding to the at least one service enabler;

the step of verifying the integrity verification label to determine whether the first packet has passed through the service enablers in the corresponding service chain includes:

verifying the at least one third integrity verification label to determine whether the first packet has passed through the at least one service enabler.

The present invention also provides a verification device, comprising:

a receiving module, configured to receive a first packet including service chain path information and verification label information;

a verification module, configured to verify, according to the verification label information and the service chain path information, whether the service path of the first packet has been tampered with, to obtain a verification result;

a processing module, configured to process the first packet according to the verification result.

Preferably, the verification label information includes an integrity label and an integrity verification label; the integrity label is obtained by the traffic steering policy generator encoding the service chain path information it generated, and the integrity verification label is obtained by a service enabler in the service chain encoding its own identity;

the verification module includes:

a first verification module, configured to verify, according to the integrity label and the service chain path information, whether the service chain path information has been tampered with;

a second verification module, configured to verify, when the service chain path information has not been tampered with, the integrity verification label to determine whether the first packet has passed through the service enablers in the corresponding service chain;

wherein the verification result that the service path of the first packet has not been tampered with is obtained only when the service chain path information has not been tampered with and the first packet has passed through the service enablers in the corresponding service chain.

Preferably, when the verification method is applied to a first service enabler and the first packet has already passed through at least one second service enabler before reaching the first service enabler,

the verification label information includes at least one second integrity verification label, the at least one second integrity verification label corresponding to the at least one second service enabler;

the second verification module is specifically configured to:

verify the at least one second integrity verification label to determine whether the first packet has passed through the at least one second service enabler; or

verify only the second integrity verification label corresponding to the second service enabler adjacent to the first service enabler, to determine whether the first packet has passed through that adjacent second service enabler.

Preferably, when the verification method is applied to a first service enabler and the first packet has already passed through at least one second service enabler before reaching the first service enabler,

the verification label information includes only the second integrity verification label corresponding to the second service enabler adjacent to the first service enabler;

the second verification module is specifically configured to verify the second integrity verification label to determine whether the first packet has passed through the adjacent second service enabler.

Preferably, the processing module includes:

a generating module, configured to generate, when the verification result is that the service path of the first packet has not been tampered with, a first integrity verification label and insert it into the first packet to obtain a second packet;

a sending module, configured to send the second packet to the next service node, the next service node being a service enabler, a user equipment or an application platform.

Preferably, the integrity verification label is generated by the service enabler using its own private key to sign a hash value obtained by hashing its own identity together with a fresh value.

Preferably, when the verification method is applied to a user equipment or an application platform and the first packet has already passed through at least one service enabler before reaching the user equipment or application platform,

the verification label information includes at least one third integrity verification label, the at least one third integrity verification label corresponding to the at least one service enabler;

the second verification module is specifically configured to verify the at least one third integrity verification label to determine whether the first packet has passed through the at least one service enabler.

The above technical solutions of the present invention have the following beneficial effects:

The verification method of the present invention ensures that packets between the user equipment and the application platform are transmitted according to service chain path information that has not been tampered with, preventing a packet from bypassing a service enabler in the selected service chain or passing through a service enabler that is not in the selected service chain. Even in an open cloud environment, it guarantees the integrity of the service chain path, ensures that packets are forwarded and processed along the configured service path, and avoids potential security risks.

Description of the drawings

Figure 1 shows an attack diagram of a service chain in the prior art.

Figure 2 shows a flowchart of the verification method according to an embodiment of the present invention.

Figure 3 is a schematic structural diagram of the verification device according to an embodiment of the present invention.

Figure 4 shows a flowchart of the verification method according to the first preferred embodiment of the present invention.

Figure 5 shows a flowchart of the verification method according to the second preferred embodiment of the present invention.

Figure 6 shows a flowchart of the verification method according to the third preferred embodiment of the present invention.

Figure 7 shows a flowchart of the verification method according to the fourth preferred embodiment of the present invention.

Detailed description

To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, specific embodiments are described in detail below with reference to the accompanying drawings.

参见图2所述,本发明实施例提供一种验证方法,包括:Referring to FIG. 2, an embodiment of the present invention provides a verification method, including:

S201:接收包括业务链路径信息和验证标签信息的第一报文;S201: Receive a first packet including service chain path information and verification label information;

S202:根据所述验证标签信息和业务链路径信息,验证所述第一报文的业务路径是否被篡改,得到一验证结果;S202: According to the verification label information and the service chain path information, verify whether the service path of the first packet has been tampered with, and obtain a verification result;

S203:根据所述验证结果,对所述第一报文进行处理。S203: Process the first packet according to the verification result.

本发明实施例的验证方法,能够防止用户设备和应用平台之间的报文的业务路径被篡改,使其按照完整的业务链路径进行传递,即使在开放的云环境中,也能保证报文按照设定的业务路径进行转发和处理,避免潜在的安全风险。The verification method of the embodiment of the present invention can prevent the service path of the message between the user equipment and the application platform from being tampered with, so that it is transmitted according to the complete service chain path, and even in an open cloud environment, the message can be guaranteed Forwarding and processing are performed according to the set service path to avoid potential security risks.

其中,本发明实施例的验证方法主要应用于业务使能器、用户设备或应用平台。当所述验证方法应用于业务使能器时,如果验证出报文的业务路径没有被篡改,就将报文发送至下一业务节点,否则,向业务管理系统报错。当所述验证方法应用于用户设备或应用平台时,如果验证出报文的业务路径没有被篡改,就执行相应的业务请求,否则,拒绝执行相应的业务请求。Wherein, the verification method of the embodiment of the present invention is mainly applied to a service enabler, a user equipment or an application platform. When the verification method is applied to the service enabler, if it is verified that the service path of the message has not been tampered with, the message is sent to the next service node, otherwise, an error is reported to the service management system. When the verification method is applied to the user equipment or the application platform, if it is verified that the service path of the message has not been tampered with, the corresponding service request is executed; otherwise, the execution of the corresponding service request is refused.

所述报文是用户设备和应用平台之间通信的报文,可以是用户设备到应用平台的上行报文,也可以是应用平台到的用户设备上行报文,本发明不对其进行限制。所述业务链路径信息是流量引导策略产生者,例如PCRF或service orchestration,翻译由其产生的流量引导策略而成的,用于引导用户设备和应用平台之间的报文的传递。The message is a message communicated between the user equipment and the application platform, and may be an uplink message from the user equipment to the application platform, or may be an uplink message from the application platform to the user equipment, which is not limited in the present invention. The service chain path information is obtained by a traffic steering policy generator, such as PCRF or service orchestration, by translating the traffic steering policy generated by it, and is used to guide the transmission of packets between the user equipment and the application platform.

实际应用中,攻击者可以通过篡改业务链路径信息,改变用户设备和应用平台之间的报文的业务路径,也可以在不篡改业务链路径信息的情况下,通过攻击业务链或业务链中的业务使能器,使报文不经过选定的业务链中的某个业务使能器或者经过不在选定的业务链中的某个业务使能器,实现对业务路径的篡改。In practical applications, an attacker can change the service path of packets between the user equipment and the application platform by tampering with the service chain path information, or attack the service chain or service chain without tampering with the service chain path information. The service enabler is selected, so that the message does not pass through a service enabler in the selected service chain or through a service enabler that is not in the selected service chain, so as to tamper with the service path.

例如,用户设备和应用平台之间的报文,按照其内的业务链路径信息需要传递到防火墙FW,攻击者可以通过攻击所述FW,使得所述报文虽然传递到FW,但FW并未对所述报文进行相应的处理,即不经过FW。For example, the packets between the user equipment and the application platform need to be transmitted to the firewall FW according to the service chain path information in them. An attacker can attack the FW so that although the packets are transmitted to the FW, the FW does not Corresponding processing is performed on the packet, that is, it does not pass through the FW.

为了避免对报文的业务路径的篡改,本发明实施例引入了由流量引导策略产生者生成的完整性标签和由业务使能器生成的完整性验证标签,通过验证机制,保证业务链路径的完整性。In order to avoid tampering with the service path of the packet, the embodiment of the present invention introduces an integrity label generated by a traffic steering policy generator and an integrity verification label generated by a service enabler. Through the verification mechanism, the service chain path is ensured. completeness.

具体的,本发明实施例中,所述验证标签信息包括完整性标签和完整性验证标签,所述完整性标签是流量引导策略产生者对其产生的业务链路径信息进行编码得到,所述完整性验证标签是业务链中的业务使能器对其身份标识进行编码得到;Specifically, in this embodiment of the present invention, the verification label information includes an integrity label and an integrity verification label, and the integrity label is obtained by encoding the service chain path information generated by the traffic steering policy generator. The identity verification label is obtained by encoding the identity of the service enabler in the service chain;

所述根据所述验证标签信息和业务链路径信息,验证所述第一报文的业务路径是否被篡改的步骤包括:The step of verifying whether the service path of the first packet has been tampered with according to the verification label information and the service chain path information includes:

根据所述完整性标签和业务链路径信息,验证所述业务链路径信息是否被篡改;Verifying whether the service chain path information has been tampered with according to the integrity label and the service chain path information;

在所述业务链路径信息没有被篡改的情况下,验证所述完整性验证标签,确定所述第一报文是否经过对应的业务链中的业务使能器;In the case that the service chain path information has not been tampered with, verifying the integrity verification label, and determining whether the first packet passes through the service enabler in the corresponding service chain;

其中,只有在所述业务链路径信息没有被篡改且所述第一报文经过对应的业务链中的业务使能器时,才能得到所述第一报文的业务路径没有被篡改的验证结果。The verification result that the service path of the first packet has not been tampered can be obtained only when the service chain path information has not been tampered with and the first packet has passed through the service enabler in the corresponding service chain. .

这样,不仅能够防止业务链路径信息被篡改,也能够防止用户设备和应用平台之间的报文不经过选定的业务链中的某个业务使能器或者经过不在选定的业务链中的某个业务使能器,保证业务链路径的完整性。In this way, it can not only prevent the service chain path information from being tampered with, but also prevent the packets between the user equipment and the application platform from not passing through a service enabler in the selected service chain or passing through a service enabler that is not in the selected service chain. A service enabler to ensure the integrity of the service chain path.

具体的,所述完整性标签例如是所述流量引导策略产生者利用其的私钥,对由其生成的业务链路径信息和一新鲜值(可以是随机数N)进行哈希运算得到的哈希hash值,进行签名生成的。也可以是所述流量引导策略产生者使用HMAC(密钥相关的哈希运算消息认证码),对其生成的业务链路径信息进行编码得到,以对所述业务链路径信息进行完整性保护,但本发明不对其进行限制,只要能够实现对业务链路径信息的完整性保护即可。Specifically, the integrity label is, for example, obtained by the traffic steering policy generator using its private key to perform a hash operation on the service chain path information generated by it and a fresh value (which can be a random number N). The hash value is generated by signature. It can also be that the traffic steering policy generator uses HMAC (key-related hash operation message authentication code) to encode the service chain path information generated by it, so as to perform integrity protection on the service chain path information, However, the present invention does not limit it, as long as the integrity protection of the service chain path information can be realized.

举例来说,流量引导策略产生者PCRF产生的业务链路径信息为“SF1SF2SF3”,新鲜值为“8”,哈希运算的函数为f(x),则利用f(x)对“SF1SF2SF3”和“8”进行哈希运算,得到(SF1SF2SF3,8)的hash值,并利用自身私钥对所述hash值进行签名,得到与“SF1SF2SF3”对应的完整性标签。For example, the service chain path information generated by the traffic steering policy generator PCRF is "SF1SF2SF3", the fresh value is "8", and the hash operation function is f(x). Perform hash operation on "8" to obtain the hash value of (SF1SF2SF3, 8), and use its own private key to sign the hash value to obtain an integrity label corresponding to "SF1SF2SF3".

In this case, verifying whether the service chain path information has been tampered with, based on the integrity label and the service chain path information, consists mainly of: decrypting the integrity label with the public key to obtain one hash value, applying f(x) to the received service chain path information and the fresh value to obtain another hash value, and comparing the two hash values; if the two hash values are equal, the service chain path information has not been tampered with, otherwise it has.

It should be noted that the f(x) or the fresh value used in the above verification process may be obtained through message transmission or may be pre-configured; the present invention does not limit this, as long as the verification purpose of the present invention can be achieved.

The integrity verification label is, for example, generated by the service enabler signing, with its own private key, the hash value obtained by hashing its own identity identifier together with a fresh value.

The integrity verification label is verified as follows: the next service node after the service enabler decrypts the integrity verification label with the public key to obtain one hash value, applies the same function to the received identity identifier and fresh value to obtain another hash value, and compares the two hash values; if they are equal, it is determined that the message passed through the corresponding service enabler, otherwise it did not. The identity identifier and the fresh value are, for example, carried by insertion into the message, in the same way as the integrity verification label.

It should be noted that the identity identifier of the service enabler may be a network-wide unique identifier assigned to the service enabler by a telecommunications operator or service provider, or a network-wide unique identifier pre-configured on the relevant service enabler.

Specifically, in an embodiment of the present invention, when the verification method is applied to a first service enabler and the first message has already passed through at least one second service enabler before reaching the first service enabler, the verification label information includes at least one second integrity verification label, corresponding to the at least one second service enabler;

the step of verifying the integrity verification label and determining whether the first message passed through the service enabler in the corresponding service chain includes:

verifying the at least one second integrity verification label and determining whether the first message passed through the at least one second service enabler.

In this way, it can be ensured that the message passed through the service enablers it was required to pass through, preventing an attacker from altering the actual service path of the message by attacking the service chain or a service enabler.

Specifically, when the service chain path is particularly long, if a service enabler near the end of the service chain has to verify the integrity verification labels of every service enabler ahead of it, this places a certain load on those later service enablers. To reduce this load, in an embodiment of the present invention a service enabler may verify only the integrity verification label corresponding to its adjacent service enabler.

Based on the above, in an embodiment of the present invention, when the verification method is applied to the first service enabler and the first message has already passed through at least one second service enabler before reaching the first service enabler, the verification label information includes at least one second integrity verification label, corresponding to the at least one second service enabler;

the step of verifying the integrity verification label and determining whether the first message passed through the service enabler in the corresponding service chain includes:

verifying only the second integrity verification label corresponding to the second service enabler adjacent to the first service enabler, and determining whether the first message passed through that adjacent second service enabler, so as to reduce the verification burden on some service enablers.

In addition, when the service chain path is particularly long, inserting an integrity verification label into the message between the user equipment and the application platform at every service enabler it passes through affects the length of the message. To avoid overly long messages between the user equipment and the application platform, an embodiment of the present invention uses the integrity verification label generated by the current service enabler to replace, in the message, the integrity verification label of the service enabler adjacent to the current one; that is, the verification label information contains only one integrity verification label.

That is, in an embodiment of the present invention, when the verification method is applied to the first service enabler and the first message has already passed through at least one second service enabler before reaching the first service enabler, the verification label information includes only the second integrity verification label corresponding to the second service enabler adjacent to the first service enabler;

the step of verifying the integrity verification label and determining whether the first message passed through the service enabler in the corresponding service chain includes:

verifying the second integrity verification label and determining whether the first message passed through the adjacent second service enabler.

In an embodiment of the present invention, the step of processing the first message according to the verification result includes:

when the verification result is that the service path of the first message has not been tampered with, generating a first integrity verification label and inserting it into the first message to obtain a second message;

sending the second message to the next service node, where the next service node is a service enabler, the user equipment or the application platform.

In this way, complete verification of the service path of the message can be achieved.

In an embodiment of the present invention, to reduce the workload of the service enablers in the service chain, the service enablers may also be configured to be responsible only for inserting integrity verification labels, with all verification work performed by the user equipment or the application platform.

Specifically, when the verification method is applied to the user equipment or the application platform and the first message has already passed through at least one service enabler before reaching the user equipment or application platform, the verification label information includes at least one third integrity verification label, corresponding to the at least one service enabler;

the step of verifying the integrity verification label and determining whether the first message passed through the service enabler in the corresponding service chain includes:

verifying the at least one third integrity verification label and determining whether the first message passed through the at least one service enabler.

It should be noted that the first, second and third integrity verification labels, like the integrity verification label described above, are all generated by service enablers in the service chain in order to verify the actual service path of the message.

The public and private keys used in the verification process may be configured in the following ways, although the present invention is not limited to them:

(1) the telecommunications operator generates the public-private key pairs and configures the private keys on the traffic steering policy generator or the service enablers (i.e. the SFs) respectively, while configuring the public keys on the user equipment, the application platform and the service enablers;

(2) the traffic steering policy generator or the service enabler generates its own public-private key pair and keeps the private key on its own device; the telecommunications operator obtains the public keys and configures them on the user equipment, the application platform and the service enablers;

(3) when the public key is carried in a certificate, the traffic steering policy generator or the service enabler generates its own public-private key pair, applies to a CA for a certificate, and sends its public key certificate to the next service node together with the integrity verification label; the user equipment, the application platform and the service enablers can be pre-configured with the root certificates of these certificates, which are used to verify the validity of a certificate, after which the public key is extracted from the certificate and used to verify the validity of the integrity label; the revocation status of a certificate can be queried through a CRL (Certificate Revocation List) or OCSP (Online Certificate Status Protocol).

Referring to FIG. 3, an embodiment of the present invention further provides a verification apparatus corresponding to the verification method shown in FIG. 2. The verification apparatus includes:

a receiving module 31, configured to receive a first message including service chain path information and verification label information;

a verification module 32, configured to verify, according to the verification label information and the service chain path information, whether the service path of the first message has been tampered with, and to obtain a verification result;

a processing module 33, configured to process the first message according to the verification result.

The verification apparatus of the embodiment of the present invention can prevent the service path of messages between the user equipment and the application platform from being tampered with, so that messages are delivered along the complete service chain path; even in an open cloud environment, it can ensure that messages are forwarded and processed along the configured service path, avoiding potential security risks.

In practice, an attacker can change the service path of messages between the user equipment and the application platform by tampering with the service chain path information, or, without tampering with that information, by attacking the service chain or a service enabler in it, so that a message bypasses a service enabler in the selected service chain or passes through a service enabler that is not in the selected service chain, thereby altering the service path.

To prevent tampering with the service path of messages, the embodiment of the present invention introduces an integrity label generated by the traffic steering policy generator and integrity verification labels generated by the service enablers, and ensures the integrity of the service chain path through a verification mechanism.

Specifically, in an embodiment of the present invention, the verification label information includes an integrity label and an integrity verification label; the integrity label is obtained by the traffic steering policy generator encoding the service chain path information it generates, and the integrity verification label is obtained by a service enabler in the service chain encoding its identity identifier;

the verification module includes:

a first verification module, configured to verify, according to the integrity label and the service chain path information, whether the service chain path information has been tampered with;

a second verification module, configured to verify the integrity verification label when the service chain path information has not been tampered with, and to determine whether the first message passed through the service enabler in the corresponding service chain;

where the verification result that the service path of the first message has not been tampered with is obtained only when the service chain path information has not been tampered with and the first message passed through the service enabler in the corresponding service chain.

In this way, not only can tampering with the service chain path information be prevented, but messages between the user equipment and the application platform can also be prevented from bypassing a service enabler in the selected service chain or passing through a service enabler outside it, ensuring the integrity of the service chain path.

Specifically, the integrity verification label is generated by the service enabler signing, with its own private key, the hash value obtained by hashing its own identity identifier together with a fresh value.

Specifically, in an embodiment of the present invention, when the verification method is applied to a first service enabler and the first message has already passed through at least one second service enabler before reaching the first service enabler, the verification label information includes at least one second integrity verification label, corresponding to the at least one second service enabler;

the second verification module is specifically configured to:

verify the at least one second integrity verification label and determine whether the first message passed through the at least one second service enabler.

In this way, it can be ensured that the message passed through the service enablers it was required to pass through, preventing an attacker from altering the actual service path of the message by attacking the service chain or a service enabler.

In addition, when the verification method is applied to the first service enabler and the first message has already passed through at least one second service enabler before reaching the first service enabler, the verification label information includes at least one second integrity verification label, corresponding to the at least one second service enabler;

the second verification module is specifically configured to verify only the second integrity verification label corresponding to the second service enabler adjacent to the first service enabler, and to determine whether the first message passed through that adjacent second service enabler, so as to reduce the verification burden on some service enablers.

When the service chain path is particularly long, inserting an integrity verification label into the message between the user equipment and the application platform at every service enabler it passes through affects the length of the message. To avoid overly long messages between the user equipment and the application platform, an embodiment of the present invention uses the integrity verification label generated by the current service enabler to replace, in the message, the integrity verification label of the service enabler adjacent to the current one; that is, the verification label information contains only one integrity verification label.

Based on the above, in an embodiment of the present invention, when the verification method is applied to the first service enabler and the first message has already passed through at least one second service enabler before reaching the first service enabler,

the verification label information includes only the second integrity verification label corresponding to the second service enabler adjacent to the first service enabler;

the second verification module is specifically configured to verify the second integrity verification label and to determine whether the first message passed through the adjacent second service enabler.

Specifically, the processing module includes:

a generating module, configured to generate a first integrity verification label and insert it into the first message to obtain a second message when the verification result is that the service path of the first message has not been tampered with;

a sending module, configured to send the second message to the next service node, where the next service node is a service enabler, the user equipment or the application platform.

In an embodiment of the present invention, to reduce the workload of the service enablers in the service chain, the service enablers may also be configured to be responsible only for inserting integrity verification labels, with all verification work performed by the user equipment or the application platform.

Specifically, when the verification method is applied to the user equipment or the application platform and the first message has already passed through at least one service enabler before reaching the user equipment or application platform,

the verification label information includes at least one third integrity verification label, corresponding to the at least one service enabler;

the second verification module is specifically configured to verify the at least one third integrity verification label and to determine whether the first message passed through the at least one service enabler.

To aid understanding of the implementation of the above embodiments, the following preferred embodiments further describe the verification method provided by the embodiments of the present invention with reference to FIG. 4 to FIG. 7.

FIG. 4 is a flowchart of the verification method according to the first preferred embodiment of the present invention. Referring to FIG. 4, the verification method includes:

S401: the traffic steering policy generator PCRF generates a traffic steering policy, translates it into service chain path information, and generates an integrity label;

S402: the PCRF transmits, via the TDF, a traffic message including the service chain path information and the integrity label to service enabler 1 (i.e. SF1);

S403: SF1 verifies the integrity of the service chain path information and, if the service chain path information is intact, inserts integrity verification label 1 into the traffic message;

S404: SF1 transmits, via the switch, the traffic message including the service chain path information, the integrity label and integrity verification label 1 to SF2;

S405: SF2 verifies the integrity of the service chain path information and integrity verification label 1 and, if the service chain path information is intact and integrity verification label 1 is valid, inserts integrity verification label 2 into the traffic message;

S406: SF2 transmits, via the switch, the traffic message including the service chain path information, the integrity label, integrity verification label 1 and integrity verification label 2 to SF3;

S407: SF3 verifies the integrity of the service chain path information, integrity verification label 1 and integrity verification label 2 and, if the service chain path information is intact and integrity verification labels 1 and 2 are valid, inserts integrity verification label 3 into the traffic message; ...

Subsequent service enablers proceed in the same way. The last service node, the user equipment or the application platform, confirms the processing of the traffic and executes it according to its own requirements.

FIG. 5 is a flowchart of the verification method according to the second preferred embodiment of the present invention. Referring to FIG. 5, the verification method includes:

S501: the PCRF generates a traffic steering policy, translates it into service chain path information, and generates an integrity label;

S502: the PCRF transmits, via the TDF, a traffic message including the service chain path information and the integrity label to SF1;

S503: SF1 verifies the integrity of the service chain path information and, if the service chain path information is intact, inserts integrity verification label 1 into the traffic message;

S504: SF1 transmits, via the switch, the traffic message including the service chain path information, the integrity label and integrity verification label 1 to SF2;

S505: SF2 verifies the integrity of the service chain path information and integrity verification label 1 and, if the service chain path information is intact and integrity verification label 1 is valid, inserts integrity verification label 2 into the traffic message;

S506: SF2 transmits, via the switch, the traffic message including the service chain path information, the integrity label, integrity verification label 1 and integrity verification label 2 to SF3;

S507: SF3 verifies the integrity of the service chain path information and integrity verification label 2 and, if the service chain path information is intact and integrity verification label 2 is valid, inserts integrity verification label 3 into the traffic message;

...

Subsequent service enablers proceed in the same way. The last service node, the user equipment or the application platform, confirms the processing of the traffic and executes it according to its own requirements.

Compared with the first preferred embodiment described above, the second preferred embodiment reduces the workload of the service enablers near the end of the service chain.

FIG. 6 is a flowchart of the verification method according to the third preferred embodiment of the present invention. Referring to FIG. 6, the verification method includes:

S601: the PCRF generates a traffic steering policy, translates it into service chain path information, and generates an integrity label;

S602: the PCRF transmits, via the TDF, a traffic message including the service chain path information and the integrity label to SF1;

S603: SF1 verifies the integrity of the service chain path information and, if the service chain path information is intact, inserts integrity verification label 1 into the traffic message;

S604: SF1 transmits, via the switch, the traffic message including the service chain path information, the integrity label and integrity verification label 1 to SF2;

S605: SF2 verifies the integrity of the service chain path information and integrity verification label 1 and, if the service chain path information is intact and integrity verification label 1 is valid, replaces integrity verification label 1 with integrity verification label 2, thereby inserting integrity verification label 2 into the traffic message;

S606: SF2 transmits, via the switch, the traffic message including the service chain path information, the integrity label and integrity verification label 2 to SF3;

S607: SF3 verifies the integrity of the service chain path information and integrity verification label 2 and, if the service chain path information is intact and integrity verification label 2 is valid, replaces integrity verification label 2 with integrity verification label 3, thereby inserting integrity verification label 3 into the traffic message;

...

Subsequent service enablers proceed in the same way. The last service node, the user equipment or the application platform, confirms the processing of the traffic and executes it according to its own requirements.

Compared with the first or second preferred embodiment, the third preferred embodiment prevents the traffic messages between the user equipment and the application platform from becoming too long, avoiding the adverse effects this would have.

FIG. 7 is a flowchart of the verification method according to the fourth preferred embodiment of the present invention. Referring to FIG. 7, the verification method includes:

S701: the PCRF generates a traffic steering policy, translates it into service chain path information, and generates an integrity label;

S702: the PCRF transmits, via the TDF, a traffic message including the service chain path information and the integrity label to SF1;

S703: SF1 inserts integrity verification label 1 into the traffic message;

S704: SF1 transmits, via the switch, the traffic message including the service chain path information, the integrity label and integrity verification label 1 to SF2;

S705: SF2 inserts integrity verification label 2 into the traffic message;

S706: SF2 transmits, via the switch, the traffic message including the service chain path information, the integrity label, integrity verification label 1 and integrity verification label 2 to SF3;

... (subsequent service enablers proceed in the same way)

S707: the user equipment UE or the application platform verifies the integrity of the service chain path information and integrity verification labels 1, 2, ... and, if the service chain path information is intact and integrity verification labels 1, 2, ... are valid, performs the requested service.

Compared with the first, second or third preferred embodiment, the fourth preferred embodiment reduces the workload of the service enablers in the service chain and improves service speed.
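The two-step check described earlier (integrity label over the path information, then one integrity verification label per service enabler) and the four flows of FIG. 4 to FIG. 7, run end to end as an added example that is not the patent's own code. Names such as `sf_process`, `run_chain`, the `->` path encoding, the 16-byte nonces and the toy textbook-RSA signature are assumptions made for this illustration, not specifics of the patent.

```python
"""Toy model of the path verification described above (added example, not the
patent's code). Assumptions not in the patent: textbook RSA over a SHA-256 digest
stands in for "sign the hash with the private key" (a deployment would use RSA-PSS
or ECDSA), path information is a '->' list of SF identities, fresh values are 16-byte nonces."""
import hashlib
import secrets
from dataclasses import dataclass, field

def _is_probable_prime(n, rounds=24):
    """Miller-Rabin for a large odd candidate; toy key generation only."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_keypair(bits=320):
    """Return ((n, e), (n, d)); n exceeds 2**256 so a SHA-256 digest fits below it."""
    e, primes = 65537, []
    while len(primes) < 2:
        cand = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1  # full width, odd
        if _is_probable_prime(cand) and (cand - 1) % e and cand not in primes:
            primes.append(cand)
    n, phi = primes[0] * primes[1], (primes[0] - 1) * (primes[1] - 1)
    return (n, e), (n, pow(e, -1, phi))

def f(*parts):
    """The hash function f(x) of the description: SHA-256 over the joined parts."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")

def sign(priv, digest):
    return pow(digest, priv[1], priv[0])

def verify(pub, sig, digest):
    """'Decrypt' the label with the public key and compare with the recomputed hash."""
    return pow(sig, pub[1], pub[0]) == digest

@dataclass
class Packet:
    path_info: str        # e.g. "SF1->SF2->SF3", produced by the PCRF
    path_nonce: bytes     # fresh value for the integrity label
    integrity_label: int  # PCRF signature over f(path_info, path_nonce)
    labels: list = field(default_factory=list)  # (sf_id, nonce, signature) tuples

def pcrf_build_packet(pcrf_priv, chain):
    path_info, nonce = "->".join(chain), secrets.token_bytes(16)
    return Packet(path_info, nonce, sign(pcrf_priv, f(path_info.encode(), nonce)))

def path_intact(pkt, pcrf_pub):
    """First check: was the service chain path information altered in transit?"""
    return verify(pcrf_pub, pkt.integrity_label, f(pkt.path_info.encode(), pkt.path_nonce))

def labels_valid(expected, labels, pubkeys):
    """Second check: each expected SF must have left a label under its own key, in order."""
    if [sf_id for sf_id, _, _ in labels] != expected:
        return False
    return all(verify(pubkeys[sf_id], sig, f(sf_id.encode(), nonce)) for sf_id, nonce, sig in labels)

def sf_process(pkt, sf_id, sf_priv, pubkeys, mode="all"):
    """Handling at one SF. mode: 'all' verifies every predecessor label (FIG. 4),
    'adjacent' only the preceding one (FIG. 5), 'replace' overwrites the single
    carried label (FIG. 6), 'insert_only' leaves checks to the endpoint (FIG. 7)."""
    chain = pkt.path_info.split("->")
    if mode != "insert_only":
        if not path_intact(pkt, pubkeys["PCRF"]) or sf_id not in chain:
            return False
        before = chain[: chain.index(sf_id)]
        expected = before if mode == "all" else before[-1:]
        have = pkt.labels[-1:] if mode == "adjacent" else pkt.labels
        if not labels_valid(expected, have, pubkeys):
            return False
    nonce = secrets.token_bytes(16)
    label = (sf_id, nonce, sign(sf_priv, f(sf_id.encode(), nonce)))
    pkt.labels = [label] if mode == "replace" else pkt.labels + [label]
    return True

def endpoint_verify(pkt, pubkeys, single_label=False):
    chain = pkt.path_info.split("->")
    expected = chain[-1:] if single_label else chain
    return path_intact(pkt, pubkeys["PCRF"]) and labels_valid(expected, pkt.labels, pubkeys)

def run_chain(chain, visited, mode="all", tamper_path=None):
    """Constructed scenario: the PCRF plans `chain`, the message actually visits
    `visited`. Returns (every visited SF accepted, endpoint accepted)."""
    keys = {name: gen_keypair() for name in ["PCRF"] + chain + visited}
    pubkeys = {name: pub for name, (pub, _) in keys.items()}
    pkt = pcrf_build_packet(keys["PCRF"][1], chain)
    if tamper_path is not None:
        pkt.path_info = tamper_path  # attacker rewrites the path; the label no longer matches
    sf_ok = all(sf_process(pkt, sf, keys[sf][1], pubkeys, mode) for sf in visited)
    return sf_ok, endpoint_verify(pkt, pubkeys, single_label=(mode == "replace"))
```

A skipped service enabler is caught at the next SF in the first three modes and only at the UE or application platform in the fourth, which is the trade-off between the embodiments that the description draws.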

The above are only preferred embodiments of the present invention. It should be noted that those of ordinary skill in the art may make several improvements and refinements without departing from the principles of the present invention, and such improvements and refinements shall also be regarded as falling within the scope of protection of the present invention.

Claims (12)

1. An authentication method, comprising:
receiving a first packet comprising service chain path information and verification tag information;
verifying, according to the verification tag information and the service chain path information, whether the service path of the first packet has been tampered with, to obtain a verification result; and
processing the first packet according to the verification result;
wherein the verification tag information comprises an integrity tag and an integrity verification tag, the integrity tag being obtained by encoding the service chain path information generated by a service steering policy generator, and the integrity verification tag being obtained by encoding the identity of a service enabler in the service chain; and
the step of verifying, according to the verification tag information and the service chain path information, whether the service path of the first packet has been tampered with comprises:
verifying, according to the integrity tag and the service chain path information, whether the service chain path information has been tampered with;
if the service chain path information has not been tampered with, verifying the integrity verification tag and determining whether the first packet has passed through the service enabler in the corresponding service chain; and
obtaining a verification result that the service path of the first packet has not been tampered with only when the service chain path information has not been tampered with and the first packet has passed through the service enabler in the corresponding service chain.
2. The authentication method according to claim 1, characterized in that, when the authentication method is applied to a first service enabler and the first packet has passed through at least one second service enabler before reaching the first service enabler,
the verification tag information comprises at least one second integrity verification tag corresponding to the at least one second service enabler; and
the step of verifying the integrity verification tag and determining whether the first packet has passed through the service enabler in the corresponding service chain comprises:
verifying the at least one second integrity verification tag and determining whether the first packet has passed through the at least one second service enabler; or
verifying only the second integrity verification tag corresponding to the second service enabler adjacent to the first service enabler and determining whether the first packet has passed through that adjacent second service enabler.
3. The authentication method according to claim 1, characterized in that, when the authentication method is applied to a first service enabler and the first packet has passed through at least one second service enabler before reaching the first service enabler,
the verification tag information includes only a second integrity verification tag corresponding to the second service enabler adjacent to the first service enabler; and
the step of verifying the integrity verification tag and determining whether the first packet has passed through the service enabler in the corresponding service chain comprises:
verifying the second integrity verification tag and determining whether the first packet has passed through the adjacent second service enabler.
4. The authentication method according to claim 2 or 3, wherein the step of processing the first packet according to the verification result comprises:
when the verification result is that the service path of the first packet has not been tampered with, generating a first integrity verification tag and inserting it into the first packet to obtain a second packet; and
sending the second packet to a next service node, the next service node being a service enabler, a user equipment or an application platform.
5. The authentication method according to claim 1, wherein the integrity verification tag is generated by the service enabler signing, with its own private key, a hash value obtained by hashing a fresh value (nonce) together with its own identity.
6. The authentication method according to claim 1, wherein, when the authentication method is applied to a user equipment or an application platform and the first packet has passed through at least one service enabler before reaching the user equipment or the application platform,
the verification tag information comprises at least one third integrity verification tag corresponding to the at least one service enabler; and
the step of verifying the integrity verification tag and determining whether the first packet has passed through the service enabler in the corresponding service chain comprises:
verifying the at least one third integrity verification tag and determining whether the first packet has passed through the at least one service enabler.
7. An authentication apparatus, comprising:
a receiving module, configured to receive a first packet comprising service chain path information and verification tag information;
a verification module, configured to verify, according to the verification tag information and the service chain path information, whether the service path of the first packet has been tampered with, to obtain a verification result; and
a processing module, configured to process the first packet according to the verification result;
wherein the verification tag information comprises an integrity tag and an integrity verification tag, the integrity tag being obtained by encoding the service chain path information generated by a service steering policy generator, and the integrity verification tag being obtained by encoding the identity of a service enabler in the service chain; and
the verification module comprises:
a first verification module, configured to verify, according to the integrity tag and the service chain path information, whether the service chain path information has been tampered with; and
a second verification module, configured to, if the service chain path information has not been tampered with, verify the integrity verification tag and determine whether the first packet has passed through the service enabler in the corresponding service chain;
a verification result that the service path of the first packet has not been tampered with being obtained only when the service chain path information has not been tampered with and the first packet has passed through the service enabler in the corresponding service chain.
8. The authentication apparatus according to claim 7, wherein, when the authentication apparatus is applied to a first service enabler and the first packet has passed through at least one second service enabler before reaching the first service enabler,
the verification tag information comprises at least one second integrity verification tag corresponding to the at least one second service enabler; and
the second verification module is specifically configured to:
verify the at least one second integrity verification tag and determine whether the first packet has passed through the at least one second service enabler; or
verify only the second integrity verification tag corresponding to the second service enabler adjacent to the first service enabler and determine whether the first packet has passed through that adjacent second service enabler.
9. The authentication apparatus according to claim 7, wherein, when the authentication apparatus is applied to a first service enabler and the first packet has passed through at least one second service enabler before reaching the first service enabler,
the verification tag information includes only a second integrity verification tag corresponding to the second service enabler adjacent to the first service enabler; and
the second verification module is specifically configured to verify the second integrity verification tag and determine whether the first packet has passed through the adjacent second service enabler.
10. The authentication apparatus according to claim 8 or 9, wherein the processing module comprises:
a generating module, configured to, when the verification result is that the service path of the first packet has not been tampered with, generate a first integrity verification tag and insert it into the first packet to obtain a second packet; and
a sending module, configured to send the second packet to a next service node, the next service node being a service enabler, a user equipment or an application platform.
11. The authentication apparatus according to claim 7, wherein the integrity verification tag is generated by the service enabler signing, with its own private key, a hash value obtained by hashing a fresh value (nonce) together with its own identity.
12. The authentication apparatus according to claim 7, wherein, when the authentication apparatus is applied to a user equipment or an application platform and the first packet has passed through at least one service enabler before reaching the user equipment or the application platform,
the verification tag information comprises at least one third integrity verification tag corresponding to the at least one service enabler; and
the second verification module is specifically configured to verify the at least one third integrity verification tag and determine whether the first packet has passed through the at least one service enabler.
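The verification flow of claims 1 to 6 (and of step S707 above), as an added worked example in Python; it is not code from the patent or from China Mobile. It assumes a policy generator and three service enablers with constructed names (`fw`, `dpi`, `nat`), an HMAC under a key shared by the generator and every verifier as the "encoding" of the path information into the integrity tag (the claims do not fix the encoding), and a per-enabler HMAC over hash(nonce || enabler id) standing in for the private-key signature of claim 5; replacing that stand-in with a real signature scheme touches only `_ivt` and `_tag_valid`. It goes slightly beyond the claims by driving a packet along the whole chain and exercising the failure modes the check is meant to catch: an enabler bypassed mid-chain, an enabler bypassed at the end, and path information edited in transit.

```python
"""Service chain path verification modelled on claims 1 to 6 of CN106612267B.

Added illustration, not code from the patent or from China Mobile. Assumptions:
the integrity tag over the path information is an HMAC under a key shared by the
policy generator and every verifier (the claims only say "encoding"); the
per-enabler integrity verification tag is an HMAC keyed per enabler, a stand-in
for the private-key signature over hash(fresh value || enabler id) of claim 5.
"""
import hashlib
import hmac
import json
import secrets

# Constructed demo keys. With real signatures each enabler would hold a private
# key and every verifier its public key; HMAC keeps the example stdlib-only.
POLICY_KEY = b"policy-generator-key"
ENABLER_KEYS = {"fw": b"fw-key", "dpi": b"dpi-key", "nat": b"nat-key"}


def _canonical(path, nonce):
    """Deterministic byte encoding of the path information that gets tagged."""
    return json.dumps({"path": list(path), "nonce": nonce}, sort_keys=True).encode()


def issue_path_info(path, nonce=None):
    """Policy generator: service chain path information plus the integrity tag of claim 1."""
    nonce = nonce or secrets.token_hex(8)
    tag = hmac.new(POLICY_KEY, _canonical(path, nonce), hashlib.sha256).hexdigest()
    return {"path": list(path), "nonce": nonce, "integrity_tag": tag, "ivt": {}}


def _ivt(enabler_id, nonce):
    """Integrity verification tag: keyed MAC over hash(nonce || enabler id)."""
    digest = hashlib.sha256(f"{nonce}|{enabler_id}".encode()).digest()
    return hmac.new(ENABLER_KEYS[enabler_id], digest, hashlib.sha256).hexdigest()


def path_info_intact(msg):
    """First verification step: path information unchanged since the generator issued it."""
    expected = hmac.new(POLICY_KEY, _canonical(msg["path"], msg["nonce"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["integrity_tag"])


def _tag_valid(msg, enabler_id):
    """Does the packet carry a valid tag from the given enabler for this nonce?"""
    tag = msg["ivt"].get(enabler_id)
    if tag is None or enabler_id not in ENABLER_KEYS:
        return False
    return hmac.compare_digest(tag, _ivt(enabler_id, msg["nonce"]))


def verify_at_enabler(msg, me, mode="all"):
    """Claims 1 to 3 at a service enabler: path information first, then predecessors' tags.

    mode="all" checks every earlier enabler (claim 2, first alternative);
    mode="adjacent" checks only the immediately preceding one (claims 2 and 3).
    """
    if not path_info_intact(msg) or me not in msg["path"]:
        return False
    predecessors = msg["path"][: msg["path"].index(me)]
    to_check = predecessors if mode == "all" else predecessors[-1:]
    return all(_tag_valid(msg, prev) for prev in to_check)


def process_at_enabler(msg, me, mode="all"):
    """Claim 4: on a clean result insert own tag and return the second packet; None means drop."""
    if not verify_at_enabler(msg, me, mode):
        return None
    return {**msg, "ivt": {**msg["ivt"], me: _ivt(me, msg["nonce"])}}


def verify_at_endpoint(msg):
    """Claim 6 (step S707): the UE or application platform checks every enabler's tag."""
    return path_info_intact(msg) and all(_tag_valid(msg, e) for e in msg["path"])


def run_chain(msg, mode="all", skip=()):
    """Drive a packet along its chain; `skip` models an attacker routing around enablers."""
    for enabler in msg["path"]:
        if enabler in skip:
            continue
        msg = process_at_enabler(msg, enabler, mode)
        if msg is None:
            return None
    return msg


if __name__ == "__main__":
    chain = ["fw", "dpi", "nat"]
    clean = run_chain(issue_path_info(chain))
    print("honest chain accepted at endpoint:", verify_at_endpoint(clean))
    print("dpi bypassed, dropped at nat:", run_chain(issue_path_info(chain), skip=("dpi",)) is None)
    forged = issue_path_info(chain)
    forged["path"] = ["fw", "nat"]  # attacker shortens the chain in transit
    print("edited path rejected at first hop:", run_chain(forged) is None)
```

The adjacent-only mode of claims 2 and 3 is what the fourth embodiment relies on to cut per-hop work: each enabler checks one tag instead of all of them, and a gap in the chain is still caught because the first enabler after the gap finds no tag from its predecessor. The trade-off is that every enabler then trusts its predecessor to have performed the same check, so one compromised enabler in the middle can vouch for packets that skipped everything before it; the endpoint check of claim 6, which covers all tags, is what closes that hole.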
CN201510707418.0A 2015-10-27 2015-10-27 Verification method and verification device Active CN106612267B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510707418.0A CN106612267B (en) 2015-10-27 2015-10-27 Verification method and verification device

Publications (2)

Publication Number Publication Date
CN106612267A CN106612267A (en) 2017-05-03
CN106612267B true CN106612267B (en) 2020-01-21

Family

ID=58614292

Country Status (1)

Country Link
CN (1) CN106612267B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108768958B (en) * 2018-05-07 2022-01-14 上海海事大学 Verification method for data integrity and source based on no leakage of verified information by third party
CN110620724B (en) * 2018-06-19 2021-09-14 中国电信股份有限公司 Method, node and communication system for realizing service chain path tracking
CN112448915B (en) * 2019-08-28 2023-03-24 华为技术有限公司 Verification method and device for configuration message and computer storage medium
CN112511437B (en) * 2020-04-22 2024-03-22 中兴通讯股份有限公司 Method for verifying service chain, transmitting node, forwarding node and service function node
CN113709160B (en) * 2021-08-30 2022-10-04 浙江大学 Software-defined network topology defense method based on forwarding routing integrity verification
CN115022042B (en) * 2022-06-02 2025-02-28 贵州数据宝网络科技有限公司 A compliance code verification method and computer-readable medium for protecting data privacy

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102136049A (en) * 2011-04-01 2011-07-27 奇智软件(北京)有限公司 Terminal application safety management method and system
CN104333511A (en) * 2013-07-22 2015-02-04 华为技术有限公司 Method, device and system for determining service transmission path
WO2015149620A1 (en) * 2014-04-04 2015-10-08 华为技术有限公司 Encapsulation method for service routing packet, service forwarding entity and control plane

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105099915B (en) * 2014-04-28 2018-11-30 华为技术有限公司 A kind of method and apparatus for establishing service path

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant