CN106612267B - Verification method and verification device - Google Patents

Publication number
CN106612267B
Authority
CN
China
Prior art keywords
service
verification
message
enabler
integrity
Legal status
Active
Application number
CN201510707418.0A
Other languages
Chinese (zh)
Other versions
CN106612267A (en)
Inventor
庄小君
左敏
Current Assignee
China Mobile Communications Group Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
Application filed by China Mobile Communications Group Co Ltd
Priority to CN201510707418.0A
Publication of CN106612267A
Application granted
Publication of CN106612267B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos

Abstract

The invention provides a verification method and a verification device. The verification method comprises the following steps: receiving a first message comprising service chain path information and verification tag information; verifying, according to the verification tag information and the service chain path information, whether the service path of the first message has been tampered with, to obtain a verification result; and processing the first message according to the verification result. The scheme of the invention can ensure that a message between the user equipment and the application platform is transmitted according to service chain path information that has not been tampered with, prevent the message from bypassing a service enabler in the selected service chain or passing through a service enabler that is not in the selected service chain, guarantee the integrity of the service chain path even in an open cloud environment, ensure that the message is forwarded and processed according to the configured service path, and avoid potential security risks.

Description

Verification method and verification device
Technical Field
The present invention relates to the field of network and information security technologies, and in particular, to a verification method and a verification apparatus for a service chain.
Background
In the prior art, in order to cope with the rapid growth of data traffic, a plurality of service enablers, such as a URL filter, a video optimizer and a protocol optimizer, are often deployed between the user equipment and the application platform, so as to filter, optimize and secure the data traffic, improve user experience, reduce bandwidth pressure, provide value-added services, and the like.
Within one service, the plurality of service enablers through which the data passes forms a service chain. Current service chains, whether composed of static service enablers or of dynamically orchestratable service function (SF) instances (which may also be referred to as service enablers), are exposed to attackers tampering with the service chain rules, i.e., the traffic steering policies, so that data between a user and an application platform does not pass through a service enabler in the selected service chain, resulting in a poor user experience and potential security risks.
Referring to fig. 1, a diagram of a service chain attack is shown. Specifically, the Policy and Charging Rules Function (PCRF) in the mobile access and core network domain determines a traffic steering policy between the UE and the application platform according to the user's subscription information, service and other information; here the traffic steering policy requires that data traffic pass in sequence through 3 service enablers in the mobile service domain, namely a load balancing device (LB), a firewall (FW) and a DPI device (shown by the straight line in fig. 1).
However, an attacker may tamper with the traffic steering policy on the transmission path between the PCRF and the IDF or on the transmission path from the IDF to the FW, so that data traffic between the UE and the application platform does not pass through the FW (shown by the curve in fig. 1), which poses a security risk to the communication between the UE and the application platform.
In order to prevent an attacker from tampering with the traffic steering policy, in the prior art the mobile service domain is usually deployed as a closed network, and private network protection is adopted between the mobile service domain and the mobile core network domain, so that an attacker has no entry point through which to tamper with the traffic steering policy, thereby avoiding the security risk.
However, with the development of cloud computing, Software Defined Network (SDN) technology, and Network Function Virtualization (NFV) technology, both the mobile service domain and the mobile core domain may be deployed in the cloud. In that case an attacker can discover the service chain through other virtual machines in the cloud or through a compromised Hypervisor (the "meta" operating system of the virtual environment), and tamper with the service path of the service flow by attacking the communication link or a service enabler, so that in an open cloud environment the integrity of the service chain path is not easily guaranteed.
Disclosure of Invention
The invention aims to provide a verification method and a verification device, which are used for solving the technical problem that the integrity of a service chain path is not easy to guarantee in an open cloud environment in the prior art.
In order to achieve the above object, the present invention provides a verification method comprising:
receiving a first message comprising service chain path information and verification label information;
verifying whether the service path of the first message is tampered according to the verification label information and the service chain path information to obtain a verification result;
and processing the first message according to the verification result.
Preferably, the verification tag information includes an integrity tag and an integrity verification tag, where the integrity tag is obtained by encoding the service chain path information generated by the traffic steering policy generator, and the integrity verification tag is obtained by encoding the identity of a service enabler in the service chain;
the step of verifying whether the service path of the first message has been tampered with according to the verification tag information and the service chain path information includes:
verifying whether the service chain path information is tampered or not according to the integrity label and the service chain path information;
under the condition that the service chain path information is not tampered, verifying the integrity verification label, and determining whether the first message passes through a service enabler in a corresponding service chain;
and obtaining a verification result that the service path of the first message is not tampered only when the service chain path information is not tampered and the first message passes through a service enabler in a corresponding service chain.
Preferably, when the verification method is applied to a first service enabler and the first packet has passed at least one second service enabler before reaching the first service enabler,
the verification tag information comprises at least one second integrity verification tag corresponding to the at least one second service enabler;
the step of verifying the integrity verification tag and determining whether the first packet passes through a service enabler in a corresponding service chain includes:
verifying the at least one second integrity verification tag, and determining whether the first packet passes through the at least one second service enabler; or
And only verifying a second integrity verification label corresponding to a second service enabler adjacent to the first service enabler, and determining whether the first message passes through the adjacent second service enabler.
Preferably, when the verification method is applied to a first service enabler and the first packet has passed at least one second service enabler before reaching the first service enabler,
the verification tag information includes only a second integrity verification tag corresponding to a second service enabler adjacent to the first service enabler;
the step of verifying the integrity verification tag and determining whether the first packet passes through a service enabler in a corresponding service chain includes:
and verifying the second integrity verification label and determining whether the first message passes through the adjacent second service enabler.
Preferably, the step of processing the first packet according to the verification result includes:
generating a first integrity verification label and inserting the first integrity verification label into the first message to obtain a second message under the condition that the verification result is that the service path of the first message is not tampered;
and sending the second message to a next service node, wherein the next service node is a service enabler, user equipment or an application platform.
Preferably, the integrity verification tag is generated by the service enabler signing a hash value obtained by performing hash operation on the identity of the service enabler and a fresh value by using a private key of the service enabler.
Preferably, when the verification method is applied to a user equipment or an application platform, and the first packet has passed through at least one service enabler before reaching the user equipment or the application platform,
the verification tag information comprises at least one third integrity verification tag corresponding to the at least one service enabler;
the step of verifying the integrity verification tag and determining whether the first packet passes through a service enabler in a corresponding service chain includes:
and verifying the at least one third integrity verification label, and determining whether the first message passes through the at least one service enabler.
The method also provides a verification device comprising:
the receiving module is used for receiving a first message comprising service chain path information and verification label information;
the verification module is used for verifying whether the service path of the first message is tampered according to the verification label information and the service chain path information to obtain a verification result;
and the processing module is used for processing the first message according to the verification result.
Preferably, the verification tag information includes an integrity tag and an integrity verification tag, where the integrity tag is obtained by encoding the service chain path information generated by the traffic steering policy generator, and the integrity verification tag is obtained by encoding the identity of a service enabler in the service chain;
the verification module includes:
the first verification module is used for verifying whether the service chain path information is tampered or not according to the integrity label and the service chain path information;
the second verification module is used for verifying the integrity verification label under the condition that the service chain path information is not tampered, and determining whether the first message passes through a service enabler in a corresponding service chain;
and obtaining a verification result that the service path of the first message is not tampered only when the service chain path information is not tampered and the first message passes through a service enabler in a corresponding service chain.
Preferably, when the verification method is applied to a first service enabler and the first packet has passed at least one second service enabler before reaching the first service enabler,
the verification tag information comprises at least one second integrity verification tag corresponding to the at least one second service enabler;
the second verification module is specifically configured to:
verifying the at least one second integrity verification tag, and determining whether the first packet passes through the at least one second service enabler; or
And only verifying a second integrity verification label corresponding to a second service enabler adjacent to the first service enabler, and determining whether the first message passes through the adjacent second service enabler.
Preferably, when the verification method is applied to a first service enabler and the first packet has passed at least one second service enabler before reaching the first service enabler,
the verification tag information includes only a second integrity verification tag corresponding to a second service enabler adjacent to the first service enabler;
the second verification module is specifically configured to: and verifying the second integrity verification label and determining whether the first message passes through the adjacent second service enabler.
Preferably, the processing module comprises:
the generating module is used for generating a first integrity verification label and inserting the first integrity verification label into the first message to obtain a second message under the condition that the verification result is that the service path of the first message is not tampered;
and the sending module is used for sending the second message to a next service node, and the next service node is a service enabler, user equipment or an application platform.
Preferably, the integrity verification tag is generated by the service enabler signing a hash value obtained by performing hash operation on the identity of the service enabler and a fresh value by using a private key of the service enabler.
Preferably, when the verification method is applied to a user equipment or an application platform, and the first packet has passed through at least one service enabler before reaching the user equipment or the application platform,
the verification tag information comprises at least one third integrity verification tag corresponding to the at least one service enabler;
the second verification module is specifically configured to: and verifying the at least one third integrity verification label, and determining whether the first message passes through the at least one service enabler.
Through the technical scheme, the invention has the beneficial effects that:
the verification method can ensure that a message between the user equipment and the application platform is transmitted according to service chain path information that has not been tampered with, prevent the message from bypassing a service enabler in the selected service chain or passing through a service enabler that is not in the selected service chain, guarantee the integrity of the service chain path even in an open cloud environment, ensure that the message is forwarded and processed according to the configured service path, and avoid potential security risks.
Drawings
Fig. 1 shows a prior art attack diagram of a traffic chain.
Fig. 2 shows a flow chart of a verification method of an embodiment of the invention.
Fig. 3 is a schematic structural diagram of a verification apparatus according to an embodiment of the present invention.
Fig. 4 shows a flow chart of the verification method of the first preferred embodiment of the present invention.
Fig. 5 shows a flow chart of a verification method according to a second preferred embodiment of the present invention.
Fig. 6 shows a flow chart of a verification method according to a third preferred embodiment of the invention.
Fig. 7 shows a flow chart of a verification method according to a fourth preferred embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the following detailed description of the embodiments is provided with reference to the accompanying drawings.
Referring to fig. 2, an embodiment of the present invention provides a verification method, including:
s201: receiving a first message comprising service chain path information and verification label information;
s202: verifying whether the service path of the first message is tampered according to the verification label information and the service chain path information to obtain a verification result;
s203: and processing the first message according to the verification result.
The verification method of the embodiment of the invention can prevent the service path of a message between the user equipment and the application platform from being tampered with, so that the message is transmitted along the complete service chain path; even in an open cloud environment, the message can be guaranteed to be forwarded and processed according to the configured service path, and the potential security risk is avoided.
The verification method of the embodiment of the invention is mainly applied to a service enabler, user equipment or an application platform. When the verification method is applied to the service enabler, if the service path of the message is verified to be not tampered, the message is sent to the next service node, otherwise, an error is reported to the service management system. When the verification method is applied to user equipment or an application platform, if the service path of the message is verified to be not tampered, the corresponding service request is executed, otherwise, the corresponding service request is refused to be executed.
The message is a message for communication between the user equipment and the application platform, and may be an uplink message from the user equipment to the application platform or a downlink message from the application platform to the user equipment. The service chain path information is generated by translating the traffic steering policy produced by a traffic steering policy generator, such as the PCRF or service organization, and is used to steer the transmission of the message between the user equipment and the application platform.
In practical applications, an attacker can change the service path of a message between the user equipment and the application platform by tampering with the service chain path information, or can tamper with the service path without touching the service chain path information by attacking a service enabler in the service chain or the service chain itself, so that the message does not pass through a certain service enabler in the selected service chain, or passes through a certain service enabler that is not in the selected service chain.
For example, a message between the user equipment and the application platform needs to be transferred to the firewall FW according to the service chain path information in the message, and an attacker can attack the FW, so that although the message is transferred to the FW, the FW does not perform corresponding processing on the message, that is, the message does not pass through the FW.
In order to prevent tampering with the service path of the message, the embodiment of the present invention introduces an integrity tag generated by the traffic steering policy generator and an integrity verification tag generated by each service enabler, and guarantees the integrity of the service chain path through a verification mechanism.
Specifically, in the embodiment of the present invention, the verification tag information includes an integrity tag and an integrity verification tag, where the integrity tag is obtained by encoding the service chain path information generated by the traffic steering policy generator, and the integrity verification tag is obtained by encoding the identity of a service enabler in the service chain;
the step of verifying whether the service path of the first message has been tampered with according to the verification tag information and the service chain path information includes:
verifying whether the service chain path information is tampered or not according to the integrity label and the service chain path information;
under the condition that the service chain path information is not tampered, verifying the integrity verification label, and determining whether the first message passes through a service enabler in a corresponding service chain;
and obtaining a verification result that the service path of the first message is not tampered only when the service chain path information is not tampered and the first message passes through a service enabler in a corresponding service chain.
Therefore, the method can prevent the service chain path information from being tampered with, and can also prevent a message between the user equipment and the application platform from bypassing a certain service enabler in the selected service chain or passing through a certain service enabler that is not in the selected service chain, thereby guaranteeing the integrity of the service chain path.
Specifically, the integrity tag is generated by, for example, the traffic steering policy generator signing, with its private key, a hash value obtained by performing a hash operation on the generated service chain path information and a fresh value (which may be a random number N). The traffic steering policy generator may instead encode the generated service chain path information using an HMAC (keyed-hash message authentication code) to integrity-protect the service chain path information; the present invention does not limit how the service chain path information is encoded, as long as integrity protection of the service chain path information is achieved.
For example, if the service chain path information generated by the PCRF is "SF1SF2SF3", the fresh value is "8", and the hash function is f(x), then the PCRF applies f(x) to "SF1SF2SF3" and "8" to obtain the hash value f(SF1SF2SF3, 8), and signs that hash value with its own private key to obtain the integrity tag corresponding to "SF1SF2SF3".
In this case, verifying whether the service chain path information has been tampered with according to the integrity tag and the service chain path information mainly comprises: decrypting the integrity tag with the public key to obtain a hash value, applying f(x) to the received service chain path information and the fresh value to obtain another hash value, and comparing whether the two hash values are equal; if the two hash values are equal, the service chain path information has not been tampered with, otherwise it has been tampered with.
It should be noted that f(x) and the fresh value used in the verification process may be obtained through message transmission or may be configured in advance; the present invention is not limited in this respect, as long as the verification purpose of the present invention can be achieved.
The integrity verification tag is generated, for example, by the service enabler signing, with its private key, a hash value obtained by performing a hash operation on the identity of the service enabler and a fresh value.
The integrity verification tag is verified as follows: the next service node after the service enabler decrypts the integrity verification tag with the public key to obtain a hash value, applies the same hash function to the received identity and the fresh value to obtain another hash value, and compares whether the two hash values are equal; if they are equal, the message is determined to have passed through the corresponding service enabler, otherwise it is determined not to have passed through it. The identity and the fresh value are carried, for example, by inserting them into the message, as is done with the integrity verification tag.
It should be noted that the identity of the service enabler may be a network-wide unique identifier assigned to the service enabler by a telecommunication operator or a service provider, or may be a network-wide unique identifier configured in advance to the relevant service enabler.
Specifically, in this embodiment of the present invention, when the verification method is applied to a first service enabler and the first packet passes through at least one second service enabler before reaching the first service enabler, the verification tag information includes at least one second integrity verification tag, where the at least one second integrity verification tag corresponds to the at least one second service enabler;
the step of verifying the integrity verification tag and determining whether the first packet passes through a service enabler in a corresponding service chain includes:
and verifying the at least one second integrity verification label, and determining whether the first message passes through the at least one second service enabler.
Therefore, the message can be guaranteed to pass through the service enablers it is required to pass through, and an attacker is prevented from tampering with the actual service path of the message by attacking the service chain or a service enabler.
Specifically, when the service chain path is very long, requiring a later service enabler in the chain to verify the integrity verification tags of all earlier service enablers places a load on those later service enablers. To reduce this load, in the embodiment of the present invention a service enabler may verify only the integrity verification tag corresponding to its adjacent service enabler.
Based on the above, in the embodiment of the present invention, when the verification method is applied to a first service enabler, and the first packet passes through at least one second service enabler before reaching the first service enabler, the verification tag information includes at least one second integrity verification tag, where the at least one second integrity verification tag corresponds to the at least one second service enabler;
the step of verifying the integrity verification tag and determining whether the first packet passes through a service enabler in a corresponding service chain includes:
and only verifying a second integrity verification label corresponding to a second service enabler adjacent to the first service enabler, and determining whether the first message passes through the adjacent second service enabler, so as to reduce the verification burden of part of service enablers.
In addition, when the service link path is very long, if an integrity verification tag is inserted into the packet between the user equipment and the application platform every time a service enabler passes through, a certain influence is brought to the length of the packet. In order to avoid an excessively long message between the user equipment and the application platform, the embodiment of the present invention is implemented by replacing the integrity verification tag of the service enabler adjacent to the current service enabler in the message with the integrity verification tag generated by the current service enabler, that is, the verification tag information only includes one integrity verification tag.
That is, in the embodiment of the present invention, when the verification method is applied to a first service enabler and the first packet has passed through at least one second service enabler before reaching the first service enabler, the verification tag information only includes a second integrity verification tag corresponding to a second service enabler adjacent to the first service enabler;
the step of verifying the integrity verification tag and determining whether the first packet passes through a service enabler in a corresponding service chain includes:
and verifying the second integrity verification label and determining whether the first message passes through the adjacent second service enabler.
In this embodiment of the present invention, the step of processing the first packet according to the verification result includes:
generating a first integrity verification label and inserting the first integrity verification label into the first message to obtain a second message under the condition that the verification result is that the service path of the first message is not tampered;
and sending the second message to a next service node, wherein the next service node is a service enabler, user equipment or an application platform.
Therefore, the complete verification of the service path of the message can be realized.
In the embodiment of the present invention, in order to reduce the workload of the service enablers in the service chain, the service enablers may also be configured to be responsible only for inserting integrity verification tags, with all verification operations performed by the user equipment or the application platform.
Specifically, when the verification method is applied to a user device or an application platform, and the first packet passes through at least one service enabler before reaching the user device or the application platform, the verification tag information includes at least one third integrity verification tag, and the at least one third integrity verification tag corresponds to the at least one service enabler;
the step of verifying the integrity verification tag and determining whether the first packet passes through a service enabler in a corresponding service chain includes:
and verifying the at least one third integrity verification label, and determining whether the first message passes through the at least one service enabler.
It should be noted that, the first integrity verification tag, the second integrity verification tag, and the third integrity verification tag are all generated by the service enabler in the service chain, as with the integrity verification tags described above, so as to verify the actual service path of the packet.
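The two-stage check described above (integrity tag over the path, then per-enabler integrity verification tags), together with the adjacent-only, tag-replacement and verify-at-the-endpoint variants, as an added example written for this page; it is not code from the patent or its assignee. It assumes ed25519 signatures (the patent names no signature algorithm), SHA-256 as the hash function f(x), a fresh value N carried inside the message, the LB/FW/DPI chain of fig. 1 as the sample path, and that every verifier already holds all public keys, as in key configuration option (1) below. Names such as Message, Keys, NewMessage, AppendEnablerTag and Verify are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// EnablerTag is one integrity verification tag: Sign_SF(H(identity || N)).
type EnablerTag struct {
	ID  string // network-wide unique identity of the service enabler
	Sig []byte
}

// Message is the "first message": service chain path information plus verification tag information.
type Message struct {
	Path        []string     // service chain path information, e.g. LB, FW, DPI
	Fresh       uint64       // fresh value N (assumed here to travel inside the message)
	PathTag     []byte       // integrity tag: Sign_generator(H(path || N))
	EnablerTags []EnablerTag // integrity verification tags, in traversal order
}

// Keys holds one ed25519 key pair per party; every verifier is assumed to know all public keys.
type Keys struct {
	pub  map[string]ed25519.PublicKey
	priv map[string]ed25519.PrivateKey
}

func NewKeys(names ...string) *Keys {
	k := &Keys{pub: map[string]ed25519.PublicKey{}, priv: map[string]ed25519.PrivateKey{}}
	for _, n := range names {
		k.pub[n], k.priv[n], _ = ed25519.GenerateKey(rand.Reader) // fails only if rand does
	}
	return k
}

// hashWithFresh is the hash function f(x) applied to the data and the fresh value.
func hashWithFresh(data string, fresh uint64) []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%d", data, fresh)))
	return sum[:]
}

// NewMessage is the traffic steering policy generator's step: the path plus its integrity tag.
func NewMessage(k *Keys, generator string, path []string, fresh uint64) *Message {
	tag := ed25519.Sign(k.priv[generator], hashWithFresh(strings.Join(path, ","), fresh))
	return &Message{Path: append([]string(nil), path...), Fresh: fresh, PathTag: tag}
}

// VerifyPathInfo is the first stage: has the service chain path information been tampered with?
func VerifyPathInfo(k *Keys, generator string, m *Message) bool {
	return ed25519.Verify(k.pub[generator], hashWithFresh(strings.Join(m.Path, ","), m.Fresh), m.PathTag)
}

// AppendEnablerTag is the processing step after a successful check: the enabler inserts its own
// tag; with replacePrevious it overwrites the previous enabler's tag so only one tag is carried.
func AppendEnablerTag(k *Keys, id string, m *Message, replacePrevious bool) {
	tag := EnablerTag{ID: id, Sig: ed25519.Sign(k.priv[id], hashWithFresh(id, m.Fresh))}
	if replacePrevious && len(m.EnablerTags) > 0 {
		m.EnablerTags = m.EnablerTags[:len(m.EnablerTags)-1]
	}
	m.EnablerTags = append(m.EnablerTags, tag)
}

// Verify runs both stages at node self: an enabler named in the path, or the receiving user
// equipment / application platform when self is "". adjacentOnly checks only the previous tag.
func Verify(k *Keys, generator, self string, m *Message, adjacentOnly bool) error {
	if !VerifyPathInfo(k, generator, m) {
		return errors.New("service chain path information tampered with")
	}
	expected := m.Path // endpoint: every enabler in the path must have signed
	if self != "" {
		pos := -1
		for i, id := range m.Path {
			if id == self {
				pos = i
			}
		}
		if pos < 0 {
			return fmt.Errorf("%s is not in the service chain path", self)
		}
		expected = m.Path[:pos]
		if adjacentOnly && pos > 0 {
			expected = m.Path[pos-1 : pos]
		}
	}
	if len(m.EnablerTags) < len(expected) {
		return errors.New("integrity verification tag missing")
	}
	tags := m.EnablerTags[len(m.EnablerTags)-len(expected):] // the most recently inserted tags
	for i, id := range expected {
		pub, known := k.pub[tags[i].ID]
		if tags[i].ID != id || !known || !ed25519.Verify(pub, hashWithFresh(id, m.Fresh), tags[i].Sig) {
			return fmt.Errorf("message did not pass through %s", id)
		}
	}
	return nil
}
```

A typical run builds keys with NewKeys("PCRF", "LB", "FW", "DPI"), creates the message at the PCRF with NewMessage, and at each hop calls Verify followed by AppendEnablerTag. A message on which the FW never inserted its tag fails at the DPI with "message did not pass through FW"; a message whose Path was rewritten in transit fails the first stage regardless of which tags it carries. When enablers use the replacePrevious mode, the endpoint can no longer verify the whole chain, which is why the page pairs that mode with adjacent-only verification.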
The public and private keys used in the verification process can be configured in the following manner, but the invention is not limited to the following manner:
(1) a public/private key pair is generated by the telecom operator; the private key is configured on the traffic steering policy generator or the service enabler (namely the SF), and the public key is configured on the user equipment, the application platform and the service enablers;
(2) a public/private key pair is generated by the traffic steering policy generator or the service enabler itself; the private key is kept on that device, the public key is obtained by the telecom operator, and the public keys are configured on the user equipment, the application platform and the service enablers;
(3) when the public key is carried in a certificate, the traffic steering policy generator or the service enabler generates its own public/private key pair, applies to a CA for a certificate, and sends its public key certificate together with the integrity verification tag to the next service node; the user equipment, the application platform and the service enablers can be pre-configured with the root certificate so as to verify the validity of the certificate, after which the public key is extracted from the certificate to verify the validity of the integrity tags; the revocation status of the certificate may be queried through a CRL (Certificate Revocation List) or OCSP (Online Certificate Status Protocol).
Referring to fig. 3, an embodiment of the present invention further provides a verification apparatus corresponding to the verification method shown in fig. 2, where the verification apparatus includes:
a receiving module 31, configured to receive a first message including service chain path information and verification tag information;
a verification module 32, configured to verify, according to the verification tag information and the service chain path information, whether the service path of the first message has been tampered with, so as to obtain a verification result;
and a processing module 33, configured to process the first message according to the verification result.
The verification apparatus of the embodiment of the invention prevents the service path of a message between the user equipment and the application platform from being tampered with, so that the message is transmitted along the complete service chain path; even in an open cloud environment, the message is guaranteed to be forwarded and processed along the configured service path, avoiding potential security risks.
In practical application, an attacker can change the service path of a message between the user equipment and the application platform by tampering with the service chain path information; the attacker can also tamper with the service path without touching the service chain path information, by attacking a service enabler in the service chain or the service chain itself, so that the message bypasses a certain service enabler in the selected service chain or passes through a service enabler that is not in the selected service chain.
To prevent such tampering with the service path of the message, the embodiment of the present invention introduces an integrity tag generated by the traffic steering policy generator and an integrity verification tag generated by each service enabler, and guarantees the integrity of the service chain path through a verification mechanism.
Specifically, in the embodiment of the present invention, the verification tag information includes an integrity tag and an integrity verification tag, where the integrity tag is obtained by encoding the service chain path information generated by the traffic steering policy generator, and the integrity verification tag is obtained by encoding the identity of a service enabler in the service chain;
the verification module includes:
a first verification module, configured to verify, according to the integrity tag and the service chain path information, whether the service chain path information has been tampered with;
a second verification module, configured to verify the integrity verification tag when the service chain path information has not been tampered with, and to determine whether the first message passes through a service enabler in the corresponding service chain;
where the verification result that the service path of the first message has not been tampered with is obtained only when the service chain path information has not been tampered with and the first message passes through the service enabler in the corresponding service chain.
Thus the method prevents the service chain path information from being tampered with, and also prevents a message between the user equipment and the application platform from bypassing a service enabler in the selected service chain or passing through a service enabler not in the selected service chain, thereby ensuring the integrity of the service chain path.
Specifically, the integrity verification tag is generated by the service enabler signing, with its own private key, a hash value obtained by hashing its own identity together with a fresh value.
Specifically, in this embodiment of the present invention, when the verification method is applied to a first service enabler and the first message passes through at least one second service enabler before reaching the first service enabler, the verification tag information includes at least one second integrity verification tag, which corresponds to the at least one second service enabler;
the second verification module is specifically configured to:
verify the at least one second integrity verification tag, and determine whether the first message passes through the at least one second service enabler.
In this way the message is guaranteed to pass through the service enablers it is required to pass through, and an attacker is prevented from tampering with the actual service path of the message by attacking the service chain or a service enabler.
Furthermore, when the verification method is applied to a first service enabler and the first message has passed through at least one second service enabler before reaching the first service enabler, the verification tag information includes at least one second integrity verification tag, which corresponds to the at least one second service enabler;
the second verification module is specifically configured to: verify only the second integrity verification tag corresponding to the second service enabler adjacent to the first service enabler, and determine whether the first message passes through that adjacent second service enabler, so as to reduce the verification burden on some service enablers.
When the service chain path is very long, inserting an integrity verification tag into the message between the user equipment and the application platform every time it passes through a service enabler has a certain effect on the length of the message. To avoid an excessively long message between the user equipment and the application platform, the embodiment of the present invention replaces the integrity verification tag of the service enabler adjacent to the current service enabler with the integrity verification tag generated by the current service enabler, so that the verification tag information contains only one integrity verification tag at a time.
Based on the above, in the embodiment of the present invention, when the verification method is applied to a first service enabler and the first message has passed through at least one second service enabler before reaching the first service enabler,
the verification tag information includes only the second integrity verification tag corresponding to the second service enabler adjacent to the first service enabler;
the second verification module is specifically configured to: verify the second integrity verification tag and determine whether the first message passes through the adjacent second service enabler.
Specifically, the processing module includes:
a generating module, configured to generate a first integrity verification tag and insert it into the first message to obtain a second message when the verification result indicates that the service path of the first message has not been tampered with;
and a sending module, configured to send the second message to the next service node, which is a service enabler, a user equipment or an application platform.
In the embodiment of the present invention, in order to reduce the workload of the service enablers in the service chain, the service enablers may also be configured only to insert integrity verification tags, with all verification operations performed by the user equipment or the application platform.
Specifically, when the verification method is applied to a user equipment or an application platform and the first message has passed through at least one service enabler before reaching the user equipment or the application platform,
the verification tag information includes at least one third integrity verification tag corresponding to the at least one service enabler;
the second verification module is specifically configured to: verify the at least one third integrity verification tag, and determine whether the first message passes through the at least one service enabler.
To facilitate understanding of the implementation of the above embodiment, the following preferred embodiments further describe the verification method provided by the embodiment of the present invention with reference to fig. 4 to 7.
Fig. 4 is a flow chart of the verification method according to a first preferred embodiment of the present invention; referring to fig. 4, it includes:
S401: the PCRF (Policy and Charging Rules Function) generates a traffic steering policy, translates it into service chain path information, and generates an integrity tag;
S402: the PCRF transmits a traffic message including the service chain path information and the integrity tag to service enabler 1 (i.e., SF1) via the TDF (Traffic Detection Function);
S403: SF1 verifies the integrity of the service chain path information and, if the service chain path information is intact, inserts integrity verification tag 1 into the traffic message;
S404: SF1 transmits the traffic message, now including the service chain path information, the integrity tag and integrity verification tag 1, to SF2 through the switch;
S405: SF2 verifies the integrity of the service chain path information and integrity verification tag 1 and, if the service chain path information is intact and integrity verification tag 1 is valid, inserts integrity verification tag 2 into the traffic message;
S406: SF2 transmits the traffic message, now including the service chain path information, the integrity tag, integrity verification tag 1 and integrity verification tag 2, to SF3 through the switch;
S407: SF3 verifies the integrity of the service chain path information, integrity verification tag 1 and integrity verification tag 2 and, if the service chain path information is intact and integrity verification tags 1 and 2 are valid, inserts integrity verification tag 3 into the traffic message;
……
Subsequent service enablers proceed in the same way. The final service node, the user equipment or the application platform, executes according to its own requirements when it confirms the processing of the traffic.
Fig. 5 is a flow chart of the verification method according to a second preferred embodiment of the present invention; referring to fig. 5, it includes:
S501: the PCRF generates a traffic steering policy, translates it into service chain path information, and generates an integrity tag;
S502: the PCRF transmits a traffic message including the service chain path information and the integrity tag to SF1 via the TDF;
S503: SF1 verifies the integrity of the service chain path information and, if the service chain path information is intact, inserts integrity verification tag 1 into the traffic message;
S504: SF1 transmits the traffic message, now including the service chain path information, the integrity tag and integrity verification tag 1, to SF2 through the switch;
S505: SF2 verifies the integrity of the service chain path information and integrity verification tag 1 and, if the service chain path information is intact and integrity verification tag 1 is valid, inserts integrity verification tag 2 into the traffic message;
S506: SF2 transmits the traffic message, now including the service chain path information, the integrity tag, integrity verification tag 1 and integrity verification tag 2, to SF3 through the switch;
S507: SF3 verifies the integrity of the service chain path information and of integrity verification tag 2 only and, if the service chain path information is intact and integrity verification tag 2 is valid, inserts integrity verification tag 3 into the traffic message;
……
Subsequent service enablers proceed in the same way. The final service node, the user equipment or the application platform, executes according to its own requirements when it confirms the processing of the traffic.
Compared with the first preferred embodiment described above, the second preferred embodiment reduces the workload of the later service enablers in the service chain.
Fig. 6 is a flow chart of the verification method according to a third preferred embodiment of the present invention; referring to fig. 6, it includes:
S601: the PCRF generates a traffic steering policy, translates it into service chain path information, and generates an integrity tag;
S602: the PCRF transmits a traffic message including the service chain path information and the integrity tag to SF1 via the TDF;
S603: SF1 verifies the integrity of the service chain path information and, if the service chain path information is intact, inserts integrity verification tag 1 into the traffic message;
S604: SF1 transmits the traffic message, now including the service chain path information, the integrity tag and integrity verification tag 1, to SF2 through the switch;
S605: SF2 verifies the integrity of the service chain path information and integrity verification tag 1 and, if the service chain path information is intact and integrity verification tag 1 is valid, replaces integrity verification tag 1 with integrity verification tag 2, so that integrity verification tag 2 is now the tag carried in the traffic message;
S606: SF2 transmits the traffic message, now including the service chain path information, the integrity tag and integrity verification tag 2, to SF3 through the switch;
S607: SF3 verifies the integrity of the service chain path information and integrity verification tag 2 and, if the service chain path information is intact and integrity verification tag 2 is valid, replaces integrity verification tag 2 with integrity verification tag 3, so that integrity verification tag 3 is now the tag carried in the traffic message;
……
Subsequent service enablers proceed in the same way. The final service node, the user equipment or the application platform, executes according to its own requirements when it confirms the processing of the traffic.
Compared with the first or second preferred embodiment, the third preferred embodiment avoids an excessively long traffic message between the user equipment and the application platform, and so avoids adverse effects on the user equipment and the application platform.
Fig. 7 is a flow chart of the verification method according to a fourth preferred embodiment of the present invention; referring to fig. 7, it includes:
S701: the PCRF generates a traffic steering policy, translates it into service chain path information, and generates an integrity tag;
S702: the PCRF transmits a traffic message including the service chain path information and the integrity tag to SF1 via the TDF;
S703: SF1 inserts integrity verification tag 1 into the traffic message;
S704: SF1 transmits the traffic message, now including the service chain path information, the integrity tag and integrity verification tag 1, to SF2 through the switch;
S705: SF2 inserts integrity verification tag 2 into the traffic message;
S706: SF2 transmits the traffic message, now including the service chain path information, the integrity tag, integrity verification tag 1 and integrity verification tag 2, to SF3 through the switch;
…… (subsequent service enablers proceed in the same way)
S707: the user equipment (UE) or the application platform verifies the integrity of the service chain path information and of integrity verification tags 1, 2, …, and executes the requested service if the service chain path information is intact and integrity verification tags 1, 2, … are valid.
Compared with the first, second or third preferred embodiment, the fourth preferred embodiment reduces the workload of the service enablers in the service chain and improves the service speed.
The foregoing is only a preferred embodiment of the present invention; it should be noted that those skilled in the art can make various modifications and refinements without departing from the principle of the present invention, and such modifications and refinements should also be regarded as falling within the scope of protection of the present invention.

Claims (12)

1. A verification method, comprising:
receiving a first message comprising service chain path information and verification tag information;
verifying, according to the verification tag information and the service chain path information, whether the service path of the first message has been tampered with, to obtain a verification result;
processing the first message according to the verification result;
wherein the verification tag information comprises an integrity tag and an integrity verification tag, the integrity tag being obtained by encoding the service chain path information generated by a traffic steering policy generator, and the integrity verification tag being obtained by encoding the identity of a service enabler in a service chain;
the step of verifying, according to the verification tag information and the service chain path information, whether the service path of the first message has been tampered with includes:
verifying, according to the integrity tag and the service chain path information, whether the service chain path information has been tampered with;
when the service chain path information has not been tampered with, verifying the integrity verification tag, and determining whether the first message passes through a service enabler in a corresponding service chain;
and obtaining the verification result that the service path of the first message has not been tampered with only when the service chain path information has not been tampered with and the first message passes through the service enabler in the corresponding service chain.
2. The verification method according to claim 1, wherein when the verification method is applied to a first service enabler and the first message has passed through at least one second service enabler before reaching the first service enabler,
the verification tag information comprises at least one second integrity verification tag corresponding to the at least one second service enabler;
the step of verifying the integrity verification tag and determining whether the first message passes through a service enabler in a corresponding service chain includes:
verifying the at least one second integrity verification tag, and determining whether the first message passes through the at least one second service enabler; or
verifying only the second integrity verification tag corresponding to a second service enabler adjacent to the first service enabler, and determining whether the first message passes through the adjacent second service enabler.
3. The verification method according to claim 1, wherein when the verification method is applied to a first service enabler and the first message has passed through at least one second service enabler before reaching the first service enabler,
the verification tag information includes only a second integrity verification tag corresponding to a second service enabler adjacent to the first service enabler;
the step of verifying the integrity verification tag and determining whether the first message passes through a service enabler in a corresponding service chain includes:
verifying the second integrity verification tag and determining whether the first message passes through the adjacent second service enabler.
4. The verification method according to claim 2 or 3, wherein the step of processing the first message according to the verification result comprises:
generating a first integrity verification tag and inserting it into the first message to obtain a second message when the verification result is that the service path of the first message has not been tampered with;
and sending the second message to a next service node, the next service node being a service enabler, a user equipment or an application platform.
5. The verification method according to claim 1, wherein the integrity verification tag is generated by the service enabler signing, with its own private key, a hash value obtained by hashing a fresh value together with its own identity.
6. The verification method according to claim 1, wherein when the verification method is applied to a user equipment or an application platform and the first message has passed through at least one service enabler before reaching the user equipment or the application platform,
the verification tag information comprises at least one third integrity verification tag corresponding to the at least one service enabler;
the step of verifying the integrity verification tag and determining whether the first message passes through a service enabler in a corresponding service chain includes:
verifying the at least one third integrity verification tag, and determining whether the first message passes through the at least one service enabler.
7. A verification apparatus, comprising:
a receiving module, configured to receive a first message comprising service chain path information and verification tag information;
a verification module, configured to verify, according to the verification tag information and the service chain path information, whether the service path of the first message has been tampered with, to obtain a verification result;
a processing module, configured to process the first message according to the verification result;
wherein the verification tag information comprises an integrity tag and an integrity verification tag, the integrity tag being obtained by encoding the service chain path information generated by a traffic steering policy generator, and the integrity verification tag being obtained by encoding the identity of a service enabler in a service chain;
the verification module includes:
a first verification module, configured to verify, according to the integrity tag and the service chain path information, whether the service chain path information has been tampered with;
a second verification module, configured to verify the integrity verification tag when the service chain path information has not been tampered with, and to determine whether the first message passes through a service enabler in a corresponding service chain;
and the verification result that the service path of the first message has not been tampered with is obtained only when the service chain path information has not been tampered with and the first message passes through the service enabler in the corresponding service chain.
8. The verification apparatus according to claim 7, wherein when the verification apparatus is applied to a first service enabler and the first message has passed through at least one second service enabler before reaching the first service enabler,
the verification tag information comprises at least one second integrity verification tag corresponding to the at least one second service enabler;
the second verification module is specifically configured to:
verify the at least one second integrity verification tag, and determine whether the first message passes through the at least one second service enabler; or
verify only the second integrity verification tag corresponding to a second service enabler adjacent to the first service enabler, and determine whether the first message passes through the adjacent second service enabler.
9. The verification apparatus according to claim 7, wherein when the verification apparatus is applied to a first service enabler and the first message has passed through at least one second service enabler before reaching the first service enabler,
the verification tag information includes only a second integrity verification tag corresponding to a second service enabler adjacent to the first service enabler;
the second verification module is specifically configured to: verify the second integrity verification tag and determine whether the first message passes through the adjacent second service enabler.
10. The verification apparatus according to claim 8 or 9, wherein the processing module comprises:
a generating module, configured to generate a first integrity verification tag and insert it into the first message to obtain a second message when the verification result is that the service path of the first message has not been tampered with;
and a sending module, configured to send the second message to a next service node, the next service node being a service enabler, a user equipment or an application platform.
11. The verification apparatus according to claim 7, wherein the integrity verification tag is generated by the service enabler signing, with its own private key, a hash value obtained by hashing a fresh value together with its own identity.
12. The verification apparatus according to claim 7, wherein when the verification apparatus is applied to a user equipment or an application platform and the first message has passed through at least one service enabler before reaching the user equipment or the application platform,
the verification tag information comprises at least one third integrity verification tag corresponding to the at least one service enabler;
the second verification module is specifically configured to: verify the at least one third integrity verification tag, and determine whether the first message passes through the at least one service enabler.
CN201510707418.0A 2015-10-27 2015-10-27 Verification method and verification device Active CN106612267B (en)

Publications (2)

Publication Number Publication Date
CN106612267A (en) 2017-05-03
CN106612267B (en) 2020-01-21


Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant