CN107094127B - Processing method and device, and obtaining method and device of security information - Google Patents


Publication number
CN107094127B
Authority
CN
China
Prior art keywords
terminal
security information
network slice
request message
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610091142.2A
Other languages
Chinese (zh)
Other versions
CN107094127A (en)
Inventor
侯云静
徐晖
艾明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Academy of Telecommunications Technology CATT
Datang Mobile Communications Equipment Co Ltd
Original Assignee
China Academy of Telecommunications Technology CATT
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Academy of Telecommunications Technology CATT
Priority to CN201610091142.2A
Publication of CN107094127A
Application granted
Publication of CN107094127B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/18 Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols

Abstract

The invention provides a method and a device for processing security information and a method and a device for acquiring security information, wherein the method for processing security information comprises the following steps: the access control function entity generates security information; and sends the security information to a control entity. In the embodiment of the invention, the access control function entity authenticates and authorizes the terminal and is responsible for generating different security information for the different network slices subscribed to by the terminal; each network slice uses the generated security information to process the high-level information sent by the terminal so that the terminal can access the network slice, thereby realizing security isolation among different network slices and improving access security.

Description

Processing method and device, and obtaining method and device of security information
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and an apparatus for processing security information, and a method and an apparatus for acquiring security information.
Background
While a Mobile communication network supports a conventional Mobile Broadband (MBB) scenario, it also needs to support a new scenario. New scenarios place different demands on the network, e.g. different demands on functions like charging, policy control, security and mobility. Mobile broadband scenarios may require application-dependent charging and policy control, whereas other scenarios may require simpler charging or policy.
To better support different scenarios, it is necessary to isolate the traffic of the different scenarios. With network slicing techniques, a single physical network can be divided into multiple virtual networks. For example, a large number of electronic sensor failures cannot affect MBB users. Each network slice includes a set of logical network functions that support the communication traffic needs of a particular scenario. The logical function may be a location management function, a handover control function, a session management function, etc. The specific logic functions included in the network slice are different according to the services provided by the network slice, for example, a network slice supporting mobile broadband services needs to support the above 3 functions, while a network slice supporting networking services does not need to support a location management function and a handover control function.
Specifically, as shown in fig. 1, which is an exemplary diagram of a network slice, the network slice is composed of 3 layers: a service instance layer, a network slice instance layer and a resource layer. The three layers are described as follows:
1. The service instance layer represents the supported service (end user service or business service). Each service instance represents a service. Generally, services may be provided by a network operator or a third party. Thus, a service instance may represent an operator service or a service provided by a third party.
2. The network slice instance provides the service instance with its required network characteristics. Multiple service instances provided by a network operator may share one network slice instance. The network slice instances may include 0, 1, or more subnet instances that may be shared by other network slice instances. A subnet instance consists of a set of network functions that run on top of physical/logical resources.
3. The resource layer includes physical resources and logical resources. A physical resource is a collection of computing, storage and transmission resources (including radio access). A logical resource is a physical resource that is specifically partitioned for a network function, or shared by a group of network functions.
In the existing method, a security algorithm (such as an encryption algorithm and an integrity protection algorithm) and a secret key are negotiated between a mobility management entity MME and a user terminal in an authentication process. After the network slice is introduced, in order to avoid that the terminal executes an authentication process every time the terminal accesses one network slice, the authentication function is separated from the network slice to form an independent authentication function. When the terminal is authenticated by using an independent authentication function, the existing method cannot provide different security algorithms and keys for different network slices (namely, when an operator deploys a plurality of network slices, the terminal can be simultaneously accessed into the plurality of network slices, and when a unified authentication system is used, the terminal can be accessed into different network slices only by performing authentication and authorization once on the terminal), so that the security isolation between different network slices cannot be realized.
Disclosure of Invention
The invention aims to provide a method and a device for processing security information and a method and a device for acquiring security information, which solve the problem that in the prior art, different security algorithms and keys cannot be provided for different network slices, so that the security isolation between different network slices cannot be realized.
In order to achieve the above object, an embodiment of the present invention provides a method for processing security information, including:
the access control function entity generates security information;
and sending the security information to a control entity.
Wherein, the step of generating the security information by the access control function entity comprises:
generating different security information for different network slices subscribed to by the terminal according to the subscription information of the terminal.
Wherein, the processing method further comprises:
receiving a first request message sent by a control entity in a network slice, wherein the first request message carries an identifier of a terminal requesting to access the network slice, and the first request message is used for requesting to acquire security information of the terminal;
and sending the security information of the terminal to a control entity in the network slice according to the first request message.
Wherein, the processing method further comprises:
sending the security information of each network slice subscribed to by the terminal to the terminal.
Wherein, the processing method further comprises:
receiving a second request message sent by a terminal, wherein the second request message carries information of a network slice accessed by the terminal, and the second request message is used for requesting to acquire security information of the network slice;
and sending the security information of the network slice to the terminal according to the second request message.
Wherein the security information comprises a security algorithm and/or a key.
The embodiment of the invention also provides a method for acquiring the security information of the terminal, which is applied to network slicing and comprises the following steps:
receiving security information of a terminal sent by an access control function entity; or,
sending a first request message to an access control function entity, wherein the first request message carries an identifier of a terminal requesting to access a network slice, and the first request message is used for requesting to acquire security information of the terminal;
receiving the security information of the terminal sent by the access control function; or,
receiving an access request message of a terminal sent by an access device, wherein the access request message carries security information of the terminal.
Wherein the security information comprises a security algorithm and/or a key.
The embodiment of the invention also provides a method for acquiring the security information of the network slice, which is applied to a terminal and comprises the following steps:
receiving security information of each network slice subscribed to by the terminal, sent by an access control function entity; or,
sending a second request message to an access control function entity, wherein the second request message carries information of a network slice accessed by the terminal, and the second request message is used for requesting to acquire security information of the network slice;
and receiving the security information of the network slice sent by the access control function entity.
The security information comprises a security algorithm and a secret key.
An embodiment of the present invention further provides a device for processing security information, including:
a generating module, configured for the access control function entity to generate security information;
and a first sending module, configured to send the security information to a control entity.
Wherein the generating module comprises:
a generation submodule, configured to generate different security information for different network slices subscribed to by the terminal according to the subscription information of the terminal.
Wherein the processing device further comprises:
a first receiving module, configured to receive a first request message sent by a control entity in a network slice, where the first request message carries an identifier of a terminal requesting to access the network slice, and the first request message is used to request to acquire security information of the terminal;
and the second sending module is used for sending the security information of the terminal to a control entity in the network slice according to the first request message.
Wherein the processing device further comprises:
a third sending module, configured to send the security information of each network slice subscribed to by the terminal to the terminal.
Wherein the processing device further comprises:
a second receiving module, configured to receive a second request message sent by a terminal, where the second request message carries information of a network slice accessed by the terminal, and the second request message is used to request to acquire security information of the network slice;
and the fourth sending module is used for sending the security information of the network slice to the terminal according to the second request message.
Wherein the security information comprises a security algorithm and/or a key.
An embodiment of the present invention further provides an apparatus for acquiring security information of a terminal, including:
a first security information receiving module, configured to receive the security information of the terminal sent by the access control function entity; and/or,
a first request module, configured to send a first request message to an access control function entity, where the first request message carries an identifier of a terminal requesting to access a network slice, and the first request message is used to request to acquire security information of the terminal;
a second security information receiving module, configured to receive the security information of the terminal sent by the access control function; and/or,
a third security information receiving module, configured to receive an access request message of the terminal sent by the access device, wherein the access request message carries the security information of the terminal.
Wherein the security information comprises a security algorithm and/or a key.
An embodiment of the present invention further provides an apparatus for acquiring security information of a network slice, including:
a fourth security information receiving module, configured to receive the security information of each network slice subscribed to by the terminal, which is sent by the access control function entity; and/or,
a second request module, configured to send a second request message to an access control function entity, where the second request message carries information of a network slice accessed by the terminal, and the second request message is used to request to acquire security information of the network slice;
and the fifth security information receiving module is configured to receive the security information of the network slice sent by the access control function entity.
Wherein the security information comprises a security algorithm and/or a key.
The technical scheme of the invention at least has the following beneficial effects:
In the security information processing method and device, and the security information acquisition method and device of the embodiments of the present invention, the access control function entity authenticates and authorizes the terminal, and is responsible for generating different security information for different network slices subscribed to by the terminal, and the network slice processes the high-level information sent by the terminal by using the generated security information, so that the terminal can access the network slice, thereby implementing security isolation between different network slices, and improving access security.
Drawings
FIG. 1 is a schematic diagram of a prior art network slice;
fig. 2 is a flow chart illustrating basic steps of a method for processing security information according to a first embodiment of the present invention;
fig. 3 is a system architecture diagram illustrating a method for a terminal to access a network slice in an embodiment of the present invention;
fig. 4 is a flowchart illustrating the detailed steps of the terminal accessing the network slice in the embodiment of the present invention;
fig. 5 shows a flow chart of the interaction of network slicing and access control functions in a first embodiment of the invention;
fig. 6 shows a flowchart of the interaction of a terminal with an access control function in a first embodiment of the invention;
fig. 7 is a schematic structural diagram of a security information processing apparatus according to a fourth embodiment of the present invention.
Detailed Description
In order to make the technical problems, technical solutions and advantages of the present invention more apparent, the following detailed description is given with reference to the accompanying drawings and specific embodiments.
First embodiment
As shown in fig. 2, a first embodiment of the present invention provides a processing method of security information, including:
step 101, an access control function entity generates security information;
step 102, sending the security information to a control entity.
It should be noted that the access control function entity provided in the embodiment of the present invention may be an AAA or an HSS, where AAA stands for Authentication, Authorization and Accounting, and HSS stands for Home Subscriber Server.
Fig. 3 shows a system architecture of a method for accessing a terminal to a network slice according to an embodiment of the present invention, in which the system architecture extracts authentication and authorization functions from each network slice to form an independent function, that is, an access control function in fig. 3, where the access control function authenticates and authorizes the terminal under the trigger of an access network and is responsible for selecting security information for a network slice signed by the terminal; the network slice may include one or more control functions, and different control functions support different functions.
Specifically, step 101 is that the access control function entity generates different security information for different network slices subscribed by the terminal according to the subscription information of the terminal. For example, first security information is generated for a first network slice and second security information is generated for a second network slice.
Further, the security information in the first embodiment of the present invention includes a selected security algorithm and/or a generated key. The security algorithm comprises an encryption algorithm, an integrity protection algorithm and the like; correspondingly, the keys include an encryption algorithm key and an integrity protection algorithm key, and other security algorithms and corresponding keys are also applicable to the present application, which are not enumerated herein.
In the first embodiment of the present invention, the subscription information of the terminal may be stored in the access control function entity, or may be stored in another function entity, such as an HSS. Accordingly, the access control functional entity may obtain the subscription information of the terminal from its own storage area, or may obtain the subscription information from other functional entities, which is not limited herein.
Specifically, as shown in fig. 4, when the method for processing security information according to the first embodiment of the present invention is applied, the flow of the terminal accessing the network slice is as follows:
step 1, a terminal sends an access request message to access equipment in an access network, wherein the access request message comprises a network slice type requested by the equipment on the terminal, an identifier of the terminal and a high-level message of the terminal;
step 2, the access network firstly judges whether the context of the terminal is stored in the access network. If the access network stores the context of the terminal, skipping to execute the step 4; if not, the access network sends an access request message to the access control function, the message carries the terminal identifier and the network slice type (optional), the access control function judges whether the terminal passes the authentication, if so (for example, the terminal passes the authentication executed by other access networks), step 3b is executed, and the subscription information of the terminal is returned to the access network; if not, executing step 3a to authenticate the terminal.
Step 3a, the access control function authenticates and authorizes the terminal, and if the terminal passes the authentication, the subscription information of the terminal is returned to the access network in the authentication process. The access control function also selects security information for each network slice subscribed to by the terminal;
Step 3b, the terminal has passed the authentication, and the access control function sends an access reply message to the access network, wherein the message carries the subscription information of the terminal.
Step 4, the access network selects at least one network slice for the terminal according to the network slice type requested by the terminal and the subscription information of the terminal.
Step 5, the access network sends the high-level message in the access request message to the selected network slice.
Step 6, the network slice determines, according to the subscription information of the terminal, whether the terminal may access the network slice, and if so, processes the high-level message and forms a confirmation message. The network slice processes the confirmation message (such as encrypting and integrity protecting the message) with the security information (security algorithm and key), and then returns the processed confirmation message to the terminal, at which point the terminal has accessed the network slice.
It should be noted that, in the present application, an access device generally refers to a device in a wireless access network through whose wireless interface a terminal accesses the network, for example, an eNB in LTE, a wireless network access device (implementing a function similar to the eNB) in a future 5G network, an AP or a TWAG of a WLAN, and the like.
Further, after the access control function entity generates different security information for different network slices subscribed by the terminal in the first embodiment of the present invention, the method further includes:
step 103, sending the security information of the terminal to each network slice subscribed to by the terminal.
Specifically, after the terminal passes the authentication, the access control function generates security information for each network slice subscribed by the terminal according to the subscription information of the terminal, and then sends the security information of the terminal to the control entity in the network slice. If the terminal provides the requested network slice type in the authentication process, the access control function entity only sends the security information of the terminal to the network slice of the type after the authentication is successful. In another case, after selecting a network slice for a terminal, an access device of an access network sends information that the terminal is about to access the network slice to an access control function entity, and after receiving the information, the access control function sends security information of the terminal to the control entity of the network slice.
Note that, when the security information of the terminal is transmitted to each network slice subscribed to by the terminal in step 103, the identifier of the terminal, the subscription information of the terminal, and the like may also be carried, which is not particularly limited herein.
Further, step 103 above represents a method for an access control function module to actively send security information of a terminal to a network slice, and a first embodiment of the present invention further provides a method for a control entity in the network slice to actively obtain security information of the terminal, as shown in fig. 5, the method further includes:
step 104, receiving a first request message sent by a control entity in a network slice, wherein the first request message carries an identifier of a terminal requesting to access the network slice, and the first request message is used for requesting to acquire security information of the terminal;
step 105, sending the security information of the terminal to a control entity in the network slice according to the first request message.
Specifically, the use scenario of the method is as follows: a control entity in a network slice receives a request message (such as a request for accessing the network slice) from a terminal and does not find the context of the terminal locally; in that case the control entity in the network slice sends a first request message to the access control function entity to request to acquire the security information of the terminal; after receiving the request message, the access control function returns security information of the terminal, such as a security algorithm, a key, etc.
Note that, when the security information of the terminal is transmitted to the control entity in the network slice in step 105, the identifier of the terminal, the subscription information of the terminal, and the like may also be carried, which is not limited herein.
Further, in the first embodiment of the present invention, after generating different security information for different network slices subscribed by the terminal, the processing method further includes:
step 106, sending the security information of each network slice subscribed to by the terminal to the terminal. Specifically, the security information of each network slice subscribed to by the terminal may be sent to the terminal in the authentication process, or the security information of each network slice subscribed to by the terminal may be sent to the terminal after the authentication is completed, which is not limited herein.
Correspondingly, after the terminal has acquired the network slice security information and receives the confirmation message sent by the network slice in step 6, the terminal processes the confirmation message, for example decrypting the message and verifying its integrity, according to the security algorithm and the key related to the network slice that the terminal acquired from the access control module, so that the terminal can in turn perform security verification on the network slice, thereby realizing bidirectional verification between the network slice and the terminal and further ensuring the security of accessing the network slice.
Note that, when the security information of the network slice is sent to the terminal in step 106, the identifier of the network slice, the subscription information of the network slice, and the like may also be carried, which is not particularly limited herein.
Further, step 106 above represents a method for the access control function module to actively send the security information of the network slice to the terminal, and a first embodiment of the present invention further provides a method for the terminal to actively obtain the security information of the network slice, as shown in fig. 6, the method further includes:
step 107, receiving a second request message sent by the terminal, where the second request message carries information of a network slice accessed by the terminal, and the second request message is used for requesting to acquire security information of the network slice;
and step 108, sending the security information of the network slice to the terminal according to the second request message.
The information of the network slice refers to information that can indicate the identity of the network slice, such as an identifier of the network slice or an APN, and is not particularly limited herein. Specifically, steps 107 and 108 describe that after the terminal passes the authentication, when the terminal accesses a new network slice, the terminal interacts with the access control function to acquire security information related to the network slice. The general application scenario of the method is as follows: the terminal has successfully accessed a specific network slice, and the terminal does not have the security information of the network slice.
Note that, when the security information of the network slice is transmitted to the terminal in step 108, the identifier of the network slice, the subscription information of the network slice, and the like may also be carried, which is not limited herein.
In summary, the first embodiment of the present invention authenticates and authorizes the terminal through the access control function and selects the security algorithm for each network slice subscribed to by a terminal that passes the authentication, so that different network slices have different security algorithms, thereby implementing security isolation between different network slices and providing network security.
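The first embodiment's exchange can be modelled in a few lines. The following Python sketch is an added illustration, not code from the patent: it covers step 3a (one authentication, different security information per subscribed slice), steps 104-105 (first request from the slice control entity), steps 107-108 (second request from the terminal) and the integrity-protected confirmation of step 6. The key derivation (HMAC-SHA256 over an assumed per-terminal root key and the slice identifier), the class and function names, and the identifiers `ue-001`, `mbb` and `iot` are assumptions made for the example; encryption is omitted and only integrity protection is shown.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityInfo:
    """Security information for one (terminal, slice) pair: algorithm plus key."""
    slice_id: str
    integrity_alg: str
    integrity_key: bytes


class AccessControlFunction:
    """Independent authentication/authorization function (the AAA or HSS role)."""

    def __init__(self, subscriptions, root_keys):
        self._subscriptions = subscriptions  # terminal id -> subscribed slice ids
        self._root_keys = root_keys          # terminal id -> root key (assumed to exist)
        self._authenticated = set()
        self._info = {}                      # (terminal id, slice id) -> SecurityInfo

    def authenticate(self, terminal_id):
        """Step 3a: authenticate once, generate different info per subscribed slice."""
        if terminal_id not in self._subscriptions:
            raise PermissionError("unknown terminal")
        self._authenticated.add(terminal_id)
        for slice_id in self._subscriptions[terminal_id]:
            # Assumption: per-slice key = HMAC(root key, label || slice id).
            key = hmac.new(self._root_keys[terminal_id],
                           b"slice-integrity|" + slice_id.encode(),
                           hashlib.sha256).digest()
            self._info[(terminal_id, slice_id)] = SecurityInfo(slice_id, "HMAC-SHA256", key)

    def handle_first_request(self, requesting_slice_id, terminal_id):
        """Steps 104-105: a slice control entity asks for a terminal's info.
        The slice only ever receives the info generated for itself (the
        requester's identity is assumed to be authenticated out of band)."""
        return self._lookup(terminal_id, requesting_slice_id)

    def handle_second_request(self, terminal_id, slice_id):
        """Steps 107-108: the terminal asks for the info of a slice it accesses."""
        return self._lookup(terminal_id, slice_id)

    def _lookup(self, terminal_id, slice_id):
        if terminal_id not in self._authenticated:
            raise PermissionError("terminal not authenticated")
        info = self._info.get((terminal_id, slice_id))
        if info is None:
            raise PermissionError("terminal not subscribed to this slice")
        return info


class SliceControlEntity:
    """Control entity inside one network slice."""

    def __init__(self, slice_id, acf):
        self.slice_id = slice_id
        self._acf = acf
        self._contexts = {}  # terminal id -> SecurityInfo (local terminal context)

    def handle_high_layer_message(self, terminal_id, message):
        """Step 6: fetch missing context, then integrity-protect the confirmation."""
        info = self._contexts.get(terminal_id)
        if info is None:
            info = self._acf.handle_first_request(self.slice_id, terminal_id)
            self._contexts[terminal_id] = info
        confirmation = b"ACK|" + self.slice_id.encode() + b"|" + message
        tag = hmac.new(info.integrity_key, confirmation, hashlib.sha256).digest()
        return confirmation, tag


def terminal_verify(info, confirmation, tag):
    """Terminal side: check the confirmation with the slice's security info."""
    expected = hmac.new(info.integrity_key, confirmation, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo():
    # Constructed sample data: one terminal subscribed to two slices.
    acf = AccessControlFunction({"ue-001": ["mbb", "iot"]},
                                {"ue-001": secrets.token_bytes(32)})
    acf.authenticate("ue-001")
    mbb = SliceControlEntity("mbb", acf)
    confirmation, tag = mbb.handle_high_layer_message("ue-001", b"attach")
    mbb_info = acf.handle_second_request("ue-001", "mbb")
    iot_info = acf.handle_second_request("ue-001", "iot")
    return {
        "keys_differ": mbb_info.integrity_key != iot_info.integrity_key,
        "own_slice_ok": terminal_verify(mbb_info, confirmation, tag),
        "other_slice_rejected": not terminal_verify(iot_info, confirmation, tag),
    }


if __name__ == "__main__":
    print(demo())
```

The `other_slice_rejected` result is the isolation property the embodiment claims: a confirmation protected with one slice's key does not verify under the key generated for another slice, even though the terminal authenticated only once.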
Second embodiment
A second embodiment of the present invention provides a method for acquiring security information of a terminal, which is applied to a network slice, and the method includes:
step 201, receiving security information of a terminal sent by an access control function entity; alternatively, the first and second electrodes may be,
step 301, sending a first request message to an access control function entity, where the first request message carries an identifier of a terminal requesting to access the network slice, and the first request message is used to request to acquire security information of the terminal;
step 302, receiving the security information of the terminal sent by the access control function; or,
step 401, receiving an access request message of a terminal sent by an access device, where the access request message carries security information of the terminal.
Specifically, in step 201 the access control function entity actively provides the information of the terminal to the network slice. Description of the method: the access control function sends information of the terminal, such as security algorithms, keys, and subscription information of the terminal, to a control entity within the network slice. Usage scenario/trigger condition of step 201: after the terminal passes authentication, the access control function selects a security algorithm, generates a key, and so on, for each network slice subscribed to by the terminal according to the subscription information of the terminal, and then sends the related information to the control function in the network slice.
Specifically, in step 301 and step 302 the network slice actively requests the information of the terminal from the access control function entity. Description of the method: the control entity in the network slice sends a request message to the access control function to request the information of the terminal. After receiving the request message, the access control function returns information of the terminal, such as a security algorithm, a key, and subscription information of the terminal. Usage scenarios/trigger conditions of step 202 and step 203: the control function in the network slice receives a request message (for example, a request for accessing the network slice) from the terminal and looks for the context of the terminal locally; if the context of the terminal is not found, the control function performs the above interaction with the access control function to obtain the information of the terminal.
Specifically, in step 401 the access device actively provides the security information of the terminal. Description of the method: after an access device in the access network selects a network slice for a terminal, it sends the access request of the terminal to a control entity of the network slice, and the access request carries the security information of the terminal. Usage scenario/trigger condition of step 204: after the access device of the access network selects a network slice for the terminal, the access device actively sends the security information of the terminal. It should be noted that this method avoids further interaction between the network slice and the access control function entity, thereby increasing security and improving access efficiency.
Further, the security information in the second embodiment of the present invention includes a selected security algorithm and/or a generated key. The security algorithm comprises an encryption algorithm, an integrity protection algorithm and the like; correspondingly, the keys include an encryption algorithm key and an integrity protection algorithm key, and other security algorithms and corresponding keys are also applicable to the present application, which are not enumerated herein.
Third embodiment
A third embodiment of the present invention provides a method for acquiring security information of a network slice, which is applied to a terminal, and includes:
step 501, receiving security information of each network slice subscribed to by the terminal, sent by an access control function entity; or,
step 601, sending a second request message to an access control function entity, where the second request message carries information of a network slice accessed by the terminal, and the second request message is used to request to acquire security information of the network slice;
step 602, receiving the security information of the network slice sent by the access control function entity.
Specifically, in step 501 the access control function actively provides the information: the access control function sends the security information, such as a security algorithm and a key, of each network slice subscribed to by the terminal to the terminal during the authentication process (or after the authentication is completed).
Specifically, in step 601 and step 602 the terminal actively acquires the information: the terminal sends a request message to the access control function, where the message carries a terminal identifier (optional) and network slice information. The access control function returns information related to the network slice, e.g. security algorithms and keys, to the terminal. This method applies after the terminal has successfully accessed a particular network slice and the terminal does not have security information for that network slice.
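The pull exchanges of the second and third embodiments (steps 301/302 and 601/602), together with the push of step 501 and the per-slice generation they rely on, as an added Python example that is not part of the patent. The HMAC-SHA256 key derivation, the algorithm labels, the identifiers, and all class and method names are assumptions, since the patent names no key-generation method or message encoding; the identity of the requesting slice is assumed to be established by the transport.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityInfo:
    slice_id: str
    enc_alg: str    # encryption algorithm selected for this slice
    int_alg: str    # integrity protection algorithm selected for this slice
    enc_key: bytes
    int_key: bytes


def derive_key(master_key: bytes, slice_id: str, purpose: str) -> bytes:
    # Assumption: HMAC-SHA256 as the key derivation; the patent names none.
    # The length prefix keeps distinct (slice_id, purpose) pairs from colliding.
    label = f"{len(slice_id)}:{slice_id}|{purpose}".encode()
    return hmac.new(master_key, label, hashlib.sha256).digest()


class AccessControlFunction:
    def __init__(self, subscriptions, slice_algorithms):
        self.subscriptions = subscriptions        # terminal id -> subscribed slice ids
        self.slice_algorithms = slice_algorithms  # slice id -> (enc_alg, int_alg)
        self._info = {}                           # (terminal id, slice id) -> SecurityInfo

    def on_authenticated(self, terminal_id: str, master_key: bytes) -> None:
        """Called once the terminal has passed authentication: generate
        different security information for each subscribed slice."""
        for slice_id in self.subscriptions.get(terminal_id, ()):
            enc_alg, int_alg = self.slice_algorithms[slice_id]
            self._info[(terminal_id, slice_id)] = SecurityInfo(
                slice_id, enc_alg, int_alg,
                derive_key(master_key, slice_id, "enc"),
                derive_key(master_key, slice_id, "int"),
            )

    def _lookup(self, terminal_id: str, slice_id: str) -> SecurityInfo:
        # Fails closed for an unauthenticated terminal or an unsubscribed slice.
        info = self._info.get((terminal_id, slice_id))
        if info is None:
            raise PermissionError(f"no security information for {terminal_id} on {slice_id}")
        return info

    def handle_first_request(self, requesting_slice: str, terminal_id: str) -> SecurityInfo:
        """Steps 301/302: a slice's control entity asks for a terminal's
        security information. Only the requesting slice's entry is returned."""
        return self._lookup(terminal_id, requesting_slice)

    def handle_second_request(self, terminal_id: str, slice_id: str) -> SecurityInfo:
        """Steps 601/602: the terminal asks for one slice's security information."""
        return self._lookup(terminal_id, slice_id)

    def push_to_terminal(self, terminal_id: str) -> dict:
        """Step 501: everything the terminal is subscribed to, in one message."""
        return {s: i for (t, s), i in self._info.items() if t == terminal_id}


class SliceControlEntity:
    def __init__(self, slice_id: str, acf: AccessControlFunction):
        self.slice_id = slice_id
        self.acf = acf
        self.contexts = {}   # terminal id -> SecurityInfo (local terminal context)

    def on_access_request(self, terminal_id: str) -> SecurityInfo:
        # Trigger from the description: no local context, so pull it from
        # the access control function with a first request message.
        if terminal_id not in self.contexts:
            self.contexts[terminal_id] = self.acf.handle_first_request(
                self.slice_id, terminal_id)
        return self.contexts[terminal_id]


def build_demo():
    # Constructed identifiers, algorithm labels and master key.
    acf = AccessControlFunction(
        subscriptions={"ue-1": {"slice-iot", "slice-video"}},
        slice_algorithms={
            "slice-iot": ("ENC-ALG-1", "INT-ALG-1"),
            "slice-video": ("ENC-ALG-2", "INT-ALG-2"),
            "slice-v2x": ("ENC-ALG-1", "INT-ALG-2"),
        },
    )
    acf.on_authenticated("ue-1", bytes(range(32)))
    return acf, SliceControlEntity("slice-iot", acf), SliceControlEntity("slice-video", acf)


if __name__ == "__main__":
    acf, iot, video = build_demo()
    a, b = iot.on_access_request("ue-1"), video.on_access_request("ue-1")
    print(a.enc_alg, b.enc_alg, a.enc_key != b.enc_key)
```

Because each control entity can only obtain the entry for its own slice, a compromised slice learns nothing about the keys the same terminal uses in another slice.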
Fourth embodiment
As shown in fig. 7, a fourth embodiment of the present invention provides a security information processing apparatus including:
a generating module 41, configured for the access control function entity to generate security information;
a first sending module 42, configured to send the security information to a control entity.
Specifically, in the fourth embodiment of the present invention, the generating module includes:
a generation submodule, configured to generate different security information for the different network slices subscribed to by the terminal, according to the subscription information of the terminal. For example, first security information is generated for a first network slice and second security information is generated for a second network slice.
Specifically, in the fourth embodiment of the present invention, the processing apparatus further includes:
a first receiving module, configured to receive a first request message sent by a control entity in a network slice, where the first request message carries an identifier of a terminal requesting to access the network slice, and the first request message is used to request to acquire security information of the terminal;
and the second sending module is used for sending the security information of the terminal to a control entity in the network slice according to the first request message.
Specifically, in the fourth embodiment of the present invention, the processing apparatus further includes:
and the third sending module is used for sending the security information of each network slice subscribed to by the terminal to the terminal.
Specifically, in the fourth embodiment of the present invention, the processing apparatus further includes:
a second receiving module, configured to receive a second request message sent by the terminal, where the second request message carries information of a network slice accessed by the terminal, and the second request message is used to request to obtain security information of the network slice;
and the fourth sending module is used for sending the security information of the network slice to the terminal according to the second request message.
Specifically, the security information in the fourth embodiment of the present invention includes a security algorithm and/or a key.
It should be noted that the processing apparatus for security information according to the fourth embodiment of the present invention is a processing apparatus capable of implementing the processing method for security information according to the first embodiment, so that all embodiments of the processing method for security information according to the first embodiment are applicable to the fourth embodiment, and the same or similar advantageous effects can be achieved.
Fifth embodiment
In order to better achieve the above object, a fifth embodiment of the present invention further provides a security information processing apparatus, including: a processor; and the memory is connected with the processor through a bus interface, the memory is used for storing programs and data used by the processor in executing operation, and when the processor calls and executes the programs and data stored in the memory, the following functional modules are realized:
the generating module is used for the access control function entity to generate the security information;
and the first sending module is used for sending the security information to a control entity.
It should be noted that the processing apparatus for security information according to the fourth embodiment of the present invention is a processing apparatus capable of implementing the processing method for security information according to the first embodiment, so that all embodiments of the processing method for security information according to the first embodiment are applicable to the fourth embodiment, and the same or similar advantageous effects can be achieved.
Sixth embodiment
A sixth embodiment of the present invention provides an apparatus for acquiring security information of a terminal, including:
the first security information receiving module is used for receiving the security information of the terminal sent by the access control function entity; and/or,
a first request module, configured to send a first request message to an access control function entity, where the first request message carries an identifier of a terminal requesting to access the network slice, and the first request message is used to request to acquire security information of the terminal;
the second security information receiving module is used for receiving the security information of the terminal sent by the access control function; and/or,
and the third security information receiving module is used for receiving an access request message of the terminal sent by the access equipment, wherein the access request message carries the security information of the terminal.
Specifically, the security information in the sixth embodiment of the present invention includes a security algorithm and/or a key.
It should be noted that, the apparatus for acquiring security information of a terminal according to the sixth embodiment of the present invention is an acquiring apparatus capable of implementing the method for acquiring security information of a terminal according to the second embodiment, so that all embodiments of the method for acquiring security information of a terminal according to the second embodiment are applicable to the sixth embodiment, and can achieve the same or similar beneficial effects.
Seventh embodiment
The seventh embodiment of the present invention further provides an apparatus for acquiring security information of a terminal, including: a processor; and the memory is connected with the processor through a bus interface, the memory is used for storing programs and data used by the processor in executing operation, and when the processor calls and executes the programs and data stored in the memory, the following functional modules are realized:
the first security information receiving module is used for receiving the security information of the terminal sent by the access control function entity; and/or,
a first request module, configured to send a first request message to an access control function entity, where the first request message carries an identifier of a terminal requesting to access the network slice, and the first request message is used to request to acquire security information of the terminal;
the second security information receiving module is used for receiving the security information of the terminal sent by the access control function; and/or,
and the third security information receiving module is used for receiving an access request message of the terminal sent by the access equipment, wherein the access request message carries the security information of the terminal.
It should be noted that, the apparatus for acquiring security information of a terminal according to the seventh embodiment of the present invention is an acquiring apparatus capable of implementing the method for acquiring security information of a terminal according to the second embodiment, so that all embodiments of the method for acquiring security information of a terminal according to the second embodiment are applicable to the seventh embodiment, and can achieve the same or similar beneficial effects.
Eighth embodiment
An eighth embodiment of the present invention provides an apparatus for acquiring security information of a network slice, including:
the fourth security information receiving module is used for receiving the security information of each network slice subscribed to by the terminal, which is sent by the access control function entity; and/or,
a second request module, configured to send a second request message to an access control function entity, where the second request message carries information of a network slice accessed by the terminal, and the second request message is used to request to acquire security information of the network slice;
and the fifth security information receiving module is configured to receive the security information of the network slice sent by the access control function entity.
Specifically, in the eighth embodiment of the present invention, the security information includes a security algorithm and/or a key.
It should be noted that, the apparatus for acquiring security information of a network slice according to the eighth embodiment of the present invention is an acquiring apparatus capable of implementing the method for acquiring security information of a network slice according to the third embodiment, so that all embodiments of the method for acquiring security information of a network slice according to the third embodiment are applicable to the eighth embodiment, and can achieve the same or similar beneficial effects.
Ninth embodiment
A ninth embodiment of the present invention provides an apparatus for acquiring security information of a network slice, including: a processor; and the memory is connected with the processor through a bus interface, the memory is used for storing programs and data used by the processor in executing operation, and when the processor calls and executes the programs and data stored in the memory, the following functional modules are realized:
the fourth security information receiving module is used for receiving the security information of each network slice subscribed to by the terminal, which is sent by the access control function entity; and/or,
a second request module, configured to send a second request message to an access control function entity, where the second request message carries information of a network slice accessed by the terminal, and the second request message is used to request to acquire security information of the network slice;
and the fifth security information receiving module is configured to receive the security information of the network slice sent by the access control function entity.
It should be noted that, the apparatus for acquiring security information of a network slice according to the ninth embodiment of the present invention is an acquiring apparatus capable of implementing the method for acquiring security information of a network slice according to the third embodiment, so that all embodiments of the method for acquiring security information of a network slice according to the third embodiment are applicable to the ninth embodiment, and can achieve the same or similar beneficial effects.
While the foregoing is directed to the preferred embodiment of the present invention, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (20)

1. A method for processing security information, comprising:
the access control function entity generates security information for the terminal, wherein the terminal is simultaneously accessed into a plurality of network slices, different services of the terminal are respectively accessed into different network slices, and the network function in each network slice is a combination of specific logic network functions aiming at specific service requirements;
and sending the security information to a control entity.
2. The method for processing security information according to claim 1, wherein the step of generating the security information by the access control function entity comprises:
and generating different security information for different network slices subscribed to by the terminal according to the subscription information of the terminal.
3. The method for processing security information according to claim 1, further comprising:
receiving a first request message sent by a control entity in a network slice, wherein the first request message carries an identifier of a terminal requesting to access the network slice, and the first request message is used for requesting to acquire security information of the terminal;
and sending the security information of the terminal to a control entity in the network slice according to the first request message.
4. The method for processing security information according to claim 2, further comprising:
and sending the security information of each network slice subscribed to by the terminal to the terminal.
5. The method for processing security information according to claim 1, further comprising:
receiving a second request message sent by a terminal, wherein the second request message carries information of a network slice accessed by the terminal, and the second request message is used for requesting to acquire security information of the network slice;
and sending the security information of the network slice to the terminal according to the second request message.
6. Method for processing security information according to any of claims 1 to 5, characterized in that the security information comprises a security algorithm and/or a key.
7. A method for acquiring security information of a terminal is applied to network slicing and is characterized by comprising the following steps:
receiving security information of a terminal sent by an access control function entity; or,
sending a first request message to an access control function entity, wherein the first request message carries an identifier of a terminal requesting to access a network slice, and the first request message is used for requesting to acquire security information of the terminal;
receiving security information of the terminal sent by the access control function entity; or,
receiving an access request message of a terminal sent by access equipment, wherein the access request message carries security information of the terminal;
the terminal is simultaneously accessed into a plurality of network slices, different services of the terminal are respectively accessed into different network slices, and the network function in each network slice is a combination of specific logic network functions aiming at specific service requirements.
8. The method for acquiring security information of a terminal according to claim 7, wherein the security information comprises a security algorithm and/or a key.
9. A method for acquiring security information of a network slice is applied to a terminal, and is characterized by comprising the following steps:
receiving security information of each network slice subscribed to by the terminal, sent by an access control function entity; or,
sending a second request message to an access control function entity, wherein the second request message carries information of a network slice accessed by the terminal, and the second request message is used for requesting to acquire security information of the network slice;
receiving security information of the network slice sent by the access control function entity;
the terminal is simultaneously accessed into a plurality of network slices, different services of the terminal are respectively accessed into different network slices, and the network function in each network slice is a combination of specific logic network functions aiming at specific service requirements.
10. The method for acquiring security information of a network slice according to claim 9, wherein the security information comprises a security algorithm and/or a key.
11. An apparatus for processing security information, comprising:
the generating module is used for the access control function entity to generate security information for the terminal, wherein the terminal is simultaneously accessed into a plurality of network slices, different services of the terminal are respectively accessed into different network slices, and the network function in each network slice is a combination of specific logic network functions aiming at specific service requirements;
and the first sending module is used for sending the security information to the control entity.
12. The apparatus for processing security information according to claim 11, wherein the generating module comprises:
and the generation submodule is used for generating different security information for different network slices subscribed to by the terminal according to the subscription information of the terminal.
13. The apparatus for processing security information according to claim 11, further comprising:
a first receiving module, configured to receive a first request message sent by a control entity in a network slice, where the first request message carries an identifier of a terminal requesting to access the network slice, and the first request message is used to request to acquire security information of the terminal;
and the second sending module is used for sending the security information of the terminal to a control entity in the network slice according to the first request message.
14. The apparatus for processing security information according to claim 12, further comprising:
and the third sending module is used for sending the security information of each network slice subscribed to by the terminal to the terminal.
15. The apparatus for processing security information according to claim 11, further comprising:
a second receiving module, configured to receive a second request message sent by a terminal, where the second request message carries information of a network slice accessed by the terminal, and the second request message is used to request to acquire security information of the network slice;
and the fourth sending module is used for sending the security information of the network slice to the terminal according to the second request message.
16. The apparatus for processing security information according to any of claims 11-15, wherein the security information comprises a security algorithm and/or a key.
17. An apparatus for acquiring security information of a terminal, comprising:
the first security information receiving module is used for receiving the security information of the terminal sent by the access control function entity; and/or,
a first request module, configured to send a first request message to an access control function entity, where the first request message carries an identifier of a terminal requesting to access a network slice, and the first request message is used to request to acquire security information of the terminal;
the second security information receiving module is used for receiving the security information of the terminal sent by the access control function entity; and/or,
a third security information receiving module, configured to receive an access request message of a terminal sent by an access device, where the access request message carries security information of the terminal;
the terminal is simultaneously accessed into a plurality of network slices, different services of the terminal are respectively accessed into different network slices, and the network function in each network slice is a combination of specific logic network functions aiming at specific service requirements.
18. The apparatus for acquiring security information of a terminal according to claim 17, wherein the security information comprises a security algorithm and/or a key.
19. An apparatus for acquiring security information of a network slice, comprising:
the fourth security information receiving module is used for receiving the security information of each network slice subscribed to by the terminal, which is sent by the access control function entity; and/or,
a second request module, configured to send a second request message to an access control function entity, where the second request message carries information of a network slice accessed by the terminal, and the second request message is used to request to acquire security information of the network slice;
a fifth security information receiving module, configured to receive the security information of the network slice sent by the access control function entity;
the terminal is simultaneously accessed into a plurality of network slices, different services of the terminal are respectively accessed into different network slices, and the network function in each network slice is a combination of specific logic network functions aiming at specific service requirements.
20. The apparatus for acquiring security information of a network slice according to claim 19, wherein the security information includes a security algorithm and a key.
CN201610091142.2A 2016-02-18 2016-02-18 Processing method and device, and obtaining method and device of security information Active CN107094127B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610091142.2A CN107094127B (en) 2016-02-18 2016-02-18 Processing method and device, and obtaining method and device of security information

Publications (2)

Publication Number Publication Date
CN107094127A CN107094127A (en) 2017-08-25
CN107094127B true CN107094127B (en) 2020-02-28

Family

ID=59648747

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610091142.2A Active CN107094127B (en) 2016-02-18 2016-02-18 Processing method and device, and obtaining method and device of security information

Country Status (1)

Country Link
CN (1) CN107094127B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109600246B (en) * 2017-09-30 2021-09-21 华为技术有限公司 Network slice management method and device
WO2019080070A1 (en) * 2017-10-26 2019-05-02 Oppo广东移动通信有限公司 Wireless communication method and device
CN110086757B (en) * 2018-01-26 2020-08-07 华为技术有限公司 Communication method and communication device
CN110392370A (en) * 2018-04-19 2019-10-29 上海华为技术有限公司 A kind of machinery of consultation of security algorithm and device
CN110677884B (en) * 2018-07-03 2022-03-01 中国电信股份有限公司 Terminal, network access method, device, system and computer readable storage medium
CN111031486B (en) * 2018-10-10 2021-05-11 电信科学技术研究院有限公司 Positioning service key distribution method and device
CN112752265B (en) * 2019-10-31 2023-09-22 华为技术有限公司 Access control method, device and storage medium for network slice
WO2023236093A1 (en) * 2022-06-08 2023-12-14 Nokia Shanghai Bell Co., Ltd. Devices, methods, apparatuses, and computer readable media for network slice isolation
CN117858075A (en) * 2022-09-30 2024-04-09 中兴通讯股份有限公司 Bearer establishment processing method, device, system and base station

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101505470A (en) * 2008-02-04 2009-08-12 华为技术有限公司 Policy control method and equipment
CN101631354A (en) * 2008-07-18 2010-01-20 华为技术有限公司 Method, device and system for selecting packet data network
CN103067245A (en) * 2012-12-28 2013-04-24 中兴通讯股份有限公司 Flow table spatial isolation device and method for network virtualization
CN103905523A (en) * 2013-12-23 2014-07-02 浪潮(北京)电子信息产业有限公司 Cloud computing network virtualization method and system based on SDN

Also Published As

Publication number Publication date
CN107094127A (en) 2017-08-25

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100191 No. 40, Haidian District, Beijing, Xueyuan Road

Patentee after: CHINA ACADEMY OF TELECOMMUNICATIONS TECHNOLOGY

Address before: 100191 No. 40, Haidian District, Beijing, Xueyuan Road

Patentee before: CHINA ACADEMY OF TELECOMMUNICATIONS TECHNOLOGY

CP01 Change in the name or title of a patent holder
TR01 Transfer of patent right

Effective date of registration: 20210610

Address after: 100085 1st floor, building 1, yard 5, Shangdi East Road, Haidian District, Beijing

Patentee after: DATANG MOBILE COMMUNICATIONS EQUIPMENT Co.,Ltd.

Address before: 100191 No. 40, Haidian District, Beijing, Xueyuan Road

Patentee before: CHINA ACADEMY OF TELECOMMUNICATIONS TECHNOLOGY

TR01 Transfer of patent right