Disclosure of Invention
The invention aims to provide a method and a device for processing security information and a method and a device for acquiring security information, which solve the problem that in the prior art, different security algorithms and keys cannot be provided for different network slices, so that the security isolation between different network slices cannot be realized.
In order to achieve the above object, an embodiment of the present invention provides a method for processing security information, including:
the access control function entity generates security information;
and sending the security information to a control entity.
Wherein, the step of generating the security information by the access control function entity comprises:
generating different security information for different network slices subscribed to by the terminal according to the subscription information of the terminal.
Wherein, the processing method further comprises:
receiving a first request message sent by a control entity in a network slice, wherein the first request message carries an identifier of a terminal requesting to access the network slice, and the first request message is used for requesting to acquire security information of the terminal;
and sending the security information of the terminal to a control entity in the network slice according to the first request message.
Wherein, the processing method further comprises:
sending the security information of each network slice subscribed to by the terminal to the terminal.
Wherein, the processing method further comprises:
receiving a second request message sent by a terminal, wherein the second request message carries information of a network slice accessed by the terminal, and the second request message is used for requesting to acquire security information of the network slice;
and sending the security information of the network slice to the terminal according to the second request message.
Wherein the security information comprises a security algorithm and/or a key.
The embodiment of the invention also provides a method for acquiring the security information of the terminal, which is applied to network slicing and comprises the following steps:
receiving security information of a terminal sent by an access control function entity; or,
sending a first request message to an access control function entity, wherein the first request message carries an identifier of a terminal requesting to access a network slice, and the first request message is used for requesting to acquire security information of the terminal;
receiving the security information of the terminal sent by the access control function entity; or,
receiving an access request message of a terminal sent by an access device, wherein the access request message carries security information of the terminal.
Wherein the security information comprises a security algorithm and/or a key.
The embodiment of the invention also provides a method for acquiring the security information of the network slice, which is applied to a terminal and comprises the following steps:
receiving security information of each network slice subscribed to by the terminal, sent by an access control function entity; or,
sending a second request message to an access control function entity, wherein the second request message carries information of a network slice accessed by the terminal, and the second request message is used for requesting to acquire security information of the network slice;
and receiving the security information of the network slice sent by the access control function entity.
Wherein the security information comprises a security algorithm and a key.
An embodiment of the present invention further provides a device for processing security information, including:
a generating module, configured for the access control function entity to generate security information;
and a first sending module, configured to send the security information to a control entity.
Wherein the generating module comprises:
a generation submodule, configured to generate different security information for different network slices subscribed to by the terminal according to the subscription information of the terminal.
Wherein the processing device further comprises:
a first receiving module, configured to receive a first request message sent by a control entity in a network slice, where the first request message carries an identifier of a terminal requesting to access the network slice, and the first request message is used to request to acquire security information of the terminal;
and the second sending module is used for sending the security information of the terminal to a control entity in the network slice according to the first request message.
Wherein the processing device further comprises:
a third sending module, configured to send the security information of each network slice subscribed to by the terminal to the terminal.
Wherein the processing device further comprises:
a second receiving module, configured to receive a second request message sent by a terminal, where the second request message carries information of a network slice accessed by the terminal, and the second request message is used to request to acquire security information of the network slice;
and the fourth sending module is used for sending the security information of the network slice to the terminal according to the second request message.
Wherein the security information comprises a security algorithm and/or a key.
An embodiment of the present invention further provides an apparatus for acquiring security information of a terminal, including:
a first security information receiving module, configured to receive the security information of the terminal sent by the access control function entity; and/or,
a first request module, configured to send a first request message to an access control function entity, where the first request message carries an identifier of a terminal requesting to access a network slice, and the first request message is used to request to acquire security information of the terminal;
a second security information receiving module, configured to receive the security information of the terminal sent by the access control function entity; and/or,
and the third security information receiving module is used for receiving an access request message of the terminal sent by the access equipment, wherein the access request message carries the security information of the terminal.
Wherein the security information comprises a security algorithm and/or a key.
An embodiment of the present invention further provides an apparatus for acquiring security information of a network slice, including:
a fourth security information receiving module, configured to receive the security information of each network slice subscribed to by the terminal, sent by the access control function entity; and/or,
a second request module, configured to send a second request message to an access control function entity, where the second request message carries information of a network slice accessed by the terminal, and the second request message is used to request to acquire security information of the network slice;
and the fifth security information receiving module is configured to receive the security information of the network slice sent by the access control function entity.
Wherein the security information comprises a security algorithm and/or a key.
The technical scheme of the invention at least has the following beneficial effects:
in the security information processing method and device and the security information acquisition method and device of the embodiments of the present invention, the access control function entity authenticates and authorizes the terminal and is responsible for generating different security information for the different network slices subscribed to by the terminal; the network slice processes the high-level message sent by the terminal using the generated security information, so that the terminal accesses the network slice, thereby implementing security isolation between different network slices and improving access security.
Detailed Description
In order to make the technical problems, technical solutions and advantages of the present invention more apparent, the following detailed description is given with reference to the accompanying drawings and specific embodiments.
First embodiment
As shown in fig. 2, a first embodiment of the present invention provides a processing method of security information, including:
step 101, an access control function entity generates security information;
step 102, sending the security information to a control entity.
It should be noted that the access control function entity provided in the embodiment of the present invention may be an AAA or an HSS, where AAA denotes Authentication, Authorization and Accounting, and HSS denotes Home Subscriber Server.
Fig. 3 shows a system architecture of a method for accessing a terminal to a network slice according to an embodiment of the present invention. The system architecture extracts the authentication and authorization functions from each network slice to form an independent function, that is, the access control function in fig. 3, where the access control function authenticates and authorizes the terminal when triggered by an access network and is responsible for selecting security information for the network slices subscribed to by the terminal; a network slice may include one or more control functions, and different control functions support different functions.
Specifically, step 101 is that the access control function entity generates different security information for different network slices subscribed by the terminal according to the subscription information of the terminal. For example, first security information is generated for a first network slice and second security information is generated for a second network slice.
Further, the security information in the first embodiment of the present invention includes a selected security algorithm and/or a generated key. The security algorithm comprises an encryption algorithm, an integrity protection algorithm and the like; correspondingly, the keys include an encryption algorithm key and an integrity protection algorithm key, and other security algorithms and corresponding keys are also applicable to the present application, which are not enumerated herein.
In the first embodiment of the present invention, the subscription information of the terminal may be stored in the access control function entity, or may be stored in another function entity, such as an HSS. Accordingly, the access control functional entity may obtain the subscription information of the terminal from its own storage area, or may obtain the subscription information from other functional entities, which is not limited herein.
Specifically, as shown in fig. 4, when the method for processing security information according to the first embodiment of the present invention is applied, the flow of the terminal accessing the network slice is as follows:
step 1, a terminal sends an access request message to an access device in an access network, wherein the access request message comprises the network slice type requested by the terminal, an identifier of the terminal and a high-level message of the terminal;
step 2, the access network first judges whether the context of the terminal is stored in the access network. If the access network stores the context of the terminal, it skips to step 4. If not, the access network sends an access request message to the access control function, the message carrying the terminal identifier and, optionally, the network slice type. The access control function then judges whether the terminal has already passed authentication: if so (for example, the terminal passed an authentication performed via another access network), step 3b is executed and the subscription information of the terminal is returned to the access network; if not, step 3a is executed to authenticate the terminal.
step 3a, the access control function authenticates and authorizes the terminal, and if the terminal passes the authentication, the subscription information of the terminal is returned to the access network in the authentication process. The access control function also selects security information for each network slice subscribed to by the terminal;
step 3b, the terminal has already passed the authentication, and the access control function sends an access reply message to the access network, wherein the message carries the subscription information of the terminal.
step 4, the access network selects at least one network slice for the terminal according to the network slice type requested by the terminal and the subscription information of the terminal.
step 5, the access network sends the high-level message contained in the access request message to the selected network slice.
step 6, the network slice judges, according to the subscription information of the terminal, whether the terminal is permitted to access the network slice, and if so, processes the high-level message and forms a confirmation message. The network slice processes the confirmation message with the security information (security algorithm and key), for example encrypting and integrity-protecting the message, and then returns the processed confirmation message to the terminal; at this point the terminal has accessed the network slice.
It should be noted that, in the present application, an access device generally refers to a device in a radio access network through which a terminal accesses the network over a wireless interface, for example, an eNB in LTE, a radio access device in a future 5G network (implementing a function similar to that of the eNB), an AP or a TWAG of a WLAN, and the like.
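The access flow of steps 1 to 6 above, together with the generation of distinct security information per subscribed slice (step 101) and its delivery to the slice and to the terminal, as an added Python simulation. This is not code from the patent: the key derivation, the SHA-256 counter keystream standing in for the selected encryption algorithm, and the terminal identifier, slice identifiers and long-term key are all assumed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class SecurityInfo:
    """Security information in the sense of the patent: selected algorithm plus keys."""
    algorithm: str
    enc_key: bytes
    int_key: bytes


# Constructed subscription data held by the access control function (AAA/HSS).
# Terminal id, long-term key and slice ids are made-up sample values.
SUBSCRIPTIONS = {
    "term-0001": {
        "k_master": bytes.fromhex("000102030405060708090a0b0c0d0e0f"),
        "slices": {"eMBB": "slice-A", "mMTC": "slice-B"},  # slice type -> slice id
    },
}


def derive_security_info(k_master: bytes, terminal_id: str, slice_id: str) -> SecurityInfo:
    """Assumed derivation (the patent fixes none): keys are bound to the slice id,
    so the security information of two slices never coincides."""
    def kdf(label: str) -> bytes:
        ctx = f"{terminal_id}|{slice_id}|{label}".encode()
        return hmac.new(k_master, ctx, hashlib.sha256).digest()
    return SecurityInfo("sha256-ctr/hmac-sha256", kdf("enc"), kdf("int"))


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """SHA-256 counter keystream: a stand-in for the negotiated encryption algorithm."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(d ^ s for d, s in zip(data, stream))


def protect(info: SecurityInfo, plaintext: bytes) -> bytes:
    """Slice side of step 6: encrypt, then append an integrity tag over the ciphertext."""
    ct = _xor_stream(info.enc_key, plaintext)
    return ct + hmac.new(info.int_key, ct, hashlib.sha256).digest()


def unprotect(info: SecurityInfo, msg: bytes) -> Optional[bytes]:
    """Terminal side: verify the tag first; None means wrong slice key or tampering."""
    ct, tag = msg[:-32], msg[-32:]
    if not hmac.compare_digest(tag, hmac.new(info.int_key, ct, hashlib.sha256).digest()):
        return None
    return _xor_stream(info.enc_key, ct)


class AccessControlFunction:
    def __init__(self, subscriptions):
        self.subs = subscriptions
        self.security_info: Dict[str, Dict[str, SecurityInfo]] = {}

    def access_request(self, terminal_id: str) -> Optional[dict]:
        """Steps 2/3a/3b: authenticate (modelled as a subscription lookup); on the
        first success generate security information for every subscribed slice."""
        sub = self.subs.get(terminal_id)
        if sub is None:
            return None  # authentication fails: no subscription information returned
        if terminal_id not in self.security_info:  # not yet authenticated (step 3a)
            self.security_info[terminal_id] = {
                sid: derive_security_info(sub["k_master"], terminal_id, sid)
                for sid in sub["slices"].values()}
        return sub["slices"]  # subscription information for the access network

    def push_to_slice(self, terminal_id: str, slice_: "NetworkSlice") -> None:
        """Step 103: only this slice's own security information leaves the ACF."""
        slice_.contexts[terminal_id] = self.security_info[terminal_id][slice_.slice_id]

    def push_to_terminal(self, terminal_id: str) -> Dict[str, SecurityInfo]:
        """Step 106: the terminal gets the security information of all its slices."""
        return dict(self.security_info[terminal_id])


class NetworkSlice:
    def __init__(self, slice_id: str):
        self.slice_id, self.contexts = slice_id, {}

    def handle(self, terminal_id, subscribed: dict, high_level_msg: bytes) -> Optional[bytes]:
        """Step 6: admit only subscribed terminals, then return a protected confirmation."""
        if self.slice_id not in subscribed.values():
            return None
        return protect(self.contexts[terminal_id], b"ACCEPT:" + high_level_msg)


class AccessNetwork:
    def __init__(self, acf: AccessControlFunction, slices: Dict[str, NetworkSlice]):
        self.acf, self.slices, self.contexts = acf, slices, {}

    def access(self, terminal_id: str, slice_type: str, high_level_msg: bytes) -> Optional[bytes]:
        """Steps 1-5: cached context or ACF authentication, slice selection, forwarding."""
        sub = self.contexts.get(terminal_id)
        if sub is None:
            sub = self.acf.access_request(terminal_id)
            if sub is None:
                return None
            self.contexts[terminal_id] = sub
        slice_id = sub.get(slice_type)
        if slice_id is None:
            return None  # step 4: requested slice type is not in the subscription
        slice_ = self.slices[slice_id]
        self.acf.push_to_slice(terminal_id, slice_)
        return slice_.handle(terminal_id, sub, high_level_msg)


def run_access_flow():
    """Returns (confirmation decoded with slice-A's key, result with slice-B's key)."""
    acf = AccessControlFunction(SUBSCRIPTIONS)
    ran = AccessNetwork(acf, {sid: NetworkSlice(sid) for sid in ("slice-A", "slice-B")})
    reply = ran.access("term-0001", "eMBB", b"attach")  # eMBB maps to slice-A
    keys = acf.push_to_terminal("term-0001")
    return unprotect(keys["slice-A"], reply), unprotect(keys["slice-B"], reply)
```

run_access_flow() yields the decoded confirmation for slice-A and None for the attempt with slice-B's key, which is the isolation property the embodiment aims at: a party holding only one slice's security information can neither verify nor read traffic protected under another slice's, because each slice's keys are derived separately from the terminal's subscription. The ACF also hands a slice only its own entry, never the whole per-terminal map.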
Further, after the access control function entity generates different security information for different network slices subscribed by the terminal in the first embodiment of the present invention, the method further includes:
step 103, sending the security information of the terminal to each network slice subscribed to by the terminal.
Specifically, after the terminal passes the authentication, the access control function generates security information for each network slice subscribed by the terminal according to the subscription information of the terminal, and then sends the security information of the terminal to the control entity in the network slice. If the terminal provides the requested network slice type in the authentication process, the access control function entity only sends the security information of the terminal to the network slice of the type after the authentication is successful. In another case, after selecting a network slice for a terminal, an access device of an access network sends information that the terminal is about to access the network slice to an access control function entity, and after receiving the information, the access control function sends security information of the terminal to the control entity of the network slice.
Note that, when the security information of the terminal is sent to each network slice subscribed to by the terminal in step 103, the identifier of the terminal, the subscription information of the terminal and the like are also carried, which is not particularly limited herein.
Further, step 103 above represents a method for an access control function module to actively send security information of a terminal to a network slice, and a first embodiment of the present invention further provides a method for a control entity in the network slice to actively obtain security information of the terminal, as shown in fig. 5, the method further includes:
step 104, receiving a first request message sent by a control entity in a network slice, wherein the first request message carries an identifier of a terminal requesting to access the network slice, and the first request message is used for requesting to acquire security information of the terminal;
and step 105, sending the security information of the terminal to the control entity in the network slice according to the first request message.
Specifically, the usage scenario of the method is as follows: a control entity in a network slice receives a request message (such as a request for accessing the network slice) from a terminal but does not find the context of the terminal locally; in that case, the control entity in the network slice sends a first request message to the access control function entity to request the security information of the terminal. After receiving the request message, the access control function returns the security information of the terminal, such as a security algorithm, a key and the like.
Note that, when the security information of the terminal is sent to the control entity in the network slice in step 105, the identifier of the terminal, the subscription information of the terminal and the like are also carried, and the present invention is not limited to this.
Further, in the first embodiment of the present invention, after generating different security information for different network slices subscribed by the terminal, the processing method further includes:
step 106, sending the security information of each network slice subscribed to by the terminal to the terminal. Specifically, the security information of each network slice subscribed to by the terminal may be sent to the terminal during the authentication process, or after the authentication is completed, which is not limited herein.
Correspondingly, after the terminal has acquired the security information of the network slice and receives the confirmation message sent by the network slice in step 6, the terminal processes the confirmation message according to the security algorithm and key related to that network slice which it acquired from the access control function, for example decrypting the confirmation message and verifying its integrity. The terminal thereby performs a security verification of the network slice in turn, so that bidirectional verification between the network slice and the terminal is realized and the security of accessing the network slice is further ensured.
Note that, when the security information of the network slice is sent to the terminal in step 106, the identifier of the network slice, the subscription information of the network slice and the like are also carried, which is not particularly limited herein.
Further, step 106 above represents a method for the access control function module to actively send the security information of the network slice to the terminal, and a first embodiment of the present invention further provides a method for the terminal to actively obtain the security information of the network slice, as shown in fig. 6, the method further includes:
step 107, receiving a second request message sent by the terminal, where the second request message carries information of a network slice accessed by the terminal, and the second request message is used for requesting to acquire security information of the network slice;
and step 108, sending the security information of the network slice to the terminal according to the second request message.
The information of the network slice refers to information that can indicate the identity of the network slice, such as an identifier of the network slice or an APN, and is not particularly limited herein. Specifically, steps 107 and 108 describe that, after the terminal passes the authentication, when the terminal accesses a new network slice it interacts with the access control function to acquire the security information related to that network slice. The method is generally applied after the terminal has successfully accessed a specific network slice but does not yet have the security information of that network slice.
Note that, when the security information of the network slice is sent to the terminal in step 108, the identifier of the network slice, the subscription information of the network slice and the like are also carried, and the description is not limited herein.
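The two pull variants, steps 104/105 (a control entity in a network slice asks for a terminal's security information after a context miss) and steps 107/108 (a terminal asks for a slice's security information after accessing a new slice), as an added Python model. This is not code from the patent. The security information values, terminal and slice identifiers and the APN-to-slice mapping are constructed sample data; two behaviours are design choices of this example rather than statements of the patent: the access control function answers a first request only with the requesting slice's own entry, and it resolves the terminal from the authenticated session rather than trusting an identifier carried in the second request.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class SecurityInfo:
    algorithm: str
    key: bytes


# Constructed: per-slice security information the access control function generated
# when the terminal was authenticated (made-up values; slice ids and APN are assumed).
ACF_STORE: Dict[str, Dict[str, SecurityInfo]] = {
    "term-0001": {
        "slice-A": SecurityInfo("alg-1", b"key-A"),
        "slice-B": SecurityInfo("alg-2", b"key-B"),
    },
}
APN_TO_SLICE = {"iot.example": "slice-B"}  # slice information may be an APN, not an id


@dataclass(frozen=True)
class FirstRequest:          # step 104: sent by a control entity in a network slice
    terminal_id: str


@dataclass(frozen=True)
class SecondRequest:         # step 107: sent by the terminal
    slice_info: str                      # network slice identifier or APN
    terminal_id: Optional[str] = None    # optional, as in the third embodiment


class AccessControlFunction:
    def __init__(self, store, apn_map):
        self.store, self.apn_map = store, apn_map

    def handle_first_request(self, requesting_slice_id: str, req: FirstRequest) -> Optional[SecurityInfo]:
        """Step 105. Example design choice: return only the requesting slice's own
        security information, never the keys generated for other slices."""
        per_slice = self.store.get(req.terminal_id)
        return None if per_slice is None else per_slice.get(requesting_slice_id)

    def handle_second_request(self, session_terminal_id: str, req: SecondRequest) -> Optional[SecurityInfo]:
        """Step 108. The terminal id of the authenticated session is authoritative; an
        optional id in the message that contradicts it is refused."""
        if req.terminal_id is not None and req.terminal_id != session_terminal_id:
            return None
        slice_id = self.apn_map.get(req.slice_info, req.slice_info)
        return self.store.get(session_terminal_id, {}).get(slice_id)


class SliceControlEntity:
    def __init__(self, slice_id: str, acf: AccessControlFunction):
        self.slice_id, self.acf = slice_id, acf
        self.contexts: Dict[str, SecurityInfo] = {}
        self.first_requests_sent = 0

    def on_terminal_request(self, terminal_id: str) -> str:
        """A local context miss triggers the first request; a hit is served locally."""
        info = self.contexts.get(terminal_id)
        if info is None:
            self.first_requests_sent += 1
            info = self.acf.handle_first_request(self.slice_id, FirstRequest(terminal_id))
            if info is None:
                return "reject"  # terminal never authenticated, or not subscribed here
            self.contexts[terminal_id] = info
        return "accept"


class Terminal:
    def __init__(self, terminal_id: str, acf: AccessControlFunction):
        self.terminal_id, self.acf = terminal_id, acf
        self.slice_keys: Dict[str, SecurityInfo] = {}
        self.second_requests_sent = 0

    def security_info_for(self, slice_info: str) -> Optional[SecurityInfo]:
        """Used after accessing a slice whose security information is still missing."""
        if slice_info not in self.slice_keys:
            self.second_requests_sent += 1
            info = self.acf.handle_second_request(self.terminal_id, SecondRequest(slice_info))
            if info is None:
                return None
            self.slice_keys[slice_info] = info
        return self.slice_keys[slice_info]
```

Both sides cache what they receive, so a repeated request for the same terminal or slice is served from local context and no second round trip to the access control function is needed; an unknown terminal, or a slice the terminal is not subscribed to, yields a refusal rather than an empty key.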
In summary, in the first embodiment of the present invention the access control function authenticates and authorizes the terminal and selects a security algorithm for each network slice subscribed to by the authenticated terminal, so that different network slices have different security algorithms, thereby implementing security isolation between different network slices and improving network security.
Second embodiment
A second embodiment of the present invention provides a method for acquiring security information of a terminal, which is applied to a network slice, and the method includes:
step 201, receiving security information of a terminal sent by an access control function entity; or,
step 301, sending a first request message to an access control function entity, where the first request message carries an identifier of a terminal requesting to access the network slice, and the first request message is used to request to acquire security information of the terminal;
step 302, receiving the security information of the terminal sent by the access control function entity; or,
step 401, receiving an access request message of a terminal sent by an access device, where the access request message carries security information of the terminal.
Specifically, step 201 is the case where the access control function entity actively provides the information of the terminal to the network slice. Description of the method: the access control function sends information of the terminal, such as the security algorithm, the key, the subscription information of the terminal and the like, to a control entity in the network slice. Usage scenario/trigger condition of step 201: after the terminal passes the authentication, the access control function selects a security algorithm, generates a key and the like for each network slice subscribed to by the terminal according to the subscription information of the terminal, and then sends the related information to the control function in the network slice.
Specifically, step 301 and step 302 are the case where the network slice actively requests the information of the terminal from the access control function entity. Description of the method: the control entity in the network slice sends a request message to the access control function to request the information of the terminal. After receiving the request message, the access control function returns the information of the terminal, such as the security algorithm, the key, the subscription information of the terminal and the like. Usage scenario/trigger condition of step 202 and step 203: the control function in the network slice receives a request message (for example, a request for accessing the network slice) from the terminal but does not find the context of the terminal locally; if the context of the terminal is not found, the control function performs the above interaction with the access control function to obtain the information of the terminal.
Specifically, step 401 is the case where the access device actively provides the security information of the terminal. Description of the method: after an access device in the access network selects a network slice for a terminal, it sends the access request of the terminal to a control entity of the network slice, and the access request of the terminal carries the security information of the terminal. Usage scenario/trigger condition of step 204: after the access device of the access network selects a network slice for the terminal, the access device actively sends the security information of the terminal. It should be noted that this method avoids a further interaction between the network slice and the access control function entity, thereby increasing security and improving access efficiency.
Further, the security information in the second embodiment of the present invention includes a selected security algorithm and/or a generated key. The security algorithm comprises an encryption algorithm, an integrity protection algorithm and the like; correspondingly, the keys include an encryption algorithm key and an integrity protection algorithm key, and other security algorithms and corresponding keys are also applicable to the present application, which are not enumerated herein.
Third embodiment
A third embodiment of the present invention provides a method for acquiring security information of a network slice, which is applied to a terminal, and includes:
step 501, receiving security information of each network slice subscribed to by the terminal, sent by an access control function entity; or,
step 601, sending a second request message to an access control function entity, where the second request message carries information of a network slice accessed by the terminal, and the second request message is used to request to acquire security information of the network slice;
step 602, receiving the security information of the network slice sent by the access control function entity.
Specifically, step 501 is the case where the access control function actively provides the information, which means that the access control function sends the security information of each network slice subscribed to by the terminal, such as the security algorithm and key, to the terminal during the authentication process (or after the authentication is completed).
Specifically, step 601 and step 602 are the case where the terminal actively acquires the information, which means that the terminal sends a request message to the access control function, where the message carries a terminal identifier (optional) and network slice information. The access control function returns the information related to the network slice, e.g. the security algorithm and key, to the terminal. The method is performed after the terminal has successfully accessed a particular network slice but does not yet have the security information of that network slice.
Fourth embodiment
As shown in fig. 7, a fourth embodiment of the present invention provides a security information processing apparatus including:
a generating module 41, configured for the access control function entity to generate security information;
a first sending module 42, configured to send the security information to a control entity.
Specifically, in the fourth embodiment of the present invention, the generating module includes:
a generation submodule, configured to generate different security information for different network slices subscribed to by the terminal according to the subscription information of the terminal. For example, first security information is generated for a first network slice and second security information is generated for a second network slice.
Specifically, in the fourth embodiment of the present invention, the processing apparatus further includes:
a first receiving module, configured to receive a first request message sent by a control entity in a network slice, where the first request message carries an identifier of a terminal requesting to access the network slice, and the first request message is used to request to acquire security information of the terminal;
and the second sending module is used for sending the security information of the terminal to a control entity in the network slice according to the first request message.
Specifically, in the fourth embodiment of the present invention, the processing apparatus further includes:
a third sending module, configured to send the security information of each network slice subscribed to by the terminal to the terminal.
Specifically, in the fourth embodiment of the present invention, the processing apparatus further includes:
a second receiving module, configured to receive a second request message sent by the terminal, where the second request message carries information of a network slice accessed by the terminal, and the second request message is used to request to obtain security information of the network slice;
and the fourth sending module is used for sending the security information of the network slice to the terminal according to the second request message.
Specifically, the security information in the fourth embodiment of the present invention includes a security algorithm and/or a key.
It should be noted that the processing apparatus for security information according to the fourth embodiment of the present invention is a processing apparatus capable of implementing the processing method for security information according to the first embodiment, so that all embodiments of the processing method for security information according to the first embodiment are applicable to the fourth embodiment, and the same or similar advantageous effects can be achieved.
Fifth embodiment
In order to better achieve the above object, a fifth embodiment of the present invention further provides a security information processing apparatus, including: a processor; and the memory is connected with the processor through a bus interface, the memory is used for storing programs and data used by the processor in executing operation, and when the processor calls and executes the programs and data stored in the memory, the following functional modules are realized:
a generating module, configured for the access control function entity to generate security information;
and a first sending module, configured to send the security information to a control entity.
It should be noted that the processing apparatus for security information according to the fourth embodiment of the present invention is a processing apparatus capable of implementing the processing method for security information according to the first embodiment, so that all embodiments of the processing method for security information according to the first embodiment are applicable to the fourth embodiment, and the same or similar advantageous effects can be achieved.
Sixth embodiment
A sixth embodiment of the present invention provides an apparatus for acquiring security information of a terminal, including:
a first security information receiving module, configured to receive the security information of the terminal sent by the access control function entity; and/or,
a first request module, configured to send a first request message to an access control function entity, where the first request message carries an identifier of a terminal requesting to access the network slice, and the first request message is used to request to acquire security information of the terminal;
a second security information receiving module, configured to receive the security information of the terminal sent by the access control function entity; and/or,
and the third security information receiving module is used for receiving an access request message of the terminal sent by the access equipment, wherein the access request message carries the security information of the terminal.
Specifically, the security information in the sixth embodiment of the present invention includes a security algorithm and/or a key.
It should be noted that the apparatus for acquiring security information of a terminal according to the sixth embodiment of the present invention is an acquiring apparatus capable of implementing the method for acquiring security information of a terminal according to the second embodiment, so that all embodiments of the method for acquiring security information of a terminal according to the second embodiment are applicable to the sixth embodiment, and can achieve the same or similar beneficial effects.
Seventh embodiment
The seventh embodiment of the present invention further provides an apparatus for acquiring security information of a terminal, including: a processor; and a memory connected to the processor through a bus interface, where the memory stores the programs and data used by the processor in executing operations, and when the processor calls and executes the programs and data stored in the memory, the following functional modules are realized:
a first security information receiving module, used to receive the security information of the terminal sent by the access control function entity; and/or
a first request module, configured to send a first request message to an access control function entity, where the first request message carries an identifier of a terminal requesting to access the network slice, and the first request message is used to request to acquire security information of the terminal;
a second security information receiving module, used to receive the security information of the terminal sent by the access control function entity; and/or
a third security information receiving module, used to receive an access request message of the terminal sent by the access equipment, where the access request message carries the security information of the terminal.
It should be noted that the apparatus for acquiring security information of a terminal according to the seventh embodiment of the present invention is an acquiring apparatus capable of implementing the method for acquiring security information of a terminal according to the second embodiment, so that all embodiments of the method for acquiring security information of a terminal according to the second embodiment are applicable to the seventh embodiment, and can achieve the same or similar beneficial effects.
Eighth embodiment
An eighth embodiment of the present invention provides an apparatus for acquiring security information of a network slice, including:
a fourth security information receiving module, used to receive the security information of each network slice signed by the terminal, which is sent by the access control function entity; and/or
a second request module, configured to send a second request message to an access control function entity, where the second request message carries information of a network slice accessed by the terminal, and the second request message is used to request to acquire security information of the network slice;
and a fifth security information receiving module, configured to receive the security information of the network slice sent by the access control function entity.
Specifically, in the eighth embodiment of the present invention, the security information includes a security algorithm and/or a key.
It should be noted that the apparatus for acquiring security information of a network slice according to the eighth embodiment of the present invention is an acquiring apparatus capable of implementing the method for acquiring security information of a network slice according to the third embodiment, so that all embodiments of the method for acquiring security information of a network slice according to the third embodiment are applicable to the eighth embodiment, and can achieve the same or similar beneficial effects.
Ninth embodiment
A ninth embodiment of the present invention provides an apparatus for acquiring security information of a network slice, including: a processor; and a memory connected to the processor through a bus interface, where the memory stores the programs and data used by the processor in executing operations, and when the processor calls and executes the programs and data stored in the memory, the following functional modules are realized:
a fourth security information receiving module, used to receive the security information of each network slice signed by the terminal, which is sent by the access control function entity; and/or
a second request module, configured to send a second request message to an access control function entity, where the second request message carries information of a network slice accessed by the terminal, and the second request message is used to request to acquire security information of the network slice;
and a fifth security information receiving module, configured to receive the security information of the network slice sent by the access control function entity.
It should be noted that the apparatus for acquiring security information of a network slice according to the ninth embodiment of the present invention is an acquiring apparatus capable of implementing the method for acquiring security information of a network slice according to the third embodiment, so that all embodiments of the method for acquiring security information of a network slice according to the third embodiment are applicable to the ninth embodiment, and can achieve the same or similar beneficial effects.
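The exchanges described in the sixth through ninth embodiments, as an added illustration that is not part of the patent: an access control function entity that generates distinct security information per subscribed network slice, answers the first request message (from a slice's control entity, carrying the terminal identifier) and the second request message (from the terminal, carrying the slice it accesses), and releases only the requesting slice's own information. The subscription data, slice names, algorithm names and the HMAC-SHA256 key derivation are constructed assumptions; the patent does not specify how the key or algorithm is chosen.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample subscription information: terminal -> slices it has signed up for.
SUBSCRIPTIONS = {"imsi-001": ["eMBB", "URLLC"], "imsi-002": ["eMBB"]}

# Constructed policy: which security algorithm each slice uses (names are assumptions).
SLICE_ALGORITHMS = {"eMBB": "AES-128-CTR", "URLLC": "SNOW-3G", "mMTC": "ZUC"}


@dataclass(frozen=True)
class SecurityInfo:
    """Security information = security algorithm and/or key, here both."""
    slice_id: str
    algorithm: str
    key: bytes


class AccessControlFunction:
    """Generates per-slice security information and serves the two request messages."""

    def __init__(self, root_key: bytes):
        self._root_key = root_key          # hypothetical long-term key held only by the ACF
        self._store = {}                   # (terminal_id, slice_id) -> SecurityInfo

    def generate(self, terminal_id: str) -> dict:
        """Generate different security information for each slice the terminal subscribes to."""
        infos = {}
        for slice_id in SUBSCRIPTIONS.get(terminal_id, []):
            # Assumed derivation: bind the key to (terminal, slice) so no two slices share a key.
            label = f"{terminal_id}|{slice_id}".encode()
            key = hmac.new(self._root_key, label, hashlib.sha256).digest()[:16]
            info = SecurityInfo(slice_id, SLICE_ALGORITHMS[slice_id], key)
            self._store[(terminal_id, slice_id)] = info
            infos[slice_id] = info
        return infos

    def handle_first_request(self, requesting_slice: str, terminal_id: str):
        """First request message from the control entity of `requesting_slice`.
        Only that slice's own information is released; a terminal that has not
        signed up for the slice yields None, preserving isolation between slices."""
        return self._store.get((terminal_id, requesting_slice))

    def handle_second_request(self, terminal_id: str, slice_id: str):
        """Second request message from the terminal for the slice it is accessing."""
        return self._store.get((terminal_id, slice_id))
```

The terminal (second request) and the slice's control entity (first request) end up holding the same SecurityInfo, while a control entity of another slice learns nothing about it.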
While the foregoing is directed to the preferred embodiment of the present invention, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention as defined in the appended claims.