Disclosure of Invention
To address the risk that, because existing 5G user data is stored centrally in the UDR with its associations intact, an attacker who obtains or accesses that data without authorization can follow the stored associations to leak information in a chain, the invention provides a 5G user data disassociation storage system and an access method. Different types of data, and different representations of the same type of data, are disassociated both logically and physically and stored separately; physical disassociation and separation, weak-association analysis and disassociated storage together eliminate the information-leakage risk that associated storage of user information creates.
In a first aspect, the present invention provides a 5G user data disassociation storage system, comprising: an index control unit and a plurality of child UDR nodes; wherein:
the index control unit classifies the user data, determines an index for each type of data obtained, encrypts the index of each type of data and stores the association relationship among the encrypted index values; when it receives a data access request from a data access service providing unit, it judges the access authority of that unit to the user data;
the plurality of sub-UDR nodes store the various types of data obtained by classifying the user data; when a sub-UDR node receives a data access request from the data access service providing unit, it returns the corresponding data according to the index of the data to be accessed.
Further, the index control unit is located at the back end of the data access service providing unit.
In a second aspect, the present invention provides a disassociation storage method based on the above 5G user data disassociation storage system, the method including:
step 1.1, the index control unit classifies the user data and stores each type of data obtained to a sub-UDR node;
step 1.2, the index control unit determines an index for each type of data according to the node information of each sub-UDR node, encrypts the index of each type of data, and stores the association relationship among the encrypted index values.
In a third aspect, the present invention provides a data reading method based on the above 5G user data disassociation storage system, including:
step 2.1, when a data access request sent by a data access service providing unit is received, the index control unit judges the access authority of the data access service providing unit to the user data;
step 2.2, if the data access service providing unit is judged to have access authority to the type of data to be accessed, the index control unit searches for the index of that type of data, and the sub-UDR node returns the corresponding data according to that index;
step 2.3, if the data access service providing unit is judged to have access authority to a type of data other than the type to be accessed, the index control unit determines the index of the type of data to be accessed from the association relationship between that other type of data and the encrypted index value of the type to be accessed, and the sub-UDR node returns the corresponding data according to that index;
step 2.4, if the data access service providing unit is judged not to have access authority to any type of data, the data access request is discarded.
Further, in step 2.3 the index control unit determines the index of the type of data to be accessed from the association relationship between the other type of data and the encrypted index value of the type to be accessed as follows: the index control unit searches for the index of the other type of data to which the unit has access authority and encrypts it; it determines the encrypted index value of the type of data to be accessed from the association relationship between that encrypted index value and each of the other encrypted index values; it decrypts the encrypted index value of the type of data to be accessed to obtain its index; and the sub-UDR node returns the corresponding data according to that index.
The invention has the beneficial effects that:
the invention provides a 5G user data disassociation storage system and an access method. The storage system has an index control unit and a plurality of sub-UDR nodes. The index control unit classifies the user data according to a preset classification method and stores each type of user data to its own sub-UDR node; it then determines the indexes, encrypts the indexes of the various types of data and stores the association relationship among the encrypted index values belonging to the same user. When an access request is received, the index control unit judges the access authority of the DAP to the user data, and either searches for and returns the user data directly by the index of the requested data type, or searches for the encrypted index value of the requested data type through the encrypted index and the association relationship, decrypts it to obtain the index, and then searches for and returns the user data. With this arrangement the index control unit knows only the association relationship among the encrypted index values of a user's various data types, not the user data itself, and each sub-UDR node knows only the content and index of one type of user data and cannot associate or infer the others, so the information-leakage risk caused by associated storage of user information is effectively reduced.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a schematic diagram of the 3GPP 5G user data storage architecture of the prior art. Fig. 2 and fig. 3 are two schematic structural diagrams of a 5G user data disassociation storage system according to an embodiment of the present invention. Fig. 2 differs from fig. 3 in that the index control unit may be placed at the internal back end of the data access service providing unit. As shown in fig. 2 and fig. 3, the storage system includes an index control unit 101 and N sub-UDR nodes 102, wherein:
the index control unit 101 is configured to classify the user data, determine an index for each type of data obtained, encrypt the index of each type of data, and store the association relationship among the encrypted index values; when it receives a data access request from a data access service providing unit, it judges the access authority of that unit to the user data;
the plurality of sub-UDR nodes 102 are configured to store the various types of data obtained by classifying the user data; when a sub-UDR node receives a data access request from the data access service providing unit, it returns the corresponding data according to the index of the data to be accessed.
Specifically, the index control unit is located at the back end of the data access service providing unit (DAP) and is configured to classify the user data according to a preset classification method, determine a database index for each type of data, encrypt the indexes of the various types of data, and store the association relationship among the encrypted index values of the same user. The index control unit is also used to judge the access authority of the DAP to the user data, that is, whether the DAP has the right to access user data of a given category.
The sub-UDR nodes store the user data of each category and, on receiving a DAP request, search for and return the corresponding user data according to the index; they are physically isolated from each other and exchange data only with the DAP.
The index control unit works together with the sub-UDR nodes to achieve logical classification and physically disassociated storage of the user data. This guarantees that users of different permission levels cannot access data classes beyond their permission range, and removes the possibility that an attacker performs association analysis and steals a user's private data in a chain.
In the 5G user data disassociation storage system provided by the embodiment of the invention, the index control unit classifies the data of the same user, establishes an index for each type of data and encrypts those indexes; the association relationship among the encrypted index values is then stored in the index control unit, while the content of each type of data is stored in its sub-UDR node. The index control unit therefore knows only the association relationship among the encrypted index values of a user's data types, not the user data itself, and each sub-UDR node knows only the content and index of one type of user data. An attacker who steals information from the index control unit thus cannot learn the content of the user data, and one who further obtains part of a user's information from a sub-UDR node cannot associate it with, or infer, the user's other types of data, so the risk of information leakage caused by associated storage of user information is effectively reduced.
On the basis of the above embodiment, the storage method of the 5G user data disassociation storage system provided by the embodiment of the present invention includes the following steps:
S101, the index control unit classifies the user data and stores each type of data obtained to its sub-UDR node;
specifically, the index control unit classifies the user data on the following principle: data whose functions are relatively independent, and which would easily leak the user's private information if stored in association, are placed separately. In one implementation, data with relatively independent functions and an association degree greater than a preset threshold are classified into different categories.
S102, the index control unit determines an index for each type of data according to the node information of each sub-UDR node, encrypts the index of each type of data, and stores the association relationship among the encrypted index values.
Fig. 4 is a schematic diagram of a 5G user data disassociation storage method according to an embodiment of the present invention. With reference to fig. 4, the embodiment of the present invention classifies 5G user data into 3 classes (i.e., N = 3).
The 5G user database UDR stores all registration information of the mobile user, such as identification information (MDN/SUPI), location information (5G-GUTI number, cell ID), status information (power on, power off), qualification information, subscription information (including security parameters, call and roaming authority, subscription service), etc., of the mobile user, and further stores information such as a slice identifier (NSSAI, NSI ID) which embodies a service scenario.
Since the user's SUPI, an implicit communication identifier, is not published externally, data such as the user's location information and service information (subscription information) can be stored together with the SUPI without causing leakage of important information. The user's MDN number is the information disclosed to the outside when the account is opened, and can be stored with other disclosed information related to called-service processing.
Meanwhile, in combination with new user data generated by a new application scene of the 5G network, the 5G user data can be divided into three categories according to the association degree of different types of user identifications:
(1) subscriber called service related data
The MDN is used as the index. This class contains the user information related to the user's call process, and the encrypted index value obtained by encrypting the MDN is INDEX 1.
(2) Data relating to a subscriber calling service
The SUPI is used as the index. The SUPI number is the mobile subscriber identification code: it is assigned when the mobile user opens an account, is not published externally, serves as the user's identity in the mobile communication network, and is mainly used by the network to complete authentication, charging and mobility management for the user. This class also contains the user's authentication information, state information, location information, and subscription information related to roaming and charging. Encrypting the SUPI yields the encrypted index value INDEX 2.
(3) 5G service related data
The NSI ID is used as the index. This class contains the slice-related services together with the related charging information, and is extensible to different user requirements and service scenarios. The encrypted index value obtained by encrypting the NSI ID is INDEX 3.
With this classification and storage method, after a single piece of information is lost an intruder cannot determine the user's real identity, because the target user's MDN cannot be associated with the SUPI, and cannot perform other operations on the user, such as locating the user, through the user's MDN or SUPI. The separated storage method thus effectively removes the association between the public user identifier and the private user identifier, removes the direct association between the public user identifier and the user data, and can ensure the safety of the user information.
When receiving a data access request from the data access service providing unit, the user data may be read according to the reading flow shown in fig. 5, which is not described herein again.
A carrier-grade 5G UDR has strict requirements on communication delay. The classification above not only disassociates the 5G user data logically and meets the security requirements, but also takes communication efficiency fully into account: it keeps the services independent of each other, improves communication efficiency by reducing interactions that cross sub-UDR nodes, and preserves service availability.
Fig. 5 is a schematic flowchart of a 5G user data reading method according to an embodiment of the present invention. As shown in fig. 5, the method comprises the steps of:
S201, when a data access request sent by a data access service providing unit is received, the index control unit judges the access authority of the data access service providing unit to the user data;
for example, the index control unit classifies the user data into N classes in advance according to a set data classification method. The DAP initiates a data read request to the storage system UDR for data belonging to the jth class (1 ≤ j ≤ N); the index control unit performs an access check on the DAP and judges whether the DAP has the right to access the jth class of user data.
S202, if the data access service providing unit is judged to have access authority to the type of data to be accessed, the index control unit searches for the index of that type of data, and the sub-UDR node returns the corresponding data according to that index; otherwise, step S203 is executed;
for example, if the DAP is judged to have the right to access the jth class of user data, the data access service providing unit directly reads and returns the corresponding user data in the jth sub-UDR;
S203, if the data access service providing unit is judged to have access authority to a type of data other than the type to be accessed, the index control unit determines the index of the type of data to be accessed from the association relationship between that other type of data and the encrypted index value of the type to be accessed, and the sub-UDR node returns the corresponding data according to that index; otherwise, step S204 is executed;
specifically, the index control unit determines the index of the type of data to be accessed from the association relationship between the other type of data and the encrypted index value of the type to be accessed as follows: the index control unit searches for the index of the other type of data to which the unit has access authority and encrypts it; it determines the encrypted index value of the type of data to be accessed from the association relationship between that encrypted index value and each of the other encrypted index values; it decrypts the encrypted index value of the type of data to be accessed to obtain its index; and the sub-UDR node returns the corresponding data according to that index.
For example, if the DAP is judged to have the right to access the ith class of user data (1 ≤ i ≤ N, i ≠ j), the index control unit encrypts the index of the ith class of user data to obtain the encrypted index value INDEX i;
the index control unit obtains the encrypted index value INDEX j of the jth class of user data from the stored association relationship, and then decrypts INDEX j to obtain the index of the jth class of user data;
and according to the index of the jth class of user data, the data access service providing unit reads and returns the corresponding user data in the jth sub-UDR.
S204, if the data access service providing unit is judged not to have access authority to any type of data, the data access request is discarded.
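The storage method (S101, S102) and the read flow (S201 to S204) above, modelled together as an added Python example that is not part of the patent: an index control unit holds only encrypted index values and their association, each sub-UDR node holds one class of content, and the DAP's access check decides between the direct path, the association path and discarding the request. The deterministic SIV-style index encryption built from HMAC-SHA256, the class names, the ACL layout and the sample subscriber data are all assumptions made for the demo.

```python
import hmac, hashlib

CLASSES = ("MDN", "SUPI", "NSI_ID")   # index field of class 1, 2 and 3 as in the page

def _stream(key, tag, n):
    # Keystream for one index: counter mode over HMAC-SHA256, seeded by the tag.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, tag + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt_index(key, index):
    # Deterministic SIV-style encryption (assumed demo construction, not the page's):
    # tag = PRF(key, index); body = index XOR keystream(key, tag). Same index, same value.
    data = index.encode()
    tag = hmac.new(key, data, hashlib.sha256).digest()[:16]
    return tag + bytes(a ^ b for a, b in zip(data, _stream(key, tag, len(data))))

def decrypt_index(key, enc):
    tag, body = enc[:16], enc[16:]
    data = bytes(a ^ b for a, b in zip(body, _stream(key, tag, len(body))))
    if not hmac.compare_digest(tag, hmac.new(key, data, hashlib.sha256).digest()[:16]):
        raise ValueError("encrypted index value is corrupt")
    return data.decode()

class IndexControlUnit:
    def __init__(self, key, acl):
        self.key, self.acl = key, acl              # acl: DAP name -> set of class numbers 1..N
        self.nodes = [dict() for _ in CLASSES]     # each dict stands for one separate sub-UDR node
        self.assoc = {}                            # encrypted index value -> that user's N values

    def store(self, user):
        # S101/S102: split one user's record by class, push content to the sub-UDRs,
        # and keep only the association among the encrypted index values here.
        enc = []
        for j, cls in enumerate(CLASSES):
            index, record = user[cls]
            self.nodes[j][index] = record
            enc.append(encrypt_index(self.key, index))
        for e in enc:
            self.assoc[e] = tuple(enc)

    def read(self, dap, j, i, index_i):
        # S201-S204: dap asks for class j and presents the class-i index of the user.
        rights = self.acl.get(dap, set())
        if j in rights and i == j:                 # S202: direct read in sub-UDR j
            return self.nodes[j - 1].get(index_i)
        if i in rights and i != j:                 # S203: INDEX i -> association -> INDEX j
            enc_i = encrypt_index(self.key, index_i)
            enc_j = self.assoc.get(enc_i, (None,) * len(CLASSES))[j - 1]
            if enc_j is not None:
                return self.nodes[j - 1].get(decrypt_index(self.key, enc_j))
        return None                                # S204: discard the request

def demo():
    # Constructed sample data: one subscriber and one DAP allowed to read class 1 only.
    icu = IndexControlUnit(b"demo-key-not-for-production", {"call-handling": {1}})
    icu.store({"MDN": ("MDN-0001", {"called_service": "voice"}),
               "SUPI": ("SUPI-0001", {"cell": "C17", "state": "power on"}),
               "NSI_ID": ("NSI-0001", {"slice": "eMBB"})})
    return icu
```

Read literally, S203 gates the association path on the DAP's right to class i rather than class j, and the model keeps that gate; a deployment should confirm that this matches the access policy it intends.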
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.