CN113055829A - Privacy protection method and device for network broadcast information and readable storage medium - Google Patents


Info

Publication number: CN113055829A
Authority: CN (China)
Prior art keywords: npn, plmn, cag, pni, network
Legal status: Granted; Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202110289720.4A
Other languages: Chinese (zh)
Other versions: CN113055829B (en)
Inventors: 成荣, 孙志伟, 韦凯, 王隆杰, 梁广民
Current Assignee: Shenzhen Polytechnic (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original Assignee: Shenzhen Polytechnic
Application filed by Shenzhen Polytechnic; priority to CN202110289720.4A; publication of CN113055829A; application granted; publication of CN113055829B

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04W: Wireless communication networks
    • H04W 4/00: Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/06: Selective distribution of broadcast services, e.g. multimedia broadcast multicast service [MBMS]; Services to user groups; One-way selective calling services
    • H04W 12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/02: Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W 12/06: Authentication

Abstract

The invention provides a privacy protection method, a privacy protection device, equipment and a computer readable storage medium for network broadcast information, wherein the method comprises the following steps: receiving network information sent by a base station, wherein the network information comprises a first bit string obtained by converting a first CAG ID corresponding to a first PNI-NPN or a first PLMN ID corresponding to a first SNPN and a first NPN ID based on a Bloom Filter principle; acquiring a second CAG ID of a second PNI-NPN or a second PLMN ID and a second NPN ID of a second SNPN which the user equipment expects to access; and confirming whether the second CAG ID belongs to the first CAG ID or not based on the Bloom Filter principle and a preset BF parameter, if so, representing that the second CAG ID is consistent with the first CAG ID, accessing the first PNI-NPN through the first CAG ID, or confirming whether the second PLMN ID and the second NPN ID belong to the first PLMN ID and the first NPN ID, if so, representing that the second PLMN ID and the second NPN ID are consistent with the first PLMN ID and the first NPN ID, and accessing the first SNPN through the first PLMN ID and the first NPN ID. The invention can improve the network security when broadcasting the network information.

Description

Privacy protection method and device for network broadcast information and readable storage medium
[ technical field ]
The present invention relates to the field of network security technologies, and in particular, to a method, an apparatus, a device, and a computer-readable storage medium for protecting privacy of network broadcast information.
[ background of the invention ]
In 5G networks, 3GPP (3rd Generation Partnership Project) introduced a new network organization, namely the PNI-NPN (Public Network Integrated Non-Public Network), which is a non-standalone non-public network. The PNI-NPN is a private network established on top of an operator network; for example, the UEs (User Equipment) held by employees of company A may form a PNI-NPN, where the UEs may be terminals accessing the operator network. In practical applications, by configuring the USIM (Universal Subscriber Identity Module) of each UE, all the UEs become members of company A's PNI-NPN, and after accessing the operator network they can use the PNI-NPN services, such as sharing company A's data. In order to enable the UE to sense the PNI-NPN, an operator may allocate different CAGs (Closed Access Groups) to the PNI-NPNs over the Air Interface; for example, after the UE receives the information (such as a CAG ID) broadcast by the base station, a UE supporting the CAG ID broadcast by the base station may access the corresponding PNI-NPN.
Of course, a 5G network includes not only the PNI-NPN but also another network organization, namely the SNPN (Stand-alone Non-Public Network). In practical applications, an SNPN UE may also access the operator network through the SNPN key, and in this case the operator network is required to support the access of the SNPN UE. In order to let the UE know that the operator allows SNPN UEs to access, the base station of the operator also broadcasts a PLMN ID (Public Land Mobile Network ID) and an NPN ID (Non-Public Network ID), where the PLMN ID and the NPN ID together may be used to identify the SNPN; the UE may then obtain the PLMN ID and the NPN ID from the broadcast to determine whether the SNPN can be accessed through the key corresponding to that PLMN ID and NPN ID.
In the prior art, network information (the network information here is CAG ID or PLMN ID and NPN ID) is easily leaked by a base station directly broadcasting the network information in plaintext regardless of PNI-NPN or SNPN, so that an illegal person can judge which company the current operator network signs a contract with according to the leaked network information, which not only affects privacy of customers, but also greatly affects network security.
Therefore, it is necessary to protect privacy security when broadcasting network information.
[ summary of the invention ]
The technical problem to be solved by the invention is as follows: to provide a privacy protection method, apparatus, device and computer-readable storage medium for network broadcast information, so as to solve the problem of insufficient network security caused by the broadcasting of network information in the prior art.
In order to solve the technical problems, the invention adopts the technical scheme that:
a first aspect of an embodiment of the present invention provides a privacy protection method for network broadcast information, which is applied to data interaction between user equipment and a base station, and includes:
receiving network information sent by the base station, wherein the network information comprises a first bit string obtained by converting a first CAG ID corresponding to a first PNI-NPN or a first PLMN ID corresponding to a first SNPN and a first NPN ID based on a Bloom Filter principle, and each bit in the first bit string is 0 or 1;
acquiring a second CAG ID of a second PNI-NPN or a second PLMN ID and a second NPN ID of a second SNPN which the user equipment desires to access;
confirming whether the second CAG ID belongs to the first CAG ID or not based on a Bloom Filter principle and a preset BF parameter, if so, representing that the second CAG ID is consistent with the first CAG ID, and accessing the first PNI-NPN through the first CAG ID, or confirming whether the second PLMN ID and the second NPN ID belong to the first PLMN ID and the first NPN ID or not, if so, representing that the second PLMN ID and the second NPN ID are consistent with the first PLMN ID and the first NPN ID, and accessing the first SNPN through the first PLMN ID and the first NPN ID;
the BF parameter is a hash function used by a second bit string obtained when the second CAG ID corresponding to the second PNI-NPN or the second PLMN ID corresponding to the second SNPN and the second NPN ID are converted based on a Bloom Filter principle.
In some embodiments, the confirming whether the second CAG ID belongs to the first CAG ID based on the Bloom Filter principle and a preset BF parameter includes:
calculating the second CAG ID by utilizing the hash function based on the Bloom Filter principle to obtain certain first positions in the first bit string;
and judging whether some first positions in the obtained first bit string are all 1, if so, confirming that the second CAG ID belongs to the first CAG ID.
In some embodiments, the confirming whether the second PLMN ID and the second NPN ID belong to the first PLMN ID and the first NPN ID based on the Bloom Filter principle and a preset BF parameter includes:
calculating the second PLMN ID and the second NPN ID by utilizing the hash function based on a Bloom Filter principle to obtain certain second positions in the first bit string;
and judging whether some second positions in the obtained first bit string are all 1, if so, confirming that the second PLMN ID and the second NPN ID belong to the first PLMN ID and the first NPN ID.
In some embodiments, the method for protecting privacy of network broadcast information further comprises: and if the second CAG ID does not belong to the first CAG ID or the second PLMN ID and the second NPN ID do not belong to the first PLMN ID and the first NPN ID, receiving network information sent by other base stations.
In some embodiments, the receiving the network information sent by the base station further comprises: and sending request information to the current service network through the base station, wherein the request information is used for requesting the current service network to send the BF parameter through the base station.
In some embodiments, the request information comprises a SUCI of the user equipment and/or the second PNI-NPN or the second SNPN, and the steps that follow the base station receiving the request information comprise:
the base station sends the request information to the AMF;
the AMF generates authentication information based on the request information and sends the authentication information to the AUSF;
the AUSF sends the authentication information to the UDM;
the UDM generates authentication feedback information according to the authentication information and sends the authentication feedback information to the AUSF, wherein the authentication feedback information comprises SUPI of the user equipment, and the SUPI is encrypted to obtain the SUCI;
the AUSF, the AMF and the user equipment execute bidirectional authentication according to the authentication feedback information, and if the bidirectional authentication is successful, the AUSF sends the SUPI and the second PNI-NPN or the second SNPN to the AMF;
the AMF generates subscription request information based on the SUPI and the second PNI-NPN or the second SNPN, and sends the subscription request information to the UDM;
the UDM confirms whether the user equipment supports the second PNI-NPN or the second SNPN access according to the subscription request information, generates subscription feedback information according to a confirmation result, and sends the subscription feedback information to the AMF;
when the user equipment supports the access of the second PNI-NPN or the second SNPN, the AMF establishes an NAS security protection mechanism with the user equipment;
and the AMF converts the second CAG ID or the second PLMN ID and the second NPN ID to obtain a second bit string based on a Bloom Filter principle, and sends the hash function used for obtaining the second bit string and the name of the current service network to the base station, wherein the name of the current service network corresponds to the hash function used for obtaining the second bit string.
In some embodiments, the receiving the network information sent by the base station further comprises: and receiving the hash function used for obtaining the second bit string and the name of the current service network, which are sent by the base station by the current service network.
In some embodiments, the UDM generating authentication feedback information according to the authentication information and sending the authentication feedback information to the AUSF includes:
the UDM decrypts the SUCI to obtain the SUPI;
determining a root key corresponding to the SUPI according to the SUPI, and generating authentication feedback information according to the SUPI, the root key and the second PNI-NPN or the second SNPN;
and sending the authentication feedback information to the AUSF.
A second aspect of the embodiments of the present invention provides a privacy protection apparatus for network broadcast information, which is applied to data interaction between user equipment and a base station, and includes:
a receiving module, configured to receive network information sent by the base station, where the network information includes a first bit string obtained by converting a first CAG ID corresponding to a first PNI-NPN or a first PLMN ID and a first NPN ID corresponding to a first SNPN based on a Bloom Filter principle, and each bit in the first bit string is 0 or 1;
an obtaining module, configured to obtain a second CAG ID of a second PNI-NPN or a second PLMN ID and a second NPN ID of a second SNPN to which the user equipment desires to access;
a confirming module, configured to confirm whether the second CAG ID belongs to the first CAG ID based on a Bloom Filter principle and a preset BF parameter, if so, characterize that the second CAG ID is consistent with the first CAG ID, and access the first PNI-NPN through the first CAG ID, or confirm that the second PLMN ID and the second NPN ID belong to the first PLMN ID and the first NPN ID, if so, characterize that the second PLMN ID and the second NPN ID are consistent with the first PLMN ID and the first NPN ID, and access the first SNPN through the first PLMN ID and the first NPN ID;
the BF parameter is a hash function used by a second bit string obtained when the second CAG ID corresponding to the second PNI-NPN or the second PLMN ID corresponding to the second SNPN and the second NPN ID are converted based on a Bloom Filter principle.
A third aspect of an embodiment of the present invention provides a privacy protection device for network broadcast information, including: a storage device for storing one or more programs and one or more processors, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method according to the first aspect of an embodiment of the present invention.
A fourth aspect of embodiments of the present invention provides a computer-readable storage medium having stored thereon executable instructions that, when executed, perform a method according to the first aspect of embodiments of the present invention.
From the above description, compared with the prior art, the invention has the following beneficial effects:
the network information broadcasted by the base station is a first bit string obtained by converting a first CAG ID corresponding to a first PNI-NPN or a first PLMN ID and a first NPN ID corresponding to a first SNPN based on a Bloom Filter principle, and after the user equipment receives the network information broadcasted by the base station, whether a second CAG ID of a second PNI-NPN which the user equipment desires to access belongs to the first CAG ID or not can be confirmed based on the Bloom Filter principle and a preset BF parameter, or whether a second PLMN ID of the second SNPN which the user equipment desires to access belongs to the first PLMN ID and the first NPN ID or not can be confirmed, so that the user equipment can complete the access of the PNI-NPN or the SNPN. In the process, the network information broadcasted by the base station is always presented in the form of the first bit string, and an illegal person does not know that the first bit string is converted from which PNI-NPN CAG ID or from which SNPN PLMN ID and NPN ID, that is, the current operator network signs a contract with which company, so that the privacy of the client is protected, and the network security when the network information is broadcasted is improved to a great extent.
[ description of the drawings ]
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It is to be understood that the drawings in the following description are of some, but not all, embodiments of the invention. For a person skilled in the art, other figures can also be obtained from the provided figures without inventive effort.
Fig. 1 is a schematic flowchart of a privacy protection method for network broadcast information according to an embodiment of the present invention;
Fig. 2 is a flowchart illustrating the steps that follow the base station receiving request information according to an embodiment of the present invention;
Fig. 3 is a schematic flowchart of the steps following step 24 in Fig. 2 according to an embodiment of the present invention;
Fig. 4 is a block diagram of a privacy protection apparatus for network broadcast information according to an embodiment of the present invention;
Fig. 5 is a block diagram of a privacy protection device for network broadcast information according to an embodiment of the present invention;
Fig. 6 is a block diagram of a computer-readable storage medium according to an embodiment of the present invention.
[ detailed description ]
For purposes of promoting a clear understanding of the objects, aspects and advantages of the invention, reference will now be made in detail to the present embodiments of the invention, examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer to the same or similar elements throughout. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
In the prior art, network information (the network information here is CAG ID or PLMN ID and NPN ID) is easily leaked by a base station directly broadcasting the network information in plaintext regardless of PNI-NPN or SNPN, so that an illegal person can judge which company the current operator network signs a contract with according to the leaked network information, which not only affects privacy of customers, but also greatly affects network security. For this problem, if the network information broadcasted by the base station is directly encrypted, then there is a phenomenon that it is difficult for the UE to configure a corresponding decryption key, thereby affecting PNI-NPN or SNPN access.
Referring to fig. 1, fig. 1 is a flowchart illustrating a privacy protection method for network broadcast information according to an embodiment of the present invention.
As shown in fig. 1, an embodiment of the present invention provides a privacy protection method for network broadcast information, where the method is applied to data interaction between a UE and a base station, and the method includes the following steps 11 to 13.
Step 11, receiving network information sent by a base station, wherein the network information includes a first bit string obtained by converting a first CAG ID corresponding to a first PNI-NPN or a first PLMN ID and a first NPN ID corresponding to a first SNPN based on a Bloom Filter principle, and each bit in the first bit string is 0 or 1;
In practical application, the base station broadcasts a first CAG ID corresponding to the first PNI-NPN, and when the user equipment recognizes that the first CAG ID is the CAG ID of the PNI-NPN it desires to access, the user equipment accesses the first PNI-NPN through the first CAG ID. Similarly, the base station broadcasts the first PLMN ID and the first NPN ID corresponding to the first SNPN, and when the user equipment recognizes that the first PLMN ID and the first NPN ID are the PLMN ID and the NPN ID of the SNPN it desires to access, the user equipment accesses the first SNPN through the first PLMN ID and the first NPN ID. As can be seen, the key to privacy protection when the base station broadcasts the network information is that an illegal person cannot easily identify the CAG ID, the PLMN ID and the NPN ID broadcast by the base station; therefore, in step 11, the CAG ID, or the PLMN ID and the NPN ID, broadcast by the base station are converted into the first bit string based on the Bloom Filter principle. The Bloom Filter principle is explained below.
A Bloom Filter is a binary-vector data structure that is efficient in both space and time and is used to test whether an element is a member of a set. For example, if a group X has members (X1, X2, X3, …, X100) and a user A wants to determine whether he belongs to group X, the simplest method is for user A to first obtain the member list of group X and then match his own identifier against all identifiers in group X one by one.
The Bloom Filter sacrifices some matching accuracy but achieves efficient verification and saves bandwidth. Continuing the example above, 3 hash functions h1, h2 and h3 may be selected, each mapping an input of arbitrary length to an integer in the range 1 to 200. Assume a bit string with positions 1 to 200, the values at these positions being the values of the bit string, and let every position of the initial bit string be 0. Then h1 is used to compute the hash value h1(X1) of X1, h1(X1) is taken as a position in the bit string, and the value at that position is set to 1; for example, when h1(X1) is 100, the value at the 100th position of the bit string is set to 1. Similarly, every member of group X is hashed with h1 and the corresponding position is set to 1, and the same operation is then performed with h2 and h3. At this point a number of positions in the 200-bit string have been set to 1. To determine whether user A is in group X, only h1(A), h2(A) and h3(A) need to be computed and the values at the corresponding positions of the bit string checked: if all of them are 1, user A belongs to group X with high probability; conversely, if at least one position is not 1, user A is certainly not in group X. It should be noted that the exact probability with which user A belongs to group X is related to the length of the bit string and the number of hash functions, and is not described further here.
Step 12, acquiring a second CAG ID of a second PNI-NPN or a second PLMN ID and a second NPN ID of a second SNPN which the user equipment desires to access;
after receiving the network information sent by the base station, it is necessary to acquire a second CAG ID of a second PNI-NPN or a second PLMN ID and a second NPN ID of a second SNPN to which the user equipment desires to access, so as to determine whether the second CAG ID belongs to the first CAG ID or not based on a Bloom Filter principle, or determine whether the second PLMN ID and the second NPN ID belong to the first PLMN ID and the first NPN ID. As can be seen from the above description, if the second CAG ID belongs to the first CAG ID, the first CAG ID is the CAG ID of the PNI-NPN to which the user equipment desires to access; similarly, if the second PLMN ID and the second NPN ID belong to the first PLMN ID and the first NPN ID, the first PLMN ID and the first NPN ID are the PLMN ID and the NPN ID of the SNPN that the user equipment desires to access.
And step 13, confirming whether the second CAG ID belongs to the first CAG ID or not based on the Bloom Filter principle and preset BF parameters, if so, representing that the second CAG ID is consistent with the first CAG ID, accessing the first PNI-NPN through the first CAG ID, or confirming whether the second PLMN ID and the second NPN ID belong to the first PLMN ID and the first NPN ID, if so, representing that the second PLMN ID and the second NPN ID are consistent with the first PLMN ID and the first NPN ID, and accessing the first SNPN through the first PLMN ID and the first NPN ID.
In step 13, a BF parameter is used; the BF parameter is the hash function used for the second bit string obtained when the second CAG ID corresponding to the second PNI-NPN, or the second PLMN ID and the second NPN ID corresponding to the second SNPN, is converted based on the Bloom Filter principle. In practice, the UE sends the second CAG ID of the second PNI-NPN, or the second PLMN ID and the second NPN ID of the second SNPN, that it desires to access to the network through the base station; the network generates the second bit string from the second CAG ID, or from the second PLMN ID and the second NPN ID, and returns the hash function used to obtain the second bit string to the UE as the BF parameter. After subsequently receiving the first bit string sent by the base station, the UE uses the obtained BF parameter to confirm whether the second CAG ID belongs to the first CAG ID, or whether the second PLMN ID and the second NPN ID belong to the first PLMN ID and the first NPN ID, so as to complete the PNI-NPN or SNPN access.
Specifically, based on the Bloom Filter principle described above, confirming whether the second CAG ID belongs to the first CAG ID may be: calculating the second CAG ID with the hash function based on the Bloom Filter principle to obtain certain first positions in the first bit string; and judging whether all of these first positions in the first bit string are 1, and if so, confirming that the second CAG ID belongs to the first CAG ID. Similarly, determining whether the second PLMN ID and the second NPN ID belong to the first PLMN ID and the first NPN ID may be: calculating the second PLMN ID and the second NPN ID with the hash function based on the Bloom Filter principle to obtain certain second positions in the first bit string; and judging whether all of these second positions in the first bit string are 1, and if so, confirming that the second PLMN ID and the second NPN ID belong to the first PLMN ID and the first NPN ID.
More specifically, in step 13, if the second CAG ID does not belong to the first CAG ID, or the second PLMN ID and the second NPN ID do not belong to the first PLMN ID and the first NPN ID, the network information sent by other base stations needs to be received, and step 12 and step 13 are executed again until the UE accesses the PNI-NPN or SNPN it desires.
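As an added illustration (not code from the patent or from 3GPP), the following Python models the worked Bloom Filter example above together with steps 11 to 13: the network builds the first bit string from the CAG IDs and (PLMN ID, NPN ID) pairs it serves, and the UE checks the identifier it desires against that bit string using the BF parameter. The hash construction (SHA-256 over a salt, an index and the element), the folding of PLMN ID and NPN ID into one element, the fields of BFParameter and all sample identifiers are assumptions; it also computes the false-positive rate the text says depends on the bit-string length and the number of hash functions.

```python
import hashlib
import math
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample identifiers for the demo (not real network identifiers).
SAMPLE_CAG_IDS = ["cag-1001", "cag-1002", "cag-1003"]
SAMPLE_SNPN_IDS = [("46001", "npn-77"), ("46001", "npn-78")]


@dataclass(frozen=True)
class BFParameter:
    """The patent's 'BF parameter': the hash functions used to build the bit string.
    Modelled here (assumption) as a bit-string length m, a count k of hash functions and
    a salt selecting the concrete functions. In the patent the network hands this to a UE
    only after the authentication and subscription check of steps 21 to 29, so the
    bit string alone does not reveal which identifiers were inserted."""
    m: int
    k: int
    salt: bytes


def hash_positions(param: BFParameter, element: str) -> List[int]:
    """h1..hk of the text: map an element of arbitrary length to k positions in 1..m.
    Assumption: h_i(x) = SHA-256(salt || i || x) reduced modulo m, 1-indexed as in the text."""
    return [
        int.from_bytes(hashlib.sha256(param.salt + bytes([i]) + element.encode()).digest()[:8], "big")
        % param.m + 1
        for i in range(param.k)
    ]


def snpn_element(plmn_id: str, npn_id: str) -> str:
    """An SNPN is identified by the pair (PLMN ID, NPN ID); fold both into one element (assumption)."""
    return f"{plmn_id}|{npn_id}"


def build_bit_string(param: BFParameter, elements: Iterable[str]) -> List[int]:
    """Network side (what the base station broadcasts in step 11): for every element x and
    every hash h_i, set position h_i(x) to 1. Index 0 is unused so positions match 1..m."""
    bits = [0] * (param.m + 1)
    for x in elements:
        for p in hash_positions(param, x):
            bits[p] = 1
    return bits


def may_belong(param: BFParameter, bits: List[int], element: str) -> bool:
    """UE side (step 13): the element counts as a member only if all k positions are 1.
    A 0 at any position is a definite 'not a member'; all 1s means 'member with high probability'."""
    return all(bits[p] == 1 for p in hash_positions(param, element))


def false_positive_rate(m: int, k: int, n: int) -> float:
    """Probability that a non-member passes the check after n insertions: (1 - e^(-kn/m))^k.
    This is the dependence on bit-string length and hash count that the text mentions."""
    return (1.0 - math.exp(-k * n / m)) ** k


def ue_access_decision(param: BFParameter, bits: List[int], wanted_cag_id: Optional[str] = None,
                       wanted_snpn: Optional[Tuple[str, str]] = None) -> Optional[str]:
    """Steps 12 and 13: decide from the broadcast bit string which network the UE may access.
    Returns 'PNI-NPN', 'SNPN' or None; None is the fall-back of step 13 (listen to other base stations)."""
    if wanted_cag_id is not None and may_belong(param, bits, wanted_cag_id):
        return "PNI-NPN"
    if wanted_snpn is not None and may_belong(param, bits, snpn_element(*wanted_snpn)):
        return "SNPN"
    return None


def demo() -> Tuple[Optional[str], Optional[str], float]:
    """Run the full flow on the constructed identifiers and size the text's own 200-bit example."""
    param = BFParameter(m=4096, k=3, salt=b"serving-network-name-placeholder")  # placeholder salt
    elements = SAMPLE_CAG_IDS + [snpn_element(p, n) for p, n in SAMPLE_SNPN_IDS]
    broadcast = build_bit_string(param, elements)  # the first bit string of step 11
    pni = ue_access_decision(param, broadcast, wanted_cag_id="cag-1002")
    snpn = ue_access_decision(param, broadcast, wanted_snpn=("46001", "npn-78"))
    # The text's sizing (200 bits, 3 hashes, 100 members) leaves a false-positive rate near 47%,
    # which shows why m and k must be chosen against the number of inserted identifiers.
    fp = false_positive_rate(200, 3, 100)
    return pni, snpn, fp


if __name__ == "__main__":
    print(demo())
```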
In the privacy protection method for network broadcast information provided in the embodiment of the present invention, the network information broadcast by the base station is a first bit string obtained by converting a first CAG ID corresponding to the first PNI-NPN, or a first PLMN ID and a first NPN ID corresponding to the first SNPN, based on a Bloom Filter principle; after receiving the network information broadcast by the base station, the user equipment may determine, based on the Bloom Filter principle and a preset BF parameter, whether a second CAG ID of the second PNI-NPN it desires to access belongs to the first CAG ID, or whether a second PLMN ID and a second NPN ID of the second SNPN it desires to access belong to the first PLMN ID and the first NPN ID, so that the user equipment may complete PNI-NPN or SNPN access. In the process, the network information broadcast by the base station is always presented in the form of the first bit string, and an illegal person does not know from which PNI-NPN CAG ID or from which SNPN PLMN ID and NPN ID the first bit string was converted, that is, with which company the current operator network has signed a contract; the privacy of the client is therefore protected, and the network security when the network information is broadcast is improved to a great extent.
As a possible implementation, before step 11 described above, request information may further be sent to the base station, where the request information is used to request the base station to send the BF parameter, and the request information includes a SUCI (Subscription Concealed Identifier) of the user equipment and/or the second PNI-NPN or second SNPN. It should be understood that after the request information is sent to the base station, the BF parameter generated according to the request information is necessarily received, so as to facilitate the execution of step 13.
Further, fig. 2 is a flowchart illustrating the steps that follow the base station receiving the request information according to an embodiment of the present invention, and fig. 3 is a flowchart illustrating the steps following step 24 in fig. 2 according to an embodiment of the present invention; as can be seen from fig. 2 and fig. 3, the steps that follow the base station receiving the request information include the following steps 21 to 29.
Step 21, the base station sends the request information to an AMF (Access and Mobility Management Function);
step 22, the AMF generates Authentication information based on the request information, and sends the Authentication information to an AUSF (Authentication Server Function);
step 23, the AUSF sends the authentication information to the UDM (Unified Data Management, Unified Data Management function);
step 24, the UDM generates authentication feedback information according to the authentication information, and sends the authentication feedback information to the AUSF, wherein the authentication feedback information includes a SUPI (Subscription Permanent Identifier) of the user equipment;
here, it should be noted that the SUPI is encrypted to obtain the SUCI.
Specifically, the UDM generating the authentication feedback information according to the authentication information and sending the authentication feedback information to the AUSF may be: the UDM decrypts the SUCI to obtain the SUPI; determines a root key corresponding to the SUPI according to the SUPI, and generates the authentication feedback information according to the SUPI, the root key and the second PNI-NPN or the second SNPN; and sends the authentication feedback information to the AUSF.
Step 25, performing bidirectional authentication between the AUSF, the AMF and the user equipment according to the authentication feedback information, and if the bidirectional authentication is successful, the AUSF sends the SUPI and the second PNI-NPN or the second SNPN to the AMF;
step 26, the AMF generates signing request information based on the SUPI and the second PNI-NPN or the second SNPN, and sends the signing request information to the UDM;
step 27, the UDM confirms whether the user equipment supports the second PNI-NPN or second SNPN access according to the subscription request information, generates subscription feedback information according to the confirmation result, and sends the subscription feedback information to the AMF;
step 28, when the user equipment supports access to the second PNI-NPN or the second SNPN, the AMF establishes a NAS (Non-Access Stratum) security protection mechanism with the user equipment;
step 29, the AMF converts the second CAG ID or the second PLMN ID and the second NPN ID to obtain a second bit string based on the Bloom Filter principle, and sends a hash function (i.e., BF parameter) used for obtaining the second bit string and a name of the current service network to the base station, where the name of the current service network corresponds to the hash function used for obtaining the second bit string.
As can be seen from the above description, in step 29 the name of the current serving network and the BF parameter correspond to each other, so, as one example, the AMF may send both the BF parameter and the name of the current serving network to the user equipment using the base station as a bridge. In that example the AMF sends both items to the UE through the base station, but in other embodiments the AMF may use the base station as a bridge to send only the name of the current serving network to the UE; after receiving that name, the UE determines the hash function from the correspondence between the name of the current serving network and the BF parameter, and then performs step 13 with the determined hash function. It should be understood that the form of the information the AMF sends to the user equipment through the base station depends on the actual application scenario, which is not limited in the embodiments of the present invention.
Referring to fig. 4, fig. 4 is a block diagram of a privacy protecting apparatus for network broadcast information according to an embodiment of the present invention.
As shown in fig. 4, corresponding to the above method for protecting privacy of network broadcast information provided in the embodiment of the present invention, an embodiment of the present invention further provides a privacy protection apparatus 100 for network broadcast information, including:
a receiving module 110, configured to receive network information sent by a base station, where the network information includes a first bit string obtained by converting a first CAG ID corresponding to a first PNI-NPN or a first PLMN ID and a first NPN ID corresponding to a first SNPN based on a Bloom Filter principle, and each bit in the first bit string is 0 or 1;
an obtaining module 120, configured to obtain a second CAG ID of a second PNI-NPN or a second PLMN ID and a second NPN ID of a second SNPN that the user equipment desires to access;
a confirming module 130, configured to confirm whether the second CAG ID belongs to the first CAG ID based on the Bloom Filter principle and a preset BF parameter, and if so, this indicates that the second CAG ID is consistent with the first CAG ID and the first PNI-NPN is accessed through the first CAG ID; or to confirm whether the second PLMN ID and the second NPN ID belong to the first PLMN ID and the first NPN ID, and if so, this indicates that the second PLMN ID and the second NPN ID are consistent with the first PLMN ID and the first NPN ID and the first SNPN is accessed through the first PLMN ID and the first NPN ID.
Specifically, the BF parameter is a hash function used for a second bit string obtained when a second CAG ID corresponding to a second PNI-NPN or a second PLMN ID and a second NPN ID corresponding to a second SNPN are converted based on the Bloom Filter principle.
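The following Python example is added here to illustrate the two halves of the scheme described above and in step 29: the network side folding the supported CAG IDs and PLMN ID / NPN ID pairs into a single bit string so that the broadcast never carries the identifiers themselves, and the UE side testing its own identifier against that bit string with the BF parameter (claims 2 and 3), falling back to other base stations when the test fails (claim 4). It is not code from the patent or its applicant. The bit-string length, the number of hash functions, the SHA-256-based position functions salted with the serving network name (modelling the page's statement that the serving network name corresponds to the hash function), the byte encodings of the identifiers and all sample identifiers are constructed assumptions for the example.

```python
import hashlib
from typing import Callable, Iterable, List

# Constructed parameters for the example; the patent fixes neither the
# bit-string length nor the number of hash functions.
M_BITS = 256
K_HASHES = 4

PositionFn = Callable[[bytes], int]


def make_bf_parameter(serving_network_name: str,
                      k: int = K_HASHES, m: int = M_BITS) -> List[PositionFn]:
    """Return the k position functions that together form the BF parameter.

    Assumption (not stated in the patent): each position function is
    SHA-256 over the serving network name, a function index and the
    identifier, reduced modulo m. Salting with the serving network name
    mirrors the page's statement that the name of the current serving
    network corresponds to the hash function used for the bit string.
    """
    def make(i: int) -> PositionFn:
        def position(ident: bytes) -> int:
            digest = hashlib.sha256(
                serving_network_name.encode() + bytes([i]) + ident).digest()
            return int.from_bytes(digest[:4], "big") % m
        return position
    return [make(i) for i in range(k)]


def encode_cag(cag_id: str) -> bytes:
    """Constructed canonical byte form of a CAG ID identifying a PNI-NPN."""
    return b"CAG:" + cag_id.encode()


def encode_snpn(plmn_id: str, npn_id: str) -> bytes:
    """Constructed canonical byte form of the PLMN ID + NPN ID pair of an SNPN."""
    return b"SNPN:" + plmn_id.encode() + b"/" + npn_id.encode()


def build_bit_string(identifiers: Iterable[bytes],
                     bf_param: List[PositionFn], m: int = M_BITS) -> List[int]:
    """Network side (step 29 / the first bit string): set the k positions of
    every supported identifier. The broadcast carries only these m bits,
    never the CAG IDs or PLMN/NPN IDs themselves."""
    bits = [0] * m
    for ident in identifiers:
        for position in bf_param:
            bits[position(ident)] = 1
    return bits


def belongs(bits: List[int], ident: bytes, bf_param: List[PositionFn]) -> bool:
    """UE side (claims 2 and 3): the identifier belongs to the first bit
    string only if all of its k positions are 1. A 0 anywhere is a definite
    'not supported'; all 1s means 'supported' up to the filter's
    false-positive rate, which is why claim 4 keeps a fallback."""
    return all(bits[position(ident)] == 1 for position in bf_param)


def select_network(bits, bf_param, cag_id=None, plmn_id=None, npn_id=None) -> str:
    """Decision of step 13: access the PNI-NPN via its CAG ID, or the SNPN via
    PLMN ID + NPN ID, otherwise read another base station's broadcast."""
    if cag_id is not None and belongs(bits, encode_cag(cag_id), bf_param):
        return "access PNI-NPN via CAG ID " + cag_id
    if plmn_id is not None and npn_id is not None and \
            belongs(bits, encode_snpn(plmn_id, npn_id), bf_param):
        return "access SNPN via PLMN ID %s / NPN ID %s" % (plmn_id, npn_id)
    return "not supported here: receive network information from other base stations"


def false_positive_rate(bits, bf_param, probes: int = 2000) -> float:
    """Empirical false-positive rate over identifiers that were never inserted."""
    hits = sum(belongs(bits, encode_cag("never-inserted-%d" % i), bf_param)
               for i in range(probes))
    return hits / probes


def demo():
    # Constructed sample data: one serving network broadcasting three
    # supported networks (two PNI-NPNs by CAG ID, one SNPN by PLMN ID + NPN ID).
    bf_param = make_bf_parameter("example-serving-network")
    supported = [encode_cag("1001"), encode_cag("2002"),
                 encode_snpn("46000", "0000A1")]
    bits = build_bit_string(supported, bf_param)
    return {
        "bits_set": sum(bits),
        "cag_1001": select_network(bits, bf_param, cag_id="1001"),
        "snpn": select_network(bits, bf_param, plmn_id="46000", npn_id="0000A1"),
        "cag_3003": select_network(bits, bf_param, cag_id="3003"),
        # A UE holding the BF parameter of a different serving network
        # computes different positions and does not match.
        "wrong_param": belongs(bits, encode_cag("1001"),
                               make_bf_parameter("other-network")),
        "fp_rate": false_positive_rate(bits, bf_param),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Two properties of the filter matter for the privacy claim: a 0 bit is a definite negative, so a UE never wastes an access attempt on a network the broadcast rules out, while a false positive (all positions happen to be 1) only costs a rejected attempt that claim 4 recovers from by listening to another base station. With the constructed parameters (m = 256, k = 4, three inserted identifiers) the expected false-positive rate is far below one percent, which the probe loop confirms empirically.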
Referring to fig. 5, fig. 5 is a block diagram of a privacy protecting apparatus for network broadcast information according to an embodiment of the present invention.
As shown in fig. 5, an embodiment of the present invention further provides a privacy protecting apparatus 200 for network broadcast information, including a storage device 210 and one or more processors 220, where the storage device 210 is configured to store one or more programs, and when the one or more programs are executed by the one or more processors 220, the one or more processors 220 are configured to execute the privacy protecting method for network broadcast information according to the embodiment of the present invention.
Specifically, the privacy protecting apparatus 200 for network broadcast information further includes a bus 230 for communication connection between the storage device 210 and the one or more processors 220.
Referring further to fig. 6, fig. 6 is a block diagram of a computer-readable storage medium according to an embodiment of the present invention.
As shown in fig. 6, an embodiment of the present invention further provides a computer-readable storage medium 300, where the computer-readable storage medium 300 stores executable instructions 310, and when the executable instructions 310 are executed, the method for protecting privacy of network broadcast information according to the embodiment of the present invention is performed.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
In the above embodiments, the implementation may be realized wholly or partially by software, hardware, firmware, or any combination thereof. When implemented in software, it may be realized wholly or partially in the form of a computer program product. The computer program product includes one or more computer instructions. When these computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the invention occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored on a computer readable storage medium or transmitted from one computer readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, fiber optic, digital subscriber line) or wirelessly (e.g., infrared, radio, microwave). The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that incorporates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk), among others.
It should be noted that, in this specification, each embodiment is described in a progressive manner, each embodiment focuses on its differences from the other embodiments, and the same or similar parts among the embodiments may be referred to one another. Since the product embodiments are similar to the method embodiments, their description is relatively brief, and for the relevant points reference is made to the corresponding description of the method embodiments.
It is further noted that, in the present disclosure, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined in this disclosure may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A privacy protection method for network broadcast information is applied to data interaction between user equipment and a base station, and comprises the following steps:
receiving network information sent by the base station, wherein the network information comprises a first bit string obtained by converting a first CAG ID corresponding to a first PNI-NPN or a first PLMN ID corresponding to a first SNPN and a first NPN ID based on a Bloom Filter principle, and each bit in the first bit string is 0 or 1;
acquiring a second CAG ID of a second PNI-NPN or a second PLMN ID and a second NPN ID of a second SNPN which the user equipment desires to access;
confirming whether the second CAG ID belongs to the first CAG ID or not based on a Bloom Filter principle and a preset BF parameter, if so, representing that the second CAG ID is consistent with the first CAG ID, and accessing the first PNI-NPN through the first CAG ID, or confirming whether the second PLMN ID and the second NPN ID belong to the first PLMN ID and the first NPN ID or not, if so, representing that the second PLMN ID and the second NPN ID are consistent with the first PLMN ID and the first NPN ID, and accessing the first SNPN through the first PLMN ID and the first NPN ID;
the BF parameter is a hash function used by a second bit string obtained when the second CAG ID corresponding to the second PNI-NPN or the second PLMN ID corresponding to the second SNPN and the second NPN ID are converted based on a Bloom Filter principle.
2. The method for protecting privacy of network broadcast information according to claim 1, wherein the confirming whether the second CAG ID belongs to the first CAG ID based on Bloom Filter principle and preset BF parameters comprises:
calculating the second CAG ID by utilizing the hash function based on the Bloom Filter principle to obtain certain first positions in the first bit string;
and judging whether some first positions in the obtained first bit string are all 1, if so, confirming that the second CAG ID belongs to the first CAG ID.
3. The method for protecting privacy of network broadcast information according to claim 1, wherein the confirming whether the second PLMN ID and the second NPN ID belong to the first PLMN ID and the first NPN ID based on a Bloom Filter principle and a preset BF parameter comprises:
calculating the second PLMN ID and the second NPN ID by utilizing the hash function based on a Bloom Filter principle to obtain certain second positions in the first bit string;
and judging whether some second positions in the obtained first bit string are all 1, if so, confirming that the second PLMN ID and the second NPN ID belong to the first PLMN ID and the first NPN ID.
4. The privacy protection method for network broadcast information according to claim 1, further comprising: and if the second CAG ID does not belong to the first CAG ID or the second PLMN ID and the second NPN ID do not belong to the first PLMN ID and the first NPN ID, receiving network information sent by other base stations.
5. The method for protecting privacy of network broadcast information according to claim 1, wherein the receiving the network information transmitted by the base station further comprises: and sending request information to the current service network through the base station, wherein the request information is used for requesting the current service network to send the BF parameter through the base station.
6. The privacy protection method for network broadcast information according to claim 5, wherein the request information includes SUCI and/or the second PNI-NPN or the second SNPN of the user equipment, and the subsequent step of the base station receiving the request information includes:
the base station sends the request information to the AMF;
the AMF generates authentication information based on the request information and sends the authentication information to the AUSF;
the AUSF sends the authentication information to the UDM;
the UDM generates authentication feedback information according to the authentication information and sends the authentication feedback information to the AUSF, wherein the authentication feedback information comprises SUPI of the user equipment, and the SUPI is encrypted to obtain the SUCI;
the AUSF, the AMF and the user equipment execute bidirectional authentication according to the authentication feedback information, and if the bidirectional authentication is successful, the AUSF sends the SUPI and the second PNI-NPN or the second SNPN to the AMF;
the AMF generates subscription request information based on the SUPI and the second PNI-NPN or the second SNPN, and sends the subscription request information to the UDM;
the UDM confirms whether the user equipment supports the second PNI-NPN or the second SNPN access according to the subscription request information, generates subscription feedback information according to a confirmation result, and sends the subscription feedback information to the AMF;
when the user equipment supports the access of the second PNI-NPN or the second SNPN, the AMF establishes an NAS security protection mechanism with the user equipment;
and the AMF converts the second CAG ID or the second PLMN ID and the second NPN ID to obtain a second bit string based on a Bloom Filter principle, and sends the hash function used for obtaining the second bit string and the name of the current service network to the base station, wherein the name of the current service network corresponds to the hash function used for obtaining the second bit string.
7. The method for protecting privacy of network broadcast information according to claim 6, wherein the receiving the network information transmitted by the base station further comprises: and receiving the hash function used for obtaining the second bit string and the name of the current service network, which are sent by the base station by the current service network.
8. The method for protecting privacy of network broadcast information according to claim 6, wherein the UDM generates authentication feedback information according to the authentication information and sends the authentication feedback information to the AUSF, including:
the UDM decrypts the SUCI to obtain the SUPI;
determining a root key corresponding to the SUPI according to the SUPI, and generating authentication feedback information according to the SUPI, the root key and the second PNI-NPN or the second SNPN;
and sending the authentication feedback information to the AUSF.
9. A privacy protection device for network broadcast information, applied to data interaction between user equipment and a base station, comprising:
a receiving module, configured to receive network information sent by the base station, where the network information includes a first bit string obtained by converting a first CAG ID corresponding to a first PNI-NPN or a first PLMN ID and a first NPN ID corresponding to a first SNPN based on a Bloom Filter principle, and each bit in the first bit string is 0 or 1;
an obtaining module, configured to obtain a second CAG ID of a second PNI-NPN or a second PLMN ID and a second NPN ID of a second SNPN to which the user equipment desires to access;
a confirming module, configured to confirm whether the second CAG ID belongs to the first CAG ID based on a Bloom Filter principle and a preset BF parameter, and if so, this indicates that the second CAG ID is consistent with the first CAG ID and the first PNI-NPN is accessed through the first CAG ID; or to confirm whether the second PLMN ID and the second NPN ID belong to the first PLMN ID and the first NPN ID, and if so, this indicates that the second PLMN ID and the second NPN ID are consistent with the first PLMN ID and the first NPN ID and the first SNPN is accessed through the first PLMN ID and the first NPN ID;
the BF parameter is a hash function used by a second bit string obtained when the second CAG ID corresponding to the second PNI-NPN or the second PLMN ID corresponding to the second SNPN and the second NPN ID are converted based on a Bloom Filter principle.
10. A computer-readable storage medium having stored thereon executable instructions that, when executed, perform the method of any one of claims 1-8.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110289720.4A CN113055829B (en) 2021-03-16 2021-03-16 Privacy protection method and device for network broadcast information and readable storage medium

Publications (2)

Publication Number Publication Date
CN113055829A true CN113055829A (en) 2021-06-29
CN113055829B CN113055829B (en) 2022-04-19

Family

ID=76513454

Country Status (1)

Country Link
CN (1) CN113055829B (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104809182A (en) * 2015-04-17 2015-07-29 东南大学 Method for web crawler URL (uniform resource locator) deduplicating based on DSBF (dynamic splitting Bloom Filter)
WO2016082275A1 (en) * 2014-11-27 2016-06-02 中国科学院计算机网络信息中心 Bgp route authentication method based on hop-by-hop monitoring
US20170034285A1 (en) * 2015-07-29 2017-02-02 Cisco Technology, Inc. Service discovery optimization in a network based on bloom filter
CN107925953A (en) * 2015-09-07 2018-04-17 瑞典爱立信有限公司 For receiving within a wireless communication network and the wireless device of transmission system information, network node and method therein
CN110719159A (en) * 2019-09-24 2020-01-21 河南师范大学 Multi-party privacy set intersection method for resisting malicious enemies
CN111368297A (en) * 2020-02-02 2020-07-03 西安电子科技大学 Privacy protection mobile malicious software detection method, system, storage medium and application
CN111698734A (en) * 2019-03-11 2020-09-22 中国移动通信有限公司研究院 Access method of non-public network, terminal and base station
CN111726808A (en) * 2019-03-21 2020-09-29 华为技术有限公司 Communication method and device
CN111866989A (en) * 2019-04-28 2020-10-30 华为技术有限公司 Communication method, device and system
CN111866872A (en) * 2019-04-29 2020-10-30 华为技术有限公司 Communication method and device
CN111918308A (en) * 2020-08-04 2020-11-10 中兴通讯股份有限公司 Non-public network measuring method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN113055829B (en) 2022-04-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee (granted publication date: 20220419)