CN113518349A - Service management method, device, system and storage medium - Google Patents


Info

Publication number
CN113518349A
Authority
CN
China
Prior art keywords
gba
network element
service
naf
authentication request
Prior art date
Legal status
Pending
Application number
CN202011148625.4A
Other languages
Chinese (zh)
Inventor
田野
粟栗
安宁宇
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Priority date
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd and China Mobile Communications Ltd Research Institute
Priority to CN202011148625.4A
Publication of CN113518349A
Legal status: Pending

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a service management method, apparatus, system and storage medium. The service management method comprises: receiving Generic Bootstrapping Architecture (GBA) authentication request information sent by a Network Application Function (NAF) network element, the authentication request information comprising an application service identifier; and performing authorization verification of the application server's GBA access right based on that application service identifier. Verifying the application server's GBA access right from the application service identifier carried in the GBA authentication request sent by the NAF network element makes server-level service authorization management possible, prevents GBA from being invoked arbitrarily by an external application server, and thereby improves the GBA system's capacity to provide service to the outside securely.

Description

Service management method, device, system and storage medium
Technical Field
The present invention relates to the field of service management, and in particular, to a method, an apparatus, a system, and a storage medium for service management.
Background
To facilitate the management of open services, 3GPP (the 3rd Generation Partnership Project) has specified GBA (Generic Bootstrapping Architecture), which describes how an Authentication and Key Agreement (AKA) based mechanism can be used in a mobile network to provide a shared key for communication between a user equipment and a network application entity, for example to provide full security authentication and encryption services for application-layer services.
The GBA system may be deployed on a 4G or 5G network. The networking architecture of a GBA system in a 4G network is shown in fig. 1; it comprises a User Equipment (UE), a Bootstrapping Server Function (BSF), a Home Subscriber Server (HSS) and a Network Application Function (NAF). The architecture in a 5G network is similar, with the HSS replaced by Unified Data Management (UDM). The BSF network element authenticates the UE and generates the GBA session key. The NAF network element, deployed on the external application server side, interacts over the Zn interface with the BSF network element deployed on the mobile network side to obtain the GBA session key generated by the BSF, and so establishes a security association with the UE. In the existing GBA architecture the network's GBA security capability is opened directly to external service providers (that is, application servers): once the Zn interface is opened, a service provider can freely call the operator's network capability through its NAF network element and obtain service. The operator also cannot manage or control the service behaviour of users, and cannot perform service management operations such as service provisioning, authorization, statistics, charging and auditing.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method, an apparatus, a system, and a storage medium for service management, which aim to improve the management capability of managing services based on GBA.
The technical scheme of the embodiment of the invention is realized as follows:
the embodiment of the invention provides a service management method, which comprises the following steps:
receiving authentication request information of a Generic Bootstrapping Architecture (GBA) sent by a Network Application Function (NAF) network element, the authentication request information comprising: an application service identifier;
and performing authorization verification of the application server's GBA access right based on the application service identifier.
An embodiment of the present invention further provides a service management apparatus, including:
a receiving module, configured to receive authentication request information of a GBA sent by a NAF network element, where the authentication request information includes: an application service identifier;
and a verification module, configured to perform authorization verification of the application server's GBA access right based on the application service identifier.
An embodiment of the present invention further provides a service management device, including: a processor and a memory for storing a computer program capable of running on the processor, wherein the processor, when running the computer program, is adapted to perform the steps of the method according to any of the embodiments of the present invention.
An embodiment of the present invention further provides a GBA system, including: a BSF network element, a NAF network element and the service management apparatus of the embodiments of the present invention, where the service management apparatus is communicatively connected to both the BSF network element and the NAF network element.
The embodiment of the present invention further provides a storage medium, where a computer program is stored on the storage medium, and when the computer program is executed by a processor, the steps of the method according to the embodiment of the present invention are implemented.
According to the technical scheme of the embodiments of the present invention, the application server's GBA access right is verified from the application service identifier carried in the GBA authentication request information sent by the NAF network element. Server-level service authorization management can thereby be realized, GBA is prevented from being invoked arbitrarily by an external application server, and the GBA system's capacity to provide service securely to the outside is improved.
Drawings
Fig. 1 is a schematic diagram of a conventional GBA system networking architecture;
fig. 2 is a schematic diagram of a networking architecture of a GBA system according to an embodiment of the present invention;
fig. 3 is a flowchart illustrating a service management method according to an embodiment of the present invention;
FIG. 4 is a flow chart of a service management method according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a service management apparatus according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of a service management device according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of a GBA system according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention.
Before introducing the service management method according to the embodiment of the present invention, a GBA system according to the embodiment of the present invention is described. As shown in fig. 2, the GBA system according to the embodiment of the present invention introduces a GBA service management platform based on the GBA system shown in fig. 1, where the GBA service management platform interacts with a BSF network element and a NAF network element through a Zn interface, and is responsible for forwarding Zn interface messages between the NAF network element and the BSF network element, so as to have no influence on the Zn interface implementation of the existing BSF network element and NAF network element.
It should be noted that, the NAF network element shown in fig. 2 is deployed outside the mobile communication network of the operator, and the NAF network element may also be deployed inside the mobile communication network of the operator, that is, the deployment location of the NAF network element does not affect the implementation of the service management method according to the embodiment of the present invention.
As shown in fig. 3, an embodiment of the present invention provides a service management method, which is applied to a GBA service management platform, and the service management method includes:
step 301, receiving authentication request information of GBA sent by NAF network element, where the authentication request information includes: an application service identifier;
Here, after receiving a service request from the user equipment, the NAF network element sends authentication request information to the GBA service management platform based on that service request; the authentication request information may be a Bootstrapping-Info Request (BIR) message. Illustratively, the BIR may include a Bootstrapping Transaction Identifier (B-TID; elsewhere in this description it is also called the bootstrapping temporary identifier, since it serves as a temporary identity) and a Network Application Function Identifier (NAF_ID). The service request sent by the user equipment carries the B-TID; the B-TID is a temporary identifier that protects the user equipment's identity information from being leaked, and it is allocated to the user equipment by the BSF network element.
In practice, a GBA run consists of three stages: initialization, bootstrapping and security association. The initialization stage is where the user equipment and the application server agree to authenticate using GBA; the bootstrapping stage is the essential stage in which GBA authentication is completed and the session key is generated; the security association stage is where the NAF network element obtains the session key from the operator network. Specifically, in the initialization stage the user equipment sends a first access request to the NAF network element on the application server side, and the NAF network element instructs the user equipment to complete GBA-based authentication. In the bootstrapping stage the user equipment interacts with the BSF network element (over the Ub reference point): the two complete mutual authentication, a GBA transaction identifier B-TID is generated for the user, and the user equipment and the BSF network element each derive the GBA intermediate key Ks. On the BSF side Ks is derived from the user's authentication vector AV; if the BSF network element does not hold an AV for the user, it obtains one from the HSS network element over the Zh interface.
The B-TID is a temporary identity allocated by the BSF network element to the user equipment. In some embodiments the B-TID is composed of a random number and the domain name of the BSF and contains no identity information of the user equipment, i.e. it is not associated with the user equipment's phone number, IMSI (International Mobile Subscriber Identity) or the like, so the user equipment's identity remains anonymous towards the application server. In the security association stage, once Ks is available, the user equipment and the BSF network element can each generate a session key Ks_NAF for a specific application; when the user accesses the NAF network element of the application server, the NAF network element obtains Ks_NAF from the BSF network element over a secure channel (e.g. TLS or a dedicated line). With Ks_NAF as the application-layer session key and the B-TID as the temporary user identity, user identity authentication, encryption of the communication channel and the subsequent service interaction can be carried out. The session key Ks_NAF is the GBA session key referred to above.
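The bootstrapping-phase key material described above, as an added worked example (not code from the patent or its assignee): Ks_NAF is derived with the key derivation function of 3GPP TS 33.220 Annex B (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 || ... with FC = 0x01 and P0 = "gba-me" for GBA_ME), the NAF_Id is the FQDN followed by the 5-octet Ua security protocol identifier, and the B-TID is base64(RAND)@BSF-domain as in clause 4.5.2 of the same specification. The CK, IK, RAND, IMPI, FQDN and Ua protocol identifier values are constructed for the example. The UE side and the BSF side arrive at the same Ks_NAF from the same inputs, and the B-TID handed to the NAF carries no private identity.

```python
# Added example: GBA_ME bootstrapping key material per 3GPP TS 33.220 (Annex B KDF,
# clause 4.5.2 B-TID). Not the patent's code; all key values below are constructed.
import base64
import hashlib
import hmac


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """TS 33.220 Annex B.2: HMAC-SHA-256(Key, FC || P0 || L0 || P1 || L1 || ...),
    where each Li is the 2-octet big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        if len(p) > 0xFFFF:
            raise ValueError("KDF input parameter longer than 65535 octets")
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def make_naf_id(fqdn: str, ua_security_protocol_id: bytes) -> bytes:
    """NAF_Id = FQDN (UTF-8) || 5-octet Ua security protocol identifier."""
    if len(ua_security_protocol_id) != 5:
        raise ValueError("Ua security protocol identifier is 5 octets")
    return fqdn.encode("utf-8") + ua_security_protocol_id


def make_b_tid(rand: bytes, bsf_domain: str) -> str:
    """B-TID = base64(RAND) '@' BSF server domain name; it carries no IMPI or IMSI."""
    return base64.b64encode(rand).decode("ascii") + "@" + bsf_domain


def derive_ks_naf(ck: bytes, ik: bytes, rand: bytes, impi: str, naf_id: bytes) -> bytes:
    """Annex B.3 (GBA_ME): Ks = CK || IK; Ks_NAF = KDF(Ks, 0x01, "gba-me", RAND, IMPI, NAF_Id)."""
    if len(rand) != 16:
        raise ValueError("RAND is 16 octets")
    ks = ck + ik  # the intermediate key both UE and BSF hold after bootstrapping
    return kdf(ks, 0x01, b"gba-me", rand, impi.encode("utf-8"), naf_id)


def bootstrap_demo():
    """Constructed values standing in for the AKA authentication vector from the HSS."""
    ck = bytes.fromhex("0f" * 16)
    ik = bytes.fromhex("f0" * 16)
    rand = bytes.fromhex("00112233445566778899aabbccddeeff")
    impi = "alice@ims.example.com"  # private identity, known to UE and BSF only
    naf_id = make_naf_id("naf.example.com", bytes([0x01, 0x00, 0x00, 0x00, 0x01]))

    b_tid = make_b_tid(rand, "bsf.example.com")          # BSF hands this to the UE
    ue_key = derive_ks_naf(ck, ik, rand, impi, naf_id)   # computed on the UE
    bsf_key = derive_ks_naf(ck, ik, rand, impi, naf_id)  # computed by the BSF on a Zn request
    return b_tid, ue_key, bsf_key, naf_id


if __name__ == "__main__":
    b_tid, ue_key, bsf_key, _ = bootstrap_demo()
    print(b_tid, ue_key.hex(), ue_key == bsf_key)
```

Because the NAF_Id enters the KDF, a NAF that presents a different FQDN or Ua protocol identifier obtains a different Ks_NAF, which is why the FQDN in the NAF_Id is the natural handle for the server-level authorization described later.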
Step 302, performing authorization verification of the application server's GBA access right based on the application service identifier.
The service management method of this embodiment verifies the application server's GBA access right from the application service identifier carried in the GBA authentication request information sent by the NAF network element. It can thereby realize server-level service authorization management, prevent GBA from being invoked arbitrarily by an external application server, and improve the GBA system's capacity to provide service securely to the outside.
In some embodiments the application service identifier is the NAF_ID, and performing authorization verification of the application server's GBA access right based on the application service identifier includes:
acquiring the Fully Qualified Domain Name (FQDN) of the application server from the NAF_ID;
and performing authorization verification of the application server's GBA access right based on that FQDN.
In practice, the GBA service management platform may decide whether the application server is permitted to access and use GBA-related services according to the application server's service provisioning state. Specifically, the platform may pre-configure a correspondence between application-server FQDNs and service provisioning states, for example as a state table; it looks up the provisioning state for the FQDN obtained from the NAF_ID, and if the state is "provisioned" the application server passes authorization verification, while if the state is "not provisioned" it fails. This realizes server-level service authorization management, prevents GBA from being invoked arbitrarily by an external application server, and improves the GBA system's capacity to provide service securely to the outside. Note that the FQDN is taken from a NAF_ID that the NAF itself places in the request, so the check is only as strong as the binding between that FQDN and the NAF actually connected on the Zn interface; the platform should therefore confirm that the FQDN belongs to the NAF authenticated on that connection (for example, the identity in its TLS certificate), just as a BSF in TS 33.220 verifies that a NAF is authorized to use the hostname it sends.
It should be noted that at this point the GBA service management platform does not yet have an identifier of the user equipment, and so cannot perform service authorization management at the user equipment level.
In some embodiments, the service management method further comprises:
determining that the application server passes authorization verification, and sending the authentication request information to a BSF network element; or,
and determining that the application server fails the authorization verification, and returning first response information rejecting the authentication request to the NAF network element.
Here, if the application server passes the authorization verification, the GBA service management platform sends the authentication request information to the BSF network element, that is, sends BIR information to the BSF network element, so as to obtain authentication response information corresponding to the bootstrapping temporary identifier; if the application server fails the authorization verification, the GBA service management platform returns first response information for rejecting the authentication request to the NAF network element, and rejects the service request of the application server.
To further enhance the management capability of the GBA service management platform, in some embodiments the authentication request information further includes the B-TID, and after the authentication request information is sent to the BSF network element the method further includes:
receiving authentication response information returned by the BSF network element, where the authentication response information includes user security configuration information;
acquiring, based on the user security configuration information, a terminal identifier of the user equipment corresponding to the B-TID;
and performing authorization verification of the user equipment's GBA access right based on that terminal identifier.
After receiving the authentication request information, the BSF network element may determine, from the B-TID carried in it, the user security configuration information corresponding to the request, and generate the application-layer session key Ks_NAF for the NAF.
Here, the authentication response information that the GBA service management platform receives from the BSF network element is the Bootstrapping-Info Answer (BIA) message corresponding to the BIR. The BIA may include the user security configuration information ussList, which contains the IMPU (IMS Public User Identity) of the user equipment. The GBA service management platform extracts the IMPU from the ussList and performs authorization verification of the user equipment's GBA access right based on it.
In some embodiments the authentication response information further includes a session key, namely the GBA session key determined by the BSF network element. When the GBA service management platform determines that the user equipment passes authorization verification, it forwards the authentication response information, GBA session key included, to the NAF network element, so that the NAF network element can use the GBA session key as the application-layer session key and the B-TID as the temporary user identity for user identity authentication, encryption of the communication channel and the subsequent service interaction.
In practical application, the GBA service management platform may determine whether the user equipment has the right to access and use the GBA-related service according to the service activation state of the user equipment. Specifically, the GBA service management platform may pre-configure a corresponding relationship between IMPU information of the user equipment and a service provisioning state, for example, configure a state table of the service provisioning state, and the GBA service management platform may query, according to the obtained IMPU information of the user equipment, a corresponding service provisioning state in the state table, and if the service provisioning state is provisioned, determine that the user equipment passes authorization verification; and if the service opening state is not opened, judging that the user equipment does not pass the authorization verification. Therefore, the terminal-level service authorization management can be realized, the GBA is prevented from being randomly called by external user equipment, and the capacity of the GBA system for safely providing service for the outside is improved.
In some embodiments, the service management method further comprises:
determining that the user equipment passes authorization verification, and sending the authentication response information to the NAF network element; or,
and determining that the user equipment does not pass the authorization verification, and returning second response information for rejecting the authentication request to the NAF network element.
Here, if the user equipment passes the authorization verification, the GBA service management platform forwards the BIA information to the NAF network element, so that the application server can obtain the GBA session key, and the application server and the user equipment can conveniently perform identity authentication, secure encryption of a communication channel and subsequent service interaction based on the GBA session key; if the user equipment does not pass the authorization verification, the GBA service management platform returns second response information for rejecting the authentication request to the NAF network element, thereby avoiding the GBA from being abused.
Thus, with the service management method of the embodiments of the present invention, the GBA service management platform performs GBA-related service authorization management at both the server level and the terminal level. The GBA security capability that the network opens to the outside is thereby brought under service management and control; a service provider can no longer freely invoke the operator's network capability through its NAF network element once the Zn interface is opened; and management and control of GBA-related services is strengthened through the platform, improving the GBA system's capacity to provide service securely to the outside.
In some embodiments, the service management method further comprises at least one of:
collecting statistics on the GBA-related services that pass authorization verification;
charging for the GBA-related services that pass authorization verification;
and auditing the GBA-related services that pass authorization verification.
Here, the GBA service management platform may perform service management operations such as statistics, charging and/or auditing on the GBA-related services placed under server-level and terminal-level authorization management, and so offer new value-added services to the outside, enriching the service capabilities of the existing GBA system; the application server side still cannot obtain the terminal identifier of the user equipment, which satisfies the privacy protection requirements for user information.
The present invention will be described in further detail with reference to the following application examples.
As shown in fig. 4, in the service management method of this embodiment of the application, in the security association stage of the GBA, the GBA service management platform can obtain the identity information of the user equipment, and perform service authorization and statistics on the GBA network security capability invocation request according to the service state of the user. As shown in fig. 4, the service management method includes:
step 401, a NAF network element receives a service request;
here, after the NAF network element receives the HTTP GET request sent by the user equipment, the NAF network element sends a BIR message to the GBA service management platform to request to acquire information in the aspects of GBA session key, user security configuration, and the like.
Step 402, the GBA service management platform receives a BIR message;
Here, the BIR message includes information such as the B-TID and NAF_ID;
Step 403, extracting the FQDN and authorizing the Server request according to the service authority;
Here, the GBA service management platform extracts the FQDN of the Server (application server) from the NAF_ID and authorizes and counts the GBA service request according to the service provider's service authority, implementing server-level service authorization. For example, the platform may decide from the service provisioning state whether the service provider's NAF or Server is permitted to access and use the GBA service. At this point the identifier of the user terminal is not yet available, so the terminal's service authority is not yet authorized or counted. If authorization passes, go to step 404; if it fails, go to step 405.
Step 404, the GBA service management platform sends BIR message;
if the authorization is passed, the GBA service management platform forwards the BIR message to the BSF network element.
Step 405, the GBA service management platform returns the first response information;
If authorization fails, a DIAMETER_ERROR_NOT_AUTHORIZED (5402) result is returned to the NAF network element, rejecting its service request.
Step 406, the GBA service management platform receives the BIA message;
after receiving the BIR message forwarded by the GBA service management platform, the BSF network element sends the BIA message to the GBA service management platform, where the BIA message includes a session key KeyMaterial and user security configuration information ussList, and the ussList includes IMPU information of the user equipment.
Step 407, extracting the IMPU, authorizing the terminal request according to the service authority, and counting;
The GBA service management platform extracts the IMPU from the ussList, then authorizes and counts the GBA service request according to the user equipment's service authority, implementing terminal-level service authorization. For example, the platform may decide from the user equipment's service provisioning state whether it is permitted to access and use the GBA service. If authorization passes, go to step 408; if it fails, go to step 409.
Step 408, the GBA service management platform forwards the BIA message;
if the authorization is passed, the GBA service management platform forwards the BIA message to the NAF network element.
Step 409, the GBA service management platform returns the second response information.
If authorization fails, a DIAMETER_ERROR_IDENTITY_UNKNOWN (5401) result is returned to the NAF network element, rejecting the terminal's service request.
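The two-stage check of steps 301 and 302 (with the server-level and terminal-level embodiments that follow them) and the step 401 to 409 flow above, implemented as an added simulation that is not the patent's own code: a platform on the Zn path extracts the FQDN from the NAF_ID in the BIR, consults a server provisioning table, forwards the BIR to a stub BSF, then extracts the IMPU from the ussList in the BIA and consults a terminal provisioning table, answering 5402 or 5401 on rejection and counting what passes. The provisioning tables, B-TIDs, IMPUs, key material and the optional `authenticated_naf` binding check are assumptions made for the example; the ussList XML uses the `<uid>` element of the GUSS format in TS 29.109 but is constructed here, and the Python dict keys use the page's field names rather than Diameter AVP encoding.

```python
# Simulated GBA service management platform on the Zn path (added example, not the
# patent's own implementation). Fields use the page's names (B-TID, NAF_ID, KeyMaterial,
# ussList); the Zn AVPs in 3GPP TS 29.109 are Transaction-Identifier, NAF-Id,
# ME-Key-Material and GBA-UserSecSettings.
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Callable, Dict, Optional

DIAMETER_SUCCESS = 2001                               # Diameter base protocol
DIAMETER_ERROR_IDENTITY_UNKNOWN = 5401                # TS 29.109, step 409
DIAMETER_ERROR_NOT_AUTHORIZED = 5402                  # TS 29.109, step 405
DIAMETER_ERROR_TRANSACTION_IDENTIFIER_INVALID = 5403  # TS 29.109, BSF: unknown B-TID
UA_PROTOCOL_ID_LEN = 5  # TS 33.220: NAF_Id = FQDN (UTF-8) || 5-octet Ua security protocol id


def fqdn_from_naf_id(naf_id: bytes) -> str:
    """Step 403: drop the Ua security protocol identifier, keep the FQDN (case-folded)."""
    if len(naf_id) <= UA_PROTOCOL_ID_LEN:
        raise ValueError("NAF_Id shorter than FQDN || Ua protocol identifier")
    return naf_id[:-UA_PROTOCOL_ID_LEN].decode("utf-8").lower()


def impus_from_uss_list(uss_list_xml: str) -> list:
    """Step 407: collect the IMPUs (<uid> elements of the ussList XML) from the BIA."""
    root = ET.fromstring(uss_list_xml)
    return [u.text.strip() for u in root.iter("uid") if u.text and u.text.strip()]


class ServiceManagementPlatform:
    def __init__(self, server_state: Dict[str, bool], terminal_state: Dict[str, bool],
                 bsf: Callable[[dict], dict]):
        self.server_state = server_state      # FQDN -> provisioned?
        self.terminal_state = terminal_state  # IMPU -> provisioned?
        self.bsf = bsf                        # Zn towards the BSF: BIR dict -> BIA dict
        self.stats = Counter()                # feed for statistics / charging / audit

    def handle_bir(self, bir: dict, authenticated_naf: Optional[str] = None) -> dict:
        # Steps 402-403: server-level check on the FQDN carried in NAF_ID.
        try:
            fqdn = fqdn_from_naf_id(bir["NAF_ID"])
        except (KeyError, ValueError, UnicodeDecodeError):
            return {"Result-Code": DIAMETER_ERROR_NOT_AUTHORIZED}
        # Added check (assumption, not in the patent text): NAF_ID is asserted by the
        # NAF itself, so bind it to the identity authenticated on the Zn link if known.
        if authenticated_naf is not None and authenticated_naf.lower() != fqdn:
            self.stats["server_rejected"] += 1
            return {"Result-Code": DIAMETER_ERROR_NOT_AUTHORIZED}
        if not self.server_state.get(fqdn, False):
            self.stats["server_rejected"] += 1
            return {"Result-Code": DIAMETER_ERROR_NOT_AUTHORIZED}   # step 405
        bia = self.bsf(bir)                  # steps 404/406: forward BIR, receive BIA
        if bia.get("Result-Code") != DIAMETER_SUCCESS:
            return bia                       # the BSF's own error passes through
        # Step 407: terminal-level check on the IMPU(s) inside ussList.
        impus = impus_from_uss_list(bia.get("ussList", "<ussList/>"))
        if not any(self.terminal_state.get(i, False) for i in impus):
            self.stats["terminal_rejected"] += 1
            return {"Result-Code": DIAMETER_ERROR_IDENTITY_UNKNOWN}  # step 409
        self.stats[("authorized", fqdn)] += 1  # step 408: forward BIA with KeyMaterial
        return bia


# ---- constructed sample data so the block runs stand-alone ----
UA_PROTO = bytes([0x01, 0x00, 0x00, 0x00, 0x01])   # example Ua security protocol id value
ALICE_BTID = "MTIzNDU2Nzg5MGFiY2RlZg==@bsf.example.com"
BOB_BTID = "YWJjZGVmMTIzNDU2Nzg5MA==@bsf.example.com"
SAMPLE_BSF_DB = {   # B-TID -> (IMPU, KeyMaterial) as the BSF holds them after bootstrapping
    ALICE_BTID: ("sip:alice@ims.example.com", b"\x11" * 32),
    BOB_BTID: ("sip:bob@ims.example.com", b"\x22" * 32),
}
BSF_CALLS = Counter()


def sample_bsf(bir: dict) -> dict:
    """Stub BSF answering a BIR from SAMPLE_BSF_DB."""
    BSF_CALLS["bir"] += 1
    rec = SAMPLE_BSF_DB.get(bir.get("B-TID"))
    if rec is None:
        return {"Result-Code": DIAMETER_ERROR_TRANSACTION_IDENTIFIER_INVALID}
    impu, key = rec
    uss = f'<ussList><uss id="1" type="0"><uids><uid>{impu}</uid></uids></uss></ussList>'
    return {"Result-Code": DIAMETER_SUCCESS, "KeyMaterial": key, "ussList": uss}


def make_sample_platform() -> ServiceManagementPlatform:
    return ServiceManagementPlatform(
        server_state={"naf.example.com": True, "rogue.example.net": False},
        terminal_state={"sip:alice@ims.example.com": True, "sip:bob@ims.example.com": False},
        bsf=sample_bsf)


def make_bir(b_tid: str, fqdn: str) -> dict:
    return {"B-TID": b_tid, "NAF_ID": fqdn.encode("utf-8") + UA_PROTO}
```

A call such as `make_sample_platform().handle_bir(make_bir(ALICE_BTID, "naf.example.com"))` returns the BIA with its KeyMaterial; the same B-TID with `rogue.example.net` returns Result-Code 5402 before the BSF is contacted, and `BOB_BTID` returns 5401 after the BSF has answered, because the terminal check can only run once the IMPU has arrived in the BIA.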
In order to implement the method according to the embodiment of the present invention, an embodiment of the present invention further provides a service management apparatus, where the service management apparatus corresponds to the service management method, and each step in the embodiment of the service management method is also completely applicable to the embodiment of the service management apparatus.
As shown in fig. 5, the service management apparatus 500 includes: a receiving module 501 and a verifying module 502, wherein the receiving module 501 is configured to receive authentication request information of a GBA sent by a NAF network element, where the authentication request information includes: an application service identifier; the verification module 502 is configured to perform authorization verification on the GBA access right of the application server based on the application service identifier.
In some embodiments, the application service identifier is the Network Application Function Identifier (NAF_ID), and the verification module 502 is specifically configured to:
obtain the Fully Qualified Domain Name (FQDN) of the application server from the NAF_ID;
and perform authorization verification of the application server's GBA access right based on that FQDN.
In some embodiments, the service management apparatus 500 further includes: a sending module 503, where the sending module 503 is configured to:
determining that the application server passes authorization verification, and sending the authentication request information to a BSF network element; or,
and determining that the application server fails the authorization verification, and returning first response information rejecting the authentication request to the NAF network element.
In some embodiments, the authentication request information further comprises the B-TID, and the receiving module 501 is further configured to receive authentication response information returned by the BSF network element, where the authentication response information includes user security configuration information; the verification module 502 is further configured to acquire a terminal identifier of the user equipment based on the user security configuration information, and to perform authorization verification of the user equipment's GBA access right based on that terminal identifier.
In some embodiments, the authentication response information further comprises: a session key. Here, the session key is the GBA session key.
In some embodiments, the sending module 503 is further configured to:
determining that the user equipment passes authorization verification, and sending the authentication response information to the NAF network element; or,
and determining that the user equipment does not pass the authorization verification, and returning second response information for rejecting the authentication request to the NAF network element.
In some embodiments, the service management apparatus 500 further includes: a service management module 504, configured to perform at least one of:
collecting statistics on the GBA-related services that pass authorization verification;
charging for the GBA-related services that pass authorization verification;
and auditing the GBA-related services that pass authorization verification.
In actual application, the receiving module 501, the verifying module 502, the sending module 503 and the service management module 504 may be implemented by a processor in the service management apparatus 500. Of course, the processor needs to run a computer program in memory to implement their functions.
It should be noted that: in the service management device provided in the above embodiment, when performing service management, only the division of each program module is illustrated, and in practical applications, the processing allocation may be completed by different program modules according to needs, that is, the internal structure of the device is divided into different program modules to complete all or part of the processing described above. In addition, the service management apparatus and the service management method provided by the above embodiments belong to the same concept, and specific implementation processes thereof are described in the method embodiments for details, which are not described herein again.
Based on the hardware implementation of the program module, and in order to implement the method according to the embodiment of the present invention, an embodiment of the present invention further provides a service management device (i.e., the aforementioned GBA service management platform). Fig. 6 shows only an exemplary structure of the service management apparatus, not the entire structure, and a part of or the entire structure shown in fig. 6 may be implemented as necessary.
As shown in fig. 6, a service management device 600 provided in an embodiment of the present invention includes: at least one processor 601, a memory 602, a user interface 603, and at least one network interface 604. The various components in the service management device 600 are coupled together by a bus system 605. It will be appreciated that the bus system 605 is used to enable communication among the components. In addition to a data bus, the bus system 605 includes a power bus, a control bus, and a status signal bus. For clarity of illustration, however, the various buses are labeled as bus system 605 in fig. 6.
The user interface 603 may include, among other things, a display, a keyboard, a mouse, a trackball, a click wheel, a key, a button, a touch pad, or a touch screen.
The memory 602 in embodiments of the present invention is used to store various types of data to support the operation of the service management device. Examples of such data include any computer program for operating on the service management device.
The service management method disclosed by the embodiment of the present invention may be applied to the processor 601 or implemented by the processor 601. The processor 601 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the service management method may be carried out by integrated logic circuits of hardware or by instructions in the form of software in the processor 601. The processor 601 may be a general purpose processor, a Digital Signal Processor (DSP), or another programmable logic device, discrete gate or transistor logic device, discrete hardware component, or the like. The processor 601 may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present invention. A general purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed by the embodiment of the present invention may be carried out directly by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium in the memory 602; the processor 601 reads the information in the memory 602 and, in combination with its hardware, performs the steps of the service management method provided by the embodiment of the present invention.
In an exemplary embodiment, the service management device may be implemented by one or more Application Specific Integrated Circuits (ASICs), DSPs, Programmable Logic Devices (PLDs), Complex Programmable Logic Devices (CPLDs), FPGAs, general purpose processors, controllers, Micro Controller Units (MCUs), microprocessors, or other electronic components for performing the aforementioned methods.
It will be appreciated that the memory 602 may be volatile memory, nonvolatile memory, or both. The nonvolatile memory may be a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Ferromagnetic Random Access Memory (FRAM), a Flash Memory, a magnetic surface memory, an optical disk, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be disk storage or tape storage. The volatile memory may be a Random Access Memory (RAM), which serves as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static RAM (SRAM), Synchronous Static RAM (SSRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), SyncLink DRAM (SLDRAM), and Direct Rambus RAM (DRRAM). The memory described for embodiments of the present invention is intended to comprise, without being limited to, these and any other suitable types of memory.
An embodiment of the present invention further provides a GBA system, as shown in fig. 7. The GBA system includes a BSF network element 701, a NAF network element 702, and the service management device 600 according to the foregoing embodiments; the service management device 600 is communicatively connected to the BSF network element 701 and to the NAF network element 702. In practical application, the service management device 600 is communicatively connected to the BSF network element 701 and the NAF network element 702 through Zn interfaces, the BSF network element 701 is connected to the HSS network element 704 through a Zh interface, the BSF network element 701 is connected to the User Equipment (UE) 703 through a Ub interface, and the NAF network element 702 is connected to the user equipment 703 through a Ua interface. For the service management method executed by the service management device 600, refer to the foregoing method embodiments; it is not repeated here.
It should be noted that the NAF network element 702 shown in fig. 7 is deployed outside the mobile communication network of the operator, but the NAF network element 702 may also be deployed inside the mobile communication network of the operator; that is, the deployment location of the NAF network element 702 does not affect the implementation of the service management method according to the embodiment of the present invention.
In an exemplary embodiment, the embodiment of the present invention further provides a storage medium, namely a computer storage medium, which may specifically be a computer readable storage medium, for example a memory 602 storing a computer program, where the computer program is executable by a processor 601 of a service management device 600 to perform the steps described in the method of the embodiment of the present invention. The computer readable storage medium may be a ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface memory, optical disk, CD-ROM, or the like.
It should be noted that: "first," "second," and the like are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
In addition, the technical solutions described in the embodiments of the present invention may be arbitrarily combined without conflict.
The above description covers only specific embodiments of the present invention, but the scope of the present invention is not limited thereto; any changes or substitutions that a person skilled in the art can readily conceive within the technical scope of the present invention shall be covered by the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (11)

1. A method for service management, comprising:
receiving authentication request information of a Generic Bootstrapping Architecture (GBA) sent by a Network Application Function (NAF) network element, wherein the authentication request information comprises: an application service identifier;
and performing authorization verification on the GBA access right of the application server based on the application service identification.
2. The method of claim 1, wherein the application service identifier is a network application function identifier NAF_ID, and wherein the authorization verification of the GBA access right of the application server based on the application service identifier comprises:
acquiring a fully qualified domain name (FQDN) of the application server based on the NAF_ID;
and performing authorization verification on the GBA access right of the application server based on the FQDN of the application server.
3. The method of claim 1, further comprising:
determining that the application server passes authorization verification, and sending the authentication request information to a BSF network element; or,
and determining that the application server fails the authorization verification, and returning first response information rejecting the authentication request to the NAF network element.
4. The method of claim 3, wherein the authentication request information further comprises a bootstrapping temporary identifier, and wherein, after the authentication request information is sent to the BSF network element, the method further comprises:
receiving authentication response information returned by the BSF network element, wherein the authentication response information comprises: user security configuration information;
acquiring a terminal identifier of user equipment based on the user security configuration information;
and performing authorization verification on the GBA access right of the user equipment based on the terminal identification.
5. The method of claim 4, further comprising:
determining that the user equipment passes authorization verification, and sending the authentication response information to the NAF network element; or,
and determining that the user equipment does not pass the authorization verification, and returning second response information for rejecting the authentication request to the NAF network element.
6. The method of claim 4, wherein the authentication response information further comprises: a session key.
7. The method of claim 5, further comprising at least one of:
counting the GBA-related services that pass the authorization verification;
charging for the GBA-related services that pass the authorization verification;
and auditing the GBA-related services that pass the authorization verification.
8. A service management apparatus, comprising:
a receiving module, configured to receive authentication request information of a GBA sent by a NAF network element, where the authentication request information includes: an application service identifier;
and a verification module, configured to perform authorization verification on the GBA access right of the application server based on the application service identifier.
9. A service management device, comprising: a processor and a memory for storing a computer program capable of running on the processor, wherein,
the processor, when executing the computer program, is adapted to perform the steps of the method of any of claims 1 to 7.
10. A GBA system, comprising: BSF network element, NAF network element and the service management apparatus according to claim 9, wherein the service management apparatus is communicatively connected to the BSF network element and the NAF network element, respectively.
11. A storage medium having a computer program stored thereon, the computer program, when executed by a processor, implementing the steps of the method of any one of claims 1 to 7.
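The two-stage authorization of claims 1 to 7 (application server first, then user equipment, with counting and auditing of what passes), modelled as an added example that is not code from the patent or from the applicant. It assumes the 3GPP TS 33.220 layout of NAF_ID (FQDN followed by a 5-byte Ua security protocol identifier); the BSF, the allowlists, the B-TIDs and the USS contents are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, List, Set

# Assumption (3GPP TS 33.220): NAF_ID = FQDN of the NAF || 5-byte Ua security
# protocol identifier. Only the FQDN part is used for the authorization check.
UA_PROTO_ID_LEN = 5

def fqdn_from_naf_id(naf_id: bytes) -> str:
    """Claim 2: recover the application server's FQDN from the NAF_ID."""
    if len(naf_id) <= UA_PROTO_ID_LEN:
        raise ValueError("NAF_ID too short to contain an FQDN")
    return naf_id[:-UA_PROTO_ID_LEN].decode("ascii").lower().rstrip(".")

@dataclass
class GbaServiceManager:
    """Sits on the Zn path between NAF and BSF (claims 1 to 7)."""
    allowed_nafs: Set[str]            # FQDNs of application servers allowed to use GBA
    allowed_ues: Set[str]             # terminal identifiers allowed to use GBA
    bsf: Callable[[dict], dict]       # stand-in for the Zn request to the BSF
    passed: int = 0                   # claim 7: count of services that passed
    audit: List[tuple] = field(default_factory=list)

    def _reject(self, which: str, reason: str) -> dict:
        # "first" = rejected before the BSF is contacted, "second" = after
        self.audit.append(("rejected", which, reason))
        return {"status": "rejected", "response": which, "reason": reason}

    def handle(self, request: dict) -> dict:
        try:
            fqdn = fqdn_from_naf_id(request["naf_id"])
        except (ValueError, UnicodeDecodeError):
            return self._reject("first", "malformed NAF_ID")
        if fqdn not in self.allowed_nafs:           # claims 1 to 3: application server
            return self._reject("first", f"application server {fqdn} not authorized")
        resp = self.bsf(request)                     # forward B-TID + NAF_ID to the BSF
        ue_id = resp.get("uss", {}).get("ue_id")     # claim 4: terminal id from the USS
        if ue_id not in self.allowed_ues:
            return self._reject("second", f"user equipment {ue_id} not authorized")
        self.passed += 1
        # Audit records identifiers only; the session key is never logged.
        self.audit.append(("passed", fqdn, ue_id, request["b_tid"]))
        return {"status": "ok", "ks_naf": resp["ks_naf"], "uss": resp["uss"]}

def fake_bsf(request: dict) -> dict:
    """Constructed stand-in for the BSF; a real BSF derives Ks_NAF from Ks."""
    subscribers = {b"tid-1@bsf.example": "user1@example.com",
                   b"tid-2@bsf.example": "guest@example.com"}
    ue_id = subscribers.get(request["b_tid"], "unknown")
    placeholder_key = hashlib.sha256(request["b_tid"] + request["naf_id"]).digest()
    return {"ks_naf": placeholder_key, "uss": {"ue_id": ue_id}}

# Constructed sample values: FQDN followed by a made-up Ua protocol identifier
NAF_ID_OK = b"app.example.com" + b"\x01\x00\x01\x00\x02"
NAF_ID_BAD = b"rogue.example.net" + b"\x01\x00\x01\x00\x02"

def build_demo_manager() -> GbaServiceManager:
    return GbaServiceManager({"app.example.com"}, {"user1@example.com"}, fake_bsf)

if __name__ == "__main__":
    mgr = build_demo_manager()
    print(mgr.handle({"naf_id": NAF_ID_OK, "b_tid": b"tid-1@bsf.example"})["status"])
    print(mgr.handle({"naf_id": NAF_ID_BAD, "b_tid": b"tid-1@bsf.example"}))
    print(mgr.handle({"naf_id": NAF_ID_OK, "b_tid": b"tid-2@bsf.example"}))
    print(mgr.passed, mgr.audit)
```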
CN202011148625.4A 2020-10-23 2020-10-23 Service management method, device, system and storage medium Pending CN113518349A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011148625.4A CN113518349A (en) 2020-10-23 2020-10-23 Service management method, device, system and storage medium

Publications (1)

Publication Number Publication Date
CN113518349A true CN113518349A (en) 2021-10-19

Family

ID=78060874

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011148625.4A Pending CN113518349A (en) 2020-10-23 2020-10-23 Service management method, device, system and storage medium

Country Status (1)

Country Link
CN (1) CN113518349A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination