CN114006696A - Communication method, device, system and computer readable storage medium - Google Patents


Info

Publication number
CN114006696A
Authority
CN
China
Prior art keywords
gateway
key
network element
network
parameter
Prior art date
Legal status
Pending
Application number
CN202111560638.7A
Other languages
Chinese (zh)
Inventor
刘国荣
沈军
白景鹏
汪来富
金华敏
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Priority date
Filing date
Publication date
Application filed by China Telecom Corp Ltd
Priority to CN202111560638.7A
Publication of CN114006696A
Current legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure provides a communication method, apparatus, system and computer readable storage medium in the field of communications. The method includes: a first gateway of an edge network generates a second key for communicating with a second gateway of a core network, based on a first key used for verifying the second gateway; the first gateway generates a third key based on the second key and the identifier of a virtualized first network element of the edge network; and the first gateway sends the third key to the first network element and to the second gateway, so that the second gateway verifies the first network element based on the third key, and the first network element communicates with a second network element of the core network based on the third key after the verification has passed.

Description

Communication method, device, system and computer readable storage medium
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a communication method, apparatus, system, and computer-readable storage medium.
Background
With the development of 5G and 6G technologies, Network Function Virtualization (NFV) technology is also developing continuously. NFV enables cloud-based networking, offers flexible network customization, and is widely applied to enterprise-oriented customized private networks. Some network elements of such a customized private network are deployed at edge nodes, such as cities and industrial parks, and these network elements are virtualized edge network elements.
In the related art, a virtualized edge network element accesses a core network using a pre-shared key.
Disclosure of Invention
The inventor has noted that the pre-shared key of the related art offers low security. The main reason is that a pre-shared key must be distributed to the virtualized edge network element in advance, and a key distributed in this way is easily leaked.
In order to solve the above problem, the embodiments of the present disclosure propose the following solutions.
According to an aspect of the embodiments of the present disclosure, there is provided a communication method, including: a first gateway of an edge network generates a second key for communicating with a second gateway of a core network based on a first key for verifying the second gateway; the first gateway generates a third key based on the second key and an identifier of a virtualized first network element of the edge network; and the first gateway sends the third key to the first network element and the second gateway, so that the second gateway verifies the first network element based on the third key, and the first network element communicates with a second network element of a core network based on the third key after the verification is passed.
In some embodiments, the first gateway receives a second parameter generated by the second gateway based on the first parameter and the first key; the first gateway generates a third parameter and a fourth parameter based on the first parameter and the first key; and the first gateway sends the fourth parameter to the second gateway under the condition that the second parameter is consistent with the third parameter, so that the second gateway returns a verification passing message to the first gateway under the condition that the fourth parameter is consistent with a fifth parameter, wherein the fifth parameter is generated by the second gateway based on the first parameter and the first key.
In some embodiments, in response to the authentication pass message, the first gateway generates the second key based on the first key.
In some embodiments, the first gateway receives second information generated by the first network element encrypting first information based on the third key; the first gateway encrypts the second information based on the second key to generate third information; and the first gateway sends the third information to the second gateway, so that the second gateway decrypts the third information based on the second key and the third key to obtain the first information and sends the first information to the second network element.
In some embodiments, the first gateway receives fifth information generated by the second gateway encrypting fourth information based on the second key and the third key; the first gateway decrypts the fifth information based on the second key to obtain sixth information; and the first gateway sends the sixth information to the first network element, so that the first network element decrypts the sixth information based on the third key to obtain the fourth information.
In some embodiments, the first key is from a subscriber identity card.
In some embodiments, the subscriber identity card is pluggably connected to the first gateway; before generating the second key, the first gateway sends a sixth parameter obtained based on the identifier of the first gateway and the identifier of the subscriber identity card to the second gateway, so that the second gateway determines whether the identifier of the first gateway and the identifier of the subscriber identity card are consistent with pre-configured binding information based on the sixth parameter.
In some embodiments, the subscriber identity card comprises at least one of a Universal Subscriber Identity Module (USIM) card and an embedded SIM (eSIM).
In some embodiments, the first gateway authenticates the first network element prior to generating the second key.
In some embodiments, the first gateway authenticates the first network element using at least one of a pre-shared key, a certificate authority certificate, and an authentication and key agreement protocol.
According to another aspect of the embodiments of the present disclosure, there is provided a communication apparatus including: a generation module configured to generate a second key for communicating with a second gateway of a core network based on a first key for authenticating the second gateway, and generate a third key based on the second key and an identification of a virtualized first network element of an edge network; a sending module configured to send the third key to the first network element and the second gateway, so that the second gateway authenticates the first network element based on the third key, and the first network element communicates with a second network element of a core network based on the third key after the authentication is passed.
According to still another aspect of the embodiments of the present disclosure, there is provided a communication apparatus including: a memory; and a processor coupled to the memory, the processor configured to perform the method of any of the above embodiments based on instructions stored in the memory.
According to still another aspect of the embodiments of the present disclosure, there is provided a communication system including: a first gateway of an edge network, comprising the communication device according to any of the above embodiments; a second network element of the core network; a virtualized first network element of an edge network configured to communicate with the second network element based on a third key after authentication passes; and a second gateway of the core network configured to authenticate the first network element based on the third key.
According to a further aspect of the embodiments of the present disclosure, there is provided a computer-readable storage medium comprising computer program instructions, wherein the computer program instructions, when executed by a processor, implement the method of any one of the above embodiments.
According to a further aspect of embodiments of the present disclosure, there is provided a computer program product comprising a computer program, wherein the computer program when executed by a processor implements the method of any one of the above.
In the embodiments of the disclosure, the first gateway of the edge network establishes a trust relationship with the core network based on the first key; it generates the second key from the first key, thereby extending that trust relationship to the second key; and finally it generates the third key from the second key and the identifier of the first network element, thereby extending the trust relationship to the first network element through the third key. A trust relationship is thus established between the first network element and the core network, and the security of communication between them is ensured.
The technical solution of the present disclosure is further described in detail by the accompanying drawings and examples.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present disclosure, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flow chart of a communication method according to some embodiments of the present disclosure;
FIG. 2 is a flow diagram of a verification method according to some embodiments of the present disclosure;
figure 3 is a flow chart of a communication process of a first network element and a second network element, according to some embodiments of the present disclosure;
fig. 4 is a flow chart of a communication process of a first network element and a second network element according to further embodiments of the present disclosure;
fig. 5 is a schematic structural diagram of a communication device according to some embodiments of the present disclosure;
FIG. 6 is a schematic block diagram of a communication device according to further embodiments of the present disclosure;
fig. 7 is a schematic structural diagram of a communication system according to some embodiments of the present disclosure;
fig. 8 is a schematic block diagram of a communication system according to further embodiments of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present disclosure will be clearly and completely described below with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are only a part of the embodiments of the present disclosure, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
The relative arrangement of the components and steps, the numerical expressions, and numerical values set forth in these embodiments do not limit the scope of the present disclosure unless specifically stated otherwise.
Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
Fig. 1 is a flow chart of a communication method according to some embodiments of the present disclosure.
At step 102, a first gateway of an edge network generates a second key for communicating with a second gateway of a core network based on a first key for authenticating the second gateway.
In some embodiments, the first key is the key with which the second gateway authenticates the first gateway, and with which the first gateway authenticates the second gateway. The authentication method between the first gateway and the second gateway is described later in connection with some embodiments.
According to some embodiments, the second key may be generated during the verification process or after the verification process, which will be described later in connection with different embodiments.
In step 104, the first gateway generates a third key based on the second key and an identification of the virtualized first network element of the edge network.
According to some embodiments, the identity of each first network element is different from the identity of the other first network elements, in which case the third keys generated for the different first network elements are also different.
According to some embodiments, the first gateway generates the third key using a Key Derivation Function (KDF) based on the second key and the identity of the first network element. The identification of the first network element comprises, for example, at least one of a name, a number and an IP address of the first network element.
In step 106, the first gateway sends the third key to the first network element and the second gateway, so that the second gateway verifies the first network element based on the third key, and the first network element communicates with the second network element of the core network based on the third key after the verification is passed.
According to some embodiments, the authentication of the first network element by the second gateway uses the same authentication method as the authentication of the second gateway by the first gateway.
According to some embodiments, the second gateway of the core network and the second network element of the core network are mutually trusted, and the plurality of second network elements of the core network are also mutually trusted without authentication.
The communication procedure between the first network element and the second network element will be described later in connection with some embodiments.
In the above embodiment, the first gateway of the edge network establishes a trust relationship with the core network based on the first key; it generates the second key from the first key, thereby extending that trust relationship to the second key; and finally it generates the third key from the second key and the identifier of the first network element, thereby extending the trust relationship to the first network element through the third key. A trust relationship is thus established between the first network element and the core network, and the security of communication between them is ensured.
Fig. 2 is a flow diagram of a verification method according to some embodiments of the present disclosure.
At step 202, the first gateway receives a second parameter generated by the second gateway based on the first parameter and the first key.
According to some embodiments, the first gateway and the second gateway each store the same first key.
According to some embodiments, the second gateway generates a random number R and sends the random number R to the first gateway as the first parameter.
According to some embodiments, the second gateway calculates the second parameter AUTN and the fifth parameter XRES by two methods (e.g., two functions) based on the first key and the first parameter R, and sends the second parameter AUTN to the first gateway.
In step 204, the first gateway generates third and fourth parameters based on the first parameter and the first key.
According to some embodiments, the first gateway calculates the third parameter AUTN-UE and the fourth parameter RES using two methods (e.g. two functions) based on the first key and the first parameter R.
In step 206, the first gateway sends the fourth parameter to the second gateway if the second parameter is consistent with the third parameter, so that the second gateway returns a verification passing message to the first gateway if the fourth parameter is consistent with a fifth parameter, where the fifth parameter is generated by the second gateway based on the first parameter and the first key.
According to some embodiments, the first gateway compares whether the second parameter AUTN and the third parameter AUTN-UE are consistent; if they are, the second gateway is trusted, and the first gateway sends the fourth parameter RES to the second gateway. The second gateway then compares whether the fourth parameter RES is consistent with the fifth parameter XRES; if so, the first gateway is trusted, and the second gateway returns a verification-pass message to the first gateway, so that bidirectional authentication is realized.
It should be understood that the authentication method may also include other steps, for example, a Ciphering Key (CK), an Integrity Key (IK), an anchor key (Kseaf), or a Kamf key may be generated.
According to some embodiments, the verification method comprises an Authentication and Key Agreement (AKA) protocol. For example, AKA includes 5G-AKA, EAP-AKA' (the Extensible Authentication Protocol method for AKA), and IKEv2 with EAP-AKA (Internet Key Exchange version 2 carrying EAP-AKA), among others.
In the above embodiment, the bidirectional authentication between the first gateway and the second gateway is realized, which is beneficial for the first gateway and the second gateway to mutually confirm whether the other side is trusted, thereby ensuring the security of communication between the gateways.
Some embodiments of the manner in which the second key is generated are described below.
According to some embodiments, in response to the authentication pass message, the first gateway generates a second key based on the first key.
As some implementations, the first gateway generates the second key from the first key with a Key Derivation Function (KDF), for example using the CK and IK generated from the first key during the authentication process to compute a second key K2 as K2 = KDF(CK + IK + R), where R is the random number of the authentication and "+" denotes concatenation of the inputs. The KDF may employ a hash function such as SM3 or SHA-256.
According to further embodiments, the first gateway uses the key generated during the authentication process as the second key, e.g. Kseaf or Kamf as the second key.
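The following is an added worked example, not code from the patent. It runs the Fig. 2 exchange between the two gateways with HMAC-SHA256 standing in for the unspecified functions that produce AUTN/XRES and AUTN-UE/RES, gates the exchange on the gateway/card binding check that the summary describes for the pluggable subscriber identity card (the "sixth parameter"), and derives K2 = KDF(CK + IK + R) with SHA-256 as the KDF, as the description suggests. The class and function names, the label strings, the form of the binding digest and the sample key and identifiers are all assumptions. One caveat the description does not raise: as written, AUTN depends only on K1 and the core gateway's own random number R, so the first gateway obtains no freshness guarantee from it; 3GPP AKA carries a sequence number inside AUTN for exactly that reason, and a deployment should use one of the AKA variants the description lists rather than this simplified exchange.

```python
import hashlib
import hmac
import os

# Added example, not the patent's code. The f1/f2-style functions, the CK/IK
# derivation and the binding digest are assumptions: the description only says
# AUTN/XRES and AUTN-UE/RES are computed "by two methods" from K1 and R.


def prf(key, label, *parts):
    """HMAC-SHA256 with a label and length-prefixed inputs, so each use is domain separated."""
    mac = hmac.new(key, label, hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()


def binding_parameter(gateway_id, sim_id):
    """The 'sixth parameter': a digest over the gateway identifier and the card identifier."""
    return hashlib.sha256(len(gateway_id).to_bytes(2, "big") + gateway_id + sim_id).digest()


def derive_k2(k1, r):
    """K2 = KDF(CK + IK + R), with SHA-256 as the KDF and '+' read as concatenation."""
    ck = prf(k1, b"CK", r)  # ciphering key produced during the authentication
    ik = prf(k1, b"IK", r)  # integrity key produced during the authentication
    return hashlib.sha256(ck + ik + r).digest()


class CoreGateway:
    """The second gateway: holds K1 and the pre-configured gateway/card bindings."""

    def __init__(self, k1, bindings):
        self.k1 = k1
        self.bindings = {binding_parameter(g, s) for g, s in bindings}
        self.pending = {}  # R -> XRES for challenges that have not been answered yet

    def challenge(self, sixth_parameter):
        """Check the binding, then issue (R, AUTN) for step 202; None if the binding is unknown."""
        if sixth_parameter not in self.bindings:
            return None
        r = os.urandom(16)
        autn = prf(self.k1, b"AUTN", r)
        self.pending[r] = prf(self.k1, b"RES", r)  # XRES, compared with RES in step 206
        return r, autn

    def verify_response(self, r, res):
        """Step 206 on the core side: RES must equal XRES; return K2 on success, else None."""
        xres = self.pending.pop(r, None)  # each challenge can be answered once
        if xres is None or not hmac.compare_digest(xres, res):
            return None
        return derive_k2(self.k1, r)


class EdgeGateway:
    """The first gateway: K1 comes from its subscriber identity card."""

    def __init__(self, k1, gateway_id, sim_id):
        self.k1, self.gateway_id, self.sim_id = k1, gateway_id, sim_id

    def sixth_parameter(self):
        return binding_parameter(self.gateway_id, self.sim_id)

    def respond(self, r, autn):
        """Step 204: recompute AUTN-UE; release RES only if the core gateway proved it knows K1."""
        autn_ue = prf(self.k1, b"AUTN", r)
        if not hmac.compare_digest(autn, autn_ue):
            return None
        return prf(self.k1, b"RES", r)


def authenticate(edge, core):
    """Run the Fig. 2 exchange end to end; return (K2 at the edge, K2 at the core) or None."""
    challenge = core.challenge(edge.sixth_parameter())
    if challenge is None:
        return None
    r, autn = challenge
    res = edge.respond(r, autn)
    if res is None:
        return None
    k2_core = core.verify_response(r, res)
    if k2_core is None:
        return None
    # The verification-pass message is what triggers the derivation on the edge side.
    return derive_k2(edge.k1, r), k2_core


# Constructed key and identifiers for a stand-alone run.
K1 = hashlib.sha256(b"constructed long-term key for the example").digest()
GW_ID, SIM_ID = b"edge-gw-fingerprint-01", b"IMSI-460000000000001"

if __name__ == "__main__":
    core = CoreGateway(K1, [(GW_ID, SIM_ID)])
    result = authenticate(EdgeGateway(K1, GW_ID, SIM_ID), core)
    print("K2 agreed on both sides:", result is not None and result[0] == result[1])
    print("card on an unbound gateway rejected:", authenticate(EdgeGateway(K1, b"other-gw", SIM_ID), core) is None)
```

The edge gateway releases RES only after AUTN has checked out, so a party that does not hold K1 never learns a valid response, and the core gateway discards each R after one answer, so a captured RES cannot be replayed against the same challenge.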
In accordance with some embodiments, the first gateway authenticates the first network element prior to generating the second key, e.g., the first gateway authenticates the first network element using at least one of a pre-shared key, a certificate authority certificate, and AKA.
In the above embodiment, the first gateway verifies the first network element, which is beneficial to determining whether the first network element is trusted, so that the security of communication is guaranteed.
Fig. 3 is a flow chart of a communication process of a first network element and a second network element according to some embodiments of the present disclosure.
In step 302, the first gateway receives second information generated by the first network element encrypting the first information based on the third key.
In step 304, the first gateway encrypts the second information based on the second key to generate third information.
In step 306, the first gateway sends the third information to the second gateway, so that the second gateway decrypts the third information based on the second key and the third key to obtain the first information and sends the first information to the second network element.
Fig. 4 is a flow chart of a communication process of a first network element and a second network element according to further embodiments of the present disclosure.
In step 402, the first gateway receives fifth information generated by the second gateway encrypting fourth information based on the second key and the third key.
At step 404, the first gateway decrypts the fifth information based on the second key to obtain the sixth information.
In step 406, the first gateway sends the sixth information to the first network element, so that the first network element decrypts the sixth information based on the third key to obtain the fourth information.
In the embodiments of Figs. 3 and 4, the network-layer data exchanged between the first gateway and the second gateway (i.e., the second information) is encrypted with the second key, while the transport-layer data exchanged between the first network element and the second network element (i.e., the first information) is encrypted with the third key. The gateway-to-gateway hop therefore adds an outer layer of encryption around the layer that the network elements apply end to end.
According to some embodiments, the second gateway and the second network element are mutually trusted and therefore do not need to be authenticated. According to further embodiments, authentication is also required between the second gateway and the second network element. For example, authentication is performed using the AKA authentication method. Further, after the verification is passed, the second gateway and the second network element communicate based on the key generated in the verification process or after the verification.
According to some embodiments, the communication between the first network element and the second network element is implemented using the Network Domain Security for IP (NDS/IP) mechanism. In some implementations, the communication between the first gateway and the second gateway within it is implemented using IP Security (IPsec), for example IPsec with Encapsulating Security Payload (ESP) in tunnel mode.
In the above embodiment, the encryption of the communication between the first network element and the second network element is beneficial to ensuring the communication security.
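The following is an added example, not the patent's code, of steps 104 and 106 together with the two-layer encryption of Figs. 3 and 4. K2 is assumed to be already shared by the two gateways (a constructed constant here); K3 is derived per network-element identifier with an HMAC-SHA256 KDF; and the encryption is an encrypt-then-MAC construction built from HMAC-SHA256 so that the example runs on the Python standard library alone, where a deployment would use an IPsec ESP cipher suite as the description suggests. The names, labels and identifiers are assumptions. The second gateway "verifies the first network element based on the third key" by checking the inner authentication tag under the K3 it was given for that element, so a message wrapped with another element's K3, a tampered ciphertext, or a message from an element whose K3 has been invalidated after the element was stopped is dropped.

```python
import hashlib
import hmac
import os

# Added example, not the patent's code. K2 is assumed to be agreed already; the
# cipher is an HMAC-SHA256 based encrypt-then-MAC stand-in for an ESP cipher suite.

NONCE_LEN, TAG_LEN = 12, 32


def kdf(key, label, *parts):
    """HMAC-SHA256 KDF with a label and length-prefixed inputs."""
    mac = hmac.new(key, label, hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()


def derive_k3(k2, ne_id):
    """Step 104: K3 = KDF(K2, identifier of the first network element); differs per element."""
    return kdf(k2, b"K3", ne_id)


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256(key, nonce || counter)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag, with separate enc and mac subkeys."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(kdf(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(kdf(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag first; return the plaintext, or None if the tag does not match."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(kdf(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(kdf(key, b"enc"), nonce, len(ct))))


class CoreGateway:
    """Second gateway: keeps K2 and the K3 the first gateway registered for each network element."""

    def __init__(self, k2):
        self.k2 = k2
        self.k3_by_ne = {}

    def register(self, ne_id, k3):
        self.k3_by_ne[ne_id] = k3  # step 106: the first gateway sends K3 to the second gateway

    def invalidate(self, ne_id):
        self.k3_by_ne.pop(ne_id, None)  # the element was stopped, so its K3 is no longer valid

    def receive(self, ne_id, third_info):
        """Fig. 3: strip the K2 layer, then verify and strip the K3 layer of the claimed element."""
        second_info = unseal(self.k2, third_info)
        k3 = self.k3_by_ne.get(ne_id)
        if second_info is None or k3 is None:
            return None
        return unseal(k3, second_info)  # None unless the sender holds this element's K3

    def send(self, ne_id, fourth_info):
        """Fig. 4: inner layer under the element's K3, outer layer under K2 (fifth information)."""
        return seal(self.k2, seal(self.k3_by_ne[ne_id], fourth_info))


def uplink(k2, k3, first_info):
    """Element encrypts with K3 (second information); edge gateway wraps with K2 (third information)."""
    return seal(k2, seal(k3, first_info))


def downlink(k2, k3, fifth_info):
    """Edge gateway removes the K2 layer (sixth information); the element removes the K3 layer."""
    sixth_info = unseal(k2, fifth_info)
    return None if sixth_info is None else unseal(k3, sixth_info)


# Constructed values for a stand-alone run (K2 would come from the gateway authentication).
K2 = hashlib.sha256(b"constructed K2 shared by the two gateways").digest()
NE_A, NE_B = b"edge-ne-01", b"edge-ne-02"

if __name__ == "__main__":
    core = CoreGateway(K2)
    core.register(NE_A, derive_k3(K2, NE_A))
    print(core.receive(NE_A, uplink(K2, derive_k3(K2, NE_A), b"hello core")))
    print(core.receive(NE_A, uplink(K2, derive_k3(K2, NE_B), b"spoof")))  # None
```

Because K3 is bound to the element identifier, the second gateway needs no per-element pre-shared secret: the first gateway's K2, which it only holds after the Fig. 2 authentication, is what vouches for every K3 it registers.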
The source of the first key is described below in connection with some embodiments.
According to some embodiments, the first key comes from a subscriber identity card, for example at least one of a USIM and an eSIM. Storing the first key in the USIM or eSIM gives high security at low cost.
In the above embodiment, a plurality of virtualized edge network elements share hardware resources, and have the characteristics of dynamic loading and elastic expansion, that is, can be started or stopped according to service requirements. For the virtualized first network element with dynamic loading and elastic scaling characteristics, when the first network element is started or stopped as required, the third key is correspondingly generated or invalidated, and the key generation mode is convenient for management.
According to some embodiments, the subscriber identity card is built into the first gateway. In some implementations, the subscriber identity card and the second network element each store a copy of the first key.
According to further embodiments, the subscriber identity card is removably connected to the first gateway, for example inserted into a USB port of the first gateway through a card reader with a USB interface. In this case, before generating the second key, the first gateway sends to the second gateway a sixth parameter obtained from the identifier of the first gateway and the identifier of the subscriber identity card, so that the second gateway can determine from the sixth parameter whether the identifier of the first gateway and the identifier of the subscriber identity card are consistent with the preconfigured binding information. In some implementations, the subscriber identity card and the second gateway each store a copy of the first key.
According to some embodiments, the first gateway may submit the identifier of the first gateway and the identifier of the subscriber identity card to the second gateway in advance, so that binding information between the two identifiers is configured. The identifier of the first gateway comprises, for example, a device fingerprint of the first gateway, and the identifier of the subscriber identity card comprises, for example, an International Mobile Subscriber Identity (IMSI) or a Subscription Permanent Identifier (SUPI). In some embodiments, network access information, for example port information of the first gateway, may also be submitted to the second gateway.
According to some embodiments, before or during the verification between the first gateway and the second gateway, the first gateway sends to the second gateway the sixth parameter obtained from the identifier of the first gateway and the identifier of the subscriber identity card; the second gateway confirms from the sixth parameter whether the two identifiers are consistent with the binding information, and only when they are consistent can the verification between the first gateway and the second gateway succeed.
In this embodiment, the first gateway is bound to the subscriber identity card, so a card removed from its gateway cannot simply be used on another device, and the security of the communication is guaranteed.
In the present specification, the embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts in the embodiments are referred to each other. For the device embodiment, since it basically corresponds to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
Fig. 5 is a schematic structural diagram of a communication device according to some embodiments of the present disclosure.
As shown in fig. 5, the communication apparatus 500 includes a generating module 501 and a transmitting module 502.
The generating module 501 is configured to generate a second key for communicating with a second gateway of the core network based on the first key for authenticating the second gateway, and to generate a third key based on the second key and an identification of the virtualized first network element of the edge network.
The sending module 502 is configured to send the third key to the first network element and the second gateway, so that the second gateway authenticates the first network element based on the third key, and enables the first network element to communicate with the second network element of the core network based on the third key after the authentication is passed.
Fig. 6 is a schematic block diagram of a communication device according to further embodiments of the present disclosure.
As shown in fig. 6, the communication device 600 includes a memory 601 and a processor 602 coupled to the memory 601, wherein the processor 602 is configured to execute the method of any of the foregoing embodiments based on instructions stored in the memory 601.
The memory 601 may include, for example, system memory and fixed non-volatile storage media. The system memory may store, for example, an operating system, application programs, a boot loader, and other programs.
The communication apparatus 600 may further include an input/output interface 603, a network interface 604, a storage interface 605, and the like. The interfaces 603, 604 and 605, the memory 601 and the processor 602 may be connected by a bus 606, for example. The input/output interface 603 provides a connection interface for input/output devices such as a display, a mouse, a keyboard, and a touch screen. The network interface 604 provides a connection interface for various networking devices. The storage interface 605 provides a connection interface for external storage devices such as an SD card and a USB disk.
Fig. 7 is a schematic structural diagram of a communication system according to some embodiments of the present disclosure.
As shown in fig. 7, the communication system 700 comprises a first gateway 710 of an edge network, a virtualized first network element 720 of the edge network, a second network element 730 of a core network, and a second gateway 740 of the core network. The first gateway 710 of the edge network may comprise a communication device as in any of the above embodiments, such as the communication device 500 or the communication device 600. The virtualized first network element 720 of the edge network is configured to communicate with the second network element based on the third key after the authentication passes. The second gateway 740 of the core network is configured to authenticate the first network element based on the third key.
Fig. 8 is a schematic block diagram of a communication system according to further embodiments of the present disclosure.
As shown in fig. 8, the communication system 800 comprises a first gateway 710 of an edge network, a virtualized first network element 720 of the edge network, a second network element 730 of a core network, and a second gateway 740 of the core network.
The first gateway 710 of the edge network comprises a secure access module 711, an Authentication, Authorization and Accounting (AAA) authentication module 712 and an internal verification module 713, the internal verification module 713 being configured to verify the virtualized first network element 720 of the edge network.
The second gateway 740 includes a secure access module 741 and an AAA server 742. The secure access module 741 on the core network side cooperates with the secure access module 711 on the edge network side to encrypt the communication between the first gateway 710 and the second gateway 740. The AAA server 742, in cooperation with the AAA authentication module 712, is configured to enable authentication between the first gateway 710 and the second gateway 740, and to enable the second gateway 740 to authenticate the first network element 720.
According to some embodiments, the second network element 730 comprises a key management network element (not shown in the figure) configured to store the first key. The key management network element is, for example, a unified data management function (UDM) network element. According to some embodiments, the second network element 730 comprises an authentication server function (AUSF) network element configured to enable authentication between the second network element 730 of the core network and the second gateway 740 of the core network.
The disclosed embodiments also provide a computer-readable storage medium comprising computer program instructions, which when executed by a processor, implement the method of any of the above embodiments.
The disclosed embodiments also provide a computer program product comprising a computer program, wherein the computer program implements the method of any of the above embodiments when executed by a processor.
Thus, various embodiments of the present disclosure have been described in detail. Some details that are well known in the art have not been described in order to avoid obscuring the concepts of the present disclosure. It will be fully apparent to those skilled in the art from the foregoing description how to practice the presently disclosed embodiments.
As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable non-transitory storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that the functions specified in one or more of the flows in the flowcharts and/or one or more of the blocks in the block diagrams can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Although some specific embodiments of the present disclosure have been described in detail by way of example, it should be understood by those skilled in the art that the foregoing examples are for purposes of illustration only and are not intended to limit the scope of the present disclosure. It will be understood by those skilled in the art that various changes may be made in the above embodiments or equivalents may be substituted for elements thereof without departing from the scope and spirit of the present disclosure. The scope of the present disclosure is defined by the appended claims.

Claims (15)

1. A method of communication, comprising:
a first gateway of an edge network generates a second key for communicating with a second gateway of a core network based on a first key for verifying the second gateway;
the first gateway generates a third key based on the second key and an identifier of a virtualized first network element of the edge network; and
the first gateway sends the third key to the first network element and the second gateway, so that the second gateway verifies the first network element based on the third key, and the first network element communicates with a second network element of the core network based on the third key after the verification passes.
2. The method of claim 1, wherein generating, by a first gateway of an edge network, a second key to communicate with a second gateway of a core network based on a first key to authenticate the second gateway comprises:
the first gateway receives a second parameter generated by the second gateway based on a first parameter and the first key;
the first gateway generates a third parameter and a fourth parameter based on the first parameter and the first key; and
the first gateway sends the fourth parameter to the second gateway if the second parameter is consistent with the third parameter, so that the second gateway returns a verification passing message to the first gateway if the fourth parameter is consistent with a fifth parameter, wherein the fifth parameter is generated by the second gateway based on the first parameter and the first key.
3. The method of claim 2, wherein generating, by a first gateway of an edge network, a second key to communicate with a second gateway of a core network based on a first key to authenticate the second gateway further comprises:
in response to the authentication pass message, the first gateway generates the second key based on the first key.
4. The method of claim 1, wherein the first network element communicating with a second network element of a core network based on the third key after authentication passes comprises:
the first gateway receives second information generated by the first network element by encrypting the first information based on the third key;
the first gateway encrypts the second information based on the second key to generate third information; and
the first gateway sends the third information to the second gateway, so that the second gateway decrypts the third information based on the second key and the third key to obtain the first information and sends the first information to the second network element.
5. The method of claim 1, wherein the first network element communicating with a second network element of a core network based on the third key after authentication passes comprises:
the first gateway receives fifth information generated by the second gateway by encrypting fourth information based on the second key and the third key;
the first gateway decrypts the fifth information based on the second key to obtain sixth information; and
the first gateway sends the sixth information to the first network element, so that the first network element decrypts the sixth information based on the third key to obtain the fourth information.
6. The method of any of claims 1-5, wherein the first key is from a subscriber identity card.
7. The method of claim 6, wherein the subscriber identity card is connected to the first gateway as a pluggable card;
the method further comprises the following steps: before generating the second key, the first gateway sends a sixth parameter obtained based on the identifier of the first gateway and the identifier of the subscriber identity card to the second gateway, so that the second gateway determines whether the identifier of the first gateway and the identifier of the subscriber identity card are consistent with pre-configured binding information based on the sixth parameter.
8. The method of claim 6, wherein the subscriber identity card comprises at least one of a USIM card and an eSIM card.
9. The method of any of claims 1-5, further comprising:
the first gateway authenticates the first network element before generating the second key.
10. The method of claim 9, wherein the first gateway authenticating the first network element comprises:
the first gateway verifies the first network element using at least one of a pre-shared secret, a certificate authority certificate, and a certificate and key agreement protocol.
11. A communication device, comprising:
a generation module configured to generate a second key for communicating with a second gateway of a core network based on a first key for authenticating the second gateway, and generate a third key based on the second key and an identification of a virtualized first network element of an edge network;
a sending module configured to send the third key to the first network element and the second gateway, so that the second gateway authenticates the first network element based on the third key, and the first network element communicates with a second network element of a core network based on the third key after the authentication is passed.
12. A communication device, comprising:
a memory; and
a processor coupled to the memory and configured to perform the method of any of claims 1-10 based on instructions stored in the memory.
13. A communication system, comprising:
a first gateway of an edge network comprising the communication device of claim 11 or 12;
a second network element of the core network;
a virtualized first network element of an edge network configured to communicate with the second network element based on a third key after authentication passes; and
a second gateway of a core network configured to authenticate the first network element based on the third key.
14. A computer readable storage medium comprising computer program instructions, wherein the computer program instructions, when executed by a processor, implement the method of any of claims 1-10.
15. A computer program product comprising a computer program, wherein the computer program when executed by a processor implements the method of any one of claims 1-10.
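As an added example (not code from the patent or its assignee), the following Python model walks through the procedure of claims 1 to 5: the mutual parameter check between the two gateways, the derivation of the second and third keys, and the two-layer encryption on the uplink and downlink. It assumes HMAC-SHA256 as the function behind every parameter and key derivation, a small encrypt-then-MAC construction for each encryption layer, and that the first parameter is mixed into the second key; the labels and the variable names are constructed for this example.

```python
import hmac, hashlib, os

def prf(key: bytes, *parts: bytes) -> bytes:
    """Assumed keyed function behind every parameter and key derivation (HMAC-SHA256)."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (prf(key, b"ks", nonce, i.to_bytes(4, "big")) for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt(key: bytes, msg: bytes) -> bytes:
    """One encryption layer: HMAC counter-mode keystream, then a tag over the ciphertext."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, nonce, len(msg))))
    return nonce + ct + prf(key, b"tag", nonce, ct)

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, prf(key, b"tag", nonce, ct)):
        raise ValueError("layer tag mismatch: wrong key or modified data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def mutual_auth_and_keys(first_key: bytes, first_param: bytes, ne_id: bytes):
    """Claims 2 and 3 plus the third-key step of claim 1; returns (second_key, third_key)."""
    # Second gateway derives the second parameter from the first parameter and first key.
    second_param = prf(first_key, b"challenge", first_param)
    # First gateway derives the third and fourth parameters the same way.
    third_param = prf(first_key, b"challenge", first_param)
    fourth_param = prf(first_key, b"response", first_param)
    if not hmac.compare_digest(second_param, third_param):
        raise ValueError("first gateway: second gateway failed verification")
    # Second gateway derives the fifth parameter and checks the returned fourth parameter.
    fifth_param = prf(first_key, b"response", first_param)
    if not hmac.compare_digest(fourth_param, fifth_param):
        raise ValueError("second gateway: first gateway failed verification")
    # Claim 3: second key from the first key (mixing in the first parameter is an assumption).
    second_key = prf(first_key, b"second-key", first_param)
    # Claim 1: third key bound to the virtualized network element's identifier.
    third_key = prf(second_key, b"third-key", ne_id)
    return second_key, third_key

def uplink(second_key: bytes, third_key: bytes, first_info: bytes) -> bytes:
    """Claim 4: NE wraps with the third key, first gateway wraps with the second key,
    second gateway unwraps both layers."""
    second_info = encrypt(third_key, first_info)
    third_info = encrypt(second_key, second_info)
    return decrypt(third_key, decrypt(second_key, third_info))

def downlink(second_key: bytes, third_key: bytes, fourth_info: bytes) -> bytes:
    """Claim 5: second gateway wraps twice; first gateway removes the outer layer only."""
    fifth_info = encrypt(second_key, encrypt(third_key, fourth_info))
    sixth_info = decrypt(second_key, fifth_info)
    return decrypt(third_key, sixth_info)
```

Because the third key is bound to the network element identifier, a key derived for a different identifier cannot open the inner layer, and the first gateway, holding only the second key, never sees the plaintext on the downlink.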

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111560638.7A CN114006696A (en) 2021-12-20 2021-12-20 Communication method, device, system and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN114006696A true CN114006696A (en) 2022-02-01

Family

ID=79931870

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination