CN114650165B

CN114650165B - System security control method based on network slice and certificate-free public key cryptosystem

Info

Publication number: CN114650165B
Application number: CN202210107499.0A
Authority: CN
Inventors: 王文帝; 朱红; 周冬旭; 谢国涛; 王首媛; 管立军; 许洪华; 钱欣; 余昊
Original assignee: China Information Technology Designing and Consulting Institute Co Ltd; Nanjing Power Supply Co of State Grid Jiangsu Electric Power Co Ltd
Current assignee: China Information Technology Designing and Consulting Institute Co Ltd; Nanjing Power Supply Co of State Grid Jiangsu Electric Power Co Ltd
Priority date: 2022-01-28
Filing date: 2022-01-28
Publication date: 2023-09-15
Anticipated expiration: 2042-01-28
Also published as: CN114650165A

Abstract

A system security control method based on network slice and certificateless public key cryptosystem includes: establishing a CLA key management center, a security and routing strategy control center, a network slice selection strategy module and a security authentication gateway; each application static group obtains a unique CLA user identifier and generates a gateway CLA public-private key pair; the security and routing policy control center dynamically groups the applications for sending the messages to obtain a unique mapping relation, and the network slice selection policy module selects virtual applications and sends service system messages to the security authentication gateway; and the security authentication gateway sends the service system information passing through the identity authentication to the corresponding service system. The invention utilizes the high efficiency of CLA in the application of the Internet of things to realize the security of service data and logic link, ensures the differentiated channel resources of the service and realizes flexible and high-efficiency security policy control.

Description

System security control method based on network slice and certificate-free public key cryptosystem

Technical Field

The invention belongs to the technical field of information security, and particularly relates to a system security control method based on a network slice and a certificate-free public key cryptosystem.

Background

Network slicing is an on-demand networking manner, which essentially divides a physical network of an operator into a plurality of virtual networks, and each virtual network is divided according to different service requirements, such as time delay, bandwidth, security, reliability, and the like, so as to flexibly cope with different network application scenarios.

In the prior art, a system (Certificateless Authentication, CLA) for certificateless authentication and key management based on SM2 is a key generation and key use mechanism which fuses a self-certification public key cryptosystem (Public Key Infrastructure, PKI) and a certificateless public key cryptosystem (Certificateless Pbulic Key Cryptography, CLPKC), and a novel public key infrastructure is constructed by referring to a management system architecture of a PKI/CA (Certification Authority, certificate authority) system. The existing SM2 elliptic curve cryptography algorithm (Elliptic Curve Cryptography, ECC) is adopted, a digital certificate is not used, bilinear pairing operation is not used, and the advantages of PKI/CA and IBC (Indentity Based Cryptography, public key cryptosystem based on identification) are achieved. The method generates the digital signature data packet with short format, is suitable for various signature applications, does not need the support of a key management center when verifying the signature, and can directly verify the signature by a signer, thereby greatly facilitating the verification of the signature by a receiver. The method has the advantages of low construction cost, high calculation efficiency and less occupied resources, can be used for key management of massive users, and meets the requirements of safety application such as large-scale and large-scale cloud computing, identity authentication, data tamper resistance, repudiation resistance and the like in the environments of the Internet of things and the mobile Internet.

In the prior art 1 (CN 104539423 a) 'a method for implementing a non-certificate public key cryptosystem without bilinear pairing operation', firstly, a user sets a private value and calculates a temporary public key, then a key generation center generates another part of key for the user and binds the two parts, and finally the user synthesizes an own actual public-private key pair. The invention overcomes the defects that the public key is replaced and the signature is forged possibly existing in the common certificate-free cipher system, the user has complete control right on the private key, the secret key can be withdrawn and regenerated, and the user signature has non-repudiation. The invention adopts standard elliptic curve public key cryptographic algorithm, does not use bilinear pairing operation, has high calculation efficiency, less occupied resources and strong safety, and can be separated from a key generation center to operate when being applied to signature, authentication and key negotiation. In the prior art 1, the technical tertiary section of 'user identification' is provided to meet the requirements of identity authentication, communication confidentiality and anti-repudiation application of large-scale systems and low-power consumption equipment, but the cooperation and application of the user identification and the CLA are not involved.

Prior art 2 (CN 110506439 a) "create network slice selection policy rules", creates a network slice part policy (Network security situation prediction, NSSP) rule for each application identifier in the list of application identifiers, the NSSP rule containing the application identifier and the associated one or more network slice identifiers. Prior art 1 provides a specific way of slice selection but does not focus on the dynamic compliance of slice service level agreements (Service Level Agreement, SLA) with message SLAs.

Prior art 3 (CN 112738800 a) "a method for implementing data security transmission of network slice", after User access authentication is successful, AUSF (Authentication Server Function ) generates a network slice anchor key K for UE (User Equipment); the AUSF sends and stores the mapping relation between the network slice identifier S-NSSAI (Single Network Slice Selection Assistance Information, single network slice selection auxiliary information) and the network slice anchoring key K to the AMF (Authentication Management Function ); the AUSF returns a network slice identifier S-NSSAI which needs to encrypt user plane data and an indication of data transmission security protection to the UE; and the UE generates a network slice anchoring key K for the network slice identifier S-NSSAI according to the indication, and stores the mapping relation between the network slice identifier S-NSSAI and the network slice anchoring key K. The method realizes the purpose of safe transmission of the network slice data by generating a user plane safety key for the appointed network slice and using the safety key to carry out confidentiality and/or integrity protection on the data transmitted by the user plane of the network slice. Prior art 3 achieves protection of user data confidentiality/integrity on network slices, with emphasis on whether network slices are secure, i.e. network pipe security, without considering the logical security at the application system level.

In summary, in the prior art, the password system based on CLA can only realize the security of service data and logic link, but cannot combine channel resources to realize the guarantee of service differentiated channel resources; meanwhile, the channel security of the network slice cannot be combined with a specific service scene, and more flexible security policy control cannot be realized. Therefore, there is a need to study system security control methods based on network slice and certificateless public key cryptosystems.

Disclosure of Invention

In order to solve the defects existing in the prior art, the invention aims to provide a system security control method based on a network slice and a certificate-free public key cryptosystem, based on a CLA system, simultaneously introduce the concept of user identification, construct CLA user identification, fully utilize the advantages of network slice differentiated channel resource guarantee and the high efficiency of CLA in the application of the Internet of things, ensure the service differentiated channel resource while realizing the security of service data and logic links, and finally realize more flexible and efficient security policy control.

The invention adopts the following technical scheme.

A system security control method based on network slice and certificateless public key cryptosystem includes:

step 1, establishing a system; the system comprises: the CLA key management center, the security and routing policy control center, the network slice selection policy module and the security authentication gateway;

Step 2, the application system client uses the security and routing policy control center and the network slice selection policy module to carry out static grouping on the applications, and enables each application static grouping to obtain a unique CLA user identifier, wherein the CLA user identifier is an identifier of the virtual application; the application system client side then utilizes the CLA key management center and the security authentication gateway to generate a gateway CLA public-private key pair of the application system client side based on the CLA user identification;

step 3, when the system operates, the application system client uses the security and routing strategy control center to dynamically group the application for sending the service system information to obtain a unique mapping relation; the application system client side then utilizes the network slice selection strategy module to select a corresponding virtual application based on the CLA user identification, and utilizes the selected virtual application to send the service system message to the security authentication gateway;

and 4, the security authentication gateway performs identity authentication on the service system information, and the service system information through the identity authentication is sent to the corresponding service system.

Preferably, step 2 comprises:

step 2.1, the security and routing policy control center sends application static grouping configuration information to a security module of an application system client; the security module divides the application into a plurality of applications based on the application static grouping configuration information Application group, the identity of which is denoted ID _{APP group} ；

Step 2.2, the network slice selection strategy module sends a network slice identifier S-NSSAI to a security module of an application system client;

step 2.3, based on the application group configuration information and the network slice identification, generating a virtual application by the security module of the application system client, wherein the identification of the virtual application is marked as ID _{Virtual APP} ；

Step 2.4, virtual application identification ID based _{Virtual APP} Generation of CLA user identification ID by security module _CLA ；

Step 2.5, the security module interacts with the CLA key management center, using the CLA user identification ID _CLA Generating virtual application identification ID by CLA key management center _{Virtual APP} A corresponding public-private key pair;

step 2.6, the CLA key management center interacts with the security authentication gateway, ID _{Virtual APP} And after the corresponding public and private key pair is authenticated by the security authentication gateway, obtaining the gateway CLA public and private key pair.

Further, in step 2.2, the network slice identifier S-NSSAI includes: the network slice behavior identifiers SST (Slice Service Type) characterizing the corresponding slice characteristics and traffic expectations distinguish between multiple slice identifiers SD (Slice Differentiator) of the same SST.

Further, in step 2.3, the identity ID of the virtual application _{Virtual APP} Comprising the following steps: identification ID of application group _{APP group} And a network slice identifier S-NSSAI.

Further, in step 2.4, the security module generates a CLA user identification ID _CLA The method of (1) comprises:

1) Identifying ID by virtual application _{Virtual APP} Directly as CLA user identification ID _CLA ；

2) Based on unified rules, identification ID is applied to virtual application _{Virtual APP} After adding the characteristic identifier, generating CLA user identifier ID _CLA 。

Preferably, step 3 comprises:

step 3.1, when the system is running, the application sends the service system to the security moduleUnified messaging, security model identifies sender ID _APP ；

Step 3.2, based on the application static grouping configuration information and the current running state of the system, the security and routing strategy control center sends the application dynamic grouping configuration information to the security module; according to the application dynamic grouping configuration information, the security module establishes a unique mapping relation between the application sending the service system message and the application group, namely determines the application group identification ID _{APP group} ；

Step 3.3, the security and routing policy control center sends the application group SLA (Service Level Agreement ) parameters to the security module, which based on the application group network slice parameters and the application group identification ID _{APP group} Determining a network slice identifier S-NSSAI; and, the security module identifies the ID according to the application group _{APP group} And network slice identification S-NSSAI, determining virtual application;

step 3.4, the service system information sent by the application is sent to the network slice selection strategy module through the determined virtual application;

step 3.5, the business system information is transmitted to the security authentication gateway through the 5G communication network from the network slice selection strategy module;

step 3.6, the security authentication gateway performs identity authentication on the service system message; and forwarding the service system information passing through the identity authentication to a corresponding service system.

Further, step 3.4 includes:

step 3.4.1, the determined virtual application is based on its identification ID _{Virtual APP} Signing the business system message by the corresponding CLA private key;

step 3.4.2, the determined virtual application encrypts the service system message based on the public key of the message receiver according to the message encryption requirement acquired from the security policy control center;

and 3.4.3, after signing and encrypting the service system information, sending the service system information to a network slice selection strategy module.

Further, in step 3.5, the security authentication gateway includes an authentication module, and the authentication module performs signature verification on the signed service system message and decrypts the encrypted service system message.

Further, step 3.6 includes:

step 3.6.1, the service system information is directly forwarded to the corresponding service system without identity authentication;

step 3.6.2, if the service system information only needs identity authentication, the identity authentication is carried out on the service system information based on the CLA authentication algorithm; after passing the identity authentication, forwarding the identity authentication to a corresponding service system; the identity authentication does not pass, and authentication failure information is returned;

step 3.6.2, the business system information needs identity authentication and needs to verify the legality of the information sender, the identity authentication is firstly carried out on the business system information based on a CLA authentication algorithm, and after the identity authentication is passed, whether the information sender is legal or not is verified; after the identity validity of the message sender is judged successfully, the service system message is forwarded to the corresponding service system; if the identity validity of the message sender fails to judge, the identity validity failure information is returned; and finally, identity authentication is not considered to pass, and authentication failure information is returned.

Further, in step 3.6.2, the sender identity is legal means that the sender identity ID _APP Belongs to the white list and does not belong to the black list.

The invention has the beneficial effects that compared with the prior art: the invention realizes dynamic and rich security control and network service by taking information as granularity in an application system layer through the technologies of APP static grouping, APP dynamic grouping adaptation, virtual APP abstraction, identity authentication and access control of a security authentication gateway and the like.

The beneficial effects include:

1) The invention uses the CLA system and references the concept of 'user identification', realizes 'CLA user identification', and based on the user identification, namely the ID of the virtual APP, the virtual APP and the CLA system cooperate to generate a virtual APP key pair, thereby realizing more flexible and efficient security policy control;

2) The frequency of the dynamic change of the message SLA is considered to be obviously larger than the change frequency of the slice SLA which can be borne by an operator, so that the dynamic coincidence degree of the slice SLA and the message SLA is more concerned; the invention is based on the abstraction of the virtual APP, can select the virtual APP with the network SLA attribute based on the dynamic SLA requirement of the message, and the network SLA attribute of the virtual APP can be consistent with the slice SLA of the virtual APP;

3) After the virtual APP sends the message to the module, when the NSSP module in the module selects a specific slice, the invention regards the slice as a pipeline with SLA attribute, namely the message sent by the message bucket of the virtual APP1 is generally carried by the slice 1;

4) The invention improves the logic safety of the application system level; the dynamic security policy control of the message is realized through the security policy center; based on the identity authentication and access control strategy of the security authentication gateway of the security and routing strategy control center, the message identity authentication and the validity verification of a message sender are carried out through the security authentication gateway; the invention can realize message signature/signature verification, encryption/decryption and validity verification of a message sender; meanwhile, the flexible security policy at the message level is realized through the dynamic security policy control of the security and routing policy control center.

Drawings

FIG. 1 is a system architecture and interaction diagram based on network slice and a public key cryptosystem without certificates in embodiment 1 of the present invention;

the reference numerals in fig. 1 are explained as follows:

101-CLA key management center; 102-a security and routing policy control center; 103-network slice selection policy module (NSSP); 104-a secure authentication gateway; 104 a-authentication; 104 b-routing; 105-a security module; 106-User Equipment (UE); 107-5G network;

201-a first application; 202-a second application; 203-a first virtual application; 204-a second virtual impact; 205-a first business system; 206-a second business system;

1-NSSP and a first interaction interface of the security module;

an interactive interface between the 2-CLA key management center and the security module;

3-interaction interface of security and routing policy control center and security module;

an interactive interface between the 4-CLA key management center and the security authentication gateway;

5-interaction interface of security and routing policy control center and security authentication gateway;

6-an interactive interface of the security module with the first application;

7-an interactive interface of the security module with a second application;

a second interactive interface of the 8-NSSP and the security module;

an interactive interface of the 9-NSSP and a 5G network;

an interactive interface between the 10-5G network and the security authentication gateway;

11-an interaction interface of the security authentication gateway and the first service system;

12-an interactive interface between the security authentication gateway and the second service system;

FIG. 2 is a block diagram of the steps of the system security control method based on the network slice and the certificateless public key cryptosystem according to the present application;

fig. 3 is a schematic diagram of the architecture based on the network slice and the public key cryptosystem without certificate in embodiment 2 of the present application.

Detailed Description

The application is further described below with reference to the accompanying drawings. The following examples are only for more clearly illustrating the technical aspects of the present application, and are not intended to limit the scope of the present application.

Example 1.

First three identifiers are described:

1) Application identification: characterization of applications with clear boundaries and business cohesion applications, which are typically composed in a B/S (Browser/Server) architecture, include client APP and application systems, called IDs _APP The method comprises the steps of carrying out a first treatment on the surface of the A subset of the application set, called the APP group, is identified as ID _{APP group} The method comprises the steps of carrying out a first treatment on the surface of the Hereinafter, the security module in the UE is referred to as virtual application, referred to as virtual APP, the identity of which is denoted ID _{Virtual APP} 。

2) Slice identity, S-nsai (Single Network Slice Selection Assistance Information ) identity, which further comprises two parts of information:

2.1 Slice/Service Type (SST), characterizing network Slice behavior corresponding to Slice characteristics and traffic expectations;

2.2 Slice Differentiator (SD), optionally supplementing SST, further distinguishing multiple slices of the same SST.

3) CLA user identity, i.e. information in the CLA system used to identify the identity of a user entity, is called ID _CLA 。

The invention is mainly realized by the following ideas of CLA user identification ID _CLA The slice identity (S-NSSAI) of the network slice may be fused to provide a slice identity (S-NSSAI) and an application Identity (ID) _APP ) Combining to form a CLA subscriber Identity (ID) _CLA ) Realizing a slice identification and differentiation security authentication scheme; the advantages are that: the differentiation guarantee of the bottom communication link is realized through the 5G end-to-end slice SLA, and the service identification adaptation is realized; and taking the slice S-NSSAI as a bridge, and associating the multi-service differentiated security with the slice differentiated SLA as a part of the user security identifier to realize the custom differentiated security policy under the multi-slice scene. The specific structure and interaction diagram are shown in fig. 1.

As shown in fig. 2, a system security control method based on a network slice and a certificateless public key cryptosystem includes steps 1 to 4.

Step 1, establishing a system; the system comprises: CLA key management center 101, security and routing policy control center 102, network slice selection policy module 103, and security authentication gateway 104.

In the preferred embodiment 1 of the present invention, the system is established in the initialization phase.

As shown in fig. 1, the security and routing policy control center 102 groups the application first application 201 and the application second application 202 to form a plurality of application groups, and the application groups are subsets of an application set; the application group may be empty, i.e. not contain any applications, or contain all applications; the security module 105 in the UE obtains application packet configuration information from the security and routing policy control center 102 based on the interaction interface 3 of the security and routing policy control center and the security module; the security and routing policy control is referred to as: application system static grouping configuration.

The security module 105 in the UE interacts with the NSSP103, and acquires an S-NSSAI list supported by the UE and network slice SLA parameter information identified by the S-NSSAI based on a first interaction interface 1 of the NSSP and the security module;

the security module 105 in the UE generates a virtual APP list based on the static grouping configuration information of the application system and the S-NSSAI list information supported by the UE, and the corresponding combined strategy is acquired from the security and route strategy control center 102 based on the interaction interface 3 of the security and route strategy control center and the security module; wherein, virtual APP identifications formed based on the combination policy are shown in table 1:

Table 1 virtual APP identification formed based on combining policies

The security module 105 in the UE identifies the ID with a virtual APP _{Virtual APP} As CLA user identification ID _CLA Or as CLA user identification ID _CLA Other identifications can be added based on unified rules when in actual application, such as in ID _{APP group 1} The front part or the rear part of the S-NSSAI 1' identifier is added with the UE characteristic identifier, and interacts with the CLA key management center 101 through the interaction interface 2 of the CLA key management center and the security module to finally generate ID _{Virtual APP} A corresponding public-private key pair;

security authentication gateway 104 uses CLA user ID of gateway _CLA Interaction with the CLA key management center 101 is performed through an interaction interface 4 between the CLA key management center and the security authentication gateway, and finally a gateway CLA public-private key pair is generated.

Step 2, the application system client uses the security and routing policy control center and the network slice selection policy module to carry out static grouping on the applications, and enables each application static grouping to obtain a unique CLA user identifier, wherein the CLA user identifier is an identifier of the virtual application; and the application system client uses the CLA key management center and the security authentication gateway to generate a gateway CLA public-private key pair of the application system client based on the CLA user identifier.

Specifically, step 2 includes:

step 2.1, the security and routing policy control center sends application static grouping configuration information to a security module of an application system client; based on the static grouping configuration information of the application, the security module divides the application into a plurality of application groups, and the identification of the application groups is marked as ID _{APP group} 。

And 2.2, the network slice selection policy module sends a network slice identifier S-NSSAI to a security module of the application system client.

Further, in step 2.2, the network slice identifier S-NSSAI includes: the network slice behavior identifiers SST corresponding to the slice characteristics and traffic expectations are characterized, and a plurality of slice identifiers SD of the same SST are distinguished.

Step 2.3, based on the application group configuration information and the network slice identification, generating a virtual application by the security module of the application system client, wherein the identification of the virtual application is marked as ID _{Virtual APP} 。

Step 2.4, virtual application identification ID based _{Virtual APP} Generation of CLA user identification ID by security module _CLA 。

Step 2.5, the security module is intersected with the CLA key management centerMutual utilization of CLA user identification ID _CLA Generating virtual application identification ID by CLA key management center _{Virtual APP} A corresponding public-private key pair.

Step 3, when the system operates, the application system client uses the security and routing strategy control center to dynamically group the application for sending the service system information to obtain a unique mapping relation; and the application system client uses the network slice selection strategy module to select a corresponding virtual application based on the CLA user identification, and sends the service system message to the security authentication gateway by using the selected virtual application.

Specifically, step 3 includes:

step 3.1, when the system is running, the application sends service system information to the security module, and the security module identifies the identity ID of the sender _APP 。

Step 3.2, based on the application static grouping configuration information and the current running state of the system, the security and routing strategy control center sends the application dynamic grouping configuration information to the security module; according to the application dynamic grouping configuration information, the security module establishes a unique mapping relation between the application sending the service system message and the application group, namely determines the application group identification ID _{APP group} 。

Step 3.3, the security and routing policy control center sends the application group SLA parameters to the security module, and the security module is used for controlling the security module according to the application group network slice parameters and the application group identification ID _{APP group} Determining a network slice identifier S-NSSAI; and, the security module identifies the ID according to the application group _{APP group} And network slice identification S-NSSAI, determine the virtual application.

In the preferred embodiment 1 of the present invention, the CLA is a key generation and key usage mechanism that merges a self-certification public key cryptosystem and a non-certification public key cryptosystem, and a novel public key infrastructure is constructed by referencing the management architecture of the PKI/CA system. The existing SM2 elliptic curve cryptography algorithm is adopted, a digital certificate is not used, bilinear pairing operation is not used, and the advantages of PKI/CA and IBC are achieved. The method generates the digital signature data packet with short format, is suitable for various signature applications, does not need the support of a key management center when verifying the signature, and can directly verify the signature by a signer, thereby greatly facilitating the verification of the signature by a receiver. The method has the advantages of low construction cost, high calculation efficiency and less occupied resources, can be used for key management of massive users, and meets the requirements of safety application such as large-scale and large-scale cloud computing, identity authentication, data tamper resistance, repudiation resistance and the like in the environments of the Internet of things and the mobile Internet.

The CLA user identifier, namely the user entity A identifier IDA, is used for identifying the user identity, is used for identifying the virtual APP identity in the invention, and is cooperated with the CLA system to generate the CLA key pair of the virtual APP.

And 3.4, sending the service system information sent by the application to the network slice selection policy module through the determined virtual application.

Further, step 3.4 includes:

And 3.5, the service system message is sent to the security authentication gateway from the network slice selection policy module through the 5G communication network.

Further, step 3.6 includes:

In the preferred embodiment of the present invention, in the system operation stage, as shown in fig. 1, a first application 201 and a second application 202 in the ue send information to be sent to the service system to the security module 105 through the interaction interface 6 between the security module and the first application and the interaction interface 7 between the security module and the second application, respectively;

the security module 105 in the UE obtains the message sent by the application and can identify the sender ID _APP Based on the application grouping configuration information obtained from the security and routing policy control center 102 in the initialization stage, and in combination with the mapping preference policy between the applications and the application groups configured by the security and routing policy control center 102 in the current operation stage of the system, which is called application system message dynamic grouping preference configuration, a unique mapping relationship between the applications and the application groups, namely ID, is determined _APP →ID _{APP group} I.e. messages that occur during run-time can only belong to a certain application system group;

the security module 105 in the UE acquires the SLA parameters of the application group configured by the security and routing policy control center 102 through the interaction interface 3 of the security and routing policy control center and the security module, and selects proper virtual application; the selection process mainly comprises the following steps: by ID determined in the run-time of the system _{APP group} Based on the SLA parameter requirements of the application group configured by the security and routing policy control center 102, and combining with the SLA parameter information of the network slice, the network slice identifier S-NSSAI is determined, based on the ID _{APP group} And S-NSSAI, determining ID _{Virtual APP} The method comprises the steps of carrying out a first treatment on the surface of the Finally, the message is passed through the ID _{Virtual APP} The corresponding virtual application is sent out;

the security module 105 in the UE sends the message of the virtual application to the NSSP through the second interaction interface 8 of the NSSP and the security module, the NSSP slices the message through the network based on the slice selection policy, and sends the message to the 5G network 107 through the interaction interface 9 of the NSSP and the 5G network;

the 5G network 107 routes the message to the secure authentication gateway 104 via the 5G network's interaction interface 10 with the secure authentication gateway.

A security authentication gateway 104, which authenticates the received message through the interaction interface 5 between the security and routing policy control center and the security authentication gateway, and the identity authentication and access control policy obtained from the security and routing policy control center 102; the following situations may be included:

a) The message is directly forwarded without authentication;

b) The message only requires identity authentication; based on the CLA authentication algorithm, carrying out identity authentication on the message; after the identity authentication is passed, forwarding; the identity authentication does not pass, and authentication failure information is returned;

c) The message requires identity authentication and verification of the legitimacy of the message sender (e.g., whether the message sender is on a white list and not on a black list); after passing the identity authentication, it is verified whether the message sender is legal (e.g., message sender ID _APP Or ID _{APP group} Belonging to white list and message sender ID _APP Or ID _{APP group} The group does not belong to the blacklist), the identity validity of the sender is judged successfully, the message is forwarded, and the sender isThe identity validity failure information is returned after the judgment is failed; the identity authentication does not pass, and authentication failure information is returned;

in this case, the CLA-based identity authentication can identify the message sender (ID _APP ) Application group ID where it is located _{APP group} ) Whether it is an application group already registered in the system; and the identity validity judgment is based on a fine-grained access control strategy after the identity authentication is passed.

The security authentication gateway 104 forwards the information passing through the identity authentication and the access control to the corresponding service system through the interaction interface 11 between the security authentication gateway and the first service system and the interaction interface 12 between the security authentication gateway and the second service system.

In fig. 1, UE, which is a terminal part in an application system, includes a 5G module, which has 5G communication capability and network slice application capability, and relates to a part of the present invention, and it is to be noted that the UE is mainly three modules, which are an application system client (referred to as APP), a security module, and an NSSP module, respectively;

1.1, an application system client, namely a part of the application system client, can interact with a service part of the application system or other application system clients;

1.2, a security module, namely a module mainly responsible for message routing and security policy control in UE, wherein a virtual APP is a container with message encryption, signature, decryption and signature verification, and can be dynamically selected according to a message virtual APP identifier (which is determined by an application group to which a message belongs and a network slice identifier determined by a message dynamic SLA requirement); for both the case of message transmission and message reception, the following is followed:

1.2.1 for message sending, the security module determines the application group to which the message sent by the application client belongs based on the application grouping strategy (application static grouping configuration, application message dynamic grouping preference configuration) obtained from the security policy control center, and records the message I D _APP And ID _{APP group} The mapping relation between the virtual APP and the message dynamic SLA is used for determining a network slice identifier together with a security policy control center according to the message dynamic SLA requirement, so that a message virtual APP identifier is determined, and a virtual APP is selected; based on the message signature requirement obtained from the security policy control center, signing the message by using a CLA private key corresponding to the virtual APP identifier of the virtual APP; encrypting the message with the public key of the message receiver (i.e., the application system security authentication gateway, or the application system itself) based on the message encryption requirement obtained from the security policy control center; after the safety module finishes the message processing, the message is sent to the NSSP module; the NSSP module selects a network slice and sends out a message; when the message is sent out, based on the dynamic message SLA strategy of the application system of the security strategy control center, the overall scheduling can be carried out on the messages of a plurality of virtual APPs or a plurality of messages sent by one virtual APP according to the virtual APP identification;

1.2.2, for message reception, the NSSP module or the communication module indicated by NSSP sends the message to the security module; the security module performs signature verification on the message with the signature, and decrypts the encrypted message; discarding or returning failure processing to the message with the check or decryption error; after successful message security processing (possibly including verification, decryption), the message is based on the message ID _APP And ID _{APP group} The mapping relation among groups, or the information contained in the information itself, routes the information to the application system client APP; when the message is routed, based on the dynamic message SLA strategy of the application system of the security strategy control center, the total scheduling can be carried out on the messages of a plurality of virtual APPs or a plurality of messages sent by one virtual APP according to the virtual APP identification.

1.3, 5G network 107 includes AMF/SMF/UPF, corresponding to AMF, SMF, UPF etc. network elements in 5G network respectively; the present invention relies on network routing capabilities and network slicing capabilities, which 5G networks possess.

1.4, a security authentication gateway is a component for realizing the security policy control of the application system server in the system, and certainly, the security policy control function of the application system server can be realized without limiting the existing modes (independent equipment, application programs and modules); for both the message reception and the message transmission, the following is followed:

1.4.1, for message receiving, authenticating an authentication module in a security authentication gateway, checking a signed message, and decrypting an encrypted message; at the same time, based on the validity verification of the message sender obtained from the security policy control center, it is verified whether the message sender is legal (e.g., message sender ID _APP Or ID _{APP group} Belonging to white list and message sender ID _APP Or ID _{APP group} Not belonging to the blacklist); discarding or returning failure processing is carried out on the message with errors in verification, decryption and validity verification of the message sender; message security processing (which may include verification, decryption, and message sender validation) is successful based on message ID _APP And ID _{APP group} The mapping relation between the messages or the information contained in the messages are used for routing the messages to the application system server through a routing module in the security authentication gateway; when the message is routed, based on the dynamic message SLA strategy of the application system of the security strategy control center, the overall scheduling can be carried out on the messages of a plurality of virtual APPs or a plurality of messages sent by one virtual APP according to the virtual APP identification;

1.4.2, for message transmission, processing according to an identity authentication policy or a dependent protocol when receiving the message, for example, signing the message with a CLA private key of a security authentication gateway for a return message of the message requiring verification when receiving the message; when the message is routed, based on the dynamic message SLA strategy of the application system of the security strategy control center, the total scheduling can be carried out on the messages of a plurality of virtual APPs or a plurality of messages sent by one virtual APP according to the virtual APP identification.

1.5, the application system server is the server part of the application system;

1.6, a CLA key management center, namely a service end for providing CLA key management service for a virtual APP and a security authentication gateway in UE, wherein the service end comprises key distribution, updating, revocation and other services; for example, a virtual APP in the UE generates a CLA public-private key pair by a virtual APP identifier and matching with a CLA key management center; the security authentication gateway generates a CLA public-private key pair by using a gateway application identifier and matching with a CLA key management center;

1.7, a security policy control center, namely a service end providing security policy configuration service for a security module and a security authentication gateway in the UE, wherein the specific service comprises:

1.7.1, application system static grouping configuration: grouping the application systems, each grouping being a subset of the set of application systems;

1.7.2, application system message dynamic grouping preference configuration: for each application system client sent message, it must belong to a certain application group; the security policy control center designates the dynamic grouping preference (including direct designation of course) of the application system message, and the security module in the UE finally determines the application system grouping to which the application system message belongs according to the static grouping configuration of the application system and the dynamic grouping preference configuration of the application system message;

1.7.3, apply system message dynamic SLA policy: based on the SLA parameters of the network slice supported by the whole system and the SLA requirements of the application system on the information, making a dynamic SLA strategy of the application system information; the security module in the UE selects a proper virtual APP (corresponding to a certain network slice) according to the strategy, and simultaneously combines the strategy to realize the routing scheduling of the message; the routing module in the security authentication gateway combines with the policy to realize the routing scheduling of the message;

1.7.4, message signing and encryption policy: formulating a security mechanism when the message is sent, including whether the message is signed, whether the message is encrypted, and the like;

1.7.5 identity authentication and access control policy of security authentication gateway: making a message authentication mechanism of the security authentication gateway, including whether to perform message identity authentication, message sender validity verification and the like;

1.7.6, virtual application system identification generation policy: making how the virtual application system identification is generated; virtual application system Identification (ID) _{Virtual APP} ) Including application system group identification (ID _{APP group} ) And a network slice identity (S-nsai), possibly including other identities (e.g., UE identity), forming a globally unique identity to form a CLA public-private key For characterizing unique identities in a system (e.g., in signing messages using private keys, signing messages in a message signature, based on a CLA signing algorithm, the message sender-application system identification ID of a virtual APP can be determined) _{Virtual APP} )。

Example 2.

In the preferred embodiment 2 of the present invention, the network slice-based and certificate-free public key cryptosystem includes two application software, such as fig. 3, whose client software is APP1 and APP2, respectively;

the security and routing strategy control center groups application software to realize two groups, namely an APP group 1 comprising APP1 and APP2; APP packet 2, including APP1;

the security module obtains the network slices supported by the UE as slice 1 (S-nsai 1) and slice 2 (S-nsai 2), forming four virtual APPs, virtual APP1, virtual APP2, virtual APP3, virtual APP4, respectively, the virtual APP IDs in this example comprising various combinations of APP group IDs and slice IDs (in this example two APP groups, two slices, and thus four). The security module cooperates with the CLA system to generate a corresponding key pair based on the virtual APP ID.

When the system operates, a security module on the UE discovers that 'APP 1' and 'APP 2' are both included in 'APP 1', and meanwhile, based on 'application system message dynamic packet preference configuration' of a security and routing policy control center, judges 'message 1' from APP1, and belongs to the 'APP 1', and the 'message 1' is belongs to 'APP 2' without losing the general assumption; meanwhile, a security module on the UE performs message processing based on an 'application system message dynamic SLA strategy' of a security and routing strategy control center and finally selects one of a 'virtual APP 1' or a 'virtual APP 2' to be used according to the conforming degree of SLA of the slice 1 and the slice 2 and the message SLA; and a security module on the UE signs and encrypts the message based on a message signature and encryption strategy of a security and routing strategy control center, and sends the message out through a communication module.

While the applicant has described and illustrated the embodiments of the present invention in detail with reference to the drawings, it should be understood by those skilled in the art that the above embodiments are only preferred embodiments of the present invention, and the detailed description is only for the purpose of helping the reader to better understand the spirit of the present invention, and not to limit the scope of the present invention, but any improvements or modifications based on the spirit of the present invention should fall within the scope of the present invention.

Claims

1. A system security control method based on network slice and certificateless public key cryptosystem is characterized in that,

the method comprises the following steps:

2. The method for controlling system security based on network slice and certificateless public key cryptosystem as set forth in claim 1, wherein,

the step 2 comprises the following steps:

step 2.1, anThe full-and-route strategy control center sends application static grouping configuration information to a security module of an application system client; based on the static grouping configuration information of the application, the security module divides the application into a plurality of application groups, and the identification of the application groups is marked as ID _{APP group} ；

3. The method for controlling system security based on network slice and certificateless public key cryptosystem as set forth in claim 2, wherein,

in step 2.2, the network slice identifier S-NSSAI includes: the network slice behavior identifiers SST corresponding to the slice characteristics and traffic expectations are characterized, and a plurality of slice identifiers SD of the same SST are distinguished.

4. The method for controlling system security based on network slice and certificateless public key cryptosystem as set forth in claim 2, wherein,

in step 2.3, the identity ID of the virtual application _{Virtual APP} Comprising the following steps: identification ID of application group _{APP group} And a network slice identifier S-NSSAI.

5. The method for controlling system security based on network slice and certificateless public key cryptosystem as set forth in claim 2, wherein,

In step 2.4, the security module generates a CLA user identification ID _CLA The method of (1) comprises:

6. The method for controlling system security based on network slice and certificateless public key cryptosystem as set forth in claim 2, wherein,

the step 3 comprises the following steps:

step 3.1, when the system is running, the application sends service system information to the security module, and the security module identifies the identity ID of the sender _APP ；

Step 3.3, the security and routing policy control center sends the application group SLA parameters to the security module, and the security module is used for controlling the security module according to the application group network slice parameters and the application group identification ID _{APP group} Determining a network slice identifier S-NSSAI; and, the security module identifies the ID according to the application group _{APP group} And network slice identification S-NSSAI, determining virtual application;

7. The method for system security control based on network slice and certificateless public key cryptosystem as set forth in claim 6, wherein,

step 3.4 comprises:

8. The method for system security control based on network slice and certificateless public key cryptosystem as set forth in claim 6, wherein,

In step 3.5, the security authentication gateway includes an authentication module, and the authentication module performs signature verification on the service system message with the signature and decrypts the encrypted service system message.

9. The method for system security control based on network slice and certificateless public key cryptosystem as set forth in claim 6, wherein,

step 3.6 comprises:

10. The method for system security control based on network slice and certificateless public key cryptosystem as set forth in claim 7, wherein,

in step 3.6.2, the legal sender identity means that the sender ID _APP Belongs to the white list and does not belong to the black list.