CN114760350A - Service implementation method and device in indirect communication scene, electronic equipment and medium - Google Patents

Info

Publication number: CN114760350A (granted as CN114760350B)
Application number: CN202210376251.4A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 沈军, 刘国荣, 何明
Assignee (original and current): China Telecom Corp Ltd
Legal status: granted, active (the status listed by Google Patents is an assumption, not a legal conclusion)
Prior art keywords: service, network, function, storage function, network storage
Events: application filed by China Telecom Corp Ltd; priority to CN202210376251.4A; publication of CN114760350A; application granted; publication of CN114760350B

Classifications

    • H04L9/3213 Cryptographic mechanisms or arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos
    • H04L9/3226 Cryptographic mechanisms or arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, using a predetermined code, e.g. password, passphrase or PIN
    • H04L63/10 Network architectures or network communication protocols for network security, for controlling access to devices or network resources
    • Y02D30/70 Reducing energy consumption in communication networks, in wireless communication networks

Abstract

The disclosure provides a service implementation method, apparatus, electronic device and medium for an indirect communication scenario. The method comprises: receiving a service discovery request that includes a network function type; generating a network storage function authentication from a local private key, the authentication including the instance identifiers of candidate network function service producers, the network function type, a network function set identifier and the instance identifier of the network function service consumer; and, according to the communication mode, sending a service discovery response to the consumer directly or forwarding it to the consumer through the service communication proxy, the response including the authentication so that the consumer can verify it with a pre-stored public key of the network storage function. With this method and apparatus, a malicious network function is detected sooner and more reliably, and the safety and reliability of data interaction in an indirect communication scenario are improved.

Description

Service implementation method and device in indirect communication scene, electronic equipment and medium
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a method, an apparatus, an electronic device, and a medium for implementing a service in an indirect communication scenario.
Background
Currently, in 5G networks, a Service Communication Proxy (SCP) provides one or more of the following functions; a single SCP instance may support some or all of them:
(1) Indirect communication.
(2) Delegated discovery.
(3) Forwarding and routing messages to a target NF (Network Function) or target NF service.
(4) Forwarding and routing messages to the next-hop SCP.
(5) Communication security (e.g. authorizing a network function service consumer to access the Application Programming Interface (API) of a network function service producer), load balancing, monitoring, overload control, etc.
(6) Optionally interacting with the UDR (Unified Data Repository).
In the related art, in an indirect communication scenario no TLS (Transport Layer Security) connection is established directly between the NFc (network function service consumer) and the NFp (network function service producer); the connection is controlled at the SCP (Service Communication Proxy), so the NFc cannot directly verify the authenticity of the NFp.
If the SCP is compromised, it can have a malicious NFp serve the NFc, which may leak sensitive NFc information or prevent the service from functioning, seriously affecting the security and reliability of the 5G network.
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present disclosure, and thus may contain information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
An object of the present disclosure is to provide a service implementation method, apparatus, electronic device and medium for an indirect communication scenario, which overcome, at least to some extent, the low security of a 5G network in the indirect communication scenario that results from the limitations and defects of the related art.
According to a first aspect of the embodiments of the present disclosure, a method for implementing a service in an indirect communication scenario is provided, applicable to a network storage function. The method includes: receiving a service discovery request that includes a network function type; generating a network storage function authentication from a local private key, the authentication including the instance identifiers of candidate network function service producers, the network function type, a network function set identifier and the instance identifier of the network function service consumer; and, according to the communication mode, sending a service discovery response to the consumer or forwarding it to the consumer through a service communication proxy, the response including the authentication so that the consumer can verify it with a pre-stored public key of the network storage function.
In an exemplary embodiment of the present disclosure, the method further includes: receiving an access token request that includes the network storage function authentication; verifying the instance identifier of the network function service consumer contained in the authentication; and, if the verification passes, sending an access token response.
According to a second aspect of the embodiments of the present disclosure, a method for implementing a service in an indirect communication scenario is provided, applicable to a network function service producer. The method includes: receiving a service request sent by a service communication proxy, the request including a network storage function authentication that contains the instance identifiers of candidate network function service producers, the network function type, a network function set identifier and the instance identifier of the network function service consumer; verifying the instance identifier of the consumer contained in the authentication; and sending a service response to the service communication proxy, the response including the authentication.
According to a third aspect of the embodiments of the present disclosure, a method for implementing a service in an indirect communication scenario is provided, applicable to a network function service consumer. The method includes: sending a service discovery request to a network storage function, directly or via a service communication proxy, the request including a network function type; receiving a service discovery response sent by the network storage function, the response including a network storage function authentication that contains the instance identifiers of candidate network function service producers, the network function type, a network function set identifier and the instance identifier of the network function service consumer; and verifying the network storage function authentication with a pre-stored public key of the network storage function.
In an exemplary embodiment of the present disclosure, the method further includes: after the network storage function authentication is confirmed to have passed verification, recording the network function service producer contained in the service discovery response.
In an exemplary embodiment of the present disclosure, the method further includes: sending an access token request to the network storage function, directly or via the service communication proxy, the request including the network storage function authentication; and receiving an access token response sent by the network storage function.
In an exemplary embodiment of the present disclosure, the method further includes: sending a service request to the network function service producer, directly or via the service communication proxy, the request including the network storage function authentication; and receiving, through the service communication proxy, a service response sent by the producer, the response including the network storage function authentication.
According to a fourth aspect of the embodiments of the present disclosure, a service implementation apparatus for an indirect communication scenario is provided, suitable for a network storage function. The apparatus includes: a receiving module configured to receive a service discovery request that includes a network function type; a generation module configured to generate a network storage function authentication from a local private key, the authentication including the instance identifiers of candidate network function service producers, the network function type, a network function set identifier and the instance identifier of the network function service consumer; and an authentication module configured to send, according to the communication mode, a service discovery response to the consumer or to forward it to the consumer through a service communication proxy, the response including the authentication so that the consumer can verify it with a pre-stored public key of the network storage function.
According to a fifth aspect of the embodiments of the present disclosure, a service implementation apparatus for an indirect communication scenario is provided, suitable for a network function service producer. The apparatus includes: a receiving module configured to receive a service request sent by a service communication proxy, the request including a network storage function authentication that contains the instance identifiers of candidate network function service producers, the instance identifier of the network function service consumer and the network function type; a verification module configured to verify the instance identifier of the consumer contained in the authentication; and a sending module configured to send a service response to the service communication proxy, the response including the authentication.
According to a sixth aspect of the embodiments of the present disclosure, a service implementation apparatus for an indirect communication scenario is provided, suitable for a network function service consumer. The apparatus includes: a sending module configured to send a service discovery request to a network storage function, directly or via a service communication proxy, the request including a network function type; a receiving module configured to receive a service discovery response sent by the network storage function, the response including the network storage function authentication; and a verification module configured to verify the network storage function authentication with a pre-stored public key of the network storage function.
According to a seventh aspect of the present disclosure, there is provided an electronic apparatus comprising: a memory; and a processor coupled to the memory, the processor configured to perform the method of any of the above based on instructions stored in the memory.
According to an eighth aspect of the present disclosure, there is provided a computer-readable storage medium, on which a program is stored, the program, when executed by a processor, implementing a method for implementing a service in an indirect communication scenario as described in any one of the above.
The embodiments of the present disclosure carry an NRF (NF Repository Function, rendered "network storage function" elsewhere in this translation) CCA in the service discovery response message. The NRF CCA (abbreviated here as network storage function authentication) includes the instance ID, set ID and NF type of the candidate NFp and the instance ID of the NFc, and is returned to the NFc, so that the NFc can record the correct NFp and thereby verify the NFp effectively, preventing the NFc from being steered to a service provided by a malicious NFp when the SCP is under malicious control.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and, together with the description, serve to explain the principles of the disclosure. It should be apparent that the drawings in the following description are merely examples of the disclosure and that other drawings may be derived by those of ordinary skill in the art without inventive effort.
FIG. 1 is a flow chart of a method for service implementation in an indirect communication scenario in an exemplary embodiment of the disclosure;
FIG. 2 is a flow chart of a method for service implementation in another indirect communication scenario in an exemplary embodiment of the present disclosure;
FIG. 3 is a flow chart of a method for service implementation in another indirect communication scenario in an exemplary embodiment of the present disclosure;
FIG. 4 is a flow chart of a method of service implementation in another indirect communication scenario in an exemplary embodiment of the present disclosure;
FIG. 5 is a flow chart of a method of service implementation in another indirect communication scenario in an exemplary embodiment of the present disclosure;
FIG. 6 is a flow chart of a method of service implementation in another indirect communication scenario in an exemplary embodiment of the present disclosure;
FIG. 7 is a flow chart of a method for service implementation in another indirect communication scenario in an exemplary embodiment of the present disclosure;
FIG. 8 is an interaction diagram of a service implementation in an indirect communication scenario in an exemplary embodiment of the present disclosure;
FIG. 9 is an interaction diagram of a service implementation in another indirect communication scenario in an exemplary embodiment of the present disclosure;
FIG. 10 is a block diagram of a service implementation apparatus in an indirect communication scenario in an exemplary embodiment of the disclosure;
FIG. 11 is a block diagram of a service implementation apparatus in another indirect communication scenario in an exemplary embodiment of the disclosure;
FIG. 12 is a block diagram of a service implementation apparatus in another indirect communication scenario in an exemplary embodiment of the disclosure;
FIG. 13 is a block diagram of an electronic device in an exemplary embodiment of the disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and the like. In other instances, well-known technical solutions have not been shown or described in detail to avoid obscuring aspects of the present disclosure.
Further, the drawings are merely schematic illustrations of the present disclosure, in which the same reference numerals denote the same or similar parts, and thus, a repetitive description thereof will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The following detailed description of exemplary embodiments of the disclosure refers to the accompanying drawings.
Fig. 1 is a flowchart of a service implementation method in an indirect communication scenario in an exemplary embodiment of the present disclosure.
Referring to fig. 1, a method for implementing a service in an indirect communication scenario may include:
Step S102, receiving a service discovery request, the service discovery request including a network function type.
Step S104, generating a network storage function authentication from the local private key, the authentication including the instance identifiers of the candidate network function service producers, the network function type, the network function set identifier and the instance identifier of the network function service consumer.
Step S106, according to the communication mode, sending a service discovery response to the network function service consumer or forwarding it to the consumer through a service communication proxy, the response including the network storage function authentication so that the consumer can verify it with a pre-stored public key of the network storage function.
In this embodiment, an NRF (NF Repository Function) CCA is carried in the service discovery response message. The NRF CCA includes the instance ID, set ID and NF type of the candidate NFp and the instance ID of the NFc, and is returned to the NFc, so that the NFc can record the correct NFp and thereby verify the NFp effectively, preventing the NFc from being steered to a service provided by a malicious NFp when the SCP is under malicious control.
In the following, each step of the service implementation method in the indirect communication scenario is described in detail.
In an exemplary embodiment of the present disclosure, as shown in fig. 2, the method for implementing a service in an indirect communication scenario further includes:
Step S202, receiving an access token request, the access token request including the network storage function authentication.
Step S204, verifying the instance identifier of the network function service consumer contained in the network storage function authentication.
Step S206, if the verification passes, sending an access token response.
In the above embodiment, receiving the access token request and verifying the consumer instance identifier it carries lets the network storage function determine whether the consumer with that instance identifier is legitimate; the access token is then returned to the consumer in the access token response, and in the subsequent service interaction both the service request and the service response carry the access token and the CCA (network storage function authentication), which secures their reliability and safety.
Fig. 3 is a flowchart of a service implementation method in an indirect communication scenario in an exemplary embodiment of the present disclosure.
Referring to fig. 3, a method for implementing a service in an indirect communication scenario may include:
Step S302, receiving a service request sent by a service communication proxy, the service request including a network storage function authentication that contains the instance identifiers of the candidate network function service producers, the network function type, the network function set identifier and the instance identifier of the network function service consumer.
Step S304, verifying the instance identifier of the network function service consumer contained in the network storage function authentication.
Step S306, sending a service response to the service communication proxy, the service response including the network storage function authentication.
In this embodiment, the service request and the service response carry the network storage function authentication and the verified access token, which improves the reliability and safety of both the network function service producer and the network function service consumer and, in addition, allows a maliciously compromised SCP to be detected in time.
Fig. 4 is a flowchart of a service implementation method in an indirect communication scenario in an exemplary embodiment of the present disclosure.
Referring to fig. 4, a method for implementing a service in an indirect communication scenario may include:
Step S402, sending a service discovery request to a network storage function, directly or through a service communication proxy, the service discovery request including a network function type.
Step S404, receiving a service discovery response sent by the network storage function, the response including a network storage function authentication that contains the instance identifiers of the candidate network function service producers, the network function type, the network function set identifier and the instance identifier of the network function service consumer.
Step S406, verifying the network storage function authentication with a pre-stored public key of the network storage function.
In the above embodiment, an NRF (NF Repository Function) CCA is carried in the service discovery response message. The NRF CCA contains the instance ID, set ID and NF type of the candidate NFp and the instance ID of the NFc, and is returned to the NFc, so that the NFc can record the correct NFp and thereby verify the NFp effectively, preventing the NFc from being directed to a service provided by a malicious NFp when the SCP is under malicious control.
In an exemplary embodiment of the present disclosure, as shown in fig. 5, the method for implementing a service in an indirect communication scenario further includes:
Step S502, after the network storage function authentication is confirmed to have passed verification, recording the network function service producer contained in the service discovery response.
In an exemplary embodiment of the present disclosure, as shown in fig. 6, the method further includes:
Step S602, sending an access token request to the network storage function, directly or through the service communication proxy, the access token request including the network storage function authentication.
Step S604, receiving an access token response sent by the network storage function.
In an exemplary embodiment of the present disclosure, as shown in fig. 7, the method further includes:
Step S702, sending a service request to the network function service producer, directly or through the service communication proxy, the service request including the network storage function authentication.
Step S704, receiving, through a service communication proxy, a service response sent by the network function service producer, the service response including the network storage function authentication.
In an exemplary embodiment of the present disclosure, as shown in fig. 8, the architecture of the service implementation scheme in an indirect communication scenario under Model D includes NFc 802, SCP 804, NRF 806 and NFp 808, and the flow specifically includes the following steps:
1. NFc 802 sends a service request to SCP 804; the request includes the NF type, the NFc CCA, etc.
2. SCP 804 sends a service discovery request to NRF 806; the request includes the NF type, etc.
3. NRF 806 generates the NRF CCA, which includes at least the NFp and the NFc, among other fields.
4. NRF 806 returns a service discovery response to SCP 804; the response includes the NFp, the NRF CCA, etc.
5. SCP 804 returns a service notification to NFc 802; the notification includes the NRF CCA, etc.
6. NFc 802 verifies the NRF CCA and records the NFp contained in it.
7. NFc 802 sends a verification-success notification to SCP 804.
8. SCP 804 sends an access token request to NRF 806; the request includes the NFc CCA, etc.
9. NRF 806 verifies the NFc CCA.
10. NRF 806 sends an access token response to SCP 804; the response includes the access token, etc.
11. SCP 804 sends a service request to NFp 808; the request includes the access token and the NFc CCA.
12. NFp 808 verifies the access token and the NFc CCA.
13. NFp 808 returns a service response to SCP 804; the response includes the NFc CCA.
14. SCP 804 returns the service response to NFc 802; the response includes the NFc CCA.
15. NFc 802 verifies that the NF identity of the NFp contained in the CCA is consistent with the one recorded earlier.
In an exemplary embodiment of the present disclosure, as shown in fig. 9, the architecture of the service implementation scheme for the indirect communication scenario in MODEL C includes NFc 902, SCP 904, NRF 906, and NFp 908, and the flow specifically includes the following steps:
1. NFc 902 sends a service discovery request to NRF 906; the request includes the NF type and the like.
2. NRF 906 generates the CCA of NRF, which includes at least NFp, NFc, and the like.
3. NRF 906 returns a service discovery response to NFc 902; the response includes NFp, the CCA of NRF, and the like.
4. NFc 902 verifies the CCA of NRF and records the NFp contained therein.
5. NFc 902 sends an access token request to NRF 906; the request includes the CCA of NFc and the like.
6. NRF 906 verifies the CCA of NFc.
7. NRF 906 sends an access token response to NFc 902; the response includes the access token and the like.
8. NFc 902 sends a service request to SCP 904; the request includes the access token and the CCA of NFc.
9. SCP 904 sends a service request to NFp 908; the request includes the access token and the CCA of NFc.
10. NFp 908 verifies the access token and the CCA of NFc.
11. NFp 908 returns a service response to SCP 904; the response includes the CCA of NFp.
12. SCP 904 returns the service response to NFc 902; the response includes the CCA of NFp.
13. NFc 902 verifies that the NF identity contained in the CCA of NFp is consistent with the one it recorded previously.
In an exemplary embodiment of the disclosure, an NRF CCA is carried in the service discovery response message. The NRF CCA includes the instanceID and setID of each candidate NFp, the NF type, and the instanceID of NFc, and is returned to NFc so that NFc can record the correct candidate NFp and later verify the responding NFp against that record. The main flow is as follows:
(1) Service discovery verification flow.
(1.1) After receiving the service discovery request, the NRF signs with its local private key to generate the NRF CCA, which includes the instanceID, setID, and NF type of the candidate NFp and the instanceID of NFc.
(1.2) In the model D scenario, and in the model C scenario where the SCP relays the message, the NRF sends the service discovery response message carrying the NRF CCA to the SCP, and the SCP forwards it to NFc. In the model C scenario where the SCP does not relay, the NRF sends the message directly to NFc.
(1.3) NFc uses the public key of the NRF to verify that the NRF CCA was actually issued by the NRF, and if so records the candidate NFp information contained in the NRF CCA.
(2) Service request verification flow.
(2.1) After the service requested by NFc has been completed, the SCP forwards a service response message containing the NFp CCA to NFc.
(2.2) NFc verifies whether the NFp instanceID and setID contained in the NFp CCA belong to the set of candidate NFp information that NFc recorded in the service discovery verification flow; if so, NFc considers the service request successful. The service request is considered unsuccessful when they do not belong, or when NFc recorded no candidate NFp information at all because an intruder-controlled SCP did not forward the service discovery response message to NFc.
Compared with the prior art, the method has the following advantages and effects:
1. High security: the conventional scheme can only verify at the NF type level in MODEL D, whereas the technical scheme of the present disclosure verifies the specific NF instanceID and setID, which improves the reliability and security of 5G communication.
2. Wide scenario coverage: the existing scheme is not suitable for the MODEL C scenario in which the communication between NRF and NFc passes through the SCP, whereas the technical scheme of the present disclosure is suitable for MODEL C whether or not the communication between NRF and NFc passes through the SCP.
Corresponding to the method embodiment, the present disclosure further provides a service implementation apparatus in an indirect communication scenario, which may be used to implement the method embodiment.
Fig. 10 is a block diagram of a service implementation apparatus in an indirect communication scenario in an exemplary embodiment of the disclosure.
Referring to fig. 10, the service implementing apparatus 1000 in the indirect communication scenario may include:
a receiving module 1002, configured to receive a service discovery request, where the service discovery request includes a network function type;
a generating module 1004, configured to generate a network storage function authentication according to the local private key, where the network storage function authentication includes an instance identifier of a candidate network function service production end, the network function type, a network function set identifier, and an instance identifier of a network function service consumption end;
an authentication module 1006, configured to send a service discovery response to the network function service consumption end, or forward it to the network function service consumption end via a service communication agent, according to the communication mode, where the service discovery response includes the network storage function authentication, so that the network function service consumption end can verify the network storage function authentication with the pre-stored public key of the network storage function.
In an exemplary embodiment of the present disclosure, the service implementation apparatus 1000 in the indirect communication scenario is further configured to: receiving an access token request, the access token request including the network storage function authentication; verifying the instance identification of the network function service consuming side contained in the network storage function authentication; and if the verification is passed, sending an access token response.
Fig. 11 is a block diagram of a service implementation apparatus in an indirect communication scenario in an exemplary embodiment of the disclosure.
Referring to fig. 11, a service implementation apparatus 1100 in an indirect communication scenario may include:
a receiving module 1102, configured to receive a service request sent by a service communication agent, where the service request includes a network storage function authentication, and the network storage function authentication includes an instance identifier of a candidate network function service production end, the network function type, a network function set identifier, and an instance identifier of a network function service consumption end;
a verification module 1104, configured to verify the instance identifier of the network function service consumption end included in the network storage function authentication;
a sending module 1106, configured to send a service response to the service communication agent, where the service response includes the network storage function authentication.
Fig. 12 is a block diagram of a service implementation apparatus in an indirect communication scenario in an exemplary embodiment of the disclosure.
Referring to fig. 12, a service implementation apparatus 1200 in an indirect communication scenario may include:
a sending module 1202, configured to send a service discovery request to a network storage function, either directly or via a service communication agent, where the service discovery request includes a network function type;
a receiving module 1204, configured to receive a service discovery response sent by the network storage function, where the service discovery response includes a network storage function authentication, and the network storage function authentication includes an instance identifier of a candidate network function service production end, the network function type, a network function set identifier, and an instance identifier of a network function service consumption end;
a verifying module 1206, configured to verify the network storage function authentication with the pre-stored public key of the network storage function.
In an exemplary embodiment of the present disclosure, the service implementation apparatus 1200 in the indirect communication scenario is further configured to: after the network storage function authentication is confirmed to pass verification, record the network function service production end contained in the service discovery response.
In an exemplary embodiment of the present disclosure, the service implementation apparatus 1200 in the indirect communication scenario is further configured to: send an access token request to the network storage function, either directly or via the service communication agent, where the access token request includes the network storage function authentication; and receive an access token response sent by the network storage function.
In an exemplary embodiment of the present disclosure, the service implementation apparatus 1200 in the indirect communication scenario is further configured to: send a service request to the network function service production end, either directly or via the service communication agent, where the service request includes the network storage function authentication; and receive a service response sent by the network function service production end via the service communication agent, where the service response includes the network storage function authentication.
Since each function of the service implementation apparatus 1000 in the indirect communication scenario, the service implementation apparatus 1100 in the indirect communication scenario, and the service implementation apparatus 1200 in the indirect communication scenario has been described in detail in the corresponding method embodiments, details of the disclosure are not repeated herein.
It should be noted that although several modules or units of the device for action execution are mentioned in the above detailed description, such a division is not mandatory. Indeed, according to embodiments of the present disclosure, the features and functions of two or more modules or units described above may be embodied in one module or unit. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by a plurality of modules or units.
In an exemplary embodiment of the present disclosure, an electronic device capable of implementing the above method is also provided.
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or program product. Accordingly, various aspects of the present invention may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.), or an embodiment combining hardware and software aspects, which may all be referred to herein collectively as a "circuit," "module," or "system."
An electronic device 1300 according to this embodiment of the invention is described below with reference to fig. 13. The electronic device 1300 shown in fig. 13 is only an example and should not bring any limitation to the function and the scope of use of the embodiments of the present invention.
As shown in fig. 13, electronic device 1300 takes the form of a general-purpose computing device. The components of the electronic device 1300 may include, but are not limited to: the at least one processing unit 1310, the at least one memory unit 1320, and the bus 1330 connecting the various system components including the memory unit 1320 and the processing unit 1310.
Wherein the memory unit stores program code that is executable by the processing unit 1310 to cause the processing unit 1310 to perform steps according to various exemplary embodiments of the present invention as described in the "exemplary methods" section above in this specification. For example, the processing unit 1310 may perform a method as shown in the embodiments of the present disclosure.
The memory unit 1320 may include readable media in the form of volatile memory units, such as a random access memory unit (RAM)13201 and/or a cache memory unit 13202, and may further include a read only memory unit (ROM) 13203.
Storage unit 1320 may also contain a program/utility 13204 having a set (at least one) of program modules 13205, such program modules 13205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Bus 1330 may be any bus representing one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 1300 may also communicate with one or more external devices 1340 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 1300, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 1300 to communicate with one or more other computing devices. Such communication may occur over input/output (I/O) interfaces 1350. Also, the electronic device 1300 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the internet) through the network adapter 1360. As shown, the network adapter 1360 communicates with the other modules of the electronic device 1300 via the bus 1330. It should be appreciated that although not shown, other hardware and/or software modules may be used in conjunction with the electronic device 1300, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, and may also be implemented by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and contains several instructions to make a computing device (which may be a personal computer, a server, a terminal device, or a network device, etc.) execute the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, there is also provided a computer readable storage medium having stored thereon a program product capable of implementing the above-described method of the present specification. In some possible embodiments, the various aspects of the invention may also be implemented in the form of a program product comprising program code means for causing a terminal device to carry out the steps according to various exemplary embodiments of the invention described in the above section "exemplary method" of this description, when said program product is run on said terminal device.
The program product for implementing the above method according to an embodiment of the present invention may employ a portable compact disc read only memory (CD-ROM) and contain program codes, and may be run on a terminal device, such as a personal computer. However, the program product of the present invention is not limited in this respect, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable signal medium may contain a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
Furthermore, the above-described figures are merely schematic illustrations of processes involved in methods according to exemplary embodiments of the invention, and are not intended to be limiting. It will be readily appreciated that the processes illustrated in the above figures are not intended to indicate or limit the temporal order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.

Claims (12)

1. A service implementation method in an indirect communication scenario, applicable to a network storage function, the service implementation method in the indirect communication scenario comprising:
receiving a service discovery request, the service discovery request including a network function type;
generating a network storage function authentication according to a local private key, wherein the network storage function authentication comprises an instance identifier of a candidate network function service production end, the network function type, a network function set identifier, and an instance identifier of a network function service consumption end;
and sending a service discovery response to the network function service consumption end, or forwarding the service discovery response to the network function service consumption end through a service communication agent, according to a communication mode, wherein the service discovery response comprises the network storage function authentication, so that the network function service consumption end verifies the network storage function authentication through a pre-stored public key of the network storage function.
2. The method for implementing services in an indirect communication scenario of claim 1, further comprising:
receiving an access token request, the access token request including the network storage function authentication;
verifying the instance identification of the network function service consuming side contained in the network storage function authentication;
and if the verification is passed, sending an access token response.
3. A service implementation method in an indirect communication scenario, applicable to a network function service production end, comprising the following steps:
receiving a service request sent by a service communication agent, wherein the service request comprises a network storage function authentication, and the network storage function authentication comprises an instance identifier of a candidate network function service production end, a network function type, a network function set identifier, and an instance identifier of a network function service consumption end;
verifying the instance identifier of the network function service consumption end contained in the network storage function authentication;
and sending a service response to the service communication agent, the service response including the network storage function authentication.
4. A service implementation method in an indirect communication scenario, applicable to a network function service consumption end, the service implementation method in the indirect communication scenario comprising:
sending a service discovery request to a network storage function, either directly or via a service communication agent, the service discovery request including a network function type;
receiving a service discovery response sent by the network storage function, wherein the service discovery response comprises a network storage function authentication, and the network storage function authentication comprises an instance identifier of a candidate network function service production end, the network function type, a network function set identifier, and an instance identifier of a network function service consumption end;
and verifying the network storage function authentication through a pre-stored public key of the network storage function.
5. The method for implementing services in an indirect communication scenario of claim 4, further comprising:
and after the network storage function authentication is confirmed to pass verification, recording a network function service production end contained in the service discovery response.
6. The method for implementing services in an indirect communication scenario of claim 4, further comprising:
sending an access token request to the network storage function or to the network storage function via the service communication agent, the access token request including the network storage function authentication;
and receiving an access token response sent by the network storage function.
7. The method for implementing services in an indirect communication scenario of claim 4, further comprising:
sending a service request to the network function service production end, either directly or via the service communication agent, the service request including the network storage function authentication;
and receiving a service response sent by the network function service production end through the service communication agent, wherein the service response comprises the network storage function authentication.
8. A service implementation device in an indirect communication scenario, applicable to a network storage function, comprising:
a receiving module configured to receive a service discovery request, the service discovery request including a network function type;
a generation module configured to generate a network storage function authentication according to a local private key, wherein the network storage function authentication comprises an instance identifier of a candidate network function service production end, the network function type, a network function set identifier, and an instance identifier of a network function service consumption end;
and an authentication module configured to send a service discovery response to the network function service consumption end, or forward the service discovery response to the network function service consumption end through a service communication agent, according to a communication mode, wherein the service discovery response comprises the network storage function authentication, so that the network function service consumption end can verify the network storage function authentication through a pre-stored public key of the network storage function.
9. A service implementation device in an indirect communication scenario, applicable to a network function service production end, the service implementation device in the indirect communication scenario comprising:
a receiving module configured to receive a service request sent by a service communication agent, wherein the service request comprises a network storage function authentication, and the network storage function authentication comprises instance identifiers of candidate network function service production ends, the instance identifier of the network function service consumption end, and the network function type;
a verification module configured to verify the instance identifier of the network function service consumption end contained in the network storage function authentication;
and a sending module configured to send a service response to the service communication agent, wherein the service response comprises the network storage function authentication.
10. A service implementation device in an indirect communication scenario, applicable to a network function service consumption end, the service implementation device in the indirect communication scenario comprising:
a sending module configured to send a service discovery request to a network storage function, either directly or via a service communication agent, the service discovery request including a network function type;
a receiving module configured to receive a service discovery response sent by the network storage function, wherein the service discovery response comprises the network storage function authentication;
and a verification module configured to verify the network storage function authentication through a pre-stored public key of the network storage function.
11. An electronic device, comprising:
a memory; and
a processor coupled to the memory, the processor configured to perform a method of service implementation in an indirect communication scenario as claimed in any of claims 1-7 based on instructions stored in the memory.
12. A computer-readable storage medium on which a program is stored, which when executed by a processor implements a service implementation method in an indirect communication scenario according to any of claims 1-7.
CN202210376251.4A 2022-04-11 2022-04-11 Service realization method, device, equipment and medium in 5G network indirect communication scene Active CN114760350B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210376251.4A CN114760350B (en) 2022-04-11 2022-04-11 Service realization method, device, equipment and medium in 5G network indirect communication scene

Publications (2)

Publication Number Publication Date
CN114760350A true CN114760350A (en) 2022-07-15
CN114760350B CN114760350B (en) 2024-02-06

Family

ID=82329828

Country Status (1)

Country Link
CN (1) CN114760350B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020202043A1 (en) * 2019-04-02 2020-10-08 Telefonaktiebolaget Lm Ericsson (Publ) Method for reselection of a network function (nf) service instance of a nf service producer
CN111770123A (en) * 2019-04-02 2020-10-13 华为技术有限公司 Communication method, apparatus and storage medium
CN112566072A (en) * 2019-09-26 2021-03-26 华为技术有限公司 NF-based communication method, device and storage medium
CN113748699A (en) * 2019-04-27 2021-12-03 诺基亚技术有限公司 Service authorization for indirect communication in a communication system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
SAMSUNG: "S3-213141", 3GPP TSG_SA WG3_SECURITY *

Also Published As

Publication number Publication date
CN114760350B (en) 2024-02-06

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant