CN114760350B - Service realization method, device, equipment and medium in 5G network indirect communication scene - Google Patents

Info

Publication number: CN114760350B
Authority: CN (China)
Application number: CN202210376251.4A
Other languages: Chinese (zh)
Other versions: CN114760350A
Inventors: 沈军, 刘国荣, 何明
Current and original assignee: China Telecom Corp Ltd
Legal status: Active
Prior art keywords: service, network, function, authentication, network function
Events: application filed by China Telecom Corp Ltd; priority to CN202210376251.4A; publication of CN114760350A; application granted; publication of CN114760350B

Classifications

    • H04L9/3213: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos
    • H04L63/10: Network architectures or network communication protocols for network security, for controlling access to devices or network resources
    • H04L9/3226: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, using a predetermined code, e.g. password, passphrase or PIN
    • Y02D30/70: Reducing energy consumption in communication networks, in wireless communication networks

Abstract

The disclosure provides a service implementation method, a device, an electronic device and a medium in an indirect communication scenario. The method comprises the following steps: receiving a service discovery request, wherein the service discovery request comprises a network function type; generating a network storage function authentication according to the local private key, wherein the network storage function authentication comprises a candidate instance identifier of a network function service production end, the network function type, a network function setting identifier and an instance identifier of the network function service consumption end; and, according to the communication mode, sending a service discovery response to the network function service consumer or forwarding the service discovery response to the network function service consumer through the service communication proxy, wherein the service discovery response comprises the network storage function authentication so that the network function service consumer can verify it through a pre-stored public key of the network storage function. According to the embodiments of the disclosure, the timeliness and reliability of detecting malicious network functions are improved, and the safety and reliability of data interaction in an indirect communication scenario are improved.

Description

Service realization method, device, equipment and medium in 5G network indirect communication scene
Technical Field
The disclosure relates to the technical field of communication, and in particular relates to a service implementation method, device, equipment and medium in a 5G network indirect communication scene.
Background
Currently, in 5G networks the service communication proxy (Service Communication Proxy, SCP) comprises one or more of the following functions; a single SCP instance may support some or all of them:
(1) Indirect communication in 5G networks.
(2) Delegated discovery.
(3) The message is forwarded and routed to the target NF (Network Function) or target NF service.
(4) The message is forwarded and routed to the next hop SCP.
(5) Communication security (e.g., granting the network function service consumer access to the API (Application Programming Interface) of the network function service producer), load balancing, monitoring, overload control, etc.
(6) Optionally, UDR (Unified Data Repository) functions.
In the related art, in an indirect communication scenario in the 5G network, no TLS (Transport Layer Security) connection is established directly between NFc (network function service consumer) and NFp (network function service producer), so NFc cannot directly verify the authenticity of NFp.
However, if the SCP is compromised by an intruder, the SCP may use a malicious NFp to provide services to NFc, which causes leakage of sensitive NFc information or failure of normal service, and the security and reliability of the 5G network are seriously affected.
It should be noted that the information disclosed in the above background section is only for enhancing understanding of the background of the present disclosure and thus may contain information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
The present disclosure is directed to a method, apparatus, device, and medium for implementing a service in an indirect communication scenario of a 5G network, which are used to overcome, at least to some extent, the low security of the 5G network in the indirect communication scenario that results from the limitations and drawbacks of the related art.
According to a first aspect of embodiments of the present disclosure, there is provided a service implementation method in an indirect communication scenario in a 5G network, adapted to a network storage function, which includes: receiving a service discovery request, wherein the service discovery request comprises a network function type; generating a network storage function authentication according to a local private key, wherein the network storage function authentication comprises a candidate instance identifier of a network function service production end, the network function type, a network function setting identifier and an instance identifier of the network function service consumption end; and, according to a communication mode, sending a service discovery response to the network function service consumer terminal or forwarding the service discovery response to the network function service consumer terminal through a service communication proxy, wherein the service discovery response comprises the network storage function authentication so that the network function service consumer terminal can verify it through a prestored public key of the network storage function.
In an exemplary embodiment of the present disclosure, further comprising: receiving an access token request, wherein the access token request comprises the network storage function authentication; verifying the instance identifier of the network function service consumption terminal contained in the network storage function authentication; and if the authentication is passed, sending an access token response.
According to a second aspect of the embodiments of the present disclosure, there is provided a service implementation method in an indirect communication scenario in a 5G network, applicable to a network function service production end, which includes: receiving a service request sent by a service communication proxy, wherein the service request comprises a network storage function authentication, and the network storage function authentication comprises an instance identifier of a candidate network function service production end, the network function type, a setting identifier of a network function and an instance identifier of a network function service consumption end; verifying the instance identifier of the network function service consumption end contained in the network storage function authentication; and sending a service response including the network storage function authentication to the service communication proxy.
According to a third aspect of the embodiments of the present disclosure, there is provided a service implementation method in an indirect communication scenario in a 5G network, applicable to a network function service consumer, which includes: sending a service discovery request to a network storage function, directly or via a service communication proxy, the service discovery request comprising a network function type; receiving a service discovery response sent by the network storage function, wherein the service discovery response comprises a network storage function authentication, and the network storage function authentication comprises a candidate instance identifier of a network function service production end, the network function type, a network function setting identifier and an instance identifier of the network function service consumption end; and verifying the network storage function authentication through a pre-stored public key of the network storage function.
In an exemplary embodiment of the present disclosure, the method further comprises: after the network storage function authentication is confirmed to pass verification, recording the network function service production end contained in the service discovery response.
In an exemplary embodiment of the present disclosure, further comprising: sending an access token request to the network storage function or to the network storage function via the service communication proxy, the access token request comprising the network storage function authentication; and receiving an access token response sent by the network storage function.
In an exemplary embodiment of the present disclosure, further comprising: sending a service request to the network function service production end or to the network function service production end through the service communication proxy, wherein the service request comprises the network storage function authentication; and receiving a service response sent by the network function service production end through a service communication proxy, wherein the service response comprises the network storage function authentication.
According to a fourth aspect of the embodiments of the present disclosure, there is provided a service implementation apparatus in an indirect communication scenario in a 5G network, adapted to a network storage function, which includes: a receiving module configured to receive a service discovery request, the service discovery request comprising a network function type; a generation module configured to generate a network storage function authentication according to the local private key, wherein the network storage function authentication comprises candidate instance identifications of the network function service production end, the network function type, the network function setting identification and the instance identification of the network function service consumption end; and an authentication module configured to send a service discovery response to the network function service consumption end or forward it to the network function service consumption end through a service communication proxy, according to the communication mode, wherein the service discovery response comprises the network storage function authentication so that the network function service consumption end can verify it through a pre-stored public key of the network storage function.
According to a fifth aspect of the embodiments of the present disclosure, there is provided a service implementation apparatus in an indirect communication scenario in a 5G network, adapted to a network function service production end, where the service implementation apparatus in the indirect communication scenario in the 5G network includes: the receiving module is configured to receive a service request sent by a service communication proxy, wherein the service request comprises a network storage function authentication, and the network storage function authentication comprises an instance identifier of a candidate network function service production end, an instance identifier of a network function service consumption end and the network function type; the verification module is used for verifying the instance identifier of the network function service consumption terminal contained in the network storage function authentication; and the sending module is used for sending a service response to the service communication proxy, wherein the service response comprises the network storage function authentication.
According to a sixth aspect of the embodiments of the present disclosure, there is provided a service implementation apparatus in an indirect communication scenario in a 5G network, adapted to a network function service consumer, where the service implementation apparatus in the indirect communication scenario in the 5G network includes: a sending module configured to send a service discovery request to a network storage function or to the network storage function via a service communication proxy, the service discovery request comprising a network function type; the receiving module is configured to receive a service discovery response sent by the network storage function, wherein the service discovery response comprises the network storage function authentication; and the verification module is used for verifying the authentication of the network storage function through a pre-stored public key of the network storage function.
According to a seventh aspect of the present disclosure, there is provided an electronic device comprising: a memory; and a processor coupled to the memory, the processor configured to perform the method of any of the above based on instructions stored in the memory.
According to an eighth aspect of the present disclosure, there is provided a computer-readable storage medium having stored thereon a program which, when executed by a processor, implements a service implementation method in an indirect communication scenario in a 5G network as set forth in any one of the above.
By carrying the NRF (NF Repository Function, network storage function) CCA (function verification procedure) in the service discovery response (message), where the NRF CCA (referred to simply as network storage function authentication) contains the instance IDs of the candidate NFp, the set ID, the NF type and the instance ID of NFc, and returning the NRF CCA to NFc, NFc can record the correct NFp and thereby effectively verify NFp, so that NFc is not directed to services provided by a malicious NFp in the case that the SCP is maliciously controlled.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure. It will be apparent to those of ordinary skill in the art that the drawings in the following description are merely examples of the disclosure and that other drawings may be derived from them without undue effort.
Fig. 1 is a flowchart of a service implementation method in an indirect communication scenario in a 5G network in an exemplary embodiment of the present disclosure;
Fig. 2 is a flowchart of a service implementation method in an indirect communication scenario in another 5G network in an exemplary embodiment of the present disclosure;
Fig. 3 is a flowchart of a service implementation method in an indirect communication scenario in another 5G network in an exemplary embodiment of the present disclosure;
Fig. 4 is a flowchart of a service implementation method in an indirect communication scenario in another 5G network in an exemplary embodiment of the present disclosure;
Fig. 5 is a flowchart of a service implementation method in an indirect communication scenario in another 5G network in an exemplary embodiment of the present disclosure;
Fig. 6 is a flowchart of a service implementation method in an indirect communication scenario in another 5G network in an exemplary embodiment of the present disclosure;
Fig. 7 is a flowchart of a service implementation method in an indirect communication scenario in another 5G network in an exemplary embodiment of the present disclosure;
Fig. 8 is an interaction diagram of a service implementation in an indirect communication scenario in a 5G network in an exemplary embodiment of the present disclosure;
Fig. 9 is an interaction diagram of a service implementation in an indirect communication scenario in another 5G network in an exemplary embodiment of the present disclosure;
Fig. 10 is a block diagram of a service implementation apparatus in an indirect communication scenario in a 5G network in an exemplary embodiment of the present disclosure;
Fig. 11 is a block diagram of a service implementation apparatus in an indirect communication scenario in another 5G network in an exemplary embodiment of the present disclosure;
Fig. 12 is a block diagram of a service implementation apparatus in an indirect communication scenario in another 5G network in an exemplary embodiment of the present disclosure;
Fig. 13 is a block diagram of an electronic device in an exemplary embodiment of the present disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. However, the exemplary embodiments may be embodied in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the present disclosure. One skilled in the relevant art will recognize, however, that the aspects of the disclosure may be practiced without one or more of the specific details, or with other methods, components, devices, steps, etc. In other instances, well-known technical solutions have not been shown or described in detail to avoid obscuring aspects of the present disclosure.
Furthermore, the drawings are only schematic illustrations of the present disclosure, in which the same reference numerals denote the same or similar parts, and thus a repetitive description thereof will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in software or in one or more hardware modules or integrated circuits or in different networks and/or processor devices and/or microcontroller devices.
The following describes example embodiments of the present disclosure in detail with reference to the accompanying drawings.
Fig. 1 is a flowchart of a service implementation method in an indirect communication scenario in a 5G network in an exemplary embodiment of the present disclosure.
Referring to Fig. 1, the service implementation method in the indirect communication scenario in the 5G network may include:
step S102, a service discovery request is received, wherein the service discovery request comprises a network function type.
Step S104, generating a network storage function authentication according to the local private key, wherein the network storage function authentication comprises candidate instance identifications of the network function service production end, the network function type, the network function setting identification and the instance identification of the network function service consumption end.
Step S106, a service discovery response is sent to a network function service consumption end or forwarded to the network function service consumption end through a service communication proxy according to the communication mode, wherein the service discovery response comprises the network storage function authentication, so that the network function service consumption end can verify the network storage function authentication through a pre-stored public key of the network storage function.
By carrying the NRF (NF Repository Function, network storage function) CCA (function verification procedure) in the service discovery response (message), where the NRF CCA contains the instance IDs of the candidate NFp, the set ID, the NF type and the NFc instance ID, and returning the NRF CCA to NFc, NFc can record the correct NFp and thereby effectively verify NFp, so that NFc is not directed to services provided by a malicious NFp in case the SCP is maliciously controlled.
Next, each step of the service implementation method in the indirect communication scenario in the 5G network will be described in detail.
In an exemplary embodiment of the present disclosure, as shown in fig. 2, the service implementation method in an indirect communication scenario in a 5G network further includes:
step S202, receiving an access token request, where the access token request includes the network storage function authentication.
Step S204, verifying the instance identifier of the network function service consumer included in the network storage function authentication.
Step S206, if the authentication is passed, sending an access token response.
In the above embodiment, by receiving the access token request and verifying the instance identifier of the network function service consumer in the access token request, on one hand, it can be determined whether the network function service consumer corresponding to the instance identifier is secure, and on the other hand, the authenticated access token is fed back to the network function service consumer through the access token response, so that in the subsequent service interaction process, the reliability and security are ensured by carrying the access token and the CCA (network storage function authentication) in both the service request and the service response.
Fig. 3 is a flowchart of a service implementation method in an indirect communication scenario in a 5G network in an exemplary embodiment of the present disclosure.
Referring to Fig. 3, the service implementation method in the indirect communication scenario in the 5G network may include:
step S302, a service request sent by a service communication proxy is received, wherein the service request comprises a network storage function authentication, and the network storage function authentication comprises an instance identifier of a candidate network function service production end, the network function type, a setting identifier of a network function and an instance identifier of a network function service consumption end.
Step S304, verifying the instance identifier of the network function service consumer contained in the network storage function authentication.
Step S306, sending a service response to the service communication proxy, wherein the service response comprises the network storage function authentication.
In the above embodiment, by carrying the network storage function authentication and the access token passing the authentication in the service request and the service response, the reliability and the security of the network function service providing end are improved, the reliability and the security of the network function service consuming end are also improved, and in addition, whether the SCP is maliciously infringed can be timely detected.
Fig. 4 is a flowchart of a service implementation method in an indirect communication scenario in a 5G network in an exemplary embodiment of the present disclosure.
Referring to Fig. 4, the service implementation method in the indirect communication scenario in the 5G network may include:
step S402, a service discovery request is sent to a network storage function, directly or via a service communication proxy, the service discovery request comprising a network function type.
Step S404, receiving a service discovery response sent by the network storage function, wherein the service discovery response comprises a network storage function authentication, and the network storage function authentication comprises candidate instance identifications of network function service production ends, the network function type, network function setting identifications and the network function service consumption end instance identification.
Step S406, verifying the network storage function authentication through a pre-stored public key of the network storage function.
In the above embodiment, by carrying the NRF (NF Repository Function, network storage function) CCA (function verification procedure) in the service discovery request (message), where the NRF CCA contains the instance IDs of the candidate NFp, the set ID, the NF type and the instance ID of NFc, and returning the NRF CCA to NFc, NFc can record the correct NFp and thereby effectively verify NFp, so that NFc is not directed to services provided by a malicious NFp in case the SCP is maliciously controlled.
In an exemplary embodiment of the present disclosure, as shown in fig. 5, the service implementation method in an indirect communication scenario in a 5G network further includes:
step S502, after the network storage function authentication is confirmed to pass verification, the network function service production end contained in the service discovery response is recorded.
In an exemplary embodiment of the present disclosure, as shown in fig. 6, further comprising:
step S602, sending an access token request to the network storage function or to the network storage function via the service communication proxy, the access token request comprising the network storage function authentication.
Step S604, receiving an access token response sent by the network storage function.
In an exemplary embodiment of the present disclosure, as shown in fig. 7, further comprising:
step S702, a service request is sent to the network function service production end or to the network function service production end via the service communication proxy, where the service request includes the network storage function authentication.
Step S704, receiving a service response sent by the network function service production end through a service communication proxy, where the service response includes the network storage function authentication.
In an exemplary embodiment of the present disclosure, as shown in Fig. 8, the architecture of the service implementation in the indirect communication scenario in the 5G network in the Model D scenario includes NFc 802, SCP 804, NRF 806 and NFp 808, and specifically includes the following steps:
1. NFc 802 sends a service request to SCP 804, which contains NF type, NFc CCA, etc.
2. The SCP 804 sends a service discovery request to the NRF 806, the request including the NF type and the like.
3. NRF 806 generates a CCA of NRF, which includes at least NFp and NFc.
4. The NRF 806 feeds back a service discovery response to the SCP 804, the service discovery response including NFp, CCA of the NRF, etc.
5. The SCP 804 feeds back to NFc 802 a service discovery response including the CCA of the NRF, etc.
6. NFc 802 verifies the CCA of the NRF and records NFp contained therein.
7. NFc 802 sends a verification success notification to SCP 804.
8. The SCP 804 sends an access token request to the NRF 806, including the CCA of NFc, etc.
9. NRF 806 verifies the CCA of NFc.
10. NRF 806 sends an access token response to SCP 804, including an access token, etc.
11. The SCP 804 sends a service request to NFp 808, the service request including the access token and the CCA of NFc.
12. NFp 808 verifies the access token and the CCA of NFc.
13. NFp 808 feeds back to the SCP 804 a service response comprising the CCA of NFp.
14. The SCP 804 feeds back a service response to NFc 802, which includes the CCA of NFp.
15. NFc 802 verifies that NFp the CCA contains NFp identity in agreement with the previous one.
In an exemplary embodiment of the present disclosure, as shown in fig. 9, the architecture of the service implementation in the indirect communication scenario in the 5G network in the mode C scenario includes NFc 902, SCP 904, NRF 906 and NFp 908, specifically including the following steps:
1. NFc 902 sends a service discovery request to the NRF 906, which includes the NF type and the like.
2. NRF 906 generates a CCA of the NRF, which includes at least the identities of NFp and NFc.
3. The NRF 906 feeds back a service discovery response to the NFc 902, which includes NFp, the CCA of the NRF, and the like.
4. NFc 902 verifies the CCA of the NRF and records the NFp contained therein.
5. NFc 902 sends an access token request to NRF 906, which includes the CCA of NFc and the like.
6. NRF 906 verifies the CCA of NFc.
7. The NRF 906 transmits an access token response to the NFc 902, the access token response including an access token and the like.
8. NFc 902 sends a service request to the SCP 904, the service request including the access token and the CCA of NFc.
9. The SCP 904 sends a service request to the NFp 908, the service request containing the access token and the CCA of NFc.
10. NFp 908 verifies the access token and the CCA of NFc.
11. NFp 908 feeds back to SCP 904 a service response comprising the CCA of NFp.
12. The SCP 904 feeds back a service response to NFc 902, which includes the CCA of NFp.
13. NFc 902 verifies that the NFp identity contained in the CCA of NFp agrees with the one recorded previously.
In an exemplary embodiment of the present disclosure, the NRF CCA is carried in the service discovery response message. The NRF CCA contains the instanceID and setID of the candidate NFp, the NF type, and the instanceID of NFc, and is returned to NFc so that NFc can record the correct NFp and thereby effectively verify NFp. The main flow includes:
(1) Service discovery verification process.
(1.1) After the NRF receives the service discovery request, it generates the NRF CCA signed with its local private key, where the NRF CCA contains the instanceID and setID of the candidate NFp, the NF type, and the instanceID of NFc.
(1.2) In the mode D scenario, and in the mode C scenario in which the NRF and NFc communicate through the SCP, the NRF sends a service discovery response message carrying the NRF CCA to the SCP, which forwards the message to NFc. In the mode C scenario without SCP forwarding, the NRF sends the message directly to NFc.
(1.3) NFc verifies with the public key of the NRF whether the NRF CCA was truly issued by the NRF, and if so, records the candidate NFp information contained in the NRF CCA.
(2) Service request authentication flow.
(2.1) After the service requested by NFc completes, the SCP forwards a service response message containing the NFp CCA to NFc.
(2.2) NFc verifies whether the NFp instanceID and setID contained in the NFp CCA belong to the candidate NFp information set that NFc recorded in the service discovery verification procedure, and if so, NFc considers the service request successful. If they do not, or if NFc has recorded no candidate NFp information because a compromised SCP did not forward the service discovery response message to NFc, the service request is considered unsuccessful.
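As an added example that is not code from the patent, the NFc-side checks of steps (1.1) through (2.2) above (and of steps 6 and 15 in the mode D flow) in Go: the NRF signs the CCA, NFc verifies it with the pre-stored NRF public key and records the candidate set, and the NFp identity from the later service response is accepted only if it is in that set. It assumes Ed25519 for the "local private key signature", a JSON encoding of the CCA, and constructed identifiers such as nfc-0001 and smf-01, none of which are specified by the page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// NfpRef identifies one candidate producer by the two fields the page lists: instanceID and setID.
type NfpRef struct {
	InstanceID string `json:"instanceId"`
	SetID      string `json:"setId"`
}

// NrfCCA carries the content of the NRF CCA described on the page: the candidate NFp
// instanceIDs and setIDs, the requested NF type, and the instanceID of the requesting NFc.
type NrfCCA struct {
	NfcInstanceID string   `json:"nfcInstanceId"`
	NfType        string   `json:"nfType"`
	Candidates    []NfpRef `json:"candidates"`
}

// SignedCCA is the JSON payload plus the NRF signature over it. The page only says
// "local private key signature"; Ed25519 is this example's choice of algorithm (assumption).
type SignedCCA struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// SignNrfCCA is the NRF side of step (1.1): serialise the assertion and sign it.
func SignNrfCCA(priv ed25519.PrivateKey, cca NrfCCA) (SignedCCA, error) {
	payload, err := json.Marshal(cca)
	if err != nil {
		return SignedCCA{}, err
	}
	return SignedCCA{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Consumer holds the NFc state: its own instanceID, the pre-stored NRF public key,
// and the candidate set recorded from the last NRF CCA that verified.
type Consumer struct {
	InstanceID string
	NrfPublic  ed25519.PublicKey
	candidates map[NfpRef]bool
}

// RecordDiscovery is step (1.3): check the NRF signature with the pre-stored public key
// and record the candidate NFp set only if it verifies. A CCA that was altered in transit,
// or issued for another NFc, records nothing and leaves any earlier record untouched.
func (c *Consumer) RecordDiscovery(s SignedCCA) error {
	if !ed25519.Verify(c.NrfPublic, s.Payload, s.Signature) {
		return errors.New("NRF CCA signature does not verify: discovery response rejected")
	}
	var cca NrfCCA
	if err := json.Unmarshal(s.Payload, &cca); err != nil {
		return err
	}
	if cca.NfcInstanceID != c.InstanceID {
		return errors.New("NRF CCA was issued for a different NFc")
	}
	c.candidates = make(map[NfpRef]bool, len(cca.Candidates))
	for _, cand := range cca.Candidates {
		c.candidates[cand] = true
	}
	return nil
}

// CheckProducer is step (2.2): the NFp identity taken from the NFp CCA in the service
// response must be in the recorded candidate set. An empty set (for example because the
// discovery response never reached NFc) makes the service request count as unsuccessful.
// Verifying the NFp CCA's own signature is assumed to happen before this call.
func (c *Consumer) CheckProducer(nfp NfpRef) error {
	if len(c.candidates) == 0 {
		return errors.New("no candidate NFp recorded: service request unsuccessful")
	}
	if !c.candidates[nfp] {
		return fmt.Errorf("NFp %s/%s is not among the recorded candidates", nfp.InstanceID, nfp.SetID)
	}
	return nil
}

func main() {
	nrfPub, nrfPriv, _ := ed25519.GenerateKey(rand.Reader)
	nfc := &Consumer{InstanceID: "nfc-0001", NrfPublic: nrfPub}
	// Constructed sample: the NRF answers a discovery for NF type "SMF" with two candidates.
	cca := NrfCCA{NfcInstanceID: "nfc-0001", NfType: "SMF",
		Candidates: []NfpRef{{"smf-01", "set-a"}, {"smf-02", "set-a"}}}
	signed, _ := SignNrfCCA(nrfPriv, cca)
	fmt.Println("discovery:", nfc.RecordDiscovery(signed))                   // <nil>
	fmt.Println("listed NFp:", nfc.CheckProducer(NfpRef{"smf-02", "set-a"})) // <nil>
	fmt.Println("other NFp:", nfc.CheckProducer(NfpRef{"smf-99", "set-z"}))  // non-nil error
}
```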
Compared with the prior art, the method has the following advantages and effects:
1. High security: for mode D, the conventional scheme can only verify at the NF type level, whereas the technical scheme of the present disclosure can verify the specific NF instanceID and setID, improving the reliability and security of 5G communication.
2. Wide scenario coverage: the existing scheme is not applicable to the mode C scenario in which the communication between the NRF and NFc passes through the SCP, whereas the technical scheme of the present disclosure applies to the mode C scenario regardless of whether the communication between the NRF and NFc passes through the SCP.
Corresponding to the above method embodiment, the present disclosure further provides a service implementation apparatus in an indirect communication scenario in a 5G network, which may be used to perform the above method embodiment.
Fig. 10 is a block diagram of a service implementation apparatus in an indirect communication scenario in a 5G network in an exemplary embodiment of the present disclosure.
Referring to fig. 10, the service implementation apparatus 1000 in the indirect communication scenario in the 5G network may include:
A receiving module 1002, configured to receive a service discovery request, the service discovery request comprising a network function type.
The generating module 1004 is configured to generate a network storage function authentication according to the local private key, where the network storage function authentication includes the candidate instance identifier of the network function service production end, the network function type, the setting identifier of the network function, and the instance identifier of the network function service consumption end.
An authentication module 1006, configured to send a service discovery response to a network function service consumer according to a communication mode or forward the service discovery response to the network function service consumer via a service communication proxy, where the service discovery response includes the network storage function authentication, so that the network function service consumer verifies the network storage function authentication by using a pre-stored public key of the network storage function.
In one exemplary embodiment of the present disclosure, the service implementation apparatus 1000 in an indirect communication scenario in a 5G network is further configured to: receiving an access token request, wherein the access token request comprises the network storage function authentication; verifying the instance identifier of the network function service consumption terminal contained in the network storage function authentication; and if the authentication is passed, sending an access token response.
Fig. 11 is a block diagram of a service implementation apparatus in an indirect communication scenario in a 5G network in an exemplary embodiment of the present disclosure.
Referring to fig. 11, the service implementation apparatus 1100 in the indirect communication scenario in the 5G network may include:
the receiving module 1102 is configured to receive a service request sent by a service communication proxy, where the service request includes a network storage function authentication, and the network storage function authentication includes an instance identifier of a candidate network function service production end, the network function type, a setting identifier of a network function, and an instance identifier of a network function service consumption end.
The verification module 1104 is configured to verify an instance identifier of the network function service consumer included in the network storage function authentication.
A sending module 1106 configured to send a service response to the service communication proxy, the service response comprising the network storage function authentication.
Fig. 12 is a block diagram of a service implementation apparatus in an indirect communication scenario in a 5G network in an exemplary embodiment of the present disclosure.
Referring to fig. 12, the service implementation apparatus 1200 in the indirect communication scenario in the 5G network may include:
A sending module 1202, configured to send a service discovery request to a network storage function or to the network storage function via a service communication proxy, the service discovery request comprising a network function type.
The receiving module 1204 is configured to receive a service discovery response sent by the network storage function, where the service discovery response includes a network storage function authentication, and the network storage function authentication includes an instance identifier of a candidate network function service production end, the network function type, a setting identifier of a network function, and an instance identifier of a network function service consumer end.
A verification module 1206 is configured to verify the network storage function authentication by means of a pre-stored public key of the network storage function.
In one exemplary embodiment of the present disclosure, the service implementation apparatus 1200 in an indirect communication scenario in a 5G network is further configured to: and after the network storage function authentication is confirmed to pass the verification, recording a network function service production end contained in the service discovery response.
In one exemplary embodiment of the present disclosure, the service implementation apparatus 1200 in an indirect communication scenario in a 5G network is further configured to: sending an access token request to the network storage function or to the network storage function via the service communication proxy, the access token request comprising the network storage function authentication; and receiving an access token response sent by the network storage function.
In one exemplary embodiment of the present disclosure, the service implementation apparatus 1200 in an indirect communication scenario in a 5G network is further configured to: sending a service request to the network function service production end or to the network function service production end through the service communication proxy, wherein the service request comprises the network storage function authentication; and receiving a service response sent by the network function service production end through a service communication proxy, wherein the service response comprises the network storage function authentication.
Since the functions of the service implementation apparatus 1000 in the indirect communication scenario in the 5G network, the service implementation apparatus 1100 in the indirect communication scenario in the 5G network, and the service implementation apparatus 1200 in the indirect communication scenario in the 5G network have been described in detail in the corresponding method embodiments, the disclosure is not repeated herein.
It should be noted that although in the above detailed description several modules or units of a device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
In an exemplary embodiment of the present disclosure, an electronic device capable of implementing the above method is also provided.
Those skilled in the art will appreciate that the various aspects of the invention may be implemented as a system, method, or program product. Accordingly, aspects of the invention may be embodied in the following forms, namely: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.), or an embodiment combining hardware and software aspects, which may be referred to herein as a "circuit," "module," or "system."
An electronic device 1300 according to this embodiment of the invention is described below with reference to fig. 13. The electronic device 1300 shown in fig. 13 is merely an example and should not be construed as limiting the functionality and scope of use of embodiments of the present invention.
As shown in fig. 13, the electronic device 1300 is embodied in the form of a general purpose computing device. The components of the electronic device 1300 may include, but are not limited to: the at least one processing unit 1310, the at least one memory unit 1320, and a bus 1330 connecting the different system components (including the memory unit 1320 and the processing unit 1310).
The memory unit 1320 stores program code that is executable by the processing unit 1310, such that the processing unit 1310 performs steps according to the various exemplary embodiments of the present invention described in the "exemplary method" section of the present specification. For example, the processing unit 1310 may perform the methods shown in the embodiments of the present disclosure.
The memory unit 1320 may include readable media in the form of volatile memory units, such as Random Access Memory (RAM) 13201 and/or cache memory 13202, and may further include Read Only Memory (ROM) 13203.
The memory unit 1320 may also contain a program/utility 13204 having a set (at least one) of program modules 13205, such program modules 13205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
Bus 1330 may represent one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 1300 may also communicate with one or more external devices 1340 (e.g., keyboard, pointing device, bluetooth device, etc.), one or more devices that enable a user to interact with the electronic device 1300, and/or any device (e.g., router, modem, etc.) that enables the electronic device 1300 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 1350. Also, the electronic device 1300 may communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN) and/or a public network, for example, the Internet, through a network adapter 1360. As shown, the network adapter 1360 communicates with other modules of the electronic device 1300 over the bus 1330. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with electronic device 1300, including, but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, and contains several instructions to cause a computing device (may be a personal computer, a server, a terminal device, or a network device, etc.) to perform the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, a computer-readable storage medium having stored thereon a program product capable of implementing the method described above in the present specification is also provided. In some possible embodiments, the various aspects of the invention may also be implemented in the form of a program product comprising program code for causing a terminal device to carry out the steps according to the various exemplary embodiments of the invention as described in the "exemplary methods" section of this specification, when said program product is run on the terminal device.
The program product for implementing the above-described method according to an embodiment of the present invention may employ a portable compact disc read-only memory (CD-ROM) and contain program code and may be run on a terminal device, such as a personal computer. However, the program product of the present invention is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable signal medium may comprise a data signal embodied in baseband or propagated as part of a carrier wave with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
Furthermore, the above-described figures are only illustrative of the processes involved in the method according to exemplary embodiments of the present invention, and are not intended to be limiting. It will be readily appreciated that the processes shown in the above figures do not indicate or limit the temporal order of these processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, for example, among a plurality of modules.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.

Claims (6)

1. A method for implementing services in an indirect communication scenario in a 5G network, comprising:
the network storage function terminal receives a service discovery request sent by a service communication proxy, wherein the service discovery request comprises a network function type;
the network storage function end generates network storage function authentication according to a local private key, wherein the network storage function authentication comprises an instance identifier of a candidate network function service production end, the network function type, a setting identifier of a network function and an instance identifier of a network function service consumption end;
the network storage function end sends a service discovery response to the service communication proxy according to the communication mode and forwards the service discovery response to the network function service consumption end through the service communication proxy, wherein the service discovery response comprises the network storage function authentication, so that the network function service consumption end verifies the network storage function authentication through a prestored public key of the network storage function end, and records a network function service production end contained in the network storage function authentication;
the network function service production end receives a service request sent by a service communication proxy, wherein the service request comprises an access token and authentication of the network function service consumption end;
the network function service production end verifies the authentication of the access token and the network function service consumption end;
the network function service production end sends a service response to the service communication proxy, wherein the service response comprises authentication of the network function service production end;
the service communication proxy sends the service response to the network function service consumption end so that the network function service consumption end can verify the identity of the network function service production end in the authentication of the network function service production end based on the recorded network function service production end contained in the network storage function authentication.
2. The service implementation method in an indirect communication scenario in a 5G network according to claim 1, further comprising:
the network storage function end receives an access token request sent by the service communication proxy, wherein the access token request comprises authentication of the network function service consumption end;
the network storage function end verifies the authentication of the network function service consumption end;
and if the authentication is passed, the network storage function end sends an access token response to the service communication proxy, wherein the access token response comprises the access token.
3. A method for implementing services in an indirect communication scenario in a 5G network, comprising:
the network storage function end receives a service discovery request sent by a network function service consumption end, wherein the service discovery request comprises a network function type;
the network storage function end generates network storage function authentication according to a local private key, wherein the network storage function authentication comprises an instance identifier of a candidate network function service production end, the network function type, a setting identifier of a network function and an instance identifier of a network function service consumption end;
the network storage function end sends a service discovery response to a network function service consumption end according to a communication mode, wherein the service discovery response comprises the network storage function authentication, so that the network function service consumption end verifies the network storage function authentication through a pre-stored public key of the network storage function end, and records a network function service production end contained in the network storage function authentication;
the network function service production end receives a service request sent by the service communication proxy, wherein the service request corresponds to an access request sent to the service communication proxy by the network function service consumption end, and the service request comprises an access token and authentication of the network function service consumption end;
the network function service production end verifies the authentication of the access token and the network function service consumption end;
the network function service production end sends a service response to the network function service consumption end through the service communication proxy, wherein the service response comprises authentication of the network function service production end, so that the network function service consumption end can verify the identity of the network function service production end in the authentication of the network function service production end based on the recorded network function service production end contained in the network storage function authentication.
4. A service implementation method in an indirect communication scenario in a 5G network according to claim 3, further comprising:
the network storage function end receives an access token request sent by the network function service consumption end, wherein the access token request comprises authentication of the network function service consumption end;
the network storage function end verifies the authentication of the network function service consumption end;
and if the authentication is passed, the network storage function end sends an access token response to the network function service consumption end, wherein the access token response comprises the access token.
5. An electronic device, comprising:
a memory; and
a processor coupled to the memory, the processor configured to perform the service implementation method in an indirect communication scenario in a 5G network according to any of claims 1-4 based on instructions stored in the memory.
6. A computer readable storage medium having stored thereon a program which when executed by a processor implements a service implementation method in an indirect communication scenario in a 5G network according to any of claims 1-4.
CN202210376251.4A 2022-04-11 2022-04-11 Service realization method, device, equipment and medium in 5G network indirect communication scene Active CN114760350B (en)


Publications (2)

Publication Number Publication Date
CN114760350A CN114760350A (en) 2022-07-15
CN114760350B true CN114760350B (en) 2024-02-06


Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020202043A1 (en) * 2019-04-02 2020-10-08 Telefonaktiebolaget Lm Ericsson (Publ) Method for reselection of a network function (nf) service instance of a nf service producer
CN111770123A (en) * 2019-04-02 2020-10-13 华为技术有限公司 Communication method, apparatus and storage medium
CN112566072A (en) * 2019-09-26 2021-03-26 华为技术有限公司 NF-based communication method, device and storage medium
CN113748699A (en) * 2019-04-27 2021-12-03 诺基亚技术有限公司 Service authorization for indirect communication in a communication system


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Samsung. "S3-213141". 3GPP tsg_sa\wg3_security. 2021, full text. *


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant