CN114978698A - Network access method, target terminal, certificate management network element and verification network element

Info

Publication number: CN114978698A
Authority: CN (China)
Prior art keywords: network, networks, public key, identifications, identification
Legal status: Granted
Application number: CN202210569753.9A
Other languages: Chinese (zh)
Other versions: CN114978698B (en)
Inventors: 史可, 贾雪琴, 韩政鑫, 林晨, 黄蓉
Current assignee: China United Network Communications Group Co Ltd
Original assignee: China United Network Communications Group Co Ltd
Application filed by China United Network Communications Group Co Ltd
Priority to CN202210569753.9A
Publication of CN114978698A
Application granted
Publication of CN114978698B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

The application provides a network access method, a target terminal, a certificate management network element and a verification network element, relates to the field of communications, and can solve the problem that in the prior art the network access efficiency of a terminal in multiple networks is low. The method comprises the following steps: sending the network identifications of a plurality of networks to a credential management network element; receiving a network certificate generated by the certificate management network element according to the network identifications of the plurality of networks, the network certificate comprising a network identification signature and a first public key; sending verification request information to a verification network element of a first network so that the verification network element obtains a verification result based on the verification request information, the verification request information comprising the network identification signature, the first public key, the network identification of the first network and the encrypted network identification of the second network; and receiving the verification result sent by the verification network element, and determining whether to access the first network according to the verification result. The method and the device can improve the network access efficiency of the terminal in a plurality of networks.

Description

Network access method, target terminal, certificate management network element and verification network element
Technical Field
The present application relates to the field of communications, and in particular, to a network access method, a target terminal, a credential management network element, and a verification network element.
Background
In the prior art, when a terminal accesses different networks, it needs to perform identity authentication according to the access authentication protocol specified by the corresponding network in order to gain access. However, each network defines its own access authentication protocol, and the terminal needs to register an identity in each network separately before it can perform the access authentication procedure defined by that network, which makes the network access of the terminal in multiple networks inefficient.
Disclosure of Invention
The application provides a network access method, a target terminal, a certificate management network element and a verification network element, which can improve the network access efficiency of the terminal in a plurality of networks.
In order to achieve the purpose, the following technical scheme is adopted in the application:
In a first aspect, the present application provides a network access method, including: sending network identifications of a plurality of networks to a credential management network element; receiving a network certificate generated by the certificate management network element according to the network identifications of the plurality of networks, the network certificate comprising a network identification signature and a first public key, where the network identification signature is a signature over the network identifications of the plurality of networks and the first public key is the public key for the network identifications of the plurality of networks; sending verification request information to a verification network element of the first network so that the verification network element obtains a verification result based on the verification request information, the verification request information comprising the network identification signature, the first public key, the network identification of the first network and the encrypted network identification of the second network, where the first network is any one of the plurality of networks and the second network is a network of the plurality of networks other than the first network; and receiving the verification result sent by the verification network element, and determining whether to access the first network according to the verification result.
The scheme has at least the following beneficial effects: in the network access method provided by the application, the target terminal can obtain, from the certificate management network element, the network identifier signature and the first public key for the network identifiers of the multiple networks as its network certificate, based on the network identifiers of those networks. When the target terminal needs to access any one of the networks, it only needs to send the network identifier signature, the first public key, the network identifier of that network and the encrypted network identifiers of the other networks to the verification network element of that network, so that the verification network element can verify the authenticity of the network identifier based on this information and determine whether the target terminal may access the network. Therefore, the target terminal in the application can access any one of the plurality of networks through a unified network access method, which improves network access efficiency.
With reference to the first aspect, in a possible implementation manner, the method further includes: creating decentralized identity DID information, wherein the DID information comprises network identifications of a plurality of networks; and generating a second public key and a second private key corresponding to the DID information, and encrypting the network identifications of the plurality of networks according to the second private key.
With reference to the first aspect, in a possible implementation manner, the method includes: sending the encrypted network identifications of the plurality of networks and the second public key to the certificate management network element.
In a second aspect, the present application provides a network access method, including: receiving network identifications of a plurality of networks sent by a target terminal; generating a network certificate according to the network identifications of the plurality of networks; the network certificate comprises a network identification signature and a first public key; the network identification signature is a signature of network identifications of a plurality of networks, and the first public key is a public key of the network identifications of the plurality of networks; and sending the network certificate to the target terminal.
With reference to the second aspect, in a possible implementation manner, the method includes: receiving the encrypted network identifications of the plurality of networks and the second public key sent by the target terminal; and decrypting the encrypted network identifications of the plurality of networks according to the second public key.
With reference to the second aspect, in one possible implementation manner, the method includes: randomly generating a first private key and generating a corresponding first public key according to the first private key; determining network identification signatures of the network identifications of the plurality of networks according to the first private key, the first public key and the network identifications of the plurality of networks; and generating a network certificate according to the first public key and the network identification signature.
In a third aspect, the present application provides a network access method, including: receiving verification request information sent by a target terminal, the verification request information comprising a network identification signature, a first public key, a network identification of the first network and the encrypted network identification of the second network, where the network identification signature is a signature over the network identifications of a plurality of networks, the first public key is the public key for the network identifications of the plurality of networks, the first network is any one of the plurality of networks, and the second network is a network of the plurality of networks other than the first network; verifying the network identification signature, the first public key, the network identification of the first network and the encrypted network identification of the second network to obtain a verification result, the verification result being either that access to the first network is allowed or that access to the first network is prohibited; and sending the verification result to the target terminal.
With reference to the third aspect, in a possible implementation manner, the method includes: under the condition that the network identification signature, the first public key, the network identification of the first network and the encrypted network identification of the second network meet a preset formula, determining that the verification result is that the first network is allowed to be accessed; and under the condition that the network identification signature, the first public key, the network identification of the first network and the encrypted network identification of the second network do not meet a preset formula, determining that the verification result is that the access to the first network is forbidden.
With reference to the third aspect, in a possible implementation manner, the preset formula is as follows:
Figure BDA0003659790480000031
where $(e, s, v)$ is the network identification signature, $(a_1, a_2, a_3, \ldots, a_L, b, c, n)$ is the first public key, $m_1$ is the network identification of the first network, and
Figure BDA0003659790480000032
Figure BDA0003659790480000033
is the network identification of the second network.
In a fourth aspect, the present application provides a target terminal comprising a communication unit and a processing unit. The communication unit is configured to send the network identifiers of multiple networks to a credential management network element, and to receive a network certificate generated by the certificate management network element according to the network identifications of the plurality of networks, the network certificate comprising a network identification signature and a first public key, where the network identification signature is a signature over the network identifications of the plurality of networks and the first public key is the public key for the network identifications of the plurality of networks. The communication unit is further configured to send verification request information to a verification network element of the first network so that the verification network element obtains a verification result based on the verification request information, the verification request information comprising the network identification signature, the first public key, the network identification of the first network and the encrypted network identification of the second network, where the first network is any one of the plurality of networks and the second network is a network of the plurality of networks other than the first network. The communication unit is further configured to receive the verification result sent by the verification network element, and the processing unit is configured to determine whether to access the first network according to the verification result.
With reference to the fourth aspect, in a possible implementation manner, the processing unit is further configured to create decentralized identity DID information, where the DID information includes the network identifiers of the multiple networks, to generate a second public key and a second private key corresponding to the DID information, and to encrypt the network identifications of the plurality of networks according to the second private key; and the communication unit is further configured to send the encrypted network identifications of the plurality of networks and the second public key to the certificate management network element.
In a fifth aspect, the present application provides a credential management network element, including a communication unit and a processing unit; the communication unit is used for receiving network identifications of a plurality of networks sent by a target terminal; a processing unit, configured to generate a network credential according to network identifiers of multiple networks; the network certificate comprises a network identification signature and a first public key; the network identification signature is a signature of network identifications of a plurality of networks, and the first public key is a public key of the network identifications of the plurality of networks; and the communication unit is also used for sending the network certificate to the target terminal.
With reference to the fifth aspect, in a possible implementation manner, the communication unit is further configured to receive the encrypted network identifiers of the multiple networks and the second public key sent by the target terminal; and the processing unit is further configured to decrypt the encrypted network identifications according to the second public key.
With reference to the fifth aspect, in a possible implementation manner, the processing unit is configured to randomly generate a first private key, and generate a corresponding first public key according to the first private key; determining network identification signatures of the network identifications of the plurality of networks according to the first private key, the first public key and the network identifications of the plurality of networks; and generating a network certificate according to the first public key and the network identification signature.
In a sixth aspect, the present application provides an authentication network element including a communication unit and a processing unit. The communication unit is configured to receive verification request information sent by the target terminal, the verification request information comprising a network identification signature, a first public key, a network identification of the first network and the encrypted network identification of the second network, where the network identification signature is a signature over the network identifications of a plurality of networks, the first public key is the public key for the network identifications of the plurality of networks, the first network is any one of the plurality of networks, and the second network is a network of the plurality of networks other than the first network. The processing unit is configured to verify the network identification signature, the first public key, the network identification of the first network and the encrypted network identification of the second network to obtain a verification result, the verification result being either that access to the first network is allowed or that access to the first network is prohibited; and the communication unit is further configured to send the verification result to the target terminal.
With reference to the sixth aspect, in a possible implementation manner, the processing unit is configured to determine that the verification result is that the access to the first network is allowed when the network identifier signature, the first public key, the network identifier of the first network, and the encrypted network identifier of the second network satisfy a preset formula; and under the condition that the network identification signature, the first public key, the network identification of the first network and the encrypted network identification of the second network do not meet a preset formula, determining that the verification result is that the access to the first network is forbidden.
With reference to the sixth aspect, in a possible implementation manner, the preset formula is:
Figure BDA0003659790480000041
where $(e, s, v)$ is the network identification signature, $(a_1, a_2, a_3, \ldots, a_L, b, c, n)$ is the first public key, $m_1$ is the network identification of the first network, and
Figure BDA0003659790480000042
Figure BDA0003659790480000043
is the network identification of the second network.
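The credential issuance (the first key pair and the signature over the L network identifications) and the verification step, as a toy worked example added here, not code from the patent or its assignee. The symbols (e, s, v) and (a_1, …, a_L, b, c, n) match a Camenisch-Lysyanskaya signature, so the preset formula, which the page shows only as an image, is assumed to be c ≡ v^e · a_1^{m_1} ··· a_L^{m_L} · b^s (mod n), and the "encrypted" identification of a second network is modelled as the term a_j^{m_j} mod n, which the first network's verifier can fold into the check without learning m_j; the modulus, bases and network identifiers are constructed toy values.

```python
"""Toy model of the multi-network credential described in this patent.

Roles (names follow the patent text):
  credential management network element -> keygen(), issue_credential()
  target terminal                       -> build_verification_request()
  verification network element          -> verify_request()

ASSUMPTIONS (not stated on the page): the signature (e, s, v) and public key
(a_1..a_L, b, c, n) are taken to be a Camenisch-Lysyanskaya signature with the
verification equation  c == v^e * a_1^m_1 * ... * a_L^m_L * b^s  (mod n), and
the "encrypted" identification of a second network j is modelled as the term
a_j^m_j mod n.  Toy modulus: two Mersenne primes, far too small for real use.
"""
import hashlib
import math
import secrets


def network_id_to_int(network_id: str) -> int:
    """Map a network identification string to the message integer m_i."""
    return int.from_bytes(hashlib.sha256(network_id.encode()).digest(), "big")


def keygen(num_networks: int):
    """Credential manager: first private key (phi) and first public key (a_1..a_L, b, c, n)."""
    p, q = 2**61 - 1, 2**89 - 1            # toy primes; real CL uses large safe primes
    n = p * q
    phi = (p - 1) * (q - 1)

    def base(tag: str) -> int:
        # derive a fixed base and square it so it lies in the quadratic residues mod n
        h = int.from_bytes(hashlib.sha256(tag.encode()).digest(), "big") % n
        return pow(h, 2, n)

    a = [base(f"a{i}") for i in range(1, num_networks + 1)]
    pub = {"a": a, "b": base("b"), "c": base("c"), "n": n}
    priv = {"phi": phi}                    # knowledge of phi(n) is the signing secret
    return pub, priv


def issue_credential(pub, priv, network_ids):
    """Credential manager: sign the L network identifications, returning (e, s, v)."""
    n, a, b, c = pub["n"], pub["a"], pub["b"], pub["c"]
    if len(network_ids) != len(a):
        raise ValueError("credential must cover exactly len(a) networks")
    e = 65537                              # toy: fixed prime; CL draws a fresh prime per signature
    if math.gcd(e, priv["phi"]) != 1:
        raise ValueError("e not invertible modulo phi(n)")
    s = secrets.randbelow(n)               # random blinding exponent
    acc = pow(b, s, n)
    for a_i, nid in zip(a, network_ids):
        acc = acc * pow(a_i, network_id_to_int(nid), n) % n
    x = c * pow(acc, -1, n) % n            # x = c / (prod a_i^m_i * b^s)
    v = pow(x, pow(e, -1, priv["phi"]), n) # e-th root of x, so v^e == x (mod n)
    return (e, s, v)


def build_verification_request(pub, signature, network_ids, first_index):
    """Target terminal: disclose m_1 for the network it joins, hide the others as a_j^m_j mod n."""
    n, a = pub["n"], pub["a"]
    ms = [network_id_to_int(nid) for nid in network_ids]
    hidden = {j: pow(a[j], ms[j], n) for j in range(len(ms)) if j != first_index}
    return {"signature": signature, "pub": pub, "first_index": first_index,
            "m_first": ms[first_index], "hidden": hidden}


def verify_request(req, trusted_pub) -> bool:
    """Verification element: accept only if the (assumed) preset formula holds."""
    pub = req["pub"]
    if pub != trusted_pub:                 # the request carries a public key; accept only the known issuer key
        return False
    n, a, b, c = pub["n"], pub["a"], pub["b"], pub["c"]
    e, s, v = req["signature"]
    if e < 3 or e % 2 == 0 or not 0 < v < n:
        return False
    i = req["first_index"]
    if set(req["hidden"]) != set(range(len(a))) - {i}:
        return False                       # every other network must be present exactly once
    rhs = pow(v, e, n) * pow(a[i], req["m_first"], n) % n
    for term in req["hidden"].values():
        rhs = rhs * (term % n) % n
    rhs = rhs * pow(b, s, n) % n
    return rhs == c


def demo():
    """Constructed sample: one credential for three networks, checked by the network at index 0."""
    networks = ["net-A", "net-B", "net-C"]   # constructed identifiers
    pub, priv = keygen(len(networks))
    sig = issue_credential(pub, priv, networks)
    req = build_verification_request(pub, sig, networks, first_index=0)
    ok = verify_request(req, pub)
    forged = dict(req, m_first=network_id_to_int("net-Z"))  # claims a different first-network id
    return ok, verify_request(forged, pub)


if __name__ == "__main__":
    print(demo())   # (True, False)
```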
In a seventh aspect, the present application provides a target terminal, including a processor and a communication interface, the communication interface being coupled to the processor, and the processor being configured to execute a computer program or instructions to implement the network access method as described in the first aspect and any possible implementation manner of the first aspect.
In an eighth aspect, the present application provides a credential management network element, including a processor and a communication interface, the communication interface being coupled to the processor, and the processor being configured to execute a computer program or instructions to implement the network access method as described in the second aspect and any possible implementation of the second aspect.
In a ninth aspect, the present application provides an authentication network element, including a processor and a communication interface, the communication interface being coupled to the processor, and the processor being configured to execute a computer program or instructions to implement the network access method as described in the third aspect and any possible implementation manner of the third aspect.
In a tenth aspect, the present application provides a computer-readable storage medium having stored therein instructions that, when executed on a terminal, cause the terminal to perform the network access method as described in the first aspect and any one of the possible implementations of the first aspect, any one of the possible implementations of the second aspect and the second aspect, and any one of the possible implementations of the third aspect and the third aspect.
In an eleventh aspect, the present application provides a computer program product containing instructions that, when run on a target terminal, cause the target terminal to perform the network access method as described in the first aspect and any one of the possible implementations of the first aspect.
In a twelfth aspect, the present application provides a computer program product comprising instructions that, when run on a credential management network element, cause the credential management network element to perform a network access method as described in the second aspect and any one of the possible implementations of the second aspect.
In a thirteenth aspect, the present application provides a computer program product comprising instructions that, when run on an authentication network element, cause the authentication network element to perform the network access method as described in the third aspect and any one of the possible implementations of the third aspect.
In a fourteenth aspect, the present application provides a chip comprising a processor and a communication interface, the communication interface being coupled to the processor, the processor being configured to execute a computer program or instructions to implement the network access method as described in any one of the possible implementations of the first aspect and the first aspect, any one of the possible implementations of the second aspect and the second aspect, and any one of the possible implementations of the third aspect and the third aspect.
In particular, the chip provided herein further comprises a memory for storing computer programs or instructions.
It should be noted that all or part of the computer instructions may be stored on the computer readable storage medium. The computer readable storage medium may be packaged with or without a processor of the apparatus, and is not limited in this application.
In a fifteenth aspect, the present application provides a network access system, comprising: a target terminal for performing the network access method as described in the first aspect and any one of the possible implementations of the first aspect, a credential management network element for performing the network access method as described in the second aspect and any one of the possible implementations of the second aspect, and a verification network element for performing the network access method as described in any one of the possible implementations of the third aspect.
For the description of the second aspect to the fifteenth aspect in the present invention, reference may be made to the detailed description of the first aspect; moreover, the beneficial effects described in the second to fifteenth aspects may refer to the beneficial effect analysis of the first aspect, and are not described herein again.
In the present application, the names of the target terminal, the credential management network element, and the authentication network element do not limit the device or the function module itself, and in an actual implementation, the device or the function module may appear by other names. Insofar as the functions of the respective devices or functional blocks are similar to those of the present invention, they are within the scope of the claims of the present invention and their equivalents.
These and other aspects of the invention will be more readily apparent from the following description.
Drawings
Fig. 1 is an architecture diagram of a network access system according to an embodiment of the present application;
fig. 2 is a diagram illustrating a structure of a network credential according to an embodiment of the present application;
fig. 3 is an architecture diagram of another network access system provided in an embodiment of the present application;
fig. 4 is a structural diagram of a credential management network element according to an embodiment of the present application;
fig. 5 is a flowchart of a network access method according to an embodiment of the present application;
fig. 6 is a flowchart of another network access method according to an embodiment of the present application;
fig. 7 is a flowchart of another network access method according to an embodiment of the present application;
fig. 8 is a structural diagram of a target terminal according to an embodiment of the present application;
fig. 9 is a block diagram of another credential management network element according to an embodiment of the present application;
fig. 10 is a structural diagram of an authentication network element according to an embodiment of the present application;
fig. 11 is a block diagram of a network access device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making any creative effort belong to the protection scope of the present application.
The term "and/or" herein merely describes an association between associated objects and means that three relationships may exist; for example, "A and/or B" may mean that A exists alone, that A and B exist simultaneously, or that B exists alone.
The terms "first" and "second" and the like in the description and drawings of the present application are used for distinguishing different objects or for distinguishing different processes for the same object, and are not used for describing a specific order of the objects.
Furthermore, the terms "including" and "having," and any variations thereof, as referred to in the description of the present application, are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements but may alternatively include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that in the embodiments of the present application, words such as "exemplary" or "for example" are used to indicate examples, illustrations or explanations. Any embodiment or design described herein as "exemplary" or "e.g.," is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "such as" is intended to present concepts related in a concrete fashion.
In the description of the present application, the meaning of "a plurality" means two or more unless otherwise specified.
Hereinafter, terms related to the embodiments of the present application are explained for the convenience of the reader.
(1) Decentralized identity (decentralized ID, DID)
DID is a concept defined in contrast to centralized identity. A centralized identity is managed and controlled by an authority and assigned to each individual. In contrast, a DID is fully owned and controlled by the individual. Thus, compared with centralized identity, DID can protect the private data of individuals while facilitating cross-platform identity authentication.
The DID function includes management-related interfaces and user-related interfaces. For example, the DID function interfaces may take the following form:
Creating a wallet interface:
Interface name: create_wall
Interface function: create a wallet
Interface parameters:
Figure BDA0003659790480000071
Return value:
errorcode: error code
Opening a wallet interface:
Interface name: create_wall
Interface function: open a wallet; the returned wallet handle is subsequently used to store DID information
Interface parameters:
Figure BDA0003659790480000072
Figure BDA0003659790480000081
Return value:
errorcode: error code
WalletHandle: handle of the opened wallet
Closing the wallet interface:
Interface name: close_wallet
Interface function: close an opened wallet
Interface parameters:
WalletHandle: handle of the opened wallet
Return value:
errorcode: error code
Deleting the wallet interface:
Interface name: delete_wallet
Interface function: delete the local wallet information and clear the locally stored data
Interface parameters:
Figure BDA0003659790480000082
Return value:
errorcode: error code
Creating a key pair:
Interface name: create_key
Interface function: create a key for DID use
Interface parameters:
Figure BDA0003659790480000083
Figure BDA0003659790480000091
Return value:
errorcode: error code
Turning: compression-encoded public key information
Signing interface using a key:
Interface name: crypton_sign
Interface function: sign data using the specified key pair
Interface parameters:
WalletHandle: handle of the opened wallet
signer_vk: signing public key; the signature is made with the private key stored in the wallet that corresponds to this public key
message_raw: data to be signed
message_len: length of the data to be signed
Return value:
errorcode: error code
signature_raw: signature data
signature_len: signature data length
Verifying a signature interface:
Interface name: crypto_verify
Interface function: verify whether the signature is correct
Interface parameters:
WalletHandle: handle of the opened wallet
signer_vk: signing public key
message_raw: data to be signed
message_len: length of the data to be signed
message_raw: data to be signed
message_len: length of the data used to generate the signature
Return value:
errorcode: error code
valid: whether the signature is valid
Creating a DID interface:
Interface name: create_and_store_my_did
Interface function: create DID information and save it locally
Interface parameters:
Figure BDA0003659790480000101
Return value:
Figure BDA0003659790480000102
Start updating DID key interface:
Interface name: replace_keys_start
Interface function: set the new DID key information without making the new key effective locally
Interface parameters:
Figure BDA0003659790480000103
Return value:
errorcode: error code
Turning: compression-encoded public key information
Update DID key validation interface:
Interface name: replace_keys_apply
Interface function: make the updated DID key take effect locally; before calling this interface, the user can call the blockchain interface to submit the new public key information to the blockchain platform
Interface parameters:
wall_handle: handle of the opened wallet
did: DID string information
Return value:
errorcode: error code
Generating a DID submission blockchain transaction request interface:
Interface name: build_nym_request
Interface function: builds a blockchain transaction request that submits a DID
Interface parameters:
submitter_did: DID string of the submitter
target_did: DID string being submitted
verkey (public key): public key information
alias: alias; defaults to null and may be left unset
role: role information
Return value:
errorcode: error code
request_json: request JSON data; the data structure follows the blockchain smart contract structure
Generating a DID query blockchain transaction request interface:
Interface name: build_get_nym_request
Interface function: builds a blockchain transaction request that queries a DID
Interface parameters:
wallet_handle: handle of the opened wallet
submitter_did: DID string of the submitter
target_did: DID string being queried
Return value:
errorcode: error code
request_json: request JSON data; the data structure follows the blockchain smart contract structure
Signing a transaction and submitting it to the blockchain interface:
Interface name: sign_and_submit_request
Interface function: signs the transaction and submits it to the blockchain platform
Interface parameters:
wallet_handle: handle of the opened wallet
submitter_did: DID string of the submitter; the request is signed with this DID's private key
request_json: request JSON data; the data structure follows the blockchain smart contract structure
Return value:
errorcode: error code
Resolving a DID server interface:
Interface name: http(s)://ip:port/resolver/{did}
Interface function: resolves a DID
Request method: GET
Interface parameters:
did: DID string, such as did:bid:XXXXXX
Return value:
DID document
Dereferencing a DID resource interface:
Interface name: http(s)://ip:port/resolver/dereference/{did}?(key|service)=yy
Interface function: dereferences a DID resource
Request method: GET
Interface parameters:
did: DID string, such as did:bid:XXXXXX
key: key name
service: service name
Return value:
resource JSON information
Defining a credential schema interface:
Interface name: http(s)://ip:port/schema
Interface function: defines the schema information of a VC
Request method: POST
Interface parameters: JSON format
[parameter table: image in the original, not reproduced]
Return value:
JSON format
Defining credential issuer information interface:
Interface name: http(s)://ip:port/hierarchy-definitions
Interface function: defines the credential issuer information (the credential definition)
Request method: POST
Interface parameters: JSON format
[parameter table: image in the original, not reproduced]
Return value:
JSON format
Sending a credential offer interface:
Interface name: http(s)://ip:port/independent/send-offer
Interface function: the issuing organization sends credential offer (preview) information to the holder
Request method: POST
Interface parameters: JSON format
[parameter table: image in the original, not reproduced]
Return value:
JSON format
Issuing the formal credential interface:
Interface name: http(s)://ip:port/issue-credit/{cred_ex_id}/send-request
Interface function: the issuing organization issues the formal credential to the holder
Request method: POST
Interface parameters:
Request path parameter:
[parameter table: image in the original, not reproduced]
Return value:
JSON format
Revoking a credential interface:
Interface name: http(s)://ip:port/revocation/revoke
Interface function: revokes an issued credential
Request method: POST
Interface parameters: JSON format
[parameter table: image in the original, not reproduced]
Return value: JSON; an empty object {} on success
Generating proof information interface:
Interface name: prover_create_proof
Interface function: the prover generates the proof information locally
Interface parameters:
wallet_handle: handle of the opened wallet
proof_request_json: the proof attributes requested by the verifier
requested_credentials_json: the credential information to be used in generating the proof
master_secret: the credential attribute master secret (link secret)
schema_json: schema information of the credentials to be proved
credential_defs_json: credential definitions (issuer binding information) of the credentials to be proved
rev_states_json: credential revocation state
Return value:
errorcode: error code
proof_json: proof JSON data
Verifying proof information interface:
Interface name: verifier_verify_proof
Interface function: the verifier checks the proof information locally
Interface parameters:
wallet_handle: handle of the opened wallet
proof_request_json: the proof attributes requested by the verifier
proof_json: credential proof information
master_secret: credential attribute master secret
schema_json: schema information of the credentials to be proved
credential_defs_json: credential definitions (issuer binding information) of the credentials to be proved
rev_reg_defs_json: credential revocation registry definitions
rev_regs_json: credential revocation registry contents
Return value:
errorcode: error code
valid: whether the proof is correct
Saving credential information interface:
Interface name: prover_store_credential
Interface function: the holder stores the credential information locally
Interface parameters:
wallet_handle: handle of the opened wallet
cred_id: credential id; may be left empty, in which case one is generated randomly
cred_req_metadata_json: metadata created when the credential was requested
cred_json: credential JSON data received from the issuing organization
cred_def_json: credential definition information
rev_reg_def_json: credential revocation registry definition information
Return value:
errorcode: error code
out_cred_id: id of the locally stored credential
Deleting credential information interface:
Interface name: prover_delete_credential
Interface function: the holder deletes locally stored credential information
Interface parameters:
wallet_handle: handle of the opened wallet
cred_id: id of the credential to be deleted
Return value:
errorcode: error code
Backing up DID information interface:
Interface name: http(s)://ip:port/app/did/backup
Interface function: backs up the user's DID private key information at the server. Whoever holds this private key can act as the DID, so the backup should be encrypted on the terminal, under a key the server does not hold, before it is uploaded.
Interface parameters: JSON format
[parameter table: image in the original, not reproduced]
Return value:
[return value table: image in the original, not reproduced]
Recovering DID information interface:
Interface name: http(s)://ip:port/app/did/recovery
Interface function: restores the DID information backed up at the server
Interface parameters: JSON format
[parameter table: image in the original, not reproduced]
Return value:
[return value table: image in the original, not reproduced]
(2) Blockchain technology
A blockchain is a new application mode of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanisms and cryptographic algorithms. Its records cannot be forged, every operation leaves a trace, and the ledger is traceable, open and transparent, and maintained collectively.
The blockchain carries smart contracts, and the smart contracts on the chain can store information such as DIDs (decentralized identifiers) and Verifiable Credentials (VCs). The data format may be JSON.
For example, the storage function interface of the smart contract may take the following form:
[data structure: image in the original, not reproduced]
Here txn is the content of the current DID/VC smart contract interface call, and txnMetaData is the metadata of the current transaction, comprising txnTime (transaction time), seqNo (sequence number), txnId (transaction id) and reqSignature (signature information of the transaction). The signature information of the transaction comprises type (the signature algorithm) and values (the signature values), each value consisting of from (the signer) and value (the signature value).
The add-DID interface may take the following form:
The interface name is addDID, the interface function is to add a new DID to the smart contract, and the smart contract parameters comprise the function name addDID and a parameter list. Example parameters:
[parameter structure: image in the original, not reproduced]
Here dest is the newly added DID string, key is the public key corresponding to the new DID, and role is the identity attribute of the new DID.
The query-DID interface may take the following form:
The interface name is getDID, the interface function is to query a DID in the smart contract, and the smart contract parameters comprise the function name getDID and a parameter list. The parameter value is the method-specific identifier of the DID string (the part following the DID method).
The data structure is as follows:
[data structure: image in the original, not reproduced]
The DID attribute interface may take the following form:
The interface name is updateDIDAttr; the interface function is to store the attribute information of a DID separately, so that attribute information can be added to a given DID. The smart contract parameters comprise the function name updateDIDAttr and a parameter list. The parameter is the updated attribute information.
The data structure is as follows:
[data structure: image in the original, not reproduced]
The credential schema data interface may take the following form: the interface name is createSchema, and the interface function is to define the basic information of a credential, such as its attribute list and name.
The smart contract parameters comprise the function name createSchema and a parameter list. The parameter value is the schema information that defines the credential.
The data structure is as follows:
[data structure: image in the original, not reproduced]
The query credential schema data interface may take the following form:
Interface name: getSchema. Interface function: queries a credential schema. Smart contract parameters: function name getSchema and a parameter list; the parameter value is the schema id.
The data structure is as follows:
[data structure: image in the original, not reproduced]
The credential definition interface may take the following form:
Interface name: credDef
Interface function: defines the issuer information corresponding to a credential
Smart contract parameters: function name credDef and a parameter list; the parameter value is the credential definition information.
The data structure is as follows:
[data structure: image in the original, not reproduced]
Query credential definition interface:
Interface name: getCredDef
Interface function: queries credential definition information
Smart contract parameters:
- function name: getCredDef
- parameter list: one parameter, whose value is the credDefId
The data structure is as follows:
[data structure: image in the original, not reproduced]
Credential revocation registry definition interface:
Interface name: credRovDef
Interface function: defines the basic information of a credential revocation registry
Smart contract parameters:
- function name: credRovDef
- parameter list: the revocation registry definition information
The data structure is as follows:
[data structure: image in the original, not reproduced]
Query credential revocation registry definition interface:
Interface name: getCredRovDef
Interface function: queries the credential revocation registry definition
Smart contract parameters:
- function name: getCredRovDef
- parameter list: the parameter value is the revocRegDefId
The data structure is as follows:
[data structure: image in the original, not reproduced]
Adding a credential revocation entry interface:
Interface name: CredRovEntry
Interface function: updates the revocation registry entry when credentials are issued or revoked
Smart contract parameters:
- function name: CredRovEntry
- parameter list: the updated registry entry information
The data structure is as follows:
[data structure: image in the original, not reproduced]
in the prior art, when a terminal accesses a network of a different network, the terminal needs to perform identity authentication according to an access authentication protocol specified in the corresponding network, so as to access the network. However, each network defines a respective access authentication protocol, and the terminal needs to register an identity in each network separately to be able to perform an access authentication procedure defined by each network to implement network access, which results in inefficient network access of the terminal in multiple networks.
In view of this, the present application provides a network access method, where a target terminal may obtain, from a credential management network element, signatures and corresponding public keys of identification attributes of multiple networks based on the identification attributes of the multiple networks, and use the obtained signatures and public keys as a network credential. When the target terminal needs to access any one of the networks, the verification network element of the network can verify the authenticity of the identification attribute of the network based on the information of the network credential, and further determine the network access authority of the target terminal. Therefore, the target terminal can realize the network access of any one of the networks through the unified network access method, and the network access efficiency is improved.
The following detailed description of embodiments of the present application will be made with reference to the accompanying drawings.
Fig. 1 is an architecture diagram of a network access system 10 according to an embodiment of the present application. As shown in fig. 1, the network access system 10 includes: a target terminal 101, a credential management network element 102, an authentication network element 103, and a data storage center 104. The target terminal 101 is connected to the credential management network element 102, the verification network element 103, and the data storage center 104 through communication links. The credential management network element 102 is connected to the target terminal 101 and the data storage center 104 through communication links, respectively. The verification network element 103 is connected to the target terminal 101 and the data storage center 104 through communication links, respectively. The data storage center 104 is connected to the target terminal 101, the credential management network element 102, and the authentication network element 103 through communication links, respectively. The communication link may be a wired communication link or a wireless communication link, which is not limited in this application.
It should be noted that the credential management network element 102, the verification network element 103, and the data storage center 104 in the present application may be one or multiple ones. For ease of understanding, only one credential management network element 102, authentication network element 103, and data storage center 104 are shown in fig. 1.
The target terminal 101 is configured to send network identifications of multiple networks to the credential management network element 102. Accordingly, the credential management network element receives the network identifications of the plurality of networks sent by the target terminal 101.
Illustratively, the plurality of networks includes the 2G, 3G, 4G and 5G networks defined by the 3rd Generation Partnership Project (3GPP) and future communication technologies, wireless fidelity (WiFi) as defined in the IEEE 802.11 standards, and Bluetooth. The plurality of networks may also comprise the communication networks of different operators, and industrial Internet networks such as Internet of things (IoT) device-to-Internet interworking and long range radio (LoRa) networks. Other network communication technologies are possible and are not enumerated here.
It should be noted that in an Internet of things system the number of IoT devices is often large, and the system's admission of these devices lacks a complete authentication procedure. For example, an IoT device may be authorised to access the network merely by virtue of its intranet IP address, and the system can hardly monitor the device's collection of user privacy data, which poses a serious security risk.
The network identifier is the identification information by which each of the plurality of networks knows the terminal; for example, it may be an International Mobile Subscriber Identity (IMSI) or an International Mobile Equipment Identity (IMEI). Both are long-term identifiers that allow a subscriber or device to be tracked, which is why the verification request described below discloses only the identifier of the network being accessed.
The credential management network element 102 is configured to generate a corresponding network credential according to the network identifiers of the multiple networks, and send the generated network credential to the target terminal 101. Accordingly, the target terminal 101 receives the network credential sent by the credential management network element 102.
The generated network credential is used to prove the authenticity of the terminal's network identifiers in the plurality of networks. The network credential may comprise a network identification signature over the network identifiers of the plurality of networks and a first public key. The first public key is derived by the credential management network element 102 from a randomly generated first private key; the network identification signature is generated by the credential management network element 102 over the network identifiers of the plurality of networks with the first private key, and verifies under the first public key.
It should be noted that the credential management network element 102 does not disclose the first private key to any other device, and no device can derive the first private key from the first public key. Hence any device holding the first public key can check, from the network identification signature, that the network identifiers of the plurality of networks are authentic and have not been tampered with. The check is only as strong as the verifier's knowledge of the first public key: a public key carried inside the credential itself proves only that the credential is self-consistent, so the verifier must confirm that the first public key belongs to the credential management network element 102, for example by resolving the DID information of the credential management network element 102 held in the data storage center 104.
Illustratively, the network credential may be a Verifiable Credential (VC). As shown in fig. 2, the VC comprises credential metadata, claims and proof(s). The credential metadata includes the identifier of the VC, the DID of the credential management network element 102 that issued the VC, the issuance time and similar basic information. The claims include the DID of the target terminal 101, the network identifiers of the plurality of networks and the first public key. The proof includes the network identification signature over the network identifiers of the plurality of networks.
Illustratively, after the credential management network element 102 generates the network credential, the following operations are performed to store the relevant data generated by generating the network credential:
1. the credential management network element 102 creates mode (schema) information for the network credentials, e.g., the mode information includes a network identification, a name of the network credentials, a version number of the network credentials, etc.
2. The credential management network element 102 binds the created mode information with the DID.
3. The credential management network element 102 determines whether the network credential supports revocation. If it does, the credential management network element 102 initialises a revocation registry for the network credential and predefines the maximum number of credentials that may be issued under it and a tails file.
Illustratively, the credential management network element may also create a network credential revocation list via a cryptographic accumulator algorithm.
In a possible implementation, the credential management network element 102 may further submit the schema information of the network credential, the binding between the schema information and its DID, the maximum number of credentials to be issued and the tails file address to the data storage center 104.
The target terminal 101 is further configured to send authentication request information to the authentication network element 103 of the first network. Correspondingly, the authentication network element 103 of the first network receives the authentication request information sent by the target terminal.
The verification request information comprises the network identification signature over the network identifiers of the plurality of networks, the first public key, the network identifier of the first network in the clear, and the network identifier of the second network in encrypted form. The first network is the network being accessed and may be any one of the plurality of networks; the second network is any network of the plurality other than the first network.
It should be noted that the verification network element 103 can verify the authenticity of the network identifier of the first network from the network identification signature, the first public key, the network identifier of the first network and the encrypted network identifier of the second network, while the network identifiers the target terminal 101 holds in the other networks are not disclosed to it. This protects the user information of the target terminal 101.
The verification network element 103 is configured to verify the network identifier signature, the first public key, the network identifier of the first network, and the encrypted network identifier of the second network, obtain a verification result, and send the verification result to the target terminal. Accordingly, the target terminal 101 receives the verification result.
Wherein the authentication result comprises allowing access to the first network or prohibiting access to the first network.
The target terminal 101 is further configured to determine whether to access the first network according to the verification result.
In a possible implementation manner, the target terminal 101 is further configured to create DID information and generate a second public key and a second private key corresponding to the DID.
Wherein the DID information includes network identifications of the plurality of networks.
When the target terminal 101 sends data to another device, it may sign the data with the second private key and send the data, the signature and the second public key to that device. The receiving device verifies the signature with the second public key and so detects any tampering with the data in transit; a private key is used to sign, not to encrypt, since integrity and origin authentication are the properties needed here. As with the first public key, the receiver must confirm that the second public key is the one bound to the DID of the target terminal 101, for example from the DID information held in the data storage center 104.
Illustratively, the DID information may be represented as a DID document, which contains the DID identifier and the attributes corresponding to the DID (for example, the network identifiers of the plurality of networks). A DID identifier consists of the scheme prefix (did), the DID method and the method-specific identifier, and is generally written as follows:
did:example:123456789abcdefghi
The DID information corresponds to a DID URL, and the related devices (for example the target terminal 101, the credential management network element 102 and the verification network element 103) can resolve the corresponding DID information through the DID URL.
Illustratively, the DID document may take the following form:
[DID document example: image in the original, not reproduced]
the data storage center 104 is used for storing data generated by the target terminal 101, the credential management network element 102 and the verification network element 103 during communication.
For example, the data storage center 104 may store DID information of the target terminal, where the DID corresponds to the second public key, the DID information of the credential management network element 102, the network credential generated by the credential management network element 102, the DID information of the verification network element 103, the verification result, and the like.
In one possible implementation, the data storage center 104 may be a centralized storage device, such as a centralized storage server. The data storage center 104 may also be a decentralized storage device, such as a blockchain device.
Fig. 3 is an architecture diagram of a network access system 30 according to an embodiment of the present application. As shown in fig. 3, the network access system 30 includes: a target terminal 101, a credential management network element 102, an authentication network element 103, a data storage center 104, and a relay node 105. Among them, the relay node 105 is disposed between the communication links of the target terminal 101 and the credential management network element 102, between the communication links of the target terminal 101 and the authentication network element 103, between the communication links of the target terminal 101 and the data storage center 104, between the communication links of the credential management network element 102 and the data storage center, and between the communication links of the authentication network element 103 and the data storage center.
In the network access system 30, two devices need to communicate through the relay node 105. The following describes a technical solution in the present application by taking communication between the target terminal 101 and the credential management network element 102 as an example.
The target terminal 101 is configured to obtain a communication address of the relay node 105 of the credential management network element 102, and send network identifiers of multiple networks to the relay node 105 according to the communication address. Accordingly, the relay node 105 receives the network identifications of the plurality of networks and forwards the network identifications of the plurality of networks to the credential management network element 102.
Illustratively, the target terminal 101 may encrypt the network identifiers of the plurality of networks with the crypto_box function of the libsodium library. crypto_box derives a shared key from the private key of the terminal's own DID and the public key of the DID of the credential management network element 102 (Curve25519 key agreement), and encrypts and authenticates the identifiers under that key with a randomly generated nonce. The nonce is sent together with the ciphertext, because the recipient must use the same nonce and cannot regenerate it. The relay node 105 forwards the ciphertext and nonce without being able to read them or modify them undetected. The credential management network element 102 recovers the same shared key from its own DID private key and the public key of the target terminal 101, and decrypts the network identifiers with that key and the received nonce. Since crypto_box operates on Curve25519 keys, DID keys that are Ed25519 signing keys must either be converted (crypto_sign_ed25519_pk_to_curve25519 and crypto_sign_ed25519_sk_to_curve25519) or complemented by separate key-agreement keys published in the DID document.
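The encrypted exchange through the relay node described above, as an added Go example; it is not code from the patent or from libsodium. Assumptions: the standard library's X25519 (crypto/ecdh) provides the key agreement, and SHA-256 of the shared secret followed by AES-256-GCM is substituted for crypto_box's HSalsa20 key derivation and XSalsa20-Poly1305, because the Go standard library has no crypto_box; both DIDs are assumed to publish X25519 key-agreement keys (crypto_box cannot use Ed25519 signing keys directly); the identifiers in the payload are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what the relay node forwards. The nonce travels in the clear beside the
// ciphertext: the recipient needs the very same nonce and cannot generate it itself.
type Envelope struct {
	Nonce []byte
	Box   []byte // ciphertext followed by the authentication tag
}

// sharedAEAD derives the symmetric key from the X25519 agreement between one party's
// private key and the other party's public key; both sides compute the same key.
// Assumption of this example: SHA-256 of the shared secret and AES-256-GCM stand in
// for crypto_box's HSalsa20 derivation and XSalsa20-Poly1305.
func sharedAEAD(own *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	secret, err := own.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the terminal side: encrypt the network identifiers for the credential
// management network element under a fresh random nonce.
func Seal(sender *ecdh.PrivateKey, recipient *ecdh.PublicKey, plaintext []byte) (Envelope, error) {
	aead, err := sharedAEAD(sender, recipient)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Box: aead.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open is the credential management network element side. expectedSender is the
// terminal's key-agreement public key as resolved from its DID document, not a key
// taken from the message, so a valid tag means the envelope was made by the holder
// of that DID's private key and was not altered by the relay.
func Open(recipient *ecdh.PrivateKey, expectedSender *ecdh.PublicKey, env Envelope) ([]byte, error) {
	aead, err := sharedAEAD(recipient, expectedSender)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != aead.NonceSize() {
		return nil, errors.New("malformed envelope: wrong nonce length")
	}
	plaintext, err := aead.Open(nil, env.Nonce, env.Box, nil)
	if err != nil {
		return nil, errors.New("authentication failed: envelope tampered with or not from the expected sender")
	}
	return plaintext, nil
}

func main() {
	// X25519 key-agreement keys for both DIDs (generated here; in the system they would
	// be resolved from the DID documents in the data storage center).
	curve := ecdh.X25519()
	terminal, _ := curve.GenerateKey(rand.Reader)
	cmne, _ := curve.GenerateKey(rand.Reader)
	ids := []byte(`{"5g":"IMSI:001010123456789","wifi":"MAC:02:00:00:aa:bb:cc"}`) // constructed sample

	env, _ := Seal(terminal, cmne.PublicKey(), ids)
	plaintext, err := Open(cmne, terminal.PublicKey(), env)
	fmt.Printf("relay forwarded %d bytes; recovered %s (err=%v)\n", len(env.Nonce)+len(env.Box), plaintext, err)

	env.Box[0] ^= 0x01 // the relay flips one bit
	_, err = Open(cmne, terminal.PublicKey(), env)
	fmt.Println("after tampering:", err)
}
```

Two points the paragraph glosses over are visible in the code: the nonce is chosen at random by the sender and therefore has to travel with the ciphertext, and the recipient takes the sender's public key from the DID document rather than from the envelope, so the authentication tag attests to the sender's DID. As with crypto_box, there is no non-repudiation: either party can compute the shared key, so the credential management network element could itself have produced an envelope that opens under it.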
In one possible implementation, the relay node 105 may be coupled in the credential management network element 102 as a relay module included in the credential management network element 102.
As a possible embodiment, fig. 4 is a block diagram of a credential management network element 102 provided in an embodiment of the present application. As shown in fig. 4, the credential management network element 102 includes a proxy interface 1021, a management module 1022, and a storage interface 1023.
Where each service provider (e.g., service providers of different networks) has a respective business system 106 (only one shown in fig. 4), the service provider deploys its own business service proxy through the credential management network element 102. When the credential management network element 102 needs to verify the authenticity of a received attribute (e.g., a network identification), the credential management network element 102 may send the relevant attribute to the corresponding business system 106 through the proxy interface 1021. The business system 106 verifies the authenticity of the attribute and feeds back the verification result to the credential management network element 102 through the proxy interface 1021.
Illustratively, the proxy interface may be a WebHooks interface.
The management module 1022 is used for managing the credential information, managing the DID information, and managing the connection information of the credential management network element 102. For example, the management module 1022 may query the issued credential information, revoke the issued credential, update the private key and the public key of the DID information, set the connection relationship with other devices, and the like.
The storage interface 1023 is connected to the data storage center 104 and is used for sending and storing data information generated by the credential management network element 102 to the data storage center 104, for example, credential information issued by the credential management network element 102, DID information of the credential management network element 102, and the like.
It should be noted that the embodiments of the present application may be referred to or referred to with respect to each other, for example, the same or similar steps, method embodiments, system embodiments, and apparatus embodiments may be referred to with respect to each other, without limitation.
Fig. 5 is a flowchart of a network access method according to an embodiment of the present application. As shown in fig. 5, the method comprises the steps of:
step 501, the target terminal sends network identifiers of a plurality of networks to the credential management network element. Correspondingly, the certificate management network element receives the network identifications of the plurality of networks sent by the target terminal.
Illustratively, the plurality of networks includes 2G, 3G, 4G, 5G established by 3GPP and future communication technology oriented networks, WIFI networks established in IEEE802.11 standards, bluetooth networks. Wherein the plurality of networks may also comprise communication networks of different operators. The multiple networks may also include an industrial Internet, such as an Internet of things (IoT) inter-working between devices, a LoRa network.
The network identifier may be identification information of each of the plurality of networks to the terminal, for example, the network identifier may be an International Mobile Subscriber Identity (IMSI), an International Mobile Equipment Identity (IMEI), or the like.
Step 502, the credential management network element generates a network credential according to the network identifiers of the plurality of networks.
The network credential proves the authenticity of the terminal's network identifiers in the plurality of networks. It comprises a network identification signature and a first public key: the signature is made over the network identifiers of the plurality of networks, and the first public key is the key under which that signature verifies.
Illustratively, the network credential may be a Verifiable Credential (VC).
It should be noted that, before generating the network credential, the credential management network element verifies the authenticity of the network identifiers of the multiple networks, and after determining that the network identifiers of the multiple networks are authentic and correct, generates the network credential.
For example, the credential management network element may send the network identification of the corresponding network to the service system of each network. The service system verifies the authenticity of the network identifier of the network and feeds back a verification result to the certificate management network element. And the certificate management network element determines that the network identifications of the plurality of networks are true and error-free according to the verification result.
In a possible implementation manner, the credential management network element randomly generates a first private key, and generates a corresponding first public key according to the first private key. And the certificate management network element determines network identification signatures of the network identifications of the plurality of networks according to the first private key, the first public key and the network identifications of the plurality of networks, and generates the network certificate according to the first public key and the network identification signatures.
Step 503, the credential management network element sends the network credential to the target terminal. Correspondingly, the target terminal receives the network certificate sent by the certificate management network element.
It should be noted that, since the network credential can prove the authenticity of the network identifiers of the multiple networks, after the target terminal receives the network credential, the target terminal may request to access any one of the multiple networks through the network credential.
The following describes a network access method in the present application, taking an example that a target terminal requests to access a first network:
the target terminal may actively search for probe signals of a plurality of networks, and when a probe signal of any one of the networks is searched, the target terminal may perform an access procedure. The process may be a random access process in which the target terminal establishes an initial signaling connection with the access network device in the communication network, or may be a process in which the target terminal scans a WIFI hotspot, which may refer to related technologies, and the present application does not limit this.
When the target terminal requests to access the first network, the authentication network element of the first network needs to verify whether the target terminal can access the first network, and therefore, the target terminal may perform the following step 504.
Step 504, the target terminal sends the verification request information to the verification network element of the first network. Correspondingly, the verification network element receives the verification request information sent by the target terminal.
The verification request information comprises network identification signatures of network identifications of a plurality of networks, first public keys of the network identifications of the plurality of networks, network identifications of a first network and encrypted network identifications of a second network, the first network is any one of the plurality of networks, and the second network is a network except the first network in the plurality of networks.
It should be noted that, while determining the authenticity of the network identifiers of the multiple networks, the credential management network element may also determine the authority of the target terminal to access each network, and generate the network credential only after determining that the target terminal is allowed to access the plurality of networks. In that case the target terminal does not need to send the unencrypted network identifier of the first network to the verification network element of the first network, and the verification network element only needs to determine that the received encrypted network identifiers of the multiple networks have not been tampered with, so that the privacy and security problem caused by the leakage of network identifiers is avoided.
In one possible implementation manner, the verification request information includes the signatures of the network identifications of the plurality of networks, the first public key of the network identifications of the plurality of networks, and the encrypted network identifications of the plurality of networks.
Step 505, the verifying network element verifies the network identifier signatures of the network identifiers of the plurality of networks, the first public keys of the network identifiers of the plurality of networks, the network identifier of the first network, and the encrypted network identifier of the second network, and obtains a verification result.
Wherein the authentication result comprises allowing access to the first network or prohibiting access to the first network.
It should be noted that the verifying network element may determine whether the network identifier of the first network and the encrypted network identifier of the second network are tampered with according to the signatures of the network identifiers of the multiple networks and the first public keys of the network identifiers of the multiple networks. If the network identifier of the first network and the encrypted network identifier of the second network are not tampered, the network identifier of the first network and the encrypted network identifier of the second network are true and correct.
In a possible implementation manner, the verification network element may further determine whether to allow the target terminal to access the first network according to the network identifier of the first network.
In combination with the related description in step 504, in the case that the credential management network element has already determined the authority of the target terminal to access each network, the verifying network element only needs to determine, according to the signatures of the network identifiers of the multiple networks and the first public key of the network identifiers of the multiple networks, whether the network identifier of the first network and the encrypted network identifier of the second network have been tampered with, and does not need to further check the network identifier of the first network. If they have not been tampered with, it is determined that the target terminal is allowed to access the first network; if they have been tampered with, it is determined that the target terminal is prohibited from accessing the first network.
Step 506, the verification network element sends the verification result to the target terminal. Correspondingly, the target terminal receives the verification result sent by the verification network element.
Wherein the authentication result comprises allowing access to the first network or prohibiting access to the first network.
Step 507, the target terminal determines whether to access the first network according to the verification result.
After the target terminal determines that the first network is allowed to be accessed, the target terminal may execute a corresponding network access operation according to a network access flow of the first network. Reference is made in particular to the related art, which is not limited in this application.
It should be noted that, in the network access process, data generated by the target terminal, the credential management network element, and the authentication network element in the communication process may all be stored in the data storage center, so as to improve data security. For example, if the target terminal loses the network credential due to a system reset or the like, the network credential may be recovered through the data storage center. For another example, when there is a data verification error during the network access process, the relevant device may query the relevant data in the data storage center to determine the error reason. It should be noted that the relevant devices are only able to query the data in the data storage center after acquiring the respective rights.
The scheme at least has the following beneficial effects: in the network access method provided by the application, the target terminal can obtain the network identifier signatures and the first public key of the network identifiers of the multiple networks from the certificate management network element as the network certificate based on the network identifiers of the multiple networks. When the target terminal needs to access any one of the networks, the target terminal only needs to send the network identifier signatures of the networks, the first public key, the network identifier of the network and other network encrypted network identifiers to the verification network element of the network, so that the verification network element can verify the authenticity of the network identifier of the network based on the information, and further determine whether the target terminal can access the network. Therefore, the target terminal in the application can realize the network access of any one of the plurality of networks through the unified network access method, and the network access efficiency is improved.
As a possible implementation manner, in the above scheme of the present application, the process in which the credential management network element generates the network credential and the verification process of the verification network element can be implemented through zero-knowledge proof.
The following describes the generation process and the verification process of the network credential in the present application in detail, taking the CL (Camenisch-Lysyanskaya) signature algorithm as an example.
In step 501, the target terminal sends the network identifiers of L networks, namely $(m_1, m_2, m_3, \ldots, m_L)$, to the credential management network element, where $m_1, m_2, m_3, \ldots, m_L$ are all numbers greater than 0.
In step 502, the credential management network element randomly generates two prime numbers (p, q) and calculates n, the product of the two prime numbers.
The credential management network element uses (p, q, n) as the first private key.
The credential management network element calculates quadratic residues modulo n, i.e. values a for which there exists an x satisfying the following equation 1:

$a \equiv x^2 \pmod{n}$   (equation 1)

where a is a quadratic residue modulo n. It should be noted that there are many quadratic residues modulo n, i.e. equation 1 has a plurality of solutions a.
The credential management network element randomly selects L+2 of the calculated quadratic residues modulo n to generate the first public key. The first public key comprises $(a_1, a_2, a_3, \ldots, a_L, b, c, n)$, where $(a_1, a_2, a_3, \ldots, a_L, b, c)$ are the L+2 randomly selected quadratic residues and n is the product of p and q.
Then, the credential management network element randomly generates a prime number e and a random number s, and calculates the value v by the following formula 2:
[formula 2 is shown as an image in the original and is not reproduced here]
The credential management network element takes (e, s, v) as the network identification signature of the network identifications $(m_1, m_2, m_3, \ldots, m_L)$.
In step 505, the verifying network element may verify the authenticity of the network identifications of the plurality of networks transmitted by the target terminal through the above formula 2.
It should be noted that the modulo operation in the above formula 2 satisfies the distributive law (each factor may be reduced modulo n separately), so formula 2 can be rewritten as the following formula 3:
[formula 3 is shown as an image in the original and is not reproduced here]
where (e, s, v) is the network identification signature, $(a_1, a_2, a_3, \ldots, a_L, b, c, n)$ is the first public key, $m_1$ is the network identification of the first network, and
[two expressions shown as images in the original, not reproduced here]
is the network identification of the second network.
Thus, according to actual requirements, the target terminal may send unencrypted network identifications to the verifying network element, e.g. any one or more of $(m_1, m_2, m_3, \ldots, m_L)$, and may also send encrypted network identifications, e.g.
[expression shown as an image in the original, not reproduced here]
It is difficult for the verification network element to obtain the unencrypted network identifier from the encrypted network identifier, while the verification network element can still determine the authenticity of the network identifiers of the plurality of networks through formula 3 or any variant of it.
Specifically, when the network identifications, the network identification signature and the first public key of the plurality of networks sent by the target terminal satisfy the above formula 3 or any variant of it, the verification network element determines that the network identifications of the plurality of networks sent by the target terminal are the same as those the target terminal sent when the credential management network element generated the network credential, i.e. the network identifications have not been tampered with. Otherwise, when the network identifications, the signature and the first public key sent by the target terminal do not satisfy formula 3 or any variant of it, the verification network element determines that the network identifications of the plurality of networks sent by the target terminal differ from those sent when the credential management network element generated the network credential, i.e. the network identifications have been tampered with.
In a possible implementation manner, when the network identifier signature, the first public key, the network identifier of the first network, and the encrypted network identifier of the second network satisfy formula 3, the verification network element determines that the verification result is that the first network is allowed to be accessed; and under the condition that the network identification signature, the first public key, the network identification of the first network and the encrypted network identification of the second network do not satisfy the formula 3, the verification network element determines that the verification result is forbidden to access the first network.
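The credential generation of step 502 and the formula 3 check of step 505, as an added Python example that is not part of the patent. Because formula 2 and formula 3 appear on this page only as images, the block assumes the standard RSA-based CL relation $v^e \equiv a_1^{m_1} \cdots a_L^{m_L} \, b^s \, c \pmod{n}$ and that the encrypted identifier of a hidden (second) network i is the factor $a_i^{m_i} \bmod n$; key sizes and identifier values are constructed toy values.

```python
# Added illustration (not the patent's code). Toy RSA-based CL signature used as
# the network credential. ASSUMPTION: formula 2 on the page is the standard CL
# relation  v^e = a_1^m_1 * ... * a_L^m_L * b^s * c (mod n), and the "encrypted
# network identifier" of a hidden network i is the factor a_i^m_i mod n.
# Key sizes here are toy-sized; a real deployment uses a 2048-bit+ modulus.
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test (sufficient for a demo)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def keygen(num_networks: int, bits: int = 256):
    """Step 502: first private key (p, q, n), first public key (a_1..a_L, b, c, n).
    a_i, b and c are quadratic residues mod n, i.e. a = x^2 mod n (equation 1)."""
    p = random_prime(bits // 2)
    q = random_prime(bits // 2)
    while q == p:
        q = random_prime(bits // 2)
    n = p * q

    def quadratic_residue() -> int:
        return pow(secrets.randbelow(n - 2) + 2, 2, n)

    public_key = {"a": [quadratic_residue() for _ in range(num_networks)],
                  "b": quadratic_residue(), "c": quadratic_residue(), "n": n}
    return (p, q, n), public_key


def sign(private_key, public_key, ids):
    """Step 502: network identification signature (e, s, v) on (m_1..m_L)."""
    p, q, n = private_key
    phi = (p - 1) * (q - 1)
    while True:                       # e: random prime coprime to phi(n)
        e = random_prime(64)
        if phi % e:
            break
    s = secrets.randbits(128)
    x = pow(public_key["b"], s, n) * public_key["c"] % n
    for a_i, m_i in zip(public_key["a"], ids):
        x = x * pow(a_i, m_i, n) % n
    v = pow(x, pow(e, -1, phi), n)    # e-th root of x mod n (Python >= 3.8)
    return e, s, v


def encrypt_identifier(public_key, index: int, m_i: int) -> int:
    """Step 504: the terminal hides m_i of a second network as a_i^m_i mod n."""
    return pow(public_key["a"][index], m_i, public_key["n"])


def verify(public_key, signature, disclosed, hidden) -> bool:
    """Step 505 / formula 3. disclosed: {i: m_i}; hidden: {i: a_i^m_i mod n}.
    True means "allow access to the first network", False "prohibit access".
    Note: this equation check alone does not prove the terminal knows the
    hidden m_i; the full CL scheme adds a zero-knowledge proof for that."""
    e, s, v = signature
    n = public_key["n"]
    all_indices = set(range(len(public_key["a"])))
    if set(disclosed) | set(hidden) != all_indices or set(disclosed) & set(hidden):
        return False                  # every network must appear exactly once
    if not is_probable_prime(e) or not 1 <= v < n:
        return False
    rhs = pow(public_key["b"], s, n) * public_key["c"] % n
    for i, m_i in disclosed.items():
        rhs = rhs * pow(public_key["a"][i], m_i, n) % n
    for i, factor in hidden.items():
        rhs = rhs * (factor % n) % n
    return pow(v, e, n) == rhs
```

A terminal holding `sign(...)`'s output discloses the first network's identifier in the clear and sends `encrypt_identifier(...)` for every other network; the verifier calls `verify` with both dictionaries.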
As a possible embodiment of the present application, in conjunction with fig. 5, as shown in fig. 6, before step 501, the method further includes the following steps 601-602:
step 601, the target terminal creates decentralized identity DID information.
Wherein the DID information includes network identifications of the plurality of networks.
Illustratively, the DID information may be represented as a DID document, which includes the DID identifier and the attributes corresponding to the DID (e.g., the network identifiers of the multiple networks). The DID identifier includes a scheme (protocol header) field, a DID method field and a DID method-specific identifier, and is generally represented in the following form:
did:example:123456789abcdefghi
the DID information corresponds to a DID address (DID url), and the related devices (e.g., the target terminal 101, the credential management network element 102, the verification network element 103, etc.) can resolve the corresponding DID information through the DID address.
Step 602, the target terminal generates a second public key and a second private key corresponding to the DID information, and encrypts the network identifiers of the multiple networks according to the second private key.
It should be noted that the second public key and the second private key belong to the same key pair, and the information encrypted by the second private key can only be decrypted by the second public key, whereas the information encrypted by the second public key can only be decrypted by the second private key.
In one possible implementation manner, the target terminal generates a second private key according to the random seed value, and generates a second public key according to the second private key.
In another possible implementation manner, the target terminal randomly generates a second private key, and generates a second public key according to the second private key.
Illustratively, after the destination terminal generates the DID information, the destination terminal may further store the generated DID information in the data storage center, so as to recover the data through the data storage center in case of data loss.
In a possible implementation manner, in order to avoid the problem of data security caused by the leakage of the second private key, the target terminal may also periodically update the second public key and the second private key.
Illustratively, the target terminal updates the second private key and the second public key by calling a replace_key_start interface and a replace_key_apply interface. The target terminal may also store the updated key in the data storage center.
As a possible implementation manner, the above step 501 can also be implemented by the following steps 603 to 604.
Step 603, the target terminal sends the encrypted network identifications of the plurality of networks and the second public key to the credential management network element. Correspondingly, the credential management network element receives the encrypted network identifications of the plurality of networks and the second public key sent by the target terminal.
It should be noted that, here, the way and purpose of encrypting the network identifiers of the multiple networks by the second private key are different from the way and purpose of encrypting the network identifier of the second network by the target terminal in step 504.
In step 504, the purpose of the target terminal encrypting the network identifier of the second network is to prevent the authentication network element of the first network from acquiring the network identifiers of other networks, thereby causing the problem of privacy disclosure.
In step 603, the target terminal encrypts the data that the target terminal needs to send by using the second private key as a whole. Meanwhile, devices capable of acquiring the second public key can decrypt the encrypted data. But only the target terminal possesses the second private key, and meanwhile, the second public key can only correctly decrypt the data encrypted by the second private key.
Therefore, other devices cannot impersonate the target terminal and send false data to the credential management network element. That is, the purpose of the target terminal encrypting the data is to enable the device receiving the data (i.e., the credential management network element) to determine that the received data comes from the target terminal and has not been altered during transmission.
Step 604, the credential management network element decrypts the encrypted network identifications of the plurality of networks according to the second public key.
In a possible implementation manner, the target terminal may further transmit data to the credential management network element by the following encryption manner:
and the target terminal acquires a third public key of the certificate management network element and encrypts the network identifications of the plurality of networks according to the third public key.
And the target terminal sends the network identifications after the network encryption to the certificate management network element. Correspondingly, the certificate management network element receives the network identifications which are sent by the target terminal and are encrypted by the plurality of networks.
And the certificate management network element decrypts the network identifications encrypted by the plurality of networks according to the third private key.
The manner in which the credential management network element generates the third private key and the third public key may refer to the description of the target terminal generating the second public key and the second private key in step 602.
It should be noted that the above two encryption methods can also be applied to the data interaction process between other devices in the present application, and this is not described in detail herein.
The scheme at least has the following beneficial effects: in the network access method provided by the application, the target terminal can create the DID information and generate a second public key and a second private key corresponding to the DID information, and encrypt the network identifications of the multiple networks to be sent through the second private key. Only the target terminal has the second private key, and the second public key can only decrypt the data information encrypted by the second private key. Therefore, after the certificate management network element receives the network identifiers encrypted by the plurality of networks, if the encrypted information can be decrypted by the second public key, the information is not tampered in the transmission process, and the security of data transmission is effectively guaranteed.
As a possible implementation manner, in the network access method provided by the present application, the devices may also perform data transmission through the relay node. Taking step 501 in fig. 5 as an example, as shown in fig. 7, step 501 may be further implemented by the following steps 701 to 705:
step 701, the target terminal obtains the communication address of the relay node of the certificate management network element.
Illustratively, the communication address may be a DIDComm address. The credential management network element can publish the DIDComm address to the other device so that the other device interacts with the credential management network element data through the address.
Step 702, the target terminal encrypts the network identifiers of the plurality of networks through a preset key to obtain target data.
In a possible implementation manner, the target terminal may determine the preset key by using the second private key, the third public key of the credential management network element, and a randomly generated temporary value (nonce).
Illustratively, the target terminal may determine the preset key through the crypto_box function in the libsodium library.
And step 703, the target terminal sends target data to the relay node through the communication address of the relay node. Correspondingly, the relay node receives the target data sent by the target terminal.
The relay node may be an independent relay device, or may be a module of any device in the network access method, for example, the relay node may be a relay module of a credential management network element.
Step 704, the relay node forwards the target data to the credential management network element. Correspondingly, the certificate management network element receives the target data sent by the relay node.
Step 705, the voucher management network element decrypts the target data through the preset key to obtain the network identifiers of the multiple networks.
In a possible implementation manner, the credential management network element may recover the same preset key by using the third private key, the second public key of the target terminal, and the randomly generated temporary value (nonce) used by the target terminal.
Illustratively, the credential management network element may recover the preset key through the crypto_box function in the libsodium library.
The scheme at least has the following beneficial effects: in the network access method provided by the application, the devices can perform data transmission through the relay node, so that two parties performing data transmission do not need to worry about the problem of information leakage of the two parties, and the privacy protection capability in the data transmission process is effectively improved.
As a possible embodiment, the present application further performs a system function test on the network access system.
The function test list and the test result of the target terminal are shown in the following table 1:
TABLE 1 list of functions of target terminal and test results
[Table 1 is provided as an image in the original and is not reproduced here.]
The list of functions of the credential management network element and the test results are shown in table 2 below:
table 2 management cloud platform function list and test results
[Table 2 is provided as an image in the original and is not reproduced here.]
BUG test analysis, as shown in Table 3 below:
TABLE 3 BUG statistics table

Measured module              Total number of BUGs    Number closed    Number not closed
Identity technology system   46                      46               0
Authentication system        27                      27               0
The system test found 73 defects in total, of which 73 were closed, i.e. a BUG closure rate of 100%. The tests cover the functionality, user interface, logic functions and the like of the three systems; the defects found were repaired and confirmed, so that the related personnel can better understand and use the system.
The performance test of the network access system in the present application is shown in table 4 below:
TABLE 4 Performance test Table
[Table 4 is provided as an image in the original and is not reproduced here.]
The test environments used in this application are shown in table 5 below:
table 5 test environment table
[Table 5 is provided as an image in the original and is not reproduced here.]
The following are test results under different test scenarios:
table 6 test results of test scenario 1
[Table 6 is provided as an image in the original and is not reproduced here.]
Table 7 test results of test scenario 2
[Table 7 is provided as an image in the original and is not reproduced here.]
Table 8 test results of test scenario 3
[Table 8 is provided as an image in the original and is not reproduced here.]
In addition, the network access system provided by the application also supports containerized deployment, for example deployment through a docker-compose script. The services to be deployed include the following:
1. Spring microservice gateway (cert-gateway), which provides microservice interface authorization and routing.
2. Network element management microservice (cert-admin), which provides the back-end interface support for organization management.
3. Network element external API microservice (cert-API-center), which provides support for the communication access between the credential management network element and the business systems.
4. Microservice gateway authorization service (cert-auth), which provides a unified login authorization service based on the JWT (JSON Web Token) standard.
5. Relay service, which provides the offline message forwarding service for the related applications.
6. Data storage service, such as blockchain node servers.
7. Data query service, such as a blockchain browser.
8. Business system proxy service, which is used to access the business systems of the relevant service providers.
In the embodiment of the present application, the target terminal, the credential management network element, and the verification network element may be divided into the functional modules or the functional units according to the above method examples, for example, each functional module or functional unit may be divided corresponding to each function, or two or more functions may be integrated into one processing module. The integrated module may be implemented in a form of hardware, or may be implemented in a form of a software functional module or a functional unit. The division of the modules or units in the embodiment of the present application is schematic, and is only a logic function division, and there may be another division manner in actual implementation.
As shown in fig. 8, a schematic structural diagram of a target terminal 80 provided in the embodiment of the present application is shown, where the target terminal 80 includes:
a communication unit 802, configured to send network identifiers of multiple networks to a credential management network element.
A communication unit 802, further configured to receive a network credential generated by a credential management network element according to network identifiers of multiple networks; the network certificate comprises a network identification signature and a first public key; the network identifier signature is a signature of network identifiers of a plurality of networks, and the first public key is a public key of the network identifiers of the plurality of networks.
The communication unit 802 is further configured to send authentication request information to an authentication network element of the first network, so that the authentication network element obtains an authentication result based on the authentication request information; the verification request information comprises a network identification signature, a first public key, a network identification of the first network and a network identification encrypted by the second network; the first network is any one of a plurality of networks; the second network is a network of the plurality of networks other than the first network.
The communication unit 802 is further configured to receive an authentication result sent by the authentication network element.
A processing unit 801, configured to determine whether to access the first network according to the verification result.
In a possible implementation manner, the processing unit 801 is further configured to create decentralized identity DID information, where the DID information includes network identifiers of multiple networks; generating a second public key and a second private key corresponding to the DID information, and encrypting the network identifications of the plurality of networks according to the second private key; the communication unit 802 is further configured to send the network identifiers and the second public key after the network encryption to the credential management network element.
As shown in fig. 9, which is a schematic structural diagram of a credential management network element 90 provided in an embodiment of the present application, where the credential management network element 90 includes:
a communication unit 902, configured to receive network identifiers of multiple networks sent by a target terminal.
A processing unit 901, configured to generate a network credential according to network identifiers of multiple networks; the network certificate comprises a network identification signature and a first public key; the network identifier signature is a signature of network identifiers of a plurality of networks, and the first public key is a public key of the network identifiers of the plurality of networks.
The communication unit 902 is further configured to send the network credential to the target terminal.
In a possible implementation manner, the communication unit 902 is further configured to receive the encrypted network identifications of the plurality of networks and the second public key sent by the target terminal; the processing unit 901 is further configured to decrypt the encrypted network identifications of the plurality of networks according to the second public key.
In a possible implementation manner, the processing unit 901 is configured to randomly generate a first private key and generate a corresponding first public key according to the first private key; determining network identification signatures of the network identifications of the plurality of networks according to the first private key, the first public key and the network identifications of the plurality of networks; and generating a network certificate according to the first public key and the network identification signature.
Fig. 10 is a schematic structural diagram of a verification network element 100 provided in an embodiment of the present application; the verification network element 100 includes:
a communication unit 1002, configured to receive verification request information sent by a target terminal; the verification request information comprises a network identification signature, a first public key, a network identification of the first network and an encrypted network identification of the second network; the network identification signature is a signature of the network identifications of a plurality of networks, and the first public key is a public key of the network identifications of the plurality of networks; the first network is any one of the plurality of networks; the second network is a network of the plurality of networks other than the first network.
A processing unit 1001, configured to verify the network identification signature, the first public key, the network identification of the first network and the encrypted network identification of the second network, and obtain a verification result; the verification result is either that access to the first network is allowed or that access to the first network is prohibited.
The communication unit 1002 is further configured to send the verification result to the target terminal.
In a possible implementation manner, the processing unit 1001 is configured to determine that the verification result is that access to the first network is allowed when the network identification signature, the first public key, the network identification of the first network and the encrypted network identification of the second network satisfy a preset formula, and to determine that the verification result is that access to the first network is prohibited when they do not satisfy the preset formula.
In one possible implementation, the preset formula is:
Figure BDA0003659790480000421
where $(e, s, v)$ is the network identification signature, $(a_1, a_2, a_3, \ldots, a_L, b, c, n)$ is the first public key, $m_1$ is the network identification of the first network, and
Figure BDA0003659790480000422
Figure BDA0003659790480000423
is the network identification of the second network.
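The preset formula itself is given only as an image, but the public key shape (a_1, ..., a_L, b, c, n) and the signature shape (e, s, v) are those of the Camenisch-Lysyanskaya strong-RSA multi-message signature. The block below is an added example, not the patent's own code, that assumes that scheme: the credential management network element signs the hashed network identifications, and the verification network element checks v^e against a_1^{m_1} ... a_L^{m_L} b^s c (mod n) over the full set of identifications (the patent's treatment of the encrypted second-network identification is not shown on the page and is not modelled; identifiers, key sizes and the hash-to-integer mapping are constructed for the example).

```python
import hashlib
import secrets

L_M = 128  # bit length of a hashed network identification m_i (assumption)
L_E = 160  # bit length of the prime e in the signature (assumption)
L_S = 80   # extra randomness bits in s beyond |n| + L_M (assumption)

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases, after trial division by small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits: int) -> int:
    """Return p = 2q + 1 with p and q both prime and p exactly `bits` long."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1

def id_to_int(network_id: str) -> int:
    """Map a network identification string to the L_M-bit message integer m_i."""
    digest = hashlib.sha256(network_id.encode()).digest()
    return int.from_bytes(digest[: L_M // 8], "big")

def keygen(num_ids: int, bits: int = 1024):
    """Credential management NE: first private key (p, q) and first public key."""
    p, q = safe_prime(bits), safe_prime(bits)
    n = p * q
    def qr() -> int:  # random quadratic residue mod n
        return pow(secrets.randbelow(n - 2) + 2, 2, n)
    pub = {"a": [qr() for _ in range(num_ids)], "b": qr(), "c": qr(), "n": n}
    return {"p": p, "q": q}, pub

def sign(priv, pub, network_ids):
    """Credential management NE: network identification signature (e, s, v)."""
    n, a, b, c = pub["n"], pub["a"], pub["b"], pub["c"]
    while True:  # e is a fresh random L_E-bit prime
        e = secrets.randbits(L_E) | (1 << (L_E - 1)) | 1
        if is_probable_prime(e):
            break
    s = secrets.randbits(n.bit_length() + L_M + L_S)
    base = c * pow(b, s, n) % n
    for ai, nid in zip(a, network_ids):
        base = base * pow(ai, id_to_int(nid), n) % n
    # base is a quadratic residue; its e-th root uses the order p'q' of QR_n
    order = ((priv["p"] - 1) // 2) * ((priv["q"] - 1) // 2)
    v = pow(base, pow(e, -1, order), n)
    return e, s, v

def verify(pub, network_ids, sig) -> bool:
    """Verification NE: accept iff v^e == a_1^m_1 ... a_L^m_L b^s c (mod n)."""
    e, s, v = sig
    n, a, b, c = pub["n"], pub["a"], pub["b"], pub["c"]
    if len(network_ids) != len(a) or not 0 < v < n or s < 0:
        return False
    if e.bit_length() != L_E or not is_probable_prime(e):
        return False
    rhs = c * pow(b, s, n) % n
    for ai, nid in zip(a, network_ids):
        rhs = rhs * pow(ai, id_to_int(nid), n) % n
    return pow(v, e, n) == rhs

if __name__ == "__main__":
    ids = ["net-A", "net-B", "net-C"]  # constructed sample network identifications
    priv, pub = keygen(len(ids), bits=512)
    sig = sign(priv, pub, ids)
    print("valid:", verify(pub, ids, sig))                             # True
    print("tampered:", verify(pub, ["net-A", "net-X", "net-C"], sig))  # False
```

Any change to a signed identification, to s, or to v makes the check fail, which is the property the verification network element relies on when it decides between allowing and prohibiting access.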
When implemented by hardware, the communication unit 802, the communication unit 902, and the communication unit 1002 in the embodiment of the present application may be integrated on a communication interface, and the processing unit 801, the processing unit 901, and the processing unit 1001 may be integrated on a processor. The specific implementation is shown in fig. 11.
Fig. 11 shows a schematic diagram of still another possible structure of the network access device 110 involved in the above embodiments. The network access device 110 may be a possible implementation of the target terminal 80, the credential management network element 90 or the verification network element 100. The network access device 110 includes a processor 1102 and a communication interface 1103. The processor 1102 is configured to control and manage the actions of the network access device 110, for example to perform the steps performed by the processing unit 801, the processing unit 901 and the processing unit 1001, and/or other processes of the techniques described herein. The communication interface 1103 is configured to support communication between the network access device 110 and other network entities, for example to perform the steps performed by the communication unit 802, the communication unit 902 and the communication unit 1002. The network access device 110 may further include a memory 1101 and a bus 1104, the memory 1101 storing program code and data of the network access device 110.
Wherein the memory 1101 may be a memory in the network access device 110 or the like, which may include volatile memory, such as random access memory; the memory may also include non-volatile memory, such as read-only memory, flash memory, a hard disk, or a solid state disk; the memory may also comprise a combination of memories of the kind described above.
The processor 1102 may be any device that can implement or execute the various illustrative logical blocks, modules and circuits described in connection with the disclosure herein, for example a central processing unit, a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field-programmable gate array or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. The processor may also be a combination that implements computing functions, for example one or more microprocessors, or a DSP together with a microprocessor.
The bus 1104 may be an Extended Industry Standard Architecture (EISA) bus or the like. The bus 1104 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in FIG. 11, but that does not indicate only one bus or one type of bus.
The network access device in fig. 11 may also be a chip. The chip includes one or more (including two) processors 1102 and a communication interface 1103.
In some embodiments, the chip also includes a memory 1101, which memory 1101 may include both read-only memory and random access memory, and provides operating instructions and data to the processor 1102. A portion of the memory 1101 may also include non-volatile random access memory (NVRAM).
In some embodiments, memory 1101 stores elements, execution modules or data structures, or a subset thereof, or an expanded set thereof.
In the embodiment of the present application, by calling an operation instruction stored in the memory 1101 (the operation instruction may be stored in an operating system), a corresponding operation is performed.
Through the above description of the embodiments, it is clear to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional modules is merely used as an example, and in practical applications, the above function distribution may be completed by different functional modules according to needs, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the above described functions. For the specific working processes of the system, the apparatus and the unit described above, reference may be made to the corresponding processes in the foregoing method embodiments, and details are not described here again.
The present application provides a computer program product containing instructions, which when run on a computer, causes the computer to execute the network access method in the above method embodiments.
The embodiment of the present application further provides a computer-readable storage medium, where instructions are stored in the computer-readable storage medium, and when the instructions are run on a computer, the computer is caused to execute the network access method in the method flow shown in the foregoing method embodiment.
The computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a Read-Only Memory (ROM), an Erasable Programmable Read-Only Memory (EPROM), a register, an optical fiber, a portable Compact Disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, any suitable combination of the above, or any other form of computer readable storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be integral to the processor. The processor and the storage medium may reside in an Application Specific Integrated Circuit (ASIC). In embodiments of the present application, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.
Since the target terminal, the credential management network element, the verification network element, the network access device, the computer-readable storage medium, and the computer program product in the embodiments of the present invention may be applied to the method described above, reference may also be made to the above method embodiment for obtaining technical effects, and details of the embodiments of the present invention are not repeated herein.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus, and method may be implemented in other ways. For example, the above-described device embodiments are merely illustrative, and for example, the division of the units is only one logical functional division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The above is only an embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions within the technical scope of the present disclosure should be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (13)

1. A method for network access, the method comprising:
sending network identifications of a plurality of networks to a credential management network element;
receiving a network credential generated by the credential management network element according to the network identifications of the plurality of networks; wherein the network credential comprises a network identification signature and a first public key; the network identification signature is a signature of the network identifications of the plurality of networks, and the first public key is a public key of the network identifications of the plurality of networks;
sending verification request information to a verification network element of a first network so that the verification network element obtains a verification result based on the verification request information; the verification request information comprises the network identification signature, the first public key, the network identification of the first network and the encrypted network identification of the second network; the first network is any one of the plurality of networks; the second network is a network of the plurality of networks other than the first network;
and receiving a verification result sent by the verification network element, and determining whether to access the first network according to the verification result.
2. The method of claim 1, wherein prior to said sending network identifications for a plurality of networks to a credential management network element, the method further comprises:
creating Decentralized Identity (DID) information, the DID information including network identifications of the plurality of networks;
generating a second public key and a second private key corresponding to the DID information, and encrypting the network identifications of the plurality of networks according to the second private key;
the sending network identifications of a plurality of networks to the credential management network element comprises:
sending the encrypted network identifications of the plurality of networks and the second public key to the credential management network element.
3. A method for network access, the method comprising:
receiving network identifications of a plurality of networks sent by a target terminal;
generating a network credential according to the network identifications of the plurality of networks; wherein the network credential comprises a network identification signature and a first public key; the network identification signature is a signature of the network identifications of the plurality of networks, and the first public key is a public key of the network identifications of the plurality of networks;
and sending the network credential to the target terminal.
4. The method of claim 3, wherein the receiving network identifications of the plurality of networks sent by the target terminal comprises:
receiving the encrypted network identifications of the plurality of networks and a second public key sent by the target terminal;
and decrypting the encrypted network identifications of the plurality of networks according to the second public key.
5. The method of claim 3, wherein the generating a network credential according to the network identifications of the plurality of networks comprises:
randomly generating a first private key, and generating a corresponding first public key according to the first private key;
determining network identification signatures of the network identifications of the plurality of networks according to the first private key, the first public key and the network identifications of the plurality of networks;
and generating the network credential according to the first public key and the network identification signature.
6. A method for network access, the method comprising:
receiving verification request information sent by a target terminal; the verification request information comprises a network identification signature, a first public key, a network identification of the first network and an encrypted network identification of the second network; the network identification signature is a signature of the network identifications of a plurality of networks, and the first public key is a public key of the network identifications of the plurality of networks; the first network is any one of the plurality of networks; the second network is a network of the plurality of networks other than the first network;
verifying the network identification signature, the first public key, the network identification of the first network and the encrypted network identification of the second network to obtain a verification result; wherein the verification result comprises allowing access to the first network or prohibiting access to the first network;
and sending the verification result to the target terminal.
7. The method of claim 6, wherein the verifying the network identifier signature, the first public key, the network identifier of the first network, and the encrypted network identifier of the second network to obtain the verification result comprises:
under the condition that the network identification signature, the first public key, the network identification of the first network and the encrypted network identification of the second network satisfy a preset formula, determining that the verification result is that access to the first network is allowed;
and under the condition that the network identification signature, the first public key, the network identification of the first network and the encrypted network identification of the second network do not satisfy the preset formula, determining that the verification result is that access to the first network is prohibited.
8. The method of claim 7, wherein the predetermined formula is:
Figure FDA0003659790470000021
wherein $(e, s, v)$ is the network identification signature, $(a_1, a_2, a_3, \ldots, a_L, b, c, n)$ is the first public key, $m_1$ is the network identification of the first network, and
Figure FDA0003659790470000022
Figure FDA0003659790470000023
a network identification for the second network.
9. A target terminal, comprising a communication unit and a processing unit;
the communication unit is configured to send network identifications of a plurality of networks to a credential management network element;
the communication unit is further configured to receive a network credential generated by the credential management network element according to the network identifications of the plurality of networks; wherein the network credential comprises a network identification signature and a first public key; the network identification signature is a signature of the network identifications of the plurality of networks, and the first public key is a public key of the network identifications of the plurality of networks;
the communication unit is further configured to send verification request information to a verification network element of a first network, so that the verification network element obtains a verification result based on the verification request information; the verification request information comprises the network identification signature, the first public key, the network identification of the first network and the encrypted network identification of the second network; the first network is any one of the plurality of networks; the second network is a network of the plurality of networks other than the first network;
the communication unit is further configured to receive a verification result sent by the verification network element;
and the processing unit is used for determining whether to access the first network according to the verification result.
10. A credential management network element comprising a communication unit and a processing unit;
the communication unit is used for receiving network identifiers of a plurality of networks sent by a target terminal;
the processing unit is configured to generate a network credential according to the network identifications of the plurality of networks; wherein the network credential comprises a network identification signature and a first public key; the network identification signature is a signature of the network identifications of the plurality of networks, and the first public key is a public key of the network identifications of the plurality of networks;
the communication unit is further configured to send the network credential to the target terminal.
11. A verification network element comprising a communication unit and a processing unit;
the communication unit is configured to receive verification request information sent by a target terminal; the verification request information comprises a network identification signature, a first public key, a network identification of the first network and an encrypted network identification of the second network; the network identification signature is a signature of the network identifications of a plurality of networks, and the first public key is a public key of the network identifications of the plurality of networks; the first network is any one of the plurality of networks; the second network is a network of the plurality of networks other than the first network;
the processing unit is configured to verify the network identifier signature, the first public key, the network identifier of the first network, and the encrypted network identifier of the second network, and obtain a verification result; wherein the verification result comprises allowing access to the first network or prohibiting access to the first network;
the communication unit is further configured to send the verification result to the target terminal.
12. A target terminal, comprising: a processor and a communication interface; the communication interface is coupled to the processor, and the processor is configured to execute a computer program or instructions to implement the network access method as claimed in claim 1 or 2.
13. A computer-readable storage medium having stored therein instructions which, when executed by a computer, cause the computer to perform the network access method of claim 1 or 2.
CN202210569753.9A 2022-05-24 2022-05-24 Network access method, target terminal, credential management network element and verification network element Active CN114978698B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210569753.9A CN114978698B (en) 2022-05-24 2022-05-24 Network access method, target terminal, credential management network element and verification network element

Publications (2)

Publication Number Publication Date
CN114978698A true CN114978698A (en) 2022-08-30
CN114978698B CN114978698B (en) 2023-07-28

Family

ID=82955413

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210569753.9A Active CN114978698B (en) 2022-05-24 2022-05-24 Network access method, target terminal, credential management network element and verification network element

Country Status (1)

Country Link
CN (1) CN114978698B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115996126A (en) * 2022-12-02 2023-04-21 北京深盾科技股份有限公司 Information interaction method, application device, auxiliary platform and electronic device

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007074391A (en) * 2005-09-07 2007-03-22 Ntt Docomo Inc Device and authentication method, and authentication program for configuring secure adhoc network
WO2010151692A1 (en) * 2009-06-24 2010-12-29 Devicescape Software, Inc. Systems and methods for obtaining network credentials
US20130117560A1 (en) * 2011-11-03 2013-05-09 Cleversafe, Inc. Processing a dispersed storage network access request utilizing certificate chain validation information
KR20140051018A (en) * 2012-10-22 2014-04-30 삼성전자주식회사 Method and apparatus for managing an embedded subscriber identity module in a communication system
CN104704789A (en) * 2012-10-15 2015-06-10 诺基亚通信公司 Network authentication
US20150257083A1 (en) * 2014-03-10 2015-09-10 Belkin International, Inc. Unifying multiple wireless networks
US20160165651A1 (en) * 2014-12-04 2016-06-09 Belkin International, Inc. Associating devices and users with a local area network using network identifiers
WO2020177768A1 (en) * 2019-03-07 2020-09-10 华为技术有限公司 Network verification method, apparatus, and system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115996126A (en) * 2022-12-02 2023-04-21 北京深盾科技股份有限公司 Information interaction method, application device, auxiliary platform and electronic device
CN115996126B (en) * 2022-12-02 2023-11-03 北京深盾科技股份有限公司 Information interaction method, application device, auxiliary platform and electronic device

Also Published As

Publication number Publication date
CN114978698B (en) 2023-07-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant