CN114980107A - Data integrity verification method and device and storage medium - Google Patents
Data integrity verification method and device and storage medium Download PDFInfo
- Publication number
- CN114980107A CN114980107A CN202210603462.7A CN202210603462A CN114980107A CN 114980107 A CN114980107 A CN 114980107A CN 202210603462 A CN202210603462 A CN 202210603462A CN 114980107 A CN114980107 A CN 114980107A
- Authority
- CN
- China
- Prior art keywords
- data
- information
- integrity verification
- data integrity
- digital signature
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000013496 data integrity verification Methods 0.000 title claims abstract description 383
- 238000000034 method Methods 0.000 title claims abstract description 145
- 238000004891 communication Methods 0.000 claims abstract description 104
- 238000012545 processing Methods 0.000 claims description 87
- 238000012795 verification Methods 0.000 claims description 41
- 238000013523 data management Methods 0.000 claims description 7
- 238000010200 validation analysis Methods 0.000 claims 2
- 230000008569 process Effects 0.000 abstract description 35
- 238000012546 transfer Methods 0.000 abstract description 2
- 230000006870 function Effects 0.000 description 34
- 230000004044 response Effects 0.000 description 25
- 238000010586 diagram Methods 0.000 description 15
- 238000004590 computer program Methods 0.000 description 7
- 230000008859 change Effects 0.000 description 6
- 230000011664 signaling Effects 0.000 description 6
- 238000013500 data storage Methods 0.000 description 5
- 238000013461 design Methods 0.000 description 5
- 238000007726 management method Methods 0.000 description 5
- 230000003287 optical effect Effects 0.000 description 5
- 238000005516 engineering process Methods 0.000 description 4
- 230000005540 biological transmission Effects 0.000 description 3
- 230000001960 triggered effect Effects 0.000 description 3
- 230000009286 beneficial effect Effects 0.000 description 2
- 238000006243 chemical reaction Methods 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 230000007613 environmental effect Effects 0.000 description 2
- 230000003993 interaction Effects 0.000 description 2
- 238000012544 monitoring process Methods 0.000 description 2
- 230000008520 organization Effects 0.000 description 2
- 230000003068 static effect Effects 0.000 description 2
- 101150119040 Nsmf gene Proteins 0.000 description 1
- 238000003491 array Methods 0.000 description 1
- 238000013473 artificial intelligence Methods 0.000 description 1
- 230000006399 behavior Effects 0.000 description 1
- 238000007405 data analysis Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000002708 enhancing effect Effects 0.000 description 1
- 239000000284 extract Substances 0.000 description 1
- 238000009434 installation Methods 0.000 description 1
- 230000007774 longterm Effects 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 238000012549 training Methods 0.000 description 1
- 230000009466 transformation Effects 0.000 description 1
- 238000013519 translation Methods 0.000 description 1
- 238000011144 upstream manufacturing Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/10—Integrity
- H04W12/106—Packet or message integrity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/03—Protecting confidentiality, e.g. by encryption
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The application provides a data integrity verification method, a data integrity verification device and a storage medium, relates to the technical field of communication, and can verify data integrity in a data stream transfer process. The method comprises the following steps: receiving first indication information from a data receiving end; the first indication information is used for indicating a data integrity verification server DIVS AS to inquire data integrity verification information corresponding to a first identifier, and the first identifier is a storage identifier of the data integrity verification information of a data sending end in the DIVS AS; inquiring data integrity verification information corresponding to the first identifier; and sending data integrity verification information to a data receiving end. The embodiment of the application is used in the data integrity verification process.
Description
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for verifying data integrity, and a storage medium.
Background
In the related art, after a data sending end collects data, the data is often required to be sent to a specific terminal, and the specific terminal forwards or circulates the data to a data receiving end. But the data receiving end cannot verify the data integrity of the received data after receiving the data. And then, data reception cannot determine whether the received data is the original data sent by the data sending end, and whether the specific terminal is tampered with the data in the forwarding process. Therefore, how to verify the data integrity of the received data becomes a problem to be solved urgently at present.
Disclosure of Invention
The application provides a data integrity verification method, a data integrity verification device and a storage medium, wherein after a data receiving end receives data, the data integrity of the data is verified.
In order to achieve the purpose, the technical scheme is as follows:
in a first aspect, the present disclosure provides a data integrity verification method, including: receiving first indication information from a data receiving end; the first indication information is used for indicating a data integrity verification server DIVS AS to inquire data integrity verification information corresponding to a first identifier, and the first identifier is a storage identifier of the data integrity verification information of a data sending end in the DIVS AS; inquiring data integrity verification information corresponding to the first identifier; and sending data integrity verification information to a data receiving end.
With reference to the first aspect, in a possible implementation manner, the first identifier belongs to target data sent by the data sending end to the data receiving end; the target data comprises data to be verified, a first digital signature and a first identifier; the first digital signature is a digital signature generated after the data to be verified is signed according to the first private key; the first private key is a private key in a first key pair generated by the data sending end; the data integrity verification information comprises a first public key, and the first public key is a public key in a first key pair generated by the data sending end.
With reference to the first aspect, in a possible implementation manner, the method further includes: receiving second indication information from a data sending end; the second indication information is used for carrying first data; the first data comprises a first public key, a signature algorithm set supported by the data sending end and first terminal information of the data sending end; acquiring the subscription information of the data sending end according to the first terminal information in the second indication information; the subscription information includes: the signing validity information of the data sending end; determining data integrity verification information according to the first data and the subscription information; the data integrity verification information is stored in the blockchain.
With reference to the first aspect, in a possible implementation manner, the acquiring, according to the first terminal information, subscription information of the data sending end includes: sending a signing information acquisition request to a capability open platform NEF; the subscription information acquisition request comprises first terminal information; receiving subscription information from the NEF; the subscription information is the subscription information of the data sending end, which is returned by the NEF and acquired in the user data management network element UDM according to the first terminal information.
With reference to the first aspect, in a possible implementation manner, the first data further includes a second digital signature; the second digital signature is a digital signature generated after the first public key and the first terminal information are signed according to the first public key and a first signature algorithm; after receiving the second indication information from the data transmitting end, the method further includes: verifying the second digital signature according to the first public key and a first signature algorithm; under the condition that the second digital signature passes verification, acquiring first terminal information in the first data; and generating a subscription information acquisition request according to the first terminal information.
With reference to the first aspect, in a possible implementation manner, the determining data integrity verification information according to the first data and the subscription information includes: generating a first data set to be signed according to the first data and the signing data; signing the first data set to be signed according to a second private key and a second signature algorithm, and determining a third digital signature; the second private key belongs to a second key pair generated by the DIVS AS; and determining data integrity verification information according to the first data set to be signed, the certificate corresponding to the second private key and the third digital signature.
With reference to the first aspect, in a possible implementation manner, the method further includes: sending a first transaction identifier to a data sending end; the first transaction identification is used for characterizing the storage information of the data integrity verification information in the blockchain.
With reference to the first aspect, in a possible implementation manner, the method further includes: sending first address information to a data sending end; the first address information is address information of a DIVS AS storing data integrity verification information corresponding to the first transaction identifier.
With reference to the first aspect, in a possible implementation manner, the method further includes: receiving a subscription information update message from the NEF; the subscription information update message includes: second terminal information and the updated subscription information of the data sending terminal; inquiring latest target data integrity verification information including second terminal information in the block chain; updating the latest target data integrity verification information according to the updated subscription information; and storing the updated latest target data integrity verification information in the block chain.
With reference to the first aspect, in a possible implementation manner, the updating, according to the updated subscription information, the latest target data integrity verification information includes: executing a first operation on the latest target data integrity verification information, and determining the updated latest target data integrity verification information; the first operation includes: generating a second data set to be verified according to the first data and the updated subscription information; signing the second data set to be signed according to the second private key and a second signature algorithm, and determining a fourth data signature; and determining updated latest target data integrity verification information according to the second data set to be signed, the certificate corresponding to the second private key and the fourth digital signature.
With reference to the first aspect, in a possible implementation manner, the method further includes: sending a second transaction identifier to the data sending end; and the second transaction identifier is used for representing the storage information of the updated latest target data integrity verification information in the blockchain.
With reference to the first aspect, in a possible implementation manner, the method further includes: sending second address information to a data sending end; the second address information is address information of a DIVS AS storing updated latest target data integrity verification information.
In a second aspect, a data integrity verification method is provided, including: receiving target data from a data transmitting end; the target data includes: the data to be verified, the first digital signature and the first identifier are obtained; the first digital signature is a digital signature determined by signing the data to be verified according to the first private key; the first identification is a storage identification of data integrity verification information of the data sending end in a DIVS AS; the first private key is a private key in a first key pair generated by the data sending end; sending first indication information to a DIVS AS; the first indication information is used for indicating the DIVS AS to inquire the data integrity verification information corresponding to the first identifier; data integrity verification information is received from the DIVS AS.
With reference to the second aspect, in a possible implementation manner, the data integrity verification information includes a first public key; the first public key is a public key in a first key pair generated by the data sending end; the method further comprises the following steps: verifying the first digital signature according to the first public key in the data integrity verification information; and determining the data integrity of the data to be verified according to the verification result of the first digital signature.
With reference to the second aspect above, in a possible implementation manner, the target data further includes a timestamp of the first digital signature; the data integrity verification information further includes: the subscription validity period of the data sending end; the method further comprises the following steps: determining whether the timestamp of the first digital signature is within the signing validity period of the data sending end; and if so, determining that the data integrity verification of the data to be verified is successful.
With reference to the second aspect, in a possible implementation manner, the data integrity verification information specifically includes: the first data set to be signed, a certificate corresponding to the second private key and a third digital signature are obtained; the first data set to be signed comprises first data and subscription information; the first data comprises a first public key, a signature algorithm set supported by the data sending end and first terminal information of the data sending end; the subscription information includes: the subscription validity information of the data sending end and the second terminal information of the data sending end; the second private key is a private key in a second key pair generated by the DIVS AS; the third digital signature is a digital signature generated after the first data set to be signed is signed according to the second private key and a second signature algorithm; after receiving the data integrity verification information from the DIVS AS, the method further includes: verifying the third digital signature according to the certificate corresponding to the second private key and a second signature algorithm; and under the condition that the third digital signature is verified successfully, acquiring a first public key in the first data set to be signed.
In a third aspect, a data integrity verification method is provided, including: generating target data; the target data comprises data to be verified, a first digital signature and a first identifier; the first digital signature is generated after the data to be verified is signed according to the first private key; the first private key is a private key in a first key pair generated by the data sending end; the first identification is a storage identification of data integrity verification information of the data sending end in a DIVS AS; and sending the target data to a data receiving end so that the data receiving end determines the data integrity of the data to be verified according to the first identifier and the first digital signature.
With reference to the third aspect, in a possible implementation manner, the method further includes: generating first data; the first data comprises a first public key, a signature algorithm set supported by the data sending end and first terminal information of the data sending end; generating second indication information including the first data; and sending second indication information to the DIVS AS.
With reference to the third aspect, in a possible implementation manner, the generating the first data includes: generating a first key pair; the first key pair comprises a first public key and a first private key; acquiring first terminal information of a data sending end; signing the first public key and the first terminal information according to the first private key and a first signature algorithm, and determining a second digital signature; and generating first data according to the first public key, the first terminal information, the signature algorithm set supported by the data sending end and the second digital signature.
With reference to the third aspect, in a possible implementation manner, the method further includes: receiving at least one of a first transaction identification and a second transaction identification from a DIVS AS; the first transaction identification is generated according to the storage information of the data integrity verification information in the block chain; the second transaction identification is generated according to the storage information of the updated data integrity verification information in the block chain; and generating the first identifier according to the latest transaction identifier in the first transaction identifier and the second transaction identifier.
With reference to the third aspect, in a possible implementation manner, the target data further includes a verification access address; the verification access address is used for representing the address of a DIVS (do not verify service) AS for storing data integrity verification information of a data transmitting end; the method further comprises the following steps: receiving at least one of first address information and second address information from a DIVS AS; the first address information is address information of a DIVS AS storing data integrity verification information corresponding to the first transaction identifier; the second address information is the address information of DIVS AS for storing the updated data integrity verification information corresponding to the second transaction identifier; and generating the verification access address according to the latest address in the first address information and the second address information.
With reference to the third aspect, in a possible implementation manner, the first terminal information includes at least one of an embedded eUICC ID/an integrated circuit card identification code ICCID of the data sending end, an international mobile equipment identification code IMEI, and a mobile subscriber number MSISDN.
In a fourth aspect, a data integrity verification apparatus is provided, including: a communication unit and a processing unit; the communication unit is used for receiving first indication information from a data receiving end; the first indication information is used for indicating a data integrity verification server DIVS AS to inquire data integrity verification information corresponding to a first identifier, and the first identifier is a storage identifier of the data integrity verification information of a data sending end in the DIVS AS; the processing unit is used for inquiring the data integrity verification information corresponding to the first identifier; and the processing unit is also used for indicating the communication unit to send the data integrity verification information to the data receiving end.
With reference to the fourth aspect, in a possible implementation manner, the first identifier belongs to target data sent by the data sending end to the data receiving end; the target data comprises data to be verified, a first digital signature and a first identifier; the first digital signature is generated after the data to be verified is signed according to the first private key; the first private key is a private key in a first key pair generated by the data sending end; the data integrity verification information comprises a first public key, and the first public key is a public key in a first key pair generated by the data sending end.
With reference to the fourth aspect, in a possible implementation manner, the apparatus further includes: the communication unit is also used for receiving second indication information from the data sending end; the second indication information is used for carrying first data; the first data comprises a first public key, a signature algorithm set supported by the data sending end and first terminal information of the data sending end; the communication unit is further used for acquiring the subscription information of the data sending end according to the first terminal information in the second indication information; the subscription information includes: the signing validity information of the data sending end; the processing unit is further used for determining data integrity verification information according to the first data and the subscription information; and the processing unit is also used for storing the data integrity verification information in the block chain.
With reference to the fourth aspect, in a possible implementation manner, the communication unit is specifically configured to: sending a signing information acquisition request to a capability open platform NEF; the subscription information acquisition request comprises first terminal information; receiving subscription information from the NEF; the subscription information is the subscription information of the data sending end, which is returned by the NEF and acquired in the user data management network element UDM according to the first terminal information.
With reference to the fourth aspect, in a possible implementation manner, the first data further includes a second digital signature; the second digital signature is a digital signature generated after the first public key and the first terminal information are signed according to the first public key and a first signature algorithm; a processing unit further to: verifying the second digital signature according to the first public key and a first signature algorithm; under the condition that the second digital signature passes verification, acquiring first terminal information in the first data; and generating a subscription information acquisition request according to the first terminal information.
With reference to the fourth aspect, in a possible implementation manner, the processing unit is specifically configured to: generating a first data set to be signed according to the first data and the signing data; signing the first data set to be signed according to a second private key and a second signature algorithm, and determining a third digital signature; the second private key belongs to a second key pair generated by the DIVS AS; and determining data integrity verification information according to the first data set to be signed, the certificate corresponding to the second private key and the third digital signature.
With reference to the fourth aspect, in a possible implementation manner, the communication unit is further configured to: sending a first transaction identifier to a data sending end; the first transaction identification is used for characterizing the storage information of the data integrity verification information in the blockchain.
With reference to the fourth aspect, in a possible implementation manner, the communication unit is further configured to: sending first address information to a data sending end; the first address information is address information of a DIVS AS storing data integrity verification information corresponding to the first transaction identifier.
With reference to the fourth aspect, in a possible implementation manner, the communication unit is further configured to: receiving a subscription information update message from the NEF; the subscription information update message includes: second terminal information and the updated subscription information of the data sending terminal; the processing unit is also used for inquiring the latest target data integrity verification information including the second terminal information in the block chain; the processing unit is also used for updating the latest target data integrity verification information according to the updated subscription information; and the processing unit is further used for storing the updated latest target data integrity verification information in the block chain.
With reference to the fourth aspect, in a possible implementation manner, the processing unit is further configured to: executing a first operation on the latest target data integrity verification information, and determining the updated latest target data integrity verification information; the first operation includes: generating a second data set to be verified according to the first data and the updated subscription information; signing the second data set to be signed according to the second private key and a second signature algorithm, and determining a fourth data signature; and determining updated latest target data integrity verification information according to the second data set to be signed, the certificate corresponding to the second private key and the fourth digital signature.
With reference to the fourth aspect, in a possible implementation manner, the communication unit is further configured to: sending a second transaction identifier to the data sending end; and the second transaction identifier is used for representing the storage information of the updated latest target data integrity verification information in the blockchain.
With reference to the fourth aspect, in a possible implementation manner, the communication unit is further configured to: sending second address information to a data sending end; the second address information is address information of a DIVS AS storing updated latest target data integrity verification information.
In a fifth aspect, a data integrity verification apparatus is provided, including: a communication unit and a processing unit; a communication unit for receiving target data from a data transmitting end; the target data includes: the data to be verified, the first digital signature and the first identifier are obtained; the first digital signature is a digital signature determined by signing the data to be verified according to the first private key; the first identification is a storage identification of data integrity verification information of the data sending end in a DIVS AS; the first private key is a private key in a first key pair generated by the data sending end; the processing unit is used for indicating the communication unit to send first indication information to the DIVS AS; the first indication information is used for indicating a DIVS AS to inquire data integrity verification information corresponding to the first identifier; and the processing unit is also used for indicating the communication unit to receive the data integrity verification information from the DIVS AS.
With reference to the fifth aspect, in a possible implementation manner, the data integrity verification information includes a first public key; the first public key is a public key in a first key pair generated by the data sending end; a processing unit further to: verifying the first digital signature according to the first public key in the data integrity verification information; and determining the data integrity of the data to be verified according to the verification result of the first digital signature.
With reference to the fifth aspect, in a possible implementation manner, the target data further includes a timestamp of the first digital signature; the data integrity verification information further includes: the subscription validity period of the data sending end; a processing unit further to: determining whether the timestamp of the first digital signature is within the signing validity period of the data sending end; and if so, determining that the data integrity verification of the data to be verified is successful.
With reference to the fifth aspect, in a possible implementation manner, the data integrity verification information specifically includes: the first data set to be signed, the certificate corresponding to the second private key and the third digital signature; the first data set to be signed comprises first data and subscription information; the first data comprises a first public key, a signature algorithm set supported by the data sending end and first terminal information of the data sending end; the subscription information includes: the subscription validity information of the data sending end and the second terminal information of the data sending end; the second private key is a private key in a second key pair generated by the DIVS AS; the third digital signature is a digital signature generated after the first data set to be signed is signed according to the second private key and the second signature algorithm; a processing unit further to: verifying the third digital signature according to the certificate corresponding to the second private key and a second signature algorithm; and under the condition that the third digital signature is verified successfully, acquiring a first public key in the first data set to be signed.
In a sixth aspect, there is provided a data integrity verification apparatus comprising: a communication unit and a processing unit; a processing unit for generating target data; the target data comprises data to be verified, a first digital signature and a first identifier; the first digital signature is generated after the data to be verified is signed according to the first private key; the first private key is a private key in a first key pair generated by the data sending end; the first identification is a storage identification of data integrity verification information of the data sending end in a DIVS AS; and the communication unit is used for sending the target data to the data receiving end so that the data receiving end can determine the data integrity of the data to be verified according to the first identifier and the first digital signature.
With reference to the sixth aspect, in a possible implementation manner, the processing unit is further configured to generate first data; the first data comprises a first public key, a signature algorithm set supported by the data sending end and first terminal information of the data sending end; the processing unit is also used for generating second indication information comprising the first data; and the communication unit is also used for sending second indication information to the DIVS AS.
With reference to the sixth aspect, in a possible implementation manner, the processing unit is specifically configured to: generating a first key pair; the first key pair comprises a first public key and a first private key; acquiring first terminal information of a data sending end; signing the first public key and the first terminal information according to the first private key and a first signature algorithm, and determining a second digital signature; and generating first data according to the first public key, the first terminal information, the signature algorithm set supported by the data sending end and the second digital signature.
With reference to the sixth aspect, in a possible implementation manner, the communication unit is further configured to receive at least one of the first transaction identifier and the second transaction identifier from the DIVS AS; the first transaction identification is generated according to the storage information of the data integrity verification information in the block chain; the second transaction identification is generated according to the storage information of the updated data integrity verification information in the block chain; and the processing unit is also used for generating a first identifier according to the latest transaction identifier in the first transaction identifier and the second transaction identifier.
With reference to the sixth aspect, in a possible implementation manner, the target data further includes a verification access address; the verification access address is used for representing the address of a DIVS (do not verify service) AS for storing data integrity verification information of a data transmitting end; a communication unit further configured to receive at least one of first address information and second address information from the DIVS AS; the first address information is address information of a DIVS AS storing data integrity verification information corresponding to the first transaction identifier; the second address information is address information of a DIVS AS storing updated data integrity verification information corresponding to the second transaction identifier; and the processing unit is also used for generating the verification access address according to the latest address in the first address information and the second address information.
With reference to the sixth aspect, in a possible implementation manner, the first terminal information includes at least one of an embedded eUICC ID/an integrated circuit card identification number ICCID of the data sending end, an international mobile equipment identification number IMEI, and a mobile subscriber number MSISDN.
In a seventh aspect, the present application provides a data integrity verification apparatus, including: a processor and a communication interface; the communication interface is coupled to a processor for executing a computer program or instructions for implementing the data integrity verification method as described in the first aspect and any one of the possible implementations of the first aspect.
In an eighth aspect, the present application provides a data integrity verification apparatus, including: a processor and a communication interface; the communication interface is coupled to a processor for executing a computer program or instructions for implementing the data integrity verification method as described in the second aspect and any possible implementation form of the second aspect.
In a ninth aspect, the present application provides a data integrity verification apparatus, comprising: a processor and a communication interface; the communication interface is coupled to a processor for executing a computer program or instructions for implementing the data integrity verification method as described in the third aspect and any possible implementation manner of the third aspect.
In a tenth aspect, the present application provides a computer-readable storage medium having instructions stored therein, which when executed by a processor of a data integrity verification apparatus, enable the data integrity verification apparatus to perform the data integrity verification method as described in the first aspect and any one of the possible implementations of the first aspect.
In an eleventh aspect, the present application provides a computer-readable storage medium having instructions stored therein, which when executed by a processor of a data integrity verification apparatus, enable the data integrity verification apparatus to perform the data integrity verification method as described in the second aspect and any one of the possible implementations of the second aspect.
In a twelfth aspect, the present application provides a computer-readable storage medium having instructions stored therein, which when executed by a processor of a data integrity verification apparatus, enable the data integrity verification apparatus to perform the data integrity verification method as described in any one of the possible implementations of the third aspect and the third aspect.
In the present application, the names of the data integrity verification apparatuses described above do not limit the devices or the function modules themselves, and in actual implementation, the devices or the function modules may appear by other names. Insofar as the functions of the respective devices or functional blocks are similar to those of the present invention, they are within the scope of the claims of the present invention and their equivalents.
These and other aspects of the invention will be more readily apparent from the following description.
The technical scheme provided by the application at least brings the following beneficial effects: in the embodiment of the disclosure, after the data is acquired by the data transmitting end, the data is digitally signed by using the first private key, and then the digital signature and the data to be verified are uniformly transmitted to the data receiving end. After the data receiving end receives the data, the data integrity verification information of the data sending end is obtained from the DIVS AS, the first digital signature is verified by using the first public key in the data integrity verification information, if the verification is successful, the signature is performed according to the first private key according to the first digital signature, and the first private key is a secret key inside the data sending end and cannot be stolen by the outside. Therefore, under the condition that the first digital signature is successfully verified, the first digital signature is obtained after the data sending end signs the data to be verified, and therefore the data to be verified is the original data sent by the data sending end. Based on this, the data receiving end can determine whether the received data is the original data sent by the data sending end according to the method, so that the data integrity of the data to be verified is effectively verified.
In the present application, the names of the above-mentioned data integrity verification means do not limit the devices or functional modules themselves, and in actual implementation, these devices or functional modules may appear by other names. Insofar as the functions of the respective devices or functional blocks are similar to those of the present invention, they are within the scope of the claims of the present invention and their equivalents.
Drawings
Fig. 1 is a system architecture diagram of a 5G capability open architecture provided in the present application;
fig. 2 is a schematic structural diagram of a blockchain according to the present application;
FIG. 3 is a system architecture diagram of a data integrity verification system in a vertical industry scenario as provided herein;
fig. 4 is a schematic flowchart of a data integrity verification method provided in the present application;
fig. 5 is a schematic flow chart of another data integrity verification method provided in the present application;
fig. 6 is a schematic flowchart of another data integrity verification method provided in the present application;
fig. 7 is a schematic flowchart of another data integrity verification method provided in the present application;
fig. 8 is a schematic flowchart of another data integrity verification method provided in the present application;
fig. 9 is a schematic flowchart of a data sending end signing a contract in an operator network according to the present disclosure;
fig. 10 is a flowchart illustrating a data integrity verification information uplink process according to the present disclosure;
fig. 11 is a schematic flow chart of updating data integrity verification information according to the present disclosure;
fig. 12 is a schematic flow chart of data integrity verification provided by the present disclosure;
fig. 13 is a schematic structural diagram of a data integrity verification apparatus provided in the present disclosure;
fig. 14 is a schematic structural diagram of a data integrity verification apparatus provided in the present disclosure;
fig. 15 is a schematic structural diagram of a data integrity verification apparatus provided in the present disclosure;
fig. 16 is a schematic structural diagram of an electronic device provided in the present disclosure.
Detailed Description
The data integrity verification system provided by the embodiment of the present application is described in detail below with reference to the accompanying drawings.
The term "and/or" herein is merely an association describing an associated object, meaning that three relationships may exist, e.g., a and/or B, may mean: a exists alone, A and B exist simultaneously, and B exists alone.
The terms "first" and "second" and the like in the description and drawings of the present application are used for distinguishing different objects or for distinguishing different processes for the same object, and are not used for describing a specific order of the objects.
Furthermore, the terms "including" and "having," and any variations thereof, as referred to in the description of the present application, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements but may alternatively include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that in the embodiments of the present application, words such as "exemplary" or "for example" are used to indicate examples, illustrations or explanations. Any embodiment or design described herein as "exemplary" or "e.g.," is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "such as" is intended to present relevant concepts in a concrete fashion.
Hereinafter, for the sake of understanding, the terms referred to in the embodiments of the present application will be explained first.
1. Machine type terminal
Machine type terminals are generally used for collecting generated data and are widely applied in the vertical industry. The application of machine type terminals has effectively facilitated the digital transformation of vertical industries such as agriculture, logistics, transportation, medical, environmental, supply chain finance, smart cities, etc.
With the development of 5G networks, machine type terminals are more and more widely applied, mass machine type terminals acquire data and then send the data to a service provider terminal, and the service provider terminal collects, summarizes and analyzes the acquired data. In addition, the service provider terminal can also forward the data collected by the machine type terminal to the upstream data consumer terminal. The data consumer terminal may obtain valuable data within the industry by analyzing the data. For example, in the agricultural industry, a data consumption terminal may determine environmental data (such as temperature and wind speed) for agricultural insurance based on data collected by a machine type terminal. In the used vehicle industry, the data consumption terminal may determine driving behavior data for used transaction vehicles based on data collected by the machine type terminal. In the traffic industry, data consuming terminals may determine traffic data for AI algorithm training based on data collected by machine type terminals.
The current machine type terminal directly reports the acquired data to the service provider terminal after acquiring the data, and the data can not be directly provided to the data consumption terminal. The data consumption terminal can only obtain the collected data from the service provider terminal, but cannot directly obtain the data from the machine type terminal. However, after the data consumption terminal receives the collected data, it cannot be determined whether the data provided by the service provider terminal is tampered, and it is difficult to verify whether the received collected data is the original data collected by the machine type terminal.
In many industries, such as agricultural insurance and distributed artificial intelligence applications, the requirement on data integrity (data authenticity) is very high, and if data consumption terminals in these industries perform data analysis and decision based on tampered data, unnecessary economic loss and security attack may be caused. Therefore, for a data consumption terminal, how to verify the integrity of the acquired data and ensure that the acquired data is the original data acquired by a source end and the data is not tampered becomes a problem to be solved urgently at present.
2. Data integrity
In the embodiment of the present disclosure, the data integrity is mainly used for the data receiving end (e.g., the data consuming terminal described above) to verify whether the received data is the original data sent by the data sending end (e.g., the machine type terminal described above). The data is prevented from being tampered in the intermediate forwarding process. As can be seen from the above description in the machine type terminal, there is a need for a current data consuming terminal to verify the data integrity of data provided by a service provider terminal.
In the related art, the integrity of data can be verified by using a symmetric key + one-way Hash function or an asymmetric key Hash manner. However, these solutions have at least the following problems.
The data integrity verification method adopting the symmetric key and the one-way Hash function can only verify the data integrity of the data in the point-to-point transmission process, but cannot verify whether the data is the original data provided by the source end. This may result in the service provider terminal tampering with the data before sending the data to the data consumer terminal, which cannot verify whether the data has been tampered with.
In the process of data integrity verification by using asymmetric key hash, the data integrity is verified by using a private key signature + public key signature verification (for example, ITU-T X.509, IETF RFC 4880). But in this way it is also not possible to verify whether the data is the original data provided by the source. For example, after the data is collected at the machine type terminal, the collected data is forwarded by the service provider terminal to the data consuming terminal. The data consumption terminal can only perform subsequent processing with the received data as raw data, or restrict the service provider to provide the raw data by way of declaration and contract. However, these methods cannot avoid the original data provided by the service provider terminal, and it is difficult to ensure the integrity of the data.
3. Embedded subscriber identity module (eSIM) and Trusted Execution Environment (TEE) technologies.
The eSIM and TEE can store confidential data and perform trusted operations at the machine type terminal, for example, generate a public-private key pair in the eSIM of the machine type terminal, or issue public key endorsement information to the eSIM in an OTA manner.
In the machine type terminal, when the machine type terminal needs to transmit data, the machine type terminal may call a predetermined interface through the OS to sign the collected data using a private key stored in the TEE or the eSIM, and then transmit the signed data to the service provider terminal.
4. 5G open capability architecture
Fig. 1 is a system architecture diagram of a 5G capability open architecture provided in an embodiment of the present application. In the 5G capability open architecture shown in fig. 1, the architecture includes: an Application Server (AS), a Network Element Function (NEF), a unified data management Function (UDM), a Policy Control Function (PCF), an access and mobility management Function (AMF), a Session Management Function (SMF), a Network Repository Function (NRF), a Network Entity.
The AS is an application server of an operator or a third-party application server and is used for providing network service capability of the operator or service capability of third-party application. The AS accesses the API interface of the NEF of the operator 5G network through the Nnef, and communicates with the NEF through the API interface.
The NEF is a capability opening network element of the operator, and is configured to open the network capability of the operator to a third-party service, open data (e.g., location information) in the core network to the AS, or transmit a service requirement (e.g., QoS policy) of the AS to a network element in the 5G core network.
The NEF is connected with the UDM through a NUDM interface, connected with the PCF through an Npcf interface, connected with the AMF through a Namf, connected with the SMF through an Nsmf, connected with the NRF through an Nnrf and connected with the Network Entity through a 3GPP interface.
It should be noted that, in the embodiment of the present disclosure, a long-term data integrity verification service may be provided for data collected by a machine type terminal through an AS function of an operator.
5. Block chain
Blockchains are a data storage technique that is commonly maintained by multiple parties, stores data in a blockchain structure, and uses cryptography to secure transmission and access. The effects of data consistent storage, incapability of tampering and incapability of repudiation can be realized through the block chain technology.
The blockchain usually comprises a plurality of blockchain nodes, the plurality of nodes respectively store the ledgers in the blockchain, and the P2P technology is used for synchronizing the ledgers, so that the consistency of the stored ledgers of each node is ensured. When the data in the account book needs to be updated, the plurality of nodes adopt a consensus mechanism to confirm the record written in the account book. Therefore, the data written into the block chain account book can be guaranteed to be written under the condition that the plurality of nodes confirm together, the data which is not confirmed by the plurality of nodes together cannot be written, and the data written into the block chain account book cannot be tampered and is traceable.
The blockchains are divided according to the types of allowed access users into: public, federation, and private chains. Wherein the public chain allows any terminal to access and use ledger accounting. The federation chain only allows access and accounting using the ledger for terminals of a particular individual or terminals of a particular enterprise. Private chains only allow enterprise internal nodes to maintain and use blockchains.
Fig. 2 is a schematic structural diagram of a block chain according to an embodiment of the disclosure. As shown in fig. 2, the blockchain includes a plurality of blockchain nodes Peer, and the blockchain nodes are connected to each other. The blockchain node is provided with an intelligent contract (only the blockchain node 3 is shown as an example in the figure, and other nodes are similar to the blockchain node 3).
Each block link point comprises a block chain Ledger (leader), and the block chain Ledger is used for storing data, for example, storing data in a hash form.
It should be noted that in the embodiment of the present disclosure, the data integrity verification information may be stored by using a block chain technique. Such as public key information, Mobile Station International Subscriber Number (MSISDN), Integrated Circuit Card Identifier (ICCID), device sequence information, hash algorithm, timestamp, etc., and provides a data integrity verification server for the terminal through the open capability of the 5G network. Therefore, the data integrity verification of the whole data life cycle is ensured when the vertical industry collects data through the machine type terminal, the trust cost generated in the data stream conversion and reapplication process is reduced, and the digital conversion and data application of the vertical industry are promoted.
The technical terms related to the embodiments of the present application are described above in detail.
As can be seen from the above description of the machine type terminal and the data integrity verification, in the current data transmission process (especially, in the process of forwarding data by a third party), the data receiving end has a need to verify the data integrity of the received data.
For example, in an application scenario of a vertical industry, a machine type terminal sends collected data to a service provider terminal, and the service provider terminal forwards the data to a data consumption terminal. In this scenario, it is difficult for the data consuming terminal to verify whether the service provider terminal has tampered with the data collected by the machine type terminal. Resulting in the data consuming terminal being unable to determine the data integrity of the received data.
In order to solve the problems in the related art, an embodiment of the present application provides a data integrity verification system, where data integrity verification information of a data sending end is stored in a data integrity verification server DIVS AS, after a data receiving end receives data to be verified and a first digital signature of the data to be verified, the data integrity verification information of the data sending end is obtained from the DIVS AS, the first digital signature is verified according to the data integrity verification information, and when the first digital signature passes verification, the data is represented AS original data acquired by a data acquisition terminal, so AS to represent that the data integrity verification of the data is successful.
Fig. 3 is a system architecture diagram of a data integrity verification system provided in an embodiment of the present application in a vertical industry scenario.
AS shown in fig. 3, the data integrity verification system includes a machine type terminal 301, a data integrity verification server (DIVS AS)302, a data consumption terminal 303, a capability openness function network element 304, a user data storage network element 305, and another data integrity verification service network element 306.
The machine type terminal 301 is provided with an APP for implementing different application functions. The machine type terminal has an operating system OS built therein. The machine type terminal has an eSIM installed therein, which enables the machine type terminal to transmit data through an operator network (e.g., a 5G network). An applet for generating a key pair (e.g., the first public key and the first private key) may also be installed in the machine type terminal eSIM. The first private key is always stored in the applet, leakage of the first private key is avoided, and the first public key can be sent to other terminals, so that the other terminals can decrypt data encrypted by the first private key according to the first public key. Optionally, a 5G communication module and an Embedded Universal Integrated Circuit Card identifier (eUICC) eUICC may also be Integrated in the machine type terminal, so that the machine type terminal has a 5G communication capability.
The data integrity verification server 302 is configured to store data integrity verification information of the data sending end, and provide data integrity verification information for the data receiving end. Alternatively, the data integrity verification server may be a third party entity deployed in the operator network. The data integrity verification server 302 may specifically include a signaling processing module 3021, an access control module 3022, a data management module 3023, and a blockchain ledger 3024.
The data consuming terminal 303 is a third party terminal for collecting, using, and circulating data collected by the machine type terminal. For example, it may be a terminal of an individual or a terminal in an enterprise.
The capability openness function network element 304 may illustratively be a capability openness function network element in a 5G core network, such as NEF, for enabling communication between a third party application (e.g., a data integrity verification server) and an operator core network.
The user data storage network element 305 is configured to store data of the user terminal, for example, in the embodiment of the present disclosure, the user data storage network element 305 is configured to store subscription information of the machine type terminal.
The other data integrity verification service network elements 306 are data integrity verification servers deployed in different core networks of the same operator, or data integrity verification servers of other operators; and the block chain account book function of the data integrity verification server forms a block chain network.
A system architecture diagram of a data integrity verification system in a vertical industry scenario is described above in detail.
Hereinafter, the data integrity verification method according to the embodiment of the present application will be described in detail.
Fig. 4 is a data integrity verification method provided in an embodiment of the present application, and as shown in fig. 4, the method includes the following steps:
s401, the data sending end generates target data.
The target data comprises data to be verified, a first digital signature and a first identifier; the first digital signature is generated after the data to be verified is signed according to the first private key; the first private key is a private key in a first key pair generated by the data sending end; the first identifier is a storage identifier of data integrity verification information of the data sending end in the DIVS AS.
In a specific implementation manner, the data sending terminal collects data, and the collected data is used as data to be verified. The data sending end adopts a first private key to sign the data to be verified, and generates a first digital signature. The data transmitting end acquires a first identifier which is used for indicating the storage of data integrity verification information of the data transmitting end in a DIVS AS.
And the data sending end takes the data to be verified, the first digital signature and the first identification as target data.
In a possible implementation manner, the target data further includes a timestamp of the first digital signature. The timestamp of the first digital signature is used to indicate the time of generation of the first digital signature.
S402, the data sending end sends the target data to the data receiving end. Accordingly, the data receiving end receives the target data sent by the data sending end.
In a possible implementation manner, the data sending end may send the target data to the data receiving end through an operator network.
Or, the data sending end sends the target data to the data forwarding device, and the data forwarding device sends the target data to the data receiving end.
For example, in a vertical industry scenario, a data sending end (machine type terminal) sends target data to a service provider terminal, and the service provider terminal forwards the data to a data receiving end (data consuming terminal).
It should be noted that the data sending end may also send the target data to the data receiving end in other manners, which is not limited in this application.
S403, the data receiving end sends first indication information to the DIVS AS. Accordingly, the DIVS AS receives the first indication information from the data receiving end.
The first indication information is used for indicating a DIVS AS to inquire data integrity verification information corresponding to the first identifier; the data integrity verification information comprises a first public key; the first public key is a public key in a first key pair generated by the data sending end.
In a specific implementation manner, after receiving target data, a data receiving end extracts a first identifier in the target data, and generates first indication information according to the first identifier. And the data receiving end sends the first indication information to the DIVS AS.
In a possible implementation manner, the data integrity verification information may further include a subscription validity period of the data sending end.
S404, the DIVS AS inquires data integrity verification information corresponding to the first identification.
In a possible implementation manner, the DIVS AS includes a block chain ledger, where the block chain ledger is used to store data integrity verification information of at least one data sending end.
And after receiving the first identifier, the DIVS AS queries data integrity verification information corresponding to the first identifier in the block chain account book according to the first identifier.
405. And the DIVS AS sends data integrity verification information to the data receiving end. Accordingly, the data receiving end receives the data integrity verification information from the DIVS AS.
It should be noted that, after receiving the data integrity verification information from the DIVS AS, the data may verify the received data from the data sending end through the data integrity verification information, thereby completing the data integrity verification on the data to be verified.
The scheme at least has the following beneficial effects: in the embodiment of the disclosure, after the data is acquired by the data transmitting end, the data is digitally signed by using the first private key, and then the digital signature and the data to be verified are uniformly transmitted to the data receiving end. After the data receiving end receives the data, the data integrity verification information of the data sending end is obtained from the DIVS AS, the first digital signature is verified by using the first public key in the data integrity verification information, if the verification is successful, the signature is performed according to the first private key according to the first digital signature, and the first private key is a secret key inside the data sending end and is not easy to steal from the outside. Therefore, under the condition that the first digital signature is successfully verified, the first digital signature is obtained after the data sending end signs the data to be verified, and therefore the data to be verified is the original data sent by the data sending end. Based on this, the data receiving end can determine whether the received data is the original data sent by the data sending end according to the method, so that the data integrity of the data to be verified is effectively verified.
In a possible implementation manner, as shown in fig. 4, after S405, the method further includes:
s406, the data receiving end verifies the first digital signature according to the first public key in the data integrity verification information.
In a possible implementation manner, when generating target data, the data sending end signs data to be verified (or hash of the data to be verified) according to a first private key and a first signature algorithm, and generates a first digital signature.
The data receiving end analyzes the first digital signature according to the first public key and the first signature algorithm, and determines whether the analyzed data is consistent with the data to be verified (or the hash of the data to be verified). And if so, determining that the first digital signature is valid. And if not, determining that the first digital signature is invalid.
S407, the data receiving end determines the data integrity of the data to be verified according to the verification result of the first digital signature.
And the data receiving end determines that the data integrity verification of the data to be verified is successful under the condition that the first digital signature is valid. In the case where the first digital signature is invalid, it is determined that the data integrity verification with the verification data fails.
In one possible implementation, the target data further includes a timestamp of the first digital signature; the data integrity verification information further includes: under the condition of the contract signing validity period of the data sending end;
the data receiving end can also verify whether the timestamp of the first determined digital signature is within the signing validity period of the data sending end; and if so, determining that the data integrity verification of the data to be verified is successful. And if not, determining that the data integrity verification of the data to be verified fails.
That is, the data receiving end may jointly verify the data integrity of the data to be verified according to the first digital signature and the timestamp of the first digital signature.
In this way, the data receiving end can specifically judge whether the terminal is in the signing effective time period or not according to whether the timestamp of the first digital signature is within the signing effective period or not, and determine that the integrity verification of the data collected by the data sending end within the signing effective period is successful, and the integrity verification of the data collected by the data sending end outside the signing effective period is failed.
In a possible implementation manner, before the data receiving end performs verification according to the data integrity verification information provided by the DIVS AS, the DIVS AS may interact with the data transmitting end to obtain the data integrity verification information of the data transmitting end, and store the data integrity verification information in the block chain.
AS shown in fig. 5, the method for storing data integrity verification information in a blockchain by a DIVS AS includes the following steps:
s501, the data sending end generates first data.
The first data comprises a first public key, a signature algorithm set supported by the data sending end and first terminal information of the data sending end.
In a specific implementation manner, the data sending end obtains the first public key, the signature algorithm set supported by the data sending end, and the first terminal information of the data sending end. And the data sending end takes the first public key, the signature algorithm set supported by the data sending end and the first terminal information as first data.
Optionally, the first data further includes a first signature algorithm and a second digital signature. In this case, the step may be specifically implemented as: a data sending end generates a first key pair; the first key pair includes a first public key and a first private key.
The data sending end acquires first terminal information of the data sending end.
And the data sending end signs the first public key and the first terminal information according to the first private key and the first signature algorithm and determines a second digital signature.
And the data sending end generates first data according to the first public key, the first signature algorithm and the second digital signature.
Thus, the data sending end generates a first public key and a first private key, stores the first private key and sends the first public key to the DIVS AS. In addition, the data sending end adopts the first private key and the first signature algorithm to sign the metadata to generate a second digital signature, so that the DIVS AS can verify the second digital signature according to the first public key and the first signature algorithm to ensure the accuracy of the received first data.
S502, the data sending end generates second indication information comprising the first data.
Specifically, the data sending end generates second indication information, loads the first data in the second indication information, and sends the second indication information to the DIVS AS.
S503, the data transmitting end transmits second indication information to the DIVS AS. Accordingly, the DIVS AS receives the second indication information from the data transmitting terminal.
And S504, the DIVS AS acquires the subscription information of the data sending end according to the first terminal information in the second indication information.
The subscription information includes: and the signing validity information of the data sending end.
In a specific implementation manner, AS shown in fig. 6, the process of obtaining the subscription information of the data sending end by the DIVS AS may be specifically implemented by the following steps:
s601, DIVS AS sends a contract information acquisition request to NEF. Accordingly, the NEF receives a subscription information acquisition request from the DIVS AS.
The subscription information acquisition request comprises first terminal information.
In a specific implementation manner, the first data further includes a second digital signature; the second digital signature is a digital signature generated after the first public key and the first terminal information are signed according to the first public key and a first signature algorithm; the step can be specifically realized as follows:
the second digital signature is verified according to the first public key and a first signature algorithm.
And under the condition that the second digital signature passes verification, acquiring the first terminal information in the first data.
And generating a subscription information acquisition request according to the first terminal information.
Therefore, based on the above, the DIVS AS signs the data integrity verification information again, so that the data receiving end can check the signature according to the signature information of the block chain after receiving the data integrity verification information, and the data integrity verification information is ensured to be the information from the DIVS AS.
S602, the NEF transmits the subscription information acquisition request to the UDM.
S603, the UDM sends subscription information to the NEF.
The subscription information comprises subscription information of the data sending end.
In a specific implementation manner, after receiving the subscription information acquisition request, the UDM queries subscription information corresponding to the first terminal information according to the first terminal information in the subscription information acquisition request. And the UDM generates subscription information according to the subscription information corresponding to the first terminal information and sends the subscription information to the NEF.
And S604, the NEF sends the subscription information to the DIVS AS. Accordingly, the DIVS AS receives subscription information from the NEF.
S605, after receiving the subscription information, the DIVS AS acquires the subscription information of the data sending end from the subscription information.
According to the S601-S606.DIVS AS, the subscription information of the data sending end can be obtained through NEF and UDM.
And S505, the DIVS AS determines the data integrity verification information according to the first data and the subscription information.
In a possible implementation manner, the step may be specifically implemented as: and the DIVS AS generates a first data set to be signed according to the first data and the signing data. The DIVS AS signs the first data set to be signed according to the second private key and the second signature algorithm, and determines a third digital signature; the second private key belongs to a second key pair generated by the DIVS AS. And the DIVS AS determines the data integrity verification information according to the first data set to be signed, the certificate corresponding to the second private key and the third digital signature.
Optionally, the subscription information further includes a subscription validity period, and at this time, the DIVS AS first verifies whether the subscription of the data sending end is in the subscription validity period.
And if the contract of the data sending end is in the contract validity period, the DIVS AS determines the data integrity verification information according to the first data and the contract information.
And if the contract of the data sending end is not in the contract validity period, the DIVS AS returns a registration failure message to the data sending end.
S506, the DIVS AS stores the data integrity verification information in the block chain.
Based on this, before performing data integrity verification, the data sending end may store data integrity verification information in the block chain by interacting with the DIVS AS. Therefore, when the data receiving end requests the data integrity verification information, the data sending end can acquire the data integrity verification information from the block chain so as to avoid tampering the data integrity verification information.
In addition, before storing the data integrity verification information in the block chain, the DIVS AS acquires the subscription information of the data sending end from the operator network, compares whether the terminal information of the data sending end is consistent with the terminal information in the subscription information, and stores the data integrity verification information in the block chain under the condition of consistency. And the data stored in the block chain by the DIVS AS is ensured to be the data integrity verification information of the data transmitting end.
And S507, generating a first transaction identifier by the DIVS AS according to the storage information of the data integrity verification information in the block chain.
The first transaction identification is used for the data sending end to determine the first identification.
S508, the DIVS AS sends the first transaction identification to the data sending end. Correspondingly, the data transmitting end receives the first transaction identification from the DIVS AS.
Optionally, the DIVS AS may further send address information of the DIVS AS to the data sending end, so that the data sending end and the data receiving end obtain data integrity verification information from the DIVS AS according to the address information. The method specifically comprises the following steps:
s509, generating first address information by a DIVS AS; the first address information is address information of a DIVS AS storing data integrity verification information corresponding to the first transaction identifier;
s510, the DIVS AS sends first address information to the data sending end. Accordingly, the data transmitting end receives the first address information from the DIVS AS.
Optionally, after the data sending end receives the first transaction identifier, the data sending end may generate the first identifier according to the first transaction identifier.
After the data sending end receives the first address information, the data sending end can also add the first address information to the target data, so that the data receiving end can determine the DIVS AS for storing the data integrity verification information of the data sending end according to the first address information.
It should be noted that, in the above description, the DIVS AS is taken AS an example to generate and send the first transaction identifier and the first address information respectively, in an actual process, the DIVS AS may send the first transaction identifier and the first address information to the data sending end in the same message after generating the first transaction identifier and the first address information respectively.
Based on this, the DIVS AS sends the transaction identifier and the DIVS AS entry address to the data sending end, so that the data sending end can generate the first identifier according to the transaction identifier, and the DIVS AS entry address is carried in the data, and the data receiving end can acquire data integrity verification information from the DIVS AS according to the DIVS AS entry address.
In a possible implementation manner, after the subscription information of the data sending end is updated, the embodiment of the present application further provides a method for updating the data integrity verification information of the data sending end according to the updated subscription information.
As shown in fig. 7, the method includes:
s701, the data sending end eSIM signing update triggers a UDM subscription contract change event.
Specifically, if an install terminal of an eSIM needs to update subscription information, an eSIM subscription information update flow is triggered. The UDM listens for contract change events and instructs the NEF to update the subscription information for the eSIM.
S702, the UDM sends an eSIM subscription update message to the NEF.
S703, NEF sends contract information update message to DIVS AS. Accordingly, the DIVS AS receives a subscription information update message from the NEF.
Wherein, the subscription information update message includes: second terminal information, and the subscription information updated by the data sending terminal.
S704, the DIVS AS inquires the block chain to include the latest target data integrity verification information of the second terminal information.
It should be noted that, in the embodiment of the present application, the latest target data integrity verification information refers to the data integrity verification information that is updated last time. For example, the DIVS AS may determine the latest updated data integrity verification information according to the time tag of the data integrity verification information, and use the latest updated data integrity verification information AS the latest target data integrity verification information.
And S705, updating the latest target data integrity verification information by the DIVS AS according to the updated subscription information.
In a specific implementation manner, a first operation is executed on each piece of target data integrity verification information, and each piece of updated target data integrity verification information is determined;
the first operation includes: generating a second data set to be verified according to the first data and the updated subscription information;
signing the second data set to be signed according to the second private key and a second signature algorithm, and determining a fourth data signature;
and determining the updated target data integrity verification information according to the second data set to be signed, the certificate corresponding to the second private key and the fourth digital signature.
And S706, the DIVS AS stores the updated latest target data integrity verification information in the block chain.
Based on this, after the subscription information of the data sending end is changed, the UDM can timely notify the DIVS AS to update the subscription information. After that, the DIVS AS stores the updated subscription information of the data sending end in the block chain, so that the data receiving end can verify the data integrity of the data to be verified according to the updated subscription information.
Optionally, after S706, the method further includes:
and S707, the DIVS AS determines the updated latest target data integrity verification information.
S708, generating a second transaction identifier corresponding to the updated latest target data integrity verification information by the DIVS according to the storage information of the updated latest target data integrity verification information in the block chain; the second transaction identity is used to determine the first identity.
And S709, the DIVS AS sends a second transaction identifier to the data sending end.
S710, generating second address information by the DIVS AS; the second address information is address information of a DIVS AS storing updated data integrity verification information corresponding to the second transaction identifier.
S711, the DIVS AS sends the second address information to the data sending end.
Based on this, the DIVS AS sends the updated transaction identifier (second transaction identifier) and the DIVS AS entry address to the data sending end, so that the data sending end can generate the first identifier according to the updated transaction identifier, and the data carries the DIVS AS entry address, so that the data receiving end can obtain the updated data integrity verification information from the DIVS AS according to the DIVS AS entry address.
In one possible implementation, after S707-S711, the method further includes the following steps:
and S712, the data sending end generates a first identifier according to the latest transaction identifier in the first transaction identifier and the second transaction identifier.
Optionally, the second transaction identifier is a transaction identifier generated according to the storage information of the latest updated data integrity verification information in the blockchain. At this time, the data sending end generates a first identifier according to the second transaction identifier.
S713, the data sending end generates a verification access address according to the latest address information in the first address information and the second address information.
Optionally, the second address information is address information of a DIVS AS storing the latest updated data integrity verification information corresponding to the second transaction identifier. At this time, the data transmitting end generates a verification access address according to the second address information.
Based on this, the data sending end can generate the first identifier according to the updated transaction identifier, so that the data receiving end can obtain the latest data integrity verification information according to the first identifier. Similarly, the data sending end produces the verification access address according to the address of the DIVS AS corresponding to the updated transaction identifier, so that the data receiving end can quickly and accurately determine the DIVS AS for obtaining the data integrity verification information.
As shown in fig. 8, the method provided in the embodiment of the present application further includes: and the data sending end registers on the account opening platform and determines the subscription information.
S801, the data sending end user sends third indication information to the account opening platform. Correspondingly, the account opening platform receives third indication information from the data sending end.
And the third indication information is used for indicating the equipment information of the data sending end registered by the account opening platform.
And S802, the account opening platform generates first terminal information according to the third indication information.
And S803, the account opening platform sends the first terminal information to the data sending end. Correspondingly, the data sending end receives the first terminal information from the account opening platform.
Based on this, the data sending end completes the subscription in the operator network, so that the UDM can obtain the subscription information of the data sending end, and the UDM can provide a verification basis for the DIVS AS in the data integrity verification information uplink process.
The technical solutions provided in the embodiments of the present application are described in detail above.
Hereinafter, the data integrity verification method provided by the embodiment of the present application will be described in detail with reference to specific applications of the data integrity verification information provided by the embodiment of the present application in the vertical industry.
In the embodiment of the present disclosure, the process of performing data integrity verification according to the data integrity verification method provided by the present application in the vertical industry may specifically include the following procedures:
the method comprises the steps of firstly, signing a contract in an operator network by a machine type terminal; a second process, namely a process of data integrity verification information chaining; a third flow is a flow for updating the data integrity verification information; and a fourth process of verifying the data integrity. The above-described flow is described below:
and the first process is a process of signing a contract in an operator network by the machine type terminal.
As shown in fig. 9, the flow of the machine type terminal signing up in the operator network includes the following S901-S904.
And S901, the machine type terminal sends the equipment subscription information to the account opening platform.
The device subscription information includes at least one of: common Name, location (country, region), home organization Name, mailbox address.
And S902, opening an account for the machine type terminal by the account opening platform.
The method specifically comprises the following steps: and the machine type terminal opens an account in the account opening platform, and registers information such as eUICC ID, IMEI, equipment serial number SN, equipment attribution entity name, deployment position, contact mailbox and the like of the machine type terminal.
And the account opening platform triggers the eSIM management platform to generate an eSIM profile and a secure applet. And in the process of generating the eSIM profile by the eSIM management platform, distributing the ICCID for the machine type terminal.
And the account opening platform binds the ICCID with the IMEI and the eUICC ID.
It should be noted that the information required in the above process includes at least one of the following: common Name, location (country, region), home organization Name, mailbox address.
And S903, accessing the machine type terminal to an operator network, and acquiring and installing the eSIM profile and the secure applet.
In a specific implementation manner, after accessing the operator network, the machine type terminal requests the eSIM management platform to download the eSIM profile and the secure applet. After the downloading is completed, the machine type terminal installs the eSIM profile and the secure applet in the eUICC.
In this way, the machine type terminal can encrypt data to be encrypted by using a web service through the eSIM and generating a key pair through the applet.
And S904, the account opening platform sends the subscription information to the UDM. Accordingly, the UDM receives and stores subscription information of the machine type terminal.
In this way, after the UDM stores the subscription information of the machine type terminal, the subscription information in the machine type may be sent to the DIVS AS, so that the DIVS AS verifies the machine type terminal according to the subscription information.
It should be noted that specific implementations of the above S901 to S904 may be mutually referred to with the above S801 to S803, and are not described herein again.
The above describes the process of signing a machine type terminal in an operator network, and based on the process, by binding the ICCID with the IMEI and the eUICC ID, unique identification of the machine type terminal can be completed through the above information. After that, the DIVS AS and the data consuming terminal may authenticate the machine type terminal based on the above information.
And a second process of data integrity verification information uplink.
As shown in fig. 10, the process of chaining the data integrity verification information can be implemented through the following steps S1001-S1012.
S1001, the machine type terminal generates a first key pair.
In one possible implementation, the machine type terminal calls a secure applet in the eUICC to generate a first key pair (based on ECC or RSA). The first key pair includes a first public key and a first private key.
It should be noted that the first private key is always stored in the secure applet and cannot be obtained by the machine type terminal or other devices, so that it is avoided that other devices send data to the data consuming terminal according to the first private key after stealing the first private key.
S1002, the machine type terminal acquires the metadata and generates first data according to the metadata.
The metadata includes at least one of: the first public key, IEMI, ICCID, eUICC ID, equipment serial number SN, MSISDN.
In one possible implementation manner, the machine type terminal application obtains the first public key generated by the secure applet through the ADPU instruction. The machine type terminal acquires first terminal information of the machine type terminal from the operating system interface and the communication module interface, wherein the first terminal information comprises at least one of the following information: IEMI, ICCID, eUICC ID, equipment serial number SN, MSISDN.
Wherein the first data includes: the system comprises metadata, a first signature algorithm for signing the metadata, and a first digital signature obtained after signing the metadata.
In one possible implementation, the machine type terminal application sends metadata to the secure applet. And the secure applet digitally signs the metadata according to a first private key in the public-private key pair and a first signature algorithm to obtain a first digital signature.
The machine type terminal generates first data according to the metadata, the first signature algorithm and the first digital signature.
S1003, the machine type terminal sends second indication information to the DIVS AS.
And the second indication information is used for carrying the first data.
In a possible implementation manner, the second indication information is: NDIVS AS _ DeviceMetadata _ registration.
Optionally, the data carried by the second indication information is shown in table 1 below.
TABLE 1
S1004, the DIVS AS verifies the first data according to the first public key and the first digital signature.
Optionally, the DIVS AS decrypts the first digital signature according to the first public key to obtain decrypted data. And the DIVS AS determines whether the decrypted data is consistent with the metadata or the hash of the metadata, and if so, determines that the verification is successful.
S1005, the DIVS AS sends the first subscription request information to the NEF.
The subscription request information is used for requesting to acquire subscription information of the machine type terminal.
Optionally, the DIVS AS accesses the NEF through a query interface (RP-EDI). And the access message carries the MSISDN, the ICCID and the IMEI and requests to acquire the subscription information of the machine type terminal corresponding to the MSISDN, the ICCID and the IMEI.
In one possible implementation manner, the subscription request information is: nnef _ Subscribersdata _ Request.
Optionally, data carried by the Nnef _ subscriberdata _ Request is shown in table 2 below.
TABLE 2
S1006, the NEF sends a second subscription request message to the UDM.
Specifically, the NEF determines the UDM to which the machine type terminal belongs, according to the user identifier in the second subscription request message. The NEF sends a second subscription request message to the homed UDM.
Optionally, the NEF forwards at least one of the MSISDN, the ICCID, and the IMEI to the UDM, and requests to acquire the subscription information of the machine type terminal corresponding to the at least one of the MSISDN, the ICCID, and the IMEI. And the UDM inquires the subscription information with at least one item of information of the MSISDN, the ICCID and the IMEI through at least one item of the MSISDN, the ICCID and the IMEI and returns the inquired subscription information to the NEF.
In one possible implementation manner, the second subscription Request message is a Nusm _ subscriberbersdata _ Request.
Optionally, the data carried by the Nusm _ Subscribersdata _ Request is shown in table 3 below.
TABLE 3
S1007, the UDM sends a first subscription response message to the NEF.
Specifically, after receiving the second subscription request message, the UDM queries subscription data corresponding to at least one of MSISDN, ICCID, and IMEI carried in the second subscription request message, generates a first subscription response message according to the queried subscription data, and sends the first subscription response message to the NEF.
In one possible implementation manner, the first subscription Response message is Nusm _ subscriberbersdata _ Response.
Alternatively, the data carried by the Nusm _ Subscribersdata _ Response is shown in table 4 below.
TABLE 4
It should be noted that, if the UDM cannot query the subscription data corresponding to at least one of the MSISDN, the ICCID, and the IMEI, a failure message is returned to the NEF.
S1008, NEF sends a second subscription response message to the DIVS AS.
Specifically, after receiving the first subscription response message from the UDM, the NEF generates a second subscription response message according to the first subscription response message, and sends the second subscription response message to the DIVS AS.
In a possible implementation manner, the second subscription Response message is Nnef _ subscriberbersdata _ Response.
Alternatively, the data carried by the Nnef _ substscribersdata _ Response is shown in table 5 below.
TABLE 5
It is noted that if the NEF does not receive the first subscription response message from the UDM, a failure message is returned to the DIVS AS.
S1009 determines whether the first terminal information in the metadata and the second terminal information in the subscription information are consistent, and generates the first data set to be signed if the first terminal information in the metadata and the second terminal information in the subscription information are consistent.
Specifically, the DIVS AS compares the IEMI and MSISDN and ICCID in the metadata with the IEMI and MSISDN and ICCID in the subscription information to determine whether they are consistent. And if the data set is consistent with the signature data set, taking the metadata, the subscription information, the public key and the first signature algorithm information as a first data set to be signed.
Optionally, the DIVS AS may directly use the metadata, the subscription information, the public key, and the first signature algorithm information AS the first data set to be signed, or may construct a hash value of the metadata, the subscription information, the public key, and the first signature algorithm information AS the first data set to be signed. This is not limited in this application.
And S1010, generating data integrity verification information according to the first to-be-signed data set by the DIVS AS, and uploading the data integrity verification information to the block chain account book.
Specifically, the DIVS AS signs the first data set to be signed according to the second private key of the blockchain ledger and the second signature algorithm, and generates a second digital signature. And the DIVS AS uploads the first data set to be signed, the second digital signature and the CA certificate of the second private key AS data integrity verification information to the block chain account book.
Note that the blockchain ledger includes a previous transaction identifier (transfer ID) of the data integrity verification information. After the data integrity verification information is uploaded to the block chain account book, the DIVS AS sets the value of the previous transaction identifier of the data integrity verification information to be null, and sets the record state to be available.
S1011, the DIVS AS generates a transaction identifier of the verification information of the data complete line.
And S1012, the DIVS AS sends a transaction identifier to the machine type terminal.
Optionally, the DIVS AS further generates a URL of the DIVS AS entry, and synchronously sends the URL and the transaction identifier to the machine type terminal.
In one possible implementation, the transaction identification and URL are carried in an NDIVS AS _ DeviceMetadata _ registration _ Response message sent by the DIVS AS to the machine type terminal.
Alternatively, the data carried by the NDIVS AS _ devicematadata _ registration _ Response is shown in table 6 below.
TABLE 6
It is noted that the machine type terminal, after receiving the transaction identity and the URL, may store the transaction identity and the URL in a secure applet in the eUICC.
It should be noted that, in the second process, the certificate corresponding to the second private key provided by the DIVS AS may be a CA certificate generated by a member of the blockchain system managing based on the public-private key pair, or may be a CA certificate generated by an authoritative CA structure, or may be a self-signed CA certificate, which is not limited in this application.
Alternatively, the second signature algorithm and the first signature algorithm may be the same signature algorithm.
Optionally, the block chain account book includes a block chain client, and the client is configured to perform data reading and writing of the block chain account book and execution of the intelligent contract.
It is understood that the above signaling message may be transmitted through the HTTP GET method.
It should be noted that, in the second flow, data communication between the machine type terminal and the DIVS AS may be realized through opening a dedicated data interface. Data communication between the corresponding DIVS AS and the NEF can also be realized by opening a special data interface. The interaction function between the NEF and the UDM related to the disclosure can be realized by enhancing the existing interface function between the NEF and the UDM.
And a third process of updating the data integrity verification information.
AS shown in fig. 11, the DIVS AS first initiates subscription/unsubscription of subscription data events to the UDM. The UDM will inform the DIVS AS of the user subscription information update after the data sender subscription data update. The method specifically comprises the following steps:
s1101, the DIVS AS sends a first subscription data event subscription/unsubscription to the NEF.
The first subscription data event subscribe/unsubscribe message carries machine type terminal identification data such as user identification data MSISDN.
In one possible implementation, the subscription for the first subscription data event is: nfnef _ EventExposure _ SubscribersSignData _ SubscribeRequest.
The first subscription data event unsubscribe is as follows: nnef _ EventExpo _ SubscriptersSignData _ UnSubscripterequest
Alternatively, the data carried by the Nnef _ EventExposure _ subscribersigndata _ SubscribeRequest is shown in table 7 below.
TABLE 7
S1102, NEF sends the second subscription data event subscription/unsubscription to the UDM.
Specifically, the NEF queries the home subscriber data storage network element UDM based on the subscriber identity in the first subscription data event subscribe/unsubscribe request. NEF performs subscriber identity translation, translates the subscriber identity into IMSI or SUPI, and converts the Nnef _ EventExposure _ SubscribersSignData _ SubscribeRequest message into: the Nusm _ EventExpo _ SubscriptissSignData _ SubscripteRequest carries the parameters carried by the Nnef _ EventExpo _ SubscriptesSignData _ SubscripteRequest message.
Alternatively, the data carried by the Nusm _ EventExposure _ subscribeberssigndata _ SubscribeRequest is shown in table 8 below.
TABLE 8
It should be noted that the second subscription data event unsubscribe is: nusm _ EventExposure _ SubscriptbersSignData _ UnSubscribeRequest.
S1103, the UDM sends a first subscription data event subscribe/unsubscribe response to the NEF.
Specifically, the UDM performs subscriber subscription data event monitoring based on the subscriber identity, and sends a first subscription data event subscribe/unsubscribe response to the NEF.
In one possible implementation manner, the first subscription data event subscription response is Nusm _ EventExposure _ SubscribersSignData _ SubscribeResponse.
Alternatively, the data carried by the Nusm _ EventExposure _ subscribeberssigndata _ SubscribeRequest is shown in table 9 below.
TABLE 9
It should be noted that the first subscription data event/unsubscribe response is: nusm _ EventExposure _ SubscriptbersSignData _ UnSubscribeRequest.
And S1104, the NEF sends a subscription/unsubscription response of the second subscription data event to the DIVS AS.
In a possible implementation manner, the second subscription data event subscription response is: nnef _ EventExposure _ subscribersigndata _ SubscribeResponse.
Alternatively, the data carried by the nfef _ EventExposure _ subscribersignata _ SubscribeResponse is shown in table 10 below.
Watch 10
It should be noted that the change of the user subscription event mainly includes the following cases:
Case 4, the eUICC for the eSIM binding changes.
Case 5, MSISDN corresponding to ICCID changes.
Case 6, Applet deactivates.
Case 7, others.
The signaling is used for the DIVS AS subscribing to the user subscription information change notification from NEF, and the NEF subscribes to the UDM for the user subscription information change notification (the DIVS AS cannot subscribe to the UDM directly). Once the information in UDM relating to subscription MSISDN subscription de-registration, machine-card binding change, etc., UDM will be triggered to actively send notification.
It will be appreciated that the above-described signaling messages may be transmitted using the HTTP POST method.
It can be understood that the above description mainly takes the subscription as an example, and the flow and the signaling content in the process of releasing the subscription are similar, and are not described in detail in this disclosure.
The above describes the process of time subscription of the DIVS AS to the UDM in connection with S1001-S1004. Hereinafter, a process of notifying an event after the UDM updates the subscription data will be described.
S1105, eSIM sign-up deregistration triggers a UDM monitoring event.
Specifically, if a certain eSIM installation terminal needs to log off, an eSIM subscription log-off process is triggered. The UDM indicates NEF, which eSIM signs up for deregistration.
S1106, the UDM sends a first eSIM sign-up deregistration message to the NEF.
Wherein the first eSIM subscription deregistration message comprises at least one of: ICCID, MSISDN and binding IMEI, eSIM signing logout time.
In one possible implementation, the first eSIM subscription deregistration message is Nusm _ EventExposure _ SubscribersSignData _ Notify.
Optionally, the data carried by the Nusm _ EventExposure _ SubscribersSignData _ Notify is shown in table 11 below.
TABLE 11
S1107, NEF sends a second eSIM sign-up deregistration message to the DIVS AS.
Specifically, the NEF triggers a subscription notification event, sending a second eSIM subscription deregistration message to the DIVS AS.
In one possible implementation, the second eSIM subscription deregistration message is: nnef _ EventExpore _ SubscribersSignData _ Notify.
Alternatively, the data carried by the Nusm _ EventExposure _ SubscribersSignData _ Notify is shown in table 12 below.
TABLE 12
And S1108, the DIVS AS determines the corresponding transaction identifier according to the second eSIM signing logout message.
Specifically, after receiving the second eSIM subscription deregistration message, the DIVS AS acquires the ICCID, MSISDN, and IMEI in the second eSIM subscription deregistration message. The DIVS AS determines all transaction identities associated with ICCID, MSISDN and IMEI.
And S1109, updating the first data set to be signed corresponding to the transaction identifier by the DIVS AS to obtain a second data set to be signed.
Specifically, the DIVS AS updates eSIM sign-up and sign-off time in the first to-be-signed data set corresponding to each transaction identifier, and takes the updated first to-be-signed data set AS a second to-be-signed data set.
And the DIVS AS signs the second data set to be signed according to the second private key and the second signature algorithm to obtain a fourth digital signature.
S1110, the DIVS AS uploads the second data set to be signed, the fourth digital signature and the CA certificate of the second private key AS updated data integrity verification information to the block chain account book.
And S1111, the DIVS AS generates the transaction identification of the updated data integrity verification information.
S1112, the DIVS AS sends the updated transaction identifier of the data integrity verification information to the machine type terminal.
The specific implementation manner of S1111 and S1112 may refer to S1010 and S1011 described above, and is not described herein again.
The above description explains the procedure of subscription information update.
And a fourth process of verifying the data integrity.
As shown in fig. 12, the flow of data integrity verification may be specifically realized by the following S1201-S1207.
S1201, the machine type terminal obtains data to be verified.
Optionally, after the machine type terminal collects the data, the collected data is used as the data to be verified
And S1202, the machine type terminal generates target data according to the data to be verified.
The method specifically comprises the following steps: the machine type terminal adopts a first private key and a first signature algorithm to carry out digital signature to be verified, and a first digital signature is obtained.
And the machine type terminal calls the ADPU instruction, sends the data to the secure applet, signs the data to be verified by using a first private key and a first signature algorithm, and obtains a first digital signature and a timestamp of the first digital signature.
S1203, the machine type terminal sends the target data to the data consumption terminal.
Specifically, the machine type terminal generates target data according to the data to be verified, the first digital signature, the timestamp of the first digital signature and the first identifier.
The machine type terminal sends the target data to the data consuming terminal.
It should be noted that the machine type terminal may send the target data to the data consuming terminal directly, or send the target data to the data consuming terminal after being forwarded by another device, which is not limited in this application.
S1204, the data consumption terminal sends a data integrity verification information request message to the DIVS AS.
The data integrity verification information request message comprises a first identifier.
In one possible implementation manner, the data integrity verification information request message is: ndivs _ IntergrityVerification _ Request.
Alternatively, data carried by Ndivs _ IntergrityVerification _ Request is shown in table 13 below.
Watch 13
S1205, the DIVS AS inquires data integrity verification information related to the first identification.
Specifically, upon receipt of the request message by the DIVS AS, the first identity is determined. And the DIVS AS inquires data integrity verification information related to the first identifier in the block chain account book.
Optionally, the DIVS AS first queries the query block chain ledger and the first identification data integrity verification information, and determines metadata in the data integrity verification information. And then the DIVS AS determines the updated data integrity verification information based on the IEMI, the MSISDN and the ICCID in the metadata.
The DIVS AS sends the data integrity verification information and the updated data integrity verification information to the data consumption terminal
S1206, the DIVS AS sends data integrity verification information to the data consumption terminal.
In one possible implementation manner, the data integrity verification information request message is: ndivs _ IntergrityVerification _ Response.
Alternatively, data carried by Ndivs _ IntergrityVerification _ Response is shown in table 14 below.
TABLE 14
S1207, the data consumption terminal verifies the data integrity of the data to be verified according to the data integrity verification information.
Specifically, after receiving the data integrity verification information, the DIVS AS verifies the third digital signature or the fourth digital signature according to the CA integer of the first private key and the second public key in the data integrity verification information. And after the verification is successful, acquiring a first public key in the data integrity verification information, and verifying the first digital signature according to the first public key and a first signature algorithm. After the first digital signature verification passes, it is determined whether a timestamp of the first digital signature is within a subscription validity period of the machine type terminal. And if so, determining that the data integrity verification of the data to be verified is successful.
It is understood that the above signaling message may be transmitted through the method of HTTP GET.
The data integrity verification system, the functions of each device in the data integrity verification system, and the interaction between the devices according to the embodiments of the present application are described in detail above.
It can be seen that the technical solutions provided in the embodiments of the present application are mainly introduced from the perspective of methods. To implement the above functions, it includes hardware structures and/or software modules for performing the respective functions. Those of skill in the art will readily appreciate that the various illustrative modules and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is performed as hardware or computer software drives hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the embodiment of the present application, the data integrity verification apparatus (the data integrity verification apparatus may be any one of the above-mentioned data sending end, data receiving end, DIVS AS, NEF, or UDM) may be divided into function modules according to the above-mentioned method example, for example, each function module may be divided corresponding to each function, or two or more functions may be integrated into one processing module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. Optionally, the division of the modules in the embodiment of the present application is schematic, and is only a logic function division, and there may be another division manner in actual implementation.
Fig. 13 is a schematic structural diagram of a data integrity verification apparatus according to an embodiment of the present application, where the data integrity verification apparatus may be the above-mentioned DIVS AS. The data integrity verification apparatus includes: a communication unit 1301 and a processing unit 1302.
A communication unit 1301, configured to receive first indication information from a data receiving end; the first indication information is used for indicating a data integrity verification server DIVS AS to inquire data integrity verification information corresponding to a first identifier, and the first identifier is a storage identifier of the data integrity verification information of a data sending end in the DIVS AS; the processing unit 1302 is configured to query data integrity verification information corresponding to the first identifier; the processing unit 1302 is further configured to instruct the communication unit 1301 to send data integrity verification information to the data receiving end.
In a possible implementation manner, the first identifier belongs to target data sent by the data sending end to the data receiving end; the target data comprises data to be verified, a first digital signature and a first identifier; the first digital signature is generated after the data to be verified is signed according to the first private key; the first private key is a private key in a first key pair generated by the data sending end; the data integrity verification information comprises a first public key, and the first public key is a public key in a first key pair generated by the data sending end.
In one possible implementation, the apparatus further includes: the communication unit 1301 is further configured to receive second indication information from the data sending end; the second indication information is used for carrying first data; the first data comprises a first public key, a signature algorithm set supported by the data sending end and first terminal information of the data sending end; the communication unit 1301 is further configured to obtain subscription information of the data sending end according to the first terminal information in the second indication information; the subscription information includes: the signing validity information of the data sending end; the processing unit 1302 is further configured to determine data integrity verification information according to the first data and the subscription information; the processing unit 1302 is further configured to store the data integrity verification information in the block chain.
In a possible implementation manner, the communication unit 1301 is specifically configured to: sending a signing information acquisition request to a capability open platform NEF; the subscription information acquisition request comprises first terminal information; receiving subscription information from the NEF; the subscription information is the subscription information of the data sending end, which is returned by the NEF and acquired in the user data management network element UDM according to the first terminal information.
In a possible implementation manner, the first data further includes a second digital signature; the second digital signature is a digital signature generated after the first public key and the first terminal information are signed according to the first public key and a first signature algorithm; the processing unit 1302 is further configured to: verifying the second digital signature according to the first public key and a first signature algorithm; under the condition that the second digital signature passes verification, acquiring first terminal information in the first data; and generating a subscription information acquisition request according to the first terminal information.
In a possible implementation manner, the processing unit 1302 is specifically configured to: generating a first data set to be signed according to the first data and the signing data; signing the first data set to be signed according to a second private key and a second signature algorithm, and determining a third digital signature; the second private key belongs to a second key pair generated by the DIVS AS; and determining data integrity verification information according to the first data set to be signed, the certificate corresponding to the second private key and the third digital signature.
In a possible implementation manner, the communication unit 1301 is further configured to: sending a first transaction identifier to a data sending end; the first transaction identification is used for representing the storage information of the data integrity verification information in the blockchain.
In a possible implementation manner, the communication unit 1301 is further configured to: sending first address information to a data sending end; the first address information is address information of a DIVS AS storing data integrity verification information corresponding to the first transaction identifier.
In a possible implementation manner, the communication unit 1301 is further configured to: receiving a subscription information updating message from the NEF; the subscription information update message includes: second terminal information and the updated subscription information of the data sending terminal; the processing unit 1302 is further configured to query the block chain for latest target data integrity verification information including the second terminal information; the processing unit 1302 is further configured to update the latest target data integrity verification information according to the updated subscription information; the processing unit 1302 is further configured to store the updated latest target data integrity verification information in the blockchain.
In a possible implementation manner, the processing unit 1302 is further configured to: executing a first operation on the latest target data integrity verification information, and determining the updated latest target data integrity verification information; the first operation includes: generating a second data set to be verified according to the first data and the updated subscription information; signing the second data set to be signed according to the second private key and a second signature algorithm, and determining a fourth data signature; and determining updated latest target data integrity verification information according to the second data set to be signed, the certificate corresponding to the second private key and the fourth digital signature.
In a possible implementation manner, the communication unit 1301 is further configured to: sending a second transaction identifier to the data sending end; and the second transaction identifier is used for representing the storage information of the updated latest target data integrity verification information in the blockchain.
In a possible implementation manner, the communication unit 1301 is further configured to: sending second address information to a data sending end; the second address information is address information of a DIVS AS storing updated latest target data integrity verification information.
The processing unit 1302 may be a processor or a controller, among others. Which may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. A processor may also be a combination of computing functions, e.g., comprising one or more microprocessors in conjunction with a DSP or microprocessors, a combination of DSPs and microprocessors, or the like. The communication unit 1301 may be a transceiving circuit or a communication interface, etc. The storage module may be a memory. When the processing unit 1302 is a processor, the communication unit 1301 is a communication interface, and the storage module is a memory, the data integrity verification apparatus according to the embodiment of the present application may be a DIVS AS shown in fig. 3 to 12.
As shown in fig. 14, a schematic structural diagram of a data integrity verification apparatus according to an embodiment of the present application is provided, where the data integrity verification apparatus may be the data receiving end. The data integrity verification apparatus includes: a communication unit 1401 and a processing unit 1402.
A communication unit 1401 and a processing unit 1402; a communication unit 1401 for receiving target data from a data transmitting end; the target data includes: the data to be verified, the first digital signature and the first identifier are obtained; the first digital signature is a digital signature determined by signing the data to be verified according to the first private key; the first identification is a storage identification of data integrity verification information of the data sending end in a DIVS AS; the first private key is a private key in a first key pair generated by the data sending end; a processing unit 1402 for instructing the communication unit 1401 to transmit first instruction information to the DIVS AS; the first indication information is used for indicating a DIVS AS to inquire data integrity verification information corresponding to the first identifier; the processing unit 1402 is further configured to instruct the communication unit 1401 to receive data integrity verification information from the DIVS AS.
In a possible implementation manner, the data integrity verification information includes a first public key; the first public key is a public key in a first key pair generated by the data sending end; a processing unit 1402, further configured to: verifying the first digital signature according to the first public key in the data integrity verification information; and determining the data integrity of the data to be verified according to the verification result of the first digital signature.
In one possible implementation, the target data further includes a timestamp of the first digital signature; the data integrity verification information further includes: the subscription validity period of the data sending end; a processing unit 1402, further configured to: determining whether the timestamp of the first digital signature is within the signing validity period of the data sending end; and if so, determining that the data integrity verification of the data to be verified is successful.
In a possible implementation manner, the data integrity verification information specifically includes: the first data set to be signed, the certificate corresponding to the second private key and the third digital signature; the first data set to be signed comprises first data and subscription information; the first data comprises a first public key, a signature algorithm set supported by the data sending end and first terminal information of the data sending end; the subscription information includes: the subscription validity information of the data sending end and the second terminal information of the data sending end; the second private key is a private key in a second key pair generated by the DIVS AS; the third digital signature is a digital signature generated after the first data set to be signed is signed according to the second private key and the second signature algorithm; a processing unit 1402, further configured to: verifying the third digital signature according to the certificate corresponding to the second private key and a second signature algorithm; and under the condition that the third digital signature is verified successfully, acquiring a first public key in the first data set to be signed.
The processing unit 1402 may be a processor or a controller, among others. Which may implement or execute the various illustrative logical blocks, modules, and circuits described in connection with the disclosure herein. A processor may also be a combination of computing functions, e.g., comprising one or more microprocessors in conjunction with a DSP or microprocessors, a combination of DSPs and microprocessors, or the like. The communication unit 1401 may be a transceiver circuit or a communication interface or the like. The storage module may be a memory. When the processing unit 1402 is a processor, the communication unit 1401 is a communication interface, and the storage module is a memory, the data integrity verification apparatus according to the embodiment of the present application can be a data receiving end shown in fig. 3 to 12.
Fig. 15 is a schematic structural diagram of a data integrity verification apparatus according to an embodiment of the present application, where the data integrity verification apparatus may be the data sending end. The data integrity verification apparatus includes: a communication unit 1501, and a processing unit 1502.
A communication unit 1501 and a processing unit 1502; a processing unit 1502 for generating target data; the target data comprises data to be verified, a first digital signature and a first identifier; the first digital signature is generated after the data to be verified is signed according to the first private key; the first private key is a private key in a first key pair generated by the data sending end; the first identification is a storage identification of data integrity verification information of the data sending end in a DIVS AS; the communication unit 1501 is configured to send target data to the data receiving end, so that the data receiving end determines data integrity of the data to be verified according to the first identifier and the first digital signature.
In a possible implementation, the processing unit 1502 is further configured to generate first data; the first data comprises a first public key, a signature algorithm set supported by the data sending end and first terminal information of the data sending end; a processing unit 1502 for generating second indication information including the first data; the communication unit 1501 is further configured to send second indication information to the DIVS AS.
In a possible implementation manner, the processing unit 1502 is specifically configured to: generating a first key pair; the first key pair comprises a first public key and a first private key; acquiring first terminal information of a data sending end; signing the first public key and the first terminal information according to the first private key and a first signature algorithm, and determining a second digital signature; and generating first data according to the first public key, the first terminal information, the signature algorithm set supported by the data sending end and the second digital signature.
In a possible implementation, the communication unit 1501 is further configured to receive at least one of the first transaction identifier and the second transaction identifier from the DIVS AS; the first transaction identification is generated according to the storage information of the data integrity verification information in the block chain; the second transaction identification is generated according to the storage information of the updated data integrity verification information in the block chain; the processing unit 1502 is further configured to generate the first identifier according to a latest transaction identifier of the first transaction identifier and the second transaction identifier.
In one possible implementation, the target data further includes a verification access address; the verification access address is used for representing the address of a DIVS AS for storing data integrity verification information of a data sending end; a communication unit 1501 further configured to receive at least one of first address information and second address information from the DIVS AS; the first address information is address information of a DIVS AS storing data integrity verification information corresponding to the first transaction identifier; the second address information is the address information of DIVS AS for storing the updated data integrity verification information corresponding to the second transaction identifier; the processing unit 1502 is further configured to generate a verification access address according to the latest address in the first address information and the second address information.
In a possible implementation manner, the first terminal information includes at least one of an embedded universal integrated circuit card identifier eUICC ID/integrated circuit card identifier ICCID of the data sending end, an international mobile equipment identifier IMEI, and a mobile subscriber number MSISDN.
The processing unit 1502 may be a processor or a controller, among others. Which may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. A processor may also be a combination of computing functions, e.g., comprising one or more microprocessors in conjunction with a DSP or microprocessors, a combination of DSPs and microprocessors, or the like. The communication unit 1501 may be a transceiver circuit, a communication interface, or the like. The storage module may be a memory. When the processing unit 1502 is a processor, the communication unit 1501 is a communication interface, and the storage module is a memory, the data integrity verification apparatus according to the embodiment of the present application may be a data sending end shown in fig. 3 to 12.
The embodiment of the application provides an electronic device, which is used for executing a method required to be executed by any device in the data integrity determination system. The electronic device may be a data sending end, a data receiving end, a DIVS AS, NEF, or UDM, and the like, which is not limited in the present application. The electronic device may be an electronic device referred to in this application, or a module in an electronic device; or a chip in the electronic device, or other devices for executing the network quality determination method, which is not limited in this application.
Fig. 16 is a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 16, the electronic device 100 includes at least one processor 101, a communication line 102, and at least one communication interface 104, and may further include a memory 103. The processor 101, the memory 103 and the communication interface 104 may be connected via a communication line 102.
The processor 101 may be a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present application, such as: one or more Digital Signal Processors (DSPs), or one or more Field Programmable Gate Arrays (FPGAs). In particular implementations, processor 101 may perform the actions performed by processing unit 1302 in fig. 13, the actions performed by processing unit 1402 in fig. 14, or the actions performed by processing unit 1502 in fig. 15, as described above.
The communication link 102 may include a path for communicating information between the aforementioned components.
The communication interface 104 is used for communicating with other devices or a communication network, and may use any transceiver or the like, such as ethernet, Radio Access Network (RAN), Wireless Local Area Network (WLAN), and the like. In concrete implementation, the communication interface 104 may perform the actions performed by the communication unit 1301 in fig. 13, the actions performed by the communication unit 1401 in fig. 14, or the actions performed by the communication unit 1501 in fig. 15 described above.
The memory 103 may be, but is not limited to, a read-only memory (ROM) or other type of static storage device that may store static information and instructions, a Random Access Memory (RAM) or other type of dynamic storage device that may store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disk storage, optical disk storage (including compact disc, laser disc, optical disc, digital versatile disc, blu-ray disc, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to include or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
In a possible design, the memory 103 may exist separately from the processor 101, that is, the memory 103 may be a memory external to the processor 101, in which case, the memory 103 may be connected to the processor 101 through the communication line 102, and is used for storing execution instructions or application program codes, and is controlled by the processor 101 to execute, so as to implement the network quality determination method provided in the following embodiments of the present application. In yet another possible design, the memory 103 may also be integrated with the processor 101, that is, the memory 103 may be an internal memory of the processor 101, for example, the memory 103 is a cache memory, and may be used for temporarily storing some data and instruction information.
As one implementation, the processor 101 may include one or more CPUs, such as CPU0 and CPU1 of FIG. 16. As another implementation, the electronic device 100 may include multiple processors, such as the processor 101 and the processor 107 of FIG. 16. As yet another implementable manner, the electronic device 100 may also include an output device 105 and an input device 106.
Through the description of the above embodiments, it is clear to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional modules is merely used as an example, and in practical applications, the foregoing function distribution may be completed by different functional modules according to needs, that is, the internal structure of the network node is divided into different functional modules to complete all or part of the above described functions. For the specific working processes of the system, the module and the network node described above, reference may be made to the corresponding processes in the foregoing method embodiments, which are not described herein again.
The embodiment of the present application further provides a computer-readable storage medium, where instructions are stored in the computer-readable storage medium, and when the instructions are executed by a computer, the computer executes each step in the method flow shown in the above method embodiment.
Embodiments of the present application provide a computer program product comprising instructions which, when run on a computer, cause the computer to perform the communication method in the above-described method embodiments.
Embodiments of the present application provide a chip comprising a processor and a communication interface, the communication interface being coupled to the processor, the processor being configured to run a computer program or instructions to implement the communication method as in the above-mentioned method embodiments.
The computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, and a hard disk. Random Access Memory (RAM), Read-Only Memory (ROM), Erasable Programmable Read-Only Memory (EPROM), registers, a hard disk, an optical fiber, a portable Compact Disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any other form of computer-readable storage medium, in any suitable combination, or as appropriate in the art. An exemplary storage medium is coupled to the processor such the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be integral to the processor. The processor and the storage medium may reside in an Application Specific Integrated Circuit (ASIC). In embodiments of the invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
Since the apparatus, the device, the computer-readable storage medium, and the computer program product in the embodiments of the present invention may be applied to the method described above, for technical effects obtained by the apparatus, the computer-readable storage medium, and the computer program product, reference may also be made to the method embodiments described above, and details of the embodiments of the present application are not repeated herein.
The above description is only an embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions within the technical scope of the present disclosure should be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (46)
1. A method for verifying data integrity, comprising:
receiving first indication information from a data receiving end; the first indication information is used for indicating a data integrity verification server DIVS AS to inquire data integrity verification information corresponding to a first identifier, wherein the first identifier is a storage identifier of the data integrity verification information of the data sending end in the DIVS AS;
inquiring data integrity verification information corresponding to the first identification;
and sending the data integrity verification information to the data receiving end.
2. The method of claim 1, wherein the first identifier belongs to target data sent by the data sending end to the data receiving end; the target data comprises data to be verified, a first digital signature and a first identifier; the first digital signature is a digital signature generated after the data to be verified is signed according to a first private key; the first private key is a private key in a first key pair generated by the data sending end;
the data integrity verification information includes a first public key, and the first public key is a public key in a first key pair generated by the data sending end.
3. The method of claim 2, further comprising:
receiving second indication information from the data sending end; the second indication information is used for carrying first data; the first data comprises the first public key, a signature algorithm set supported by the data sending end and first terminal information of the data sending end;
acquiring the subscription information of the data sending end according to the first terminal information in the second indication information; the subscription information includes: the signing validity information of the data sending end;
determining the data integrity verification information according to the first data and the subscription information;
storing the data integrity verification information in a blockchain.
4. The method of claim 3, wherein the obtaining the subscription information of the data sending end according to the first terminal information comprises:
sending a signing information acquisition request to a capability open platform NEF; the subscription information acquisition request comprises the first terminal information;
receiving subscription information from the NEF; and the subscription information is the subscription information of the data sending end, which is returned by the NEF and acquired in a user data management network element UDM according to the first terminal information.
5. The method of claim 4, wherein the first data further comprises a second digital signature; the second digital signature is a digital signature generated after the first public key and the first terminal information are signed according to the first public key and a first signature algorithm;
after receiving the second indication information from the data transmitting end, the method further comprises:
verifying the second digital signature according to the first public key and the first signature algorithm;
under the condition that the second digital signature passes verification, acquiring first terminal information in the first data;
and generating the subscription information acquisition request according to the first terminal information.
6. The method according to any one of claims 3 to 5, wherein the determining the data integrity verification information according to the first data and the subscription information comprises:
generating a first data set to be signed according to the first data and the signing data;
signing the first data set to be signed according to a second private key and a second signature algorithm, and determining a third digital signature; the second private key belongs to a second key pair generated by the DIVS AS;
and determining the data integrity verification information according to the first data set to be signed, the certificate corresponding to the second private key and the third digital signature.
7. The method according to any one of claims 2-5, further comprising:
sending the first transaction identification to the data sending end; wherein the first transaction identifier is used for characterizing the storage information of the data integrity verification information in the blockchain.
8. The method of claim 7, further comprising:
sending the first address information to the data sending end; the first address information is address information of a DIVS AS storing data integrity verification information corresponding to the first transaction identifier.
9. The method according to any one of claims 2-5, further comprising:
receiving a subscription information update message from the NEF; the subscription information update message includes: the second terminal information and the updated subscription information of the data sending terminal;
inquiring latest target data integrity verification information including the second terminal information in the block chain;
updating the latest target data integrity verification information according to the updated subscription information;
and storing the updated latest target data integrity verification information in the block chain.
10. The method of claim 9, wherein updating the latest target data integrity verification information according to the updated subscription information comprises:
executing a first operation on the latest target data integrity verification information, and determining the updated latest target data integrity verification information;
the first operation includes: generating a second data set to be verified according to the first data and the updated subscription information;
signing the second data set to be signed according to the second private key and the second signature algorithm, and determining a fourth data signature;
and determining the updated latest target data integrity verification information according to the second data set to be signed, the certificate corresponding to the second private key and the fourth digital signature.
11. The method of claim 10, further comprising:
sending the second transaction identification to the data sending end; wherein the second transaction identifier is used for characterizing the storage information of the updated latest target data integrity verification information in the blockchain.
12. The method of claim 11, further comprising:
sending the second address information to the data sending end; wherein the second address information is address information of the DIVS AS storing the updated latest target data integrity verification information.
13. A method for verifying data integrity, comprising:
receiving target data from a data transmitting end; the target data includes: the data to be verified, the first digital signature and the first identifier are obtained; the first digital signature is a digital signature determined by signing the data to be verified according to a first private key; the first identifier is a storage identifier of data integrity verification information of the data sending end in the DIVS AS; the first private key is a private key in a first key pair generated by the data sending end;
sending first indication information to a DIVS AS; the first indication information is used for indicating the DIVS AS to inquire data integrity verification information corresponding to the first identifier;
receiving the data integrity verification information from the DIVS AS.
14. The method according to claim 13, wherein the data integrity verification information includes a first public key; the first public key is a public key in a first key pair generated by the data sending end; the method further comprises the following steps:
verifying the first digital signature according to the first public key in the data integrity verification information;
and determining the data integrity of the data to be verified according to the verification result of the first digital signature.
15. The method of claim 14, wherein the target data further comprises a timestamp of the first digital signature; the data integrity verification information further includes: the subscription validity period of the data sending end; the method further comprises the following steps:
determining whether the timestamp of the first digital signature is within the signing validity period of the data sending end;
and if so, determining that the data integrity verification of the data to be verified is successful.
16. The method according to claim 15, wherein the data integrity verification information specifically includes: the first data set to be signed, a certificate corresponding to the second private key and a third digital signature are obtained; the first data set to be signed comprises first data and subscription information; the first data comprises the first public key, a signature algorithm set supported by a data sending end and first terminal information of the data sending end; the subscription information includes: the subscription validity information of the data sending end and the second terminal information of the data sending end; the second private key is a private key in a second key pair generated by the DIVS AS; the third digital signature is a digital signature generated after the first data set to be signed is signed according to the second private key and a second signature algorithm;
after receiving the data integrity verification information from the DIVS AS, the method further comprises:
verifying the third digital signature according to the certificate corresponding to the second private key and the second signature algorithm;
and under the condition that the third digital signature is verified successfully, acquiring a first public key in the first data set to be signed.
17. A method for verifying data integrity, comprising:
generating target data; the target data comprises data to be verified, a first digital signature and a first identifier; the first digital signature is a digital signature generated after the data to be verified is signed according to a first private key; the first private key is a private key in a first key pair generated by the data sending end; the first identifier is a storage identifier of data integrity verification information of the data sending end in a DIVS AS;
and sending the target data to a data receiving end so that the data receiving end determines the data integrity of the data to be verified according to the first identifier and the first digital signature.
18. The method of claim 17, further comprising:
generating first data; the first data comprises the first public key, a signature algorithm set supported by a data transmitting end and first terminal information of the data transmitting end;
generating second indication information including the first data;
and sending the second indication information to the DIVS AS.
19. The method of claim 18, wherein generating the first data comprises:
generating a first key pair; the first key pair comprises a first public key and the first private key;
acquiring first terminal information of the data sending terminal;
signing the first public key and the first terminal information according to the first private key and a first signature algorithm, and determining a second digital signature;
and generating the first data according to the first public key, the first terminal information, a signature algorithm set supported by a data sending end and the second digital signature.
20. The method according to any one of claims 17-19, further comprising:
receiving at least one of a first transaction identification and a second transaction identification from the DIVS AS; the first transaction identifier is a transaction identifier generated according to the storage information of the data integrity verification information in the block chain; the second transaction identification is generated according to the storage information of the updated data integrity verification information in the block chain;
and generating the first identifier according to the latest transaction identifier in the first transaction identifier and the second transaction identifier.
21. The method of claim 20, wherein the target data further comprises a validation access address; the verification access address is used for representing the address of a DIVS (do not use virtual switch) AS for storing data integrity verification information of the data transmitting end; the method further comprises the following steps:
receiving at least one of first address information and second address information from the DIVS AS; the first address information is address information of a DIVS AS storing data integrity verification information corresponding to the first transaction identifier; the second address information is address information of a DIVS AS storing updated data integrity verification information corresponding to the second transaction identifier;
and generating the verification access address according to the latest address in the first address information and the second address information.
22. The method according to claim 21, wherein the first terminal information comprises at least one of embedded generic integrated circuit card identification euicid/integrated circuit card identification ICCID, international mobile equipment identity IMEI and mobile subscriber number MSISDN of the data sender.
23. A data integrity verification apparatus, comprising: a communication unit and a processing unit;
the communication unit is used for receiving first indication information from a data receiving end; the first indication information is used for indicating a data integrity verification server DIVS AS to inquire data integrity verification information corresponding to a first identifier, wherein the first identifier is a storage identifier of the data integrity verification information of the data sending end in the DIVS AS;
the processing unit is used for inquiring data integrity verification information corresponding to the first identifier;
the processing unit is further configured to instruct the communication unit to send the data integrity verification information to the data receiving end.
24. The apparatus according to claim 23, wherein the first identifier belongs to target data transmitted from the data transmitting end to the data receiving end; the target data comprises data to be verified, a first digital signature and a first identifier; the first digital signature is a digital signature generated after the data to be verified is signed according to a first private key; the first private key is a private key in a first key pair generated by the data sending end;
the data integrity verification information includes a first public key, and the first public key is a public key in a first key pair generated by the data sending end.
25. The apparatus of claim 24, further comprising:
the communication unit is further used for receiving second indication information from the data sending end; the second indication information is used for carrying first data; the first data comprises the first public key, a signature algorithm set supported by the data sending end and first terminal information of the data sending end;
the communication unit is further configured to acquire subscription information of the data sending end according to the first terminal information in the second indication information; the subscription information includes: the signing validity information of the data sending end;
the processing unit is further configured to determine the data integrity verification information according to the first data and the subscription information;
the processing unit is further configured to store the data integrity verification information in a block chain.
26. The apparatus according to claim 25, wherein the communication unit is specifically configured to:
sending a signing information acquisition request to a capability open platform NEF; the subscription information acquisition request comprises the first terminal information;
receiving subscription information from the NEF; and the subscription information is the subscription information of the data sending end, which is returned by the NEF and acquired in a user data management network element UDM according to the first terminal information.
27. The apparatus of claim 26, wherein the first data further comprises a second digital signature; the second digital signature is a digital signature generated after the first public key and the first terminal information are signed according to the first public key and a first signature algorithm; the processing unit is further configured to:
verifying the second digital signature according to the first public key and the first signature algorithm;
under the condition that the second digital signature passes verification, acquiring first terminal information in the first data;
and generating the subscription information acquisition request according to the first terminal information.
28. The apparatus according to any one of claims 25 to 27, wherein the processing unit is specifically configured to:
generating a first data set to be signed according to the first data and the signing data;
signing the first data set to be signed according to a second private key and a second signature algorithm, and determining a third digital signature; the second private key belongs to a second key pair generated by the DIVS AS;
and determining the data integrity verification information according to the first data set to be signed, the certificate corresponding to the second private key and the third digital signature.
29. The apparatus according to any of claims 24-27, wherein the communication unit is further configured to:
sending the first transaction identification to the data sending end; wherein the first transaction identifier is used for characterizing the storage information of the data integrity verification information in the blockchain.
30. The apparatus of claim 29, wherein the communication unit is further configured to:
sending the first address information to the data sending end; the first address information is address information of a DIVS AS storing data integrity verification information corresponding to the first transaction identifier.
31. The apparatus according to any of claims 24-27, wherein the communication unit is further configured to: receiving a subscription information update message from the NEF; the subscription information update message includes: the second terminal information and the updated subscription information of the data sending terminal;
the processing unit is further configured to query latest target data integrity verification information including the second terminal information in the block chain;
the processing unit is further configured to update the latest target data integrity verification information according to the updated subscription information;
the processing unit is further configured to store the updated latest target data integrity verification information in the block chain.
32. The apparatus of claim 31, wherein the processing unit is further configured to:
executing a first operation on the latest target data integrity verification information, and determining the updated latest target data integrity verification information;
the first operation includes: generating a second data set to be verified according to the first data and the updated subscription information;
signing the second data set to be signed according to the second private key and the second signature algorithm, and determining a fourth data signature;
and determining the updated latest target data integrity verification information according to the second data set to be signed, the certificate corresponding to the second private key and the fourth digital signature.
33. The apparatus of claim 32, wherein the communication unit is further configured to: sending the second transaction identification to the data sending end; wherein the second transaction identifier is used for characterizing the storage information of the updated latest target data integrity verification information in the blockchain.
34. The apparatus of claim 33, wherein the communication unit is further configured to: sending the second address information to the data sending end; wherein the second address information is address information of the DIVS AS storing the updated latest target data integrity verification information.
35. A data integrity verification apparatus, comprising: a communication unit and a processing unit;
the communication unit is used for receiving target data from a data transmitting end; the target data includes: the data to be verified, the first digital signature and the first identifier are obtained; the first digital signature is a digital signature determined by signing the data to be verified according to a first private key; the first identifier is a storage identifier of data integrity verification information of the data sending end in the DIVS AS; the first private key is a private key in a first key pair generated by the data sending end;
the processing unit is used for instructing the communication unit to send first instruction information to the DIVS AS; the first indication information is used for indicating the DIVS AS to inquire data integrity verification information corresponding to the first identifier;
the processing unit is further configured to instruct the communication unit to receive the data integrity verification information from the DIVS AS.
36. The apparatus according to claim 35, wherein the data integrity verification information includes a first public key; the first public key is a public key in a first key pair generated by the data sending end; the processing unit is further configured to:
verifying the first digital signature according to the first public key in the data integrity verification information;
and determining the data integrity of the data to be verified according to the verification result of the first digital signature.
37. The apparatus of claim 36, wherein the target data further comprises a timestamp of the first digital signature; the data integrity verification information further includes: the signing validity period of the data sending end; the processing unit is further configured to:
determining whether the timestamp of the first digital signature is within the signing validity period of the data sending end;
and if so, determining that the data integrity verification of the data to be verified is successful.
38. The apparatus according to claim 37, wherein the data integrity verification information specifically comprises: the first data set to be signed, the certificate corresponding to the second private key and the third digital signature; the first data set to be signed comprises first data and subscription information; the first data comprises the first public key, a signature algorithm set supported by a data sending end and first terminal information of the data sending end; the subscription information includes: the subscription validity information of the data sending end and the second terminal information of the data sending end; the second private key is a private key in a second key pair generated by the DIVS AS; the third digital signature is a digital signature generated after the first data set to be signed is signed according to the second private key and a second signature algorithm; the processing unit is further configured to:
verifying the third digital signature according to the certificate corresponding to the second private key and the second signature algorithm;
and under the condition that the third digital signature is verified successfully, acquiring a first public key in the first data set to be signed.
39. A data integrity verification apparatus, comprising: a communication unit and a processing unit;
the processing unit is used for generating target data; the target data comprises data to be verified, a first digital signature and a first identifier; the first digital signature is a digital signature generated after the data to be verified is signed according to a first private key; the first private key is a private key in a first key pair generated by the data sending end; the first identifier is a storage identifier of data integrity verification information of the data sending end in a DIVS AS;
the communication unit is configured to send the target data to a data receiving end, so that the data receiving end determines the data integrity of the data to be verified according to the first identifier and the first digital signature.
40. The apparatus of claim 39, wherein the processing unit is further configured to generate first data; the first data comprises the first public key, a signature algorithm set supported by a data sending end and first terminal information of the data sending end;
the processing unit is further used for generating second indication information comprising the first data;
the communication unit is further configured to send the second indication information to the DIVS AS.
41. The apparatus according to claim 40, wherein the processing unit is specifically configured to:
generating a first key pair; the first key pair comprises a first public key and the first private key;
acquiring first terminal information of the data sending terminal;
signing the first public key and the first terminal information according to the first private key and a first signature algorithm, and determining a second digital signature;
and generating the first data according to the first public key, the first terminal information, a signature algorithm set supported by a data sending end and the second digital signature.
42. The apparatus according to any of claims 39-41, wherein said communication unit is further configured to receive at least one of a first transaction identifier and a second transaction identifier from said DIVS AS; the first transaction identifier is a transaction identifier generated according to the storage information of the data integrity verification information in the block chain; the second transaction identification is generated according to the storage information of the updated data integrity verification information in the block chain;
the processing unit is further configured to generate the first identifier according to a latest transaction identifier of the first transaction identifier and the second transaction identifier.
43. The apparatus of claim 42, wherein the target data further comprises a validation access address; the verification access address is used for representing the address of a DIVS (do not use virtual switch) AS for storing data integrity verification information of the data transmitting end;
the communication unit is further configured to receive at least one of first address information and second address information from the DIVS AS; the first address information is address information of a DIVS AS storing data integrity verification information corresponding to the first transaction identifier; the second address information is address information of a DIVS AS storing updated data integrity verification information corresponding to the second transaction identifier;
the processing unit is further configured to generate the verification access address according to a latest address in the first address information and the second address information.
44. The apparatus of claim 43, wherein the first terminal information comprises at least one of an embedded Universal Integrated Circuit card identification (eUICCID)/Integrated Circuit Card Identification (ICCID) of the data sender, an International Mobile Equipment Identity (IMEI) and a Mobile subscriber number (MSISDN).
45. A data integrity verification apparatus, comprising: a processor and a memory; wherein the memory is configured to store computer-executable instructions, and when the data integrity verification apparatus is running, the processor executes the computer-executable instructions stored by the memory to cause the data integrity verification apparatus to perform the data integrity verification method of any one of claims 1-12; or performing the data integrity verification method of any one of claims 13-16; or to perform the data integrity verification method of any one of claims 17-22.
46. A computer-readable storage medium comprising instructions that, when executed, cause the computer to perform the data integrity verification method of any one of claims 1-12; or performing the data integrity verification method of any one of claims 13-16; or to perform the data integrity verification method of any one of claims 17-22.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210603462.7A CN114980107A (en) | 2022-05-30 | 2022-05-30 | Data integrity verification method and device and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210603462.7A CN114980107A (en) | 2022-05-30 | 2022-05-30 | Data integrity verification method and device and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114980107A true CN114980107A (en) | 2022-08-30 |
Family
ID=82958504
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210603462.7A Pending CN114980107A (en) | 2022-05-30 | 2022-05-30 | Data integrity verification method and device and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114980107A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115550918A (en) * | 2022-10-31 | 2022-12-30 | 中国联合网络通信集团有限公司 | Security data updating method, USIM, terminal, device and medium |
CN115550902A (en) * | 2022-10-31 | 2022-12-30 | 中国联合网络通信集团有限公司 | Security data updating method, USIM, terminal, device and medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111133731A (en) * | 2017-07-25 | 2020-05-08 | 瑞典爱立信有限公司 | Private key and message authentication code |
US20210234706A1 (en) * | 2018-08-10 | 2021-07-29 | Nokia Technologies Oy | Network function authentication based on public key binding in access token in a communication system |
CN113497709A (en) * | 2020-04-02 | 2021-10-12 | 浪潮云信息技术股份公司 | Trusted data source management method based on block chain, signature device and verification device |
CN113868713A (en) * | 2021-09-27 | 2021-12-31 | 中国联合网络通信集团有限公司 | Data verification method and device, electronic equipment and storage medium |
WO2022042417A1 (en) * | 2020-08-27 | 2022-03-03 | 华为技术有限公司 | Authentication method, apparatus and system |
-
2022
- 2022-05-30 CN CN202210603462.7A patent/CN114980107A/en active Pending
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111133731A (en) * | 2017-07-25 | 2020-05-08 | 瑞典爱立信有限公司 | Private key and message authentication code |
US20210234706A1 (en) * | 2018-08-10 | 2021-07-29 | Nokia Technologies Oy | Network function authentication based on public key binding in access token in a communication system |
CN113497709A (en) * | 2020-04-02 | 2021-10-12 | 浪潮云信息技术股份公司 | Trusted data source management method based on block chain, signature device and verification device |
WO2022042417A1 (en) * | 2020-08-27 | 2022-03-03 | 华为技术有限公司 | Authentication method, apparatus and system |
CN113868713A (en) * | 2021-09-27 | 2021-12-31 | 中国联合网络通信集团有限公司 | Data verification method and device, electronic equipment and storage medium |
Non-Patent Citations (1)
Title |
---|
徐云云;白光伟;沈航;黄中平;: "云存储中基于虚拟用户的数据完整性验证", 计算机科学, no. 05, 15 May 2017 (2017-05-15) * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115550918A (en) * | 2022-10-31 | 2022-12-30 | 中国联合网络通信集团有限公司 | Security data updating method, USIM, terminal, device and medium |
CN115550902A (en) * | 2022-10-31 | 2022-12-30 | 中国联合网络通信集团有限公司 | Security data updating method, USIM, terminal, device and medium |
CN115550902B (en) * | 2022-10-31 | 2024-03-19 | 中国联合网络通信集团有限公司 | Security data updating method, USIM, terminal, equipment and medium |
CN115550918B (en) * | 2022-10-31 | 2024-07-16 | 中国联合网络通信集团有限公司 | Security data updating method, USIM, terminal, equipment and medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11784788B2 (en) | Identity management method, device, communications network, and storage medium | |
Khodaei et al. | The key to intelligent transportation: Identity and credential management in vehicular communication systems | |
US9135629B2 (en) | User targeting management, monitoring and enforcement | |
CN114980107A (en) | Data integrity verification method and device and storage medium | |
CN107580790A (en) | Method and apparatus for providing profile | |
CN103477689A (en) | Method and apparatus for a control plane to manage domain-based security and mobility in an information centric network | |
KR20190004499A (en) | Apparatus and methods for esim device and server to negociate digital certificates | |
US11589212B2 (en) | Method and apparatus for managing event in communication system | |
CN113785532B (en) | Method and apparatus for managing and verifying certificates | |
KR20240051103A (en) | Apparatus and methods for ssp device and server to negociate digital certificates | |
KR20180093333A (en) | Apparatus and Methods for Access Control on eSIM | |
KR20190138994A (en) | Apparatus and method for installing and managing a profile by using messaging service | |
US11889586B2 (en) | Method and apparatus for negotiating EUICC version | |
Sicari et al. | A secure ICN-IoT architecture | |
KR20180062923A (en) | APPARATUS AND METHODS TO INSTALL AND MANAGE eSIM PROFILES | |
WO2023231782A1 (en) | Data integrity verification system | |
Jacobsen et al. | A Low-Cost Vehicle Tracking Platform Using Secure SMS | |
US11018966B2 (en) | Providing connectivity information | |
KR20220028863A (en) | Apparatus and method for managing events in communication system | |
CN102318376A (en) | Method of and system for implementing privacy control | |
KR102637120B1 (en) | APPARATUS AND METHOD FOR MANAGING AUTHORIZATION OF INSTALLING AN eUICC PROFILE | |
EP4175337A1 (en) | Method for managing at least one euicc information set (eis) of a euicc and intermediate buffer proxy | |
US20240236080A1 (en) | Systems and methods for service authorization in a delegated discovery deployment | |
KR20220142318A (en) | Method and apparatus for managing events in a wireless communication system | |
EP3863313A1 (en) | Method and server for pushing data to mno |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination |