CN116017460B - Signaling interaction method for improving security in 5G space-ground integrated scenarios


Publication number
CN116017460B
Authority
CN
China
Prior art keywords
user
core network
service
satellite
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202310021798.7A
Other languages
Chinese (zh)
Other versions
CN116017460A (en
Inventor
郝楠
张兴明
郑宁
朱向明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Lab
Original Assignee
Zhejiang Lab
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang Lab
Priority to CN202310021798.7A
Publication of CN116017460A
Application granted
Publication of CN116017460B

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/70: Reducing energy consumption in communication networks in wireless communication networks

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to the technical field of mobile communication and discloses a signaling interaction method for improving security in 5G space-ground integrated scenarios. The satellite core network is converged with the 5G core network in the manner of a visited network, and validity verification of the user is performed on the user plane network element of the satellite core network for services initiated by 5G users. This effectively reduces the possibility that services initiated by illegitimate users occupy network pipeline resources or attack the server side, while remaining compatible with the existing 5G system procedures. The invention is compatible with the system procedures and signaling structures of the existing 3GPP TS 23.502 and TS 29.244 (Release 17 versions, September 2021) and can be widely applied wherever a 5G pipeline needs to authenticate the legitimacy of the user of a legitimately registered terminal.

Description

Signaling interaction method for improving security in 5G space-ground integrated scenarios
Technical Field
The invention relates to the technical field of mobile communication, and in particular to a user plane method for enhancing the security of service flows between a mobile terminal and core network elements under a 5G space-ground integrated network architecture.
Background
The current 3GPP fifth-generation communication system (5G) work contains no study of the core network side. Meanwhile, item 11.3, "Space-ground integrated 5G network security scheme", of the CCSA TC12 working group's "General technical requirements for the space-ground integrated 5G network" describes the space-ground integrated architecture and its security requirements only in general terms: the security of the space-ground integrated 5G network is to be considered comprehensively from the aspects of physical security, data security and network operation security, and the content may include, but is not limited to, terminal connection security, space-based access network connection security, space-based core network connection security, ground-based access network connection security, ground-based core network connection security, network function security, user data security, physical and logical network isolation, network management security, network configuration security, and space-ground integrated service security. The technical means that may be adopted include, but are not limited to, network security protection technologies such as anti-destruction, anti-interference, secure access and secure routing, secure transmission, secure storage, and key management, so as to construct a space-ground integrated network security architecture and ensure the secure operation of the network system.
In a conventional 5G space-ground integration scenario, as shown in FIG. 1, a 5G terminal is connected to a 5G base station (gNB) through the air interface, the backhaul network of the 5G base station is provided by satellite relay through the satellite core network user plane to connect to the remote 5G core network, and the user is finally connected to the data network (DNN, Data Network Name) through the 5G data pipeline relayed by the satellite. The satellite user plane only provides a pipeline relay function between the 5G base station (gNB) and the 5G core network, and cannot parse control plane (CP) messages triggered by 5G user services. The 5G core network and the satellite core network belong to different operators and are independent of each other.
As shown in FIG. 2, integrating a conventional satellite system with the 5G network to form a space-ground integrated network has the following problems:
1. The existing 3GPP NTN standardization work considers only the air interface side. On the core network side there is no data sharing architecture or system procedure based on heterogeneous network convergence, so existing functions cannot be reused across systems. In addition, systems in a 5G heterogeneous network that are independent of the 5G system further increase deployment cost and operation and maintenance complexity.
2. Item 11.3, "Space-ground integrated 5G network security scheme", of the "General technical requirements for the space-ground integrated 5G network" proposed by CCSA TC12 has no specific architecture or technology yet.
3. An illegitimate user can use a terminal that is legitimately registered in the 5G system to initiate illegitimate services on the satellite relay pipeline and the 5G pipeline, preempting limited hardware processing resources. In addition, the illegitimate user can attack the data network side (DNN, Data Network Name), increasing the security protection cost of the data network servers.
4. There is no way to perform, based on a certificate authority, digital certificate verification of a device and of the user using that device at the same time.
As described above, heterogeneous systems networked with 5G need a new network architecture that can be deeply integrated with the 5G core network, so as to effectively strengthen the security guarantees for users who initiate services from legitimate terminals in the system.
Disclosure of Invention
The invention aims to provide a signaling interaction method for improving security in 5G space-ground integrated scenarios. It solves the problem that the existing 5G core network authenticates only the user terminal and not the user of the terminal, so that user plane network elements are occupied by large numbers of services initiated by illegitimate users.
To achieve the above purpose, the technical scheme of the invention is as follows:
The invention discloses a signaling interaction method for improving security in 5G space-ground integrated scenarios, which comprises the following steps:
Step 1: the satellite core network is networked with the 5G core network based on a home-routed roaming architecture;
Step 2: a digital certificate verification function is deployed on the satellite core network user plane, and the satellite core network user plane network element on which the function is deployed and the user bound to the 5G terminal each obtain their own digital certificate from the certificate authority;
Step 3: the satellite core network control plane session management network element issues a PFCP session creation or modification request, the received user plane gating instruction is loaded successfully, and the user plane performs gating autonomously according to the user validity check result;
Step 4: when the user initiates a user service from a terminal successfully registered to the 5G system, the user carries validity information in the service flow;
Step 5: after detecting that the service flow corresponding to the user has started, the satellite user plane network element gates the service flow according to the user validity verification result.
Preferably, in step 1, the satellite core network accesses the 5G core network as the visited PLMN, and some or all of its functions reuse 5G ground core network elements. The 5G terminal is connected to a 5G base station through the air interface, and the backhaul network of the 5G base station is provided by satellite relay, connecting to the remote 5G core network through the satellite core network service pipeline.
Preferably, in step 1, the control plane signaling of the satellite core network and the 5G core network is interconnected through the existing 3GPP Security Edge Protection Proxy (SEPP) interface; the user plane opens the satellite relay data plane pipeline through the existing N9 interface.
Preferably, in step 3, the validity check and autonomous gating of user service flows are implemented by enhancing the structure of the Gate Status information element in the Create/Update QoS Enforcement Rule (QER) message of the PFCP session creation or modification request issued by the control plane.
Preferably, in step 4, when the user initiates a user service from a terminal successfully registered to the 5G system, the user plane message carries information for user validity verification, which contains the user characteristic information and the bound device characteristic information.
Preferably, the user characteristic information comprises geographical location information, the validity period of use, and historical usage characteristic information; the bound device characteristic information comprises the device identification (ID), the device network identity, and the device MAC address.
Preferably, in step 4, within the service flow initiated by the user, the information carried for user validity verification is sent continuously, sent periodically, or announced by a specific flag indicating that the current service carries user validity information.
Preferably, in step 5, after receiving a service request initiated by the 5G terminal user, the satellite core network performs the user validity check on the user of the service; if the check passes, the service flow is let through, and if the check fails, the session release procedure is triggered.
The beneficial effects of the invention are as follows. The invention discloses a signaling interaction method for improving security in 5G space-ground integrated scenarios. It addresses the situation in which a traditional satellite only provides a relay pipeline and cannot parse control plane or user plane information, and it provides a service security enhancement for cases that require additional authentication of the legitimacy of the user of a terminal, on top of 5G, which only authenticates the terminal (the UE, including the SIM card). The satellite core network is converged with the 5G core network in the manner of a visited network, and validity verification of the user is performed on the user plane network element of the satellite core network for services initiated by 5G users. This effectively reduces the possibility that services initiated by illegitimate users occupy network pipeline resources or attack the server side, while remaining compatible with the existing 5G system procedures.
In addition, the invention is compatible with the system procedures and signaling structures of the existing 3GPP TS 23.502 and TS 29.244 (Release 17 versions, September 2021), falls within the scope of item 11.3, "Space-ground integrated 5G network security scheme", of the CCSA TC12 working group's "General technical requirements for the space-ground integrated 5G network" (draft for approval), and can be widely applied wherever a 5G pipeline needs to authenticate the legitimacy of the user of a legitimately registered terminal.
Drawings
FIG. 1 is a schematic diagram of a conventional 5G system combined with a satellite relay pipeline architecture;
FIG. 2 is a schematic diagram of an attack on network pipelines and data networks in a 5G space-ground integrated heterogeneous network;
FIG. 3 is a diagram of the roaming architecture of a conventional 5G system;
FIG. 4 is a schematic diagram of an asymmetric zero trust authentication flow based on a certificate authority;
FIG. 5 is a schematic diagram of the system flow for controlling traffic under the existing control plane and user plane separation architecture of the 5G system;
FIG. 6 is a schematic diagram of the 5G space-ground integrated network heterogeneous system collaboration architecture of the present invention, based on the 5G home-routed roaming architecture;
FIG. 7 is a schematic diagram of the enhanced asymmetric zero trust authentication flow of the present invention, based on a certificate authority;
FIG. 8 is a schematic diagram of the 5G space-ground integrated network heterogeneous system collaboration architecture of the present invention with the enhanced authentication procedure deployed;
FIG. 9 is a schematic diagram of the gating information element of the present invention;
FIG. 10 is a diagram illustrating the benefits to the industrial chain of the present invention;
FIG. 11 is a schematic diagram of the Gate Status of the present invention set to "gating according to user validity check";
FIG. 12 is a schematic overall flow chart of an embodiment of the invention.
Detailed Description
The present invention will be further described in detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the detailed description and specific examples, while indicating the invention, are intended for purposes of illustration only and are not intended to limit the scope of the invention. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the present invention.
The invention relates to a method for authenticating the user of a 5G satellite roaming pipeline through a function interaction architecture between heterogeneous systems in a 5G space-ground integrated networking scenario. On top of the existing 5G standard, which performs security authentication only for the terminal, it further improves the data pipeline's ability to identify an impostor using a 5G terminal and its protection against interception and leakage of user information, and it provides a new signaling interaction method for the security authentication function based on the TS 29.244 Packet Forwarding Control Protocol (PFCP).
First, the existing 5G system roaming architecture, the asymmetric zero trust authentication flow based on a certificate authority, and the system flow of service control under the existing control plane and user plane separation architecture of the 5G system are introduced.
As shown in FIG. 3, different operator networks in the current 5G system are interconnected through a roaming architecture. The visited network and the home network (home-routed) belong to the public land mobile networks (PLMN, Public Land Mobile Network) of different operators and are operated separately and independently of each other. The control planes and user planes of different PLMN operators are interconnected through the Security Edge Protection Proxy (SEPP) and the N9 interface respectively. The current 5G core network only authenticates the terminal (including the SIM/USIM card). It has no method for authenticating the legitimacy of the user of the terminal (for example, misuse of a handset that is legitimately registered with the 5G core network and holds a legitimate user's SIM card), and authentication of the user's legitimacy depends on the data network side (DNN, Data Network Name).
The existing zero trust security system based on a certificate authority (CA) is divided into two independent methods, user validity verification and device validity verification. By issuing digital certificates to the corresponding users/devices, it can effectively guarantee bidirectional identity verification between users/devices. FIG. 4 shows the CA-based asymmetric authentication method for users/devices, which comprises the following steps:
1. User/device A and user/device B each obtain a digital certificate from the certificate authority (CA). The certificate includes the basic certificate information, the CA public key, the public keys of all authorized users/devices (user A and user B in FIG. 4), and the basic user/device information. Through the issued digital certificates, user/device A and user/device B can each obtain the other party's public key;
2. User/device A initiates a communication request to user/device B. The request must contain information encrypted with the public key from user/device B's digital certificate and is sent to user/device B;
3. After receiving the request from user A, user/device B verifies whether the request was sent by user/device A and whether its content has been tampered with. If the received information was sent by user/device A and has not been tampered with, authentication succeeds; otherwise, authentication fails.
The current validity verification technology based on CA asymmetric encryption has no method for issuing a certificate that binds a user and a device together, so as to restrict a specific user to a specific device. Meanwhile, under the existing control plane and user plane separation architecture of the 5G system, gating of user plane traffic flows to cut off a designated service is possible only through detection rules and flow control rules issued by the control plane; the user plane itself cannot decide the policy autonomously. As shown in FIG. 5, the specific steps are as follows:
1. The control plane issues flow detection and flow control rules;
2. The user plane executes the flow detection and flow control rules issued by the control plane.
In view of the current technical schemes, an embodiment of the invention provides a signaling interaction method for improving security in 5G space-ground integrated scenarios, which comprises the following steps:
Step 1: the satellite core network is networked with the 5G core network based on a home-routed roaming architecture;
Step 2: a digital certificate verification function is deployed on the satellite core network user plane, and the satellite core network user plane network element on which the function is deployed and the user bound to the 5G terminal each obtain their own digital certificate from the certificate authority;
Step 3: the satellite core network control plane session management network element issues a PFCP session creation or modification request, the received user plane gating instruction is loaded successfully, and gating is performed according to the user validity check;
Step 4: when the user initiates a user service from a terminal successfully registered to the 5G system, the user carries validity information in the service flow;
Step 5: after detecting that the service flow corresponding to the user has started, the satellite user plane network element gates the service flow according to the user validity verification result.
As shown in FIG. 6, the network convergence architecture of the present invention is based on the existing 5G home-routed roaming architecture. The satellite core network accesses the 5G core network in a role similar to a visited PLMN, and some or all of its functions reuse 5G ground core network elements. The 5G terminal is connected to a 5G base station (gNB) through the air interface, and the backhaul network of the 5G base station is provided by satellite relay, connecting to the remote 5G core network through the satellite core network service pipeline. The control plane signaling of the satellite core network and the 5G core network is interconnected through the existing 3GPP Security Edge Protection Proxy (SEPP) interface (newly added definitions for this interface are not part of the invention); the user plane is connected to the 5G UPF side through the existing N9 interface (newly added definitions for this interface are not part of the invention). User data is forwarded via the satellite core network user plane (S-UPF, Satellite User Plane Function), acting as the visited PLMN, to the 5G core network UPF of the home PLMN and on to the final data network side (DNN).
The user validity authentication for using the terminal is realized by the satellite core network control plane through the deployment of the digital certificate verification function. The digital certificate issued to the user by the certificate authority binds the user characteristic information (geographical location information, validity period of use, historical usage characteristic information) to the information of the device in use (device ID, device network identity, device MAC address). As shown in FIG. 7, the specific steps are as follows:
1. User A, whose identity is bound to device A, and user/device B each obtain a digital certificate from the certificate authority. The certificate includes the basic certificate information, the CA public key, the public keys of all authorized users with bound devices and of users/devices (user A with bound device A, and user/device B, in fig. 4), and the basic information of the users with bound devices and of the users/devices. Through the issued digital certificates, user A with bound device A and user/device B can each obtain the other party's public key. The user-level information must contain the user/device information and/or the binding information between user and device.
2. User/device A initiates a communication request to user/device B. The request must contain information encrypted with the public key from user/device B's digital certificate and is sent to user/device B.
3. After receiving the request from user A, user/device B verifies whether the request was sent by user A through the bound device A and whether the content of the information has been tampered with. If the received information was sent by user/device A and has not been tampered with, authentication succeeds; otherwise, authentication fails.
In the newly added network convergence architecture, the invention deploys, on the user plane of the satellite PLMN core network, the function that authenticates the digital certificate of the user of a terminal successfully registered to the 5G system. As shown in FIG. 8, the satellite core network control plane session management network element (S-SMF) and user plane network element (S-UPF) use the existing network and protocol architecture (TS 29.244) between the 5G session management network element (SMF, Session Management Function) and the user plane network element (UPF, User Plane Function). The method by which the PFCP protocol (TS 29.244) completely controls the user plane network element of the 5G core network is enhanced, so that the control plane has a certain independent decision right for controlling the data flow on the basis of not providing specific flow detection and flow control rules. The specific steps are as follows:
1. The digital certificate verification function for users of 5G terminals is deployed on the satellite core network user plane (S-UPF). The verification function implements validity verification and autonomous gating of user service flows by enhancing the structure (see Table 1 and FIG. 9) of the Gate Status information element (IE) in the Create/Update QoS Enforcement Rule (QER) message of the PFCP session creation/modification request (PFCP Session Establishment/Modification Request) issued by the control plane (S-SMF).
As shown in Tables 2 and 3, a status indication "gating according to user validity check" (Decided by User Authentication Result only) is added to the uplink gate (Table 2, UL Gate) and the downlink gate (Table 3, DL Gate) of the Gate Status IE, so that the user plane gates traffic autonomously according to the authentication result of the deployed user validity check function.
2. The satellite user plane network element (S-UPF) successfully receives the PFCP session creation/modification request sent by the control plane and successfully loads the received user plane gating indication ("gating according to user validity check").
3. The user carries the validity information in the service flow. Within the service flow, the information carried for the user validity check may be sent continuously, sent periodically, or announced by a specific flag indicating that the current service carries user validity information.
4. After detecting that the service flow corresponding to the user has started, the satellite user plane network element (S-UPF) performs flow gating on the service flow according to the user validity check result.
In summary, the current 3GPP standards discuss only the air interface side of the satellite-ground integrated network, and the satellite-ground integrated architecture proposed by CCSA has no specific content. Against this background, the present invention provides a method for sharing information between the heterogeneous systems of a 5G network and reusing existing 5G functions: the satellite system joins the 5G eSBA architecture through roaming and reuses existing 5G functions and procedures, which effectively reduces the hardware and operation and maintenance costs of the whole network. Meanwhile, because existing communication systems cannot identify an illegitimate user who initiates services from a legitimate terminal, the invention provides a method of verifying user digital certificates issued by a certificate authority. Based on a user legitimacy authentication function deployed on the network pipeline side, and by binding user and device, the method enables the pipeline side to detect an illegitimate user of a legitimate terminal. This effectively avoids preemption of pipeline-side resources by illegitimate users of legitimate terminals and also reduces the cost of raising the security level of the data network (DNN) servers. The architecture and method effectively supplement and advance the evolution of core network architecture and security standards.
FIG. 10 presents an analysis of the benefits to the multiple parties involved in an industrial deployment based on the present invention:
1. 5G operators sign up for the satellite secure relay pipeline service through the convergence architecture, providing more user coverage and a better security ecosystem for the use of user terminal equipment; for example, a device cannot be used after it is lost, and the probability of device loss is reduced.
2. Users sign up for the 5G satellite roaming service, obtain better service coverage, and effectively improve the security of the environment in which their terminal equipment is used.
3. Service providers sign up for the 5G satellite pipeline, cover more service users, and improve the security protection level of the server side, which can effectively increase service providers' willingness to sign up for the operator's 5G package services.
4. Satellite operators may receive more revenue from 5G operators and service providers by providing 5G roaming tunnels and user security services.
The invention is described in detail below with reference to the drawings and the detailed description.
As shown in FIG. 12, the method of the present invention for improving the security of users of 5G terminals, based on the network element sharing architecture between the heterogeneous systems of a 5G network, comprises the following steps:
Step one: The satellite core network is networked with the 5G core network based on a home-routed roaming architecture. Between the two core networks, the control plane is connected through the existing SEPP interface and the user plane opens the data plane pipeline through the existing N9 interface.
Step two: The satellite core network user plane deploys a digital certificate verification function. The satellite core network user plane network element on which the verification function is deployed and the user bound to the 5G terminal each obtain their own digital certificate from the certificate authority.
Step three: The control plane session management network element (S-SMF) of the satellite core network issues a PFCP session creation/modification request in which the uplink and downlink gate statuses (in figure 11) of the Create/Update QoS Enforcement Rule are both set to 2, so that the user plane performs gating autonomously according to the user validity check result.
Step four: When a user initiates a user service from a terminal successfully registered to the 5G system, the user plane message must carry the information used for user validity verification, which contains the characteristic information of the user and of the bound device. The user characteristic information comprises geographical location information, the validity period of use, and historical usage characteristic information; the device information comprises the device identification (ID), the device network identity, and the device MAC address. The service flow initiated by the user may carry this characteristic information in three ways: continuously, periodically, or as announced by a specific flag bit.
Step five: After receiving a service request initiated by a 5G terminal user, the satellite core network checks the validity of the user of the service on the user plane (S-UPF). If the check passes, the service flow is let through; if the check fails, the session release procedure for the user is triggered.
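As an added illustration (not code from the patent or from any 3GPP implementation), the following Python sketch encodes the Gate Status IE with the new value 2 from step three and applies the step-five decision on the S-UPF. The octet layout (IE type 25, UL Gate in bits 4-3, DL Gate in bits 2-1) follows the baseline TS 29.244 Gate Status IE, since Table 1 and FIG. 9 are not reproduced on this page; the `Binding` and `ValidityInfo` structures, their field names and all sample values are assumptions, and the certificate signature check is represented by a boolean.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import IntEnum
from typing import Optional

GATE_STATUS_IE_TYPE = 25  # Gate Status IE type in baseline TS 29.244


class Gate(IntEnum):
    OPEN = 0
    CLOSED = 1
    BY_USER_AUTH = 2  # value added by the page: "Decided by User Authentication Result only"


def encode_gate_status(ul: Gate, dl: Gate) -> bytes:
    """Type (2 octets), Length (2 octets), one value octet: bits 4-3 UL Gate, bits 2-1 DL Gate."""
    return struct.pack("!HHB", GATE_STATUS_IE_TYPE, 1, (int(ul) << 2) | int(dl))


def decode_gate_status(ie: bytes) -> tuple:
    """Return (UL Gate, DL Gate); reject anything that is not a well-formed Gate Status IE."""
    if len(ie) < 5:
        raise ValueError("truncated Gate Status IE")
    ie_type, length, octet = struct.unpack("!HHB", ie[:5])
    if ie_type != GATE_STATUS_IE_TYPE or length < 1 or len(ie) < 4 + length:
        raise ValueError("not a well-formed Gate Status IE")

    def to_gate(value: int) -> Gate:
        # Value 3 is not defined by the page; this sketch fails closed on it.
        return Gate(value) if value in (0, 1, 2) else Gate.CLOSED

    return to_gate((octet >> 2) & 0x3), to_gate(octet & 0x3)


@dataclass(frozen=True)
class Binding:
    """User and device attributes bound together in the CA-issued certificate (assumed fields)."""
    user_id: str
    device_id: str
    device_mac: str
    region: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class ValidityInfo:
    """Validity information the user carries in the service flow (hypothetical layout)."""
    user_id: str
    device_id: str
    device_mac: str
    region: str
    signature_ok: bool  # outcome of the certificate signature check, done elsewhere


def user_is_valid(binding: Binding, info: Optional[ValidityInfo], now: datetime) -> bool:
    """A flow with no validity information, or a bad signature, is treated as invalid."""
    if info is None or not info.signature_ok:
        return False
    return (info.user_id == binding.user_id
            and info.device_id == binding.device_id
            and info.device_mac.lower() == binding.device_mac.lower()
            and info.region == binding.region
            and binding.not_before <= now <= binding.not_after)


def gate_decision(gate: Gate, valid: bool) -> str:
    """OPEN/CLOSED keep their static meaning; value 2 lets the S-UPF decide from the check."""
    if gate == Gate.OPEN:
        return "FORWARD"
    if gate == Gate.CLOSED:
        return "DROP"
    return "FORWARD" if valid else "RELEASE_SESSION"


# Constructed sample data: one binding, its rightful user, and another user on the same device.
UTC = timezone.utc
BINDING = Binding("user-a", "dev-a", "02:00:00:AA:BB:01", "region-1",
                  datetime(2023, 1, 1, tzinfo=UTC), datetime(2024, 1, 1, tzinfo=UTC))
NOW = datetime(2023, 6, 1, tzinfo=UTC)
OWNER = ValidityInfo("user-a", "dev-a", "02:00:00:aa:bb:01", "region-1", True)
OTHER_USER = ValidityInfo("user-x", "dev-a", "02:00:00:aa:bb:01", "region-1", True)


def run_demo() -> list:
    """S-SMF sets UL and DL gates to 2; the S-UPF then gates three uplink flows."""
    ul, _dl = decode_gate_status(encode_gate_status(Gate.BY_USER_AUTH, Gate.BY_USER_AUTH))
    return [gate_decision(ul, user_is_valid(BINDING, info, NOW))
            for info in (OWNER, OTHER_USER, None)]


if __name__ == "__main__":
    print(run_demo())
```

The third flow carries no validity information at all, which is what traffic from a registered terminal looks like when the person using it has no bound certificate; under value 2 it is treated the same as a failed check.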
The foregoing description of the preferred embodiments of the invention is not intended to be limiting, but rather is intended to cover all modifications, equivalents, or alternatives falling within the spirit and principles of the invention.

Claims (8)

1. A signaling interaction method for security promotion of a 5G day-to-ground integrated scene, characterized in that the method comprises the following steps:
step 1, a satellite core network is networked with a 5G core network based on a home roaming architecture;
step 2, a digital certificate verification function is deployed on a satellite core network user plane, a satellite core network user plane network element deploying the digital certificate verification function and a user binding a 5G terminal acquire respective digital certificates from a certificate center respectively, the digital certificates comprise public keys of all authorized users and binding equipment, and identity verification is carried out through the digital certificates;
step 3, the satellite core network control plane session management network element issues a PFCP session creation or modification request, and successfully loads the received user plane gating instruction for the user plane to autonomously perform flow gating according to the user validity check result;
step 4, when the user initiates user service by using the 5G system terminal which is successfully registered, the user carries legal information into the service flow;
and step 5, after detecting that the service flow corresponding to the user starts, the user plane network element of the satellite core network performs flow gating on the service flow according to the user validity verification result.
2. The signaling interaction method for 5G day-to-ground integrated scene security promotion of claim 1, wherein: the satellite core network is used as a visiting PLMN to access the 5G core network based on the home roaming architecture in the step 1, part or all of functions reuse 5G ground core network elements, a 5G terminal is connected to a 5G base station through an air interface, and a backhaul network of the 5G base station is provided by a satellite relay to be connected to a remote 5G core network through a satellite core network service pipeline.
3. The signaling interaction method for 5G day-to-ground integrated scene security promotion of claim 1, wherein: in the step 1, the control plane signaling of the satellite core network and the 5G core network is interconnected through the existing 3GPP security edge protection proxy (SEPP) interface; the user plane opens the satellite relay data plane pipeline through the existing N9 interface.
4. The signaling interaction method for 5G day-to-ground integrated scene security promotion of claim 1, wherein: in the step 3, the validity check and the autonomous gating of the user facing the user service flow are realized by enhancing the gating state cell structure in the service quality execution rule message created or updated in the PFCP session creation or modification request issued by the control plane.
5. The signaling interaction method for 5G day-to-ground integrated scene security promotion of claim 1, wherein: in the step 4, when the user initiates the user service by using the terminal successfully registered to the 5G system, the user plane message carries information for user validity verification, which contains the user characteristic information and the binding equipment characteristic information.
6. The signaling interaction method for 5G day-to-ground integrated scene security promotion of claim 5, wherein: the user characteristic information comprises geographic position information, a using time validity period and historical using characteristic information; the binding equipment characteristic information comprises equipment identification ID, equipment network identification and equipment MAC address.
7. The signaling interaction method for 5G day-to-ground integrated scene security promotion of claim 1, wherein: in the step 4, in the service flow initiated by the user, the carried information for verifying the validity of the user indicates that the current service carries the validity information of the user through continuous transmission, or periodic transmission or specific identification.
8. The signaling interaction method for 5G day-to-ground integrated scene security promotion of claim 1, wherein: in the step 5, after receiving the service request initiated by the 5G terminal user, the satellite core network checks the validity of the user facing the service user, and releases the service flow if the check passes, and triggers the session release flow if the check fails.
CN202310021798.7A 2023-01-07 2023-01-07 Signaling interaction method for 5G day-to-ground integrated scene security promotion Active CN116017460B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310021798.7A CN116017460B (en) 2023-01-07 2023-01-07 Signaling interaction method for 5G day-to-ground integrated scene security promotion

Publications (2)

Publication Number Publication Date
CN116017460A (en) 2023-04-25
CN116017460B (en) 2023-11-14

Family

ID=86024542

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant