CN116318643A - Private network safety protection system based on 5G network slicing - Google Patents
- Publication number: CN116318643A (application CN202211205850.6A)
- Authority: CN (China)
- Legal status: Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/083—Key transport or distribution involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3066—Public key involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
- H04L9/32—Including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Involving digital signatures
- H04L9/3263—Involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—For providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
- H04L63/0485—Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
- H04L63/18—Using different networks or channels, e.g. using out of band channels
Abstract
The invention relates to the technical field of mobile communication and discloses a private network safety protection system based on 5G network slicing. The terminal, RAN, bearer network and core network of the 5G network are encrypted segment by segment, and different encryption algorithms can be set according to different transmission needs. This ensures the safety of data transmission while avoiding the data cost of encrypting the whole 5G network uniformly, gives a more targeted data protection mechanism, adopts different isolation safety mechanisms in different networks (greatly improving the safety of the network protection), and offers a choice of encryption algorithms, so that users can select different algorithms according to their needs and the requirements of various security levels are met.
Description
Technical Field
The invention belongs to the technical field of mobile communication, and relates to a private network safety protection system based on 5G network slicing.
Background
The fifth generation mobile communication technology (5G) is a new generation of broadband mobile communication technology characterised by high speed, low latency and massive connectivity. It is the network infrastructure for interconnecting people, machines and things; it further promotes the rapid development of 5G and the industrial Internet, accelerates the adoption of 5G in the aviation field, and can effectively consolidate and raise the intelligent manufacturing level of enterprises.
The current 5G security standard meets the graded protection requirements at the operator level, but still faces many security challenges. To address the security of data transmission in current 5G networks, encrypted transmission is adopted; however, current encrypted transmission encrypts the whole path uniformly, even though different segments have different security-level requirements. Encrypting everything increases the data processing cost and reduces the data transmission rate, so the current situation needs improvement.
Disclosure of Invention
In view of this situation, and to overcome the defects of the prior art, the invention provides a private network safety protection system based on 5G network slicing. It effectively addresses the problems that the current 5G security standard meets operator-level graded protection requirements yet faces many security challenges, and that the existing encrypted transmission used to secure 5G data transmission encrypts the whole path uniformly although different segments have different security-level requirements, which increases the data processing cost and reduces the data transmission rate.
Technical proposal
To achieve the above purpose, the invention provides the following technical solution: a private network safety protection system based on 5G network slicing, which encrypts the terminal, the RAN, the bearer network and the core network of a 5G network segment by segment, and specifically comprises the following:
Segment encryption unit: the segment encryption unit is an end-to-end segment encryption mechanism based on a 5G private network, and specifically comprises terminal-side encryption, a RAN transmission unit, bearer network encryption and core network encryption;
RAN transmission unit: the RAN transmission unit carries out encrypted, authenticated transmission between the RAN and the bearer network through an IPsec VPN encrypted tunnel, so as to encrypt the related links on the terminal side and the network side, and adopts a RAN and bearer network encrypted transmission architecture;
CA authentication unit: the CA authentication unit uses a CA digital certificate and a security authentication gateway on the secondary-authentication network side. The protocol and algorithm parts required for secondary authentication are decoupled and integrated into a physical or logical security component adapted to the security authentication gateway equipment, and when AAA performs secondary authentication, the execution result of the protocol and algorithm is obtained between the security component and the security equipment through an interface.
Preferably, the terminal-side encryption comprises encryption of the application data stored and run on the terminal equipment, provides a unified authentication framework for the access terminal, supports various access modes and access credentials, and finally provides an on-demand security protection solution. The RAN transmission unit uses logical isolation: resource blocks are allocated according to the requirements of the different slices, the slices adopt a safety protection mechanism, and cryptographic protection measures are required for data over the whole wireless transmission link;
the core network encryption adopts a multiple protection mechanism, including security protection between network slices, and isolation and access control between the network slices and users. The bearer network is protected by IPsec VPN encryption, and the core network introduces an SEPP security edge protection proxy network element, which provides security protection functions for signalling messages at the roaming boundary: topology hiding, message filtering, TLS, and application-layer security protection for roaming messages over the IPX network. This prevents transport-layer and application-layer data disclosure and illegal tampering attacks, and improves the confidentiality and integrity of network transmission and data.
Preferably, the security protection between the network slices specifically comprises a physical security mode and a logical security mode.
Preferably, the security protection between the network slice and the user includes adopting CA authentication between the network slice and the end user, and deploying virtual or physical firewalls with access policies.
Preferably, the following isolation and security mechanisms are adopted from the terminal to the user side:
(1) When the data file is large and the user is at the cell edge and needs a high transmission rate, a logical isolation mode is adopted;
(2) When software runs on the DU and CU, it can be isolated separately based on NFC, and can be combined with a physical security mode and a logical security mode;
(3) In the bearer network, soft or hard isolation is used;
(4) In the core network, layered isolation can be performed, i.e. it is divided into a resource layer, a network layer and a management layer that are isolated separately.
The isolation modes are encrypted with an asymmetric cryptographic algorithm, where the asymmetric cryptographic algorithm comprises SM2, RSA and ECDSA.
Preferably, the encryption process of the asymmetric cryptographic algorithm is as follows:
(1) Generate a random number with a random number generator;
(2) Calculate the point C1 on the elliptic curve;
(3) Select the algorithm according to the user settings;
(4) Calculate the point C2 on the elliptic curve;
(5) Generate a key data stream with the key derivation function KDF;
(6) Calculate C2 and C3;
(7) Obtain the ciphertext C = C1 ‖ C2 ‖ C3.
Preferably, the decryption process after encryption with the asymmetric cryptographic algorithm is as follows:
(1) Take C1 out of the ciphertext C and check whether it satisfies the elliptic curve equation;
(2) Select the corresponding decryption algorithm according to the user settings;
(3) Calculate the point C1 on the elliptic curve;
(4) Generate a key data stream with the key derivation function KDF;
(5) Calculate C2;
(6) Calculate the value u and check whether u = C3; if it holds, the decryption result M is obtained, and if it does not hold, decryption fails and no result is output.
Preferably, the process of generating a digital signature with the SM2 and ECDSA asymmetric cryptographic algorithms is as follows:
(1) Take a random value k and perform the calculation;
(2) Calculate the values r and s;
(3) Obtain the digital signature result (r, s).
Preferably, the digital signature verification process of the SM2 and ECDSA asymmetric cryptographic algorithms is as follows:
(1) Calculate t = (r + s) mod n;
(2) Calculate (x1, y1) = [s]G + [t]PA;
(3) Calculate the value R and verify that r = R; if they are consistent, the signature passes verification, otherwise it does not.
Technical effects
Compared with the prior art, the invention has the following beneficial effects:
1. The terminal, RAN, bearer network and core network of the 5G network are encrypted segment by segment, and different encryption algorithms can be set according to different transmission requirements, so the safety of data transmission is ensured while the data transmission rate is maintained; the whole 5G network does not need to be encrypted uniformly, the data cost is reduced, and a more targeted data protection mechanism is obtained;
2. Different isolation safety mechanisms are adopted in different networks, which greatly improves the safety of the network protection;
3. Multiple encryption algorithms are available, and a user can select different encryption algorithms according to different requirements, meeting the user's needs for multiple security levels; the algorithms are selected automatically, giving the user more choice in network transmission and increasing the diversity of the 5G network transmission security framework in practical applications;
4. The two encryption algorithms and the decryption algorithm are integrated, so that the amount of computation during encrypted signature verification is reduced, digital signatures can be verified quickly, and the data transmission rate is improved.
Drawings
The accompanying drawings are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate the invention and together with the embodiments of the invention, serve to explain the invention.
In the drawings:
FIG. 1 is a block diagram of a private network security protection system based on 5G network slicing;
FIG. 2 is a diagram of the encryption process performed by the asymmetric cryptographic algorithm of the present invention;
FIG. 3 is a diagram of the decryption process after encryption by the asymmetric cryptographic algorithm of the present invention;
FIG. 4 is a process diagram of the SM2 and ECDSA asymmetric cryptographic algorithm of the present invention for generating a digital signature;
FIG. 5 is a diagram of a digital signature verification process for the SM2 and ECDSA asymmetric cryptographic algorithm of the present invention;
FIG. 6 is a diagram of the security private network architecture system of the present invention for network slicing.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all embodiments of the invention; all other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As shown in FIG. 1, the present invention provides the following technical solution: a private network safety protection system based on 5G network slicing encrypts the terminal, the RAN, the bearer network and the core network of a 5G network segment by segment, and specifically comprises the following:
Segment encryption unit: the segment encryption unit is an end-to-end segment encryption mechanism based on a 5G private network, and specifically comprises terminal-side encryption, a RAN transmission unit, bearer network encryption and core network encryption;
RAN transmission unit: the RAN transmission unit carries out encrypted, authenticated transmission between the RAN and the bearer network through an IPsec VPN encrypted tunnel, so as to encrypt the related links on the terminal side and the network side, and adopts a RAN and bearer network encrypted transmission architecture;
CA authentication unit: the CA authentication unit uses a CA digital certificate and a security authentication gateway on the secondary-authentication network side. The protocol and algorithm parts required for secondary authentication are decoupled and integrated into a physical or logical security component adapted to the security authentication gateway equipment, and when AAA performs secondary authentication, the execution result of the protocol and algorithm is obtained between the security component and the security equipment through a specific interface.
The terminal-side encryption comprises encryption of the application data stored and run on the terminal equipment, provides a unified authentication framework for the access terminal, supports various access modes and access credentials, and finally provides an on-demand security protection solution. The RAN transmission unit uses logical isolation: resource blocks are allocated according to the requirements of the different slices, the slices adopt a safety protection mechanism, and cryptographic protection measures are required for data over the whole wireless transmission link. The core network encryption adopts a multiple protection mechanism, including security protection between network slices, and isolation and access control between the network slices and users. The security protection between network slices specifically comprises a physical security mode and a logical security mode. The security protection between the network slice and the user includes adopting CA authentication between the network slice and the end user, and deploying virtual or physical firewalls with access policies.
The terminal, RAN, bearer network and core network of the 5G network are encrypted segment by segment, and different encryption algorithms can be set according to different transmission requirements, so the safety of data transmission is ensured while the data transmission rate is maintained; the whole 5G network does not need to be encrypted uniformly, the data cost is reduced, and a more targeted data protection mechanism is obtained.
The following isolation and security mechanisms are adopted from the terminal to the user side:
(1) When the data file is large and the user is at the cell edge and needs a high transmission rate, a logical isolation mode is adopted;
(2) When software runs on the DU and CU, it can be isolated separately based on NFC, and can be combined with a physical security mode and a logical security mode;
(3) In the bearer network, soft or hard isolation is used;
(4) In the core network, layered isolation can be performed, i.e. it is divided into a resource layer, a network layer and a management layer that are isolated separately.
The isolation modes are encrypted with an asymmetric cryptographic algorithm, where the asymmetric cryptographic algorithm comprises SM2, RSA and ECDSA.
Different isolation security mechanisms are adopted in different networks, which greatly improves the security of the network protection.
As shown in FIG. 2, the encryption process of the asymmetric cryptographic algorithm is as follows:
(1) Generate a random number with a random number generator;
(2) Calculate the point C1 on the elliptic curve;
(3) Select the algorithm according to the user settings;
(4) Calculate the point C2 on the elliptic curve;
(5) Generate a key data stream with the key derivation function KDF;
(6) Calculate C2 and C3;
(7) Obtain the ciphertext C = C1 ‖ C2 ‖ C3.
As shown in FIG. 3, the decryption process after encryption with the asymmetric cryptographic algorithm is as follows:
(1) Take C1 out of the ciphertext C and check whether it satisfies the elliptic curve equation;
(2) Select the corresponding decryption algorithm according to the user settings;
(3) Calculate the point C1 on the elliptic curve;
(4) Generate a key data stream with the key derivation function KDF;
(5) Calculate C2;
(6) Calculate the value u and check whether u = C3; if it holds, the decryption result M is obtained, and if it does not hold, decryption fails and no result is output.
Multiple encryption algorithms are available, and the user can select different encryption algorithms according to different requirements, meeting the user's needs for multiple security levels; the algorithms are selected automatically, giving the user more choice in network transmission and increasing the diversity of the 5G network transmission security framework in practical applications.
As shown in FIG. 4, the process of generating a digital signature with the SM2 and ECDSA asymmetric cryptographic algorithms is as follows:
(1) Take a random value k and perform the calculation;
(2) Calculate the values r and s;
(3) Obtain the digital signature result (r, s).
As shown in FIG. 5, the digital signature verification process of the SM2 and ECDSA asymmetric cryptographic algorithms is as follows:
(1) Calculate t = (r + s) mod n;
(2) Calculate (x1, y1) = [s]G + [t]PA;
(3) Calculate the value R and verify that r = R; if they are consistent, the signature passes verification, otherwise it does not.
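As an added worked example (not the patent's own code), the following Python implements the SM2-form steps described above for FIG. 2 to FIG. 5 over the SM2 recommended curve: encryption producing C = C1 ‖ C2 ‖ C3 from a KDF key stream, decryption that checks C1 against the curve equation and releases M only when u = C3, and signing/verification with t = (r + s) mod n, (x1, y1) = [s]G + [t]PA and the R = r check. It assumes SHA-256 in place of SM3 (hashlib does not guarantee SM3, and the Z_A prefix is omitted) and a constructed ciphertext layout of C1 (64 bytes) ‖ C2 ‖ C3 (32 bytes); the function names and the all-zero key-stream rejection are my own.

```python
import hashlib
import secrets

# SM2 recommended prime-field curve parameters (GB/T 32918.5).
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

def is_on_curve(pt):
    """Membership check y^2 = x^3 + ax + b (mod p) for a reduced affine point."""
    x, y = pt
    return x < P and y < P and (y * y - (x * x * x + A * x + B)) % P == 0

def add(p1, p2):
    """Affine point addition over GF(p); None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Double-and-add scalar multiplication [k]pt."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()  # assumption: SHA-256 stands in for SM3

def kdf(z, length):
    """Counter-mode KDF, Hash(Z || ct) for ct = 1, 2, ... (the SM2 KDF shape)."""
    out, ct = b"", 1
    while len(out) < length:
        out += h(z, ct.to_bytes(4, "big"))
        ct += 1
    return out[:length]

def b32(x):
    return x.to_bytes(32, "big")

def keygen():
    d = secrets.randbelow(N - 2) + 1             # private key d in [1, n-2]
    return d, mul(d, G)

def encrypt(pb, msg):
    """Random k, C1 = [k]G, KDF stream from [k]PB, C2 = M xor stream, C3 = Hash(x2||M||y2)."""
    while True:
        k = secrets.randbelow(N - 1) + 1
        x2, y2 = mul(k, pb)
        stream = kdf(b32(x2) + b32(y2), len(msg))
        if any(stream):                          # reject an all-zero key stream
            break
    x1, y1 = mul(k, G)
    c2 = bytes(m ^ t for m, t in zip(msg, stream))
    return b32(x1) + b32(y1) + c2 + h(b32(x2), msg, b32(y2))   # C = C1 || C2 || C3

def decrypt(d, ct):
    """Returns the plaintext, or None when C1 is off-curve or u != C3."""
    c1 = (int.from_bytes(ct[:32], "big"), int.from_bytes(ct[32:64], "big"))
    if len(ct) < 96 or not is_on_curve(c1):     # step (1): C1 must satisfy the curve equation
        return None
    c2, c3 = ct[64:-32], ct[-32:]
    x2, y2 = mul(d, c1)
    msg = bytes(c ^ t for c, t in zip(c2, kdf(b32(x2) + b32(y2), len(c2))))
    u = h(b32(x2), msg, b32(y2))
    return msg if secrets.compare_digest(u, c3) else None   # step (6): release M only if u == C3

def sign(d, msg):
    """r = (e + x1) mod n, s = (1 + d)^-1 (k - r d) mod n, with (x1, y1) = [k]G for random k."""
    e = int.from_bytes(h(msg), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = (e + mul(k, G)[0]) % N
        s = pow(1 + d, -1, N) * (k - r * d) % N
        if r and s and r + k != N:               # retry on the degenerate cases
            return r, s

def verify(pa, msg, sig):
    """t = (r + s) mod n; (x1, y1) = [s]G + [t]PA; accept iff R = (e + x1) mod n equals r."""
    r, s = sig
    t = (r + s) % N
    if not (1 <= r < N and 1 <= s < N and t and pa and is_on_curve(pa)):
        return False
    pt = add(mul(s, G), mul(t, pa))
    return pt is not None and (int.from_bytes(h(msg), "big") + pt[0]) % N == r
```

decrypt() releases nothing when C1 fails the curve check or u differs from C3, and verify() rejects r, s outside [1, n-1] and an off-curve public key before doing any curve arithmetic.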
The two encryption algorithms and the decryption algorithm are integrated, so that the amount of computation during encrypted signature verification is reduced, digital signatures can be verified quickly, and the data transmission rate is improved.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Although embodiments of the present invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made therein without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.
Claims (10)
1. A private network safety protection system based on 5G network slicing, characterised in that the safety protection system performs segment encryption on the terminal, the RAN, the bearer network and the core network of a 5G network, and comprises a segment encryption unit: the segment encryption unit is an end-to-end segment encryption mechanism based on a 5G private network and comprises a terminal-side encryption unit, a RAN transmission unit, a bearer network encryption unit and a core network encryption unit;
RAN transmission unit: used for carrying out encrypted, authenticated transmission between the RAN and the bearer network through an IPsec VPN encrypted tunnel, so as to encrypt the related links on the terminal side and the network side;
CA authentication unit: a CA digital certificate and a security authentication gateway are used on the secondary-authentication network side; the protocol and algorithm parts required for secondary authentication are decoupled and collected in a physical or logical security component adapted to the security authentication gateway equipment, and when AAA performs secondary authentication, the execution result of the protocol and algorithm is obtained between the security component and the security equipment through interfaces;
terminal-side encryption: encrypts the application data stored and run on the terminal equipment, provides a unified authentication framework for the access terminal, supports various access modes and access credentials, and finally provides an on-demand security protection solution;
the encryption of the core network adopts a multiple protection mechanism, including security protection between network slices, and isolation and access control between the network slices and users.
2. The private network security protection system based on 5G network slicing according to claim 1, wherein the RAN transmission unit uses logical isolation to allocate resource blocks according to the requirements of the different slices, the slices adopt security protection mechanisms, and cryptographic protection measures are required for data over the whole wireless transmission link.
3. The private network security protection system based on 5G network slicing according to claim 1, wherein the RAN transmission unit employs a RAN and bearer network encrypted transmission architecture.
4. The private network security protection system based on 5G network slicing according to claim 1, wherein the bearer network is cryptographically protected by IPsec VPN encryption, and the core network introduces an SEPP security edge protection proxy network element that provides security protection functions for signalling messages at the roaming boundary: topology hiding, message filtering, TLS, and application-layer security protection for roaming messages over the IPX network, preventing transport-layer and application-layer data disclosure and illegal tampering attacks, and improving the confidentiality and integrity of network transmission and data.
5. The private network security protection system based on 5G network slices according to claim 1, wherein the security protection between network slices specifically comprises a physical security mode and a logical security mode.
6. The private network security protection system based on 5G network slicing of claim 5, wherein the security protection between the network slice and the user comprises: adopting a CA authentication mode between the network slice and the terminal user, and deploying virtual or physical firewalls with access policies set.
7. The private network security protection system based on 5G network slicing of claim 6, wherein the following isolation and security mechanisms are adopted from the terminal to the user side:
(1) when the data file is large and the user is at the cell edge and needs a high transmission rate, a logical isolation mode is adopted;
(2) when running software on the DU and CU, isolation can be performed separately based on NFC, and both a physical security mode and a logical security mode can be adopted;
(3) in the carrier network, soft or hard isolation is used;
(4) in the core network, layered isolation can be performed, i.e. it is divided into a resource layer, a network layer and a management layer that are isolated separately.
8. The private network security protection system based on 5G network slicing of claim 7, wherein the isolation modes are encrypted by using asymmetric cryptographic algorithms, and the asymmetric cryptographic algorithms comprise SM2, RSA and ECDSA.
9. The private network security protection system based on 5G network slicing according to claim 8, wherein the encryption process of the asymmetric cryptographic algorithm is as follows:
(1) generating a random number value with a random number generator;
(2) calculating a point C1 on the elliptic curve;
(3) selecting different algorithms according to user settings;
(4) calculating a point C2 on the elliptic curve;
(5) generating a key data stream using the key derivation function KDF;
(6) calculating C2 and C3;
(7) obtaining the ciphertext C = C1 ‖ C2 ‖ C3.
10. The private network security protection system based on 5G network slicing according to claim 9, wherein, preferably, the decryption process after encryption by the asymmetric cryptographic algorithm is as follows:
(1) taking C1 out of the ciphertext C and judging whether it satisfies the elliptic curve equation;
(2) selecting the corresponding decryption algorithm according to user settings;
(3) calculating a point C1 on the elliptic curve;
(4) generating a key data stream using the key derivation function KDF;
(5) calculating C2;
(6) calculating the U value and judging whether U = C3 is satisfied; if it is, the decryption result M is obtained, and if it is not, decryption fails;
the process of generating a digital signature with the SM2 and ECDSA asymmetric cryptographic algorithms is as follows:
(1) taking a random value k and calculating;
(2) calculating the r value and the s value;
(3) obtaining the digital signature result (r, s);
the digital signature verification process of the SM2 and ECDSA asymmetric cryptographic algorithms is as follows:
(1) calculating t = (r + s) mod n;
(2) calculating (x1, y1) = [s]G + [t]PA;
(3) calculating the R value and verifying that r = R; if they are consistent the signature passes verification, and if they are inconsistent the signature does not pass.
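The signature generation and verification steps of claim 10 (t = (r + s) mod n, (x1, y1) = [s]G + [t]PA, then check R = r), worked through as an added example on a toy curve; this is constructed illustration code, not the patent's implementation. The tiny curve y² = x³ + 2x + 2 over F₁₇ with generator (5, 1) of order 19, the private key d, the nonce k and the message hash e are all chosen for illustration, and the SM2 formulas r = (e + x1) mod n and s = (1 + d)⁻¹(k − r·d) mod n are assumed from the SM2 standard, since the claim does not spell them out.

```python
# Toy SM2-style signature: added illustration, not the patent's code.
# Curve y^2 = x^3 + 2x + 2 over F_17, generator G = (5, 1) of prime order 19
# (constructed for illustration; real SM2 uses a 256-bit curve).
P_MOD, A, G, N = 17, 2, (5, 1), 19

def ec_add(P, Q):
    """Affine point addition; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                       # P == -Q
    if P == Q:                            # tangent slope for doubling
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:                                 # chord slope for addition
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, P):
    """Double-and-add scalar multiplication [k]P."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R

def sign(e, d, k):
    """Claim 10 steps (1)-(3): nonce k, compute r and s, output (r, s); r and s formulas assumed from SM2."""
    x1, _ = ec_mul(k, G)                          # (x1, y1) = [k]G
    r = (e + x1) % N
    s = pow(1 + d, -1, N) * (k - r * d) % N
    if r == 0 or r + k == N or s == 0:            # SM2 rejects these nonces
        raise ValueError("unusable nonce k, pick another")
    return (r, s)

def verify(e, PA, sig):
    """Claim 10 verification: t = (r+s) mod n, (x1,y1) = [s]G + [t]PA, pass iff R = (e+x1) mod n == r."""
    r, s = sig
    t = (r + s) % N
    if not (1 <= r < N and 1 <= s < N) or t == 0:
        return False
    pt = ec_add(ec_mul(s, G), ec_mul(t, PA))
    return pt is not None and (e + pt[0]) % N == r   # R == r?
```

With d = 7 the public key is PA = ec_mul(7, G) = (0, 6), sign(5, 7, 3) yields (15, 11), and verify accepts it while rejecting a changed hash or a tampered s.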
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211205850.6A CN116318643A (en) | 2022-09-30 | 2022-09-30 | Private network safety protection system based on 5G network slicing |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211205850.6A CN116318643A (en) | 2022-09-30 | 2022-09-30 | Private network safety protection system based on 5G network slicing |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116318643A true CN116318643A (en) | 2023-06-23 |
Family
ID=86831106
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211205850.6A Pending CN116318643A (en) | 2022-09-30 | 2022-09-30 | Private network safety protection system based on 5G network slicing |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116318643A (en) |
- 2022-09-30 CN CN202211205850.6A patent/CN116318643A/en active Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |