CN116318643A - Private network safety protection system based on 5G network slicing - Google Patents

Info

Publication number
CN116318643A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211205850.6A
Other languages
Chinese (zh)
Inventor
邱飞
罗喜东
梁晶晶
唐松柏
余乔
刘晓波
刘菁洋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shaanxi Aircraft Industry Co Ltd
Original Assignee
Shaanxi Aircraft Industry Co Ltd

Classifications

    • H04L 9/083: Key transport or distribution (key establishment where one party creates or obtains a secret value and securely transfers it to the other(s)) involving a central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L 63/0442: Network security protocols providing a confidential data exchange among entities communicating through data packet networks, wherein the payload is protected by encryption or encapsulation and the sending and receiving entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L 63/0485: Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H04L 63/18: Network architectures or network security protocols using different networks or channels, e.g. out-of-band channels
    • H04L 9/3066: Public-key cryptography involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L 9/3247: Cryptographic mechanisms for verifying the identity or authority of a user or for message authentication, involving digital signatures
    • H04L 9/3263: Cryptographic mechanisms for verifying identity or authority, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements


Abstract

The invention relates to the technical field of mobile communication and discloses a private network security protection system based on 5G network slicing. The terminal, RAN, bearer network and core network of a 5G network are encrypted segment by segment, and a different encryption algorithm can be set for each segment according to its transmission needs. This secures data transmission without encrypting the whole 5G network end to end, which reduces data processing cost while giving a more targeted data protection mechanism; different isolation and security mechanisms are applied in the different networks, which greatly improves the protection; and a choice of several encryption algorithms lets users select the algorithm that fits their needs, meeting the requirements of users for various security levels.

Description

Private network safety protection system based on 5G network slicing
Technical Field
The invention belongs to the technical field of mobile communication, and relates to a private network safety protection system based on 5G network slicing.
Background
The fifth generation mobile communication technology (5G) is a new generation of broadband mobile communication technology characterized by high speed, low latency and massive connectivity. It is the network infrastructure for interconnecting people, machines and things; it drives the rapid development of 5G and the industrial Internet, accelerates the adoption of 5G in the aviation field, and can effectively consolidate and raise the intelligent manufacturing level of enterprises.
The current 5G security standard meets the classified protection requirements at the operator level, but still faces many security challenges. To address the security of data transmission in current 5G networks, encrypted transmission is adopted; however, current encrypted transmission encrypts the whole path, while the security levels required by different end segments differ, so whole-path encryption increases data processing cost and reduces the data transmission rate. Improvements to this situation are therefore needed.
Disclosure of Invention
In view of this situation, and to overcome the defects of the prior art, the invention provides a private network security protection system based on 5G network slicing. It addresses the problems that the current 5G security standard meets the operator-level classified protection requirement yet still faces many security challenges, and that the encrypted transmission adopted to secure current 5G network data transmission is whole-path encryption: since different end segments require different security levels, whole-path encryption increases data processing cost and reduces the data transmission rate.
Technical proposal
To achieve the above purpose, the invention provides the following technical solution: a private network security protection system based on 5G network slicing, which encrypts the terminal, the RAN, the bearer network and the core network of a 5G network segment by segment, and comprises the following:
segment encryption unit: an end-to-end segmented encryption mechanism based on a 5G private network, comprising terminal side encryption, a RAN transmission unit, bearer network encryption and core network encryption;
RAN transmission unit: performs encrypted and authenticated transmission for the RAN and the bearer network through an IPsec VPN encrypted tunnel, so that the related links on the terminal side and the network side are transmitted encrypted; it uses a RAN and bearer network encrypted transmission architecture;
CA authentication unit: uses a CA digital certificate and a security authentication gateway on the network side of secondary authentication; the protocol and algorithm parts required for secondary authentication are decoupled and integrated into a physical or logical security component adapted to the security authentication gateway equipment, and when the AAA performs secondary authentication, the result of executing the protocol and algorithm is obtained through an interface between the security component and the security equipment.
Preferably, the terminal side encryption comprises encryption of the application data stored and run by the terminal equipment, provides a unified authentication framework for the access terminal, supports various access modes and access credentials, and finally provides an on-demand security protection solution. The RAN transmission unit uses logical isolation: resource blocks are allocated according to the requirements of the different slices, each slice adopts a security protection mechanism, and cryptographic protection measures are required for data throughout the wireless transmission link.
The core network encryption adopts a multiple protection mechanism, including security protection between network slices, and isolation and access control between network slices and users. The bearer network is protected by IPsec VPN encryption. The core network introduces a SEPP (security edge protection proxy) network element that protects signalling messages at the roaming boundary: topology hiding, message filtering, TLS, and application-layer security protection for roaming messages carried over the IPX network. This prevents disclosure and illegal tampering of transport-layer and application-layer data and improves the confidentiality and integrity of network transmission and data.
Preferably, the security protection between network slices comprises a physical security mode and a logical security mode.
Preferably, the security protection between a network slice and a user includes: adopting CA authentication between the network slice and the end user; and deploying virtual or physical firewalls and setting access policies.
Preferably, the following isolation and security mechanisms are adopted from the terminal to the user side:
(1) when the data file is large and the user is at the cell edge and needs a high transmission rate, a logical isolation mode is adopted;
(2) for software running on the DU and CU, isolation can be applied separately based on NFC, and both a physical security mode and a logical security mode can be carried;
(3) in the bearer network, soft or hard isolation is used;
(4) in the core network, layered isolation can be performed, i.e. it is divided into a resource layer, a network layer and a management layer, each isolated separately.
The isolation mode is encrypted with an asymmetric cryptographic algorithm, the asymmetric cryptographic algorithm comprising SM2, RSA and ECDSA.
Preferably, the encryption process of the asymmetric cryptographic algorithm is as follows:
(1) generate a random number with a random number generator;
(2) calculate the point C1 on the elliptic curve;
(3) select the algorithm according to the user settings;
(4) calculate the point C2 on the elliptic curve;
(5) generate a key data stream with the key derivation function KDF;
(6) calculate C2 and C3;
(7) obtain the ciphertext C = C1 ∥ C2 ∥ C3.
Preferably, the decryption process after encryption with the asymmetric cryptographic algorithm is as follows:
(1) take C1 out of the ciphertext C and check whether it satisfies the elliptic curve equation;
(2) select the corresponding decryption algorithm according to the user settings;
(3) calculate the point C1 on the elliptic curve;
(4) generate a key data stream with the key derivation function KDF;
(5) calculate C2;
(6) calculate the value U and check whether U = C3; if it holds, the decryption result M is obtained; if it does not hold, decryption fails and nothing is output.
Preferably, the process of generating a digital signature with the SM2 and ECDSA asymmetric cryptographic algorithms is as follows:
(1) take a random value k and compute with it;
(2) calculate the values r and s;
(3) obtain the digital signature (r, s).
Preferably, the digital signature verification process of the SM2 and ECDSA asymmetric cryptographic algorithms is as follows:
(1) calculate t = (r + s) mod n;
(2) calculate (x1, y1) = [s]G + [t]PA;
(3) calculate the value R and verify that r = R; if they agree, the signature passes verification, otherwise it fails.
Technical effects
Compared with the prior art, the invention has the following beneficial effects: 1. the terminal, RAN, bearer network and core network of the 5G network are encrypted segment by segment, and a different encryption algorithm can be set for each segment according to its transmission requirements, so data transmission is secured while the transmission rate is maintained; the whole 5G network need not be encrypted end to end, which reduces data processing cost and gives a more targeted data protection mechanism;
2. different isolation and security mechanisms are adopted in the different networks, which greatly improves the network security protection;
3. several encryption algorithms are available and the user can select a different algorithm according to different requirements, meeting the user's need for several security levels; algorithms are selected automatically, giving the user more choice in network transmission and increasing the diversity of the 5G network transmission security framework in practical application;
4. the two encryption algorithms and the decryption algorithm are integrated, so that the amount of data processed during encryption and signature verification is reduced, digital signatures can be verified quickly, and the data transmission rate is improved.
Drawings
The accompanying drawings are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate the invention and together with the embodiments of the invention, serve to explain the invention.
In the drawings:
FIG. 1 is a block diagram of a private network security protection system based on 5G network slicing;
FIG. 2 is a diagram of the encryption process performed by the asymmetric cryptographic algorithm of the present invention;
FIG. 3 is a diagram of the decryption process after encryption by the asymmetric cryptographic algorithm of the present invention;
FIG. 4 is a process diagram of the SM2 and ECDSA asymmetric cryptographic algorithm of the present invention for generating a digital signature;
FIG. 5 is a diagram of a digital signature verification process for the SM2 and ECDSA asymmetric cryptographic algorithm of the present invention;
FIG. 6 is a diagram of the network-slicing security private network architecture of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all embodiments of the invention; all other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As shown in FIG. 1, the present invention provides the following technical solution: a private network security protection system based on 5G network slicing, which encrypts the terminal, the RAN, the bearer network and the core network of a 5G network segment by segment, and specifically comprises the following:
segment encryption unit: an end-to-end segmented encryption mechanism based on a 5G private network, comprising terminal side encryption, a RAN transmission unit, bearer network encryption and core network encryption;
RAN transmission unit: performs encrypted and authenticated transmission for the RAN and the bearer network through an IPsec VPN encrypted tunnel, so that the related links on the terminal side and the network side are transmitted encrypted; it uses a RAN and bearer network encrypted transmission architecture;
CA authentication unit: uses a CA digital certificate and a security authentication gateway on the network side of secondary authentication; the protocol and algorithm parts required for secondary authentication are decoupled and integrated into a physical or logical security component adapted to the security authentication gateway equipment, and when the AAA performs secondary authentication, the result of executing the protocol and algorithm is obtained through a specific interface between the security component and the security equipment.
The terminal side encryption comprises encryption of the application data stored and run by the terminal equipment, provides a unified authentication framework for the access terminal, supports various access modes and access credentials, and finally provides an on-demand security protection solution. The RAN transmission unit uses logical isolation: resource blocks are allocated according to the requirements of the different slices, each slice adopts a security protection mechanism, and cryptographic protection measures are required for data throughout the wireless transmission link. The core network encryption adopts a multiple protection mechanism, including security protection between network slices, and isolation and access control between network slices and users. The security protection between network slices comprises a physical security mode and a logical security mode. The security protection between a network slice and a user includes: adopting CA authentication between the network slice and the end user; and deploying virtual or physical firewalls and setting access policies.
The terminal, RAN, bearer network and core network of the 5G network are encrypted segment by segment, and a different encryption algorithm can be set for each segment according to its transmission requirements, so data transmission is secured while the transmission rate is maintained; the whole 5G network need not be encrypted end to end, which reduces data processing cost and gives a more targeted data protection mechanism.
The following isolation and security mechanisms are adopted from the terminal to the user side:
(1) when the data file is large and the user is at the cell edge and needs a high transmission rate, a logical isolation mode is adopted;
(2) for software running on the DU and CU, isolation can be applied separately based on NFC, and both a physical security mode and a logical security mode can be carried;
(3) in the bearer network, soft or hard isolation is used;
(4) in the core network, layered isolation can be performed, i.e. it is divided into a resource layer, a network layer and a management layer, each isolated separately.
The isolation mode is encrypted with an asymmetric cryptographic algorithm, the asymmetric cryptographic algorithm comprising SM2, RSA and ECDSA.
Different isolation and security mechanisms are adopted in the different networks, which greatly improves the network security protection.
As shown in FIG. 2, the encryption process of the asymmetric cryptographic algorithm is as follows:
(1) generate a random number with a random number generator;
(2) calculate the point C1 on the elliptic curve;
(3) select the algorithm according to the user settings;
(4) calculate the point C2 on the elliptic curve;
(5) generate a key data stream with the key derivation function KDF;
(6) calculate C2 and C3;
(7) obtain the ciphertext C = C1 ∥ C2 ∥ C3.
As shown in FIG. 3, the decryption process after encryption with the asymmetric cryptographic algorithm is as follows:
(1) take C1 out of the ciphertext C and check whether it satisfies the elliptic curve equation;
(2) select the corresponding decryption algorithm according to the user settings;
(3) calculate the point C1 on the elliptic curve;
(4) generate a key data stream with the key derivation function KDF;
(5) calculate C2;
(6) calculate the value U and check whether U = C3; if it holds, the decryption result M is obtained; if it does not hold, decryption fails and nothing is output.
Several encryption algorithms are available and the user can select a different algorithm according to different requirements, meeting the user's need for several security levels; algorithms are selected automatically, giving the user more choice in network transmission and increasing the diversity of the 5G network transmission security framework in practical application.
As shown in FIG. 4, the process of generating a digital signature with the SM2 and ECDSA asymmetric cryptographic algorithms is as follows:
(1) take a random value k and compute with it;
(2) calculate the values r and s;
(3) obtain the digital signature (r, s).
As shown in FIG. 5, the digital signature verification process of the SM2 and ECDSA asymmetric cryptographic algorithms is as follows:
(1) calculate t = (r + s) mod n;
(2) calculate (x1, y1) = [s]G + [t]PA;
(3) calculate the value R and verify that r = R; if they agree, the signature passes verification, otherwise it fails.
The two encryption algorithms and the decryption algorithm are integrated, so that the amount of data processed during encryption and signature verification is reduced, digital signatures can be verified quickly, and the data transmission rate is improved.
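The following Python is an added worked example, not code from the patent or its assignee. It implements the SM2-style procedures of FIG. 2 to FIG. 5 above in one place: public-key encryption with the KDF key stream and the U = C3 check of decryption step (6) (including rejecting a C1 that is not on the curve, step (1)), and signature generation and verification with t = (r + s) mod n and (x1, y1) = [s]G + [t]PA. It assumes the public sm2p256v1 curve parameters and substitutes SHA-256 for SM3 while omitting the ZA identity prefix, so it is a teaching model of the checks, not an interoperable SM2 implementation.

```python
import hashlib
import secrets

# sm2p256v1 parameters (GB/T 32918); constants assumed from the public standard, not the patent.
P = 0xFFFFFFFE_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_00000000_FFFFFFFF_FFFFFFFF
A = 0xFFFFFFFE_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_00000000_FFFFFFFF_FFFFFFFC
B = 0x28E9FA9E_9D9F5E34_4D5A9E4B_CF6509A7_F39789F5_15AB8F92_DDBCBD41_4D940E93
N = 0xFFFFFFFE_FFFFFFFF_FFFFFFFF_FFFFFFFF_7203DF6B_21C6052B_53BBF409_39D54123
G = (0x32C4AE2C_1F198119_5F990446_6A39C994_8FE30BBF_F2660BE1_715A4589_334C74C7,
     0xBC3736A2_F4F6779C_59BDCEE3_6B692153_D0A9877C_C62A4740_02DF32E5_2139F0A0)

def on_curve(pt):
    """Decryption step (1): is pt a finite point satisfying y^2 = x^3 + ax + b (mod p)?"""
    return pt is not None and (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if x1 == x2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    """Double-and-add [k]pt (not constant time; demonstration only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def keygen():
    """Private key d in [1, n-2] and public key PA = [d]G."""
    d = secrets.randbelow(N - 2) + 1
    return d, ec_mul(d, G)

def digest(data):
    # SHA-256 stands in for SM3 and for the ZA identity prefix of real SM2 (simplification).
    return hashlib.sha256(data).digest()

def sign(d, msg):
    """FIG. 4: random k, (x1, y1) = [k]G, r = (e + x1) mod n, s = (1+d)^-1 (k - r*d) mod n."""
    e = int.from_bytes(digest(msg), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = (e + ec_mul(k, G)[0]) % N
        s = pow(1 + d, -1, N) * (k - r * d) % N
        if r and s and r + k != N:  # standard rejection cases, otherwise retry with fresh k
            return r, s

def verify(pub, msg, sig):
    """FIG. 5: t = (r+s) mod n, (x1, y1) = [s]G + [t]PA, R = (e + x1) mod n, accept iff R == r."""
    r, s = sig
    if not on_curve(pub) or not (1 <= r < N and 1 <= s < N) or (r + s) % N == 0:
        return False
    pt = ec_add(ec_mul(s, G), ec_mul((r + s) % N, pub))
    return pt is not None and (int.from_bytes(digest(msg), "big") + pt[0]) % N == r

def kdf(z, klen):
    """Counter-mode KDF producing klen bytes of key stream (encryption step 5)."""
    out, ct = b"", 1
    while len(out) < klen:
        out += digest(z + ct.to_bytes(4, "big"))
        ct += 1
    return out[:klen]

def encrypt(pub, msg):
    """FIG. 2: C1 = [k]G, (x2, y2) = [k]PA, t = KDF(x2||y2), C2 = M xor t, C3 = H(x2||M||y2)."""
    while True:
        k = secrets.randbelow(N - 1) + 1
        c1 = ec_mul(k, G)
        x2, y2 = ec_mul(k, pub)
        xb, yb = x2.to_bytes(32, "big"), y2.to_bytes(32, "big")
        t = kdf(xb + yb, len(msg))
        if any(t):  # an all-zero key stream would leak M, so redraw k
            break
    c2 = bytes(m ^ tb for m, tb in zip(msg, t))
    return c1, c2, digest(xb + msg + yb)  # the patent writes this as C = C1 || C2 || C3

def decrypt(d, ct):
    """FIG. 3: reject C1 off the curve, recover t and M, accept only if U == C3."""
    c1, c2, c3 = ct
    if not on_curve(c1):
        return None
    x2, y2 = ec_mul(d, c1)
    xb, yb = x2.to_bytes(32, "big"), y2.to_bytes(32, "big")
    t = kdf(xb + yb, len(c2))
    if not any(t):
        return None
    msg = bytes(c ^ tb for c, tb in zip(c2, t))
    return msg if secrets.compare_digest(digest(xb + msg + yb), c3) else None
```

A receiver that skips the on-curve check in decrypt or the range checks in verify accepts malformed inputs; the example returns None or False for those cases rather than proceeding.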
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Although embodiments of the present invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made therein without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (10)

1. A private network safety protection system based on 5G network slicing, characterized in that the system performs segmented encryption on the terminal, the RAN, the bearer network and the core network of a 5G network, and comprises a segment encryption unit: the segment encryption unit is an end-to-end segmented encryption mechanism based on a 5G private network and comprises a terminal side encryption unit, a RAN transmission unit, a bearer network encryption unit and a core network encryption unit;
RAN transmission unit: used for encrypted and authenticated transmission of the RAN and the bearer network through an IPsec VPN encrypted tunnel, realizing encrypted transmission of the related links on the terminal side and the network side;
CA authentication unit: a CA digital certificate and a security authentication gateway are used on the secondary-authentication network side; the protocol and algorithm parts required for secondary authentication are decoupled and integrated into a physical or logical security component adapted to the security authentication gateway equipment, and when the AAA performs secondary authentication, the execution result of the protocol and algorithm is obtained through an interface between the security component and the security equipment;
terminal side encryption: encrypts the application data stored and run by the terminal equipment, provides a unified authentication framework for the access terminal, supports various access modes and access credentials, and finally provides an on-demand security protection solution;
the core network encryption adopts a multiple protection mechanism, including security protection between network slices, and isolation and access control between network slices and users.
2. The private network security protection system based on 5G network slicing according to claim 1, wherein the RNA transmission unit uses logical isolation to allocate resource blocks according to the requirements of different slices, and the slices adopt security protection mechanisms, so that cryptographic protection measures are needed over the whole wireless transmission link during the wireless transmission of data.
3. The private network security protection system based on 5G network slicing of claim 1, wherein the RNA transmission unit employs a RAN and carrier network encrypted transmission architecture.
4. The private network security protection system based on 5G network slicing according to claim 1, wherein the carrier network is cryptographically protected based on an IPsec VPN encryption manner, and the core network introduces SEPP security border protection proxy network elements that provide security protection functions for signaling messages at roaming borders: topology hiding, message filtering, TLS provision, and application layer security protection for IPX network roaming messages, preventing transport layer and application layer data disclosure and illegal tampering attacks, and improving the confidentiality and integrity of network transmission and data.
5. The private network security protection system based on 5G network slices according to claim 1, wherein the security protection between network slices specifically comprises a physical security mode and a logical security mode.
6. The private network security protection system based on 5G network slicing of claim 5, wherein the security protection between the network slices and the user comprises: adopting a CA authentication mode between the network slice and the terminal user, and deploying virtual or physical firewalls with access policies set.
7. The private network security protection system based on 5G network slicing of claim 6, wherein the following isolation and security mechanisms are adopted from the terminal to the user side:
(1) When the data file is large and the user is at the cell edge and needs a high transmission rate, a logical isolation mode is adopted;
(2) When running software on the DU and CU, isolation can be performed separately based on NFC, and a physical security mode and a logical security mode can both be carried;
(3) In the carrier network, soft or hard isolation is used;
(4) In the core network, layered isolation can be performed, i.e. it is divided into a resource layer, a network layer and a management layer which are isolated separately.
8. The private network security protection system based on 5G network slicing of claim 7, wherein the isolation modes are encrypted by using asymmetric cryptographic algorithms, and the asymmetric cryptographic algorithms comprise SM2, RSA and ECDSA.
9. The private network security protection system based on 5G network slicing according to claim 8, wherein the encryption process of the asymmetric cryptographic algorithm is as follows:
(1) Generating a random number by a random number generator;
(2) Calculating a point C1 on the elliptic curve;
(3) Selecting different algorithms according to user settings;
(4) Calculating a point C2 on the elliptic curve;
(5) Generating a key data stream by using the key derivation function KDF;
(6) Calculating C2 and C3;
(7) Obtaining the ciphertext C = C1 || C2 || C3.
10. The private network security protection system based on 5G network slicing according to claim 9, wherein preferably, the decryption process after encryption by the asymmetric cryptographic algorithm is as follows:
(1) C1 is taken out from the ciphertext C and it is judged whether C1 satisfies the elliptic curve equation;
(2) Selecting different algorithms according to user settings, so as to select the corresponding decryption algorithm;
(3) Calculating a point C1 on the elliptic curve;
(4) Generating a key data stream by using the key derivation function KDF;
(5) Calculating C2;
(6) Calculating a value U and judging whether U = C3 is satisfied; if it is satisfied, the decryption result M is obtained, and if it is not satisfied, the decryption fails;
the process of generating the digital signature by the SM2 and ECDSA asymmetric cryptographic algorithms is as follows:
(1) Taking a random value k and calculating;
(2) Calculating the r value and the s value;
(3) Obtaining the digital signature result (r, s);
the digital signature verification process of the SM2 and ECDSA asymmetric cryptographic algorithms is as follows:
(1) Calculating t = (r + s) mod n;
(2) Calculating (x1, y1) = [s]G + [t]PA;
(3) Calculating the R value and verifying whether r = R; if they are consistent the signature passes verification, and if they are inconsistent the signature does not pass.
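Claims 9 and 10 list the SM2 encryption, decryption, signing and verification steps without the arithmetic behind them. The Python below is an added worked example, not code from the patent or its applicant: it carries those steps through on a small elliptic-curve implementation, including the failure branch of step (6) of decryption (U differs from C3) and the R = r check of verification. Assumptions that are not in the claims: the secp256k1 curve and SHA-256 stand in for the SM2 curve and the SM3 hash, the user-identity hash ZA is omitted so that e = H(M), and the KDF is the counter-mode construction SM2 uses, built on the stand-in hash. The function names (keygen, encrypt, decrypt, sign, verify, kdf) are the example's own.

```python
# Added illustration of the SM2-style encryption, decryption, signature and
# verification steps of claims 9 and 10 (not the patent's own code).
# ASSUMPTIONS: secp256k1 and SHA-256 stand in for the SM2 curve and SM3;
# the identity hash ZA is omitted, so e = H(M).
import hashlib
import secrets

# secp256k1 domain parameters (stand-in curve; SM2 defines its own)
P = 2**256 - 2**32 - 977
A, B = 0, 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def on_curve(pt):
    """Decryption step (1): does the point satisfy y^2 = x^3 + ax + b mod p?"""
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication [k]pt."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def kdf(z, klen):
    """Counter-mode KDF as in SM2 (hash stand-in: SHA-256)."""
    out, ct = b"", 1
    while len(out) < klen:
        out += hashlib.sha256(z + ct.to_bytes(4, "big")).digest()
        ct += 1
    return out[:klen]


def i2b(x):
    return x.to_bytes(32, "big")


def keygen(d=None):
    d = d or secrets.randbelow(N - 1) + 1
    return d, ec_mul(d, G)


def encrypt(pub, msg, k=None):
    k = k or secrets.randbelow(N - 1) + 1            # step (1): random k
    c1 = ec_mul(k, G)                                 # step (2): C1 = [k]G
    x2, y2 = ec_mul(k, pub)                           # step (4): (x2, y2) = [k]PB
    t = kdf(i2b(x2) + i2b(y2), len(msg))              # step (5): key stream
    if msg and not any(t):                            # SM2 rejects an all-zero stream
        raise ValueError("all-zero key stream; pick another k")
    c2 = bytes(m ^ s for m, s in zip(msg, t))         # step (6): C2 = M xor t
    c3 = hashlib.sha256(i2b(x2) + msg + i2b(y2)).digest()  # C3 = H(x2||M||y2)
    return (c1, c2, c3)                               # step (7): C1 || C2 || C3


def decrypt(priv, ct):
    c1, c2, c3 = ct
    if c1 is None or not on_curve(c1):                # step (1): C1 must be on the curve
        return None
    x2, y2 = ec_mul(priv, c1)                         # step (3): [dB]C1
    t = kdf(i2b(x2) + i2b(y2), len(c2))               # step (4)
    msg = bytes(c ^ s for c, s in zip(c2, t))         # step (5): M = C2 xor t
    u = hashlib.sha256(i2b(x2) + msg + i2b(y2)).digest()   # step (6): U
    return msg if u == c3 else None                   # U != C3 -> decryption fails


def sign(priv, msg, k=None):
    e = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    while True:
        k = k or secrets.randbelow(N - 1) + 1        # step (1): random k, [k]G
        x1, _ = ec_mul(k, G)
        r = (e + x1) % N                              # step (2): r
        s = pow(1 + priv, -1, N) * (k - r * priv) % N  # step (2): s
        if r == 0 or r + k == N or s == 0:
            k = None
            continue
        return (r, s)                                 # step (3): (r, s)


def verify(pub, msg, sig):
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    e = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    t = (r + s) % N                                   # step (1): t = (r + s) mod n
    pt = ec_add(ec_mul(s, G), ec_mul(t, pub))         # step (2): [s]G + [t]PA
    if t == 0 or pt is None:
        return False
    big_r = (e + pt[0]) % N                           # step (3): R = (e + x1) mod n
    return big_r == r


if __name__ == "__main__":
    d, pub = keygen()
    ct = encrypt(pub, b"slice traffic")
    print(decrypt(d, ct), verify(pub, b"slice traffic", sign(d, b"slice traffic")))
```

The fixed k values used in the checks are for reproducibility only; in use, k must be fresh and unpredictable for every encryption and every signature, since reusing k across two signatures exposes the private key. decrypt returning None is the claim's "decryption fails" branch: a modified C2 or C3 makes U differ from C3, so the plaintext is never released.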
CN202211205850.6A 2022-09-30 2022-09-30 Private network safety protection system based on 5G network slicing Pending CN116318643A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211205850.6A CN116318643A (en) 2022-09-30 2022-09-30 Private network safety protection system based on 5G network slicing

Publications (1)

Publication Number Publication Date
CN116318643A true CN116318643A (en) 2023-06-23

Family

ID=86831106

Country Status (1)

Country Link
CN (1) CN116318643A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination