CN116321138A - Sinking private network data security management method, system and medium based on 5G commercial network - Google Patents
Sinking private network data security management method, system and medium based on 5G commercial network
- Publication number: CN116321138A (application CN202211741484.6A)
- Authority: CN (China)
- Prior art keywords: network, key, service, sinking, user subscription
- Legal status: Pending (as listed by Google Patents; the legal status is an assumption and not a legal conclusion)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
- H04W12/0431—Key distribution or pre-distribution; Key agreement
- H04W12/03—Protecting confidentiality, e.g. by encryption
- H04W12/037—Protecting confidentiality, e.g. by encryption of the control plane, e.g. signalling traffic
- H04W12/06—Authentication
- H04W12/068—Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
Abstract
The invention discloses a sinking private network data security management method, system and medium based on a 5G commercial network. The method comprises the following steps: if a key distribution instruction is received, the card management system generates a system initial key and sends it to the customer relationship management network; the customer relationship management network distributes the system initial key to the corresponding terminal equipment; the card management system generates an encryption verification key corresponding to the user subscription data and sends it to the customer relationship management network; the customer relationship management network authenticates activation information from the terminal equipment, and if the authentication result is passed, sends an access instruction to the corresponding service sub-network so as to control the service sub-network to access the terminal equipment. The invention belongs to the technical field of data security. It selects how the system initial key and the encryption verification key are transmitted according to the service sub-network type, is applicable to both the intensive service sub-network and the sinking service sub-network, realizes intensive management of the commercial 5G customized network, and reduces the data security management cost of the commercial 5G customized network.
Description
Technical Field
The invention relates to the technical field of data security, in particular to a sinking private network data security management method, system and medium based on a 5G commercial network.
Background
In commercial 5G customized network projects, the requirement for UDM (Unified Data Management) sinking is commonly involved. However, existing methods still cannot provide a reasonable and secure scheme that reuses the commercial network's resources such as number card management, authentication flow and automatic provisioning, and, lacking compliance management, they cannot meet the commercial requirement for multiple independent 5G customized networks in the current application process. In the prior art, two methods are used to handle the number cards of a 5G sinking customized network. In the first, the number card management system of the sinking customized network is shared with the intensive commercial network number card management system without regard to security, including key sharing. In the second, the number card management system of the sinking customized network is fully customized for security reasons: it no longer depends on any overall planning, no longer has its cards personalized and issued by the intensive card management system or the card vendor, and all parameters are completely customized. The former carries extremely high security risk: once the security boundary of the sinking customized network is breached, the intensive commercial network is breached immediately, and it is highly vulnerable precisely because the sinking customized network is deployed on the customer park side; so this method is not currently used. The latter cannot enjoy any advantage of intensive management; while protection of the intensive commercial network is guaranteed, it is costly to apply. Therefore, the conventional management method of the commercial 5G customized network has the problem that low-cost data security management cannot be performed.
Disclosure of Invention
The embodiment of the invention provides a sinking private network data security management method, system and medium based on a 5G commercial network, which aim to solve the problem that low-cost data security management cannot be performed in the existing management method of a commercial 5G customized network.
In a first aspect, an embodiment of the present invention provides a method for managing data security of a sinking private network based on a 5G commercial network, where the method is applied to a system for managing data security of a sinking private network based on a 5G commercial network, where the system includes a customer relationship management network, a card management system, a user subscription data synchronization center, and a service subnet, where network connection is established between the customer relationship management network and the card management system to implement transmission of data information, and network connection is established between the service subnet and the user subscription data synchronization center or the customer relationship management network to implement transmission of data information, and network connection is established between the user subscription data synchronization center and the customer relationship management network to implement transmission of data information, where the method includes:
if the input key distribution instruction is received, the card management system generates a system initial key corresponding to the key distribution instruction and sends the system initial key to the client relationship management network;
The customer relationship management network distributes the system initial secret key to corresponding terminal equipment in the service subnet;
the card management system generates an encryption verification key corresponding to pre-stored user subscription data and sends the encryption verification key to the customer relationship management network;
if the activation information sent by the terminal equipment is received, the customer relationship management network authenticates the activation information according to the encryption verification secret key to obtain an authentication result of whether the activation information passes or not;
and if the authentication result is passed, the client relationship management network sends an access instruction to the corresponding service subnet so as to control the service subnet to access the terminal equipment.
In a second aspect, an embodiment of the present invention provides a system for managing data security of a sinking private network based on a 5G commercial network, where the system includes a customer relationship management network, a card management system, a user subscription data synchronization center, and a service subnet, where a network connection is established between the customer relationship management network and the card management system to transmit data information, a network connection is established between the service subnet and the user subscription data synchronization center or the customer relationship management network to transmit data information, and a network connection is established between the user subscription data synchronization center and the customer relationship management network to transmit data information; the system comprises a system initial key distribution unit and an encryption verification key sending unit configured in the card management system, and a first sending unit, an authentication unit and an access instruction sending unit configured in the customer relationship management network;
The system initial key distribution unit is used for generating a system initial key corresponding to the key distribution instruction and sending the system initial key to the client relationship management network if the input key distribution instruction is received;
the first sending unit is configured to distribute the system initial secret key to a corresponding terminal device in the service subnet;
the encryption verification key sending unit is used for generating an encryption verification key corresponding to pre-stored user subscription data and sending the encryption verification key to the client relationship management network;
the authentication unit is used for authenticating the activation information according to the encryption verification key if the activation information sent by the terminal equipment is received, so as to obtain an authentication result whether the activation information passes or not;
and the access instruction sending unit is used for sending an access instruction to the corresponding service subnet if the authentication result is passed so as to control the service subnet to access the terminal equipment.
In a third aspect, an embodiment of the present invention further provides a system for managing data security of a sinking private network based on a 5G commercial network, where the system includes a customer relationship management network, a card management system, a user subscription data synchronization center and a service subnet, where the card management system includes a first memory, a first processor, and a first computer program stored in the first memory and capable of running on the first processor, and the customer relationship management network includes a second memory, a second processor, and a second computer program stored in the second memory and capable of running on the second processor, where the first processor, when executing the first computer program, and the second processor, when executing the second computer program, jointly implement the method for managing data security of a sinking private network based on a 5G commercial network according to the first aspect.
In a fourth aspect, an embodiment of the present invention further provides a computer readable storage medium, where the computer readable storage medium stores a first computer program and a second computer program, where the first computer program is executed by a first processor and the second computer program is executed by a second processor, to jointly implement the method for managing data security of a sinking private network based on a 5G commercial network according to the first aspect.
The embodiment of the invention provides a sinking private network data security management method, system and medium based on a 5G commercial network. If a key distribution instruction is received, the card management system generates a system initial key and sends it to the customer relationship management network; the customer relationship management network distributes the system initial key to the corresponding terminal equipment; the card management system generates an encryption verification key corresponding to the user subscription data and sends it to the customer relationship management network; the customer relationship management network authenticates activation information from the terminal equipment, and if the authentication result is passed, an access instruction is sent to the corresponding service sub-network so as to control the service sub-network to access the terminal equipment. By this method, the way the system initial key and the encryption verification key are sent is selected according to the service sub-network type; the method is applicable to the intensive service sub-network and the sinking service sub-network at the same time, solves the problem of security isolation between the customized network and the commercial network, realizes intensive management of the commercial 5G customized network, and reduces the data security management cost of the commercial 5G customized network.
Drawings
In order to illustrate the technical scheme of the embodiments of the present invention more clearly, the drawings required for the description of the embodiments are briefly described below. The drawings in the following description are some embodiments of the present invention, and those skilled in the art may obtain other figures from these figures without inventive effort.
Fig. 1 is a flow chart of a method for managing data security of a sinking private network based on a 5G commercial network according to an embodiment of the present invention;
Fig. 2 is an application scenario schematic diagram of a sinking private network data security management method based on a 5G commercial network according to an embodiment of the present invention;
Fig. 3 is a schematic sub-flowchart of a method for managing data security of a sinking private network based on a 5G commercial network according to an embodiment of the present invention;
Fig. 4 is another schematic sub-flowchart of a method for managing data security of a sinking private network based on a 5G commercial network according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of another sub-flow of a method for managing data security of a sinking private network based on a 5G commercial network according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of another sub-flow of a method for managing data security of a sinking private network based on a 5G commercial network according to an embodiment of the present invention;
Fig. 7 is a schematic diagram of a further sub-flow of a method for managing data security of a sinking private network based on a 5G commercial network according to an embodiment of the present invention;
Fig. 8 is a schematic diagram of a further sub-flow of a method for managing data security of a sinking private network based on a 5G commercial network according to an embodiment of the present invention;
Fig. 9 is a schematic block diagram of a sinking private network data security management system based on a 5G commercial network according to an embodiment of the present invention;
Fig. 10 is a schematic block diagram of a computer device according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be understood that the terms "comprises" and "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be further understood that the term "and/or" as used in the present specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations.
Referring to Fig. 1 and Fig. 2, Fig. 1 is a flow chart of a method for managing data security of a sinking private network based on a 5G commercial network according to an embodiment of the present invention, and Fig. 2 is an application scenario diagram of the same method. The method is applied to a sinking private network data security management system 10 based on the 5G commercial network. The system 10 comprises a customer relationship management network 11, a card management system 12, a user subscription data synchronization center 13 and a service sub-network 14. A network connection is established between the customer relationship management network 11 and the card management system 12, between the service sub-network 14 and the user subscription data synchronization center 13 or the customer relationship management network 11, and between the user subscription data synchronization center 13 and the customer relationship management network 11, in each case to transmit data information. A terminal device 15 accesses the 5G commercial network through the service sub-network 14; the terminal device is any device that can access the 5G network, such as a smart watch, a smart speaker, a smart phone or a wireless terminal access device (CPE, Customer Premises Equipment). As shown in Fig. 1, the method includes steps S110 to S150.
S110, if the input key distribution instruction is received, the card management system generates a system initial key corresponding to the key distribution instruction and sends the system initial key to the client relationship management network.
If the input key distribution instruction is received, the card management system generates a system initial key corresponding to the key distribution instruction and sends the system initial key to the customer relationship management network. The card management system can receive the key distribution instruction, and if the instruction is received, the card management system generates a system initial key corresponding to the key distribution instruction and sends the system initial key to the customer relationship management network.
In one embodiment, as shown in fig. 3, step S110 includes sub-steps S111, S112 and S113.
S111, judging whether the secret key distribution instruction is of a first distribution type or not; s112, if the key distribution instruction is of a first distribution type, a prestored large network number segment key and a special user key corresponding to the key distribution instruction are obtained and combined to be used as a corresponding system initial key to be transmitted; and S113, if the key distribution instruction is not of the first distribution type, acquiring a special user key corresponding to the key distribution instruction as a corresponding system initial key to transmit.
The card management system can automatically trigger a key distribution instruction when a card is issued. The key distribution instruction contains the corresponding distribution type, by which the key system is divided into two types that are distributed to different 5G commercial networks. Specifically, it is judged whether the key distribution instruction is of the first distribution type; if so, the prestored large network number segment key and the dedicated user key corresponding to the instruction are obtained and combined to give the corresponding system initial key; if not, the dedicated user key corresponding to the instruction is obtained directly as the system initial key to be sent.
For example, to distinguish between multiple key systems, the key system associated with the large network number segment for commercial use is referred to as K4, and the key system dedicated to the customer's customized network is referred to as K4+X (X is chosen arbitrarily, e.g., K4P). The service sub-network can be divided into an intensive service sub-network and a sinking service sub-network; the intensive service sub-network obtains both key systems. If the key distribution instruction is of the first distribution type, i.e. it corresponds to the intensive service sub-network, K4+K4P is obtained as the system initial key, where K4 is used for the large network number segment and K4P for the sinking customized network number card of an exclusive user; if the key distribution instruction is not of the first distribution type, i.e. it corresponds to the sinking service sub-network, K4P alone is obtained as the system initial key, and the sinking service sub-network uses K4P for emergency use.
And S120, the customer relationship management network distributes the system initial secret key to the corresponding terminal equipment in the service subnet.
The customer relationship management network distributes the system initial key to the corresponding terminal equipment in the service subnet. The system initial key can be distributed through the customer relationship management network to the corresponding terminal equipment in the corresponding service sub-network, where the system initial key comprises at least one key system (K4+K4P or K4P). The terminal device side may be configured with a UDM (Unified Data Management) module corresponding to the service subnet, and a sinking UDM corresponding to the terminal device is configured in the sinking service subnet. The UDM decrypts with the pre-written key K4 to obtain the corresponding decrypted information; in the whole card data transmission process, the handling of K4 is the crux of card data security. If the UDM is sunk to the client side, the K4 value preset on the client-side UDM must be distinguished from the K4 value on the commercial network UDM, so that network isolation between the intensive service subnet and the sinking service subnet is realized.
The key systems between the sinking service subnets are mutually non-universal, the key system corresponding to the sinking service subnet A is K4A, and the key system corresponding to the sinking service subnet B is K4B.
And S130, the card management system generates an encryption verification key corresponding to the pre-stored user subscription data and sends the encryption verification key to the customer relationship management network.
And the card management system generates an encryption verification key corresponding to the pre-stored user subscription data and sends the encryption verification key to the customer relationship management network. After the card management system sends the initial key of the system, the card management system can also generate a corresponding encryption verification key according to the pre-stored user subscription data and send the encryption verification key to the customer relationship management network.
A user subscription data synchronization center is added between the sinking service sub-network and the customer relationship management network, and the customer relationship management network can send user subscription data to the corresponding managed sinking service sub-network by signaling forwarding (signaling interworking). The user subscription data synchronization center achieves topology hiding, signaling security isolation and signaling rate limiting/circuit breaking for the intensive commercial network (intensive service sub-network), prevents faults or security risks in the sinking service sub-network from propagating into the intensive 5GC, and ensures the operational security of the intensive commercial network's 5GC.
In one embodiment, as shown in fig. 4, step S130 includes sub-steps S131 and S132.
S131, encrypting a verification key corresponding to the user subscription data according to the system initial key to obtain a corresponding encrypted verification key; and S132, the encryption verification secret key is sent to a customer relationship management network corresponding to the management network code according to the management network code of the user subscription data.
Specifically, the verification key corresponding to the user subscription data may be encrypted with the system initial key to obtain the encryption verification key, which is then sent to the corresponding customer relationship management network according to the management network code in the user subscription data. The verification key comprises the OPC and KI information corresponding to the user subscription data; the OPC and KI information is encrypted with a DES algorithm, using the system initial key in the encryption step. After receiving the encryption verification key, the customer relationship management network decrypts it with the corresponding algorithm, again using the system initial key in the decryption step.
The management network code is the code information uniquely corresponding to each customer relationship management network, and different customer relationship management networks can be identified and distinguished through the management network code.
In one embodiment, as shown in fig. 5, step S131 is preceded by steps S1310 and S1320.
S1310, determining a corresponding service type according to the service subnet codes of the user subscription data; s1320, a group of verification keys corresponding to the user subscription data are obtained according to the service type, wherein the verification keys are intensive verification keys or sinking verification keys.
Specifically, the user subscription data includes a service subnet code, and a corresponding service type can be determined according to the service subnet code, for example, the service type can be an intensive service type or a sinking service type, the intensive service type corresponds to the intensive service subnet, and the sinking service type corresponds to the sinking service subnet.
A group of verification keys corresponding to the user subscription data can be obtained according to the service type, and if the service type is the intensive service type, the obtained verification keys are intensive verification keys; if the service type is a sinking service type, the acquired verification key is a sinking verification key.
In one embodiment, as shown in FIG. 6, step S1320 includes sub-steps S1321, S1322, S1323 and S1324.
S1321, acquiring a corresponding operator root key according to the operator information in the user subscription data; S1322, obtaining a corresponding authentication key according to the service type and the service subnet code in the user subscription data; S1323, combining the operator root key and the authentication key according to a preset calculation rule to obtain a corresponding first verification key; S1324, combining the first verification key with the authentication key to generate a corresponding set of verification keys.
The corresponding operator root key can be obtained according to the service type and the operator information in the user subscription data. The operator root key can be denoted OP; OP is a 128-bit configurable field, and in practice each province of the 5G2B private network has its own dedicated OP value. Further, the corresponding authentication key is obtained according to the service type and the service subnet code; the authentication key can be denoted Ki, different service subnet codes and service types correspond to different authentication keys, and the authentication key is a 128-bit string. The operator root key and the authentication key are combined according to the calculation rule to obtain the first verification key; the first verification key is the OPC information, also a 128-bit string. The first verification key is combined with the authentication key to generate the corresponding set of verification keys. Among the inputs to the 5G HE AV quintuple generated for authentication in the UDM, the most important are the OPC and KI information, so the security of the OPC and KI information must be ensured.
Because the pursuit of the sinking service subnetwork and the convergence service subnetwork is highly unified in the management of card parameters, the convergence 5GC (intensive service subnetwork) needs to share a set of OPC and KI with the sinking 5GC (sinking service subnetwork), and on this basis, the unification of interfaces such as card parameter management, authentication flow, service opening and the like can be ensured. Only in this way, the 5GC lightweight network elements can be totally sunk into the enterprise, production service data are all in the enterprise park through the data network element UPF, and meanwhile, the emergency signaling network elements AMF/SMF/UDM deployed in the park ensure that local service of the enterprise internal network is not influenced under the condition of large network disconnection (communication interruption), and better data and service isolation and reliability are provided for the enterprise. Sinking the UDM and intensive UDM can ensure the unification of card parameters, and also needs to ensure that OPC and KI of two sets of networks are completely isolated and cannot be deduced from each other.
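As an added illustration (not part of the patent), the following Go program walks steps S1321 to S1324 for two subscriptions, one on the intensive subnet and one on the sinking subnet. The patent does not name the "preset calculation rule"; the example assumes the 3GPP MILENAGE derivation OPc = AES_Ki(OP) XOR OP (TS 35.206). The key tables, operator names, subnet codes and the second OP/Ki pair are constructed values; the first OP/Ki pair is the public MILENAGE test set 1 from TS 35.208. The `Isolated` check expresses the requirement at the end of the paragraph above that the two networks share neither OPC nor Ki.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// ComputeOPc derives the first verification key (OPC) from the operator root
// key OP and the authentication key Ki. The patent only speaks of a "preset
// calculation rule"; the rule used here, OPc = AES_Ki(OP) XOR OP, is the
// MILENAGE one and is this example's assumption. All values are 16 bytes.
func ComputeOPc(op, ki []byte) ([]byte, error) {
	if len(op) != 16 || len(ki) != 16 {
		return nil, fmt.Errorf("OP and Ki must be 16 bytes, got %d and %d", len(op), len(ki))
	}
	block, err := aes.NewCipher(ki) // AES-128 keyed with Ki
	if err != nil {
		return nil, err
	}
	opc := make([]byte, 16)
	block.Encrypt(opc, op)
	for i := range opc {
		opc[i] ^= op[i]
	}
	return opc, nil
}

// VerificationKeySet is what the patent calls "a set of verification keys":
// the (OPC, Ki) pair the UDM needs as input to the 5G HE AV.
type VerificationKeySet struct {
	OPc []byte
	Ki  []byte
}

// Subscription holds the user subscription data fields used in S1321-S1322.
type Subscription struct {
	Operator    string // operator information -> selects OP
	ServiceType string // "intensive" (convergence) or "sinking"
	SubnetCode  string // service subnet code -> selects Ki together with ServiceType
}

// KeyStore models the card management system's key tables (hypothetical layout).
type KeyStore struct {
	OPByOperator map[string][]byte            // S1321: one OP per operator / network
	KiBySubnet   map[string]map[string][]byte // S1322: service type -> subnet code -> Ki
}

// DeriveVerificationKeys runs S1321-S1324 for one subscription.
func (ks *KeyStore) DeriveVerificationKeys(sub Subscription) (*VerificationKeySet, error) {
	op, ok := ks.OPByOperator[sub.Operator]
	if !ok {
		return nil, fmt.Errorf("no OP for operator %q", sub.Operator)
	}
	ki, ok := ks.KiBySubnet[sub.ServiceType][sub.SubnetCode]
	if !ok {
		return nil, fmt.Errorf("no Ki for %s subnet %q", sub.ServiceType, sub.SubnetCode)
	}
	opc, err := ComputeOPc(op, ki) // S1323
	if err != nil {
		return nil, err
	}
	return &VerificationKeySet{OPc: opc, Ki: ki}, nil // S1324
}

// Isolated reports whether two key sets share neither OPC nor Ki, the
// property the patent requires between the sinking UDM and the intensive UDM.
func Isolated(a, b *VerificationKeySet) bool {
	return !bytes.Equal(a.OPc, b.OPc) && !bytes.Equal(a.Ki, b.Ki)
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// ExampleStore returns constructed sample keys: the intensive OP/Ki pair is
// MILENAGE test set 1 from 3GPP TS 35.208; the sinking OP and Ki are made up.
func ExampleStore() *KeyStore {
	return &KeyStore{
		OPByOperator: map[string][]byte{
			"op-intensive": mustHex("cdc202d5123e20f62b6d676ac72cb318"),
			"op-sinking":   mustHex("00112233445566778899aabbccddeeff"),
		},
		KiBySubnet: map[string]map[string][]byte{
			"intensive": {"INT-01": mustHex("465b5ce8b199b49faa5f0a2ee238a6bc")},
			"sinking":   {"SNK-07": mustHex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")},
		},
	}
}

func main() {
	ks := ExampleStore()
	for _, sub := range []Subscription{
		{Operator: "op-intensive", ServiceType: "intensive", SubnetCode: "INT-01"},
		{Operator: "op-sinking", ServiceType: "sinking", SubnetCode: "SNK-07"},
	} {
		set, err := ks.DeriveVerificationKeys(sub)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-9s %s OPc=%x Ki=%x\n", sub.ServiceType, sub.SubnetCode, set.OPc, set.Ki)
	}
}
```

Because OPC is a keyed function of OP under Ki, knowing one network's OPC and Ki reveals nothing about the other network's OP as long as each network is provisioned with its own OP and its own Ki values, which is what the isolation requirement above amounts to in practice.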
S140, if the activation information sent by the terminal equipment is received, the customer relationship management network authenticates the activation information according to the encryption verification key to obtain an authentication result of whether the activation information passes or not.
If the activation information sent by the terminal equipment is received, the customer relationship management network authenticates the activation information according to the encryption verification key to obtain an authentication result of whether the activation information passes or not. When the user uses a device in which the SIM card is installed, the installed SIM card must first be authenticated; specifically, the terminal device may send activation information corresponding to the SIM card to the customer relationship management network. The customer relationship management network authenticates the activation information according to a pre-stored encryption verification key and obtains an authentication result of whether the activation information passes. If the authentication result is passed, the terminal equipment may use the SIM card to access the corresponding service subnet; if the authentication result is not passed, the terminal equipment is not allowed to access the corresponding service subnet.
In one embodiment, as shown in fig. 7, step S140 includes sub-steps S141 and S142.
S141, decrypting the activation information according to the system initial key to obtain corresponding activation decryption information; S142, judging whether the activation decryption information is consistent with the verification key corresponding to the encryption verification key, so as to obtain an authentication result of whether the activation decryption information passes.
Specifically, in order to authenticate the activation information, the activation information may be decrypted according to the key K4 in the system initial key to obtain the activation decryption information corresponding to the activation information, that is, the OPC and Ki values are obtained by decryption. After the activation decryption information is obtained, it can be judged whether it is consistent with the verification key corresponding to the encryption verification key, that is, whether the OPC and Ki values obtained by decryption are consistent with the OPC and Ki values originally generated. If they are consistent, a passing authentication result is obtained; if they are inconsistent, a non-passing authentication result is obtained.
S150, if the authentication result is passed, the customer relationship management network sends an access instruction to the corresponding service subnet so as to control the service subnet to access the terminal equipment.
If the authentication result is passed, the customer relationship management network sends an access instruction to the corresponding service subnet so as to control the service subnet to access the terminal equipment. That is, if the authentication result is passed, the customer relationship management network can send an access instruction to the corresponding service subnet, and the service subnet registers the terminal equipment and connects it to the network.
In one embodiment, as shown in fig. 8, step S150 includes sub-steps S151, S152 and S153.
S151, judging whether the service subnet code corresponding to the authentication result is matched with the first service type; S152, if it is matched with the first service type, sending an access instruction to the service subnet corresponding to the service subnet code; S153, if it is not matched with the first service type, sending an access instruction and transmitting the access instruction to the service subnet corresponding to the service subnet code through the user subscription data synchronization center.
Specifically, whether the service subnet code corresponding to the authentication result is matched with the first service type or not can be judged, if the service subnet code is matched with the first service type, the application scene is indicated to be the intensive service subnet at the moment, and an access instruction is sent to the service subnet corresponding to the service subnet code, and the access of the terminal equipment is controlled directly through the intensive service subnet. If the service type is not matched with the first service type, an access instruction is sent to the user subscription data synchronization center, the access instruction is forwarded to the corresponding service sub-network through the user subscription data synchronization center, and the service sub-network is controlled to access the corresponding terminal equipment.
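The activation check of S141/S142 and the routing decision of S151 to S153, as an added Go example that is not part of the patent. The patent says only that the activation information is decrypted with the key K4 from the system initial key and compared with the stored OPC/Ki; this example assumes AES-256-GCM as that cipher (so a tampered or wrongly keyed activation message already fails at decryption), a 32-byte K4, and constructed key values and subnet codes. The comparison in S142 is done in constant time, since it compares secret key material. `FirstServiceType` stands for the patent's "first service type", the intensive subnet reached directly by the customer relationship management network.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"io"
)

// FirstServiceType is the patent's "first service type": the intensive
// (convergence) subnet, which the CRM network addresses directly in S152.
const FirstServiceType = "intensive"

// VerificationKeys is the (OPC, Ki) pair the CRM network holds for a subscription.
type VerificationKeys struct {
	OPc [16]byte
	Ki  [16]byte
}

// gcmFor builds AES-GCM under K4. The patent says only "decrypted according
// to the key K4"; AES-256-GCM is this example's assumption for that cipher.
func gcmFor(k4 []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k4)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealActivation is the terminal side: it encrypts OPc||Ki under K4 to form
// the activation information, with the random nonce prepended.
func SealActivation(k4 []byte, keys VerificationKeys) ([]byte, error) {
	gcm, err := gcmFor(k4)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	payload := append(append([]byte{}, keys.OPc[:]...), keys.Ki[:]...)
	return gcm.Seal(nonce, nonce, payload, nil), nil
}

// Authenticate is S141 + S142 on the CRM side: decrypt with K4, then check
// that the recovered OPc||Ki equals the stored verification keys. A failed
// decryption (wrong K4, tampered message) or a mismatch both mean "not passed".
func Authenticate(k4, activation []byte, stored VerificationKeys) bool {
	gcm, err := gcmFor(k4)
	if err != nil || len(activation) < gcm.NonceSize() {
		return false
	}
	nonce, ct := activation[:gcm.NonceSize()], activation[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, nil) // S141: activation decryption information
	if err != nil || len(plain) != 32 {
		return false
	}
	expected := append(append([]byte{}, stored.OPc[:]...), stored.Ki[:]...)
	return subtle.ConstantTimeCompare(plain, expected) == 1 // S142, constant time
}

// AccessRoute is the outcome of S151-S153.
type AccessRoute struct {
	Direct bool   // true: CRM sends the access instruction straight to the subnet (S152)
	Subnet string // subnet code addressed; relayed via the sync center when !Direct (S153)
}

// RouteAccessInstruction issues an access instruction only for a passed result
// (S150) and picks the path from the subnet's service type (S151).
func RouteAccessInstruction(passed bool, subnetCode string, serviceTypeOf map[string]string) (AccessRoute, error) {
	if !passed {
		return AccessRoute{}, errors.New("authentication not passed: no access instruction issued")
	}
	st, ok := serviceTypeOf[subnetCode]
	if !ok {
		return AccessRoute{}, fmt.Errorf("unknown service subnet code %q", subnetCode)
	}
	return AccessRoute{Direct: st == FirstServiceType, Subnet: subnetCode}, nil
}

// SampleK4 returns a constructed 32-byte K4 for the example (not a real key).
func SampleK4() []byte {
	k := make([]byte, 32)
	for i := range k {
		k[i] = byte(i * 7)
	}
	return k
}

func main() {
	var stored VerificationKeys // constructed sample OPC/Ki values
	copy(stored.OPc[:], "opc-sample-16byt")
	copy(stored.Ki[:], "ki--sample-16byt")
	k4 := SampleK4()
	act, err := SealActivation(k4, stored)
	if err != nil {
		panic(err)
	}
	passed := Authenticate(k4, act, stored)
	route, err := RouteAccessInstruction(passed, "SNK-07", map[string]string{"INT-01": "intensive", "SNK-07": "sinking"})
	fmt.Println(passed, route, err)
}
```

In the scheme described above the whole check rests on the confidentiality of K4 and of the stored OPC/Ki; the customer relationship management network should therefore keep them in a protected store and record only the pass/fail result of S142, not the decrypted activation payload.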
Because more than two sets of system initial keys and encryption verification keys are used for data security management, the sinking lightweight 5GC service can be taken under management by the intensive network and share all resources of the commercial network, and when the commercial network fails it can be switched in an emergency to the sinking management plane (emergency UDM/SMF/AMF), so that the stability of park services is ensured; the park's sinking customized network never poses a hidden risk to the commercial network.
In the method for managing data security of a sinking private network based on a 5G commercial network provided by the embodiment of the present invention, if a key distribution instruction is received, a card management system generates a system initial key and sends the system initial key to a customer relationship management network, the customer relationship management network distributes the system initial key to a corresponding terminal device, the card management system generates an encryption verification key corresponding to user subscription data and sends the encryption verification key to the customer relationship management network, the customer relationship management network authenticates activation information from the terminal device, and if the authentication result is passed, an access instruction is sent to a corresponding service subnet to control the service subnet to access the terminal device. By the method, the system initial key and the encryption verification key can be flexibly selected according to different service sub-network types to be sent, the method is applicable to the intensive service sub-network and the sinking service sub-network at the same time, the problem of safety isolation between the customized network and the commercial network is solved, the intensive management of the commercial 5G customized network is realized, and the data safety management cost of the commercial 5G customized network is reduced.
The embodiment of the invention also provides a sinking private network data security management system based on the 5G commercial network, which is used for executing any embodiment of the sinking private network data security management method based on the 5G commercial network. Specifically, referring to fig. 9, fig. 9 is a schematic block diagram of a sinking private network data security management system based on a 5G commercial network according to an embodiment of the present invention.
As shown in fig. 9, the sinking private network data security management system 10 based on the 5G commercial network includes a customer relationship management network 11, a card management system 12, a user subscription data synchronization center 13 and a service subnetwork 14, wherein network connection is established between the customer relationship management network 11 and the card management system 12 to realize data information transmission, network connection is established between the service subnetwork 14 and the user subscription data synchronization center 13 or the customer relationship management network 11 to realize data information transmission, and network connection is established between the user subscription data synchronization center 13 and the customer relationship management network 11 to realize data information transmission; the system includes a system initial key distribution unit 121, an encryption verification key transmission unit 122, which are disposed in the card management system 12, a first transmission unit 111, an authentication unit 112, and an access instruction transmission unit 113, which are disposed in the customer relationship management network 11.
The system initial key distribution unit 121 is configured to, if receiving an input key distribution instruction, generate a system initial key corresponding to the key distribution instruction, and send the system initial key to the customer relationship management network.
The first sending unit 111 is configured to distribute the system initial key to a corresponding terminal device in the service subnet.
The encryption verification key sending unit 122 is configured to generate an encryption verification key corresponding to pre-stored user subscription data and send the encryption verification key to the customer relationship management network.
The authentication unit 112 is configured to, if receiving the activation information sent by the terminal device, authenticate the activation information according to the encryption verification key and obtain an authentication result of whether the activation information passes or not.
The access instruction sending unit 113 is configured to send an access instruction to the corresponding service subnet to control the service subnet to access the terminal device if the authentication result is passed.
The sinking private network data security management system based on the 5G commercial network provided by the embodiment of the invention applies the sinking private network data security management method based on the 5G commercial network, if a key distribution instruction is received, the card management system generates a system initial key and sends the system initial key to the client relationship management network, the client relationship management network distributes the system initial key to the corresponding terminal equipment, the card management system generates an encryption verification key corresponding to user subscription data and sends the encryption verification key to the client relationship management network, the client relationship management network authenticates the activation information from the terminal equipment, and if the authentication result is passed, an access instruction is sent to the corresponding service sub-network so as to control the service sub-network to access the terminal equipment. By the method, the system initial key and the encryption verification key can be flexibly selected according to different service sub-network types to be sent, the method is applicable to the intensive service sub-network and the sinking service sub-network at the same time, the problem of safety isolation between the customized network and the commercial network is solved, the intensive management of the commercial 5G customized network is realized, and the data safety management cost of the commercial 5G customized network is reduced.
The above-mentioned sinking private network data security management method based on the 5G commercial network may be implemented in the form of a computer program, and both the customer relationship management network and the card management system in the sinking private network data security management system based on the 5G commercial network may be implemented as a computer device, where the computer program may run on the computer device as shown in fig. 10.
Referring to fig. 10, fig. 10 is a schematic block diagram of a computer device according to an embodiment of the present invention. The computer device may be a customer relationship management network and a card management system for executing a sinking private network data security management method based on a 5G commercial network to implement data security management of the commercial 5G customized network.
With reference to fig. 10, the computer device 500 includes a processor 502, a memory, and a network interface 505, which are connected by a system bus 501, wherein the memory may include a storage medium 503 and an internal memory 504.
The storage medium 503 may store an operating system 5031 and a computer program 5032. The computer program 5032, when executed, may cause the processor 502 to perform a method for managing sinking private network data security based on a 5G commercial network, where the storage medium 503 may be a volatile storage medium or a nonvolatile storage medium.
The processor 502 is used to provide computing and control capabilities to support the operation of the overall computer device 500.
The internal memory 504 provides an environment for the execution of the computer program 5032 in the storage medium 503, which computer program 5032, when executed by the processor 502, causes the processor 502 to perform a method for managing sinking private network data security based on a 5G commercial network.
The network interface 505 is used for network communication, such as wired network communication and/or wireless network communication, to provide for the transmission of data information. It will be appreciated by those skilled in the art that the structure shown in FIG. 10 is merely a block diagram of some of the structures associated with the present inventive arrangements and does not constitute a limitation of the computer device 500 to which the present inventive arrangements may be applied, and that a particular computer device 500 may include more or fewer components than shown, or may combine certain components, or may have a different arrangement of components.
The processor 502 is configured to execute a computer program 5032 stored in a memory, so as to implement the corresponding functions in the method for managing data security of a sinking private network based on a 5G commercial network.
Those skilled in the art will appreciate that the embodiment of the computer device shown in fig. 10 is not limiting of the specific construction of the computer device, and in other embodiments, the computer device may include more or less components than those shown, or certain components may be combined, or a different arrangement of components. For example, in some embodiments, the computer device may include only a memory and a processor, and in such embodiments, the structure and function of the memory and the processor are consistent with the embodiment shown in fig. 10, and will not be described again.
It should be appreciated that in an embodiment of the invention, the processor 502 may be a central processing unit (Central Processing Unit, CPU), and the processor 502 may also be another general purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
In another embodiment of the invention, a computer-readable storage medium is provided. The computer-readable storage medium may be a volatile or nonvolatile computer-readable storage medium. The computer-readable storage medium stores a first computer program, a second computer program or a third computer program; when the first computer program is executed by a first processor, the second computer program by a second processor and the third computer program by a third processor, they collectively implement the steps of the above-described method for managing data security of a sinking private network based on a 5G commercial network.
It will be clearly understood by those skilled in the art that, for convenience and brevity of description, specific working procedures of the apparatus, device and unit described above may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein. Those of ordinary skill in the art will appreciate that the elements and algorithm steps described in connection with the embodiments disclosed herein may be embodied in electronic hardware, in computer software, or in a combination of the two, and that the elements and steps of the examples have been generally described in terms of function in the foregoing description to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the several embodiments provided by the present invention, it should be understood that the disclosed apparatus, device and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, and for example, the division of the units is merely a logical function division, there may be another division manner in actual implementation, or units having the same function may be integrated into one unit, for example, multiple units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. In addition, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices, or elements, or may be an electrical, mechanical, or other form of connection.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the embodiment of the present invention.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention is essentially or part of what contributes to the prior art, or all or part of the technical solution may be embodied in the form of a software product stored in a computer-readable storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned computer-readable storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a magnetic disk, an optical disk, or other various media capable of storing program codes.
While the invention has been described with reference to certain preferred embodiments, it will be understood by those skilled in the art that various changes and substitutions of equivalents may be made and equivalents will be apparent to those skilled in the art without departing from the scope of the invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.
Claims (10)
1. A sinking private network data security management method based on a 5G commercial network, characterized in that the method is applied to a data security management system, the system comprising a customer relationship management network, a card management system, a user subscription data synchronization center and a service subnet, wherein a network connection is established between the customer relationship management network and the card management system to realize data information transmission, a network connection is established between the service subnet and the user subscription data synchronization center or the customer relationship management network to realize data information transmission, and a network connection is established between the user subscription data synchronization center and the customer relationship management network to realize data information transmission; the method comprises:
if the input key distribution instruction is received, the card management system generates a system initial key corresponding to the key distribution instruction and sends the system initial key to the client relationship management network;
The customer relationship management network distributes the system initial secret key to corresponding terminal equipment in the service subnet;
the card management system generates an encryption verification key corresponding to pre-stored user subscription data and sends the encryption verification key to the customer relationship management network;
if the activation information sent by the terminal equipment is received, the customer relationship management network authenticates the activation information according to the encryption verification secret key to obtain an authentication result of whether the activation information passes or not;
and if the authentication result is passed, the client relationship management network sends an access instruction to the corresponding service subnet so as to control the service subnet to access the terminal equipment.
2. The method for managing data security of a sinking private network based on a 5G commercial network according to claim 1, wherein generating a system initial key corresponding to the key distribution instruction and transmitting the system initial key to the customer relationship management network comprises:
judging whether the secret key distribution instruction is of a first distribution type or not;
if the key distribution instruction is of a first distribution type, a prestored large network number segment key and a special user key corresponding to the key distribution instruction are obtained and combined to be used as a corresponding system initial key to be transmitted;
And if the key distribution instruction is not of the first distribution type, acquiring a special user key corresponding to the key distribution instruction as a corresponding system initial key to transmit.
3. The method for managing data security of a sinking private network based on a 5G commercial network according to claim 1, wherein the generating and transmitting the encrypted verification key corresponding to the pre-stored subscriber subscription data to the customer relationship management network comprises:
encrypting a verification key corresponding to the user subscription data according to the system initial key to obtain a corresponding encrypted verification key;
and sending the encryption verification key to a customer relationship management network corresponding to the management network code according to the management network code of the user subscription data.
4. The method for managing data security of a sinking private network based on a 5G commercial network according to claim 3, wherein before encrypting the verification key corresponding to the user subscription data according to the system initial key, further comprises:
determining a corresponding service type according to the service subnet code of the user subscription data;
and acquiring a group of verification keys corresponding to the user subscription data according to the service type, wherein the verification keys are intensive verification keys or sinking verification keys.
5. The method for managing data security of a sinking private network based on a 5G commercial network according to claim 4, wherein the obtaining a set of authentication keys corresponding to the user subscription data according to the service type comprises:
acquiring a corresponding operator root key according to the operator information in the user subscription data;
acquiring a corresponding authentication key according to the service type and the service subnet code in the user subscription data;
combining the operator root key and the authentication key according to a preset calculation rule to obtain a corresponding first verification key;
the first verification key is combined with the authentication key to generate a corresponding set of verification keys.
6. The method for managing data security of a sinking private network based on a 5G commercial network according to claim 1, wherein the authenticating the activation information according to the encryption verification key to obtain the authentication result of whether the activation information passes or not comprises:
decrypting the activation information according to the system initial key to obtain corresponding activation decryption information;
and judging whether the activation decryption information is consistent with the verification key corresponding to the encryption verification key, so as to obtain an authentication result of whether the activation decryption information passes.
7. The method for managing data security of a sinking private network based on a 5G commercial network according to claim 1, wherein the sending an access instruction to the corresponding service subnet to control the service subnet to access the terminal device comprises:
judging whether the service subnet code corresponding to the authentication result is matched with the first service type;
if the authentication result is matched with the first service type, sending an access instruction to a service subnet corresponding to the service subnet code;
and if the authentication result is not matched with the first service type, sending an access instruction and transmitting the access instruction to a service subnet corresponding to the service subnet code through the user subscription data synchronization center.
8. A sinking private network data security management system based on a 5G commercial network, characterized in that the system comprises a customer relationship management network, a card management system, a user subscription data synchronization center and a service subnet, wherein a network connection is established between the customer relationship management network and the card management system to realize data information transmission, a network connection is established between the service subnet and the user subscription data synchronization center or the customer relationship management network to realize data information transmission, and a network connection is established between the user subscription data synchronization center and the customer relationship management network to realize data information transmission; the system comprises a system initial key distribution unit and an encryption verification key sending unit configured in the card management system, and a first sending unit, an authentication unit and an access instruction sending unit configured in the customer relationship management network;
The system initial key distribution unit is used for generating a system initial key corresponding to the key distribution instruction and sending the system initial key to the client relationship management network if the input key distribution instruction is received;
the first sending unit is configured to distribute the system initial secret key to a corresponding terminal device in the service subnet;
the encryption verification key sending unit is used for generating an encryption verification key corresponding to pre-stored user subscription data and sending the encryption verification key to the client relationship management network;
the authentication unit is used for authenticating the activation information according to the encryption verification key if the activation information sent by the terminal equipment is received, so as to obtain an authentication result whether the activation information passes or not;
and the access instruction sending unit is used for sending an access instruction to the corresponding service subnet if the authentication result is passed so as to control the service subnet to access the terminal equipment.
9. A system for managing data security of a sinking private network based on a 5G commercial network, the system comprising a customer relationship management network, a card management system, a user subscription data synchronization center and a service subnet, the card management system comprising a first memory, a first processor and a first computer program stored on the first memory and executable on the first processor, the customer relationship management network comprising a second memory, a second processor and a second computer program stored on the second memory and executable on the second processor, characterized in that, when the first processor executes the first computer program and the second processor executes the second computer program, they together implement the method for managing data security of a sinking private network based on a 5G commercial network according to any one of claims 1 to 7.
10. A computer-readable storage medium, wherein the computer-readable storage medium stores a first computer program and a second computer program which, when the first computer program is executed by a first processor and the second computer program is executed by a second processor, collectively implement the 5G commercial network-based sinking private network data security management method according to any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211741484.6A CN116321138A (en) | 2022-12-31 | 2022-12-31 | Sinking private network data security management method, system and medium based on 5G commercial network |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116321138A true CN116321138A (en) | 2023-06-23 |
Family
ID=86813928
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211741484.6A Pending CN116321138A (en) | 2022-12-31 | 2022-12-31 | Sinking private network data security management method, system and medium based on 5G commercial network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116321138A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117896710A (en) * | 2023-12-22 | 2024-04-16 | 天翼物联科技有限公司 | Private network access control method and device, electronic equipment and storage medium |
2022
- 2022-12-31 CN CN202211741484.6A patent/CN116321138A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106664311B (en) | | Supporting differentiated secure communications between heterogeneous electronic devices |
US11570159B2 (en) | | Secure key management in a high volume device deployment |
US11824978B2 (en) | | Cryptographic key generation system and method |
US10951467B2 (en) | | Secure enabling and disabling points of entry on a device remotely or locally |
EP3920503B1 (en) | | Resource request method, device and storage medium |
CN113411187B (en) | | Identity authentication method and system, storage medium and processor |
US11438162B2 (en) | | Network device authentication |
CN110383755A (en) | | The network equipment and trusted third party's equipment |
CN116321138A (en) | | Sinking private network data security management method, system and medium based on 5G commercial network |
US20200112563A1 (en) | | System and method for secure onboarding of network devices |
CN113141333A (en) | | Communication method, device, server, system and storage medium for network access device |
CN113647051B (en) | | System and method for secure electronic data transmission |
WO2018172776A1 (en) | | Secure transfer of data between internet of things devices |
KR101690093B1 (en) | | Controlled security domains |
CN110995516B (en) | | Method and device for constructing data transmission network, storage medium and processor |
US20210243034A1 (en) | | Authentication without pre-known credentials |
CN116158054A (en) | | Access token using method and equipment |
KR20220134604A (en) | | Secure communication between device and remote server |
US11818110B2 (en) | | Method and apparatus for providing secure short-lived downloadable debugging tools |
CN215734303U (en) | | Internet of things system and internet of things safety box |
US20220278961A1 (en) | | Symmetric key generation, authentication and communication between a plurality of entities in a network |
GB2560895A (en) | | Secure transfer of data between internet of things devices |
US20070217376A1 (en) | | Authentication of wireless access nodes |
CN118646535A (en) | | IROS node key negotiation method, system, equipment and medium |
CN117254906A (en) | | Public key encryption method supporting bidirectional access control and capable of being obligated |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||