CN116347443A - Base station access control method, base station, block chain system and storage medium - Google Patents


Info

Publication number
CN116347443A
Authority
CN
China
Prior art keywords
base station
identity
information
certificate
request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111578563.5A
Other languages
Chinese (zh)
Inventor
侯芳
范璟玮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZTE Corp
Priority to CN202111578563.5A
Priority to PCT/CN2022/140789 (published as WO2023116784A1)
Publication of CN116347443A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H04W48/00 Access restriction; Network selection; Access point selection
    • H04W48/20 Selecting an access point
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/70 Admission control; Resource allocation
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 ... using cryptographic hash functions
    • H04L9/3239 ... involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • H04L9/3263 ... involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Abstract

The invention discloses a base station access control method, an electronic device and a computer-readable storage medium. The base station access control method is applied to a base station and comprises the following steps: sending first authentication request information to a blockchain system, where the first authentication request information carries an identity certificate of the base station; acquiring first identity certificate issuing information sent by the blockchain system, where the first identity certificate issuing information is generated by the blockchain system from the identity certificate once the blockchain system has confirmed, on the basis of the first authentication request information, that the identity certificate is stored; and accessing the gateway according to the first identity certificate issuing information. According to the embodiment of the invention, the identity certificate of the base station can be brought into the blockchain system for management, and the effectiveness and correctness of certificate management are improved.

Description

Base station access control method, base station, block chain system and storage medium
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a base station access control method, a base station, a blockchain system, and a computer readable storage medium.
Background
At present, the access network and the core network of 4G/5G communication use X.509 certificates based on a public key infrastructure (Public Key Infrastructure, PKI) to perform access authentication of devices, network elements and functional modules. In this scheme a certificate authority (Certificate Authority, CA) acts as the trusted third party and as the manager of certificates, which is a centralized mode. However, the massive growth of Internet of Things (IoT) access devices, together with requirements such as zero trust for encrypted transmission of the hypertext transfer protocol (HyperText Transfer Protocol, HTTP) and the domain name system (Domain Name System, DNS), expose the CA-based PKI design to high security risk, so that certificate management cannot be performed correctly and effectively.
Disclosure of Invention
The embodiment of the invention provides a base station access control method, electronic equipment and a computer readable storage medium, which can bring an identity certificate of a base station into a blockchain system for management and improve the effectiveness and the correctness of certificate management.
In a first aspect, an embodiment of the present invention provides a base station access control method, applied to a base station, where the method includes: sending first authentication request information to a blockchain system, wherein the first authentication request information carries an identity certificate of the base station;
acquiring first identity certificate issuing information sent by the blockchain system, wherein the first identity certificate issuing information is generated according to the identity certificate by the blockchain system under the condition that the identity certificate is confirmed to be stored based on the first authentication request information;
and accessing the gateway according to the first identity certificate issuing information.
In a second aspect, an embodiment of the present invention provides a base station access control method, applied to a blockchain system, where the method includes: receiving first authentication request information sent by a base station, where the first authentication request information carries an identity certificate of the base station;
generating first identity certificate issuing information from the identity certificate once it has been confirmed, on the basis of the first authentication request information, that the identity certificate is stored;
and sending the first identity certificate issuing information, used for accessing the gateway, to the base station.
In a third aspect, an embodiment of the present invention provides a base station, including: a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the base station access control method according to the first aspect when executing the computer program.
In a fourth aspect, embodiments of the present invention provide a blockchain system, comprising: a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the base station access control method according to the second aspect when the computer program is executed.
In a fifth aspect, an embodiment of the present invention provides a computer-readable storage medium storing computer-executable instructions for causing a computer to perform the base station access control method according to the first or second aspect.
The embodiment of the invention comprises the following: the base station access control method applied to the base station comprises sending first authentication request information to a blockchain system, where the first authentication request information carries an identity certificate of the base station; acquiring first identity certificate issuing information sent by the blockchain system, where the first identity certificate issuing information is generated by the blockchain system from the identity certificate once it has confirmed, on the basis of the first authentication request information, that the identity certificate is stored; and accessing the gateway according to the first identity certificate issuing information. According to the scheme provided by the embodiment of the invention, because the first authentication request information sent by the base station carries the related identity certificate, the blockchain system acquires the identity certificate of the base station at the same time as it acquires the first authentication request information. Once the blockchain system has confirmed, on the basis of the first authentication request information, that the identity certificate is stored, it generates the first identity certificate issuing information and sends it to the base station, thereby informing the base station that its identity certificate has been taken into the blockchain system for management. The base station then accesses a gateway according to the first identity certificate issuing information, so that access control of the base station is realized and the effectiveness and correctness of certificate management are improved.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate and do not limit the invention.
Fig. 1 is a schematic diagram of a system architecture for performing a base station access control method according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a system framework of a base station access control method according to an embodiment;
Fig. 3 is a flowchart of a base station access control method according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of a conventional CA registration audit method;
Fig. 5 is a schematic diagram of a model of an identity credential provided by one embodiment of the present invention;
Fig. 6 is a flowchart of a specific method of step S300 in Fig. 3;
Fig. 7 is a flowchart of a base station access control method according to an embodiment of the present invention;
Fig. 8 is a flowchart of a base station access control method according to an embodiment of the present invention;
Fig. 9 is a flowchart of a base station access control method according to an embodiment of the present invention;
Fig. 10 is a flowchart of a base station access control method according to another embodiment of the present invention;
Fig. 11 is a flowchart of a base station access control method according to another embodiment of the present invention;
Fig. 12 is a flowchart of a base station access control method according to another embodiment of the present invention;
Fig. 13 is a flowchart of a base station access control method according to another embodiment of the present invention;
Fig. 14 is a schematic diagram of a system framework of a base station accessing a gateway, provided by a specific example of the present invention;
Fig. 15 is a flowchart of a base station access control method according to another embodiment of the present invention;
Fig. 16 is a schematic diagram of a system framework for network management user authorization, provided by a specific example of the present invention;
Fig. 17 is a flowchart of a base station access control method according to another embodiment of the present invention;
Fig. 18 is a schematic diagram of a system framework for network management user authentication according to a specific example of the present invention;
Fig. 19 is a flowchart of a base station access control method according to another embodiment of the present invention;
Fig. 20 is a schematic diagram of an architecture for verifying a server certificate according to a TLSA record, provided by a specific example.
Detailed Description
The present invention will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
It should be noted that in the description of embodiments of the present invention, the terms "first," "second," and the like in the description, the claims and the foregoing drawings are used for distinguishing between similar objects and are not to be construed as indicating or implying relative importance, implicitly indicating the number of technical features indicated, or implicitly indicating the precedence of the technical features indicated. "At least one" means one or more, and "a plurality" means two or more. "And/or" describes an association relation between associated objects and indicates that three kinds of relation may exist; for example, "A and/or B" may indicate that A exists alone, that A and B exist together, or that B exists alone, where A and B may each be singular or plural. The character "/" generally indicates that the objects it connects are in an "or" relationship. Although functional block diagrams are depicted in the device diagrams and logical orders are depicted in the flowcharts, in some cases the steps shown or described may be performed in an order different from that in the block diagrams of the device or in the flowcharts.
In addition, the technical features of the embodiments of the present invention described below may be combined with each other as long as they do not collide with each other.
The invention provides a base station access control method, an electronic device and a computer-readable storage medium. Because the first authentication request information sent by a base station carries the related identity certificate, the blockchain system acquires the identity certificate of the base station at the same time as it acquires the first authentication request information. Once the blockchain system has confirmed, on the basis of the first authentication request information, that the identity certificate is stored, it generates first identity certificate issuing information and sends it to the base station, thereby informing the base station that its identity certificate is managed by the blockchain system. The base station then accesses a gateway according to the first identity certificate issuing information, which realizes base station access control and improves the validity and correctness of certificate management.
Embodiments of the present invention will be further described below with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of a system architecture for performing a base station access control method according to an embodiment of the present invention.
As can be seen from the figure, the blockchain network 100 is mainly composed of a base station 200 and a blockchain system 300. The base station 200 is divided into a base station identity client management end and a base station identity management server end, and the blockchain system 300 includes a blockchain certificate system and a blockchain identity system. The blockchain identity system mainly stores the identity certificates of the base station 200 and of other devices, so that the base station 200 or the other devices can request their identity certificates and thereby access a gateway. The blockchain certificate system is used for authorization authentication of the base station 200 or of network management devices, and facilitates the authentication of identity certificates by the base station 200 or the network management devices.
The blockchain network 100 mainly addresses the security threats to 5G base station equipment. At present, the security threats to 5G fall mainly into four aspects: first, threats to the hardware, software and network infrastructure that make up the base station; second, air-interface threats to the information transmitted over the air interface connected to the NG-UE; third, threats to the transport network and to the information on the N2 (RAN -> AMF) and N3 (RAN -> UPF) interfaces connected to the 5G core network; fourth, threats to the management plane over which the base station connects to the network management system.
Looking at the base station security boundary, besides the identity authentication of the base station toward the Security Gateway (SEG), there are two further key elements, namely network management user access control and DNS request authentication. The invention manages identity authentication on the basis of a blockchain by introducing DANE (DNS-based Authentication of Named Entities, a DNSSEC-based mechanism for securing the transport layer security protocol) into DNS together with a blockchain.
As shown in fig. 2, fig. 2 is a schematic diagram of a system framework of a base station access control method according to an embodiment.
In the system framework of the base station access control method, a blockchain-based user certificate management system is combined with a certificate publication technique based on DNS security extensions (Domain Name System Security Extensions, DNSSEC). On the one hand, the base station realizes the issuing, updating and authentication of user certificates by establishing a blockchain user certificate management subsystem. If, in addition, the authorized serial number of the network management device or the login identity is introduced into the user certificate, for example as a hash digest of the user name and password, double authentication of the user key and the user device can be realized, which further improves security; and if more edge devices are connected in the future through the blockchain certificate management system, the user certificate type can be unified and the management complexity of the server side reduced.
On the other hand, considering that the server side commonly publishes its service address through a domain name, the DANE technique is reused: the certificate of the server side can be associated through a TLSA record and published in the DNS system, and the client side uses the DNSSEC mechanism to verify the identity of the server side. This reduces the cost of issuing server certificates, simplifies the verification flow of the client side, and realizes secure and reliable bidirectional identity authentication that does not depend on a CA.
Compared with the X.509 certificate of a conventional CA used by a base station, if an authorization list, such as a list of network management users or devices, is added, an attacker must obtain both the user private key and the authorized user information in order to impersonate the identity.
In one embodiment, the security mechanism of DNS is described in detail below for more clarity.
Any device that wants to access the internet must be provided with DNS service, but the design of DNS did not take security into much account at the beginning: DNS itself cannot verify the authenticity of a response, and the source IP address of a DNS response packet is easily spoofed or forged.
DNSSEC is the formally released and widely applied DNS security enhancement scheme at present. It can effectively prevent DNS cache pollution and uses digital signatures based on public key cryptography. The certificate and private key are generated and self-signed on the server itself; unlike HTTPS, no root certificate issuer is needed. During authentication the domain name recursive resolver starts from the root domain name server and resolves downwards layer by layer, verifying the integrity of the public key of each domain and thereby ensuring that the public key of each level of domain is trusted. Rather than cryptographically signing the DNS query and response themselves, the data owner signs the DNS data with a private key, which strengthens DNS verification, i.e. it verifies the origin of the DNS data and protects the integrity of the data.
DANE is a security protocol that only works when DNSSEC is enabled, and it publishes digital certificates through the DNS service; this allows declaring which certificate is to be expected, whether one issued by a CA, a self-signed certificate, or ultimately the specific desired certificate. The method verifies an instance by its DNS name: a TLSA record is used to prove that a certain certificate is trusted, and at the same time the problem that DNSSEC cannot protect access privacy is addressed.
It allows transport layer security (Transport Layer Security, TLS) keys to be published in a zone for applications such as mail transfer, allows certificates to be bound to DNS names, provides additional assurance for the traditional PKIX (Public Key Infrastructure for X.509 certificates) based model, and enables domain owners to declare certificates for themselves without reference to third-party certificate authorities, surpassing the standard HTTPS protocol in protecting the chain of trust between server, certificate authority and user.
Traditional DNS servers assert their authority over a domain by providing PKIX digital certificates (RFC 5280). At the time of access authentication, the client, e.g. the DNS proxy in the base station, determines whether it is a trusted DNS server by evaluating the certificate. The evaluation mainly checks whether the certificate contains the required domain name and whether the certificate is issued by a trusted trust anchor (e.g. a trusted CA). The problem is that current browsers or operating systems may use a large number of default trust anchors, so the trust anchors have very wide authority; at the same time, manually deleting trust anchors is troublesome, which leads to insecurity. DANE limits the scope in which a trust anchor can be used.
In one embodiment, in order to solve the constraint problem described above, the TLSA record is described in detail below.
DANE defines a DNS resource record type, TLSA, for describing the declaration of certificates associated with a domain. Each TLSA record has three basic fields; the client looks the record up when it wants to connect to a domain and applies its constraint when verifying the certificate of the server. In use, DANE allows the browser to examine the TLSA record to obtain a public fingerprint of the certificate that the user has marked as trusted. This may be an intermediate certificate of the CA that issued the certificate on the server, or it may be a fingerprint of the certificate itself. A TLSA record can easily be created with a generator (e.g. openssl, the online website Generate TLSA Record, etc.).
The elements of a TLSA record are as follows:
Usage: what type of statement this record makes;
for example: 3 PKIX-EE, a service certificate constraint specifying the exact transport layer security (Transport Layer Security, TLS) certificate that should be used for a domain name;
Selector: how the TLS certificate chain should be matched against this record (e.g. by exact match, by public key, or by SHA-1 digest);
for example: 0 Cert, use the entire certificate;
Matching type:
for example: 2 SHA-512, a SHA-512 hash;
Certificate association data: the actual data (here for the record of _443._tcp.zte.com) that the associated TLS certificate chain should match.
Putting these together, the record reads: 3 0 2 XXXXXXXXX
A certificate based on the DNSSEC system, like the identity certificate authentication of a conventional base station, has its own chain of trust; the difference is that DNS chain-of-trust resolution is iterative, and the certificate is issued by each level of domain server itself rather than by a CA. For the base station, without a blockchain-based certificate system it would need to maintain the lifecycle management of two certificates at the same time; by using the blockchain system, the certificates and their management can be pushed onto the chain, and the local base station only needs to match the TLSA record against the result returned by the identity authentication blockchain.
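As an added illustration that is not part of the patent, the following Python example parses a TLSA record in the presentation form shown above ("usage selector matching-type data") and performs the matching step a client such as the base station's DNS proxy applies to the server certificate, covering all selector and matching-type values rather than only the "3 0 2" case. It follows the RFC 6698 numbering, in which usage 3 is DANE-EE and usage 1 is PKIX-EE; the certificate and SubjectPublicKeyInfo bytes are constructed samples, and extraction of the SubjectPublicKeyInfo from a real DER certificate is assumed to happen elsewhere.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Field values from RFC 6698. The page's sample record "3 0 2 <hex>" selects
# usage 3, selector 0 (full certificate) and matching type 2 (SHA-512).
USAGE_PKIX_TA, USAGE_PKIX_EE, USAGE_DANE_TA, USAGE_DANE_EE = 0, 1, 2, 3
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    cert_assoc_data: bytes  # the "Certificate Association Data" field

    @classmethod
    def from_presentation(cls, text: str) -> "TLSARecord":
        """Parse the zone-file form '<usage> <selector> <matching type> <hex data>'."""
        parts = text.split()
        if len(parts) < 4:
            raise ValueError("TLSA record needs usage, selector, matching type and data")
        usage, selector, mtype = (int(p) for p in parts[:3])
        if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
            raise ValueError("unknown TLSA field value")
        # The hex data may be split into several whitespace-separated groups in a zone file.
        return cls(usage, selector, mtype, bytes.fromhex("".join(parts[3:])))


def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name the client queries for a service, e.g. _443._tcp.zte.com."""
    return f"_{port}._{proto}.{host}"


def association_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """Compute the value the record must carry for this certificate (RFC 6698 section 2.1).
    spki_der is the DER SubjectPublicKeyInfo already extracted from the certificate;
    ASN.1 parsing is assumed to be done elsewhere."""
    selected = cert_der if selector == SELECTOR_FULL_CERT else spki_der
    if mtype == MATCH_EXACT:
        return selected
    if mtype == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def tlsa_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes,
                 pkix_valid: bool = False) -> bool:
    """Decide whether the presented end-entity certificate satisfies the record.

    Usage 1 (PKIX-EE) additionally requires ordinary PKIX chain validation to have
    succeeded (pkix_valid); usage 3 (DANE-EE) does not, which is what lets DANE drop
    the dependency on a CA. Usages 0 and 2 constrain a trust anchor somewhere in the
    chain rather than the end-entity certificate and are not handled by this check."""
    if record.usage not in (USAGE_PKIX_EE, USAGE_DANE_EE):
        return False
    if record.usage == USAGE_PKIX_EE and not pkix_valid:
        return False
    expected = association_data(cert_der, spki_der, record.selector, record.matching_type)
    # Constant-time comparison so the check does not leak how many leading bytes matched.
    return hmac.compare_digest(expected, record.cert_assoc_data)


# Constructed sample input (not real DER): stands in for the server certificate and
# its SubjectPublicKeyInfo as the client would receive them in the TLS handshake.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-sample-certificate-bytes"
SAMPLE_SPKI_DER = b"\x30\x59constructed-sample-subject-public-key-info"


def sample_record_text(usage: int, selector: int, mtype: int) -> str:
    """Build the presentation-format record the domain owner would publish for the sample."""
    data = association_data(SAMPLE_CERT_DER, SAMPLE_SPKI_DER, selector, mtype)
    return f"{usage} {selector} {mtype} {data.hex()}"


if __name__ == "__main__":
    text = sample_record_text(USAGE_DANE_EE, SELECTOR_FULL_CERT, MATCH_SHA512)
    rec = TLSARecord.from_presentation(text)
    print(tlsa_owner_name("zte.com", 443), "IN TLSA", text[:40] + "...")
    print("genuine certificate accepted:", tlsa_matches(rec, SAMPLE_CERT_DER, SAMPLE_SPKI_DER))
    print("altered certificate accepted:",
          tlsa_matches(rec, SAMPLE_CERT_DER + b"\x00", SAMPLE_SPKI_DER))
```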
As shown in fig. 3, fig. 3 is a flowchart of a base station access control method according to an embodiment of the present invention, which is applied to a base station, and the base station access control method includes, but is not limited to, steps S100 to S300.
Step S100: sending first authentication request information to the blockchain system, where the first authentication request information carries an identity certificate of the base station.
In an embodiment, the base station sends first authentication request information to the blockchain system, where the first authentication request information carries the certificate content and the related identity information of the base station, so that the blockchain system can conveniently verify the first authentication request information.
It may be appreciated that the first authentication request information is sent by the base station identity management client to a verification node in the blockchain system, where the verification node may be a registration authority (Registration Authority, RA) or a CA, which is not specifically limited in this embodiment.
Step S200: acquiring first identity certificate issuing information sent by the blockchain system, where the first identity certificate issuing information is generated by the blockchain system from the identity certificate once it has confirmed, on the basis of the first authentication request information, that the identity certificate is stored.
In an embodiment, after the blockchain system receives the first authentication request information, it judges from the identity certificate carried by the first authentication request information whether the corresponding identity certificate is stored. Once the blockchain system has confirmed that it stores the identity certificate corresponding to the first authentication request information, it generates the first identity certificate issuing information corresponding to the first authentication request information from the identity certificate, which improves the accuracy of certificate configuration and allows the base station to access the gateway according to the first identity certificate issuing information.
It can be appreciated that when the blockchain system checks the first authentication request information, the checking method is the same as the conventional CA registration audit method.
In order to describe the conventional CA registration audit method more clearly, a specific description is given below.
As shown in fig. 4, fig. 4 is a schematic diagram of a conventional CA registration audit method.
The 5G mainly comprises an access network, a bearing network and a core network; for the access network, the base station has a set of method in use in access identity authentication at present, and depends on the issuing and configuration of CA, wherein the configuration workload of the identity certificate is relatively large, when a communication manufacturer configures and uses the certificate, the communication manufacturer needs to apply the certificate to an operator CA mechanism first, after the CA mechanism issues the certificate, the issued certificate needs to be configured or installed in a target equipment base station, and the equipment needs to configure a digital certificate to realize equipment authentication.
Because different private keys and certificates are required to be configured for each device, batch operation is difficult to achieve, construction efficiency is low, certificate life cycle management is difficult, safety risks of private key leakage caused by manual operation exist, the issuing mechanism described by the invention can be improved through decentralization, and meanwhile CA single-point faults can be eliminated.
Meanwhile, 5G is based on different service scenarios, so operators can create customized private networks based on the requirements of vertical industries, and end-to-end network services may require the slices of multiple operators in multiple countries to be interconnected so as to jointly provide seamless cross-country, cross-domain and cross-service 5G services. The slices need to be protected, and the security channel must be ensured with digital certificates. Different operators have different CAs, and mutual trust must be established between the CAs for the slicing service to operate normally; here, multi-CA mutual trust is also easy to realize by adopting a blockchain-based identity authentication system deployed in a consortium mode.
The cost of building, maintaining and operating the CA system in 5G can be reduced by virtue of the blockchain and smart contracts.
The registration mechanism of the base station certificate described by 3GPP 33.310 is as follows:
The base station is provided in advance by the device manufacturer with a factory-generated public/private key pair, and is preloaded with a digital certificate signed by the device manufacturer, the operator's Registration Authority (RA)/Certificate Authority (CA) server, the device manufacturer's root certificate and the operator's root certificate of the core network SEG.
Step S300: accessing the gateway according to the first identity certificate issuing information.
In an embodiment, first, the base station sends first authentication request information to the blockchain system; after the blockchain system receives the first authentication request information and confirms that it stores an identity certificate corresponding to the first authentication request information, first identity certificate issue information corresponding to the first authentication request information is generated according to the identity certificate; finally, the gateway is accessed according to the first identity certificate issue information obtained in step S200, so that the accuracy of the access certificate is conveniently improved.
As shown in fig. 5, fig. 5 is a schematic diagram of a model of an identity credential provided by one embodiment.
In fig. 5, the base station access control certificate model shows that, through the unit of the invention, the base station can complete external identity authentication, DNS domain authority definition and network management privileged user control with only one access control certificate; besides these functions, the certificate can synchronously carry more extension information to meet other future scenarios that need verification or control.
In an embodiment, the identity certificate contains information such as a base station name, a base station unique identifier, a version number, a certificate public key, a certificate validity period and a serial number, and also contains a network management user authorization list, DNS domain authorization information or other extension information.
As shown in fig. 6, fig. 6 is a flowchart of a specific method of step S300 in fig. 3, and the step S300 includes, but is not limited to, steps S310 to S340.
Step S310: generating an identity authentication access request carrying the first identity certificate issuing information according to the first identity certificate issuing information.
Step S320: sending the identity authentication access request to the gateway.
Step S330: receiving an access verification result sent by the gateway according to the identity authentication access request, wherein the access verification result is obtained by the blockchain system verifying the identity of the base station according to a verification request from the gateway and is sent by the blockchain system to the gateway, and the verification request is generated by the gateway according to the identity authentication access request.
In an embodiment, the base station identity management client sends an identity authentication access request to the network manager, the gateway sends a verification request to the blockchain system, where the verification request is generated by the gateway according to the identity authentication access request, the blockchain system obtains an access verification result after verification and sends it to the gateway, and the gateway sends the verification result to the base station identity management client, so that multiple verification of access certificates is realized and the security of certificate access is improved.
Step S340: accessing the gateway according to the access verification result.
It can be appreciated that the base station identity management client accesses the gateway according to the access verification result returned by the blockchain system, wherein the gateway is an SEG.
As shown in fig. 7, fig. 7 is a flowchart of a base station access control method according to an embodiment of the present invention, including, but not limited to, steps S2100 to S2200.
Step S2100: sending an authorization processing request corresponding to the in-station device to the blockchain system.
In an embodiment, the base station identity management client sends an authorization processing request corresponding to the in-station device to a verification node in the blockchain system, wherein the authorization processing request carries the identity certificate corresponding to the in-station device, so that the management node can conveniently verify the in-station device and the security of the certificate is improved.
In an embodiment, the authorization processing request may be an authorization request for the in-station device or a de-authorization request for the in-station device, so as to support a variety of operations on the in-station device and improve the efficiency of processing authorization requests for the in-station device.
It is to be understood that the in-station device may be a management device or a management user inside the base station, which is not particularly limited in this embodiment.
Step S2200: receiving second identity certificate issuing information sent by the blockchain system, wherein the second identity certificate issuing information is obtained by the blockchain system updating the identity certificate according to the authorization processing request and is based on the updated identity certificate.
In an embodiment, after receiving the authorization request, the blockchain system updates the identity certificate according to the authorization request and obtains the second identity certificate issue information according to the updated identity certificate; the base station identity management client receives the second identity certificate issue information sent by the blockchain system, so that the identity certificate is updated and conveniently managed.
In an embodiment, referring to the model diagram of the identity certificate shown in fig. 5, after receiving the authorization request, the blockchain system updates the identity certificate according to the authorization request, and updates the network management user authorization list in the identity certificate.
It is to be understood that the step S2100 may be performed before the step S300 or may be performed after the step S300, which is not particularly limited in the embodiment of the present invention.
As shown in fig. 8, fig. 8 is a flowchart of a base station access control method according to an embodiment of the present invention, and the base station access control method includes, but is not limited to, steps S400 to S600.
Step S400: sending second authentication request information to the blockchain system, wherein the second authentication request information is generated by the base station according to a user identity authorization request from the authorization terminal, and the user identity authorization request carries the user identity information of the authorization terminal.
In an embodiment, the base station identity management client receives the user identity authorization request from the authorization terminal and processes it so that the blockchain system can read it; the user identity authorization request carries user identity information corresponding to the user of the authorization terminal, and the base station sends second authentication request information to the blockchain system according to the user identity information, so that the blockchain system can conveniently make an authorization judgment on the authorization terminal according to the second authentication request information.
It should be noted that the second authentication request information is obtained by concatenating the client identity information with the unique identifier of the base station.
It can be understood that the identity certificate of the base station may authorize the network management device, or other devices or identities accessing the base station; the network management device or other devices are authorized after the base station identity management client completes the uplink (on-chain) operation of the identity certificate.
It should be noted that the authorization terminal user in this embodiment may be a network management device or a network management user, and in this embodiment the OAM-agent (Operation, Administration and Maintenance agent) is used.
Step S500: receiving a target authorization code sent by the blockchain system according to the second authentication request information, wherein the target authorization code is generated by the blockchain system according to the second authentication request information when the authorization terminal is confirmed to be unregistered according to the user identity information in the second authentication request information.
In an embodiment, the second authentication request information is processed by the blockchain system to obtain a target authorization code, where the target authorization code is generated according to the second authentication request information when the authorization terminal is confirmed to be unregistered according to the user identity information in the second authentication request information; if the authorization terminal is confirmed to be registered according to that user identity information, the second authentication request information is discarded, so that multiple certificates, authentication processes and lifecycle management can be conveniently combined.
Step S600: sending the target authorization code to the authorization terminal.
In an embodiment, the base station identity management client inputs the target authorization code obtained in step S500 into the device to be authorized, and completes the process of device authorization.
As shown in fig. 9, fig. 9 is a flowchart of a base station access control method according to an embodiment of the present invention, and the base station access control method includes, but is not limited to, steps S2300 to S2600.
Step S2300: receiving user authentication request information sent by a network manager, wherein the user authentication request information is generated by the network manager under the condition of receiving an access request of a network manager user.
In an embodiment, the base station identity management server receives user authentication request information sent by the network manager, wherein the user authentication request information is generated by the network manager after receiving an access request of the network management user, and the access request of the network management user is a user identity inquiry request, so that authentication of the network management user by the base station identity management server and the blockchain system is facilitated and the accuracy of user access is improved.
It should be noted that, in the present invention, the network management user making the access request is a login user of the professional Element Management System (EMS).
Step S2400: sending a certificate inquiry request to the blockchain system, wherein the certificate inquiry request is generated by the base station according to the user authentication request information.
In an embodiment, when a network management user requests access by sending an access request to the network management system, user authentication request information is generated; after receiving the access request, the base station identity management server generates a certificate inquiry request, so that the blockchain system can perform a query according to the certificate inquiry request.
Step S2500: acquiring the identity certificate fed back by the blockchain system according to the certificate inquiry request.
In an embodiment, a certificate inquiry request is sent to the blockchain system according to the user authentication request information obtained in step S2300, and after the blockchain system has been queried the identity certificate it returns is obtained, so that the base station identity management server can subsequently read the corresponding authorization code from the identity certificate.
Step S2600: sending verification result information for the network management user to the network management system according to the comparison between the verification authorization code from the network management system and the target authorization code obtained from the identity certificate, wherein the verification authorization code corresponds to the network management user.
In one embodiment, the base station identity management server reads the target authorization code of the corresponding network management user from the identity certificate obtained in step S2500, and requests the verification authorization code of the network management user from the network management system. If the network management user has an authorization code, the verification authorization code is returned to the base station identity management server, which hashes it and compares the hash with the target authorization code obtained from the blockchain query; when the two are the same, verification success is returned to the network management system. If the network management user has no verification authorization code corresponding to the target authorization code in the network management system, an empty string is returned, the base station identity management server determines on inquiry that the user is unauthorized and returns verification failure. This realizes multiple authentication of the network management user and reduces the management complexity of the base station identity management server.
As shown in fig. 10, fig. 10 is a flowchart of a base station access control method according to an embodiment of the present invention, and the base station access control method includes, but is not limited to, steps S700 to S900.
Step S700: DNS certificate information is obtained from the blockchain system.
In an embodiment, the base station identity management client first sends a DNS certificate information query request to the DNS proxy; after the DNS proxy returns the DNS certificate information to the base station identity management client, the base station identity management client and the DNS proxy together act as a client to send a DNS server certificate information request to the blockchain system, and then receive the DNS server certificate information returned by the blockchain system, so that the base station identity management client can conveniently compare the certificate information with the TLSA record.
Step S800: a TLSA record associated with DNS certificate information is obtained from the DNS.
In one embodiment, the base station identity management client requests from the DNS the TLSA record associated with the DNS certificate information, and the DNS returns the TLSA record to the base station identity management client according to the DNS certificate information, so that the base station identity management client can compare the TLSA record with the DNS certificate information.
It will be appreciated that the DANE protocol is used in DNS: DANE defines a DNS resource record type, TLSA, describing the declaration of credentials associated with a domain, where each TLSA record has three basic fields. When a base station wants to connect to a domain, control of access to the domain can be enhanced by means of the TLSA record, applying this constraint when validating the credentials of the server.
Step S900: verifying the DNS certificate information according to the TLSA record.
In one embodiment, DNS verification strength is enhanced by verifying the DNS certificate information using the TLSA record, that is, by verifying the origin of the DNS data and protecting the integrity of the data.
As shown in fig. 11, fig. 11 is a flowchart of a base station access control method according to another embodiment of the present invention, which is applied to a blockchain system, and the base station access control method includes, but is not limited to, steps S1000 to S3000.
Step S1000: receiving first authentication request information sent by the base station, wherein the first authentication request information carries the identity certificate of the base station.
Step S2000: when it is confirmed, based on the first authentication request information, that the identity certificate is stored, generating first identity certificate issue information from the identity certificate.
In an embodiment, the blockchain system judges, according to the identity certificate carried by the first authentication request information, whether the corresponding identity certificate is saved, and when it is confirmed that the blockchain system stores the identity certificate corresponding to the first authentication request information, generates first identity certificate issuing information corresponding to the first authentication request information according to the identity certificate, so that the accuracy of certificate configuration is improved and the gateway is accessed according to the first identity certificate issuing information.
It can be understood that when the blockchain system examines the first authentication request information, the examination method is the same as the conventional CA registration auditing method, which is a common technical means for those skilled in the art and will not be described here again.
Step S3000: sending the first identity certificate issuing information, used for accessing the gateway, to the base station.
In one embodiment, sending the first identity credential issuance information to the base station identity management client facilitates the base station identity management client to access the gateway.
As shown in fig. 12, fig. 12 is a flowchart of a base station access control method according to another embodiment of the present invention, and the base station access control method includes, but is not limited to, steps S3100 to S3400.
Step S3100: receiving an authorization processing request corresponding to the in-station device, sent by the base station.
In an embodiment, the base station identity management client sends an authorization processing request corresponding to the in-station device to the blockchain system, wherein the authorization processing request carries an identity certificate corresponding to the in-station device, so that the management node can verify the in-station device conveniently, and the security of the certificate is improved.
It is to be understood that the in-station device may be a management device or a management user inside the base station, which is not particularly limited in this embodiment.
Step S3200: the identity certificate is updated according to the authorization processing request.
In an embodiment, the blockchain system obtains the authorization code of the in-station device or user according to the authorization processing request, checks the authorization code against the identity certificate, performs the uplink operation on the authenticated identity certificate corresponding to the authorization code, and updates the identity certificate according to the result of the uplink operation, thereby improving certificate configuration efficiency.
Step S3300: generating second identity certificate issuing information according to the updated identity certificate.
Step S3400: sending the second identity certificate issuing information to the base station.
In an embodiment, the blockchain system generates second identity certificate issue information according to the updated identity certificate, and sends the identity certificate corresponding to the second identity certificate issue information to the base station identity management client to realize the unified life cycle management mode.
As shown in fig. 13, fig. 13 is a flowchart of a base station access control method according to another embodiment of the present invention, and the base station access control method includes, but is not limited to, steps S3500 to S3700.
Step S3500: receiving a verification request sent by the gateway, wherein the verification request is generated by the gateway according to an identity authentication access request from the base station, and the identity authentication access request carries the first identity certificate issuing information.
Step S3600: verifying the identity of the base station according to the verification request to obtain an access verification result.
In an embodiment, according to the verification request sent by the gateway and the first identity certificate issue information, the identity and the device that sent the verification request are determined; the device that sent the identity authentication access request and its identity are verified to obtain an access verification result, so that the base station can conveniently access the gateway according to the access verification result.
It can be understood that the access verification result is that the blockchain system confirms the identity certificate of the base station according to the first identity certificate issue information, so as to find the corresponding base station.
Step S3700: sending the access verification result to the gateway, so that the base station accesses the gateway according to the access verification result.
In an embodiment, the access verification result obtained in step S3600 is sent to the gateway, so that the base station can access the gateway according to the access verification result, and the process of authentication of the base station is completed.
In an embodiment, in order to describe the identity authentication process of the base station accessing the gateway more clearly, a specific example is given below.
As shown in fig. 14, fig. 14 is a schematic diagram of a system framework of a base station access gateway provided by a specific example.
Example one:
When the base station leaves the factory, it carries a digital certificate, namely the identity certificate, and the private key corresponding to the identity certificate is stored locally in the base station. The base station identity management client then sends the certificate content and related identity information as request content to a verification node (operator RA/CA) on the chain and enters a state of waiting for the identity certificate to be issued. After receiving the request, the on-chain verification node judges, from the information provided by the user, whether to store the user's identity certificate; the judgment method is the same as conventional CA registration verification, and the identity certificate that passes verification is added to the blockchain system through the consensus mechanism.
As shown in fig. 15, fig. 15 is a flowchart of a base station access control method according to another embodiment of the present invention, and the base station access control method includes, but is not limited to, steps S4000 to S6000.
Step S4000: receiving second authentication request information sent by the base station, wherein the second authentication request information is generated by the base station according to a user identity authorization request from the authorization terminal, and the user identity authorization request carries the user identity information of the authorization terminal.
In an embodiment, the blockchain system receives second authentication request information, wherein the second authentication request information is generated according to a user identity authorization request from the authorization terminal and comprises the user identity information of the authorization terminal carried by that request, so that the blockchain system can conveniently make a judgment on the authorization terminal according to its user identity information.
Step S5000: generating a target authorization code according to the second authentication request information when the authorization terminal is confirmed to be unregistered according to the user identity information in the second authentication request information.
In an embodiment, when the authorization terminal is found to be unregistered according to the user identity information in the second authentication request information, the blockchain system concatenates a randomly generated serial number with the sending time of the second authentication request information to form the target authorization code, sends the plaintext of the target authorization code back to the authorization terminal device, and stores the hash value of the target authorization code in an authorization device list in the blockchain system, wherein the authorization device list is used to store the hash values of the authorization codes of authorized devices; this addresses the problem of excessive authorization of the network management user of the authorization terminal and improves the accuracy of network management user authorization.
It can be understood that a large number of identity certificates are stored in the blockchain system, including base station identity certificates, device identity certificates or identity certificates of network management users, etc., where the identity certificate carries the authorization code of the device or network management user; the authorization code is written into the base station certificate authorization list to form the authorization device list, which is a common technology for those skilled in the art and is not described here again.
It should be noted that when the authorization terminal is confirmed to be registered according to the user identity information in the second authentication request information, the blockchain system discards the second authentication request information.
Step S6000: sending the target authorization code to the authorization terminal through the base station.
In an embodiment, under the condition that the authorization terminal is not registered, the base station identity management client sends a target authorization code to the authorization terminal, wherein the authorization terminal is the terminal for sending the user identity authorization request, so that the authorization operation of the authorization terminal is realized, and the reliability of the blockchain system is improved.
In an embodiment, to illustrate the network management user authorization process more clearly, a specific example is given below.
As shown in fig. 16, fig. 16 is a schematic diagram of a system framework for network management user authorization provided by a specific example.
Example two:
The identity certificate of the base station can authorize network management equipment, other equipment or identities accessing the base station. During authorization, after the initial base station identity management client has finished the uplink work of the identity certificate, an authorization request is sent to the blockchain system according to the authorized user information of the network management OAM-agent; the blockchain system concatenates a randomly generated serial number with the sending time of the request into a character string, sends the original character string back to the requesting device, and stores the hash value of the character string in the authorization device list in the blockchain certificate. Finally, the base station inputs the obtained character string into the equipment to be authorized, namely the network management OAM-agent, completing the device authorization process; which users are authorized and whether an authorization has expired can also be queried through the network management system.
As shown in fig. 17, fig. 17 is a flowchart of a base station access control method according to another embodiment of the present invention, and the base station access control method includes, but is not limited to, steps S3800 to S3900.
Step S3800: receiving a certificate inquiry request sent by a base station, wherein the certificate inquiry request is generated by the base station according to user authentication request information sent by a network manager, and the user authentication request information is generated by the network manager under the condition of receiving an access request of a network manager user.
In an embodiment, the blockchain system receives a certificate inquiry request sent by the base station identity management server. When a network management user requests access by sending an access request to the network management system, user authentication request information is generated; after the base station identity management server receives the access request, the certificate inquiry request is generated for the blockchain system, and the accuracy of certificate authentication of the network management user is improved.
Step S3900: sending the identity certificate to the base station according to the certificate inquiry request, so that the base station sends verification result information for the network management user to the network management system according to the comparison between the verification authorization code from the network management system and the target authorization code obtained from the identity certificate, wherein the verification authorization code corresponds to the network management user.
In an embodiment, after receiving the certificate inquiry request in step S3800, the blockchain system searches the stored certificates and, according to the search result, returns the identity certificate corresponding to the certificate inquiry request to the base station identity management server, so that the base station identity management server can verify the network management user according to the identity certificate.
It can be appreciated that a large number of identity certificates are stored in the blockchain system, including a base station identity certificate, a device identity certificate, or an identity certificate of a network management user, etc., where the identity certificate carries an authorization code of the device or the network management user.
In an embodiment, to describe the network management user authentication process more clearly, a specific example is given below.
Fig. 18 is a schematic diagram of the system framework for network management user authentication provided by this specific example.
Example three:
After receiving an EMS login user request, the OAM-agent sends a user identity query request to the identity management server module of the base station. The server applies to the blockchain system with a base station identity certificate query request; the blockchain system looks up and returns the certificate. The base station identity management server reads the authorization code value of the corresponding network management user from the certificate and, at the same time, requests the user's authorization code from the OAM-agent. If the user has an authorization code, it is returned to the server; the server compares the hash computed over that character string with the authorization code obtained from the blockchain query and returns a successful verification when they are the same. If the user has no authorization string in the OAM-agent, an empty string is returned, the server finds that the user is not authorized, and a verification failure result is returned.
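The comparison performed by the identity management server in Example three, written out as an added example (this is not code from the patent or from ZTE). The hash algorithm (SHA-256 over the UTF-8 string), the record layouts, and the two lookup functions standing in for the blockchain query and the OAM-agent query are assumptions; the sample users and authorization strings are constructed. The "empty string means not authorized" branch from the text is handled explicitly, and the hash comparison is constant-time so that the comparison itself does not leak how much of the hash matched.

```python
"""Authorization-code check for an EMS login, modelled on Example three.
Added example, not code from the patent; hash algorithm and data layouts are assumed."""
import hashlib
import hmac
from typing import Dict, Optional


def authorization_code_hash(auth_string: str) -> str:
    """Hash the user's authorization string. The text says 'character string hash'
    without naming an algorithm, so SHA-256 is an assumption of this example."""
    return hashlib.sha256(auth_string.encode("utf-8")).hexdigest()


# Constructed sample data standing in for the two sources the server consults.
# 1) Identity certificates as returned by the blockchain query; the stored value is the
#    hash of the user's authorization code, keyed by user name (layout assumed).
BLOCKCHAIN_CERTIFICATES: Dict[str, Dict[str, str]] = {
    "alice": {"authorization_code": authorization_code_hash("constructed-code-alice")},
    "bob":   {"authorization_code": authorization_code_hash("constructed-code-bob")},
    "dave":  {"authorization_code": authorization_code_hash("constructed-code-dave")},
}
# 2) Authorization strings held by the OAM-agent; an unknown user yields "" (empty string).
OAM_AGENT_AUTH_STRINGS: Dict[str, str] = {
    "alice": "constructed-code-alice",
    "carol": "constructed-code-carol",   # has a string but no certificate on the blockchain
    "dave":  "constructed-code-stale",   # string no longer matches the certificate
}


def query_blockchain_certificate(user: str) -> Optional[Dict[str, str]]:
    """Stand-in for the blockchain certificate query (hypothetical interface)."""
    return BLOCKCHAIN_CERTIFICATES.get(user)


def query_oam_agent_authorization(user: str) -> str:
    """Stand-in for asking the OAM-agent for the user's authorization string;
    the OAM-agent returns an empty string when the user holds none."""
    return OAM_AGENT_AUTH_STRINGS.get(user, "")


def verify_network_management_user(user: str) -> str:
    """Return the verification result the identity management server reports to the OAM-agent."""
    certificate = query_blockchain_certificate(user)
    if certificate is None or "authorization_code" not in certificate:
        return "failure: no identity certificate for user"
    auth_string = query_oam_agent_authorization(user)
    if auth_string == "":
        # Empty string from the OAM-agent: the user is not authorized.
        return "failure: user not authorized"
    computed = authorization_code_hash(auth_string)
    # compare_digest keeps the comparison constant-time regardless of where the strings differ.
    if hmac.compare_digest(computed, certificate["authorization_code"]):
        return "success"
    return "failure: authorization code mismatch"


if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "dave"):
        print(name, "->", verify_network_management_user(name))
```

The order of the checks mirrors the text: the certificate is fetched first, the OAM-agent is asked second, and only a non-empty authorization string is hashed and compared.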
Fig. 19 is a flowchart of a base station access control method according to another embodiment of the present invention; the method includes, but is not limited to, step S7000.
Step S7000: sending DNS certificate information to the base station, so that the base station verifies the DNS certificate information against the TLSA record associated with that DNS certificate information, which the base station obtains from the DNS.
In one embodiment, the blockchain system stores the DNS server certificate information sent by the DNS server. The base station identity management client first sends a DNS certificate information query to the DNS proxy; on receiving that query, a DNS server certificate information request is sent to the blockchain system, and the blockchain system returns the DNS certificate information to the base station identity management client according to that request, so that the client can verify the DNS certificate information against the TLSA record.
In one embodiment, to more clearly illustrate the TLSA record configuration and DNS authentication process, specific examples are given below.
Fig. 20 is a schematic diagram of the architecture for verifying a server certificate against a TLSA record, provided as a specific example.
Example four:
The base station identity management client sends a DNS certificate information query request to the DNS proxy and a TLSA record request to the DNS; according to the received DNS certificate information query request, a DNS server certificate information request is sent to the blockchain system.
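The check the base station identity management client performs in step S7000 and Example four, written as an added example (not code from the patent or from ZTE). It parses a TLSA record in the RFC 6698 presentation format ("usage selector matching-type hex-data"), derives the certificate association data from the certificate material the blockchain system returned, and compares the two. The certificate and SubjectPublicKeyInfo byte strings are constructed placeholders rather than real DER encodings, and the function names are this example's own. Only the association match is shown; for usage values 0, 1 and 2, RFC 6698 additionally requires normal PKIX chain validation, which this example does not perform.

```python
"""Verify DNS server certificate material against a DANE TLSA record (RFC 6698).
Added example, standard library only; the certificate bytes below are constructed."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins for the DER-encoded material that the blockchain system would
# return as "DNS certificate information" (the page does not define its wire format).
FAKE_CERT_DER = b"\x30\x82\x01\x00constructed-certificate-der-bytes"
FAKE_SPKI_DER = b"\x30\x59constructed-subject-public-key-info"


@dataclass(frozen=True)
class TLSARecord:
    usage: int           # 0..3; 3 = DANE-EE, the end-entity certificate itself is trusted
    selector: int        # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int   # 0 = exact bytes, 1 = SHA-256 digest, 2 = SHA-512 digest
    cert_assoc_data: bytes


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse the zone-file presentation format, e.g. '3 1 1 <hex digest>'.
    The hex data may be split across whitespace, as in long zone-file lines."""
    parts = presentation.split()
    if len(parts) < 4:
        raise ValueError("TLSA record needs usage, selector, matching type and data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in range(4) or selector not in range(2) or mtype not in range(3):
        raise ValueError("unsupported TLSA parameter value")
    data = bytes.fromhex("".join(parts[3:]))  # raises ValueError on malformed hex
    return TLSARecord(usage, selector, mtype, data)


def association_data(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bytes:
    """Derive the bytes the record must carry for the given certificate material."""
    selected = cert_der if record.selector == 0 else spki_der
    if record.matching_type == 0:
        return selected
    if record.matching_type == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def tlsa_matches(presentation: str, cert_der: bytes, spki_der: bytes) -> bool:
    """True when the certificate material is bound by the TLSA record.
    Malformed or unsupported records are treated as a failed match."""
    try:
        record = parse_tlsa(presentation)
    except ValueError:
        return False
    expected = association_data(record, cert_der, spki_der)
    # Constant-time comparison: the result must not depend on how many bytes matched.
    return hmac.compare_digest(expected, record.cert_assoc_data)


def make_tlsa(usage: int, selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> str:
    """Build the presentation-format record a zone operator would publish for this material."""
    rec = TLSARecord(usage, selector, mtype, b"")
    return f"{usage} {selector} {mtype} {association_data(rec, cert_der, spki_der).hex()}"


if __name__ == "__main__":
    record = make_tlsa(3, 1, 1, FAKE_CERT_DER, FAKE_SPKI_DER)
    print(record)
    print("match:", tlsa_matches(record, FAKE_CERT_DER, FAKE_SPKI_DER))
```

With selector 1 the record binds only the public key, so reissuing the certificate with the same key does not invalidate the record; with selector 0 any change to the certificate bytes breaks the match.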
In addition, an embodiment of the present invention also provides a base station, including: memory, a processor, and a computer program stored on the memory and executable on the processor.
The processor and the memory may be connected by a bus or other means.
The memory, as a non-transitory computer readable storage medium, may be used to store non-transitory software programs as well as non-transitory computer executable programs. In addition, the memory may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory optionally includes memory remotely located relative to the processor, the remote memory being connectable to the processor through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The non-transitory software program and instructions required to implement the base station access control method of the above-described embodiments are stored in the memory, and when executed by the processor, the base station access control method of the above-described embodiments is performed, for example, the method steps S100 to S300 in fig. 3, the method steps S310 to S340 in fig. 6, the method steps S2100 to S2200 in fig. 7, the method steps S400 and S600 in fig. 8, the method steps S2300 to S2600 in fig. 9, and the method steps S700 and S900 in fig. 10 described above are performed.
In addition, one embodiment of the present invention also provides a blockchain system including: memory, a processor, and a computer program stored on the memory and executable on the processor.
The processor and the memory may be connected by a bus or other means.
The memory, as a non-transitory computer readable storage medium, may be used to store non-transitory software programs as well as non-transitory computer executable programs. In addition, the memory may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory optionally includes memory remotely located relative to the processor, the remote memory being connectable to the processor through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The non-transitory software program and instructions required to implement the base station access control method of the above-described embodiments are stored in the memory, and when executed by the processor, the base station access control method of the above-described embodiments is performed, for example, the method steps S1000 to S3000 in fig. 11, the method steps S3100 to S3400 in fig. 12, the method steps S3500 to S3700 in fig. 13, the method steps S4000 to S6000 in fig. 15, the method steps S3800 to S3900 in fig. 17, and the method step S7000 in fig. 19 described above are performed.
Furthermore, an embodiment of the present invention provides a computer-readable storage medium storing computer-executable instructions that are executed by a processor or controller, for example, by one of the processors in the above-described device embodiments, which may cause the processor to perform the base station access control method in the above-described embodiment, for example, the method steps S100 to S300 in fig. 3, the method steps S310 to S340 in fig. 6, the method steps S2100 to S2200 in fig. 7, the method steps S400 and S600 in fig. 8, the method steps S2300 to S2600 in fig. 9, the method steps S700 and S900 in fig. 10, the method steps S1000 to S3000 in fig. 11, the method steps S3100 to S3400 in fig. 13, the method steps S3500 to S3700 in fig. 15, the method steps S3800 to S6000 in fig. 17, the method steps S3800 to S3900 in fig. 17, and the method steps S7000 in fig. 19.
The embodiments described above are merely illustrative, wherein the units described as separate components may or may not be physically separate, i.e. may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in hardware plus software functional units.
Those of ordinary skill in the art will appreciate that all or some of the steps, systems, and methods disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as known to those skilled in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. Furthermore, as is well known to those of ordinary skill in the art, communication media typically include computer readable instructions, data structures, program modules, or other data in a modulated data signal, such as a carrier wave or other transport mechanism, and may include any information delivery media.
The preferred embodiments of the present invention have been described in detail, but the present invention is not limited to the above embodiments, and those skilled in the art will appreciate that the present invention may be practiced without departing from the spirit of the present invention. Various equivalent modifications and substitutions may be made in the shared context, and are intended to be included within the scope of the present invention as defined in the following claims.

Claims (15)

1. A base station access control method applied to a base station, the method comprising:
sending first authentication request information to a blockchain system, wherein the first authentication request information carries an identity certificate of the base station;
acquiring first identity certificate issuing information sent by the blockchain system, wherein the first identity certificate issuing information is generated according to the identity certificate by the blockchain system under the condition that the identity certificate is confirmed to be stored based on the first authentication request information;
and accessing the gateway according to the first identity certificate issuing information.
2. The base station access control method according to claim 1, wherein the accessing gateway according to the first identity certificate issuing information comprises:
generating an identity authentication access request carrying the first identity certificate issuing information according to the first identity certificate issuing information;
sending the identity authentication access request to the gateway;
receiving an access verification result sent by the gateway according to the identity authentication access request, wherein the access verification result is obtained by the blockchain system verifying the identity of the base station according to a verification request from the gateway and is sent to the gateway, and the verification request is generated by the gateway according to the identity authentication access request;
and accessing the gateway according to the access verification result.
3. The base station access control method according to claim 1, wherein the base station comprises an in-station device; after the first identity certificate issuing information sent by the blockchain system is obtained, the method further comprises:
sending an authorization processing request corresponding to the in-station equipment to the blockchain system;
and receiving second identity certificate issuing information sent by the blockchain system, wherein the second identity certificate issuing information is obtained by the blockchain system according to the authorization processing request by updating the identity certificate and based on the updated identity certificate.
4. The base station access control method according to claim 1, characterized in that the method further comprises:
sending second authentication request information to the blockchain system, wherein the second authentication request information is generated by the base station according to a user identity authorization request from an authorization terminal, and the user identity authorization request carries user identity information of the authorization terminal;
receiving a target authorization code sent by the blockchain system according to the second authentication request information, wherein the target authorization code is generated by the blockchain system according to the second authentication request information under the condition that the authorization end is not registered according to the user identity information in the second authentication request information;
and sending the target authorization code to the authorization terminal.
5. The base station access control method of claim 1, wherein after the obtaining the first identity credential issuance information sent by the blockchain system, further comprises:
receiving user authentication request information sent by a network manager, wherein the user authentication request information is generated by the network manager under the condition of receiving an access request of a network manager user;
sending a certificate inquiry request to the blockchain system, wherein the certificate inquiry request is generated by the base station according to the user authentication request information;
acquiring the identity certificate fed back by the blockchain system according to the certificate inquiry request;
and sending verification result information aiming at the network management user to the network management according to the difference between the verification authorization code from the network management and the target authorization code obtained from the identity certificate, wherein the verification authorization code corresponds to the network management user.
6. The base station access control method according to claim 1, characterized in that the method further comprises:
obtaining DNS certificate information from the blockchain system;
obtaining a TLSA record associated with the DNS certificate information from a DNS;
and verifying the DNS certificate information according to the TLSA record.
7. A base station access control method applied to a blockchain system, the method comprising:
receiving first authentication request information sent by a base station, wherein the first authentication request information carries an identity certificate of the base station;
generating first identity certificate issuing information according to the identity certificate under the condition that the storage of the identity certificate is confirmed based on the first authentication request information;
and sending the first identity certificate issuing information for the access gateway to the base station.
8. The base station access control method according to claim 7, wherein the base station comprises an in-station device; after the first identity certificate issuing information for the access gateway is sent to the base station, the method further comprises:
receiving an authorization processing request which is sent by the base station and corresponds to the in-station equipment;
updating the identity certificate according to the authorization processing request;
generating second identity certificate issuing information according to the updated identity certificate;
and sending second identity certificate issuing information to the base station.
9. The base station access control method according to claim 7, wherein after the sending the first identity certificate issuance information for an access gateway to the base station, further comprising:
receiving a verification request sent by the gateway, wherein the verification request is generated by the gateway according to an identity authentication access request from the base station, and the identity authentication access request carries the first identity certificate issuing information;
verifying the identity of the base station according to the verification request to obtain an access verification result;
and sending the access verification result to the gateway, so that the base station accesses the gateway according to the access verification result.
10. The base station access control method of claim 7, further comprising:
receiving second authentication request information sent by the base station, wherein the second authentication request information is generated by the base station according to a user identity authorization request from an authorization terminal, and the user identity authorization request carries user identity information of the authorization terminal;
under the condition that the authorization terminal is not registered according to the user identity information in the second authentication request information, generating a target authorization code according to the second authentication request information;
and sending the target authorization code to the authorization terminal through the base station.
11. The base station access control method according to claim 7, wherein after the sending the first identity certificate issuance information for an access gateway to the base station, further comprising:
receiving a query certificate request sent by the base station, wherein the query certificate request is generated by the base station according to user authentication request information sent by a network manager, and the user authentication request information is generated by the network manager under the condition of receiving an access request of a network manager user;
and sending the identity certificate to the base station according to the inquiry certificate request, so that the base station sends verification result information aiming at the network management user to the network management according to the difference between a verification authorization code from the network management and a target authorization code obtained from the identity certificate, wherein the verification authorization code corresponds to the network management user.
12. The base station access control method of claim 7, further comprising:
and sending DNS certificate information to the base station, so that the base station verifies the DNS certificate information according to the TLSA record which is acquired from the DNS and is associated with the DNS certificate information.
13. A base station, comprising: a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the base station access control method according to any one of claims 1 to 6 when executing the computer program.
14. A blockchain system, comprising: a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the base station access control method according to any of claims 7 to 12 when executing the computer program.
15. A computer-readable storage medium storing computer-executable instructions for causing a computer to perform the base station access control method according to any one of claims 1 to 12.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202111578563.5A CN116347443A (en) 2021-12-22 2021-12-22 Base station access control method, base station, block chain system and storage medium
PCT/CN2022/140789 WO2023116784A1 (en) 2021-12-22 2022-12-21 Base station access control method, base station, blockchain system, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111578563.5A CN116347443A (en) 2021-12-22 2021-12-22 Base station access control method, base station, block chain system and storage medium

Publications (1)

Publication Number Publication Date
CN116347443A true CN116347443A (en) 2023-06-27

Family

ID=86889876

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111578563.5A Pending CN116347443A (en) 2021-12-22 2021-12-22 Base station access control method, base station, block chain system and storage medium

Country Status (2)

Country Link
CN (1) CN116347443A (en)
WO (1) WO2023116784A1 (en)

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109412792A (en) * 2017-08-16 2019-03-01 中国移动通信有限公司研究院 Generation, authentication method, communication equipment and the storage medium of digital certificate
US11106812B2 (en) * 2019-05-09 2021-08-31 At&T Intellectual Property I, L.P. Controlling access to datasets described in a cryptographically signed record
CN111182545B (en) * 2020-01-10 2022-07-29 中国联合网络通信集团有限公司 Micro base station authentication method and terminal

Also Published As

Publication number Publication date
WO2023116784A1 (en) 2023-06-29

Legal Events

Date Code Title Description
PB01 Publication