CN116582554A - Edge node access processing method and device, mobile terminal and edge node - Google Patents


Info

Publication number: CN116582554A
Authority: CN (China)
Application number: CN202310596566.4A
Original language: Chinese (zh)
Inventor: 阮勇辉
Assignee (current and original): Wuhan United Imaging Healthcare Co Ltd
Legal status: Pending
Prior art keywords: edge node, mobile terminal, certificate, information, abstract

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L 67/01 Protocols
                        • H04L 67/10 Protocols in which an application is distributed across nodes in the network
                            • H04L 67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
            • H04W WIRELESS COMMUNICATION NETWORKS
                • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
                    • H04W 12/06 Authentication
                        • H04W 12/069 Authentication using certificates or pre-shared keys
                • H04W 36/00 Hand-off or reselection arrangements
                    • H04W 36/16 Performing reselection for specific purposes
                • H04W 48/00 Access restriction; Network selection; Access point selection
                    • H04W 48/08 Access restriction or access information delivery, e.g. discovery data delivery
                • H04W 56/00 Synchronisation arrangements

Abstract

The application relates to an edge node access processing method and device, a mobile terminal and an edge node. When the mobile terminal determines that an edge node handover is required, the terminal and the edge node it currently accesses (the first edge node) each generate digest information with the same preset digest method and exchange it. Each party then sends its own certificate, together with the digest information previously received from the other party, to a second edge node. The second edge node processes the certificate of the mobile terminal and the certificate of the first edge node with the preset digest method and checks each result for consistency with the digest received from the other party. If both checks pass, the mobile terminal and the first edge node are regarded as mutually trusted, and the second edge node is in turn authenticated by them. After that authentication passes, the second edge node synchronizes service data with the mobile terminal and the first edge node, and once synchronization is complete the access edge of the mobile terminal is switched to the second edge node. Security is improved by this association authentication.

Description

Edge node access processing method and device, mobile terminal and edge node
Description: this application is a divisional application of the parent application with application number 2022103582916, filed 2022-04-07, entitled "Edge node access processing method, mobile terminal and edge node".
Technical Field
The present application relates to the field of mobile device edge node access switching control technologies, and in particular, to an edge node access processing method and apparatus, a mobile terminal, and an edge node.
Background
Mobile healthcare refers to the provision of medical services and information through mobile communication technology. To obtain a low-latency, highly reliable network, mobile terminals typically access a nearby edge computing node and obtain services from applications hosted on that node.
Security authentication between a mobile terminal and an application is currently performed by an application-layer communication protocol such as HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer), and the mobile terminal and the application on an edge node are generally authenticated one-to-one. When a moving terminal is handed over between different edge nodes, two independent authentication processes are required to complete the handover. Because the two processes are independent of each other, it cannot be ensured that terminal data and service data are not leaked through a man-in-the-middle attack during the handover, so security and reliability are low.
Disclosure of Invention
In view of the foregoing, it is desirable to provide an edge node access processing method, apparatus, mobile terminal and edge node that improve security of edge node access handover by association authentication.
In a first aspect, an embodiment of the present application provides an edge node access processing method, which is applied to a second edge node, where the method includes:
when the mobile terminal needs to switch edge nodes, receiving the certificate of the first edge node and first digest information sent by the first edge node, and receiving the certificate of the mobile terminal and second digest information sent by the mobile terminal;
the first digest information is formed by processing the certificate of the mobile terminal with a preset digest method, and the second digest information is formed by processing the certificate of the first edge node with the preset digest method;
processing the certificate of the mobile terminal and the certificate of the first edge node respectively with the preset digest method;
comparing the processing result of the certificate of the mobile terminal with the first digest information sent by the first edge node, and the processing result of the certificate of the first edge node with the second digest information sent by the mobile terminal; if both comparisons are consistent, judging that the mobile terminal and the first edge node are both trusted nodes, and feeding back third digest information and the certificate of the second edge node to the trusted nodes, where the third digest information is formed by processing the certificate of the second edge node with the preset digest method;
if the second edge node is judged to be a trusted node by the mobile terminal and by the first edge node respectively, performing service data synchronization;
after service data synchronization is completed, granting the mobile terminal access, so that the access edge of the mobile terminal is switched from the first edge node to the second edge node.
In a second aspect, an embodiment of the present application further provides an edge node access processing method, applied to a mobile terminal, where the method includes:
when the mobile terminal needs to switch edge nodes, sending first digest information to the first edge node and receiving second digest information sent by the first edge node; the first digest information is formed by processing the certificate of the mobile terminal with a preset digest method, and the second digest information is formed by processing the certificate of the first edge node with the preset digest method;
sending the certificate of the mobile terminal and the second digest information to a second edge node; the second edge node is the edge node the mobile terminal is to access;
receiving third digest information fed back by the second edge node and the certificate of the second edge node; the third digest information is formed by processing the certificate of the second edge node with the preset digest method;
processing the certificate of the second edge node with the preset digest method;
and if the second edge node is judged, from the processing result of its certificate and the third digest information, to be a node trusted by the mobile terminal, performing service data synchronization and switching the access edge from the first edge node to the second edge node.
In a third aspect, an embodiment of the present application further provides an edge node access processing method, applied to a first edge node, where the method includes:
when the mobile terminal needs to switch edge nodes, receiving first digest information sent by the mobile terminal and sending second digest information to the mobile terminal; the first digest information is formed by processing the certificate of the mobile terminal with a preset digest method, and the second digest information is formed by processing the certificate of the first edge node with the preset digest method;
sending the certificate of the first edge node and the first digest information to the second edge node;
receiving third digest information fed back by the second edge node and the certificate of the second edge node; the third digest information is formed by processing the certificate of the second edge node with the preset digest method;
processing the certificate of the second edge node with the preset digest method;
and if the second edge node is judged, from the processing result of its certificate and the third digest information, to be a node trusted by the first edge node, performing service data synchronization, so that the mobile terminal switches its access edge from the first edge node to the second edge node once service data synchronization is completed.
In a fourth aspect, an embodiment of the present application provides an edge node access processing apparatus, applied to a mobile terminal, where the apparatus includes:
a terminal-side digest information exchange module, configured to send first digest information to the first edge node and receive second digest information sent by the first edge node when the mobile terminal needs to switch edge nodes; the first digest information is formed by processing the certificate of the mobile terminal with a preset digest method, and the second digest information is formed by processing the certificate of the first edge node with the preset digest method;
a terminal-side first information sending module, configured to send the certificate of the mobile terminal and the second digest information to a second edge node; the second edge node is the edge node the mobile terminal is to access;
a terminal-side first information receiving module, configured to receive third digest information fed back by the second edge node and the certificate of the second edge node; the third digest information is formed by processing the certificate of the second edge node with the preset digest method;
a terminal-side first security verification module, configured to process the certificate of the second edge node with the preset digest method;
and a terminal-side handover execution module, configured to perform service data synchronization when the second edge node is judged, from the processing result of its certificate and the third digest information, to be a node trusted by the mobile terminal, and to switch the access edge from the first edge node to the second edge node.
In a fifth aspect, an embodiment of the present application provides a mobile terminal, including a memory and a processor, where the memory stores a computer program and the processor, when executing the computer program, implements the steps of the above edge node access processing method applied to the mobile terminal side.
In a sixth aspect, an embodiment of the present application further provides a mobile terminal access edge switching system, including the mobile terminal, a first edge node and a second edge node;
the first edge node includes a memory and a processor, where the memory stores a computer program and the processor, when executing the computer program, implements the steps of the edge node access processing method applied to the first edge node;
the second edge node includes a memory and a processor, where the memory stores a computer program and the processor, when executing the computer program, implements the steps of the edge node access processing method applied to the second edge node.
According to the edge node access processing method, the mobile terminal determines that an edge node handover is needed when, for example, the distance between the mobile terminal and the first edge node grows beyond a threshold during its movement; at that point the stability of communication with the first edge node can be regarded as under threat, and a directional communication connection needs to be established with a second edge node that is closer to the mobile terminal. When the handover is needed, the mobile terminal and the first edge node each generate digest information with the same preset digest method and exchange it, and each then sends its own certificate together with the previously exchanged digest information to the second edge node. After the second edge node processes the certificate of the mobile terminal and the certificate of the first edge node with the preset digest method, it can judge from the processing results, the first digest information and the second digest information whether the mobile terminal and the first edge node are trusted nodes. If they are, the second edge node feeds back its generated third digest information and its own certificate to the trusted nodes; if the mobile terminal and the first edge node in turn authenticate the second edge node as a trusted node, service data can be synchronized between the second edge node and the mobile terminal and between the second edge node and the first edge node, after which the access edge of the mobile terminal is switched from the first edge node to the second edge node.
The process by which the second edge node authenticates the mobile terminal and the first edge node as trusted nodes may be as follows. If the digest information obtained when the second edge node processes the certificate of the mobile terminal with the preset digest method is consistent with the first digest information the second edge node received from the first edge node, the mobile terminal is the terminal the first edge node trusts and has not been impersonated. Likewise, the second edge node processes the certificate of the first edge node, as sent by the first edge node, with the preset digest method and compares the result with the second digest information received from the mobile terminal; if they are consistent, the first edge node is the node the mobile terminal trusts. At this point the second edge node has confirmed that the mobile terminal is the terminal authenticated by the first edge node and that the first edge node is the node authenticated by the mobile terminal, so neither has been impersonated in the middle and the pair is safe and reliable. Authentication of the second edge node is then performed before service data synchronization: once the mobile terminal and the first edge node have authenticated the second edge node from the information it fed back, service data synchronization can proceed between the second edge node and the mobile terminal and between the second edge node and the first edge node. After synchronization is complete, the second edge node connects to the mobile terminal, the mobile terminal disconnects from the first edge node, and the access node handover is achieved. Through this association authentication, data leakage is avoided and data security during edge node handover is improved.
Drawings
FIG. 1 is an application environment diagram of an edge node access processing method in one embodiment;
fig. 2 is a flow chart of an edge node access processing method performed by the second edge node side in one embodiment;
fig. 3 is a flowchart of an edge node access processing method performed by the second edge node side in another embodiment;
FIG. 4 is a diagram of a message structure in which a mobile terminal and a first edge node send a message to a second edge node in one embodiment;
FIG. 5 is a message structure diagram of a second edge node sending a message to a mobile terminal and a first edge node in one embodiment;
fig. 6 is a flow chart of an edge node access processing method performed by the mobile terminal side in one embodiment;
fig. 7 is a flowchart of an edge node access processing method performed by a mobile terminal according to another embodiment;
FIG. 8 is a flow chart of an edge node access processing method performed by a first edge node side in one embodiment;
fig. 9 is a flowchart of an edge node access processing method performed by the first edge node side in another embodiment;
fig. 10a is a timing diagram of a method for performing an edge node access processing by a mobile terminal (terminal a in the figure), a first edge node (edge node B in the figure), and a second edge node (edge node C in the figure) in one embodiment;
FIG. 10b is a timing diagram illustrating the negotiation phase of FIG. 10a;
FIG. 10c is a timing diagram illustrating the switching stage of FIG. 10a;
FIG. 11 is a block diagram of an edge node access processing device applied on the second edge node side in one embodiment;
FIG. 12 is a block diagram illustrating an edge node access processing device applied on the mobile terminal side in one embodiment;
FIG. 13 is a block diagram of an edge node access processing device applied on the first edge node side in one embodiment;
FIG. 14 is an internal block diagram of an edge node in one embodiment;
fig. 15 is an internal structural diagram of a mobile terminal in one embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
It will be understood that the terms first, second, etc. as used herein may be used to describe various elements, data, etc. features, such as first message, second message, etc., but their order is not limited by these terms. These terms are only used to distinguish one data element from another data element, such as a first message and a second message as described in the embodiments below, and are intended to distinguish between the first message and the second message, but are not intended to limit the order of their corresponding steps.
It will be understood that the terms "comprises" and/or "comprising," etc., specify the presence of stated features, integers, steps, operations, elements, components, or groups thereof, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, or groups thereof. Also, the term "and/or" as used in this specification includes any and all combinations of the associated listed items.
The edge node access processing method provided by the embodiment of the application can be applied to an application environment shown in figure 1. Wherein the mobile terminal 102 communicates with the first edge node 104 via a network. In the moving process, the mobile terminal 102 gradually moves away from the first edge node 104 and approaches the second edge node 106, so as to ensure the network stability of the mobile terminal 102, and at this time, the accessed edge node needs to be switched from the first edge node 104 to the second edge node 106. The mobile terminal 102 may be, but is not limited to, various mobile medical devices, handheld medical devices, wearable medical devices, etc. that may move with the movement of the user or autonomously move. The portable wearable medical device may be a health monitoring watch, a health monitoring bracelet, or the like. Edge nodes 104 and 106 may be implemented as edge gateways, edge controllers, edge servers, and the like.
In one embodiment, as shown in fig. 2, an edge node access processing method is provided, and the method is applied to the second edge node 106 in fig. 1 for illustration, and includes the following steps:
SC20: when the mobile terminal needs to switch edge nodes, receiving the certificate of the first edge node and first digest information sent by the first edge node, and receiving the certificate of the mobile terminal and second digest information sent by the mobile terminal; the first digest information is formed by processing the certificate of the mobile terminal with a preset digest method, and the second digest information is formed by processing the certificate of the first edge node with the preset digest method.
When the mobile terminal judges that the stability of its communication with the first edge node is under threat, it determines that the access edge needs to be switched in order to keep its network service stable during service processing. When the mobile terminal determines that an edge node handover is needed, it exchanges with the first edge node the digest information that the two parties generate with the same preset digest method, for use in the subsequent association authentication. The second edge node then receives from the mobile terminal the certificate of the mobile terminal together with the second digest information that the first edge node sent to the mobile terminal, and receives from the first edge node the first digest information that the mobile terminal sent to the first edge node together with the certificate of the first edge node. The first edge node is the edge node the mobile terminal currently accesses; accessing means establishing a directional connection with the mobile terminal, with the mobile terminal using an application hosted at the edge node. Edge node handover means switching from directional communication with one edge node to directional communication with another, and switching between the applications hosted by those edge nodes.
The preset digest method may be a digest method agreed in advance between the mobile terminal and the edge nodes, or it may be generated by one communicating party and sent to the others; for example, it may be generated by the mobile terminal and sent to the edge node it communicates with. A digest method is a method for generating the digest information used in security verification. Digest information is information used for security authentication, obtained by processing input according to the rules of the digest method; for example, the digest information obtained by processing a certificate with the preset digest method can be used to verify whether the certificate was tampered with in transit.
SC40: processing the certificate of the mobile terminal and the certificate of the first edge node respectively with the preset digest method;
SC60: if, from the processing results, the first digest information sent by the first edge node and the second digest information sent by the mobile terminal, the mobile terminal and the first edge node are both judged to be trusted nodes, feeding back third digest information and the certificate of the second edge node to the trusted nodes, where the third digest information is formed by processing the certificate of the second edge node with the preset digest method.
Whether the mobile terminal is a trusted node can be judged by comparing the result of processing the certificate of the mobile terminal with the preset digest method against the first digest information sent by the first edge node. If they are consistent, the mobile terminal is the terminal that originally interacted with the first edge node, that is, the terminal the first edge node trusts, and it has not been impersonated. The second edge node then feeds back its own certificate and the third digest information it generated to the mobile terminal, so that the mobile terminal can in turn authenticate the security of the second edge node it is interacting with, providing a security guarantee for the subsequent service data synchronization.
By the same principle applied to the certificate and digest information sent from the mobile terminal side, the second edge node can process the certificate of the first edge node with the preset digest method and compare the resulting digest information with the second digest information sent by the mobile terminal. If they are consistent, the first edge node interacting with the second edge node is the first edge node that originally interacted with the mobile terminal, that is, the edge node the mobile terminal trusts. The third digest information and the certificate of the second edge node can then be fed back to the first edge node, so that the first edge node can authenticate the security of the second edge node, again providing a security guarantee for the subsequent service data synchronization.
SC80: and if the second edge node is a node trusted by the mobile terminal and the first edge node respectively, carrying out service data synchronization. The service data synchronization may include that the first edge node synchronizes service data such as charging information to the second edge node at the edge node side, or may include that the mobile terminal synchronizes service data such as identity information to the second edge node side at the terminal side.
SC90: after service data synchronization is completed, granting the mobile terminal access, so that the access edge of the mobile terminal is switched from the first edge node to the second edge node. Accessing the edge means establishing directional communication with the edge node, hosting the application on the new access edge and carrying out the service, which differs from the communication used in the preceding security authentication between the mobile terminal and the second edge node.
Specifically, the mobile terminal determines that an edge node handover is required when, for example, its communication distance to the first edge node exceeds a preset value and one or more second edge nodes are available for connection within that distance. The preset value can be configured from the requirements for communication rate and communication stability in the application scenario. The mobile terminal and the first edge node first generate digest information with the same preset digest method and exchange it, and each then sends the digest information received from the other party together with its own certificate to the second edge node. The second edge node processes the two certificates, judges from the processing results and the previously received first and second digest information whether the mobile terminal and the first edge node are trusted nodes, and if so feeds back its generated third digest information and its own certificate to the trusted nodes, so that they can authenticate whether the second edge node is trusted and complete the bidirectional authentication.
In one embodiment, the process of determining whether the mobile terminal and the first edge node are trusted nodes may be as follows. If the digest the second edge node computes with the same preset digest method over the certificate received from one party is consistent with the digest information received from the other party, then the mobile terminal and the first edge node interacting with the second edge node are the same mobile terminal and first edge node that originally exchanged digest information and trust each other, and no communication party has been impersonated. The second edge node then feeds back its certificate and the third digest information to the mobile terminal and the first edge node; when both of them authenticate the second edge node from that feedback, communication among the mobile terminal, the first edge node and the second edge node is secure. The second edge node then synchronizes service data in preparation for accepting the mobile terminal, and after synchronization is complete it grants the mobile terminal access and replaces the first edge node in providing network service to the mobile terminal.
In order to further improve the communication security, in one embodiment, before the step of processing the certificate of the mobile terminal and the certificate of the first edge node respectively by adopting a preset digest method, the method further includes the steps of:
Certificate authentication is carried out on the certificate of the mobile terminal;
and executing the step of processing the certificate of the mobile terminal by adopting a preset abstract method after the certificate passes the authentication. Through certificate authentication, the mobile terminal can be confirmed to be a safe terminal, and data such as certificates sent by the mobile terminal can be processed. The safety and reliability in the edge node switching process are further improved.
Similarly, for the first edge node, the second edge node needs to authenticate the security of the first edge node before processing the data sent by the first edge node, so as to further improve the security of the edge node access processing. Therefore, in one embodiment, before the step of processing the certificate of the mobile terminal and the certificate of the first edge node respectively by adopting a preset digest method, the method further includes the steps of:
performing certificate authentication on the certificate of the first edge node;
and after the certificate passes the authentication, executing the step of processing the certificate of the first edge node by adopting the preset digest method.
By means of certificate authentication, the first edge node can be confirmed to be a safe edge node before data such as the certificate it sends is processed, which further improves the safety and reliability of the edge node switching process.
In order to further improve communication security, in one embodiment, before the step of receiving the certificate of the first edge node and the first digest information sent by the first edge node and receiving the certificate of the mobile terminal and the second digest information sent by the mobile terminal, the method further includes:
receiving authentication requests initiated by the mobile terminal and the first edge node;
and responding to the authentication requests sent by the mobile terminal and the first edge node by feeding back the certificate of the second edge node to the mobile terminal and to the first edge node respectively.
The certificate of the mobile terminal and the second digest information may be sent by the mobile terminal after it has performed certificate authentication on the certificate of the second edge node and the authentication has passed. Likewise, the certificate of the first edge node and the first digest information may be sent by the first edge node after it has performed certificate authentication on the certificate of the second edge node and the authentication has passed. That is, before important content such as digest information is exchanged between the mobile terminal and the second edge node and between the first edge node and the second edge node, the certificates may be authenticated bidirectionally.
After negotiating the edge node switch and exchanging the first digest information and the second digest information, the mobile terminal and the first edge node both consider that the edge node switching work can proceed. The mobile terminal needs to establish directional communication with the edge node to be accessed, and the first edge node needs to synchronize service data with the second edge node so that the mobile terminal can continue its services normally after the edge switch. Therefore, the mobile terminal and the first edge node each initiate an authentication request to the second edge node; the second edge node receives and responds to the requests by feeding back its own certificate to each of them; the mobile terminal and the first edge node authenticate the certificate of the second edge node; and after the authentication passes, the second edge node being considered a safe edge node, the first edge node sends its certificate and the first digest information to the second edge node, and the mobile terminal sends its certificate and the second digest information to the second edge node.
In one embodiment, as shown in fig. 3, the step SC20 of receiving the certificate of the mobile terminal and the second digest information sent by the mobile terminal includes:
SC22: receiving a first message fed back by the mobile terminal, as shown in fig. 4, where the first message is generated according to a first ciphertext and the certificate of the mobile terminal, and the first ciphertext is generated by the mobile terminal encrypting the second digest information and the preset digest method with the public key in the certificate of the second edge node.
To improve communication safety and reliability, the certificate of the mobile terminal and the second digest information are transmitted in encrypted form: the public key in the certificate of the second edge node is used to encrypt the second digest information and the preset digest method to generate a first ciphertext, and the first message is generated from the first ciphertext and the certificate of the mobile terminal, for example by appending the first ciphertext to the certificate of the mobile terminal. The first message is transmitted to the second edge node, which, after receiving it, can decrypt it with the decryption method matching the encryption to obtain the certificate of the mobile terminal and the second digest information.
In one embodiment, as shown in fig. 3, the step SC40 of processing the certificate of the mobile terminal and the certificate of the first edge node by using the preset digest method includes:
SC42: decrypting the first ciphertext in the first message with the private key of the second edge node, and processing the certificate of the mobile terminal with the preset digest method obtained by decrypting the first ciphertext.
The step SC60 of determining, according to the processing result, the first digest information sent by the first edge node and the second digest information sent by the mobile terminal, that the mobile terminal and the first edge node are both trusted nodes includes:
SC62: comparing the processing result of the certificate of the mobile terminal with the first digest information obtained by decrypting the first ciphertext, and if the processing result is consistent with the first digest information, authenticating the mobile terminal as a node trusted by the second edge node.
Decrypting the first ciphertext, which the mobile terminal generated with the public key of the second edge node, using the private key of the second edge node prevents a man-in-the-middle from impersonating the mobile terminal or the second edge node. The certificate of the mobile terminal in the first message is then processed with the preset digest method obtained after decryption, and the processing result is compared with the first digest information obtained by decrypting the first ciphertext; if they are consistent, the message has not been tampered with, that is, neither impersonation of a communication object nor tampering with the transmitted message occurred during communication.
In one embodiment, as shown in fig. 3 and 5, the step SC60 of feeding back the third digest information and the certificate of the second edge node to the trusted node includes:
SC64: encrypting the third digest information and the second digest information with the public key in the certificate of the mobile terminal to generate a second ciphertext;
SC66: generating a second message according to the second ciphertext and the certificate of the second edge node, and feeding back the second message to the mobile terminal.
For example, the second edge node may encrypt the third digest information and the second digest information with the public key in the certificate of the mobile terminal to generate a second ciphertext, append the second ciphertext to the certificate of the second edge node to generate a second message, and feed the second message back to the mobile terminal. Interacting in encrypted form improves the security of the transmitted information. In addition, the mobile terminal can decrypt the second ciphertext with the private key matching the public key in its own certificate, which guards against impersonation of the communication object: the mobile terminal decrypts the second ciphertext with its private key to recover the second digest information and compares it with the second digest information it received from the first edge node; if the two are consistent, no communication object was impersonated during the communication. The mobile terminal can also process the received certificate of the second edge node with the preset digest method to obtain digest information and compare this processing result with the third digest information received from the second edge node; if they are consistent, no content was tampered with during the interaction between the second edge node and the mobile terminal.
In one embodiment, as shown in fig. 3 and 4, the step SC20 of receiving the certificate of the first edge node and the first digest information sent by the first edge node includes:
SC24: receiving a third message, where the third message is generated according to a third ciphertext and the certificate of the first edge node, and the third ciphertext is generated by the first edge node encrypting the first digest information and the preset digest method with the public key in the certificate of the second edge node.
The second edge node may obtain the certificate of the first edge node and the first digest information by receiving a third message carrying them. The third message may be generated by the first edge node encrypting the first digest information and the preset digest method with the public key in the certificate of the second edge node (received from the second edge node) to produce a ciphertext, and attaching the ciphertext to the certificate of the first edge node. It should be noted that, in the embodiments of the present application, each message (the first, second, third and fourth message) may be generated in ways other than attaching the ciphertext to the certificate, for example by combining the ciphertext and the certificate with a dynamic code according to a compiling rule to form the message for transmission; these are not enumerated exhaustively here.
In one embodiment, as shown in fig. 3, the step SC60 of processing the certificate of the mobile terminal and the certificate of the first edge node by using the preset digest method includes:
SC67: decrypting the third ciphertext in the third message with the private key of the second edge node, and processing the certificate of the first edge node in the third message with the preset digest method obtained by decrypting the third ciphertext.
Similarly to the decryption of the message from the mobile terminal side described above, for the first edge node the second edge node may decrypt the third ciphertext in the third message with its own private key and process the certificate of the first edge node in the third message with the preset digest method obtained by decryption; if the processing result is consistent with the second digest information that the first edge node sent to the mobile terminal, the message has not been tampered with and the communication between the second edge node and the first edge node is safe and reliable. Moreover, a ciphertext produced with the public key and decrypted with the paired private key offers higher security than a plain public-key transmission mode and prevents a man-in-the-middle from impersonating the mobile terminal or the second edge node.
In one embodiment, as shown in fig. 3 and 5, the step SC60 of feeding back the third digest information and the certificate of the second edge node to the trusted node further includes:
SC68: encrypting the third digest information and the first digest information with the public key in the certificate of the first edge node to generate a fourth ciphertext;
SC69: generating a fourth message according to the fourth ciphertext and the certificate of the second edge node, and feeding back the fourth message to the first edge node.
In the authentication of the first edge node by the second edge node, the second edge node can encrypt the third digest information and the first digest information with the public key in the certificate received from the first edge node to generate a fourth ciphertext, attach the fourth ciphertext to the certificate of the second edge node to generate a fourth message, and feed the fourth message back to the first edge node. The first edge node can then decrypt the fourth ciphertext in the fourth message with its own private key to obtain the third digest information and the first digest information, and compare the decrypted first digest information with the first digest information it obtained from the mobile terminal; if the two are consistent, no man-in-the-middle risk arose in the two-way communication between the first edge node and the second edge node. The first edge node can further process the certificate of the second edge node in the fourth message with the preset digest method to obtain digest information and compare it with the third digest information; if they are consistent, the message sent by the second edge node to the first edge node was not tampered with during communication.
In one embodiment, as shown in fig. 3, the step SC80 of performing service data synchronization includes:
SC82: synchronizing mobile terminal side service data with the mobile terminal and synchronizing edge node side service data with the first edge node; or, synchronizing edge node side service data with the first edge node.
The edge node to be accessed can be provided with information such as identity information by the mobile terminal, which is denoted mobile terminal side service data; and to ensure the continuity of the services on the mobile terminal before and after the access edge switch, the second edge node must synchronize the information provided by the first edge node, such as charging information, which is denoted edge node side service data. Whether the mobile terminal side service data is synchronized can be decided according to the range of services the mobile terminal performs.
In one embodiment, before the step of feeding back the third digest information and the certificate of the second edge node to the trusted node, the method further comprises the step of:
receiving the preset digest method updated by the mobile terminal after it determines that the edge node switch is required.
After determining that an edge node switch is required, the mobile terminal updates the preset digest method, and in the subsequent two-way authentication between the mobile terminal and the first and second edge nodes the digest information is generated and verified with the updated preset digest method. This avoids the security problem that would arise if the preset digest method were cracked.
The edge node access processing method provided by the embodiment of the application can be applied to 5G mobile medical scenes.
According to the edge node access processing method provided by the embodiments of the application, the authentication processes of the mobile terminal and of the first edge node are associated, so that a man-in-the-middle attack on the mobile terminal or the edge nodes can be prevented; the authentication of the mobile terminal with the second edge node and that of the first edge node with the second edge node can proceed simultaneously as synchronous bidirectional authentication, which shortens the overall edge node switching time and provides better service stability and security. In addition, the service data switching flow is designed so that the service data of the mobile terminal, the first edge node and the second edge node are synchronized, which further shortens the switching time, increases system availability and improves the user service experience.
The embodiment of the present application further provides an edge node access processing method, which is illustrated by taking the application to the mobile terminal 102 shown in fig. 1 as an example, and as shown in fig. 6, the method includes:
SA20: when the mobile terminal needs to switch edge nodes, sending the first digest information to the first edge node and receiving the second digest information sent by the first edge node; the first digest information is obtained by processing the certificate of the mobile terminal with a preset digest method, and the second digest information is obtained by processing the certificate of the first edge node with the preset digest method.
As for the mobile terminal, as described in the above embodiments, it may be a mobile terminal such as an ambulatory medical device. For the explanation of terms such as the first edge node, refer to the description in the above embodiments, which is not repeated here. When the mobile terminal considers that an edge node switch is required, a switching negotiation is carried out between the mobile terminal and the first edge node. After the negotiation, the mobile terminal processes its own certificate with the preset digest method to obtain the first digest information, sends it to the first edge node, and receives the second digest information generated by the first edge node. By exchanging digest information the two parties establish an association: information from the mobile terminal side is carried when the first edge node performs security authentication with the second edge node, and information from the first edge node side is carried when the mobile terminal communicates with the second edge node, so that association authentication can be performed on the second edge node side. The second edge node verifies whether the second digest information from the mobile terminal side is consistent with the result of processing the certificate of the first edge node with the preset digest method, and whether the first digest information received from the first edge node side is consistent with the result of processing the certificate of the mobile terminal with the preset digest method; if both are consistent, the mobile terminal and the first edge node trust each other.
SA40: sending the certificate of the mobile terminal and the second digest information to a second edge node, the second edge node being the edge node to be accessed by the mobile terminal. The mobile terminal sends its certificate and the second digest information to the second edge node side for association authentication: the second edge node processes the certificate of the first edge node with the preset digest method and compares the processing result with the second digest information; if they are consistent, the first edge node currently interacting with it is the same first edge node that sent the second digest information to the mobile terminal, that is, an edge node trusted by the mobile terminal.
SA60: receiving the third digest information fed back by the second edge node and the certificate of the second edge node; the third digest information is obtained by processing the certificate of the second edge node with the preset digest method. The second edge node may obtain the preset digest method by receiving it from the mobile terminal, or it may be a pre-stored preset digest method. The mobile terminal receives the third digest information fed back by the second edge node and the certificate of the second edge node, which provide the basis for the subsequent security authentication by the mobile terminal of its communication with the second edge node. The information fed back by the second edge node may be sent after the second edge node has authenticated that the first edge node is an edge node trusted by the mobile terminal.
SA80: processing the certificate of the second edge node with the preset digest method;
SA90: if the second edge node is judged, according to the processing result of the certificate of the second edge node and the third digest information, to be a node trusted by the mobile terminal, performing service data synchronization and switching the access edge from the first edge node to the second edge node. For example, the processing result is compared with the third digest information, and if they are consistent the second edge node is authenticated as a node trusted by the mobile terminal. After receiving the third digest information and the certificate fed back by the second edge node, the mobile terminal can process the certificate of the second edge node with the preset digest method to obtain digest information and compare it with the third digest information received from the second edge node; if they are consistent, the second edge node is an edge node trusted by the mobile terminal in its communication with the mobile terminal, and service data synchronization and a directional communication connection between the mobile terminal and the second edge node can proceed.
After the second edge node completes service data synchronization, the mobile terminal switches the access edge from the first edge node to the second edge node, thereby switching between the application programs hosted by the edge nodes; based on the preceding association authentication, a man-in-the-middle attack on the mobile terminal or the edge nodes can be prevented and security is ensured.
Specifically, on the mobile terminal side, the first digest information is sent to the first edge node, and the certificate of the mobile terminal and the second digest information are sent to the second edge node. When the second edge node authenticates the first edge node, it can thus determine whether the mobile terminal is a terminal trusted by the first edge node based on whether the first digest information obtained from the first edge node is consistent with the result of processing the certificate of the mobile terminal with the preset digest method, and it can likewise determine whether the first edge node is an edge node trusted by the mobile terminal based on whether the second digest information obtained from the mobile terminal is consistent with the result of processing the certificate of the first edge node with the preset digest method. The mobile terminal then receives the third digest information and the certificate fed back by the second edge node, processes the certificate of the second edge node with the preset digest method following the same idea, and compares the resulting digest information with the third digest information; if they are consistent, the message from the second edge node was not tampered with on its way to the mobile terminal and the second edge node is trustworthy. At this point the mobile terminal can synchronize service data to the second edge node, access the second edge node after it completes service data synchronization, and disconnect from the first edge node to realize the edge node switch.
In one embodiment, as shown in fig. 7, the step SA60 of receiving the third digest information fed back by the second edge node and the certificate of the second edge node includes:
SA62: receiving the third digest information, the second digest information and the certificate of the second edge node fed back by the second edge node.
The step SA80 of determining that the second edge node is a node trusted by the mobile terminal according to the processing result of the certificate of the second edge node and the third digest information includes:
SA82: performing a first verification on the processing result of the certificate of the second edge node against the third digest information, and a second verification on the received second digest information against the stored second digest information;
SA84: and if the first verification and the second verification are both passed, authenticating the second edge node as the node trusted by the mobile terminal.
In addition to the third digest information and the certificate of the second edge node, to further improve the reliability of the security authentication, the second edge node may also feed back the second digest information it received from the mobile terminal. If the second digest information fed back by the second edge node is consistent with the second digest information the mobile terminal received from the first edge node, and the result of processing the certificate of the second edge node with the preset digest method is consistent with the third digest information, the two-way communication between the second edge node and the mobile terminal is safe and reliable; this dual content verification improves the reliability of the security authentication.
In one embodiment, before the step of sending the certificate of the mobile terminal and the second digest information to the second edge node, step SA40 further includes:
sending an authentication request to the second edge node, and receiving the certificate of the second edge node fed back by the second edge node in response to the authentication request sent by the mobile terminal. As described in the above embodiments, the mobile terminal may initiate authentication to the second edge node, and the second edge node, after it may have verified the certificate of the mobile terminal, feeds back its own certificate to the mobile terminal.
Performing certificate authentication on the received certificate of the second edge node, and after the certificate authentication passes, executing the step of sending the certificate of the mobile terminal and the second digest information to the second edge node. If the certificate passes, the second edge node is safe and reliable and the two-way authentication is complete; the certificate of the mobile terminal and the second digest information are then sent to the second edge node, which processes the certificate of the mobile terminal with the preset digest method and compares the processing result with the first digest information received from the first edge node; if they are consistent, the mobile terminal is a terminal trusted by the first edge node. The second edge node likewise processes the certificate of the first edge node with the preset digest method and compares the processing result with the second digest information received from the mobile terminal; if they are consistent, the first edge node is an edge node trusted by the mobile terminal.
Based on the above description of the second edge node-side embodiment, in one embodiment, as shown in fig. 7, the step SA40 of sending the certificate of the mobile terminal and the second digest information to the second edge node further includes:
SA42: encrypting the second digest information and the preset digest method with the public key in the certificate of the second edge node to generate a first ciphertext;
SA44: generating a first message according to the first ciphertext and the certificate of the mobile terminal, and sending the first message to the second edge node.
Specifically, the public key in the certificate of the second edge node is used to encrypt the second digest information and the preset digest method to generate a first ciphertext, the first ciphertext is appended to the certificate of the mobile terminal to generate a first message, and the first message is sent to the second edge node so that the second edge node can decrypt the first ciphertext with its own private key. If decryption succeeds, neither the mobile terminal nor the second edge node has been impersonated by a man-in-the-middle. On this basis, the second edge node can further process the certificate of the mobile terminal with the preset digest method and compare the result with the first digest information received from the first edge node; if they are consistent, the mobile terminal is a terminal trusted by the first edge node. The second edge node can likewise verify whether the first edge node is an edge node trusted by the mobile terminal based on the received second digest information and the certificate of the first edge node received from the first edge node. Compared with the traditional mode of transmitting communications using only the public key, matched public-key encryption and private-key decryption offer higher security.
In one embodiment, the step of receiving the third digest information fed back by the second edge node, the second digest information, and the certificate of the second edge node SA62 includes:
receiving a second message fed back by the second edge node, the second message being generated from a second ciphertext and the certificate of the second edge node, for example by attaching the second ciphertext to the certificate of the second edge node. The second ciphertext is generated by the second edge node encrypting the third digest information and the second digest information with the public key in the certificate of the mobile terminal.
The mobile terminal receives the second ciphertext (generated by the second edge node encrypting the third digest information and the second digest information with the public key in the certificate of the mobile terminal) together with the certificate of the second edge node attached to it, and decrypts the second ciphertext with its own private key; if the second ciphertext can be decrypted successfully, no man-in-the-middle has impersonated the mobile terminal or the second edge node.
Besides whether the interacting party is impersonated, whether the communication content has been tampered with is also an important link in communication security authentication. Therefore, in one embodiment, the step of performing the first verification on the processing result and the third digest information and the second verification on the received second digest information and the stored second digest information includes:
decrypting the second ciphertext in the second message with the private key of the mobile terminal, processing the certificate of the second edge node in the second message with the preset digest method obtained by decrypting the second ciphertext, performing the first verification between the processing result and the third digest information obtained by decrypting the second ciphertext, and performing the second verification between the second digest information obtained by decrypting the second ciphertext and the stored second digest information. That is, the first verification compares the result of processing the certificate of the second edge node with the preset digest method against the third digest information, and the second verification compares the decrypted second digest information against the second digest information the mobile terminal received from the first edge node; if both verifications pass, the content has not been tampered with and the communication process is safe.
In one embodiment, as shown in fig. 7, step SA90 of performing service data synchronization and switching the access edge from the first edge node to the second edge node includes:
SA92: synchronizing the mobile terminal side service data to the second edge node. Besides the service data synchronization between the first edge node and the second edge node, the mobile terminal also takes part in the service data synchronization, which further shortens the switching process, increases system availability and improves the user's service experience.
SA94: after the service data synchronization on the second edge node is completed, switching the access edge from the first edge node to the second edge node.
The mobile terminal may disconnect from the first edge node after establishing the redirected communication connection with the second edge node.
In order to avoid loss of service data during the edge node switch, in one embodiment the method further includes:
suspending the service when the authentication request is sent to the second edge node;
and, after the step of switching the access edge from the first edge node to the second edge node:
resuming the service. Suspending and resuming the service on the mobile terminal side ensures that no service data is lost during the edge node switch, frees operating and storage resources for the edge node access processing, and speeds up the security authentication and the edge access switch.
In order to avoid the security problem that would arise if the preset digest method were recovered by an attacker, in one embodiment the method further includes:
updating the preset digest method after the mobile terminal determines that an edge node switch is required;
sending the updated preset digest method to the first edge node before the step of sending the first digest information to the first edge node and receiving the second digest information sent by the first edge node is executed;
and sending the updated preset digest method to the second edge node before the step of receiving the third digest information fed back by the second edge node and the certificate of the second edge node is executed.
Each time the mobile terminal needs to switch edge nodes, a new preset digest method can be generated during the switching negotiation with the first edge node, i.e. the preset digest method is updated, and the updated method is sent to the first edge node; the first edge node processes its own certificate with that method to obtain the second digest information and sends it to the mobile terminal. In addition, to realise the associated authentication, the mobile terminal sends the updated preset digest method to the second edge node, so that the second edge node can process its own certificate with it to obtain the third digest information and can carry out the security authentication that the mobile terminal is trusted by the first edge node and that the first edge node is trusted by the mobile terminal. Because the method is renewed for each switch, it is valid only for that switch, and digest information from an earlier switch is of no use in a later one.
In addition, an embodiment of the present application further provides an edge node access processing method, described by taking its application to the first edge node 104 shown in fig. 1 as an example; as shown in fig. 8, the method includes:
SB20: when the mobile terminal needs to switch edge nodes, receiving the first digest information sent by the mobile terminal and sending the second digest information to the mobile terminal; the first digest information is formed by processing the certificate of the mobile terminal with a preset digest method, and the second digest information is formed by processing the certificate of the first edge node with the same preset digest method.
For the definition of an edge node, refer to the description of the other method embodiments, which is not repeated here. The first edge node performs the switching negotiation with the mobile terminal; the two generate digest information with the same preset digest method and exchange it. Each party can then carry the other party's digest information when it later sends its own information to the second edge node, which establishes the association between the two.
SB40: sending the certificate of the first edge node and the first digest information (the digest information generated by the mobile terminal and sent to the first edge node) to the second edge node. The second edge node can then process the certificate of the first edge node with the preset digest method and compare the result with the second digest information received from the mobile terminal side; if they match, the first edge node is an edge node trusted by the mobile terminal. After receiving the first digest information from the first edge node, the second edge node can compare it with the result of processing the certificate of the mobile terminal with the preset digest method; if they match, the mobile terminal is a terminal trusted by the first edge node, and the associated authentication is achieved.
SB60: receiving the third digest information fed back by the second edge node and the certificate of the second edge node; the third digest information is formed by processing the certificate of the second edge node with the preset digest method. Optionally, after authenticating that the mobile terminal is a terminal trusted by the first edge node and that the first edge node is a node trusted by the mobile terminal, the second edge node feeds back the third digest information and its own certificate to the first edge node so that the second edge node can itself be authenticated.
SB80: processing the certificate of the second edge node with the preset digest method;
SB90: if the second edge node is determined to be a node trusted by the first edge node according to the processing result for the certificate of the second edge node and the third digest information, performing service data synchronization, so that the mobile terminal switches the access edge from the first edge node to the second edge node once the service data synchronization is completed.
Determining that the second edge node is a node trusted by the first edge node according to the processing result and the third digest information may be done as follows: compare the processing result with the third digest information; if they match, the second edge node is a node trusted by the first edge node, and the first edge node can synchronize service data with the second edge node so that the mobile terminal switches its access edge from the first edge node to the second edge node once the service data synchronization on the second edge node is completed.
In one embodiment, the first edge node may disconnect from the mobile terminal after the mobile terminal has accessed the second edge node. The disconnection may be triggered by the mobile terminal notifying the first edge node after it has established the redirected communication with the second edge node.
In one embodiment, as shown in fig. 9, step SB60 of receiving the third digest information fed back by the second edge node and the certificate of the second edge node includes:
SB62: receiving the third digest information, the first digest information and the certificate of the second edge node fed back by the second edge node.
Step SB90 of determining that the second edge node is a node trusted by the first edge node according to the result of processing the certificate of the second edge node and the third digest information includes:
SB92: performing a third verification between the processing result for the certificate of the second edge node and the third digest information, and a fourth verification between the received first digest information and the stored first digest information;
SB94: if both the third verification and the fourth verification pass, authenticating the second edge node as a node trusted by the first edge node. Edge-node-side service data synchronization can then be performed between the first edge node and the second edge node, so that the mobile terminal can switch its access edge from the first edge node to the second edge node once the service data synchronization on the second edge node is completed. The double verification further improves communication security.
In one embodiment, before step SB40 of sending the certificate of the first edge node and the first digest information to the second edge node, the method further includes:
sending an authentication request to the second edge node, and receiving the certificate of the second edge node fed back by the second edge node in response to the authentication request;
verifying the certificate of the second edge node, and, after the verification passes, executing the step of sending the certificate of the first edge node and the first digest information to the second edge node.
As described in the foregoing embodiments, before sending its certificate and the first digest information, the first edge node may perform two-way authentication with the second edge node: it initiates an authentication request to the second edge node, which feeds back its certificate after receiving the request; the first edge node verifies the certificate of the second edge node and, if the verification passes, sends the certificate of the first edge node and the first digest information to the second edge node, so that the second edge node can determine whether the mobile terminal and the first edge node are trusted nodes based on the received certificates and digest information.
In one embodiment, as shown in fig. 9, step SB40 of sending the certificate of the first edge node and the first digest information to the second edge node includes:
SB42: encrypting the first digest information and the preset digest method with the public key in the certificate of the second edge node to generate a third ciphertext;
SB44: generating a third message from the third ciphertext and the certificate of the first edge node, and sending the third message to the second edge node.
The first digest information and the preset digest method are encrypted with the public key in the certificate of the second edge node, so that only the second edge node, which holds the matching private key, can decrypt them; encrypting with the public key and decrypting with the private key improves the security of the information transfer.
In one embodiment, step SB62 of receiving the third digest information, the first digest information and the certificate of the second edge node fed back by the second edge node includes:
receiving a fourth message, the fourth message being generated from a fourth ciphertext and the certificate of the second edge node, where the fourth ciphertext is generated by the second edge node encrypting the third digest information and the first digest information with the public key in the certificate of the first edge node.
The first edge node receives the fourth ciphertext, generated by the second edge node encrypting the third digest information and the first digest information with the public key in the certificate of the first edge node, and decrypts it with its own private key.
In one embodiment, step SB92 of performing the third verification between the processing result for the certificate of the second edge node and the third digest information, and the fourth verification between the received first digest information and the stored first digest information, includes:
decrypting the fourth ciphertext in the fourth message with the private key of the first edge node; processing the certificate of the second edge node with the preset digest method; performing the third verification between the processing result and the third digest information; and performing the fourth verification between the first digest information obtained by decrypting the fourth ciphertext and the stored first digest information.
To improve the reliability of the security authentication, the certificate of the second edge node is processed with the preset digest method and the result is verified against the third digest information, and the first digest information obtained from the fourth ciphertext is verified against the stored first digest information. If both verifications pass, the second edge node is trustworthy, the two-way communication between the first edge node and the second edge node is secure and reliable, and the first edge node and the second edge node can perform the edge-node-side service data synchronization.
In one embodiment, as shown in fig. 9, before step SB20 of receiving the first digest information sent by the mobile terminal and sending the second digest information to the mobile terminal, the method further includes:
SB10: receiving the preset digest method updated after the mobile terminal determines that an edge node switch is required.
For the updating of the preset digest method and the communication of the preset digest method between the mobile terminal and the edge nodes, refer to the description in the above embodiments, which is not repeated here.
For better illustration, taking the environment shown in fig. 1 as an example, the following embodiment illustrates an implementation of the edge node access processing method of the present application. It should be emphasised that the embodiment listed here does not limit the actual scope of protection of the present application; it is given to help those skilled in the art understand the implementation procedure of the edge node access processing method of the present application:
The above edge node access processing method can be applied to multi-edge switching security authentication in 5G mobile medical scenarios, including the secure switching process between the first edge node 104 and the second edge node 106 shown in fig. 1, where the security authentication process can be accelerated by a hardware encryption chip integrated in each component.
The mobile terminal integrates a hardware encryption chip, which implements the information and functions involved in the security authentication between the first edge node and the second edge node, such as the digest method, certificates, encryption algorithms, the authentication process, and threat detection and protection; through the security hardening of the chip it provides a high security level of hardware protection and faster security authentication.
The security authentication flow is shown in fig. 10a, 10b and 10c, where the hardware encryption chip acts in the negotiation phase (fig. 10b) and the authentication phase (fig. 10c). When the mobile terminal (terminal A in the figure) moves far enough away from the first edge node to which it is currently connected (edge node B in the figure), a handover of the edge node is required and the negotiation phase is entered.
The mobile terminal negotiates with the first edge node, i.e. the edge node it is currently connected to, and the negotiation produces two pieces of digest information, the second digest information and the first digest information, as well as the preset digest method. The preset digest method can be generated dynamically by software during the negotiation and is time-limited: it is valid only until the switch of the access edge node is completed. The second digest information is generated by the first edge node processing its own certificate with the preset digest method; it is sent by the first edge node to the mobile terminal during the negotiation and is later attached to the certificate of the mobile terminal (for example, the certificate of terminal-side application A) and sent to the second edge node (edge node C in the figure). The first digest information is generated by the mobile terminal processing its own certificate with the preset digest method; it is sent by the mobile terminal to the first edge node during the negotiation and is later attached to the certificate of the first edge node and sent to the second edge node.
In addition, the negotiation splits the service data to be switched into two parts: the mobile terminal provides information such as its identity information, marked as mobile terminal side service data, while the first edge node provides information such as billing information, marked as edge node side service data. After the negotiation is completed, the authentication phase is entered:
the mobile terminal and the first edge node initiate an authentication negotiation request to the second edge node at the same time, and the second edge node sends the certificate of the second edge node to the mobile terminal and the first edge node at the same time.
And for the mobile terminal, verifying the certificate of the second edge node, if the verification is passed, encrypting the second abstract information and the preset abstract method by using a public key in the certificate of the second edge node, and adding the public key in the certificate of the second edge node to send the second abstract information and the preset abstract method to the second edge node. Similarly, for the first edge node, verifying the certificate of the second edge node, if the verification is passed, encrypting the first abstract information and the preset abstract method by using a public key in the certificate of the second edge node, and adding the public key in the certificate of the second edge node to send the public key to the second edge node.
After receiving the certificates of the mobile terminal and the first edge node, the second edge node prior verifies the validity of other parts of the certificates, and takes out encrypted second abstract information, the first abstract information and a preset abstract method, decrypts by using own private keys, applies the preset abstract method to the certificate parts of the messages sent by the mobile terminal and the first edge node again, compares the calculation results with the first abstract information and the second abstract information respectively, and if the calculation results are the same, the verification is passed.
After the verification is passed, the second edge node applies the received preset abstract method to the certificate of the second edge node and calculates and generates third abstract information. And encrypting the second abstract information and the third abstract information by using a public key in a certificate of the mobile terminal by the second edge node, and sending the encrypted second abstract information and the encrypted third abstract information to the mobile terminal for verification. And similarly, the first edge node and the second edge node encrypt the first abstract information and the third abstract information by using a public key in a certificate of the first edge node, and send the encrypted first abstract information and the third abstract information to the mobile terminal for verification.
And for the mobile terminal, after receiving the encrypted information of the second edge node, decrypting the information by using the private key of the mobile terminal to obtain second abstract information and third abstract information, calculating a certificate of the second edge node by using a preset abstract method, comparing a calculation result with the third abstract information, and simultaneously comparing the decrypted second abstract information with local second abstract information, wherein the two comparison results are equal, and the verification is passed. Similarly, for the first edge node, after receiving the encrypted message of the second edge node, decrypting the message by using the private key of the first edge node to obtain first abstract information and third abstract information, calculating a certificate of the second edge node by using a preset abstract method, comparing a calculation result with the third abstract information, and simultaneously comparing the first abstract information obtained by decryption with local first abstract information, wherein the two comparison results are equal, and verification is passed.
In the authentication phase, the failure of any certificate is indicated when the verification is not passed, and at the moment, the mobile terminal and the first edge node restart the negotiation phase, mainly to negotiate and adopt different second summary information, first summary information and preset summary methods. If the authentication phase is successfully completed, a handover phase is entered.
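The authentication phase described above, which is the same exchange as steps SA62 and the first and second verification on the terminal side, steps SB42 to SB94 on the first edge node side, and the per-switch renewal of the preset digest method, as an added example in Go. This is not code from the patent or from its applicant. Where the text leaves the primitives open it assumes HMAC-SHA256 under a key negotiated afresh for each handover as the "preset digest method", RSA-OAEP as the public-key encryption, a certificate reduced to a subject plus an RSA public key, and that CA validation of each certificate has already passed; all type and function names are invented for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// Cert stands in for an X.509 certificate (subject + RSA public key). CA chain validation,
// the page's "verify the certificate" step, is assumed to have passed before these calls.
type Cert struct{ Subject string; Pub *rsa.PublicKey }

// Party is terminal A, serving edge B or target edge C.
type Party struct{ Cert Cert; priv *rsa.PrivateKey }
func NewParty(subject string) *Party {
	k := must(rsa.GenerateKey(rand.Reader, 2048))
	return &Party{Cert{subject, &k.PublicKey}, k}
}

// DigestMethod is an assumed realisation of the page's "preset digest method": HMAC-SHA256
// under a key A and B negotiate afresh per handover, so a captured digest cannot be replayed.
type DigestMethod struct{ Key []byte }
func NewDigestMethod() DigestMethod {
	k := make([]byte, 32)
	rand.Read(k) // crypto/rand: a failure is fatal in current Go rather than returned
	return DigestMethod{Key: k}
}
// Digest applies the method to a canonical encoding of the certificate.
func (m DigestMethod) Digest(c Cert) []byte {
	h := hmac.New(sha256.New, m.Key)
	fmt.Fprintf(h, "%s|%x|%x", c.Subject, c.Pub.N, c.Pub.E)
	return h.Sum(nil)
}

// Seal encrypts a 64-byte payload to the holder of cert. The page says only "encrypt with
// the public key in the certificate"; RSA-OAEP is the padding assumed here.
func Seal(to Cert, payload []byte) []byte {
	return must(rsa.EncryptOAEP(sha256.New(), rand.Reader, to.Pub, payload, nil))
}
// Open decrypts with the party's private key and enforces the two-field payload layout.
func (p *Party) Open(ct []byte) ([]byte, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, p.priv, ct, nil)
	if err == nil && len(pt) != 64 {
		return nil, errors.New("unexpected payload length")
	}
	return pt, err
}
func cat(a, b []byte) []byte { return append(append([]byte{}, a...), b...) }
// Associate is C's side. A's first message is certA + Enc_C(second||key); B's third message is
// certB + Enc_C(first||key). C recomputes each digest over the certificate it actually received
// and checks it against the digest the *other* party vouched for, then builds both replies.
func Associate(c *Party, certA Cert, ctA []byte, certB Cert, ctB []byte) (replyA, replyB []byte, err error) {
	pa, errA := c.Open(ctA)
	pb, errB := c.Open(ctB)
	if errA != nil || errB != nil {
		return nil, nil, errors.New("second edge node could not open a message")
	}
	m := DigestMethod{Key: pa[32:]}
	switch {
	case !hmac.Equal(pa[32:], pb[32:]):
		return nil, nil, errors.New("terminal and first edge node disagree on the digest method")
	case !hmac.Equal(m.Digest(certA), pb[:32]):
		return nil, nil, errors.New("terminal is not the one the first edge node trusts")
	case !hmac.Equal(m.Digest(certB), pa[:32]):
		return nil, nil, errors.New("first edge node is not the one the terminal trusts")
	}
	third := m.Digest(c.Cert) // C -> A: Enc_A(second||third); C -> B: Enc_B(first||third)
	return Seal(certA, cat(pa[:32], third)), Seal(certB, cat(pb[:32], third)), nil
}
// CheckReply is A's first/second and B's third/fourth verification of C's reply:
// digest(cert_C) must equal third, and the echoed digest must equal the stored one.
func CheckReply(p *Party, certC Cert, ct, stored []byte, m DigestMethod) error {
	pt, err := p.Open(ct)
	if err != nil {
		return err
	}
	if !hmac.Equal(pt[:32], stored) || !hmac.Equal(m.Digest(certC), pt[32:]) {
		return fmt.Errorf("%s: second edge node not trusted", p.Cert.Subject)
	}
	return nil
}

// Handover runs the honest exchange end to end; nil means every verification passed.
func Handover(a, b, c *Party) error {
	m := NewDigestMethod() // negotiated between A and B, who exchange first and second
	first, second := m.Digest(a.Cert), m.Digest(b.Cert)
	rA, rB, err := Associate(c, a.Cert, Seal(c.Cert, cat(second, m.Key)), b.Cert, Seal(c.Cert, cat(first, m.Key)))
	if err != nil {
		return err
	}
	if err = CheckReply(a, c.Cert, rA, second, m); err != nil {
		return err
	}
	return CheckReply(b, c.Cert, rB, first, m)
}
```

Two properties of the page's design are visible in `Associate`: the second edge node never compares a digest with the digest sent by the same party, so a man in the middle that substitutes its own certificate for the terminal's fails the comparison with the digest the first edge node vouched for; and because the key is fresh per handover, a digest or method captured from a previous switch fails the method-agreement check. Note that decrypting successfully proves only that the message was sealed to the right key, so `hmac.Equal` (constant time) carries the actual authentication.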
Switching phase: the mobile terminal synchronizes the terminal side service data to the second edge node, and the first edge node synchronizes the edge node side service data to the second edge node. After the service data synchronization is completed, the second edge node notifies the mobile terminal to redirect its connection to the second edge node, and the terminal switch is completed. After the switch, the completion phase is entered.
Completion phase: the mobile terminal informs the first edge node that the entire handover procedure has ended and disconnects from the first edge node.
In the above process, the service of the mobile terminal is affected from the start of the negotiation phase and returns to normal when the switching phase is completed.
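The switching and completion phases above, together with steps SA92 and SA94 and the suspend/resume steps on the terminal side, as an added example in Go; this is not code from the patent or from its applicant. It models the terminal and both edge nodes in one process rather than over a network, and the type names, method names and the sample service data ("patient-id", "billing-record", "scan-1", "scan-2") are constructed for the example.

```go
package main

import "fmt"

// EdgeNode is the second (target) edge node's view of the switch. The negotiation splits the
// service data into a terminal side part and an edge side part; each arrives from a different
// sender, and the switch is permitted only once both have arrived.
type EdgeNode struct {
	Name                   string
	TerminalData, EdgeData []string
	terminalDone, edgeDone bool
	Served                 []string // service requests this node has handled
	Connected              bool
}

func (e *EdgeNode) SyncFromTerminal(d []string) { e.TerminalData = append([]string(nil), d...); e.terminalDone = true }
func (e *EdgeNode) SyncFromEdge(d []string)     { e.EdgeData = append([]string(nil), d...); e.edgeDone = true }

// SyncComplete is the guard the page puts on the switch (SA94).
func (e *EdgeNode) SyncComplete() bool { return e.terminalDone && e.edgeDone }

// Terminal holds the mobile terminal's state across the handover.
type Terminal struct {
	Serving   *EdgeNode
	suspended bool
	pending   []string // requests issued while the service is suspended
}

// Suspend is called when the authentication request is sent to the second edge node.
func (t *Terminal) Suspend() { t.suspended = true }

// Request is served by the current edge, or queued while suspended so that nothing is lost.
func (t *Terminal) Request(r string) {
	if t.suspended {
		t.pending = append(t.pending, r)
		return
	}
	t.Serving.Served = append(t.Serving.Served, r)
}

// Switch redirects to target only once both service data parts are on it, resumes the service
// by replaying the queued requests to the new edge, and then releases the old edge (the
// completion phase, in which the terminal tells the first edge node the handover has ended).
func (t *Terminal) Switch(target *EdgeNode) error {
	if !target.SyncComplete() {
		return fmt.Errorf("%s: service data synchronization not complete", target.Name)
	}
	old := t.Serving
	t.Serving, target.Connected = target, true
	t.suspended = false
	for _, r := range t.pending {
		t.Request(r)
	}
	t.pending = nil
	if old != nil && old != target {
		old.Connected = false
	}
	return nil
}

func main() {
	b, c := &EdgeNode{Name: "edge-B", Connected: true}, &EdgeNode{Name: "edge-C"}
	term := &Terminal{Serving: b}
	term.Request("scan-1")                       // served by B before the handover
	term.Suspend()                               // authentication request sent to C
	term.Request("scan-2")                       // queued: neither lost nor sent to B
	fmt.Println("early switch:", term.Switch(c)) // refused, nothing synchronized yet
	c.SyncFromTerminal([]string{"patient-id"})   // terminal side part, sent by the terminal
	c.SyncFromEdge([]string{"billing-record"})   // edge side part, sent by B
	fmt.Println("switch:", term.Switch(c), "| C served:", c.Served, "| B connected:", b.Connected)
}
```

The point the example makes explicit is the ordering: a request issued during authentication is neither dropped nor delivered to the node that is about to be released, the redirect is refused while either half of the service data is missing, and the old node is released only after the new one is serving.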
It should be noted that the hardware encryption chip relied on in the security authentication process can meet the high security requirements of medical scenarios; in application scenarios with lower security requirements, the hardware encryption chip can be replaced by software to reduce cost, i.e. the security authentication process is completed purely in software.
It should be understood that, although the steps in the flowcharts of the above embodiments are shown in sequence as indicated by the arrows, these steps are not necessarily performed in the order indicated. Unless explicitly stated herein, the order of execution of the steps is not strictly limited and they may be performed in other orders. Moreover, at least some of the steps in the flowcharts of the above embodiments may comprise several sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and their order is not necessarily sequential; they may be performed in turn or alternately with at least some of the other steps or sub-steps.
Based on the same inventive concept, an embodiment of the present application further provides an edge node access processing apparatus for implementing the above edge node access processing method executed on the second edge node side. The implementation of the solution provided by the apparatus is similar to that described for the method, so for the specific limitations of the one or more edge node access processing apparatus embodiments below, reference may be made to the limitations of the edge node access processing method executed on the second edge node side above, which are not repeated here.
In one embodiment, as shown in fig. 11, an edge node access processing apparatus applied to a second edge node is provided, the apparatus including:
a to-be-accessed node side information receiving module C20, configured to receive the certificate of the first edge node and the first digest information sent by the first edge node, and to receive the certificate of the mobile terminal and the second digest information sent by the mobile terminal, when the mobile terminal needs to switch edge nodes;
the first digest information being formed by processing the certificate of the mobile terminal with a preset digest method, and the second digest information being formed by processing the certificate of the first edge node with the preset digest method;
a terminal security verification and information feedback module C40, configured to process the certificate of the mobile terminal and the certificate of the first edge node respectively with the preset digest method;
a first edge node security verification and information feedback module C60, configured to, when the mobile terminal and the first edge node are both determined to be trusted nodes according to the processing results, the first digest information sent by the first edge node and the second digest information sent by the mobile terminal, feed back third digest information and the certificate of the second edge node to the trusted nodes, the third digest information being formed by processing the certificate of the second edge node with the preset digest method;
a service data synchronization module C80, configured to perform service data synchronization when the second edge node is a node trusted by both the mobile terminal and the first edge node;
an access terminal execution module C90, configured to access the mobile terminal after the service data synchronization is completed, so that the access edge of the mobile terminal is switched from the first edge node to the second edge node.
The edge node access processing apparatus applied to the second edge node side provided by the embodiment of the present application further includes other modules and units for executing the other steps of the edge node access processing method on the second edge node side and achieving the corresponding beneficial effects, which are not described again here.
Based on the same inventive concept, an embodiment of the present application further provides an edge node access processing apparatus for implementing the edge node access processing method executed on the mobile terminal side. The implementation of the solution provided by the apparatus is similar to that described for the method, so for the specific limitations of the edge node access processing apparatus embodiments below, reference may be made to the limitations of the edge node access processing method executed on the mobile terminal side, which are not repeated here.
An edge node access processing apparatus applied to a mobile terminal, as shown in fig. 12, includes:
a terminal side digest information interaction module A20, configured to send the first digest information to the first edge node and receive the second digest information sent by the first edge node when the mobile terminal needs to switch edge nodes; the first digest information being formed by processing the certificate of the mobile terminal with a preset digest method, and the second digest information being formed by processing the certificate of the first edge node with the preset digest method;
a terminal side first information sending module A40, configured to send the certificate of the mobile terminal and the second digest information to the second edge node; the second edge node being the edge node the mobile terminal is to access;
a terminal side first information receiving module A60, configured to receive the third digest information fed back by the second edge node and the certificate of the second edge node; the third digest information being formed by processing the certificate of the second edge node with the preset digest method;
a terminal side first security verification module A80, configured to process the certificate of the second edge node with the preset digest method;
and a terminal side switching execution module A90, configured to perform service data synchronization and switch the access edge from the first edge node to the second edge node when the second edge node is determined to be a node trusted by the mobile terminal according to the processing result for the certificate of the second edge node and the third digest information.
The edge node access processing apparatus applied to the mobile terminal side provided by the embodiment of the present application further includes other modules and units for executing the other steps of the edge node access processing method on the mobile terminal side and achieving the corresponding beneficial effects, which are not described again here.
Based on the same inventive concept, the embodiment of the present application further provides an edge node access processing device for implementing the edge node access processing method executed by the application on the first edge node side. The implementation of the solution provided by the apparatus is similar to the implementation described in the above method, so the specific limitation in the embodiments of the one or more edge node access processing apparatus provided below may refer to the limitation in the implementation of the edge node access processing method on the first edge node side, which is not repeated herein.
An edge node access processing device, applied to a first edge node, as shown in fig. 13, includes:
the first edge node side abstract information interaction module B20 is used for receiving first abstract information sent by the mobile terminal and sending second abstract information to the mobile terminal under the condition that the mobile terminal needs to switch the edge nodes; the first abstract information is formed by processing the certificate of the mobile terminal based on a preset abstract method, and the second abstract information is formed by processing the certificate of the first edge node based on the preset abstract method;
a first information sending module B40 at the first edge node side, configured to send the certificate of the first edge node and the first digest information to the second edge node;
the first information receiving module B60 at the first edge node side is configured to receive third summary information fed back by the second edge node and a certificate of the second edge node; the third abstract information is formed by processing the certificate of the second edge node based on a preset abstract method;
a first security verification module B80 at the first edge node side, configured to process the certificate of the second edge node by using a preset digest method;
The first edge node side service data synchronization module B90 is configured to perform service data synchronization when the second edge node is determined, according to the processing result of the certificate of the second edge node and the third summary information, to be a node trusted by the first edge node, so that the mobile terminal switches its access edge from the first edge node to the second edge node once the service data synchronization is completed.
The edge node access processing device applied to the first edge node side provided by the embodiment of the application further comprises other modules and units for executing other steps of the edge node access processing method of the first edge node side and realizing corresponding beneficial effects, and details are not repeated here.
The respective modules in the above edge node access processing device may be implemented in whole or in part by software, hardware, or a combination thereof. The above modules may be embedded in hardware, may be independent of the processor in the computer device, or may be stored as software in the memory of the computer device so that the processor can call and execute the operations corresponding to the above modules.
In one embodiment, an edge node is provided, which may be a server, whose internal structure may be as shown in fig. 14. The edge node includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the edge node is adapted to provide computing and control capabilities. The memory of the edge node includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The database of the edge node is used for storing data such as a preset abstract method. The network interface of the edge node is for communicating with an external terminal via a network connection. The computer program is executed by a processor to implement an edge node access processing method.
The embodiment of the application also provides an edge node, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the steps of the edge node access processing method executed by the second edge node and/or the first edge node side when executing the computer program.
In one embodiment, the processor is a hardware encryption chip. The hardware encryption chip can ensure high security requirements in medical scenes and the like.
In one embodiment, a mobile terminal is provided, which may be an ambulatory medical device. The mobile terminal includes a processor, a memory, a communication interface, a display screen, and an input device connected by a system bus. Wherein the processor of the mobile terminal is configured to provide computing and control capabilities. The memory of the mobile terminal comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The communication interface of the mobile terminal is used for carrying out wired or wireless communication with an external terminal. The computer program, when executed by a processor, implements an edge node access processing method applied on the mobile terminal side. The display screen of the mobile terminal can be a liquid crystal display screen, a touch screen and the like, and the input device of the mobile terminal can be a touch layer covered on the display screen, can also be a key, a track ball or a touch pad arranged on the shell of the mobile terminal as shown in fig. 1, and can also be an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by persons skilled in the art that the architecture shown in fig. 15 is merely a block diagram of some of the architectures associated with the inventive arrangements and is not limiting of the mobile terminal to which the inventive arrangements are applied, and that a particular mobile terminal may include more or fewer components than shown, or may combine some components, or have a different arrangement of components.
In one embodiment, a mobile terminal is provided, including a memory storing a computer program and a processor implementing steps of an edge node access processing method performed by a mobile terminal side when the processor executes the computer program.
In one embodiment, the processor applied to the mobile terminal side is a hardware encryption chip. The hardware encryption chip can ensure high security requirements in medical scenes and the like.
In one embodiment, the mobile terminal is an ambulatory medical device.
In one embodiment, a system for switching access edges of a mobile terminal is further provided, including the mobile terminal, a first edge node and a second edge node;
the first edge node comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the steps of the edge node access processing method when executing the computer program;
The second edge node comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the edge node access processing method when executing the computer program.
When the mobile terminal is a mobile medical device, the mobile terminal access edge switching system is an intelligent medical application system. While the mobile medical device moves, it can switch edge nodes according to factors related to communication quality, such as the communication strength between the mobile medical device and the currently accessed edge node and the communication strength between the mobile medical device and other edge nodes, so that the application programs carried on the mobile medical device keep running reliably.
For example, while the ambulatory medical device is moved from the emergency room to the operating room, the application program carried on it must keep running stably. This depends on the communication stability of the device, which the access edge switching process provides, so that accidents caused by a communication interruption while the medical device is moving are avoided.
Wherein it should be understood by those skilled in the art that each edge node may be a first edge node or a second edge node, depending on its communication with the mobile terminal.
In one embodiment, a computer readable storage medium is provided, on which a computer program is stored which, when executed by a processor, implements the steps of the above-described edge node access processing method.
In an embodiment a computer program product is provided comprising a computer program which, when executed by a processor, implements the steps of the above described edge node access processing method.
Those skilled in the art will appreciate that all or part of the methods of the above embodiments may be implemented by a computer program stored on a non-transitory computer-readable storage medium which, when executed, may include the steps of the method embodiments described above. Any reference to memory, a database, or another medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. The non-volatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetoresistive random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, and the like. Volatile memory may include random access memory (RAM) or external cache memory, and the like. By way of illustration and not limitation, RAM may take a variety of forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM). The databases referred to in the embodiments provided herein may include at least one of a relational database and a non-relational database. The non-relational database may include, but is not limited to, a blockchain-based distributed database and the like. The processor referred to in the embodiments provided in the present application may be a general-purpose processor, a central processing unit, a graphics processor, a digital signal processor, a programmable logic unit, a data processing logic unit based on quantum computing, or the like, but is not limited thereto.
The technical features of the above embodiments may be combined arbitrarily. For brevity, not all possible combinations of the technical features of the above embodiments are described; however, as long as there is no contradiction between them, such combinations should be considered within the scope of this description.
The foregoing examples illustrate only a few embodiments of the application, which are described in detail and are not to be construed as limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of the application should be assessed as that of the appended claims.

Claims (19)

1. An edge node access processing method, applied to a second edge node, comprising:
when the mobile terminal needs to switch the edge node, receiving a certificate of the first edge node and first abstract information sent by the first edge node, and receiving the certificate of the mobile terminal and second abstract information sent by the mobile terminal;
The first abstract information is formed by processing the certificate of the mobile terminal based on a preset abstract method, and the second abstract information is formed by processing the certificate of the first edge node based on the preset abstract method;
adopting the preset abstract method to respectively process the certificate of the mobile terminal and the certificate of the first edge node;
respectively comparing the processing result of the certificate of the mobile terminal with the first abstract information sent by the first edge node, and the processing result of the certificate of the first edge node with the second abstract information sent by the mobile terminal, if the processing result of the certificate of the first edge node is consistent with the second abstract information, judging that the mobile terminal and the first edge node are both trusted nodes, and feeding back a third abstract information and the certificate of the second edge node to the trusted nodes, wherein the third abstract information is formed after the certificate of the second edge node is processed based on the preset abstract method;
if the second edge node is a node trusted by the mobile terminal and the first edge node respectively, service data synchronization is performed;
And after the service data synchronization is completed, accessing the mobile terminal, so that the access edge of the mobile terminal is switched from the first edge node to the second edge node.
2. The method of claim 1, wherein the step of receiving the certificate of the mobile terminal and the second digest information transmitted by the mobile terminal comprises:
and receiving a first message fed back by the mobile terminal, wherein the first message comprises a message generated according to a first ciphertext and a certificate of the mobile terminal, and the first ciphertext is generated by encrypting the second summary information and the preset summary method by the mobile terminal by adopting a public key in the certificate of the second edge node.
3. The method according to claim 2, wherein the step of processing the certificate of the mobile terminal and the certificate of the first edge node, respectively, using the preset digest method comprises:
decrypting a first ciphertext in the first message by adopting a private key of the second edge node, and processing a certificate of the mobile terminal by adopting a preset abstract method obtained by decrypting the first ciphertext;
the step of comparing, for consistency, the processing result of the certificate of the mobile terminal with the first abstract information sent by the first edge node and the processing result of the certificate of the first edge node with the second abstract information sent by the mobile terminal, and, if the processing result of the certificate of the mobile terminal and the first abstract information are consistent with each other, judging that both the mobile terminal and the first edge node are trusted nodes, comprises the following step:
And comparing the processing result of the certificate of the mobile terminal with first abstract information obtained by decrypting the first ciphertext, and if the processing result is consistent with the first abstract information, authenticating the mobile terminal as a node trusted by the second edge node.
4. The method of claim 1, wherein the step of receiving the first edge node certificate and the first digest information transmitted by the first edge node comprises:
and receiving a third message, wherein the third message comprises a message generated according to a third ciphertext and the certificate of the first edge node, and the third ciphertext is generated by encrypting the first abstract information and a preset abstract method by the first edge node by adopting a public key in the certificate of the second edge node.
5. The method of claim 4, wherein the step of processing the certificate of the mobile terminal and the certificate of the first edge node using the preset digest method respectively comprises:
decrypting a third ciphertext in the third message by using the private key of the second edge node, and processing a certificate of the first edge node in the third message by using a preset abstract method obtained by decrypting the third ciphertext;
The step of comparing, for consistency, the processing result of the certificate of the mobile terminal with the first abstract information sent by the first edge node and the processing result of the certificate of the first edge node with the second abstract information sent by the mobile terminal, and, if the processing result of the certificate of the mobile terminal and the first abstract information are consistent with each other, judging that both the mobile terminal and the first edge node are trusted nodes, comprises the following step:
and comparing the processing result of the certificate of the first edge node with second abstract information obtained by decrypting the third ciphertext, and if the processing result is consistent with the second abstract information, authenticating the first edge node as a node trusted by the second edge node.
6. An edge node access processing method, applied to a mobile terminal, comprising:
when the mobile terminal needs to switch the edge nodes, the first abstract information is sent to the first edge node, and the second abstract information sent by the first edge node is received; the first abstract information is formed by processing the certificate of the mobile terminal based on a preset abstract method, and the second abstract information is formed by processing the certificate of the first edge node based on the preset abstract method;
Sending the certificate of the mobile terminal and the second abstract information to a second edge node; the second edge node is an edge node to be accessed by the mobile terminal;
receiving third abstract information fed back by the second edge node and a certificate of the second edge node; the third summary information is formed after the certificate of the second edge node is processed based on the preset summary method;
processing the certificate of the second edge node by adopting the preset abstract method;
and if the second edge node is judged to be the node trusted by the mobile terminal according to the processing result of the certificate of the second edge node and the third abstract information, service data synchronization is carried out, and an access edge is switched from the first edge node to the second edge node.
7. The method of claim 6, wherein the step of sending the certificate of the mobile terminal and the second digest information to the second edge node is preceded by the step of:
sending an authentication request to the second edge node, and receiving a certificate of the second edge node fed back by the second edge node in response to the authentication request sent by the mobile terminal;
And performing certificate authentication on the received certificate of the second edge node, and executing the step of sending the certificate of the mobile terminal and the second abstract information to the second edge node after the certificate authentication is passed.
8. The method of claim 6, wherein the step of receiving the third digest information, the second digest information, and the certificate of the second edge node fed back by the second edge node comprises:
and receiving a second message fed back by the second edge node, wherein the second message comprises a message generated according to a second ciphertext and a certificate of the second edge node.
9. The method of claim 8, wherein the second message is a message generated by attaching the second ciphertext to a certificate of the second edge node.
10. The method according to claim 8, wherein the step of first verifying the processing result of the certificate of the second edge node with the third digest information, and second verifying the received second digest information with the stored second digest information comprises:
and decrypting a second ciphertext in the second message by adopting a private key of the mobile terminal, processing a certificate of a second edge node in the second message by adopting a preset digest method obtained by decrypting the second ciphertext, performing first verification on a processing result and third digest information obtained by decrypting the second ciphertext, and performing second verification on the second digest information obtained by decrypting the second ciphertext and stored second digest information.
11. The method according to any one of claims 6-10, further comprising:
suspending the service when sending an authentication request to the second edge node;
and further comprising, after the step of switching an access edge from the first edge node to the second edge node, the steps of:
and recovering the service.
12. An edge node access processing method, applied to a first edge node, comprising:
when the mobile terminal needs to perform edge node switching, receiving first abstract information sent by the mobile terminal, and sending second abstract information to the mobile terminal; the first abstract information is formed by processing the certificate of the mobile terminal based on a preset abstract method, and the second abstract information is formed by processing the certificate of the first edge node based on the preset abstract method;
sending the certificate of the first edge node and the first digest information to a second edge node;
receiving third abstract information fed back by a second edge node and a certificate of the second edge node; the third summary information is formed after the certificate of the second edge node is processed based on the preset summary method;
Processing the certificate of the second edge node by adopting the preset abstract method;
and if the second edge node is judged to be the node trusted by the first edge node according to the processing result of the certificate of the second edge node and the third abstract information, carrying out service data synchronization, so that the mobile terminal switches an access edge from the first edge node to the second edge node under the condition that the service data synchronization is completed.
13. The method of claim 12, wherein the step of receiving the third digest information fed back by the second edge node, the first digest information, and the certificate of the second edge node comprises:
and receiving a fourth message, wherein the fourth message comprises a message generated according to a fourth ciphertext and a certificate of the second edge node, and the fourth ciphertext is generated by encrypting the third abstract information and the first abstract information by the second edge node by adopting a public key in the certificate of the first edge node.
14. The method according to claim 13, wherein the step of performing third verification of the processing result of the certificate of the second edge node with the third digest information, and performing fourth verification of the received first digest information with the stored first digest information, comprises:
And decrypting the fourth ciphertext in the fourth message by adopting the private key of the first edge node, processing the certificate of the second edge node by adopting a preset digest method obtained by decrypting the fourth ciphertext, performing third verification on a processing result and the third digest information, and performing fourth verification on the first digest information obtained by decrypting the fourth ciphertext and the stored first digest information.
15. An edge node access processing apparatus for use in a mobile terminal, the apparatus comprising:
the terminal side abstract information interaction module is used for sending the first abstract information to a first edge node and receiving the second abstract information sent by the first edge node under the condition that the mobile terminal needs to switch the edge nodes; the first abstract information is formed by processing the certificate of the mobile terminal based on a preset abstract method, and the second abstract information is formed by processing the certificate of the first edge node based on the preset abstract method;
a terminal side first information sending module, configured to send a certificate of the mobile terminal and the second summary information to a second edge node; the second edge node is an edge node to be accessed by the mobile terminal;
A terminal side first information receiving module, configured to receive third summary information fed back by the second edge node and a certificate of the second edge node; the third summary information is formed after the certificate of the second edge node is processed based on the preset summary method;
the terminal side first security verification module is used for processing the certificate of the second edge node by adopting the preset abstract method;
and the terminal side switching execution module is used for carrying out service data synchronization and switching an access edge from the first edge node to the second edge node when the second edge node is judged to be a node trusted by the mobile terminal according to the processing result of the certificate of the second edge node and the third abstract information.
16. A mobile terminal comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the edge node access processing method of any of claims 6 to 14.
17. The mobile terminal of claim 16, wherein the mobile terminal is an ambulatory medical device.
18. The mobile terminal of claim 16, wherein the processor applied to the mobile terminal side is a hardware encryption chip.
19. A mobile terminal access edge switching system comprising a mobile terminal according to any of claims 16-18, a first edge node and a second edge node;
the first edge node comprising a memory storing a computer program and a processor implementing the steps of the edge node access processing method of any of claims 6 to 14 when the computer program is executed;
the second edge node comprises a memory storing a computer program and a processor implementing the edge node access processing method of any of claims 1 to 5 when the computer program is executed.
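The three-party exchange of claims 1, 6 and 12, as an added example that is not part of the patent. It assumes the "preset digest method" is SHA-256, uses constructed placeholder certificates, and leaves out the public-key wrapping of the digests described in claims 2-5, 8-10 and 13-14; the class and function names are illustrative.

```python
"""Added example, not code from the patent: the three-party digest
cross-check of claims 1, 6 and 12, with the second edge node as verifier.
Assumptions: the 'preset digest method' is SHA-256, the certificates are
constructed placeholder byte strings, and the public-key wrapping of the
digests (claims 2-5, 8-10 and 13-14) is left out."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

Reply = Tuple[str, bytes]  # (third digest, certificate of the second edge node)


def preset_digest(cert: bytes) -> str:
    """The claims' 'preset abstract method'; SHA-256 is an assumption here."""
    return hashlib.sha256(cert).hexdigest()


@dataclass
class Node:
    name: str
    cert: bytes  # constructed placeholder; a deployment would carry an X.509 certificate

    def accept_second(self, reply: Optional[Reply]) -> bool:
        """Claims 6 and 12, last steps: recompute the digest of the second
        node's certificate and compare it with the third digest it sent.
        Without a reply there is no trusted second node and no switch."""
        if reply is None:
            return False
        third_digest, cert_second = reply
        return hmac.compare_digest(preset_digest(cert_second), third_digest)


class MobileTerminal(Node):
    second_digest: str = ""

    def start_switch(self, first: "FirstEdgeNode") -> None:
        # Claim 6, step 1: send H(cert_terminal) to the serving node, receive H(cert_first)
        self.second_digest = first.exchange_digests(preset_digest(self.cert))

    def message_for_second(self) -> Tuple[bytes, str]:
        # Claim 6, step 2: own certificate plus the second digest H(cert_first)
        return self.cert, self.second_digest


class FirstEdgeNode(Node):
    first_digest: str = ""

    def exchange_digests(self, first_digest: str) -> str:
        # Claim 12, step 1: keep H(cert_terminal), answer with H(cert_first)
        self.first_digest = first_digest
        return preset_digest(self.cert)

    def message_for_second(self) -> Tuple[bytes, str]:
        # Claim 12, step 2: own certificate plus the first digest H(cert_terminal)
        return self.cert, self.first_digest


class SecondEdgeNode(Node):
    def verify_and_reply(self, from_first: Tuple[bytes, str],
                         from_terminal: Tuple[bytes, str]) -> Optional[Reply]:
        """Claim 1: each certificate arrives on one channel and its digest on the
        other, so a certificate altered on either channel no longer matches."""
        cert_first, first_digest = from_first         # first_digest should equal H(cert_terminal)
        cert_terminal, second_digest = from_terminal  # second_digest should equal H(cert_first)
        terminal_ok = hmac.compare_digest(preset_digest(cert_terminal), first_digest)
        first_ok = hmac.compare_digest(preset_digest(cert_first), second_digest)
        if not (terminal_ok and first_ok):
            return None  # refuse: no third digest, no data synchronization, no switch
        # This binds the two channels to each other; it is not a certificate
        # validation, which the page places in a separate step (claim 7).
        return preset_digest(self.cert), self.cert


def run_handover(terminal: MobileTerminal, first: FirstEdgeNode, second: SecondEdgeNode,
                 altered_terminal_cert: Optional[bytes] = None) -> bool:
    """Drive one switch; True only if all three parties end up trusting each
    other. `altered_terminal_cert` models a certificate that was changed on the
    terminal-to-second-node channel, to show the cross-check rejecting it."""
    terminal.start_switch(first)
    from_terminal = terminal.message_for_second()
    if altered_terminal_cert is not None:
        from_terminal = (altered_terminal_cert, from_terminal[1])
    reply = second.verify_and_reply(first.message_for_second(), from_terminal)
    # Claims 6 and 12: both the terminal and the first node must trust the second
    # node before service data synchronization and the switch go ahead.
    return terminal.accept_second(reply) and first.accept_second(reply)


if __name__ == "__main__":
    t = MobileTerminal("terminal", b"constructed cert of the mobile terminal")
    f = FirstEdgeNode("edge-1", b"constructed cert of the first edge node")
    s = SecondEdgeNode("edge-2", b"constructed cert of the second edge node")
    print("switch completed:", run_handover(t, f, s))
    print("switch with altered certificate:",
          run_handover(t, f, s, altered_terminal_cert=b"constructed altered cert"))
```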

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310596566.4A CN116582554A (en) 2022-04-07 2022-04-07 Edge node access processing method and device, mobile terminal and edge node

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210358291.6A CN114786177B (en) 2022-04-07 2022-04-07 Edge node access processing method, mobile terminal and edge node
CN202310596566.4A CN116582554A (en) 2022-04-07 2022-04-07 Edge node access processing method and device, mobile terminal and edge node

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN202210358291.6A Division CN114786177B (en) 2022-04-07 2022-04-07 Edge node access processing method, mobile terminal and edge node

Publications (1)

Publication Number Publication Date
CN116582554A true CN116582554A (en) 2023-08-11

Family

ID=82426299

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202310596566.4A Pending CN116582554A (en) 2022-04-07 2022-04-07 Edge node access processing method and device, mobile terminal and edge node
CN202210358291.6A Active CN114786177B (en) 2022-04-07 2022-04-07 Edge node access processing method, mobile terminal and edge node

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN202210358291.6A Active CN114786177B (en) 2022-04-07 2022-04-07 Edge node access processing method, mobile terminal and edge node

Country Status (1)

Country Link
CN (2) CN116582554A (en)


Also Published As

Publication number Publication date
CN114786177B (en) 2023-05-30
CN114786177A (en) 2022-07-22


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination