WO2015100615A1 - Method and apparatus for processing service packet, and gateway device - Google Patents

Publication number
WO2015100615A1
WO2015100615A1 PCT/CN2013/091111 CN2013091111W WO2015100615A1 WO 2015100615 A1 WO2015100615 A1 WO 2015100615A1 CN 2013091111 W CN2013091111 W CN 2013091111W WO 2015100615 A1 WO2015100615 A1 WO 2015100615A1
Authority
WO
WIPO (PCT)
Prior art keywords
application
key
application identifier
gateway device
service
Application number
PCT/CN2013/091111
Other languages
French (fr)
Chinese (zh)
Inventor
胡翔
胡玉胜
郭建成
张翀
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to PCT/CN2013/091111
Priority to CN201380072947.7A (CN104995891B)
Publication of WO2015100615A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Definitions

  • Embodiments of the present invention relate to the field of wireless communications, and, more particularly, to a method, apparatus, and gateway device for processing a service packet.
  • Background
  • the gateway device of the core network in the mobile network needs to identify the application to which the service message belongs, so that different processing policies (such as charging policy and QoS policy) can be used for different applications.
  • DPI Deep Packet Inspection
  • the embodiment of the invention provides a method, a device and a gateway device for processing a service packet, so as to improve the recognition rate of the application of the service packet by the gateway device.
  • the first aspect provides a method for processing a service packet, where: the gateway device receives a service packet, where the service packet carries an application identifier, where the application identifier is used to indicate an application to which the service packet belongs; the gateway device identifies the application to which the service packet belongs according to the application identifier; and the gateway device performs the processing policy on the service packet according to the pre-established correspondence between the application and the processing policy.
  • the gateway device stores a corresponding relationship between the application identifier and an application
  • the identifying the application according to the application identifier includes: determining, according to the application identifier carried in the service packet and the corresponding relationship between the application identifier and the application, the application corresponding to the application identifier as the application to which the service packet belongs.
  • the service packet further carries a security check code, where the security check code is used to verify the location
  • the gateway device further stores the corresponding relationship between the application identifier and the application, and the identifying the application according to the application identifier includes: determining the key according to the application identifier carried in the service packet and the corresponding relationship between the application identifier and the key; generating a reference check code according to the key; and using the reference check code and the security check code
  • the application corresponding to the application identifier is determined as the application to which the service packet belongs.
  • the key is a temporary key generated by the key server for the application,
  • before the determining the key according to the application identifier carried in the service packet and the corresponding relationship between the application identifier and the key, the method further includes: sending a request message to the key server, where the request message is used to request the key server to generate the temporary key for the application; and receiving a response message sent by the key server, where the response message carries the temporary key.
  • the service packet further carries a version number of the application
  • the gateway device further stores the correspondence between the application identifier, the version number, and the key, and the determining the key according to the application identifier carried in the service packet and the correspondence between the application identifier and the key includes: selecting, according to the application identifier and the version number carried in the service packet and the correspondence between the application identifier, the version number, and the key, the key corresponding to the application identifier and the version number.
  • the generating the reference check code according to the key includes: generating the reference check code according to the key and based on MD5.
  • the processing policy is a charging policy of the application, and the performing the processing policy on the service packet according to the pre-established correspondence between the application and the processing policy includes: charging the service packet according to the charging policy.
  • the second aspect provides a method for processing a service packet, including: generating a service packet, where the service packet carries an application identifier, where the application identifier is used to indicate the application to which the service packet belongs; and sending the service packet to the gateway device of the core network.
  • the service packet further carries a security check code, where the security check code is used to verify the security of the service packet.
  • the method further includes: acquiring a key corresponding to the application; and generating the security check code according to the key.
  • the key is a temporary key generated by the key server for the application, and the acquiring the key corresponding to the application includes: sending a request message to the key server, where the request message is used to request the key server to generate the temporary key for the application; and receiving a response message sent by the key server, where the response message carries the temporary key.
  • the key is a built-in key of an application to which the service packet belongs, and the acquiring the key corresponding to the application includes: extracting the built-in key.
  • the service packet further carries a version number of an application that generates the service packet.
  • the generating the security check code according to the key includes: generating the security check code according to the key and based on MD5.
  • a gateway device including: a first receiving unit, configured to receive a service packet, where the service packet carries an application identifier, where the application identifier is used to indicate an application to which the service packet belongs; an identifying unit, configured to identify, according to the application identifier that is carried in the service packet that is received by the first receiving unit, an application to which the service packet belongs; and an execution unit, configured to perform the processing policy on the service packet according to the pre-established correspondence between the application identified by the identifying unit and the processing policy.
  • the gateway device stores a corresponding relationship between the application identifier and an application, where the identifying unit is specifically configured to determine, according to the application identifier carried in the service packet and the corresponding relationship between the application identifier and the application that is stored in the gateway device, the application corresponding to the application identifier as the application to which the service packet belongs.
  • the service packet further carries a security check code, where the security check code is used to verify the location
  • the gateway device further stores the corresponding relationship between the application identifier, the application and the key
  • the identification unit is specifically configured to: determine the key according to the application identifier carried in the service packet and the correspondence between the application identifier and the key; generate a reference check code according to the key; and when the reference check code matches the security check code, determine the application corresponding to the application identifier as the application to which the service packet belongs.
  • the key is a temporary key generated by the key server for the application
  • the gateway device further includes a sending unit, configured to send a request message to the key server, where the request message is used to request the key server to generate the temporary key for the application, and a second receiving unit, configured to receive a response message sent by the key server, where the response message carries the temporary key.
  • the service packet further carries a version number of the application
  • the gateway device further stores the corresponding relationship between the application identifier, the version number, and the key
  • the identification unit is specifically configured to select, according to the application identifier and the version number carried in the service packet and the corresponding relationship between the application identifier, the version number, and the key, the key corresponding to the application identifier and the version number.
  • the identifying unit is specifically configured to generate the reference check code based on the MD5 according to the key.
  • the executing unit is specifically configured to perform charging according to the charging policy.
  • the fourth aspect provides an apparatus for processing a service packet, including: a first generating unit, configured to generate a service packet, where the service packet carries an application identifier, where the application identifier is used to indicate the application to which the service packet belongs; and a sending unit, configured to send the service packet generated by the first generating unit to the gateway device of the core network.
  • the service packet further includes a security check code, where the security check code is used to check security of the service packet
  • the device further includes: an obtaining unit, configured to acquire a key corresponding to the application; and a second generating unit, configured to generate the security check code according to the key.
  • the key is a temporary key generated by the key server for the application
  • the acquiring unit is specifically configured to send a request message to the key server, where the request message is used to request the key server to generate the temporary key for the application; and receive a response message sent by the key server, where the response message carries the temporary key.
  • the key is a built-in key of an application to which the service packet belongs, and the acquiring unit is specifically configured to extract the built-in key.
  • the service packet further carries a version number of an application that generates the service packet.
  • the second generating unit is specifically configured to generate the security check code according to the key and based on the message digest algorithm MD5.
  • the application identifier is carried in the service packet, and the application identifier is pre-stored in the gateway device, and the gateway device can identify the application according to the matching between the application identifier carried in the service packet and the application identifier stored in the gateway device, thereby improving the recognition rate of the gateway device to the application.
  • FIG. 1 is a schematic flowchart of a method for processing a service message according to an embodiment of the present invention.
  • FIG. 2 is a schematic flowchart of a method for processing a service message according to an embodiment of the present invention.
  • FIG. 3 is a diagram of a networking architecture according to an embodiment of the present invention.
  • FIG. 4 is a flow chart of a method for processing a service packet according to the network architecture of FIG. 3 according to an embodiment of the present invention.
  • FIG. 5 is a flowchart of a method for processing a service message according to an embodiment of the present invention.
  • FIG. 6 is a schematic block diagram of a gateway device according to an embodiment of the present invention.
  • FIG. 7 is a schematic block diagram of an apparatus for processing a service message according to an embodiment of the present invention.
  • FIG. 8 is a schematic block diagram of a gateway device according to an embodiment of the present invention.
  • FIG. 9 is a schematic block diagram of an apparatus for processing a service message according to an embodiment of the present invention.
  • Detailed description
  • an application identifier is added to a service packet, in order to solve the problem that the gateway device has a low recognition rate for the application of the service packet.
  • an application identifier corresponding to each application can be generated through cooperation between the OTT vendor and the operator of the mobile network, to identify the application.
  • the operator can store the application identifier of the contracted application in the gateway device.
  • the application identifier of the application may be added to the application.
  • the gateway device may extract the application identifier carried in the service packet and match the stored application identifier to achieve the purpose of identifying the application.
  • GSM Global System of Mobile communication
  • CDMA Code Division Multiple Access
  • WCDMA Wideband Code Division Multiple Access
  • GPRS General Packet Radio Service
  • LTE Long Term Evolution
  • LTE-A Advanced Long Term Evolution
  • UMTS Universal Mobile Telecommunication System, etc.
  • the UE User Equipment
  • the UE includes but is not limited to an MS (Mobile Station), a Mobile Terminal, a Mobile Telephone, and a handset.
  • the user equipment can communicate with one or more core networks via a RAN (Radio Access Network), for example, the user equipment can be a mobile phone (or "cellular" telephone), a computer with wireless communication function, etc.; the user equipment can also be a portable, pocket, handheld, computer built-in or vehicle-mounted mobile device.
  • FIG. 1 is a schematic flowchart of a method for processing a service message according to an embodiment of the present invention. The method can be performed by a gateway device of the core network, such as GGSN/PGW.
  • the method of Figure 1 includes:
  • the gateway device receives the service packet, where the service packet carries the application identifier, and the application identifier is used to indicate the application to which the service packet belongs.
  • the foregoing service packet may be generated by the UE or by an application on the UE (for example, may be a client of the application).
  • the UE or the application on the UE sends the packet to the SP Server (Service Provider Server) of the application through the foregoing gateway device.
  • SP Server Service Provider Server
  • the above service packet can also be generated by the SP Server.
  • the SP server sends a service packet to the UE through the gateway device.
  • the UE generates a service packet
  • the gateway device forwards the service packet to the SP server as an example.
  • the SP server generates a service packet, and the specific manner of sending the service packet to the gateway device corresponds to the UE side. To avoid repetition, it is not described in detail.
  • the application identifier may be an application ID specially established for identifying an application, and the application and the application ID are corresponding to each other, so that the gateway device can accurately identify the application according to the application ID.
  • the application ID can be established by means of negotiation between the mobile network operator and the OTT vendor. For example, a mobile network operator may require that an OTT vendor configure a dedicated application ID for each application and record the application ID on the gateway device before the application goes public.
  • the above application identifier may also use existing identification information as long as the identification information can accurately distinguish different applications.
  • the application name of each application, or the combination of the application name and the version number, etc.; this is not specifically limited in the embodiment of the present invention.
  • the operator of the mobile network can pre-record the identification information of each contracted application at the gateway device.
  • the identifier information may be embedded in the service packet for the gateway device to identify.
  • the gateway device identifies, according to the application identifier, an application to which the service packet belongs.
  • the step 120 may include: the gateway device extracting the application identifier from the service packet; and identifying the application according to the extracted application identifier.
  • the mobile network operator can agree in advance with the OTT vendor on the insertion location of the application identifier in the service packet. For example, it can be inserted into the URL of the HTTP request of the service packet, or at any other location agreed in advance.
  • after the gateway device receives the service packet, the application identifier can be extracted from the pre-agreed location. It should be understood that the foregoing pre-agreed manner is only an example. In practice, the gateway device can also use DPI to discover the application identifier, which is not specifically limited in the embodiment of the present invention. It should be noted that the gateway device may pre-store the application identifier of the subscription application, and then identify the application by matching the application identifier in the service packet with the stored application identifier.
  • the identification application in step 120 may be only a logical identification. For example, when the application identifier in the service packet matches an application identifier pre-stored by the gateway device, the gateway device can be considered to identify the application of the service packet.
  • the gateway device performs a processing policy on the service packet according to the correspondence between the pre-established application and the processing policy.
  • the foregoing processing policy may be an accounting policy of the application
  • the step 130 may include: charging the service packet according to the charging policy of the application.
  • the gateway device establishes a correspondence between the application and the charging policy.
  • the accounting is performed according to the charging policy corresponding to the application.
  • processing strategy may also be other control policies.
  • data services of different applications have different priorities, and different QoS, congestion control, or bandwidth control are performed according to priorities of different data services.
  • the application identifier is carried in the service packet, and the application identifier is used to identify the application to which the service packet belongs, and the gateway device can identify the application according to the application identifier, thereby improving the recognition rate of the gateway device to the application.
  • the gateway device stores the corresponding relationship between the application identifier and the application
  • the step 120 may include: determining, according to the application identifier carried in the service packet and the corresponding relationship between the application identifier and the application, the application corresponding to the application identifier as the application to which the service packet belongs.
  • the application identifier is carried in the service packet, and the application identifier is pre-stored in the gateway device, and the gateway device can identify the application according to the matching between the application identifier carried in the service packet and the application identifier stored in the gateway device, thereby improving the recognition rate of the gateway device to the application.
  • the gateway device may pre-establish a list of application identifiers of the subscription application.
  • the first three items in the list are "Application ID 1 - Application Name 1", "Application ID 2 - Application Name 2", and "Application ID 3 - Application Name 3"; the application identifier carried in the above service packet is application identifier 2. The gateway device finds that the second item in the application identifier list matches application identifier 2, and the application corresponding to application identifier 2 (that is, the application indicated by application name 2) is determined as the application to which the service packet belongs.
  • the gateway device uses DPI to detect the features in the packet and matches them against the features in the feature library to achieve the purpose of application identification.
  • such messages are easily forged and not safe enough. This will result in losses for operators and users.
  • the foregoing service packet carries a security check code, where the security check code is used to check the security of the service packet, and the gateway device further stores the correspondence between the application identifier, the application, and the key.
  • step 120 may include: determining a key according to the application identifier carried in the service packet and the correspondence between the application identifier and the key stored in the gateway device; generating a reference check code according to the key; and when the reference check code matches the security check code, determining the application corresponding to the application identifier as the application to which the service packet belongs.
  • the security check code is carried in the service packet, and the gateway device checks the service packet according to the security check code, thereby avoiding the forgery of the service packet and improving the security of the service transmission.
  • the foregoing security check code may be generated by an application in the UE based on a key corresponding to the application.
  • when the service packet is generated by a secure application, it can be ensured by means of pre-agreement or signaling that the key and the encryption method used by the UE side to generate the security check code are the same as the key and the encryption method used by the gateway device to generate the above-mentioned reference check code.
  • the UE and the gateway device side may agree in advance to generate the check code by using the same plaintext, key, and encryption manner, and the plaintext may be the name of the application, the URL of the application, or an arbitrary character string. Therefore, when the service packet is a secure service packet, the security check code is the same as the reference check code. When the service packet is a forged service packet, the forged packet cannot obtain the agreed plaintext or key, so the security check code is different from the above reference check code.
  • generating the reference check code according to the key may include: generating a reference check code according to the key and based on MD5 (Message Digest Algorithm 5). Because the string cannot be calculated in reverse from the check code obtained by MD5, this avoids the possibility of cracking the agreed string; and because Internet enterprises use MD5 in large quantities, the difficulty for the CP (Content Provider) and the SP (Service Provider) is very low in terms of technology and cost.
  • MD5 Message Digest Algorithm 5
  • the key is a temporary key generated by the pre-deployed key server for the application; before the key is determined according to the application identifier carried in the service packet and the correspondence between the application identifier and the key stored in the gateway device, the method of FIG. 1 may further include: sending a request message to the key server, where the request message is used to request the key server to generate a temporary key for the application; and receiving the response message sent by the key server, where the response message carries the temporary key.
  • the OTT vendor can modify the APP application and deploy the key server on the network side.
  • the UE may request the temporary key of the application from the key server; the gateway device side may periodically send a request message to the key server, requesting the application identifier and the temporary key of the subscription application on the gateway device; when the application to which the service packet belongs is one of the subscription applications, the request message is used to request the key server to generate a temporary key for the application.
  • the key server can also set the expiration time for the temporary key, and when the expiration time is reached, a re-request is required.
  • the above contract application may specifically refer to an application recorded in the GGSN/PGW.
  • when an application's service provider provides a free traffic packet for an application under the mobile network, it needs to sign up with the operator of the mobile network, so that the GGSN/PGW records the application and the correspondence between the application and the free traffic policy.
  • the application identifier may also be a temporary application identifier.
  • the key server may also generate a temporary application identifier.
  • the expiration time can also be set for the temporary application identifier.
  • an application identifier, a version number, and a key may be built in the application, where the service packet further carries an application version number, and the gateway device further stores an application identifier, a version number, and a key.
  • the foregoing determining the key according to the application identifier carried in the service packet and the corresponding relationship between the application identifier and the key stored in the gateway device may include: selecting, according to the application identifier and version number carried in the service packet and the corresponding relationship between the application identifier, the version number, and the key stored in the gateway device, a key corresponding to the application identifier and the version number.
  • when generating the service packet, the UE side extracts the application identifier, the version number, and the key built in the application from the application; the gateway device side may extract each application identifier, version number, and key from the subscription application, and establish a correspondence list.
  • with reference to FIG. 1, a method for processing a service message according to an embodiment of the present invention is described in detail from the perspective of a gateway device.
  • a method for processing a service packet according to an embodiment of the present invention will be described from the perspective of a user equipment in conjunction with FIG. 2.
  • FIG. 2 is a schematic flowchart of a method for processing a service message according to an embodiment of the present invention.
  • the method may be performed by a device that processes a service packet, for example, a UE or an application on a UE, or an SP Server.
  • the method of Figure 2 includes:
  • the sending of the service packet to the gateway device in step 220 may mean that the gateway device is the destination, or that the gateway device forwards the service packet to another destination.
  • the step 220 may include: the UE forwarding the service packet to the SP server of the application to which the service packet belongs by using the gateway device.
  • the step 220 may include: the SP server forwards the service packet to the UE through the gateway server.
  • the application identifier is carried in the service packet, and the application identifier is used to identify the application to which the service packet belongs, and the gateway device can identify the application according to the application identifier, thereby improving the recognition rate of the gateway device to the application.
  • the service packet further carries a security check code, where the security check code is used to check the security of the service packet.
  • the method in FIG. 2 may further include: obtaining a key corresponding to the application; and generating a security check code according to the key.
  • the key is a temporary key generated by the pre-deployed key server for the application
  • the obtaining the key corresponding to the application may include: sending a request message to the key server, where the request message is used to request the key server to generate a temporary key for the application; and receiving a response message sent by the key server, where the response message carries the temporary key.
  • the key is a built-in key of the application to which the service packet belongs
  • the obtaining the key corresponding to the application may include: extracting the built-in key from the application to which the service message belongs.
  • the service packet further carries a version number of the application that generates the service packet.
  • generating a security check code according to the key includes: generating a security check code according to the key and based on the MD5.
  • FIG. 3 is a diagram of a networking architecture according to an embodiment of the present invention.
  • the application identifier and the key of the application on the UE side are obtained from a public key server deployed by the OTT vendor on the network side; the correspondence between the application identifier and the key in the gateway device is also obtained from the key server.
  • the above-mentioned gateway device takes GGSN/PGW as an example, and the GGSN/PGW sets different charging policies for different applications, under the control of the PCRF (Policy and Charging Rules Function) entity and the OCS (Online Charging System).
  • PCRF Policy and Charging Rules Function
  • OCS Online Charging System
  • the service packet may access the core network through the RAN, for example, UMTS or LTE, and sequentially pass through the SGSN/SGW in the core network.
  • the RAN for example, UMTS or LTE
  • FIG. 4 is a flow chart of a method for processing a service packet according to the network architecture of FIG. 3 according to an embodiment of the present invention. The method may be performed by the UE or by an application on the UE.
  • the application is located on the UE, ensuring that the temporary key is obtained from the key server each time the UE runs the application or when the key fails.
  • the key server is pre-established, and the key server can be located on the network side, as shown in the key server in FIG.
  • the application sends a request message to the key server according to the domain name or IP address of the key server, and the exchange may be carried over HTTPS (Hypertext Transfer Protocol over Secure Socket Layer).
  • the request message may carry an application name or an application ID, so that the key server knows which application is requesting a temporary key and generates a temporary key corresponding to that application.
  • the request message may carry a username and a password required to log in to the key server, so that the key server performs authentication according to the username and password.
  • the GGSN/PGW forwards the application request.
  • the GGSN/PGW can configure a free-passing policy to ensure that the application of the UE can access the key server normally, and implement initial authentication and key application of the application.
  • the key server determines a temporary key of the application.
  • the key server may authenticate the application, and may specifically check the legitimacy and validity of the application.
  • the authentication mode of the application may be that the application is authenticated according to the agreed username and password. Specifically, the application carries the username and password in the request message, and the key server authenticates the security of the application according to the username and password.
  • the application identifier of the application may also be a temporary identifier provided by the key server.
  • the key server determines the temporary key of the application
  • the temporary identifier of the application is also determined.
  • the expiration time of the application ID and the temporary key can also be determined.
  • the key server sends a response message to the application, where the response message carries the authentication result and the temporary key.
  • the expiration time of the temporary application identifier and/or the temporary key may also be carried.
  • the GGSN/PGW configures the address of the key server.
  • the GGSN/PGW can periodically apply to the key server, at the configured key server address, for the application identifier and temporary key of each subscription application.
  • the GGSN/PGW sends a request message to the key server at the pre-configured key server address, requesting the application identifier and temporary key of the subscription application.
  • the message may carry the application name or application ID of the subscription application, so that the key server knows which applications need a temporary key and generates a corresponding temporary key for each subscription application.
  • the interface protocol type and request message format may be negotiated with the key server as a private, custom interface, for example by extending the RADIUS message.
  • the above subscription application may specifically refer to an application recorded in the GGSN/PGW.
  • when an application's service provider provides a free traffic package for the application on the mobile network, it needs to sign a contract with the operator of the mobile network, so that the GGSN/PGW records the application and the correspondence between the application and the free-traffic policy.
  • step 401, step 406 and step 407 are optional steps.
  • the GGSN/PGW may pre-configure the address of the key server, and periodically request the application identifier and temporary key of the subscription application from the key server.
  • the key server encapsulates the application identifier and the temporary key of the subscription application in a response message.
  • the key server replies with a response message, where the response message carries the application identifier and temporary key of each application.
  • the GGSN/PGW parses the response message content, and saves the application identifier and the temporary key in the response message.
  • the application generates a security check code according to an agreed encryption algorithm based on the temporary key.
  • the algorithm can use the MD5 algorithm.
  • the application and the gateway device may pre-define the character string for the encryption, for example, the name of the application, the URL of the application server, and the like, which are not specifically limited in the embodiment of the present invention.
  • the application identifier and the security check code are added to the service packet.
  • the string of the agreed format is inserted in the service message.
  • the string of the agreed format may include an application identifier and a security check code, and may also include a source string agreed by OTT and GGSN/PGW.
  • APP ID represents the application identifier
  • the APP name is the source string
  • md5(APP name) is the security check code calculated from the source string and the key through the MD5 algorithm. The string in the agreed format is inserted at the agreed location, for example after the URL of the HTTP request.
  • the GGSN/PGW detects the received service packet to identify the application to which the service packet belongs.
  • the GGSN/PGW obtains a string from the agreed location and confirms that the string conforms to the agreed format. Specifically, when the APP ID+APP name+md5(APP name) format is adopted and the string matches it, the APP ID (application identifier), the APP name (source string), and the MD5 value computed over the APP name, that is, the security check code, are extracted from it.
  • the GGSN/PGW finds the pre-stored key corresponding to the APP ID according to the APP ID in the message. The benchmark check code is then calculated by the MD5 algorithm from the APP name and the key.
  • the verification succeeds, and the application corresponding to the application identifier stored in advance is determined as the application to which the service packet belongs. Then, matching is performed based on the charging and control policies bound by the user, and the charging and control manner of the service data flow of the application is determined.
  • the application re-initiates the authentication request and the key application process after the key is invalid, that is, steps 402 to 405, to update the temporary key.
  • the GGSN/PGW reacquires the application identifier and the temporary key of different types of applications.
  • step 414 and step 415 are optional steps: when the key server has preset the expiration time of the application identifier and/or the temporary key, these two steps can be performed. Otherwise, step 414 and step 415 may be omitted.
  • the application identification is carried in the service packet and matched with the application identifier stored in advance by the gateway device, thereby improving the recognition rate of the application.
  • a key server is established on the network side, and the UE and the gateway device obtain the temporary key through the key server, and use the temporary key to complete the verification of the security of the service packet, thereby improving the security of the service transmission.
  • FIG. 5 is a flowchart of a method for processing a service message according to an embodiment of the present invention.
  • the keys are fixedly allocated based on the version of the application.
  • the application service carries the application identifier, application version number, and security check code.
  • the method of Figure 5 may be performed by a UE or by an application on the UE. The specific process is as follows:
  • the GGSN/PGW configures an application identifier, a version number, and a corresponding key.
  • the application ID, version number, and corresponding key of the application are >3 ⁇ 4.
  • steps 510 and 520 can be accomplished in a pre-configured manner.
  • the application generates a security check code according to an agreed encryption algorithm based on the built-in key.
  • the application inserts a string of the agreed format in the agreed position of the service message.
  • the following format can be used: APP ID+APP version+APP name+md5(APP name).
  • the application version number is added, that is, APP version.
  • the GGSN/PGW detects the packet to identify the application to which the service packet belongs.
  • the character string may be obtained from the agreed location to confirm whether the string conforms to the agreed message format, such as the following format: APP ID+APP version +APP name+md5(APP name). If the agreed format is met, the APP ID, APP version, APP name, and the APP name calculated by MD5 are obtained, that is, the security check code.
  • the GGSN/PGW finds a pre-stored key corresponding to the APP ID and the APP version according to the APP ID and the APP version in the message. Then, the benchmark check code is calculated by the MD5 algorithm from the APP name and the key. If the benchmark check code is the same as the security check code in the service packet, the verification succeeds. After the verification succeeds, matching is performed based on the charging and control policies bound by the user, and the charging and control manner for the application's service data flow is determined.
  • the UE may download the upgrade package of the application from the SP server.
  • the upgrade package carries a new key corresponding to the new version of the application, and the old key is replaced with the new key.
  • the GGSN/PGW establishes an application identifier, an application version number, and a key correspondence relationship for the updated application or the newly added application.
  • Step 570 can be implemented in various manners: for example, it can be configured manually, or the SP Server can report the application identifier, application version number, and key of the added or updated application to the GGSN/PGW, so that the GGSN/PGW updates a list indicating the above correspondence.
  • the application identification is carried in the service packet and matched with the application identifier stored in advance by the gateway device, thereby improving the recognition rate of the application.
  • the application identifier, the version number, and the key of the application are built into each application, and the application on the UE and the gateway device complete the verification of the security of the service packet through the built-in key, thereby improving the security of service transmission.
  • FIG. 6 is a schematic block diagram of a gateway device according to an embodiment of the present invention.
  • the gateway device 600 of FIG. 6 includes: a first receiving unit 610, an identifying unit 620, and an executing unit 630.
  • the first receiving unit 610 is configured to receive a service packet, where the service packet carries an application identifier, and the application identifier is used to indicate an application to which the service belongs.
  • the identifying unit 620 is configured to identify, according to the application identifier carried in the service packet received by the first receiving unit 610, an application to which the service belongs;
  • the executing unit 630 is configured to perform a processing policy on the service packet according to the correspondence between the application and the processing policy identified by the pre-established identification unit 620.
  • the application identifier is carried in the service packet, and the application identifier is pre-stored in the gateway device, so the gateway device can identify the application by matching the application identifier carried in the service packet against the application identifier stored in the gateway device, thereby improving the recognition rate of the gateway device for the application.
  • the gateway device 600 stores the corresponding relationship between the application identifier and the application
  • the identifying unit 620 is specifically configured to determine, according to the application identifier carried in the service packet and the correspondence between the application identifier and the application stored in the gateway device, the application corresponding to the application identifier as the application to which the service packet belongs.
  • the service packet further carries a security check code, and the security check code is used to verify the security of the service packet.
  • the gateway device 600 also stores the correspondence between the application identifier, the application, and the key.
  • the identifying unit 620 is specifically configured to determine the key according to the application identifier carried in the service packet and the correspondence between the application identifier and the key stored in the gateway device; generate a benchmark check code according to the key; and, when the benchmark check code matches the security check code, determine the application corresponding to the application identifier as the application to which the service packet belongs.
  • the key is a temporary key generated by the key server for the application
  • the gateway device 600 further includes: a sending unit, configured to send a request message to the key server, where the request message is used to request the key server to generate a temporary key for the application stored by the gateway device.
  • the second receiving unit is configured to receive a response message sent by the key server, where the response message carries the temporary key.
  • the service packet further carries the version number of the application
  • the gateway device 600 further stores the correspondence between the application identifier, the version number, and the key
  • the identifying unit 620 is specifically configured to select, according to the application identifier and the version number carried in the service packet and the correspondence between the application identifier, the version number, and the key, the key corresponding to the application identifier and the version number.
  • the identifying unit 620 is specifically configured to generate a reference check code based on the MD5 according to the key.
  • the executing unit 630 is specifically configured to charge the service packet according to the charging policy.
  • FIG. 7 is a schematic block diagram of an apparatus for processing a service message according to an embodiment of the present invention.
  • the apparatus 700 for processing service messages of FIG. 7 may be a UE or an SP server.
  • the apparatus 700 includes: a first generating unit 710 and a transmitting unit 720.
  • the first generating unit 710 is configured to generate a service packet, where the service packet carries an application identifier, and the application identifier is used to indicate an application to which the service belongs.
  • the sending unit 720 is configured to send the service packet generated by the first generating unit 710 to the gateway device of the core network.
  • the application identifier is carried in the service packet, and the application identifier is pre-stored in the gateway device, so the gateway device can identify the application by matching the application identifier carried in the service packet against the application identifier stored in the gateway device, thereby improving the recognition rate of the gateway device for the application.
  • the service packet further carries a security check code, where the security check code is used to check the security of the service packet
  • the device 700 further includes: an obtaining unit 730, configured to acquire the key corresponding to the application; and a second generating unit 740, configured to generate a security check code according to the key.
  • the key is a temporary key generated by the key server for the application.
  • the obtaining unit 730 is specifically configured to send a request message to the key server, where the request message is used to request the key server to generate a temporary key for the application; and receive the response message sent by the key server, where the response message carries the temporary key.
  • the key is a built-in key of the application to which the service belongs, and the obtaining unit 730 is specifically configured to extract the built-in key.
  • the service packet further carries a version number of the application that generates the service packet.
  • the second generating unit 740 is specifically configured to generate a security check code according to the key and based on the MD5.
  • FIG. 8 is a schematic block diagram of a gateway device according to an embodiment of the present invention.
  • the gateway device 800 of FIG. 8 includes: a receiver 810 and a processor 820.
  • the receiver 810 is configured to receive a service packet, where the service packet carries an application identifier, and the application identifier is used to indicate an application to which the service packet belongs.
  • the processor 820 is configured to: according to the application identifier carried in the service packet received by the receiver 810, identify an application to which the service belongs; and perform a processing policy on the service packet according to the correspondence between the pre-established application and the processing policy.
  • the application identifier is carried in the service packet, and the application identifier is pre-stored in the gateway device, so the gateway device can identify the application by matching the application identifier carried in the service packet against the application identifier stored in the gateway device, thereby improving the recognition rate of the gateway device for the application.
  • the gateway device 800 stores the corresponding relationship between the application identifier and the application
  • the processor 820 is specifically configured to determine, according to the application identifier carried in the service packet and the correspondence between the application identifier and the application, the application corresponding to the application identifier as the application to which the service packet belongs.
  • the service packet further carries a security check code, where the security check code is used to check the security of the service packet
  • the gateway device 800 further stores the correspondence between the application identifier, the application, and the key.
  • the processor 820 is specifically configured to determine a key according to the application identifier carried in the service packet and the correspondence between the application identifier and the key; generate a reference check code according to the key; and, when the reference check code matches the security check code, determine the application corresponding to the application identifier as the application to which the service packet belongs.
  • the key is a temporary key generated by the key server for the application
  • the gateway device 800 further includes: a sender, configured to send a request message to the key server, where the request message is used to request the key server to generate a temporary key for the application stored by the gateway device; the receiver 810 is also used to receive a response message sent by the key server, where the response message carries the temporary key.
  • the service packet further carries a version number of the application
  • the gateway device 800 further stores a correspondence between the application identifier, the version number, and the key
  • the processor 820 is specifically configured to select, according to the application identifier and the version number carried in the service packet and the correspondence between the application identifier, the version number, and the key, the key corresponding to the application identifier and the version number.
  • the processor 820 is specifically configured to generate a reference check code based on the MD5 according to the key.
  • the processor 820 is specifically configured to perform charging according to a charging policy.
  • FIG. 9 is a schematic block diagram of an apparatus for processing a service message according to an embodiment of the present invention.
  • the apparatus 900 of Figure 9 may be a UE or an SP Server.
  • the apparatus 900 includes a processor 910 and a transmitter 920.
  • the processor 910 is configured to generate a service packet, where the service packet carries an application identifier, where the application identifier is used to indicate an application to which the service packet belongs;
  • the transmitter 920 is configured to send the service packet generated by the processor 910 to the gateway device of the core network.
  • the application identifier is carried in the service packet, and the application identifier is pre-stored in the gateway device, so the gateway device can identify the application by matching the application identifier carried in the service packet against the application identifier stored in the gateway device, thereby improving the recognition rate of the gateway device for the application.
  • the service packet further carries a security check code, where the security check code is used to check the security of the service packet, and the processor 910 is further configured to obtain a key corresponding to the application; The key generates a security check code.
  • the key is a temporary key generated by the key server for the application
  • the processor 910 is specifically configured to send a request message to the key server, where the request message is used to request the key server to generate a temporary key for the application; and receive the response message sent by the key server, where the response message carries the temporary key.
  • the key is a built-in key of the application to which the service packet belongs, and the processor 910 is specifically configured to extract the built-in key.
  • the service packet further carries a version number of the application that generates the service packet.
  • the processor 910 is specifically configured to generate the security check code based on MD5.
  • Those of ordinary skill in the art will appreciate that the elements and algorithm steps of the various examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the solution. A person skilled in the art can use different methods to implement the described functions for each particular application, but such implementation should not be considered to be beyond the scope of the present invention.
  • the disclosed systems, devices, and methods may be implemented in other ways.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be another division manner; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be electrical, mechanical or otherwise.
  • the units described as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solution of the embodiment.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the functions may be stored in a computer readable storage medium if implemented in the form of a software functional unit and sold or used as a standalone product.
  • the technical solution of the present invention in essence, or the part contributing to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including instructions used to cause a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present invention.
  • the foregoing storage medium includes: a U disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk, and other media that can store program code.
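The check-code exchange described above, in both the temporary-key form (APP ID+APP name+md5(APP name)) and the versioned built-in-key form (APP ID+APP version+APP name+md5(APP name)), is shown end to end below as an added example; it is not code from the patent. The `|` field delimiter, the `;appsig=` marker after the request URL, the concatenation of source string and key before hashing, and every sample identifier, key and policy name are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SEP = "|"            # assumed field delimiter; the page does not define one
MARKER = ";appsig="  # assumed marker for "after the URL of the HTTP request"


def check_code(source: str, key: bytes) -> str:
    """MD5 over source string and key; plain concatenation is an assumption."""
    return hashlib.md5(source.encode("utf-8") + key).hexdigest()


def build_tag(app_id: str, source: str, key: bytes,
              version: Optional[str] = None) -> str:
    """UE side: APP ID [+ APP version] + APP name + md5(APP name)."""
    fields = [app_id] + ([version] if version is not None else []) + [source]
    for field in fields:
        if not field or SEP in field or " " in field or MARKER in field:
            raise ValueError("field is empty or contains a reserved character")
    return SEP.join(fields + [check_code(source, key)])


def tag_request(method: str, url: str, tag: str) -> str:
    """Insert the agreed-format string after the URL of the HTTP request."""
    return f"{method} {url}{MARKER}{tag} HTTP/1.1"


def extract_tag(request_line: str) -> Optional[str]:
    """Gateway side: pull the string from the agreed location, if present."""
    parts = request_line.split(" ")
    if len(parts) != 3 or MARKER not in parts[1]:
        return None
    return parts[1].rsplit(MARKER, 1)[1]


@dataclass
class KeyEntry:
    application: str                    # application the identifier maps to
    key: bytes                          # temporary or built-in key
    policy: str                         # processing policy bound to the app
    expires_at: Optional[float] = None  # set for temporary keys only


class Gateway:
    """Holds the (application identifier, version) -> key correspondence."""
    def __init__(self) -> None:
        self.table: Dict[Tuple[str, Optional[str]], KeyEntry] = {}

    def store(self, app_id: str, version: Optional[str], entry: KeyEntry) -> None:
        self.table[(app_id, version)] = entry

    def identify(self, request_line: str, now: float) -> Optional[Tuple[str, str]]:
        """Return (application, policy) if the check code verifies, else None."""
        tag = extract_tag(request_line)
        if tag is None:
            return None
        fields = tag.split(SEP)
        if len(fields) not in (3, 4):
            return None                 # not the agreed format
        app_id, source, code = fields[0], fields[-2], fields[-1]
        version = fields[1] if len(fields) == 4 else None  # versioned format
        entry = self.table.get((app_id, version))
        if entry is None:
            return None                 # unknown identifier or version
        if entry.expires_at is not None and now >= entry.expires_at:
            return None                 # temporary key has expired
        benchmark = check_code(source, entry.key)
        # Constant-time comparison of benchmark and received check code.
        if not hmac.compare_digest(benchmark.encode(), code.encode()):
            return None
        return entry.application, entry.policy


def demo() -> Dict[str, Optional[Tuple[str, str]]]:
    """Constructed sample data: two applications, one per key scheme."""
    gw = Gateway()
    gw.store("A1", None, KeyEntry("ExampleShop", b"temp-key-01", "free-traffic", 1000.0))
    gw.store("A2", "2.0", KeyEntry("ExampleChat", b"builtin-v2", "chat-bundle"))
    good = tag_request("GET", "/item?id=7", build_tag("A1", "ExampleShop", b"temp-key-01"))
    forged = tag_request("GET", "/item?id=7", build_tag("A1", "ExampleShop", b"guess"))
    v2 = tag_request("GET", "/msg", build_tag("A2", "ExampleChat", b"builtin-v2", "2.0"))
    v1 = tag_request("GET", "/msg", build_tag("A2", "ExampleChat", b"builtin-v1", "1.0"))
    return {
        "temporary key, valid": gw.identify(good, now=500.0),
        "temporary key, expired": gw.identify(good, now=1000.0),
        "wrong key": gw.identify(forged, now=500.0),
        "version 2.0": gw.identify(v2, now=500.0),
        "unknown version 1.0": gw.identify(v1, now=500.0),
        "untagged request": gw.identify("GET /item?id=7 HTTP/1.1", now=500.0),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Because the check code is computed only over the source string and the key, it stays the same for every packet until the key changes; the expiry check is what bounds the lifetime of a temporary key.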

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the present invention provide a method for processing a service packet, a user equipment, and a gateway device. The method comprises: a gateway device receiving a service packet, the service packet carrying an application identification, and the application identification being used for indicating an application to which the service packet belongs; the gateway device identifying the application to which the service packet belongs according to the application identification; and the gateway device executing a processing policy on the service packet according to a pre-established correspondence between the application and the processing policy. In the embodiments of the present invention, by carrying an application identification in a service packet and pre-storing the application identification in a gateway device, the gateway device can identify an application according to matching between the application identification carried in the service packet and the application identification stored in the gateway device, thereby improving the rate of identifying the application by the gateway device.

Description

处理业务_¾文的方法、 装置和网关设备 技术领域  Method, device and gateway device for processing business _3⁄4 text
本发明实施例涉及无线通信领域, 并且更具体地, 涉及一种处理业务才艮 文的方法、 装置和网关设备。 背景技术  Embodiments of the present invention relate to the field of wireless communications, and, more particularly, to a method, apparatus, and gateway device for processing a service profile. Background technique
随着智能终端的普及, 应用 (APP ) 的使用越来越广泛。 现有的应用多 种多样, 主要由各自的 OTT (顶端之上, Over The Top )厂商进行维护和管 理。  With the popularity of smart terminals, the use of applications (APP) is becoming more widespread. There are many different applications, mainly maintained and managed by their respective OTT (Over The Top) vendors.
目前, 移动网络的运营商与 OTT厂商之间的合作越来越广泛。 例如, 阿里巴巴为使用其旗下淘宝、 天猫等应用的用户提供免费的流量包; 广州联 通、 电信齐推出微信流量包等。  Currently, cooperation between mobile network operators and OTT vendors is becoming more widespread. For example, Alibaba provides free traffic packets for users who use its Taobao, Tmall and other applications; Guangzhou Unicom and Telecom have launched WeChat traffic packages.
在使用移动网络的情况下,移动网络中核心网的网关设备需要识别出业 务报文所属应用, 才能针对不同的应用使用不同的处理策略(如计费策略和 QoS策略等)。  In the case of using a mobile network, the gateway device of the core network in the mobile network needs to identify the application to which the service message belongs, so that different processing policies (such as charging policy and QoS policy) can be used for different applications.
在现有技术中, 运营商通常利用 DPI (深度报文检测, Deep Packet Inspection )来识别业务报文所属应用的应用类型。但是,基于 DPI的识别方 式需要在核心网的网关设备处建立特征库。 由于应用的更新比较频繁, 该特 征库的更新往往跟不上应用的更新速度, 识别率较低。 发明内容  In the prior art, the operator usually uses DPI (Deep Packet Inspection) to identify the application type of the application to which the service message belongs. However, DPI-based identification requires the creation of a signature library at the gateway device of the core network. Due to the frequent update of the application, the update of the feature library often cannot keep up with the update speed of the application, and the recognition rate is low. Summary of the invention
本发明实施例提供一种处理业务报文的方法、 装置和网关设备, 以提高 网关设备对业务报文所属应用的识别率。  The embodiment of the invention provides a method, a device and a gateway device for processing a service packet, so as to improve the recognition rate of the application of the service packet by the gateway device.
第一方面, 提供一种处理业务报文的方法, 包括: 网关设备接收业务报 文, 所述业务"¾文中携带应用标识, 所述应用标识用于指示所述业务 文所 属的应用;所述网关设备根据所述应用标识,识别所述业务报文所属的应用; 所述网关设备根据预先建立的所述应用与处理策略的对应关系对所述业务 报文执行所述处理策略。  The first aspect provides a method for processing a service packet, where: the gateway device receives a service packet, where the service carries an application identifier, where the application identifier is used to indicate an application to which the service text belongs; The gateway device identifies the application to which the service packet belongs according to the application identifier. The gateway device performs the processing policy on the service packet according to the corresponding relationship between the application and the processing policy.
结合第一方面, 在第一方面的一种实现方式中, 所述网关设备存储有所 述应用标识与应用的对应关系,所述根据所述应用标识识别所述应用,包括: 根据所述业务 文中携带的所述应用标识, 以及所述应用标识与应用的对应 关系, 将所述应用标识对应的应用确定为所述业务报文所属的应用。 With reference to the first aspect, in an implementation manner of the first aspect, the gateway device stores a corresponding relationship between the application identifier and an application, and the identifying the application according to the application identifier includes: And determining, according to the application identifier carried in the service text, and the corresponding relationship between the application identifier and the application, the application corresponding to the application identifier is determined as an application to which the service packet belongs.
With reference to the first aspect or any one of its foregoing implementations, in another implementation of the first aspect, the service packet further carries a security check code, the security check code is used to verify the security of the service packet, and the gateway device further stores a correspondence among the application identifier, the application and a key. Identifying the application according to the application identifier then includes: determining the key according to the application identifier carried in the service packet and the correspondence between the application identifier and the key; generating a reference check code according to the key; and, when the reference check code matches the security check code, determining the application corresponding to the application identifier as the application to which the service packet belongs.
With reference to the first aspect or any one of its foregoing implementations, in another implementation of the first aspect, the key is a temporary key generated by a key server for the application. Before the key is determined according to the application identifier carried in the service packet and the correspondence between the application identifier and the key, the method further includes: sending a request message to the key server, where the request message is used to request the key server to generate the temporary key for the application; and receiving a response message sent by the key server, where the response message carries the temporary key.
With reference to the first aspect or any one of its foregoing implementations, in another implementation of the first aspect, the service packet further carries a version number of the application, and the gateway device further stores a correspondence among the application identifier, the version number and the key. Determining the key according to the application identifier carried in the service packet and the correspondence between the application identifier and the key includes: selecting, according to the application identifier and the version number carried in the service packet and the correspondence among the application identifier, the version number and the key, the key that corresponds to the application identifier and the version number.
With reference to the first aspect or any one of its foregoing implementations, in another implementation of the first aspect, generating the reference check code according to the key includes: generating the reference check code from the key, based on MD5.
With reference to the first aspect or any one of its foregoing implementations, in another implementation of the first aspect, the processing policy is a charging policy of the application, and executing the processing policy on the service packet according to the pre-established correspondence between the application and the processing policy includes: charging for the service packet according to the charging policy.
According to a second aspect, a method for processing a service packet is provided, including: generating a service packet, where the service packet carries an application identifier and the application identifier is used to indicate the application to which the service packet belongs; and sending the service packet to a gateway device of a core network.
With reference to the second aspect, in one implementation of the second aspect, the service packet further carries a security check code, and the security check code is used to verify the security of the service packet. Before the service packet is generated, the method further includes: acquiring a key corresponding to the application; and generating the security check code according to the key.
With reference to the second aspect or any one of its foregoing implementations, in another implementation of the second aspect, the key is a temporary key generated by a key server for the application, and acquiring the key corresponding to the application includes: sending a request message to the key server, where the request message is used to request the key server to generate the temporary key for the application; and receiving a response message sent by the key server, where the response message carries the temporary key.
With reference to the second aspect or any one of its foregoing implementations, in another implementation of the second aspect, the key is a built-in key of the application to which the service packet belongs, and acquiring the key corresponding to the application includes: extracting the built-in key.
With reference to the second aspect or any one of its foregoing implementations, in another implementation of the second aspect, the service packet further carries a version number of the application that generates the service packet.
With reference to the second aspect or any one of its foregoing implementations, in another implementation of the second aspect, generating the security check code according to the key includes: generating the security check code from the key, based on MD5.
According to a third aspect, a gateway device is provided, including: a first receiving unit, configured to receive a service packet, where the service packet carries an application identifier and the application identifier is used to indicate the application to which the service packet belongs; an identification unit, configured to identify, according to the application identifier carried in the service packet received by the first receiving unit, the application to which the service packet belongs; and an execution unit, configured to execute a processing policy on the service packet according to a pre-established correspondence between the application identified by the identification unit and the processing policy.
With reference to the third aspect, in one implementation of the third aspect, the gateway device stores a correspondence between the application identifier and the application, and the identification unit is specifically configured to determine, according to the application identifier carried in the service packet, the application identifier stored in the gateway device, and the correspondence between the application identifier and the application, the application corresponding to the application identifier as the application to which the service packet belongs.
With reference to the third aspect or any one of its foregoing implementations, in another implementation of the third aspect, the service packet further carries a security check code, the security check code is used to verify the security of the service packet, and the gateway device further stores a correspondence among the application identifier, the application and a key. The identification unit is specifically configured to: determine the key according to the application identifier carried in the service packet and the correspondence between the application identifier and the key; generate a reference check code according to the key; and, when the reference check code matches the security check code, determine the application corresponding to the application identifier as the application to which the service packet belongs.
With reference to the third aspect or any one of its foregoing implementations, in another implementation of the third aspect, the key is a temporary key generated by a key server for the application, and the gateway device further includes: a sending unit, configured to send a request message to the key server, where the request message is used to request the key server to generate the temporary key for the application; and a second receiving unit, configured to receive a response message sent by the key server, where the response message carries the temporary key.
With reference to the third aspect or any one of its foregoing implementations, in another implementation of the third aspect, the service packet further carries a version number of the application, and the gateway device further stores a correspondence among the application identifier, the version number and the key. The identification unit is specifically configured to select, according to the application identifier and the version number carried in the service packet and the correspondence among the application identifier, the version number and the key, the key that corresponds to the application identifier and the version number.
With reference to the third aspect or any one of its foregoing implementations, in another implementation of the third aspect, the identification unit is specifically configured to generate the reference check code from the key, based on MD5.
With reference to the third aspect or any one of its foregoing implementations, in another implementation of the third aspect, the execution unit is specifically configured to charge for the service packet according to the charging policy.
According to a fourth aspect, an apparatus for processing a service packet is provided, including: a first generating unit, configured to generate a service packet, where the service packet carries an application identifier and the application identifier is used to indicate the application to which the service packet belongs; and a sending unit, configured to send the service packet generated by the first generating unit to a gateway device of a core network.
With reference to the fourth aspect, in one implementation of the fourth aspect, the service packet further carries a security check code, and the security check code is used to verify the security of the service packet. The apparatus further includes: an acquiring unit, configured to acquire a key corresponding to the application; and a second generating unit, configured to generate the security check code according to the key.
With reference to the fourth aspect or any one of its foregoing implementations, in another implementation of the fourth aspect, the key is a temporary key generated by a key server for the application, and the acquiring unit is specifically configured to: send a request message to the key server, where the request message is used to request the key server to generate the temporary key for the application; and receive a response message sent by the key server, where the response message carries the temporary key.
With reference to the fourth aspect or any one of its foregoing implementations, in another implementation of the fourth aspect, the key is a built-in key of the application to which the service packet belongs, and the acquiring unit is specifically configured to extract the built-in key.
With reference to the fourth aspect or any one of its foregoing implementations, in another implementation of the fourth aspect, the service packet further carries a version number of the application that generates the service packet.
With reference to the fourth aspect or any one of its foregoing implementations, in another implementation of the fourth aspect, the second generating unit is specifically configured to generate the security check code from the key, based on the message digest algorithm MD5.
In the embodiments of the present invention, the service packet carries an application identifier and the gateway device stores that application identifier in advance, so the gateway device can identify the application by matching the application identifier carried in the service packet against the application identifiers stored in the gateway device, which improves the rate at which the gateway device identifies applications.
Brief description of the drawings
To describe the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic flowchart of a method for processing a service packet according to an embodiment of the present invention.
FIG. 2 is a schematic flowchart of a method for processing a service packet according to an embodiment of the present invention.
FIG. 3 is a diagram of a networking architecture according to an embodiment of the present invention.
FIG. 4 is a flowchart of a method for processing a service packet, according to an embodiment of the present invention, under the networking architecture of FIG. 3.
FIG. 5 is a flowchart of a method for processing a service packet according to an embodiment of the present invention.
FIG. 6 is a schematic block diagram of a gateway device according to an embodiment of the present invention.
FIG. 7 is a schematic block diagram of an apparatus for processing a service packet according to an embodiment of the present invention.
FIG. 8 is a schematic block diagram of a gateway device according to an embodiment of the present invention.
FIG. 9 is a schematic block diagram of an apparatus for processing a service packet according to an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort shall fall within the protection scope of the present invention.
To solve the prior-art problem that a gateway device has a low rate of identifying the application to which a service packet belongs, the embodiments of the present invention add an application identifier to the service packet. Through cooperation between OTT vendors and the operator of the mobile network, a corresponding application identifier can be generated for each application to identify that application. The operator can store the application identifiers of contracted applications in the gateway device. When an application generates a service packet, it can add its application identifier to the packet. When the service packet passes through the gateway device, the gateway device can extract the application identifier carried in the service packet and match it against the stored application identifiers, thereby identifying the application.
It should be understood that the technical solutions of the present invention can be applied to various communication systems, for example: a GSM (Global System of Mobile communication) system, a CDMA (Code Division Multiple Access) system, a WCDMA (Wideband Code Division Multiple Access) system, GPRS (General Packet Radio Service), an LTE (Long Term Evolution) system, an LTE-A (Advanced long term evolution) system, UMTS (Universal Mobile Telecommunication System), and so on.
It should also be understood that, in the embodiments of the present invention, a UE (User Equipment) includes but is not limited to an MS (Mobile Station), a mobile terminal, a mobile telephone, a handset, portable equipment and the like. The user equipment can communicate with one or more core networks through a RAN (Radio Access Network). For example, the user equipment may be a mobile phone (also called a "cellular" phone) or a computer with a wireless communication function; the user equipment may also be a portable, pocket-sized, handheld, computer-built-in or vehicle-mounted mobile device.
It should be understood that the gateway device depends on the type of mobile network used by the terminal. For example, it may be a GGSN (Gateway GPRS Support Node) in a GPRS network, a PGW (Packet Data Network Gateway) in LTE, or a PDSN (Packet Data Serving Node) in CDMA 2000; the embodiments of the present invention do not specifically limit this.
FIG. 1 is a schematic flowchart of a method for processing a service packet according to an embodiment of the present invention. The method can be performed by a gateway device of the core network, for example a GGSN/PGW. The method of FIG. 1 includes:
110. The gateway device receives a service packet, where the service packet carries an application identifier and the application identifier is used to indicate the application to which the service packet belongs.
The service packet may be generated by the UE or by an application on the UE (for example, the client of the application). The UE or the application on the UE sends the packet through the gateway device to the SP Server (Service Provider Server) of the application.
The service packet may also be generated by the SP Server. For example, the SP Server sends a service packet to the UE through the gateway device. The embodiments of the present invention use the case in which the UE generates the service packet and the gateway device forwards it to the SP Server as the example. The specific way in which the SP Server generates a service packet and sends it to the gateway device corresponds to the UE side and, to avoid repetition, is not described in detail.
The application identifier may be an application ID established specifically for identifying the application, with a one-to-one correspondence between applications and application IDs, so that the gateway device can accurately identify the application according to the application ID. Specifically, the application ID can be established through negotiation between the mobile network operator and the OTT vendor. For example, the mobile network operator may require that, before an application is released, the OTT vendor configure a dedicated application ID for each application and that the application ID be recorded in the gateway device.
The application identifier may also use existing identification information, as long as that information can accurately distinguish different applications, for example the application name of each application, or a combination of application name and version number; the embodiments of the present invention do not specifically limit this. The operator of the mobile network can record the identification information of each contracted application in the gateway device in advance. When an application on the UE generates a service packet, it can embed the identification information in the service packet so that the gateway device can identify it.
120. The gateway device identifies, according to the application identifier, the application to which the service packet belongs.
It should be understood that step 120 may include: the gateway device extracts the application identifier from the service packet, and identifies the application according to the extracted application identifier.
The mobile network operator and the OTT vendor can agree in advance on the position at which the application identifier is inserted in the service packet. For example, it can be inserted after the URL of the HTTP request of the service packet, or at any other pre-agreed position. After receiving the service packet, the gateway device extracts the application identifier from the pre-agreed position. It should be understood that this pre-agreed approach is only an example; in practice, the gateway device can also use DPI to discover the application identifier itself, and the embodiments of the present invention do not specifically limit this.
It should be noted that the gateway device can store the application identifiers of contracted applications in advance and then identify the application by matching the application identifier in the service packet against the stored application identifiers.
It should be noted that identifying the application in step 120 may be identification in a purely logical sense. For example, when the application identifier in the service packet matches an application identifier stored in advance by the gateway device, the gateway device can be considered to have identified the application to which the service packet belongs.
130. The gateway device executes a processing policy on the service packet according to a pre-established correspondence between the application and the processing policy.
Optionally, the processing policy may be a charging policy of the application, and step 130 may include: charging for the service packet according to the charging policy of the application.
For example, the traffic generated by different applications is charged under different charging policies. A correspondence between applications and charging policies is established in the gateway device; once the application is identified, charging is performed according to the charging policy corresponding to that application.
Of course, the processing policy may also be another control policy. For example, the data services of different applications have different priorities, and different QoS, congestion control or bandwidth control is applied according to the priority of each data service.
In the embodiments of the present invention, the service packet carries an application identifier. Because the application identifier identifies the application to which the service packet belongs, the gateway device can identify the application according to the application identifier, which improves the rate at which the gateway device identifies applications.
Optionally, as one embodiment, the gateway device stores a correspondence between the application identifier and the application, and step 120 may include: determining, according to the application identifier carried in the service packet and the correspondence between the application identifier and the application, the application corresponding to the application identifier as the application to which the service packet belongs.
In the embodiments of the present invention, the service packet carries an application identifier and the gateway device stores that application identifier in advance, so the gateway device can identify the application by matching the application identifier carried in the service packet against the application identifiers stored in the gateway device, which improves the rate at which the gateway device identifies applications.
Specifically, the gateway device can establish a list of application identifiers of contracted applications in advance. For example, the first three entries of the list are "application identifier 1 - application name 1", "application identifier 2 - application name 2" and "application identifier 3 - application name 3", and the application identifier carried in the service packet is application identifier 2. By searching the list, the gateway device finds that the second entry matches application identifier 2, and therefore determines the application corresponding to application identifier 2 (that is, the application indicated by application name 2) as the application to which the service packet belongs.
In the prior art, the gateway device uses DPI to detect features in a packet and matches them against the features in a feature library in order to identify the application. However, such packets are easily forged and are not secure enough, which causes losses for operators and users.
Optionally, as another embodiment, the service packet further carries a security check code, the security check code is used to verify the security of the service packet, and the gateway device further stores a correspondence among the application identifier, the application and a key. Step 120 may include: determining the key according to the application identifier carried in the service packet and the correspondence between the application identifier and the key stored in the gateway device; generating a reference check code according to the key; and, when the reference check code matches the security check code, determining the application corresponding to the application identifier as the application to which the service packet belongs.
In the embodiments of the present invention, the service packet carries a security check code and the gateway device verifies the service packet according to that security check code, which prevents forgery of service packets and improves the security of service transmission.
It should be noted that the security check code can be generated by the application in the UE based on the key corresponding to that application. On this basis, pre-agreement or signaling can be used to ensure that, when the service packet is generated by a secure application (such as a genuine application), the key and encryption method that the UE side uses to generate the security check code are the same as the key and encryption method that the gateway device uses to generate the reference check code.
Specifically, it can be agreed in advance that the UE side and the gateway device side both generate the check code from the same plaintext, key and encryption method; the plaintext may be the name of the application, the URL of the application, or an arbitrary character string. Therefore, when the service packet is a secure service packet, the security check code is the same as the reference check code; when the service packet is a forged service packet, the forged packet cannot obtain the agreed plaintext or key, so the security check code differs from the reference check code.
Optionally, generating the reference check code according to the key may include: generating the reference check code from the key, based on MD5 (Message Digest Algorithm 5). Because the character string on which the algorithm operates cannot be computed backwards from a check code produced by MD5, the possibility of the agreed character string being cracked is avoided; moreover, Internet companies use MD5 extensively, so the technical and cost thresholds for a CP (Content Provider) and an SP (Service Provider) are very low.
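The gateway-side check described above (select the key by application identifier and version number, derive a reference check code, compare it with the code carried in the packet, then pick the charging policy), as an added example that is not part of the patent text. The query-parameter names `appid`, `appver` and `chk`, the way key and plaintext are combined, the fallback policy and all table values are assumptions; the `hmac-sha256` scheme is a hardened variant added here, not something the page describes.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed gateway tables: every identifier, key and policy name is made up.
APP_BY_ID = {"app-0002": "ExampleVideo"}        # application identifier -> application
KEY_BY_ID_VERSION = {                           # (identifier, version number) -> key
    ("app-0002", "3.1"): b"constructed-key-for-3.1",
    ("app-0002", "3.2"): b"constructed-key-for-3.2",
}
POLICY_BY_APP = {"ExampleVideo": "zero-rated"}  # application -> charging policy
DEFAULT_POLICY = "standard-rate"                # assumption: applied when no application is identified


def check_code(key: bytes, plaintext: bytes, scheme: str = "md5") -> str:
    """Derive a check code from the key and the agreed plaintext."""
    if scheme == "md5":
        # MD5-based, as on the page. Hashing key || plaintext is an assumption:
        # the page does not say how the two are combined.
        return hashlib.md5(key + plaintext).hexdigest()
    if scheme == "hmac-sha256":
        # Hardened variant added for comparison (not from the page).
        return hmac.new(key, plaintext, hashlib.sha256).hexdigest()
    raise ValueError(f"unknown scheme: {scheme}")


def parse_fields(url: str):
    """Read identifier, version and check code from the agreed position
    (assumed here to be the query string that follows the request URL)."""
    query = parse_qs(urlsplit(url).query)

    def one(name):
        values = query.get(name, [])
        # A missing or repeated field is treated as absent.
        return values[0] if len(values) == 1 else None

    return one("appid"), one("appver"), one("chk")


def identify(url: str, scheme: str = "md5"):
    """Step 120 with the security check: return (application, policy).
    The application is None when any lookup or the comparison fails."""
    app_id, version, received = parse_fields(url)
    if not (app_id and version and received):
        return None, DEFAULT_POLICY
    app = APP_BY_ID.get(app_id)
    key = KEY_BY_ID_VERSION.get((app_id, version))
    if app is None or key is None:
        return None, DEFAULT_POLICY
    # Agreed plaintext: the application name (one of the options the text lists).
    reference = check_code(key, app.encode(), scheme)
    # Constant-time comparison of reference and received check codes.
    if not hmac.compare_digest(reference.encode(), received.encode()):
        return None, DEFAULT_POLICY
    return app, POLICY_BY_APP.get(app, DEFAULT_POLICY)


def build_url(app_id: str, version: str, key: bytes, scheme: str = "md5") -> str:
    """Terminal side: append identifier, version and security check code to the URL."""
    code = check_code(key, APP_BY_ID[app_id].encode(), scheme)
    return f"http://sp.example/video?appid={app_id}&appver={version}&chk={code}"


if __name__ == "__main__":
    key = KEY_BY_ID_VERSION[("app-0002", "3.2")]
    print(identify(build_url("app-0002", "3.2", key)))
    print(identify("http://sp.example/video?appid=app-0002&appver=3.2&chk=" + "0" * 32))
```

The code depends only on the key and the agreed plaintext, so it stays the same for every packet sent under a given key; the temporary keys with an expiry time described in the embodiment that follows bound that lifetime.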
需要说明的是, UE侧与网关设备侧获取密钥的方式可以有多种, 以下 给出两种获取密钥的具体方式。  It should be noted that there may be multiple ways to obtain a key on the UE side and the gateway device side. Two specific ways of obtaining a key are given below.
Optionally, as an embodiment, the key is a temporary key generated for the application by a pre-deployed key server. Before the key is determined according to the application identifier carried in the service packet and the correspondence between application identifier and key stored in the gateway device, the method of FIG. 1 may further include: sending a request message to the key server, the request message being used to request the key server to generate a temporary key for the application; and receiving a response message sent by the key server, the response message carrying the temporary key.
Specifically, to accurately identify the application to which a service packet belongs, the OTT vendor can modify the APP and deploy a key server on the network side. When the application starts, the UE may request the application's temporary key from the key server. The gateway device side may periodically send a request message to the key server, requesting the application identifiers and temporary keys of the contracted applications on the gateway device; when the application to which the service packet belongs is one of the contracted applications, the request message is used to request the key server to generate a temporary key for that application. The key server may also set an expiration time for the temporary key; when the expiration time is reached, the key must be requested again.
The contracted application may specifically refer to an application recorded in the GGSN/PGW. For example, when the service provider of an application offers a free traffic package for that application on the mobile network, it needs to sign a contract with the operator of the mobile network, so that the GGSN/PGW records the application and the correspondence between the application and the free-traffic policy.
Optionally, the application identifier may also be a temporary application identifier: when the application on the UE or the GGSN/PGW sends a request message to the key server, the key server may also generate a temporary application identifier. Similarly, an expiration time may be set for the temporary application identifier.
Optionally, as another embodiment, the application identifier, version number and key may be built into the application. The service packet further carries the version number of the application, and the gateway device further stores the correspondence among application identifier, version number and key. Determining the key according to the application identifier carried in the service packet and the correspondence between application identifier and key stored in the gateway device may include: selecting the key corresponding to the application identifier and the version number, according to the application identifier and version number carried in the service packet and the correspondence among application identifier, version number and key stored in the gateway device.
Specifically, when generating the service packet, the UE side extracts the built-in application identifier, version number and key from the application; the gateway device side may extract each application identifier, version number and key from the contracted applications and build a correspondence list.
The method for processing a service packet according to an embodiment of the present invention has been described in detail above from the perspective of the gateway device, with reference to FIG. 1. The method for processing a service packet according to an embodiment of the present invention is described below from the perspective of the user equipment, with reference to FIG. 2.
It should be understood that the interaction between the UE and the gateway device, and the related features and functions, as described for the UE side correspond to the description for the gateway device side; repeated descriptions are omitted where appropriate for brevity.
FIG. 2 is a schematic flowchart of a method for processing a service packet according to an embodiment of the present invention. The method of FIG. 2 may be performed by an apparatus for processing service packets, for example by a UE or an application on the UE, or by an SP Server. The method of FIG. 2 includes:
210. Generate a service packet, where the service packet carries an application identifier and the application identifier indicates the application to which the service packet belongs.
220. Send the service packet to a gateway device of the core network.
It should be understood that sending the service packet to the gateway device in step 220 may mean sending it with the gateway device as the destination, or forwarding it to another destination through the gateway device.
Specifically, when the method of FIG. 2 is performed by the UE, step 220 may include: the UE forwards the service packet, through the gateway device, to the SP Server of the application to which the service packet belongs.
When the method of FIG. 2 is performed by the SP Server, step 220 may include: the SP Server forwards the service packet to the UE through the gateway server.
In this embodiment of the present invention, the service packet carries an application identifier; because the application identifier identifies the application to which the service packet belongs, the gateway device can identify the application according to the application identifier, which improves the gateway device's recognition rate for applications.
Optionally, as an embodiment, the service packet further carries a security check code used to check the security of the service packet. Before step 210, the method of FIG. 2 may further include: obtaining the key corresponding to the application; and generating the security check code according to the key.
Optionally, as another embodiment, the key is a temporary key generated for the application by a pre-deployed key server, and obtaining the key corresponding to the application may include: sending a request message to the key server, the request message being used to request the key server to generate a temporary key for the application; and receiving a response message sent by the key server, the response message carrying the temporary key.
Optionally, as another embodiment, the key is a built-in key of the application to which the service packet belongs, and obtaining the key corresponding to the application may include: extracting the built-in key from the application to which the service packet belongs.
Optionally, as another embodiment, the service packet further carries the version number of the application that generates the service packet.
Optionally, as another embodiment, generating the security check code according to the key includes: generating the security check code according to the key and based on MD5.
Embodiments of the present invention are described in more detail below with reference to specific examples. It should be noted that the examples of FIG. 3 to FIG. 4 are intended only to help those skilled in the art understand the embodiments of the present invention, not to limit the embodiments to the specific values or scenarios illustrated. Those skilled in the art can obviously make various equivalent modifications or changes based on the examples of FIG. 3 to FIG. 5, and such modifications or changes also fall within the scope of the embodiments of the present invention.
FIG. 3 is a networking architecture diagram according to an embodiment of the present invention. In the embodiment of FIG. 3, the application identifier and key of the application on the UE side are obtained from a public key server deployed on the network side by the OTT vendor; the correspondence between application identifier and key in the gateway device is also obtained from that key server.
In addition, the gateway device is exemplified by a GGSN/PGW, and the GGSN/PGW sets different charging policies for different applications, controlled by the PCRF (Policy and Charging Rules Function) entity and the OCS (Online Charging System).
Specifically, when the UE interacts with the SP Server in the mobile network, the service packet accesses the core network through the RAN, which may be, for example, UMTS or LTE, and then passes through the SGSN/SGW and the GGSN/PGW in the core network in turn to reach the SP Server.
FIG. 4 is a flowchart of a method for processing a service packet under the networking architecture of FIG. 3, according to an embodiment of the present invention. The method may be performed by the UE or by an application on the UE.
401. The application has the domain name or IP (Internet Protocol) address of the key server built in.
The application is located on the UE; this ensures that a temporary key is obtained from the key server each time the UE runs the application or when the key expires.
The key server is established in advance and may be located on the network side; see the key server in FIG. 3.
402. When the UE has accessed the mobile network and the application is running, the application sends a request message to the key server to request a temporary key.
Specifically, the application sends the request message to the key server according to the domain name or IP address of the key server. This exchange may be carried over HTTPS (Hypertext Transfer Protocol over Secure Socket Layer), so that authentication with the key server and the key request are completed in an encrypted manner, preventing the key from being intercepted by an intermediate device.
The request message may carry the application name or application ID, so that the key server knows which application is requesting a temporary key and generates the temporary key corresponding to that application.
Further, the request message may carry the user name and password required to log in to the key server, so that the key server performs authentication according to the user name and password.
403. The GGSN/PGW forwards the application's request.
When forwarding the request, the GGSN/PGW may be configured with a free pass-through policy, ensuring that the application on the UE can access the key server normally and complete its initial authentication and key request.
404. The key server determines the temporary key of the application.
Optionally, the key server may authenticate the application, which specifically means checking the legality and validity of the application. The application may be authenticated according to an agreed user name and password. Specifically, the application carries the user name and password in the request message, and the key server verifies the security of the application according to the user name and password.
Optionally, the application identifier of the application may also be a temporary identifier provided by the key server; in that case, when the key server determines the temporary key of the application, it also determines the temporary identifier of the application. In addition, the expiration times of the application identifier and the temporary key may also be determined.
405. The key server sends a response message to the application, where the response message carries the authentication result and the temporary key.
Optionally, the response message may also carry a temporary application identifier and/or the expiration time of the temporary key.
406. The GGSN/PGW is configured with the address of the key server.
Based on the address of the key server, the GGSN/PGW can periodically request from the key server the application identifier and temporary key of each contracted application.
407. Based on the pre-configured key server address, the GGSN/PGW sends a request message to the key server, requesting the application identifiers and temporary keys of the contracted applications.
The message may carry the application names or application IDs of the contracted applications, so that the key server knows which applications need temporary keys and generates a corresponding temporary key for each contracted application.
For this message, the interface protocol type and the request message format can be privately customized by agreement with the key server, for example by extending the RADIUS message.
The contracted application may specifically refer to an application recorded in the GGSN/PGW. For example, when the service provider of an application offers a free traffic package for that application on the mobile network, it needs to sign a contract with the operator of the mobile network, so that the GGSN/PGW records the application and the correspondence between the application and the free-traffic policy.
It should be noted that step 401, step 406 and step 407 are optional steps. Specifically, the GGSN/PGW may be pre-configured with the address of the key server and periodically request the application identifiers and temporary keys of the contracted applications from the key server.
408. The key server encapsulates the application identifiers and temporary keys of the contracted applications in a response message.
409. The key server replies with the response message, which carries the application identifiers and temporary keys of the various applications.
410. The GGSN/PGW parses the content of the response message and saves the application identifiers and temporary keys it contains.
411. The application generates a security check code from the temporary key according to the agreed encryption algorithm.
The algorithm may be the MD5 algorithm. The application and the gateway device may agree in advance on the string to be encrypted, for example the name of the application or the URL of the application server; this is not specifically limited in the embodiments of the present invention.
412. When the application accesses a service, it adds the application identifier and the security check code to the service packet.
Specifically, a string in an agreed format is inserted at an agreed position in the service packet. The string in the agreed format may include the application identifier and the security check code, and may also include a source string agreed between the OTT and the GGSN/PGW. For example, the following agreed format may be used: APP ID+APP name+md5(APP name), where APP ID is the application identifier, APP name is the source string, and md5(APP name) is the security check code computed from the source string and the key by the MD5 encryption algorithm. The string in the agreed format is inserted at the agreed position; for example, the insertion position is after the URL of the HTTP request.
413. The GGSN/PGW inspects the received service packet to identify the application to which the service packet belongs.
The GGSN/PGW obtains the string from the agreed position and confirms whether it conforms to the agreed format. Specifically, when the format APP ID+APP name+md5(APP name) is used and the string conforms to it, the GGSN/PGW extracts the APP ID (application identifier), the APP name (source string) and the MD5-computed APP name, that is, the security check code. According to the APP ID in the packet, the GGSN/PGW finds the pre-stored key corresponding to that APP ID. It then computes the reference check code from the APP name and that key by the MD5 algorithm. If the reference check code is the same as the security check code in the service packet, the check succeeds, and the pre-stored application corresponding to the application identifier is determined to be the application to which the service packet belongs. Matching is then performed based on the charging and control policies bound to the user, to determine how the service data flow of the application is charged and controlled.
414. After the key expires, the application re-initiates the authentication request and key request procedure, that is, steps 402 to 405, to update the temporary key.
415. After the key expires, the GGSN/PGW re-obtains the application identifiers and temporary keys of the different types of applications.
It should be noted that step 414 and step 415 are both optional. When the key server has preset an expiration time for the application identifier and/or the temporary key, these two steps may be performed; otherwise, step 414 and step 415 may be omitted.
In this embodiment of the present invention, the application identifier is carried in the service packet and matched against the application identifier pre-stored in the gateway device, which improves the recognition rate for applications.
In addition, a key server is established on the network side; the UE and the gateway device both obtain the temporary key through this key server and use the temporary key to check the security of service packets, which improves the security of service transmission.
FIG. 5 is a flowchart of a method for processing a service packet according to an embodiment of the present invention. In the embodiment of FIG. 5, keys are fixedly assigned per application version; in other words, one key is built into each different version of each application. Therefore, the application's service packet carries the application identifier, the application version number and the security check code. The method of FIG. 5 may be performed by the UE or by an application on the UE. The specific procedure is as follows:
510. The application has the application identifier, the version number and the corresponding key built in.
520. The GGSN/PGW is configured with the application identifier, the version number and the corresponding key.
For example, the application identifier, version number and corresponding key of the application may be reported when the application is contracted.
It should be noted that steps 510 and 520 can both be completed by pre-configuration.
530. The application generates a security check code from the built-in key according to the agreed encryption algorithm.
The security check code is generated in a manner similar to the embodiment of FIG. 4, and details are not repeated here.
540. The application inserts a string in the agreed format at the agreed position in the service packet.
For example, the following format may be used: APP ID+APP version+APP name+md5(APP name). Compared with the format in the embodiment of FIG. 4, it additionally contains the application version number, that is, APP version.
550. The GGSN/PGW inspects the packet to identify the application to which the service packet belongs.
Specifically, the string may be obtained from the agreed position, and it is confirmed whether the string conforms to the agreed packet format, for example whether it uses the following format: APP ID+APP version+APP name+md5(APP name). If it conforms to the agreed format, the APP ID, APP version, APP name and the MD5-computed APP name, that is, the security check code, are extracted from it. According to the APP ID and APP version in the packet, the GGSN/PGW finds the pre-stored key corresponding to that APP ID and APP version. It then computes the reference check code from the APP name and that key by the MD5 algorithm. If the reference check code is the same as the security check code in the service packet, the check succeeds. After the check succeeds, matching is performed based on the charging and control policies bound to the user, to determine how the service data flow of the application is charged and controlled.
560. The key is updated after the application is upgraded.
Specifically, when the application is upgraded, the UE may download the application's upgrade package from the SP Server. The upgrade package carries the new key corresponding to the new version of the application, and the new key replaces the old key.
570. The GGSN/PGW establishes the correspondence among application identifier, application version number and key for the updated or newly added application.
Step 570 can be implemented in various ways. For example, it can be configured manually, or the SP Server can report the application identifier, application version number and key of the newly added or updated application to the GGSN/PGW, so that the GGSN/PGW updates the list representing the above correspondence.
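The tag built by the application in steps 412 and 540 and the check performed by the GGSN/PGW in steps 413 and 550, as an added example that is not part of the patent text. The `|` delimiter, the `#apptag=` marker, the order in which key and source string are fed to MD5, and all names and sample values are assumptions; the patent fixes none of them.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FIELD_SEP = "|"            # assumed delimiter; the text only writes "+"
TAG_MARKER = "#apptag="    # assumed "agreed position" after the request URL


@dataclass
class KeyEntry:
    key: bytes                          # built-in or temporary key
    app: str                            # application recorded for this identifier
    expires_at: Optional[float] = None  # None = built-in key (FIG. 5), no expiry


# (application identifier, version or None) -> key entry
KeyTable = Dict[Tuple[str, Optional[str]], KeyEntry]


def check_code(key: bytes, source: str) -> str:
    """MD5 over key || source string (the combination order is an assumption)."""
    return hashlib.md5(key + source.encode("utf-8")).hexdigest()


def build_tag(app_id: str, version: Optional[str], source: str, key: bytes) -> str:
    """UE side: APP ID [+ APP version] + APP name + md5(APP name)."""
    fields = [app_id] + ([version] if version is not None else [])
    return FIELD_SEP.join(fields + [source, check_code(key, source)])


def identify(url: str, table: KeyTable, now: Optional[float] = None) -> Optional[str]:
    """Gateway side: return the application name, or None if the check fails."""
    now = time.time() if now is None else now
    _, marker, tag = url.partition(TAG_MARKER)
    if not marker:
        return None                      # no tag at the agreed position
    fields = tag.split(FIELD_SEP)
    if len(fields) == 3:                 # FIG. 4 format, no version number
        app_id, source, received = fields
        version = None
    elif len(fields) == 4:               # FIG. 5 format, with version number
        app_id, version, source, received = fields
    else:
        return None                      # does not conform to the agreed format
    entry = table.get((app_id, version))
    if entry is None:
        return None                      # not a recorded application/version
    if entry.expires_at is not None and now >= entry.expires_at:
        return None                      # temporary key past its expiration time
    reference = check_code(entry.key, source)
    # Constant-time comparison of reference and received check codes.
    if not hmac.compare_digest(reference.encode(), received.encode()):
        return None
    return entry.app


# Constructed sample table (values are illustrative, not from the patent).
TABLE: KeyTable = {
    ("app-001", "2.0"): KeyEntry(b"builtin-key-v2.0", "ExampleVideo"),
    ("app-001", "2.1"): KeyEntry(b"builtin-key-v2.1", "ExampleVideo"),
    ("tmp-77", None): KeyEntry(b"temp-key-constructed", "ExampleChat", expires_at=1000.0),
}

if __name__ == "__main__":
    url = "http://sp.example/video" + TAG_MARKER + build_tag(
        "app-001", "2.1", "ExampleVideo", b"builtin-key-v2.1")
    print(url, "->", identify(url, TABLE))
```

Because the agreed source string is fixed, the check code is identical for every packet until the key changes, so the expiration time of the temporary key bounds how long a tag stays valid.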
In this embodiment of the present invention, the application identifier is carried in the service packet and matched against the application identifier pre-stored in the gateway device, which improves the recognition rate for applications.
Further, the application identifier, the application version number and the key are built into each application; the application on the UE and the gateway device both use this built-in key to check the security of service packets, which improves the security of service transmission.
FIG. 6 is a schematic block diagram of a gateway device according to an embodiment of the present invention. The gateway device 600 of FIG. 6 includes a first receiving unit 610, an identifying unit 620 and an executing unit 630.
The first receiving unit 610 is configured to receive a service packet, where the service packet carries an application identifier and the application identifier indicates the application to which the service packet belongs.
The identifying unit 620 is configured to identify the application to which the service packet belongs, according to the application identifier carried in the service packet received by the first receiving unit 610.
The executing unit 630 is configured to execute a processing policy on the service packet according to a pre-established correspondence between the application identified by the identifying unit 620 and the processing policy.
In this embodiment of the present invention, the application identifier is carried in the service packet and pre-stored in the gateway device, so that the gateway device can identify the application by matching the application identifier carried in the service packet against the application identifier stored in the gateway device, which improves the gateway device's recognition rate for applications.
Optionally, as an embodiment, the gateway device 600 stores a correspondence between application identifier and application, and the identifying unit 620 is specifically configured to determine the application corresponding to the application identifier as the application to which the service packet belongs, according to the application identifier carried in the service packet, the application identifier stored in the gateway device, and the correspondence between application identifier and application.
Optionally, as another embodiment, the service packet further carries a security check code used to check the security of the service packet, and the gateway device 600 further stores a correspondence among application identifier, application and key. The identifying unit 620 is specifically configured to: determine the key according to the application identifier carried in the service packet and the correspondence between application identifier and key stored in the gateway device; generate a reference check code according to the key; and, when the reference check code matches the security check code, determine the application corresponding to the application identifier as the application to which the service packet belongs.
Optionally, as another embodiment, the key is a temporary key generated for the application by a key server, and the gateway device 600 further includes: a sending unit, configured to send a request message to the key server, the request message being used to request the key server to generate temporary keys for the applications stored in the gateway device; and a second receiving unit, configured to receive a response message sent by the key server, the response message carrying the temporary key.
Optionally, as another embodiment, the service packet further carries the version number of the application, and the gateway device 600 further stores a correspondence among application identifier, version number and key. The identifying unit 620 is specifically configured to select the key corresponding to the application identifier and the version number, according to the application identifier and version number carried in the service packet and the correspondence among application identifier, version number and key.
Optionally, as another embodiment, the identifying unit 620 is specifically configured to generate the reference check code according to the key, based on MD5.
Optionally, as another embodiment, the executing unit 630 is specifically configured to charge for the service packet according to a charging policy.
FIG. 7 is a schematic block diagram of an apparatus for processing a service packet according to an embodiment of the present invention. The apparatus 700 for processing a service packet in FIG. 7 may be a UE or an SP Server. The apparatus 700 includes a first generating unit 710 and a sending unit 720.
The first generating unit 710 is configured to generate a service packet, where the service packet carries an application identifier, and the application identifier is used to indicate the application to which the service packet belongs.
The sending unit 720 is configured to send the service packet generated by the first generating unit 710 to a gateway device of the core network.
In this embodiment of the present invention, the application identifier is carried in the service packet and is pre-stored in the gateway device, so the gateway device can identify the application by matching the application identifier carried in the service packet against the application identifier stored in the gateway device, which improves the gateway device's recognition rate for applications.
Optionally, as an embodiment, the service packet further carries a security check code, which is used to verify the security of the service packet, and the apparatus 700 further includes: an obtaining unit 730, configured to obtain the key corresponding to the application; and a second generating unit 740, configured to generate the security check code according to the key.
Optionally, as another embodiment, the key is a temporary key generated by a key server for the application, and the obtaining unit 730 is specifically configured to: send a request message to the key server, where the request message is used to request the key server to generate the temporary key for the application; and receive a response message sent by the key server, where the response message carries the temporary key.
Optionally, as another embodiment, the key is a built-in key of the application to which the service packet belongs, and the obtaining unit 730 is specifically configured to extract the built-in key.
Optionally, as another embodiment, the service packet further carries the version number of the application that generates the service packet.
Optionally, as another embodiment, the second generating unit 740 is specifically configured to generate the security check code according to the key and based on MD5.
FIG. 8 is a schematic block diagram of a gateway device according to an embodiment of the present invention. The gateway device 800 in FIG. 8 includes a receiver 810 and a processor 820.
The receiver 810 is configured to receive a service packet, where the service packet carries an application identifier, and the application identifier is used to indicate the application to which the service packet belongs.
The processor 820 is configured to: identify, according to the application identifier carried in the service packet received by the receiver 810, the application to which the service packet belongs; and execute a processing policy on the service packet according to a pre-established correspondence between the application and the processing policy.
In this embodiment of the present invention, the application identifier is carried in the service packet and is pre-stored in the gateway device, so the gateway device can identify the application by matching the application identifier carried in the service packet against the application identifier stored in the gateway device, which improves the gateway device's recognition rate for applications.
Optionally, as an embodiment, the gateway device 800 stores a correspondence between the application identifier and the application, and the processor 820 is specifically configured to determine, according to the application identifier carried in the service packet and the correspondence between the application identifier and the application, the application corresponding to the application identifier as the application to which the service packet belongs.
Optionally, as another embodiment, the service packet further carries a security check code, which is used to verify the security of the service packet, and the gateway device 800 further stores a correspondence among the application identifier, the application, and a key. The processor 820 is specifically configured to: determine the key according to the application identifier carried in the service packet and the correspondence between the application identifier and the key; generate a reference check code according to the key; and, when the reference check code matches the security check code, determine the application corresponding to the application identifier as the application to which the service packet belongs.
Optionally, as another embodiment, the key is a temporary key generated by a key server for the application, and the gateway device 800 further includes a transmitter, configured to send a request message to the key server, where the request message is used to request the key server to generate a temporary key for the application stored in the gateway device. The receiver 810 is further configured to receive a response message sent by the key server, where the response message carries the temporary key.
Optionally, as another embodiment, the service packet further carries the version number of the application, and the gateway device 800 further stores a correspondence among the application identifier, the version number, and the key. The processor 820 is specifically configured to select the key corresponding to the application identifier and the version number, according to the application identifier and the version number carried in the service packet and the correspondence among the application identifier, the version number, and the key.
Optionally, as another embodiment, the processor 820 is specifically configured to generate the reference check code according to the key, based on MD5.
Optionally, as another embodiment, the processor 820 is specifically configured to charge for the service packet according to a charging policy.
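The check described above for gateway device 800 (select the key by application identifier and version number, generate a reference check code, compare it with the carried security check code), together with the sender side of apparatus 700, as an added example that is not part of the patent text. The wire layout, the table contents, the `None` result for an unidentified packet, and the choice of HMAC-MD5 over identifier, version and payload as the MD5-based construction are assumptions; the page only states that the code is generated from the key based on MD5.

```python
import hashlib
import hmac
from dataclasses import dataclass

CODE_LEN = hashlib.md5().digest_size  # an MD5-based check code is 16 bytes

# Constructed sample tables (not from the patent).
# (application identifier, version number) -> key
KEY_TABLE = {
    ("app-video", "1.0"): b"constructed-key-v1",
    ("app-video", "2.0"): b"constructed-key-v2",
}
APP_TABLE = {"app-video": "VideoApp"}                 # identifier -> application
POLICY_TABLE = {"VideoApp": "charging:video-tariff"}  # application -> policy


@dataclass(frozen=True)
class ServicePacket:
    app_id: str
    version: str
    check_code: bytes
    payload: bytes


def _field(data: bytes) -> bytes:
    """Length-prefix a header field (assumed layout: 1-byte length + bytes)."""
    if len(data) > 255:
        raise ValueError("field too long")
    return bytes([len(data)]) + data


def make_check_code(key: bytes, app_id: str, version: str, payload: bytes) -> bytes:
    """Keyed MD5 code. HMAC-MD5 and the covered fields are assumptions."""
    msg = _field(app_id.encode()) + _field(version.encode()) + payload
    return hmac.new(key, msg, hashlib.md5).digest()


def build_packet(app_id: str, version: str, key: bytes, payload: bytes) -> bytes:
    """Sender side (UE or SP Server): attach identifier, version and code."""
    code = make_check_code(key, app_id, version, payload)
    return _field(app_id.encode()) + _field(version.encode()) + code + payload


def parse_packet(raw: bytes) -> ServicePacket:
    """Parse the assumed layout; raise ValueError on any truncated field."""
    pos, fields = 0, []
    for _ in range(2):
        if pos >= len(raw):
            raise ValueError("truncated header")
        n = raw[pos]
        chunk = raw[pos + 1:pos + 1 + n]
        if len(chunk) != n:
            raise ValueError("truncated field")
        fields.append(chunk.decode("utf-8"))  # UnicodeDecodeError is a ValueError
        pos += 1 + n
    code = raw[pos:pos + CODE_LEN]
    if len(code) != CODE_LEN:
        raise ValueError("truncated check code")
    return ServicePacket(fields[0], fields[1], code, raw[pos + CODE_LEN:])


def gateway_process(raw: bytes):
    """Gateway side: return the processing policy, or None if the
    application cannot be identified (None is this example's convention)."""
    try:
        pkt = parse_packet(raw)
    except ValueError:
        return None
    # Select the key by application identifier AND version number.
    key = KEY_TABLE.get((pkt.app_id, pkt.version))
    if key is None:
        return None
    reference = make_check_code(key, pkt.app_id, pkt.version, pkt.payload)
    # Constant-time comparison of reference and carried check codes.
    if not hmac.compare_digest(reference, pkt.check_code):
        return None
    return POLICY_TABLE.get(APP_TABLE.get(pkt.app_id))
```

A packet that only copies a known application identifier, without the matching key for that version, fails the comparison and is never mapped to that application's policy.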
FIG. 9 is a schematic block diagram of an apparatus for processing a service packet according to an embodiment of the present invention. The apparatus 900 in FIG. 9 may be a UE or an SP Server. The apparatus 900 includes a processor 910 and a transmitter 920.
The processor 910 is configured to generate a service packet, where the service packet carries an application identifier, and the application identifier is used to indicate the application to which the service packet belongs.
The transmitter 920 is configured to send the service packet generated by the processor 910 to a gateway device of the core network.
In this embodiment of the present invention, the application identifier is carried in the service packet and is pre-stored in the gateway device, so the gateway device can identify the application by matching the application identifier carried in the service packet against the application identifier stored in the gateway device, which improves the gateway device's recognition rate for applications.
Optionally, as an embodiment, the service packet further carries a security check code, which is used to verify the security of the service packet, and the processor 910 is further configured to obtain the key corresponding to the application and generate the security check code according to the key.
Optionally, as another embodiment, the key is a temporary key generated by a key server for the application, and the processor 910 is specifically configured to: send a request message to the key server, where the request message is used to request the key server to generate the temporary key for the application; and receive a response message sent by the key server, where the response message carries the temporary key.
Optionally, as another embodiment, the key is a built-in key of the application to which the service packet belongs, and the processor 910 is specifically configured to extract the built-in key.
Optionally, as another embodiment, the service packet further carries the version number of the application that generates the service packet.
Optionally, as another embodiment, the processor 910 is specifically configured to generate the security check code according to the key and based on MD5.
A person of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the specific application and the design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each particular application, but such an implementation should not be considered to go beyond the scope of the present invention.
A person skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the system, apparatus, and units described above may be found in the corresponding processes of the foregoing method embodiments, and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus, and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative. The division into units is only a division by logical function, and other divisions are possible in an actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual coupling, direct coupling, or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses, or units, and may be electrical, mechanical, or in another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as a standalone product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention. The foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.
The foregoing is merely a description of specific embodiments of the present invention, but the scope of protection of the present invention is not limited thereto. Any variation or replacement that a person skilled in the art can readily conceive of within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be subject to the scope of protection of the claims.

Claims

1. A method for processing a service packet, characterized in that it comprises:
receiving, by a gateway device, a service packet, where the service packet carries an application identifier, and the application identifier is used to indicate the application to which the service packet belongs;
identifying, by the gateway device according to the application identifier, the application to which the service packet belongs; and
executing, by the gateway device, a processing policy on the service packet according to a pre-established correspondence between the application and the processing policy.
2. The method according to claim 1, characterized in that the gateway device stores a correspondence between the application identifier and the application,
and the identifying the application according to the application identifier comprises:
determining, according to the application identifier carried in the service packet and the correspondence between the application identifier and the application, the application corresponding to the application identifier as the application to which the service packet belongs.
3. The method according to claim 1, characterized in that the service packet further carries a security check code, the security check code is used to verify the security of the service packet, and the gateway device further stores a correspondence among the application identifier, the application, and a key,
and the identifying the application according to the application identifier comprises:
determining the key according to the application identifier carried in the service packet and the correspondence between the application identifier and the key;
generating a reference check code according to the key; and
when the reference check code matches the security check code, determining the application corresponding to the application identifier as the application to which the service packet belongs.
4. The method according to claim 3, characterized in that the key is a temporary key generated by a key server for the application,
and before the determining the key according to the application identifier carried in the service packet and the correspondence between the application identifier and the key, the method further comprises:
sending a request message to the key server, where the request message is used to request the key server to generate the temporary key for the application; and
receiving a response message sent by the key server, where the response message carries the temporary key.
5. The method according to claim 3, characterized in that the service packet further carries a version number of the application, and the gateway device further stores a correspondence among the application identifier, the version number, and the key,
and the determining the key according to the application identifier carried in the service packet and the correspondence between the application identifier and the key comprises:
selecting the key corresponding to the application identifier and the version number, according to the application identifier and the version number carried in the service packet and the correspondence among the application identifier, the version number, and the key.
6. The method according to any one of claims 3-5, characterized in that
the generating a reference check code according to the key comprises:
generating the reference check code according to the key, based on the message digest algorithm MD5.
7. The method according to any one of claims 1-6, characterized in that the processing policy is a charging policy of the application,
and the executing the processing policy on the service packet according to the pre-established correspondence between the application and the processing policy comprises:
charging for the service packet according to the charging policy.
8. A method for processing a service packet, characterized in that it comprises:
generating a service packet, where the service packet carries an application identifier, and the application identifier is used to indicate the application to which the service packet belongs; and
sending the service packet to a gateway device of the core network.
9. The method according to claim 8, characterized in that the service packet further carries a security check code, and the security check code is used to verify the security of the service packet,
and before the generating a service packet, the method further comprises:
obtaining the key corresponding to the application; and
generating the security check code according to the key.
10. The method according to claim 9, characterized in that the key is a temporary key generated by a key server for the application,
and the obtaining the key corresponding to the application comprises:
sending a request message to the key server, where the request message is used to request the key server to generate the temporary key for the application; and
receiving a response message sent by the key server, where the response message carries the temporary key.
11. The method according to claim 9, characterized in that the key is a built-in key of the application to which the service packet belongs,
and the obtaining the key corresponding to the application comprises: extracting the built-in key.
12. The method according to claim 11, characterized in that the service packet further carries a version number of the application that generates the service packet.
13. The method according to any one of claims 9-12, characterized in that the generating the security check code according to the key comprises:
generating the security check code according to the key and based on the message digest algorithm MD5.
14. A gateway device, characterized in that it comprises:
a first receiving unit, configured to receive a service packet, where the service packet carries an application identifier, and the application identifier is used to indicate the application to which the service packet belongs;
an identification unit, configured to identify, according to the application identifier carried in the service packet received by the first receiving unit, the application to which the service packet belongs; and
an execution unit, configured to execute a processing policy on the service packet according to a pre-established correspondence between the application identified by the identification unit and the processing policy.
15. The gateway device according to claim 14, characterized in that the gateway device stores a correspondence between the application identifier and the application, and the identification unit is specifically configured to determine, according to the application identifier carried in the service packet and the correspondence between the application identifier and the application, the application corresponding to the application identifier as the application to which the service packet belongs.
16. The gateway device according to claim 15, characterized in that the service packet further carries a security check code, the security check code is used to verify the security of the service packet, the gateway device further stores a correspondence among the application identifier, the application, and a key, and the identification unit is specifically configured to: determine the key according to the application identifier carried in the service packet and the correspondence between the application identifier and the key; generate a reference check code according to the key; and, when the reference check code matches the security check code, determine the application corresponding to the application identifier as the application to which the service packet belongs.
17. The gateway device according to claim 16, characterized in that the key is a temporary key generated by a key server for the application, and the gateway device further comprises:
a sending unit, configured to send a request message to the key server, where the request message is used to request the key server to generate the temporary key for the application; and
a second receiving unit, configured to receive a response message sent by the key server, where the response message carries the temporary key.
18. The gateway device according to claim 16, characterized in that the service packet further carries a version number of the application, the gateway device further stores a correspondence among the application identifier, the version number, and the key, and the identification unit is specifically configured to select the key corresponding to the application identifier and the version number, according to the application identifier and the version number carried in the service packet and the correspondence among the application identifier, the version number, and the key.
19. The gateway device according to any one of claims 16-18, characterized in that the identification unit is specifically configured to generate the reference check code according to the key, based on the message digest algorithm MD5.
20. The gateway device according to any one of claims 14-19, characterized in that the execution unit is specifically configured to charge for the service packet according to the charging policy.
21. An apparatus for processing a service packet, characterized in that it comprises:
a first generating unit, configured to generate a service packet, where the service packet carries an application identifier, and the application identifier is used to indicate the application to which the service packet belongs; and
a sending unit, configured to send the service packet generated by the first generating unit to a gateway device of the core network.
22. The apparatus according to claim 31, characterized in that the service packet further carries a security check code, the security check code is used to verify the security of the service packet, and the UE further comprises:
an obtaining unit, configured to obtain the key corresponding to the application; and
a second generating unit, configured to generate the security check code according to the key.
23. The apparatus according to claim 22, characterized in that the key is a temporary key generated by a key server for the application,
and the obtaining unit is specifically configured to: send a request message to the key server, where the request message is used to request the key server to generate the temporary key for the application; and receive a response message sent by the key server, where the response message carries the temporary key.
24. The apparatus according to claim 22, characterized in that the key is a built-in key of the application to which the service packet belongs,
and the obtaining unit is specifically configured to extract the built-in key.
25. The apparatus according to claim 24, characterized in that the service packet further carries a version number of the application that generates the service packet.
26. The apparatus according to any one of claims 22-25, characterized in that the second generating unit is specifically configured to generate the security check code according to the key and based on the message digest algorithm MD5.
PCT/CN2013/091111 2013-12-31 2013-12-31 Method and apparatus for processing service packet, and gateway device WO2015100615A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2013/091111 WO2015100615A1 (en) 2013-12-31 2013-12-31 Method and apparatus for processing service packet, and gateway device
CN201380072947.7A CN104995891B (en) 2013-12-31 2013-12-31 The method, apparatus and gateway of processing business message

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2013/091111 WO2015100615A1 (en) 2013-12-31 2013-12-31 Method and apparatus for processing service packet, and gateway device

Publications (1)

Publication Number Publication Date
WO2015100615A1 true WO2015100615A1 (en) 2015-07-09

Family

ID=53492966

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2013/091111 WO2015100615A1 (en) 2013-12-31 2013-12-31 Method and apparatus for processing service packet, and gateway device

Country Status (2)

Country Link
CN (1) CN104995891B (en)
WO (1) WO2015100615A1 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108400879A (en) * 2017-02-06 2018-08-14 北京上元信安技术有限公司 The discovery method and system of information assets based on gateway
CN107241310A (en) * 2017-05-04 2017-10-10 北京潘达互娱科技有限公司 A kind of client identity verification method and device
CN107241310B (en) * 2017-05-04 2020-11-06 北京潘达互娱科技有限公司 Client identity verification method and device
CN113949645A (en) * 2020-07-15 2022-01-18 华为技术有限公司 Service processing method, device, equipment and system
WO2022012352A1 (en) * 2020-07-15 2022-01-20 华为技术有限公司 Service processing method and apparatus, and device, and system
CN114024917A (en) * 2020-07-15 2022-02-08 中国移动通信集团终端有限公司 Method, device, equipment and storage medium for guaranteeing internet service bandwidth
CN114024917B (en) * 2020-07-15 2024-04-09 中国移动通信集团终端有限公司 Method, device, equipment and storage medium for guaranteeing internet service bandwidth
WO2023078357A1 (en) * 2021-11-05 2023-05-11 中国移动通信有限公司研究院 Information processing method and apparatus, device and readable storage medium

Also Published As

Publication number Publication date
CN104995891A (en) 2015-10-21
CN104995891B (en) 2018-12-25

Similar Documents

Publication Publication Date Title
WO2015100615A1 (en) Method and apparatus for processing service packet, and gateway device
CN110800331B (en) Network verification method, related equipment and system
EP3284274B1 (en) Method and apparatus for managing a profile of a terminal in a wireless communication system
US10285050B2 (en) Method and apparatus for managing a profile of a terminal in a wireless communication system
CN104956638B (en) Limited certificate registration for the unknown device in hot spot networks
CN101651682B (en) Method, system and device of security certificate
US11503469B2 (en) User authentication method and apparatus
CN108476223B (en) Method and apparatus for SIM-based authentication of non-SIM devices
US20170161721A1 (en) Method and system for opening account based on euicc
WO2011035684A1 (en) Network selection method based on multi-link and apparatus thereof
US11838752B2 (en) Method and apparatus for managing a profile of a terminal in a wireless communication system
RU2009138223A (en) USER PROFILE, POLICY, AND PMIP KEY DISTRIBUTION IN A WIRELESS COMMUNICATION NETWORK
WO2007106620A2 (en) Method for authenticating a mobile node in a communication network
JP5536628B2 (en) Wireless LAN connection method, wireless LAN client, and wireless LAN access point
JP2017528804A (en) Terminal authentication method and apparatus used in mobile communication system
CN102215486B (en) Network access method, system, network authentication method, equipment and terminal
CN111132305A (en) Method for 5G user terminal to access 5G network, user terminal equipment and medium
WO2017128286A1 (en) Method for downloading subscription file, related device, and system
WO2019071472A1 (en) Service policy creation method and apparatus
TWI592001B (en) System and method for providing telephony services over wifi for non-cellular devices
WO2014201783A1 (en) Encryption and authentication method, system and terminal for ad hoc network
JP2020017032A (en) User authorization method for core network system including authorization device and service device
KR101480706B1 (en) Network system for providing security to intranet and method for providing security to intranet using security gateway of mobile communication network
WO2014110768A1 (en) Method for authenticating terminal by mobile network, network element, and terminal
JP6205391B2 (en) Access point, server, communication system, wireless communication method, connection control method, wireless communication program, and connection control program

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13900729

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13900729

Country of ref document: EP

Kind code of ref document: A1