WO2016112677A1 - Discovery service code checking processing method and device, and discovery service code checking method and device - Google Patents

Discovery service code checking processing method and device, and discovery service code checking method and device

Info

Publication number: WO2016112677A1
Application number: PCT/CN2015/085362
Authority: WO (WIPO (PCT))
Prior art keywords: code, discovery, service, broadcast, suffix
Other languages: French (fr), Chinese (zh)
Inventors: 游世林, 蔡继燕, 彭锦, 梁爽, 林兆骥
Original assignee: 中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/06 Selective distribution of broadcast services, e.g. multimedia broadcast multicast service [MBMS]; Services to user groups; One-way selective calling services
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/041 Key generation or derivation
    • H04W 12/043 Key management, e.g. using generic bootstrapping architecture [GBA], using a trusted network node as an anchor
    • H04W 12/0433 Key management protocols
    • H04W 12/10 Integrity
    • H04W 12/108 Source integrity
    • H04W 76/00 Connection management
    • H04W 76/10 Connection setup
    • H04W 76/14 Direct-mode setup
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/12 Applying verification of the received information
    • H04L 63/123 Applying verification of the received information: received data contents, e.g. message integrity

Definitions

  • the present invention relates to the field of communications, and in particular to a method and apparatus for verifying a service code.
  • the Standards Working Group of the 3GPP (3rd Generation Partnership Project) is working on the Evolved Packet System (EPS).
  • The EPS as a whole includes the Evolved Universal Terrestrial Radio Access Network (E-UTRAN) and the Evolved Packet Core (EPC), where the EPC includes the Home Subscriber Server (HSS) and the following entities:
  • MME: Mobility Management Entity
  • SGSN: Serving GPRS Support Node
  • PCRF: Policy and Charging Rules Function
  • S-GW: Serving Gateway
  • P-GW: PDN Gateway (Packet Data Network Gateway)
  • PDN: Packet Data Network
  • D2D: device-to-device
  • The D2D service is also called the Proximity-based Service (ProSe).
  • In a D2D service, when two UEs are relatively close to each other they can communicate directly, and the data path between them can bypass the core network.
  • On the one hand this shortens data routing, and on the other hand it reduces the data load on the network. D2D services have therefore received the attention of many operators.
  • FIG. 1 is a structural block diagram of the communication architecture of the D2D discovery service in the prior art. As shown in FIG. 1, the two UEs using D2D can only access the EPC through the E-UTRAN.
  • The two UEs may belong to one Public Land Mobile Network (PLMN) or to two PLMNs. For a given UE, a PLMN is either its Home PLMN (HPLMN) or, when the UE accesses the network from another PLMN, a Visited PLMN (VPLMN); whichever of the two it is, the PLMN in which the UE is currently located is referred to collectively as the Local PLMN (LPLMN).
  • LPLMN: local public land mobile network
  • For the D2D discovery service, not only the EPS but also the ProSe Application Server that deploys the D2D discovery service can be deployed on the operator side.
  • The ProSe application server can be provided by the service provider that operates the D2D service, or can be operated by a service provider.
  • The network operator of the EPS provides a ProSe Function entity in each PLMN. Of the two UEs taking part in a ProSe service, one obtains the service identifier from the ProSe functional entity and then obtains a broadcastable service code from it; this UE is called the Announcing UE (A-UE). The other UE receives the broadcast of the A-UE and then requests a match from its own ProSe functional entity; if the match succeeds, it performs the ProSe service with the A-UE. This non-broadcasting UE is called the Monitoring UE (M-UE).
  • A-UE Announcing UE
  • M-UE monitoring UE
  • The interface between the UE and the ProSe application server is PC1, which provides the related authentication functions.
  • The interface between two UEs is PC5, used for direct mutual discovery and communication between the UEs; the interface between the UE and the ProSe functional entity is PC3, used for discovery and authentication through the network.
  • The interface between the ProSe functional entity and the existing EPC is PC4, which includes a user-plane interface to the P-GW and a control-plane interface to the HSS for discovery authentication of the D2D discovery service.
  • The interface between the ProSe functional entity and the ProSe application server is PC2, used for the application-level implementation of the D2D discovery service.
  • Between ProSe functional entities there are the PC6 and PC7 interfaces, which serve the UE in the non-roaming and roaming cases respectively.
  • When the UE is roaming the PC7 interface is used, and when the UE is not roaming the PC6 interface is used.
  • When the UE performs the D2D discovery service, the information exchange between the two ProSe functional entities takes place over these interfaces.
  • FIG. 2 is a schematic flowchart of a method for the restricted discovery service in the prior art. As shown in FIG. 2, the method includes:
  • Step S200 The A-UE obtains configuration parameters from the ProSe server and obtains permission for the restricted discovery service, where the configuration parameters include the user close-range restricted service identifier;
  • Step S201 After the A-UE establishes a secure connection with the ProSe functional entity under its HPLMN, the A-UE sends a discovery service request message to that ProSe functional entity, where the message includes the user close-range restricted service identifier, the discovery service type, and the user identifier, and the discovery service type is the broadcast service (Announce);
  • Step S202 If the ProSe functional entity has no associated UE context, it performs service authentication with the HSS and establishes a new UE context, where the UE context includes the subscription parameters of the UE. If the discovery request passes authentication, the ProSe functional entity sends a broadcast authentication request to the ProSe functional entity of the VPLMN; the message carries the user close-range restricted service identifier, the user identifier, and the discovery service code allocated by the ProSe functional entity under the HPLMN of the A-UE, where the ProSe service code is the broadcast code of the A-UE;
  • Step S203 After the ProSe functional entity of the VPLMN of the A-UE authenticates the broadcast request, it sends a broadcast authentication request response message to the ProSe functional entity in the HPLMN of the A-UE.
  • Step S204 The ProSe functional entity of the HPLMN sends a discovery service request response message to the A-UE.
  • The message carries the discovery service code, the discovery key, the current time, and the maximum duration.
  • The ProSe service code is the broadcast service code allocated to the A-UE by the ProSe functional entity of the HPLMN of the A-UE, and the discovery key is 128 bits in total.
  • The current time is Greenwich Mean Time, that is, the globally unified clock; the A-UE sets its ProSe time according to the current time, that is, it synchronises its clock with the network. The maximum duration and the current time together constitute the discovery time slot of the current discovery, that is, the lifecycle of the discovery service code, after which the code is invalid;
  • Step S205 The A-UE broadcasts over the air through a broadcast channel, and the broadcast message carries the discovery service code.
  • Step S206 The M-UE obtains configuration parameters from the ProSe server and obtains permission for the restricted discovery service, where the configuration parameters include the user close-range restricted service identifier list;
  • Step S207 When the M-UE is interested in monitoring at least one user close-range restricted service identifier, after establishing a secure connection with the ProSe functional entity under the HPLMN of the M-UE, the M-UE sends a discovery service request message to that ProSe functional entity.
  • The message includes the user close-range restricted service identifier list, the discovery service type, which is the monitoring service (Monitor), and the user identifier;
  • Step S208 If the ProSe functional entity under the HPLMN of the M-UE has no associated UE context, it performs service authentication with the HSS and establishes a new UE context, where the UE context includes the subscription parameters of the UE. If the discovery request passes authentication, the ProSe functional entity of the HPLMN of the M-UE sends a monitoring authentication request to the ProSe functional entity of the other PLMN, and the message carries the user close-range restricted service identifier list and the user identifier;
  • The ProSe functional entity of the other PLMN includes the ProSe functional entity in the HPLMN of the A-UE. The user close-range restricted service identifier list therefore also includes at least one user close-range restricted service identifier of the A-UE.
  • Step S209 The ProSe functional entity of the other PLMN obtains authorisation from the ProSe server;
  • Step S210 If the ProSe functional entity of the other PLMN holds the discovery service code corresponding to the user close-range restricted service identifier, it authenticates the monitoring authentication request and sends a monitoring authentication request response message back to the ProSe functional entity of the HPLMN of the M-UE; the message carries the mask corresponding to the discovery service code and the lifecycle of the discovery service code, that is, the current time of the ProSe functional entity of the other PLMN and the maximum duration;
  • Step S211 The ProSe functional entity of the HPLMN of the M-UE composes a discovery template from the ProSe service code according to the mask in the monitoring authentication request response message, and sends a discovery service request response message to the M-UE.
  • The message carries the discovery template, the current time, and the maximum duration;
  • The current time is the current time of the ProSe functional entity of the HPLMN of the M-UE if that entity has been time-synchronised with the ProSe functional entity of the other PLMN; otherwise it is the current time carried in the monitoring authentication response.
  • The maximum duration is the maximum duration carried in the monitoring authentication response.
  • The M-UE sets its ProSe clock according to the current time;
  • Step S212 The M-UE receives the broadcast information of the A-UE, where the broadcast information includes the discovery service code.
  • Step S213 If the M-UE finds that the discovery service code broadcast by the A-UE exists in the discovery template and is within the lifecycle of the discovery template, it sends a matching report message to the ProSe functional entity of the HPLMN of the M-UE; the message carries the discovery service code and also the ProSe time of the UE;
  • Step S214 The ProSe functional entity of the HPLMN of the M-UE forwards the matching report message to the ProSe functional entity of the HPLMN of the A-UE.
  • Step S215 The ProSe functional entity of the HPLMN of the A-UE checks, according to the parameters carried in the matching report, namely the ProSe time and the discovery service code received from the broadcast, whether the service code passes the integrity check; otherwise the check fails, that is, the discovery service code reported by the M-UE is not intact;
  • Step S216 After the integrity check by the ProSe functional entity of the HPLMN of the A-UE succeeds, it sends a matching report response message back to the ProSe functional entity of the HPLMN of the M-UE;
  • Step S217 The ProSe functional entity of the HPLMN of the M-UE sends a matching report response message to the M-UE, where the message carries the current time of the ProSe functional entity of the HPLMN of the M-UE, and the M-UE sets its ProSe time accordingly. After the match succeeds, the M-UE has discovered the A-UE.
  • The discovery service code is divided into a discovery code prefix and a discovery code suffix, where the discovery code prefix is allocated by the ProSe functional entity and the discovery code suffix is controlled by the service and allocated at the service layer.
  • Whether the discovery code suffix is intact is not verified, so it too is exposed to the risk of counterfeiting and replay attacks.
  • No effective solution has been proposed for how to protect the discovery code suffix.
  • An embodiment of the present invention provides a verification processing method, a verification method, and a device for the discovery service code.
  • A verification processing method for the discovery service code includes: a broadcast user equipment (UE) acquiring a discovery code suffix of the discovery service code and a first key corresponding to the discovery code suffix; the broadcast UE generating, according to the discovery code suffix and the first key, a first check code for verifying the discovery code suffix; and the broadcast UE broadcasting the first check code to a monitoring UE.
  • The broadcast UE acquiring the discovery code suffix of the discovery service code and the first key corresponding to the discovery code suffix includes: the broadcast UE acquiring the discovery code suffix and the first key from the proximity-based service (ProSe) server and/or the ProSe functional entity.
  • When the broadcast UE acquires the discovery code suffix of the discovery service code and the first key corresponding to the discovery code suffix, the method further includes: the broadcast UE acquiring, from the ProSe functional entity, a discovery code prefix of the discovery service code and a second key corresponding to the discovery code prefix; and the broadcast UE generating, according to the discovery code prefix and the second key, a second check code for verifying the discovery code prefix.
  • The first check code and/or the second check code are generated by the following algorithm: the hash-based message authentication code with a secure hash algorithm, HMAC-SHA.
  • When the broadcast UE broadcasts the first check code to the monitoring UE, the method further includes: sending the second check code to the monitoring UE.
  • A method for verifying the discovery service code includes: a monitoring user equipment (UE) receiving broadcast information broadcast by a broadcast UE; the monitoring UE acquiring, from the broadcast information, a first check code for verifying the discovery code suffix of the discovery service code; and the monitoring UE verifying the discovery code suffix according to the first check code.
  • The method further includes: the monitoring UE further acquiring, from the broadcast information, a second check code for verifying a discovery code prefix of the discovery service code; and the monitoring UE verifying the discovery code prefix according to the second check code.
  • A further verification processing method for the discovery service code includes: a broadcast user equipment (UE) acquiring a prefix of the discovery service code, a suffix of the discovery service code, and a third key corresponding to the discovery service code, where the discovery service code consists of the prefix of the discovery service code and the suffix of the discovery service code; the broadcast UE generating, according to the discovery service code and the third key, a third check code for verifying the discovery service code; and the broadcast UE broadcasting the third check code to the monitoring UE.
  • The broadcast UE acquiring the prefix of the discovery service code, the suffix of the discovery service code, and the third key corresponding to the discovery service code includes: the broadcast UE acquiring the prefix of the discovery service code from the ProSe functional entity, acquiring the suffix of the discovery service code from the ProSe server, and acquiring the third key corresponding to the discovery service code from the ProSe functional entity.
  • A verification processing apparatus for the discovery service code is further provided, applied to a broadcast user equipment (UE), and includes: an obtaining module, configured to acquire a discovery code suffix of the discovery service code and a first key corresponding to the discovery code suffix; a generating module, configured to generate, according to the discovery code suffix and the first key, a first check code for verifying the discovery code suffix; and a broadcast module, configured to broadcast the first check code to the monitoring UE.
  • The obtaining module is configured to acquire the discovery code suffix and the first key from the proximity-based service (ProSe) server.
  • A verification device for the discovery service code is further provided, applied to the monitoring UE, and includes: a receiving module, configured to receive broadcast information broadcast by the broadcast UE; an obtaining module, configured to acquire, from the broadcast information, a first check code for verifying the discovery code suffix of the discovery service code; and a verification module, configured to verify the discovery code suffix according to the first check code.
  • By generating the check code from the discovery code suffix and its corresponding key, this technical solution solves the problem that the related art offers no way to protect the discovery code suffix.
  • FIG. 1 is a structural block diagram of a communication architecture of a D2D discovery service in the related art
  • FIG. 2 is a schematic flowchart of a method for limiting discovery service in the related art
  • FIG. 3 is a flowchart of a method for verifying a service code discovery according to an embodiment of the present invention
  • FIG. 4 is a structural block diagram of a check processing device for discovering a service code according to an embodiment of the present invention
  • FIG. 5 is a flowchart of a method for verifying a service code according to an embodiment of the present invention
  • FIG. 6 is a structural block diagram of a device for verifying a service code according to an embodiment of the present invention.
  • FIG. 7 is a flowchart of a method for broadcasting a device-to-device D2D restricted discovery service according to a preferred embodiment of the present invention.
  • FIG. 8 is a flowchart of a method for monitoring a D2D restriction discovery service according to a preferred embodiment of the present invention.
  • FIG. 9 is a flowchart of a method for matching a D2D restriction discovery service according to a preferred embodiment of the present invention.
  • FIG. 10 is a flowchart of a broadcast method of a D2D restriction discovery service according to a preferred embodiment 2 of the present invention.
  • FIG. 11 is a flowchart of a method for monitoring a D2D restriction discovery service according to a preferred embodiment 2 of the present invention.
  • FIG. 12 is a flowchart of a matching method of a D2D restriction discovery service according to a preferred embodiment 2 of the present invention.
  • FIG. 13 is a flowchart of a broadcast method of a D2D restriction discovery service according to a preferred embodiment 3 of the present invention.
  • FIG. 14 is a flowchart of a method for monitoring a D2D restriction discovery service according to a preferred embodiment 3 of the present invention.
  • FIG. 15 is a flowchart of a method for matching a D2D restriction discovery service according to a preferred embodiment 3 of the present invention.
  • FIG. 16 is another flow chart of a method for verifying a service code according to an embodiment of the present invention.
  • FIG. 3 is a flowchart of the verification processing method for the discovery service code according to an embodiment of the present invention. As shown in FIG. 3, the method includes the following steps:
  • Step S302 the broadcast user equipment UE acquires the discovery code suffix of the discovery service code and the first key corresponding to the discovery code suffix;
  • Step S304 the broadcast UE generates a first check code for verifying the discovery code suffix according to the discovery code suffix and the first key.
  • Step S306 the broadcast UE broadcasts the first check code to the monitoring UE.
  • Through the foregoing steps, a check code is generated from the discovery code suffix and its corresponding key, and the discovery code suffix can then be verified with it.
  • This solves the problem that the related art proposes no technical solution for protecting the discovery code suffix, thereby implementing integrity protection of the discovery code suffix; it not only prevents the risk of the discovery code prefix being spoofed and replayed, but also prevents the risk of the discovery code suffix being counterfeited and replayed.
  • The foregoing step S302 may be implemented in multiple ways.
  • For example, the broadcast UE may obtain the discovery code suffix and the first key from the proximity-based service (ProSe) server and/or the ProSe functional entity.
  • When performing step S302, that is, when the broadcast UE acquires the discovery code suffix of the discovery service code and the first key corresponding to the discovery code suffix, the following may also be performed: the broadcast UE obtains, from the ProSe functional entity, the discovery code prefix of the discovery service code and a second key corresponding to the discovery code prefix, and generates, according to the discovery code prefix and the second key, a second check code for verifying the discovery code prefix.
  • That is, the embodiment of the present invention can verify the discovery code prefix and the discovery code suffix at the same time.
  • The first check code and/or the second check code may be generated by the following algorithm: the hash-based message authentication code with a secure hash algorithm, HMAC-SHA.
  • When the broadcast UE broadcasts the first check code to the monitoring UE, it also needs to send the second check code to the monitoring UE.
  • FIG. 4 is a structural block diagram of the verification processing apparatus for the discovery service code according to an embodiment of the present invention. As shown in FIG. 4, the apparatus includes:
  • the obtaining module 40 is configured to obtain a discovery code suffix of the discovery service code and a first key corresponding to the discovery code suffix;
  • the generating module 42 is connected to the obtaining module 40, and configured to generate a first check code for verifying the discovery code suffix according to the discovery code suffix and the first key;
  • the broadcast module 44 is connected to the generating module 42 and configured to broadcast the first check code to the monitoring UE.
  • With this apparatus, the check code can be generated from the discovery code suffix and its corresponding key, and the discovery code suffix can then be verified with it.
  • This solves the problem that no technical solution for protecting the discovery code suffix has been proposed, and implements integrity protection of the discovery code suffix, which not only prevents the risk of the discovery code prefix being spoofed and replayed, but also prevents the risk of the discovery code suffix being counterfeited and replayed.
  • As a further improvement of the foregoing technical solution in the embodiment of the present invention, the obtaining module 40 is configured to obtain the discovery code suffix and the first key from the proximity-based service (ProSe) server.
  • FIG. 5 is a flowchart of a method for verifying the discovery service code according to an embodiment of the present invention. As shown in FIG. 5, the method includes the following steps:
  • Step S502 The monitoring user equipment UE receives the broadcast information broadcast by the broadcast UE.
  • Step S504 The monitoring UE acquires, from the broadcast information, a first check code for verifying a discovery code suffix of the discovery service code.
  • Step S506 the monitoring UE verifies the discovery code suffix according to the first check code.
  • With the foregoing steps, the discovery code suffix can be verified according to the check code that corresponds to the discovery code suffix of the discovery service code in the received broadcast information.
  • This solves the problem that the related art proposes no technical solution for protecting the discovery code suffix, thereby implementing integrity protection of the discovery code suffix; it not only prevents the risk of the discovery code prefix being spoofed and replayed, but also prevents the risk of the discovery code suffix being counterfeited and replayed.
  • The embodiment of the present invention further provides the following technical solution: the monitoring UE further acquires, from the foregoing broadcast information, a second check code for verifying the discovery code prefix of the discovery service code, and verifies the discovery code prefix according to the second check code. That is, this embodiment focuses on verifying the discovery code prefix and the discovery code suffix at the same time.
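The check-code generation of steps S302 to S306, the monitoring-side verification of steps S502 to S506 together with the prefix check described just above, the lifecycle check of steps S204 and S213, and the single-check-code variant with a third key, worked through as an added Python example. This code is not part of the patent and not an implementation by its assignee; it assumes HMAC-SHA-256 (the page names only "HMAC-SHA"), an 8-byte truncated check code, and constructed sample prefixes, suffixes and keys, and all function and class names are this example's own.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Truncated length of each check code in bytes. The page fixes no
# length, so 8 bytes is an assumption made for this example.
CHECK_CODE_LEN = 8


def check_code(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA over one part of the discovery service code (or over the
    whole code in the third-check-code variant), truncated.  The page
    names only "HMAC-SHA"; SHA-256 is this example's choice."""
    return hmac.new(key, data, hashlib.sha256).digest()[:CHECK_CODE_LEN]


@dataclass(frozen=True)
class Broadcast:
    """Constructed stand-in for the over-the-air message: the discovery
    code prefix and suffix with their check codes (second and first)."""
    prefix: bytes
    suffix: bytes
    prefix_check: bytes   # second check code, keyed by the prefix key
    suffix_check: bytes   # first check code, keyed by the suffix key


def announce(prefix: bytes, suffix: bytes,
             prefix_key: bytes, suffix_key: bytes) -> Broadcast:
    """Announcing UE side (steps S302-S306 plus the prefix variant):
    compute both check codes and bundle them with the code parts."""
    return Broadcast(prefix, suffix,
                     check_code(prefix_key, prefix),
                     check_code(suffix_key, suffix))


def verify_part(key: bytes, part: bytes, received_check: bytes) -> bool:
    """Check one code part against its received check code, run wherever
    the key is held (ProSe functional entity for the prefix, ProSe
    application server for the suffix).  compare_digest keeps the
    comparison constant-time."""
    return hmac.compare_digest(check_code(key, part), received_check)


def in_discovery_slot(prose_time: int, slot_start: int,
                      max_duration: int) -> bool:
    """Lifecycle check from S204/S213: the code is usable only within
    [current time, current time + maximum duration]."""
    return slot_start <= prose_time <= slot_start + max_duration


def verify_broadcast(bc: Broadcast, prefix_key: bytes, suffix_key: bytes,
                     prose_time: int, slot_start: int,
                     max_duration: int) -> dict:
    """Monitoring side (S502-S506 plus the prefix check): lifecycle,
    then prefix and suffix integrity.  A forged or modified suffix fails
    suffix_ok; a broadcast seen after its slot fails in_slot."""
    return {
        "in_slot": in_discovery_slot(prose_time, slot_start, max_duration),
        "prefix_ok": verify_part(prefix_key, bc.prefix, bc.prefix_check),
        "suffix_ok": verify_part(suffix_key, bc.suffix, bc.suffix_check),
    }


def third_check_code(prefix: bytes, suffix: bytes, third_key: bytes) -> bytes:
    """The page's third method: one check code over the whole discovery
    service code (prefix || suffix) with a third key."""
    return check_code(third_key, prefix + suffix)


def demo() -> dict:
    """Constructed sample values (not from the page).  Keys are 128 bits,
    the size the page states for the discovery key."""
    prefix, suffix = b"PFX-0001", b"SFX-app-42"
    k_prefix, k_suffix = bytes(range(16)), bytes(range(16, 32))
    slot_start, max_duration = 1_000_000, 600          # seconds
    bc = announce(prefix, suffix, k_prefix, k_suffix)
    genuine = verify_broadcast(bc, k_prefix, k_suffix,
                               slot_start + 30, slot_start, max_duration)
    # Suffix altered in transit: the suffix check code no longer matches,
    # while the untouched prefix still verifies.
    tampered = Broadcast(bc.prefix, b"SFX-app-99", bc.prefix_check, bc.suffix_check)
    forged = verify_broadcast(tampered, k_prefix, k_suffix,
                              slot_start + 30, slot_start, max_duration)
    # The same genuine broadcast seen again after the slot has ended.
    stale = verify_broadcast(bc, k_prefix, k_suffix,
                             slot_start + max_duration + 1, slot_start, max_duration)
    return {"genuine": genuine, "forged": forged, "stale": stale}


if __name__ == "__main__":
    print(demo())
```

The two check codes are deliberately computed with separate keys, which is what lets the prefix be checked at the ProSe functional entity and the suffix at the ProSe application server without either party holding the other's key; the lifecycle check is kept separate from the MAC because the page ties replay protection to the discovery time slot rather than to the check code itself.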
  • A device for verifying the discovery service code is also provided, applied to the monitoring UE and used to implement the foregoing embodiment and its preferred embodiments.
  • The modules involved are explained below.
  • The term "module" may refer to a combination of software and/or hardware that implements a predetermined function.
  • Although the apparatus described in the following embodiments is preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
  • FIG. 6 is a structural block diagram of the device for verifying the discovery service code according to an embodiment of the present invention. As shown in FIG. 6, the device includes:
  • the receiving module 60 is configured to receive broadcast information broadcast by the broadcast UE;
  • the obtaining module 62 is connected to the receiving module 60 and is configured to obtain, from the broadcast information, a first check code for verifying the discovery code suffix of the discovery service code;
  • the verification module 64 is connected to the obtaining module 62 and is configured to verify the discovery code suffix according to the first check code.
  • With this device, the discovery code suffix can be verified according to the check code that corresponds to the discovery code suffix of the discovery service code in the received broadcast information.
  • This solves the problem that the related art proposes no technical solution for protecting the discovery code suffix, and implements integrity protection of the discovery code suffix, which not only prevents the risk of the discovery code prefix being spoofed and replayed, but also prevents the risk of the discovery code suffix being counterfeited and replayed.
  • A preferred embodiment of the present invention provides a device-to-device restricted discovery service, where FIGS. 7, 8 and 9 correspond to preferred embodiment 1.
  • The core idea of this preferred embodiment is as follows. During broadcast, the broadcast UE obtains the discovery code suffix and the corresponding discovery key from the ProSe functional entity, and obtains the key corresponding to the discovery code prefix from the ProSe server; the broadcast UE separately calculates the discovery code prefix check code and the discovery code suffix check code, and broadcasts the discovery code prefix, the discovery code suffix, and the corresponding check codes, that is, the discovery code prefix check code and the discovery code suffix check code. After receiving the broadcast information, the monitoring UE has the discovery code prefix checked at the ProSe functional entity and the discovery code suffix checked at the ProSe application server.
  • FIG. 7 is a flowchart of a method for broadcasting a D2D restriction discovery service according to a preferred embodiment of the present invention, and the specific process is as follows:
  • Step S700 The UE obtains service authorisation from the ProSe application server and provides its UE discovery identifier; from the ProSe application server it obtains the user close-range restricted service identifier, the discovery code suffix, and the discovery key corresponding to the discovery code suffix.
  • Step S702 After the UE establishes a secure connection with the ProSe functional entity under its HPLMN, the UE sends a discovery service request message to that ProSe functional entity, where the message includes the user close-range restricted service identifier, the discovery service type, which is the restricted discovery service, and the user identifier; the discovery service type is the broadcast service (Announce);
• Step S704 If the ProSe functional entity has no associated UE context, it performs service authentication with the HSS and establishes a new UE context, where the UE context includes the subscription parameters of the UE.
• Step S706 If the service authentication is successful, the ProSe functional entity in the HPLMN sends an authentication request to the ProSe application server, where the message carries the user close-range restricted service identifier;
• Step S708 The ProSe application server finds the UE discovery identifier corresponding to the user according to the user close-range restricted service identifier, and sends an authentication response message to the ProSe functional entity in the HPLMN, where the message carries the UE discovery identifier.
• Step S710 The ProSe functional entity in the HPLMN authenticates the UE discovery identifier and, after success, allocates the discovery code prefix, the validity period of the discovery code prefix, and the key corresponding to the discovery code prefix;
• Step S712 The ProSe functional entity in the HPLMN sends a broadcast authentication request to the ProSe functional entity of the VPLMN, where the message carries the user close-range restricted service identifier, the user identifier, the discovery code prefix allocated by the ProSe functional entity in the HPLMN of the UE, and the validity period corresponding to the discovery code prefix;
• Step S714 The ProSe functional entity in the VPLMN sends a broadcast authentication request response message back to the ProSe functional entity of the HPLMN;
• Step S716 The ProSe functional entity of the HPLMN sends a discovery service request response message back to the UE.
• The message carries the discovery code prefix, the discovery code prefix key, and the validity period of the discovery code prefix.
• The discovery code prefix is a broadcast service code allocated to the UE by the ProSe functional entity of the HPLMN of the UE, and the discovery key is 128 bits in total.
• The validity period consists of the current time, which is Greenwich Mean Time (the world unified clock), and the maximum duration; the UE sets the ProSe time of the A-UE (that is, the time synchronized with the network) according to the current time, and the maximum duration together with the current time constitutes the discovery time slot of this discovery, that is, the validity period of the discovery code prefix, which becomes invalid once the maximum duration has elapsed.
• Step S718 The UE allocates radio resources, calculates a discovery code prefix check code and a discovery code suffix check code, and broadcasts the discovery code prefix, the discovery code suffix, the discovery code prefix check code, the discovery code suffix check code, and a time counter over the air.
• L1, where FC is the fixed-length algorithm type, P0 is the broadcast time, L0 is the length of the broadcast time, P1 is the discovery code prefix, and L1 is the length of the discovery code prefix; the discovery code suffix check code is HMAC-SHA-256(discovery code suffix key, string S), where the string S consists of FC
• The time counter is the last 4 bits of the current time truncated to the second, so its maximum is 16 seconds and an error of up to 8 seconds can be corrected.
• FIG. 8 is a flowchart of a method for monitoring a D2D restricted discovery service according to a preferred embodiment of the present invention; the specific process is as follows:
• Step S800 The UE obtains service authorization from the ProSe application server, providing the discovery identifier of the UE, and obtains from the ProSe APP Server the user close-range restricted service identifier and the discovery code suffix template, which can be used to match and filter the discovery code suffix.
• Step S802 After the UE establishes a secure connection with the ProSe functional entity in its HPLMN, the UE sends a discovery service request message to the ProSe functional entity in the HPLMN, where the message includes the user close-range restricted service identifier, the discovery type, which is the restricted discovery service, the discovery service type, which is the monitoring service (Monitor), the user identifier, and the application layer service transparent container; the application layer service transparent container is a list of target user close-range restricted service identifiers, is transparent to the ProSe functional entity in the HPLMN, and this transparency can be implemented by using encryption;
• Step S804 If the ProSe functional entity has no associated UE context, it performs service authentication with the HSS and establishes a new UE context, where the UE context includes the subscription parameters of the UE.
• Step S806 The ProSe functional entity in the HPLMN initiates an authentication request to the ProSe application server, where the authentication request carries the user close-range restricted service identifier and the application layer service transparent container;
• Step S808 After the ProSe application server authenticates the user close-range restricted service identifier and the application layer service transparent container, it sends an authentication request response message to the ProSe functional entity in the HPLMN, where the message carries the UE discovery identifier, the target UE discovery identifier, and the user close-range restricted service identifier list;
• The ProSe functional entities of the other PLMNs include the ProSe functional entity in the HPLMN corresponding to the broadcast UE; therefore the user close-range restricted service identifier list also includes at least one user close-range restricted service identifier of a broadcast UE, and likewise the UE discovery identifier list also includes the UE discovery identifier of the broadcast UE;
• Step S810 After the ProSe functional entity in the HPLMN successfully authenticates the UE discovery identifier, it determines to obtain the discovery code prefix of the target UE discovery identifier (that is, the discovery code prefix of the broadcast UE).
• Step S812 The ProSe functional entity in the HPLMN sends a monitoring authentication request to the ProSe functional entity of the other PLMN, where the message carries the user close-range restricted service identifier, the user identifier, the target UE discovery identifier, the service identifier, and the target user close-range restricted service identifier.
• Step S814 The ProSe functional entity of the other PLMN acquires the discovery code prefix and the validity period of the broadcast UE according to the target user close-range restricted service identifier or the target UE discovery identifier.
• Step S816 The ProSe functional entity of the other PLMN requests authentication permission from the ProSe application server, where the message carries the user close-range restricted service identifier and the target user close-range restricted service identifier;
• Step S818 The ProSe application server sends an authentication permission response message to the ProSe functional entity of the other PLMN, where the message carries the UE discovery identifier and the target UE discovery identifier.
• Step S820 The ProSe functional entity of the other PLMN sends a monitoring authentication request response message to the ProSe functional entity of the HPLMN of the UE, where the message carries the discovery code prefix and the validity period corresponding to the discovery code prefix.
• Step S822 The ProSe functional entity of the HPLMN of the UE forms a discovery code prefix template according to the discovery code prefix in the monitoring authentication request response message, and sends a discovery service request response message to the UE.
• The message carries the discovery code prefix template and the corresponding validity period;
• The current time is the current time of the ProSe functional entity of the HPLMN of the UE if that entity has been time-synchronized with the ProSe functional entity of the other PLMN; otherwise it is the current time carried in the monitoring authentication request response. The maximum duration is the maximum duration carried in the monitoring authentication request response.
• The UE sets the ProSe clock according to the current time.
• Step S824 The UE allocates radio resources and starts listening for the broadcast information sent by the broadcast UE.
• FIG. 9 is a flowchart of a method for matching a D2D restricted discovery service according to the first embodiment of the present invention; the specific process is as follows:
• Step S900 After receiving the broadcast information sent by the broadcast UE, the UE finds that the discovery code prefix and the discovery code suffix of the broadcast UE match the corresponding discovery code prefix template and discovery code suffix template and that the discovery code prefix is within the validity period corresponding to the prefix template, and sends a matching report message to the ProSe functional entity of the HPLMN of the UE.
• The message carries the user close-range restricted service identifier, the user identifier, the discovery type, the service identifier, the discovery code prefix, the prefix check code, the discovery code suffix, the suffix check code, and the time counter, where the time counter is the revised time;
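The monitoring-UE side of step S900 (with the templates handed out in steps S800 and S822), as an added Python example that is not part of the patent. The patent does not specify how a discovery code template is encoded, so the example assumes a value plus a bit mask (set mask bits must match, clear bits are wildcards); the validity period is the current time plus the maximum duration on the UE's ProSe clock, as set in step S822. The class, function and report field names are assumptions, and the announcement used in the test is constructed.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class CodeTemplate:
    """Discovery code prefix or suffix template (assumed representation):
    a set bit in `mask` means that bit of the received code must equal
    the corresponding bit of `value`; a clear bit is a wildcard."""
    value: bytes
    mask: bytes

    def matches(self, code: bytes) -> bool:
        if len(code) != len(self.value) or len(self.mask) != len(self.value):
            return False
        return all((c & m) == (v & m) for c, v, m in zip(code, self.value, self.mask))


@dataclass(frozen=True)
class DiscoveryFilter:
    """What the monitoring UE holds after step S822: the prefix template,
    the suffix template (step S800) and the validity period expressed on
    the UE's ProSe clock (current time + maximum duration, in seconds)."""
    prefix_template: CodeTemplate
    suffix_template: CodeTemplate
    validity_start: int
    max_duration: int

    def valid_at(self, prose_time: int) -> bool:
        return self.validity_start <= prose_time <= self.validity_start + self.max_duration


def match_announcement(filters: Iterable[DiscoveryFilter], prefix: bytes,
                       suffix: bytes, prose_time: int) -> Optional[DiscoveryFilter]:
    """Step S900 matching: both templates must match and the prefix must still be
    within its validity period; expired filters are skipped before any matching."""
    for f in filters:
        if (f.valid_at(prose_time)
                and f.prefix_template.matches(prefix)
                and f.suffix_template.matches(suffix)):
            return f
    return None


def build_match_report(user_service_id: str, user_id: str, service_id: str,
                       announcement: dict) -> dict:
    """The fields the patent lists for the matching report message in step S900
    (key names are assumed labels, not the patent's encoding)."""
    return {
        "user_close_range_restricted_service_id": user_service_id,
        "user_id": user_id,
        "discovery_type": "restricted",
        "service_id": service_id,
        "discovery_code_prefix": announcement["prefix"],
        "prefix_check_code": announcement["prefix_check"],
        "discovery_code_suffix": announcement["suffix"],
        "suffix_check_code": announcement["suffix_check"],
        "time_counter": announcement["time_counter"],
    }


def handle_broadcast(filters: Iterable[DiscoveryFilter], announcement: dict,
                     prose_time: int, user_service_id: str, user_id: str,
                     service_id: str) -> Optional[dict]:
    """Monitoring-UE path: filter locally first; only a match produces a report
    for the ProSe functional entity, so unmatched broadcasts never leave the UE."""
    hit = match_announcement(filters, announcement["prefix"], announcement["suffix"], prose_time)
    if hit is None:
        return None
    return build_match_report(user_service_id, user_id, service_id, announcement)
```

The check codes are passed through untouched: the UE cannot verify them itself because it never holds the prefix or suffix keys, which is why the report goes to the ProSe functional entity and the application server in steps S904 to S912.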
• Step S902 If the ProSe functional entity has no associated UE context, it performs service authentication with the HSS and establishes a new UE context, where the UE context includes the subscription parameters of the UE.
• Step S904 The ProSe functional entity of the HPLMN of the UE sends a matching report message to the ProSe functional entity of the other PLMN, where the ProSe functional entity of the other PLMN is the ProSe functional entity of the HPLMN of the broadcast UE, and the message carries the user close-range restricted service identifier.
• Step S906 The ProSe functional entity of the other PLMN checks whether the discovery code prefix check code is correct.
• The verification method may use a signature algorithm to verify whether the prefix check code is consistent with the one held by the ProSe functional entity, or may use the key algorithm to recalculate the corresponding discovery code prefix check code and check whether it is correct.
• Step S908 After the integrity check at the ProSe functional entity of the other PLMN succeeds, a matching report response message is sent back to the ProSe functional entity of the HPLMN of the UE.
• Step S910 The ProSe functional entity of the HPLMN of the UE sends a matching report message to the ProSe application server, where the message carries the user close-range restricted service identifier, the target user close-range restricted service identifier, the discovery code suffix, the discovery code suffix check code, and the time counter;
• Step S912 The ProSe application server verifies whether the discovery code suffix check code is correct; the verification method may use a signature algorithm to verify whether the discovery code suffix check code is consistent with the one held by the ProSe application server, or may use the key algorithm to recalculate the corresponding discovery code suffix check code and check whether it is correct.
• Step S914 After the integrity check at the ProSe application server succeeds, it sends a matching report response message to the ProSe functional entity of the HPLMN of the UE, where the message carries the UE discovery identifier and the discovery identifier of the target UE.
• Steps S910-S914 may also be performed after step S906; in that case the ProSe functional entity of the other PLMN performs the operation toward the ProSe application server, step S904 must carry the discovery code suffix and the discovery code suffix check code accordingly, and the other ProSe operations remain unchanged.
• Step S916 The ProSe functional entity of the HPLMN of the UE verifies the UE discovery identifier and the target UE discovery identifier;
• Step S918 After the verification at the ProSe functional entity of the UE succeeds, it sends a matching report response message to the UE, where the message carries the discovery code prefix, the service identifier, the target user close-range restricted service identifier, and the validity period corresponding to the discovery code prefix.
• In this way the monitoring UE discovers the broadcast UE while the discovery code prefix and suffix are protected against counterfeiting and replay attacks, and their integrity is also ensured.
• Preferred embodiment 2 of the present invention provides a device-to-device restricted discovery service, where FIG. 10, FIG. 11 and FIG. 12 correspond to preferred embodiment 2.
• The core idea of preferred embodiment 2 is that, during the broadcast process, the broadcast UE obtains from the ProSe server the discovery code prefix, the discovery code suffix and the corresponding keys; the broadcast UE separately calculates the discovery code prefix check code and the discovery code suffix check code, and broadcasts the discovery code prefix, the discovery code suffix, and the corresponding check codes (the discovery code prefix check code and the discovery code suffix check code); the monitoring UE receives the broadcast information and then has the discovery code prefix and the discovery code suffix verified respectively at the ProSe functional entity.
• FIG. 10 is a flowchart of a method for broadcasting a D2D restricted discovery service according to preferred embodiment 2 of the present invention; the specific process is as follows:
• Step S1000 The UE obtains service authorization from the ProSe application server, providing the discovery identifier of the UE, and obtains the user close-range restricted service identifier from the ProSe APP Server.
• Step S1002 After the UE establishes a secure connection with the ProSe functional entity in the HPLMN, the UE sends a discovery service request message to the ProSe functional entity in the HPLMN, where the message includes the user close-range restricted service identifier, the discovery type, which is the restricted discovery service, the user identifier, and the discovery service type, which is the broadcast service (Announce);
• Step S1004 If the ProSe functional entity has no associated UE context, it performs service authentication with the HSS and establishes a new UE context, where the UE context includes the subscription parameters of the UE.
• Step S1006 If the service authentication is successful, the ProSe functional entity in the HPLMN sends an authentication request to the ProSe application server, where the message carries the user close-range restricted service identifier;
• Step S1008 The ProSe application server finds the UE discovery identifier corresponding to the user according to the user close-range restricted service identifier, and sends an authentication response message to the ProSe functional entity in the HPLMN, where the message carries the UE discovery identifier and further contains the discovery code suffix assigned by the ProSe application server.
• Step S1010 The ProSe functional entity in the HPLMN authenticates the UE discovery identifier and, after success, allocates the discovery code prefix, the validity period of the discovery code prefix, the key corresponding to the discovery code prefix, and the key corresponding to the discovery code suffix;
• Step S1012 The ProSe functional entity in the HPLMN sends a broadcast authentication request to the ProSe functional entity of the VPLMN; the message carries the user close-range restricted service identifier, the user identifier, the discovery code prefix or discovery code suffix allocated by the ProSe functional entity in the HPLMN of the UE, and the validity period corresponding to the discovery code prefix;
• Step S1014 The ProSe functional entity in the VPLMN sends a broadcast authentication request response message to the ProSe functional entity of the HPLMN.
• Step S1016 The ProSe functional entity of the HPLMN sends a discovery service request response message to the UE.
• The message carries the discovery code prefix, the discovery code prefix key, the discovery code suffix, the discovery code suffix key, and the validity period of the discovery code prefix.
• The discovery code prefix is a broadcast service code allocated to the UE by the ProSe functional entity of the HPLMN of the UE, and the discovery key is 128 bits in total.
• The validity period consists of the current time, which is Greenwich Mean Time (the world unified clock), and the maximum duration; the UE sets the ProSe time of the A-UE (that is, the time synchronized with the network) according to the current time, and the maximum duration together with the current time constitutes the discovery time slot of this discovery, that is, the validity period of the discovery code prefix, which becomes invalid once the maximum duration has elapsed;
• Step S1018 The UE allocates radio resources, calculates a discovery code prefix check code and a discovery code suffix check code, and broadcasts the discovery code prefix, the discovery code suffix, the discovery code prefix check code, the discovery code suffix check code, and a time counter over the air.
• L1, where FC is the fixed-length algorithm type, P0 is the broadcast time, L0 is the length of the broadcast time, P1 is the discovery code prefix, and L1 is the length of the discovery code prefix; the discovery code suffix check code is HMAC-SHA-256(discovery code suffix key, string S), where the string S consists of FC
• The time counter is the last 4 bits of the current time truncated to the second, so its maximum is 16 seconds and an error of up to 8 seconds can be corrected.
• FIG. 11 is a flowchart of a method for monitoring a D2D restricted discovery service according to a preferred embodiment of the present invention; the specific process is as follows:
• Step S1100 The UE obtains service authorization from the ProSe application server, providing the discovery identifier of the UE, and obtains the user close-range restricted service identifier from the ProSe APP Server.
• Step S1102 After the UE establishes a secure connection with the ProSe functional entity of its HPLMN, the UE sends a discovery service request message to the ProSe functional entity of the HPLMN, where the message includes the user close-range restricted service identifier, the discovery type, which is the restricted discovery service, the discovery service type, which is the monitoring service (Monitor), the user identifier, and the application layer service transparent container; the application layer service transparent container is a list of target user close-range restricted service identifiers, is transparent to the ProSe functional entity in the HPLMN, and this transparency can be implemented by using encryption;
• Step S1104 If the ProSe functional entity has no associated UE context, it performs service authentication with the HSS and establishes a new UE context, where the UE context includes the subscription parameters of the UE.
• Step S1106 The ProSe functional entity in the HPLMN initiates an authentication request to the ProSe application server, where the authentication request carries the user close-range restricted service identifier and the application layer service transparent container;
• Step S1108 After the ProSe application server authenticates the user close-range restricted service identifier and the application layer service transparent container, it sends an authentication request response message to the ProSe functional entity in the HPLMN, where the message carries the UE discovery identifier, the target UE discovery identifier, and the user close-range restricted service identifier list;
• The ProSe functional entities of the other PLMNs include the ProSe functional entity in the HPLMN corresponding to the broadcast UE; therefore the user close-range restricted service identifier list also includes at least one user close-range restricted service identifier of a broadcast UE, and likewise the UE discovery identifier list also includes the UE discovery identifier of the broadcast UE;
• Step S1110 After the ProSe functional entity in the HPLMN successfully authenticates the UE, it obtains the discovery code prefix and the discovery code suffix of the target UE discovery identifier (that is, the discovery code prefix and the discovery code suffix of the broadcast UE).
• Step S1112 The ProSe functional entity in the HPLMN sends a monitoring authentication request to the ProSe functional entity of the other PLMN, where the message carries the user close-range restricted service identifier, the user identifier, the target UE discovery identifier, the service identifier, and the target user close-range restricted service identifier.
• Step S1114 The ProSe functional entity of the other PLMN acquires the discovery code prefix, the validity period, and the discovery code suffix of the broadcast UE according to the target user close-range restricted service identifier or the target UE discovery identifier;
• Step S1116 The ProSe functional entity of the other PLMN requests authentication permission from the ProSe application server, where the message carries the user close-range restricted service identifier and the target user close-range restricted service identifier;
• Step S1118 The ProSe application server sends an authentication permission response message to the ProSe functional entity of the other PLMN, where the message carries the UE discovery identifier and the target UE discovery identifier.
• Step S1120 The ProSe functional entity of the other PLMN sends a monitoring authentication request response message to the ProSe functional entity of the HPLMN of the UE, where the message carries the discovery code prefix, the validity period corresponding to the discovery code prefix, and the discovery code suffix;
• Step S1122 The ProSe functional entity of the HPLMN of the UE forms a discovery code prefix template from the discovery code prefix and a discovery code suffix template from the discovery code suffix in the monitoring authentication request response message, and sends a discovery service request response message to the UE.
• The message carries the discovery code prefix template, the corresponding validity period, and the discovery code suffix template;
• The current time is the current time of the ProSe functional entity of the HPLMN of the UE if that entity has been time-synchronized with the ProSe functional entity of the other PLMN; otherwise it is the current time carried in the monitoring authentication request response. The maximum duration is the maximum duration carried in the monitoring authentication request response.
• The UE sets the ProSe clock according to the current time;
• Step S1124 The UE allocates radio resources and starts listening for the broadcast information sent by the broadcast UE.
• FIG. 12 is a flowchart of a method for matching a D2D restricted discovery service according to preferred embodiment 2 of the present invention; the specific process is as follows:
• Step S1200 After receiving the broadcast information sent by the broadcast UE, the UE finds that the discovery code prefix and the discovery code suffix of the broadcast UE match the corresponding discovery code prefix template and discovery code suffix template and that the discovery code prefix is within the validity period corresponding to the discovery code prefix template, and sends a matching report message to the ProSe functional entity of the HPLMN of the UE, where the message carries the user close-range restricted service identifier, the user identifier, the discovery type, the service identifier, the discovery code prefix, the prefix check code, the discovery code suffix, the suffix check code, and the time counter, where the time counter is the revised time;
• Step S1202 If the ProSe functional entity has no associated UE context, it performs service authentication with the HSS and establishes a new UE context, where the UE context includes the subscription parameters of the UE.
• Step S1204 The ProSe functional entity of the HPLMN of the UE sends a matching report message to the ProSe functional entity of the other PLMN, where the ProSe functional entity of the other PLMN is the ProSe functional entity of the HPLMN of the broadcast UE, and the message carries the user close-range restricted service identifier.
• Step S1206 The ProSe functional entity of the other PLMN checks whether the discovery code prefix check code is correct.
• The verification method may use a signature algorithm to verify whether the prefix check code is consistent with the one held by the ProSe functional entity, or may use the key algorithm to recalculate the corresponding discovery code prefix check code and check whether it is correct.
• Step S1208 The ProSe functional entity of the other PLMN checks whether the discovery code suffix check code is correct.
• The verification method may use a signature algorithm to verify whether the suffix check code is consistent with the one held by the ProSe functional entity, or may use the key algorithm to recalculate the corresponding discovery code suffix check code and check whether it is correct.
• Step S1210 After the verification succeeds, the ProSe functional entity of the other PLMN sends a matching report response message to the ProSe functional entity in the HPLMN of the UE;
• Step S1212 The ProSe functional entity of the HPLMN of the UE sends an authentication request message to the ProSe application server, where the message carries the user close-range restricted service identifier and the target user close-range restricted service identifier;
• Step S1214 After the authentication at the ProSe application server succeeds, it sends a matching report response message to the ProSe functional entity of the HPLMN of the UE, where the message carries the UE discovery identifier and the discovery identifier of the target UE.
• Step S1216 The ProSe functional entity of the HPLMN of the UE verifies the UE discovery identifier and the target UE discovery identifier;
• Step S1218 After the verification at the ProSe functional entity of the UE succeeds, it sends a matching report response message to the UE, where the message carries the discovery code prefix, the service identifier, the target user close-range restricted service identifier, and the validity period corresponding to the discovery code prefix.
• In this way the monitoring UE discovers the broadcast UE while the discovery code prefix and suffix are protected against counterfeiting and replay attacks, and their integrity is also ensured.
• Preferred embodiment 3 of the present invention provides a device-to-device restricted discovery service, where FIG. 13, FIG. 14 and FIG. 15 correspond to the third embodiment of the present invention.
• The core idea of preferred embodiment 3 of the present invention is that, during the broadcast process, the broadcast UE obtains the discovery code suffix from the ProSe server and the discovery code prefix from the ProSe functional entity; the discovery code is formed in the ProSe functional entity, and the ProSe functional entity allocates a key for the corresponding discovery code; the broadcast UE calculates the discovery code check code and broadcasts the discovery code and the corresponding check code (the discovery code check code); the monitoring UE receives the broadcast information and then has the discovery code verified in the ProSe functional entity, thereby verifying both the discovery code prefix and the discovery code suffix in the ProSe functional entity.
• FIG. 13 is a flowchart of a method for broadcasting a D2D restricted discovery service according to preferred embodiment 3 of the present invention; the specific process is as follows:
• Step S1300 The UE obtains service authorization from the ProSe application server, providing the discovery identifier of the UE, and obtains the user close-range restricted service identifier from the ProSe APP Server.
• Step S1302 After the UE establishes a secure connection with the ProSe functional entity in the HPLMN, the UE sends a discovery service request message to the ProSe functional entity in the HPLMN, where the message includes the user close-range restricted service identifier, the discovery type, which is the restricted discovery service, the user identifier, and the discovery service type, which is the broadcast service (Announce);
• Step S1304 If the ProSe functional entity has no associated UE context, it performs service authentication with the HSS and establishes a new UE context, where the UE context includes the subscription parameters of the UE.
• Step S1306 If the service authentication is successful, the ProSe functional entity in the HPLMN sends an authentication request to the ProSe application server, where the message carries the user close-range restricted service identifier;
• Step S1308 The ProSe application server finds the UE discovery identifier corresponding to the user according to the user close-range restricted service identifier, and sends an authentication response message to the ProSe functional entity in the HPLMN, where the message carries the UE discovery identifier and further contains the discovery code suffix assigned by the ProSe application server.
• Step S1310 The ProSe functional entity in the HPLMN authenticates the UE discovery identifier and, after success, allocates the discovery code prefix, where the discovery code prefix and the discovery code suffix constitute the discovery code, and allocates the discovery code key and the discovery code validity period;
• Step S1312 The ProSe functional entity in the HPLMN sends a broadcast authentication request to the ProSe functional entity of the VPLMN; the message carries the user close-range restricted service identifier, the user identifier, the discovery code allocated by the ProSe functional entity in the HPLMN of the UE, and the validity period corresponding to the discovery code.
• Step S1314 The ProSe functional entity in the VPLMN sends a broadcast authentication request response message to the ProSe functional entity of the HPLMN;
• Step S1316 The ProSe functional entity of the HPLMN sends a discovery service request response message back to the UE.
• The message carries the discovery code, the discovery code key, and the validity period of the discovery code.
• The discovery code key is 128 bits in total.
• The validity period consists of the current time, which is Greenwich Mean Time (the world unified clock), and the maximum duration; the UE sets the ProSe time of the A-UE (that is, the time synchronized with the network) according to the current time, and the maximum duration together with the current time constitutes the discovery time slot of this discovery, that is, the validity period of the discovery code prefix, which becomes invalid once the maximum duration has elapsed;
• Step S1318 The UE allocates radio resources, calculates a discovery code check code, and broadcasts the discovery code, the discovery code check code, and a time counter over the air.
• the algorithm type, P0 is the broadcast time, L0 is the length of the broadcast time, P1 is the discovery code, and L1 is the length of the discovery code.
• The time counter is the last 4 bits of the current time truncated to the second, so its maximum is 16 seconds and an error of up to 8 seconds can be corrected.
  • FIG. 14 is a flowchart of a method for monitoring a D2D restricted discovery service according to preferred embodiment 3 of the present invention; the specific process is as follows:
  • Step S1400: The UE obtains service authorization from the ProSe application server, provides its discovery identifier, and obtains the user close-range restricted service identifier from the ProSe application server.
  • Step S1402: After the UE establishes a secure connection with the ProSe function entity of its HPLMN, the UE sends a discovery service request message to that ProSe function entity; the message contains the user close-range restricted service identifier, the discovery service type (restricted discovery service, monitoring), the user identifier, and an application layer service transparent container. The application layer service transparent container is a list of target user close-range restricted service identifiers; it is transparent to the ProSe function entity under the HPLMN, and the transparency can be implemented using encryption;
  • Step S1404: If the ProSe function entity has no associated UE context, it performs discovery service authentication with the HSS and establishes a new UE context, which contains the subscription parameters of the UE.
  • Step S1406: The ProSe function entity in the HPLMN initiates an authentication request to the ProSe application server; the authentication request carries the user close-range restricted service identifier and the application layer service transparent container;
  • Step S1408: After the ProSe application server authenticates the user close-range restricted service identifier and the application layer service transparent container, it sends an authentication request response message to the ProSe function entity in the HPLMN; the message carries the UE discovery identifier, the target UE discovery identifiers, and the user close-range restricted service identifier list;
  • The ProSe function entities of the other PLMNs include the ProSe function entity under the HPLMN corresponding to the broadcast UE, so the user close-range restricted service identifier list contains at least the user close-range restricted service identifier of the broadcast UE. Similarly, the UE discovery identifier list also contains the UE discovery identifier of the broadcast UE.
  • Step S1410: After the ProSe function entity of the HPLMN successfully authenticates the UE discovery identifier, it determines to obtain the discovery code for the target UE discovery identifier (that is, the discovery code of the broadcast UE).
  • Step S1412: The ProSe function entity in the HPLMN sends a monitoring authentication request to the ProSe function entity of the other PLMN; the message carries the user close-range restricted service identifier, the user identifier, the target UE discovery identifier, the service identifier, and the target user close-range restricted service identifier;
  • Step S1414: The ProSe function entity of the other PLMN obtains the discovery code and validity period of the broadcast UE according to the target user close-range restricted service identifier or the target UE discovery identifier.
  • Step S1416: The ProSe function entity of the other PLMN obtains authentication permission from the ProSe application server; the message carries the user close-range restricted service identifier and the target user close-range restricted service identifier;
  • Step S1418: The ProSe application server sends an authentication permission response message to the ProSe function entity of the other PLMN; the message carries the UE discovery identifier and the target UE discovery identifier.
  • Step S1420: The ProSe function entity of the other PLMN sends a monitoring authentication request response message to the ProSe function entity of the HPLMN of the UE; the message carries the discovery code and the validity period corresponding to that discovery code;
  • Step S1422: The ProSe function entity of the HPLMN of the UE composes a discovery code template from the discovery code in the monitoring authentication request response message and sends a discovery service request response message to the UE; the message carries the discovery code template and the corresponding validity period.
  • The current time is the current time of the ProSe function entity of the HPLMN of the UE if that entity has been time-synchronized with the ProSe function entity of the other PLMN; otherwise it is the current time carried in the monitoring authentication response. The maximum duration is the maximum duration carried in the monitoring authentication response.
  • The UE sets its ProSe clock according to the current time;
  • Step S1424: The UE allocates radio resources and starts listening for the broadcast information sent by the broadcast UE.
  • Step S1500: After receiving the broadcast information sent by the broadcast UE, if the UE finds that the discovery code broadcast by the broadcast UE exists in the corresponding discovery code template and that the discovery code is within the validity period corresponding to that template, it sends a matching report message to the ProSe function entity of its HPLMN; the message carries the user close-range restricted service identifier, the user identifier, the discovery type, the service identifier, the discovery code, the discovery code check code, and the time counter, where the time counter is the corrected time;
  • Step S1502: If the ProSe function entity has no associated UE context, it performs discovery service authentication with the HSS and establishes a new UE context, which contains the subscription parameters of the UE.
  • Step S1504: The ProSe function entity of the HPLMN of the UE sends a matching report message to the ProSe function entity of the other PLMN, which is the ProSe function entity of the HPLMN of the broadcast UE; the message carries the user close-range restricted service identifier.
  • Step S1506: The ProSe function entity of the other PLMN checks whether the discovery code check code is correct. The verification may check, using a signature algorithm, whether the check code is consistent with the one held by the ProSe function entity, or it may recompute the check code for the corresponding discovery code with the key algorithm and check whether the two match.
  • Step S1508: After the verification succeeds, the ProSe function entity of the other PLMN sends a matching report response message to the ProSe function entity under the HPLMN of the UE;
  • Step S1510: The ProSe function entity of the HPLMN of the UE sends an authentication request message to the ProSe application server; the message carries the user close-range restricted service identifier and the target user close-range restricted service identifier;
  • Step S1512: After the authentication succeeds, the ProSe application server sends a matching report response message to the ProSe function entity of the HPLMN of the UE; the message carries the UE discovery identifier and the target UE discovery identifier.
  • Step S1514: The ProSe function entity of the HPLMN of the UE verifies the UE discovery identifier and the target UE discovery identifier;
  • Step S1516: After the verification succeeds, the ProSe function entity of the HPLMN of the UE sends a matching report response message to the UE; the message carries the discovery code prefix, the service identifier, the target user close-range restricted service identifier, and the validity period corresponding to the discovery code prefix.
  • In this way the monitoring UE discovers the broadcast UE, the discovery code prefix and suffix are protected against counterfeiting and replay attacks, and their integrity is ensured.
  • FIG. 16 is another flowchart of a method for checking a discovery service code according to an embodiment of the present invention; as shown in FIG. 16, the method includes the following steps:
  • Step S1602: The broadcast UE acquires the prefix of the discovery service code, the suffix of the discovery service code, and a third key corresponding to the discovery service code, where the discovery service code consists of the prefix of the discovery service code and the suffix of the discovery service code;
  • Step S1604: The broadcast UE generates, according to the discovery service code and the third key, a third check code for checking the discovery service code.
  • Step S1606: The broadcast UE broadcasts the third check code to the monitoring UE.
  • The check code can thus be generated from the discovery service code and its corresponding key. This solves the problem that the related art has not proposed a technical solution for protecting the discovery code suffix: integrity protection of the discovery code suffix is achieved, which prevents not only the risk of the discovery code prefix being counterfeited and replayed but also the risk of the discovery code suffix being counterfeited and replayed.
  • Acquiring the prefix of the discovery service code, the suffix of the discovery service code, and the third key corresponding to the discovery service code includes: the broadcast UE acquires the prefix of the discovery service code from the ProSe function entity, acquires the suffix of the discovery service code from the ProSe server, and acquires the third key corresponding to the discovery service code from the ProSe function entity.
  • The embodiments of the present invention achieve the following technical effects: the problem that the related art has not proposed a technical solution for protecting the discovery code suffix is solved, and integrity protection of the discovery code suffix is realized, which prevents not only the risk of the discovery code prefix being counterfeited and replayed but also the risk of the discovery code suffix being counterfeited and replayed.
  • A storage medium is further provided, which stores the software described above; it includes, but is not limited to, an optical disk, a floppy disk, a hard disk, an erasable memory, and the like.
  • The modules or steps of the present invention described above can be implemented by a general-purpose computing device; they can be centralized on a single computing device or distributed across a network of multiple computing devices. Alternatively, they may be implemented as program code executable by the computing device, so that they may be stored in a storage device and executed by the computing device, and in some cases the steps shown or described may be performed in an order different from that given here; or they may be separately fabricated as individual integrated circuit modules, or several of the modules or steps may be fabricated as a single integrated circuit module.
  • The invention is thus not limited to any specific combination of hardware and software.
  • By generating the check code from the discovery code suffix and its corresponding key, the problem that the related art has not proposed a technical solution for protecting the discovery code suffix is solved, and integrity protection of the discovery code suffix is realized, which prevents not only the risk of the discovery code prefix being counterfeited and replayed but also the risk of the discovery code suffix being counterfeited and replayed.

Abstract

The present invention provides a discovery service code checking processing method and device, and a discovery service code checking method and device. The checking processing method comprises: a broadcast user equipment (UE) acquires a discovery code suffix of a discovery service code and a first key corresponding to the discovery code suffix; the broadcast UE generates, according to the discovery code suffix and the first key, a first check code used for checking the discovery code suffix; and the broadcast UE broadcasts the first check code to a monitoring UE. By using the technical scheme provided in the present invention, the problem in the related art of lacking a technical scheme for protecting a discovery code suffix is solved; and therefore integrity protection is realized on the discovery code suffix, risks of counterfeit and replay attacks to a discovery code prefix are avoided, and risks of counterfeit and replay attacks to the discovery code suffix are also avoided.

Description

Discovery service code checking processing method, checking method and device
Technical field
The present invention relates to the field of communications, and in particular to a discovery service code checking processing method, a checking method, and a device.
Background art
In order to maintain the competitiveness of the third-generation mobile communication system in the communications field, to provide users with faster, lower-latency and more personalized mobile communication services, and at the same time to reduce operators' operating costs, the 3rd Generation Partnership Project (3GPP) standards working group is working on the Evolved Packet System (EPS). The EPS as a whole includes the Evolved Universal Terrestrial Radio Access Network (E-UTRAN) and the Evolved Packet Core (EPC), where the EPC contains the Home Subscriber Server (HSS), the Mobility Management Entity (MME), the Serving GPRS Support Node (SGSN), the Policy and Charging Rule Function (PCRF), the Serving Gateway (S-GW), the PDN Gateway (P-GW), and the Packet Data Network (PDN).
When two user equipments (UEs) communicate through the EPS, each UE needs to establish a bearer with the EPS. However, given the rapid development of UEs and of mobile Internet services, many services want to discover nearby UEs and communicate with them, which gave rise to the device-to-device (D2D) service, also called Proximity-based Services (ProSe). In the D2D service, when two UEs are close to each other they can communicate directly, and the data path of their connection need not loop back through the core network; this reduces the detour of data routing on the one hand and the network data load on the other. D2D services have therefore attracted the attention of many operators.
At present, a commonly used D2D service is the D2D discovery service. FIG. 1 is a structural block diagram of the communication architecture of the D2D discovery service in the prior art. As shown in FIG. 1, the two UEs taking part in D2D access can access the EPC only through the E-UTRAN; the two UEs may both belong to one Public Land Mobile Network (PLMN) or belong to two PLMNs. For a given UE, the PLMN may be its Home PLMN (HPLMN) or, when the UE accesses from another PLMN, the Visited PLMN (VPLMN); the PLMN of the area in which the UE is currently located may be referred to generally as the Local PLMN (LPLMN), whether that local PLMN is the HPLMN or a VPLMN. To implement the D2D discovery service, the operator side deploys not only the EPS but also a ProSe Application Server for the D2D discovery service; the ProSe application server may be provided by the service provider operating the D2D service or by the network operator running the EPS, and a ProSe Function entity is also deployed in each PLMN. Of the two UEs of a ProSe service, one UE obtains a service identifier from the ProSe function entity and then obtains from the ProSe function entity a service code that can be broadcast; this UE is called the Announcing UE (A-UE). The other UE receives the broadcast of the A-UE and then performs matching with its own ProSe function entity; if the matching succeeds, it performs the ProSe service with the A-UE. This non-broadcasting UE is called the Monitoring UE (M-UE).
In the D2D discovery service communication architecture, the UE hosts the related ProSe application (APP), and its interface to the ProSe application server is the PC1 interface, which provides the related authentication functions. The interface between UEs is PC5, used for direct mutual discovery and communication between UEs, while the interface between the UE and the ProSe function entity is PC3, used for discovery authentication through the network. The interface between the ProSe function entity and the existing EPC is PC4, which includes a user-plane interface to the P-GW and a control-plane interface to the HSS, used for discovery authentication of the D2D discovery service. The interface between the ProSe function entity and the ProSe application server is PC2, used for the application-level implementation of the D2D discovery service. Between ProSe function entities there are the PC6 and PC7 interfaces, used respectively for the non-roaming and roaming cases of the UE: PC7 when the UE is roaming and PC6 when it is not; these two interfaces carry the information exchange between the two ProSe function entities when the UE performs the D2D discovery service.
FIG. 2 is a schematic flowchart of a method for implementing a restricted discovery service in the prior art. As shown in FIG. 2, the method includes:
Step S200: The A-UE obtains configuration parameters from the ProSe server and obtains restricted discovery service permission; the configuration parameters contain the user close-range restricted service identifier;
Step S201: After the A-UE establishes a secure connection with the ProSe function entity under the HPLMN, the A-UE sends a discovery service request message to that ProSe function entity; the message contains the user close-range restricted service identifier, the discovery service type, and the user identifier, where the discovery service type is the broadcast service (Announce);
Step S202: If the ProSe function entity has no associated UE context, it performs discovery service authentication with the HSS and establishes a new UE context, which contains the subscription parameters of the UE. If the discovery request is authenticated, the ProSe function entity sends a broadcast authentication request to the ProSe function entity of the VPLMN; the message carries the user close-range restricted service identifier, the user identifier, and the discovery service code allocated by the ProSe function entity under the HPLMN of the A-UE, where the ProSe service code is the broadcast code of the A-UE;
Step S203: After the ProSe function entity of the VPLMN of the A-UE authenticates the broadcast request, it returns a broadcast authentication request response message to the ProSe function entity under the HPLMN of the A-UE;
Step S204: The ProSe function entity of the HPLMN returns a discovery service request response message to the A-UE. The message carries the discovery service code, the discovery key, the current time, and the maximum duration.
Here the ProSe service code is the broadcast service code allocated to the A-UE by the ProSe function entity of the A-UE's HPLMN; the discovery key is 128 bits in total; the current time is Greenwich Mean Time, that is, the world unified clock. The A-UE sets its ProSe time according to the current time, that is, it synchronizes with the network time; the maximum duration together with the current time forms the discovery time slot of this discovery, that is, the lifetime of the discovery service code, beyond which the code is invalid;
Step S205: The A-UE broadcasts over the air through a broadcast channel; the broadcast message carries the discovery service code;
Step S206: The M-UE obtains configuration parameters from the ProSe server and obtains restricted discovery service permission; the configuration parameters contain a list of user close-range restricted service identifiers;
Step S207: When the M-UE is interested in monitoring at least one user close-range restricted service identifier and has established a secure connection with the ProSe function entity under its HPLMN, the M-UE sends a discovery service request message to that ProSe function entity; the message contains the user close-range restricted service identifier list, the discovery service type (monitoring service, Monitor), and the user identifier;
Step S208: If the ProSe function entity under the HPLMN of the M-UE has no associated UE context, it performs discovery service authentication with the HSS and establishes a new UE context, which contains the subscription parameters of the UE. If the discovery request is authenticated, the ProSe function entity under the HPLMN of the M-UE sends a monitoring authentication request to the ProSe function entities of the other PLMNs; the message carries the user close-range restricted service identifier list and the user identifier;
The ProSe function entities of the other PLMNs include the ProSe function entity under the HPLMN corresponding to the A-UE, so the user close-range restricted service identifier list also contains at least one A-UE user close-range restricted service identifier;
Step S209: The ProSe function entity of the other PLMN obtains authentication permission from the ProSe server;
Step S210: If the ProSe function entity of the other PLMN holds the discovery service code corresponding to the user close-range restricted service identifier, it authenticates the monitoring authentication request message and returns a monitoring authentication request response message to the ProSe function entity under the HPLMN of the M-UE; the message carries the mask corresponding to the discovery service code and the lifetime corresponding to the discovery service code, that is, the current time and the maximum duration of the ProSe function entity of the other PLMN;
Step S211: The ProSe function entity of the HPLMN of the M-UE composes a discovery template from the ProSe service codes formed according to the mask in the monitoring authentication request response message, and returns a discovery service request response message to the M-UE. The message carries the discovery template, the current time, and the maximum duration;
The current time is the current time of the ProSe function entity of the HPLMN of the M-UE if that entity has been time-synchronized with the ProSe function entity of the other PLMN; otherwise it is the current time carried in the monitoring authentication response request, and the maximum duration is the maximum duration carried in the monitoring authentication response request. The M-UE sets its ProSe clock according to the current time;
Step S212: The M-UE receives the broadcast information of the A-UE; the broadcast information includes the discovery service code;
Step S213: If the M-UE finds that the discovery service code broadcast by the A-UE exists in the discovery template and that the discovery service code is within the lifetime of the discovery template, it sends a matching report message to the ProSe function entity of the HPLMN of the M-UE; the message carries the discovery service code and also the ProSe time corresponding to the UE;
Step S214: The ProSe function entity of the HPLMN of the M-UE forwards the matching report message to the ProSe function entity of the HPLMN of the A-UE.
Step S215: The ProSe function entity of the HPLMN of the A-UE, using the parameters carried in the matching report, the ProSe time, and the discovery service code received from the broadcast, checks whether the discovery service code passes the integrity check; otherwise the check fails, that is, the discovery service code held by the M-UE is not intact;
Step S216: After the integrity check by the ProSe function entity of the HPLMN of the A-UE succeeds, it returns a matching report response message to the ProSe function entity of the HPLMN of the M-UE;
Step S217: The ProSe function entity of the HPLMN of the M-UE returns a matching report response message to the M-UE; the message carries the current time of the ProSe function entity of the HPLMN of the M-UE, and the M-UE sets its ProSe time. Once the matching succeeds, the M-UE has discovered the A-UE.
In the prior art, the discovery service code is divided into a discovery code prefix and a discovery code suffix, where the discovery code prefix is allocated by the ProSe function entity and the discovery code suffix is controlled by the service and allocated at the service layer. In addition, FIG. 2 provides integrity protection and protection against counterfeiting and replay attacks only for the discovery service code allocated by the ProSe function entity; the discovery code suffix likewise needs integrity and is likewise at risk of counterfeiting and replay attacks, and no effective solution has so far been proposed for how to protect the discovery code suffix.
No effective solution has yet been proposed for the problem that the related art lacks a technical solution for protecting the discovery code suffix.
Summary of the invention
To solve the above technical problem, embodiments of the present invention provide a discovery service code checking processing method, a checking method, and a device.
According to one embodiment of the present invention, a discovery service code checking processing method is provided, including: a broadcast user equipment (UE) acquires a discovery code suffix of a discovery service code and a first key corresponding to the discovery code suffix; the broadcast UE generates, according to the discovery code suffix and the first key, a first check code for checking the discovery code suffix; and the broadcast UE broadcasts the first check code to a monitoring UE.
In an embodiment of the present invention, the broadcast UE acquiring the discovery code suffix of the discovery service code and the first key corresponding to the discovery code suffix includes: the broadcast UE acquires the discovery code suffix and the first key from the Proximity-based Services (ProSe) server and/or the ProSe function entity.
In an embodiment of the present invention, when the broadcast UE acquires the discovery code suffix of the discovery service code and the first key corresponding to the discovery code suffix, the method further includes: the broadcast UE acquires from the ProSe function entity the discovery code prefix of the discovery service code and a second key corresponding to the discovery code prefix; the method further includes: the broadcast UE generates, according to the discovery code prefix and the second key, a second check code for checking the discovery code prefix.
In an embodiment of the present invention, the first check code and/or the second check code are generated by the following algorithm: hash-based message authentication code with secure hash algorithm (HMAC-SHA).
In an embodiment of the present invention, when the broadcast UE broadcasts the first check code to the monitoring UE, the method further includes: sending the second check code to the monitoring UE.
According to another embodiment of the present invention, a discovery service code checking method is further provided, including: a monitoring user equipment (UE) receives broadcast information broadcast by a broadcast UE; the monitoring UE acquires from the broadcast information a second check code for checking the discovery code suffix of the discovery service code; and the monitoring UE checks the discovery code suffix according to the second check code.
In an embodiment of the present invention, the method further includes: the monitoring UE also acquires from the broadcast information a second check code for checking the discovery code prefix of the discovery service code; and the monitoring UE checks the discovery code prefix according to the second check code.
According to another embodiment of the present invention, a discovery service code checking method is further provided, the method including: a broadcast user equipment (UE) acquires the prefix of the discovery service code, acquires the suffix of the discovery service code, and acquires a third key corresponding to the discovery service code, where the discovery service code includes the prefix of the discovery service code and the suffix of the discovery service code; the broadcast UE generates, according to the discovery service code and the third key, a third check code for checking the discovery service code; and the broadcast UE broadcasts the third check code to the monitoring UE.
在本发明实施例中,所述广播UE获取所述发现业务码的前缀、从获取所述发现业务码的后缀,以及获取发现业务码对应的第三密钥包括:所述广播UE从ProSe功能实体获取所述发现业务码的前缀、从ProSe服务器获取所述发现业务码的后缀,以及从所述ProSe功能实体获取发现业务码对应的第三密钥。In the embodiment of the present invention, the broadcast UE acquires the prefix of the discovery service code, obtains the suffix of the discovery service code, and acquires the third key corresponding to the discovery service code, including: the broadcast UE from the ProSe function The entity obtains the prefix of the discovery service code, acquires the suffix of the discovery service code from the ProSe server, and acquires a third key corresponding to the discovery service code from the ProSe function entity.
根据本发明的另一个实施例,还提供了一种发现业务码的校验处理装置,应用于广播用户设备UE中,包括:获取模块,设置为获取发现业务码的发现码后缀以及所述发现码后缀对应的第一密钥;生成模块,设置为根据所述发现码后缀和所述第一密钥生成用于对所述发现码后缀进行校验的第一校验码;广播模块,设置为将所述第一校验码广播至监听UE。According to another embodiment of the present invention, a verification processing apparatus for discovering a service code is further applied to a broadcast user equipment UE, including: an obtaining module, configured to acquire a discovery code suffix of the discovery service code, and the discovery a first key corresponding to the code suffix; a generating module, configured to generate a first check code for verifying the discovery code suffix according to the discovery code suffix and the first key; The first check code is broadcast to the monitoring UE.
在本发明实施例中,所述获取模块设置为从基于距离的业务ProSe服务器获取所述发现码后缀和所述第一密钥。In the embodiment of the present invention, the acquiring module is configured to acquire the discovery code suffix and the first key from a distance-based service ProSe server.
根据本发明的另一个实施例,还提供了一种发现业务码的校验装置,应用于监听UE,包括:接收模块,设置为接收广播UE广播的广播信息;获取模块,设置为从所述广播信息中获取用于对所述发现业务码的发现码后缀进行校验的第二校验码;校验模块,设置为根据所述第二校验码校验所述发现码后缀。According to another embodiment of the present invention, a verification device for discovering a service code is further provided, which is applied to the monitoring UE, and includes: a receiving module, configured to receive broadcast information broadcast by the broadcast UE; and an acquiring module, configured to Obtaining, by the broadcast information, a second check code for verifying the discovery code suffix of the discovery service code; and the verification module is configured to check the discovery code suffix according to the second check code.
通过本发明实施例,在获取到发现码后缀以及发现码后缀对应的密钥之后,能够根据发现码后缀以及其对应的密钥生成验证码的技术方案,解决了相关技术中,尚未针对 发现码后缀提出保护的技术方案的问题,进而实现了对发现码后缀的完整性保护,不仅防止了发现码前缀被仿冒重放攻击的风险,同时还防止了发现码后缀被仿冒、重放攻击的风险。After obtaining the discovery code suffix and the key corresponding to the discovery code suffix, the technical solution of generating the verification code according to the discovery code suffix and the corresponding key is solved by the related art. The problem that the code suffix proposes the technical solution of the protection, and the integrity protection of the discovery code suffix is realized, which not only prevents the risk of the code prefix being spoofed and replayed, but also prevents the discovery code suffix from being counterfeited and replayed. risks of.
DRAWINGS
The drawings described herein are provided for a further understanding of the present invention and form a part of this application; the exemplary embodiments of the present invention and their description serve to explain the present invention and do not constitute an improper limitation of it. In the drawings:
FIG. 1 is a structural block diagram of the communication architecture of a D2D discovery service in the related art;
FIG. 2 is a schematic flowchart of a method for implementing a restricted discovery service in the related art;
FIG. 3 is a flowchart of a check processing method for a discovery service code according to an embodiment of the present invention;
FIG. 4 is a structural block diagram of a check processing device for a discovery service code according to an embodiment of the present invention;
FIG. 5 is a flowchart of a check method for a discovery service code according to an embodiment of the present invention;
FIG. 6 is a structural block diagram of a check device for a discovery service code according to an embodiment of the present invention;
FIG. 7 is a flowchart of a broadcast method of a device-to-device (D2D) restricted discovery service according to a preferred embodiment of the present invention;
FIG. 8 is a flowchart of a monitoring method of the D2D restricted discovery service according to Preferred Embodiment 1 of the present invention;
FIG. 9 is a flowchart of a matching method of the D2D restricted discovery service according to Preferred Embodiment 1 of the present invention;
FIG. 10 is a flowchart of a broadcast method of the D2D restricted discovery service according to Preferred Embodiment 2 of the present invention;
FIG. 11 is a flowchart of a monitoring method of the D2D restricted discovery service according to Preferred Embodiment 2 of the present invention;
FIG. 12 is a flowchart of a matching method of the D2D restricted discovery service according to Preferred Embodiment 2 of the present invention;
FIG. 13 is a flowchart of a broadcast method of the D2D restricted discovery service according to Preferred Embodiment 3 of the present invention;
FIG. 14 is a flowchart of a monitoring method of the D2D restricted discovery service according to Preferred Embodiment 3 of the present invention;
FIG. 15 is a flowchart of a matching method of the D2D restricted discovery service according to Preferred Embodiment 3 of the present invention;
FIG. 16 is another flowchart of a check method for a discovery service code according to an embodiment of the present invention.
DETAILED DESCRIPTION
The present invention will be described in detail below with reference to the drawings and in conjunction with embodiments. It should be noted that, where no conflict arises, the embodiments in this application and the features in those embodiments may be combined with each other.
Other features and advantages of the present invention will be set forth in the description that follows, and in part will become apparent from the description or be learned by practicing the invention. The objectives and other advantages of the invention may be realized and obtained by the structure particularly pointed out in the written description, the claims, and the drawings.
To enable those skilled in the art to better understand the solution of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of those embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort shall fall within the protection scope of the present invention.
To solve the above technical problem, this embodiment provides a check processing method for a discovery service code. FIG. 3 is a flowchart of the check processing method for a discovery service code according to an embodiment of the present invention; as shown in FIG. 3, the method includes the following steps:
Step S302: a broadcast user equipment (UE) acquires a discovery code suffix of the discovery service code and a first key corresponding to the discovery code suffix;
Step S304: the broadcast UE generates, according to the discovery code suffix and the first key, a first check code for checking the discovery code suffix;
Step S306: the broadcast UE broadcasts the first check code to a monitoring UE.
Through the above steps, once the discovery code suffix and the key corresponding to it have been acquired, a check code can be generated from the discovery code suffix and its corresponding key and the discovery code suffix can then be checked. This solves the problem in the related art that no technical solution for protecting the discovery code suffix has been proposed, and thereby achieves integrity protection of the discovery code suffix: it not only prevents the risk of the discovery code prefix being spoofed or replayed, but also prevents the risk of the discovery code suffix being spoofed or replayed.
Optionally, step S302 may be implemented in multiple ways. In an optional example of this embodiment, the broadcast UE may acquire the discovery code suffix and the first key from a proximity-based service (ProSe) server and/or a ProSe function entity.
It should be noted that, while the solution of step S302 is executed (i.e. while the broadcast UE acquires the discovery code suffix of the discovery service code and the first key corresponding to it), the following process may also be executed: the broadcast UE acquires, from the ProSe function entity, the discovery code prefix of the discovery service code and a second key corresponding to the discovery code prefix; the broadcast UE then generates, according to the discovery code prefix and the second key, a second check code for checking the discovery code prefix. That is, this embodiment implements a solution in which the discovery code prefix and the discovery code suffix are checked at the same time.
As for the method of computing the discovery code suffix check code in step S304, the first check code and/or the second check code may be generated by the following algorithm: hash-based message authentication code with a secure hash algorithm (HMAC-SHA).
Furthermore, when the broadcast UE broadcasts the first check code to the monitoring UE, the broadcast UE also sends the second check code to the monitoring UE.
This embodiment further provides a check processing device for a discovery service code, applied in a broadcast user equipment (UE), which is used to implement the above embodiments and preferred implementations; what has already been described is not repeated here. The modules involved in the device are described below. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the devices described in the following embodiments are preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated. FIG. 4 is a structural block diagram of the check processing device for a discovery service code according to an embodiment of the present invention; as shown in FIG. 4, the device includes:
an acquiring module 40, configured to acquire a discovery code suffix of the discovery service code and a first key corresponding to the discovery code suffix;
a generating module 42, connected to the acquiring module 40 and configured to generate, according to the discovery code suffix and the first key, a first check code for checking the discovery code suffix; and
a broadcast module 44, connected to the generating module 42 and configured to broadcast the first check code to a monitoring UE.
Through the combined action of the above modules, once the discovery code suffix and the key corresponding to it have been acquired, a check code can be generated from the discovery code suffix and its corresponding key and the discovery code suffix can then be checked. This solves the problem in the related art that no technical solution for protecting the discovery code suffix has been proposed, and thereby achieves integrity protection of the discovery code suffix: it not only prevents the risk of the discovery code prefix being spoofed or replayed, but also prevents the risk of the discovery code suffix being spoofed or replayed.
A further improvement of the above technical solution in this embodiment is that the acquiring module 40 is configured to acquire the discovery code suffix and the first key from a proximity-based service (ProSe) server.
To complete the overall flow of the above technical solution, an embodiment of the present invention further provides a check method for a discovery service code. FIG. 5 is a flowchart of the check method for a discovery service code according to an embodiment of the present invention; as shown in FIG. 5, the method includes the following steps:
Step S502: a monitoring user equipment (UE) receives broadcast information broadcast by a broadcast UE;
Step S504: the monitoring UE acquires, from the broadcast information, a first check code for checking the discovery code suffix of the discovery service code;
Step S506: the monitoring UE checks the discovery code suffix according to the first check code.
Through the above steps, the discovery code suffix can be checked using the discovery code suffix check code that corresponds to the discovery code suffix of the discovery service code in the received broadcast information. This solves the problem in the related art that no technical solution for protecting the discovery code suffix has been proposed, and thereby achieves integrity protection of the discovery code suffix: it not only prevents the risk of the discovery code prefix being spoofed or replayed, but also prevents the risk of the discovery code suffix being spoofed or replayed.
Optionally, this embodiment further provides the following technical solution: the monitoring UE further acquires, according to the broadcast information, a second check code for checking the discovery code prefix of the discovery service code, and the monitoring UE checks the discovery code prefix according to the second check code. That is, this embodiment focuses on checking the discovery code prefix and the discovery code suffix at the same time.
This embodiment further provides a check device for a discovery service code, applied to a monitoring UE, which is used to implement the above embodiments and preferred implementations; what has already been described is not repeated here. The modules involved in the device are described below. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the devices described in the following embodiments are preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated. FIG. 6 is a structural block diagram of the check device for a discovery service code according to an embodiment of the present invention; as shown in FIG. 6, the device includes:
a receiving module 60, configured to receive broadcast information broadcast by a broadcast UE;
an acquiring module 62, connected to the receiving module 60 and configured to acquire, from the broadcast information, a first check code for checking the discovery code suffix of the discovery service code; and
a check module 64, connected to the acquiring module 62 and configured to check the discovery code suffix according to the first check code.
Through the combined application of the above modules, the discovery code suffix can be checked using the discovery code suffix check code that corresponds to the discovery code suffix of the discovery service code in the received broadcast information. This solves the problem in the related art that no technical solution for protecting the discovery code suffix has been proposed, and thereby achieves integrity protection of the discovery code suffix: it not only prevents the risk of the discovery code prefix being spoofed or replayed, but also prevents the risk of the discovery code suffix being spoofed or replayed.
For a better understanding of the above check processing and check procedure for a discovery service code, the following description is given with reference to Preferred Embodiments 1 to 3 and FIGS. 7 to 15:
Preferred Embodiment 1
A preferred embodiment of the present invention provides a device-to-device restricted discovery service method, where FIGS. 7, 8 and 9 correspond to Preferred Embodiment 1. The core idea of this preferred embodiment is that, during broadcasting, the broadcast UE acquires the discovery code suffix and the corresponding discovery key from the ProSe function entity, and acquires the key corresponding to the discovery code prefix from the ProSe server; the broadcast UE computes the discovery code prefix check code and the discovery code suffix check code separately; the broadcast UE broadcasts the discovery code prefix, the discovery code suffix, and the corresponding check codes, i.e. the discovery code prefix check code and the discovery code suffix check code; after receiving the broadcast information, the monitoring UE has the discovery code prefix checked at the ProSe function entity and the discovery code suffix checked at the ProSe application server.
FIG. 7 is a flowchart of the broadcast method of the D2D restricted discovery service according to Preferred Embodiment 1 of the present invention; the specific flow is as follows:
Step S700: the UE obtains service authorization from the ProSe application server, providing the UE's discovery identifier, and obtains from the ProSe APP Server the user's proximity restricted service identifier, the discovery code suffix, and the discovery key corresponding to the discovery code suffix;
Step S702: after the UE has established a secure connection with the ProSe function entity in the HPLMN, the UE sends a discovery service request message to the ProSe function entity in the HPLMN. The message contains the user's proximity restricted service identifier, the discovery service type (restricted discovery service), and the user identifier; the discovery service type is the broadcast service (Announce);
Step S704: if the ProSe function entity has no associated UE context, the ProSe function entity performs discovery service authentication with the HSS and creates a new UE context, which contains the UE's subscription parameters;
Step S706: if the discovery service authentication succeeds, the ProSe function entity in the HPLMN sends an authentication request to the ProSe application server; the message carries the user's proximity restricted service identifier;
Step S708: the ProSe application server finds the UE discovery identifier corresponding to the user according to the user's proximity restricted service identifier, and returns an authentication response message to the ProSe function entity in the HPLMN; the message carries the UE discovery identifier.
Step S710: the ProSe function entity in the HPLMN authenticates the UE discovery identifier and, on success, allocates the discovery code prefix, the validity period of the discovery code prefix, and the key corresponding to the discovery code prefix;
Step S712: the ProSe function entity in the HPLMN sends a broadcast authentication request to the ProSe function entity of the VPLMN; the message carries the user's proximity restricted service identifier, the user identifier, the discovery code prefix allocated by the ProSe function entity in the UE's HPLMN, and the validity period corresponding to the discovery code prefix;
Step S714: the ProSe function entity in the VPLMN returns a broadcast authentication request response message to the ProSe function entity of the HPLMN;
Step S716: the ProSe function entity of the HPLMN returns a discovery service request response message to the UE. The message carries the discovery code prefix, the discovery code prefix key, and the validity period corresponding to the discovery code prefix.
Here, the discovery code prefix is the broadcast service code allocated to the UE by the ProSe function entity of the UE's HPLMN; the discovery key is 128 bits in total; the validity period takes the current time in Greenwich Mean Time, i.e. a world-unified clock. The UE sets the ProSe time of the A-UE according to the current time, i.e. synchronizes with the network time; the maximum duration together with the current time forms the discovery time slot of this discovery, i.e. the validity period of the discovery code prefix, beyond which the prefix is invalid.
Step S718: the UE allocates radio resources, computes the discovery code prefix check code and the discovery code suffix check code, and broadcasts over the air the discovery code prefix, the discovery code suffix, the discovery code prefix check code, the discovery code suffix check code, and the time counter.
The above check codes are computed with the signature algorithm HMAC-SHA-256. That is, discovery code prefix check code = HMAC-SHA-256(discovery code prefix key, string S), where the string S is formed as S = FC||P0||L0||P1||L1, FC being a fixed-length algorithm type, P0 the broadcast time, L0 the length of the time, P1 the discovery code prefix, and L1 the length of the discovery code prefix; and discovery code suffix check code = HMAC-SHA-256(discovery code suffix key, string S), where the string S is formed as S = FC||P0||L0||P1||L1, FC being a fixed-length algorithm type, P0 the broadcast time, L0 the length of the time, P1 the discovery code suffix, and L1 the length of the discovery code suffix.
The time counter is the low 4 bits of the current time truncated to seconds, i.e. at most 16 seconds, which allows an error of 8 seconds to be corrected.
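As an added example that is not part of the patent text, the Python below implements the two HMAC-SHA-256 check codes of step S718 over S = FC||P0||L0||P1||L1, the 4-bit time counter, and the check side's reconstruction of the broadcast time from its own clock and that counter (done by the monitoring UE in the check method of FIG. 5, or by the ProSe function entity and application server in Preferred Embodiment 1). The byte encodings of FC, P0, L0 and L1 and the sample key and code values are assumptions, since the page fixes only the field order.

```python
import hmac
import hashlib
import struct
from typing import Dict, Tuple

# Assumed encodings (the page fixes only the field order of S): FC is a single
# byte naming the algorithm type, P0 is the broadcast time as a 4-byte big-endian
# count of UTC seconds, and L0/L1 are 2-byte big-endian lengths of P0 and P1.
FC_HMAC_SHA256 = 0x01
COUNTER_BITS = 4                    # time counter = low 4 bits of the seconds count
COUNTER_PERIOD = 1 << COUNTER_BITS  # the counter wraps every 16 s
MAX_SKEW = COUNTER_PERIOD // 2      # so a clock error of up to 8 s can be corrected


def build_string_s(broadcast_time: int, code: bytes, fc: int = FC_HMAC_SHA256) -> bytes:
    """S = FC || P0 || L0 || P1 || L1, with P1 the prefix or the suffix bytes."""
    p0 = struct.pack(">I", broadcast_time)
    return (bytes([fc]) + p0 + struct.pack(">H", len(p0))
            + code + struct.pack(">H", len(code)))


def check_code(key: bytes, broadcast_time: int, code: bytes) -> bytes:
    """HMAC-SHA-256(key, S): the page's prefix or suffix check code."""
    return hmac.new(key, build_string_s(broadcast_time, code), hashlib.sha256).digest()


def time_counter(broadcast_time: int) -> int:
    """Low 4 bits of the current time truncated to seconds."""
    return broadcast_time & (COUNTER_PERIOD - 1)


def build_announcement(prefix_key: bytes, suffix_key: bytes,
                       prefix: bytes, suffix: bytes, broadcast_time: int) -> Dict:
    """Step S718 on the broadcast UE: prefix, suffix, both check codes, counter."""
    return {
        "prefix": prefix,
        "suffix": suffix,
        "prefix_check": check_code(prefix_key, broadcast_time, prefix),
        "suffix_check": check_code(suffix_key, broadcast_time, suffix),
        "time_counter": time_counter(broadcast_time),
    }


def recover_broadcast_time(listener_time: int, counter: int) -> int:
    """Rebuild the announcer's P0 from the listener's clock and the 4-bit counter.
    Candidates with the right low bits are 16 s apart, so the nearest one is
    always within 8 s of the listener's clock; a replayed announcement older
    than that maps to a different P0 and its check codes no longer verify."""
    base = (listener_time & ~(COUNTER_PERIOD - 1)) | counter
    return min((base - COUNTER_PERIOD, base, base + COUNTER_PERIOD),
               key=lambda t: abs(t - listener_time))


def verify_announcement(ann: Dict, listener_time: int,
                        prefix_key: bytes, suffix_key: bytes) -> Tuple[bool, bool]:
    """Check side: recompute both HMACs over the recovered time; constant-time compare."""
    t = recover_broadcast_time(listener_time, ann["time_counter"])
    prefix_ok = hmac.compare_digest(check_code(prefix_key, t, ann["prefix"]), ann["prefix_check"])
    suffix_ok = hmac.compare_digest(check_code(suffix_key, t, ann["suffix"]), ann["suffix_check"])
    return (prefix_ok, suffix_ok)


if __name__ == "__main__":
    # Constructed sample values; the page says the discovery key is 128 bits.
    k_prefix, k_suffix = bytes(range(16)), bytes(range(16, 32))
    ann = build_announcement(k_prefix, k_suffix, b"PREFIX-0001", b"SUFFIX-42", 1_000_000)
    print(verify_announcement(ann, 1_000_003, k_prefix, k_suffix))  # (True, True)
    forged = dict(ann, suffix=b"SUFFIX-99")                        # spoofed suffix
    print(verify_announcement(forged, 1_000_003, k_prefix, k_suffix))  # (True, False)
    print(verify_announcement(ann, 1_000_030, k_prefix, k_suffix))  # (False, False): 30 s replay
```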
FIG. 8 is a flowchart of the monitoring method of the D2D restricted discovery service according to Preferred Embodiment 1 of the present invention; the specific flow is as follows:
Step S800: the UE obtains service authorization from the ProSe application server, providing the UE's discovery identifier, and obtains from the ProSe APP Server the user's proximity restricted service identifier and a discovery code suffix template, which can match and filter the suffix of a discovery code;
Step S802: after the UE has established a secure connection with the ProSe function entity in its HPLMN, the UE sends a discovery service request message to the ProSe function entity in the HPLMN. The message contains the user's proximity restricted service identifier, the discovery service type (restricted discovery service; the discovery service is the monitoring service, Monitor), the user identifier, and an application-layer service transparent container. The application-layer service transparent container is a list of target users' proximity restricted service identifiers and is transparent to the ProSe function entity in the HPLMN; this transparency can be achieved by encryption;
Step S804: if the ProSe function entity has no associated UE context, the ProSe function entity performs discovery service authentication with the HSS and creates a new UE context, which contains the UE's subscription parameters;
Step S806: the ProSe function entity in the HPLMN initiates an authentication request to the ProSe application server; the authentication request carries the user's proximity restricted service identifier and the application-layer service transparent container;
Step S808: after authenticating the user's proximity restricted service identifier and the application-layer service transparent container, the ProSe application server returns an authentication request response message to the ProSe function entity in the HPLMN; the message carries the UE discovery identifier, and the target UE discovery identifiers together with the list of users' proximity restricted service identifiers;
Here, the ProSe function entities of the other PLMNs also include the ProSe function entity in the HPLMN corresponding to the broadcast UE, so the list of users' proximity restricted service identifiers contains at least one broadcast UE user's proximity restricted service identifier; likewise, the list of UE discovery identifiers also contains the UE discovery identifier of the broadcast UE;
Step S810: after the ProSe function entity in the HPLMN successfully authenticates the UE discovery identifier, it decides to obtain the discovery code prefix of the target UE discovery identifier (i.e. the discovery code prefix of the broadcast UE);
Step S812: the ProSe function entity in the HPLMN sends a monitoring authentication request to the ProSe function entities of the other PLMNs; the message carries the user's proximity restricted service identifier, the user identifier, the target UE discovery identifier, the service identifier, and the target user's proximity restricted service identifier;
Step S814: the ProSe function entity of the other PLMN obtains the broadcast UE's discovery code prefix and its validity period according to the target user's proximity restricted service identifier or the target UE discovery identifier;
Step S816: the ProSe function entity of the other PLMN obtains authentication permission from the ProSe application server; the message carries the user's proximity restricted service identifier and the target user's proximity restricted service identifier;
Step S818: the ProSe application server returns an authentication permission response message to the ProSe function entity of the other PLMN; the message carries the UE discovery identifier and the target UE discovery identifier;
Step S820: the ProSe function entity of the other PLMN returns a monitoring authentication request response message to the ProSe function entity in the UE's HPLMN; the message carries the discovery code prefix and the validity period corresponding to the discovery code prefix;
Step S822: the ProSe function entity of the UE's HPLMN forms a discovery code prefix template from the discovery code prefixes in the monitoring authentication request response message, and returns a discovery service request response message to the UE. The message carries the discovery code prefix template and the corresponding validity period;
其中,当前时间如果UE的HPLMN的ProSe功能实体时间已经和其他PLMN的ProSe功能实体时间同步,则为UE的HPLMN的ProSe功能实体的当前时间,否则为监听认证响应请求所携带的当前时间,最大时长为监听认证响应请求所携带的最大时长。UE根据当前时间设置ProSe时钟.The current time is the current time of the ProSe functional entity of the HPLMN of the UE, if the ProSe functional entity time of the HPLMN of the UE has been time synchronized with the ProSe functional entity of the other PLMN, otherwise the current time carried by the monitoring authentication response request is the largest. The duration is the maximum duration of the listening authentication response request. The UE sets the ProSe clock according to the current time.
步骤S824:UE分配无线资源,开始侦听广播UE发出广播信息。Step S824: The UE allocates radio resources, and starts to listen to the broadcast UE to send broadcast information.
图9是根据本发明实施例一的D2D限制发现业务的匹配方法的流程图,具体流程如下所示;FIG. 9 is a flowchart of a method for matching a D2D restriction discovery service according to the first embodiment of the present invention, and the specific process is as follows;
步骤S900:UE接受到广播UE发出的广播信息后,发现广播UE广播的发现码前缀和发现码后缀均在存在对应的发现码前缀模版和发现码后缀模板中,且该发现码前缀在发现前缀模版对应的有效期内,则向UE的HPLMN的ProSe功能实体发送匹配报告消息,消息携带用户近距离限制业务标识,用户标识,发现类型,业务标识,发现码前缀,前缀校验码,发现码后缀,后缀校验码,时间计数器,所述时间计算器为修订时间;Step S900: After receiving the broadcast information sent by the broadcast UE, the UE finds that the discovery code prefix and the discovery code suffix of the broadcast UE are in the corresponding discovery code prefix template and the discovery code suffix template, and the discovery code prefix is found in the prefix. The template sends a matching report message to the ProSe function entity of the HPLMN of the UE. The message carries the user close-range restricted service identifier, user identifier, discovery type, service identifier, discovery code prefix, prefix check code, and discovery code suffix. a suffix check code, a time counter, and the time calculator is a revision time;
步骤S902,如果ProSe功能实体无关联的UE上下文,则ProSe功能实体与HSS进行发现业务认证鉴权,并建立新的UE上下文,UE上下文中包含UE的订阅参数;Step S902: If the ProSe functional entity has no associated UE context, the ProSe functional entity performs authentication service authentication with the HSS, and establishes a new UE context, where the UE context includes the subscription parameters of the UE.
步骤S904:UE的HPLMN的ProSe功能实体向其他的PLMN的ProSe功能实体发送匹配报告消息,所述其他的PLMN的ProSe功能实体为广播UE的HPLMN的ProSe功能实体,所述消息携带用户近距离限制业务标识,用户标识,发现类型,业务标识,发现码前缀,发现码前缀校验码,时间计数器;Step S904: The ProSe functional entity of the HPLMN of the UE sends a matching report message to the ProSe functional entity of the other PLMN, where the ProSe functional entity of the other PLMN is a ProSe functional entity of the HPLMN of the broadcast UE, and the message carries the user close-range restriction. Service identity, user identity, discovery type, service identity, discovery code prefix, discovery code prefix check code, time counter;
步骤S906:其他的PLMN的ProSe功能实体校验发现码前缀校验码的是否准确,所述校验方法可以通过签名算法校验前缀校验码是否和ProSe功能实体一致,也可以是通过密钥算法算出对应的发现码前缀,检查是否准确。Step S906: The ProSe functional entity of the other PLMN checks whether the discovery code prefix check code is accurate. The verification method may verify whether the prefix check code is consistent with the ProSe functional entity by using a signature algorithm, or may be a key. The algorithm calculates the corresponding discovery code prefix and checks whether it is accurate.
步骤S908:其他的HPLMN的ProSe功能实体完整性校验成功后,向UE的HPLMN的ProSe功能实体回送匹配报告响应消息;Step S908: After the ProSe functional entity integrity check of the other HPLMN is successful, the matching report response message is sent back to the ProSe functional entity of the HPLMN of the UE.
步骤S910:UE的HPLMN的ProSe功能实体向ProSe应用服务器发送匹配报告消息,所述消息携带用户近距离限制业务标识,目标用户近距离限制业务标识,发现码后缀,发现码后缀校验码,时间计数器;Step S910: The ProSe function entity of the HPLMN of the UE sends a matching report message to the ProSe application server, where the message carries the user close-range restricted service identifier, the target user closes the service identifier, the code suffix, the discovery code suffix check code, and the time. counter;
步骤S912:ProSe应用服务器校验发现码后缀校验码的是否准确,所述校验方法可 以通过签名算法校验发现码前缀校验码是否和ProSe应用服务器一致,也可以是通过密钥算法算出对应的发现码前缀,检查是否准确。Step S912: The ProSe application server verifies whether the discovery code suffix check code is accurate, and the verification method may be Whether the discovery code prefix check code is consistent with the ProSe application server is verified by the signature algorithm, or the corresponding discovery code prefix is calculated by the key algorithm, and the check is accurate.
步骤S914:ProSe应用服务器完整性校验成功后,向UE的HPLMN的ProSe功能实体回送匹配报告响应消息,所述消息携带UE发现标识和目标UE的发现标识;Step S914: After the ProSe application server integrity check succeeds, the device sends a match report response message to the ProSe function entity of the HPLMN of the UE, where the message carries the UE discovery identifier and the discovery identifier of the target UE.
其中,步骤S910-S914也可以在步骤S906后,有其他的HPLMN的ProSe功能实体向ProSe应用服务器操作执行,则需要步骤S904携带响应的发现码后缀以及发现码后缀校验码,其他ProSe操作模式不变。Steps S910-S914 may also be performed after the step S906, when the ProSe functional entity of the other HPLMN performs the operation to the ProSe application server, the step S904 is required to carry the response discovery code suffix and the discovery code suffix check code, and other ProSe operation modes. constant.
步骤S916:UE的HPLMN的ProSe功能实体验证UE发现标识和目标UE发现标识;Step S916: The ProSe functional entity of the HPLMN of the UE verifies the UE discovery identifier and the target UE discovery identifier;
步骤S918:UE的HPLMN的ProSe功能实体认证成功后,向UE回送匹配报告响应消息,所述消息携带发现码前缀,业务标识,目标用户近距离限制业务标识,以及发现码前缀对应的有效期。Step S918: After the ProSe functional entity of the UE is successfully authenticated, the UE sends a matching report response message to the UE, where the message carries the discovery code prefix, the service identifier, the target user close-range restricted service identifier, and the validity period corresponding to the discovery code prefix.
至此,监听UE发现了广播UE,防止了发现码前缀和后缀被仿冒、重放攻击,同时也保证了其完整性。At this point, the listening UE discovers the broadcast UE, preventing the discovery code prefix and suffix from being counterfeited and replaying attacks, and also ensuring its integrity.
Preferred embodiment two
Preferred embodiment two of the present invention provides a device-to-device restricted discovery service method; FIGS. 10, 11 and 12 correspond to preferred embodiment two. The core idea of preferred embodiment two is that, in the broadcast procedure, the broadcast UE obtains from the ProSe server the discovery code prefix, the discovery code suffix and the corresponding keys; the broadcast UE separately computes the discovery code prefix check code and the discovery code suffix check code; the broadcast UE broadcasts the discovery code prefix, the discovery code suffix and the corresponding check codes, namely the discovery code prefix check code and the discovery code suffix check code; and after receiving the broadcast information, the monitoring UE has the discovery code prefix and the discovery code suffix verified separately at the ProSe function entity.
FIG. 10 is a flowchart of the broadcast method of the D2D restricted discovery service according to preferred embodiment two of the present invention; the specific process is as follows:
Step S1000: The UE obtains service authorization from the ProSe application server, provides the discovery identifier of the UE, and obtains the user restricted proximity service identifier from the ProSe APP Server.
Step S1002: After the UE and the ProSe function entity in the HPLMN have established a secure connection, the UE sends a discovery service request message to the ProSe function entity in the HPLMN; the message contains the user restricted proximity service identifier, the discovery service type (restricted discovery service), the user identifier, and the discovery service type Announce (broadcast service).
Step S1004: If the ProSe function entity has no associated UE context, the ProSe function entity performs discovery service authentication with the HSS and establishes a new UE context; the UE context contains the subscription parameters of the UE.
Step S1006: If the discovery service authentication succeeds, the ProSe function entity in the HPLMN sends an authentication request to the ProSe application server; the message carries the user restricted proximity service identifier.
Step S1008: The ProSe application server finds the UE discovery identifier corresponding to the user according to the user restricted proximity service identifier and returns an authentication response message to the ProSe function entity in the HPLMN; the message carries the UE discovery identifier and also contains the discovery code suffix allocated by the ProSe application server.
Step S1010: The ProSe function entity in the HPLMN authenticates the UE discovery identifier and, on success, allocates the discovery code prefix, the validity period of the discovery code prefix, the key corresponding to the discovery code prefix, and the key corresponding to the discovery code suffix.
Step S1012: The ProSe function entity in the HPLMN sends a broadcast authentication request to the ProSe function entity of the VPLMN; the message carries the user restricted proximity service identifier, the user identifier, the discovery code prefix or discovery code suffix allocated by the ProSe function entity in the UE's HPLMN, and the validity period corresponding to the discovery code prefix.
Step S1014: The ProSe function entity in the VPLMN returns a broadcast authentication request response message to the ProSe function entity of the HPLMN.
Step S1016: The ProSe function entity of the HPLMN returns a discovery service request response message to the UE. The message carries the discovery code prefix, the discovery code prefix key, the discovery code suffix, the discovery code suffix key, and the validity period corresponding to the discovery code prefix.
Here, the discovery code prefix is the broadcast service code that the ProSe function entity of the UE's HPLMN allocates to the UE, and the discovery key is 128 bits in total. In the validity period, the current time is Greenwich Mean Time, i.e. the universal clock; the UE sets the ProSe time of the announcing UE (A-UE) according to the current time, i.e. synchronizes with the network time. The maximum duration together with the current time forms the discovery slot of this discovery, i.e. the validity period of the discovery code prefix; beyond the maximum duration it is invalid.
Step S1018: The UE allocates radio resources, computes the discovery code prefix check code and the discovery code suffix check code, and broadcasts over the air the discovery code prefix, the discovery code suffix, the discovery code prefix check code, the discovery code suffix check code, and the time counter.
The above check codes are computed with the signature algorithm HMAC-SHA-256. That is, discovery code prefix check code = HMAC-SHA-256(discovery code prefix key, string S), where the string S is composed as S = FC||P0||L0||P1||L1, FC being the fixed-length algorithm type, P0 the broadcast time, L0 the length of the time, P1 the discovery code prefix, and L1 the length of the discovery code prefix; and discovery code suffix check code = HMAC-SHA-256(discovery code suffix key, string S), where the string S is composed as S = FC||P0||L0||P1||L1, FC being the fixed-length algorithm type, P0 the broadcast time, L0 the length of the time, P1 the discovery code suffix, and L1 the length of the discovery code suffix.
The time counter is the last 4 bits of the current time truncated to seconds, i.e. at most 16 seconds, which makes it possible to correct an error of 8 seconds.
FIG. 11 is a flowchart of the monitoring method of the D2D restricted discovery service according to preferred embodiment two of the present invention; the specific process is as follows:
Step S1100: The UE obtains service authorization from the ProSe application server, provides the discovery identifier of the UE, and obtains the user restricted proximity service identifier from the ProSe APP Server.
Step S1102: After the UE has established a secure connection with the ProSe function entity in its HPLMN, the UE sends a discovery service request message to the ProSe function entity in the HPLMN; the message contains the user restricted proximity service identifier, the discovery service type (restricted discovery service), the discovery service Monitor (monitoring service), the user identifier, and the application-layer service transparent container. The application-layer service transparent container is the list of target user restricted proximity service identifiers and is transparent to the ProSe function entity in the HPLMN; this transparency may be achieved by encryption.
Step S1104: If the ProSe function entity has no associated UE context, the ProSe function entity performs discovery service authentication with the HSS and establishes a new UE context; the UE context contains the subscription parameters of the UE.
Step S1106: The ProSe function entity in the HPLMN initiates an authentication request to the ProSe application server; the authentication request carries the user restricted proximity service identifier and the application-layer service transparent container.
Step S1108: After authenticating the user restricted proximity service identifier and the application-layer service transparent container, the ProSe application server returns an authentication request response message to the ProSe function entity in the HPLMN; the message carries the UE discovery identifier, the target UE discovery identifier, and the user restricted proximity service identifier list.
Here, the ProSe function entities of the other PLMNs also include the ProSe function entity in the HPLMN of the broadcast UE, so the user restricted proximity service identifier list contains at least one user restricted proximity service identifier of the broadcast UE; likewise, the UE discovery identifier list also contains the UE discovery identifier of the broadcast UE.
Step S1110: After the ProSe function entity in the HPLMN successfully authenticates the UE discovery identifier, it decides to obtain the discovery code prefix and discovery code suffix of the target UE discovery identifier (that is, the discovery code prefix and discovery code suffix of the broadcast UE).
Step S1112: The ProSe function entity in the HPLMN sends a monitor authentication request to the ProSe function entities of the other PLMNs; the message carries the user restricted proximity service identifier, the user identifier, the target UE discovery identifier, the service identifier, and the target user restricted proximity service identifier.
Step S1114: The ProSe function entity of the other PLMN obtains the discovery code prefix and validity period of the broadcast UE, as well as the discovery code suffix, according to the target user restricted proximity service identifier or the target UE discovery identifier.
Step S1116: The ProSe function entity of the other PLMN obtains authentication permission from the ProSe application server; the message carries the user restricted proximity service identifier and the target user restricted proximity service identifier.
Step S1118: The ProSe application server returns an authentication permission response message to the ProSe function entity of the other PLMN; the message carries the UE discovery identifier and the target UE discovery identifier.
Step S1120: The ProSe function entity of the other PLMN returns a monitor authentication request response message to the ProSe function entity in the HPLMN of the UE; the message carries the discovery code prefix, the validity period corresponding to that discovery code prefix, and the discovery code suffix.
Step S1122: The ProSe function entity of the UE's HPLMN forms a discovery code prefix template from the discovery code prefix in the monitor authentication request response message and a discovery code suffix template from the discovery code suffix, and returns a discovery service request response message to the UE. The message carries the discovery code prefix template, the corresponding validity period, and the discovery code suffix template.
Here, if the clock of the ProSe function entity of the UE's HPLMN is already synchronized with the clocks of the ProSe function entities of the other PLMNs, the current time is the current time of the ProSe function entity of the UE's HPLMN; otherwise it is the current time carried in the monitor authentication response. The maximum duration is the maximum duration carried in the monitor authentication response. The UE sets its ProSe clock according to the current time.
Step S1124: The UE allocates radio resources and starts listening for broadcast information sent by the broadcast UE.
FIG. 12 is a flowchart of the matching method of the D2D restricted discovery service according to preferred embodiment two of the present invention; the specific process is as follows:
Step S1200: After receiving the broadcast information sent by the broadcast UE, the UE finds that the discovery code prefix and the discovery code suffix broadcast by the broadcast UE both fall within the corresponding discovery code prefix template and discovery code suffix template, and that the discovery code prefix is within the validity period corresponding to the discovery code prefix template; it then sends a match report message to the ProSe function entity of the UE's HPLMN. The message carries the user restricted proximity service identifier, the user identifier, the discovery type, the service identifier, the discovery code prefix, the prefix check code, the discovery code suffix, the suffix check code, and the time counter; the time counter is the correction time.
Step S1202: If the ProSe function entity has no associated UE context, the ProSe function entity performs discovery service authentication with the HSS and establishes a new UE context; the UE context contains the subscription parameters of the UE.
Step S1204: The ProSe function entity of the UE's HPLMN sends a match report message to the ProSe function entity of the other PLMN, which is the ProSe function entity of the HPLMN of the broadcast UE; the message carries the user restricted proximity service identifier, the user identifier, the discovery type, the service identifier, the discovery code prefix, the discovery code prefix check code, the discovery code suffix, the discovery code suffix check code, and the time counter.
Step S1206: The ProSe function entity of the other PLMN verifies whether the discovery code prefix check code is correct. The verification method may use a signature algorithm to verify that the prefix check code matches the one computed by the ProSe function entity, or may use a key algorithm to compute the corresponding discovery code prefix and check whether it is correct.
Step S1208: The ProSe function entity of the other PLMN verifies whether the discovery code suffix check code is correct. The verification method may use a signature algorithm to verify that the suffix check code matches the one computed by the ProSe function entity, or may use a key algorithm to compute the corresponding discovery code suffix and check whether it is correct.
Step S1210: After the verification succeeds, the ProSe function entity of the other PLMN returns a match report response message to the ProSe function entity in the HPLMN of the UE.
Step S1212: The ProSe function entity of the UE's HPLMN sends an authentication request message to the ProSe application server; the message carries the user restricted proximity service identifier and the target user restricted proximity service identifier.
Step S1214: After the authentication succeeds, the ProSe application server returns a match report response message to the ProSe function entity of the UE's HPLMN; the message carries the UE discovery identifier and the discovery identifier of the target UE.
Step S1216: The ProSe function entity of the UE's HPLMN verifies the UE discovery identifier and the target UE discovery identifier.
Step S1218: After the authentication succeeds, the ProSe function entity of the UE's HPLMN returns a match report response message to the UE; the message carries the discovery code prefix, the service identifier, the target user restricted proximity service identifier, and the validity period corresponding to the discovery code prefix.
At this point the monitoring UE has discovered the broadcast UE; spoofing and replay attacks on the discovery code prefix and suffix are prevented, and their integrity is also guaranteed.
优选实施例三Preferred embodiment three
本发明优选实施例三提供了一种设备到设备限制发现业务的方法,其中图13、14、15对应本发明实施例三,本发明优选实施例三的核心思想是,在广播过程中,广播UE分别从ProSe服务器获取发现码后缀以及从ProSe功能实体获得发现码前缀,在ProSe功能实体中组成发现码,ProSe功能实体分配对应的发现码的密钥,广播UE分别计算发现码校验码,广播UE广播发现码前缀,以及对应的校验码发现码校验码,监听UE接收广播信息后分别在ProSe功能实体校验发现码,从而在ProSe功能实体中校验了发现码的前缀和发现码后缀。The preferred embodiment 3 of the present invention provides a device-to-device limitation discovery service, wherein FIG. 13, 14, and 15 correspond to the third embodiment of the present invention, and the core idea of the preferred embodiment 3 of the present invention is that during the broadcast process, the broadcast is performed. The UE obtains the discovery code suffix from the ProSe server and obtains the discovery code prefix from the ProSe functional entity, and forms a discovery code in the ProSe functional entity, and the ProSe functional entity allocates a key of the corresponding discovery code, and the broadcast UE separately calculates the discovery code check code. The broadcast UE broadcasts the discovery code prefix and the corresponding check code discovery code check code, and the monitoring UE receives the broadcast information and then checks the discovery code in the ProSe functional entity, thereby verifying the prefix and discovery of the discovery code in the ProSe functional entity. Code suffix.
图13是根据本发明优选实施例三的D2D限制发现业务的广播方法的流程图,具体流程如下所示;13 is a flowchart of a method for broadcasting a D2D restriction discovery service according to a preferred embodiment 3 of the present invention, and the specific process is as follows;
步骤S1300:UE向ProSe应用服务器获得业务授权,提供UE的发现标识,向ProSe APP Server获得用户近距离限制业务标识;Step S1300: The UE obtains the service authorization from the ProSe application server, provides the discovery identifier of the UE, and obtains the user close-range restricted service identifier from the ProSe APP Server.
步骤S1202:当UE和HPLMN下的ProSe功能实体建立安全连接后,UE向HPLMN下的ProSe功能实体发送发现业务请求消息,消息包含用户近距离限制业务标识,,发现业务类型为限制发现业务,以及用户标识,发现业务类型为广播业务Announce;Step S1202: After the UE establishes a secure connection with the ProSe functional entity under the HPLMN, the UE sends a discovery service request message to the ProSe functional entity in the HPLMN, where the message includes the user close-range restricted service identifier, and the discovered service type is the restricted discovery service, and User identification, the discovery service type is the broadcast service Announce;
Step S1304: If the ProSe function entity has no associated UE context, the ProSe function entity performs discovery service authentication and authorization with the HSS and establishes a new UE context; the UE context contains the UE's subscription parameters.
Step S1306: If discovery service authentication succeeds, the ProSe function entity in the HPLMN sends an authentication request to the ProSe application server; the message carries the user restricted proximity service identifier.
Step S1308: The ProSe application server looks up the UE discovery identifier corresponding to the user restricted proximity service identifier and returns an authentication response message to the ProSe function entity in the HPLMN; the message carries the UE discovery identifier and also contains a discovery code suffix allocated by the ProSe application server.
Step S1310: The ProSe function entity in the HPLMN authenticates the UE discovery identifier and, on success, allocates a discovery code prefix (the discovery code prefix and the discovery code suffix together form the discovery code), together with the discovery code key and the discovery code validity period.
Step S1312: The ProSe function entity in the HPLMN sends a broadcast authentication request to the ProSe function entity of the VPLMN; the message carries the user restricted proximity service identifier, the user identifier, the discovery code allocated by the ProSe function entity in the UE's HPLMN, and the validity period corresponding to the discovery code.
Step S1314: The ProSe function entity in the VPLMN returns a broadcast authentication request response message to the ProSe function entity of the HPLMN.
Step S1316: The ProSe function entity of the HPLMN returns a discovery service request response message to the UE. The message carries the discovery code, the discovery code key, and the validity period corresponding to the discovery code.
Here the discovery key is 128 bits in total. The validity period consists of a current time, expressed in Greenwich Mean Time (the universal clock), and a maximum duration. The UE sets the ProSe time of the A-UE from the current time, i.e. it synchronizes with the network time. The current time together with the maximum duration form the discovery time slot of this discovery, i.e. the validity period of the discovery code prefix; beyond the maximum duration it is invalid.
Step S1318: The UE allocates radio resources, calculates the discovery code check code, and broadcasts the discovery code, the discovery code check code and the time counter over the air.
The check code is calculated with the MAC algorithm HMAC-SHA-256: discovery code check code = HMAC-SHA-256(discovery code key, string S), where S = FC||P0||L0||P1||L1, FC is a fixed-length algorithm type, P0 is the broadcast time, L0 is the length of the time, P1 is the discovery code, and L1 is the length of the discovery code.
The time counter is the last 4 bits of the current time truncated to seconds, i.e. it covers at most 16 seconds, which allows a clock error of up to 8 seconds to be corrected.
FIG. 14 is a flowchart of a monitoring method for the D2D restricted discovery service according to the third preferred embodiment of the present invention; the specific flow is as follows:
Step S1400: The UE obtains service authorization from the ProSe application server, provides the UE's discovery identifier, and obtains the user restricted proximity service identifier from the ProSe APP Server.
Step S1402: After a secure connection with the ProSe function entity in the UE's HPLMN has been established, the UE sends a discovery service request message to that ProSe function entity. The message contains the user restricted proximity service identifier, the discovery service type (restricted discovery service, the discovery service being the monitoring service "monitor"), the user identifier, and an application-layer service transparent container. The transparent container is a list of target user restricted proximity service identifiers and is opaque to the ProSe function entity in the HPLMN; this opacity can be achieved by encryption.
Step S1404: If the ProSe function entity has no associated UE context, the ProSe function entity performs discovery service authentication and authorization with the HSS and establishes a new UE context; the UE context contains the UE's subscription parameters.
Step S1406: The ProSe function entity in the HPLMN initiates an authentication request to the ProSe application server; the authentication request carries the user restricted proximity service identifier and the application-layer service transparent container.
Step S1408: After the ProSe application server has authenticated the user restricted proximity service identifier and the application-layer service transparent container, it returns an authentication request response message to the ProSe function entity in the HPLMN; the message carries the UE discovery identifier, the target UE discovery identifiers and the list of user restricted proximity service identifiers.
Here the ProSe function entities of the other PLMNs also include the ProSe function entity in the HPLMN of the broadcasting UE, so the list of user restricted proximity service identifiers contains at least one broadcasting UE's user restricted proximity service identifier; likewise, the UE discovery identifier list also contains the UE discovery identifier of the broadcasting UE.
Step S1410: After the ProSe function entity in the HPLMN has successfully authenticated the UE discovery identifier, it decides to obtain the discovery code of the target UE discovery identifier (i.e. the discovery code of the broadcasting UE).
Step S1412: The ProSe function entity in the HPLMN sends a monitoring authentication request to the ProSe function entities of the other PLMNs; the message carries the user restricted proximity service identifier, the user identifier, the target UE discovery identifier, the service identifier and the target user restricted proximity service identifier.
Step S1414: The ProSe function entity of the other PLMN obtains the discovery code and validity period of the broadcasting UE according to the target user restricted proximity service identifier or the target UE discovery identifier.
Step S1416: The ProSe function entity of the other PLMN requests authentication permission from the ProSe application server; the message carries the user restricted proximity service identifier and the target user restricted proximity service identifier.
Step S1418: The ProSe application server returns an authentication permission response message to the ProSe function entity of the other PLMN; the message carries the UE discovery identifier and the target UE discovery identifier.
Step S1420: The ProSe function entity of the other PLMN returns a monitoring authentication request response message to the ProSe function entity in the UE's HPLMN; the message carries the discovery code and the validity period corresponding to that discovery code.
Step S1422: The ProSe function entity of the UE's HPLMN assembles a discovery code template from the discovery codes in the monitoring authentication request response message and returns a discovery service request response message to the UE. The message carries the discovery code template and the corresponding validity period.
Here, if the clock of the ProSe function entity of the UE's HPLMN is already synchronized with the clock of the other PLMN's ProSe function entity, the current time is the current time of the ProSe function entity of the UE's HPLMN; otherwise it is the current time carried in the monitoring authentication response. The maximum duration is the maximum duration carried in the monitoring authentication response. The UE sets its ProSe clock according to the current time.
Step S1424: The UE allocates radio resources and starts listening for the broadcast information sent by the broadcasting UE.
FIG. 15 is a flowchart of a matching method for the D2D restricted discovery service according to the third preferred embodiment of the present invention; the specific flow is as follows:
Step S1500: After receiving the broadcast information sent by the broadcasting UE, the UE finds that the discovery code broadcast by the broadcasting UE is present in the corresponding discovery code template and that the discovery code is within the validity period corresponding to that template; it then sends a matching report message to the ProSe function entity of the UE's HPLMN. The message carries the user restricted proximity service identifier, the user identifier, the discovery type, the service identifier, the discovery code, the discovery code check code and the time counter, where the time counter is the correction time.
Step S1502: If the ProSe function entity has no associated UE context, the ProSe function entity performs discovery service authentication and authorization with the HSS and establishes a new UE context; the UE context contains the UE's subscription parameters.
Step S1504: The ProSe function entity of the UE's HPLMN sends a matching report message to the ProSe function entity of the other PLMN, which is the ProSe function entity of the broadcasting UE's HPLMN; the message carries the user restricted proximity service identifier, the user identifier, the discovery type, the service identifier, the discovery code, the discovery code check code and the time counter.
Step S1506: The ProSe function entity of the other PLMN verifies whether the discovery code check code is correct. The verification may use the MAC algorithm to check that the received check code matches the one computed by the ProSe function entity, or it may use the key algorithm to compute the corresponding discovery code and check whether it is correct.
Step S1508: After successful verification, the ProSe function entity of the other PLMN returns a matching report response message to the ProSe function entity in the UE's HPLMN.
Step S1510: The ProSe function entity of the UE's HPLMN sends an authentication request message to the ProSe application server; the message carries the user restricted proximity service identifier and the target user restricted proximity service identifier.
Step S1512: After successful authentication, the ProSe application server returns a matching report response message to the ProSe function entity of the UE's HPLMN; the message carries the UE discovery identifier and the discovery identifier of the target UE.
Step S1514: The ProSe function entity of the UE's HPLMN verifies the UE discovery identifier and the target UE discovery identifier.
Step S1516: After successful authentication, the ProSe function entity of the UE's HPLMN returns a matching report response message to the UE; the message carries the discovery code prefix, the service identifier, the target user restricted proximity service identifier and the validity period corresponding to the discovery code prefix.
At this point the monitoring UE has discovered the broadcasting UE; spoofing and replay of the discovery code prefix and suffix are prevented, and their integrity is guaranteed.
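The following is an added worked example, not code from the patent or from ZTE, showing both ends of the check described in steps S1318 and S1506: the broadcasting UE computes HMAC-SHA-256 over S = FC||P0||L0||P1||L1 with the 128-bit discovery code key and sends the discovery code, the check code and the 4-bit time counter; the verifier recovers the broadcast second from its own clock plus the counter (the page's 8-second correction), rejects anything outside the validity period, and recomputes the check code. The page fixes only the order of the fields in S, so the byte encodings chosen here (FC as one byte, P0 as a 32-bit seconds value, L0 and L1 as 16-bit lengths), the FC value, and all key and discovery code sample values are assumptions, constructed for the example.

```python
"""Discovery code check code (S1318) and its verification (S1506).

Added example; not the patent's own code. Field encodings and the FC value
are assumptions: the page only fixes the order S = FC||P0||L0||P1||L1.
"""
import hashlib
import hmac
import struct

FC_HMAC_SHA256 = b"\x01"      # hypothetical fixed-length algorithm-type value
TIME_COUNTER_MASK = 0x0F      # last 4 bits of the seconds value (at most 16 s)
TIME_COUNTER_TOLERANCE = 8    # the counter can correct an error of up to 8 s


def build_string_s(broadcast_time: int, discovery_code: bytes) -> bytes:
    """S = FC || P0 || L0 || P1 || L1 (P0 = broadcast time, P1 = discovery code)."""
    p0 = struct.pack(">I", broadcast_time)        # assumed: 32-bit seconds
    l0 = struct.pack(">H", len(p0))               # assumed: 16-bit length
    l1 = struct.pack(">H", len(discovery_code))   # assumed: 16-bit length
    return FC_HMAC_SHA256 + p0 + l0 + discovery_code + l1


def discovery_check_code(discovery_key: bytes, broadcast_time: int,
                         discovery_code: bytes) -> bytes:
    """check code = HMAC-SHA-256(discovery code key, S)."""
    return hmac.new(discovery_key, build_string_s(broadcast_time, discovery_code),
                    hashlib.sha256).digest()


def time_counter(broadcast_time: int) -> int:
    """Last 4 bits of the broadcast time truncated to seconds."""
    return broadcast_time & TIME_COUNTER_MASK


def announce(discovery_key: bytes, prefix: bytes, suffix: bytes, broadcast_time: int):
    """Broadcasting UE (S1318): the discovery code is prefix (from the ProSe
    function) followed by suffix (from the ProSe application server)."""
    discovery_code = prefix + suffix
    check_code = discovery_check_code(discovery_key, broadcast_time, discovery_code)
    return discovery_code, check_code, time_counter(broadcast_time)


def recover_broadcast_time(verifier_time: int, counter: int) -> int:
    """Exactly one second in [verifier_time - 8, verifier_time + 7] has the low
    4 bits equal to counter; it is the broadcast second if the clocks differ by
    less than 8 s. A larger skew or a replayed counter lands on the wrong second
    and the HMAC then fails to match."""
    base = verifier_time - TIME_COUNTER_TOLERANCE
    return base + ((counter - base) & TIME_COUNTER_MASK)


def verify_match_report(discovery_key: bytes, discovery_code: bytes, check_code: bytes,
                        counter: int, verifier_time: int,
                        validity_start: int, max_duration: int) -> bool:
    """Verifier (S1506): recompute the check code and compare in constant time."""
    broadcast_time = recover_broadcast_time(verifier_time, counter)
    if not validity_start <= broadcast_time < validity_start + max_duration:
        return False  # outside the discovery time slot
    expected = discovery_check_code(discovery_key, broadcast_time, discovery_code)
    return hmac.compare_digest(expected, check_code)


# Constructed sample values (not from the page).
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # 128-bit key
SAMPLE_PREFIX = b"\x10\x20\x30"
SAMPLE_SUFFIX = b"\xaa\xbb\xcc\xdd"
SAMPLE_VALIDITY_START = 1_000_000
SAMPLE_MAX_DURATION = 3600


if __name__ == "__main__":
    t_broadcast = SAMPLE_VALIDITY_START + 100
    dc, cc, ctr = announce(SAMPLE_KEY, SAMPLE_PREFIX, SAMPLE_SUFFIX, t_broadcast)
    for skew in (0, 5, -7, 9):  # verifier clock offset in seconds
        ok = verify_match_report(SAMPLE_KEY, dc, cc, ctr, t_broadcast + skew,
                                 SAMPLE_VALIDITY_START, SAMPLE_MAX_DURATION)
        print(f"skew {skew:+d}s -> {'accepted' if ok else 'rejected'}")
```

Running the demo shows the counter doing its job: skews of 0, +5 and -7 seconds are accepted, while a skew of 9 seconds (or a replay of the same broadcast minutes later) resolves to a different second and the check code no longer matches.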
Corresponding to the third preferred embodiment above, an embodiment of the present invention further provides a discovery service code verification method. FIG. 16 is another flowchart of a discovery service code verification method according to an embodiment of the present invention; as shown in FIG. 16, it includes the following steps:
Step S1602: The broadcasting UE obtains the prefix of the discovery service code, obtains the suffix of the discovery service code, and obtains a third key corresponding to the discovery service code, where the discovery service code comprises the prefix of the discovery service code and the suffix of the discovery service code.
Step S1604: The broadcasting UE generates, from the discovery service code and the third key, a third check code used to verify the discovery service code.
Step S1606: The broadcasting UE broadcasts the third check code to the monitoring UE.
Through the above steps, once the discovery service code and its corresponding key have been obtained (i.e. one key is allocated for the discovery code prefix and the discovery code suffix together), a verification code can be generated from the discovery service code and its key and the discovery service code can then be verified. This solves the problem that the related art offers no protection scheme for the discovery code suffix, thereby achieving integrity protection of the discovery code suffix: it prevents not only the risk of the discovery code prefix being spoofed or replayed, but also the risk of the discovery code suffix being spoofed or replayed.
For step S1602, in an optional example of an embodiment of the present invention, obtaining the prefix of the discovery service code, the suffix of the discovery service code and the third key corresponding to the discovery service code comprises: the broadcasting UE obtaining the prefix of the discovery service code from the ProSe function entity, obtaining the suffix of the discovery service code from the ProSe server, and obtaining the third key corresponding to the discovery service code from the ProSe function entity.
In summary, the embodiments of the present invention achieve the following technical effects: the problem that the related art offers no protection scheme for the discovery code suffix is solved, integrity protection of the discovery code suffix is achieved, and not only the risk of the discovery code prefix being spoofed or replayed but also the risk of the discovery code suffix being spoofed or replayed is prevented.
In another embodiment, software is also provided for performing the technical solutions described in the above embodiments and preferred implementations.
In another embodiment, a storage medium is also provided, in which the above software is stored; the storage medium includes, but is not limited to, an optical disc, a floppy disk, a hard disk, a rewritable memory, and the like.
It should be noted that the terms "first", "second" and the like in the specification, the claims and the above drawings are used to distinguish similar objects and are not necessarily used to describe a particular order or sequence. It should be understood that objects so used are interchangeable where appropriate, so that the embodiments of the invention described herein can be carried out in orders other than those illustrated or described herein. In addition, the terms "comprising" and "having", and any variants thereof, are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to such a process, method, product or device.
It will be apparent to those skilled in the art that the modules or steps of the present invention described above can be implemented by a general-purpose computing device; they can be concentrated on a single computing device or distributed over a network formed by multiple computing devices. Optionally, they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device, and in some cases the steps shown or described can be performed in an order different from that given here, or they can be made into individual integrated circuit modules, or several of the modules or steps can be made into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above description covers only preferred embodiments of the present invention and is not intended to limit it; those skilled in the art can make various modifications and changes to the present invention. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
Industrial applicability
With the technical solution provided by the present invention, once the discovery code suffix and the key corresponding to the discovery code suffix have been obtained, a verification code can be generated from the discovery code suffix and its corresponding key. This solves the problem that the related art offers no protection scheme for the discovery code suffix, thereby achieving integrity protection of the discovery code suffix: it prevents not only the risk of the discovery code prefix being spoofed or replayed, but also the risk of the discovery code suffix being spoofed or replayed.

Claims (12)

  1. A verification processing method for a discovery service code, comprising:
    a broadcasting user equipment (UE) obtaining a discovery code suffix of the discovery service code and a first key corresponding to the discovery code suffix;
    the broadcasting UE generating, from the discovery code suffix and the first key, a first check code used to verify the discovery code suffix;
    the broadcasting UE broadcasting the first check code to a monitoring UE.
  2. The method according to claim 1, wherein the broadcasting UE obtaining the discovery code suffix of the discovery service code and the first key corresponding to the discovery code suffix comprises:
    the broadcasting UE obtaining the discovery code suffix and the first key from a proximity-based service (ProSe) server and/or a ProSe function entity.
  3. The method according to claim 1, wherein,
    when the broadcasting UE obtains the discovery code suffix of the discovery service code and the first key corresponding to the discovery code suffix, the method further comprises: the broadcasting UE obtaining, from the ProSe function entity, a discovery code prefix of the discovery service code and a second key corresponding to the discovery code prefix;
    the method further comprises: the broadcasting UE generating, from the discovery code prefix and the second key, a second check code used to verify the discovery code prefix.
  4. The method according to claim 3, wherein the first check code and/or the second check code are generated by the following algorithm: hash-based message authentication code with secure hash algorithm (HMAC-SHA).
  5. The method according to claim 4, wherein, when the broadcasting UE broadcasts the first check code to the monitoring UE, the method further comprises: sending the second check code to the monitoring UE.
  6. A verification method for a discovery service code, comprising:
    a monitoring user equipment (UE) receiving broadcast information broadcast by a broadcasting UE;
    the monitoring UE obtaining, from the broadcast information, a second check code used to verify a discovery code suffix of the discovery service code;
    the monitoring UE verifying the discovery code suffix according to the second check code.
  7. The method according to claim 6, wherein the method further comprises:
    the monitoring UE further obtaining, from the broadcast information, a second check code used to verify a discovery code prefix of the discovery service code;
    the monitoring UE verifying the discovery code prefix according to the second check code.
  8. A verification method for a discovery service code, comprising:
    a broadcasting user equipment (UE) obtaining a prefix of the discovery service code, obtaining a suffix of the discovery service code, and obtaining a third key corresponding to the discovery service code, wherein the discovery service code comprises the prefix of the discovery service code and the suffix of the discovery service code;
    the broadcasting UE generating, from the discovery service code and the third key, a third check code used to verify the discovery service code;
    the broadcasting UE broadcasting the third check code to a monitoring UE.
  9. The method according to claim 8, wherein the broadcasting UE obtaining the prefix of the discovery service code, obtaining the suffix of the discovery service code, and obtaining the third key corresponding to the discovery service code comprises: the broadcasting UE obtaining the prefix of the discovery service code from a ProSe function entity, obtaining the suffix of the discovery service code from a ProSe server, and obtaining the third key corresponding to the discovery service code from the ProSe function entity.
  10. A verification processing device for a discovery service code, applied in a broadcasting user equipment (UE), comprising:
    an obtaining module, configured to obtain a discovery code suffix of the discovery service code and a first key corresponding to the discovery code suffix;
    a generating module, configured to generate, from the discovery code suffix and the first key, a first check code used to verify the discovery code suffix;
    a broadcasting module, configured to broadcast the first check code to a monitoring UE.
  11. The device according to claim 10, wherein the obtaining module is configured to obtain the discovery code suffix and the first key from a proximity-based service (ProSe) server.
  12. A verification device for a discovery service code, applied in a monitoring UE, comprising:
    a receiving module, configured to receive broadcast information broadcast by a broadcasting UE;
    an obtaining module, configured to obtain, from the broadcast information, a second check code used to verify a discovery code suffix of the discovery service code;
    a verification module, configured to verify the discovery code suffix according to the second check code.
PCT/CN2015/085362 2015-01-13 2015-07-28 Discovery service code checking processing method and device, and discovery service code checking method and device WO2016112677A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510016482.4A CN104540106B (en) 2015-01-13 2015-01-13 It was found that the checking treatment of service code, method of calibration and device
CN201510016482.4 2015-01-13

Publications (1)

Publication Number Publication Date
WO2016112677A1 true WO2016112677A1 (en) 2016-07-21

Family

ID=52855543

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/085362 WO2016112677A1 (en) 2015-01-13 2015-07-28 Discovery service code checking processing method and device, and discovery service code checking method and device

Country Status (2)

Country Link
CN (1) CN104540106B (en)
WO (1) WO2016112677A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220032181A1 (en) * 2019-03-18 2022-02-03 Google Llc Cloud-based discovery service for end-user devices

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104540106B (en) * 2015-01-13 2019-02-12 中兴通讯股份有限公司 It was found that the checking treatment of service code, method of calibration and device
CN107534858B (en) * 2015-08-06 2020-09-11 华为技术有限公司 Processing method and device for matching report message
WO2017031629A1 (en) * 2015-08-21 2017-03-02 华为技术有限公司 Method and device for finding terminal device
WO2019051776A1 (en) * 2017-09-15 2019-03-21 华为技术有限公司 Key transmission method and device
CN108134991B (en) * 2017-12-22 2020-10-16 杭州清创微品智能科技有限公司 Method and system for reducing D2D equipment switching

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2685779A1 (en) * 2012-07-09 2014-01-15 Industrial Technology Research Institute Method and apparatus for device to device communication
US20140344578A1 (en) * 2013-05-16 2014-11-20 Samsung Electronics Co., Ltd. Method and apparatus for performing discovery for device-to-device communication
CN104185208A (en) * 2013-05-20 2014-12-03 华为终端有限公司 Approaching business authorizing method, device and system thereof
CN104540106A (en) * 2015-01-13 2015-04-22 中兴通讯股份有限公司 Verifying processing method for finding service code and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104066070B (en) * 2013-03-20 2018-10-26 中兴通讯股份有限公司 Terminal registration method, terminal find method, terminal and device


Also Published As

Publication number Publication date
CN104540106B (en) 2019-02-12
CN104540106A (en) 2015-04-22


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15877591

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15877591

Country of ref document: EP

Kind code of ref document: A1