WO2022042417A1 - Authentication method, apparatus and system - Google Patents

Authentication method, apparatus and system

Info

Publication number
WO2022042417A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
terminal device
network element
blockchain system
identifier
Application number
PCT/CN2021/113523
Other languages
French (fr)
Chinese (zh)
Inventor
张艳平
洪佳楠
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/006: ... involving public key infrastructure [PKI] trust models
    • H04L 9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/088: Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key or password length, or different strong and weak cryptographic algorithms
    • H04L 9/14: ... using a plurality of keys or algorithms

Definitions

  • The present application relates to the field of communication technologies, and in particular to an authentication method, device and system.
  • AKMA: application-layer authentication and key management.
  • In the AKMA architecture, the AKMA authentication function (AAuF) network element sits between the authentication service function (Authentication Server Function, AUSF) network element and the AKMA application function (AApF) network element.
  • The AApF network element locates the AUSF network element through the AAuF network element.
  • When the terminal device accesses the mobile network and authentication between the terminal device and the AUSF network element succeeds, the AUSF network element and the terminal device negotiate a key between them and, based on that key, generate a key used for secure communication between the terminal device and the AApF network element.
  • The AApF network element can obtain the key for secure communication between the terminal device and the AApF network element from the AUSF network element and use it when the terminal device accesses a third-party application. That is to say, the AKMA architecture reuses the result of the mobile network's authentication of the terminal device: an authentication procedure needs to be run only when the terminal device accesses the mobile network in order to realize secure communication.
  • The AApF network elements on the application side need to be configured with the interfaces and interface addresses of the AAuF network elements in different networks.
  • The AApF network element needs to add or delete the interface and interface address of the AAuF network element in a private network, which obviously increases the implementation complexity of third-party applications.
  • The embodiments of the present application provide an authentication method, device and system that can simplify the configuration of third-party applications.
  • An authentication method comprising: a blockchain system receives a first message from an application server, where the first message includes a first identifier and parameters and/or a message encrypted by the terminal device using a first key; the blockchain system determines the user context of the terminal device according to the first identifier; and the blockchain system verifies, according to the user context of the terminal device and the parameters and/or message encrypted by the terminal device using the first key, the legitimacy of the terminal device for the third-party application corresponding to the application server.
  • Based on this solution, the blockchain system verifies the legitimacy of the terminal device for the third-party application, so that when the terminal device's access to the third-party application is illegitimate, the access process can be terminated in time. This prevents an illegitimate terminal device from accessing the third-party application and avoids the resource consumption and signaling waste that would be caused by continuing to execute the subsequent process (e.g., continuing to provide a security key for communication between the application server corresponding to the third-party application and the terminal device).
  • The AApF network elements on the application side need to configure the interfaces and interface addresses with the AAuF network elements in different networks one by one.
  • The unified cross-domain authentication interface provided by the blockchain system enables the application server to interact with the blockchain system through this interface and perform secure operations through the blockchain system (such as verifying the legitimacy of terminal devices for third-party applications). This not only simplifies the configuration of third-party applications but also avoids the problem of the third-party application party negotiating with operators one by one and deploying network elements to plan routes, which improves the efficiency of the third-party application party.
  • The user context of the terminal device includes the first key, and the blockchain system determining the user context of the terminal device according to the first identifier includes: the blockchain system determines the first key according to the first identifier.
  • The blockchain system verifying the legitimacy of the terminal device for the third-party application corresponding to the application server, according to the user context of the terminal device and the parameters and/or message encrypted by the terminal device using the first key, includes: the blockchain system uses the first key to decrypt the parameters and/or message that the terminal device encrypted using the first key, obtaining the decrypted parameters and/or message; when the decrypted parameters conform to the preconfigured parameter format or value used for interaction between the terminal device and the blockchain system, and/or the decrypted message conforms to the preconfigured message format used for interaction between the terminal device and the blockchain system, the blockchain system determines that the terminal device is legitimate. Based on this solution, legitimacy verification of the terminal device can be realized.
  • The first identifier includes at least one of the global blockchain identifier of the terminal device or the key identifier (KID) corresponding to the second key, where the second key is the key generated after successful authentication between the terminal device and the authentication service function network element.
  • The first key is derived from the second key, and the second key is the key generated after successful authentication between the terminal device and the authentication service function network element.
  • The communication method provided by the embodiment of the present application further includes: after the blockchain system verifies that the terminal device is legitimate, the blockchain system obtains a third key, which is the key used for secure communication between the terminal device and the application server, and the blockchain system sends the third key to the application server. That is to say, in the embodiment of the present application, the security parameters for communication between the application server and the terminal device can be obtained through the blockchain system, so as to realize secure communication between the terminal device and the application server.
  • The embodiment of the present application can provide a unified cross-domain authentication interface through the blockchain system, enabling the application server to interact with the blockchain system through this interface and perform secure operations through the blockchain system (such as obtaining the security parameters for communication between the application server and the terminal device). This not only simplifies the configuration of third-party applications but also avoids the problem of the third-party application party negotiating with operators one by one and deploying network elements to plan routes, which improves the efficiency of the third-party application party.
  • The user context of the terminal device includes the first key, and the blockchain system obtaining the third key includes: the blockchain system generates the third key, where the input parameters for generating the third key include the first key. That is to say, in the embodiment of the present application, the security parameters for communication between the application server and the terminal device can be obtained through the blockchain system, and the legitimacy of the terminal device for the third-party application corresponding to the application server can be verified by the blockchain system.
  • Obtaining the third key by the blockchain system includes: the blockchain system sends a second message to the authentication service function network element, where the second message includes the first identifier, the first identifier is used to determine the user context of the terminal device, the user context of the terminal device includes the first key or the second key, and the second key is generated after successful authentication between the terminal device and the authentication service function network element; the blockchain system then receives the third key from the authentication service function network element, where the input parameters for generating the third key include the first key or the second key. That is to say, in the embodiment of the present application, the blockchain system can verify the legitimacy of the terminal device for the third-party application corresponding to the application server, and the security parameters for communication between the application server and the terminal device can be obtained through the blockchain system.
  • The input parameters for generating the third key further include a second identifier and/or a decrypted parameter, where the second identifier is the application identifier of the third-party application, and the decrypted parameter is the parameter obtained by using the first key to decrypt the parameter encrypted by the terminal device using the first key.
  • The authentication method provided in this embodiment of the present application further includes: the blockchain system receives a third message from the authentication service function network element, where the third message requests that the first key, the first identifier and the address of the authentication service function network element be stored in the user context of the terminal device; the blockchain system stores the first key, the first identifier and the address of the authentication service function network element in the user context of the terminal device.
  • Based on this solution, the authentication service function network element can send to the blockchain system the information required by the application server to perform secure operations through the blockchain system (such as the first key, the first identifier and the address of the authentication service function network element), so that the application server can subsequently perform secure operations through the blockchain system.
  • A unified cross-domain authentication interface can be provided by the blockchain system, so that the application server can interact with the blockchain system through this interface and perform secure operations through the blockchain system. This not only simplifies the configuration of third-party applications but also avoids the problem of the third-party application party negotiating with operators one by one and deploying network elements to plan routes, which improves the efficiency of the third-party application party.
  • The blockchain system stores the address of the authentication service function network element in the user context of the terminal device, so that when the blockchain system subsequently interacts with the authentication service function network element, it can obtain the address of the authentication service function network element directly from the user context of the terminal device, which simplifies the processing logic of the blockchain system.
  • The authentication method provided in this embodiment of the present application further includes: the blockchain system receives the third message from the authentication service function network element, where the third message requests that the first key and the first identifier be stored in the user context of the terminal device; the blockchain system stores the first key and the first identifier in the user context of the terminal device.
  • Based on this solution, the authentication service function network element can send to the blockchain system the information required by the application server to perform secure operations through the blockchain system (such as the first key and the first identifier), so that the application server can subsequently perform secure operations through the blockchain system. That is to say, in this embodiment of the present application, a unified cross-domain authentication interface can be provided by the blockchain system, so that the application server can interact with the blockchain system through this interface and perform secure operations through the blockchain system. This not only simplifies the configuration of third-party applications but also avoids the problem of the third-party application party negotiating with operators one by one and deploying network elements to plan routes, which improves the efficiency of the third-party application party.
  • An authentication method includes: an authentication service function network element obtains indication information, where the indication information indicates that a secure operation is to be performed through a blockchain system; and the authentication service function network element, according to the indication information, sends a third message to the blockchain system, where the third message includes first information and is used to request that the first information be stored in the user context of the terminal device, the first information being the information required by the application server to perform secure operations through the blockchain system.
  • Based on this solution, the authentication service function network element can send to the blockchain system the information required by the application server to perform secure operations through the blockchain system.
  • The first information includes a first identifier and the address of the authentication service function network element, where the first identifier is used to determine the user context of the terminal device.
  • The blockchain system stores the address of the authentication service function network element in the user context of the terminal device, so that when the blockchain system subsequently interacts with the authentication service function network element, it can obtain the address of the authentication service function network element from the user context, which simplifies the processing logic of the blockchain system.
  • The first information includes the first identifier and the first key.
  • The first key is derived from a second key, and the second key is the key generated after successful authentication between the terminal device and the authentication service function network element.
  • The first information includes the first identifier, the first key and the address of the authentication service function network element.
  • The first identifier includes at least one of the global blockchain identifier of the terminal device or the key identifier (KID) corresponding to the second key.
  • Obtaining the indication information by the authentication service function network element includes: the authentication service function network element receives the indication information from the terminal device; or the authentication service function network element receives the indication information from the unified data management network element.
  • The method further includes: the authentication service function network element receives a second message from the blockchain system, where the second message includes the first identifier; the authentication service function network element determines the user context of the terminal device according to the first identifier, where the user context of the terminal device includes the first key or the second key, the first key is derived from the second key, and the second key is the key generated after successful authentication between the terminal device and the authentication service function network element; the authentication service function network element generates a third key, which is the key used for secure communication between the terminal device and the application server, where the input parameters for generating the third key include the first key or the second key; and the authentication service function network element sends the third key to the blockchain system.
  • Based on this solution, the authentication service function network element can generate the security parameter (e.g., the third key) for communication between the application server and the terminal device, and the application server can then obtain the security parameters for that communication through the blockchain system.
  • The second message further includes a second identifier and/or a parameter encrypted by the terminal device using the first key, where the second identifier is the application identifier of the third-party application corresponding to the application server; the input parameters for generating the third key also include the second identifier and/or the decrypted parameter, where the decrypted parameter is the parameter obtained by using the first key to decrypt the parameter encrypted by the terminal device using the first key. The decrypted parameter can include, for example, a random number selected by the terminal device; because the random number is random, the third key generated from it is also more flexible and is not easily attacked by attackers, which further ensures secure communication between the terminal device and the application server.
  • The second message further includes parameters and/or a message encrypted by the terminal device using the first key, and before the authentication service function network element generates the third key, the method further includes: the authentication service function network element verifies the legitimacy of the terminal device for the third-party application corresponding to the application server according to the user context of the terminal device and the parameters and/or message encrypted by the terminal device using the first key. Based on this solution, when the terminal device's access to the third-party application is illegitimate, the access process can be terminated in time, which prevents an illegitimate terminal device from accessing the third-party application and avoids the resource consumption and signaling waste of continuing to execute the subsequent process (such as continuing to provide a security key for communication between the application server corresponding to the third-party application and the terminal device).
  • The user context of the terminal device includes the first key, and the authentication service function network element verifying the legitimacy of the terminal device for the third-party application corresponding to the application server, according to the user context of the terminal device and the parameters and/or message encrypted by the terminal device using the first key, includes: the authentication service function network element uses the first key to decrypt the parameters and/or message that the terminal device encrypted using the first key, obtaining the decrypted parameters and/or message; when the decrypted parameter conforms to the preconfigured parameter format or value used for interaction between the terminal device and the authentication service function network element, and/or the decrypted message conforms to the preconfigured message format used for interaction between the terminal device and the authentication service function network element, the authentication service function network element determines that the terminal device is legitimate. Based on this solution, legitimacy verification of the terminal device can be realized.
  • Performing the secure operation through the blockchain system includes obtaining the security parameters for communication between the application server and the terminal device through the blockchain system.
  • Performing the secure operation through the blockchain system further includes verifying, through the blockchain system, the legitimacy of the terminal device for the third-party application corresponding to the application server.
  • An authentication method includes: the blockchain system receives a first message from an application server, where the first message includes a first identifier; the blockchain system determines the user context of the terminal device according to the first identifier, where the user context of the terminal device includes a first key; and the blockchain system generates a third key, which is the key used for secure communication between the terminal device and the application server, where the input parameters for generating the third key include the first key.
  • The application server interacts with the blockchain system through this interface and performs secure operations through the blockchain system (such as obtaining the security parameters for communication between the application server and the terminal device through the blockchain system), which not only simplifies the configuration of the third-party application but also avoids the problem of the third-party application party negotiating with operators one by one and deploying network elements to plan routes, and so improves the efficiency of the third-party application party.
  • The first key is derived from a second key, and the second key is the key generated after successful authentication between the terminal device and the authentication service function network element.
  • The first message further includes a second identifier and/or a parameter encrypted by the terminal device using the first key, where the second identifier is the application identifier of the third-party application corresponding to the application server; the input parameters for generating the third key also include the second identifier and/or the decrypted parameter, where the decrypted parameter is the parameter obtained by using the first key to decrypt the parameter encrypted by the terminal device using the first key. The decrypted parameter can include, for example, a random number selected by the terminal device; because the random number is random, the third key generated from it is also more flexible and is not easily attacked by attackers, which further ensures secure communication between the terminal device and the application server.
  • The communication method provided by the embodiment of the present application further includes: the blockchain system receives the third message from the authentication service function network element, where the third message requests that the first key and the first identifier be stored in the user context of the terminal device; the blockchain system stores the first key and the first identifier in the user context of the terminal device.
  • An authentication method comprising: an authentication service function network element receives a second message from a blockchain system, where the second message includes a first identifier; and the authentication service function network element determines the user context of the terminal device according to the first identifier.
  • The user context of the terminal device includes the first key or the second key; the first key is derived from the second key, and the second key is the key generated after successful authentication between the terminal device and the authentication service function network element; the input parameters for generating the third key include the first key or the second key.
  • a communication device for implementing the above method.
  • the communication device may be one or more blockchain devices in the blockchain system in the first aspect or the third aspect, or a device including the blockchain system; or, the communication device may be the second blockchain system described above.
  • the communication device includes corresponding modules, units, or means (means) for implementing the above method, and the modules, units, or means may be implemented by hardware, software, or hardware executing corresponding software.
  • the hardware or software includes one or more modules or units corresponding to the above functions.
  • a communication device comprising: a processor and a memory; the memory is used for storing computer instructions, and when the processor executes the instructions, the communication device executes the method described in any one of the above aspects.
  • the communication device may be one or more blockchain devices in the blockchain system in the first aspect or the third aspect, or a device including the blockchain system; or, the communication device may be the second blockchain system described above.
  • a communication device comprising: a processor; the processor is configured to be coupled to a memory, and after reading an instruction in the memory, execute the method according to any one of the preceding aspects according to the instruction.
  • the communication device may be one or more blockchain devices in the blockchain system in the first aspect or the third aspect, or a device including the blockchain system; or, the communication device may be the second blockchain system described above.
  • a communication device comprising: a processor and an interface circuit; the interface circuit is used to receive a computer program or instruction and transmit it to the processor; the processor is used to execute the computer program or instruction to enable the communication device to perform the method described in any one of the above aspects.
  • the communication device may be one or more blockchain devices in the blockchain system in the first aspect or the third aspect, or a device including the blockchain system; or, the communication device may be the second blockchain system described above.
  • a computer-readable storage medium is provided, and instructions are stored in the computer-readable storage medium, when the computer-readable storage medium runs on a computer, the computer can execute the method described in any one of the above aspects.
  • a computer program product comprising instructions which, when run on a computer, enable the computer to perform the method of any of the preceding aspects.
  • a communication apparatus is provided; for example, the communication apparatus may be a chip or a chip system.
  • the communication apparatus includes a processor for implementing the functions involved in any of the above aspects.
  • the communication device further includes a memory for storing necessary program instructions and data.
  • when the communication device is a chip system, it may consist of a chip, or may include a chip and other discrete devices.
  • a twelfth aspect provides a communication system, where the communication system includes a blockchain system and an application server; the application server is configured to send a first message to the blockchain system, where the first message includes a first identifier and the parameters and/or messages encrypted by the terminal device using the first key; the blockchain system is used to receive the first message from the application server and, after determining the user context of the terminal device according to the first identifier, verify the legitimacy of the terminal device for a third-party application corresponding to the application server according to the user context of the terminal device and the parameters and/or messages encrypted by the terminal device using the first key.
  • for the twelfth aspect, reference may be made to the above-mentioned first aspect, which is not repeated here.
  • a thirteenth aspect provides a communication system, where the communication system includes a blockchain system and an application server; the application server is configured to send a first message to the blockchain system, where the first message includes a first identifier; the blockchain system is used to receive the first message from the application server and, after determining the user context of the terminal device according to the first identifier, generate a third key, where the third key is used for secure communication between the terminal device and the application server.
  • the user context of the terminal device includes the first key, and the input parameter for generating the third key includes the first key.
  • a fourteenth aspect provides a communication system, including an authentication service function network element and a blockchain system; the authentication service function network element is used to obtain indication information, where the indication information indicates that the security operation is performed through the blockchain system.
  • the authentication service function network element is further configured to send a third message to the blockchain system according to the indication information, where the third message includes the first information and is used to request that the first information be stored in the user context of the terminal device, and the first information is the information required by the application server to perform the security operation through the blockchain system.
  • the blockchain system is used for receiving the third message from the authentication service function network element, and storing the first information in the user context of the terminal device.
  • FIG. 1 is a schematic diagram of the existing AKMA architecture.
  • FIG. 2 is a schematic structural diagram of a communication system provided by an embodiment of the present application.
  • FIG. 3 is a schematic structural diagram of another communication system provided by an embodiment of the present application.
  • FIG. 4 is a schematic diagram of the architecture of a 5G network provided by an embodiment of the present application.
  • FIG. 5 is a schematic structural diagram of a communication device provided by an embodiment of the present application.
  • FIG. 6 is a first interaction diagram of an authentication method provided by an embodiment of the present application.
  • FIG. 7 is a second interaction diagram of an authentication method provided by an embodiment of the present application.
  • FIG. 8 is a third interaction diagram of an authentication method provided by an embodiment of the present application.
  • FIG. 9 is a first schematic flowchart of an authentication method provided by an embodiment of the present application.
  • FIG. 10 is a second schematic flowchart of an authentication method provided by an embodiment of the present application.
  • FIG. 11 is a third schematic flowchart of an authentication method provided by an embodiment of the present application.
  • FIG. 12 is a fourth schematic flowchart of an authentication method provided by an embodiment of the present application.
  • FIG. 13 is a schematic structural diagram of a communication apparatus provided by an embodiment of the present application.
  • Blockchain technology, also known as distributed ledger technology, is an emerging technology in which several computing devices jointly participate in "bookkeeping" (ie, recording transaction data) and jointly maintain a complete distributed database. Because blockchain technology is decentralized (that is, has no central node), open and transparent, every computing device can participate in recording to the database, and data can be synchronized quickly between computing devices, blockchain technology has been widely used in many fields.
  • according to the deployment method, a blockchain can be divided into a public chain and a consortium chain.
  • a public chain refers to a blockchain that can be read by any device in the world, or a blockchain in which any device can participate in the consensus verification process of transactions.
  • a consortium chain, also known as a consortium blockchain, refers to a blockchain whose participating members form a designated consortium; business transaction information between the members is recorded in the blockchain, which limits the scale of use and the authority to participate.
  • the blockchain system in the embodiments of the present application may also be referred to as a blockchain for short.
  • the blockchain system includes one or more blockchain devices, such as blockchain security processing modules.
  • the blockchain security processing module in the embodiment of the present application may be, for example, a blockchain smart contract module, where the blockchain smart contract module is the smart contract module in the blockchain system that processes the security operations of users accessing third-party applications; this is described uniformly here and will not be repeated below.
  • "at least one of the following items" or similar expressions refer to any combination of these items, including any combination of a single item or a plurality of items.
  • for example, at least one of a, b, or c may represent: a, b, c, ab, ac, bc, or abc, where each of a, b, and c may be single or multiple.
  • words such as "first" and "second" are used to distinguish items that are the same or similar and have basically the same function and effect.
  • the words "first", "second" and the like do not limit the quantity or the execution order, and the words "first", "second" and the like do not necessarily indicate that the items are different.
  • words such as "exemplary" or "for example" are used to present examples, illustrations or descriptions. Any embodiment or design described as "exemplary" or "for example" in the embodiments of the present application should not be construed as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "for example" is intended to present the related concepts in a specific manner to facilitate understanding.
  • the network architecture and service scenarios described in the embodiments of the present application are for the purpose of illustrating the technical solutions of the embodiments of the present application more clearly, and do not constitute limitations on the technical solutions provided by the embodiments of the present application.
  • the technical solutions provided in the embodiments of the present application are also applicable to similar technical problems.
  • a communication system 20 is provided in an embodiment of the present application.
  • the communication system 20 includes a blockchain system 201 and an application server 202.
  • the blockchain system 201 and the application server 202 may communicate directly or communicate through the forwarding of other devices, which is not specifically limited in this embodiment of the present application.
  • the application server 202 may interact with the blockchain system 201 through a newly added blockchain handling function (BCHF) network element in the current 5G communication system, which is not specifically limited in this embodiment of the present application.
  • the BCHF network element in the embodiment of the present application can act as an intermediary agent between the application server 202 and the blockchain system 201 when the application server 202 does not have the blockchain processing function (which can also be understood as not supporting blockchain-related operations), interacting with the blockchain system 201 on behalf of the application server 202.
  • the BCHF network element is responsible for publishing network processing information as transactions to the blockchain system, and at the same time publishing network-related information from the blockchain system to the network.
  • the functions of the BCHF network element include but are not limited to one or more of: publishing transactions, recording blocks, or executing smart contracts.
  • the BCHF network element in the embodiment of the present application can also act as an agent between another network element and the blockchain system when that network element does not have the blockchain processing function, interacting with the blockchain system on behalf of that network element.
  • for example, the BCHF network element can act as a proxy between the authentication service function network element 301 and the blockchain system 302 when the authentication service function network element 301 does not have the blockchain processing function, interacting with the blockchain system 302 on behalf of the authentication service function network element 301; this is described uniformly here and will not be repeated below.
  • the application server 202 is configured to send a first message to the blockchain system 201, where the first message includes the first identifier and the parameters and/or messages encrypted by the terminal device using the first key.
  • the blockchain system 201 is used for receiving the first message from the application server 202 and, after determining the user context of the terminal device according to the first identifier, verifying the legitimacy of the terminal device for the third-party application corresponding to the application server 202 according to the user context of the terminal device and the parameters and/or messages encrypted by the terminal device using the first key.
  • the blockchain system verifies the legitimacy of the terminal device for the third-party application, so that when the terminal device's access to the third-party application is illegal, the access process can be terminated in time, avoiding the resource consumption and signaling waste caused by continuing to execute the subsequent process (eg, continuing to provide a security key for the communication between the application server corresponding to the third-party application and the terminal device).
  • currently, the application-side AApF network element needs to configure the interfaces and interface addresses with the AAuF network elements in different networks one by one. Because the blockchain system in the embodiment of the present application can provide a unified cross-domain authentication interface, the application server can interact with the blockchain system through this interface and perform security operations through the blockchain system (such as verifying the legitimacy of the terminal device for the third-party application); this not only simplifies the configuration of the third-party application, but also avoids the one-by-one negotiation between the third-party application party and the operator and the deployment of network elements to plan routes, improving the efficiency of the third-party application party.
  • the application server 202 is configured to send a first message to the blockchain system 201 , where the first message includes the first identifier.
  • the blockchain system 201 is used to receive the first message from the application server 202 and, after determining the user context of the terminal device according to the first identifier, generate a third key, where the third key is the key used for secure communication between the terminal device and the application server.
  • the user context of the terminal device includes the first key, and the input parameter for generating the third key includes the first key.
  • currently, the application-side AApF network element needs to configure the interfaces and interface addresses with the AAuF network elements in different networks one by one. Because the blockchain system in the embodiment of the present application can provide a unified cross-domain authentication interface, the application server can interact with the blockchain system through this interface and perform security operations through the blockchain system (such as verifying the legitimacy of the terminal device for the third-party application); this not only simplifies the configuration of the third-party application, but also avoids the one-by-one negotiation between the third-party application party and the operator and the deployment of network elements to plan routes, improving the efficiency of the third-party application party.
  • a communication system 30 is provided in an embodiment of the present application.
  • the communication system 30 includes an authentication service function network element 301 and a blockchain system 302 .
  • the authentication service function network element 301 and the blockchain system 302 may communicate directly or communicate through the forwarding of other devices, which is not specifically limited in this embodiment of the present application.
  • the authentication service function network element 301 may interact with the blockchain system 302 through the newly added BCHF network element in the current 5G communication system, which is not specifically limited in this embodiment of the present application.
  • the authentication service function network element 301 is used to obtain indication information, where the indication information indicates that the security operation is performed through the blockchain system.
  • the authentication service function network element 301 is further configured to send a third message to the blockchain system 302 according to the indication information, where the third message includes the first information and is used to request that the first information be stored in the user context of the terminal device, wherein, the first information is the information required by the application server to perform a secure operation through the blockchain system 302 .
  • the blockchain system 302 is configured to receive the third message from the authentication service function network element 301, and store the first information in the user context of the terminal device.
  • performing the security operation through the blockchain system 302 includes obtaining, through the blockchain system 302, the security parameters for the communication between the application server and the terminal device.
  • performing the security operation through the blockchain system 302 includes verifying, through the blockchain system 302, the legitimacy of the terminal device for the third-party application corresponding to the application server.
  • based on this solution, the authentication service function network element can send the first information required by the application server to the blockchain system, which stores it in the user context of the terminal device.
  • a unified cross-domain authentication interface can be provided by the blockchain system, so that the application server can interact with the blockchain system through this interface and perform security operations through the blockchain system; this not only simplifies the configuration of the third-party application, but also avoids the one-by-one negotiation between the third-party application party and the operator and the deployment of network elements to plan routes, improving the efficiency of the third-party application party.
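The verification and key-agreement steps described for communication systems 20 and 30 above (the authentication service function network element storing the first key in the terminal's user context, the application server forwarding the first identifier together with a parameter the terminal encrypted under the first key, the blockchain system decrypting it, checking the pre-configured parameter format, and deriving the third key), as one added end-to-end example. This is illustrative code written for this page, not code from the patent or from Huawei; the HMAC-based authenticated-encryption construction, the 16-byte parameter format, the identifier "SUPI-001", the application identifier "app.example" and the HMAC-based derivation of the third key are all assumptions of the example, chosen so it runs with the Python standard library only.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Pre-configured parameter format agreed between terminal and network
# (assumption of this example: the encrypted parameter is a 16-byte random number).
PARAM_LEN = 16


# --- Toy authenticated encryption under the first key (K1) ------------------
# HMAC-SHA256 keystream in counter mode plus an HMAC tag. This stands in for
# the cipher the page leaves unspecified; it is for illustration, not production.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the tag does not verify under key."""
    if len(blob) < 12 + 32:
        return None
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# --- Third key derivation ---------------------------------------------------
def derive_third_key(first_key: bytes, random_number: bytes, app_id: str) -> bytes:
    """K3 = HMAC-SHA256(K1, random_number || app_id). K1 and the terminal's
    random number are the inputs named on the page; binding the application
    identifier is an added assumption of this example."""
    return hmac.new(first_key, random_number + app_id.encode(), hashlib.sha256).digest()


# --- Terminal side -----------------------------------------------------------
def terminal_prepare(first_key: bytes, param_len: int = PARAM_LEN) -> Tuple[bytes, bytes]:
    """Pick a random number and encrypt it under K1 for the application server
    to forward in the first message. Returns (random_number, encrypted_param)."""
    random_number = secrets.token_bytes(param_len)
    return random_number, encrypt(first_key, random_number)


# --- Blockchain system (security processing module) -------------------------
@dataclass
class UserContext:
    first_key: bytes  # the "first information" stored by the AUSF


class BlockchainSystem:
    def __init__(self) -> None:
        self.contexts: Dict[str, UserContext] = {}

    def handle_third_message(self, first_identifier: str, first_key: bytes) -> None:
        """Third message from the AUSF: store K1 in the terminal's user context."""
        self.contexts[first_identifier] = UserContext(first_key)

    def verify_terminal(self, first_identifier: str, encrypted_param: bytes) -> bool:
        """Legitimacy check: the parameter must decrypt under the context's K1
        and conform to the pre-configured format."""
        ctx = self.contexts.get(first_identifier)
        if ctx is None:
            return False
        param = decrypt(ctx.first_key, encrypted_param)
        return param is not None and len(param) == PARAM_LEN

    def handle_first_message(self, first_identifier: str, app_id: str,
                             encrypted_param: bytes) -> Optional[bytes]:
        """First message from the application server: verify, then derive K3.
        Returns None (access process terminated) when the terminal is not legitimate."""
        if not self.verify_terminal(first_identifier, encrypted_param):
            return None
        ctx = self.contexts[first_identifier]
        random_number = decrypt(ctx.first_key, encrypted_param)
        return derive_third_key(ctx.first_key, random_number, app_id)


if __name__ == "__main__":
    k1 = secrets.token_bytes(32)                 # constructed K1
    bc = BlockchainSystem()
    bc.handle_third_message("SUPI-001", k1)      # constructed first identifier
    rnd, blob = terminal_prepare(k1)
    k3 = bc.handle_first_message("SUPI-001", "app.example", blob)
    assert k3 == derive_third_key(k1, rnd, "app.example")
    print("K3 agreed on both sides:", k3.hex())
```

Running the block derives the same K3 on the terminal side (from its own random number) and on the blockchain side (from the decrypted parameter), which is the property the third key relies on; a first message under an unknown identifier, a ciphertext that fails authentication under the stored first key, or a parameter that violates the pre-configured format is rejected before any key is derived, which is the early termination of the access process that the text describes.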
  • the "third party" in the "third-party application" in the embodiment of the present application is relative to the operator's transmission network, such as a mobile transmission network.
  • the "third-party application" in this embodiment of the present application may be any currently runnable application; this is described uniformly here and will not be repeated below.
  • the communication system 20 shown in FIG. 2 or the communication system 30 shown in FIG. 3 may be applied to the current 5G network or other future networks, which is not specifically limited in this embodiment of the present application.
  • as shown in FIG. 4, the application server 202 in the communication system 20 may be an application function (AF) network element in the 5G network architecture, and the network element or entity corresponding to the authentication service function network element in the communication system 30 shown in FIG. 3 may be a network element in the 5G network architecture.
  • the current 5G network can also include access network equipment, an access and mobility management function (AMF) network element, a session management function (SMF) network element, a BCHF network element, a user plane function (UPF) network element, a network slice selection function (NSSF) network element, a network exposure function (NEF) network element, a network repository function (NRF) network element, a policy control function (PCF) network element, a unified data management (UDM) network element, etc., which are not specifically limited in this embodiment of the present application.
  • the terminal device accesses the 5G network through the access network device; the terminal device communicates with the AMF network element through the N1 interface (N1 for short); the access network device communicates with the AMF network element through the N2 interface (N2 for short); the access network device communicates with the UPF network element through the N3 interface (N3 for short); the SMF network element communicates with the UPF network element through the N4 interface (N4 for short); and the UPF network element accesses the data network through the N6 interface (N6 for short).
  • the control plane network elements shown in FIG. 4, such as the AUSF, AMF, SMF, NSSF, NEF, NRF, PCF, UDM, AF, or BCHF network elements, can also interact using service interfaces.
  • the service interface provided externally by the AUSF network element can be Nausf; the service interface provided by the AMF network element can be Namf; the service interface provided by the SMF network element can be Nsmf; the service interface provided by the NSSF network element can be Nnssf; the service interface provided by the NEF network element can be Nnef; the service interface provided by the NRF network element can be Nnrf; the service interface provided by the PCF network element can be Npcf; the service interface provided by the UDM network element can be Nudm; the service interface provided by the AF network element can be Naf; and the service interface provided by the BCHF network element can be Nbchf.
  • the BCHF network element in the embodiment of the present application may be an independent function module deployed independently of the 5G network elements, or may be a distributed function module deployed together with a 5G network element, which is not specifically limited in this embodiment of the present application.
  • the blockchain system, the application server, or the authentication service function network element in the embodiment of the present application may also be referred to as a communication device or a communication apparatus, which may be a general-purpose device or a special-purpose device; this is not specifically limited in this embodiment of the present application.
  • the relevant functions of the blockchain system, the application server, or the authentication service function network element in the embodiment of the present application may be implemented by one device, jointly by multiple devices, or by one or more functional modules in one device, which is not specifically limited in this embodiment of the present application. It is to be understood that the above-mentioned functions can be network elements in hardware devices, software functions running on dedicated hardware, a combination of hardware and software, or virtualized functions instantiated on a platform (eg, a cloud platform).
  • FIG. 5 is a schematic structural diagram of a communication device 500 according to an embodiment of the present application.
  • the communication device 500 includes one or more processors 501, a communication line 502, and at least one communication interface (in FIG. 5, one communication interface 504 and one processor 501 are used as an example for illustration), and optionally may also include a memory 503.
  • the processor 501 can be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the programs of the present application.
  • Communication line 502 may include a path for connecting the various components.
  • the communication interface 504 can be a transceiver module for communicating with other devices or communication networks, such as Ethernet, RAN, wireless local area networks (wireless local area networks, WLAN) and the like.
  • the transceiver module may be a device such as a transceiver.
  • the communication interface 504 may also be a transceiver circuit located in the processor 501 to implement signal input and signal output of the processor.
  • the memory 503 may be a device having a storage function. For example, it may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disk storage (including compact discs, laser discs, digital versatile discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium capable of carrying or storing desired program code in the form of instructions or data structures and capable of being accessed by a computer, but is not limited to these.
  • the memory may exist independently and be connected to the processor through the communication line 502.
  • the memory can also be integrated with the processor.
  • the memory 503 is used for storing computer-executed instructions for executing the solution of the present application, and the execution is controlled by the processor 501 .
  • the processor 501 is configured to execute the computer-executed instructions stored in the memory 503, thereby implementing the authentication method provided in the embodiment of the present application.
  • the processor 501 may also perform processing-related functions in the authentication methods provided in the following embodiments of the present application, and the communication interface 504 is responsible for communicating with other devices or communication networks.
  • the embodiment does not specifically limit this.
  • the computer-executed instructions in the embodiment of the present application may also be referred to as application code, which is not specifically limited in the embodiment of the present application.
  • the processor 501 may include one or more CPUs, such as CPU0 and CPU1 in FIG. 5.
  • the communication device 500 may include multiple processors, such as the processor 501 and the processor 508 in FIG. 5.
  • processors can be a single-core processor or a multi-core processor.
  • the processor here may include, but is not limited to, at least one of the following: a central processing unit (CPU), a microprocessor, a digital signal processor (DSP), a microcontroller unit (MCU), an artificial intelligence processor, or other types of computing devices that run software; each computing device may include one or more cores for executing software instructions to perform operations or processing.
  • the communication device 500 may further include an output device 505 and an input device 506 .
  • the output device 505 is in communication with the processor 501 and can display information in a variety of ways.
  • the output device 505 may be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device, a projector, or the like.
  • Input device 506 is in communication with processor 501 and can receive user input in a variety of ways.
  • the input device 506 may be a mouse, a keyboard, a touch screen device, a sensor device, or the like.
  • the above-mentioned communication device 500 may also be sometimes referred to as a communication device, which may be a general-purpose device or a dedicated device.
  • the communication device 500 may be a desktop computer, a portable computer, a network server, a personal digital assistant (PDA), a mobile phone, a tablet computer, a wireless terminal device, an embedded device, the above-mentioned terminal device, the above-mentioned network device, or a device with a structure similar to that in FIG. 5.
  • This embodiment of the present application does not limit the type of the communication device 500.
  • an authentication method provided by an embodiment of the present application includes the following steps:
  • the terminal device sends a registration request (registration request) to the AMF network element.
  • the AMF network element receives the registration request from the terminal device.
  • the registration request is used for the terminal device to register with the mobile network.
  • the registration request in this embodiment of the present application may further include indication information 1.
  • the indication information 1 indicates that the security operation is performed through the blockchain system.
  • performing the security operation through the blockchain system includes obtaining, through the blockchain system, security parameters (such as security keys) for communication between the AF network element corresponding to the third-party application and the terminal device.
  • performing the security operation through the blockchain system also includes verifying the legitimacy of the terminal device for a third-party application through the blockchain system, which is described here uniformly and will not be repeated below.
  • the value of a certain information element may indicate that a security operation needs to be performed through the blockchain system. For example, when the value of the information element is "1", it can indicate that the security operation needs to be performed through the blockchain system; or, when the value of the information element is "0", it can indicate that the security operation needs to be performed through the blockchain system.
  • whether a certain information element exists may indicate that a security operation needs to be performed through the blockchain system. For example, when the information element exists, it can indicate that a security operation needs to be performed through the blockchain system.
  • the AMF network element sends an authentication request (authentication request) to the AUSF network element.
  • the AUSF network element receives the authentication request from the AMF network element.
  • when the registration request in step S601 includes indication information 1, the authentication request in step S602 also includes indication information 1, which is described here uniformly and will not be repeated below.
  • the AUSF network element sends an authentication get request (authentication get request) to the UDM network element.
  • the UDM network element receives the authentication get request from the AUSF network element.
  • the authentication get request is used to request the authentication data of the terminal device.
  • the UDM network element sends an authentication get response (authentication get response) to the AUSF network element.
  • the AUSF network element receives the authentication get response from the UDM network element.
  • the authentication get response includes the authentication data of the terminal device.
  • the authentication get response may include the above-mentioned indication information 1.
  • the indication information 1 indicates that the security operation is performed through the blockchain system.
  • the implementation of the indication information 1 may refer to step S601, which will not be repeated here.
  • the indication information 1 obtained by the AUSF network element may be sent by the terminal device through the AMF network element, or may be sent by the UDM network element, which is not specifically limited in the embodiment of the present application.
  • the AUSF network element and the terminal device perform mutual authentication and negotiate a key between the terminal device and the AUSF network element (in this embodiment of the present application, this key is denoted as Kausf); and the AUSF network element assigns the key identifier (KID) corresponding to Kausf to the terminal device.
  • the terminal device and the AUSF network element may also derive a key from Kausf (in this embodiment of the present application, the key derived from Kausf is denoted as Kchain).
  • the manner of deriving the key according to Kausf may include, for example: generating Kchain according to Kausf and the global blockchain identifier of the terminal device.
  • the global blockchain identifier of the terminal device is used to uniquely identify the terminal device in the blockchain system, which may be sent by the UDM network element to the AUSF network element, or may be sent by the AMF network element to the AUSF network element, which is not specifically limited in this embodiment of the present application.
  • the global blockchain identifier of the terminal device may be, for example, the identifier allocated by the blockchain system to the terminal device, or may be a generic public subscription identifier (GPSI) or a subscription permanent identifier (SUPI).
  • the subsequent steps in this embodiment of the present application are described by taking the communication between the AF network element and the terminal device using the key derived in the mobile network as an example for description. Since the AF network element and the terminal device can communicate using the key derived in the mobile network before obtaining the key for secure communication between the terminal device and the AF network element, the service security of the terminal device is improved.
  • the terminal device may register with the mobile network. Further, the authentication method provided by the embodiment of the present application may further include the following step S606:
  • the AUSF network element is registered in the blockchain system.
  • the AUSF network element registers the first identifier and Kchain in the blockchain system.
  • the first identifier is used to locate the user context of the terminal device.
  • the first identifier may be at least one of a global blockchain identifier or a KID of the terminal device, which is described here uniformly and will not be repeated below.
  • the AUSF network element may be registered in the blockchain system according to the indication information 1.
  • the process of the AUSF network element registering the first identifier and Kchain in the blockchain system can be understood as the process of the AUSF network element storing the first identifier and Kchain in the blockchain security processing module of the blockchain system, which is described here uniformly and will not be repeated below.
  • for the blockchain security processing module, reference may be made to the preamble of the specific implementation manner, which will not be repeated here.
  • when the AUSF network element registers the Kchain in the blockchain system, the AUSF network element needs to encrypt the Kchain and send the encrypted Kchain to the blockchain system, and the blockchain security processing module of the blockchain system then stores the encrypted Kchain.
  • the manner in which the AUSF network element encrypts the Kchain may, for example, include: the AUSF network element encrypts the Kchain using the public key allocated by the blockchain system to the blockchain security processing module.
  • the blockchain security processing module decrypts the encrypted Kchain using the private key corresponding to that public key to obtain the Kchain, which is not repeated here.
  • the Kchain can also be encrypted and the encrypted Kchain can be decrypted in other ways, which are not specifically limited in the embodiment of the present application.
  • the AUSF network element may directly interact with the blockchain system, and may also interact with the blockchain system through the BCHF network element, which is not specifically limited in the embodiment of the present application.
  • the BCHF network element can register the address of the BCHF network element with the blockchain system, so that the blockchain system can subsequently interact with the BCHF network element based on that address, which is not specifically limited in this embodiment of the present application.
  • when the BCHF network element interacts with the blockchain system, the interaction may also be forwarded by the NEF network element, which is not specifically limited in the embodiment of the present application.
  • the above description is also applicable to the embodiments shown in the subsequent FIG. 7 and FIG. 8 , and is described in a unified manner here, and will not be repeated below.
  • the AUSF network element can be registered with the blockchain system.
  • the authentication method provided by the embodiment of the present application also includes a process of performing a secure operation through a blockchain system, including the following steps:
  • the terminal device sends a login request to the AF network element.
  • the AF network element receives the login request from the terminal device.
  • the login request is used for requesting to log in to the third-party application corresponding to the AF network element.
  • the login request includes the first identifier.
  • the login request may further include parameters and/or messages encrypted using Kchain.
  • parameters and/or messages encrypted with Kchain covers three cases: only parameters encrypted with Kchain are present, only messages encrypted with Kchain are present, or both parameters and messages encrypted with Kchain are present.
  • a unified description is provided here, and the description is applicable to all the embodiments of the present application, and details are not repeated below.
  • the encrypted parameter may be, for example, a random number selected by the terminal device, a first identifier, or a value agreed between the terminal device and the blockchain system, which is not specifically limited in the embodiment of the present application.
  • the encrypted message may be, for example, a registration message.
  • for the first identifier, reference may be made to the foregoing step S606, which is not repeated here.
  • the AF network element sends a verification request (validate request) 1 to the blockchain system.
  • the blockchain system receives the verification request 1 from the AF network element.
  • the verification request 1 includes the first identifier in step S607.
  • the verification request 1 may further include parameters and/or messages encrypted using Kchain in step S607.
  • the verification request 1 may further include an application identifier (APP ID) of a third-party application.
  • the application identifier may be included in the message body of the verification request 1, may also be included in the message header of the verification request 1, and may also be expressed in the form of a digital signature of the APP, which is not specifically limited in this embodiment of the present application.
  • the authentication method provided by the embodiment of the present application further includes the following step S609:
  • the blockchain system verifies the legitimacy of the terminal device for a third-party application.
  • the blockchain system may determine the user context of the terminal device according to the first identifier. Furthermore, the blockchain system can verify the legitimacy of the terminal device for the third-party application based on the user context of the terminal device and the parameters and/or messages encrypted by the terminal device using the first key (i.e., Kchain).
  • the blockchain system determining the user context of the terminal device according to the first identifier includes: the blockchain system determining the Kchain stored in the blockchain system according to the first identifier.
  • the blockchain system can determine the user context of the terminal device stored in the blockchain system according to the first identifier and the correspondence between the first identifier and the user context of the terminal device, and further the blockchain system can determine the Kchain in the user context of the terminal device (that is, the Kchain stored by the AUSF network element in the blockchain system).
  • determining the Kchain in the user context of the terminal device by the blockchain system may include, for example: the blockchain system may determine the Kchain according to the correspondence between the first identifier in the user context of the terminal device and the Kchain.
  • the blockchain system verifying the legitimacy of the terminal device for the third-party application according to Kchain and the parameters and/or messages encrypted by the terminal device using the first key includes: the blockchain system can use Kchain to decrypt the parameters and/or messages encrypted with Kchain that were sent by the terminal device.
  • when the terminal device sends parameters encrypted with Kchain but does not send messages encrypted with Kchain, if the decrypted parameters conform to the parameter format or value preconfigured by the blockchain system for the interaction between the terminal device and the blockchain system, or if the decrypted parameters conform to the parameters agreed between the terminal device and the blockchain system, the terminal device is considered legal.
  • when the terminal device sends a message encrypted with Kchain but does not send parameters encrypted with Kchain, if the format of the decrypted message conforms to the message format preconfigured by the blockchain system for the interaction between the terminal device and the blockchain system, the terminal device is considered legal.
  • when the terminal device sends both a message encrypted with Kchain and parameters encrypted with Kchain, if the format of the decrypted message conforms to the message format preconfigured by the blockchain system for the interaction between the terminal device and the blockchain system, and the decrypted parameters conform to the parameter format or value preconfigured by the blockchain system for that interaction, or the decrypted parameters conform to the parameters agreed between the terminal device and the blockchain system, the terminal device is considered legal.
  • alternatively, it is determined whether the decrypted parameter is consistent with the APP ID sent by the AF network element. If the two are consistent, the terminal device is considered legal; if they are inconsistent, the terminal device is considered illegal.
  • the terminal device can obtain the APP ID through a domain name system (domain name system, DNS) query.
  • the terminal device can also obtain the APP ID through other methods, which is not specifically limited in this embodiment of the present application.
  • after the blockchain system receives the verification request 1 from the AF network element, it needs to provide a security key for the communication between the AF network element corresponding to the third-party application and the terminal device, including the following steps:
  • the blockchain system generates a key for secure communication between the terminal device and the AF network element according to Kchain (in this embodiment of the present application, the key for the secure communication between the terminal device and the AF network element is denoted as Kapp).
  • the blockchain system may determine the corresponding user context according to the first identifier.
  • the user context includes the Kchain stored by the AUSF network element in the blockchain system.
  • after the blockchain system verifies in step S609 that the terminal device is legal, the blockchain system generates Kapp according to Kchain. Otherwise, if the blockchain system verifies that the terminal device is illegal, the process of the terminal device accessing the third-party application can be terminated. Based on this solution, the access process can be terminated in time when the terminal device accesses the third-party application illegally, which avoids the resource consumption and signaling waste caused by the blockchain system still generating Kapp and delivering the Kapp to the AF network element in that case.
  • the blockchain system may also use the APP ID as one of the input parameters for generating Kapp, which is not specifically limited in the embodiment of the present application.
  • the blockchain system may also use the first identifier as one of the input parameters for generating Kapp, which is not specifically limited in the embodiment of the present application.
  • the blockchain system may also use the decrypted parameter as one of the input parameters for generating Kapp, which is not specifically limited in this embodiment of the present application.
  • the decrypted parameters can include, for example, a random number selected by the terminal device. Since the random number is random, the Kapp generated from it also varies and is not easily attacked by an attacker, which further ensures secure communication between the terminal device and the AF network element.
  • the blockchain system sends a validation response (validate response) 1 to the AF network element.
  • the AF network element receives the verification response 1 from the blockchain system.
  • the verification response 1 includes the above Kapp.
  • the verification response 1 may further include the validity period of the Kapp.
  • when the validity period of the Kapp expires, the terminal device and the AF network element can initiate the Kapp renegotiation process, so that the AF network element obtains the Kapp through the blockchain system again.
  • when the verification request 1 includes parameters and/or messages encrypted using Kchain, the verification response 1 may also include the parameters and/or messages decrypted using Kchain.
  • the parameters and/or messages are used for subsequent verification of network security, which is not specifically limited in this embodiment of the present application.
  • the AF network element sends a login response to the terminal device.
  • the terminal device receives the login response from the AF network element.
  • when the login request includes a message encrypted using Kchain, such as a registration request, the login response may include a registration acceptance message obtained according to the registration request decrypted using Kchain.
  • when the verification response 1 includes the validity period of the Kapp, the registration acceptance message may include the validity period of the Kapp.
  • when the login request includes parameters encrypted using Kchain, the login response may include the parameters decrypted using Kchain.
  • the terminal device can read the parameters decrypted using Kchain included in the login response and compare them with the unencrypted parameters it held before sending the login request to the AF network element; if the two are consistent, the terminal device is considered to have passed verification of the network side (that is, the terminal device confirms that the network is secure).
  • the message or parameter in the login response may be encrypted using Kapp, so as to ensure secure communication between the terminal device and the AF network element.
  • after the terminal device receives the login response, it can use the locally generated Kapp to encrypt key information in the subsequent information exchange with the AF network element.
  • the way in which the terminal device generates Kapp is the same as the way in which the blockchain system generates Kapp, and will not be repeated here.
  • the legitimacy of the terminal device can also be verified through subsequent procedures.
  • when the login response does not include the parameters decrypted using Kchain, since both the terminal device and the AF network element can subsequently use Kapp to encrypt information, the terminal device can also verify whether the network side is legal through subsequent message interaction, which is not specifically limited in this embodiment of the present application.
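  • Steps S607 to S612 of this embodiment end to end, as an added Python example that is not code from the patent or from any Huawei implementation: the terminal device encrypts a random number together with the APP ID under Kchain, the AF network element forwards this with the first identifier and its own APP ID, the blockchain system looks up the user context, decrypts, checks the decrypted APP ID against the one the AF sent (step S609), derives Kapp from Kchain, the APP ID, the first identifier and the random number (step S610), and returns Kapp, its validity period and the decrypted parameter; the AF echoes the decrypted parameter in the login response, and the terminal compares it with what it sent and derives the same Kapp locally (step S612). The patent names neither the cipher nor the KDF: the HMAC-SHA-256 counter-mode stream cipher with encrypt-then-MAC, the KDF, the 3600-second validity period, the identifier `gbid-001` and the APP ID `app.example` are all assumptions or constructed sample values. An illegal terminal (one that does not hold the registered Kchain, or whose encrypted APP ID does not match the AF's) is rejected before any Kapp is generated, which is the early termination the text describes.

```python
import hashlib
import hmac
import secrets

KAPP_VALIDITY_SECONDS = 3600   # assumed validity period carried in verification response 1


def kdf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA-256 over length-prefixed parts. The patent fixes no KDF; this one is assumed."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA-256 in counter mode, used as the keystream of the stand-in cipher."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(k_enc, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(kchain: bytes, plaintext: bytes) -> bytes:
    """'Encrypted using Kchain' in the patent's sense. The patent names no cipher; this
    encrypt-then-MAC construction (nonce || ciphertext || tag) is a stand-in."""
    k_enc, k_mac = kdf(kchain, b"enc"), kdf(kchain, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(kchain: bytes, blob: bytes):
    """Decrypt with Kchain; returns None if the tag fails (wrong key or tampering)."""
    k_enc, k_mac = kdf(kchain, b"enc"), kdf(kchain, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))


def derive_kapp(kchain: bytes, app_id: str, first_id: str, rnd: bytes) -> bytes:
    """S610: Kapp from Kchain, with the APP ID, the first identifier and the terminal's
    random number as the optional extra inputs the patent mentions (KDF assumed)."""
    return kdf(kchain, b"Kapp", app_id.encode(), first_id.encode(), rnd)


class BlockchainSystem:
    """Holds the user contexts registered at S606 and performs S609 and S610."""

    def __init__(self):
        self.contexts = {}   # first identifier -> {"kchain": bytes}

    def register(self, first_id: str, kchain: bytes) -> None:
        self.contexts[first_id] = {"kchain": kchain}

    def validate(self, req: dict):
        """Verification request 1 (S608) -> verification response 1 (S611), or None."""
        ctx = self.contexts.get(req["first_id"])
        if ctx is None:
            return None                              # no user context for this identifier
        param = open_sealed(ctx["kchain"], req["enc_param"])
        if param is None:
            return None                              # sender does not hold Kchain
        rnd, app_id = param[:16], param[16:]
        if app_id != req["app_id"].encode():         # S609: decrypted APP ID vs. the AF's APP ID
            return None                              # illegal: terminate, generate no Kapp
        kapp = derive_kapp(ctx["kchain"], req["app_id"], req["first_id"], rnd)
        return {"kapp": kapp, "validity": KAPP_VALIDITY_SECONDS, "param": param}


def terminal_login(bc: BlockchainSystem, first_id: str, kchain: bytes,
                   app_id: str, af_app_id: str = None):
    """Runs S607-S612 for one terminal. af_app_id is what the AF puts into verification
    request 1 (defaults to app_id). Returns (terminal Kapp, AF's Kapp, network verified)."""
    rnd = secrets.token_bytes(16)
    param = rnd + app_id.encode()                        # random number + APP ID (e.g. from DNS)
    login_req = {"first_id": first_id, "enc_param": seal(kchain, param)}      # S607
    resp1 = bc.validate({**login_req, "app_id": af_app_id or app_id})          # S608 / S611
    if resp1 is None:
        return None, None, False                         # access terminated, no S612
    login_resp = {"param": resp1["param"], "validity": resp1["validity"]}     # S612
    verified = login_resp["param"] == param              # echoed plaintext: network side held Kchain
    kapp_terminal = derive_kapp(kchain, app_id, first_id, rnd)   # same derivation as S610
    return kapp_terminal, resp1["kapp"], verified
```

  • The echoed plaintext is what makes the terminal-side check in step S612 meaningful: only a party holding Kchain can turn the sealed parameter back into the random number the terminal chose, so a match tells the terminal it is talking to a network that was registered at step S606, while the random number in the Kapp input keeps each login's Kapp distinct.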
  • compared with the approach in which the application-side AApF network elements need to configure the interfaces and interface addresses with the AAuF network elements in different networks one by one, the embodiment of the present application can provide a unified cross-domain authentication interface through the blockchain system, so that the AF network element interacts with the blockchain system through this interface and performs security operations through the blockchain system, such as providing security keys for the communication between the AF network element corresponding to the third-party application and the terminal device, and verifying the legitimacy of the terminal device for the third-party application.
  • this not only simplifies the configuration of third-party applications, but also avoids the problem of third-party applications negotiating one by one with operators and deploying network elements to plan routes, improving the efficiency of third-party applications.
  • the actions of the AUSF network element, the AF network element or the blockchain system in the above steps S601 to S612 can be performed by the processor 501 in the communication device 500 shown in FIG. 5 calling the application code stored in the memory 503 to instruct the AUSF network element, AF network element, or blockchain system, and this embodiment does not impose any restrictions on this.
  • an authentication method is provided in this embodiment of the present application, and the method includes the following steps:
  • S701-S705 are the same as steps S601-S605 in the embodiment shown in FIG. 6 , and the related description can refer to the embodiment shown in FIG. 6 , and details are not repeated here.
  • the terminal device may register with the mobile network. Further, the authentication method provided in the embodiment of the present application may further include the following step S706:
  • the AUSF network element is registered in the blockchain system.
  • the AUSF network element may be registered in the blockchain system according to the indication information 1.
  • the first identifier and the Kchain can be registered.
  • the AUSF network element can obtain the Kchain
  • the address of the AUSF network element, the first identifier and the Kchain can be registered.
  • the process of the AUSF network element registering the first identifier and Kchain in the blockchain system can be understood as the process of the AUSF network element storing the first identifier and Kchain in the blockchain security processing module of the blockchain system; the process of the AUSF network element registering the address of the AUSF network element, the first identifier and Kchain in the blockchain system can be understood as the process of the AUSF network element storing the address of the AUSF network element, the first identifier and Kchain in the blockchain security processing module of the blockchain system, which is described here uniformly and will not be repeated below.
  • when the AUSF network element registers the Kchain in the blockchain system, the AUSF network element needs to encrypt the Kchain and send the encrypted Kchain to the blockchain system, and the blockchain security processing module of the blockchain system then stores the encrypted Kchain.
  • for the specific implementation, reference may be made to step S606 in the embodiment shown in FIG. 6, and details are not described herein again.
  • the AUSF network element can be registered with the blockchain system.
  • the authentication method provided by the embodiment of the present application also includes a process of performing a secure operation through a blockchain system, including the following steps:
  • the terminal device sends a login request to the AF network element.
  • the AF network element receives the login request from the terminal device.
  • the login request is used for requesting to log in to the third-party application corresponding to the AF network element.
  • the login request includes the first identifier, parameters and/or messages encrypted using Kchain.
  • the encrypted parameter may be, for example, a random number selected by the terminal device, a first identifier, or a value agreed between the terminal device and the blockchain system, which is not specifically limited in this embodiment of the present application.
  • the encrypted message may be, for example, a registration message.
  • for the first identifier, reference may be made to step S606 in the embodiment shown in FIG. 6, and details are not repeated here.
  • the AF network element sends a verification request (validate request) 1 to the blockchain system.
  • the blockchain system receives the verification request 1 from the AF network element.
  • the verification request 1 includes the first identifier in step S607, and parameters and/or messages encrypted using Kchain.
  • the verification request 1 may further include an application identifier (APP ID) of a third-party application.
  • the application identifier may be included in the message body of the verification request 1, may also be included in the message header of the verification request 1, and may also be expressed in the form of a digital signature of the APP, which is not specifically limited in this embodiment of the present application.
  • the blockchain system verifies the legitimacy of the terminal device for a third-party application.
  • step S709 may refer to step S609 in the embodiment shown in FIG. 6 , which will not be repeated here.
  • after the blockchain system verifies that the terminal device is legal, the blockchain system sends a verification request 2 to the AUSF network element. Correspondingly, the AUSF network element receives the verification request 2 from the blockchain system.
  • the verification request 2 includes the first identifier.
  • the verification request 2 may further include an application identifier (APP ID) of a third-party application.
  • the verification request 2 may further include parameters and/or messages encrypted using Kchain and sent by the terminal device, which are not specifically limited in this embodiment of the present application.
  • the blockchain system can determine the corresponding user context according to the first identifier, and send the verification request 2 to the AUSF network element accordingly.
  • the user context includes the address of the AUSF network element registered in the blockchain system by the AUSF network element.
  • the blockchain system can determine the corresponding AUSF network element according to the address of the AUSF network element.
  • the login request and the verification request 1 in the embodiment of the present application may also include the network identifier of the network serving the terminal device.
  • the AUSF network element serving the terminal device may be determined according to the network identifier, which is not specifically limited in this embodiment of the present application.
  • the network identifier in the embodiment of the present application may be, for example, a public land mobile network (PLMN) identifier, or a domain name (such as CMCC.com), which is not specifically limited in the embodiment of the present application.
  • the network identifier in the embodiment of the present application may be an independent information element, or may be information included in other information elements, which is not specifically limited in the embodiment of the present application.
  • the blockchain system may directly interact with the AUSF network element, or may interact with the AUSF network element through the BCHF network element, which is not specifically limited in the embodiment of the present application.
  • the above two implementation manners are both illustratively described by taking the blockchain system addressing AUSF network elements as an example.
  • the blockchain system can also address the BCHF network element in a similar manner, which will not be repeated in this embodiment of the present application.
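  • The addressing in steps S710 and S711, as an added Python example that is not code from the patent or from any Huawei implementation: the blockchain system resolves the AUSF network element first from the AUSF address stored in the user context at step S706 and, when no such address is known, from the network identifier carried in the login request and verification request 1 (a PLMN identifier or a domain name such as CMCC.com, as the text mentions); it then sends verification request 2, and the AUSF network element generates Kapp from Kchain when it holds one and otherwise from Kausf, returning it in verification response 2 for forwarding as verification response 1. The legitimacy check of step S709 is not modelled here, and the KDF, the AUSF addresses, the directory from network identifier to AUSF and the validity period are assumptions or constructed values.

```python
import hashlib
import hmac


def kdf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA-256 over length-prefixed parts (assumed KDF; the patent fixes none)."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()


class Ausf:
    """One AUSF network element: keeps Kausf (and, if derived, Kchain) per first
    identifier from S701-S706 and answers verification request 2 (S710-S712)."""

    def __init__(self, address: str):
        self.address = address      # constructed address, registered at S706
        self.contexts = {}          # first identifier -> {"kausf": bytes, "kchain": bytes|None}

    def handle_validate2(self, req: dict):
        ctx = self.contexts.get(req["first_id"])
        if ctx is None:
            return None                                      # unknown terminal at this AUSF
        root = ctx["kchain"] if ctx.get("kchain") else ctx["kausf"]   # S711: Kchain or Kausf
        kapp = kdf(root, b"Kapp", req["app_id"].encode(), req["first_id"].encode())
        return {"kapp": kapp, "validity": 3600}              # verification response 2; validity assumed


class BlockchainSystem:
    """User contexts from S706 (first identifier -> AUSF address) plus an assumed
    directory from network identifier (PLMN or domain name) to AUSF for the fallback."""

    def __init__(self, ausfs: dict, network_directory: dict):
        self.ausfs = ausfs                          # address -> Ausf reachable from the chain
        self.network_directory = network_directory  # e.g. "CMCC.com" -> AUSF address
        self.contexts = {}                          # first identifier -> {"ausf_address": str}

    def register(self, first_id: str, ausf_address: str) -> None:
        self.contexts[first_id] = {"ausf_address": ausf_address}

    def resolve_ausf(self, first_id: str, network_id: str = None):
        """Address from the user context first; otherwise from the network identifier."""
        ctx = self.contexts.get(first_id)
        if ctx and ctx["ausf_address"] in self.ausfs:
            return ctx["ausf_address"]
        if network_id is not None:
            return self.network_directory.get(network_id)
        return None

    def validate(self, req: dict):
        """Verification request 1 (S708) -> request 2 (S710) -> verification response 1 (S713)."""
        addr = self.resolve_ausf(req["first_id"], req.get("network_id"))
        if addr is None:
            return None                                      # no serving AUSF can be found
        req2 = {"first_id": req["first_id"], "app_id": req["app_id"]}   # S710
        resp2 = self.ausfs[addr].handle_validate2(req2)                  # S711-S712
        return None if resp2 is None else {**resp2, "ausf": addr}       # S713
```

  • Keeping the AUSF address in the user context means the blockchain system never has to guess which operator's AUSF holds the keys for a given first identifier; the network identifier path only covers terminals whose AUSF did not register an address, and a request that matches neither is dropped rather than broadcast.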
  • the AUSF network element generates a key used for the secure communication between the terminal device and the AF network element according to Kchain or Kausf (the key used for the secure communication between the terminal device and the AF network element in the embodiment of this application is denoted as Kapp).
  • the blockchain system may determine the corresponding user context according to the first identifier.
  • the user context includes the Kchain or Kausf generated by the AUSF network element.
  • the AUSF network element may also use the APP ID as one of the input parameters for generating Kapp, which is not specifically limited in the embodiment of the present application.
  • the AUSF network element may also use the first identifier as one of the input parameters for generating Kapp, which is not specifically limited in the embodiment of the present application.
  • the AUSF network element may also use the decrypted parameter as one of the input parameters for generating Kapp, which is not specifically limited in this embodiment of the present application.
  • the decrypted parameters can include, for example, a random number selected by the terminal device. Since the random number is random, the Kapp generated from it also varies and is not easily attacked by an attacker, which further ensures secure communication between the terminal device and the AF network element.
  • the AUSF network element sends a verification response 2 to the blockchain system.
  • the blockchain system receives the verification response 2 from the AUSF network element.
  • the verification response 2 includes Kapp.
  • the verification response 2 may further include the validity period of the Kapp.
  • when the verification request 2 includes parameters and/or messages encrypted using Kchain, the verification response 2 may also include the parameters and/or messages decrypted using Kchain.
  • the parameters and/or messages are used for subsequent verification of network security, which is not specifically limited in this embodiment of the present application.
  • the blockchain system sends a verification response 1 to the AF network element.
  • the AF network element receives the verification response 1 from the blockchain system.
  • the verification response 1 includes the parameters in the verification response 2 in step S712, such as Kapp, the validity period of the Kapp (optional), and parameters and/or messages decrypted using Kchain (optional).
  • the verification response 1 may also include parameters and/or messages decrypted using Kchain.
  • the parameters and/or messages are used for subsequent verification of network security, which is not specifically limited in this embodiment of the present application.
  • the AF network element sends a login response to the terminal device.
  • the terminal device receives the login response from the AF network element.
  • for the specific implementation of step S714, reference may be made to step S612 in the embodiment shown in FIG. 6, which will not be repeated here.
  • the application side AApF network elements need to configure the interfaces and interface addresses with the AAuF network elements in different networks one by one.
  • the embodiment of the present application can provide a unified cross-domain authentication interface by the blockchain system, Make the AF network element interact with the blockchain system through this interface, and perform safe operations through the blockchain system, such as providing security keys for the communication between the AF network element corresponding to the third-party application and the terminal device, and verifying the third-party application.
  • the legitimacy of terminal equipment, etc. not only simplifies the configuration of third-party applications, but also avoids the problem of negotiating one-by-one between third-party applications and operators, and deploying network elements to plan routes, improving the efficiency of third-party applications.
  • the blockchain system verifies the legality of the terminal device for the third-party application, so that when the access of the terminal device to the third-party application is illegal, the access process can be terminated in time, preventing the terminal device from accessing the third-party application illegally. This avoids the resource consumption and signaling waste that would be caused if the AUSF network element still generated Kapp and sent it to the AF network element through the blockchain system.
  • the actions of the AUSF network element, the AF network element or the blockchain system in the above steps S701 to S714 may be performed by the processor 501 in the communication device 500 shown in FIG. 5 calling the application code stored in the memory 503 to instruct the AUSF network element, AF network element, or blockchain system, and this embodiment does not impose any restrictions on this.
  • an authentication method is provided in this embodiment of the application, and the method includes the following steps:
  • S801-S805 are the same as steps S601-S605 in the embodiment shown in FIG. 6 , and the related description may refer to the embodiment shown in FIG. 6 , which will not be repeated here.
  • the terminal device may register with the mobile network. Further, optionally, the authentication method provided in this embodiment of the present application may further include the following step S806:
  • the AUSF network element is registered in the blockchain system.
  • the AUSF network element registers the first identifier and the address of the AUSF network element in the blockchain system.
  • for the first identifier, reference may be made to step S606 in the embodiment shown in FIG. 6 , and details are not repeated here.
  • the AUSF network element may be registered in the blockchain system according to the indication information 1.
  • the process of the AUSF network element registering the first identifier and the address of the AUSF network element in the blockchain system can be understood as the AUSF network element storing the first identifier and the address of the AUSF network element in the blockchain security processing module of the blockchain system. This is described here in a unified manner and will not be repeated below.
  • the AUSF network element can be registered with the blockchain system.
  • the authentication method provided by the embodiment of the present application also includes a process of performing a secure operation through a blockchain system, including the following steps:
  • S807-S808 are the same as steps S607-S608 in the embodiment shown in FIG. 6 , and the related description can refer to the embodiment shown in FIG. 6 , and details are not repeated here.
  • the blockchain system sends a verification request 2 to the AUSF network element.
  • the AUSF network element receives the verification request 2 from the blockchain system.
  • the verification request 2 includes the parameters in the verification request 1 in step S808, such as the first identifier, and parameters and/or messages encrypted by Kchain (optional).
  • the verification request 2 may further include an application identifier (APP ID) of a third-party application.
  • the blockchain system can determine the corresponding AUSF network element according to the first identifier before sending the verification request 2 to the AUSF network element.
  • the user context includes the address of the AUSF network element registered in the blockchain system by the AUSF network element.
  • the blockchain system can determine the corresponding AUSF network element according to the address of the AUSF network element.
  • the login request and the verification request 1 in the embodiment of the present application may further include the network identifier of the service terminal device. Furthermore, before the blockchain system sends the verification request 2 to the AUSF network element, the AUSF network element serving the terminal device may be determined according to the network identifier. For related description, reference may be made to step S710 in the embodiment shown in FIG. 7 , and details are not repeated here.
  • the AUSF network element generates a key for secure communication between the terminal device and the AF network element according to Kchain or Kausf (the key for secure communication between the terminal device and the AF network element in the embodiment of the present application is denoted as Kapp).
  • the blockchain system may determine the corresponding user context according to the first identifier.
  • the user context includes the Kchain or Kausf generated by the AUSF network element.
  • the AUSF network element may also use the APP ID as one of the input parameters for generating Kapp, which is not specifically limited in the embodiment of the present application.
  • the AUSF network element may also use the first identifier as one of the input parameters for generating Kapp, which is not specifically limited in the embodiment of the present application.
  • the AUSF network element may also use the decrypted parameter as one of the input parameters for generating Kapp, which is not specifically limited in this embodiment of the present application.
  • the decrypted parameters can include, for example, a random number selected by the terminal device. Since the random number is random, the Kapp generated from it is also more flexible and less easily attacked by attackers, thereby further ensuring secure communication between the terminal device and the AF network element.
  • when the terminal device sends parameters and/or messages encrypted with Kchain, and the verification request 2 includes these parameters and/or messages encrypted with Kchain, the AUSF network element may also first verify the legitimacy of the terminal device for the third-party application. After the AUSF network element verifies that the terminal device is legal, the AUSF network element generates Kapp according to Kchain or Kausf. If the AUSF network element verifies that the terminal device is illegal, the process of the terminal device accessing the third-party application can be terminated.
  • in this way, the access process can be terminated in time when the access of the terminal device to the third-party application is illegal, avoiding the resource consumption and signaling waste that would be caused if, in that case, the AUSF network element still generated Kapp and sent it to the AF network element through the blockchain system.
  • the manner in which the AUSF network element verifies the legitimacy of the terminal device for the third-party application may be, for example, the AUSF network element may determine the user context of the terminal device according to the first identifier. Further, the AUSF network element can verify the legitimacy of the terminal device for the third-party application according to the user context of the terminal device and the parameters and/or messages encrypted by the terminal device using the first key.
  • the AUSF network element determining the user context of the terminal device according to the first identifier includes: the AUSF network element determining the Kchain stored in the AUSF network element according to the first identifier.
  • the AUSF network element may determine the user context of the terminal device stored in the AUSF network element according to the first identifier and the correspondence between the first identifier and the user context of the terminal device, and may further determine the Kchain in the user context of the terminal device.
  • the AUSF network element determining the Kchain in the user context of the terminal device may include, for example: the AUSF network element may determine the Kchain according to the correspondence between the first identifier in the user context of the terminal device and the Kchain.
  • the AUSF network element verifying the legitimacy of the terminal device for the third-party application according to Kchain and the parameters and/or messages encrypted by the terminal device using the first key includes: the AUSF network element can use Kchain to decrypt the parameters and/or messages sent by the terminal device that were encrypted with Kchain. When the terminal device sends parameters encrypted by Kchain but does not send messages encrypted by Kchain, if the decrypted parameters conform to the preconfigured parameter format or value used by the terminal device and the AUSF network element for interaction, or the decrypted parameters conform to the parameters agreed between the terminal device and the AUSF network element, the terminal device is considered legal.
  • when the terminal device sends a message encrypted by Kchain but does not send parameters encrypted by Kchain, if the format of the decrypted message conforms to the preconfigured message format used by the terminal device and the AUSF network element for interaction, the terminal device is considered legal.
  • when the terminal device sends both a message encrypted by Kchain and parameters encrypted by Kchain, if the format of the decrypted message conforms to the preconfigured message format used by the terminal device and the AUSF network element for interaction, and the decrypted parameters conform to the preconfigured parameter format or value used by the terminal device and the AUSF network element for interaction, or the decrypted parameters conform to the parameters agreed between the terminal device and the AUSF network element, the terminal device is considered legal.
  • the terminal device may obtain the APP ID through DNS query.
  • the terminal device may also obtain the APP ID through other methods, which is not specifically limited in this embodiment of the present application.
  • S811-S813 are the same as steps S712-S714 in the embodiment shown in FIG. 7 , and the related description can refer to the embodiment shown in FIG. 7 , and details are not repeated here.
  • the legality of the terminal device may also be verified through subsequent procedures. For example, since Kapp is derived from Kchain, if the terminal device is legal, the terminal device can obtain the correct Kchain, and the Kapp generated by the terminal device is the same as the Kapp obtained by the AF network element. Secure communication will succeed. Conversely, if the terminal device is illegal, the terminal device cannot obtain the correct Kchain, and the Kapp generated by the terminal device is different from the Kapp obtained by the AF network element. The subsequent secure communication between the terminal device and the AF network element using Kapp will fail. The interests of legitimate terminal equipment are protected.
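The AUSF-side procedure described above (look up the user context by the first identifier, decrypt the Kchain-protected parameters, check the agreed format, and only then derive Kapp with APP ID, first identifier and the terminal's random number as inputs) as an added, stand-alone illustration that is not the patent's own code; the HMAC-based KDF, the encrypt-then-MAC stand-in for "encrypted with Kchain", and the sample identifiers are assumptions, since the text fixes no concrete algorithms.

```python
"""Added illustration, not the patent's own code: the AUSF-side legitimacy
check and Kapp derivation described above, using only the standard library."""
import hashlib
import hmac
import json
import secrets


def _kdf(key: bytes, label: bytes, *context: bytes) -> bytes:
    """HMAC-SHA256 derivation (assumed KDF; the patent fixes none). Each
    context field is length-prefixed so APP ID, first identifier and random
    number cannot be confused with one another."""
    mac = hmac.new(key, label, hashlib.sha256)
    for field in context:
        mac.update(len(field).to_bytes(2, "big") + field)
    return mac.digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (_kdf(enc_key, b"ks", nonce, i.to_bytes(4, "big"))
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def encrypt_with_kchain(kchain: bytes, plaintext: bytes) -> dict:
    """Stand-in for 'parameters encrypted with Kchain': HMAC keystream plus an
    encrypt-then-MAC tag, so a wrong Kchain is detected before any parsing."""
    nonce = secrets.token_bytes(12)
    stream = _keystream(_kdf(kchain, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_kdf(kchain, b"mac"), nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def decrypt_with_kchain(kchain: bytes, blob: dict) -> bytes:
    expected = hmac.new(_kdf(kchain, b"mac"), blob["nonce"] + blob["ct"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("tag mismatch: wrong Kchain or tampered ciphertext")
    stream = _keystream(_kdf(kchain, b"enc"), blob["nonce"], len(blob["ct"]))
    return bytes(c ^ s for c, s in zip(blob["ct"], stream))


def derive_kapp(kchain: bytes, app_id: bytes, first_id: bytes, rand: bytes) -> bytes:
    """Kapp from Kchain with APP ID, first identifier and the terminal's random
    number as the optional input parameters the text mentions."""
    return _kdf(kchain, b"Kapp", app_id, first_id, rand)


def terminal_build_login(kchain: bytes, first_id: bytes, app_id: bytes):
    """Terminal side: pick a random number, encrypt {app_id, rand} with Kchain
    and derive its own Kapp from the same inputs the AUSF will use."""
    rand = secrets.token_bytes(16)
    params = json.dumps({"app_id": app_id.decode(), "rand": rand.hex()}).encode()
    return first_id, encrypt_with_kchain(kchain, params), derive_kapp(kchain, app_id, first_id, rand)


def ausf_verify_and_derive(user_contexts: dict, first_id: bytes, app_id: bytes, blob: dict):
    """AUSF side: look up the user context by the first identifier, decrypt with
    its Kchain, check the pre-agreed parameter format, and only then derive Kapp.
    Returns None when the terminal is judged illegitimate, so the access
    procedure can be terminated instead of generating and forwarding a Kapp."""
    ctx = user_contexts.get(first_id)
    if ctx is None:
        return None                      # unknown identifier: no context, no key
    try:
        params = json.loads(decrypt_with_kchain(ctx["kchain"], blob))
        rand = bytes.fromhex(params["rand"])
    except (ValueError, KeyError, TypeError):
        return None                      # wrong key, tampering, or malformed params
    # agreed format: 16-byte random number and an APP ID matching the request
    if len(rand) != 16 or params.get("app_id") != app_id.decode():
        return None
    return derive_kapp(ctx["kchain"], app_id, first_id, rand)


if __name__ == "__main__":
    # constructed sample values, not identifiers from the patent
    kchain = secrets.token_bytes(32)
    first_id, app_id = b"GBID-0001", b"app.example"
    contexts = {first_id: {"kchain": kchain}}
    fid, blob, k_term = terminal_build_login(kchain, first_id, app_id)
    print("legitimate terminal, Kapp matches:",
          ausf_verify_and_derive(contexts, fid, app_id, blob) == k_term)
    # a terminal without the correct Kchain is rejected before any Kapp is made
    _, rogue_blob, _ = terminal_build_login(secrets.token_bytes(32), first_id, app_id)
    print("rogue terminal rejected:",
          ausf_verify_and_derive(contexts, first_id, app_id, rogue_blob) is None)
```

The rogue case also shows the fallback the text describes: even without the explicit check, a terminal holding the wrong Kchain derives a Kapp that differs from the one the AF network element receives, so the later secure communication fails.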
  • the application side AApF network elements need to configure the interfaces and interface addresses with the AAuF network elements in different networks one by one.
  • the embodiment of the present application can provide a unified cross-domain authentication interface through the blockchain system, so that the AF network element interacts with the blockchain system through this interface and performs secure operations through the blockchain system, such as providing a security key for the communication between the AF network element corresponding to the third-party application and the terminal device, and verifying the legitimacy of the terminal device for the third-party application. This not only simplifies the configuration of third-party applications, but also avoids the problem of third-party applications negotiating one by one with operators and deploying network elements to plan routes, improving the efficiency of third-party applications.
  • the actions of the AUSF network element, the AF network element or the blockchain system in the above steps S801 to S813 can be performed by the processor 501 in the communication device 500 shown in FIG. 5 calling the application code stored in the memory 503 to instruct the AUSF network element, AF network element, or blockchain system, and this embodiment does not impose any restrictions on this.
  • an authentication method provided by an embodiment of the present application includes the following steps:
  • the blockchain system receives a first message from an application server, where the first message includes a first identifier, and parameters and/or messages encrypted by the terminal device using the first key.
  • the application server in the embodiment of the present application may be, for example, the AF network element in the embodiment shown in FIG. 6 or FIG. 7
  • the blockchain system in the embodiment of the present application may be, for example, the one shown in FIG. 6 or FIG. 7 .
  • the first message in the embodiment of the present application may be, for example, the verification request 1 in step S608 in the embodiment shown in FIG. 6 ; or, the first message in the embodiment of the present application may be, for example, the verification request 2 in step S708 in the embodiment shown in FIG. 7 .
  • the blockchain system determines the user context of the terminal device according to the first identifier.
  • the blockchain system verifies the legitimacy of the terminal device for a third-party application corresponding to the application server according to the user context of the terminal device and the parameters and/or messages encrypted by the terminal device using the first key.
  • for the specific implementation of steps S902-S903, reference may be made to step S609 in the embodiment shown in FIG. 6 or step S709 in the embodiment shown in FIG. 7 , and details are not repeated here.
  • the blockchain system verifies the legality of the terminal device for the third-party application, so that when the access of the terminal device to the third-party application is illegal, the access process can be terminated in time, preventing the terminal device from accessing the third-party application and avoiding the resource consumption and signaling waste caused by continuing to execute the subsequent process (such as continuing to provide a security key for the communication between the application server corresponding to the third-party application and the terminal device).
  • the application side AApF network elements need to configure the interfaces and interface addresses with the AAuF network elements in different networks one by one.
  • the unified cross-domain authentication interface provided by the blockchain system allows the application server to interact with the blockchain system through this interface and perform secure operations through the blockchain system (such as verifying the legitimacy of terminal devices for third-party applications). This not only simplifies the configuration of third-party applications, but also avoids the problem of the third-party application party negotiating one by one with the operator and deploying network elements to plan routes, and improves the efficiency of the third-party application party.
  • the actions of the blockchain system in the above steps S901 to S903 may be executed by the processor 501 in the communication device 500 shown in FIG. 5 calling the application code stored in the memory 503 to instruct the blockchain system to execute, and this embodiment does not impose any restrictions on this.
  • an authentication method provided by an embodiment of the present application includes the following steps:
  • the blockchain system receives a first message from an application server, where the first message includes a first identifier.
  • the application server in the embodiment of the present application may be, for example, the AF network element in the embodiment shown in FIG. 6
  • the blockchain system in the embodiment of the present application may be, for example, the blockchain system in the embodiment shown in FIG.
  • the first message in this embodiment of the present application may be, for example, the verification request 1 in step S608 in the embodiment shown in FIG. 6 .
  • the blockchain system determines a user context of the terminal device according to the first identifier, where the user context of the terminal device includes the first key.
  • the first key in this embodiment of the present application may be, for example, Kchain in the embodiment shown in FIG. 6 .
  • the blockchain system generates a third key, where the third key is a key used for secure communication between the terminal device and the application server, wherein the input parameters for generating the third key include the first key.
  • the third key in this embodiment of the present application may be, for example, Kapp in the embodiment shown in FIG. 6 .
  • for the specific implementation of steps S1002-S1003, reference may be made to step S610 in the embodiment shown in FIG. 6 , and details are not described herein again.
  • the application side AApF network elements need to configure the interfaces and interface addresses with the AAuF network elements in different networks one by one.
  • a unified cross-domain authentication interface is provided by the blockchain system, so that the application server interacts with the blockchain system through this interface and performs secure operations through the blockchain system (such as obtaining the security parameters for the communication between the application server and the terminal device through the blockchain system). This not only simplifies the configuration of the third-party application, but also avoids the problem of the third-party application party negotiating one by one with the operator and deploying network elements to plan routes, which improves the efficiency of the third-party application party.
  • the actions of the blockchain system in the above steps S1001 to S1003 may be executed by the processor 501 in the communication device 500 shown in FIG. 5 calling the application code stored in the memory 503 to instruct the blockchain system to execute, and this embodiment does not impose any restrictions on this.
  • an authentication method provided by an embodiment of the present application includes the following steps:
  • the authentication service function network element obtains instruction information, where the instruction information indicates that a secure operation is performed through a blockchain system.
  • the authentication service function network element in the embodiment of the present application may be, for example, the AUSF network element in the embodiments shown in FIG. 6 to FIG. 8
  • the blockchain system in the embodiment of the present application may be, for example, the blockchain system in the embodiments shown in FIG. 6 to FIG. 8 .
  • reference may be made to step S604 in the embodiment shown in FIG. 6 for the manner in which the authentication service function network element obtains the indication information, which will not be repeated here.
  • the authentication service function network element sends a third message to the blockchain system according to the indication information, where the third message includes first information and is used to request that the first information be stored in the user context of the terminal device, and the first information is the information required by the application server to perform secure operations through the blockchain system.
  • the application server in the embodiment of the present application may be, for example, the AF network element in the embodiments shown in FIG. 6 to FIG. 8 .
  • the third message in this embodiment of the present application may be, for example, a message sent by the AUSF network element to the blockchain system when the AUSF network element registers with the blockchain system in step S606 of the embodiment shown in FIG. 6 .
  • the first information may be the first identifier and Kchain registered by the AUSF network element in the blockchain system in step S606 of the embodiment shown in FIG. 6 .
  • the third message in this embodiment of the present application may be, for example, a message sent by the AUSF network element to the blockchain system when the AUSF network element registers with the blockchain system in step S706 of the embodiment shown in FIG. 7 .
  • the first information may be the first identifier and Kchain registered by the AUSF network element in the blockchain system in step S706 of the embodiment shown in FIG. 7 , or the first information may be step S706 of the embodiment shown in FIG. 7 .
  • the third message in this embodiment of the present application may be, for example, a message sent by the AUSF network element to the blockchain system when the AUSF network element registers with the blockchain system in step S806 of the embodiment shown in FIG. 8 .
  • the first information may be the first identifier of the AUSF network element registered in the blockchain system in step S806 of the embodiment shown in FIG. 8 and the address of the AUSF network element.
  • step S1102 may refer to step S606 in the embodiment shown in FIG. 6 or step S706 in the embodiment shown in FIG. 7 or step S806 in the embodiment shown in FIG. 8 , and details are not repeated here.
  • the authentication service function network element can send the data to the blockchain system.
  • a unified cross-domain authentication interface can be provided by the blockchain system, so that the application server can interact with the blockchain system through this interface and perform secure operations through the blockchain system. This not only simplifies the configuration of the third-party application, but also avoids the problem of the third-party application party negotiating one by one with the operator and deploying network elements to plan routes, which improves the efficiency of the third-party application party.
  • the actions of the authentication service function network element in the above steps S1101 to S1102 may be executed by the processor 501 in the communication device 500 shown in FIG. 5 calling the application code stored in the memory 503 to instruct the authentication service function network element to execute, and this embodiment does not impose any restrictions on this.
  • an authentication method provided by an embodiment of the present application includes the following steps:
  • the authentication service function network element receives a second message from the blockchain system, where the second message includes the first identifier.
  • the authentication service function network element in the embodiment of the present application may be, for example, the AUSF network element in the embodiment shown in FIG. 7 or FIG. 8
  • the blockchain system in the embodiment of the present application may be, for example, the blockchain system in the embodiment shown in FIG. 7 or FIG. 8 .
  • the second message in the embodiment of the present application may be, for example, the verification request 2 in step S710 in the embodiment shown in FIG. 7 ; or, the second message in the embodiment of the present application may be, for example, as shown in FIG. 8 .
  • the authentication service function network element determines the user context of the terminal device according to the first identifier, where the user context of the terminal device includes the first key or the second key; the first key is derived from the second key, and the second key is a key generated after successful authentication between the terminal device and the authentication service function network element.
  • the first key in the embodiment of the present application may be, for example, Kchain in the embodiment shown in FIG. 7 or FIG. 8
  • the second key may be, for example, the Kchain in the embodiment shown in FIG. 7 or FIG. 8 .
  • the authentication service function network element generates a third key, where the third key is a key used for secure communication between the terminal device and the application server, and the input parameters for generating the third key include the first key or the second key.
  • the application server in the embodiment of the present application may be, for example, the AF network element in the embodiment shown in FIG. 7 or FIG. 8 .
  • the first key in this embodiment of the present application may be, for example, Kapp in the embodiment shown in FIG. 7 or FIG. 8 .
  • for the specific implementation of steps S1202-S1203, reference may be made to step S711 in the embodiment shown in FIG. 7 or step S810 in the embodiment shown in FIG. 8 , and details are not repeated here.
  • the authentication service function network element sends the third key to the blockchain system.
  • for the specific implementation of step S1204, reference may be made to step S712 in the embodiment shown in FIG. 7 or step S811 in the embodiment shown in FIG. 8 , and details are not repeated here.
  • the application side AApF network elements need to configure the interfaces and interface addresses with the AAuF network elements in different networks one by one.
  • a unified cross-domain authentication interface is provided by the blockchain system, so that the application server interacts with the blockchain system through this interface and performs secure operations through the blockchain system (such as obtaining the security parameters for the communication between the application server and the terminal device through the blockchain system). This not only simplifies the configuration of the third-party application, but also avoids the problem of the third-party application party negotiating one by one with the operator and deploying network elements to plan routes, which improves the efficiency of the third-party application party.
  • the actions of the authentication service function network element in the above steps S1201 to S1204 may be executed by the processor 501 in the communication device 500 shown in FIG. 5 calling the application code stored in the memory 503 to instruct the authentication service function network element to execute, and this embodiment does not impose any restrictions on this.
  • the methods and/or steps implemented by the blockchain system may also be implemented by components that can be used in the blockchain system (for example, one or more blockchain devices in the blockchain system); the methods and/or steps implemented by the authentication service function network element (the AUSF network element in the embodiments shown in FIG. 6 to FIG. 8 , or the authentication service function network element in the embodiments shown in FIG. 11 to FIG. 12 ) may also be implemented by a component (for example, a chip or a circuit) that can be used in the authentication service function network element.
  • an embodiment of the present application further provides a communication device
  • the communication device may be one or more blockchain devices in the blockchain system in the above method embodiments, or a device including the above blockchain system, or a component that can be used in the above-mentioned blockchain device; or, the communication device may be the authentication service function network element in the above method embodiments, or a device including the above-mentioned authentication service function network element, or a component that can be used in the authentication service function network element.
  • the communication apparatus includes corresponding hardware structures and/or software modules for executing each function.
  • FIG. 13 shows a schematic structural diagram of a communication device 130 .
  • the communication device 130 includes a transceiver module 1301 and a processing module 1302 .
  • the transceiver module 1301 may also be referred to as a transceiver unit to implement a transceiver function, for example, a transceiver circuit, a transceiver, a transceiver or a communication interface.
  • taking the communication device 130 as one or more blockchain devices in the blockchain system in the above method embodiments, or as a chip or other component provided in the blockchain device, as an example, in a possible implementation manner:
  • the transceiver module 1301 is configured to receive a first message from an application server, where the first message includes a first identifier, and parameters and/or messages encrypted by the terminal device using the first key.
  • the processing module 1302 is configured to determine the user context of the terminal device according to the first identifier.
  • the processing module 1302 is further configured to verify the legitimacy of the terminal device for a third-party application corresponding to the application server according to the user context of the terminal device and the parameters and/or messages encrypted by the terminal device using the first key.
  • the user context of the terminal device includes the first key
  • the processing module 1302, configured to determine the user context of the terminal device according to the first identifier includes: determining the first key according to the first identifier.
  • the processing module 1302, configured to verify the legitimacy of the terminal device for the third-party application corresponding to the application server according to the user context of the terminal device and the parameters and/or messages encrypted by the terminal device using the first key, is specifically configured to: use the first key to decrypt the parameters and/or messages encrypted by the terminal device using the first key to obtain the decrypted parameters and/or messages; and when the decrypted parameters conform to the pre-configured parameter format or value used by the terminal device and the blockchain system for interaction, and/or the decrypted message conforms to the pre-configured message format used by the terminal device and the blockchain system for interaction, determine that the terminal device is legal.
  • the first identifier includes at least one of the global blockchain identifier of the terminal device or the key identifier KID corresponding to the second key, where the second key is the key generated after successful authentication between the terminal device and the authentication service function network element.
  • the first key is derived from the second key
  • the second key is a key generated after successful authentication between the terminal device and the authentication service function network element.
  • the processing module 1302 is further configured to obtain a third key after verifying that the terminal device is legal, where the third key is a key used for secure communication between the terminal device and the application server.
  • the transceiver module 1301 is further configured to send the third key to the application server.
  • the user context of the terminal device includes the first key; the processing module 1302, configured to obtain the third key, is specifically configured to generate the third key, where the input parameters for generating the third key include the first key.
  • the processing module 1302, configured to obtain the third key, is specifically configured to: send a second message to the authentication service function network element through the transceiver module 1301, where the second message includes the first identifier, the first identifier is used to determine the user context of the terminal device, the user context of the terminal device includes the first key or the second key, and the second key is the key generated after successful authentication between the terminal device and the authentication service function network element; and receive, through the transceiver module 1301, a third key from the authentication service function network element, where the input parameters for generating the third key include the first key or the second key.
  • the input parameters for generating the third key further include the second identifier and/or the decrypted parameter, where the second identifier is the application identifier of the third-party application, and the decrypted parameter is the parameter obtained by using the first key to decrypt the parameters encrypted by the terminal device using the first key.
  • the transceiver module 1301 is further configured to, before receiving the first message from the application server, receive a third message from the authentication service function network element, where the third message requests that the first key, the first identifier and the address of the authentication service function network element be stored in the user context of the terminal device.
  • the processing module 1302 is further configured to store the first key, the first identifier and the address of the authentication service function network element in the user context of the terminal device.
  • the transceiver module 1301 is further configured to, before receiving the first message from the application server, receive a third message from the authentication service function network element, where the third message requests that the first key and the first identifier be stored in the user context of the terminal device.
  • the processing module 1302 is further configured to store the first key and the first identifier in the user context of the terminal device.
  • taking the communication apparatus 130 as one or more blockchain devices in the blockchain system of the above method embodiments, or as a chip or other component provided in such a blockchain device, as an example, in another possible implementation:
  • the transceiver module 1301 is configured to receive a first message from an application server, where the first message includes a first identifier.
  • the processing module 1302 is configured to determine the user context of the terminal device according to the first identifier, where the user context of the terminal device includes the first key.
  • the processing module 1302 is further configured to generate a third key, where the third key is a key used for secure communication between the terminal device and the application server, wherein the input parameters for generating the third key include the first key.
  • the first key is derived from the second key
  • the second key is a key generated after successful authentication between the terminal device and the authentication service function network element.
  • the first message further includes a second identifier and/or a parameter encrypted by the terminal device using the first key, where the second identifier is the application identifier of the third-party application corresponding to the application server; correspondingly, the input parameters for generating the third key further include the second identifier and/or the decrypted parameter, where the decrypted parameter is the parameter obtained by decrypting, with the first key, the parameter encrypted by the terminal device using the first key.
  • the transceiver module 1301 is further configured to, before receiving the first message from the application server, receive a third message from the authentication service function network element, where the third message requests that the first key and the first identifier be stored in the user context of the terminal device.
  • the processing module 1302 is further configured to store the first key and the first identifier in the user context of the terminal device.
  • the processing module 1302 is configured to obtain indication information, where the indication information indicates that a security operation is to be performed through the blockchain system.
  • the transceiver module 1301 is configured to send a third message to the blockchain system according to the indication information, where the third message includes first information and requests that the first information be stored in the user context of the terminal device, the first information being the information the application server needs in order to perform the security operation through the blockchain system.
  • the first information includes a first identifier and the address of an authentication service function network element; or the first information includes a first identifier and a first key; or the first information includes a first identifier, a first key and the address of the authentication service function network element.
  • the first identifier includes at least one of a global blockchain identifier of the terminal device or a key identifier KID corresponding to the second key.
  • the processing module 1302, when configured to obtain the indication information, is configured to receive the indication information from the terminal device through the transceiver module 1301, or to receive the indication information from the unified data management network element through the transceiver module 1301.
  • the transceiver module 1301 is further configured to receive a second message from the blockchain system after sending the third message to the blockchain system, where the second message includes the first identifier.
  • the processing module 1302 is further configured to determine the user context of the terminal device according to the first identifier, where the user context of the terminal device includes the first key or the second key; the first key is derived from the second key, and the second key is a key generated after successful authentication between the terminal device and the authentication service function network element.
  • the processing module 1302 is further configured to generate a third key, where the third key is a key used for secure communication between the terminal device and the application server and the input parameters for generating the third key include the first key or the second key.
  • the transceiver module 1301 is further configured to send a third key to the blockchain system.
  • the second message further includes a second identifier and/or a parameter encrypted by the terminal device using the first key, where the second identifier is the application identifier of the third-party application corresponding to the application server; correspondingly, the input parameters for generating the third key further include the second identifier and/or the decrypted parameter, where the decrypted parameter is the parameter obtained by decrypting, with the first key, the parameter encrypted by the terminal device using the first key.
  • the second message further includes parameters and/or messages encrypted by the terminal device using the first key.
  • the processing module 1302 is further configured to, before generating the third key, verify the legality of the terminal device for the third-party application corresponding to the application server according to the user context of the terminal device and the parameters and/or messages encrypted by the terminal device using the first key.
  • the user context of the terminal device includes the first key; the processing module 1302, when configured to verify the legality of the terminal device for the third-party application corresponding to the application server according to the user context of the terminal device and the parameters and/or messages encrypted by the terminal device using the first key, is configured to: decrypt, using the first key, the parameters and/or messages encrypted by the terminal device using the first key, obtaining decrypted parameters and/or messages; and when the decrypted parameters conform to the preconfigured parameter format or value used between the terminal device and the authentication service function network element, and/or the decrypted message conforms to the preconfigured message format used between the terminal device and the authentication service function network element, determine that the terminal device is legal.
  • performing the security operation through the blockchain system includes obtaining security parameters for communication between the application server and the terminal device through the blockchain system.
  • performing the security operation through the blockchain system further includes verifying the legitimacy of the terminal device for a third-party application corresponding to the application server through the blockchain system.
  • the transceiver module 1301 is configured to receive a second message from the blockchain system, where the second message includes the first identifier.
  • the processing module 1302 is configured to determine the user context of the terminal device according to the first identifier, where the user context of the terminal device includes the first key or the second key; the first key is derived from the second key, and the second key is a key generated after successful authentication between the terminal device and the authentication service function network element.
  • the processing module 1302 is further configured to generate a third key, where the third key is a key used for secure communication between the terminal device and the application server and the input parameters for generating the third key include the first key or the second key.
  • the transceiver module 1301 is further configured to send a third key to the blockchain system.
  • the second message further includes a second identifier and/or a parameter encrypted by the terminal device using the first key, where the second identifier is the application identifier of the third-party application corresponding to the application server; correspondingly, the input parameters for generating the third key further include the second identifier and/or the decrypted parameter, where the decrypted parameter is the parameter obtained by decrypting, with the first key, the parameter encrypted by the terminal device using the first key.
  • the second message further includes parameters and/or messages encrypted by the terminal device using the first key.
  • the processing module 1302 is further configured to, before generating the third key, verify the legality of the terminal device for the third-party application corresponding to the application server according to the user context of the terminal device and the parameters and/or messages encrypted by the terminal device using the first key.
  • the user context of the terminal device includes the first key; the processing module 1302, when configured to verify the legality of the terminal device for the third-party application corresponding to the application server according to the user context of the terminal device and the parameters and/or messages encrypted by the terminal device using the first key, is configured to: decrypt, using the first key, the parameters and/or messages encrypted by the terminal device using the first key, obtaining decrypted parameters and/or messages; and when the decrypted parameters conform to the preconfigured parameter format or value used between the terminal device and the authentication service function network element, and/or the decrypted message conforms to the preconfigured message format used between the terminal device and the authentication service function network element, determine that the terminal device is legal.
  • the communication apparatus 130 is presented with its functional modules divided in an integrated manner.
  • Module herein may refer to a specific ASIC, circuit, processor and memory executing one or more software or firmware programs, integrated logic circuit, and/or other device that may provide the functions described above.
  • the communication apparatus 130 may take the form of the communication device 500 shown in FIG. 5 .
  • the processor 501 in the communication device 500 shown in FIG. 5 may invoke the computer execution instructions stored in the memory 503 to cause the communication device 500 to execute the authentication method in the above method embodiment.
  • the functions/implementation process of the transceiver module 1301 and the processing module 1302 in FIG. 13 can be implemented by the processor 501 in the communication device 500 shown in FIG. 5 calling the computer execution instructions stored in the memory 503 .
  • the function/implementation process of the processing module 1302 in FIG. 13 can be implemented by the processor 501 in the communication device 500 shown in FIG. 5 calling the computer execution instructions stored in the memory 503, and the function/implementation process of the transceiver module 1301 in FIG. 13 can be implemented through the communication interface 504 in the communication device 500 shown in FIG. 5.
  • since the communication device 130 provided in this embodiment can execute the above authentication method, the technical effect it obtains can be found in the above method embodiment and is not repeated here.
  • one or more of the above modules or units may be implemented by software, hardware or a combination of both.
  • the software exists in the form of computer program instructions and is stored in the memory, and the processor can be used to execute the program instructions and implement the above method flow.
  • the processor can be built into a system on chip (SoC) or an application specific integrated circuit (ASIC), or it can be an independent semiconductor chip.
  • the processor may further include necessary hardware accelerators, such as a field programmable gate array (FPGA), a programmable logic device (PLD), or a logic circuit that implements dedicated logic operations.
  • the hardware can be a CPU, microprocessor, digital signal processing (DSP) chip, microcontroller unit (MCU), artificial intelligence processor, ASIC, SoC, FPGA, PLD, dedicated digital circuit, hardware accelerator or non-integrated discrete device, or any combination of these, which may or may not run the necessary software to perform the above method flows.
  • an embodiment of the present application further provides a communication apparatus (for example, the communication apparatus may be a chip or a chip system), where the communication apparatus includes a processor for implementing the method in any of the foregoing method embodiments.
  • the communication device further includes a memory.
  • the memory is used to store necessary program instructions and data, and the processor can call the program code stored in the memory to instruct the communication apparatus to execute the method in any of the above method embodiments.
  • the memory may also not be in the communication device.
  • when the communication device is a chip system, it may consist of a chip, or may include a chip and other discrete devices, which is not specifically limited in this embodiment of the present application.
  • the above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof.
  • when implemented as a software program, they may be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on the computer, all or part of the processes or functions described in the embodiments of the present application are generated.
  • the computer may be a general purpose computer, special purpose computer, computer network, or other programmable device.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wire (eg, coaxial cable, optical fiber, digital subscriber line (DSL)) or wirelessly (eg, infrared, radio, microwave).
  • the computer-readable storage medium can be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media.
  • the usable media may be magnetic media (eg, floppy disks, hard disks, magnetic tapes), optical media (eg, DVDs), or semiconductor media (eg, solid state disks (SSDs)), and the like.

Abstract

Provided are an authentication method, apparatus and system, which can simplify the configurations of a third-party application. The method comprises: a blockchain system receiving a first message from an application server, wherein the first message comprises a first identifier, and a parameter and/or message encrypted by a terminal device using a first key; the blockchain system determining the user context of the terminal device according to the first identifier; and according to the user context of the terminal device and the parameter and/or message encrypted by the terminal device using the first key, the blockchain system verifying the legitimacy of the terminal device for a third-party application corresponding to the application server. The present application is applicable to the technical field of communications.

Description

Authentication method, device and system
This application claims priority to Chinese patent application No. 202010880356.4, entitled "Authentication Method, Device and System", filed with the State Intellectual Property Office on August 27, 2020, the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of communication technologies, and in particular to an authentication method, device and system.
Background
In the prior art, for reasons of secure communication, a terminal device must perform an authentication procedure when it accesses a mobile network. After the terminal device has accessed the mobile network, if it needs to access a third-party application it must perform a further authentication procedure. That is, a terminal device that can access third-party applications has to support two authentication methods (one mobile-network access authentication and one application access authentication), and only after both succeed can the terminal device access the third-party application. To simplify the implementation of terminal devices, the authentication and key management for applications (AKMA) architecture has been proposed. As shown in FIG. 1, in the AKMA architecture the AKMA authentication function (AAuF) network element is a proxy between the authentication server function (AUSF) network element and the AKMA application function (AApF) network element, and the AApF network element locates the AUSF network element through the AAuF network element.
When the terminal device accesses the mobile network and authentication between the terminal device and the AUSF network element succeeds, the AUSF network element and the terminal device negotiate and generate a key shared between the terminal device and the AUSF network element, and from that key generate a key for secure communication between the terminal device and the AApF network element. The AApF network element can then obtain the key for secure communication between the terminal device and the AApF network element from the AUSF network element and use it when the terminal device accesses the third-party application. In other words, the AKMA architecture reuses the result of the mobile network's authentication of the terminal device: secure communication is achieved by performing the authentication procedure only once, when the terminal device accesses the mobile network.
However, in a scenario where the users of a third-party application belong to multiple operators, so that the application server has to interact with the devices of multiple operators (for example, when multiple private networks form an alliance), the application-side AApF network element must be configured one by one with the interfaces to, and interface addresses of, the AAuF network elements in the different networks. In addition, whenever a private network joins or leaves the alliance, the interface and interface address of that private network's AAuF network element must be added to or deleted from the AApF network element, which clearly increases the implementation complexity of the third-party application.
Summary
Embodiments of the present application provide an authentication method, device and system, which can simplify the configuration of third-party applications.
To achieve the above object, the embodiments of the present application adopt the following technical solutions:
In a first aspect, an authentication method is provided. The method includes: a blockchain system receives a first message from an application server, the first message including a first identifier and a parameter and/or message encrypted by a terminal device using a first key; the blockchain system determines the user context of the terminal device according to the first identifier; and the blockchain system verifies, according to the user context of the terminal device and the parameter and/or message encrypted by the terminal device using the first key, the legality of the terminal device for the third-party application corresponding to the application server. On the one hand, in the embodiments of the present application the blockchain system verifies the legality of the terminal device on behalf of the third-party application, so that when the terminal device's access to the third-party application is not legal the access procedure can be terminated in time, avoiding the resource consumption and wasted signaling that would result from continuing the subsequent procedure (for example, continuing to provide a security key for communication between the application server of the third-party application and the terminal device) for an illegal access.
On the other hand, compared with the existing AKMA solution, in which the application-side AApF network element must be configured one by one with the interfaces and interface addresses of the AAuF network elements in different networks, the embodiments of the present application allow the blockchain system to provide a unified cross-domain authentication interface through which the application server interacts with the blockchain system and performs security operations (such as verifying the legality of the terminal device for the third-party application). This not only simplifies the configuration of the third-party application but also avoids the need for the third-party application provider to negotiate with each operator individually and to deploy network elements and plan routes, improving the efficiency of the third-party application provider.
In a possible implementation, the user context of the terminal device includes the first key, and the blockchain system determining the user context of the terminal device according to the first identifier includes: the blockchain system determines the first key according to the first identifier.
In a possible implementation, the blockchain system verifying the legality of the terminal device for the third-party application corresponding to the application server according to the user context of the terminal device and the parameter or message encrypted by the terminal device using the first key includes: the blockchain system decrypts, using the first key, the parameter and/or message encrypted by the terminal device using the first key, obtaining a decrypted parameter and/or message; and when the decrypted parameter conforms to the preconfigured parameter format or value used in interaction between the terminal device and the blockchain system, and/or the decrypted message conforms to the preconfigured message format used in interaction between the terminal device and the blockchain system, the blockchain system determines that the terminal device is legal. This solution enables the legality of the terminal device to be verified.
In a possible implementation, the first identifier includes at least one of a global blockchain identifier of the terminal device or a key identifier KID corresponding to a second key, where the second key is a key generated after successful authentication between the terminal device and the authentication service function network element.
In a possible implementation, the first key is derived from a second key, and the second key is a key generated after successful authentication between the terminal device and the authentication service function network element. With this solution, the application server and the terminal device can communicate using a key derived in the mobile network before the key for secure communication between the terminal device and the application server is obtained, which improves the service security of the terminal device.
In a possible implementation, the communication method provided by the embodiments of the present application further includes: after the blockchain system verifies that the terminal device is legal, the blockchain system obtains a third key, the third key being a key for secure communication between the terminal device and the application server; and the blockchain system sends the third key to the application server. That is, in the embodiments of the present application, the security parameters for communication between the application server and the terminal device can be obtained through the blockchain system, thereby achieving secure communication between the terminal device and the application server. Compared with the existing AKMA solution, in which the application-side AApF network element must be configured one by one with the interfaces and interface addresses of the AAuF network elements in different networks, the embodiments of the present application allow the blockchain system to provide a unified cross-domain authentication interface through which the application server interacts with the blockchain system and performs security operations (such as obtaining, through the blockchain system, the security parameters for communication between the application server and the terminal device).
This not only simplifies the configuration of the third-party application but also avoids the need for the third-party application provider to negotiate with each operator individually and to deploy network elements and plan routes, improving the efficiency of the third-party application provider.
In a possible implementation, the user context of the terminal device includes the first key, and the blockchain system obtaining the third key includes: the blockchain system generates the third key, where the input parameters for generating the third key include the first key. That is, in the embodiments of the present application, the blockchain system can both obtain the security parameters for communication between the application server and the terminal device and verify the legality of the terminal device for the third-party application corresponding to the application server.
In a possible implementation, the blockchain system obtaining the third key includes: the blockchain system sends a second message to the authentication service function network element, the second message including the first identifier, which is used to determine the user context of the terminal device, where the user context of the terminal device includes the first key or a second key, the second key being a key generated after successful authentication between the terminal device and the authentication service function network element; and the blockchain system receives the third key from the authentication service function network element, where the input parameters for generating the third key include the first key or the second key. That is, in the embodiments of the present application, the blockchain system can verify the legality of the terminal device for the third-party application corresponding to the application server, and the security parameters for communication between the application server and the terminal device can be obtained through the blockchain system.
In a possible implementation, the input parameters for generating the third key further include a second identifier and/or a decrypted parameter, where the second identifier is the application identifier of the third-party application and the decrypted parameter is the parameter obtained by decrypting, with the first key, the parameter encrypted by the terminal device using the first key. With this solution, since the decrypted parameter can include, for example, a random number chosen by the terminal device, and a random number is unpredictable, the third key generated from it is also more flexible and harder for an attacker to attack, which further secures communication between the terminal device and the application server.
In a possible implementation, before the blockchain system receives the first message from the application server, the authentication method provided in the embodiments of this application further includes: the blockchain system receives a third message from the authentication service function network element, the third message requesting that the first key, the first identifier and the address of the authentication service function network element be stored in the user context of the terminal device; the blockchain system stores the first key, the first identifier and the address of the authentication service function network element in the user context of the terminal device. In the existing AKMA scheme, the application-side AApF network element has to be configured one by one with the interfaces and interface addresses of the AAuF network elements in different networks. In the embodiments of this application, by contrast, the authentication service function network element can send the blockchain system the information the application server needs in order to perform security operations through the blockchain system (such as the first key, the first identifier and the address of the authentication service function network element), so that the application server can subsequently perform security operations through the blockchain system. In other words, in the embodiments of this application the blockchain system can provide a unified cross-domain authentication interface through which the application server interacts with the blockchain system and performs security operations; this not only simplifies the configuration of the third-party application but also avoids the need for the third-party application provider to negotiate with each operator one by one and to deploy network elements and plan routes, improving the efficiency of the third-party application provider. In addition, in the embodiments of this application the blockchain system stores the address of the authentication service function network element in the user context of the terminal device, so that when the blockchain system later interacts with the authentication service function network element it can obtain the address directly from the user context of the terminal device, which simplifies the processing logic of the blockchain system.
In a possible implementation, before the blockchain system receives the first message from the application server, the authentication method provided in the embodiments of this application further includes: the blockchain system receives a third message from the authentication service function network element, the third message requesting that the first key and the first identifier be stored in the user context of the terminal device; the blockchain system stores the first key and the first identifier in the user context of the terminal device. In the existing AKMA scheme, the application-side AApF network element has to be configured one by one with the interfaces and interface addresses of the AAuF network elements in different networks. In the embodiments of this application, by contrast, the authentication service function network element can send the blockchain system the information the application server needs in order to perform security operations through the blockchain system (such as the first key and the first identifier), so that the application server can subsequently perform security operations through the blockchain system. In other words, in the embodiments of this application the blockchain system can provide a unified cross-domain authentication interface through which the application server interacts with the blockchain system and performs security operations; this not only simplifies the configuration of the third-party application but also avoids the need for the third-party application provider to negotiate with each operator one by one and to deploy network elements and plan routes, improving the efficiency of the third-party application provider.
In a second aspect, an authentication method is provided, the method including: an authentication service function network element obtains indication information, the indication information indicating that security operations are to be performed through a blockchain system; according to the indication information, the authentication service function network element sends a third message to the blockchain system, the third message including first information and requesting that the first information be stored in the user context of a terminal device, where the first information is the information an application server needs in order to perform security operations through the blockchain system. In the existing AKMA scheme, the application-side AApF network element has to be configured one by one with the interfaces and interface addresses of the AAuF network elements in different networks. In the embodiments of this application, by contrast, the authentication service function network element can send the blockchain system the information the application server needs in order to perform security operations through the blockchain system, so that the application server can subsequently perform security operations through the blockchain system. In other words, in the embodiments of this application the blockchain system can provide a unified cross-domain authentication interface through which the application server interacts with the blockchain system and performs security operations; this not only simplifies the configuration of the third-party application but also avoids the need for the third-party application provider to negotiate with each operator one by one and to deploy network elements and plan routes, improving the efficiency of the third-party application provider.
In a possible implementation, the first information includes a first identifier and the address of the authentication service function network element, where the first identifier is used to determine the user context of the terminal device. In the embodiments of this application, the blockchain system stores the address of the authentication service function network element in the user context of the terminal device, so that when the blockchain system later interacts with the authentication service function network element it can obtain the address directly from the user context of the terminal device, which simplifies the processing logic of the blockchain system.
In a possible implementation, the first information includes the first identifier and a first key, where the first key is derived from a second key, and the second key is a key generated after successful authentication between the terminal device and the authentication service function network element.
In a possible implementation, the first information includes the first identifier, the first key and the address of the authentication service function network element. In the embodiments of this application, the blockchain system stores the address of the authentication service function network element in the user context of the terminal device, so that when the blockchain system later interacts with the authentication service function network element it can obtain the address directly from the user context of the terminal device, which simplifies the processing logic of the blockchain system.
In a possible implementation, the first identifier includes at least one of a global blockchain identifier of the terminal device or a key identifier (KID) corresponding to the second key.
In a possible implementation, the authentication service function network element obtaining the indication information includes: the authentication service function network element receives the indication information from the terminal device; or the authentication service function network element receives the indication information from a unified data management network element.
In a possible implementation, after the authentication service function network element sends the third message to the blockchain system according to the indication information, the method further includes: the authentication service function network element receives a second message from the blockchain system, the second message including the first identifier; the authentication service function network element determines the user context of the terminal device according to the first identifier, the user context of the terminal device including the first key or the second key, where the first key is derived from the second key and the second key is a key generated after successful authentication between the terminal device and the authentication service function network element; the authentication service function network element generates a third key, which is a key for secure communication between the terminal device and the application server, where the input parameters for generating the third key include the first key or the second key; and the authentication service function network element sends the third key to the blockchain system. In other words, in the embodiments of this application the authentication service function network element can generate the security parameters (such as the third key) for communication between the application server and the terminal device, and the application server can then obtain those security parameters through the blockchain system.
In a possible implementation, the second message further includes a second identifier and/or a parameter encrypted by the terminal device with the first key, the second identifier being the application identifier of the third-party application corresponding to the application server; correspondingly, the input parameters for generating the third key further include the second identifier and/or a decrypted parameter, where the decrypted parameter is obtained by using the first key to decrypt the parameter that the terminal device encrypted with the first key. With this scheme, because the decrypted parameter can include, for example, a random number chosen by the terminal device, and a random number is by nature unpredictable, the third key generated from it is more flexible and harder for an attacker to attack, which further secures the communication between the terminal device and the application server.
In a possible implementation, the second message further includes parameters and/or messages encrypted by the terminal device with the first key; before the authentication service function network element generates the third key, the method further includes: the authentication service function network element verifies, on behalf of the third-party application corresponding to the application server, that the terminal device is legitimate, according to the user context of the terminal device and the parameters and/or messages encrypted by the terminal device with the first key. With this scheme, when the terminal device's access to the third-party application is not legitimate, the access procedure can be terminated promptly, avoiding the resource consumption and wasted signalling that would result from continuing the subsequent procedure (such as continuing to provide a security key for communication between the terminal device and the application server corresponding to the third-party application) for a terminal device whose access to the third-party application is not legitimate.
In a possible implementation, the user context of the terminal device includes the first key; the authentication service function network element verifying, on behalf of the third-party application corresponding to the application server, that the terminal device is legitimate according to the user context of the terminal device and the parameters or messages encrypted by the terminal device with the first key includes: the authentication service function network element uses the first key to decrypt the parameters and/or messages that the terminal device encrypted with the first key, obtaining decrypted parameters and/or messages; when the decrypted parameters conform to the pre-configured parameter format or value used in interactions between the terminal device and the authentication service function network element, and/or the decrypted messages conform to the pre-configured message format used in interactions between the terminal device and the authentication service function network element, the authentication service function network element determines that the terminal device is legitimate. With this scheme, legitimacy authentication of the terminal device can be achieved.
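The exchange described in the implementations above (the authentication service function storing the first key, first identifier and its address in the user context held by the blockchain system; the application server's first message being resolved to a second message; the terminal being verified by decrypting a first-key-encrypted parameter and checking it against a pre-configured format; and the third key being derived from the first key, the application identifier and the decrypted parameter) is modelled end to end below. This is an added illustration, not code from the patent or from the applicant. Everything concrete in it is an assumption made for the example: HMAC-SHA256 as the key derivation function, a small encrypt-then-MAC construction as a stdlib-only stand-in for a real AEAD such as AES-GCM, the `NONCE`-prefixed parameter format, the class names `AuthServiceFunction` and `BlockchainSystem`, the message field names, and the KID format.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: the pre-agreed format of the parameter the
# terminal encrypts with the first key (a fixed prefix plus a 16-byte nonce).
PARAM_PREFIX = b"NONCE"
PARAM_LEN = len(PARAM_PREFIX) + 16


def kdf(key, *inputs):
    """HMAC-SHA256 derivation over length-prefixed inputs (assumed KDF)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for item in inputs:
        h.update(len(item).to_bytes(2, "big") + item)
    return h.digest()

def encrypt_param(k1, param):
    """Encrypt-then-MAC under K1 (HMAC keystream XOR, then HMAC tag); a
    stdlib-only stand-in for a real AEAD such as AES-GCM, up to 32 bytes."""
    iv = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(param[:32], kdf(k1, b"enc", iv)))
    tag = hmac.new(kdf(k1, b"mac"), iv + ct, hashlib.sha256).digest()
    return iv + ct + tag

def decrypt_param(k1, blob):
    """Return the plaintext, or None when the tag does not verify under K1."""
    if len(blob) < 48:
        return None
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kdf(k1, b"mac"), iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ s for c, s in zip(ct, kdf(k1, b"enc", iv)))

def param_is_valid(param):
    """Pre-configured format check applied by the authentication service function."""
    return param is not None and len(param) == PARAM_LEN and param.startswith(PARAM_PREFIX)


class AuthServiceFunction:
    """Authentication service function network element (operator side)."""
    def __init__(self, address):
        self.address = address
        self.user_contexts = {}  # first identifier (KID) -> {"k2": .., "k1": ..}

    def primary_authentication(self, k2):
        """K2 results from successful authentication; K1 is derived from it and
        a KID is issued as the first identifier."""
        kid = "KID-" + secrets.token_hex(4)
        k1 = kdf(k2, b"K1")
        self.user_contexts[kid] = {"k2": k2, "k1": k1}
        return kid, k1

    def third_message(self, kid):
        """Information the blockchain system stores in the user context."""
        return {"first_id": kid, "first_key": self.user_contexts[kid]["k1"],
                "asf_address": self.address}

    def handle_second_message(self, msg):
        """Verify the terminal for the application, then derive K3, else refuse."""
        ctx = self.user_contexts.get(msg["first_id"])
        if ctx is None:
            return None
        param = decrypt_param(ctx["k1"], msg["enc_param"])
        if not param_is_valid(param):
            return None  # terminal not legitimate: terminate, derive nothing
        return kdf(ctx["k1"], b"K3", msg["app_id"].encode(), param)


class BlockchainSystem:
    """Blockchain system offering the unified interface to application servers."""
    def __init__(self, reachable_asfs):
        self.reachable_asfs = reachable_asfs  # address -> network element
        self.user_contexts = {}  # first identifier -> stored third message

    def handle_third_message(self, msg):
        self.user_contexts[msg["first_id"]] = msg

    def handle_first_message(self, msg):
        ctx = self.user_contexts.get(msg["first_id"])
        if ctx is None:
            return None
        # The network element's address comes from the stored context, never from the request.
        asf = self.reachable_asfs[ctx["asf_address"]]
        return asf.handle_second_message(
            {k: msg[k] for k in ("first_id", "app_id", "enc_param")})


def run_flow(app_id="app-1", rogue_terminal=False):
    """Drive the exchange; returns (K3 derived at the network, K3 derived at the terminal)."""
    asf = AuthServiceFunction("asf.operator.example")
    bc = BlockchainSystem({asf.address: asf})
    kid, k1 = asf.primary_authentication(secrets.token_bytes(32))
    bc.handle_third_message(asf.third_message(kid))
    nonce = PARAM_PREFIX + secrets.token_bytes(16)
    # A rogue terminal may know the KID but not K1, so it encrypts under some other key.
    enc = encrypt_param(secrets.token_bytes(32) if rogue_terminal else k1, nonce)
    k3_network = bc.handle_first_message({"first_id": kid, "app_id": app_id, "enc_param": enc})
    return k3_network, kdf(k1, b"K3", app_id.encode(), nonce)
```

Running `run_flow()` yields the same 32-byte third key on both sides because both derive it from the same first key, application identifier and nonce; `run_flow(rogue_terminal=True)` returns `None` from the network side, since the tag check fails before any key is derived, which is the early termination the text describes. Resolving the authentication service function from the address stored in the user context, rather than from anything in the application server's request, is what keeps the blockchain system's routing logic independent of the requester.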
In a possible implementation, performing a security operation through the blockchain system includes obtaining, through the blockchain system, security parameters for communication between the application server and the terminal device.
In a possible implementation, performing a security operation through the blockchain system further includes verifying, through the blockchain system, the legitimacy of the terminal device on behalf of the third-party application corresponding to the application server.
In a third aspect, an authentication method is provided, the method including: a blockchain system receives a first message from an application server, the first message including a first identifier; the blockchain system determines the user context of a terminal device according to the first identifier, the user context of the terminal device including a first key; the blockchain system generates a third key, which is a key for secure communication between the terminal device and the application server, where the input parameters for generating the third key include the first key. In the existing AKMA scheme, the application-side AApF network element has to be configured one by one with the interfaces and interface addresses of the AAuF network elements in different networks. In the embodiments of this application, by contrast, the blockchain system can provide a unified cross-domain authentication interface through which the application server interacts with the blockchain system and performs security operations (such as obtaining, through the blockchain system, the security parameters for communication between the application server and the terminal device); this not only simplifies the configuration of the third-party application but also avoids the need for the third-party application provider to negotiate with each operator one by one and to deploy network elements and plan routes, improving the efficiency of the third-party application provider.
In a possible implementation, the first key is derived from a second key, and the second key is a key generated after successful authentication between the terminal device and the authentication service function network element. With this scheme, before the key for secure communication between the terminal device and the application server is subsequently obtained, the application server and the terminal device can communicate using a key derived in the mobile network, which improves the service security of the terminal device.
In a possible implementation, the first message further includes a second identifier and/or a parameter encrypted by the terminal device with the first key, the second identifier being the application identifier of the third-party application corresponding to the application server; correspondingly, the input parameters for generating the third key further include the second identifier and/or a decrypted parameter, where the decrypted parameter is obtained by using the first key to decrypt the parameter that the terminal device encrypted with the first key. With this scheme, because the decrypted parameter can include, for example, a random number chosen by the terminal device, and a random number is by nature unpredictable, the third key generated from it is more flexible and harder for an attacker to attack, which further secures the communication between the terminal device and the application server.
In a possible implementation, before the blockchain system receives the first message from the application server, the communication method provided in the embodiments of this application further includes: the blockchain system receives a third message from the authentication service function network element, the third message requesting that the first key and the first identifier be stored in the user context of the terminal device; the blockchain system stores the first key and the first identifier in the user context of the terminal device. In the existing AKMA scheme, the application-side AApF network element has to be configured one by one with the interfaces and interface addresses of the AAuF network elements in different networks. In the embodiments of this application, by contrast, the authentication service function network element can send the blockchain system the information the application server needs in order to perform security operations through the blockchain system (such as the first key and the first identifier), so that the application server can subsequently perform security operations through the blockchain system. In other words, in the embodiments of this application the blockchain system can provide a unified cross-domain authentication interface through which the application server interacts with the blockchain system and performs security operations; this not only simplifies the configuration of the third-party application but also avoids the need for the third-party application provider to negotiate with each operator one by one and to deploy network elements and plan routes, improving the efficiency of the third-party application provider.
In a fourth aspect, an authentication method is provided, the method including: an authentication service function network element receives a second message from a blockchain system, the second message including a first identifier; the authentication service function network element determines the user context of a terminal device according to the first identifier, the user context of the terminal device including a first key or a second key, where the first key is derived from the second key and the second key is a key generated after successful authentication between the terminal device and the authentication service function network element; the authentication service function network element generates a third key, which is a key for secure communication between the terminal device and an application server, where the input parameters for generating the third key include the first key or the second key. In the existing AKMA scheme, the application-side AApF network element has to be configured one by one with the interfaces and interface addresses of the AAuF network elements in different networks. In the embodiments of this application, by contrast, the blockchain system can provide a unified cross-domain authentication interface through which the application server interacts with the blockchain system and performs security operations (such as obtaining, through the blockchain system, the security parameters for communication between the application server and the terminal device); this not only simplifies the configuration of the third-party application but also avoids the need for the third-party application provider to negotiate with each operator one by one and to deploy network elements and plan routes, improving the efficiency of the third-party application provider.
In a possible implementation, the second message further includes a second identifier and/or a parameter encrypted by the terminal device with the first key, the second identifier being the application identifier of the third-party application corresponding to the application server; correspondingly, the input parameters for generating the third key further include the second identifier and/or a decrypted parameter, where the decrypted parameter is obtained by using the first key to decrypt the parameter that the terminal device encrypted with the first key. With this scheme, because the decrypted parameter can include, for example, a random number chosen by the terminal device, and a random number is by nature unpredictable, the third key generated from it is more flexible and harder for an attacker to attack, which further secures the communication between the terminal device and the application server.
In a possible implementation, the second message further includes parameters and/or messages encrypted by the terminal device with the first key; before the authentication service function network element generates the third key, the method further includes: the authentication service function network element verifies, on behalf of the third-party application corresponding to the application server, that the terminal device is legitimate, according to the user context of the terminal device and the parameters and/or messages encrypted by the terminal device with the first key. With this scheme, when the terminal device's access to the third-party application is not legitimate, the access procedure can be terminated promptly, avoiding the resource consumption and wasted signalling that would result from continuing the subsequent procedure (such as continuing to provide a security key for communication between the terminal device and the application server corresponding to the third-party application) for a terminal device whose access to the third-party application is not legitimate.
In a possible implementation, the user context of the terminal device includes the first key; the authentication service function network element verifying, on behalf of the third-party application corresponding to the application server, that the terminal device is legitimate according to the user context of the terminal device and the parameters or messages encrypted by the terminal device with the first key includes: the authentication service function network element uses the first key to decrypt the parameters and/or messages that the terminal device encrypted with the first key, obtaining decrypted parameters and/or messages; when the decrypted parameters conform to the pre-configured parameter format or value used in interactions between the terminal device and the authentication service function network element, and/or the decrypted messages conform to the pre-configured message format used in interactions between the terminal device and the authentication service function network element, the authentication service function network element determines that the terminal device is legitimate. With this scheme, legitimacy authentication of the terminal device can be achieved.
In a fifth aspect, a communication apparatus is provided for implementing the above methods. The communication apparatus may be one or more blockchain apparatuses in the blockchain system of the first or third aspect, or an apparatus including that blockchain system; or the communication apparatus may be the authentication service function network element of the second or fourth aspect, or an apparatus including that authentication service function network element. The communication apparatus includes modules, units or means for implementing the above methods, and these modules, units or means may be implemented in hardware, in software, or in hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the above functions.
In a sixth aspect, a communication apparatus is provided, including a processor and a memory; the memory is configured to store computer instructions, and when the processor executes the instructions the communication apparatus performs the method of any of the above aspects. The communication apparatus may be one or more blockchain apparatuses in the blockchain system of the first or third aspect, or an apparatus including that blockchain system; or the communication apparatus may be the authentication service function network element of the second or fourth aspect, or an apparatus including that authentication service function network element.
In a seventh aspect, a communication apparatus is provided, including a processor; the processor is configured to be coupled to a memory and, after reading instructions in the memory, to perform the method of any of the above aspects according to the instructions. The communication apparatus may be one or more blockchain apparatuses in the blockchain system of the first or third aspect, or an apparatus including that blockchain system; or the communication apparatus may be the authentication service function network element of the second or fourth aspect, or an apparatus including that authentication service function network element.
In an eighth aspect, a communication apparatus is provided, including a processor and an interface circuit. The interface circuit is configured to receive a computer program or instructions and pass them to the processor; the processor is configured to execute the computer program or instructions so that the communication apparatus performs the method of any of the above aspects. The communication apparatus may be one or more blockchain devices in the blockchain system of the first or third aspect, or an apparatus that includes that blockchain system; or the communication apparatus may be the authentication service function network element of the second or fourth aspect, or an apparatus that includes that authentication service function network element.
In a ninth aspect, a computer-readable storage medium is provided. The storage medium stores instructions which, when run on a computer, cause the computer to perform the method of any of the above aspects.
In a tenth aspect, a computer program product containing instructions is provided which, when run on a computer, causes the computer to perform the method of any of the above aspects.
In an eleventh aspect, a communication apparatus is provided (for example, the communication apparatus may be a chip or a chip system). The communication apparatus includes a processor configured to implement the functions involved in any of the above aspects. In a possible implementation, the communication apparatus further includes a memory for storing the necessary program instructions and data. When the communication apparatus is a chip system, it may consist of chips, or it may include chips together with other discrete components.
For the technical effects of any possible implementation of the fifth to eleventh aspects, refer to the technical effects of the different designs in the first to fourth aspects above; they are not repeated here.
In a twelfth aspect, a communication system is provided that includes a blockchain system and an application server. The application server is configured to send a first message to the blockchain system, the first message including a first identifier and a parameter and/or message that the terminal device has encrypted using a first key. The blockchain system is configured to receive the first message from the application server, determine the user context of the terminal device according to the first identifier, and then verify the legitimacy of the terminal device for the third-party application corresponding to the application server according to that user context and the parameter and/or message encrypted with the first key. For the technical effect of the twelfth aspect, refer to the first aspect above; it is not repeated here.
In a thirteenth aspect, a communication system is provided that includes a blockchain system and an application server. The application server is configured to send a first message to the blockchain system, the first message including a first identifier. The blockchain system is configured to receive the first message from the application server, determine the user context of the terminal device according to the first identifier, and then generate a third key, the third key being a key for secure communication between the terminal device and the application server. The user context of the terminal device includes the first key, and the input parameters for generating the third key include the first key. For the technical effect of the thirteenth aspect, refer to the third aspect above; it is not repeated here.
In a fourteenth aspect, a communication system is provided that includes an authentication service function network element and a blockchain system. The authentication service function network element is configured to obtain indication information, the indication information indicating that security operations are to be performed through the blockchain system. The authentication service function network element is further configured to send, according to the indication information, a third message to the blockchain system; the third message includes first information and requests that the first information be stored in the user context of the terminal device, where the first information is the information the application server needs in order to perform security operations through the blockchain system. The blockchain system is configured to receive the third message from the authentication service function network element and store the first information in the user context of the terminal device. For the technical effect of the fourteenth aspect, refer to the second aspect above; it is not repeated here.
Brief description of the drawings
FIG. 1 is a schematic diagram of the existing AKMA architecture;
FIG. 2 is a schematic structural diagram of a communication system provided by an embodiment of this application;
FIG. 3 is a schematic structural diagram of another communication system provided by an embodiment of this application;
FIG. 4 is a schematic diagram of the architecture of a 5G network provided by an embodiment of this application;
FIG. 5 is a schematic structural diagram of a communication device provided by an embodiment of this application;
FIG. 6 is a first interaction diagram of an authentication method provided by an embodiment of this application;
FIG. 7 is a second interaction diagram of an authentication method provided by an embodiment of this application;
FIG. 8 is a third interaction diagram of an authentication method provided by an embodiment of this application;
FIG. 9 is a first flowchart of an authentication method provided by an embodiment of this application;
FIG. 10 is a second flowchart of an authentication method provided by an embodiment of this application;
FIG. 11 is a third flowchart of an authentication method provided by an embodiment of this application;
FIG. 12 is a fourth flowchart of an authentication method provided by an embodiment of this application;
FIG. 13 is a schematic structural diagram of a communication apparatus provided by an embodiment of this application.
Detailed description of the embodiments
To make the solutions of the embodiments of this application easier to understand, the related concepts are first introduced briefly as follows:
First, blockchain technology
Blockchain technology, also called distributed ledger technology, is an emerging technology in which a number of computing devices jointly take part in "bookkeeping" (that is, recording transaction data) and jointly maintain one complete distributed database. Because blockchain technology is decentralized (there is no central node), open and transparent, lets every computing device take part in recording to the database, and allows fast data synchronization between the computing devices, it has come to be applied widely in many fields.
At present, blockchains can be divided by deployment mode into public chains and consortium chains. A public chain is a blockchain that any device in the world can read, or in which any device can take part in the consensus verification of transactions. A consortium chain, also called a consortium blockchain, is one in which the designated participants of the blockchain form a consortium and the business interactions between members are recorded on the blockchain, which limits the scale of use and the permissions.
Second, the blockchain system
In the embodiments of this application, the blockchain system may also be referred to simply as the blockchain. The blockchain system includes one or more blockchain devices, for example blockchain security processing modules. As an example, the blockchain security processing module in the embodiments may be a blockchain smart contract module, that is, the smart contract module in the blockchain system that handles the security operations of users accessing third-party applications. This is stated here once and is not repeated below.
The technical solutions in the embodiments of this application are described below with reference to the accompanying drawings. In the description of this application, unless otherwise stated, "/" indicates an "or" relationship between the associated objects; for example, A/B may mean A or B. "And/or" in this application merely describes an association between associated objects and indicates that three relationships may exist; for example, A and/or B may mean: A alone, both A and B, or B alone, where A and B may each be singular or plural. Also, in the description of this application, unless otherwise stated, "a plurality of" means two or more. "At least one of the following items" or similar expressions refer to any combination of those items, including any combination of a single item or of plural items. For example, at least one of a, b, or c may mean: a, b, c, a-b, a-c, b-c, or a-b-c, where each of a, b and c may be single or multiple. In addition, to describe the technical solutions of the embodiments clearly, words such as "first" and "second" are used in the embodiments to distinguish between identical or similar items that have basically the same function and effect. Those skilled in the art will understand that "first", "second" and the like limit neither quantity nor order of execution, and do not necessarily mean that the items are different. Meanwhile, in the embodiments of this application, words such as "exemplary" or "for example" indicate an example, illustration or explanation. Any embodiment or design described as "exemplary" or "for example" should not be construed as preferred over, or more advantageous than, other embodiments or designs. Rather, such words are used to present the related concepts in a concrete way to aid understanding.
Furthermore, the network architectures and service scenarios described in the embodiments of this application are intended to explain the technical solutions of the embodiments more clearly and do not limit them. Those of ordinary skill in the art will know that, as network architectures evolve and new service scenarios appear, the technical solutions provided in the embodiments apply equally to similar technical problems.
FIG. 2 shows a communication system 20 provided by an embodiment of this application. The communication system 20 includes a blockchain system 201 and an application server 202. The blockchain system 201 and the application server 202 may communicate directly or through forwarding by other devices; this is not specifically limited in the embodiments. As an example, the application server 202 may interact with the blockchain system 201 through a blockchain handling function (BCHF) network element newly added to the current 5G communication system; this is not specifically limited either. That is, when the application server 202 lacks blockchain handling capability (which can also be understood as not supporting blockchain-related operations), the BCHF network element of the embodiments can act as a proxy between the application server 202 and the blockchain system 201 and interact with the blockchain system 201 on behalf of the application server 202. For example, the BCHF network element is responsible for publishing network processing information to the blockchain system as transactions, and for publishing blockchain-system and network-related events into the network. The functions of the BCHF network element include, but are not limited to, one or more of publishing transactions, recording blocks and executing smart contracts.
Of course, the BCHF network element of the embodiments can also act as a proxy between a first network element and the blockchain system when other network elements lack blockchain handling capability, interacting with the blockchain system on their behalf. For example, in the communication system 30 shown in FIG. 3, when the authentication service function network element 301 lacks blockchain handling capability, the BCHF network element can act as a proxy between the authentication service function network element 301 and the blockchain system 302 and interact with the blockchain system 302 on behalf of the authentication service function network element 301. This is stated here once and is not repeated below.
In a possible implementation, in the communication system 20 shown in FIG. 2, the application server 202 is configured to send a first message to the blockchain system 201, the first message including a first identifier and a parameter and/or message that the terminal device has encrypted using a first key. The blockchain system 201 is configured to receive the first message from the application server 202, determine the user context of the terminal device according to the first identifier, and then verify the legitimacy of the terminal device for the third-party application corresponding to the application server 202 according to that user context and the parameter and/or message encrypted with the first key. The specific implementation of this scheme is described in detail in the method embodiments below and is not repeated here. On the one hand, in the embodiments of this application the blockchain system verifies the legitimacy of the terminal device for the third-party application, so that when the terminal device's access to the third-party application is not legitimate the access procedure can be terminated promptly, avoiding the resource consumption and signaling waste that continuing the subsequent procedure (for example, continuing to provide a security key for communication between the terminal device and the application server of the third-party application) would cause for an illegitimate access. On the other hand, compared with the existing AKMA scheme, in which the application-side AApF network element must be configured one by one with the interfaces and interface addresses of the AAuF network elements of different networks, the embodiments of this application let the blockchain system provide a unified cross-domain authentication interface through which the application server interacts with the blockchain system and performs security operations (such as verifying the legitimacy of the terminal device for the third-party application). This not only simplifies the configuration of third-party applications but also avoids the third-party application provider having to negotiate with each operator individually and deploy network elements and plan routes, improving the efficiency of the third-party application provider.
In another possible implementation, in the communication system 20 shown in FIG. 2, the application server 202 is configured to send a first message to the blockchain system 201, the first message including a first identifier. The blockchain system 201 is configured to receive the first message from the application server 202, determine the user context of the terminal device according to the first identifier, and then generate a third key, the third key being a key for secure communication between the terminal device and the application server. The user context of the terminal device includes the first key, and the input parameters for generating the third key include the first key. The specific implementation of this scheme is described in detail in the method embodiments below and is not repeated here. Compared with the existing AKMA scheme, in which the application-side AApF network element must be configured one by one with the interfaces and interface addresses of the AAuF network elements of different networks, the embodiments of this application let the blockchain system provide a unified cross-domain authentication interface through which the application server interacts with the blockchain system and performs security operations (such as verifying the legitimacy of the terminal device for the third-party application). This not only simplifies the configuration of third-party applications but also avoids the third-party application provider having to negotiate with each operator individually and deploy network elements and plan routes, improving the efficiency of the third-party application provider.
FIG. 3 shows a communication system 30 provided by an embodiment of this application. The communication system 30 includes an authentication service function network element 301 and a blockchain system 302. The authentication service function network element 301 and the blockchain system 302 may communicate directly or through forwarding by other devices; this is not specifically limited in the embodiments. As an example, as described above, the authentication service function network element 301 may interact with the blockchain system 302 through the BCHF network element newly added to the current 5G communication system; this is not specifically limited either.
The authentication service function network element 301 is configured to obtain indication information, the indication information indicating that security operations are to be performed through the blockchain system. The authentication service function network element 301 is further configured to send, according to the indication information, a third message to the blockchain system 302; the third message includes first information and requests that the first information be stored in the user context of the terminal device, where the first information is the information the application server needs in order to perform security operations through the blockchain system 302. The blockchain system 302 is configured to receive the third message from the authentication service function network element 301 and store the first information in the user context of the terminal device. In the embodiments of this application, performing security operations through the blockchain system 302 includes obtaining, through the blockchain system 302, the security parameters for communication between the application server and the terminal device. Optionally, performing security operations through the blockchain system 302 includes verifying, through the blockchain system 302, the legitimacy of the terminal device for the third-party application corresponding to the application server. This is stated here once and is not repeated below. The specific implementation of this scheme is described in detail in the method embodiments below and is not repeated here. Compared with the existing AKMA scheme, in which the application-side AApF network element must be configured one by one with the interfaces and interface addresses of the AAuF network elements of different networks, in the embodiments of this application the authentication service function network element can send to the blockchain system the information the application server needs for performing security operations through the blockchain system, so that the application server can subsequently perform those security operations through the blockchain system. In other words, the embodiments of this application let the blockchain system provide a unified cross-domain authentication interface through which the application server interacts with the blockchain system and performs security operations. This not only simplifies the configuration of third-party applications but also avoids the third-party application provider having to negotiate with each operator individually and deploy network elements and plan routes, improving the efficiency of the third-party application provider.
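The three exchanges just described (the authentication service function network element storing first information in the user context, the application server asking the blockchain system to verify a terminal from a parameter encrypted with the first key, and the blockchain system deriving the third key with the first key as an input) can be modelled as one small module. This is an added example, not code from the patent; everything beyond the page's message names is an assumption: the first information is modelled as the first key K1 plus the application identifier the terminal may access, "encrypting with the first key" as an HMAC-SHA-256 encrypt-then-MAC construction (the page names no algorithm), the encrypted parameter as the terminal's identifier followed by an 8-byte nonce, and the third key as HKDF over K1 with the application identifier and that nonce.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed wire layout (assumption, not from the page): nonce || ciphertext || tag
NONCE_LEN = 12        # nonce prefix of the encrypted blob
TAG_LEN = 32          # HMAC-SHA-256 tag
PARAM_NONCE_LEN = 8   # nonce carried at the end of the plaintext parameter


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract + expand) with HMAC-SHA-256."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC, so the example needs only the standard library."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_with_first_key(k1: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Terminal side: encrypt-then-MAC under keys derived from K1; returns nonce||ct||tag."""
    enc_key = hkdf_sha256(k1, b"", b"enc")
    mac_key = hkdf_sha256(k1, b"", b"mac")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_with_first_key(k1: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the tag does not verify under K1 (wrong key or tampering)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    mac_key = hkdf_sha256(k1, b"", b"mac")
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    enc_key = hkdf_sha256(k1, b"", b"enc")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class UserContext:
    """User context held by the blockchain system; the first key is part of it (page), allowed_apps is assumed."""
    first_key: bytes
    allowed_apps: Set[str] = field(default_factory=set)


class BlockchainSecurityModule:
    """Smart-contract-style module keyed by the first identifier (hypothetical API)."""

    def __init__(self) -> None:
        self._contexts: Dict[str, UserContext] = {}

    def store_first_information(self, identifier: str, first_key: bytes, app_id: str) -> None:
        """Third message from the authentication service function NE: store first information."""
        ctx = self._contexts.setdefault(identifier, UserContext(first_key))
        ctx.first_key = first_key
        ctx.allowed_apps.add(app_id)

    def verify_terminal(self, identifier: str, app_id: str, encrypted_param: bytes) -> bool:
        """First message from the application server: verify the terminal for app_id."""
        ctx = self._contexts.get(identifier)
        if ctx is None or app_id not in ctx.allowed_apps:
            return False  # no user context for this identifier, or app not provisioned
        param = decrypt_with_first_key(ctx.first_key, encrypted_param)
        if param is None or len(param) <= PARAM_NONCE_LEN:
            return False  # did not decrypt under the context's K1, or malformed
        # Legitimate only if the parameter names this very terminal.
        return hmac.compare_digest(param[:-PARAM_NONCE_LEN], identifier.encode())

    def derive_third_key(self, identifier: str, app_id: str, nonce: bytes) -> Optional[bytes]:
        """Thirteenth aspect: K3 for terminal-to-application-server traffic, with K1 as an input."""
        ctx = self._contexts.get(identifier)
        if ctx is None or app_id not in ctx.allowed_apps:
            return None
        return hkdf_sha256(ctx.first_key, nonce, b"K3|" + app_id.encode())


def terminal_third_key(k1: bytes, app_id: str, nonce: bytes) -> bytes:
    """Terminal side derives the same K3 locally from its own K1, so K3 never travels over the air."""
    return hkdf_sha256(k1, nonce, b"K3|" + app_id.encode())
```

The checks in verify_terminal reject the cases the page motivates (unknown identifier, application not provisioned in the context, parameter not encrypted under the context's first key) before any third key is produced.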
It should be noted that "third party" in "third-party application" in the embodiments of this application is relative to the operator's transport network, such as a mobile transport network. In other words, the "third-party application" in the embodiments may be any application that can currently run. This is stated here once and is not repeated below.
Optionally, the communication system 20 shown in FIG. 2 or the communication system 30 shown in FIG. 3 may be applied to the current 5G network or to other future networks; this is not specifically limited in the embodiments of this application.
As an example, as shown in FIG. 4, if the communication system 20 of FIG. 2 or the communication system 30 of FIG. 3 is applied to the current 5G network, the network element or entity corresponding to the application server 202 in the communication system 20 of FIG. 2 may be an application function (AF) network element in the 5G network architecture, and the network element or entity corresponding to the authentication service function network element in the communication system of FIG. 3 may be an authentication server function (AUSF) network element in the 5G network architecture.
In addition, as shown in FIG. 4, the current 5G network may further include access network devices, an access and mobility management function (AMF) network element, a session management function (SMF) network element, a BCHF network element, a user plane function (UPF) network element, a network slice selection function (NSSF) network element, a network exposure function (NEF) network element, a network repository function (NRF) network element, a policy control function (PCF) network element, a unified data management (UDM) network element, and so on; this is not specifically limited in the embodiments of this application.
As shown in FIG. 4, the terminal device accesses the 5G network through the access network device; the terminal device communicates with the AMF network element through the N1 interface (N1 for short); the access network device communicates with the AMF network element through the N2 interface (N2 for short); the access network device communicates with the UPF network element through the N3 interface (N3 for short); the SMF network element communicates with the UPF network element through N4; and the UPF network element accesses the data network through the N6 interface (N6 for short). In addition, the control-plane network elements shown in FIG. 4, such as the AUSF, AMF, SMF, NSSF, NEF, NRF, PCF, UDM, AF and BCHF network elements, may also interact through service-based interfaces. For example, the service-based interface exposed by the AUSF network element may be Nausf; by the AMF network element, Namf; by the SMF network element, Nsmf; by the NSSF network element, Nnssf; by the NEF network element, Nnef; by the NRF network element, Nnrf; by the PCF network element, Npcf; by the UDM network element, Nudm; by the AF network element, Naf; and by the BCHF network element, Nbchf. For the related description, refer to the 5G system architecture figure in 3GPP TS 23.501; it is not repeated here. In addition, as an example, as shown in FIG. 4, when the AUSF, AF, UDM, UDR, AMF, SMF or NEF network element lacks blockchain handling capability, it may interact with the blockchain system through the BCHF network element. This is stated here once and is not repeated below.
Optionally, the BCHF network element in the embodiments of the present application may be an independent function module deployed separately from the 5G network elements, or a distributed function module co-deployed with a 5G network element; the embodiments of the present application do not specifically limit this.
Optionally, the blockchain system, the application server or the authentication server function network element in the embodiments of the present application may also be referred to as a communication apparatus or communication device, which may be a general-purpose device or a dedicated device; the embodiments of the present application do not specifically limit this.
Optionally, the related functions of the blockchain system, the application server or the authentication server function network element in the embodiments of the present application may be implemented by one device, jointly by multiple devices, or by one or more function modules within one device; the embodiments of the present application do not specifically limit this. It can be understood that the above functions may be network elements in hardware devices, software functions running on dedicated hardware, a combination of hardware and software, or virtualized functions instantiated on a platform (for example, a cloud platform).
For example, the related functions of the blockchain system, the application server or the authentication server function network element in the embodiments of the present application may be implemented by the communication device 500 in FIG. 5. FIG. 5 is a schematic structural diagram of the communication device 500 provided by an embodiment of the present application. The communication device 500 includes one or more processors 501, a communication line 502 and at least one communication interface (FIG. 5 shows, merely as an example, one communication interface 504 and one processor 501), and may optionally further include a memory 503.
The processor 501 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the programs of the solution of the present application.
The communication line 502 may include a path for transferring information between the components.
The communication interface 504 may be a transceiver module for communicating with other devices or communication networks, such as Ethernet, a RAN or a wireless local area network (WLAN). For example, the transceiver module may be an apparatus such as a transceiver. Optionally, the communication interface 504 may also be a transceiver circuit located inside the processor 501, used to implement signal input and signal output of the processor.
The memory 503 may be an apparatus with a storage function. For example, it may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and the like), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, without being limited thereto. The memory may exist independently and be connected to the processor through the communication line 502, or may be integrated with the processor.
The memory 503 is used to store computer-executable instructions for executing the solution of the present application, and the processor 501 controls their execution. The processor 501 is configured to execute the computer-executable instructions stored in the memory 503, thereby implementing the authentication method provided in the embodiments of the present application.
Alternatively, optionally, in the embodiments of the present application, the processor 501 may perform the processing-related functions in the authentication methods provided in the following embodiments of the present application, and the communication interface 504 is responsible for communicating with other devices or communication networks; the embodiments of the present application do not specifically limit this.
Optionally, the computer-executable instructions in the embodiments of the present application may also be referred to as application program code; the embodiments of the present application do not specifically limit this.
In a specific implementation, as an embodiment, the processor 501 may include one or more CPUs, for example CPU0 and CPU1 in FIG. 5.
In a specific implementation, as an embodiment, the communication device 500 may include multiple processors, for example the processor 501 and the processor 508 in FIG. 5. Each of these processors may be a single-core processor or a multi-core processor. A processor here may include, but is not limited to, at least one of the following: a central processing unit (CPU), a microprocessor, a digital signal processor (DSP), a microcontroller unit (MCU), an artificial intelligence processor or another kind of computing device that runs software, and each such computing device may include one or more cores for executing software instructions to perform operations or processing.
In a specific implementation, as an embodiment, the communication device 500 may further include an output device 505 and an input device 506. The output device 505 communicates with the processor 501 and may display information in multiple ways. For example, the output device 505 may be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device or a projector. The input device 506 communicates with the processor 501 and may receive user input in multiple ways. For example, the input device 506 may be a mouse, a keyboard, a touch screen device or a sensor device.
The communication device 500 described above may also be referred to as a communication apparatus, and may be a general-purpose device or a dedicated device. For example, the communication device 500 may be a desktop computer, a portable computer, a network server, a personal digital assistant (PDA), a mobile phone, a tablet computer, a wireless terminal device, an embedded device, the terminal device described above, the network device described above, or a device with a structure similar to that in FIG. 5. The embodiments of the present application do not limit the type of the communication device 500.
The authentication method provided by the embodiments of the present application is described below by way of example with reference to the accompanying drawings.
It should be noted that the names of the messages between network elements and the names of the parameters in the messages in the following embodiments of the present application are only examples; other names may be used in specific implementations, and the embodiments of the present application do not specifically limit this.
Taking the communication system shown in FIG. 2 or FIG. 3 applied to the 5G network shown in FIG. 4 as an example, FIG. 6 shows an authentication method provided by an embodiment of the present application, which includes the following steps:
S601. The terminal device sends a registration request to the AMF network element. Correspondingly, the AMF network element receives the registration request from the terminal device. The registration request is used by the terminal device to register with the mobile network. For the parameters carried in the registration request, reference may be made to the prior art, which is not repeated here.
Optionally, the registration request in the embodiments of the present application may further include indication information 1. Indication information 1 indicates that a security operation is to be performed through the blockchain system. In the embodiments of the present application, performing a security operation through the blockchain system includes obtaining, through the blockchain system, a security parameter (such as a security key) for communication between the terminal device and the AF network element corresponding to a third-party application. Optionally, in the embodiments of the present application, performing a security operation through the blockchain system further includes verifying the legitimacy of the terminal device for the third-party application through the blockchain system; this is described here once and is not repeated below.
In one possible implementation, in the embodiments of the present application, the value of a certain information element may indicate that a security operation needs to be performed through the blockchain system. For example, when the value of the information element is "1", it may indicate that a security operation needs to be performed through the blockchain system; alternatively, when the value of the information element is "0", it may indicate that a security operation needs to be performed through the blockchain system.
In another possible implementation, in the embodiments of the present application, the presence of a certain information element may indicate that a security operation needs to be performed through the blockchain system. For example, when the information element is present, it may indicate that a security operation needs to be performed through the blockchain system.
S602. The AMF network element sends an authentication request to the AUSF network element. Correspondingly, the AUSF network element receives the authentication request from the AMF network element.
In the embodiments of the present application, when the registration request in step S601 includes indication information 1, the authentication request in step S602 also includes indication information 1; this is described here once and is not repeated below.
S603. The AUSF network element sends an authentication get request to the UDM network element. Correspondingly, the UDM network element receives the authentication get request from the AUSF network element. The authentication get request is used to request the authentication data of the terminal device.
S604. The UDM network element sends an authentication get response to the AUSF network element. Correspondingly, the AUSF network element receives the authentication get response from the UDM network element. The authentication get response includes the authentication data of the terminal device.
Optionally, in the embodiments of the present application, the authentication get response may include the above indication information 1. Indication information 1 indicates that a security operation is to be performed through the blockchain system. For the implementation of indication information 1, reference may be made to step S601, which is not repeated here.
That is, in the embodiments of the present application, the indication information 1 obtained by the AUSF network element may be sent by the terminal device through the AMF network element, or may be sent by the UDM network element; the embodiments of the present application do not specifically limit this.
S605. The AUSF network element and the terminal device perform mutual authentication and negotiate to generate a key between the terminal device and the AUSF network element (in the embodiments of the present application, the key between the terminal device and the AUSF network element is denoted Kausf); and the AUSF network element allocates to the terminal device a key identifier (KID) corresponding to Kausf.
Optionally, in the embodiments of the present application, during the mutual authentication between the AUSF network element and the terminal device, the terminal device and the AUSF network element may further derive a key from Kausf (in the embodiments of the present application, the key derived from Kausf is denoted Kchain). Exemplarily, deriving the key from Kausf may include generating Kchain from Kausf and the global blockchain identifier of the terminal device. In the embodiments of the present application, the global blockchain identifier of the terminal device uniquely identifies the terminal device in the blockchain system; it may be sent to the AUSF network element by the UDM network element or by the AMF network element, which the embodiments of the present application do not specifically limit. Exemplarily, the global blockchain identifier of the terminal device may be an identifier allocated to the terminal device by the blockchain system, or may be a generic public subscription identifier (GPSI) or a subscription permanent identifier (SUPI). It should be noted that the subsequent steps of the embodiments of the present application are described taking, as an example, the AF network element and the terminal device communicating using a key derived in the mobile network. Because the AF network element and the terminal device can communicate using the key derived in the mobile network before the key for secure communication between the terminal device and the AF network element is obtained, the service security of the terminal device is improved.
Based on steps S601 to S605 above, the terminal device can register with the mobile network. Further, the authentication method provided by the embodiments of the present application may further include the following step S606:
S606. The AUSF network element registers with the blockchain system.
In the embodiments of the present application, the AUSF network element registers the first identifier and Kchain in the blockchain system. The first identifier is used to locate the user context of the terminal device; for example, it may be at least one of the global blockchain identifier of the terminal device and the KID. This is described here once and is not repeated below.
In the embodiments of the present application, the AUSF network element may register with the blockchain system according to indication information 1.
It should be noted that, in the embodiments of the present application, the process in which the AUSF network element registers the first identifier and Kchain in the blockchain system can be understood as the process in which the AUSF network element stores the first identifier and Kchain in the blockchain security processing module of the blockchain system; this is described here once and is not repeated below. For a description of the blockchain security processing module, reference may be made to the preamble of the detailed description, which is not repeated here.
It should be noted that, for security reasons, in the embodiments of the present application, when the AUSF network element registers Kchain in the blockchain system, the AUSF network element needs to encrypt Kchain and send the encrypted Kchain to the blockchain system, and the blockchain security processing module of the blockchain system then stores the encrypted Kchain. In one possible implementation, the AUSF network element encrypts Kchain using the public key allocated by the blockchain system to the blockchain security processing module. Further, when Kchain is subsequently needed, the blockchain security processing module decrypts the encrypted Kchain with the private key corresponding to that public key to obtain Kchain; this is described here once and is not repeated below. Of course, Kchain may also be encrypted, and the encrypted Kchain decrypted, in other ways; the embodiments of the present application do not specifically limit this.
It should be noted that, in the embodiments of the present application, the AUSF network element may interact with the blockchain system directly or through the BCHF network element; the embodiments of the present application do not specifically limit this. When the AUSF network element interacts with the blockchain system through the BCHF network element, the BCHF network element may register its address with the blockchain system so that the blockchain system can subsequently interact with the BCHF network element according to that address; the embodiments of the present application do not specifically limit this. In addition, it should be noted that, in the embodiments of the present application, when the BCHF network element interacts with the blockchain system, the messages may also be forwarded by the NEF network element; the embodiments of the present application do not specifically limit this. The above description also applies to the embodiments shown in FIG. 7 and FIG. 8 below; it is given here once and is not repeated below.
Based on step S606, the AUSF network element can register with the blockchain system. Further, the authentication method provided by the embodiments of the present application further includes a process of performing a security operation through the blockchain system, which includes the following steps:
S607. The terminal device sends a login request to the AF network element. Correspondingly, the AF network element receives the login request from the terminal device. The login request is used to request to log in to the third-party application corresponding to the AF network element.
In the embodiments of the present application, the login request includes the first identifier. Optionally, the login request may further include a parameter and/or a message encrypted with Kchain. In the embodiments of the present application, "a parameter and/or a message encrypted with Kchain" covers three cases: only a parameter encrypted with Kchain is present, only a message encrypted with Kchain is present, or both a parameter and a message encrypted with Kchain are present. This is described here once, applies to all embodiments of the present application, and is not repeated below.
In the embodiments of the present application, the encrypted parameter may be, for example, a random number selected by the terminal device, the first identifier, or a value agreed between the terminal device and the blockchain system; the embodiments of the present application do not specifically limit this. The encrypted message may be, for example, a registration message. For a description of the first identifier, reference may be made to step S606 above, which is not repeated here.
S608. The AF network element sends a validate request 1 to the blockchain system. Correspondingly, the blockchain system receives validate request 1 from the AF network element.
In the embodiments of the present application, validate request 1 includes the first identifier from step S607. Optionally, validate request 1 may further include the parameter and/or message encrypted with Kchain from step S607.
Optionally, validate request 1 may further include the application identifier (APP ID) of the third-party application. The application identifier may be carried in the message body of validate request 1, in the message header of validate request 1, or expressed in the form of a digital signature of the APP; the embodiments of the present application do not specifically limit this.
Optionally, in the embodiments of the present application, when validate request 1 includes the first identifier from step S607 and the parameter and/or message encrypted with Kchain, the authentication method provided by the embodiments of the present application further includes the following step S609:
S609. The blockchain system verifies the legitimacy of the terminal device for the third-party application.
In the embodiments of the present application, the blockchain system may determine the user context of the terminal device according to the first identifier. The blockchain system may then verify the legitimacy of the terminal device for the third-party application according to the user context of the terminal device and the parameter and/or message that the terminal device encrypted with the first key.
Optionally, in the embodiments of the present application, the blockchain system determining the user context of the terminal device according to the first identifier includes: the blockchain system determining, according to the first identifier, the Kchain stored in the blockchain system. In one possible implementation, the blockchain system may determine the user context of the terminal device stored in the blockchain system according to the first identifier and the correspondence between the first identifier and the user context of the terminal device, and may further determine the Kchain in the user context of the terminal device (that is, the Kchain stored in the blockchain system by the AUSF network element). Exemplarily, the blockchain system determining the Kchain in the user context of the terminal device may include: the blockchain system determining Kchain according to the correspondence between the first identifier and Kchain in the user context of the terminal device.
In the embodiments of the present application, the blockchain system verifying the legitimacy of the terminal device for the third-party application according to Kchain and the parameter and/or message that the terminal device encrypted with the first key includes: the blockchain system may use Kchain to decrypt the parameter and/or message that the terminal device sent encrypted with Kchain. When the terminal device sends a parameter encrypted with Kchain but no message encrypted with Kchain, the terminal device is considered legitimate if the decrypted parameter conforms to the parameter format or value preconfigured in the blockchain system for interaction between the terminal device and the blockchain system, or if the decrypted parameter conforms to the parameter agreed between the terminal device and the blockchain system. When the terminal device sends a message encrypted with Kchain but no parameter encrypted with Kchain, the terminal device is considered legitimate if the format of the decrypted message conforms to the message format preconfigured in the blockchain system for interaction between the terminal device and the blockchain system. When the terminal device sends both a message and a parameter encrypted with Kchain, the terminal device is considered legitimate if the format of the decrypted message conforms to the message format preconfigured in the blockchain system for interaction between the terminal device and the blockchain system, and the decrypted parameter conforms to the parameter format or value preconfigured in the blockchain system for interaction between the terminal device and the blockchain system, or to the parameter agreed between the terminal device and the blockchain system.
Exemplarily, taking the APP ID as the parameter agreed between the terminal device and the blockchain system, after decrypting the Kchain-encrypted parameter sent by the terminal device, the blockchain system determines whether the decrypted parameter is consistent with the APP ID sent by the AF network element; if it is consistent, the terminal device is considered legitimate, and if not, the terminal device is considered illegitimate. In one possible implementation, the terminal device may obtain the APP ID through a domain name system (DNS) query; of course, the terminal device may also obtain the APP ID in other ways, which the embodiments of the present application do not specifically limit.
Further, in the embodiments of the present application, after the blockchain system receives validate request 1 from the AF network element, it needs to provide a security key for the communication between the terminal device and the AF network element corresponding to the third-party application, which includes the following steps:
S610、区块链系统根据Kchain生成用于终端设备和AF网元安全通信的密钥(本申请实施例中用于终端设备和AF网元安全通信的密钥记作Kapp)。S610, the blockchain system generates a key for secure communication between the terminal device and the AF network element according to Kchain (in this embodiment of the present application, the key for the secure communication between the terminal device and the AF network element is denoted as Kapp).
其中,本申请实施例中,区块链系统可以根据第一标识确定相应的用户上下文。该用户上下文中包括AUSF网元在区块链系统中存储的Kchain。Wherein, in this embodiment of the present application, the blockchain system may determine the corresponding user context according to the first identifier. The user context includes the Kchain stored by the AUSF network element in the blockchain system.
可选的,若本申请实施例执行上述步骤S609,则在区块链系统验证终端设备合法后,区块链系统根据Kchain生成Kapp。否则,若区块链系统验证终端设备不合法,则可以终止终端设备访问第三方应用的流程。基于该方案,可以在终端设备访问第三方应用不合法时,及时终止访问流程,避免了终端设备访问第三方应用不合法时,区 块链系统仍然生成Kapp并向AF网元下发Kapp所造成的资源消耗与信令浪费。Optionally, if the above step S609 is performed in this embodiment of the present application, after the blockchain system verifies that the terminal device is legal, the blockchain system generates Kapp according to Kchain. Otherwise, if the blockchain system verifies that the terminal device is illegal, the process of accessing the third-party application by the terminal device can be terminated. Based on this solution, the access process can be terminated in time when the terminal device is illegal to access the third-party application, which avoids the block chain system still generating Kapp and delivering the Kapp to the AF network element when the terminal device is illegal to access the third-party application. resource consumption and signaling waste.
可选的,本申请实施例中,当验证请求1包括APP ID时,区块链系统还可以将APP ID作为生成Kapp的输入参数之一,本申请实施例对此不做具体限定。Optionally, in the embodiment of the present application, when the verification request 1 includes the APP ID, the blockchain system may also use the APP ID as one of the input parameters for generating Kapp, which is not specifically limited in the embodiment of the present application.
可选的,本申请实施例中,区块链系统还可以将第一标识作为生成Kapp的输入参数之一,本申请实施例对此不做具体限定。Optionally, in the embodiment of the present application, the blockchain system may also use the first identifier as one of the input parameters for generating Kapp, which is not specifically limited in the embodiment of the present application.
可选的,本申请实施例中,在终端设备发送使用Kchain加密的参数的情况下,区块链系统还可以将解密后的参数作为生成Kapp的输入参数之一,本申请实施例对此不做具体限定。由于解密后的参数例如可以包括终端设备选择的随机数,而随机数具有随机性,因此基于该随机数生成的Kapp也更具灵活性,不容易被攻击者攻击,从而进一步保证了终端设备与AF网元之间的安全通信。Optionally, in this embodiment of the present application, when the terminal device sends parameters encrypted by Kchain, the blockchain system may also use the decrypted parameter as one of the input parameters for generating Kapp, which is not the case in this embodiment of the present application. Make specific restrictions. Since the decrypted parameters can include, for example, a random number selected by the terminal device, and the random number is random, the Kapp generated based on the random number is also more flexible and is not easily attacked by attackers, thereby further ensuring that the terminal device can communicate with Secure communication between AF network elements.
S611. The blockchain system sends a verification response (validate response) 1 to the AF network element. Correspondingly, the AF network element receives verification response 1 from the blockchain system.
Verification response 1 includes the above Kapp. Optionally, verification response 1 may further include the validity period of Kapp. When the validity period of Kapp ends, the terminal device and the AF network element may initiate a Kapp renegotiation procedure so that the AF network element obtains a Kapp through the blockchain system again; for the specific procedure, reference may be made to the above embodiment, and details are not repeated here.
Optionally, in this embodiment of the present application, when verification request 1 includes parameters and/or messages encrypted with Kchain, verification response 1 may further include the parameters and/or messages decrypted with Kchain; these decrypted parameters and/or messages are used for the subsequent verification of the network's security, which is not specifically limited in this embodiment of the present application.
S612. The AF network element sends a login response to the terminal device. Correspondingly, the terminal device receives the login response from the AF network element.
In this embodiment of the present application, when the login request includes a message encrypted with Kchain, such as a registration request, the login response may include a registration accept message obtained according to the registration request decrypted with Kchain. Optionally, when verification response 1 includes the validity period of Kapp, the registration accept message may include the validity period of Kapp.
Optionally, in this embodiment of the present application, when the login request includes parameters encrypted with Kchain, the login response may include the parameters decrypted with Kchain. After receiving the login response, the terminal device can read the Kchain-decrypted parameters included in it and compare them with the unencrypted parameters it held before sending the login request to the AF network element; if the two are consistent, the terminal device's verification of the network side is considered passed (that is, the terminal device confirms that the network is secure).
Optionally, in this embodiment of the present application, the messages or parameters in the login response may be encrypted with Kapp, so as to ensure secure communication between the terminal device and the AF network element.
In this embodiment of the present application, after the terminal device receives the login response, it may use a locally generated Kapp to encrypt key information in subsequent information exchanges with the AF network element. The manner in which the terminal device generates Kapp is the same as the manner in which the blockchain system generates Kapp, and is not repeated here. In addition, it should be noted that if step S609 above is not performed in this embodiment of the present application (that is, the blockchain system does not use Kchain to verify the legitimacy of the terminal device for the third-party application), the legitimacy of the terminal device can also be verified through the subsequent procedure. For example, since Kapp is derived from Kchain, if the terminal device is legitimate it can obtain the correct Kchain, so the Kapp generated by the terminal device is the same as the Kapp obtained by the AF network element, and subsequent secure communication between the terminal device and the AF network element using Kapp succeeds. Conversely, if the terminal device is illegitimate it cannot obtain the correct Kchain, so the Kapp it generates differs from the Kapp obtained by the AF network element, and subsequent secure communication between the terminal device and the AF network element using Kapp fails, which protects the interests of legitimate terminal devices.
Optionally, in this embodiment of the present application, when the login response does not include the parameters decrypted with Kchain, since both the terminal device and the AF network element can subsequently encrypt information with Kapp, the terminal device may also verify whether the network side is legitimate through subsequent message exchanges, which is not specifically limited in this embodiment of the present application.
Compared with the existing AKMA solution, in which the application-side AApF network element must be configured one by one with the interfaces and interface addresses of the AAuF network elements in different networks, the embodiment of the present application lets the blockchain system provide a unified cross-domain authentication interface through which the AF network element interacts with the blockchain system and performs security operations, such as providing a security key for communication between the terminal device and the AF network element corresponding to the third-party application and verifying the legitimacy of the terminal device for the third-party application. This not only simplifies the configuration of the third-party application, but also avoids the need for the third-party application provider to negotiate with each operator one by one and to deploy network elements and plan routes, thereby improving the efficiency of the third-party application provider.
The actions of the AUSF network element, the AF network element or the blockchain system in steps S601 to S612 above may be performed by the processor 501 in the communication device 500 shown in FIG. 5 calling the application program code stored in the memory 503 to instruct the AUSF network element, the AF network element or the blockchain system to perform them; this embodiment imposes no restriction on this.
Optionally, taking the communication system shown in FIG. 2 or FIG. 3 applied to the 5G network shown in FIG. 4 as an example, FIG. 7 shows an authentication method provided by an embodiment of the present application, which includes the following steps:
S701 to S705 are the same as steps S601 to S605 in the embodiment shown in FIG. 6; for the related description, reference may be made to the embodiment shown in FIG. 6, and details are not repeated here.
Based on steps S701 to S705 above, the terminal device can register with the mobile network. Further, the authentication method provided by this embodiment of the present application may also include the following step S706:
S706. The AUSF network element registers with the blockchain system.
In this embodiment of the present application, the AUSF network element may register with the blockchain system according to indication information 1.
In one possible implementation, in this embodiment of the present application, when the AUSF network element registers with the blockchain system, it may register the first identifier and Kchain.
In another possible implementation, where the AUSF network element can obtain Kchain, the AUSF network element may, when registering with the blockchain system, register the address of the AUSF network element, the first identifier and Kchain. It should be noted that, in this embodiment of the present application, the process of the AUSF network element registering the first identifier and Kchain with the blockchain system can be understood as the AUSF network element storing the first identifier and Kchain in the blockchain security processing module of the blockchain system; likewise, the process of the AUSF network element registering its address, the first identifier and Kchain with the blockchain system can be understood as the AUSF network element storing its address, the first identifier and Kchain in the blockchain security processing module of the blockchain system. This is explained here once and not repeated below.
It should be noted that, for security reasons, in this embodiment of the present application, when the AUSF network element registers Kchain with the blockchain system, the AUSF network element needs to encrypt Kchain and send the encrypted Kchain to the blockchain system, and the blockchain security processing module of the blockchain system then stores the encrypted Kchain. For the related implementation, reference may be made to step S606 in the embodiment shown in FIG. 6, and details are not repeated here.
Based on step S706, the AUSF network element can be registered with the blockchain system. Further, the authentication method provided by this embodiment of the present application also includes a process of performing security operations through the blockchain system, which includes the following steps:
S707. The terminal device sends a login request to the AF network element. Correspondingly, the AF network element receives the login request from the terminal device. The login request is used to request login to the third-party application corresponding to the AF network element.
In this embodiment of the present application, the login request includes the first identifier and parameters and/or messages encrypted with Kchain. The encrypted parameter may be, for example, a random number selected by the terminal device, the first identifier, or a value agreed between the terminal device and the blockchain system, which is not specifically limited in this embodiment of the present application. The encrypted message may be, for example, a registration message. For the description of the first identifier, reference may be made to step S606 in the embodiment shown in FIG. 6, and details are not repeated here.
S708. The AF network element sends a verification request (validate request) 1 to the blockchain system. Correspondingly, the blockchain system receives verification request 1 from the AF network element.
In this embodiment of the present application, verification request 1 includes the first identifier from step S607 and the parameters and/or messages encrypted with Kchain.
Optionally, verification request 1 may further include the application identifier (APP ID) of the third-party application. The application identifier may be carried in the message body of verification request 1, in the message header of verification request 1, or expressed in the form of a digital signature of the APP, which is not specifically limited in this embodiment of the present application.
S709. The blockchain system verifies the legitimacy of the terminal device for the third-party application.
For the specific implementation of step S709, reference may be made to step S609 in the embodiment shown in FIG. 6, and details are not repeated here.
S710. After the blockchain system verifies that the terminal device is legitimate, the blockchain system sends verification request 2 to the AUSF network element. Correspondingly, the AUSF network element receives verification request 2 from the blockchain system.
Verification request 2 includes the first identifier. Optionally, verification request 2 may further include the application identifier (APP ID) of the third-party application. Optionally, verification request 2 may further include the parameters and/or messages encrypted with Kchain that were sent by the terminal device, which is not specifically limited in this embodiment of the present application.
In one possible implementation, in this embodiment of the present application, if the AUSF network element has registered the address of the AUSF network element with the blockchain system, the blockchain system may, before sending verification request 2 to the AUSF network element, determine the corresponding user context according to the first identifier. The user context includes the address that the AUSF network element registered with the blockchain system, and the blockchain system can then determine the corresponding AUSF network element according to that address.
In another possible implementation, in this embodiment of the present application, if the AUSF network element has not registered its address with the blockchain system, the login request and verification request 1 in this embodiment may further include the network identifier of the network serving the terminal device. Before sending verification request 2 to the AUSF network element, the blockchain system may then determine the AUSF network element serving the terminal device according to that network identifier, which is not specifically limited in this embodiment of the present application. For example, the network identifier in this embodiment may be a public land mobile network (PLMN) identifier or a domain name (such as CMCC.com), which is not specifically limited in this embodiment of the present application. In addition, it should be noted that the network identifier in this embodiment may be an independent information element or information included in another information element, which is not specifically limited in this embodiment of the present application.
It should be noted that, in this embodiment of the present application, the blockchain system may interact with the AUSF network element directly or through the BCHF network element, which is not specifically limited in this embodiment of the present application. The two implementations above are both described by taking the blockchain system addressing the AUSF network element as an example. Of course, if the blockchain system interacts with the AUSF network element through the BCHF network element, the blockchain system may also address the BCHF network element in a similar manner, and details are not repeated here.
S711. The AUSF network element generates, according to Kchain or Kausf, a key for secure communication between the terminal device and the AF network element (in this embodiment of the present application, the key for secure communication between the terminal device and the AF network element is denoted Kapp).
In this embodiment of the present application, the blockchain system may determine the corresponding user context according to the first identifier. The user context includes the Kchain or Kausf generated by the AUSF network element.
Optionally, in this embodiment of the present application, when verification request 1 includes the APP ID, the AUSF network element may also use the APP ID as one of the input parameters for generating Kapp, which is not specifically limited in this embodiment of the present application.
Optionally, in this embodiment of the present application, the AUSF network element may also use the first identifier as one of the input parameters for generating Kapp, which is not specifically limited in this embodiment of the present application.
Optionally, in this embodiment of the present application, when the terminal device sends parameters encrypted with Kchain, the AUSF network element may also use the decrypted parameters as one of the input parameters for generating Kapp, which is not specifically limited in this embodiment of the present application. Since the decrypted parameters may include, for example, a random number selected by the terminal device, and a random number is by nature unpredictable, a Kapp generated from that random number is more flexible and not easily attacked by an attacker, which further ensures secure communication between the terminal device and the AF network element.
S712. The AUSF network element sends verification response 2 to the blockchain system. Correspondingly, the blockchain system receives verification response 2 from the AUSF network element. Verification response 2 includes Kapp. Optionally, verification response 2 may further include the validity period of Kapp. When the validity period of Kapp ends, the terminal device and the AF network element may initiate a Kapp renegotiation procedure so that the AF network element obtains a Kapp through the blockchain system again; for the specific procedure, reference may be made to the above embodiment, and details are not repeated here.
Optionally, in this embodiment of the present application, when verification request 2 includes parameters and/or messages encrypted with Kchain, verification response 2 may further include the parameters and/or messages decrypted with Kchain; these decrypted parameters and/or messages are used for the subsequent verification of the network's security, which is not specifically limited in this embodiment of the present application.
S713. The blockchain system sends verification response 1 to the AF network element. Correspondingly, the AF network element receives verification response 1 from the blockchain system. Verification response 1 includes the parameters from verification response 2 in step S712, such as Kapp, the validity period of Kapp (optional), and the parameters and/or messages decrypted with Kchain (optional).
Of course, in this embodiment of the present application, if verification request 2 does not include the parameters and/or messages encrypted with Kchain, verification response 1 may still include the parameters and/or messages decrypted with Kchain; these decrypted parameters and/or messages are used for the subsequent verification of the network's security, which is not specifically limited in this embodiment of the present application.
S714. The AF network element sends a login response to the terminal device. Correspondingly, the terminal device receives the login response from the AF network element.
For the specific implementation of step S714, reference may be made to step S612 in the embodiment shown in FIG. 6, and details are not repeated here.
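As an added example that is not part of the patent: a stand-alone Python model of the FIG. 6 flow (S607 to S612), which also covers the FIG. 7 variant (S709 to S714), where the AUSF network element rather than the blockchain system derives Kapp from the same inputs. The cipher (an HMAC-based encrypt-then-MAC), the HMAC-SHA256 KDF, the length-prefixed parameter layout, the validity period and the sample identifier and APP ID values are all assumptions, since the patent specifies none of them.

```python
# Added example (not the patent's code): terminal, blockchain system and AF as functions.
# Cipher, KDF, parameter layout, identifiers and APP ID values below are all assumptions.
import hashlib
import hmac
import secrets
from typing import Optional


def kdf(key: bytes, label: bytes, *inputs: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA256 keyed with the parent key over a label and length-prefixed inputs."""
    h = hmac.new(key, label, hashlib.sha256)
    for x in inputs:
        h.update(len(x).to_bytes(2, "big") + x)
    return h.digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(kchain: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under keys derived from Kchain (toy stand-in for a real AEAD)."""
    enc_key, mac_key = kdf(kchain, b"enc"), kdf(kchain, b"mac")
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_(kchain: bytes, blob: bytes) -> Optional[bytes]:
    """Plaintext, or None when the blob was not sealed under this Kchain (tag check fails)."""
    enc_key, mac_key = kdf(kchain, b"enc"), kdf(kchain, b"mac")
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def derive_kapp(kchain: bytes, app_id: bytes, first_id: bytes, rand: bytes) -> bytes:
    """S610/S711: Kapp from Kchain, with APP ID, first identifier and the decrypted random as inputs."""
    return kdf(kchain, b"Kapp", app_id, first_id, rand)


def terminal_login_request(kchain: bytes, first_id: bytes, app_id: bytes):
    """S607: the agreed parameter (APP ID) plus a terminal-chosen random, sealed under Kchain."""
    params = bytes([len(app_id)]) + app_id + secrets.token_bytes(16)
    return {"first_id": first_id, "enc_params": seal(kchain, params)}, params


def blockchain_validate(user_ctx: dict, req: dict, af_app_id: bytes,
                        verify_terminal: bool = True) -> Optional[dict]:
    """S609/S610: find the user context by first identifier, check the terminal, derive Kapp.
    verify_terminal=False models the variant in which S609 is skipped."""
    ctx = user_ctx.get(req["first_id"])
    if ctx is None:
        return None
    rand, dec = b"", None
    if verify_terminal:
        dec = open_(ctx["kchain"], req["enc_params"])
        if dec is None:                      # not sealed under this user's Kchain: illegitimate
            return None
        n = dec[0]
        if dec[1:1 + n] != af_app_id:        # agreed parameter differs from the APP ID the AF sent
            return None
        rand = dec[1 + n:]
    kapp = derive_kapp(ctx["kchain"], af_app_id, req["first_id"], rand)
    return {"kapp": kapp, "validity_s": 3600, "dec_params": dec}   # validity period is assumed


def terminal_on_login_response(kchain: bytes, first_id: bytes, app_id: bytes,
                               sent_params: bytes, resp: dict) -> Optional[bytes]:
    """S612 at the terminal: confirm the network echoed our plaintext, then derive Kapp locally."""
    dec = resp.get("dec_params")
    if dec is not None and dec != sent_params:
        return None                          # network-side verification failed
    rand = sent_params[1 + sent_params[0]:] if dec is not None else b""
    return derive_kapp(kchain, app_id, first_id, rand)


def run_flow(terminal_kchain: bytes, registered_kchain: bytes, app_id: bytes,
             af_app_id: bytes, verify_terminal: bool = True) -> dict:
    """One login attempt end to end; 'legal' is the blockchain system's verdict in S609."""
    first_id = b"first-id-0001"                               # constructed sample identifier
    user_ctx = {first_id: {"kchain": registered_kchain}}      # stored by the AUSF in S606
    req, sent = terminal_login_request(terminal_kchain, first_id, app_id)
    resp = blockchain_validate(user_ctx, req, af_app_id, verify_terminal)   # S608 to S611
    if resp is None:
        return {"legal": False}
    t_kapp = terminal_on_login_response(terminal_kchain, first_id, app_id, sent,
                                        {"dec_params": resp["dec_params"]})
    return {"legal": True, "af_kapp": resp["kapp"], "terminal_kapp": t_kapp}
```

Running run_flow with a terminal that holds the wrong Kchain and verify_terminal=False shows the fallback the text describes: the blockchain system still hands the AF a Kapp, but it never matches the terminal's, so the later Kapp-protected exchange fails.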
Compared with the existing AKMA solution, in which the application-side AApF network element must be configured one by one with the interfaces and interface addresses of the AAuF network elements in different networks, the embodiment of the present application lets the blockchain system provide a unified cross-domain authentication interface through which the AF network element interacts with the blockchain system and performs security operations, such as providing a security key for communication between the terminal device and the AF network element corresponding to the third-party application and verifying the legitimacy of the terminal device for the third-party application. This not only simplifies the configuration of the third-party application, but also avoids the need for the third-party application provider to negotiate with each operator one by one and to deploy network elements and plan routes, thereby improving the efficiency of the third-party application provider. In addition, in this embodiment of the present application, the blockchain system verifies the legitimacy of the terminal device for the third-party application, so that when the terminal device's access to the third-party application is illegitimate the access procedure can be terminated promptly, which avoids the resource consumption and signaling waste that would be caused by the AUSF network element still generating Kapp and sending it to the AF network element through the blockchain system in that case.
The actions of the AUSF network element, the AF network element or the blockchain system in steps S701 to S714 above may be performed by the processor 501 in the communication device 500 shown in FIG. 5 calling the application program code stored in the memory 503 to instruct the AUSF network element, the AF network element or the blockchain system to perform them; this embodiment imposes no restriction on this.
可选的,以图2或图3所示的通信系统应用于如图4所示的5G网络为例,如图8所示,为本申请实施例提供的一种认证方法,该方法包括如下步骤:Optionally, taking the communication system shown in FIG. 2 or FIG. 3 applied to the 5G network shown in FIG. 4 as an example, as shown in FIG. 8 , an authentication method is provided in this embodiment of the application, and the method includes the following: step:
S801-S805、同图6所示的实施例中的步骤S601-S605,相关描述可参考图6所示的实施例,在此不再赘述。S801-S805 are the same as steps S601-S605 in the embodiment shown in FIG. 6 , and the related description may refer to the embodiment shown in FIG. 6 , which will not be repeated here.
基于上述步骤S801-S805,终端设备可以注册到移动网络。进一步的,可选的,本申请实施例提供的认证方法还可以包括如下步骤S806:Based on the above steps S801-S805, the terminal device may register with the mobile network. Further, optionally, the authentication method provided in this embodiment of the present application may further include the following step S806:
S806、AUSF网元在区块链系统注册。S806, the AUSF network element is registered in the blockchain system.
本申请实施例中,AUSF网元在区块链系统注册第一标识和AUSF网元的地址。第一标识的描述可参考图6所示的实施例中的步骤S606,在此不再赘述。In the embodiment of the present application, the AUSF network element registers the first identifier and the address of the AUSF network element in the blockchain system. For the description of the first identifier, reference may be made to step S606 in the embodiment shown in FIG. 6 , and details are not repeated here.
In this embodiment of the application, the AUSF network element may register with the blockchain system according to indication information 1.
It should be noted that, in the embodiments of this application, the process in which the AUSF network element registers the first identifier and the address of the AUSF network element with the blockchain system can be understood as the process in which the AUSF network element stores the first identifier and its address in the blockchain security processing module of the blockchain system. This is stated here once and is not repeated below.
Based on step S806, the AUSF network element can register with the blockchain system. Further, the authentication method provided by this embodiment also includes a process of performing a secure operation through the blockchain system, comprising the following steps:
S807-S808: the same as steps S607-S608 in the embodiment shown in FIG. 6; for the related description refer to the embodiment shown in FIG. 6, which is not repeated here.
S809: The blockchain system sends verification request 2 to the AUSF network element. Correspondingly, the AUSF network element receives verification request 2 from the blockchain system. Verification request 2 carries the parameters of verification request 1 from step S808, such as the first identifier and, optionally, the parameter and/or message encrypted with Kchain.
Optionally, verification request 2 may further include the application identifier (APP ID) of the third-party application.
In this embodiment, if step S806 above is performed, that is, the AUSF network element registers its address with the blockchain system, then before sending verification request 2 to the AUSF network element the blockchain system may determine the corresponding user context according to the first identifier. That user context includes the address of the AUSF network element as registered by the AUSF network element with the blockchain system. The blockchain system can then determine the corresponding AUSF network element from that address.
In this embodiment, if step S806 above is not performed, the login request and verification request 1 may additionally carry the network identifier of the network serving the terminal device. Then, before sending verification request 2 to the AUSF network element, the blockchain system may determine the AUSF network element serving the terminal device according to that network identifier. For the related description refer to step S710 in the embodiment shown in FIG. 7, which is not repeated here.
S810: The AUSF network element generates, from Kchain or Kausf, a key for secure communication between the terminal device and the AF network element (in the embodiments of this application the key for secure communication between the terminal device and the AF network element is denoted Kapp).
In this embodiment, the AUSF network element may determine the corresponding user context according to the first identifier; that user context includes the Kchain or Kausf generated by the AUSF network element.
Optionally, in this embodiment, when verification request 1 includes the APP ID, the AUSF network element may also use the APP ID as one of the input parameters for generating Kapp; this embodiment does not specifically limit this.
Optionally, in this embodiment, the AUSF network element may also use the first identifier as one of the input parameters for generating Kapp; this embodiment does not specifically limit this.
Optionally, in this embodiment, when the terminal device sends a parameter encrypted with Kchain, the AUSF network element may also use the decrypted parameter as one of the input parameters for generating Kapp; this embodiment does not specifically limit this. Since the decrypted parameter may include, for example, a random number chosen by the terminal device, and that random number is unpredictable, a Kapp generated from it differs from request to request and is harder for an attacker to attack, which further secures the communication between the terminal device and the AF network element.
Optionally, in this embodiment, when the terminal device sends a parameter and/or message encrypted with Kchain and verification request 2 includes that encrypted parameter and/or message, the AUSF network element may also verify the legitimacy of the terminal device on behalf of the third-party application. After the AUSF network element has verified that the terminal device is legitimate, it generates Kapp from Kchain or Kausf; if the AUSF network element finds the terminal device illegitimate, it may terminate the procedure in which the terminal device accesses the third-party application. With this scheme, the access procedure is terminated promptly when the terminal device's access to the third-party application is illegitimate, avoiding the resource consumption and signalling waste that would result if the AUSF network element still generated Kapp and delivered it to the AF network element through the blockchain system despite the access being illegitimate.
In this embodiment, the AUSF network element may verify the legitimacy of the terminal device for the third-party application as follows, for example: the AUSF network element determines the user context of the terminal device according to the first identifier, and then verifies the legitimacy of the terminal device for the third-party application according to that user context and the parameter and/or message the terminal device encrypted with the first key.
Optionally, in this embodiment, the AUSF network element determining the user context of the terminal device according to the first identifier includes: the AUSF network element determining, according to the first identifier, the Kchain stored in the AUSF network element. In one possible implementation, the AUSF network element determines the terminal device's user context stored in the AUSF network element according to the first identifier and the correspondence between the first identifier and the user context of the terminal device, and then determines the Kchain in that user context. For example, the AUSF network element may determine Kchain according to the correspondence between the first identifier and Kchain in the user context of the terminal device.
In this embodiment, the AUSF network element verifying the legitimacy of the terminal device for the third-party application according to Kchain and the parameter and/or message the terminal device encrypted with the first key includes: the AUSF network element decrypts, with Kchain, the parameter and/or message that the terminal device sent encrypted with Kchain. Where the terminal device sent a Kchain-encrypted parameter but no Kchain-encrypted message, the terminal device is considered legitimate if the decrypted parameter conforms to the preconfigured format or value of the parameters exchanged between the terminal device and the AUSF network element, or matches a parameter agreed between the terminal device and the AUSF network element. Where the terminal device sent a Kchain-encrypted message but no Kchain-encrypted parameter, the terminal device is considered legitimate if the format of the decrypted message conforms to the preconfigured format of the messages exchanged between the terminal device and the AUSF network element. Where the terminal device sent both a Kchain-encrypted message and a Kchain-encrypted parameter, the terminal device is considered legitimate if the format of the decrypted message conforms to the preconfigured message format exchanged between the terminal device and the AUSF network element, and the decrypted parameter conforms to the preconfigured parameter format or value exchanged between them or matches a parameter agreed between the terminal device and the AUSF network element.
For example, taking the parameter agreed between the terminal device and the AUSF network element to be the APP ID: after decrypting the Kchain-encrypted parameter sent by the terminal device, the AUSF network element determines whether the decrypted parameter is identical to the APP ID sent by the AF network element; if it is, the terminal device is considered legitimate, otherwise it is considered illegitimate. In one possible implementation the terminal device obtains the APP ID through a DNS query; of course, the terminal device may also obtain the APP ID in other ways, which this embodiment does not specifically limit.
S811-S813: the same as steps S712-S714 in the embodiment shown in FIG. 7; for the related description refer to the embodiment shown in FIG. 7, which is not repeated here.
It should be noted that if, in this embodiment, the AUSF network element does not verify the legitimacy of the terminal device for the third-party application, the legitimacy of the terminal device can still be verified by the subsequent procedure. For example, since Kapp is derived from Kchain, a legitimate terminal device can obtain the correct Kchain, so the Kapp it generates is the same as the Kapp obtained by the AF network element, and the subsequent secure communication between the terminal device and the AF network element using Kapp succeeds. Conversely, an illegitimate terminal device cannot obtain the correct Kchain, so the Kapp it generates differs from the Kapp obtained by the AF network element, and the subsequent secure communication between the terminal device and the AF network element using Kapp fails, which protects the interests of legitimate terminal devices.
Compared with the existing AKMA scheme, in which the application-side AApF network element must be configured one by one with the interfaces and interface addresses of the AAuF network elements in different networks, the embodiments of this application let the blockchain system provide a unified cross-domain authentication interface through which the AF network element interacts with the blockchain system and performs secure operations, such as obtaining a security key for the communication between the AF network element corresponding to the third-party application and the terminal device, or verifying the legitimacy of the terminal device for the third-party application. This not only simplifies the configuration of third-party applications but also avoids the need for each third-party application provider to negotiate with each operator and to deploy network elements and plan routes, improving the efficiency of third-party application providers.
The actions of the AUSF network element, the AF network element or the blockchain system in steps S801 to S813 above may be performed by the processor 501 in the communication device 500 shown in FIG. 5 invoking application program code stored in the memory 503 to instruct the AUSF network element, the AF network element or the blockchain system; this embodiment places no restriction on this.
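The following Python is an added example and is not code from the patent. It models step S810 and the note above: the Kausf to Kchain to Kapp derivation, a terminal-device parameter "encrypted with Kchain" that carries the APP ID and a random number, the AUSF-side check that the carried APP ID equals the one the AF network element sent, and the fallback in which the optional check is skipped and a terminal device holding the wrong Kchain simply ends up with a Kapp that does not match the AF's. The same functions describe the blockchain system doing the check and derivation itself in steps S903 and S1003. The key derivation function (HKDF-style over SHA-256), the 32-byte key sizes, the encrypt-then-MAC stand-in for the cipher and the wire format "APP ID || 16-byte random number" are all assumptions; the patent fixes none of them.

```python
# Added example, not from the patent: step S810 modelled with the Python standard
# library. KDF, key sizes, cipher stand-in and the "APP ID || 16-byte random number"
# wire format are assumptions; the patent specifies none of them.
import hashlib
import hmac
import secrets
from typing import Dict, Optional

NONCE_LEN = 16      # constructed wire format: APP ID || 16-byte UE random number
TAG_LEN = 32        # HMAC-SHA256 tag of the stand-in cipher
IV_LEN = 12         # per-message IV of the stand-in cipher


def kdf(key: bytes, label: bytes, *inputs: bytes) -> bytes:
    """HKDF-style derivation (RFC 5869 with SHA-256, one output block): extract
    with an all-zero salt, then expand over a label and length-prefixed inputs."""
    prk = hmac.new(b"\x00" * 32, key, hashlib.sha256).digest()
    info = label + b"".join(len(x).to_bytes(2, "big") + x for x in inputs)
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def derive_kchain(kausf: bytes, first_id: bytes) -> bytes:
    """Kchain (the first key) is derived from Kausf (the second key)."""
    return kdf(kausf, b"Kchain", first_id)


def derive_kapp(kchain: bytes, app_id: bytes, first_id: bytes, ue_nonce: bytes = b"") -> bytes:
    """Kapp for UE<->AF traffic. APP ID, first identifier and the decrypted UE
    random number are the optional extra inputs that S810 allows."""
    return kdf(kchain, b"Kapp", app_id, first_id, ue_nonce)


def _keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(enc_key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def protect(kchain: bytes, plaintext: bytes, iv: Optional[bytes] = None) -> bytes:
    """'Parameter encrypted with Kchain': encrypt-then-MAC under keys derived from
    Kchain. A real deployment would use an AEAD such as AES-GCM instead."""
    enc_key, mac_key = kdf(kchain, b"enc"), kdf(kchain, b"mac")
    iv = iv or secrets.token_bytes(IV_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, iv, len(plaintext))))
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def unprotect(kchain: bytes, blob: bytes) -> Optional[bytes]:
    """Plaintext, or None when the tag fails under this Kchain (wrong key or tampering)."""
    if len(blob) < IV_LEN + TAG_LEN:
        return None
    enc_key, mac_key = kdf(kchain, b"enc"), kdf(kchain, b"mac")
    iv, ct, tag = blob[:IV_LEN], blob[IV_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, iv, len(ct))))


def ue_build_request(kchain: bytes, app_id: bytes, nonce: Optional[bytes] = None):
    """UE side: pick a random number, encrypt 'APP ID || random' under Kchain and
    keep the random number so the UE can later derive the same Kapp."""
    nonce = nonce or secrets.token_bytes(NONCE_LEN)
    return protect(kchain, app_id + nonce), nonce


def ausf_verify_and_derive(user_contexts: Dict[bytes, Dict[str, bytes]], first_id: bytes,
                           app_id_from_af: bytes, protected_param: bytes,
                           verify: bool = True) -> Optional[bytes]:
    """AUSF side of S810 (the blockchain system runs the same logic in S903/S1003).
    Look up the user context by the first identifier; with verify=True decrypt the
    UE parameter with the stored Kchain, require the carried APP ID to equal the one
    the AF sent, and only then derive Kapp (mixing in the UE random number).
    With verify=False the optional check is skipped and Kapp is derived from the
    stored Kchain alone, which is the fallback the patent describes."""
    ctx = user_contexts.get(first_id)
    if ctx is None:
        return None                                  # unknown first identifier
    kchain = ctx["Kchain"]
    if not verify:
        return derive_kapp(kchain, app_id_from_af, first_id)
    plain = unprotect(kchain, protected_param)
    if plain is None or len(plain) <= NONCE_LEN:
        return None                                  # wrong Kchain or malformed parameter
    carried_app_id, ue_nonce = plain[:-NONCE_LEN], plain[-NONCE_LEN:]
    if not hmac.compare_digest(carried_app_id, app_id_from_af):
        return None                                  # UE not legitimate for this APP ID
    return derive_kapp(kchain, app_id_from_af, first_id, ue_nonce)
```

Two points the code makes explicit. First, because the stand-in cipher is authenticated, a terminal device holding the wrong Kchain is rejected by the tag check before any format or value comparison runs; with an unauthenticated cipher the AUSF would be relying on the format/APP ID check alone to tell a wrong key from a right one. Second, with `verify=False` the AUSF still derives a valid Kapp from its stored Kchain, so an illegitimate terminal device is only caught later, when its own (different) Kapp fails to protect traffic to the AF, exactly the fallback the note above describes.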
As shown in FIG. 9, an authentication method provided by an embodiment of this application includes the following steps:
S901: The blockchain system receives a first message from an application server, the first message including a first identifier and a parameter and/or message encrypted by the terminal device with a first key.
For example, the application server in this embodiment may be the AF network element in the embodiment shown in FIG. 6 or FIG. 7, and the blockchain system in this embodiment may be the blockchain system in the embodiment shown in FIG. 6 or FIG. 7.
For example, the first message in this embodiment may be verification request 1 in step S608 of the embodiment shown in FIG. 6; or the first message may be verification request 2 in step S708 of the embodiment shown in FIG. 7.
S902: The blockchain system determines the user context of the terminal device according to the first identifier.
S903: The blockchain system verifies the legitimacy of the terminal device for the third-party application corresponding to the application server, according to the user context of the terminal device and the parameter and/or message the terminal device encrypted with the first key.
For example, for the specific implementation of steps S902-S903 refer to step S609 in the embodiment shown in FIG. 6 or step S709 in the embodiment shown in FIG. 7, which is not repeated here.
On the one hand, in this embodiment the blockchain system verifies the legitimacy of the terminal device for the third-party application, so that when the terminal device's access to the third-party application is illegitimate the access procedure can be terminated promptly, avoiding the resource consumption and signalling waste of continuing the subsequent procedure (such as continuing to provide a security key for the communication between the application server corresponding to the third-party application and the terminal device) for an illegitimate access. On the other hand, compared with the existing AKMA scheme, in which the application-side AApF network element must be configured one by one with the interfaces and interface addresses of the AAuF network elements in different networks, the embodiments of this application let the blockchain system provide a unified cross-domain authentication interface through which the application server interacts with the blockchain system and performs secure operations (such as verifying the legitimacy of the terminal device for the third-party application). This not only simplifies the configuration of third-party applications but also avoids the need for each third-party application provider to negotiate with each operator and to deploy network elements and plan routes, improving the efficiency of third-party application providers.
The actions of the blockchain system in steps S901 to S903 above may be performed by the processor 501 in the communication device 500 shown in FIG. 5 invoking application program code stored in the memory 503 to instruct the blockchain system; this embodiment places no restriction on this.
As shown in FIG. 10, an authentication method provided by an embodiment of this application includes the following steps:
S1001: The blockchain system receives a first message from an application server, the first message including a first identifier.
For example, the application server in this embodiment may be the AF network element in the embodiment shown in FIG. 6, and the blockchain system in this embodiment may be the blockchain system in the embodiment shown in FIG. 6.
For example, the first message in this embodiment may be verification request 1 in step S608 of the embodiment shown in FIG. 6.
S1002: The blockchain system determines the user context of the terminal device according to the first identifier; the user context of the terminal device includes a first key.
For example, the first key in this embodiment may be Kchain in the embodiment shown in FIG. 6.
S1003: The blockchain system generates a third key, which is a key for secure communication between the terminal device and the application server, where the input parameters for generating the third key include the first key.
For example, the third key in this embodiment may be Kapp in the embodiment shown in FIG. 6.
For the specific implementation of steps S1002-S1003 refer to step S610 in the embodiment shown in FIG. 6, which is not repeated here.
Compared with the existing AKMA scheme, in which the application-side AApF network element must be configured one by one with the interfaces and interface addresses of the AAuF network elements in different networks, the embodiments of this application let the blockchain system provide a unified cross-domain authentication interface through which the application server interacts with the blockchain system and performs secure operations (such as obtaining, through the blockchain system, the security parameters for the communication between the application server and the terminal device). This not only simplifies the configuration of third-party applications but also avoids the need for each third-party application provider to negotiate with each operator and to deploy network elements and plan routes, improving the efficiency of third-party application providers.
The actions of the blockchain system in steps S1001 to S1003 above may be performed by the processor 501 in the communication device 500 shown in FIG. 5 invoking application program code stored in the memory 503 to instruct the blockchain system; this embodiment places no restriction on this.
As shown in FIG. 11, an authentication method provided by an embodiment of this application includes the following steps:
S1101: The authentication service function network element obtains indication information, which indicates that a secure operation is to be performed through the blockchain system.
For example, the authentication service function network element in this embodiment may be the AUSF network element in the embodiments shown in FIG. 6 to FIG. 8, and the blockchain system in this embodiment may be the blockchain system in the embodiments shown in FIG. 6 to FIG. 8.
For example, for the way in which the authentication service function network element obtains the indication information refer to the description of step S604 in the embodiment shown in FIG. 6, which is not repeated here.
S1102: According to the indication information, the authentication service function network element sends a third message to the blockchain system. The third message includes first information and requests that the first information be stored in the user context of the terminal device, where the first information is the information the application server needs in order to perform a secure operation through the blockchain system.
For example, the application server in this embodiment may be the AF network element in the embodiments shown in FIG. 6 to FIG. 8.
For example, the third message in this embodiment may be the message the AUSF network element sends to the blockchain system when registering with it in step S606 of the embodiment shown in FIG. 6. Correspondingly, the first information may be the first identifier and Kchain that the AUSF network element registers with the blockchain system in step S606 of the embodiment shown in FIG. 6.
Or, for example, the third message in this embodiment may be the message the AUSF network element sends to the blockchain system when registering with it in step S706 of the embodiment shown in FIG. 7. Correspondingly, the first information may be the first identifier and Kchain that the AUSF network element registers with the blockchain system in step S706 of the embodiment shown in FIG. 7, or the first information may be the first identifier, Kchain and the address of the AUSF network element that the AUSF network element registers with the blockchain system in step S706 of the embodiment shown in FIG. 7.
Or, for example, the third message in this embodiment may be the message the AUSF network element sends to the blockchain system when registering with it in step S806 of the embodiment shown in FIG. 8. Correspondingly, the first information may be the first identifier and the address of the AUSF network element that the AUSF network element registers with the blockchain system in step S806 of the embodiment shown in FIG. 8.
For the specific implementation of step S1102 refer to step S606 in the embodiment shown in FIG. 6, step S706 in the embodiment shown in FIG. 7 or step S806 in the embodiment shown in FIG. 8, which is not repeated here.
Compared with the existing AKMA scheme, in which the application-side AApF network element must be configured one by one with the interfaces and interface addresses of the AAuF network elements in different networks, in this embodiment the authentication service function network element sends to the blockchain system the information the application server needs in order to perform a secure operation through the blockchain system, so that the application server can subsequently perform secure operations through the blockchain system. That is, the embodiments of this application let the blockchain system provide a unified cross-domain authentication interface through which the application server interacts with the blockchain system and performs secure operations. This not only simplifies the configuration of third-party applications but also avoids the need for each third-party application provider to negotiate with each operator and to deploy network elements and plan routes, improving the efficiency of third-party application providers.
The actions of the authentication service function network element in steps S1101 to S1102 above may be performed by the processor 501 in the communication device 500 shown in FIG. 5 invoking application program code stored in the memory 503 to instruct the authentication service function network element; this embodiment places no restriction on this.
如图12所示,为本申请实施例提供的一种认证方法,该认证方法包括如下步骤:As shown in FIG. 12 , an authentication method provided by an embodiment of the present application includes the following steps:
S1201、认证服务功能网元接收来自区块链系统的第二消息,该第二消息包括第一标识。S1201. The authentication service function network element receives a second message from the blockchain system, where the second message includes the first identifier.
示例性的,本申请实施例中的认证服务功能网元例如可以为图7或图8所示的实施例中的AUSF网元,本申请实施例中的区块链系统例如可以为图7或图8所示的实施例中的区块链系统。Exemplarily, the authentication service function network element in the embodiment of the present application may be, for example, the AUSF network element in the embodiment shown in FIG. 7 or FIG. 8 , and the blockchain system in the embodiment of the present application may be, for example, FIG. 7 or The blockchain system in the embodiment shown in FIG. 8 .
示例性的,本申请实施例中的第二消息例如可以为图7所示的实施例中步骤S710中的验证请求2;或者,本申请实施例中的第二消息例如可以为图8所示的实施例中步骤S809中的验证请求2。Exemplarily, the second message in the embodiment of the present application may be, for example, the verification request 2 in step S710 in the embodiment shown in FIG. 7 ; or, the second message in the embodiment of the present application may be, for example, as shown in FIG. 8 . In the embodiment of the verification request 2 in step S809.
S1202、认证服务功能网元根据第一标识,确定终端设备的用户上下文,终端设备的用户上下文中包括第一密钥或第二密钥;第一密钥是根据第二密钥派生得到的,第二密钥为用于终端设备与认证服务功能网元之间鉴权成功后生成的密钥。S1202. The authentication service function network element determines the user context of the terminal device according to the first identifier, where the user context of the terminal device includes the first key or the second key; the first key is derived from the second key, The second key is a key generated after successful authentication between the terminal device and the authentication service function network element.
示例性的,本申请实施例中的第一密钥例如可以为图7或图8所示的实施例中的Kchain,第二密钥例如可以为图7或图8所示的实施例中的Kausf。Exemplarily, the first key in the embodiment of the present application may be, for example, Kchain in the embodiment shown in FIG. 7 or FIG. 8 , and the second key may be, for example, the Kchain in the embodiment shown in FIG. 7 or FIG. 8 . Kausf.
S1203、认证服务功能网元生成第三密钥,该第三密钥为用于终端设备和应用服务器安全通信的密钥,其中,生成第三密钥的输入参数中包括第一密钥或第二密钥。S1203. The authentication service function network element generates a third key, where the third key is a key used for secure communication between the terminal device and the application server, wherein the input parameters for generating the third key include the first key or the third key. Second key.
示例性的,本申请实施例中的应用服务器例如可以为图7或图8所示的实施例中的AF网元。Exemplarily, the application server in the embodiment of the present application may be, for example, the AF network element in the embodiment shown in FIG. 7 or FIG. 8 .
示例性的,本申请实施例中的第一密钥例如可以为图7或图8所示的实施例中的Kapp。Exemplarily, the first key in this embodiment of the present application may be, for example, Kapp in the embodiment shown in FIG. 7 or FIG. 8 .
示例性的,步骤S1202-S1203的具体实现可参考图7所示的实施例中步骤S711或者图8所示的实施例中步骤S810,在此不再赘述。Exemplarily, for the specific implementation of steps S1202-S1203, reference may be made to step S711 in the embodiment shown in FIG. 7 or step S810 in the embodiment shown in FIG. 8, and details are not repeated here.
S1204、认证服务功能网元向区块链系统发送第三密钥。S1204, the authentication service function network element sends the third key to the blockchain system.
示例性的,步骤S1204的具体实现可参考图7所示的实施例中步骤S712或者图8所示的实施例中步骤S811,在此不再赘述。Exemplarily, for the specific implementation of step S1204, reference may be made to step S712 in the embodiment shown in FIG. 7 or step S811 in the embodiment shown in FIG. 8 , and details are not repeated here.
相比较现有AKMA方案中应用方AApF网元需要一一配置与不同网络中AAuF网元的接口以及接口地址的方式,由于本申请实施例可以由区块链系统提供统一的跨域认证接口,使得应用服务器通过该接口与区块链系统交互,通过区块链系统进行安全操作(如通过该区块链系统获得该应用服务器和该终端设备之间通信的安全参数),因此不仅简化了第三方应用的配置,而且避免了第三方应用方和运营商一一谈判,并部署网元规划路由的问题,提高了第三方应用方的效率。Compared with the existing AKMA solution, the application side AApF network elements need to configure the interfaces and interface addresses with the AAuF network elements in different networks one by one. Because the embodiment of the present application can provide a unified cross-domain authentication interface by the blockchain system, The application server interacts with the blockchain system through this interface, and performs safe operations through the blockchain system (such as obtaining the security parameters of the communication between the application server and the terminal device through the blockchain system), which not only simplifies the first step The configuration of the third-party application also avoids the problem of negotiating one by one between the third-party application party and the operator, and deploying network elements to plan routes, which improves the efficiency of the third-party application party.
The actions of the authentication service function network element in steps S1201 to S1204 above may be performed by the processor 501 in the communication device 500 shown in FIG. 5 calling the application program code stored in the memory 503 to instruct the authentication service function network element to execute them; this embodiment imposes no restriction on this.
It can be understood that, in the embodiments shown in FIG. 6 to FIG. 12, the methods and/or steps implemented by the blockchain system may also be implemented by a component usable in the blockchain system (for example, one or more blockchain apparatuses in the blockchain system), and the methods and/or steps implemented by the authentication service function network element (the AUSF network element in the embodiments shown in FIG. 6 to FIG. 8, or the authentication service function network element in the embodiments shown in FIG. 11 to FIG. 12) may also be implemented by a component (for example, a chip or a circuit) usable in the authentication service function network element.
The foregoing mainly introduces the solutions provided by the embodiments of the present application from the perspective of interaction between the network elements. Correspondingly, an embodiment of the present application further provides a communication apparatus. The communication apparatus may be one or more blockchain apparatuses in the blockchain system of the above method embodiments, an apparatus including the above blockchain system, or a component usable in the above blockchain apparatus; alternatively, the communication apparatus may be the authentication service function network element of the above method embodiments, an apparatus including the above authentication service function network element, or a component usable in the authentication service function network element. It can be understood that, in order to implement the above functions, the communication apparatus includes corresponding hardware structures and/or software modules for performing each function. Those skilled in the art should readily appreciate that, for the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein, the present application can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application and design constraints of the technical solution. Skilled artisans may implement the described functionality using different methods for each particular application, but such implementations should not be considered beyond the scope of the present application.
FIG. 13 shows a schematic structural diagram of a communication apparatus 130. The communication apparatus 130 includes a transceiver module 1301 and a processing module 1302. The transceiver module 1301, which may also be referred to as a transceiver unit, is configured to implement a transceiving function and may be, for example, a transceiver circuit, a transceiver, or a communication interface.
Taking the communication apparatus 130 as one or more blockchain apparatuses in the blockchain system of the above method embodiments, or as a chip or other component disposed in such a blockchain apparatus, as an example, in one possible implementation:
The transceiver module 1301 is configured to receive a first message from an application server, where the first message includes a first identifier and a parameter and/or message encrypted by the terminal device using a first key. The processing module 1302 is configured to determine the user context of the terminal device according to the first identifier. The processing module 1302 is further configured to verify, for the third-party application corresponding to the application server, the legitimacy of the terminal device according to the user context of the terminal device and the parameter and/or message encrypted by the terminal device using the first key.
Optionally, the user context of the terminal device includes the first key, and the processing module 1302 being configured to determine the user context of the terminal device according to the first identifier includes: being configured to determine the first key according to the first identifier.
Optionally, the processing module 1302 being configured to verify, for the third-party application corresponding to the application server, the legitimacy of the terminal device according to the user context of the terminal device and the parameter or message encrypted by the terminal device using the first key includes: being configured to decrypt, using the first key, the parameter and/or message encrypted by the terminal device using the first key, to obtain a decrypted parameter and/or message; and to determine that the terminal device is legitimate when the decrypted parameter conforms to a preconfigured parameter format or value used in interaction between the terminal device and the blockchain system, and/or the decrypted message conforms to a preconfigured message format used in interaction between the terminal device and the blockchain system.
Optionally, the first identifier includes at least one of a global blockchain identifier of the terminal device or a key identifier KID corresponding to a second key, where the second key is a key generated after successful authentication between the terminal device and the authentication service function network element.
Optionally, the first key is derived from the second key, and the second key is a key generated after successful authentication between the terminal device and the authentication service function network element.
Optionally, the processing module 1302 is further configured to obtain a third key after verifying that the terminal device is legitimate, where the third key is a key used for secure communication between the terminal device and the application server. The transceiver module 1301 is further configured to send the third key to the application server.
Optionally, the user context of the terminal device includes the first key, and the processing module 1302 being configured to obtain the third key includes: being configured to generate the third key, where the input parameters for generating the third key include the first key.
Optionally, the processing module 1302 being configured to obtain the third key includes: being configured to send a second message to the authentication service function network element through the transceiver module 1301, where the second message includes the first identifier, the first identifier is used to determine the user context of the terminal device, and the user context of the terminal device includes the first key or a second key, the second key being a key generated after successful authentication between the terminal device and the authentication service function network element; and being configured to receive the third key from the authentication service function network element through the transceiver module 1301, where the input parameters for generating the third key include the first key or the second key.
Optionally, the input parameters for generating the third key further include a second identifier and/or a decrypted parameter, where the second identifier is the application identifier of the third-party application, and the decrypted parameter is the parameter obtained by decrypting, using the first key, the parameter encrypted by the terminal device using the first key.
Optionally, the transceiver module 1301 is further configured to receive, before receiving the first message from the application server, a third message from the authentication service function network element, where the third message requests that the first key, the first identifier and the address of the authentication service function network element be stored in the user context of the terminal device. The processing module 1302 is further configured to store the first key, the first identifier and the address of the authentication service function network element in the user context of the terminal device.
Optionally, the transceiver module 1301 is further configured to receive, before receiving the first message from the application server, a third message from the authentication service function network element, where the third message requests that the first key and the first identifier be stored in the user context of the terminal device; and the processing module 1302 is further configured to store the first key and the first identifier in the user context of the terminal device.
Taking the communication apparatus 130 as one or more blockchain apparatuses in the blockchain system of the above method embodiments, or as a chip or other component disposed in such a blockchain apparatus, as an example, in another possible implementation:
The transceiver module 1301 is configured to receive a first message from an application server, where the first message includes a first identifier. The processing module 1302 is configured to determine the user context of the terminal device according to the first identifier, where the user context of the terminal device includes a first key. The processing module 1302 is further configured to generate a third key, the third key being a key used for secure communication between the terminal device and the application server, where the input parameters for generating the third key include the first key.
Optionally, the first key is derived from a second key, and the second key is a key generated after successful authentication between the terminal device and the authentication service function network element.
Optionally, the first message further includes a second identifier and/or a parameter encrypted by the terminal device using the first key, where the second identifier is the application identifier of the third-party application corresponding to the application server; correspondingly, the input parameters for generating the third key further include the second identifier and/or a decrypted parameter, where the decrypted parameter is the parameter obtained by decrypting, using the first key, the parameter encrypted by the terminal device using the first key.
Optionally, the transceiver module 1301 is further configured to receive, before receiving the first message from the application server, a third message from the authentication service function network element, where the third message requests that the first key and the first identifier be stored in the user context of the terminal device. The processing module 1302 is further configured to store the first key and the first identifier in the user context of the terminal device.
Taking the communication apparatus 130 as the authentication service function network element of the above method embodiments, or as a chip or other component disposed in the authentication service function network element, as an example, in one possible implementation:
The processing module 1302 is configured to obtain indication information, where the indication information indicates that a security operation is to be performed through the blockchain system. The transceiver module 1301 is configured to send, according to the indication information, a third message to the blockchain system, where the third message includes first information and is used to request that the first information be stored in the user context of the terminal device, the first information being the information required by the application server to perform the security operation through the blockchain system.
Optionally, the first information includes the first identifier and the address of the authentication service function network element; or the first information includes the first identifier and a first key; or the first information includes the first identifier, the first key and the address of the authentication service function network element; where the first identifier is used to determine the user context of the terminal device, the first key is derived from a second key, and the second key is a key generated after successful authentication between the terminal device and the authentication service function network element.
Optionally, the first identifier includes at least one of a global blockchain identifier of the terminal device or a key identifier KID corresponding to the second key.
Optionally, the processing module 1302 being configured to obtain the indication information includes: being configured to receive the indication information from the terminal device through the transceiver module 1301; or being configured to receive the indication information from the unified data management network element through the transceiver module 1301.
Optionally, the transceiver module 1301 is further configured to receive, after sending the third message to the blockchain system, a second message from the blockchain system, where the second message includes the first identifier. The processing module 1302 is further configured to determine the user context of the terminal device according to the first identifier, where the user context of the terminal device includes the first key or the second key, the first key is derived from the second key, and the second key is a key generated after successful authentication between the terminal device and the authentication service function network element. The processing module 1302 is further configured to generate a third key, the third key being a key used for secure communication between the terminal device and the application server, where the input parameters for generating the third key include the first key or the second key. The transceiver module 1301 is further configured to send the third key to the blockchain system.
Optionally, the second message further includes a second identifier and/or a parameter encrypted by the terminal device using the first key, where the second identifier is the application identifier of the third-party application corresponding to the application server; correspondingly, the input parameters for generating the third key further include the second identifier and/or a decrypted parameter, where the decrypted parameter is the parameter obtained by decrypting, using the first key, the parameter encrypted by the terminal device using the first key.
Optionally, the second message further includes a parameter and/or message encrypted by the terminal device using the first key. The processing module 1302 is further configured to verify, before generating the third key, that the terminal device is legitimate for the third-party application corresponding to the application server, according to the user context of the terminal device and the parameter and/or message encrypted by the terminal device using the first key.
Optionally, the user context of the terminal device includes the first key, and the processing module 1302 being configured to verify, for the third-party application corresponding to the application server, that the terminal device is legitimate according to the user context of the terminal device and the parameter or message encrypted by the terminal device using the first key includes: being configured to decrypt, using the first key, the parameter and/or message encrypted by the terminal device using the first key, to obtain a decrypted parameter and/or message; and to determine that the terminal device is legitimate when the decrypted parameter conforms to a preconfigured parameter format or value used in interaction between the terminal device and the authentication service function network element, and/or the decrypted message conforms to a preconfigured message format used in interaction between the terminal device and the authentication service function network element.
Optionally, performing the security operation through the blockchain system includes obtaining, through the blockchain system, security parameters for communication between the application server and the terminal device.
Optionally, performing the security operation through the blockchain system further includes verifying, through the blockchain system, the legitimacy of the terminal device for the third-party application corresponding to the application server.
Taking the communication apparatus 130 as the authentication service function network element of the above method embodiments, or as a chip or other component disposed in the authentication service function network element, as an example, in another possible implementation:
The transceiver module 1301 is configured to receive a second message from the blockchain system, where the second message includes a first identifier. The processing module 1302 is configured to determine the user context of the terminal device according to the first identifier, where the user context of the terminal device includes a first key or a second key, the first key is derived from the second key, and the second key is a key generated after successful authentication between the terminal device and the authentication service function network element. The processing module 1302 is further configured to generate a third key, the third key being a key used for secure communication between the terminal device and the application server, where the input parameters for generating the third key include the first key or the second key. The transceiver module 1301 is further configured to send the third key to the blockchain system.
Optionally, the second message further includes a second identifier and/or a parameter encrypted by the terminal device using the first key, where the second identifier is the application identifier of the third-party application corresponding to the application server; correspondingly, the input parameters for generating the third key further include the second identifier and/or a decrypted parameter, where the decrypted parameter is the parameter obtained by decrypting, using the first key, the parameter encrypted by the terminal device using the first key.
Optionally, the second message further includes a parameter and/or message encrypted by the terminal device using the first key. The processing module 1302 is further configured to verify, before generating the third key, that the terminal device is legitimate for the third-party application corresponding to the application server, according to the user context of the terminal device and the parameter and/or message encrypted by the terminal device using the first key.
Optionally, the user context of the terminal device includes the first key, and the processing module 1302 being configured to verify, for the third-party application corresponding to the application server, that the terminal device is legitimate according to the user context of the terminal device and the parameter or message encrypted by the terminal device using the first key includes: being configured to decrypt, using the first key, the parameter and/or message encrypted by the terminal device using the first key, to obtain a decrypted parameter and/or message; and to determine that the terminal device is legitimate when the decrypted parameter conforms to a preconfigured parameter format or value used in interaction between the terminal device and the authentication service function network element, and/or the decrypted message conforms to a preconfigured message format used in interaction between the terminal device and the authentication service function network element.
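The blockchain-system implementation above (look up the user context by the first identifier, decrypt the parameter with the first key, accept the terminal only if the decrypted parameter matches the preconfigured format, then derive the third key from the first key, the application identifier and the decrypted parameter) and the authentication-service-function implementation just described perform the same verify-then-derive sequence. The following is an added illustration written for this page, not code from the patent or its applicant. Everything concrete in it is an assumption the patent does not make: HKDF-SHA256 as the derivation function, an HMAC-based encrypt-then-MAC construction standing in for whatever cipher protects the parameter (a deployment would use a standard AEAD such as AES-GCM), a JSON object with `app_id` and `nonce` fields as the "preconfigured parameter format", and an in-memory dict as the user-context store. The identifiers `SAMPLE_KID`, `SAMPLE_KAPP` and the application identifier are constructed sample values.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class UserContext:
    """User context as the blockchain system stores it after the AUSF's third message."""
    first_key: bytes      # Kapp, derived from the key established at primary authentication
    ausf_address: str     # address of the authentication service function network element


# Constructed sample values (assumption): one enrolled terminal keyed by its KID.
SAMPLE_KAPP = hashlib.sha256(b"constructed-Kapp-for-illustration").digest()
SAMPLE_KID = "KID-constructed-0001"
USER_CONTEXTS = {SAMPLE_KID: UserContext(SAMPLE_KAPP, "ausf.example.invalid")}


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """RFC 5869 extract-then-expand with HMAC-SHA256 (standard library only)."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; part of the stand-in cipher (assumption)."""
    stream, counter = b"", 0
    while len(stream) < length:
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return stream[:length]


def protect(kapp: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Terminal side: encrypt-then-MAC under keys derived from Kapp; returns nonce||ct||tag."""
    nonce = nonce or os.urandom(16)
    k_enc, k_mac = hkdf_sha256(kapp, b"enc"), hkdf_sha256(kapp, b"mac")
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect(kapp: bytes, blob: bytes) -> Optional[bytes]:
    """Verifier side: check the tag before decrypting; None if the tag does not verify."""
    if len(blob) < 16 + 32:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    k_enc, k_mac = hkdf_sha256(kapp, b"enc"), hkdf_sha256(kapp, b"mac")
    expected = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(k_enc, nonce, len(ct))))


def parameter_conforms(param: dict) -> bool:
    """Preconfigured parameter format (assumption): exactly 'app_id' (non-empty str)
    and 'nonce' (32 hex characters)."""
    if set(param) != {"app_id", "nonce"}:
        return False
    if not isinstance(param["app_id"], str) or not param["app_id"]:
        return False
    nonce = param["nonce"]
    if not isinstance(nonce, str) or len(nonce) != 32:
        return False
    try:
        bytes.fromhex(nonce)
    except ValueError:
        return False
    return True


def verify_terminal(first_id: str, enc_param: bytes) -> Optional[dict]:
    """Look up the context by the first identifier, decrypt with the first key and
    accept only a parameter in the preconfigured format. Returns it, or None."""
    ctx = USER_CONTEXTS.get(first_id)
    if ctx is None:
        return None                      # unknown identifier: no user context
    plaintext = unprotect(ctx.first_key, enc_param)
    if plaintext is None:
        return None                      # wrong key or modified ciphertext
    try:
        param = json.loads(plaintext)
    except ValueError:
        return None
    return param if isinstance(param, dict) and parameter_conforms(param) else None


def derive_third_key(first_key: bytes, app_id: str, param: dict) -> bytes:
    """Third key from the first key, the second identifier (app id) and the decrypted
    parameter, the optional inputs the embodiments list; binding is via HKDF info."""
    info = b"K3|" + app_id.encode() + b"|" + bytes.fromhex(param["nonce"])
    return hkdf_sha256(first_key, info)


def handle_first_message(first_id: str, app_id: str, enc_param: bytes) -> Optional[bytes]:
    """Handler for the application server's first message: the third key is released
    only after the terminal verifies and the parameter names this application."""
    param = verify_terminal(first_id, enc_param)
    if param is None or param["app_id"] != app_id:
        return None
    return derive_third_key(USER_CONTEXTS[first_id].first_key, app_id, param)
```

The terminal, which holds the same Kapp, can compute `derive_third_key` with the same inputs, so both ends arrive at the third key without it ever crossing the terminal-to-server path; the verifier releases nothing when the identifier is unknown, the tag fails, the decrypted parameter is malformed, or the parameter names a different application.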
All relevant content of the steps involved in the above method embodiments may be cited in the functional description of the corresponding functional modules, and is not repeated here.
In this embodiment, the communication apparatus 130 is presented in the form of functional modules divided in an integrated manner. A "module" here may refer to an application-specific integrated circuit (ASIC), a circuit, a processor and memory executing one or more software or firmware programs, an integrated logic circuit, and/or another device that can provide the above functions. In a simple embodiment, those skilled in the art can conceive that the communication apparatus 130 may take the form of the communication device 500 shown in FIG. 5.
For example, the processor 501 in the communication device 500 shown in FIG. 5 may call the computer-executable instructions stored in the memory 503 so that the communication device 500 performs the authentication method of the above method embodiments.
Specifically, the functions/implementation processes of the transceiver module 1301 and the processing module 1302 in FIG. 13 may be implemented by the processor 501 in the communication device 500 shown in FIG. 5 calling the computer-executable instructions stored in the memory 503. Alternatively, the function/implementation process of the processing module 1302 in FIG. 13 may be implemented by the processor 501 in the communication device 500 shown in FIG. 5 calling the computer-executable instructions stored in the memory 503, and the function/implementation process of the transceiver module 1301 in FIG. 13 may be implemented through the communication interface 504 in the communication device 500 shown in FIG. 5.
Since the communication apparatus 130 provided in this embodiment can perform the above authentication method, reference may be made to the above method embodiments for the technical effects it can achieve; they are not repeated here.
It should be noted that one or more of the above modules or units may be implemented in software, in hardware, or in a combination of both. When any of the above modules or units is implemented in software, the software exists in the form of computer program instructions stored in a memory, and a processor may be used to execute those program instructions and implement the above method procedures. The processor may be built into an SoC (system on chip) or an ASIC, or may be an independent semiconductor chip. In addition to the core that executes software instructions to perform operations or processing, the processor may further include necessary hardware accelerators, such as a field programmable gate array (FPGA), a programmable logic device (PLD), or a logic circuit implementing dedicated logic operations.
When the above modules or units are implemented in hardware, the hardware may be any one or any combination of a CPU, a microprocessor, a digital signal processing (DSP) chip, a microcontroller unit (MCU), an artificial intelligence processor, an ASIC, an SoC, an FPGA, a PLD, a dedicated digital circuit, a hardware accelerator, or a non-integrated discrete device, which may run the necessary software or operate without software to perform the above method procedures.
Optionally, an embodiment of the present application further provides a communication apparatus (for example, the communication apparatus may be a chip or a chip system), the communication apparatus including a processor configured to implement the method of any of the above method embodiments. In one possible implementation, the communication apparatus further includes a memory. The memory is configured to store the necessary program instructions and data, and the processor may call the program code stored in the memory to instruct the communication apparatus to perform the method of any of the above method embodiments. Of course, the memory may also be located outside the communication apparatus. When the communication apparatus is a chip system, it may consist of a chip or may include a chip and other discrete devices; this is not specifically limited in the embodiments of the present application.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented using a software program, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions described in the embodiments of the present application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired means (for example, coaxial cable, optical fibre, or digital subscriber line (DSL)) or wireless means (for example, infrared, radio, or microwave). The computer-readable storage medium may be any available medium accessible by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, hard disk, or magnetic tape), an optical medium (for example, a DVD), a semiconductor medium (for example, a solid state disk (SSD)), or the like.
Although the present application is described herein in conjunction with the various embodiments, those skilled in the art, in practising the claimed application, can understand and implement other variations of the disclosed embodiments from a review of the drawings, the disclosure, and the appended claims. In the claims, the word "comprising" does not exclude other components or steps, and "a" or "an" does not exclude a plurality. A single processor or other unit may fulfil the functions of several items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
尽管结合具体特征及其实施例对本申请进行了描述,显而易见的,在不脱离本申请的精神和范围的情况下,可对其进行各种修改和组合。相应地,本说明书和附图仅仅是所附权利要求所界定的本申请的示例性说明,且视为已覆盖本申请范围内的任意和所有修改、变化、组合或等同物。显然,本领域的技术人员可以对本申请进行各种改动和变型而不脱离本申请的精神和范围。这样,倘若本申请的这些修改和变型属于本申请权利要求及其等同技术的范围之内,则本申请也意图包含这些改动和变型在内。Although the application has been described in conjunction with specific features and embodiments thereof, it will be apparent that various modifications and combinations can be made therein without departing from the spirit and scope of the application. Accordingly, this specification and drawings are merely exemplary illustrations of the application as defined by the appended claims, and are deemed to cover any and all modifications, variations, combinations or equivalents within the scope of this application. Obviously, those skilled in the art can make various changes and modifications to the present application without departing from the spirit and scope of the present application. Thus, if these modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is also intended to include these modifications and variations.

Claims (46)

  1. An authentication method, characterized in that the method comprises:
    receiving, by a blockchain system, a first message from an application server, where the first message includes a first identifier and a parameter and/or message encrypted by a terminal device using a first key;
    determining, by the blockchain system, a user context of the terminal device according to the first identifier; and
    verifying, by the blockchain system, the legitimacy of the terminal device for a third-party application corresponding to the application server according to the user context of the terminal device and the parameter and/or message encrypted by the terminal device using the first key.
  2. The method according to claim 1, characterized in that the user context of the terminal device includes the first key, and the determining, by the blockchain system, the user context of the terminal device according to the first identifier comprises:
    determining, by the blockchain system, the first key according to the first identifier.
  3. The method according to claim 2, characterized in that the verifying, by the blockchain system, the legitimacy of the terminal device for the third-party application corresponding to the application server according to the user context of the terminal device and the parameter or message encrypted by the terminal device using the first key comprises:
    decrypting, by the blockchain system using the first key, the parameter and/or message encrypted by the terminal device using the first key, to obtain a decrypted parameter and/or message; and
    when the decrypted parameter conforms to a pre-configured parameter format or value used in interaction between the terminal device and the blockchain system, and/or the decrypted message conforms to a pre-configured message format used in interaction between the terminal device and the blockchain system, determining, by the blockchain system, that the terminal device is legitimate.
  4. The method according to any one of claims 1 to 3, characterized in that the first identifier includes at least one of a global blockchain identifier of the terminal device or a key identifier (KID) corresponding to a second key, where the second key is a key generated after successful authentication between the terminal device and an authentication service function network element.
  5. The method according to any one of claims 1 to 4, characterized in that the first key is derived from a second key, where the second key is a key generated after successful authentication between the terminal device and an authentication service function network element.
  6. The method according to any one of claims 1 to 5, further comprising:
    after the blockchain system verifies that the terminal device is legitimate, obtaining, by the blockchain system, a third key, where the third key is a key used for secure communication between the terminal device and the application server; and
    sending, by the blockchain system, the third key to the application server.
  7. The method according to claim 6, characterized in that the user context of the terminal device includes the first key, and the obtaining, by the blockchain system, a third key comprises:
    generating, by the blockchain system, the third key, where the input parameters for generating the third key include the first key.
  8. The method according to claim 6, characterized in that the obtaining, by the blockchain system, a third key comprises:
    sending, by the blockchain system, a second message to an authentication service function network element, where the second message includes the first identifier, the first identifier is used to determine the user context of the terminal device, the user context of the terminal device includes the first key or a second key, and the second key is a key generated after successful authentication between the terminal device and the authentication service function network element; and
    receiving, by the blockchain system, the third key from the authentication service function network element, where the input parameters for generating the third key include the first key or the second key.
  9. The method according to claim 7 or 8, characterized in that the input parameters for generating the third key further include a second identifier and/or a decrypted parameter, where the second identifier is an application identifier of the third-party application, and the decrypted parameter is a parameter obtained by using the first key to decrypt the parameter encrypted by the terminal device using the first key.
  10. The method according to claim 8, characterized in that, before the blockchain system receives the first message from the application server, the method further comprises:
    receiving, by the blockchain system, a third message from the authentication service function network element, where the third message requests that the first key, the first identifier, and an address of the authentication service function network element be stored in the user context of the terminal device; and
    storing, by the blockchain system, the first key, the first identifier, and the address of the authentication service function network element in the user context of the terminal device.
  11. The method according to any one of claims 1 to 10, characterized in that, before the blockchain system receives the first message from the application server, the method further comprises:
    receiving, by the blockchain system, a third message from an authentication service function network element, where the third message requests that the first key and the first identifier be stored in the user context of the terminal device; and
    storing, by the blockchain system, the first key and the first identifier in the user context of the terminal device.
  12. An authentication method, characterized in that the method comprises:
    obtaining, by an authentication service function network element, indication information, where the indication information indicates that a security operation is to be performed through a blockchain system; and
    sending, by the authentication service function network element according to the indication information, a third message to the blockchain system, where the third message includes first information and is used to request that the first information be stored in a user context of a terminal device, and the first information is information required by an application server to perform the security operation through the blockchain system.
  13. The method according to claim 12, characterized in that the first information includes a first identifier and an address of the authentication service function network element; or
    the first information includes the first identifier and a first key; or
    the first information includes the first identifier, the first key, and the address of the authentication service function network element; where
    the first identifier is used to determine the user context of the terminal device, the first key is derived from a second key, and the second key is a key generated after successful authentication between the terminal device and the authentication service function network element.
  14. The method according to claim 13, characterized in that the first identifier includes at least one of a global blockchain identifier of the terminal device or a key identifier (KID) corresponding to the second key.
  15. The method according to any one of claims 12 to 14, characterized in that the obtaining, by the authentication service function network element, indication information comprises:
    receiving, by the authentication service function network element, the indication information from the terminal device; or
    receiving, by the authentication service function network element, the indication information from a unified data management network element.
  16. The method according to any one of claims 12 to 15, characterized in that, after the authentication service function network element sends the third message to the blockchain system according to the indication information, the method further comprises:
    receiving, by the authentication service function network element, a second message from the blockchain system, where the second message includes a first identifier;
    determining, by the authentication service function network element, the user context of the terminal device according to the first identifier, where the user context of the terminal device includes a first key or a second key, the first key is derived from the second key, and the second key is a key generated after successful authentication between the terminal device and the authentication service function network element;
    generating, by the authentication service function network element, a third key, where the third key is a key used for secure communication between the terminal device and the application server, and the input parameters for generating the third key include the first key or the second key; and
    sending, by the authentication service function network element, the third key to the blockchain system.
  17. The method according to claim 16, characterized in that the second message further includes a second identifier and/or a parameter encrypted by the terminal device using the first key, where the second identifier is an application identifier of a third-party application corresponding to the application server; and
    correspondingly, the input parameters for generating the third key further include the second identifier and/or a decrypted parameter, where the decrypted parameter is a parameter obtained by using the first key to decrypt the parameter encrypted by the terminal device using the first key.
  18. The method according to claim 16 or 17, characterized in that the second message further includes a parameter and/or message encrypted by the terminal device using the first key, and before the authentication service function network element generates the third key, the method further comprises:
    verifying, by the authentication service function network element, for the third-party application corresponding to the application server, that the terminal device is legitimate according to the user context of the terminal device and the parameter and/or message encrypted by the terminal device using the first key.
  19. The method according to claim 18, characterized in that the user context of the terminal device includes the first key, and the verifying, by the authentication service function network element, for the third-party application corresponding to the application server, that the terminal device is legitimate according to the user context of the terminal device and the parameter or message encrypted by the terminal device using the first key comprises:
    decrypting, by the authentication service function network element using the first key, the parameter and/or message encrypted by the terminal device using the first key, to obtain a decrypted parameter and/or message; and
    when the decrypted parameter conforms to a pre-configured parameter format or value used in interaction between the terminal device and the authentication service function network element, and/or the decrypted message conforms to a pre-configured message format used in interaction between the terminal device and the authentication service function network element, determining, by the authentication service function network element, that the terminal device is legitimate.
  20. The method according to any one of claims 12 to 19, characterized in that performing the security operation through the blockchain system includes obtaining, through the blockchain system, a security parameter for communication between the application server and the terminal device.
  21. The method according to claim 20, characterized in that performing the security operation through the blockchain system further includes verifying, through the blockchain system, the legitimacy of the terminal device for a third-party application corresponding to the application server.
  22. A communication apparatus, characterized in that the communication apparatus comprises a processing module and a transceiver module, where
    the transceiver module is configured to receive a first message from an application server, where the first message includes a first identifier and a parameter and/or message encrypted by a terminal device using a first key;
    the processing module is configured to determine a user context of the terminal device according to the first identifier; and
    the processing module is further configured to verify the legitimacy of the terminal device for a third-party application corresponding to the application server according to the user context of the terminal device and the parameter and/or message encrypted by the terminal device using the first key.
  23. The communication apparatus according to claim 22, characterized in that the user context of the terminal device includes the first key, and the processing module being configured to determine the user context of the terminal device according to the first identifier comprises the processing module being configured to determine the first key according to the first identifier.
  24. The communication apparatus according to claim 23, characterized in that the processing module being configured to verify the legitimacy of the terminal device for the third-party application corresponding to the application server according to the user context of the terminal device and the parameter or message encrypted by the terminal device using the first key comprises the processing module being configured to: decrypt, using the first key, the parameter and/or message encrypted by the terminal device using the first key, to obtain a decrypted parameter and/or message; and, when the decrypted parameter conforms to a pre-configured parameter format or value used in interaction between the terminal device and a blockchain system, and/or the decrypted message conforms to a pre-configured message format used in interaction between the terminal device and the blockchain system, determine that the terminal device is legitimate.
  25. The communication apparatus according to any one of claims 22 to 24, characterized in that the first identifier includes at least one of a global blockchain identifier of the terminal device or a key identifier (KID) corresponding to a second key, where the second key is a key generated after successful authentication between the terminal device and an authentication service function network element.
  26. The communication apparatus according to any one of claims 22 to 25, characterized in that the first key is derived from a second key, where the second key is a key generated after successful authentication between the terminal device and an authentication service function network element.
  27. The communication apparatus according to any one of claims 22 to 26, where the processing module is further configured to obtain a third key after the communication apparatus verifies that the terminal device is legitimate, where the third key is a key used for secure communication between the terminal device and the application server; and
    the transceiver module is further configured to send the third key to the application server.
  28. The communication apparatus according to claim 27, characterized in that the user context of the terminal device includes the first key, and the processing module being configured to obtain a third key comprises the processing module being configured to generate the third key, where the input parameters for generating the third key include the first key.
  29. The communication apparatus according to claim 27, characterized in that the processing module being configured to obtain a third key comprises the processing module being configured to: send, through the transceiver module, a second message to an authentication service function network element, where the second message includes the first identifier, the first identifier is used to determine the user context of the terminal device, the user context of the terminal device includes the first key or a second key, and the second key is a key generated after successful authentication between the terminal device and the authentication service function network element; and receive, through the transceiver module, the third key from the authentication service function network element, where the input parameters for generating the third key include the first key or the second key.
  30. The communication apparatus according to claim 28 or 29, characterized in that the input parameters for generating the third key further include a second identifier and/or a decrypted parameter, where the second identifier is an application identifier of the third-party application, and the decrypted parameter is a parameter obtained by using the first key to decrypt the parameter encrypted by the terminal device using the first key.
  31. The communication apparatus according to claim 29, characterized in that the transceiver module is further configured to receive, before receiving the first message from the application server, a third message from the authentication service function network element, where the third message requests that the first key, the first identifier, and an address of the authentication service function network element be stored in the user context of the terminal device; and
    the processing module is further configured to store the first key, the first identifier, and the address of the authentication service function network element in the user context of the terminal device.
  32. The communication apparatus according to any one of claims 22 to 31, characterized in that the transceiver module is further configured to receive, before receiving the first message from the application server, a third message from an authentication service function network element, where the third message requests that the first key and the first identifier be stored in the user context of the terminal device; and
    the processing module is further configured to store the first key and the first identifier in the user context of the terminal device.
  33. An authentication service function network element, characterized in that the authentication service function network element comprises a processing module and a transceiver module, where
    the processing module is configured to obtain indication information, where the indication information indicates that a security operation is to be performed through a blockchain system; and
    the transceiver module is configured to send, according to the indication information, a third message to the blockchain system, where the third message includes first information and is used to request that the first information be stored in a user context of a terminal device, and the first information is information required by an application server to perform the security operation through the blockchain system.
  34. The authentication service function network element according to claim 33, characterized in that the first information includes a first identifier and an address of the authentication service function network element; or
    the first information includes the first identifier and a first key; or
    the first information includes the first identifier, the first key, and the address of the authentication service function network element; where
    the first identifier is used to determine the user context of the terminal device, the first key is derived from a second key, and the second key is a key generated after successful authentication between the terminal device and the authentication service function network element.
  35. The authentication service function network element according to claim 34, characterized in that the first identifier includes at least one of a global blockchain identifier of the terminal device or a key identifier (KID) corresponding to the second key.
  36. The authentication service function network element according to any one of claims 33 to 35, characterized in that the processing module being configured to obtain indication information comprises the processing module being configured to receive the indication information from the terminal device through the transceiver module, or to receive the indication information from a unified data management network element through the transceiver module.
  37. The authentication service function network element according to any one of claims 33 to 36, characterized in that the transceiver module is further configured to receive, after the third message is sent to the blockchain system, a second message from the blockchain system, where the second message includes a first identifier;
    the processing module is further configured to determine the user context of the terminal device according to the first identifier, where the user context of the terminal device includes a first key or a second key, the first key is derived from the second key, and the second key is a key generated after successful authentication between the terminal device and the authentication service function network element;
    the processing module is further configured to generate a third key, where the third key is a key used for secure communication between the terminal device and the application server, and the input parameters for generating the third key include the first key or the second key; and
    the transceiver module is further configured to send the third key to the blockchain system.
  38. The authentication service function network element according to claim 37, characterized in that the second message further includes a second identifier and/or a parameter encrypted by the terminal device using the first key, where the second identifier is an application identifier of a third-party application corresponding to the application server; and
    correspondingly, the input parameters for generating the third key further include the second identifier and/or a decrypted parameter, where the decrypted parameter is a parameter obtained by using the first key to decrypt the parameter encrypted by the terminal device using the first key.
  39. The authentication service function network element according to claim 37 or 38, characterized in that the second message further includes a parameter and/or message encrypted by the terminal device using the first key; and
    the processing module is further configured to verify, before generating the third key, for the third-party application corresponding to the application server, that the terminal device is legitimate according to the user context of the terminal device and the parameter and/or message encrypted by the terminal device using the first key.
  40. The authentication service function network element according to claim 39, characterized in that the user context of the terminal device includes the first key, and the processing module being configured to verify, for the third-party application corresponding to the application server, that the terminal device is legitimate according to the user context of the terminal device and the parameter or message encrypted by the terminal device using the first key comprises the processing module being configured to: decrypt, using the first key, the parameter and/or message encrypted by the terminal device using the first key, to obtain a decrypted parameter and/or message; and, when the decrypted parameter conforms to a pre-configured parameter format or value used in interaction between the terminal device and the authentication service function network element, and/or the decrypted message conforms to a pre-configured message format used in interaction between the terminal device and the authentication service function network element, determine that the terminal device is legitimate.
  41. The authentication service function network element according to any one of claims 33 to 40, characterized in that performing the security operation through the blockchain system includes obtaining, through the blockchain system, a security parameter for communication between the application server and the terminal device.
  42. The authentication service function network element according to claim 41, characterized in that performing the security operation through the blockchain system further includes verifying, through the blockchain system, the legitimacy of the terminal device for a third-party application corresponding to the application server.
  43. A communication system, characterized in that the communication system comprises an application server and a blockchain system;
    the application server is configured to send a first message to the blockchain system, the first message comprising a first identifier and parameters and/or messages encrypted by a terminal device using a first key;
    the blockchain system is configured to receive the first message from the application server, determine the user context of the terminal device according to the first identifier, and then verify, according to the user context of the terminal device and the parameters and/or messages encrypted by the terminal device using the first key, the legitimacy of the terminal device for the third-party application corresponding to the application server.
  44. A communication system, characterized in that the communication system comprises a blockchain system and an authentication service function network element;
    the authentication service function network element is configured to obtain indication information, the indication information indicating that a security operation is to be performed through the blockchain system;
    the authentication service function network element is further configured to send, according to the indication information, a third message to the blockchain system, the third message comprising first information and being used to request that the first information be stored in the user context of a terminal device, wherein the first information is the information required when an application server performs a security operation through the blockchain system;
    the blockchain system is configured to receive the third message from the authentication service function network element and store the first information in the user context of the terminal device.
  45. A computer-readable storage medium, characterized in that the computer-readable storage medium stores instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 1-11, or to perform the method according to any one of claims 12-21.
  46. A computer program product comprising instructions, characterized in that, when run on a computer, the instructions cause the computer to perform the method according to any one of claims 1-11, or to perform the method according to any one of claims 12-21.
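The verification step of claims 40 and 43, worked as an added Python example that is not part of the patent and does not reflect Huawei's implementation: the terminal encrypts a parameter under the first key, and the blockchain system looks up the user context by the first identifier, decrypts, and accepts only when the plaintext matches the pre-configured parameter format. Assumptions (none are specified by the claims): a dict stands in for the blockchain system's user-context store, HMAC-SHA256 encrypt-then-MAC stands in for the unspecified cipher, and the parameter format `AUTH|<identifier>|<nonce>` is constructed for the example.

```python
import hashlib
import hmac
import os
import re

# Constructed stand-in for the user contexts the blockchain system holds, keyed by the
# first identifier (claim 43). A real system would read these from the ledger.
USER_CONTEXTS = {
    "ue-0001": {"first_key": bytes.fromhex("0f" * 32)},  # constructed key value
}

# Constructed pre-configured parameter format (claim 40): "AUTH|<identifier>|<16 hex nonce>".
PARAM_FORMAT = re.compile(rb"^AUTH\|([A-Za-z0-9-]+)\|([0-9a-f]{16})$")

TAG_LEN, NONCE_LEN = 32, 16

def _subkeys(first_key: bytes):
    # Assumption: separate encryption and MAC keys derived from the first key via HMAC.
    return (hmac.new(first_key, b"enc", hashlib.sha256).digest(),
            hmac.new(first_key, b"mac", hashlib.sha256).digest())

def _xor_stream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as a keystream; XOR is symmetric, so this both encrypts and decrypts.
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def encrypt_params(first_key: bytes, params: bytes) -> bytes:
    """Terminal side: encrypt-then-MAC under the first key. Returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(first_key)
    nonce = os.urandom(NONCE_LEN)
    ct = _xor_stream(enc_key, nonce, params)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def verify_terminal(first_identifier: str, encrypted: bytes) -> bool:
    """Blockchain-system side (claims 40/43): find the user context by the first identifier,
    decrypt with its first key, and accept only if the tag verifies and the plaintext matches
    the pre-configured format and names the same identifier that was looked up."""
    ctx = USER_CONTEXTS.get(first_identifier)
    if ctx is None or len(encrypted) < NONCE_LEN + TAG_LEN:
        return False
    enc_key, mac_key = _subkeys(ctx["first_key"])
    nonce, ct, tag = encrypted[:NONCE_LEN], encrypted[NONCE_LEN:-TAG_LEN], encrypted[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False  # not produced under this terminal's first key, or tampered in transit
    match = PARAM_FORMAT.match(_xor_stream(enc_key, nonce, ct))
    return match is not None and match.group(1).decode() == first_identifier
```

The tag check is what makes the format check meaningful: with an unauthenticated cipher, a malleable ciphertext could still decrypt to well-formed bytes, so a deployment should use a real AEAD rather than rely on format conformance alone.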
PCT/CN2021/113523 2020-08-27 2021-08-19 Authentication method, apparatus and system WO2022042417A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010880356.4A CN114205072B (en) 2020-08-27 2020-08-27 Authentication method, device and system
CN202010880356.4 2020-08-27

Publications (1)

Publication Number Publication Date
WO2022042417A1 true WO2022042417A1 (en) 2022-03-03

Family

ID=80352621

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/113523 WO2022042417A1 (en) 2020-08-27 2021-08-19 Authentication method, apparatus and system

Country Status (2)

Country Link
CN (1) CN114205072B (en)
WO (1) WO2022042417A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114928617B (en) * 2022-06-15 2023-07-21 中国电信股份有限公司 Private network subscription data management method, device, equipment and medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108737418A (en) * 2018-05-22 2018-11-02 飞天诚信科技股份有限公司 A kind of identity identifying method and system based on block chain
WO2019086127A1 (en) * 2017-11-03 2019-05-09 Motorola Mobility Llc User authentication using connection information provided by a blockchain network
CN109829720A (en) * 2019-01-31 2019-05-31 中国—东盟信息港股份有限公司 A kind of identity real name authentication method based on block chain transaction data
US20200084018A1 (en) * 2018-09-07 2020-03-12 Sap Se Blockchain-incorporating distributed authentication system
WO2020091278A1 (en) * 2018-10-31 2020-05-07 주식회사 스위클 System and method for providing personal information using one time private key based on blockchain of proof of use
CN111132165A (en) * 2019-12-30 2020-05-08 全链通有限公司 5G communication card-free access method, equipment and storage medium based on block chain
CN111464287A (en) * 2019-01-21 2020-07-28 华为技术有限公司 Method and device for generating secret key

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112492590A (en) * 2017-11-14 2021-03-12 华为技术有限公司 Communication method and device
CN110798833B (en) * 2018-08-03 2023-10-24 华为技术有限公司 Method and device for verifying user equipment identification in authentication process

Also Published As

Publication number Publication date
CN114205072B (en) 2023-04-28
CN114205072A (en) 2022-03-18

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 21860255; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 21860255; Country of ref document: EP; Kind code of ref document: A1)