WO2022148244A1 - Communication method, apparatus and system - Google Patents


Info

Publication number
WO2022148244A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
network function
function entity
client credential
statement
Application number
PCT/CN2021/140465
Other languages
French (fr)
Chinese (zh)
Inventor
张博
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2022148244A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security

Abstract

Provided are a communication method, apparatus and system, which are used for solving the risk of leakage of network data caused when an existing client credential assertion mechanism is used in a roaming scenario. The method comprises: a first network function entity receiving a first client credential assertion from a second network function entity, wherein the first client credential assertion comprises a network identifier of a network in which a desired receiver network function entity of the first client credential assertion is located, the first network function entity belongs to a first network, the second network function entity belongs to a second network, and the first network and the second network are different networks; and the first network function entity verifying whether the network identifier of the network in which the desired receiver network function entity of the first client credential assertion is located is a network identifier of the first network.

Description

Communication method, apparatus and system
This application claims priority to Chinese patent application No. 202110034375.X, entitled "Communication method, apparatus and system", filed with the State Intellectual Property Office on January 11, 2021, the entire contents of which are incorporated herein by reference.
Technical field
This application relates to the field of communication technologies, and in particular to a communication method, apparatus and system.
Background
In current fifth-generation (5G) networks, a new client credential assertion (CCA) mechanism has been introduced for the indirect communication scenario. Specifically, the originating network function entity sends the client credential assertion to the receiving network function entity as an identity-proof parameter that attests to the originating network function entity's identity, and the receiving network function entity verifies the correctness of the originating network function entity's identity from that client credential assertion. Once the identity has been verified, the receiving network function entity can provide services to the originating network function entity directly. For example, even when a service communication proxy (SCP) network element sits in between, a receiving network function entity such as a network function producer (pNF) or a network function repository function (NRF) can still verify, by means of the client credential assertion, the identity of an originating network function entity such as a network function consumer (cNF). Once the identity has been verified, the pNF or NRF can provide services to the cNF directly.
When the client credential assertion mechanism is used in a roaming scenario, the originating network function entity and the receiving network function entity belong to different operator networks. Suppose a client credential assertion is generated by an originating network function entity in network C in order to access a receiving network function entity in network A. Under the prior-art scheme, if that client credential assertion is leaked and obtained by an attacker, the attacker can present it to a receiving network function entity in any network other than network C (for example, network B). If the client credential is then accepted as authentic by the receiving network function entity in that other network, services may be provided to the attacker, creating risks such as leakage of network data.
Summary of the invention
Embodiments of this application provide a communication method, apparatus and system for addressing the risk of network data leakage that may arise when the existing client credential assertion mechanism is used in a roaming scenario.
To achieve the above object, the embodiments of this application adopt the following technical solutions:
In a first aspect, a communication method is provided. The communication apparatus that performs the method may be a first network function entity, or a module applied in the first network function entity, such as a chip or a chip system. The following description takes the first network function entity as the executing subject by way of example. The first network function entity receives a first client credential assertion from a second network function entity, the first client credential assertion including the network identifier of the network in which the intended recipient network function entity of the first client credential assertion is located, where the first network function entity belongs to a first network, the second network function entity belongs to a second network, and the first network and the second network are different networks; and the first network function entity verifies whether the network identifier of the network in which the intended recipient network function entity of the first client credential assertion is located is the network identifier of the first network.
In the embodiments of this application, the first client credential assertion sent by the sending network function entity (corresponding to the second network function entity above) to the receiving network function entity (corresponding to the first network function entity above) is bound to the network identifier of the network in which the intended recipient network function entity of the first client credential assertion is located, and that network identifier is used to verify whether it is the same as the network identifier of the network in which the receiving network function entity is located (corresponding to the network identifier of the first network above). The receiving network function entity provides services to the sending network function entity only when the network identifier of the intended recipient's network carried in the first client credential assertion is the network identifier of its own network. This rules out the possibility of the first client credential assertion being used in a network other than the one in which its intended recipient network function entity is located, thereby avoiding risks such as network data leakage that would result from such use and improving the reliability of network data transmission.
With reference to the first aspect, in a possible implementation, the first network function entity receiving the first client credential assertion from the second network function entity includes: the first network function entity receiving, through a first security edge protection proxy entity, a first message that includes the first client credential assertion from the second network function entity.
With reference to the first aspect, in a possible implementation, the first message further includes a first root certificate, which is the root certificate of the second network; and the method further includes: the first network function entity verifying, on the basis of the first root certificate, whether the certificate information in the first client credential assertion is correct. Compared with the prior art, in which the receiving network function entity cannot verify the correctness of the certificate in a client credential assertion in scenarios such as the absence of cross-certificates between different operators, the embodiments of this application can verify the certificate information in the first client credential assertion on the basis of the first root certificate, so that the certificate in the client credential assertion is verified and, in turn, the digital signature of the client credential assertion and the signed content can be verified.
With reference to the first aspect, in a possible implementation, the first message further includes a first authorization token used by the second network function entity to request a service of the first network function entity, the first authorization token including the network identifier of the second network; and the method further includes: the first network function entity verifying whether the network identifier of the second network is the network identifier in the certificate information of the first client credential assertion.
With reference to the first aspect, in a possible implementation, the first message further includes the identifier of the network function set to which the intended recipient network function entity of the first client credential assertion belongs; and the method further includes: the first network function entity verifying whether the identifier of the network function set to which the intended recipient network function entity of the first client credential assertion belongs is the identifier of the network function set to which the first network function entity belongs.
With reference to the first aspect, in a possible implementation, the first client credential assertion further includes the identifier of the network function set to which the intended recipient network function entity of the first client credential assertion belongs; and the method further includes: the first network function entity verifying whether that identifier is the identifier of the network function set to which the first network function entity belongs.
With reference to the first aspect, in a possible implementation, the signed content of the first client credential assertion includes the network identifier of the network in which the originating network function entity of the first client credential assertion is located; and the method further includes: the first network function entity verifying whether the network identifier of the network in which the originating network function entity of the first client credential assertion is located is the network identifier in the certificate information of the first client credential assertion.
With reference to the first aspect, in a possible implementation, after the first network function entity verifies that the network identifier of the network in which the intended recipient network function entity of the first client credential assertion is located is the network identifier of the first network, the method further includes: the first network function entity sending a second client credential assertion to the second network function entity, the second client credential assertion including at least one of the following parameters: the identifier of the intended recipient network function entity of the second client credential assertion; the identifier of the network function set to which the intended recipient network function entity of the second client credential assertion belongs; the network identifier of the network in which the intended recipient network function entity of the second client credential assertion is located; the type of the intended recipient network function entity of the second client credential assertion; the first client credential assertion, or a hash value of the first client credential assertion; the data of a first service request, or a hash value of the data of the first service request, the first service request being the service request that carries the first client credential assertion; the identifier of the originating network function entity of the second client credential assertion; the identifier of the network function set to which the originating network function entity of the second client credential assertion belongs; or the network identifier of the network in which the originating network function entity of the second client credential assertion is located. On the basis of this solution, the sending network function entity (corresponding to the second network function entity above) can verify in the reverse direction whether the identity of the receiving network function entity (corresponding to the first network function entity above) is correct.
With reference to the first aspect, in a possible implementation, the first client credential assertion is contained in a second service request, and the data of the second service request is contained in the first client credential assertion; the method further includes: the first network function entity verifying the correctness of the data of the second service request. On the basis of this solution, the client credential assertion can be enhanced, making its design more flexible and varied.
In a second aspect, a communication method is provided. The communication apparatus that performs the method may be a second network function entity, or a module applied in the second network function entity, such as a chip or a chip system. The following description takes the second network function entity as the executing subject by way of example. The second network function entity obtains a first client credential assertion, the first client credential assertion including the network identifier of the network in which the intended recipient network function entity of the first client credential assertion is located; and the second network function entity sends the first client credential assertion to a first network function entity, where the network identifier of the network in which the intended recipient network function entity of the first client credential assertion is located is used to verify whether it is the same as the network identifier of a first network, the first network function entity belongs to the first network, the second network function entity belongs to a second network, and the first network and the second network are different networks. For the technical effect of the second aspect, reference may be made to the first aspect above, which is not repeated here.
With reference to the second aspect, in a possible design, the method further includes: the second network function entity sending to the first network function entity a first authorization token used by the second network function entity to request a service of the first network function entity, the first authorization token including the network identifier of the second network, which is used to verify whether it is the same as the network identifier in the certificate information of the first client credential assertion.
With reference to the second aspect, in a possible design, the method further includes: the second network function entity sending to the first network function entity the identifier of the network function set to which the intended recipient network function entity of the first client credential assertion belongs, which is used to verify whether it is the same as the identifier of the network function set to which the first network function entity belongs.
With reference to the second aspect, in a possible design, the first client credential assertion further includes the identifier of the network function set to which the intended recipient network function entity of the first client credential assertion belongs, which is used to verify whether it is the same as the identifier of the network function set to which the first network function entity belongs.
With reference to the second aspect, in a possible design, the method further includes: the second network function entity receiving a second client credential assertion from the first network function entity, the second client credential assertion including the network identifier of the network in which the intended recipient network function entity of the second client credential assertion is located; and the second network function entity verifying whether that network identifier is the network identifier of the second network.
With reference to the second aspect, in a possible design, the method further includes: the second network function entity receiving a second client credential assertion from the first network function entity, the second client credential assertion further including at least one of the following parameters: the identifier of the intended recipient network function entity of the second client credential assertion; the identifier of the network function set to which the intended recipient network function entity of the second client credential assertion belongs; the type of the intended recipient network function entity of the second client credential assertion; the first client credential assertion, or a hash value of the first client credential assertion; the data of a first service request, or a hash value of the data of the first service request, the first service request being the service request that carries the first client credential assertion; the identifier of the originating network function entity of the second client credential assertion; the identifier of the network function set to which the originating network function entity of the second client credential assertion belongs; or the network identifier of the network in which the originating network function entity of the second client credential assertion is located.
With reference to the second aspect, in a possible design, the second client credential assertion includes the identifier of the intended recipient network function entity of the second client credential assertion; and the method further includes: the second network function entity verifying whether that identifier is the identifier of the second network function entity.
With reference to the second aspect, in a possible design, the second client credential assertion includes the identifier of the network function set to which the intended recipient network function entity of the second client credential assertion belongs; and the method further includes: the second network function entity verifying whether that identifier is the identifier of the network function set to which the second network function entity belongs.
With reference to the second aspect, in a possible design, the second client credential assertion includes the type of the intended recipient network function entity of the second client credential assertion; and the method further includes: the second network function entity verifying whether that type is the type of the second network function entity.
With reference to the second aspect, in a possible design, the second client credential assertion includes the first client credential assertion, and the method further includes: the second network function entity verifying that the second client credential assertion includes the first client credential assertion; or the second client credential assertion includes a hash value of the first client credential assertion, and the method further includes: the second network function entity verifying that the second client credential assertion includes the hash value of the first client credential assertion.
With reference to the second aspect, in a possible design, the second client credential assertion includes the data of the first service request, and the method further includes: the second network function entity verifying that the second client credential assertion includes the data of the first service request; or the second client credential assertion includes a hash value of the data of the first service request, and the method further includes: the second network function entity verifying that the second client credential assertion includes the hash value of the data of the first service request.
With reference to the second aspect, in a possible design, the second client credential assertion including the identifier of the originating network function entity of the second client credential assertion includes: the signed content of the second client credential assertion including the identifier of the originating network function entity of the second client credential assertion; and the method further includes: the second network function entity verifying whether the identifier of the originating network function entity included in the signed content of the second client credential assertion is the identifier of the network function entity in the certificate information of the second client credential assertion.
With reference to the second aspect, in a possible design, the first client credential assertion is contained in a second service request sent by the second network function entity to the first network function entity; the second service request further includes the network identifier of the network in which the intended recipient network function entity of the first client credential assertion is located; the second client credential assertion includes the identifier of the network function set to which the originating network function entity of the second client credential assertion belongs; and the method further includes: the second network function entity verifying whether the identifier of the network function set to which the originating network function entity of the second client credential assertion belongs is the network identifier, included in the second service request, of the network in which the intended recipient network function entity of the first client credential assertion is located.
With reference to the second aspect, in a possible design, the second client credential assertion including the network identifier of the network in which the originating network function entity of the second client credential assertion is located includes: the signed content of the second client credential assertion including that network identifier; and the method further includes: the second network function entity verifying whether the network identifier of the originating network function entity's network included in the signed content of the second client credential assertion is the network identifier in the certificate information of the second client credential assertion.
On the basis of the second client credential assertion scheme above, the sending network function entity (corresponding to the second network function entity above) can verify in the reverse direction whether the identity of the receiving network function entity (corresponding to the first network function entity above) is correct.
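The following Python model is an added example, not code from the patent, from the applicant, or from any 3GPP specification. It models the receiver-side checks of the first aspect (root certificate, signature, intended recipient network identifier, network function set identifier, originator network identifier against the certificate information, authorization token network identifier, and service request data carried as a hash) and the sender-side reverse verification of the second aspect (the second client credential assertion naming the sender, and carrying hashes of the first assertion and of the request data). The assertion layout, the claim names, the toy "certificate" dictionary, the HMAC that stands in for a certificate-based digital signature, and all network, NF and root identifiers are constructed assumptions; the roaming scenario reuses the page's networks C, A and B to show a leaked assertion being rejected outside its intended network.

```python
import hashlib
import hmac
import json


def _digest(obj):
    """Canonical SHA-256 hex digest of a JSON-serialisable object (constructed helper)."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def _sign(key, signed_content):
    """Toy signature: HMAC-SHA256 stands in for the certificate-based signature (assumption)."""
    body = json.dumps(signed_content, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class NetworkFunction:
    """A network function entity with a toy certificate bound to its network (constructed)."""

    def __init__(self, nf_id, network_id, nf_set, nf_type, issuer):
        self.nf_id, self.network_id = nf_id, network_id
        self.nf_set, self.nf_type = nf_set, nf_type
        self.key = hashlib.sha256(f"secret:{nf_id}".encode()).digest()  # constructed key
        # Certificate information: NF identifier and network identifier under the network's root.
        self.certificate = {"nf_id": nf_id, "network_id": network_id,
                            "issuer": issuer, "key": self.key.hex()}

    def issue_cca(self, recipient_network, **claims):
        """Build an assertion whose signed content names the intended recipient's network."""
        signed = {"originator_nf_id": self.nf_id,
                  "originator_network": self.network_id,
                  "intended_recipient_network": recipient_network, **claims}
        return {"signed_content": signed, "certificate": self.certificate,
                "signature": _sign(self.key, signed)}

    def verify_cca(self, cca, root_certificate, token=None, request_data=None):
        """Receiver-side checks (first aspect). Returns (accepted, reason)."""
        cert, signed = cca["certificate"], cca["signed_content"]
        # Root certificate of the originator's network, delivered with the first message via the SEPP.
        if cert["issuer"] != root_certificate:
            return False, "certificate not issued under the supplied root certificate"
        expected = _sign(bytes.fromhex(cert["key"]), signed)
        if not hmac.compare_digest(expected, cca["signature"]):
            return False, "signature does not verify"
        # Core check: the assertion must name this entity's own network as the intended recipient network.
        if signed["intended_recipient_network"] != self.network_id:
            return False, "intended recipient network is not this network"
        if "intended_recipient_nf_set" in signed and signed["intended_recipient_nf_set"] != self.nf_set:
            return False, "intended recipient NF set mismatch"
        # Originator identifiers in the signed content must match the certificate information.
        if signed["originator_network"] != cert["network_id"]:
            return False, "originator network differs from certificate"
        if signed["originator_nf_id"] != cert["nf_id"]:
            return False, "originator NF identifier differs from certificate"
        # Network identifier in the authorization token must match the certificate information.
        if token is not None and token["network_id"] != cert["network_id"]:
            return False, "authorization token network differs from certificate"
        # Service request data bound into the assertion (as a hash) must match the actual request.
        if request_data is not None and signed.get("request_data_hash") != _digest(request_data):
            return False, "service request data does not match the assertion"
        return True, "ok"

    def verify_second_cca(self, cca2, root_certificate, first_cca, request_data):
        """Sender-side reverse verification of the receiver's second assertion (second aspect)."""
        ok, reason = self.verify_cca(cca2, root_certificate)
        if not ok:
            return ok, reason
        signed = cca2["signed_content"]
        expected = {"intended_recipient_nf_id": self.nf_id,
                    "intended_recipient_nf_set": self.nf_set,
                    "intended_recipient_nf_type": self.nf_type,
                    "first_cca_hash": _digest(first_cca),
                    "request_data_hash": _digest(request_data)}
        for claim, value in expected.items():
            if signed.get(claim) != value:
                return False, f"{claim} mismatch"
        return True, "ok"


def roaming_scenario():
    """Constructed scenario: a cNF in network C calls a pNF in network A, and the same
    assertion is replayed against a pNF in network B. Returns the three verdicts."""
    cnf = NetworkFunction("cnf-1", "network-C", "set-c", "cNF", issuer="root-C")
    pnf_a = NetworkFunction("pnf-a", "network-A", "set-a", "pNF", issuer="root-A")
    pnf_b = NetworkFunction("pnf-b", "network-B", "set-b", "pNF", issuer="root-B")
    request = {"service": "example-service", "subscriber": "subscriber-example"}  # constructed
    token = {"network_id": "network-C", "scope": "example-service"}                # constructed
    cca1 = cnf.issue_cca("network-A", intended_recipient_nf_set="set-a",
                         request_data_hash=_digest(request))
    legit = pnf_a.verify_cca(cca1, "root-C", token, request)   # root-C delivered by the SEPP
    replay = pnf_b.verify_cca(cca1, "root-C", token, request)  # same assertion seen in network B
    cca2 = pnf_a.issue_cca("network-C", intended_recipient_nf_id=cnf.nf_id,
                           intended_recipient_nf_set=cnf.nf_set,
                           intended_recipient_nf_type=cnf.nf_type,
                           first_cca_hash=_digest(cca1), request_data_hash=_digest(request))
    reverse = cnf.verify_second_cca(cca2, "root-A", cca1, request)
    return legit, replay, reverse


if __name__ == "__main__":
    for label, verdict in zip(("legitimate", "replay in network B", "reverse"), roaming_scenario()):
        print(f"{label}: {verdict}")
```

The replay verdict is the point of the first aspect: the assertion is cryptographically valid in network B as well, and only the intended-recipient-network claim, checked against the receiver's own network identifier, causes it to be refused. The reverse verification binds the second assertion to the specific first assertion and request by hash, so a receiver-side assertion cannot be reused to answer a different request.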
第三方面,提供了一种通信方法,执行该通信方法的通信装置可以为第一安全边缘保护代理实体;也可以为应用于第一安全边缘保护代理实体中的模块,例如芯片或芯片系统。下面以执行主体为第一安全边缘保护代理实体为例进行描述。第一安全边缘保护代理实体接收来自第二网络功能实体的第一客户凭证声明,该第一客户凭证声明中包括该第一客户凭证声明的期望接收方网络功能实体所在网络的网络标识;第一安全边缘保护代理实体向第一网络功能实体发送该第一客户凭证声明,其中,该第一客户凭证声明的期望接收方网络功能实体所在网络的网络标识用于验证是否与第一网络的网络标识相同,其中,该第一网络功能实体和该第一安全边缘保护代理实体属于该第一网络,该第二网络功能实体属于该第二网络,该第一网络和该第二网络为不同网络。其中,第三方面的技术效果可参考上述第一方面,在此不再赘述。In a third aspect, a communication method is provided, and a communication device executing the communication method may be a first security edge protection proxy entity; or a module applied in the first security edge protection proxy entity, such as a chip or a chip system. The following description will be given by taking the execution subject as the first security edge protection proxy entity as an example. The first security edge protection proxy entity receives the first client credential statement from the second network function entity, where the first client credential statement includes the network identifier of the network where the network function entity of the expected recipient of the first client credential statement is located; the first The security edge protection proxy entity sends the first client credential statement to the first network function entity, wherein the network identity of the network where the network function entity of the expected recipient of the first client credential statement is located is used to verify whether it is consistent with the network identity of the first network The same, wherein the first network function entity and the first security edge protection proxy entity belong to the first network, the second network function entity belongs to the second network, and the first network and the second network are different networks. For the technical effect of the third aspect, reference may be made to the above-mentioned first aspect, which will not be repeated here.
With reference to the third aspect, in a possible implementation, the first security edge protection proxy entity sending the first client credential assertion to the first network function entity includes: the first security edge protection proxy entity sends a first message to the first network function entity, the first message including the first client credential assertion; the first message further includes a first root certificate, the first root certificate being the root certificate of the second network and being used to verify whether the certificate information of the first client credential assertion is correct. Compared with the prior art, in which the receiver network function entity cannot verify whether the certificate in the client credential assertion is correct in scenarios such as the absence of a cross-certificate between different operators, the embodiments of this application can verify, according to the first root certificate, whether the certificate information of the first client credential assertion is correct, thereby verifying the certificate in the client credential assertion and, in turn, the digital signature of the client credential assertion and the signed content.
With reference to the third aspect, in a possible implementation, the method further includes: the first security edge protection proxy entity receives the first root certificate from a second security edge protection proxy entity, the second security edge protection proxy entity belonging to the second network. Based on this solution, the first security edge protection proxy entity can obtain the first root certificate.
With reference to the third aspect, in a possible implementation, the first client credential assertion includes the network identifier of the second network; before the first security edge protection proxy entity sends the first message to the first network function entity, the method further includes: the first security edge protection proxy entity determines the first root certificate according to the network identifier of the second network and a mapping relationship between the first root certificate and the network identifier of the second network. Based on this solution, the first security edge protection proxy entity can obtain the first root certificate.
With reference to the third aspect, in a possible implementation, the mapping relationship between the first root certificate and the network identifier of the second network is preconfigured in the first security edge protection proxy entity; or, the first root certificate is the root certificate used by the first security edge protection proxy entity to verify the certificate information of the first security edge protection proxy entity when the first security edge protection proxy entity establishes a secure connection with the second security edge protection proxy entity, and the mapping relationship between the first root certificate and the network identifier of the second network is stored in the first security edge protection proxy entity after the first security edge protection proxy entity and the second security edge protection proxy entity establish the secure connection, the second security edge protection proxy entity belonging to the second network.
With reference to the third aspect, in a possible implementation, before the first security edge protection proxy entity sends the first client credential assertion to the first network function entity, the method further includes: the first security edge protection proxy entity successfully verifies the digital signature of the first client credential assertion.
With reference to the third aspect, in a possible implementation, before the first security edge protection proxy entity sends the first client credential assertion to the first network function entity, the method further includes: the first security edge protection proxy entity verifies that the network identifier of the network in which the intended receiver network function entity of the first client credential assertion is located is the network identifier of the first network.
With reference to the third aspect, in a possible implementation, the first client credential assertion includes the network identifier of the network in which the originator network function entity of the first client credential assertion is located; before the first security edge protection proxy entity sends the first client credential assertion to the first network function entity, the method further includes: the first security edge protection proxy entity verifies that the network identifier of the network in which the originator network function entity of the first client credential assertion is located is the same as the remote network identifier in the N32-f context, where the N32-f context is a shared context established when an N32 connection is established between the first security edge protection proxy entity and the second security edge protection proxy entity.
With reference to the third aspect, in a possible implementation, the first client credential assertion includes the network identifier of the network in which the originator network function entity of the first client credential assertion is located; before the first security edge protection proxy entity sends the first client credential assertion to the first network function entity, the method further includes: the first security edge protection proxy entity receives a first authorization token used by the second network function entity to request a service of the first network function entity, the first authorization token including the network identifier of the second network; the first security edge protection proxy entity verifies that the network identifier of the second network in the first authorization token is the network identifier of the network in which the originator network function entity of the first client credential assertion is located.
With reference to the third aspect, in a possible implementation, before the first security edge protection proxy entity sends the first client credential assertion to the first network function entity, the method further includes: the first security edge protection proxy entity verifies that the network identifier of the network in which the originator network function entity of the first client credential assertion is located, as included in the signed content of the first client credential assertion, is the network identifier in the certificate information of the first client credential assertion.
Based on the above solution in which the first security edge protection proxy entity verifies whether the first client credential assertion is correct, the subsequent procedure can be terminated early when the first client credential assertion fails verification, which reduces the signaling interaction steps between network elements and saves system resources.
With reference to the third aspect, in a possible implementation, the method further includes: the first security edge protection proxy entity receives a second client credential assertion from the first network function entity; the first security edge protection proxy entity sends the second client credential assertion to the second network function entity, where the second client credential assertion includes at least one of the following parameters: an identifier of the intended receiver network function entity of the second client credential assertion; an identifier of the network function set to which the intended receiver network function entity of the second client credential assertion belongs; the network identifier of the network in which the intended receiver network function entity of the second client credential assertion is located; the type of the intended receiver network function entity of the second client credential assertion; the first client credential assertion, or a hash value of the first client credential assertion; data of a first service request, or a hash value of the data of the first service request, the first service request being the service request that carries the first client credential assertion; an identifier of the originator network function entity of the second client credential assertion; an identifier of the network function set to which the originator network function entity of the second client credential assertion belongs; or the network identifier of the network in which the originator network function entity of the second client credential assertion is located. Based on this solution, the sender network function entity (corresponding to the above second network function entity) can reversely verify whether the identity of the receiver network function entity (corresponding to the above first network function entity) is correct.
In a fourth aspect, a communication method is provided. The communication apparatus that performs the communication method may be a first network function entity, or a module applied in the first network function entity, such as a chip or a chip system. The following description takes the first network function entity as the executing subject as an example. The first network function entity receives a first client credential assertion and a first root certificate from a second network function entity, the first root certificate being the root certificate of a second network; the first network function entity verifies, according to the first root certificate, whether the certificate information of the first client credential assertion is correct; where the first network function entity belongs to a first network, the second network function entity belongs to the second network, and the first network and the second network are different networks. Compared with the prior art, in which the receiver network function entity cannot verify whether the certificate in the client credential assertion is correct in scenarios such as the absence of a cross-certificate between different operators, the embodiments of this application can verify, according to the first root certificate, whether the certificate information of the first client credential assertion is correct, thereby verifying the certificate in the client credential assertion and, in turn, the digital signature of the client credential assertion and the signed content.
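The receiver-side checks of the third and fourth aspects, written out as an added Go example that is not part of this application nor of any 3GPP implementation: the intended-receiver network identifier is compared with the receiver's own network, the certificate information is verified against the root certificate selected through the network-identifier mapping, the digital signature over the signed content is checked, and the originator network identifier is cross-checked against the N32-f context, the authorization token and the certificate. The network identifiers, the JSON field names, the placement of the network identifier in the certificate's Subject Organization field, and the `must` and `NewNetworkPKI` fixtures are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"errors"
	"math/big"
	"time"
)

// CCA is the signed content of a client credential assertion (field names constructed).
type CCA struct {
	OriginNet string `json:"origin_net"` // network of the originator NF
	TargetNet string `json:"target_net"` // network of the intended receiver NF
}

// SignedCCA: signed content, originator NF certificate (DER) and ECDSA signature.
type SignedCCA struct{ Payload, CertDER, Sig []byte }

type Receiver struct { // the first-network side (NF or SEPP) that checks an incoming CCA
	OwnNet       string                    // network identifier of the first network
	N32RemoteNet string                    // remote network identifier in the N32-f context
	RootByNet    map[string]*x509.CertPool // partner network identifier -> its root certificate
}

// Verify runs the receiver-side checks; tokenNet is the network id in the authorization token.
func (r *Receiver) Verify(s SignedCCA, tokenNet string) error {
	var c CCA
	if err := json.Unmarshal(s.Payload, &c); err != nil {
		return err
	}
	// 1. The assertion must be addressed to this network.
	if c.TargetNet != r.OwnNet {
		return errors.New("intended receiver network is not this network")
	}
	// 2. The certificate must chain to the originator network's root (no cross-certificate).
	roots, ok := r.RootByNet[c.OriginNet]
	if !ok {
		return errors.New("no root certificate known for originator network")
	}
	cert, err := x509.ParseCertificate(s.CertDER)
	if err != nil {
		return err
	}
	if _, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err
	}
	// 3. Only then is the digital signature over the signed content meaningful.
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(s.Payload)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], s.Sig) {
		return errors.New("CCA signature invalid")
	}
	// 4. Originator network must agree with N32-f context, token and certificate (Subject O assumed).
	certNet := ""
	if len(cert.Subject.Organization) > 0 {
		certNet = cert.Subject.Organization[0]
	}
	if c.OriginNet != r.N32RemoteNet || c.OriginNet != tokenNet || c.OriginNet != certNet {
		return errors.New("originator network id mismatch")
	}
	return nil
}

func must[T any](v T, err error) T { // fixture helper: panic on error
	if err != nil {
		panic(err)
	}
	return v
}

// Sign builds a SignedCCA with the originator NF's key and certificate.
func Sign(c CCA, certDER []byte, key *ecdsa.PrivateKey) SignedCCA {
	payload := must(json.Marshal(c))
	digest := sha256.Sum256(payload)
	return SignedCCA{payload, certDER, must(ecdsa.SignASN1(rand.Reader, key, digest[:]))}
}

// NewNetworkPKI builds a root for network net plus one NF certificate under it (constructed fixture).
func NewNetworkPKI(net string) (*x509.CertPool, []byte, *ecdsa.PrivateKey) {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	nfKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	root := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:   pkix.Name{CommonName: "root", Organization: []string{net}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageCertSign}
	rootCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, root, root, &rootKey.PublicKey, rootKey))))
	nf := &x509.Certificate{SerialNumber: big.NewInt(2), KeyUsage: x509.KeyUsageDigitalSignature,
		Subject:   pkix.Name{CommonName: "nf", Organization: []string{net}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	nfDER := must(x509.CreateCertificate(rand.Reader, nf, rootCert, &nfKey.PublicKey, rootKey))
	pool := x509.NewCertPool()
	pool.AddCert(rootCert)
	return pool, nfDER, nfKey
}
```

A CCA addressed to another network, a tampered signed content, a token whose network identifier disagrees with the assertion, or a certificate that does not chain to the stored root each fail one of the four checks, so the procedure can stop before the service request is processed.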
In a fifth aspect, a communication method is provided. The communication apparatus that performs the communication method may be a first network function entity, or a module applied in the first network function entity, such as a chip or a chip system. The following description takes the first network function entity as the executing subject as an example. The first network function entity receives a first client credential assertion from a second network function entity; after the first network function entity successfully verifies the first client credential assertion, it sends a second client credential assertion to the second network function entity, the second client credential assertion including at least one of the following parameters: an identifier of the intended receiver network function entity of the second client credential assertion; an identifier of the network function set to which the intended receiver network function entity of the second client credential assertion belongs; the network identifier of the network in which the intended receiver network function entity of the second client credential assertion is located; the type of the intended receiver network function entity of the second client credential assertion; the first client credential assertion, or a hash value of the first client credential assertion; data of a first service request, or a hash value of the data of the first service request, the first service request being the service request that carries the first client credential assertion; an identifier of the originator network function entity of the second client credential assertion; an identifier of the network function set to which the originator network function entity of the second client credential assertion belongs; or the network identifier of the network in which the originator network function entity of the second client credential assertion is located. Based on this solution, the sender network function entity (corresponding to the above second network function entity) can reversely verify whether the identity of the receiver network function entity (corresponding to the above first network function entity) is correct.
In a sixth aspect, a communication apparatus is provided for implementing the above method. The communication apparatus may be the first network function entity in the first, fourth or fifth aspect, or an apparatus including the first network function entity; or the communication apparatus may be the second network function entity in the second aspect, or an apparatus including the second network function entity; or the communication apparatus may be the first security edge protection proxy entity in the third aspect, or an apparatus including the first security edge protection proxy entity. The communication apparatus includes corresponding modules, units, or means for implementing the above method, and the modules, units, or means may be implemented by hardware, by software, or by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the above functions.
With reference to the sixth aspect, in some possible implementations, the communication apparatus may include a processing module and a transceiver module. The transceiver module, which may also be referred to as a transceiver unit, is configured to implement the sending and/or receiving functions in any of the above aspects and any possible implementation thereof. The transceiver module may consist of a transceiver circuit, a transceiver, or a communication interface. The processing module may be configured to implement the processing functions in any of the above aspects and any possible implementation thereof. The processing module may be, for example, a processor.
With reference to the sixth aspect, in some possible implementations, the transceiver module includes a sending module and a receiving module, which are respectively configured to implement the sending and receiving functions in any of the above aspects and any possible implementation thereof.
In a seventh aspect, a communication apparatus is provided, including a processor, where the processor is configured to be coupled to a memory and, after reading instructions in the memory, to perform the method according to any of the above aspects in accordance with the instructions. The communication apparatus may be the first network function entity in the first, fourth or fifth aspect, or an apparatus including the first network function entity; or the communication apparatus may be the second network function entity in the second aspect, or an apparatus including the second network function entity; or the communication apparatus may be the first security edge protection proxy entity in the third aspect, or an apparatus including the first security edge protection proxy entity.
With reference to the seventh aspect, in a possible implementation, the communication apparatus further includes a memory, the memory being configured to store necessary program instructions and data.
With reference to the seventh aspect, in a possible implementation, the communication apparatus is a chip or a chip system. Optionally, when the communication apparatus is a chip system, it may consist of a chip, or may include a chip and other discrete devices.
In an eighth aspect, a communication apparatus is provided, including a processor and an interface circuit, where the interface circuit is configured to receive a computer program or instructions and transmit them to the processor, and the processor is configured to execute the computer program or instructions so that the communication apparatus performs the method according to any of the above aspects.
In a ninth aspect, a computer-readable storage medium is provided, the computer-readable storage medium storing instructions which, when run on a computer, enable the computer to perform the method according to any of the above aspects.
In a tenth aspect, a computer program product including instructions is provided which, when run on a computer, enables the computer to perform the method according to any of the above aspects.
For the technical effects of any possible implementation of the sixth to tenth aspects, reference may be made to the technical effects of any of the first to sixth aspects above, or of the different designs within any of those aspects, which are not repeated here.
In an eleventh aspect, a communication system is provided, the communication system including the first network function entity and the second network function entity described in the above aspects. Optionally, the communication system includes the first security edge protection proxy entity described in the above aspects.
Description of drawings
FIG. 1 is a schematic structural diagram of a communication system according to an embodiment of this application;
FIG. 2a is a schematic structural diagram of another communication system according to an embodiment of this application;
FIG. 2b is a schematic structural diagram of another communication system according to an embodiment of this application;
FIG. 3a is a schematic diagram of an application, in a 5G network, of the communication system of FIG. 2a according to an embodiment of this application;
FIG. 3b is a schematic diagram of an application, in a 5G network, of the communication system of FIG. 2a according to an embodiment of this application;
FIG. 4 is a schematic structural diagram of a communication apparatus according to an embodiment of this application;
FIG. 5 is a first interaction diagram of a communication method according to an embodiment of this application;
FIG. 6 is a second interaction diagram of a communication method according to an embodiment of this application;
FIG. 7 is a third interaction diagram of a communication method according to an embodiment of this application;
FIG. 8 is a fourth interaction diagram of a communication method according to an embodiment of this application;
FIG. 9 is a fifth interaction diagram of a communication method according to an embodiment of this application;
FIG. 10 is a sixth interaction diagram of a communication method according to an embodiment of this application;
FIG. 11 is a seventh interaction diagram of a communication method according to an embodiment of this application;
FIG. 12 is an eighth interaction diagram of a communication method according to an embodiment of this application;
FIG. 13 is a schematic structural diagram of another communication apparatus according to an embodiment of this application.
Detailed description
The technical solutions in the embodiments of this application are described below with reference to the accompanying drawings of the embodiments of this application. In the description of this application, unless otherwise specified, "/" indicates an "or" relationship between the associated objects; for example, A/B may represent A or B. "And/or" in this application merely describes an association relationship between associated objects and indicates that three relationships may exist; for example, A and/or B may represent the following three cases: A exists alone, both A and B exist, and B exists alone, where A and B may be singular or plural. In the description of this application, unless otherwise specified, "a plurality of" means two or more. "At least one of the following items" or a similar expression refers to any combination of these items, including any combination of a single item or a plurality of items. For example, at least one of a, b, or c may represent a, b, c, a-b, a-c, b-c, or a-b-c, where each of a, b, and c may be singular or plural. In addition, to describe the technical solutions of the embodiments of this application clearly, words such as "first" and "second" are used in the embodiments of this application to distinguish between identical or similar items whose functions and effects are essentially the same. A person skilled in the art can understand that the words "first", "second", and the like do not limit the quantity or the execution order, and that "first", "second", and the like are not necessarily different. Meanwhile, in the embodiments of this application, words such as "exemplary" or "for example" are used to indicate an example, an illustration, or an explanation. Any embodiment or design described as "exemplary" or "for example" in the embodiments of this application should not be construed as being preferred or more advantageous than other embodiments or designs. Rather, the use of words such as "exemplary" or "for example" is intended to present the related concepts in a specific manner to facilitate understanding.
In addition, the network architectures and service scenarios described in the embodiments of this application are intended to explain the technical solutions of the embodiments of this application more clearly and do not constitute a limitation on the technical solutions provided in the embodiments of this application. A person of ordinary skill in the art will know that, as network architectures evolve and new service scenarios emerge, the technical solutions provided in the embodiments of this application are equally applicable to similar technical problems.
FIG. 1 shows a communication system according to an embodiment of this application. The communication system includes a first network function entity 101 and a second network function entity 102. The first network function entity 101 and the second network function entity 102 may communicate directly or through forwarding by other devices, which is not specifically limited in the embodiments of this application.
Exemplarily, as shown in FIG. 2a, the first network function entity 101 and the second network function entity 102 communicate through a service communication proxy (SCP) 103.
Alternatively, exemplarily, as shown in FIG. 2b, in a roaming scenario the first network function entity 101 and the second network function entity 102 communicate through a first security edge protection proxy entity 104 and a second security edge protection proxy entity 105. The first network function entity 101 and the first security edge protection proxy entity 104 belong to a first network, and the second network function entity 102 and the second security edge protection proxy entity 105 belong to a second network. The first network and the second network are networks of different operators. For example, the first network is a China Unicom network and the second network is a China Mobile network; or the first network is a China Mobile network and the second network is a China Telecom network; and so on, which is not specifically limited in the embodiments of this application.
It should be noted that, although not shown, in an indirect communication scenario there may be one or more SCPs between the first network function entity 101 and the first security edge protection proxy entity 104 in FIG. 2b, and one or more SCPs between the second network function entity 102 and the second security edge protection proxy entity 105. This is stated here once and is not repeated below.
Specifically, for the communication method based on the communication system 10 provided in the embodiments of this application, reference may be made to the following method embodiments, which are not described here again.
Optionally, the communication system shown in FIG. 1, FIG. 2a or FIG. 2b may be applied to the 5G network currently under discussion, or to other future networks, which is not specifically limited in the embodiments of this application.
As an example, when the communication system shown in FIG. 1, FIG. 2a or FIG. 2b is applied to the 5G network currently under discussion, the network element or entity corresponding to the first network function entity may be a cNF in the 5G network, the network element or entity corresponding to the second network function entity may be a pNF or an NRF in the 5G network, the network element or entity corresponding to the first security edge protection proxy entity may be a consumer security edge protection proxy (consumer of security edge protection proxy, cSEPP) in the 5G network, and the network element or entity corresponding to the second security edge protection proxy entity may be a producer security edge protection proxy (producer of security edge protection proxy, pSEPP) in the 5G network. Alternatively, when the communication system shown in FIG. 1, FIG. 2a or FIG. 2b is applied to the 5G network currently under discussion, the network element or entity corresponding to the first network function entity may be a pNF or an NRF in the 5G network, the network element or entity corresponding to the second network function entity may be a cNF in the 5G network, the network element or entity corresponding to the first security edge protection proxy entity may be a pSEPP in the 5G network, and the network element or entity corresponding to the second security edge protection proxy entity may be a cSEPP in the 5G network. For example, the application of FIG. 2a to the 5G network may be as shown in FIG. 3a, and the application of FIG. 2b to the 5G network may be as shown in FIG. 3b.
Specifically, the NRF in the embodiments of this application is responsible for controlling network elements. For example, the NRF performs NF registration, discovery and authorization.
Specifically, the NFs in the embodiments of this application include the cNF and the pNF, where the cNF is the service consumer NF and the pNF is the service provider NF: the cNF obtains from the pNF the services that the pNF provides. In the embodiments of this application the cNF may be, for example, the access and mobility management function (core access and mobility management function, AMF) or the session management function (session management function, SMF) of a 5G network. In other scenarios an NF may also be a terminal device, a base station, a controller or a server; this is stated here once and not repeated below.
Specifically, the SCP in the embodiments of this application may also be called a service communication proxy (SeCoP) and is used to forward service communication and to perform proxy verification or authorization. Alternatively, the SCP in the embodiments of this application may also be called a service framework support function (SFSF) that supports at least one of registration, discovery, authorization, forwarding and verification, for example forwarding and verification. There may be one or more SCPs between the cNF and the pNF, or between the cNF and the NRF; this is stated here once and not repeated below.
Specifically, the SEPP in the embodiments of this application is the security network element for roaming between two operator networks and includes the cSEPP and the pSEPP. The cSEPP is the SEPP on the cNF side and the pSEPP is the SEPP on the pNF side. The SEPP performs encapsulation, protection and verification of roaming data; this is stated here once and not repeated below.
Optionally, the first network function entity, the second network function entity, the first security edge protection proxy entity or the second security edge protection proxy entity in the embodiments of this application may also be called a communication apparatus, which may be a general-purpose device or a dedicated device; this is not specifically limited in the embodiments of this application.
Optionally, the functions of the first network function entity, the second network function entity, the first security edge protection proxy entity or the second security edge protection proxy entity in the embodiments of this application may be implemented by one device, jointly by multiple devices, or by one or more functional modules within one device; this is not specifically limited in the embodiments of this application. It can be understood that the above functions may be network elements in hardware devices, software functions running on dedicated hardware, a combination of hardware and software, or virtualized functions instantiated on a platform (for example, a cloud platform).
For example, the functions of the first network function entity, the second network function entity, the first security edge protection proxy entity or the second security edge protection proxy entity in the embodiments of this application may be implemented by the communication apparatus 400 in FIG. 4. FIG. 4 is a schematic structural diagram of a communication apparatus 400 according to an embodiment of this application. The communication apparatus 400 includes one or more processors 401, a communication line 402 and at least one communication interface (FIG. 4 shows, by way of example only, one communication interface 404 and one processor 401), and may optionally also include a memory 403.
The processor 401 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling execution of the programs of the solution of this application.
The communication line 402 may include a path for connecting the different components.
The communication interface 404 may be a transceiver module for communicating with other devices or communication networks, such as Ethernet, a RAN or a wireless local area network (WLAN). For example, the transceiver module may be a device such as a transceiver. Optionally, the communication interface 404 may also be a transceiver circuit located in the processor 401, used to implement signal input and signal output of the processor.
The memory 403 may be a device having a storage function. For example, it may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and the like), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these. The memory may exist independently and be connected to the processor through the communication line 402, or it may be integrated with the processor.
The memory 403 is used to store the computer-executable instructions for carrying out the solution of this application, and the processor 401 controls their execution. The processor 401 executes the computer-executable instructions stored in the memory 403 so as to implement the communication method provided in the embodiments of this application.
Alternatively and optionally, in the embodiments of this application the processor 401 may perform the processing-related functions in the communication methods provided in the embodiments below, while the communication interface 404 is responsible for communication with other devices or communication networks; this is not specifically limited in the embodiments of this application.
Optionally, the computer-executable instructions in the embodiments of this application may also be called application program code; this is not specifically limited in the embodiments of this application.
In a specific implementation, as an embodiment, the processor 401 may include one or more CPUs, for example CPU0 and CPU1 in FIG. 4.
In a specific implementation, as an embodiment, the communication apparatus 400 may include multiple processors, for example the processor 401 and the processor 408 in FIG. 4. Each of these processors may be a single-core processor or a multi-core processor. A processor here may include, but is not limited to, at least one of the following: a central processing unit (CPU), a microprocessor, a digital signal processor (DSP), a microcontroller unit (MCU), an artificial intelligence processor, or another kind of computing device that runs software; each such computing device may include one or more cores for executing software instructions to perform computation or processing.
In a specific implementation, as an embodiment, the communication apparatus 400 may further include an output device 405 and an input device 406. The output device 405 communicates with the processor 401 and can display information in a variety of ways; for example, the output device 405 may be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device or a projector. The input device 406 communicates with the processor 401 and can receive user input in a variety of ways; for example, the input device 406 may be a mouse, a keyboard, a touch screen device or a sensing device.
The communication apparatus 400 described above may sometimes also be called a communication device, and it may be a general-purpose device or a dedicated device. For example, the communication apparatus 400 may be a desktop computer, a portable computer, a network server, a personal digital assistant (PDA), a mobile phone, a tablet computer, a wireless terminal device, an embedded device, one of the terminal devices or network devices mentioned above, or a device with a structure similar to that in FIG. 4. The embodiments of this application do not limit the type of the communication apparatus 400.
The communication method provided by the embodiments of this application is described below with reference to FIG. 1 to FIG. 4.
It should be noted that in the following embodiments the "originator network function entity" is the network function entity that generates a client credential assertion, and the "sender network function entity" is the network function entity that sends a client credential assertion. In some descriptions "originator network function entity" and "sender network function entity" are used interchangeably; this is stated here once and not repeated below.
First, as described in the background, when the existing client credential assertion mechanism is used in a roaming scenario, an attacker may cause network data to be leaked. To solve this problem, with reference to the communication system shown in FIG. 2b, FIG. 5 shows a communication method provided by an embodiment of this application, as follows.
S501. The second network function entity sends a first client credential assertion to the first network function entity. Correspondingly, the first network function entity receives the first client credential assertion from the second network function entity. The first client credential assertion includes the network identifier of the network in which the expected receiver network function entity of the first client credential assertion is located.
In the embodiments of this application, the second network function entity sending the first client credential assertion to the first network function entity means that the second network function entity sends the first client credential assertion to the first network function entity through the second security edge protection proxy entity and the first security edge protection proxy entity.
The first client credential assertion in the embodiments of this application includes the signed content, the digital signature computed over it, and a certificate with which the first client credential assertion can be verified (the certificate may equally be a certificate chain; this is stated here once and not repeated below). The signed content of the first client credential assertion includes the identifier of the originator network function entity of the first client credential assertion (also called the instance ID), the validity period and timestamp, the type of the expected receiver network function entity of the first client credential assertion, and so on. The certificate of the first client credential assertion includes the certificate's digital signature and the signed content of the certificate, and the signed content of the certificate includes information about the originator network function entity of the first client credential assertion, such as its identifier and the network identifier of the network in which it is located. For details, reference may be made to the prior art, which is not repeated here.
In addition, in the embodiments of this application the signed content of the first client credential assertion further includes the network identifier of the network in which the expected receiver network function entity of the first client credential assertion is located.
Optionally, the signed content of the first client credential assertion in the embodiments of this application further includes the network identifier of the network in which the originator network function entity of the first client credential assertion is located, and/or the identifier of the network function set to which the expected receiver network function entity of the first client credential assertion belongs.
Optionally, the first client credential assertion in the embodiments of this application is a client credential assertion that the second network function entity determined using the private key of the second network function entity; or it is a client credential assertion sent by another network function entity (for example, a third network function entity) that an attacker intercepted; this is not specifically limited in the embodiments of this application. In the case where the first client credential assertion was determined by the second network function entity using its own private key, the originator network function entity of the first client credential assertion is the second network function entity of the embodiments of this application; this is stated here once and not repeated below.
Optionally, in the embodiments of this application the expected receiver network function entity of the first client credential assertion is the first network function entity or a network function entity other than the first network function entity; this is not specifically limited in the embodiments of this application.
S502. The first network function entity verifies whether the network identifier of the network in which the expected receiver network function entity of the first client credential assertion is located is the network identifier of the first network.
In the embodiments of this application, after receiving the first client credential assertion the first network function entity may verify it in the existing way of verifying a client credential assertion: it verifies the correctness of the certificate of the first client credential assertion; if the certificate verifies correctly, it determines from that certificate the public key for verifying the digital signature of the first client credential assertion and uses that public key to verify the correctness of the digital signature; and if the digital signature verifies correctly, it verifies the correctness of each parameter in the signed content of the first client credential assertion, for example the validity of the validity period or timestamp and the type of the expected receiver network function entity of the first client credential assertion. For the specific implementation, reference may be made to the prior art, which is not repeated here.
It should be noted that in the embodiments of this application the certificate of the first client credential assertion includes the certificate's digital signature and the signed content of the certificate, so verifying the correctness of the certificate of the first client credential assertion includes verifying the correctness of the certificate's digital signature and the correctness of each parameter in the signed content of the certificate; this is stated here once and not repeated below.
In addition, in the embodiments of this application the first network function entity verifying the correctness of each parameter in the first client credential assertion further includes the first network function entity verifying whether the network identifier of the network in which the expected receiver network function entity of the first client credential assertion is located is the network identifier of the first network. Specifically, if that network identifier is the network identifier of the first network, the first network function entity determines that it is, and the verification passes (or succeeds); if that network identifier is not the network identifier of the first network, the first network function entity determines that it is not, and the verification fails.
Optionally, in the embodiments of this application the first network function entity verifying the correctness of each parameter in the first client credential assertion further includes: in the case where the first client credential assertion also includes the network identifier of the network in which the originator network function entity of the first client credential assertion is located, the first network function entity verifies whether the originator's network identifier in the signed content of the first client credential assertion is the network identifier in the certificate information of the first client credential assertion. If the first network function entity determines that the originator's network identifier in the signed content is the network identifier in the certificate information, the verification is considered passed; otherwise the verification is considered failed.
Optionally, in the embodiments of this application the first network function entity verifying the correctness of each parameter in the first client credential assertion further includes: in the case where the first client credential assertion also includes the identifier of the network function set to which the expected receiver network function entity of the first client credential assertion belongs, the first network function entity verifies whether that identifier is the identifier of the network function set to which the first network function entity belongs. If the first network function entity determines that the identifier of the expected receiver's network function set in the first client credential assertion is the identifier of its own network function set, the verification is considered passed; otherwise the verification is considered failed.
It should be noted that each parameter of the first client credential assertion described in the embodiments of this application may be contained in the signed content of the first client credential assertion and/or in the certificate of the first client credential assertion; this is not specifically limited in the embodiments of this application, is stated here once and is not repeated below.
It should be noted that in some other embodiments the network identifier of the network in which the expected receiver network function entity of the first client credential assertion is located may be included in the first client credential assertion only optionally; this is not specifically limited in the embodiments of this application, is stated here once and is not repeated below.
In the embodiments of this application, if the first network function entity's verification of the first client credential assertion passes, the subsequent procedure may continue, for example the first network function entity provides the service to the second network function entity. If the first network function entity's verification of the first client credential assertion fails, the first network function entity discards the data sent by the second network function entity. Optionally, the first network function entity sends a rejection indication or an error indication to the second network function entity, indicating that verification of the first client credential assertion failed; for the specific implementation, reference may be made to the prior art, which is not repeated here.
In the embodiments of this application, the first client credential assertion that the sender network function entity (corresponding to the second network function entity above) sends to the receiver network function entity (corresponding to the first network function entity above) is bound to the network identifier of the network in which the expected receiver network function entity of the first client credential assertion is located, and that network identifier is used to verify whether it is the same as the network identifier of the network in which the receiver network function entity is located (corresponding to the network identifier of the first network above). The receiver network function entity provides the service to the sender network function entity only if the network identifier of the expected receiver's network carried in the first client credential assertion is the network identifier of the receiver's own network. This rules out the first client credential assertion being used in a network other than the one in which its expected receiver network function entity is located, and so avoids the risk of network data leakage that such reuse in another network would cause, improving the reliability of network data transmission.
The actions of the first network function entity in steps S501 to S502 above may be performed by the processor 401 in the communication apparatus 400 shown in FIG. 4 calling the application program code stored in the memory 403 to instruct the first network function entity; likewise, the actions of the second network function entity, of the first security edge protection proxy entity and of the second security edge protection proxy entity in steps S501 to S502 may each be performed by the processor 401 in the communication apparatus 400 shown in FIG. 4 calling the application program code stored in the memory 403 to instruct that entity. This embodiment places no restriction on this.
Optionally, based on the communication method described in FIG. 5, after the first security edge protection proxy entity receives the first client credential assertion and before it sends the first client credential assertion to the first network function entity, the communication method provided by this embodiment of the present application further includes: the first security edge protection proxy entity verifies the first client credential assertion, and the verification passes.
Specifically, the way in which the first security edge protection proxy entity verifies the first client credential assertion may follow the existing client credential assertion verification procedure: verify the correctness of the certificate of the first client credential assertion; if the certificate verifies correctly, determine from that certificate the public key used to verify the digital signature of the first client credential assertion, and verify the correctness of the digital signature with that public key; if the digital signature verifies correctly, verify the correctness of each parameter in the signed content of the first client credential assertion, for example the validity period or timestamp and the type of the expected recipient network function entity of the first client credential assertion. For the specific implementation, refer to the prior art; it is not repeated here.
It should be noted that, in this embodiment of the present application, the certificate of the first client credential assertion includes the digital signature of the certificate and the signed content within the certificate. Verifying the correctness of the certificate of the first client credential assertion therefore includes verifying the correctness of the certificate's digital signature and the correctness of each parameter in the signed content of the certificate. This is explained here once and not repeated below.
In addition, in this embodiment of the present application, the first security edge protection proxy entity's verification of each parameter in the first client credential assertion further includes verifying whether the network identifier of the network in which the expected recipient network function entity of the first client credential assertion is located is the network identifier of the first network. Specifically, if that network identifier is the network identifier of the first network, the first security edge protection proxy entity determines that the expected recipient network function entity of the first client credential assertion is located in the first network, and the verification passes; otherwise, the first security edge protection proxy entity determines that the expected recipient network function entity of the first client credential assertion is not located in the first network, and the verification fails.
Optionally, in this embodiment of the present application, the first security edge protection proxy entity's verification of each parameter in the first client credential assertion further includes: if the first client credential assertion also includes the network identifier of the network in which the initiator network function entity of the first client credential assertion is located, the first security edge protection proxy entity verifies whether that network identifier is the same as the remote network identifier in the N32-f context. If it is the same, the verification passes; otherwise, the verification fails. In this embodiment of the present application, the N32-f context is the shared context established when the N32 connection between the first security edge protection proxy entity and the second security edge protection proxy entity is set up. This is explained here once and not repeated below.
Optionally, in this embodiment of the present application, the first security edge protection proxy entity's verification of each parameter in the first client credential assertion further includes: if the first client credential assertion also includes the network identifier of the network in which the initiator network function entity of the first client credential assertion is located, the first security edge protection proxy entity verifies whether that network identifier, as carried in the signed content of the first client credential assertion, is the network identifier contained in the certificate information of the first client credential assertion. If it is, the verification passes; otherwise, the verification fails.
Optionally, in this embodiment of the present application, the first security edge protection proxy entity's verification of each parameter in the first client credential assertion further includes: if the first client credential assertion also includes the identifier of the network function set to which the expected recipient network function entity of the first client credential assertion belongs, the first security edge protection proxy entity verifies whether that identifier is the identifier of the network function set to which the first network function entity connected to the first security edge protection proxy entity belongs. If it is, the verification passes; otherwise, the verification fails.
In this embodiment of the present application, if the first security edge protection proxy entity's verification of the first client credential assertion passes, the first security edge protection proxy entity sends the first client credential assertion to the first network function entity; if the verification fails, the first security edge protection proxy entity discards the data sent by the second network function entity. Optionally, the first security edge protection proxy entity sends a rejection indication or an error indication to the second network function entity, indicating that verification of the first client credential assertion failed. With this scheme, in which the first security edge protection proxy entity verifies the first client credential assertion, the subsequent procedure can be terminated early when the first client credential assertion cannot be verified, which reduces the signaling interactions between network elements and saves system resources.
On the other hand, the existing client credential assertion mechanism only supports verification of the sender network function entity's identity by the recipient network function entity; it does not support the sender network function entity verifying the recipient network function entity's identity in the reverse direction. If a mechanism for the sender network function entity to verify the identity of the recipient network function entity is introduced, how to design the client credential assertion that the recipient network function entity sends back to the sender network function entity is a problem that urgently needs to be solved. For example, in the existing client credential assertion mechanism the sender network function entity only has the identifier of the network function set to which the expected recipient network function entity of the client credential assertion belongs, and the SCP between the sender network function entity and the recipient network function entity may randomly select, based on that network function set identifier, any recipient network function entity to serve the sender network function entity. The sender network function entity then has no way to determine that the network function entity that issued the client credential assertion it receives back is the same network function entity that received the client credential assertion the sender network function entity originally provided to the recipient network function entity. To solve this problem, in conjunction with the communication system shown in FIG. 2a or FIG. 2b, a communication method provided by an embodiment of the present application is shown in FIG. 6 and described below.
S601. The second network function entity sends a first client credential assertion to the first network function entity. Correspondingly, the first network function entity receives the first client credential assertion from the second network function entity.
The first client credential assertion in this embodiment of the present application may be the client credential assertion of the prior art, or it may be the first client credential assertion of the embodiment shown in FIG. 5; this embodiment of the present application does not specifically limit it.
S602. The first network function entity verifies the first client credential assertion, and the verification passes.
If the first client credential assertion is a prior-art client credential assertion, the way in which the first network function entity verifies it may follow the prior art; if the first client credential assertion is the one of the embodiment shown in FIG. 5, the way in which the first network function entity verifies it may follow step S502 of the embodiment shown in FIG. 5, which is not repeated here.
S603. The first network function entity sends a second client credential assertion to the second network function entity. Correspondingly, the second network function entity receives the second client credential assertion from the first network function entity.
The second client credential assertion in this embodiment of the present application includes the signed content, the computed digital signature, and a certificate with which the second client credential assertion can be verified (the certificate may be replaced by a certificate chain; this is explained here once and not repeated below). The signed content of the second client credential assertion includes the identifier of the initiator network function entity of the second client credential assertion (which may also be called an instance ID), a validity period, a timestamp, and so on. The certificate of the second client credential assertion includes the digital signature of the certificate and the signed content within the certificate; the signed content of the certificate includes information about the initiator network function entity of the second client credential assertion, such as its identifier and the network identifier of the network in which it is located. For details, refer to the prior art; they are not repeated here.
In addition, in this embodiment of the present application, the second client credential assertion is a client credential assertion that the first network function entity generates using the private key of the first network function entity. The signed content of the second client credential assertion further includes the first client credential assertion, or a hash value of the first client credential assertion, or the data of the first service request (such as the data bearer of the first service request, that is, the payload), or a hash value of the data of the first service request, where the first service request is the service request carrying the first client credential assertion.
Optionally, in this embodiment of the present application, the second client credential assertion further includes at least one of the following parameters: the identifier of the expected recipient network function entity of the second client credential assertion; the identifier of the network function set to which the expected recipient network function entity of the second client credential assertion belongs; the type of the expected recipient network function entity of the second client credential assertion; the identifier of the initiator network function entity of the second client credential assertion; the identifier of the network function set to which the initiator network function entity of the second client credential assertion belongs; or the network identifier of the network in which the initiator network function entity of the second client credential assertion is located.
It should be noted that, in some other embodiments, the inclusion in the second client credential assertion of the first client credential assertion, or the hash value of the first client credential assertion, or the data of the first service request (such as the data bearer of the first service request, that is, the payload), or the hash value of the data of the first service request, may be optional; this embodiment of the present application does not specifically limit it. This is explained here once and not repeated below.
It should be noted that, in this embodiment of the present application, the expected recipient network function entity of the second client credential assertion is the second network function entity, and the initiator network function entity of the second client credential assertion is the first network function entity.
S604. The second network function entity verifies the correctness of the second client credential assertion.
In this embodiment of the present application, after receiving the second client credential assertion, the second network function entity may verify it following the existing client credential assertion verification procedure: verify the correctness of the certificate of the second client credential assertion; if the certificate verifies correctly, determine from that certificate the public key used to verify the digital signature of the second client credential assertion, and verify the correctness of the digital signature with that public key; if the digital signature verifies correctly, verify the correctness of each parameter in the signed content of the second client credential assertion, for example the validity period or timestamp and the type of the expected recipient network function entity of the second client credential assertion. For the specific implementation, refer to the prior art; it is not repeated here.
It should be noted that, in this embodiment of the present application, the certificate of the second client credential assertion includes the digital signature of the certificate and the signed content within the certificate. Verifying the correctness of the certificate of the second client credential assertion therefore includes verifying the correctness of the certificate's digital signature and the correctness of each parameter in the signed content of the certificate. This is explained here once and not repeated below.
In addition, in this embodiment of the present application, the second network function entity's verification of each parameter in the second client credential assertion further includes one of the following: the second network function entity verifies whether the first client credential assertion it previously saved is consistent with the first client credential assertion included in the second client credential assertion, and the verification passes if the second client credential assertion includes that first client credential assertion and fails otherwise; or the second network function entity verifies whether the hash value of the previously saved first client credential assertion is consistent with the hash value of the first client credential assertion included in the second client credential assertion, and the verification passes if the second client credential assertion includes that hash value and fails otherwise; or the second network function entity verifies whether the previously saved data of the first service request is consistent with the data of the first service request included in the second client credential assertion, and the verification passes if the second client credential assertion includes that data and fails otherwise; or the second network function entity verifies whether the hash value of the previously saved data of the first service request is consistent with the hash value of the data of the first service request included in the second client credential assertion, and the verification passes if the second client credential assertion includes that hash value and fails otherwise.
Optionally, in this embodiment of the present application, the second network function entity's verification of each parameter in the second client credential assertion further includes: if the second client credential assertion includes the identifier of the expected recipient network function entity of the second client credential assertion, the second network function entity verifies whether that identifier is the identifier of the second network function entity. If it is, the verification passes; otherwise, the verification fails.
Optionally, in this embodiment of the present application, the second network function entity's verification of each parameter in the second client credential assertion further includes: if the second client credential assertion includes the identifier of the network function set to which the expected recipient network function entity of the second client credential assertion belongs, the second network function entity verifies whether that identifier is the identifier of the network function set to which the second network function entity belongs. If it is, the verification passes; otherwise, the verification fails.
Optionally, in this embodiment of the present application, the second network function entity's verification of each parameter in the second client credential assertion further includes: if the second client credential assertion includes the type of the expected recipient network function entity of the second client credential assertion, the second network function entity verifies whether that type is the type of the second network function entity. If it is, the verification passes; otherwise, the verification fails.
Optionally, in this embodiment of the present application, the second network function entity's verification of each parameter in the second client credential assertion further includes: if the second client credential assertion includes the identifier of the initiator network function entity of the second client credential assertion, the second network function entity verifies whether the initiator network function entity identifier carried in the signed content of the second client credential assertion is the network function entity identifier in the certificate information of the second client credential assertion. If it is, the verification passes; otherwise, the verification fails.
Optionally, in this embodiment of the present application, the second network function entity's verification of each parameter in the second client credential assertion further includes: if the first client credential assertion is carried in a second service request sent by the second network function entity to the first network function entity, the second service request also includes the network identifier of the network in which the expected recipient network function entity of the first client credential assertion is located, and the second client credential assertion includes the identifier of the network function set to which the initiator network function entity of the second client credential assertion belongs, then the second network function entity verifies whether that network function set identifier is the network identifier, included in the second service request, of the network in which the expected recipient network function entity of the first client credential assertion is located. If it is, the verification passes; otherwise, the verification fails.
Optionally, in this embodiment of the present application, the second network function entity's verification of each parameter in the second client credential assertion further includes: if the second client credential assertion includes the network identifier of the network in which the initiator network function entity of the second client credential assertion is located, the second network function entity verifies whether that network identifier, as carried in the signed content of the second client credential assertion, is the network identifier in the certificate information of the second client credential assertion. If it is, the verification passes; otherwise, the verification fails.
需要说明的是,图6所示的实施例可以应用于漫游场景(如图2b所述的通信架构)下,也可以应用于非漫游场景(如图2a所述的通信架构)下,本申请实施例对此不做具体限定。在此统一说明,以下不再赘述。It should be noted that the embodiment shown in FIG. 6 can be applied to a roaming scenario (the communication architecture described in The embodiment does not specifically limit this. Here, a unified description is provided, and details are not repeated below.
本申请实施例中,接收方网络功能实体(对应上述第一网络功能实体)验证发送方网络功能实体(对应上述第二网络功能实体)发送的第一客户凭证声明通过之后,向发送方网络功能实体发送的第二客户凭证声明中包括第一客户凭证声明、或者第一客户凭证声明的哈希值、或者第一业务请求的数据,或者第一业务请求的数据的哈希值,第一业务请求为承载第一客户凭证声明的业务请求。由于上述参数均是第一客户凭证声明相关的参数,只有第一客户凭证声明的期望接收方网络功能实体才能获取到,因此,发送方网络功能实体验证第二客户凭证声明通过后,即可反向验证出接收方网络功能实体的身份正确。也就是说,发送方网络功能实体可以确定接收方网络功能实体发送给发送方网络功能实体的客户凭证声明的发送方网络功能实体就是接收到发送方网络功能实体提供给接收方网络功能实体的客户凭证声明的网络功能实体。In the embodiment of the present application, after the receiver network function entity (corresponding to the first network function entity) verifies that the first client credential statement sent by the sender network function entity (corresponding to the second network function entity) passes, the network function entity of the sender (corresponding to the second network function entity) sends The second client credential statement sent by the entity includes the first client credential statement, or the hash value of the first client credential statement, or the data requested by the first service, or the hash value of the data requested by the first service. The request is a service request carrying a first client credential claim. Since the above parameters are all parameters related to the first client credential declaration, only the expected recipient network function entity of the first client credential declaration can obtain it. Therefore, after the sender's network function entity verifies that the second client credential declaration is passed, it can reverse the To verify that the identity of the recipient network function entity is correct. That is, the sender network function entity can determine that the sender network function entity of the client credential statement sent by the receiver network function entity to the sender network function entity is the client that receives the client network function entity that the sender network function entity provides to the receiver network function entity. The network function entity of the credential assertion.
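The reverse verification described above, together with the two optional parameter checks on the second client credential assertion (the originator's network function set identifier against the expected recipient network identifier, and the network identifier in the signed content against the one in the certificate information), is illustrated by the following Go example. It is added here and is not code from the patent or from any 3GPP implementation; the struct fields, the use of SHA-256 for the hash values and the sample network identifiers are assumptions, and verification of the second assertion's signature against the recipient's certificate is assumed to have been done in a separate step before these checks run.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// SentRequest is what the initiator (second network function entity) remembers
// about the first service request it sent: the first CCA, the request data and
// the network identifier of the recipient it addressed (constructed field names).
type SentRequest struct {
	FirstCCA            []byte
	Data                []byte
	ExpectedReceiverNet string
}

// SecondCCA models the claims of the assertion returned by the recipient (first
// network function entity) that matter for the checks in the text.
type SecondCCA struct {
	OriginatorNFSet string // identifier of the NF set the originator belongs to
	OriginatorNet   string // originator network id inside the signed content
	CertNet         string // network id taken from the certificate information
	FirstCCAHash    []byte // sha256 of the first CCA the recipient received
	FirstDataHash   []byte // sha256 of the first service request data
}

func sum(b []byte) []byte { s := sha256.Sum256(b); return s[:] }

// BuildSecondCCA is the recipient side: it binds its assertion to what it received.
func BuildSecondCCA(receivedCCA, receivedData []byte, nfSet, net, certNet string) SecondCCA {
	return SecondCCA{OriginatorNFSet: nfSet, OriginatorNet: net, CertNet: certNet,
		FirstCCAHash: sum(receivedCCA), FirstDataHash: sum(receivedData)}
}

// VerifySecondCCA is the initiator side. The two hash comparisons give the reverse
// authentication of the text: only the entity that actually received the first CCA
// and the first request data can reproduce these values. Constant-time comparison
// avoids leaking how many leading bytes of a guessed hash were right.
func VerifySecondCCA(sent SentRequest, got SecondCCA) error {
	if !hmac.Equal(got.FirstCCAHash, sum(sent.FirstCCA)) {
		return errors.New("second CCA is not bound to the first CCA we sent")
	}
	if !hmac.Equal(got.FirstDataHash, sum(sent.Data)) {
		return errors.New("second CCA is not bound to the first service request data")
	}
	if got.OriginatorNFSet != sent.ExpectedReceiverNet {
		return errors.New("originator NF set does not match the network we addressed")
	}
	if got.OriginatorNet != got.CertNet {
		return errors.New("network id in signed content differs from certificate network id")
	}
	return nil
}
```

An assertion built from a different first CCA (a replay from another exchange) or one whose certificate network identifier disagrees with its signed content is rejected, while the assertion built from exactly what the initiator sent passes.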
The actions of the first network function entity in steps S601 to S604 above may be performed by the processor 401 in the communication apparatus 400 shown in FIG. 4 invoking the application program code stored in the memory 403 to instruct the first network function entity to execute them; the actions of the second network function entity in steps S601 to S604 above may be performed by the processor 401 in the communication apparatus 400 shown in FIG. 4 invoking the application program code stored in the memory 403 to instruct the second network function entity to execute them. This embodiment does not impose any limitation on this.
In another aspect, when the existing client credential assertion mechanism is used in a roaming scenario, the originator network function entity and the recipient network function entity belong to different operator networks. When a recipient network function entity such as a pNF or an NRF cannot verify the correctness of the certificate in the client credential assertion (for example, because there is no cross certificate between the operator of the network in which the originator network function entity is located and the operator of the network in which the recipient network function entity is located), the recipient network function entity also cannot further verify the correctness of the client credential assertion based on the certificate in the client credential assertion. In this scenario, how to verify the correctness of the certificate in the client credential assertion is a problem that urgently needs to be solved. To solve this problem, with reference to the communication system shown in FIG. 2b, FIG. 7 shows a communication method provided by an embodiment of the present application, described as follows.
S701. The second network function entity sends a first client credential assertion to a second security edge protection proxy entity. Correspondingly, the second security edge protection proxy entity receives the first client credential assertion from the second network function entity.
The first client credential assertion in this embodiment of the present application may be as in the prior art, or it may be the first client credential assertion in the embodiment shown in FIG. 5; this is not specifically limited in this embodiment of the present application.
S702. The second security edge protection proxy entity sends the first client credential assertion to a first security edge protection proxy entity. Correspondingly, the first security edge protection proxy entity receives the first client credential assertion from the second security edge protection proxy entity.
Optionally, in this embodiment of the present application, the second security edge protection proxy entity further sends a first root certificate to the first security edge protection proxy entity. Correspondingly, the first security edge protection proxy entity receives the first root certificate from the second security edge protection proxy entity. The first root certificate is the root certificate of the second network. The first root certificate may be preconfigured in the second security edge protection proxy entity.
Optionally, the second security edge protection proxy entity sends the first root certificate to the first security edge protection proxy entity if and only if the second security edge protection proxy entity has received the first client credential assertion.
S703. The first security edge protection proxy entity sends a first message to the first network function entity. Correspondingly, the first network function entity receives the first message from the first security edge protection proxy entity. The first message includes the first client credential assertion and the first root certificate.
Optionally, similar to the implementation described in FIG. 5, in this embodiment of the present application the first security edge protection proxy entity sends the first message to the first network function entity after successfully verifying the first client credential assertion; this is not specifically limited in this embodiment of the present application.
Optionally, the first client credential assertion and the first root certificate are included in a message header of the first message.
In one possible implementation, the first root certificate in the first message comes from the second security edge protection proxy entity.
In another possible implementation, in this embodiment of the present application, before the first security edge protection proxy entity sends the first message to the first network function entity, the method further includes: the first security edge protection proxy entity determining the first root certificate according to the network identifier of the second network and a mapping relationship between the first root certificate and the network identifier of the second network. The network identifier of the second network may be obtained by the first security edge protection proxy entity from the signed content of the first client credential assertion, or the network identifier of the second network may be obtained by the first security edge protection proxy entity from the certificate of the first client credential assertion; alternatively, the network identifier of the second network may be obtained by the first security edge protection proxy entity in other ways, which is not specifically limited in this embodiment of the present application.
For the above implementation, optionally, the mapping relationship between the first root certificate and the network identifier of the second network is preconfigured in the first security edge protection proxy entity. Alternatively, the first root certificate is the root certificate that the first security edge protection proxy entity uses to verify the certificate information of the first security edge protection proxy entity when the first security edge protection proxy entity establishes a secure connection with the second security edge protection proxy entity, and the mapping relationship between the first root certificate and the network identifier of the second network is stored in the first security edge protection proxy entity after the first security edge protection proxy entity establishes the secure connection with the second security edge protection proxy entity.
S704. The first network function entity verifies, according to the first root certificate, whether the certificate of the first client credential assertion is correct.
In this embodiment of the present application, the first network function entity verifying, according to the first root certificate, whether the certificate information of the first client credential assertion is correct may be understood as the first network function entity verifying, according to the first root certificate, whether the digital signature of the certificate of the first client credential assertion is correct. This is stated here once and is not repeated below.
Compared with the prior-art solution, in which the recipient network function entity cannot verify whether the certificate in the client credential assertion is correct in scenarios such as there being no cross certificate between different operators, this embodiment of the present application can verify, according to the first root certificate, whether the certificate information of the first client credential assertion is correct, thereby achieving verification of the certificate in the client credential assertion and, in turn, verification of the digital signature and the signed content of the client credential assertion. Where the first client credential assertion is a prior-art client credential assertion, the manner in which the first network function entity verifies the digital signature and the signed content of the first client credential assertion according to the certificate of the first client credential assertion may refer to the prior art; where the first client credential assertion is the first client credential assertion in the embodiment shown in FIG. 5, the manner in which the first network function entity verifies the digital signature and the signed content of the first client credential assertion according to the certificate of the first client credential assertion may refer to step S502 of the embodiment shown in FIG. 5, which is not repeated here.
Further, in this embodiment of the present application, after the first network function entity has successfully verified the first client credential assertion, it may further send a second client credential assertion to the second network function entity. Correspondingly, the second network function entity receives the second client credential assertion from the first network function entity and verifies the correctness of the second client credential assertion. For the related implementation and technical effects, refer to the embodiment described in FIG. 6, which is not repeated here.
The actions of the first network function entity in steps S701 to S704 above may be performed by the processor 401 in the communication apparatus 400 shown in FIG. 4 invoking the application program code stored in the memory 403 to instruct the first network function entity to execute them; the actions of the second network function entity in steps S701 to S704 above may be performed by the processor 401 in the communication apparatus 400 shown in FIG. 4 invoking the application program code stored in the memory 403 to instruct the second network function entity to execute them; the actions of the first security edge protection proxy entity in steps S701 to S704 above may be performed by the processor 401 in the communication apparatus 400 shown in FIG. 4 invoking the application program code stored in the memory 403 to instruct the first security edge protection proxy entity to execute them; the actions of the second security edge protection proxy entity in steps S701 to S704 above may be performed by the processor 401 in the communication apparatus 400 shown in FIG. 4 invoking the application program code stored in the memory 403 to instruct the second security edge protection proxy entity to execute them. This embodiment does not impose any limitation on this.
Optionally, in the embodiments shown in FIG. 5 to FIG. 7, the communication method provided by the embodiments of the present application may further include: the first network function entity sending to the second network function entity a first authorization token that the second network function entity uses to request a service of the first network function entity, where the first authorization token includes the network identifier of the second network. Correspondingly, the second network function entity receives the first authorization token from the first network function entity and verifies whether the network identifier of the second network in the first authorization token is the network identifier in the certificate information of the first client credential assertion. Of course, if the first security edge protection proxy entity verifies the first client credential assertion, the first security edge protection proxy entity may verify whether the network identifier of the second network in the first authorization token is the network identifier in the certificate information of the first client credential assertion; this is not specifically limited in this embodiment of the present application.
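The root-certificate handling of steps S703 to S704 (selecting the second network's root by its network identifier and verifying the assertion's certificate against it) and the authorization-token check just described are illustrated by the following Go example. It is added here and is not code from the patent or from any operator's SEPP; it generates its own root CA and NF certificate for a constructed "second network", keeps a pSEPP-style mapping from network identifier to root certificate, and uses Go's standard X.509 chain verification. It assumes that the network identifier carried in the certificate information is the 5GC domain suffix of the certificate's SAN FQDN (in the mnc/mcc form used for 3GPP NF names), which the patent does not specify.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Network is one operator network with its own root CA (certificates are generated
// here for the example; a real SEPP loads operator roots from configuration).
type Network struct {
	ID      string // network identifier; assumed to be the 5GC domain suffix of NF FQDNs
	Root    *x509.Certificate
	rootKey *ecdsa.PrivateKey
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a P-256 key pair and a certificate for it from tmpl, signed by
// parent with signerKey; a nil signerKey means the certificate is self-signed.
func issue(tmpl, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if signerKey == nil {
		signerKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// NewNetwork creates a self-signed root certificate for the given network identifier.
func NewNetwork(id string) *Network {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "root." + id},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root, key := issue(tmpl, tmpl, nil)
	return &Network{ID: id, Root: root, rootKey: key}
}

// IssueNFCert issues the certificate an NF of this network presents in its CCA.
func (n *Network) IssueNFCert(nfLabel string) *x509.Certificate {
	fqdn := nfLabel + "." + n.ID
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: fqdn},
		DNSNames: []string{fqdn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	cert, _ := issue(tmpl, n.Root, n.rootKey)
	return cert
}

// NetworkIDFromCert reads the network identifier out of the certificate information:
// assumed here to be the first SAN FQDN with its host label removed.
func NetworkIDFromCert(c *x509.Certificate) (string, error) {
	if len(c.DNSNames) == 0 {
		return "", fmt.Errorf("certificate carries no SAN FQDN")
	}
	if i := strings.IndexByte(c.DNSNames[0], '.'); i > 0 {
		return c.DNSNames[0][i+1:], nil
	}
	return "", fmt.Errorf("SAN FQDN %q has no network suffix", c.DNSNames[0])
}

// RootStore is the pSEPP's mapping from network identifier to root certificate.
type RootStore map[string]*x509.CertPool

func (s RootStore) Add(n *Network) {
	pool := x509.NewCertPool()
	pool.AddCert(n.Root)
	s[n.ID] = pool
}

// VerifyCCACertificate checks the authorization token's network identifier against
// the certificate's, selects the root for that network, and verifies the certificate
// chain against it (step S704). An unknown network or a foreign root fails closed.
func VerifyCCACertificate(s RootStore, leaf *x509.Certificate, tokenNet string) error {
	certNet, err := NetworkIDFromCert(leaf)
	if err != nil {
		return err
	}
	if tokenNet != certNet {
		return fmt.Errorf("token network %q does not match certificate network %q", tokenNet, certNet)
	}
	roots, ok := s[certNet]
	if !ok {
		return fmt.Errorf("no root certificate configured for network %q", certNet)
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

Once the certificate verifies against the root chosen for its network, the assertion's digital signature and signed content can be checked with the certificate's public key as in step S502; keying the root store by network identifier is what removes the need for a cross certificate between the two operators.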
In another aspect, in the existing client credential assertion mechanism there is no client credential assertion integrity protection of the data (payload) or other parts of the service request. Client credential assertion integrity protection of the payload or other parts of the service request may be called an enhanced client credential assertion mechanism. If client credential assertion integrity protection of the payload or other parts of the service request is introduced into client credential assertions in the future, the originator network function entity needs to know whether to use the enhanced client credential assertion mechanism. At the same time, if the originator network function entity uses the enhanced client credential assertion mechanism, it needs to determine whether the recipient network function entity supports verification of the enhanced client credential assertion; otherwise, the verification will fail. To solve this problem, in this embodiment of the present application, the originator network function entity may determine the client credential assertion according to pre-obtained or preconfigured indication information indicating whether the recipient network function entity supports the enhanced client credential assertion mechanism. For example, if the indication information indicating whether the recipient network function entity supports the enhanced client credential assertion mechanism indicates that the recipient network function entity supports it, the originator network function entity may generate an enhanced client credential assertion; otherwise, the originator network function entity generates a non-enhanced client credential assertion, that is, as in the existing client credential assertion mechanism, without client credential assertion integrity protection of the payload or other parts of the service request. Further, in this embodiment of the present application, if the originator network function entity has sent an enhanced client credential assertion to the recipient network function entity, the recipient network function entity, after receiving the client credential assertion from the sender network function entity, may verify the enhanced client credential assertion. The manner in which the recipient network function entity verifies the enhanced client credential assertion is similar to the manner of verifying a client credential assertion provided by the embodiments of the present application; the difference is, for example, that this embodiment additionally verifies the payload or other parts of the service request included in the client credential assertion, which is not repeated here.
Optionally, in this embodiment of the present application, the recipient network function entity may determine that a received client credential assertion is an enhanced client credential assertion according to indication information, in the received service request, indicating that the client credential assertion is an enhanced client credential assertion.
Optionally, in this embodiment of the present application, the recipient network function entity may determine, according to a received encrypted IE parameter indicating which information elements (information elements, IEs) have been introduced into the calculation of the enhanced client credential assertion, the IE parameters newly introduced into the calculation of the client credential assertion, such as the payload or other parts of the service request.
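The enhanced client credential assertion of this section, with the recipient-capability decision on the originator side and the covered-IE list on the recipient side, is shown in the following Go example. It is added here and is not code from the patent or from any 3GPP implementation. The originator includes in the signed content a list of covered IE names (standing in for the "encrypted IE parameter" of the text) and a digest over those IEs and the payload, but only when the recipient is indicated to support the enhanced mechanism; the recipient recomputes the digest over exactly the IEs the assertion lists. The claim names, the JSON encoding of the signed content, the use of a raw ECDSA P-256 signature in place of a certificate-backed JWS, the length-delimited hashing layout and the sample request are all assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"sort"
)

// ServiceRequest is a simplified service request: named header IEs plus the payload.
type ServiceRequest struct {
	IEs     map[string]string
	Payload []byte
}

// CCAClaims is the signed content. CoveredIEs plays the role of the "encrypted IE
// parameter": it tells the recipient which IEs entered the digest; the reserved
// name "payload" means the request body is covered as well.
type CCAClaims struct {
	Sub        string   `json:"sub"`
	Aud        string   `json:"aud"`
	Enhanced   bool     `json:"enhanced"`
	CoveredIEs []string `json:"covered_ies,omitempty"`
	Digest     []byte   `json:"digest,omitempty"`
}

// CCA is the assertion as transported: claims plus an ECDSA signature over their JSON.
type CCA struct {
	Claims    CCAClaims
	Signature []byte
}

// NewSigner returns a fresh P-256 key standing in for the NF's certificate key.
func NewSigner() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// coveredDigest hashes the listed IEs in the given order. Name and value are each
// NUL-terminated so that "a"+"bc" and "ab"+"c" cannot hash to the same digest.
func coveredDigest(req ServiceRequest, covered []string) ([]byte, error) {
	h := sha256.New()
	for _, name := range covered {
		value, ok := req.IEs[name]
		if name == "payload" {
			value, ok = string(req.Payload), true
		}
		if !ok {
			return nil, errors.New("covered IE missing from request: " + name)
		}
		h.Write([]byte(name + "\x00" + value + "\x00"))
	}
	return h.Sum(nil), nil
}

func claimsHash(c CCAClaims) []byte {
	b, _ := json.Marshal(c) // struct field order is fixed, so the encoding is deterministic
	sum := sha256.Sum256(b)
	return sum[:]
}

// IssueCCA builds an enhanced CCA only when the recipient is indicated to support
// it; otherwise it issues a legacy CCA with no payload binding, as the text describes.
func IssueCCA(key *ecdsa.PrivateKey, req ServiceRequest, sub, aud string, recipientSupportsEnhanced bool) (CCA, error) {
	claims := CCAClaims{Sub: sub, Aud: aud}
	if recipientSupportsEnhanced {
		covered := []string{"payload"}
		for name := range req.IEs {
			covered = append(covered, name)
		}
		sort.Strings(covered)
		d, err := coveredDigest(req, covered)
		if err != nil {
			return CCA{}, err
		}
		claims.Enhanced, claims.CoveredIEs, claims.Digest = true, covered, d
	}
	sig, err := ecdsa.SignASN1(rand.Reader, key, claimsHash(claims))
	if err != nil {
		return CCA{}, err
	}
	return CCA{Claims: claims, Signature: sig}, nil
}

// VerifyCCA checks the signature and then, for an enhanced CCA, recomputes the digest
// over the IEs the assertion says it covers and compares it with the signed digest.
func VerifyCCA(pub *ecdsa.PublicKey, cca CCA, req ServiceRequest) error {
	if !ecdsa.VerifyASN1(pub, claimsHash(cca.Claims), cca.Signature) {
		return errors.New("CCA signature invalid")
	}
	if !cca.Claims.Enhanced {
		return nil // legacy CCA: nothing binds the payload
	}
	d, err := coveredDigest(req, cca.Claims.CoveredIEs)
	if err != nil {
		return err
	}
	if !hmac.Equal(d, cca.Claims.Digest) {
		return errors.New("covered IEs or payload were modified after the CCA was issued")
	}
	return nil
}
```

Because the covered-IE list is itself inside the signed content, an intermediary can neither alter a covered IE nor shorten the list to hide the alteration; a legacy assertion issued for a recipient without enhanced support still verifies, but, as the text notes, it offers no integrity protection of the payload.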
The following uses, as an example, the communication system described in FIG. 2a applied to the 5G network described in FIG. 3a, or the communication system described in FIG. 2b applied to the 5G network described in FIG. 3b, in which the second network function entity is a cNF, the second security edge protection proxy entity is a cSEPP, the first network function entity is a pNF (which may also be replaced by an NRF), and the first security edge protection proxy entity is a pSEPP, to describe the communication methods of the aspects above by way of example.
It should be noted that the names of the messages between network elements and the names of the parameters in the messages in the following embodiments of the present application are only examples; other names may also be used in specific implementations, which is not specifically limited in the embodiments of the present application.
With reference to the communication method described in FIG. 5, and taking the communication system described in FIG. 2b applied to the 5G network described in FIG. 3b as an example, FIG. 8 shows a communication method provided by an embodiment of the present application, which includes the following steps:
S801. The cNF obtains a first client credential assertion.
For the related description of the first client credential assertion, refer to step S501 of the embodiment shown in FIG. 5, which is not repeated here.
S802. The cNF sends service request 1 to the cSEPP. Correspondingly, the cSEPP receives service request 1 from the cNF.
Service request 1 includes the first client credential assertion.
S803. The cSEPP sends service request 2 to the pSEPP. Correspondingly, the pSEPP receives service request 2 from the cSEPP.
Service request 2 includes the first client credential assertion.
S804. The pSEPP verifies whether the first client credential assertion is correct.
For the manner in which the pSEPP verifies whether the first client credential assertion is correct, refer to the manner in which the first security edge protection proxy entity verifies whether the first client credential assertion is correct in the method embodiments above, which is not repeated here.
S805. After successfully verifying the first client credential assertion, the pSEPP sends service request 3 to the pNF. Correspondingly, the pNF receives service request 3 from the pSEPP.
Service request 3 includes the first client credential assertion.
Optionally, in this embodiment of the present application, if the pSEPP fails to verify the first client credential assertion, the pSEPP discards the data sent by the cNF. Optionally, the pSEPP sends a rejection indication or an error indication to the cNF through the cSEPP, where the rejection indication or error indication indicates that verification of the first client credential assertion has failed. When the pSEPP fails to verify the first client credential assertion, the subsequent procedure ends, which reduces the signalling interaction steps between network elements and saves system resources.
It should be noted that the action of verifying the first client credential assertion in step S804 of this embodiment of the present application is optional. This is stated here once and is not repeated below.
S806. The pNF verifies whether the first client credential assertion is correct.
For the manner in which the pNF verifies whether the first client credential assertion is correct, refer to step S502 of the embodiment shown in FIG. 5, which is not repeated here.
S807. After successfully verifying the first client credential assertion, the pNF sends a service response to the cNF through the pSEPP and the cSEPP. Correspondingly, the cNF receives the service response from the pNF.
Optionally, service request 1, service request 2 and service request 3 in this embodiment of the present application may further include a first authorization token used by the cNF to request a service of the pNF. Accordingly, the pSEPP verifying whether the first client credential assertion is correct includes: the pSEPP verifying whether the network identifier of the second network in the first authorization token is the network identifier in the certificate information of the first client credential assertion. The pNF verifying whether the first client credential assertion is correct includes: the pNF verifying whether the network identifier of the second network in the first authorization token is the network identifier in the certificate information of the first client credential assertion.
It should be noted that service request 1, service request 2 and service request 3 in this embodiment of the present application may be service requests containing the same parameters and/or data, or service requests containing different parameters and/or data; this is not specifically limited in this embodiment of the present application.
For the technical effects of the embodiment shown in FIG. 8, refer to the technical effects of the embodiment shown in FIG. 5, which are not repeated here.
The actions of the pNF in steps S801 to S807 above may be performed by the processor 401 in the communication apparatus 400 shown in FIG. 4 invoking the application program code stored in the memory 403 to instruct the pNF to execute them; the actions of the cNF in steps S801 to S807 above may be performed by the processor 401 in the communication apparatus 400 shown in FIG. 4 invoking the application program code stored in the memory 403 to instruct the cNF to execute them; the actions of the pSEPP in steps S801 to S807 above may be performed by the processor 401 in the communication apparatus 400 shown in FIG. 4 invoking the application program code stored in the memory 403 to instruct the pSEPP to execute them; the actions of the cSEPP in steps S801 to S807 above may be performed by the processor 401 in the communication apparatus 400 shown in FIG. 4 invoking the application program code stored in the memory 403 to instruct the cSEPP to execute them. This embodiment does not impose any limitation on this.
With reference to the communication method described in FIG. 6, and taking the communication system described in FIG. 2a applied to the 5G network described in FIG. 3a as an example, FIG. 9 shows a communication method provided by an embodiment of the present application, which includes the following steps:
S901. The cNF obtains a first client credential assertion.
For the related description of the first client credential assertion, refer to step S601 of the embodiment shown in FIG. 6, which is not repeated here.
S902. The cNF sends service request 1 to the SCP. Correspondingly, the SCP receives service request 1 from the cNF.
Service request 1 includes the first client credential assertion.
S903. The SCP sends service request 2 to the pNF. Correspondingly, the pNF receives service request 2 from the SCP.
Service request 2 includes the first client credential assertion.
S904. The pNF verifies whether the first client credential assertion is correct.
For the manner in which the pNF verifies whether the first client credential assertion is correct, refer to step S602 of the embodiment shown in FIG. 6, which is not repeated here.
S905. After successfully verifying the first client credential assertion, the pNF sends service request 3 to the SCP. Correspondingly, the SCP receives service request 3 from the pNF.
Service request 3 includes a second client credential assertion.
For the related description of the second client credential assertion, refer to step S603 of the embodiment shown in FIG. 6, which is not repeated here.
S906. The SCP sends service request 4 to the cNF. Correspondingly, the cNF receives service request 4 from the SCP.
Service request 4 includes the second client credential assertion.
S907. The cNF verifies whether the second client credential assertion is correct.
For the manner in which the cNF verifies whether the second client credential assertion is correct, refer to step S604 of the embodiment shown in FIG. 6, which is not repeated here.
In this embodiment of the present application, if the cNF successfully verifies the second client credential assertion, the subsequent procedure continues; otherwise, optionally, the cNF sends a rejection indication or an error indication to the pNF through the cSEPP and the pSEPP, where the rejection indication or error indication indicates that verification of the second client credential assertion has failed.
Optionally, service request 1 and service request 2 in this embodiment of the present application may further include a first authorization token used by the cNF to request a service of the pNF. Accordingly, the pNF verifying whether the first client credential assertion is correct includes: the pNF verifying whether the network identifier of the second network in the first authorization token is the network identifier in the certificate information of the first client credential assertion.
It should be noted that service request 1 and service request 2 in this embodiment of the present application may be service requests containing the same parameters and/or data, or service requests containing different parameters and/or data; service request 3 and service request 4 in this embodiment of the present application may be service requests containing the same parameters and/or data, or service requests containing different parameters and/or data. This is not specifically limited in this embodiment of the present application.
For the technical effects of the embodiment shown in FIG. 9, refer to the technical effects of the embodiment shown in FIG. 6, which are not repeated here.
The actions of the pNF in steps S901 to S907 above may be performed by the processor 401 in the communication apparatus 400 shown in FIG. 4 invoking the application program code stored in the memory 403 to instruct the pNF to execute them; the actions of the cNF in steps S901 to S907 above may be performed by the processor 401 in the communication apparatus 400 shown in FIG. 4 invoking the application program code stored in the memory 403 to instruct the cNF to execute them. This embodiment does not impose any limitation on this.
With reference to the communication method shown in FIG. 7, and taking as an example the communication system of FIG. 2b applied to the 5G network of FIG. 3b, FIG. 10 shows a communication method provided by an embodiment of this application, which includes the following steps:
S1001. The cNF obtains the first client credential assertion.
For a description of the first client credential assertion, refer to step S701 of the embodiment shown in FIG. 7; it is not repeated here.
S1002. The cNF sends service request 1 to the cSEPP. Correspondingly, the cSEPP receives service request 1 from the cNF.
Service request 1 includes the first client credential assertion.
S1003. The cSEPP sends service request 2 to the pSEPP. Correspondingly, the pSEPP receives service request 2 from the cSEPP.
Service request 2 includes the first client credential assertion.
Optionally, service request 2 further includes the first root certificate; for a description of the first root certificate, refer to the embodiment shown in FIG. 7, which is not repeated here.
Alternatively, the first root certificate may not be carried in service request 2; instead, the cSEPP sends service request 2 and the first root certificate to the pSEPP separately. This embodiment does not specifically limit this.
S1004. The pSEPP sends service request 3 to the pNF. Correspondingly, the pNF receives service request 3 from the pSEPP.
Service request 3 includes the first client credential assertion and the first root certificate. The way the pSEPP obtains the first root certificate is as in step S703 of the embodiment shown in FIG. 7 and is not repeated here.
Note that service request 3 in this embodiment is only one possible implementation of the first message in the embodiment shown in FIG. 7. Alternatively, the first root certificate may not be carried in service request 3; instead, the pSEPP sends the pNF a first message that includes service request 3 and the first root certificate. This embodiment does not specifically limit this.
S1005. The pNF verifies whether the first client credential assertion is correct.
The way the pNF verifies the first client credential assertion is as described in step S704 of the embodiment shown in FIG. 7 and is not repeated here.
S1006. Once the first client credential assertion has passed verification, the pNF sends a service response to the cNF via the pSEPP and the cSEPP. Correspondingly, the cNF receives the service response from the pNF.
Optionally, service request 1, service request 2 and service request 3 in this embodiment may further include a first authorization token that the cNF uses to request the pNF's service. In that case, the pSEPP's verification of the first client credential assertion includes: the pSEPP verifying whether the network identifier of the second network carried in the first authorization token is the network identifier contained in the certificate information of the first client credential assertion. Likewise, the pNF's verification of the first client credential assertion includes: the pNF verifying whether the network identifier of the second network carried in the first authorization token is the network identifier contained in the certificate information of the first client credential assertion.
Note that service request 1, service request 2 and service request 3 in this embodiment may carry the same parameters and/or data or different parameters and/or data. This embodiment does not specifically limit this.
For the technical effect of the embodiment shown in FIG. 10, refer to the technical effect of the embodiment shown in FIG. 7; it is not repeated here.
The actions of the pNF, the cNF, the pSEPP and the cSEPP in steps S1001 to S1006 may each be performed by the processor 401 of the communication apparatus 400 shown in FIG. 4 invoking application code stored in the memory 403 to instruct the respective entity (pNF, cNF, pSEPP or cSEPP). This embodiment imposes no restriction on this.
With reference to the communication method shown in FIG. 5, FIG. 6 or FIG. 7, and taking as an example the communication system of FIG. 2b applied to the 5G network of FIG. 3b, FIG. 11 shows a communication method provided by an embodiment of this application, which includes the following steps:
S1101. The cNF obtains the first client credential assertion.
S1102. The cNF sends service request 1 to the cSEPP. Correspondingly, the cSEPP receives service request 1 from the cNF.
S1103. The cSEPP sends service request 2 to the pSEPP. Correspondingly, the pSEPP receives service request 2 from the cSEPP.
For the specific implementation of steps S1101 to S1103, refer to steps S1001 to S1003 of the embodiment shown in FIG. 10; they are not repeated here.
S1104. The pSEPP verifies whether the first client credential assertion is correct.
The way the pSEPP verifies the first client credential assertion is the way the first security edge protection proxy entity verifies the first client credential assertion in the method embodiments above, and is not repeated here. Optionally, the pSEPP verifies the certificate in the first client credential assertion against the first root certificate; this embodiment does not specifically limit this. The way the pSEPP obtains the first root certificate is as in step S702 of the embodiment shown in FIG. 7 and is not repeated here.
S1105. Once the first client credential assertion has passed verification, the pSEPP sends service request 3 to the pNF. Correspondingly, the pNF receives service request 3 from the pSEPP.
Service request 3 includes the first client credential assertion. Optionally, service request 3 includes the first root certificate.
Note that service request 3 in this embodiment is only one possible implementation of the first message in the embodiment shown in FIG. 7. Alternatively, the first root certificate may not be carried in service request 3; instead, the pSEPP sends the pNF a first message that includes service request 3 and the first root certificate. This embodiment does not specifically limit this.
Optionally, in this embodiment, if the pSEPP fails to verify the first client credential assertion, the pSEPP discards the data sent by the cNF. Optionally, the pSEPP sends a rejection indication or an error indication to the cNF via the cSEPP, indicating that verification of the first client credential assertion failed. When the pSEPP's verification of the first client credential assertion fails, the procedure ends there, which reduces the signalling exchanged between network elements and saves system resources.
Note that the verification of the first client credential assertion in step S1104 is optional in this embodiment. This is stated once here and not repeated below.
S1106. The pNF verifies whether the first client credential assertion is correct.
The way the pNF verifies the first client credential assertion is the same as in step S602 of the embodiment shown in FIG. 6 or step S704 of the embodiment shown in FIG. 7 and is not repeated here.
S1107. Once the first client credential assertion has passed verification, the pNF sends service request 4 to the pSEPP. Correspondingly, the pSEPP receives service request 4 from the pNF.
Service request 4 includes the second client credential assertion. For a description of the second client credential assertion, refer to step S603 of the embodiment shown in FIG. 6; it is not repeated here.
S1108. The pSEPP sends service request 5 to the cSEPP. Correspondingly, the cSEPP receives service request 5 from the pSEPP.
Service request 5 includes the second client credential assertion.
Optionally, service request 5 further includes the second root certificate, the second root certificate being the root certificate of the first network.
Optionally, the second root certificate and the second client credential assertion are carried in the message header of service request 5.
S1109. The cSEPP verifies whether the second client credential assertion is correct.
The way the cSEPP verifies the second client credential assertion is the way the pSEPP verifies the first client credential assertion above, or the way the cNF verifies the second client credential assertion above, and is not repeated here. Optionally, the cSEPP verifies the certificate in the second client credential assertion against the second root certificate. The way the cSEPP obtains the second root certificate is the way the pSEPP obtains the first root certificate above, and is not repeated here.
S1110. Once the second client credential assertion has passed verification, the cSEPP sends service request 6 to the cNF. Correspondingly, the cNF receives service request 6 from the cSEPP.
Service request 6 includes the second client credential assertion. Optionally, service request 6 includes the second root certificate.
Alternatively, the second root certificate may not be carried in service request 6; instead, the cSEPP sends service request 6 and the second root certificate to the cNF separately. This embodiment does not specifically limit this.
Optionally, in this embodiment, if the cSEPP fails to verify the second client credential assertion, the cSEPP sends a rejection indication or an error indication to the pNF via the pSEPP, indicating that verification of the second client credential assertion failed.
Note that the verification of the second client credential assertion in step S1109 is optional in this embodiment. This is stated once here and not repeated below.
S1111. The cNF verifies whether the second client credential assertion is correct.
The way the cNF verifies the second client credential assertion is the same as in step S604 of the embodiment shown in FIG. 6 and is not repeated here. Optionally, the cNF verifies the certificate in the second client credential assertion against the second root certificate.
In this embodiment, if the cNF's verification of the second client credential assertion passes, the subsequent procedure continues; otherwise, optionally, the cNF sends a rejection indication or an error indication to the pNF via the cSEPP and the pSEPP, indicating that verification of the second client credential assertion failed.
For the technical effect of the embodiment shown in FIG. 11, refer to the technical effect of the embodiment shown in FIG. 5, FIG. 6 or FIG. 7; it is not repeated here.
The actions of the pNF, the cNF, the pSEPP and the cSEPP in steps S1101 to S1111 may each be performed by the processor 401 of the communication apparatus 400 shown in FIG. 4 invoking application code stored in the memory 403 to instruct the respective entity (pNF, cNF, pSEPP or cSEPP). This embodiment imposes no restriction on this.
Taking as an example the communication system of FIG. 2a applied to the 5G network of FIG. 3a, FIG. 12 shows a communication method provided by an embodiment of this application, which includes the following steps:
S1201. The cNF sends a discovery request to the NRF. Correspondingly, the NRF receives the discovery request from the cNF.
The discovery request is used to request discovery of the pNF.
S1202. The NRF determines, according to the discovery request, the pNF identifier and the corresponding pNF profile.
The pNF profile includes indication information indicating whether the enhanced client credential assertion mechanism is supported (that is, relative to the existing way of computing a client credential assertion, new parameters or data are introduced into the computation). For example, the indication information indicates support for computing the client credential assertion over the payload of the service request, or support for computing it over other parts of the service request.
Note that in this embodiment, supporting a client credential assertion over the payload or other parts of the service request can also be understood as supporting integrity protection of the payload or other parts of the service request. This is stated once here and not repeated below.
Optionally, the pNF profile further includes indication information for the IEs newly introduced into the client credential assertion computation; it indicates the payload or other parts of the service request that are newly included in the computation.
S1203. The NRF sends a discovery response to the cNF. Correspondingly, the cNF receives the discovery response from the NRF.
The discovery response includes the pNF profile described above.
Note that in this embodiment, if the cNF does not need discovery because it is configured with the pNF identifier, the pNF profile described above may also be configured in the cNF. In other words, steps S1201 to S1203 are optional. This is stated once here and not repeated below.
S1204. The cNF obtains the first client credential assertion.
Optionally, in this embodiment, the cNF determines the first client credential assertion according to the indication information in the pNF profile that indicates whether the enhanced client credential assertion mechanism is supported. If that indication information indicates that the enhanced mechanism is supported, the first client credential assertion is an enhanced client credential assertion; for example, when computing it, the cNF takes the payload or other parts of the service request into account. Optionally, when computing the first client credential assertion, the cNF determines from the indication information for the newly introduced IEs which content is newly included in the computation; this embodiment does not specifically limit this. Optionally, in addition to the judgement above, the cNF also takes into account whether it itself supports computing the enhanced client credential assertion, together with the indication information in the pNF profile; only when both support it does the cNF use the enhanced mechanism.
S1205. The cNF sends service request 1 to the SCP. Correspondingly, the SCP receives service request 1 from the cNF.
Service request 1 includes the first client credential assertion.
S1206. The SCP sends service request 2 to the pNF. Correspondingly, the pNF receives service request 2 from the SCP.
Service request 2 includes the first client credential assertion.
Optionally, service request 1 and service request 2 further include indication information indicating that the first client credential assertion is an enhanced client credential assertion.
Optionally, service request 1 and service request 2 further include an encrypted IE parameter indicating which IEs are included in the computation of the enhanced client credential assertion.
S1207. The pNF verifies whether the first client credential assertion is correct.
Optionally, the pNF verifies the first client credential assertion according to the indication information indicating that it is an enhanced client credential assertion. For example, the pNF verifies whether the payload or other parts of the service request are correct, or the pNF verifies, according to the encrypted IE parameter, the correctness of the parameters or data included in the enhanced client credential assertion.
S1208. Once the first client credential assertion has passed verification, the pNF sends a service response to the cNF via the SCP. Correspondingly, the cNF receives the service response from the pNF.
Based on the above solution, an enhanced client credential assertion can be distinguished from an existing client credential assertion, so that the ways of computing a client credential assertion become more diverse.
The actions of the pNF in steps S1201 to S1208 may be performed by the processor 401 of the communication apparatus 400 shown in FIG. 4 invoking application code stored in the memory 403 to instruct the pNF; the actions of the cNF in steps S1201 to S1208 may likewise be performed by the processor 401 of the communication apparatus 400 shown in FIG. 4 invoking application code stored in the memory 403 to instruct the cNF. This embodiment imposes no restriction on this.
Optionally, besides using the NF profile to tell the cNF whether the enhanced client credential assertion mechanism is supported, other ways exist. For example, if the cNF is a network function of a new release (for example a Rel-17 cNF), the cNF may use the enhanced mechanism and send version information to the pNF. The pNF determines from this version information whether to apply the enhanced mechanism: if the version information indicates a new release, the pNF verifies with the enhanced client credential assertion mechanism; if it indicates a legacy release, the pNF verifies with the legacy mechanism. The version information may simply indicate new or legacy, or it may indicate a specific release such as Rel-16, Rel-17 or Rel-18. From a specific release, the pNF determines which new parameters the enhanced mechanism includes and performs the corresponding checks. Optionally, the cNF may also decide whether to use the enhanced mechanism according to whether it itself supports the new, legacy or specific release of the client credential assertion mechanism; this embodiment does not specifically limit this.
Optionally, the pNF's NF profile includes a specific release, such as Rel-16, Rel-17 or Rel-18. Different releases may introduce different parameters into the computation of the client credential assertion. The cNF determines from the received release which new parameters the enhanced mechanism includes and introduces them when computing the enhanced client credential assertion. Optionally, the cNF also considers whether it itself supports the enhanced mechanism of the corresponding release. For example, if the cNF determines that both it and the NF profile support the highest release, the cNF may compute the client credential assertion with that release. At the same time, the cNF sends the release it actually used to the pNF, so that the pNF can verify the security credential according to that release.
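The following is an added worked example, not code from the patent or from 3GPP, that puts the receiver-side checks described above into one place: the check that the network identifier carried in the assertion is the receiver's own network (steps S904, S1005, S1104 and S1106), the optional check that the network identifier in the authorization token matches the one in the assertion's certificate information, the pSEPP gate of FIG. 11 that drops a failing request before it reaches the pNF, and the enhanced, payload-bound assertion of FIG. 12 with the release negotiation just described. Everything below is assumed for illustration: HMAC-SHA256 with a shared demo key stands in for the asymmetric JWS signature a real NF makes with its X.509 private key, the header field cert_info stands in for the certificate reference, the claim names recv_plmn, payload_hash and cca_version and the profile field ccaVersions are invented, and the PLMN identifiers are constructed sample values.

```python
# Added illustration, not the patent's or 3GPP's code. Assumptions (see the
# lead-in): HMAC-SHA256 with DEMO_KEY replaces the NF's asymmetric signature,
# "cert_info" replaces the certificate reference in the JWS header, and the
# claim/profile names recv_plmn, payload_hash, cca_version, ccaVersions are
# illustrative. PLMN IDs used in comments and tests are constructed values.
import base64
import hashlib
import hmac
import json
import time

DEMO_KEY = b"demo-shared-key-not-for-production"  # stand-in for the NF key pair


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_cca(nf_instance, aud_nf_type, own_plmn, recv_plmn,
              payload=None, version=None, ttl=300, now=None):
    """cNF side. recv_plmn names the network the assertion is addressed to.
    With a version set, the assertion is 'enhanced': the SHA-256 of the
    service-request payload is bound into it (FIG. 12)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "cert_info": {"plmn": own_plmn}}
    claims = {"sub": nf_instance, "aud": aud_nf_type, "iat": now,
              "exp": now + ttl, "recv_plmn": recv_plmn}
    if version is not None:
        claims["cca_version"] = version
        claims["payload_hash"] = hashlib.sha256(payload or b"").hexdigest()
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_cca(token, my_plmn, my_nf_type=None, payload=None,
               access_token_plmn=None, now=None):
    """Receiver side (pSEPP or pNF). Returns (ok, reason). my_nf_type=None
    skips the audience check, as a SEPP that only screens the assertion would."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h, c, s = parts
    expected = hmac.new(DEMO_KEY, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_dec(s)):
        return False, "bad signature"
    header, claims = json.loads(_b64url_dec(h)), json.loads(_b64url_dec(c))
    now = int(time.time()) if now is None else now
    if not claims["iat"] <= now < claims["exp"]:
        return False, "expired"
    if my_nf_type is not None and claims.get("aud") != my_nf_type:
        return False, "wrong audience"
    # The check the patent adds: the network the assertion is addressed to
    # must be the receiver's own network, so an assertion captured in one
    # roaming partner's network cannot be reused towards a third network.
    if claims.get("recv_plmn") != my_plmn:
        return False, "recv_plmn mismatch"
    # Optional check from the text: the PLMN named in the authorization token
    # must be the PLMN of the certificate that signed the assertion.
    if access_token_plmn is not None and access_token_plmn != header["cert_info"]["plmn"]:
        return False, "token/cert plmn mismatch"
    # Enhanced assertion: recompute the hash over the payload that arrived.
    if "payload_hash" in claims:
        if hashlib.sha256(payload or b"").hexdigest() != claims["payload_hash"]:
            return False, "payload hash mismatch"
    return True, "ok"


def psepp_gate(token, psepp_plmn, now=None):
    """pSEPP (FIG. 11, S1104 to S1105): forward only an assertion that
    verifies; otherwise drop it and return an error indication for the cSEPP."""
    ok, reason = verify_cca(token, psepp_plmn, now=now)
    return ("forward", token) if ok else ("reject", reason)


def negotiate_cca_version(cnf_versions, pnf_profile):
    """cNF side (FIG. 12, S1204 and the release-based variant): use the
    highest release both the cNF and the pNF profile support, else None
    (legacy assertion)."""
    common = set(cnf_versions) & set(pnf_profile.get("ccaVersions", []))
    return max(common) if common else None
```

Signature verification runs before any claim is read, and the expiry window, audience, receiver network and token-versus-certificate network are each a separate reason code so that a SEPP log can tell a misrouted request from a forged one. The payload hash is only checked when the claim is present, which is how a legacy assertion from an older cNF still verifies at an enhanced pNF.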
可以理解的是,本申请实施例中,网络功能集合参数也可以独立存在于客户凭证声明中。It can be understood that, in this embodiment of the present application, the network function set parameter may also exist independently in the client credential statement.
可以理解的是,上述网络功能集合的概念是用来指示网络功能所在的集合,用来限制网络功能所在的范围,因此其他限制网络功能范围的参数仍旧适用,例如切片标识,或者切片选择辅助参数等。换言之,在第一客户凭证声明或者第二客户凭证声明中,网络功能集合可以描述为网络功能限制参数,如切片标识,或者切片选择辅助参数,用来限制第一客户凭证声明或者第二客户凭证声明仅用于网络功能限制参数范围内的网元功能实体,在此统一说明,以下不再赘述。It can be understood that the concept of the above network function set is used to indicate the set where the network function is located, and is used to limit the scope of the network function, so other parameters that limit the scope of the network function are still applicable, such as slice identification, or slice selection auxiliary parameters. Wait. In other words, in the first client credential declaration or the second client credential declaration, the network function set can be described as a network function restriction parameter, such as a slice identifier, or a slice selection auxiliary parameter, which is used to restrict the first client credential declaration or the second client credential declaration The declaration is only used for the network element function entities within the scope of the network function limitation parameters, and is described in a unified manner here, and will not be repeated below.
可以理解的是,图5至图12所示的实施例中,由第一网络功能实体实现的方法和/或步骤,也可以由可用于第一网络功能实体的部件(例如芯片或者电路)实现;由第二网络功能实体实现的方法和/或步骤,也可以由可用于第二网络功能实体的部件(例如芯片或者电路)实现;由第一安全边缘保护代理实体实现的方法和/或步骤,也可以由可用于第一安全边缘保护代理实体的部件(例如芯片或者电路)实现;由第二安全边缘保护代理实体实现的方法和/或步骤,也可以由可用于第二安全边缘保护代理实体的部件(例如芯片或者电路)实现。It can be understood that, in the embodiments shown in FIG. 5 to FIG. 12 , the methods and/or steps implemented by the first network functional entity may also be implemented by components (such as chips or circuits) that can be used in the first network functional entity ; The methods and/or steps implemented by the second network functional entity can also be implemented by components (such as chips or circuits) that can be used in the second network functional entity; The methods and/or steps implemented by the first security edge protection proxy entity can also be implemented by a component (such as a chip or circuit) that can be used for the first security edge protection proxy entity; the methods and/or steps implemented by the second security edge protection proxy entity can also be implemented by the second security edge protection proxy entity. A physical component (eg, a chip or circuit) is implemented.
The foregoing mainly describes the solutions provided by the embodiments of this application from the perspective of the interaction between the network elements. Correspondingly, an embodiment of this application further provides a communication apparatus. The communication apparatus may be the first network function entity in the above method embodiments, an apparatus including the first network function entity, or a component usable in the first network function entity; or it may be the second network function entity in the above method embodiments, an apparatus including the second network function entity, or a component usable in the second network function entity; or it may be the first security edge protection proxy entity in the above method embodiments, an apparatus including the first security edge protection proxy entity, or a component usable in the first security edge protection proxy entity; or it may be the second security edge protection proxy entity in the above method embodiments, an apparatus including the second security edge protection proxy entity, or a component usable in the second security edge protection proxy entity.
It is understood that, to implement the above functions, the communication apparatus includes the corresponding hardware structures and/or software modules for performing each function. Those skilled in the art will readily recognise that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application and the design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such implementations should not be regarded as going beyond the scope of this application.
FIG. 13 is a schematic structural diagram of a communication apparatus 130. The communication apparatus 130 includes a transceiver module 1301 and a processing module 1302. The communication apparatus 130 may be the first network function entity, the second network function entity, the first security edge protection proxy entity or the second security edge protection proxy entity in the foregoing method embodiments. The transceiver module 1301, which may also be called a transceiver unit, implements the sending and/or receiving functions performed by the first network function entity, the second network function entity, the first security edge protection proxy entity or the second security edge protection proxy entity in any of the above method embodiments. The transceiver module 1301 may consist of a transceiver circuit, a transceiver or a communication interface. In some possible implementations, the transceiver module 1301 includes a sending module and a receiving module, which respectively implement the sending and receiving functions performed by the first network function entity, the second network function entity, the first security edge protection proxy entity or the second security edge protection proxy entity in any of the above method embodiments.
The processing module 1302 may implement the processing functions performed by the first network function entity, the second network function entity, the first security edge protection proxy entity or the second security edge protection proxy entity in any of the above method embodiments. The processing module 1302 may be, for example, a processor.
In this embodiment, the communication apparatus 130 is presented with its functional modules divided in an integrated manner. A "module" here may be an application-specific integrated circuit (ASIC), a circuit, a processor and memory executing one or more software or firmware programs, an integrated logic circuit, and/or another device able to provide the above functions. In a simple embodiment, those skilled in the art will appreciate that the communication apparatus 130 may take the form of the communication apparatus 400 shown in FIG. 4.
For example, the processor 401 in the communication apparatus 400 shown in FIG. 4 may invoke the computer-executable instructions stored in the memory 403 so that the communication apparatus 400 performs the communication method in the above method embodiments.
Specifically, the functions/implementation processes of the transceiver module 1301 and the processing module 1302 in FIG. 13 may be implemented by the processor 401 in the communication apparatus 400 shown in FIG. 4 invoking the computer-executable instructions stored in the memory 403. Alternatively, the function/implementation process of the processing module 1302 in FIG. 13 may be implemented by the processor 401 in the communication apparatus 400 shown in FIG. 4 invoking the computer-executable instructions stored in the memory 403, and the function/implementation process of the transceiver module 1301 in FIG. 13 may be implemented by the communication interface 404 in the communication apparatus 400 shown in FIG. 4.
Since the communication apparatus 130 provided in this embodiment can perform the above communication method, the technical effects it can obtain may be found in the above method embodiments and are not repeated here.
Optionally, an embodiment of this application provides a computer-readable storage medium storing instructions which, when run on a computer, enable the computer to perform the method performed by the first network function entity, the second network function entity, the first security edge protection proxy entity or the second security edge protection proxy entity in any of the above method embodiments.
Optionally, an embodiment of this application provides a computer program product containing instructions which, when run on a computer, enable the computer to perform the method performed by the first network function entity, the second network function entity, the first security edge protection proxy entity or the second security edge protection proxy entity in any of the above method embodiments.
It should be noted that one or more of the above modules or units may be implemented in software, hardware or a combination of the two. When any of the above modules or units is implemented in software, the software exists in the form of computer program instructions stored in a memory, and a processor may execute the program instructions to carry out the above method flows. The processor may be built into a SoC (system on chip) or an ASIC, or may be a standalone semiconductor chip. Besides the core that executes software instructions for computation or processing, the processor may further include the necessary hardware accelerators, such as a field programmable gate array (FPGA), a PLD (programmable logic device), or a logic circuit implementing dedicated logic operations.
When the above modules or units are implemented in hardware, the hardware may be any one or any combination of a CPU, a microprocessor, a digital signal processing (DSP) chip, a microcontroller unit (MCU), an artificial intelligence processor, an ASIC, a SoC, an FPGA, a PLD, a dedicated digital circuit, a hardware accelerator or non-integrated discrete devices, which may run the necessary software or operate without software to carry out the above method flows.
Optionally, an embodiment of this application further provides a communication apparatus (for example, the communication apparatus may be a chip or a chip system) including a processor for implementing the method in any of the above method embodiments. In a possible implementation, the communication apparatus further includes a memory. The memory stores the necessary program instructions and data, and the processor may invoke the program code stored in the memory to instruct the communication apparatus to perform the method in any of the above method embodiments. Of course, the memory may also be located outside the communication apparatus. When the communication apparatus is a chip system, it may consist of a chip or may include a chip and other discrete devices; this is not specifically limited in the embodiments of this application.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented using a software program, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the flows or functions according to the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired (for example coaxial cable, optical fibre or digital subscriber line (DSL)) or wireless (for example infrared, radio or microwave) means. The computer-readable storage medium may be any available medium accessible by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example a DVD), or a semiconductor medium (for example a solid state disk (SSD)).
Although this application is described herein in conjunction with various embodiments, those skilled in the art, in practising the claimed application, can understand and realise other variations of the disclosed embodiments by studying the drawings, the disclosure and the appended claims. In the claims, the word "comprising" does not exclude other components or steps, and "a" or "an" does not exclude a plurality. A single processor or other unit may fulfil the functions of several items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
Although this application has been described in conjunction with specific features and embodiments thereof, it is evident that various modifications and combinations may be made without departing from the spirit and scope of this application. Accordingly, the specification and drawings are merely exemplary illustrations of this application as defined by the appended claims, and are deemed to cover any and all modifications, variations, combinations or equivalents within the scope of this application. Obviously, those skilled in the art can make various changes and modifications to this application without departing from its spirit and scope. Thus, if these modifications and variations of this application fall within the scope of the claims of this application and their equivalent technologies, this application is also intended to include them.

Claims (36)

  1. A communication method, characterized in that the method comprises:
    a first network function entity receiving a first client credential assertion from a second network function entity, wherein the first client credential assertion includes a network identifier of the network in which the intended receiver network function entity of the first client credential assertion is located, the first network function entity belongs to a first network, the second network function entity belongs to a second network, and the first network and the second network are different networks;
    the first network function entity verifying whether the network identifier of the network in which the intended receiver network function entity of the first client credential assertion is located is the network identifier of the first network.
  2. The method according to claim 1, wherein the first network function entity receiving the first client credential assertion from the second network function entity comprises:
    the first network function entity receiving a first message through a first security edge protection proxy entity, the first message including the first client credential assertion from the second network function entity.
  3. The method according to claim 2, wherein the first message further includes a first root certificate, the first root certificate being the root certificate of the second network; and the method further comprises:
    the first network function entity verifying, according to the first root certificate, whether the certificate information of the first client credential assertion is correct.
  4. The method according to claim 2 or 3, wherein the first message further includes a first authorization token used by the second network function entity to request a service of the first network function entity, the first authorization token including the network identifier of the second network; and the method further comprises:
    the first network function entity verifying whether the network identifier of the second network is the network identifier in the certificate information of the first client credential assertion.
  5. The method according to any one of claims 2-4, wherein the first message further includes an identifier of the network function set to which the intended receiver network function entity of the first client credential assertion belongs; and the method further comprises:
    the first network function entity verifying whether the identifier of the network function set in which the intended receiver network function entity of the first client credential assertion is located is the identifier of the network function set to which the first network function entity belongs.
  6. The method according to any one of claims 1-5, wherein the first client credential assertion further includes an identifier of the network function set in which the intended receiver network function entity of the first client credential assertion is located; and the method further comprises:
    the first network function entity verifying whether the identifier of the network function set to which the intended receiver network function entity of the first client credential assertion belongs is the identifier of the network function set to which the first network function entity belongs.
  7. The method according to any one of claims 1-6, wherein the signed content of the first client credential assertion includes the network identifier of the network in which the originator network function entity of the first client credential assertion is located; and the method further comprises:
    the first network function entity verifying whether the network identifier of the network in which the originator network function entity of the first client credential assertion is located is the network identifier in the certificate information of the first client credential assertion.
  8. The method according to any one of claims 1-7, wherein, after the first network function entity verifies that the network identifier of the network in which the intended receiver network function entity of the first client credential assertion is located is the network identifier of the first network, the method further comprises:
    the first network function entity sending a second client credential assertion to the second network function entity, the second client credential assertion including a network identifier of the network in which the intended receiver network function entity of the second client credential assertion is located.
  9. The method according to claim 8, wherein the second client credential assertion includes at least one of the following parameters:
    an identifier of the intended receiver network function entity of the second client credential assertion;
    an identifier of the network function set to which the intended receiver network function entity of the second client credential assertion belongs;
    a type of the intended receiver network function entity of the second client credential assertion;
    the first client credential assertion, or a hash value of the first client credential assertion;
    data of a first service request, or a hash value of the data of the first service request, the first service request being the service request carrying the first client credential assertion;
    an identifier of the originator network function entity of the second client credential assertion;
    an identifier of the network function set to which the originator network function entity of the second client credential assertion belongs;
    or a network identifier of the network in which the originator network function entity of the second client credential assertion is located.
  10. The method according to any one of claims 1-9, wherein the first client credential assertion is included in a second service request, and the data of the second service request is included in the first client credential assertion; and the method further comprises:
    the first network function entity verifying the correctness of the data of the second service request.
  11. A communication method, characterized in that the method comprises:
    a second network function entity obtaining a first client credential assertion, the first client credential assertion including a network identifier of the network in which the intended receiver network function entity of the first client credential assertion is located;
    the second network function entity sending the first client credential assertion to a first network function entity, wherein the network identifier of the network in which the intended receiver network function entity of the first client credential assertion is located is used to verify whether it is the same as the network identifier of a first network, the first network function entity belongs to the first network, the second network function entity belongs to a second network, and the first network and the second network are different networks.
  12. The method according to claim 11, wherein the method further comprises:
    the second network function entity sending, to the first network function entity, a first authorization token used by the second network function entity to request a service of the first network function entity, the first authorization token including the network identifier of the second network, wherein the identifier of the second network is used to verify whether it is the same as the network identifier in the certificate information of the first client credential assertion.
  13. The method according to claim 11 or 12, wherein the method further comprises:
    the second network function entity sending, to the first network function entity, an identifier of the network function set to which the intended receiver network function entity of the first client credential assertion belongs, wherein the identifier of the network function set to which the intended receiver network function entity of the first client credential assertion belongs is used to verify whether it is the same as the identifier of the network function set to which the first network function entity belongs.
  14. The method according to claim 11 or 12, wherein the first client credential assertion further includes an identifier of the network function set to which the intended receiver network function entity of the first client credential assertion belongs, and the identifier of the network function set to which the intended receiver network function entity of the first client credential assertion belongs is used to verify whether it is the same as the identifier of the network function set to which the first network function entity belongs.
  15. The method according to any one of claims 11-14, wherein the method further comprises:
    the second network function entity receiving a second client credential assertion from the first network function entity, the second client credential assertion including a network identifier of the network in which the intended receiver network function entity of the second client credential assertion is located;
    the second network function entity verifying whether the network identifier of the network in which the intended receiver network function entity of the second client credential assertion is located is the network identifier of the second network.
  16. The method according to claim 15, wherein the second client credential assertion further includes at least one of the following parameters:
    an identifier of the intended receiver network function entity of the second client credential assertion;
    an identifier of the network function set to which the intended receiver network function entity of the second client credential assertion belongs;
    a type of the intended receiver network function entity of the second client credential assertion;
    the first client credential assertion, or a hash value of the first client credential assertion;
    data of a first service request, or a hash value of the data of the first service request, the first service request being the service request carrying the first client credential assertion;
    an identifier of the originator network function entity of the second client credential assertion;
    an identifier of the network function set to which the originator network function entity of the second client credential assertion belongs;
    or a network identifier of the network in which the originator network function entity of the second client credential assertion is located.
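A runnable model of the checks in claims 1 to 10 (the receiving network function) and claims 11 to 16 (the requesting network function), added here as an example; it is not code from the patent or from any 3GPP implementation. The signature is an HMAC stand-in for the X.509-based JWS of a real client credential assertion, and every key, network identifier, NF set name and request payload is constructed for the example.

```python
import hashlib
import hmac
import json


class CcaError(ValueError):
    """Raised when a client credential assertion (CCA) fails one of the checks."""


def canonical(obj) -> bytes:
    # Deterministic JSON so hashes and signatures always cover the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed trust anchors, one per network: the model's stand-in for each network's root certificate.
ROOT_KEYS = {"plmn-home": b"constructed-root-home", "plmn-serving": b"constructed-root-serving"}


def nf_key(root_key: bytes, subject: str) -> bytes:
    # Stand-in for the NF's certificate-bound private key, derived from the network root in this model.
    return hashlib.sha256(root_key + b"|" + subject.encode()).digest()


def sign_cca(payload: dict, cert_info: dict) -> dict:
    """Build a CCA: signed payload plus the signer's certificate information.

    cert_info = {"subject": <NF instance id>, "network_id": <network whose root issued the certificate>}.
    A real CCA is a JWS signed with the NF's X.509 key; an HMAC stands in for that here.
    """
    key = nf_key(ROOT_KEYS[cert_info["network_id"]], cert_info["subject"])
    sig = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "cert_info": cert_info, "signature": sig}


def verify_signature(cca: dict, trusted_roots: dict) -> None:
    cert = cca["cert_info"]
    root = trusted_roots.get(cert["network_id"])  # root certificate of the peer network (claim 3)
    if root is None:
        raise CcaError("certificate issuer %r is not a trusted network root" % cert["network_id"])
    expected = hmac.new(nf_key(root, cert["subject"]), canonical(cca["payload"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cca["signature"]):
        raise CcaError("CCA signature does not verify")


def verify_incoming_cca(cca, own_network, own_nf_set, trusted_roots, token=None, request_data=None) -> dict:
    """Checks the receiving NF applies to a CCA that arrived from another network (claims 1 to 10)."""
    verify_signature(cca, trusted_roots)
    p, cert = cca["payload"], cca["cert_info"]
    if p["aud_network"] != own_network:  # claim 1: the CCA must name our network as the receiver's network
        raise CcaError("CCA is addressed to network %r, not %r" % (p["aud_network"], own_network))
    if "aud_nf_set" in p and p["aud_nf_set"] != own_nf_set:  # claims 5 and 6: NF set of the receiver
        raise CcaError("CCA is addressed to NF set %r" % p["aud_nf_set"])
    if p["originator_network"] != cert["network_id"]:  # claim 7: signed originator network vs certificate
        raise CcaError("originator network does not match the certificate")
    if token is not None and token["network_id"] != cert["network_id"]:  # claim 4: token vs certificate
        raise CcaError("access token was issued for a different network than the certificate")
    if request_data is not None and p.get("request_hash") != sha256_hex(canonical(request_data)):
        raise CcaError("service request data does not match the hash bound into the CCA")  # claim 10
    return p


def build_response_cca(first_cca, own_nf_id, own_network, own_nf_set, cert_info) -> dict:
    """Second CCA the receiver returns once the checks pass (claims 8 and 9)."""
    payload = {
        "aud_network": first_cca["cert_info"]["network_id"],
        "aud_nf_instance": first_cca["cert_info"]["subject"],
        "originator_nf": own_nf_id,
        "originator_network": own_network,
        "originator_nf_set": own_nf_set,
        "first_cca_hash": sha256_hex(canonical(first_cca)),  # binds the reply to the exact request CCA
    }
    return sign_cca(payload, cert_info)


def verify_response_cca(second_cca, first_cca, own_nf_id, own_network, trusted_roots) -> dict:
    """Checks the original requester applies to the returned CCA (claims 15 and 16)."""
    verify_signature(second_cca, trusted_roots)
    p, cert = second_cca["payload"], second_cca["cert_info"]
    if p["aud_network"] != own_network:
        raise CcaError("response CCA is addressed to another network")
    if p["aud_nf_instance"] != own_nf_id:
        raise CcaError("response CCA is addressed to another NF instance")
    if p["originator_network"] != cert["network_id"]:
        raise CcaError("response originator network does not match the certificate")
    if p["first_cca_hash"] != sha256_hex(canonical(first_cca)):
        raise CcaError("response CCA is not bound to the CCA this NF sent")
    return p


def is_accepted(check, *args, **kwargs) -> bool:
    """True if the given check passes, False if it raises CcaError."""
    try:
        check(*args, **kwargs)
        return True
    except CcaError:
        return False
```

Each rejection path corresponds to one claim, so a misaddressed but validly signed CCA (claim 1) is refused without the signature check ever being the deciding factor.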
  17. The method according to claim 16, wherein the second client credential assertion includes the identifier of the intended receiver network function entity of the second client credential assertion; and the method further comprises:
    the second network function entity verifying whether the identifier of the intended receiver network function entity of the second client credential assertion is the identifier of the second network function entity;
    or, the second client credential assertion includes the identifier of the network function set in which the intended receiver network function entity of the second client credential assertion is located; and the method further comprises:
    the second network function entity verifying whether the identifier of the network function set in which the intended receiver network function entity of the second client credential assertion is located is the identifier of the network function set to which the second network function entity belongs;
    or, the second client credential assertion includes the type of the intended receiver network function entity of the second client credential assertion; and the method further comprises:
    the second network function entity verifying whether the type of the intended receiver network function entity of the second client credential assertion is the type of the second network function entity;
    or, the second client credential assertion includes the first client credential assertion; and the method further comprises:
    the second network function entity verifying that the second client credential assertion includes the first client credential assertion;
    or, the second client credential assertion includes the hash value of the first client credential assertion; and the method further comprises:
    the second network function entity verifying that the second client credential assertion includes the hash value of the first client credential assertion; or, the second client credential assertion includes the data of the first service request; and the method further comprises:
    the second network function entity verifying that the second client credential assertion includes the data of the first service request;
    or, the second client credential assertion includes the hash value of the data of the first service request; and the method further comprises:
    the second network function entity verifying that the second client credential assertion includes the hash value of the data of the first service request;
    or, the second client credential assertion including the identifier of the originator network function entity of the second client credential assertion comprises: the signed content of the second client credential assertion including the identifier of the originator network function entity of the second client credential assertion; and the method further comprises:
    the second network function entity verifying whether the identifier of the originator network function entity of the second client credential assertion included in the signed content of the second client credential assertion is the identifier of the network function entity in the certificate information of the second client credential assertion;
    or, the first client credential assertion is included in a second service request sent by the second network function entity to the first network function entity; the second service request further includes the network identifier of the network in which the intended receiver network function entity of the first client credential assertion is located; the second client credential assertion includes the identifier of the network function set to which the originator network function entity of the second client credential assertion belongs; and the method further comprises:
    the second network function entity verifying whether the identifier of the network function set to which the originator network function entity of the second client credential assertion belongs is the network identifier, included in the second service request, of the network in which the intended receiver network function entity of the first client credential assertion is located;
    or, the second client credential assertion including the network identifier of the network in which the originator network function entity of the second client credential assertion is located comprises: the signed content of the second client credential assertion including the network identifier of the network in which the originator network function entity of the second client credential assertion is located; and the method further comprises:
    所述第二网络功能实体验证所述第二客户凭证声明中被签名的内容中包括的所述第二客户凭证声明的发起方网络功能实体所在网络的网络标识是否为所述第二客户凭证声明中证书信息中的网络标识。The second network function entity verifies whether the network identity of the network where the network function entity of the originator of the second client certificate statement included in the signed content of the second client certificate statement is the second client certificate statement The network identity in the certificate information in .
  18. A first network function entity, characterized in that the first network function entity comprises a transceiver module and a processing module;
    the transceiver module is configured to receive a first client credential assertion from a second network function entity, the first client credential assertion including the network identifier of the network in which the intended recipient network function entity of the first client credential assertion is located, wherein the first network function entity belongs to a first network, the second network function entity belongs to a second network, and the first network and the second network are different networks;
    the processing module is configured to verify whether the network identifier of the network in which the intended recipient network function entity of the first client credential assertion is located is the network identifier of the first network.
  19. The first network function entity according to claim 18, characterized in that the transceiver module is specifically configured to:
    receive a first message through a first security edge protection proxy entity, the first message including the first client credential assertion from the second network function entity.
  20. The first network function entity according to claim 19, characterized in that the first message further includes a first root certificate, the first root certificate being a root certificate of the second network;
    the processing module is further configured to verify, according to the first root certificate, whether the certificate information of the first client credential assertion is correct.
  21. The first network function entity according to claim 19 or 20, characterized in that the first message further includes a first authorization token used by the second network function entity to request a service of the first network function entity, the first authorization token including the network identifier of the second network;
    the processing module is further configured to verify whether the network identifier of the second network is the network identifier in the certificate information of the first client credential assertion.
  22. The first network function entity according to any one of claims 19 to 21, characterized in that the first message further includes the identifier of the network function set to which the intended recipient network function entity of the first client credential assertion belongs;
    the processing module is further configured to verify whether the identifier of the network function set in which the intended recipient network function entity of the first client credential assertion is located is the identifier of the network function set to which the first network function entity belongs.
  23. The first network function entity according to any one of claims 18 to 22, characterized in that the first client credential assertion further includes the identifier of the network function set in which the intended recipient network function entity of the first client credential assertion is located;
    the processing module is further configured to verify whether the identifier of the network function set to which the intended recipient network function entity of the first client credential assertion belongs is the identifier of the network function set to which the first network function entity belongs.
  24. The first network function entity according to any one of claims 18 to 23, characterized in that the signed content of the first client credential assertion includes the network identifier of the network in which the originator network function entity of the first client credential assertion is located;
    the processing module is further configured to verify whether the network identifier of the network in which the originator network function entity of the first client credential assertion is located is the network identifier in the certificate information of the first client credential assertion.
  25. The first network function entity according to any one of claims 18 to 24, characterized in that, after the first network function entity has verified that the network identifier of the network in which the intended recipient network function entity of the first client credential assertion is located is the network identifier of the first network,
    the transceiver module is further configured to send a second client credential assertion to the second network function entity, the second client credential assertion including the network identifier of the network in which the intended recipient network function entity of the second client credential assertion is located.
  26. The first network function entity according to claim 25, characterized in that the second client credential assertion includes at least one of the following parameters:
    the identifier of the intended recipient network function entity of the second client credential assertion;
    the identifier of the network function set to which the intended recipient network function entity of the second client credential assertion belongs;
    the type of the intended recipient network function entity of the second client credential assertion;
    the first client credential assertion, or a hash value of the first client credential assertion;
    data of a first service request, or a hash value of the data of the first service request, the first service request being the service request carrying the first client credential assertion;
    the identifier of the originator network function entity of the second client credential assertion;
    the identifier of the network function set to which the originator network function entity of the second client credential assertion belongs;
    or the network identifier of the network in which the originator network function entity of the second client credential assertion is located.
  27. The first network function entity according to any one of claims 18 to 26, characterized in that the first client credential assertion is contained in a second service request, wherein the data of the second service request is contained in the first client credential assertion, and
    the transceiver module is further configured to verify the correctness of the data of the second service request.
  28. A second network function entity, characterized in that the second network function entity comprises a transceiver module and a processing module;
    the processing module is configured to obtain a first client credential assertion, the first client credential assertion including the network identifier of the network in which the intended recipient network function entity of the first client credential assertion is located;
    the transceiver module is configured to send the first client credential assertion to a first network function entity, the network identifier of the network in which the intended recipient network function entity of the first client credential assertion is located being used to verify whether it is the same as the network identifier of a first network, wherein the first network function entity belongs to the first network, the second network function entity belongs to a second network, and the first network and the second network are different networks.
  29. The second network function entity according to claim 28, characterized in that
    the transceiver module is further configured to send, to the first network function entity, a first authorization token used by the second network function entity to request a service of the first network function entity, the first authorization token including the network identifier of the second network, the identifier of the second network being used to verify whether it is the same as the network identifier in the certificate information of the first client credential assertion.
  30. The second network function entity according to claim 28 or 29, characterized in that
    the transceiver module is further configured to send, to the first network function entity, the identifier of the network function set to which the intended recipient network function entity of the first client credential assertion belongs, the identifier of the network function set to which the intended recipient network function entity of the first client credential assertion belongs being used to verify whether it is the same as the identifier of the network function set to which the first network function entity belongs.
  31. The second network function entity according to claim 28 or 29, characterized in that the first client credential assertion further includes the identifier of the network function set to which the intended recipient network function entity of the first client credential assertion belongs, the identifier of the network function set to which the intended recipient network function entity of the first client credential assertion belongs being used to verify whether it is the same as the identifier of the network function set to which the first network function entity belongs.
  32. The second network function entity according to any one of claims 28 to 31, characterized in that
    the transceiver module is further configured to receive a second client credential assertion from the first network function entity, the second client credential assertion including the network identifier of the network in which the intended recipient network function entity of the second client credential assertion is located;
    the processing module is further configured to verify whether the network identifier of the network in which the intended recipient network function entity of the second client credential assertion is located is the network identifier of the second network.
  33. The second network function entity according to claim 32, characterized in that the second client credential assertion further includes at least one of the following parameters:
    the identifier of the intended recipient network function entity of the second client credential assertion;
    the identifier of the network function set to which the intended recipient network function entity of the second client credential assertion belongs;
    the type of the intended recipient network function entity of the second client credential assertion;
    the first client credential assertion, or a hash value of the first client credential assertion;
    data of a first service request, or a hash value of the data of the first service request, the first service request being the service request carrying the first client credential assertion;
    the identifier of the originator network function entity of the second client credential assertion;
    the identifier of the network function set to which the originator network function entity of the second client credential assertion belongs;
    or the network identifier of the network in which the originator network function entity of the second client credential assertion is located.
  34. The second network function entity according to claim 33, characterized in that the second client credential assertion includes the identifier of the intended recipient network function entity of the second client credential assertion, and the processing module is further configured to verify whether the identifier of the intended recipient network function entity of the second client credential assertion is the identifier of the second network function entity;
    or, the second client credential assertion includes the identifier of the network function set in which the intended recipient network function entity of the second client credential assertion is located, and the processing module is further configured to verify whether the identifier of the network function set in which the intended recipient network function entity of the second client credential assertion is located is the identifier of the network function set to which the second network function entity belongs;
    or, the second client credential assertion includes the type of the intended recipient network function entity of the second client credential assertion, and the processing module is further configured to verify whether the type of the intended recipient network function entity of the second client credential assertion is the type of the second network function entity;
    or, the second client credential assertion includes the first client credential assertion, and the processing module is further configured to verify that the second client credential assertion includes the first client credential assertion;
    or, the second client credential assertion includes a hash value of the first client credential assertion, and the processing module is further configured to verify that the second client credential assertion includes the hash value of the first client credential assertion;
    or, the second client credential assertion includes the data of the first service request, and the processing module is further configured to verify that the second client credential assertion includes the data of the first service request;
    or, the second client credential assertion includes a hash value of the data of the first service request, and the processing module is further configured to verify that the second client credential assertion includes the hash value of the data of the first service request;
    or, the second client credential assertion including the identifier of the originator network function entity of the second client credential assertion means that the signed content of the second client credential assertion includes the identifier of the originator network function entity of the second client credential assertion, and the processing module is further configured to verify whether the identifier of the originator network function entity of the second client credential assertion, included in the signed content of the second client credential assertion, is the identifier of the network function entity in the certificate information of the second client credential assertion;
    or, the first client credential assertion is contained in a second service request sent by the second network function entity to the first network function entity; the second service request further includes the network identifier of the network in which the intended recipient network function entity of the first client credential assertion is located; the second client credential assertion includes the identifier of the network function set to which the originator network function entity of the second client credential assertion belongs; and the processing module is further configured to verify whether the identifier of the network function set to which the originator network function entity of the second client credential assertion belongs is the network identifier, included in the second service request, of the network in which the intended recipient network function entity of the first client credential assertion is located;
    or, the second client credential assertion including the network identifier of the network in which the originator network function entity of the second client credential assertion is located means that the signed content of the second client credential assertion includes the network identifier of the network in which the originator network function entity of the second client credential assertion is located, and the processing module is further configured to verify whether the network identifier, included in the signed content of the second client credential assertion, of the network in which the originator network function entity of the second client credential assertion is located is the network identifier in the certificate information of the second client credential assertion.
  35. A communication system, characterized in that the communication system includes a first network function entity and a second network function entity, the first network function entity belongs to a first network, the second network function entity belongs to a second network, and the first network and the second network are different networks;
    the second network function entity is configured to send a first client credential assertion to the first network function entity, the first client credential assertion including the network identifier of the network in which the intended recipient network function entity of the first client credential assertion is located;
    the first network function entity is configured to receive the first client credential assertion from the second network function entity and to verify whether the network identifier of the network in which the intended recipient network function entity of the first client credential assertion is located is the network identifier of the first network.
  36. A computer-readable storage medium, characterized in that the computer-readable storage medium stores instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 1 to 17.
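The receiver-side checks that claims 18 to 27 place in the first network function entity, and the checks of claims 32 to 34 that the second network function entity runs on the assertion it gets back, as an added example in Go; this is not code from the patent, nor from any 3GPP or vendor implementation. It assumes a simplified assertion format: the signed content is JSON signed with ECDSA P-256, and the certificate information is reduced to the signer's public key plus the network identifier the certificate binds it to, so the root-certificate chain check of claim 20 is not modelled. The field names, JSON keys, and all network, NF and NF set identifiers ("plmn-A", "nf-b1", "setA" and so on) are constructed sample values. The example generalizes slightly beyond the claims by running every check from one function so the order of checks is visible.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Receiver is the verifying network function entity with the network and NF set it belongs to.
type Receiver struct{ NetworkID, NFSetID string }

// SignedContent is the signature-covered part of the assertion; field and JSON names are this example's own (assumption).
type SignedContent struct {
	OriginatorNFID      string `json:"orig_nf"`
	OriginatorNetworkID string `json:"orig_net"`            // originator's network, inside the signed content
	AudienceNetworkID   string `json:"aud_net"`             // network of the intended recipient
	AudienceNFSetID     string `json:"aud_nfset,omitempty"` // NF set of the intended recipient
	PrevCCAHash         string `json:"prev_hash,omitempty"` // hash of the first assertion, carried by the second
}

// CertInfo stands in for the certificate information carried with the assertion
// (assumption: an X.509 chain reduced to the signer's key and the network it is bound to).
type CertInfo struct {
	NetworkID string
	PubKey    *ecdsa.PublicKey
}

// CCA is a client credential assertion: signed payload, signature and certificate information.
type CCA struct {
	Payload []byte
	Sig     []byte
	Cert    CertInfo
}

func NewKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

// Sign issues an assertion over sc, signed with priv and bound by its certificate to certNet.
func Sign(sc SignedContent, priv *ecdsa.PrivateKey, certNet string) (CCA, error) {
	payload, _ := json.Marshal(sc) // marshalling a plain struct of strings cannot fail
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return CCA{}, err
	}
	return CCA{Payload: payload, Sig: sig, Cert: CertInfo{NetworkID: certNet, PubKey: &priv.PublicKey}}, nil
}

// Hash is the hex SHA-256 over payload and signature; a second assertion carries it to bind itself to the first.
func Hash(c CCA) string {
	return fmt.Sprintf("%x", sha256.Sum256(append(append([]byte{}, c.Payload...), c.Sig...)))
}

// Verify runs the receiver-side checks. tokenNet is the network identifier from an accompanying
// authorization token ("" if none); prev is the first assertion a second one must reference (nil otherwise).
func Verify(c CCA, r Receiver, tokenNet string, prev *CCA) error {
	digest := sha256.Sum256(c.Payload)
	if !ecdsa.VerifyASN1(c.Cert.PubKey, digest[:], c.Sig) {
		return fmt.Errorf("signature does not verify under the certificate key")
	}
	var sc SignedContent
	if err := json.Unmarshal(c.Payload, &sc); err != nil {
		return err
	}
	switch {
	case sc.AudienceNetworkID != r.NetworkID: // assertion was issued for another network
		return fmt.Errorf("intended recipient network %q is not this network %q", sc.AudienceNetworkID, r.NetworkID)
	case sc.AudienceNFSetID != "" && sc.AudienceNFSetID != r.NFSetID: // wrong NF set
		return fmt.Errorf("intended recipient NF set %q is not this NF set %q", sc.AudienceNFSetID, r.NFSetID)
	case sc.OriginatorNetworkID != c.Cert.NetworkID: // signed originator network must match the certificate
		return fmt.Errorf("originator network in signed content differs from certificate network")
	case tokenNet != "" && tokenNet != c.Cert.NetworkID: // authorization token must name the certificate's network
		return fmt.Errorf("authorization token network differs from certificate network")
	case prev != nil && sc.PrevCCAHash != Hash(*prev): // second assertion must bind to the first
		return fmt.Errorf("second assertion does not carry the hash of the first")
	}
	return nil
}

// Scenario plays the roaming exchange with constructed sample identifiers and reports whether the first
// assertion passes at network A, the second passes at network B, and a replay of the first to network C is rejected.
func Scenario() (firstOK, secondOK, replayRejected bool) {
	const netA, netB, netC = "plmn-A", "plmn-B", "plmn-C" // constructed sample network identifiers
	keyA, keyB := NewKey(), NewKey()
	cca1, _ := Sign(SignedContent{OriginatorNFID: "nf-b1", OriginatorNetworkID: netB,
		AudienceNetworkID: netA, AudienceNFSetID: "setA"}, keyB, netB)
	firstOK = Verify(cca1, Receiver{netA, "setA"}, netB, nil) == nil
	cca2, _ := Sign(SignedContent{OriginatorNFID: "nf-a1", OriginatorNetworkID: netA,
		AudienceNetworkID: netB, AudienceNFSetID: "setB", PrevCCAHash: Hash(cca1)}, keyA, netA)
	secondOK = Verify(cca2, Receiver{netB, "setB"}, "", &cca1) == nil
	replayRejected = Verify(cca1, Receiver{netC, "setC"}, netB, nil) != nil
	return
}

func main() { fmt.Println(Scenario()) }
```

The replay case is the one the abstract is about: because the network identifier of the intended recipient sits inside the signed content, an assertion issued for network A cannot be presented to network C, even though its signature and certificate are perfectly valid. The order of checks matters only for the error message; every check must pass before the assertion is accepted.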
PCT/CN2021/140465 2021-01-11 2021-12-22 Communication method, apparatus and system WO2022148244A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110034375.XA CN114760630A (en) 2021-01-11 2021-01-11 Communication method, device and system
CN202110034375.X 2021-01-11

Publications (1)

Publication Number Publication Date
WO2022148244A1 true WO2022148244A1 (en) 2022-07-14

Family

ID=82324797

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/140465 WO2022148244A1 (en) 2021-01-11 2021-12-22 Communication method, apparatus and system

Country Status (2)

Country Link
CN (1) CN114760630A (en)
WO (1) WO2022148244A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP4154501B1 (en) * 2020-05-20 2024-03-20 Telefonaktiebolaget LM ERICSSON (PUBL) Service request handling

Citations (2)

Publication number Priority date Publication date Assignee Title
CN104023335A (en) * 2014-05-28 2014-09-03 北京邮电大学 SDN (Software Defined Network)-based heterogeneous network convergence framework
CN108924838A (en) * 2018-09-11 2018-11-30 中国联合网络通信集团有限公司 Method for switching network, device, Provider Equipment and the terminal of cross operator

Non-Patent Citations (2)

Title
HUAWEI, HISILICION: "Enhancement on the client credentials assertion verification", 3GPP DRAFT; S3-201845, vol. SA WG3, 7 August 2020 (2020-08-07), pages 1 - 7, XP051916369 *
NOKIA, NOKIA SHANGHAI BELL: "New SID on eSBA security", 3GPP DRAFT; S3-203504, vol. SA WG3, 20 November 2020 (2020-11-20), pages 1 - 4, XP051956984 *

Also Published As

Publication number Publication date
CN114760630A (en) 2022-07-15

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 21917284; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 21917284; Country of ref document: EP; Kind code of ref document: A1)