WO2023115913A1 - Authentication method and system, and electronic device and computer-readable storage medium - Google Patents


Info

Publication number
WO2023115913A1
Authority
WO
WIPO (PCT)
Prior art keywords
target
address
authentication server
authentication
network element
Application number
PCT/CN2022/105156
Other languages
French (fr)
Chinese (zh)
Inventor
单雨威
林奕琳
何宇锋
刘洁
杨峰义
张琳峰
王庆扬
陈思柏
刘玉芹
唐凌
朱红梅
Original Assignee
中国电信股份有限公司


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security
    • H04W 12/084 Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol

Definitions

  • the present disclosure relates to the technical field of communication, and in particular to an authentication method, system, electronic equipment and computer-readable storage medium.
  • in order to ensure that a terminal accessing the network system is normal and safe, the network system usually needs to authenticate the terminal when it accesses.
  • in the related network, addressing of the Authentication Server Function (AUSF) and Unified Data Management (UDM) during terminal authentication is realized through the service discovery process or static configuration, and the addressing must be based on the user's number segment.
  • AUSF Authentication Server Function
  • UDM Unified Data Management
  • the future 6G network will realize ubiquitous connectivity through air-space-ground integration, involving mobile operator equipment, satellite operator equipment and so on.
  • the future mobile network will thus be composed of multiple operators' equipment. Considering the cost of base station construction, there may be only one operator's base station node in a given area. Therefore, a more flexible addressing method is required in the user identity authentication process.
  • the purpose of the present disclosure is to provide an authentication method, system, electronic equipment and computer-readable storage medium.
  • an authentication method including: a target access control network element receives a registration request sent by a target device; the target access control network element determines, according to the registration request, the target user identifier corresponding to the target device and the target access method by which the target device accesses the network system; the target access control network element requests from the target blockchain the target authentication server address corresponding to the target access method and the target subscription database address corresponding to the target user identifier, where at least one authentication server address and at least one subscription database address are stored in the target blockchain, the at least one authentication server includes the target authentication server, and the at least one subscription database address includes the target subscription database address; the target access control network element sends, according to the target authentication server address, an authentication request carrying the target subscription database address to the target authentication server, so that the target authentication server accesses the target subscription database according to that address, obtains the target subscription data corresponding to the target device, and authenticates the target device according to the target subscription data.
  • the target access control network element requesting from the target blockchain the target authentication server address corresponding to the target access method and the target subscription database address corresponding to the target user identifier includes: the target access control network element sends the target user identifier of the target device, the target security token, and the target access method to the target blockchain; the target access control network element receives the target authentication server address corresponding to the target access method and the target subscription database address corresponding to the target user identifier returned by the target blockchain.
  • the target access control network element sending the target user identifier of the target device, the target security token, and the target access method to the target blockchain includes: the target access control network element sends the target user identifier of the target device, the target security token, and the target access method to the target blockchain through the target blockchain network element.
  • the registration request carries a target security token of the target device, and the target security token is generated from a target random number issued by the target operation platform; in this case the target access control network element requesting from the target blockchain the target authentication server address corresponding to the target access method and the target subscription database address corresponding to the target user identifier includes: the target access control network element sends the target user identifier of the target device, the target security token, and the target access method to the target blockchain; the target blockchain determines the target authority credential corresponding to the target device according to the target user identifier, the target authority credential having been generated from the target random number issued by the target operation platform to the target device; if the target blockchain determines that the target authority credential matches the target security token, it determines the target authentication server address corresponding to the target access method and the target subscription database address corresponding to the target user identifier, and returns them to the target access control network element.
  • the target access control network element sending the target user identifier of the target device, the target security token, and the target access method to the target blockchain includes: the target access control network element sends an authentication request carrying the target user identifier, the target security token, and the target access method to the target blockchain network element; the target blockchain network element forwards the target user identifier, the target security token, and the target access method to the target blockchain according to the authentication request, so as to request from the target blockchain the target authentication server address corresponding to the target access method and the target subscription database address corresponding to the target user identifier.
  • the target access control network element requesting from the target blockchain the target authentication server address corresponding to the target access method and the target subscription database address corresponding to the target user identifier includes: the target access control network element requests from the target blockchain the target authentication server address corresponding to the target access method, the target subscription database address corresponding to the target user identifier, and the target key corresponding to the subscription data of the target device; accordingly, the target access control network element sending an authentication request carrying the target subscription database address to the target authentication server, so that the target authentication server accesses the target subscription database to obtain the target subscription data corresponding to the target device, includes: the target access control network element sends an authentication request carrying the target subscription database address and the target key to the target authentication server corresponding to the target authentication server address, so that the target authentication server accesses the target subscription database according to the target subscription database address and obtains the target subscription data corresponding to the target device by means of the target key.
  • before the target access control network element receives the registration request sent by the target device, the method further includes: the target operation platform stores the target user identifier and the target subscription data corresponding to the target device in the target subscription database, and stores the target user identifier and the target subscription database address in the target blockchain.
  • before the target access control network element receives the registration request sent by the target device, the method further includes: the target operation platform signs a card for the target device; the target operation platform encrypts the target subscription data corresponding to the target device with the target key to obtain the target subscription ciphertext; the target operation platform sends the target user identifier corresponding to the target device and the target subscription ciphertext to the target subscription database for storage; the target operation platform receives the target subscription database address and the target user identifier returned by the target subscription database; the target operation platform sends the target user identifier, the target subscription database address and the target key to the target blockchain, so that the target blockchain associates and stores the target user identifier, the target subscription database address, and the target key.
  • the method further includes: the target operation platform generates a target random number for the target device; the target operation platform generates a target authority credential according to the target random number; the target operation platform sends the target authority credential to the target blockchain, so that the target blockchain associates and stores the target authority credential with the target user identifier.
  • before the target access control network element receives the registration request sent by the target device, the method includes: the target operation platform acquires multiple access methods, the multiple access methods including the target access method; the target operation platform obtains multiple authentication server addresses of multiple authentication servers, the multiple authentication server addresses including the target authentication server address; the target operation platform determines the corresponding authentication server address for each access method respectively.
  • an authentication device, set in a target access control network element, includes: a receiving module configured to receive a registration request sent by a target device; a determining module configured to determine, according to the registration request, the target user identifier corresponding to the target device and the target access method by which the target device accesses the network system; a request module configured to request from the target blockchain the target authentication server address corresponding to the target access method and the target subscription database address corresponding to the target user identifier; and a sending module configured to send, according to the target authentication server address, an authentication request carrying the target subscription database address to the target authentication server, so that the target authentication server accesses the target subscription database according to that address, obtains the target subscription data corresponding to the target device, and authenticates the target device according to the target subscription data.
  • an authentication system including: a target blockchain in which at least one authentication server address and at least one subscription database address are stored, the at least one authentication server including the target authentication server and the at least one subscription database address including the target subscription database address; and a target access control network element configured to: receive a registration request sent by the target device; determine, according to the registration request, the target user identifier of the target device and the target access method by which the target device accesses the network system; request from the target blockchain the target authentication server address corresponding to the target access method and the target subscription database address corresponding to the target user identifier; and send, according to the target authentication server address, an authentication request carrying the target subscription database address to the target authentication server, so that the target authentication server accesses the target subscription database according to that address, obtains the target subscription data corresponding to the target device, and authenticates the target device according to the target subscription data.
  • it also includes: a target operation platform configured to store the target user identifier and target subscription data corresponding to the target device in the target subscription database, and store the target user identifier and the target subscription database address in the target blockchain.
  • an electronic device includes: one or more processors; and a storage device for storing one or more programs which, when executed by the one or more processors, cause the electronic device to execute the authentication method described in any one of the above.
  • a computer-readable storage medium on which a computer program is stored, and when the program is executed by a processor, the authentication method described in any one of the above is implemented.
  • a computer program including: instructions, which when executed by a processor cause the processor to execute the aforementioned authentication method.
  • Fig. 1 shows an authentication method according to related technologies.
  • Fig. 2 is a flowchart of an authentication method according to some exemplary embodiments.
  • Fig. 3 shows an authentication system according to some exemplary embodiments.
  • Fig. 4 is a sequence diagram of an authentication method according to some exemplary embodiments.
  • Fig. 5 is a sequence diagram of an authentication method according to some exemplary embodiments.
  • FIG. 6 shows a schematic structural diagram of an electronic device suitable for implementing an embodiment of the present disclosure.
  • Fig. 7 is a schematic structural diagram of an authentication device according to some embodiments of the present disclosure.
  • Example embodiments will now be described more fully with reference to the accompanying drawings.
  • Example embodiments may, however, be embodied in many forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art.
  • the same reference numerals denote the same or similar parts in the drawings, and thus their repeated descriptions will be omitted.
  • the terms “a”, “an”, “the” and “at least one” are used to indicate the presence of one or more elements/components/etc.; the terms “comprising”, “including” and “having” are used in an open, inclusive sense and mean that there may be additional elements/components/etc. in addition to those listed; the terms “first”, “second”, “third” and so on are used only as labels, not as restrictions on the number of their objects.
  • the user terminal UE sends a NAS message (a 5G message) to the AMF (Authentication Management Function, authentication management function), including SUCI (Subscription Concealed Identifier, subscription hidden identifier) or 5G-GUTI (5G Globally Unique Temporary UE Identity, 5G globally unique identifier) for registration.
  • AMF Authentication Management Function, authentication management function
  • SUCI Subscription Concealed Identifier, subscription hidden identifier
  • 5G-GUTI 5G Globally Unique Temporary UE Identity, 5G globally unique identifier
  • AMF sends an authentication request to AUSF (Authentication server function, authentication service function), including SUCI/SUPI (Subscription Permanent Identifier, user permanent identifier) and service network name.
  • AUSF Authentication server function, authentication service function
  • SUPI Subscription Permanent Identifier, user permanent identifier
  • UDM Unified Data Management, unified data management function
  • the UDM analyzes the SUCI to obtain the SUPI, determines the authentication method, and performs authentication processing.
  • AUSF and UDM are addressed by AMF based on user identification (that is, user's number prefix or number segment) during authentication.
  • the disclosure provides an authentication method, device, electronic equipment, and computer-readable storage medium.
  • when a target device sends a registration request, the corresponding target authentication server address and target subscription database address can be dynamically matched according to the target device's target access method and target user identifier, so that the target device is authenticated through the target authentication server corresponding to the target authentication server address and the target subscription database corresponding to the target subscription database address.
  • different authentication servers can be dynamically adapted for devices with different access modes, and the subscription database can be adapted without relying on the user number segment.
  • the target operation platform can sign a card for the target device in the following way: the target operation platform signs a card for the target device; the target operation platform encrypts the target subscription data corresponding to the target device with the target key to obtain the target subscription ciphertext; the target operation platform sends the target user identifier and the target subscription ciphertext to the target subscription database for storage; the target operation platform receives the target subscription database address and the target user identifier returned by the target subscription database; the target operation platform sends the target user identifier, the target subscription database address and the target key to the target blockchain, so that the target blockchain can associate and store the target user identifier, the target subscription database address and the target key.
  • because data storage is carried out through the blockchain, the data transfer process is traceable; at the same time, the target subscription data is encrypted with the target key, which on the one hand makes the data secure and reliable, and on the other hand guarantees that in the authentication process only the device corresponding to the target subscription data can hold the target key to decrypt the target ciphertext, thus ensuring the security of the authentication process.
  • the target operation platform will also generate a target random number for the target device, and then generate a target authority certificate according to the target random number, and finally send the target authority certificate to the target blockchain, so that the target blockchain can associate the target authority certificate with the target user ID for associative storage.
  • the target operation platform will also obtain multiple access methods, the multiple access methods including the target access method; the target operation platform can obtain multiple authentication server addresses of multiple authentication servers, the multiple authentication server addresses including the target authentication server address; the target operation platform can determine the corresponding authentication server address for each access method according to the authentication method of each authentication server.
  • after the target operation platform determines the corresponding authentication server address for each access method, it stores each authentication server address and its corresponding access method in the target blockchain.
  • the multiple access methods may include space-based access (such as satellite), ground-based access (such as base station), and space-based access (such as airplane, drone, hot air balloon, etc.), which is not limited in the present disclosure.
  • space-based access such as satellite
  • ground-based access such as base station
  • space-based access such as airplane, drone, hot air balloon, etc.
  • each access mode has an authentication server corresponding to it.
  • at least one authentication server address and at least one subscription database address can be stored in the target blockchain, where the at least one authentication server includes the target authentication server and the at least one subscription database address includes the target subscription database address; each authentication server corresponds to at least one access method (that is, an authentication server address can be matched through the access method), and each subscription database corresponds to at least one user identifier (that is, one subscription database can store subscription data for multiple user identifiers, and a subscription database address can be matched through the user identifier).
  • Fig. 2 is a flowchart showing an authentication method according to an exemplary embodiment.
  • the authentication method provided by the embodiment of the present disclosure may include the following steps.
  • Step S202 the target access control network element receives the registration request sent by the target device.
  • the target device may send a registration request to the target access control network element in the target mobile network when accessing the target mobile network for the first time.
  • the target access control network element may be any device in the target mobile network system, for example, it may be an AMF network element in the 5G network, and the disclosure does not limit this.
  • the target device may be any electronic device that needs to communicate, such as a mobile phone, a computer, and a notebook, and this disclosure does not limit it.
  • Step S204 the target access control network element determines the target user identifier corresponding to the target device and the target access method by which the target device accesses the network system according to the registration request.
  • the above-mentioned target access method may be any access method such as space-based access, ground-based access, space-based access, fixed network access, etc., which is not limited in the present disclosure.
  • Step S206 the target access control network element requests the target blockchain for the target authentication server address corresponding to the target access mode and the target subscription database address corresponding to the target user ID.
  • the target access control network element can request the corresponding authentication server address from the target blockchain according to the target access mode, and can request the corresponding subscription database address from the target blockchain according to the target user identifier.
  • the target blockchain can determine, among the at least one authentication server address, the target authentication server address corresponding to the target access method according to the pre-stored association between access methods and authentication server addresses, and can determine, among the at least one subscription database address, the target subscription database address corresponding to the target user identifier according to the pre-stored association between user identifiers and subscription database addresses, and then return the target authentication server address and the target subscription database address to the target access control network element.
  • the registration request sent by the target device may also carry a target security token of the target device, and the target security token is generated by a target random number issued by the target operation platform.
  • in this case, the target access control network element requesting from the target blockchain the target authentication server address corresponding to the target access method and the target subscription database address corresponding to the target user identifier includes: the target access control network element sends the target user identifier of the target device, the target security token, and the target access method to the target blockchain; the target blockchain determines the target authority credential corresponding to the target device according to the target user identifier, the target authority credential having been generated from the target random number issued by the target operation platform to the target device; if the target blockchain determines that the target authority credential matches the target security token, it determines the target authentication server address corresponding to the target access method and the target subscription database address corresponding to the target user identifier; the target blockchain then returns the target authentication server address corresponding to the target access method and the target subscription database address corresponding to the target user identifier to the target access control network element.
  • the above process compares the target security token with the target authority certificate, which can ensure the security of the entire authentication process and avoid illegal data acquisition.
  • the target access control network element sending the target user identifier of the target device, the target security token, and the target access method to the target blockchain may include: the target access control network element sends an authentication request carrying the target user identifier, the target security token, and the target access method to the target blockchain network element; the target blockchain network element sends the target user identifier, the target security token, and the target access method to the target blockchain according to the authentication request, so as to request from the target blockchain the target authentication server address corresponding to the target access method and the target subscription database address corresponding to the target user identifier.
  • the target blockchain network element may be a certain node in the target blockchain.
  • the target blockchain network element may be located in the target network, for example, it may be the target access control network element, and of course it may also be a device independent of the target access control network element, which is not limited in the present disclosure.
  • Step S208 the target access control network element sends, according to the target authentication server address, an authentication request carrying the target subscription database address to the target authentication server, so that the target authentication server accesses the target subscription database according to that address, obtains the target subscription data corresponding to the target device, and authenticates the target device according to the target subscription data.
  • that is, the target access control network element requests the target authentication server corresponding to the target authentication server address to access the target subscription database corresponding to the target subscription database address, obtain the subscription data corresponding to the target device, and perform authentication processing on the target device.
  • the target access control network element requesting from the target blockchain the target authentication server address corresponding to the target access method and the target subscription database address corresponding to the target user identifier includes: the target access control network element requests from the target blockchain the target authentication server address corresponding to the target access method, the target subscription database address corresponding to the target user identifier, and the target key corresponding to the subscription data of the target device; accordingly, the target access control network element sends the authentication request, the target subscription database address and the target key to the target authentication server corresponding to the target authentication server address, so that the target authentication server accesses the target subscription database according to the target subscription database address and obtains the target subscription data corresponding to the target device by means of the target key.
  • the above process can encrypt and decrypt the target contract data through the target key, which improves the security of data transmission and avoids illegal acquisition of data.
  • the technical solution provided by this embodiment introduces blockchain technology and records the authentication server addresses and the subscription database addresses on the blockchain; the terminal passes the security token to the blockchain through the blockchain network element, and after the blockchain determines that the security token and the authority credential are consistent, it returns the subscription database address, the authentication server address and the key; when the access control network element sends the authentication request to the blockchain it carries the access type and the user identifier, and the blockchain returns different authentication servers according to the different access types and different subscription database addresses according to the different user identifiers. For different access methods, different operators may provide services, so there may be different authentication servers; and for different user identities, services may be provided by different subscription databases, so there may be different subscription databases. If services are provided by the same operator, different authentication servers may still be used for different access technologies, and the subscription databases may be unified or different.
  • This method solves the routing and addressing problem of identity authentication when providing services across operators, and supports flexible selection of independent subscription databases and authentication servers according to access types, providing a solid foundation for future (such as 6G) heterogeneous network integration.
  • the authentication system corresponding to the authentication method provided by this disclosure may include the network devices, authentication servers, subscription databases and other devices of each operator, and these devices can interact through the blockchain network to achieve decentralized, distributed deployment.
  • the network equipment contains blockchain network elements that interact with the blockchain. The operator's operation platform records on the blockchain the correspondence between the target user ID and the subscription database address, the correspondence between the access method and the authentication server, and the association between the user ID and the key; the blockchain network element then obtains from the blockchain the address of the authentication server corresponding to the device's access mode, the address of the subscription database corresponding to the user ID, and other information, and in this way completes the addressing flow during identity authentication.
  • the operator's operation platform can open a card for the user, encrypt the user subscription data corresponding to the user card, store the target user identifier and the encrypted user subscription data in the subscription database and return the storage location; the operation platform selects different authentication servers according to the different access methods and returns the address of the authentication server corresponding to each access method.
  • the operating platform records the returned information and the decryption key on the blockchain.
  • the operation platform generates a random number and sends it to the terminal, and generates a permission certificate based on the random number and sends it to the blockchain, which stores it locally.
  • the addressing process of the authentication server and subscription database is done through the blockchain.
  • the terminal device generates a security token according to the random number, and sends the registration request and the security token to the access control network element.
  • the access control network element judges the access mode of the terminal and sends an authentication request to the blockchain network element.
  • the blockchain network element queries the blockchain for the data required for authentication, and at the same time sends it the security token.
  • the blockchain network element passes the result to the access control network element; the access control network element addresses the authentication server according to its address and sends it an authentication request carrying the address and key of the subscription database.
  • the authentication server addresses the subscription database according to the received address, and sends the authentication request and the decryption key for the subscription data to the subscription database.
  • the terminal and the network complete the authentication process, and the authentication result is returned to the terminal.
  • the authentication method corresponding to the system shown in FIG. 3 can be specifically described through the sequence diagrams shown in FIG. 4 and FIG. 5 .
  • the operator's operation platform opens a card for the user, encrypts the user subscription data corresponding to the user card, and stores the target user ID and the encrypted user subscription data in the subscription database.
  • the subscription database returns the storage location of the subscription data corresponding to the target user identifier to the operation platform.
  • the operation platform selects different authentication servers according to the different access methods, and associates each access method with the corresponding authentication server.
  • the authentication server returns the address of the authentication server corresponding to the access mode.
  • the order of steps 1 and 2 relative to steps 3 and 4 is not limited: steps 3 and 4 can be performed before steps 1 and 2, or at the same time.
  • the operation platform records the returned information and the decryption key on the blockchain.
  • the address of the authentication server, the address of the subscription database and the decryption key can be stored on the blockchain as a whole or stored separately.
  • the operation platform provides the relevant information of the user card to the terminal.
  • the user card is the unique identity of the mobile user in the network.
  • when the terminal accesses the network, it provides the user ID, performs calculations based on the authentication parameters (such as the key K) and the algorithms stored in the card, and provides an authentication response.
  • the USIM (Universal Subscriber Identity Module) writing method allows the mobile device to obtain the SUCI generated by the USIM through the GET IDENTITY command of the ME-UICC machine-card interface (ME: mobile equipment, UICC: Universal Integrated Circuit Card); OTA (Over The Air) data writing refers to synchronizing the card authentication configuration data with the card authentication system through OTA data SMS.
  • the operation platform generates the first random number and sends it to the terminal.
  • the operation platform generates an authorization certificate according to the first random number.
  • the permission certificate can be generated by hashing the random number, or by hashing the user ID and the random number together.
  • the operation platform sends the authority certificate to the blockchain.
  • the blockchain stores the authority certificate locally, and then updates its own storage information.
  • the terminal device generates a security token according to the first random number.
  • the terminal device sends the registration request and the security token to the access control network element.
  • the access control network element judges the access mode of the terminal, which can be satellite access, fixed network access, mobile access, etc.
  • the access control network element sends an identity authentication request to the blockchain network element, including the terminal user ID, access method and security token.
  • the blockchain network element queries the blockchain for the data required for identity authentication, and at the same time sends it a security token.
  • the blockchain determines whether the security token is the same as the locally stored authority certificate, and then returns the address of the signing database according to the target user ID of the target device, and returns the address of the authentication server according to the access type.
  • Different access types such as satellite, fixed network, and cellular network may be provided by different operators, so there may be different authentication servers and subscription databases.
  • the same operator may adopt different authentication technologies for different access methods, and different authentication servers may complete the authentication.
  • the subscription databases may be unified or different. This method supports all implementation methods.
  • the blockchain network element sends the subscription database address, the authentication server address and the key to the access control network element.
  • the access control network element finds the corresponding authentication server according to the address of the authentication server and sends it an authentication request carrying the address and key of the subscription database.
  • the authentication server performs addressing according to the received subscription database address.
  • the subscription database decrypts the encrypted data according to the received key.
  • the terminal and the network complete the authentication and authorization process, such as the EAP-AKA' authentication (an authentication method) process used in 5G or the 5G AKA authentication (an authentication method) process.
  • in the 5G procedures above, AMF is the access control network element, AUSF is the authentication server, and UDM is the subscription database.
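The addressing flow described twice above (the overview following FIG. 3 and the numbered sequence for FIG. 4 and FIG. 5), as an added Python example that is not part of the patent. It simulates the operation platform writing the records, the terminal deriving its security token from the issued random number, the access control network element resolving the addresses on the ledger after the token check, and the authentication server fetching and decrypting the subscription data. The `Ledger` dictionary standing in for the blockchain, the HMAC-SHA256 keystream standing in for the patent's unspecified cipher, the hostnames and the user identifier are all assumptions or constructed values; the subsequent 5G AKA / EAP-AKA' run is not modelled.

```python
# Added example, not code from the patent: stand-alone simulation of the
# blockchain-assisted addressing flow (operation platform -> ledger -> access
# control network element -> authentication server -> subscription database).
# Ledger, OperationPlatform, the keystream cipher and all names are assumptions.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Illustrative stand-in for the patent's unspecified cipher: XOR with an
    HMAC-SHA256 keystream in counter mode. Symmetric, so it also decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def authority_credential(user_id: str, nonce: bytes) -> bytes:
    """Patent: hash of the random number, or of user ID and random number
    together. The terminal computes the same value as its security token."""
    return hashlib.sha256(user_id.encode() + nonce).digest()


@dataclass
class Ledger:
    """Stand-in for the target blockchain: what the operation platform records."""
    ausf_by_access: dict = field(default_factory=dict)      # access mode -> AUSF address
    udm_by_user: dict = field(default_factory=dict)         # user id -> (UDM address, key)
    credential_by_user: dict = field(default_factory=dict)  # user id -> authority credential

    def resolve(self, user_id: str, access_mode: str, token: bytes):
        """Verify the security token against the stored authority credential,
        then return the addresses and key. Constant-time compare; no detail
        about which part failed is returned to the caller."""
        cred = self.credential_by_user.get(user_id)
        if cred is None or not hmac.compare_digest(cred, token):
            raise PermissionError("security token does not match authority credential")
        if access_mode not in self.ausf_by_access or user_id not in self.udm_by_user:
            raise LookupError("no authentication server / subscription database recorded")
        udm_addr, key = self.udm_by_user[user_id]
        return self.ausf_by_access[access_mode], udm_addr, key


@dataclass
class SubscriptionDatabase:
    address: str
    records: dict = field(default_factory=dict)  # user id -> encrypted subscription data

    def fetch(self, user_id: str, key: bytes) -> bytes:
        """Decrypt the stored record with the key received via the authentication server."""
        return keystream_xor(key, self.records[user_id])


class OperationPlatform:
    def __init__(self, ledger: Ledger, udms: dict):
        self.ledger, self.udms = ledger, udms  # udms: address -> SubscriptionDatabase

    def bind_access_mode(self, access_mode: str, ausf_address: str) -> None:
        """Record which authentication server serves which access method."""
        self.ledger.ausf_by_access[access_mode] = ausf_address

    def open_card(self, user_id: str, subscription_data: bytes, udm_address: str) -> bytes:
        """Open a card: encrypt and store the subscription data, record the
        storage location and key on the ledger, issue the random number to the
        terminal and record the derived authority credential on the ledger."""
        key = secrets.token_bytes(32)
        self.udms[udm_address].records[user_id] = keystream_xor(key, subscription_data)
        self.ledger.udm_by_user[user_id] = (udm_address, key)
        nonce = secrets.token_bytes(16)  # the "first random number" sent to the terminal
        self.ledger.credential_by_user[user_id] = authority_credential(user_id, nonce)
        return nonce


def access_control_register(ledger: Ledger, udms: dict, user_id: str,
                            access_mode: str, token: bytes) -> dict:
    """Access control network element role: resolve addresses on the ledger,
    then hand UDM address and key to the authentication server, whose fetch
    and decrypt step is inlined here. The AKA run with the terminal would follow."""
    ausf_addr, udm_addr, key = ledger.resolve(user_id, access_mode, token)
    subscription_data = udms[udm_addr].fetch(user_id, key)
    return {"ausf": ausf_addr, "udm": udm_addr, "subscription_data": subscription_data}


def demo() -> dict:
    """Constructed scenario: one subscription database, two access modes served
    by different authentication servers, one user registering over satellite."""
    ledger = Ledger()
    udms = {"udm.operatorA.example": SubscriptionDatabase("udm.operatorA.example")}
    platform = OperationPlatform(ledger, udms)
    platform.bind_access_mode("satellite", "ausf.sat.operatorB.example")
    platform.bind_access_mode("cellular", "ausf.cell.operatorA.example")
    nonce = platform.open_card("user-0001", b"constructed subscription record", "udm.operatorA.example")
    token = authority_credential("user-0001", nonce)  # terminal side
    return access_control_register(ledger, udms, "user-0001", "satellite", token)
```

The same user registering over a different access mode resolves to a different authentication server but to the same subscription database, which is the cross-operator property the text describes; a token that does not match the recorded credential is refused before any address is returned.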
  • the technical solution provided by this embodiment uses blockchain technology to solve the addressing problem of the home authentication server and the subscription database, which greatly improves the reliability and flexibility of data sharing between operators.
  • the technical solution provided in this embodiment can select different authentication servers according to different access types, and the subscription databases can be unified or different, and different implementation modes are supported.
  • the present disclosure also provides an authentication system, which may include a target blockchain in which at least one authentication server address and at least one subscription database address are stored, the at least one authentication server including the target authentication server and the at least one subscription database address including the target subscription database address; the authentication system also includes a target access control network element, which is used to receive the registration request sent by the target device; determine, according to the registration request, the target user ID of the target device and the target access method by which the target device accesses the network system; request from the target blockchain the address of the target authentication server corresponding to the target access method and the address of the target subscription database corresponding to the target user ID; and send, according to the address of the target authentication server, an authentication request carrying the address of the target subscription database to the target authentication server, so that the target authentication server accesses the target subscription database according to that address to obtain the target subscription data corresponding to the target device, so as to authenticate the target device according to the target subscription data.
  • the registration request carries the target security token of the target device, and the target security token is generated by the target random number issued by the target operation platform;
  • requesting from the target blockchain the address of the target authentication server corresponding to the access method and the address of the target subscription database corresponding to the target user ID includes:
  • the target access control network element sends the target user ID of the target device, the target security token and the target access method to the target blockchain;
  • the target blockchain determines the target authority credential corresponding to the target device according to the target user identification, the target authority credential having been generated according to the target random number issued by the target operation platform to the target device;
  • if the target blockchain determines that the target authority credential matches the target security token, it determines the target authentication server address corresponding to the target access method and the target subscription database address corresponding to the target user ID;
  • the target access control network element sending the target user identification of the target device, the target security token and the target access method to the target blockchain includes: the target access control network element sends to the target blockchain network element an authentication request carrying the target user ID, target security token and target access mode; according to the authentication request, the target blockchain network element sends the target user ID, target security token and target access mode to the target blockchain, in order to request from the target blockchain the target authentication server address corresponding to the target access mode and the target subscription database address corresponding to the target user identification.
  • the target access control network element requesting from the target blockchain the address of the target authentication server corresponding to the target access method and the address of the target subscription database corresponding to the target user identifier includes: the target access control network element requests from the target blockchain the address of the target authentication server corresponding to the target access method, the address of the target subscription database corresponding to the target user ID, and the target key corresponding to the subscription data of the target device; wherein the target access control network element sending, according to the target authentication server address, an authentication request carrying the target subscription database address to the target authentication server, so that the target authentication server accesses the target subscription database according to the target subscription database address to obtain the target subscription data corresponding to the target device, includes: the target access control network element sends the authentication request, the address of the target subscription database and the target key to the target authentication server corresponding to the address of the target authentication server, so that the target authentication server accesses the target subscription database according to the address of the target subscription database to obtain the target subscription data corresponding to the target
  • before the target access control network element receives the registration request sent by the target device, the method includes: the target operation platform opens a card for the target device; the target subscription data is encrypted to obtain the target subscription ciphertext; the target operation platform sends the target user identification corresponding to the target device and the target subscription ciphertext to the target subscription database for storage; the target operation platform receives the target subscription database address and the target user identification; the target operation platform sends the target user identification, the target subscription database address and the target key to the target blockchain, so that the target blockchain associates and stores the target user identification, the target subscription database address and the target key.
  • the target operation platform is also used to generate a target random number for the target device; the target operation platform generates a target authority credential according to the target random number; the target operation platform sends the target authority credential to the target blockchain, so that the target blockchain associates and stores the target authority credential with the target user ID.
  • before the target access control network element receives the registration request sent by the target device, the method further includes: the target operation platform obtains multiple access methods, which include the target access method; the target operation platform obtains the multiple authentication server addresses of multiple authentication servers, which include the address of the target authentication server; the target operation platform determines the corresponding target authentication server address for each access mode according to the authentication mode of each authentication server.
  • each block in a flowchart or block diagram may represent a module, program segment, or portion of code that includes one or more logical functions for implementing specified executable instructions.
  • the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or they may sometimes be executed in the reverse order, depending upon the functionality involved.
  • each block in the block diagrams or flowchart illustrations, and combinations of blocks in the block diagrams or flowchart illustrations, can be implemented by a dedicated hardware-based system that performs the specified function or operation, or by a combination of dedicated hardware and computer instructions.
  • FIG. 6 shows a schematic structural diagram of an electronic device suitable for implementing an embodiment of the present disclosure. It should be noted that the electronic device 600 shown in FIG. 6 is only an example, and should not limit the functions and application scope of the embodiments of the present disclosure.
  • an electronic device 600 includes a central processing unit (CPU) 601, which can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 602 or a program loaded from a storage section 608 into a random access memory (RAM) 603.
  • in the RAM 603, various programs and data necessary for the operation of the electronic device 600 are also stored.
  • the CPU 601, ROM 602, and RAM 603 are connected to each other through a bus 604.
  • An input/output (I/O) interface 605 is also connected to the bus 604 .
  • the following components are connected to the I/O interface 605: an input section 606 including a keyboard, a mouse, etc.; an output section 607 including a cathode ray tube (CRT), a liquid crystal display (LCD), etc., and a speaker; a storage section 608 including a hard disk, etc. and a communication section 609 including a network interface card such as a LAN card, a modem, or the like.
  • the communication section 609 performs communication processing via a network such as the Internet.
  • a drive 610 is also connected to the I/O interface 605 as needed.
  • a removable medium 611 such as a magnetic disk, optical disk, magneto-optical disk, semiconductor memory, etc. is mounted on the drive 610 as necessary so that a computer program read therefrom is installed into the storage section 608 as necessary.
  • the processes described above with reference to the flowcharts can be implemented as computer software programs.
  • the embodiments of the present disclosure include a computer program product, which includes a computer program carried on a computer-readable storage medium, where the computer program includes program codes for executing the methods shown in the flowcharts.
  • the computer program may be downloaded and installed from a network via the communication section 609 and/or installed from the removable medium 611, and is executed by the central processing unit (CPU) 601.
  • the computer-readable storage medium shown in the present disclosure may be a computer-readable signal medium or a computer-readable storage medium or any combination of the above two.
  • a computer-readable storage medium may be, for example, but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of computer-readable storage media may include, but are not limited to, an electrical connection with one or more wires, a portable computer diskette, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above.
  • a computer-readable storage medium may be any tangible medium that contains or stores a program that can be used by or in conjunction with an instruction execution system, apparatus, or device.
  • a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, in which computer-readable program codes are carried. Such propagated data signals may take many forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination of the foregoing.
  • a computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium, which can send, propagate or transport a program for use by or in conjunction with an instruction execution system, apparatus or device.
  • Program code embodied on a computer-readable storage medium may be transmitted using any appropriate medium, including but not limited to wireless, wire, optical cable, RF, etc., or any suitable combination of the foregoing.
  • the present application also provides a computer-readable storage medium, which may be included in the device described in the above embodiments, or may exist independently without being assembled into the device.
  • the above computer-readable storage medium carries one or more programs, and when the one or more programs are executed by one of the devices, the device is enabled to implement functions including: the target access control network element receives the registration request sent by the target device; the target access control network element determines, according to the registration request, the target user identifier corresponding to the target device and the target access method by which the target device accesses the network system; the target access control network element requests from the target blockchain the target authentication server address corresponding to the target access method and the target subscription database address corresponding to the target user identifier; the target access control network element sends, according to the target authentication server address, an authentication request carrying the address of the target subscription database to the target authentication server, so that the target authentication server accesses the target subscription database according to that address to obtain the target subscription data corresponding to the target device, so that the target device is authenticated.
  • a computer program product or computer program comprising computer instructions stored in a computer readable storage medium.
  • the processor of the computer device reads the computer instruction from the computer-readable storage medium, and the processor executes the computer instruction, so that the computer device executes the methods provided in various optional implementation manners of the foregoing embodiments.
  • Fig. 7 is a schematic structural diagram of an authentication device according to some embodiments of the present disclosure.
  • the authentication device in the embodiment of the present disclosure is set in the target access control network element.
  • the authentication device 700 includes: a receiving module 710 , a determining module 720 , a requesting module 730 , and a sending module 740 .
  • the receiving module 710 is configured to receive the registration request sent by the target device.
  • the determining module 720 is configured to determine a target user identifier corresponding to the target device and a target access method for the target device to access the network system according to the registration request.
  • the requesting module 730 is configured to request from the target blockchain the address of the target authentication server corresponding to the target access method and the address of the target subscription database corresponding to the target user ID.
  • the sending module 740 is configured to send an authentication request carrying the target subscription database address to the target authentication server according to the target authentication server address, so that the target authentication server accesses the target subscription database according to the target subscription database address to obtain the target subscription data corresponding to the target device, whereby the target device is authenticated based on the target subscription data.
  • the authentication device in the embodiment of the present disclosure can dynamically adapt different authentication servers for devices with different access modes, and can adapt the subscription database without relying on the user number segment.
  • the technical solutions of the embodiments of the present disclosure can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive or portable hard disk) and includes several instructions for causing a computing device (which may be a personal computer, a server, a mobile terminal, a smart device, etc.) to execute the method according to the embodiments of the present disclosure, such as the steps shown in FIG. 3.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Provided in the present disclosure are an authentication method and system, and an electronic device and a computer-readable storage medium. The authentication method comprises: a target access control network element receiving a registration request, which is sent by a target device; the target access control network element determining, according to the registration request, a target user identifier corresponding to the target device, and a target access mode in which the target device accesses a network system; the target access control network element requesting from a target blockchain a target authentication server address, which corresponds to the target access mode, and a target subscription database address, which corresponds to the target user identifier; and according to the target authentication server address, the target access control network element sending to a target authentication server an authentication request carrying the target subscription database address, so that the target authentication server accesses the target subscription database according to the target subscription database address to obtain target subscription data corresponding to the target device, so as to authenticate the target device according to the target subscription data.

Description

Authentication method, system, electronic device and computer-readable storage medium
Cross-reference to related applications
This application is based on, and claims priority from, the CN application with application number 202111559465.7 filed on December 20, 2021; the disclosure of that CN application is incorporated herein in its entirety.
Technical field
The present disclosure relates to the field of communication technology, and in particular to an authentication method, system, electronic device and computer-readable storage medium.
Background
In order to ensure that a terminal accessing the network system is legitimate and secure, the network system usually needs to authenticate the terminal when it accesses. In the terminal authentication flow of related networks, the addressing of the Authentication Server Function (AUSF) and the Unified Data Management (UDM) function is implemented through a service discovery flow or static configuration, and must be performed on the basis of the user number segment. As mobile services grow richer, the types of access terminals in the live network keep increasing. In addition, future 6G networks will realize ubiquitous air-space-ground integrated connectivity, in which the equipment of multiple operators, such as mobile operator equipment and satellite operator equipment, together forms the future mobile network; considering the cost of base station construction, only one operator's base station nodes may exist in a given area. A more flexible addressing method is therefore required in the user identity authentication process.
Summary
The purpose of the present disclosure is to provide an authentication method, system, electronic device and computer-readable storage medium.
Other features and advantages of the present disclosure will become apparent from the following detailed description, or in part be learned by practice of the present disclosure.
According to one aspect of the present disclosure, an authentication method is provided, including: a target access control network element receives a registration request sent by a target device; the target access control network element determines, according to the registration request, a target user identifier of the target device and a target access mode in which the target device accesses the network system; the target access control network element requests from a target blockchain a target authentication server address corresponding to the target access mode and a target subscription database address corresponding to the target user identifier, where at least one authentication server address and at least one subscription database address are stored in the target blockchain, the at least one authentication server includes the target authentication server, and the at least one subscription database address includes the target subscription database address; the target access control network element sends, according to the target authentication server address, an authentication request carrying the target subscription database address to the target authentication server, so that the target authentication server accesses the target subscription database according to the target subscription database address to obtain target subscription data corresponding to the target device, and thereby authenticates the target device according to the target subscription data.
In some embodiments, the target access control network element requesting from the target blockchain the target authentication server address corresponding to the target access mode and the target subscription database address corresponding to the target user identifier includes: the target access control network element sends the target user identifier of the target device, a target security token and the target access mode to the target blockchain; the target access control network element receives the target authentication server address corresponding to the target access mode and the target subscription database address corresponding to the target user identifier returned by the target blockchain.
In some embodiments, the target access control network element sending the target user identifier of the target device, the target security token and the target access mode to the target blockchain includes: the target access control network element sends, through a target blockchain network element, the target user identifier of the target device, the target security token and the target access mode to the target blockchain.
In some embodiments, the registration request carries a target security token of the target device, the target security token being generated from a target random number issued by a target operation platform; wherein the target access control network element requesting from the target blockchain the target authentication server address corresponding to the target access mode and the target subscription database address corresponding to the target user identifier includes: the target access control network element sends the target user identifier of the target device, the target security token and the target access mode to the target blockchain; the target blockchain determines, according to the target user identifier, a target authority credential corresponding to the target device, the target authority credential having been generated according to the target random number issued by the target operation platform to the target device; if the target blockchain determines that the target authority credential matches the target security token, it determines the target authentication server address corresponding to the target access mode and the target subscription database address corresponding to the target user identifier; the target blockchain returns the target authentication server address corresponding to the target access mode and the target subscription database address corresponding to the target user identifier to the target access control network element.
在一些实施例中,所述目标接入控制网元向所述目标区块链发送所述目标设备的目标用户标识、所述目标安全令牌以及所述目标接入方式,包括:所述目标接入控制网元向目标区块链网元发送携带所述目标设备的目标用户标识、所述目标安全令牌以及所述目标接入方式的认证请求;所述目标区块链网元根据所述认证请求向所述目标 区块链发送所述目标设备的目标用户标识、所述目标安全令牌以及所述目标接入方式,以向所述目标区块链请求与所述目标接入方式对应的目标认证服务器地址和与所述目标用户标识对应的目标签约数据库地址。In some embodiments, the target access control network element sends the target user ID of the target device, the target security token, and the target access method to the target block chain, including: the target The access control network element sends an authentication request carrying the target user ID of the target device, the target security token, and the target access mode to the target blockchain network element; The authentication request sends the target user ID of the target device, the target security token, and the target access method to the target block chain, so as to request the target block chain to match the target access method The corresponding target authentication server address and the target subscription database address corresponding to the target user identifier.
在一些实施例中,所述目标接入控制网元向目标区块链请求与所述目标接入方式对应的目标认证服务器地址和与所述目标用户标识对应的目标签约数据库地址,包括:所述目标接入控制网元向目标区块链请求与所述目标接入方式对应的目标认证服务器地址、与所述目标用户标识对应的目标签约数据库地址、和与所述目标设备的签约数据对应的目标密钥;其中,所述目标接入控制网元根据所述目标认证服务器地址向目标认证服务器发送携带所述目标签约数据库地址的认证请求,以便所述目标认证服务器根据所述目标签约数据库地址访问目标签约数据库以获得所述目标设备对应的目标签约数据,包括:所述目标接入控制网元将携带所述目标签约数据库地址和所述目标密钥的认证请求发送给所述目标认证服务器地址对应的目标认证服务器,以便所述目标认证服务器根据所述目标签约数据库地址访问目标签约数据库以通过所述目标密钥获得所述目标设备对应的目标签约数据。In some embodiments, the target access control network element requests the target blockchain for the address of the target authentication server corresponding to the target access method and the address of the target subscription database corresponding to the target user identifier, including: The target access control network element requests the target block chain for the address of the target authentication server corresponding to the target access method, the address of the target subscription database corresponding to the target user identifier, and the address corresponding to the contract data of the target device target key; wherein, the target access control network element sends an authentication request carrying the address of the target subscription database to the target authentication server according to the address of the target authentication server, so that the target authentication server The address accessing the target subscription database to obtain the target subscription data corresponding to the target device includes: the target access control network element sending an authentication request carrying the address of the target subscription database and the target key to the target authentication The target authentication server corresponding to the server address, so that the target authentication server accesses the target contract database according to the target contract database address to obtain the target contract data corresponding to the target device through the target key.
在一些实施例中,在目标接入控制网元接收目标设备发送的注册请求之前,还包括:目标运营平台将所述目标设备对应的目标用户标识和目标签约数据存储至目标签约数据库,并将所述目标用户标识和目标签约数据库地址存储至目标区块链。In some embodiments, before the target access control network element receives the registration request sent by the target device, it further includes: the target operation platform stores the target user identifier and target subscription data corresponding to the target device in the target subscription database, and The target user identification and the target contract database address are stored in the target block chain.
在一些实施例中,在目标接入控制网元接收目标设备发送的注册请求之前,还包括:目标运营平台为所述目标设备进行签约开卡;所述目标运营平台为通过目标密钥对所述目标设备对应的目标签约数据进行加密以获得目标签约密文;所述目标运营平台将所述目标设备对应的目标用户标识和所述目标签约密文发送至目标签约数据库以进行存储;所述目标运营平台为接收所述目标签约数据库返回的目标签约数据库地址和所述目标用户标识;所述目标运营平台将所述目标用户标识、所述目标签约数据库地址以及所述目标密钥发送给所述目标区块链,以便所述目标区块链将所述目标用户标识、所述目标签约数据库地址以及所述目标密钥进行关联存储。In some embodiments, before the target access control network element receives the registration request sent by the target device, it further includes: the target operation platform signs a card for the target device; The target signing data corresponding to the target device is encrypted to obtain the target signing ciphertext; the target operation platform sends the target user identification corresponding to the target device and the target signing ciphertext to the target signing database for storage; the The target operation platform is to receive the target subscription database address and the target user identifier returned by the target subscription database; the target operation platform sends the target user identifier, the target subscription database address and the target key to the The target block chain, so that the target block chain associates and stores the target user identifier, the target subscription database address, and the target key.
在一些实施例中,所述方法还包括:所述目标运营平台为所述目标设备生成目标随机数;所述目标运营平台根据所述目标随机数生成目标权限凭证;所述目标运营平台将所述目标权限凭证发送给所述目标区块链,以便所述目标区块链将所述目标权限凭证与所述目标用户标识进行关联存储。In some embodiments, the method further includes: the target operation platform generates a target random number for the target device; the target operation platform generates a target permission credential according to the target random number; The target authority credential is sent to the target blockchain, so that the target blockchain associates and stores the target authority credential with the target user identifier.
在一些实施例中,在目标接入控制网元接收目标设备发送的注册请求之前,所述 方法包括:目标运营平台获取多个接入方式,所述多个接入方式包括所述目标接入方式;所述目标运营平台获取多个认证服务器的多个认证服务器地址,所述多个认证服务器地址包括所述目标认证服务器地址;所述目标运营平台根据各个认证服务器的认证方式为各个接入方式分别确定对应的认证服务器地址。In some embodiments, before the target access control network element receives the registration request sent by the target device, the method includes: the target operation platform acquires multiple access modes, the multiple access modes include the target access method; the target operation platform obtains multiple authentication server addresses of multiple authentication servers, and the multiple authentication server addresses include the address of the target authentication server; To determine the corresponding authentication server address respectively.
根据本公开的另一方面,提供了一种认证装置,设置在目标接入控制网元中,包括:接收模块,被配置为接收目标设备发送的注册请求;确定模块,被配置为根据所述注册请求确定所述目标设备对应的目标用户标识、和所述目标设备接入网络系统的目标接入方式;请求模块,被配置为向目标区块链请求与所述目标接入方式对应的目标认证服务器地址和与所述目标用户标识对应的目标签约数据库地址;发送模块,被配置为根据所述目标认证服务器地址向目标认证服务器发送携带所述目标签约数据库地址的认证请求,以便所述目标认证服务器根据所述目标签约数据库地址访问目标签约数据库以获得所述目标设备对应的目标签约数据,从而根据所述目标签约数据对所述目标设备进行认证。According to another aspect of the present disclosure, an authentication device is provided, which is set in a target access control network element, and includes: a receiving module configured to receive a registration request sent by a target device; a determining module configured to The registration request determines the target user identifier corresponding to the target device and the target access method for the target device to access the network system; the request module is configured to request the target block chain for the target corresponding to the target access method An authentication server address and a target subscription database address corresponding to the target user identifier; a sending module configured to send an authentication request carrying the target subscription database address to the target authentication server according to the target authentication server address, so that the target The authentication server accesses the target contract database according to the address of the target contract database to obtain target contract data corresponding to the target device, so as to authenticate the target device according to the target contract data.
根据本公开的再一方面,提供了一种认证系统,包括:目标区块链,所述目标区块链中存储有至少一个认证服务器地址和至少一个签约数据库地址,所述至少一个认证服务器包括目标认证服务器,所述至少一个签约数据库地址包括目标签约数据库地址;目标接入控制网元,被配置为:接收目标设备发送的注册请求;根据所述注册请求确定所述目标设备的目标用户标识、和所述目标设备接入网络系统的目标接入方式;向目标区块链请求与所述目标接入方式对应的目标认证服务器地址和与所述目标用户标识对应的目标签约数据库地址;根据所述目标认证服务器地址向目标认证服务器发送携带所述目标签约数据库地址的认证请求,以便所述目标认证服务器根据所述目标签约数据库地址访问目标签约数据库以获得所述目标设备对应的目标签约数据,从而根据所述目标签约数据对所述目标设备进行认证。According to another aspect of the present disclosure, an authentication system is provided, including: a target block chain, at least one authentication server address and at least one contract database address are stored in the target block chain, and the at least one authentication server includes The target authentication server, wherein the at least one subscription database address includes the target subscription database address; the target access control network element is configured to: receive a registration request sent by the target device; determine the target user identifier of the target device according to the registration request , and the target access method for the target device to access the network system; request the target authentication server address corresponding to the target access method and the target subscription database address corresponding to the target user identification from the target block chain; The address of the target authentication server sends an authentication request carrying the address of the target subscription database to the target authentication server, so that the target authentication server accesses the target subscription database according to the address of the target subscription database to obtain the target contract data corresponding to the target device , so as to authenticate the target device according to the target signing data.
在一些实施例中,还包括:目标运营平台,被配置为将所述目标设备对应的目标用户标识和目标签约数据存储至目标签约数据库,并将所述目标用户标识和目标签约数据库地址存储至目标区块链。In some embodiments, it also includes: a target operation platform configured to store the target user identifier and target subscription data corresponding to the target device in the target subscription database, and store the target user identifier and the target subscription database address in the target blockchain.
根据本公开的又一方面,提出一种电子设备,该电子设备包括:一个或多个处理器;存储装置,用于存储一个或多个程序,当所述一个或多个程序被所述电子设备执行,使得所述电子设备上述任一项所述的认证方法。According to yet another aspect of the present disclosure, an electronic device is proposed, the electronic device includes: one or more processors; a storage device for storing one or more programs, when the one or more programs are executed by the electronic The device executes the authentication method described in any one of the above electronic devices.
根据本公开的又一方面,提出一种计算机可读存储介质,其上存储有计算机程序, 所述程序被处理器执行时实现如上述任一项所述的认证方法。According to yet another aspect of the present disclosure, a computer-readable storage medium is provided, on which a computer program is stored, and when the program is executed by a processor, the authentication method described in any one of the above is implemented.
根据本公开的又一方面,提出一种计算机程序,包括:指令,所述指令当由处理器执行时使所述处理器执行如前所述的认证方法。According to still another aspect of the present disclosure, a computer program is proposed, including: instructions, which when executed by a processor cause the processor to execute the aforementioned authentication method.
应当理解的是,以上的一般描述和后文的细节描述仅是示例性的,并不能限制本公开。It is to be understood that both the foregoing general description and the following detailed description are exemplary only and are not restrictive of the present disclosure.
Description of drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and, together with the description, serve to explain the principles of the disclosure. Apparently, the drawings described below are only some embodiments of the present disclosure; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 shows an authentication method according to the related art.
Fig. 2 is a flowchart of an authentication method according to some exemplary embodiments.
Fig. 3 shows an authentication system according to some exemplary embodiments.
Fig. 4 is a sequence diagram of an authentication method according to some exemplary embodiments.
Fig. 5 is a sequence diagram of an authentication method according to some exemplary embodiments.
Fig. 6 is a schematic structural diagram of an electronic device suitable for implementing an embodiment of the present disclosure.
Fig. 7 is a schematic structural diagram of an authentication apparatus according to some embodiments of the present disclosure.
Detailed description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete and will fully convey the concept of the example embodiments to those skilled in the art. The same reference numerals denote the same or similar parts in the drawings, and their repeated description is therefore omitted.
The features, structures, or characteristics described in this disclosure may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided in order to give a thorough understanding of embodiments of the present disclosure. However, those skilled in the art will appreciate that the technical solutions of the present disclosure may be practiced without one or more of the specific details, or with other methods, components, apparatuses, steps, and so on. In other instances, well-known methods, apparatuses, implementations, or operations are not shown or described in detail so as not to obscure aspects of the present disclosure.
The drawings are only schematic illustrations of the present disclosure; the same reference numerals in the drawings denote the same or similar parts, and their repeated description is therefore omitted. Some of the block diagrams shown in the drawings do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or in different network and/or processor apparatuses and/or microcontroller apparatuses.
The flowcharts shown in the drawings are only exemplary illustrations; they need not include all contents and steps, nor need they be executed in the order described. For example, some steps may be split and others may be combined or partly combined, so the actual execution order may change according to the actual situation.
In this specification, the terms "a", "an", "the", and "at least one" are used to indicate the presence of one or more elements/components/etc.; the terms "comprising", "including", and "having" are used in an open, inclusive sense and mean that there may be additional elements/components/etc. beyond those listed; the terms "first", "second", "third", and so on are used only as labels and do not limit the number of their objects.
In order that the above objects, features, and advantages of the present disclosure may be understood more clearly, the present disclosure is described in further detail below with reference to the accompanying drawings and specific embodiments. It should be noted that, where there is no conflict, the embodiments of this application and the features in the embodiments may be combined with one another.
It should be noted in advance that the names used in this disclosure (for example, target access control network element, blockchain network element, and so on) are chosen according to functional characteristics; if other names are used to implement the same or similar functions, they still fall within the protection scope of the present disclosure.
The authentication process in the current mobile network system is shown in Fig. 1:
1. The user equipment UE sends a NAS message (a type of 5G message) to the AMF (Authentication Management Function), containing a SUCI (Subscription Concealed Identifier) or a 5G-GUTI (5G Globally Unique Temporary UE Identity), in order to register.
2. The AMF sends an authentication request to the AUSF (Authentication Server Function), containing the SUCI/SUPI (Subscription Permanent Identifier) and the serving network name.
3. The AUSF sends an authentication request to the UDM (Unified Data Management), containing the SUCI/SUPI and the serving network name.
4. The UDM resolves the SUCI to obtain the SUPI, determines the authentication method, and carries out the authentication processing.
During authentication, the AUSF and UDM are addressed by the AMF on the basis of the user identifier (that is, the user's number prefix or number segment).
This disclosure addresses the problem that, in current 5G identity authentication, routing to the UDM/AUSF can only be achieved through the user number segment, which lacks flexibility and scalability.
The present disclosure provides an authentication method, apparatus, electronic device, and computer-readable storage medium. When a target device sends a registration request, a corresponding target authentication server address and target subscription database address can be matched dynamically for the target device according to its target access method and target user identifier, so that the target device is authenticated through the target authentication server at the target authentication server address and the target subscription database at the target subscription database address. With this authentication method, different authentication servers can be adapted dynamically to devices with different access methods, and the subscription database can be matched without depending on the user number segment.
Before the mobile network authenticates a device, the target operation platform may perform subscription and card activation for the target device by the following method.
The target operation platform performs subscription and card activation for the target device; the target operation platform encrypts the target subscription data corresponding to the target device with a target key to obtain target subscription ciphertext; the target operation platform sends the target user identifier corresponding to the target device and the target subscription ciphertext to the target subscription database for storage; the target operation platform receives the target subscription database address and the target user identifier returned by the target subscription database; the target operation platform sends the target user identifier, the target subscription database address, and the target key to the target blockchain, so that the target blockchain stores the target user identifier, the target subscription database address, and the target key in association with one another.
Different operators may correspond to different operation platforms; this disclosure does not limit this step.
In this embodiment the data is stored through a blockchain, which, on the basis of keeping the data transparent and fair, also makes the data flow traceable. At the same time, the target subscription data is encrypted with the target key: on the one hand this keeps the data secure and prevents tampering, and on the other hand it guarantees during authentication that only the device corresponding to the target subscription data can hold the target key and decrypt the target ciphertext, which secures the authentication process.
In addition, the target operation platform also generates a target random number for the target device, then generates a target permission credential according to the target random number, and finally sends the target permission credential to the target blockchain, so that the target blockchain stores the target permission credential in association with the target user identifier.
Furthermore, the target operation platform also acquires multiple access methods, the multiple access methods including the target access method; the target operation platform may acquire multiple authentication server addresses of multiple authentication servers, the multiple authentication server addresses including the target authentication server address; the target operation platform may determine a corresponding authentication server address for each access method according to the authentication scheme of each authentication server.
In some embodiments, after the target operation platform has determined the corresponding authentication server address for each access method, it stores each authentication server address and its corresponding access method in association in the target blockchain.
The multiple access methods may include space-based access (for example, satellites), ground-based access (for example, base stations), and air-based access (for example, aircraft, drones, hot-air balloons, and so on); this disclosure does not limit them.
In the present disclosure, different authentication servers using different authentication technologies may be set up for different access methods, and of course the same authentication server may also be set up for different access methods; this disclosure does not limit this. In short, every access method has one authentication server corresponding to it.
Through the above method, the target blockchain can store at least one authentication server address and at least one subscription database address, where the at least one authentication server includes the target authentication server and the at least one subscription database address includes the target subscription database address. Each authentication server corresponds to at least one access method (that is, one authentication server address can be matched from an access method), and each subscription database corresponds to at least one user identifier (that is, one subscription database can store subscription data for multiple user identifiers, and one subscription database address can be matched from a user identifier).
图2是根据一示例性实施例示出的一种认证方法的流程图。Fig. 2 is a flowchart showing an authentication method according to an exemplary embodiment.
参照图2,本公开实施例提供的认证方法可以包括以下步骤。Referring to FIG. 2 , the authentication method provided by the embodiment of the present disclosure may include the following steps.
步骤S202,目标接入控制网元接收目标设备发送的注册请求。Step S202, the target access control network element receives the registration request sent by the target device.
在一些实施例中,目标设备可以在首次接入目标移动网络时向目标移动网络中的目标接入控制网元发送注册请求。In some embodiments, the target device may send a registration request to the target access control network element in the target mobile network when accessing the target mobile network for the first time.
目标接入控制网元可以是目标移动网网络系统中的任一设备,例如可以是5G网络中的AMF网元等,本公开对此不做限制。The target access control network element may be any device in the target mobile network system, for example, it may be an AMF network element in the 5G network, and the disclosure does not limit this.
目标设备可以是手机、电脑、笔记本等任意需要通信的电子设备,本公开对此不做限制。The target device may be any electronic device that needs to communicate, such as a mobile phone, a computer, and a notebook, and this disclosure does not limit it.
步骤S204,目标接入控制网元根据注册请求确定目标设备对应的目标用户标识、和目标设备接入网络系统的目标接入方式。In step S204, the target access control network element determines the target user ID corresponding to the target device and the target access method for the target device to access the network system according to the registration request.
在一些实施例中,上述目标接入方式可以是天基接入、地基接入、空基接入、固网接入等任意一种接入方式,本公开对此不做限制。In some embodiments, the above-mentioned target access method may be any access method such as space-based access, ground-based access, space-based access, fixed network access, etc., which is not limited in the present disclosure.
步骤S206,目标接入控制网元向目标区块链请求与目标接入方式对应的目标认证服务器地址和与目标用户标识对应的目标签约数据库地址。Step S206, the target access control network element requests the target blockchain for the target authentication server address corresponding to the target access mode and the target subscription database address corresponding to the target user ID.
在一些实施例中,目标接入控制网元可以根据目标接入方式向目标区块链请求对应的认证服务器地址,可以根据目标用户标识向目标区块链请求对应的签约数据库地址。In some embodiments, the target access control network element can request the corresponding authentication server address from the target blockchain according to the target access mode, and can request the corresponding subscription database address from the target blockchain according to the target user identifier.
The target blockchain can determine, from the pre-stored association between access modes and authentication server addresses, which of the at least one authentication server address corresponds to the target access mode, and can determine, from the pre-stored association between user identifiers and subscription database addresses, which of the at least one subscription database address corresponds to the target user identifier; it then returns the target authentication server address and the target subscription database address to the target access control network element.
In some embodiments, the registration request sent by the target device may also carry a target security token of the target device, which is generated from a target random number issued by the target operation platform. In that case, when the target access control network element requests from the target blockchain the target authentication server address corresponding to the target access mode and the target subscription database address, the target access control network element sends the target device's target user identifier, target security token and target access mode to the target blockchain; the target blockchain determines, from the target user identifier, the target permission credential corresponding to the target device, that credential having been generated from the target random number which the target operation platform issued to the target device; if the target blockchain determines that the target permission credential matches the target security token, it determines the target authentication server address corresponding to the target access mode and the target subscription database address corresponding to the target user identifier, and returns both addresses to the target access control network element.
Comparing the target security token against the target permission credential in this way protects the authentication process as a whole and prevents the addresses from being obtained by a party that does not hold the credential.
In other embodiments, the target access control network element sending the target device's target user identifier, target security token and target access mode to the target blockchain may comprise: the target access control network element sends an authentication request carrying the target user identifier, target security token and target access mode to the target blockchain network element; the target blockchain network element, in accordance with that authentication request, sends the target user identifier, target security token and target access mode to the target blockchain, so as to request from the target blockchain the target authentication server address corresponding to the target access mode and the target subscription database address corresponding to the target user identifier.
Here the target blockchain network element may be a node of the target blockchain. It may be located in the target network; for example, it may be the target access control network element itself, or it may be a device independent of the target access control network element. The present disclosure places no restriction on this.
Step S208: the target access control network element sends, to the target authentication server at the target authentication server address, an authentication request carrying the target subscription database address, so that the target authentication server accesses the target subscription database at that address to obtain the target subscription data corresponding to the target device and authenticates the target device against the target subscription data.
In some embodiments, the target access control network element may request that the target authentication server at the target authentication server address access the target subscription database at the target subscription database address, obtain the subscription data corresponding to the target device, and carry out authentication of the target device on that basis.
In some embodiments, the target access control network element requesting from the target blockchain the target authentication server address corresponding to the target access mode and the target subscription database address corresponding to the target user identifier comprises: the target access control network element requests from the target blockchain the target authentication server address corresponding to the target access mode, the target subscription database address corresponding to the target user identifier, and the target key corresponding to the subscription data of the target device.
In that case, the target access control network element sending the authentication request carrying the target subscription database address to the target authentication server, so that the target authentication server accesses the target subscription database to obtain the target subscription data, may comprise: the target access control network element sends the authentication request, the target subscription database address and the target key to the target authentication server at the target authentication server address, so that the target authentication server accesses the target subscription database at that address and uses the target key to obtain the target subscription data corresponding to the target device.
In this process the target subscription data is encrypted and decrypted with the target key, which improves the security of data transmission and prevents the subscription data from being read by anyone who does not hold the key.
The technical solution of this embodiment introduces blockchain technology and records the authentication server addresses and subscription database addresses on the blockchain. The terminal's security token is passed to the blockchain through the blockchain network element; once the blockchain has confirmed that the security token and the permission credential agree, it returns the subscription database address, the authentication server address and the key. When the access control network element sends its authentication request towards the blockchain it carries the access type and the user identifier; the blockchain returns a different authentication server for each access type and a different subscription database address for each user identifier. Different access modes may be served by different operators and therefore by different authentication servers, and different user identifiers may be served by different subscription databases. Even when a single operator provides the service, different access technologies may use different authentication servers, while the subscription database may be shared or separate.
This approach solves the routing and addressing problem of identity authentication when services are provided across operators, supports flexible selection of an independent subscription database and authentication server by access type, and offers one solution for the convergence of future (for example 6G) heterogeneous networks.
As shown in Figure 3, the authentication system corresponding to the authentication method of the present disclosure may include each operator's network devices, authentication servers, subscription databases and other equipment; these devices interact through a blockchain network, giving a decentralised, distributed deployment.
The network devices contain blockchain network elements that interact with the blockchain. The operator's operation platform records on the blockchain the correspondence between target user identifier and subscription database address, the correspondence between access mode and authentication server, and the association between user identifier and key. The blockchain network element obtains from the blockchain the authentication server address corresponding to the device's access mode, the subscription database address corresponding to the user identifier, and other information, and in this way the addressing step of the identity authentication process is completed.
In some embodiments, the operator's operation platform opens a card for the user, encrypts the user subscription data corresponding to the user card, stores the target user identifier together with the encrypted subscription data in the subscription database and receives the storage location in return; the operation platform selects a different authentication server for each access mode and obtains the authentication server address corresponding to each access mode. The operation platform records the returned information together with the decryption key on the blockchain. The operation platform also generates a random number and sends it to the terminal, generates a permission credential from the random number and sends that credential to the blockchain, which stores it locally.
In some embodiments, the addressing of the authentication server and subscription database is completed through the blockchain. The terminal device generates a security token from the random number and sends a registration request together with the security token to the access control network element. The access control network element determines the terminal's access mode and sends an authentication request to the blockchain network element. The blockchain network element queries the blockchain for the data needed for authentication and at the same time passes it the security token. After the blockchain has confirmed that the security token agrees with the permission credential, it returns the subscription database address, the authentication server address and the key to the blockchain network element. The blockchain network element passes these to the access control network element, which locates the authentication server by its address and sends it an authentication request carrying the subscription database address and the key. The authentication server locates the subscription database by the received address and sends it the authentication request together with the decryption key for the subscription data. The terminal and the network then complete the authentication procedure and the authentication result is returned to the terminal.
The authentication method corresponding to the system of Figure 3 can be described in detail with the sequence diagrams of Figure 4 and Figure 5.
First, the flow for writing the relevant data to the blockchain may be as shown in Figure 4:
1. The operator's operation platform opens a card for the user, encrypts the user subscription data corresponding to the user card, and stores the target user identifier together with the encrypted subscription data in the subscription database.
2. The subscription database returns to the operation platform the storage location of the subscription data corresponding to the target user identifier.
3. The operation platform selects a different authentication server for each access mode and associates each access mode with its authentication server.
4. The authentication server returns the authentication server address corresponding to the access mode.
Note: the order of steps 1-2 relative to steps 3-4 is not restricted; steps 3-4 may precede steps 1-2 or run concurrently with them.
5. The operation platform records the information returned above, together with the decryption key, on the blockchain.
Note: the authentication server address, the subscription database address and the decryption key may be stored on the blockchain as a single record or as separate records.
6. The operation platform provides the user-card information to the terminal. The user card is the mobile user's unique identity in the network: when the terminal accesses the network it supplies the user identifier, performs the computation defined by the authentication parameters stored on the card (such as the key K) and the algorithm, and provides the authentication response.
Note: this can be done either by writing to the USIM (Universal Subscriber Identity Module) or by OTA data writing. With USIM writing, the mobile equipment obtains the SUCI generated by the USIM through the GET IDENTITY command on the ME-UICC interface (ME: mobile equipment; UICC: Universal Integrated Circuit Card). OTA (Over The Air) data writing means synchronising the card authentication configuration data with the card authentication system by means of OTA data SMS.
7. The operation platform generates a first random number and sends it to the terminal.
8. The operation platform generates a permission credential from the first random number.
Note: the permission credential may be generated by hashing the random number, or by hashing the user identifier and the random number together.
9. The operation platform sends the permission credential to the blockchain.
10. The blockchain stores the permission credential locally and then updates its own stored information.
Second, the flow for addressing the authentication server and subscription database through the blockchain may be as shown in Figure 5:
1. The terminal device generates a security token from the first random number.
2. The terminal device sends the registration request and the security token to the access control network element.
3. The access control network element determines the terminal's access mode, which may be satellite access, fixed-network access, mobile access, and so on.
4. The access control network element sends an identity authentication request to the blockchain network element, containing the terminal's user identifier, access mode and security token.
5. The blockchain network element queries the blockchain for the data needed for identity authentication and at the same time sends it the security token.
6. The blockchain checks whether the security token is identical to the locally stored permission credential, then returns the subscription database address according to the target device's target user identifier and the authentication server address according to the access type.
Note: different access types such as satellite, fixed network and cellular may be served by different operators and therefore may have different authentication servers and subscription databases. In addition, a single operator may use different authentication technologies for different access modes, with authentication completed by different authentication servers, while the subscription database may be shared or separate; this method supports all of these arrangements.
7. After the blockchain has confirmed that the security token and the permission credential agree, it returns the subscription database address, the authentication server address and the key to the blockchain network element.
8. The blockchain network element sends the subscription database address, the authentication server address and the key to the access control network element.
9. The access control network element locates the authentication server by its address and sends it an authentication request carrying the subscription database address and the key.
10. The authentication server locates the subscription database by the received address.
11. Having found the subscription database for the user, it sends the authentication request and the decryption key for the subscription data to the subscription database.
12. The subscription database decrypts the encrypted data with the received key.
13. The terminal and the network complete the authentication and authorisation procedure, for example the EAP-AKA' or 5G AKA procedure used in 5G.
14. The authentication result is returned to the terminal, completing the authentication process.
Note: this method applies to 5G/6G networks. In one 5G embodiment the AMF is the access control network element, the AUSF is the authentication server and the UDM is the subscription database.
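As an added example (not the patent's code and not any operator's implementation), the following stdlib-only Python simulates both sequence diagrams: the write flow of Figure 4 (OperationPlatform.bind_access_mode and open_card) and the addressing flow of Figure 5 (Ledger.resolve and authenticate). Everything in it is assumed: the ledger is a plain in-memory mapping standing in for the blockchain, the addresses, user identifier and subscription record are constructed, the authenticated encryption is a SHA-256 counter-mode keystream with an HMAC tag (chosen only because the page names no cipher and the example should run without third-party packages), and the credential is the second variant from the note under step 8 of Figure 4, a hash of user identifier and random number together. Decryption is collapsed into the authentication server side rather than split between steps 11 and 12.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# All addresses, identifiers and the subscription record below are constructed for the example.

def _subkey(key, label):
    """Derive separate encryption and MAC keys from the single target key."""
    return hashlib.sha256(label + key).digest()

def _keystream(key, nonce, length):
    """SHA-256 in counter mode: a stdlib-only stand-in for a real cipher (demo only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt_subscription(key, plaintext):
    """Figure 4 step 1: subscription data is stored only as ciphertext (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def decrypt_subscription(key, blob):
    """Figure 5 step 12: the key holder recovers the data; a tampered blob is rejected."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("subscription ciphertext failed integrity check")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))

def permission_credential(user_id, rand):
    """Figure 4 step 8, second variant in its note: hash of user identifier and random number.
    The terminal computes exactly this value as its security token (Figure 5 step 1)."""
    return hashlib.sha256(user_id.encode() + rand).digest()

@dataclass
class Ledger:
    """Stand-in for the target blockchain: records the operation platform writes and never rewrites."""
    auth_servers: dict = field(default_factory=dict)  # access mode -> authentication server address
    subscribers: dict = field(default_factory=dict)   # user id -> {"sub_db", "key", "credential"}

    def resolve(self, user_id, token, access_mode):
        """Figure 5 steps 6-7: hand out addresses and key only when the token equals the credential."""
        record = self.subscribers.get(user_id)
        if record is None or not hmac.compare_digest(record["credential"], token):
            return None
        auth_server = self.auth_servers.get(access_mode)
        if auth_server is None:
            return None  # no authentication server was registered for this access mode
        return {"auth_server": auth_server, "sub_db": record["sub_db"], "key": record["key"]}

class OperationPlatform:
    """Figure 4 steps 1-10; subscription databases modelled as address -> {user id -> ciphertext}."""

    def __init__(self, ledger, sub_dbs):
        self.ledger, self.sub_dbs = ledger, sub_dbs

    def bind_access_mode(self, access_mode, auth_server):
        self.ledger.auth_servers[access_mode] = auth_server  # steps 3-5

    def open_card(self, user_id, subscription, sub_db):
        key = secrets.token_bytes(32)
        self.sub_dbs[sub_db][user_id] = encrypt_subscription(key, subscription)  # steps 1-2
        rand = secrets.token_bytes(16)                                           # step 7
        credential = permission_credential(user_id, rand)                        # step 8
        self.ledger.subscribers[user_id] = {"sub_db": sub_db, "key": key, "credential": credential}  # 5, 9-10
        return rand  # delivered to the terminal with the card data (steps 6-7)

def authenticate(ledger, sub_dbs, user_id, token, access_mode):
    """Figure 5 steps 4-12 as seen from the access control network element.
    Returns (authentication server address, decrypted subscription data) or None on any refusal."""
    hit = ledger.resolve(user_id, token, access_mode)
    if hit is None:
        return None
    # steps 9-11: request, subscription database address and key go to the authentication server,
    # which addresses the subscription database; step 12: the ciphertext is decrypted with the key.
    blob = sub_dbs[hit["sub_db"]].get(user_id)
    if blob is None:
        return None
    return hit["auth_server"], decrypt_subscription(hit["key"], blob)

def demo():
    """Provision one subscriber, then present a genuine token, a wrong token and an unknown access mode."""
    ledger, sub_dbs = Ledger(), {"udm-a.example": {}, "udm-b.example": {}}
    platform = OperationPlatform(ledger, sub_dbs)
    platform.bind_access_mode("satellite", "ausf-sat.example")
    platform.bind_access_mode("cellular", "ausf-cell.example")
    uid = "imsi-460000000000001"
    rand = platform.open_card(uid, b"constructed subscription record", "udm-b.example")
    token = permission_credential(uid, rand)  # computed on the terminal (Figure 5 step 1)
    return {
        "genuine": authenticate(ledger, sub_dbs, uid, token, "satellite"),
        "wrong_token": authenticate(ledger, sub_dbs, uid, bytes(32), "satellite"),
        "unknown_mode": authenticate(ledger, sub_dbs, uid, token, "wifi"),
    }
```

Two points the listing makes visible that the prose does not. The comparison in Ledger.resolve uses hmac.compare_digest rather than ==, so the lookup does not leak the stored credential through timing. And because the security token is a deterministic function of the one random number provisioned in Figure 4, the terminal presents the same token on every registration; the check therefore gates who may learn the addresses and key, while binding a particular request to a particular session is left to the EAP-AKA' or 5G AKA run of step 13, exactly as the page describes.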
The technical solution of this embodiment uses blockchain technology to solve the addressing of the home authentication server and subscription database, which greatly improves the reliability and flexibility of data sharing between operators.
For multi-access scenarios, the technical solution of this embodiment can select a different authentication server according to the access type, while the subscription database may be shared or separate, so different implementations are supported.
The present disclosure also provides an authentication system. The authentication system may include a target blockchain storing at least one authentication server address and at least one subscription database address, the at least one authentication server including the target authentication server and the at least one subscription database address including the target subscription database address. The authentication system further includes a target access control network element configured to: receive a registration request sent by a target device; determine from the registration request the target device's target user identifier and the target access mode by which the target device accesses the network system; request from the target blockchain the target authentication server address corresponding to the target access mode and the target subscription database address corresponding to the target user identifier; and send, to the target authentication server at the target authentication server address, an authentication request carrying the target subscription database address, so that the target authentication server accesses the target subscription database at that address to obtain the target subscription data corresponding to the target device and authenticates the target device against it.
In some embodiments, the registration request carries a target security token of the target device, generated from a target random number issued by the target operation platform; the target access control network element requesting from the target blockchain the target authentication server address corresponding to the target access mode and the target subscription database address corresponding to the target user identifier comprises:
the target access control network element sends the target device's target user identifier, target security token and target access mode to the target blockchain;
the target blockchain determines, from the target user identifier, the target permission credential corresponding to the target device, that credential having been generated from the target random number issued by the target operation platform to the target device;
if the target blockchain determines that the target permission credential matches the target security token, it determines the target authentication server address corresponding to the target access mode and the target subscription database address corresponding to the target user identifier.
In some embodiments, the target access control network element sending the target device's target user identifier, target security token and target access mode to the target blockchain comprises: the target access control network element sends an authentication request carrying the target user identifier, target security token and target access mode to the target blockchain network element; the target blockchain network element, in accordance with the authentication request, sends the target user identifier, target security token and target access mode to the target blockchain, so as to request from the target blockchain the target authentication server address corresponding to the target access mode and the target subscription database address corresponding to the target user identifier.
In some embodiments, the target access control network element requesting from the target blockchain the target authentication server address corresponding to the target access mode and the target subscription database address corresponding to the target user identifier comprises: the target access control network element requests from the target blockchain the target authentication server address corresponding to the target access mode, the target subscription database address corresponding to the target user identifier, and the target key corresponding to the subscription data of the target device; and the target access control network element sending an authentication request carrying the target subscription database address to the target authentication server, so that the target authentication server accesses the target subscription database to obtain the target subscription data, comprises: the target access control network element sends the authentication request, the target subscription database address and the target key to the target authentication server at the target authentication server address, so that the target authentication server accesses the target subscription database at that address and uses the target key to obtain the target subscription data corresponding to the target device.
In some embodiments, before the target access control network element receives the registration request sent by the target device, the method includes: the target operation platform subscribes the target device and opens a card for it; the target operation platform encrypts the target subscription data corresponding to the target device with the target key to obtain the target subscription ciphertext; the target operation platform sends the target user identifier corresponding to the target device and the target subscription ciphertext to the target subscription database for storage; the target operation platform receives the target subscription database address and the target user identifier returned by the target subscription database; and the target operation platform sends the target user identifier, the target subscription database address and the target key to the target blockchain, so that the target blockchain stores them in association with one another.
In some embodiments, the target operation platform is further configured to generate a target random number for the target device, generate a target permission credential from the target random number, and send the target permission credential to the target blockchain, so that the target blockchain stores the target permission credential in association with the target user identifier.
In some embodiments, before the target access control network element receives the registration request sent by the target device, the method further includes: the target operation platform obtains a plurality of access modes, including the target access mode; the target operation platform obtains a plurality of authentication server addresses of a plurality of authentication servers, including the target authentication server address; and the target operation platform determines, for each access mode, the corresponding target authentication server address according to the authentication method of each authentication server.
附图中的流程图和框图,图示了按照本申请各种实施例的系统、方法和计算机程序产品的可能实现的体系架构、功能和操作。在这点上,流程图或框图中的每个方框可以代表一个模块、程序段、或代码的一部分,上述模块、程序段、或代码的一部分包含一个或多个用于实现规定的逻辑功能的可执行指令。也应当注意,在有些作为替换的实现中,方框中所标注的功能也可以以不同于附图中所标注的顺序发生。例如,两个接连地表示的方框实际上可以基本并行地执行,它们有时也可以按相反的顺序执行,这依所涉及的功能而定。也要注意的是,框图或流程图中的每个方框、以及框图或流程图中的方框的组合,可以用执行规定的功能或操作的专用的基于硬件的系统来实现,或者可以用专用硬件与计算机指令的组合来实现。The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in a flowchart or block diagram may represent a module, program segment, or portion of code that includes one or more logical functions for implementing specified executable instructions. It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or they may sometimes be executed in the reverse order, depending upon the functionality involved. It should also be noted that each block in the block diagrams or flowchart illustrations, and combinations of blocks in the block diagrams or flowchart illustrations, can be implemented by a dedicated hardware-based system that performs the specified function or operation, or can be implemented by a A combination of dedicated hardware and computer instructions.
此外,上述附图仅是根据本公开示例性实施例的方法所包括的处理的示意性说明,而不是限制目的。易于理解,上述附图所示的处理并不表明或限制这些处理的时间顺序。另外,也易于理解,这些处理可以是例如在多个模块中同步或异步执行的。In addition, the above-mentioned drawings are only schematic illustrations of processes included in the method according to the exemplary embodiments of the present disclosure, and are not intended to be limiting. It is easy to understand that the processes shown in the above figures do not imply or limit the chronological order of these processes. In addition, it is also easy to understand that these processes may be executed synchronously or asynchronously in multiple modules, for example.
FIG. 6 shows a schematic structural diagram of an electronic device suitable for implementing an embodiment of the present disclosure. It should be noted that the electronic device 600 shown in FIG. 6 is only an example and should not impose any limitation on the functions or scope of use of the embodiments of the present disclosure.
As shown in FIG. 6, the electronic device 600 includes a central processing unit (CPU) 601, which can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 602 or a program loaded from a storage section 608 into a random access memory (RAM) 603. The RAM 603 also stores the various programs and data required for the operation of the electronic device 600. The CPU 601, the ROM 602 and the RAM 603 are connected to one another through a bus 604. An input/output (I/O) interface 605 is also connected to the bus 604.
The following components are connected to the I/O interface 605: an input section 606 including a keyboard, a mouse and the like; an output section 607 including a cathode ray tube (CRT), a liquid crystal display (LCD) and the like, as well as a speaker; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card or a modem. The communication section 609 performs communication processing via a network such as the Internet. A drive 610 is also connected to the I/O interface 605 as needed. A removable medium 611, such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory, is mounted on the drive 610 as needed, so that a computer program read from it can be installed into the storage section 608 as needed.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts can be implemented as computer software programs. For example, an embodiment of the present disclosure includes a computer program product comprising a computer program carried on a computer-readable storage medium, the computer program containing program code for executing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network via the communication section 609 and/or installed from the removable medium 611. When the computer program is executed by the central processing unit (CPU) 601, the above-mentioned functions defined in the system of the present application are performed.
It should be noted that the computer-readable storage medium shown in the present disclosure may be a computer-readable signal medium, a computer-readable storage medium, or any combination of the two. A computer-readable storage medium may be, for example, but not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above. In the present application, a computer-readable storage medium may be any tangible medium that contains or stores a program which can be used by, or in connection with, an instruction execution system, apparatus or device. In the present application, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, in which computer-readable program code is carried. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of the above. A computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium, which can send, propagate or transmit a program for use by, or in connection with, an instruction execution system, apparatus or device. The program code contained on the computer-readable storage medium may be transmitted by any appropriate medium, including but not limited to wireless, wire, optical cable, RF, etc., or any suitable combination of the above.
As another aspect, the present application also provides a computer-readable storage medium, which may be included in the device described in the above embodiments, or may exist separately without being assembled into that device. The computer-readable storage medium carries one or more programs which, when executed by the device, enable the device to implement functions including: a target access control network element receives a registration request sent by a target device;
the target access control network element determines, according to the registration request, a target user identifier corresponding to the target device and a target access method by which the target device accesses the network system; the target access control network element requests from a target blockchain a target authentication server address corresponding to the target access method and a target subscription database address corresponding to the target user identifier; and the target access control network element sends, according to the target authentication server address, an authentication request carrying the target subscription database address to the target authentication server, so that the target authentication server accesses the target subscription database according to the target subscription database address to obtain the target subscription data corresponding to the target device, and authenticates the target device according to the target subscription data.
According to an aspect of the present application, a computer program product or computer program is provided, which includes computer instructions stored in a computer-readable storage medium. A processor of a computer device reads the computer instructions from the computer-readable storage medium and executes them, causing the computer device to perform the methods provided in the various optional implementations of the above embodiments.
According to an aspect of the present disclosure, an authentication apparatus is also provided. FIG. 7 is a schematic structural diagram of an authentication apparatus according to some embodiments of the present disclosure. The authentication apparatus of the embodiments of the present disclosure is arranged in the target access control network element. As shown in FIG. 7, the authentication apparatus 700 includes a receiving module 710, a determining module 720, a requesting module 730 and a sending module 740.
The receiving module 710 is configured to receive a registration request sent by a target device.
The determining module 720 is configured to determine, according to the registration request, a target user identifier corresponding to the target device and a target access method by which the target device accesses the network system.
The requesting module 730 is configured to request from a target blockchain a target authentication server address corresponding to the target access method and a target subscription database address corresponding to the target user identifier.
The sending module 740 is configured to send, according to the target authentication server address, an authentication request carrying the target subscription database address to the target authentication server, so that the target authentication server accesses the target subscription database according to the target subscription database address to obtain the target subscription data corresponding to the target device, and authenticates the target device according to the target subscription data.
The authentication apparatus of the embodiments of the present disclosure can dynamically assign different authentication servers to devices with different access methods, and can locate the subscription database without relying on the user number segment.
From the description of the above embodiments, those skilled in the art will readily understand that the example embodiments described here can be implemented by software, or by software combined with the necessary hardware. Therefore, the technical solutions of the embodiments of the present disclosure can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a removable hard disk, etc.) and includes several instructions for causing a computing device (which may be a personal computer, a server, a mobile terminal, a smart device, etc.) to execute the method according to the embodiments of the present disclosure, for example the steps shown in FIG. 3.
Other embodiments of the present disclosure will be readily apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. The present disclosure is intended to cover any variations, uses or adaptations of the present disclosure that follow its general principles and include common knowledge or customary technical means in the technical field that are not disclosed herein. The specification and examples are to be considered exemplary only, with the true scope and spirit of the present disclosure indicated by the claims.
It should be understood that the present disclosure is not limited to the detailed structures, drawings or implementation methods shown herein; on the contrary, the present disclosure is intended to cover the various modifications and equivalent arrangements falling within the spirit and scope of the appended claims.

Claims (16)

  1. An authentication method, comprising:
    a target access control network element receives a registration request sent by a target device;
    the target access control network element determines, according to the registration request, a target user identifier corresponding to the target device and a target access method by which the target device accesses the network system;
    the target access control network element requests from a target blockchain a target authentication server address corresponding to the target access method and a target subscription database address corresponding to the target user identifier, the target blockchain storing at least one authentication server address and at least one subscription database address, the at least one authentication server including the target authentication server, and the at least one subscription database address including the target subscription database address;
    the target access control network element sends, according to the target authentication server address, an authentication request carrying the target subscription database address to the target authentication server, so that the target authentication server accesses the target subscription database according to the target subscription database address to obtain the target subscription data corresponding to the target device, and authenticates the target device according to the target subscription data.
  2. The authentication method according to claim 1, wherein the target access control network element requesting from the target blockchain the target authentication server address corresponding to the target access method and the target subscription database address corresponding to the target user identifier comprises:
    the target access control network element sends the target user identifier of the target device, a target security token and the target access method to the target blockchain;
    the target access control network element receives, returned by the target blockchain, the target authentication server address corresponding to the target access method and the target subscription database address corresponding to the target user identifier.
  3. The authentication method according to claim 2, wherein the target access control network element sending the target user identifier of the target device, the target security token and the target access method to the target blockchain comprises:
    the target access control network element sends, through a target blockchain network element, the target user identifier of the target device, the target security token and the target access method to the target blockchain.
  4. The authentication method according to claim 1, wherein the registration request carries a target security token of the target device, the target security token being generated from a target random number issued by a target operation platform; and wherein the target access control network element requesting from the target blockchain the target authentication server address corresponding to the target access method and the target subscription database address corresponding to the target user identifier comprises:
    the target access control network element sends the target user identifier of the target device, the target security token and the target access method to the target blockchain;
    the target blockchain determines, according to the target user identifier, a target permission credential corresponding to the target device, the target permission credential being generated from the target random number issued by the target operation platform to the target device;
    if the target blockchain determines that the target permission credential matches the target security token, it determines the target authentication server address corresponding to the target access method and the target subscription database address corresponding to the target user identifier;
    the target blockchain returns the target authentication server address corresponding to the target access method and the target subscription database address corresponding to the target user identifier to the target access control network element.
  5. The authentication method according to claim 4, wherein the target access control network element sending the target user identifier of the target device, the target security token and the target access method to the target blockchain comprises:
    the target access control network element sends an authentication request carrying the target user identifier, the target security token and the target access method to a target blockchain network element;
    the target blockchain network element sends, according to the authentication request, the target user identifier, the target security token and the target access method to the target blockchain, so as to request from the target blockchain the target authentication server address corresponding to the target access method and the target subscription database address corresponding to the target user identifier.
  6. The authentication method according to claim 1, wherein the target access control network element requesting from the target blockchain the target authentication server address corresponding to the target access method and the target subscription database address corresponding to the target user identifier comprises:
    the target access control network element requests from the target blockchain the target authentication server address corresponding to the target access method, the target subscription database address corresponding to the target user identifier, and a target key corresponding to the subscription data of the target device;
    and wherein the target access control network element sending, according to the target authentication server address, the authentication request carrying the target subscription database address to the target authentication server, so that the target authentication server accesses the target subscription database according to the target subscription database address to obtain the target subscription data corresponding to the target device, comprises:
    the target access control network element sends an authentication request carrying the target subscription database address and the target key to the target authentication server corresponding to the target authentication server address, so that the target authentication server accesses the target subscription database according to the target subscription database address and obtains the target subscription data corresponding to the target device by means of the target key.
  7. The authentication method according to claim 1, further comprising, before the target access control network element receives the registration request sent by the target device:
    a target operation platform stores the target user identifier and the target subscription data corresponding to the target device in the target subscription database, and stores the target user identifier and the target subscription database address in the target blockchain.
  8. The authentication method according to claim 1, further comprising, before the target access control network element receives the registration request sent by the target device:
    a target operation platform registers a subscription and activates a card for the target device;
    the target operation platform encrypts the target subscription data corresponding to the target device with a target key to obtain a target subscription ciphertext;
    the target operation platform sends the target user identifier corresponding to the target device and the target subscription ciphertext to the target subscription database for storage;
    the target operation platform receives the target subscription database address and the target user identifier returned by the target subscription database;
    the target operation platform sends the target user identifier, the target subscription database address and the target key to the target blockchain, so that the target blockchain stores the target user identifier, the target subscription database address and the target key in association with one another.
  9. The authentication method according to claim 8, further comprising:
    the target operation platform generates a target random number for the target device;
    the target operation platform generates a target permission credential according to the target random number;
    the target operation platform sends the target permission credential to the target blockchain, so that the target blockchain stores the target permission credential in association with the target user identifier.
  10. The authentication method according to claim 1, further comprising, before the target access control network element receives the registration request sent by the target device:
    a target operation platform obtains a plurality of access methods, the plurality of access methods including the target access method;
    the target operation platform obtains a plurality of authentication server addresses of a plurality of authentication servers, the plurality of authentication server addresses including the target authentication server address;
    the target operation platform determines, according to the authentication mode of each authentication server, the corresponding target authentication server address for each access method.
  11. An authentication apparatus, arranged in a target access control network element, comprising:
    a receiving module configured to receive a registration request sent by a target device;
    a determining module configured to determine, according to the registration request, a target user identifier corresponding to the target device and a target access method by which the target device accesses the network system;
    a requesting module configured to request from a target blockchain a target authentication server address corresponding to the target access method and a target subscription database address corresponding to the target user identifier;
    a sending module configured to send, according to the target authentication server address, an authentication request carrying the target subscription database address to the target authentication server, so that the target authentication server accesses the target subscription database according to the target subscription database address to obtain the target subscription data corresponding to the target device, and authenticates the target device according to the target subscription data.
  12. An authentication system, comprising:
    a target blockchain storing at least one authentication server address and at least one subscription database address, the at least one authentication server including a target authentication server, and the at least one subscription database address including a target subscription database address; and
    a target access control network element configured to:
    receive a registration request sent by a target device;
    determine, according to the registration request, a target user identifier of the target device and a target access method by which the target device accesses the network system;
    request from the target blockchain the target authentication server address corresponding to the target access method and the target subscription database address corresponding to the target user identifier;
    send, according to the target authentication server address, an authentication request carrying the target subscription database address to the target authentication server, so that the target authentication server accesses the target subscription database according to the target subscription database address to obtain the target subscription data corresponding to the target device, and authenticates the target device according to the target subscription data.
  13. The authentication system according to claim 12, further comprising:
    a target operation platform configured to store the target user identifier and the target subscription data corresponding to the target device in the target subscription database, and to store the target user identifier and the target subscription database address in the target blockchain.
  14. An electronic device, characterized in that it comprises:
    a memory;
    and a processor coupled to the memory;
    the electronic device being configured to execute the authentication method according to any one of claims 1-10 based on instructions stored in the memory.
  15. A computer-readable storage medium on which a program is stored, the program, when executed by a processor, implementing the authentication method according to any one of claims 1-10.
  16. A computer program, comprising:
    instructions which, when executed by a processor, cause the processor to perform the authentication method according to any one of claims 1-10.
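The flow in claims 1, 4 and 6-10 (and the storage-medium functions summarised above), as an added offline simulation that is not the patent's own code: the operation platform encrypts subscription data, registers the database address, key and permission credential in a ledger that stands in for the target blockchain, and the access control network element resolves the per-access-method authentication server and lets it decrypt and verify. The counter-mode SHA-256 cipher, the HMAC device proof, and every name and address are assumptions.

```python
"""Constructed simulation of the blockchain-assisted authentication flow.
Addresses, identifiers and the toy cipher are placeholders, not values
from the patent."""
import hashlib
import hmac
import secrets

# Claim 10: one authentication server per access method (constructed mapping).
ACCESS_METHOD_TO_AUTH_SERVER = {
    "5g_nr": "auth-5g.example.invalid",
    "wlan": "auth-wlan.example.invalid",
}


def _stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the patent's unspecified cipher: SHA-256 counter keystream.
    XOR is symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


def credential_from_nonce(nonce: bytes) -> bytes:
    """Claims 4 and 9: the ledger-side permission credential and the device-side
    security token are both derived from the random number the platform issued."""
    return hashlib.sha256(b"credential|" + nonce).digest()


class SubscriptionDatabase:
    def __init__(self, address: str):
        self.address = address
        self.rows = {}  # user_id -> subscription ciphertext (claim 8)


class Ledger:
    """The target blockchain, modelled as two append-only maps."""
    def __init__(self):
        self.users = {}  # user_id -> {db_address, key, credential}
        self.auth_servers = dict(ACCESS_METHOD_TO_AUTH_SERVER)

    def resolve(self, user_id, token, access_method):
        rec = self.users.get(user_id)
        if rec is None or not hmac.compare_digest(rec["credential"], token):
            return None  # claim 4: credential must match the security token
        server = self.auth_servers.get(access_method)
        if server is None:
            return None  # no authentication server registered for this access method
        return {"auth_server": server, "db_address": rec["db_address"], "key": rec["key"]}


def operation_platform_provision(ledger, db, user_id, device_secret):
    """Claims 7-9: encrypt and store subscription data, register address, key
    and credential in the ledger, hand the random number to the device."""
    key = secrets.token_bytes(32)
    db.rows[user_id] = _stream_xor(key, device_secret)
    nonce = secrets.token_bytes(16)
    ledger.users[user_id] = {"db_address": db.address, "key": key,
                             "credential": credential_from_nonce(nonce)}
    return nonce


def auth_server_verify(databases, db_address, key, user_id, proof):
    """Claim 6: fetch the ciphertext by address, decrypt with the ledger-supplied
    key, and check the device proof against the recovered subscription secret."""
    db = databases.get(db_address)
    if db is None or user_id not in db.rows:
        return False
    secret = _stream_xor(key, db.rows[user_id])
    expected = hmac.new(secret, user_id.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, proof)


def device_registration_request(user_id, access_method, nonce, device_secret):
    """Registration request: token from the nonce; the HMAC proof is an assumed
    way for the device to demonstrate knowledge of its subscription data."""
    return {"user_id": user_id, "access_method": access_method,
            "token": credential_from_nonce(nonce),
            "proof": hmac.new(device_secret, user_id.encode(), hashlib.sha256).digest()}


def access_control_handle(ledger, databases, request):
    """Claims 1 and 4: the access control network element's side of the exchange."""
    resolved = ledger.resolve(request["user_id"], request["token"], request["access_method"])
    if resolved is None:
        return {"ok": False, "auth_server": None, "reason": "ledger rejected token or access method"}
    ok = auth_server_verify(databases, resolved["db_address"], resolved["key"],
                            request["user_id"], request["proof"])
    return {"ok": ok, "auth_server": resolved["auth_server"],
            "reason": "authenticated" if ok else "subscription check failed"}


def demo():
    ledger = Ledger()
    db = SubscriptionDatabase("udm-east.example.invalid")  # chosen by address, not number segment
    databases = {db.address: db}
    user, secret = "user-constructed-0001", b"subscription-secret-K"
    nonce = operation_platform_provision(ledger, db, user, secret)
    good = access_control_handle(ledger, databases,
                                 device_registration_request(user, "wlan", nonce, secret))
    bad_token = access_control_handle(ledger, databases,
                                      device_registration_request(user, "wlan", b"x" * 16, secret))
    bad_secret = access_control_handle(ledger, databases,
                                       device_registration_request(user, "5g_nr", nonce, b"wrong"))
    return good, bad_token, bad_secret


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The two failure cases show the two checkpoints: a token that does not match the ledger credential is rejected before any authentication server is contacted, while a wrong subscription secret is only caught by the authentication server after it has decrypted the stored record.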
PCT/CN2022/105156 2021-12-20 2022-07-12 Authentication method and system, and electronic device and computer-readable storage medium WO2023115913A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202111559465.7A CN114286342B (en) 2021-12-20 2021-12-20 Authentication method, authentication system, electronic device, and computer-readable storage medium
CN202111559465.7 2021-12-20

Publications (1)

Publication Number Publication Date
WO2023115913A1 true WO2023115913A1 (en) 2023-06-29

Family

ID=80873379

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/105156 WO2023115913A1 (en) 2021-12-20 2022-07-12 Authentication method and system, and electronic device and computer-readable storage medium

Country Status (2)

Country Link
CN (1) CN114286342B (en)
WO (1) WO2023115913A1 (en)


Also Published As

Publication number Publication date
CN114286342A (en) 2022-04-05
CN114286342B (en) 2024-01-02
