WO2023116784A1 - Base station access control method, base station, blockchain system, and storage medium - Google Patents


Info

Publication number: WO2023116784A1
Authority: WO, WIPO (PCT)
Prior art keywords: base station, identity, information, certificate, request
Application number: PCT/CN2022/140789
Other languages: French (fr), Chinese (zh)
Inventors: 侯芳, 范璟玮
Original assignee: 中兴通讯股份有限公司 (ZTE Corporation)

Classifications (CPC)

    • H04W12/069: Authentication using certificates or pre-shared keys (under H04W12/00, Security arrangements; Authentication; Protecting privacy or anonymity, and H04W12/06, Authentication)
    • H04L47/70: Admission control; Resource allocation (under H04L47/00, Traffic control in data switching networks)
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3239: as H04L9/32, using cryptographic hash functions (H04L9/3236) involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • H04L9/3263: as H04L9/32, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04W48/20: Selecting an access point (under H04W48/00, Access restriction; Network selection; Access point selection)

Definitions

  • the present application relates to the field of communication technology, and in particular to a base station access control method, a base station, a blockchain system, and a computer-readable storage medium.
  • the access network and core network of 4G/5G communication adopt the X.509 certificate mode based on the public key infrastructure (Public Key Infrastructure, PKI) to perform access authentication of equipment, network elements, and functional modules.
  • Embodiments of the present application provide a base station access control method, electronic equipment, and a computer-readable storage medium.
  • the embodiment of the present application provides a base station access control method applied to a base station. The method includes: sending first authentication request information to the blockchain system, the first authentication request information carrying the identity certificate of the base station; obtaining first identity certificate issuance information sent by the blockchain system, which the blockchain system generates from the identity certificate once it has confirmed, based on the first authentication request information, that the identity certificate is stored; and accessing the gateway according to the first identity certificate issuance information.
  • the embodiment of the present application also provides a base station access control method applied to a blockchain system. The method includes: receiving first authentication request information sent by the base station, the first authentication request information carrying the identity certificate of the base station; in the case of confirming, based on the first authentication request information, that the identity certificate is stored, generating first identity certificate issuance information according to the identity certificate; and sending the first identity certificate issuance information, used for accessing the gateway, to the base station.
  • an embodiment of the present application provides a base station, including a memory, a processor, and a computer program stored in the memory and operable on the processor; when executing the computer program, the processor implements the base station access control method of the first aspect.
  • an embodiment of the present application provides a blockchain system, including a memory, a processor, and a computer program stored in the memory and operable on the processor; when executing the computer program, the processor implements the base station access control method of the second aspect.
  • the embodiment of the present application provides a computer-readable storage medium storing computer-executable instructions, which are used to make a computer execute the base station access control method of the first aspect or the second aspect.
  • FIG. 1 is a schematic diagram of a system architecture for performing a base station access control method provided by an embodiment of the present application
  • Fig. 2 is a schematic diagram of a system framework of a base station access control method provided by an embodiment
  • FIG. 3 is a flowchart of a base station access control method provided by an embodiment of the present application.
  • FIG. 4 is a schematic diagram of a traditional CA registration review method
  • Fig. 5 is a schematic diagram of a model of an identity certificate provided by an embodiment of the present application.
  • Fig. 6 is a specific method flowchart of step S300 in Fig. 3;
  • FIG. 7 is a flowchart of a base station access control method provided by an embodiment of the present application.
  • FIG. 8 is a flowchart of a base station access control method provided by an embodiment of the present application.
  • FIG. 9 is a flowchart of a base station access control method provided by an embodiment of the present application.
  • FIG. 10 is a flowchart of a base station access control method provided in another embodiment of the present application.
  • FIG. 11 is a flowchart of a base station access control method provided in another embodiment of the present application.
  • FIG. 12 is a flowchart of a base station access control method provided in another embodiment of the present application.
  • FIG. 13 is a flowchart of a base station access control method provided in another embodiment of the present application.
  • Fig. 14 is a schematic diagram of a system framework of a base station access gateway provided in a specific example of the present application.
  • FIG. 15 is a flowchart of a base station access control method provided in another embodiment of the present application.
  • Fig. 16 is a schematic diagram of a system framework for network management user authorization provided by a specific example of the present application.
  • FIG. 17 is a flowchart of a base station access control method provided in another embodiment of the present application.
  • Fig. 18 is a schematic diagram of a system framework for network management user authentication provided by a specific example of the present application.
  • FIG. 19 is a flowchart of a base station access control method provided in another embodiment of the present application.
  • Fig. 20 is a schematic diagram of an architecture for verifying a server certificate according to a TLSA record provided by a specific example.
  • Embodiments of the present application provide a base station access control method, electronic equipment, and a computer-readable storage medium. Since the first authentication request information sent by the base station carries the relevant identity certificate, the blockchain system obtains the identity certificate of the base station at the same time as it obtains the first authentication request information. When the stored identity certificate is confirmed based on the first authentication request information, the blockchain system generates the first identity certificate issuance information and sends it to the base station, informing it that its identity certificate has been incorporated into the blockchain system for management; the base station then accesses the gateway according to the first identity certificate issuance information. This realizes base station access control and improves the effectiveness and correctness of certificate management.
  • FIG. 1 is a schematic diagram of a system architecture for performing a base station access control method provided by an embodiment of the present application.
  • the blockchain network 100 is mainly composed of a base station 200 and a blockchain system 300
  • the blockchain network 100 includes a blockchain system 300 and a base station 200, wherein the base station 200 is divided into a base station identity management client and a base station identity management server
  • the blockchain system 300 includes a blockchain certificate system and a blockchain identity system
  • the blockchain identity system mainly stores the identity certificates of the base station 200 and other devices, so that the base station 200 or other devices can request the identity certificates
  • the blockchain certificate system is used for the base station 200 or the network management device to perform authorization authentication, which is convenient for the base station 200 or the network management device to perform identity certificate authentication.
  • This blockchain network 100 mainly addresses security threats to 5G base station equipment.
  • the security threats to 5G mainly have four aspects: one is the security threat to the hardware, software and network infrastructure that constitute the base station; two; the third is the security threat to the transmission network and the information carried on the N2 (RAN->AMF) and N3 (RAN->UPF) interfaces connecting to the 5G core network; the fourth is the security threat to the management plane connecting the base station to network management.
  • From the perspective of the base station security boundary, in addition to the identity authentication of the base station towards the access Security Gateway (SEG), there are two other key elements of blockchain-based identity authentication management: network management user access control and DNS request authentication.
  • FIG. 2 is a schematic diagram of a system framework of a base station access control method provided by an embodiment.
  • the user certificate management system based on blockchain and the certificate issuance technology based on DNS Security Extensions (Domain Name System Security Extensions, DNSSEC) are combined.
  • through the management subsystem, the base station implements the issuance, renewal and authentication of user certificates.
  • the authorized serial number of the network management device or login identity is introduced into the user certificate, for example as a hash summary of the user name and password, so that double authentication of the user key and the user device can be realized, which further improves security; and through this blockchain certificate management system, if more edge devices are connected in the future, the types of user certificates can be unified and the management complexity of the server reduced.
  • the server usually publishes its service address through a domain name; its certificate can be associated with a TLSA record and published in the DNS system, and the client can use the DNSSEC mechanism to verify the identity of the server. This reduces the cost of issuing server certificates and simplifies the client verification process, realizing safe and reliable two-way identity authentication that does not depend on a CA.
  • compared with the X.509 certificate from a traditional CA used by the base station, if an authorization list (such as network management users or devices) is added, an attacker must obtain both the user's private key and the authorized user information to impersonate that identity.
  • DNS service must be provided, but DNS was not designed with much security in mind: it cannot verify the authenticity of a response by itself, and the source IP address of a DNS response packet is easy to counterfeit or forge.
  • DNSSEC is currently the widely deployed, officially released DNS security enhancement. It can effectively prevent DNS cache pollution. It uses digital signatures based on public key cryptography; its certificates and private keys are generated and self-signed on the domain's own server, and unlike HTTPS this does not require a root certificate issuer.
  • the domain name recursive resolver starts from the root domain name server and resolves layer by layer to verify the integrity of each domain's public key, ensuring that the public key at each level of the domain hierarchy is credible; instead of cryptographically signing the DNS query and response exchange itself, the data owner uses its private key to sign the DNS data, thereby enhancing the strength of DNS verification, that is, verifying the source of DNS data and protecting its integrity.
  • DANE is a security protocol that only works when DNSSEC is enabled. It publishes digital certificates through the DNS service to ensure that, whether a certificate is issued by a CA or self-signed, it is ultimately the intended certificate; it is an instance verification based on DNS names, in which a TLSA record is used to prove that a certificate is trustworthy, and it also addresses the problem that DNSSEC cannot protect access privacy.
  • applied to the public key infrastructure for X.509 certificates, it provides additional assurance and enables domain holders to claim certificates for themselves without reference to third-party certificate authorities, while protecting servers, certificate authorities and users; the resulting chain of trust goes beyond the standard HTTPS protocol.
  • a traditional DNS server asserts its right to represent a domain by presenting a PKIX digital certificate (RFC 5280).
  • the client, such as the DNS proxy in the base station, evaluates the certificate to determine whether it is a trusted DNS server.
  • the evaluation mainly checks whether the required domain name is included in the certificate, and whether the certificate is issued by a trusted trust anchor (e.g. a trusted CA).
  • current browsers and operating systems ship a large number of default trust anchors, so that each trust anchor has a wide range of permissions, and manually deleting a trust anchor is troublesome, resulting in insecurity; DANE does some limited work on restricting the range in which a trust anchor may be used.
  • the TLSA record is described in detail below.
  • DANE defines a DNS resource record type TLSA for describing the claims that a certificate is associated with a domain.
  • Each TLSA record has three basic fields; when a client wants to connect to a certain domain, it can look up these TLSA records and apply their constraints when verifying the server's certificate.
  • DANE allows browsers to inspect TLSA records for the public thumbprint of certificates marked as secure by the user. This could be an intermediate certificate of the CA that issued the certificate on the server, or it could be the thumbprint of the certificate itself.
  • TLSA records can be produced with generators such as openssl or online tools such as the Generate TLSA Record website.
  • the TLSA record elements are as follows:
  • usage, e.g. 3 PKIX-EE, service certificate constraint: specifies the exact Transport Layer Security (TLS) certificate that should be used for a domain name;
  • selector/match: how the TLS certificate chain should match this record (e.g. by exact match, by public key, or by SHA-1 digest);
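As an added example (not code from the patent or from any implementation it references), the following Python models the TLSA matching step that a client such as the base station's DNS proxy performs, using the RFC 6698 field values (RFC 6698 calls usage 3 DANE-EE, and its matching types are exact, SHA-256 and SHA-512). The certificate is a constructed stand-in of DER bytes rather than a parsed X.509 object, and `TLSARecord`, `LeafCert` and `verify_server_cert` are names chosen here.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# RFC 6698 field values (constants named here for the example).
USAGE_DANE_EE = 3        # domain-issued certificate: match the end-entity certificate itself
SELECTOR_FULL_CERT = 0   # match the whole certificate
SELECTOR_SPKI = 1        # match only the SubjectPublicKeyInfo
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes

    @classmethod
    def parse(cls, presentation: str) -> TLSARecord:
        """Parse the zone-file form '<usage> <selector> <matching type> <hex data>'."""
        usage, selector, mtype, *hexparts = presentation.split()
        return cls(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))


@dataclass(frozen=True)
class LeafCert:
    """Constructed stand-in for a parsed end-entity certificate (not real X.509)."""
    der: bytes        # DER of the whole certificate
    spki_der: bytes   # DER of its SubjectPublicKeyInfo


def association_data(cert: LeafCert, selector: int, matching_type: int) -> bytes:
    """What the record's data field must equal for this certificate."""
    selected = {SELECTOR_FULL_CERT: cert.der, SELECTOR_SPKI: cert.spki_der}[selector]
    if matching_type == MATCH_EXACT:
        return selected
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def tlsa_presentation(cert: LeafCert, usage: int, selector: int, matching_type: int) -> str:
    """Produce the record text for a certificate, as a TLSA generator would."""
    return f"{usage} {selector} {matching_type} {association_data(cert, selector, matching_type).hex()}"


def record_matches(record: TLSARecord, cert: LeafCert) -> bool:
    """Usage-3 match. A record with an unknown selector or matching type is unusable, never a match."""
    try:
        expected = association_data(cert, record.selector, record.matching_type)
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected, record.data)


def verify_server_cert(records: list[TLSARecord], cert: LeafCert, dnssec_validated: bool) -> bool:
    """Accept the server certificate only if the TLSA RRset was DNSSEC-validated (DANE depends
    on DNSSEC) and at least one usage-3 record matches; other usages are out of scope here."""
    if not dnssec_validated:
        return False
    return any(record_matches(r, cert) for r in records if r.usage == USAGE_DANE_EE)


# Constructed sample: a "3 1 1" record (SPKI, SHA-256) is the usual choice because it still
# matches after a re-issue that keeps the same key pair.
SAMPLE_CERT = LeafCert(der=b"constructed-cert-der-v1", spki_der=b"constructed-spki")
SAMPLE_RECORD = tlsa_presentation(SAMPLE_CERT, USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256)
```

A record that was not obtained through a DNSSEC-validated lookup is rejected outright, which is the property the text relies on when it says DANE only works with DNSSEC active.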
  • the certificate based on the DNSSEC system is similar to the identity certificate authentication of the traditional base station, in that both have their own trust chain. The difference is that DNS trust chain resolution is iterative, and the certificates are issued by the domain servers at each level, not by a CA.
  • if there is no blockchain-based certificate system, the base station needs to maintain life-cycle management of the two certificates at the same time. Using the blockchain system, these certificates and their management can be pushed onto the chain, and the result returned by the identity authentication blockchain can be matched against the TLSA record.
  • FIG. 3 is a flowchart of a base station access control method provided by an embodiment of the present application, which is applied to a base station.
  • the base station access control method includes but is not limited to steps S100 to S300 .
  • Step S100: Send first authentication request information to the blockchain system, where the first authentication request information carries the identity certificate of the base station.
  • the base station sends the first authentication request information to the blockchain system, wherein the first authentication request information carries the content of the certificate of the base station and related identity information, so that the blockchain system can verify the first authentication request information.
  • the first authentication request information is sent by the base station identity management client and sent to the verification node in the blockchain system, wherein the verification node can be a digital certificate Registration authority (Registration Authority, RA) or CA, which is not specifically limited in this embodiment.
  • Step S200: Obtain the first identity certificate issuance information sent by the blockchain system.
  • the first identity certificate issuance information is generated by the blockchain system from the identity certificate, on condition that storage of the identity certificate has been confirmed based on the first authentication request information.
  • after the blockchain system receives the first authentication request information, it judges whether the corresponding identity certificate has been saved, according to the identity certificate carried in the first authentication request information; after confirming that it has stored the identity certificate corresponding to the first authentication request information, it generates the first identity certificate issuance information corresponding to that request from the identity certificate, which improves the accuracy of the certificate configuration and lets the base station subsequently access the gateway according to the first identity certificate issuance information.
  • the blockchain system judges the first authentication request information in the same way as the traditional CA registration review method, which is described next.
  • FIG. 4 is a schematic diagram of a traditional CA registration review method.
  • 5G mainly includes three parts: access network, bearer network, and core network.
  • for the access network, there is currently a set of methods in use for access identity authentication of the base station, which depends on issuance and configuration by the CA; the configuration workload for identity certificates is relatively large.
  • communication equipment manufacturers first need to apply for a certificate from the operator's CA organization; after the CA organization issues the certificate, the issued certificate must be configured or installed on the target base station device, and the certificate then implements device authentication.
  • the issuance mechanism of the system described in this embodiment can improve efficiency through decentralization, and at the same time eliminate the CA as a single point of failure.
  • 5G is built around different business scenarios. Slicing enables operators to create customized private networks based on the needs of vertical industries, and end-to-end network services may require slices of multiple operators in multiple countries to be interconnected to jointly provide seamless cross-country, cross-service 5G services. Security protection is required between slices, and secure channels need to be guaranteed by digital certificates. Different operators have different CAs, and mutual trust must be established between these CAs for slicing services to run normally; here too, multi-CA mutual trust is easy to realize by adopting a blockchain-based identity authentication system deployed as a consortium.
  • the registration mechanism of the base station certificate described in 3GPP 33.310 is as follows:
  • the base station is pre-provisioned by the equipment manufacturer with a public-private key pair generated at the factory and a pre-installed digital certificate signed by the equipment supplier; the operator's Registration Authorization (RA)/Certificate Authorization (CA) server has the equipment manufacturer's root certificate pre-installed, and the core network SEG has the carrier root certificate pre-installed.
  • Step S300: Access the gateway according to the first identity certificate issuance information.
  • the base station sends the first authentication request information to the blockchain system; after the blockchain system receives the first authentication request information and confirms that it stores the identity certificate corresponding to that request, the base station accesses the gateway according to the first identity certificate issuance information obtained in step S200, improving the accuracy of the access certificate.
  • FIG. 5 is a schematic diagram of an identity certificate model provided by an embodiment.
  • the base station access control certificate model shows that, through the unit of this embodiment, the base station needs only one access control certificate to complete external identity authentication, DNS domain authority definition, and network management privileged user control.
  • the certificate can simultaneously carry further extended information to meet other scenarios that require verification or control in the future.
  • the identity certificate contains information such as the base station name, base station unique identifier, version number, certificate public key, certificate validity period and serial number, and also contains the network management user authorization list, DNS domain authorization information, or other extended information.
  • with identity certificates in the blockchain system, multiple certificates can be integrated into one; extended information can be introduced into an identity certificate that has passed the authentication request, and authorization of management users outside the base station can be brought into the blockchain-based identity authentication system. This ensures the accuracy of the identity certificate, improves its security, allows the information to be extended without restriction, and allows entries to be added or removed at any time according to authorization or authentication requests, so the certificate can be updated.
  • FIG. 6 is a flowchart of the method of step S300 in FIG. 3; step S300 includes but is not limited to steps S310 to S340.
  • Step S310: Generate an identity authentication access request carrying the first identity certificate issuance information according to the first identity certificate issuance information.
  • Step S320: Send the identity authentication access request to the gateway.
  • Step S330: Receive the access verification result sent by the gateway according to the identity authentication access request.
  • the access verification result is obtained by the blockchain system verifying the identity of the base station according to a verification request from the gateway, and is sent to the gateway.
  • the verification request is generated by the gateway based on the identity authentication access request.
  • the identity management client of the base station sends the identity authentication access request to the gateway, and the gateway sends a verification request to the blockchain system, wherein the verification request is generated by the gateway according to the identity authentication access request; the blockchain system performs the verification.
  • the access verification result is sent to the gateway, and the gateway then forwards the verification result to the base station identity management client, realizing multiple verifications of the access certificate and improving the security of certificate access.
  • Step S340: Access the gateway according to the access verification result.
  • the base station identity management client accesses the gateway according to the access verification result returned by the blockchain system, wherein the gateway is the SEG.
  • FIG. 7 is a flowchart of a base station access control method provided by an embodiment of the present application.
  • the base station access control method includes but is not limited to steps S2100 to S2200 .
  • Step S2100: Send an authorization processing request corresponding to the on-site device to the blockchain system.
  • the identity management client of the base station sends an authorization processing request corresponding to the on-site device to the verification node in the blockchain system, wherein the authorization processing request carries the identity certificate corresponding to the on-site device, so that the management node can validate the on-site device and improve the security of the certificate.
  • the authorization processing request may be an authorization request for the on-site device or a de-authorization request for the on-site device, allowing diverse operations on the on-site device and improving the efficiency of processing such requests.
  • the on-site device may be a management device or a management user inside the base station, which is not specifically limited in this embodiment.
  • Step S2200: Receive the second identity certificate issuance information sent by the blockchain system.
  • the second identity certificate issuance information is obtained by the blockchain system updating the identity certificate according to the authorization processing request and generating the information from the updated identity certificate.
  • after receiving the authorization processing request, the blockchain system updates the identity certificate according to the request and derives the second identity certificate issuance information from the updated identity certificate; the identity management client of the base station receives the second identity certificate issuance information sent by the blockchain system, which realizes the update of the identity certificate and facilitates its management.
  • when the identity certificate is updated according to the authorization processing request, the network management user authorization list in the identity certificate is updated.
  • step S2100 may be performed before step S300 or after step S300, which is not specifically limited in this embodiment of the present application.
  • FIG. 8 is a flowchart of a base station access control method provided by an embodiment of the present application.
  • the base station access control method includes but is not limited to steps S400 to S600.
  • Step S400 Send the second authentication request information to the blockchain system, the second authentication request information is generated by the base station according to the user identity authorization request from the authorization end, and the user identity authorization request carries the user identity information of the authorization end.
  • the base station identity management client receives the user identity authorization request from the authorization end and processes it so that the blockchain system can read it; the request carries the user identity information of the authorization end, and according to that user identity information the base station sends the second authentication request information to the blockchain system, so that the blockchain system can make an authorization judgment on the authorization end.
  • the second authentication request information is obtained by concatenating the client identity information and the unique identifier of the base station.
  • the identity certificate of the base station can authorize access for the network management device or for other devices and identities that access the base station; such authorized access must take place after the identity management client of the base station has finished uploading the identity certificate.
  • the authorization end in this embodiment can be a network management device or a network management user, etc.; in this application it is an OAM-agent (Operation Administration and Maintenance agent).
  • Step S500 Receive the target authorization code sent by the blockchain system according to the second authentication request information.
  • the target authorization code is generated by the blockchain system according to the second authentication request information when it confirms, from the user identity information in that request, that the authorization end is not yet registered; if the user identity information shows that the authorization end is already registered, the second authentication request information is discarded. This facilitates the integration of the various certificates, the authentication process and life cycle management.
  • Step S600 Send the target authorization code to the authorization end.
  • the base station identity management client inputs the target authorization code obtained through step S500 into the device to be authorized, and completes the device authorization process.
  • FIG. 9 is a flowchart of a base station access control method provided by an embodiment of the present application.
  • the base station access control method includes but is not limited to steps S2300 to S2600.
  • Step S2300 Receive user authentication request information sent by the network management system.
  • the user authentication request information is generated by the network management system upon receiving an access request from a network management user.
  • the base station identity management server receives user authentication request information sent by the network management system, where this information is generated by the network management system upon receiving an access request from a network management user; the access request of the network management user is a user identity query request, which facilitates authentication of the network management user by the identity management server of the base station and by the blockchain system, and improves the accuracy of user access.
  • the access request of the network management user in this application is that of an Element Management System (EMS) login user.
  • Step S2400 Send a query certificate request to the blockchain system, and the query certificate request is generated by the base station according to the user authentication request information.
  • when the network management user requests access and sends an access request to the network management system, user authentication request information is generated.
  • after receiving the access request, the base station identity management server generates a query certificate request for the blockchain system to process.
  • Step S2500 Obtain the identity certificate fed back by the blockchain system according to the query certificate request.
  • a query certificate request is sent to the blockchain system, and once the blockchain system's query is complete the identity certificate it returns is obtained, so that the base station identity management server can subsequently read the corresponding authorization code from the identity certificate.
  • Step S2600 According to the difference between the verification authorization code from the network management and the target authorization code obtained from the identity certificate, send the verification result information for the network management user to the network management, wherein the verification authorization code corresponds to the network management user.
  • the base station identity management server reads the target authorization code of the corresponding network management user from the identity certificate obtained in step S2500, and at the same time requests the verification authorization code of that network management user from the network management system; if the network management user has an authorization code, the network management system sends it back to the base station identity management server.
  • the base station identity management server performs a hash calculation on the verification authorization code and compares the result with the target authorization code obtained from the blockchain query.
  • when the hashed verification authorization code is the same as the target authorization code, a verification success is returned to the network management system; if the network management user has no verification authorization code corresponding to the target authorization code in the network management system, an empty string is returned to the network management system, the identity management server of the base station finds no authorization in its query, and a verification failure is returned. This realizes multiple authentication of the network management user and reduces the management complexity of the base station identity management server.
  • FIG. 10 is a flowchart of a base station access control method provided by an embodiment of the present application.
  • the base station access control method includes but is not limited to steps S700 to S900.
  • Step S700 Obtain DNS certificate information from the blockchain system.
  • the base station identity management client first sends a DNS certificate information query request to the DNS proxy; after the DNS proxy returns the DNS certificate information to the client, the client and the DNS proxy together act as a single client and send a request for the DNS server certificate information to the blockchain system, then receive the DNS server certificate information returned by the blockchain system, so that the identity management client of the base station can compare the certificate information with the TLSA record.
  • Step S800 Obtain the TLSA record associated with the DNS certificate information from the DNS.
  • the base station identity management client requests the TLSA record associated with the DNS certificate information from the DNS, and the DNS returns the TLSA record to the base station identity management client according to the DNS certificate information, so that the base station identity management client can use the record for comparison with the certificate information.
  • the DANE protocol is used in the DNS.
  • DANE defines a DNS resource record type, TLSA, which describes the association between a certificate and a domain name.
  • a TLSA record has three basic fields. When the base station wants to connect to a certain domain, it can use the TLSA record and apply its constraint when verifying the server's certificate, strengthening control over the accessed domain.
  • Step S900 Verify the DNS certificate information according to the TLSA record.
  • the strength of DNS verification is enhanced, that is, the source of DNS data is verified and the integrity of data is protected.
  • Fig. 11 is a flowchart of a base station access control method provided by another embodiment of the present application, which is applied to a blockchain system.
  • the base station access control method includes but is not limited to steps S1000 to S3000.
  • Step S1000 Receive first authentication request information sent by the base station, where the first authentication request information carries the identity certificate of the base station.
  • Step S2000 When the stored identity certificate is confirmed based on the first authentication request information, generate first identity certificate issuance information according to the identity certificate.
  • the blockchain system judges whether the corresponding identity certificate has been saved according to the identity certificate carried by the first authentication request information, and if it is confirmed that the blockchain system stores the identity certificate corresponding to the first authentication request information, generates first identity certificate issuance information corresponding to the first authentication request information according to the identity certificate, thereby improving the accuracy of certificate configuration and facilitating subsequent access to the gateway according to the first identity certificate issuance information.
  • Step S3000 Send the first identity certificate issuance information for the access gateway to the base station.
  • sending the first identity certificate issuance information to the identity management client of the base station facilitates the identity management client of the base station to access the gateway.
  • FIG. 12 is a flowchart of a base station access control method provided by another embodiment of the present application.
  • the base station access control method includes but is not limited to steps S3100 to S3400.
  • Step S3100 Receive the authorization processing request corresponding to the in-station equipment sent by the base station.
  • the identity management client of the base station sends an authorization processing request corresponding to the equipment in the station to the blockchain system, where the authorization processing request carries the identity certificate corresponding to the equipment in the station, so that the management node can verify the equipment in the station, which improves certificate security.
  • the in-station device may be a management device or a management user inside the base station, which is not specifically limited in this embodiment.
  • Step S3200 Update the identity certificate according to the authorization processing request.
  • the blockchain system obtains the authorization code of the on-site device or user according to the authorization processing request, checks the authorization code against the identity certificate, and writes the authenticated identity certificate corresponding to the authorization code to the chain.
  • the result of the on-chain operation updates the identity certificate, improving the efficiency of certificate configuration.
  • Step S3300 Generate second identity certificate issuance information according to the updated identity certificate.
  • Step S3400 Send the second identity certificate issuance information to the base station.
  • the blockchain system generates the second identity certificate issuance information according to the updated identity certificate, and sends the identity certificate corresponding to the second identity certificate issuance information to the base station identity management client, so as to realize a unified life cycle management mode.
  • FIG. 13 is a flowchart of a base station access control method provided by another embodiment of the present application.
  • the base station access control method includes but is not limited to steps S3500 to S3700.
  • Step S3500 Receive the verification request sent by the gateway.
  • the verification request is generated by the gateway according to the identity authentication access request from the base station, and the identity authentication access request carries the first identity certificate issuance information.
  • Step S3600 Verify the identity of the base station according to the verification request, and obtain the access verification result.
  • the identity and device that sent the verification request are obtained, and the device and identity that sent the identity authentication access request are verified to obtain the access verification result, which allows the base station to access the gateway according to the access verification result.
  • the access verification result is that the blockchain system confirms the identity certificate of the base station according to the first identity certificate issuance information, so as to find the corresponding base station.
  • Step S3700 Send the access verification result to the gateway, so that the base station accesses the gateway according to the access verification result.
  • the access verification result obtained according to step S3600 is sent to the gateway, so that the base station can access the gateway according to the access verification result, and complete the process of authenticating the identity of the base station.
  • FIG. 14 is a schematic diagram of a system framework of a base station access gateway provided in a specific example.
  • the base station comes with a digital certificate, that is, the identity certificate, when it leaves the factory, and the private key corresponding to the identity certificate is stored locally in the base station; the base station identity management client then sends the certificate content and related identity information as the request content to the verification node on the chain (operator RA/CA) and enters the state of waiting for the identity certificate to be issued; after receiving the request, the verification node on the chain judges, based on the information provided by the user, whether to save the user's identity certificate.
  • the identity certificate is added to the blockchain system through a consensus mechanism.
  • FIG. 15 is a flowchart of a base station access control method provided by another embodiment of the present application.
  • the base station access control method includes but is not limited to steps S4000 to S6000.
  • Step S4000 Receive the second authentication request information sent by the base station.
  • the second authentication request information is generated by the base station according to the user identity authorization request from the authorizer, and the user identity authorization request carries the user identity information of the authorizer.
  • the blockchain system receives the second authentication request information, which is generated according to the user identity authorization request from the authorization end and includes the user identity information of the authorization end carried by that request, so that the blockchain system can judge the authorization end based on this user identity information.
  • Step S5000 When it is confirmed according to the user identity information in the second authentication request information that the authorizing terminal is not registered, generate a target authorization code according to the second authentication request information.
  • the blockchain system concatenates a randomly generated serial number and the time at which the second authentication request information was issued into a target authorization code, then sends the original text of the target authorization code back to the authorizing device, and stores the hash value of the target authorization code in the authorized device list in the blockchain system.
  • the authorized device list is used to store the hash values of the authorization codes of authorized devices, which solves the problem of network management user authorization flooding at the authorization end and improves the accuracy of network management user authorization.
  • identity certificates are stored in the blockchain system, including base station identity certificates, device identity certificates, or network management user identity certificates.
  • the identity certificates carry the authorization code of the device or network management user; the authorization code is written into the authorization list of the base station certificate, which constitutes the authorized device list. The authorized device list is a common technology for those skilled in the art and will not be described in detail here.
  • if the authorization end is already registered, the blockchain system discards the second authentication request information.
  • Step S6000 Send the target authorization code to the authorization end through the base station.
  • when it is determined that the authorizing end is not registered, the base station identity management client sends the target authorization code to the authorizing end, where the authorizing end is the end that sent the user identity authorization request; this implements the authorization operation on the authorizing end and improves the reliability of the blockchain system.
  • FIG. 16 is a schematic diagram of a system framework for network management user authorization provided by a specific example.
  • the identity certificate of the base station can authorize access to network management equipment, other equipment or identities accessing the base station.
  • after the base station identity management client has initially uploaded the identity certificate, it sends an authorization request to the blockchain system according to the authorized user information of the network management OAM-agent; the blockchain system concatenates a randomly generated serial number and the time the request was issued into a string, sends the original text of the string back to the requesting device, and stores the hash value of the string in the authorized device list of the certificate on the chain.
  • the base station inputs the obtained character string into the device to be authorized, that is, the network management OAM-agent, and completes the device authorization process.
  • the network management system can also query which users have been authorized and whether the authorization has expired.
  • FIG. 17 is a flowchart of a base station access control method provided by another embodiment of the present application.
  • the base station access control method includes but is not limited to steps S3800 to S3900.
  • Step S3800 Receive the certificate query request sent by the base station.
  • the certificate query request is generated by the base station according to the user authentication request information sent by the network management.
  • the user authentication request information is generated by the network management upon receiving the access request from the network management user.
  • the blockchain system receives the query certificate request sent by the base station identity management server, where user authentication request information is generated when the network management user requests access and sends an access request to the network management system, the base station identity management server generates a query certificate request after receiving the access request, and the blockchain system receives that query certificate request, improving the accuracy of the network management user's certificate authentication.
  • Step S3900 Send the identity certificate to the base station according to the query certificate request, so that the base station sends the verification result information for the network management user to the network management system according to the difference between the verification authorization code from the network management system and the target authorization code obtained from the identity certificate, where the verification authorization code corresponds to the network management user.
  • after receiving the query certificate request in step S3800, the blockchain searches the stored certificates and returns the identity certificate corresponding to the request to the base station identity management server according to the search result, so that the base station identity management server can verify the network management user according to the identity certificate.
  • identity certificates are stored in the blockchain system, including base station identity certificates, device identity certificates, or network management user identity certificates, among which the identity certificates carry the authorization code of the device or network management user.
  • FIG. 18 is a schematic diagram of a system framework for network management user authentication provided by a specific example.
  • after the OAM-agent receives the EMS login user request, it sends a user identity query request to the identity management server module of the base station; the server submits an identity certificate query request for the base station to the blockchain system, and the blockchain system returns the certificate after querying.
  • the base station identity management server reads the authorization code value of the corresponding network management user from the certificate, and at the same time requests the user's authorization code from the OAM-agent.
  • the server hashes the string and compares the result with the authorization code obtained from the blockchain system query; if they are the same, authentication success is returned. If the user has no authorization string in the OAM-agent, an empty string is returned, the server query finds no authorization, and an authentication failure result is returned.
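The authorization-code issuance in FIG. 16 (steps S5000 and S6000: random serial plus issue time, plaintext returned, hash stored in the authorized device list) together with the later check of that code by the base station identity management server in FIG. 18 (step S2600: hash the presented code, compare with the certificate, empty string fails), carried through in Python as an added example that is not the patent's or the applicant's code. The hash function, serial size, timestamp format, the `user|base_station` request layout and the dict-based certificate model are assumptions, since the patent does not specify them.

```python
"""Authorization-code issuance (FIG. 16) and checking (FIG. 18).

Added illustration, not the patent's code. Assumptions: SHA-256 as the
hash, a 16-byte random serial, a compact UTC timestamp, and an identity
certificate modelled as a dict of user id -> authorization-code hash."""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone


def hash_code(code: str) -> str:
    """Only this digest is written into the on-chain authorized device list."""
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


def build_second_auth_request(user_id: str, base_station_id: str) -> str:
    """Second authentication request: client identity concatenated with the
    base station's unique identifier (the '|' separator is an assumption)."""
    return f"{user_id}|{base_station_id}"


class BlockchainSystem:
    """Stand-in for the blockchain system: one identity certificate
    (authorized device list) per base station."""

    def __init__(self, serial=None, clock=None):
        self._certs = {}  # base_station_id -> {user_id: code_hash}
        self._serial = serial or (lambda: secrets.token_hex(16))
        self._clock = clock or (
            lambda: datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ"))

    def handle_second_auth_request(self, request: str):
        """S5000: issue a target authorization code only for an unregistered
        authorization end; a repeated request for a registered user is
        discarded (returns None), which is what stops authorization flooding."""
        user_id, base_station_id = request.split("|", 1)
        auth_list = self._certs.setdefault(base_station_id, {})
        if user_id in auth_list:
            return None
        code = self._serial() + self._clock()   # random serial + issue time
        auth_list[user_id] = hash_code(code)    # store the hash, not the code
        return code                             # plaintext goes back (S6000)

    def query_certificate(self, base_station_id: str) -> dict:
        """S3900: return the stored identity certificate for a base station."""
        return dict(self._certs.get(base_station_id, {}))


class BaseStationIdentityServer:
    """Stand-in for the base station identity management server (S2300-S2600)."""

    def __init__(self, base_station_id: str, chain: BlockchainSystem):
        self.base_station_id = base_station_id
        self.chain = chain

    def verify_user(self, user_id: str, verification_code: str) -> bool:
        """S2600: hash the code presented by the network management system and
        compare it with the target (hashed) code read from the certificate.
        An empty string (the OAM-agent holds no code for the user) or an
        unknown user yields a failure."""
        target = self.chain.query_certificate(self.base_station_id).get(user_id)
        if target is None or not verification_code:
            return False
        return hmac.compare_digest(hash_code(verification_code), target)


def run_flow(serial=None, clock=None) -> dict:
    """Drive the whole flow once and return what each step observed."""
    chain = BlockchainSystem(serial=serial, clock=clock)
    bs_id = "gnb-0001"                               # constructed identifier
    server = BaseStationIdentityServer(bs_id, chain)
    req = build_second_auth_request("ems-admin", bs_id)
    code = chain.handle_second_auth_request(req)     # FIG. 16: authorization
    repeat = chain.handle_second_auth_request(req)   # second attempt: discarded
    return {
        "code": code,
        "repeat_discarded": repeat is None,
        "stored_hash": chain.query_certificate(bs_id)["ems-admin"],
        "ok": server.verify_user("ems-admin", code),  # FIG. 18: authentication
        "empty": server.verify_user("ems-admin", ""),
        "wrong": server.verify_user("ems-admin", code + "x"),
        "unknown": server.verify_user("nobody", code),
    }


if __name__ == "__main__":
    for key, value in run_flow().items():
        print(key, value)
```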
  • FIG. 19 is a flowchart of a base station access control method provided by another embodiment of the present application.
  • the base station access control method includes but is not limited to step S7000.
  • Step S7000 Send the DNS certificate information to the base station, so that the base station verifies the DNS certificate information according to the TLSA record associated with the DNS certificate information obtained from the DNS.
  • the blockchain system stores the DNS server certificate information sent by the DNS server; the base station identity management client first sends a DNS certificate information query to the DNS proxy and then sends the DNS server certificate information request to the blockchain system, which sends the DNS certificate information to the base station identity management client according to that request, so that the client can verify the DNS certificate information through the TLSA record.
  • FIG. 20 is a schematic diagram of an architecture for verifying a server certificate according to a TLSA record provided by a specific example.
  • the base station identity management client sends a request for DNS certificate information to the DNS agent and a request for the TLSA record to the DNS; the DNS agent sends a request for the DNS server certificate information to the blockchain system according to the received DNS certificate information request, and after the blockchain system completes its query the DNS server certificate information is returned to the DNS agent; the identity management client of the base station then compares the TLSA record obtained from the DNS with the returned DNS server certificate information, obtains the result, and completes verification of the server certificate.
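The TLSA comparison performed by the base station identity management client in steps S700 to S900 and FIG. 20, written out in Python as an added example that is not the patent's or the applicant's code. The patent only states that the certificate obtained via the blockchain system is checked against the TLSA record from the DNS; the field semantics (usage, selector, matching type, certificate association data) are those of RFC 6698, the certificate and SubjectPublicKeyInfo bytes are constructed placeholders, and the SPKI DER of each certificate is assumed to be supplied by the caller, since no ASN.1 parsing is done here.

```python
"""TLSA (DANE, RFC 6698) matching for the server-certificate check (S900).

Added example, not the patent's code. The certificate and SPKI bytes are
constructed placeholders; a real deployment would extract the SPKI DER
from the X.509 certificate with a library before calling verify_tlsa."""
import hashlib
import hmac
from dataclasses import dataclass

USAGE_PKIX_TA, USAGE_PKIX_EE, USAGE_DANE_TA, USAGE_DANE_EE = 0, 1, 2, 3
SEL_FULL_CERT, SEL_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSARecord:
    usage: int            # which certificate of the chain is constrained
    selector: int         # full certificate or SubjectPublicKeyInfo only
    matching_type: int    # exact bytes, SHA-256 or SHA-512 of the selection
    cert_assoc_data: bytes


def parse_tlsa(rdata: str) -> TLSARecord:
    """Parse the presentation form returned by the DNS, e.g. '3 1 1 <hex>'."""
    parts = rdata.split()
    if len(parts) != 4:
        raise ValueError("TLSA rdata needs usage, selector, matching type, data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unsupported TLSA parameter value")
    return TLSARecord(usage, selector, mtype, bytes.fromhex(parts[3]))


def association_data(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute what the record's data field must equal for this certificate."""
    selected = cert_der if rec.selector == SEL_FULL_CERT else spki_der
    if rec.matching_type == MATCH_EXACT:
        return selected
    if rec.matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def make_tlsa_rdata(usage, selector, mtype, cert_der, spki_der) -> str:
    """Build the presentation form a zone operator would publish (used here
    only to construct sample records)."""
    rec = TLSARecord(usage, selector, mtype, b"")
    data = association_data(rec, cert_der, spki_der).hex()
    return f"{usage} {selector} {mtype} {data}"


def verify_tlsa(rec: TLSARecord, chain):
    """chain: list of (cert_der, spki_der) pairs, end-entity first.
    Returns (matched, pkix_validation_required). Usages 1 and 3 constrain the
    end-entity certificate; usages 0 and 2 constrain a CA certificate that
    must be present in the presented chain. Usages 0 and 1 additionally
    require ordinary PKIX chain validation, which is left to the caller."""
    if rec.usage in (USAGE_PKIX_EE, USAGE_DANE_EE):
        candidates = chain[:1]
    else:
        candidates = chain[1:]
    matched = any(
        hmac.compare_digest(association_data(rec, cert, spki), rec.cert_assoc_data)
        for cert, spki in candidates)
    return matched, rec.usage in (USAGE_PKIX_TA, USAGE_PKIX_EE)


# Constructed placeholder DER blobs standing in for real certificates.
EE_CERT, EE_SPKI = b"constructed-end-entity-cert-der", b"constructed-end-entity-spki"
CA_CERT, CA_SPKI = b"constructed-operator-ca-cert-der", b"constructed-operator-ca-spki"
SAMPLE_CHAIN = [(EE_CERT, EE_SPKI), (CA_CERT, CA_SPKI)]
# Record as the DNS would return it: DANE-EE, SPKI selector, SHA-256.
SAMPLE_TLSA_RDATA = make_tlsa_rdata(3, 1, 1, EE_CERT, EE_SPKI)


def check_server_certificate(tlsa_rdata: str, chain) -> bool:
    """Base-station side of S900: the DNS server certificate obtained via the
    blockchain system is accepted only if the TLSA record matches it."""
    matched, _pkix_needed = verify_tlsa(parse_tlsa(tlsa_rdata), chain)
    return matched


if __name__ == "__main__":
    print("sample record:", SAMPLE_TLSA_RDATA)
    print("accepted:", check_server_certificate(SAMPLE_TLSA_RDATA, SAMPLE_CHAIN))
```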
  • an embodiment of the present application further provides a base station, where the base station includes: a memory, a processor, and a computer program stored in the memory and operable on the processor.
  • the processor and memory can be connected by a bus or other means.
  • memory can be used to store non-transitory software programs and non-transitory computer-executable programs.
  • the memory may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage devices.
  • the memory may include memory located remotely from the processor, which remote memory may be connected to the processor through a network. Examples of the aforementioned networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
  • the non-transitory software programs and instructions required to implement the base station access control method of the above-mentioned embodiment are stored in the memory, and when executed by the processor, the base station access control method in the above-mentioned embodiment is executed, for example the above-described method steps S100 to S300 in FIG. 3, method steps S310 to S340 in FIG. 6, method steps S2100 to S2200 in FIG. 7, method steps S400 and S600 in FIG. 8, method steps S2300 to S2600 in FIG. 9, and method steps S700 and S900 in FIG. 10.
  • an embodiment of the present application also provides a blockchain system, which includes: a memory, a processor, and a computer program stored in the memory and operable on the processor.
  • the processor and memory can be connected by a bus or other means.
  • memory can be used to store non-transitory software programs and non-transitory computer-executable programs.
  • the memory may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage devices.
  • the memory may include memory located remotely from the processor, which remote memory may be connected to the processor via a network. Examples of the aforementioned networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
  • the non-transitory software programs and instructions required to implement the base station access control method of the above-mentioned embodiment are stored in the memory, and when executed by the processor, the base station access control method in the above-mentioned embodiment is executed, for example the above-described method steps S1000 to S3000 in FIG. 11, method steps S3100 to S3400 in FIG. 12, method steps S3500 to S3700 in FIG. 13, method steps S4000 to S6000 in FIG. 15, method steps S3800 to S3900 in FIG. 17, and method step S7000 in FIG. 19.
  • an embodiment of the present application also provides a computer-readable storage medium, which stores computer-executable instructions; when the computer-executable instructions are executed by a processor or a controller, for example by a processor in the above-mentioned device embodiment, they can cause that processor to execute the base station access control method in the above embodiment, for example method steps S100 to S300 in FIG. 3, method steps S310 to S340 in FIG. 6, method steps S2100 to S2200 in FIG. 7, method steps S400 and S600 in FIG. 8, method steps S2300 to S2600 in FIG. 9, method steps S700 and S900 in FIG. 10, method steps S1000 to S3000 in FIG. 11, method steps S3100 to S3400 in FIG. 12, method steps S3500 to S3700 in FIG. 13, method steps S4000 to S6000 in FIG. 15, method steps S3800 to S3900 in FIG. 17, and method step S7000 in FIG. 19.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, each unit may exist separately physically, or two or more units may be integrated into one unit.
  • the above-mentioned integrated units can be implemented in the form of hardware, or in the form of hardware plus software functional units.
  • the embodiment of the present application includes: a base station access control method applied to a base station, including: sending first authentication request information to the blockchain system, the first authentication request information carrying the identity certificate of the base station; obtaining the first identity certificate issuance information sent by the blockchain system, the first identity certificate issuance information being generated by the blockchain system according to the identity certificate under the condition of confirming the storage of the identity certificate based on the first authentication request information; and accessing the gateway according to the first identity certificate issuance information.
  • in the case of confirming the stored identity certificate based on the first authentication request information, the blockchain system generates the first identity certificate issuance information and sends it to the base station to inform the base station that its identity certificate has been included in the blockchain system for management; the base station then accesses the gateway according to the first identity certificate issuance information, so as to implement access control of the base station and improve the effectiveness and correctness of certificate management.
  • computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disk (DVD) or other optical disk storage, magnetic cartridges, tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer.
  • communication media typically embody computer-readable instructions, data structures, program modules, or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present application discloses a base station access control method, an electronic device, and a computer-readable storage medium. The base station access control method is applied to a base station and comprises: sending first authentication request information to a blockchain system, the first authentication request information carrying an identity certificate of the base station (S100); obtaining first identity certificate issuing information sent by the blockchain system, the first identity certificate issuing information being generated by the blockchain system according to the identity certificate under the condition of confirming storage of the identity certificate on the basis of the first authentication request information (S200); and accessing a gateway according to the first identity certificate issuing information (S300).

Description

Base station access control method, base station, blockchain system, and storage medium
Cross-reference to related applications
This application is based on, and claims priority to, Chinese patent application No. 202111578563.5 filed on December 22, 2021, the entire content of which is incorporated herein by reference.
Technical field
The present application relates to the field of communication technology, and in particular to a base station access control method, a base station, a blockchain system and a computer-readable storage medium.
Background
In everyday use, the access network and core network of 4G/5G communication adopt the X.509 certificate model based on a public key infrastructure (PKI) to perform access authentication of devices, network elements and functional modules. In this model the certificate authority (CA), as the manager of certificates and as a centralized model, plays the role of a trusted third party. However, with the massive growth of Internet of Things (IoT) access devices and the demands of zero trust and the like for encrypted transmission of the HyperText Transfer Protocol (HTTP) and the Domain Name System (DNS), the CA-based PKI design carries a high security risk and cannot manage certificates correctly and effectively.
Summary of the invention
Embodiments of the present application provide a base station access control method, an electronic device and a computer-readable storage medium.
In a first aspect, an embodiment of the present application provides a base station access control method applied to a base station. The method includes: sending first authentication request information to a blockchain system, the first authentication request information carrying an identity certificate of the base station; obtaining first identity certificate issuing information sent by the blockchain system, the first identity certificate issuing information being generated by the blockchain system according to the identity certificate in the case where the blockchain system confirms, on the basis of the first authentication request information, that the identity certificate is stored; and accessing a gateway according to the first identity certificate issuing information.
In a second aspect, an embodiment of the present application provides a base station access control method applied to a blockchain system. The method includes: receiving first authentication request information sent by a base station, the first authentication request information carrying the identity certificate of the base station; in the case where it is confirmed, on the basis of the first authentication request information, that the identity certificate is stored, generating first identity certificate issuing information according to the identity certificate; and sending to the base station the first identity certificate issuing information used for accessing a gateway.
In a third aspect, an embodiment of the present application provides a base station, including a memory, a processor and a computer program stored in the memory and executable on the processor, where the processor, when executing the computer program, implements the base station access control method of the first aspect.
In a fourth aspect, an embodiment of the present application provides a blockchain system, including a memory, a processor and a computer program stored in the memory and executable on the processor, where the processor, when executing the computer program, implements the base station access control method of the second aspect.
In a fifth aspect, an embodiment of the present application provides a computer-readable storage medium storing computer-executable instructions, the computer-executable instructions being used to cause a computer to execute the base station access control method of the first aspect or the second aspect.
Additional features and advantages of the application will be set forth in the description that follows and, in part, will be obvious from the description, or may be learned by practice of the application. The objectives and other advantages of the application will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Brief description of the drawings
The accompanying drawings are provided for a further understanding of the technical solution of the present application and form part of the specification; together with the embodiments of the present application they serve to explain the technical solution of the present application and do not limit it.
FIG. 1 is a schematic diagram of a system architecture for performing a base station access control method provided by an embodiment of the present application;
FIG. 2 is a schematic diagram of a system framework of a base station access control method provided by an embodiment;
FIG. 3 is a flowchart of a base station access control method provided by an embodiment of the present application;
FIG. 4 is a schematic diagram of a traditional CA registration review method;
FIG. 5 is a schematic diagram of an identity certificate model provided by an embodiment of the present application;
FIG. 6 is a flowchart of the specific method of step S300 in FIG. 3;
FIG. 7 is a flowchart of a base station access control method provided by an embodiment of the present application;
FIG. 8 is a flowchart of a base station access control method provided by an embodiment of the present application;
FIG. 9 is a flowchart of a base station access control method provided by an embodiment of the present application;
FIG. 10 is a flowchart of a base station access control method provided by another embodiment of the present application;
FIG. 11 is a flowchart of a base station access control method provided by another embodiment of the present application;
FIG. 12 is a flowchart of a base station access control method provided by another embodiment of the present application;
FIG. 13 is a flowchart of a base station access control method provided by another embodiment of the present application;
FIG. 14 is a schematic diagram of a system framework for base station access to a gateway provided by a specific example of the present application;
FIG. 15 is a flowchart of a base station access control method provided by another embodiment of the present application;
FIG. 16 is a schematic diagram of a system framework for network management user authorization provided by a specific example of the present application;
FIG. 17 is a flowchart of a base station access control method provided by another embodiment of the present application;
FIG. 18 is a schematic diagram of a system framework for network management user authentication provided by a specific example of the present application;
FIG. 19 is a flowchart of a base station access control method provided by another embodiment of the present application;
FIG. 20 is a schematic diagram of an architecture for verifying a server certificate according to a TLSA record, provided by a specific example.
Detailed description
In order to make the purpose, technical solution and advantages of the present application clearer, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the present application and are not intended to limit it.
It should be noted that, in the description of the embodiments of the present application, the terms "first", "second" and the like in the specification, the claims and the above drawings are used to distinguish similar objects and are not to be understood as indicating or implying relative importance, as implicitly indicating the number of the technical features indicated, or as implicitly indicating the order of the technical features indicated. "At least one" means one or more, and "a plurality of" means two or more. "And/or" describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean that A exists alone, that A and B exist at the same time, or that B exists alone, where A and B may be singular or plural. The character "/" generally indicates that the objects before and after it are in an "or" relationship. Although functional modules are divided in the device schematics and a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed with a module division different from that in the device, or in an order different from that in the flowchart.
In addition, the technical features involved in the various embodiments of the present application described below may be combined with each other as long as they do not conflict.
Embodiments of the present application provide a base station access control method, an electronic device and a computer-readable storage medium. Because the first authentication request information sent by the base station itself carries the relevant identity certificate, when the blockchain system obtains the first authentication request information sent by the base station it obtains the base station's identity certificate at the same time. Accordingly, on confirming that the identity certificate is stored on the basis of the first authentication request information, the blockchain system generates first identity certificate issuing information and sends it to the base station, informing the base station that its identity certificate has been brought under the management of the blockchain system; the base station then accesses the gateway according to the first identity certificate issuing information, which implements base station access control and improves the effectiveness and correctness of certificate management.
The embodiments of the present application are further described below with reference to the accompanying drawings.
As shown in FIG. 1, FIG. 1 is a schematic diagram of a system architecture for performing a base station access control method provided by an embodiment of the present application.
As can be seen from the figure, the blockchain network 100 is mainly made up of a base station 200 and a blockchain system 300. The base station 200 is divided into a base station identity management client and a base station identity management server. The blockchain system 300 includes a blockchain certificate system and a blockchain identity system. The blockchain identity system mainly stores the identity certificates of the base station 200 and other devices, so that the base station 200 or other devices can request identity certificates and thereby access the gateway; the blockchain certificate system is used for authorization and authentication of the base station 200 or network management devices, so that the base station 200 or the network management device can authenticate identity certificates.
This blockchain network 100 mainly addresses security threats to 5G base station equipment. At present, 5G security threats fall mainly into four areas: first, threats to the hardware, software and network infrastructure that make up the base station; second, air-interface threats against information transmitted over the air interface that connects the NG-UE; third, threats to the transport network security and information security of the N2 (RAN->AMF) and N3 (RAN->UPF) interfaces that connect to the 5G core network; and fourth, threats to the management plane that connects the base station to the network management system.
Looking at the base station's security boundary, in addition to identity authentication for base station access to the security gateway (SEG), there are two other key elements: network management user access control and DNS request authentication. The embodiments of the present application address these by introducing into DNS the DANE transport-layer security protocol (DNS-based Authentication of Named Entities, a DNSSEC-based secure transport layer protocol) together with blockchain-based identity authentication management.
As shown in FIG. 2, FIG. 2 is a schematic diagram of a system framework of a base station access control method provided by an embodiment.
In the system framework of this base station access control method, a blockchain-based user certificate management system is combined with certificate publication technology based on DNS Security Extensions (DNSSEC). On the one hand, by establishing a blockchain user certificate management subsystem, the base station implements the issuance, renewal and authentication of user certificates. At the same time, if an authorization serial number of the network management device or of the login identity is introduced into the user certificate, for example a hash digest of the user name and password, double authentication of the user key and the user device can be achieved, which further improves security; and through this blockchain certificate management system, if more edge devices are connected in the future, user certificate types can be unified and the management complexity of the server reduced.
On the other hand, considering that the server usually publishes its service address through a domain name, DANE technology can be reused: the server's certificate is associated through a TLSA record and published in the DNS system, and the client verifies the server's identity using the DNSSEC mechanism. This reduces the cost of issuing server certificates and simplifies the client verification flow, thereby achieving secure and reliable mutual identity authentication that does not depend on a CA.
Compared with the traditional CA-issued X.509 certificate used by the base station, if an authorization list is added, for example of network management users or devices, an attacker must obtain both the user's private key and the authorized user information before being able to impersonate the identity.
In an embodiment, in order to explain the DNS security mechanism more clearly, a specific description is given below.
Whatever device wants to access the Internet, a DNS service must be provided; but security was given little consideration when DNS was designed. DNS itself cannot verify the authenticity of a response, and the source IP address of a DNS response packet is easy to spoof or forge.
DNSSEC is the officially published and most widely deployed DNS security enhancement scheme today, and it can effectively prevent DNS cache poisoning. It uses digital signatures based on public-key cryptography, and its certificates and private keys are generated and self-signed on the operator's own server; unlike HTTPS, no root certificate issuer is needed. During validation, the recursive resolver starts from the root name servers and resolves downward level by level to verify the integrity of each domain's public key, ensuring that the public key at every level of the domain hierarchy is trustworthy. It does not encrypt or sign the DNS query and response themselves; rather, the data owner signs the DNS data itself with its private key, which strengthens DNS validation, that is, it verifies the origin of DNS data and protects its integrity.
DANE is a security protocol that works only when DNSSEC is enabled. It publishes digital certificates through the DNS service and can ensure that, whether a certificate is CA-issued or self-signed, the certificate finally obtained is the expected one. It is instance validation based on DNS names: a TLSA record is used to attest that a certain certificate is trustworthy, and it also addresses the problem that DNSSEC cannot protect access privacy.
It allows Transport Layer Security (TLS) keys to be published in a zone for applications such as mail transport, and it allows certificates to be bound to DNS names. It provides additional assurance for the traditional model based on PKIX (Public Key Infrastructure for X.509 Certificates) and enables domain holders to assert certificates for themselves without referring to a third-party certificate authority, going beyond the standard HTTPS protocol in protecting the chain of trust among servers, certificate authorities and users.
A traditional DNS server asserts its right to represent a domain by presenting a PKIX digital certificate (RFC 5280). During access verification, the client, for example the DNS proxy in the base station, evaluates the certificate to determine whether the server is a trusted DNS server. The evaluation mainly checks whether the certificate contains the required domain name and whether it was issued by a trusted trust anchor (for example a trusted CA). This poses a problem: current browsers and operating systems use a large number of default trust anchors, which gives the trust anchors broad authority, and removing trust anchors by hand is cumbersome, which leads to insecurity. DANE places some limited-scope restrictions on the use of trust anchors.
In an embodiment, in order to address the constraint problem described above, the TLSA record is described in detail below.
DANE defines a DNS resource record type, TLSA, which describes the assertion that a certificate is associated with a domain. Each TLSA record has three basic fields; when a client wants to connect to a domain, it can look up these TLSA records and apply the constraints when verifying the server's certificate. In use, DANE allows a browser to check the TLSA records to obtain the public fingerprint of the certificate the user has marked as secure. This may be the intermediate certificate of the CA that issued the certificate on the server, or it may be the fingerprint of the certificate itself. With a generator (for example openssl, or an online site such as Generate TLSA Record), a TLSA record can be created easily.
The TLSA record elements are as follows:
Usage: what type of statement this record makes;
For example: 3 PKIX-EE: service certificate constraint, specifying the exact Transport Layer Security (TLS) certificate that should be used for a given domain name;
Selector/matching: how the TLS certificate chain should be matched against this record (for example, by exact match, by public key, or by SHA-1 digest);
For example: 0: Cert: use the entire certificate
Matching type:
For example: 2: SHA-512: SHA-512 hash
Instance: the actual data that the associated TLS certificate chain should match, _443._tcp.zte.com
Finally obtained: 3 0 2 XXXXXXXXX
Certificates based on the DNSSEC system and the traditional identity certificate authentication of base stations have something in common: both have their own chain of trust. The difference is that DNS chain-of-trust resolution is iterative, and the certificates are self-issued by the domain servers at each level rather than issued by a CA. For a base station, without a blockchain-based certificate system, the base station would need to maintain life-cycle management for both kinds of certificate at the same time; using the blockchain system, these certificates and their management can be pushed onto the chain, and locally it is only necessary to match the result returned by the identity authentication blockchain against the TLSA record.
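The TLSA fields listed above, worked through in code. This is an added example, not code from the patent or from ZTE. It uses the field numbering of RFC 6698, in which usage 3 is named DANE-EE (PKIX-EE is usage 1), selector 0 is the full certificate and matching type 2 is SHA-512, so it produces exactly the `3 0 2 <hex>` shape shown above for the owner name `_443._tcp.zte.com`. The certificate bytes are a constructed stand-in, and the `matches` function is the local check the last paragraph describes (comparing a certificate the client holds against the published record); the DNSSEC validation of the record itself, which DANE depends on, is outside what the block shows.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Field names follow RFC 6698: usage 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE;
# selector 0 = full certificate, 1 = SubjectPublicKeyInfo;
# matching type 0 = exact (hex of the data), 1 = SHA-256, 2 = SHA-512.
USAGE_NAMES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}


@dataclass(frozen=True)
class TLSARecord:
    owner: str      # e.g. "_443._tcp.zte.com"
    usage: int
    selector: int
    matching: int
    data: str       # certificate association data, hex encoded


def tlsa_owner_name(host: str, port: int = 443, proto: str = "tcp") -> str:
    """Owner name of the TLSA record for a TLS service on host:port."""
    return f"_{port}._{proto}.{host}"


def association_data(cert_der: bytes, selector: int, matching: int,
                     spki_der: Optional[bytes] = None) -> str:
    """Hex association data for the given selector and matching type.
    Selector 1 needs the DER SubjectPublicKeyInfo; this stdlib-only example
    takes it as an argument instead of parsing the certificate."""
    if selector == 0:
        subject = cert_der
    elif selector == 1:
        if spki_der is None:
            raise ValueError("selector 1 requires the SubjectPublicKeyInfo bytes")
        subject = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if matching == 0:
        return subject.hex()
    if matching == 1:
        return hashlib.sha256(subject).hexdigest()
    if matching == 2:
        return hashlib.sha512(subject).hexdigest()
    raise ValueError(f"unknown matching type {matching}")


def build_tlsa(host: str, port: int, cert_der: bytes, usage: int = 3,
               selector: int = 0, matching: int = 2,
               spki_der: Optional[bytes] = None) -> TLSARecord:
    """Build the record the page's example ends with: '3 0 2 <sha512 hex>'."""
    if usage not in USAGE_NAMES:
        raise ValueError(f"unknown usage {usage}")
    return TLSARecord(tlsa_owner_name(host, port), usage, selector, matching,
                      association_data(cert_der, selector, matching, spki_der))


def presentation(rec: TLSARecord) -> str:
    """RDATA in presentation format, as it would appear in a zone file."""
    return f"{rec.usage} {rec.selector} {rec.matching} {rec.data}"


def parse_tlsa(owner: str, rdata: str) -> TLSARecord:
    """Parse presentation-format RDATA back into a record."""
    usage, selector, matching, data = rdata.split()
    return TLSARecord(owner, int(usage), int(selector), int(matching), data.lower())


def matches(rec: TLSARecord, cert_der: bytes, spki_der: Optional[bytes] = None) -> bool:
    """Client-side check: does the presented certificate satisfy this record?
    Only the association-data comparison is shown; a real DANE client must
    also have validated the record with DNSSEC before trusting it."""
    expected = association_data(cert_der, rec.selector, rec.matching, spki_der)
    return hmac.compare_digest(expected, rec.data)


# Constructed stand-in bytes; not a real DER certificate.
SAMPLE_CERT_DER = b"constructed-stand-in-for-a-DER-encoded-server-certificate"

if __name__ == "__main__":
    rec = build_tlsa("zte.com", 443, SAMPLE_CERT_DER)
    print(rec.owner, "IN TLSA", presentation(rec))
    print("matches:", matches(rec, SAMPLE_CERT_DER))
```

With a real certificate, `cert_der` would be the DER bytes read from the server's certificate file; the same `association_data` routine then serves both publishing the record on the zone side and checking a presented certificate on the client side.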
如图3所示,图3是本申请一个实施例提供的基站接入控制方法的流程图,应用于基站,基站接入控制方法包括但不限于步骤S100至S300。As shown in FIG. 3 , FIG. 3 is a flowchart of a base station access control method provided by an embodiment of the present application, which is applied to a base station. The base station access control method includes but is not limited to steps S100 to S300 .
步骤S100:向区块链系统发送第一认证请求信息,第一认证请求信息携带基站的身份证书。Step S100: Send first authentication request information to the blockchain system, where the first authentication request information carries the identity certificate of the base station.
在一实施例中,基站向区块链系统发送第一认证请求信息,其中,第一认证请求信息携带基站的证书内容以及相关身份信息,便于区块链系统对第一认证请求信息进行验证。In an embodiment, the base station sends the first authentication request information to the blockchain system, wherein the first authentication request information carries the content of the certificate of the base station and related identity information, so that the blockchain system can verify the first authentication request information.
可以理解的是,向区块链系统发送第一认证请求信息时,第一认证请求信息由基站身份管理客户端发出,发送给区块链系统中的验证节点,其中,验证节点可以为数字证书注册审批机构(Registration Authority,RA)或者CA,本实施例不对此做具体限制。It can be understood that when sending the first authentication request information to the blockchain system, the first authentication request information is sent by the base station identity management client and sent to the verification node in the blockchain system, wherein the verification node can be a digital certificate Registration authority (Registration Authority, RA) or CA, which is not specifically limited in this embodiment.
步骤S200:获取由区块链系统发送的第一身份证书签发信息,第一身份证书签发信息由区块链系统在基于第一认证请求信息确认存储身份证书的情况下,根据身份证书生成。Step S200: Obtain the first identity certificate issuance information sent by the blockchain system. The first identity certificate issuance information is generated by the blockchain system based on the identity certificate under the condition that the storage identity certificate is confirmed based on the first authentication request information.
在一实施例中,在区块链系统收到第一认证请求信息之后,根据第一认证请求信息携带的身份证书判断是否保存过对应的身份证书,在确认区块链系统存储有与第一认证请求信息对应的身份证书的情况下,根据身份证书生成与第一认证请求信息对应的第一身份证书签发信息,从而提高证书配置的准确性,便于基站后续根据第一身份证书签发信息接入网关。In one embodiment, after the block chain system receives the first authentication request information, it judges whether the corresponding identity certificate has been saved according to the identity certificate carried in the first authentication request information, and after confirming that the block chain system has stored the information corresponding to the first authentication request information. In the case of the identity certificate corresponding to the authentication request information, the first identity certificate issuance information corresponding to the first authentication request information is generated according to the identity certificate, thereby improving the accuracy of the certificate configuration and facilitating the subsequent access of the base station according to the first identity certificate issuance information gateway.
可以理解的是,当区块链系统对第一认证请求信息进行判断,判断方法与传统的CA注册审核方法相同,下面为传统的CA注册审核方法。It can be understood that when the blockchain system judges the first authentication request information, the judgment method is the same as the traditional CA registration review method, and the following is the traditional CA registration review method.
为了更加清楚的说明传统的CA注册审核方法,下面进行具体说明。In order to illustrate the traditional CA registration review method more clearly, a specific description is given below.
如图4所示,图4是传统的CA注册审核方法的示意图。As shown in FIG. 4, FIG. 4 is a schematic diagram of a traditional CA registration review method.
5G mainly comprises three parts: the access network, the bearer network and the core network. In the access network, base stations currently use an established method for access identity authentication that depends on certificate issuance and configuration by a CA, and configuring the identity certificates is labour-intensive: to configure and use a certificate, the equipment vendor must first apply to the operator's CA for a certificate; after the CA issues it, the certificate must be configured on or installed in the target base station, and that device must hold the digital certificate to be authenticated.
Because each device needs its own private key and certificate, batch operations are hard to achieve, which lowers deployment efficiency and complicates certificate lifecycle management; manual handling also carries the risk of private key leakage. The issuance mechanism described in the embodiments of this application improves efficiency through decentralisation and removes the CA as a single point of failure.
In addition, 5G serves diverse business scenarios. Network slicing lets operators create customised dedicated networks for the needs of vertical industries, and an end-to-end service may require slices of several operators in several countries to be interconnected so as to jointly provide seamless cross-country, cross-service 5G services. Slices need security protection between them, and the secure channels rely on digital certificates. Different operators have different CAs, and mutual trust between those CAs must be established before slicing services can run normally; a blockchain-based identity authentication system deployed as a consortium also makes multi-CA mutual trust easy to achieve.
Blockchain and smart contracts can also reduce the cost of building, maintaining and operating CA systems in 5G.
The base station certificate enrolment mechanism described in 3GPP 33.310 is as follows:
The base station is provided by the equipment vendor with a public/private key pair generated at the factory and is pre-installed with a digital certificate signed by the vendor; the operator's Registration Authority (RA)/Certification Authority (CA) server is pre-installed with the vendor's root certificate, and the core network SEG is pre-installed with the operator's root certificate.
Step S300: access the gateway according to the first identity certificate issuance information.
In one embodiment, the base station first sends the first authentication request information to the blockchain system; after receiving it, and having confirmed that it stores the identity certificate corresponding to the first authentication request information, the blockchain system generates the first identity certificate issuance information corresponding to that request from the identity certificate; finally, the base station accesses the gateway according to the first identity certificate issuance information obtained in step S200, which helps ensure the correctness of the access certificate.
FIG. 5 is a schematic diagram of an identity certificate model provided by an embodiment.
In FIG. 5, the base station access control certificate model shows that, with the unit of this invention, a base station needs only one access control certificate to complete external identity authentication, DNS domain authority delimitation and control of privileged network management users. Beyond these functions, the certificate can also carry additional extension information to meet other future scenarios that require verification or control.
In one embodiment, the identity certificate contains the base station name, the base station's unique identifier, the version number, the certificate public key, the certificate validity period and the serial number, and additionally a network management user authorization list, DNS domain authorization information or other extension information. Designing the identity certificate in the blockchain system in this form merges several certificates into one; introducing extension information into the identity certificate that passes the authentication request brings the authorization of management users outside the base station into the blockchain-based identity authentication system, ensuring the accuracy of the identity certificate and improving its security; and because the extension information is unrestricted, it can be added or removed at any time in response to authorization or authentication requests, so the certificate can be updated.
FIG. 6 is a flowchart of the method of step S300 in FIG. 3; step S300 includes, but is not limited to, steps S310 to S340.
Step S310: generate, according to the first identity certificate issuance information, an identity authentication access request carrying the first identity certificate issuance information.
Step S320: send the identity authentication access request to the gateway.
Step S330: receive the access verification result sent by the gateway in response to the identity authentication access request. The access verification result is obtained by the blockchain system verifying the identity of the base station according to a verification request from the gateway and is sent to the gateway; the verification request is generated by the gateway from the identity authentication access request.
In one embodiment, the base station identity management client sends the identity authentication access request to the gateway, and the gateway sends a verification request, generated from that access request, to the blockchain system. After verification, the blockchain system obtains the access verification result and sends it to the gateway, and the gateway forwards the verification result to the base station identity management client. This provides multiple verifications of the access certificate and improves the security of certificate-based access.
Step S340: access the gateway according to the access verification result.
It will be understood that the base station identity management client accesses the gateway according to the access verification result returned by the blockchain system, where the gateway is the SEG.
FIG. 7 is a flowchart of a base station access control method provided by an embodiment of the present application; the method includes, but is not limited to, steps S2100 to S2200.
Step S2100: send an authorization processing request corresponding to an in-station device to the blockchain system.
In one embodiment, the base station identity management client sends an authorization processing request corresponding to the in-station device to a verification node in the blockchain system; the request carries the identity certificate corresponding to the in-station device, which allows the management node to verify the in-station device and improves the security of the certificate.
In one embodiment, the authorization processing request may be an authorization request or a de-authorization request for the in-station device, supporting a variety of operations on in-station devices and improving the efficiency of handling their authorization requests.
It will be understood that the in-station device may be a management device or a management user inside the base station; this embodiment does not specifically limit it.
Step S2200: receive the second identity certificate issuance information sent by the blockchain system. The second identity certificate issuance information is obtained by the blockchain system updating the identity certificate according to the authorization processing request and deriving the issuance information from the updated identity certificate.
In one embodiment, after receiving the authorization processing request, the blockchain system updates the identity certificate according to the request and obtains the second identity certificate issuance information from the updated certificate; the base station identity management client receives the second identity certificate issuance information sent by the blockchain system. This updates the identity certificate and simplifies its management.
In one embodiment, referring to the identity certificate model shown in FIG. 5, after receiving the authorization processing request the blockchain system updates the identity certificate according to the request, updating the network management user authorization list in the identity certificate.
It will be understood that step S2100 may be performed before or after step S300; the embodiments of this application do not specifically limit this.
FIG. 8 is a flowchart of a base station access control method provided by an embodiment of the present application; the method includes, but is not limited to, steps S400 to S600.
Step S400: send second authentication request information to the blockchain system. The second authentication request information is generated by the base station according to a user identity authorization request from an authorizing end, and the user identity authorization request carries the user identity information of the authorizing end.
In one embodiment, the base station identity client receives the user identity authorization request from the authorizing end and processes it so that the blockchain system can read it; the request carries the user identity information of the authorizing end's user. Based on that user identity information, the base station sends the second authentication request information to the blockchain system, which then makes an authorization decision about the authorizing end according to the second authentication request information.
It should be noted that the second authentication request information is obtained by concatenating the client identity information with the unique identifier of the base station.
It will be understood that the base station's identity certificate can authorize access by network management devices or other devices and identities that access the base station; such authorized access takes place after the base station identity management client has completed putting the identity certificate on the chain.
It should be noted that the authorizing-end user in this embodiment may be a network management device or a network management user, and in this application is an OAM-agent (Operation, Administration and Maintenance agent).
Step S500: receive the target authorization code sent by the blockchain system according to the second authentication request information. The target authorization code is generated by the blockchain system from the second authentication request information when, based on the user identity information in that request, it confirms that the authorizing end is not registered.
In one embodiment, after the blockchain system processes the second authentication request information, a target authorization code is obtained. The target authorization code is generated from the second authentication request information when the user identity information in the request confirms that the authorizing end is not registered; if the user identity information shows that the authorizing end is already registered, the second authentication request information is discarded. This helps unify multiple certificates with the authentication process and lifecycle management.
Step S600: send the target authorization code to the authorizing end.
In one embodiment, the base station identity management client enters the target authorization code obtained in step S500 into the device to be authorized, completing the device authorization process.
FIG. 9 is a flowchart of a base station access control method provided by an embodiment of the present application; the method includes, but is not limited to, steps S2300 to S2600.
Step S2300: receive user authentication request information sent by the network management system. The user authentication request information is generated by the network management system when it receives an access request from a network management user.
In one embodiment, the base station identity management server receives the user authentication request information sent by the network management system; that information is generated by the network management system upon receiving an access request from a network management user, and the network management user's access request is a user identity query request. This facilitates authentication of the network management user by the base station identity management server and the blockchain system and improves the accuracy of user access.
It should be noted that in this application the network management user's access request comes from a login user of a dedicated Element Management System (EMS).
Step S2400: send a certificate query request to the blockchain system; the certificate query request is generated by the base station from the user authentication request information.
In one embodiment, when a network management user requests access and sends an access request to the network management system, user authentication request information is generated; after receiving it, the base station identity management server generates a certificate query request so that the blockchain system can perform a lookup according to that request.
Step S2500: obtain the identity certificate returned by the blockchain system in response to the certificate query request.
In one embodiment, a certificate query request is sent to the blockchain system according to the user authentication request information obtained in step S2300, and once the blockchain system completes the query, the identity certificate it returns is obtained, so that the base station identity management server can subsequently read the corresponding authorization code from the identity certificate.
Step S2600: according to the difference between the verification authorization code from the network management system and the target authorization code obtained from the identity certificate, send verification result information for the network management user to the network management system, where the verification authorization code corresponds to the network management user.
In one embodiment, the base station identity management server reads the target authorization code of the corresponding network management user from the identity certificate obtained in step S2500 and at the same time requests that user's verification authorization code from the network management system. If the network management user holds an authorization code, it is returned to the base station identity management server, which hashes the verification authorization code and compares the result with the target authorization code retrieved from the blockchain; when they match, verification success is returned to the network management system. If the network management user has no verification authorization code corresponding to the target authorization code, the network management system returns an empty string, the base station identity management server finds no authorization and returns verification failure. This provides multiple authentication of network management users and reduces the management complexity of the base station identity management server.
FIG. 10 is a flowchart of a base station access control method provided by an embodiment of the present application; the method includes, but is not limited to, steps S700 to S900.
Step S700: obtain DNS certificate information from the blockchain system.
In one embodiment, the base station identity management client first sends a request to the DNS proxy to query the DNS certificate information; after the DNS proxy returns the DNS certificate information to the client, the base station identity management client and the DNS proxy together act as a client and request the DNS server certificate information from the blockchain system, then receive the DNS server certificate information returned by the blockchain system, so that the base station identity management client can compare the certificate information with the TLSA record.
Step S800: obtain from the DNS the TLSA record associated with the DNS certificate information.
In one embodiment, the base station identity management client requests from the DNS the TLSA record associated with the DNS certificate information, and the DNS returns the TLSA record to the base station management client according to the DNS certificate information, so that the base station identity management client can compare the TLSA record with the DNS certificate information.
It will be understood that the DNS uses the DANE protocol. DANE defines a DNS resource record type, TLSA, that describes an assertion associating a certificate with a domain; each TLSA record has three basic fields. When the base station wants to connect to a domain, it can use the TLSA record and apply that constraint when validating the server's certificate, strengthening control over the accessed domain.
Step S900: verify the DNS certificate information according to the TLSA record.
In one embodiment, verifying the DNS certificate information with TLSA records strengthens DNS validation, that is, it verifies the origin of DNS data and protects its integrity.
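The TLSA check of steps S800 and S900, written out as an added Python example that is not code from the patent application. It follows the RFC 6698 field layout (usage, selector, matching type, certificate association data), takes the DER certificate and SubjectPublicKeyInfo bytes as already-extracted inputs, and uses constructed byte strings in place of real certificates; the function and class names and the `pkix_valid` flag are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Sequence, Tuple

# One chain element: (DER-encoded certificate, DER-encoded SubjectPublicKeyInfo).
# Extracting the SPKI from a real certificate needs an X.509 parser; here the
# caller supplies both byte strings (assumption).
ChainElement = Tuple[bytes, bytes]


@dataclass(frozen=True)
class TLSARecord:
    """RFC 6698 TLSA RDATA."""
    usage: int           # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int        # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int   # 0 exact match, 1 SHA-256, 2 SHA-512
    cert_assoc_data: bytes

    @classmethod
    def parse(cls, presentation: str) -> "TLSARecord":
        """Parse zone-file presentation form, e.g. '3 1 1 2bb183af...'."""
        fields = presentation.split()
        if len(fields) < 4:
            raise ValueError("TLSA record needs four fields")
        usage, selector, mtype = (int(f) for f in fields[:3])
        data = bytes.fromhex("".join(fields[3:]))  # hex may be split into tokens
        if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
            raise ValueError("unsupported TLSA field value")
        expected_len = {0: None, 1: 32, 2: 64}[mtype]
        if expected_len is not None and len(data) != expected_len:
            raise ValueError("certificate association data has wrong length")
        return cls(usage, selector, mtype, data)


def association_data(element: ChainElement, selector: int, matching_type: int) -> bytes:
    """Compute what the TLSA record should contain for this certificate."""
    selected = element[0] if selector == 0 else element[1]
    if matching_type == 0:
        return selected
    if matching_type == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def record_matches(rec: TLSARecord, element: ChainElement) -> bool:
    computed = association_data(element, rec.selector, rec.matching_type)
    return hmac.compare_digest(computed, rec.cert_assoc_data)


def verify_with_tlsa(records: Sequence[TLSARecord], chain: Sequence[ChainElement],
                     pkix_valid: bool) -> bool:
    """Accept the server certificate if any TLSA record is satisfied.

    chain is leaf first. pkix_valid reports whether ordinary PKIX validation of
    the chain succeeded, which usages 0 and 1 require on top of the TLSA match.
    Usages 1 and 3 constrain the end-entity certificate only; usages 0 and 2 may
    match any certificate in the chain. For usage 2 the matched certificate must
    then act as trust anchor for the chain, which this example does not
    re-validate (assumption)."""
    if not chain:
        return False
    for rec in records:
        if rec.usage in (0, 1) and not pkix_valid:
            continue
        candidates = chain[:1] if rec.usage in (1, 3) else chain
        if any(record_matches(rec, el) for el in candidates):
            return True
    return False


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


# Constructed sample input standing in for real DER bytes.
LEAF: ChainElement = (b"constructed leaf certificate gnb-0001", b"constructed leaf SPKI")
OPERATOR_CA: ChainElement = (b"constructed operator CA certificate", b"constructed CA SPKI")

if __name__ == "__main__":
    rr = TLSARecord.parse("3 1 1 " + sha256_hex(LEAF[1]))
    print("DANE-EE SPKI match:", verify_with_tlsa([rr], [LEAF, OPERATOR_CA], pkix_valid=False))
```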
FIG. 11 is a flowchart of a base station access control method provided by another embodiment of the present application, applied to the blockchain system; the method includes, but is not limited to, steps S1000 to S3000.
Step S1000: receive first authentication request information sent by the base station; the first authentication request information carries the identity certificate of the base station.
Step S2000: when it is confirmed, based on the first authentication request information, that the identity certificate is stored, generate first identity certificate issuance information according to the identity certificate.
In one embodiment, the blockchain system determines from the identity certificate carried in the first authentication request information whether the corresponding identity certificate has been stored; having confirmed that it stores the identity certificate corresponding to the first authentication request information, it generates the first identity certificate issuance information corresponding to that request from the identity certificate. This improves the accuracy of certificate configuration and facilitates subsequent access to the gateway according to the first identity certificate issuance information.
It will be understood that when the blockchain system assesses the first authentication request information, the assessment method is the same as the traditional CA registration review method, which is a technique commonly used by those skilled in the art and is not repeated here.
Step S3000: send the first identity certificate issuance information, used for accessing the gateway, to the base station.
In one embodiment, the first identity certificate issuance information is sent to the base station identity management client so that it can access the gateway.
FIG. 12 is a flowchart of a base station access control method provided by another embodiment of the present application; the method includes, but is not limited to, steps S3100 to S3400.
Step S3100: receive the authorization processing request, corresponding to an in-station device, sent by the base station.
In one embodiment, the base station identity management client sends an authorization processing request corresponding to the in-station device to the blockchain system; the request carries the identity certificate corresponding to the in-station device, which allows the management node to verify the in-station device and improves the security of the certificate.
It will be understood that the in-station device may be a management device or a management user inside the base station; this embodiment does not specifically limit it.
Step S3200: update the identity certificate according to the authorization processing request.
In one embodiment, the blockchain system obtains the authorization code of the in-station device or user from the authorization processing request, checks the authorization code against the identity certificate, puts the identity certificate that passes verification and corresponds to the authorization code on the chain, and updates the identity certificate according to the result of the on-chain operation, improving the efficiency of certificate configuration.
Step S3300: generate second identity certificate issuance information according to the updated identity certificate.
Step S3400: send the second identity certificate issuance information to the base station.
In one embodiment, the blockchain system generates the second identity certificate issuance information from the updated identity certificate and sends the identity certificate corresponding to the second identity certificate issuance information to the base station identity management client, unifying the lifecycle management approach.
FIG. 13 is a flowchart of a base station access control method provided by another embodiment of the present application; the method includes, but is not limited to, steps S3500 to S3700.
Step S3500: receive the verification request sent by the gateway. The verification request is generated by the gateway from the identity authentication access request from the base station, and the identity authentication access request carries the first identity certificate issuance information.
Step S3600: verify the identity of the base station according to the verification request and obtain the access verification result.
In one embodiment, from the verification request sent by the gateway and the first identity certificate issuance information, the identity and device that sent the request are determined, and the device and identity that sent the identity authentication access request are verified to obtain the access verification result, so that the base station can access the gateway according to it.
It will be understood that the access verification result is the blockchain system confirming the base station's identity certificate from the first identity certificate issuance information and thereby locating the corresponding base station.
Step S3700: send the access verification result to the gateway so that the base station accesses the gateway according to the access verification result.
In one embodiment, the access verification result obtained in step S3600 is sent to the gateway so that the base station can access the gateway according to it, completing the base station identity authentication process.
In one embodiment, to explain the identity authentication process for base station access to the gateway more clearly, a specific example is given below.
FIG. 14 is a schematic diagram of the system framework of a base station accessing a gateway provided by a specific example.
Example 1:
The base station leaves the factory with a digital certificate, the identity certificate, and the private key corresponding to the identity certificate is stored locally on the base station. The base station identity management client then sends the certificate content and related identity information as the request content to a verification node on the chain (the operator's RA/CA) and enters the state of waiting for the identity certificate to be issued. On receiving the request, the verification node on the chain uses the information supplied by the user to decide whether to store the user's identity certificate, using the same method as traditional CA registration review; identity certificates that pass verification are added to the blockchain system through the consensus mechanism.
FIG. 15 is a flowchart of a base station access control method provided by another embodiment of the present application; the method includes, but is not limited to, steps S4000 to S6000.
Step S4000: receive second authentication request information sent by the base station. The second authentication request information is generated by the base station according to a user identity authorization request from the authorizing end, and the user identity authorization request carries the user identity information of the authorizing end.
In one embodiment, the blockchain system receives the second authentication request information, which is generated from the user identity authorization request from the authorizing end and includes the authorizing end's user identity information carried in that request, so that the blockchain system can assess the authorizing end based on its user identity information.
Step S5000: when the user identity information in the second authentication request information confirms that the authorizing end is not registered, generate a target authorization code according to the second authentication request information.
In one embodiment, when the user identity information in the second authentication request information confirms that the authorizing end is not registered, the blockchain system concatenates a randomly generated serial number with the time at which the second authentication request information was issued to form the target authorization code, then sends the target authorization code in plain form back to the authorizing-end device and stores the hash of the target authorization code in the authorized device list in the blockchain system. The authorized device list stores the hashes of the authorization codes of devices that have already been authorized; this curbs the proliferation of network management user authorizations at the authorizing end and improves the accuracy of network management user authorization.
It will be understood that the blockchain system stores a large number of identity certificates, including base station identity certificates, device identity certificates and network management user identity certificates; an identity certificate carries the authorization code of the device or network management user, and writing the authorization codes into the base station certificate's authorization list forms the authorized device list. The authorized device list is a technique commonly used by those skilled in the art and is not described further here.
It should be noted that when the user identity information in the second authentication request information confirms that the authorizing end is already registered, the blockchain system discards the second authentication request information.
Step S6000: send the target authorization code to the authorizing end through the base station.
In one embodiment, when it is determined that the authorizing end is not registered, the target authorization code is sent to the authorizing end through the base station identity management client, where the authorizing end is the party that sent the user identity authorization request. This implements the authorization of the authorizing end and improves the reliability of the blockchain system.
In one embodiment, to explain the network management user authorization process more clearly, a specific example is given below.
FIG. 16 is a schematic diagram of the system framework for network management user authorization provided by a specific example.
示例二:Example two:
基站的身份证书可以对访问基站的网管设备、其他设备或身份进行授权访问,授权时,初始基站身份管理客户端完成身份证书的上链工作后,根据网管OAM-agent的授权用户信息向区块链系统发送授权请求,区块链系统将一个随机生成的序列号和请求发出的时间拼接成字符串,随后将字符串原文发送回请求端设备,并将字符串的哈希值存入区块链证书中的授权设备列表中。最后,基站将得到的字符串输入到待授权的设备,即网管OAM-agent中,完成设备授权过程,通过网管系统也可以查询哪些用户已授权,授权是否过期。The identity certificate of the base station can authorize access to network management equipment, other equipment or identities accessing the base station. When authorizing, the initial base station identity management client completes the work of uploading the identity certificate to the block according to the authorized user information of the network management OAM-agent. The chain system sends an authorization request, and the blockchain system concatenates a randomly generated serial number and the time when the request is issued into a string, then sends the original text of the string back to the requesting device, and stores the hash value of the string into the block list of authorized devices in the chain certificate. Finally, the base station inputs the obtained character string into the device to be authorized, that is, the network management OAM-agent, and completes the device authorization process. The network management system can also query which users have been authorized and whether the authorization has expired.
如图17所示,图17是本申请另一个实施例提供的基站接入控制方法的流程图,基站接入控制方法包括但不限于步骤S3800至S3900。As shown in FIG. 17 , FIG. 17 is a flowchart of a base station access control method provided by another embodiment of the present application. The base station access control method includes but is not limited to steps S3800 to S3900 .
步骤S3800:接收由基站发送的查询证书请求,查询证书请求由基站根据由网管发送的用户认证请求信息生成,用户认证请求信息由网管在接收到网管用户的接入请求的情况下生成。Step S3800: Receive the certificate query request sent by the base station. The certificate query request is generated by the base station according to the user authentication request information sent by the network management. The user authentication request information is generated by the network management upon receiving the access request from the network management user.
在一实施例中,区块链系统接收由基站身份管理服务端发送的查询证书请求,其中,当网管用户请求接入向网管发送接入请求时,生成用户认证请求信息,基站身份管理服务端接收到接入请求后,生成查询证书请求,区块链系统接收查询证书请求,提高网管用户的证书认证的准确性。In one embodiment, the blockchain system receives the query certificate request sent by the base station identity management server, wherein, when the network management user requests access and sends an access request to the network management, user authentication request information is generated, and the base station identity management server After receiving the access request, a query certificate request is generated, and the blockchain system receives the query certificate request to improve the accuracy of the network management user's certificate authentication.
步骤S3900:根据查询证书请求向基站发送身份证书,使得基站根据来自网管的验证授权码和从身份证书中获得的目标授权码之间的差异性,向网管发送针对网管用户的验证结果信息,其中,验证授权码与网管用户对应。Step S3900: Send the identity certificate to the base station according to the query certificate request, so that the base station sends the verification result information for the network management user to the network management according to the difference between the verification authorization code from the network management and the target authorization code obtained from the identity certificate, wherein , verify that the authorization code corresponds to the network management user.
在一实施例中,在接收步骤S3800的查询证书请求之后,区块链对已经存储的证书进行查找,根据查找结果,向基站身份管理服务端返回与查询证书请求对应的身份证书,便于基站身份管理服务端根据身份证书对网管用户进行验证。In one embodiment, after receiving the query certificate request in step S3800, the blockchain searches the stored certificates, and returns the identity certificate corresponding to the query certificate request to the base station identity management server according to the search results, so that the base station identity The management server verifies the network management user according to the identity certificate.
可以理解的是,区块链系统中存储大量身份证书,包括基站身份证书、设备身份证书或者网管用户身份证书等,其中身份证书中携带设备或者网管用户的授权码。It is understandable that a large number of identity certificates are stored in the blockchain system, including base station identity certificates, device identity certificates, or network management user identity certificates, among which the identity certificates carry the authorization code of the device or network management user.
在一实施例中,为了更加清楚的说明网管用户认证过程,以下给出具体示例进行说明。In an embodiment, in order to illustrate the network management user authentication process more clearly, a specific example is given below for illustration.
如图18所示,图18是一个具体示例提供的网管用户认证的系统框架的示意图。As shown in FIG. 18 , FIG. 18 is a schematic diagram of a system framework for network management user authentication provided by a specific example.
示例三:Example three:
OAM-agent收到EMS登陆用户请求后,向基站的身份管理服务端模块发送用户身份查询请求,服务端向区块链系统申请本基站的身份证书查询请求,区块链系统查询后返回证书,基站身份管理服务端读取证书中的对应网管用户的授权码值,同时向OAM-agent请求该用户的授权码,如果该用户存在授权码,则回送给服务端,服务端对将字符串hash计算后与从区块链系统查询获取的授权码比对,一样时返回验证成功;如果该用户在OAM-agent没有授权字符串,则返回一个空串,服务端查询无授权,返回验证失败结果。After the OAM-agent receives the EMS login user request, it sends a user identity query request to the identity management server module of the base station, and the server applies to the blockchain system for the identity certificate query request of the base station, and the blockchain system returns the certificate after querying. The base station identity management server reads the authorization code value of the corresponding network management user in the certificate, and at the same time requests the user's authorization code from the OAM-agent. If the user has an authorization code, it will send it back to the server, and the server will hash the string After calculation, it is compared with the authorization code obtained from the blockchain system query, and if the same, the authentication success is returned; if the user does not have an authorization string in the OAM-agent, an empty string is returned, and the server query is not authorized, and the authentication failure result is returned .
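The issue side of Example two (step S5000: random serial concatenated with the request time, plaintext returned, only the hash kept in the authorized device list, duplicate registrations discarded) and the check side of Example three (hash the string presented by the OAM-agent and compare it with the certificate value, an empty string failing) as one added Python illustration; this is not code from the application, and the SHA-256 hash, the `AuthorizationRegistry` container, the epoch-seconds request time and the expiry lifetime are assumptions of the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


def hash_authorization_code(code: str) -> str:
    """Hash kept on chain in place of the plaintext code (SHA-256 assumed;
    the application does not name the hash function)."""
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


def build_target_authorization_code(request_time: int, serial: Optional[str] = None) -> str:
    """Concatenate a random serial number and the time (epoch seconds, UTC)
    at which the second authentication request was issued."""
    if serial is None:
        serial = secrets.token_hex(16)          # 128 random bits
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(request_time))
    return f"{serial}|{stamp}"


@dataclass
class AuthorizationRegistry:
    """Blockchain-side view of one base station identity certificate (assumed structure)."""
    # authorized device list: hashes of every issued code, never the plaintext
    authorized_device_list: Set[str] = field(default_factory=set)
    # per-user entry of the certificate: user identity -> hash of its code
    user_entries: Dict[str, str] = field(default_factory=dict)
    # issue time per identity, so the network management can ask about expiry
    issued_at: Dict[str, int] = field(default_factory=dict)

    def handle_second_authentication_request(
        self, user_identity: str, request_time: int, serial: Optional[str] = None
    ) -> Optional[str]:
        """Step S5000: issue a code for an unregistered authorizing end.
        Returns the plaintext code to relay through the base station, or None
        when the identity is already registered (the request is discarded)."""
        if user_identity in self.user_entries:
            return None
        code = build_target_authorization_code(request_time, serial)
        digest = hash_authorization_code(code)
        self.authorized_device_list.add(digest)
        self.user_entries[user_identity] = digest
        self.issued_at[user_identity] = request_time
        return code

    def certificate_code_for(self, user_identity: str) -> Optional[str]:
        """What the base station reads from the certificate for this user."""
        return self.user_entries.get(user_identity)

    def is_expired(self, user_identity: str, now: int, lifetime_seconds: int) -> bool:
        """Expiry query for the network management; the lifetime is an assumed policy value."""
        issued = self.issued_at.get(user_identity)
        return issued is None or now - issued > lifetime_seconds


def verify_user(certificate_hash: Optional[str], presented_code: str) -> bool:
    """Base station identity management server check (Example three).
    An empty string from the OAM-agent means no authorization -> failure;
    the comparison is constant-time so the hash cannot be probed byte by byte."""
    if certificate_hash is None or presented_code == "":
        return False
    return hmac.compare_digest(hash_authorization_code(presented_code), certificate_hash)
```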
As shown in FIG. 19, FIG. 19 is a flowchart of a base station access control method provided by another embodiment of the present application. The base station access control method includes, but is not limited to, step S7000.
Step S7000: Send DNS certificate information to the base station, so that the base station verifies the DNS certificate information according to the TLSA record, associated with the DNS certificate information, that it obtains from the DNS.
In one embodiment, the blockchain system stores DNS server certificate information sent by the DNS server. The base station identity management client first sends a DNS certificate information query to the DNS proxy, after which a DNS server certificate information request is sent to the blockchain system; according to that request, the DNS certificate information is sent to the base station identity management client, so that the base station identity management client can verify the DNS certificate information by means of the TLSA record.
In one embodiment, in order to explain the process of TLSA record configuration and DNS authentication more clearly, a specific example is given below.
As shown in FIG. 20, FIG. 20 is a schematic diagram of an architecture, provided by a specific example, for verifying a server certificate according to a TLSA record.
Example four:
The base station identity management client sends a DNS certificate information query request to the DNS proxy and sends a TLSA record request to the DNS. According to the received DNS certificate information request, the DNS proxy sends a DNS server certificate information request to the blockchain system; once the blockchain system completes its query, it returns the DNS server certificate information to the DNS proxy. The base station identity management client compares the TLSA record obtained from the DNS with the returned DNS server certificate information, obtains the result, and thereby completes verification of the server certificate.
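The comparison at the end of Example four, as an added Python illustration rather than code from the application: the operator-side TLSA record configuration and the client-side check of the returned DNS server certificate information against that record, following the usage/selector/matching-type semantics of RFC 6698. The `CertInfo` container (DER of the certificate plus DER of its SubjectPublicKeyInfo) and the sample byte strings are assumptions of the example; no real DNS lookup is performed, the record is given as text.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class CertInfo:
    """Server certificate information as modelled here (assumption): DER of the
    whole certificate and DER of its SubjectPublicKeyInfo. Constructed sample
    bytes stand in for real DER in the tests below."""
    der: bytes
    spki: bytes


@dataclass(frozen=True)
class TlsaRecord:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int  # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes         # certificate association data


def parse_tlsa(presentation: str) -> TlsaRecord:
    """Parse RFC 6698 presentation format, e.g. '3 1 1 2bb183...'.
    The hex data may be broken across whitespace as in zone files."""
    parts = presentation.split()
    if len(parts) < 4:
        raise ValueError("TLSA record needs usage, selector, matching type and data")
    usage, selector, matching_type = (int(p) for p in parts[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or matching_type not in (0, 1, 2):
        raise ValueError("unknown TLSA usage, selector or matching type")
    data = bytes.fromhex("".join(parts[3:]))
    expected_len = {1: 32, 2: 64}.get(matching_type)
    if expected_len is not None and len(data) != expected_len:
        raise ValueError("association data length does not match the hash type")
    return TlsaRecord(usage, selector, matching_type, data)


def association_data(cert: CertInfo, selector: int, matching_type: int) -> bytes:
    """Select the certificate or its SPKI, then apply the matching type."""
    selected = cert.der if selector == 0 else cert.spki
    if matching_type == 0:
        return selected
    if matching_type == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def build_tlsa_record(cert: CertInfo, usage: int, selector: int, matching_type: int) -> str:
    """TLSA record configuration: the presentation string the operator publishes
    (under _port._proto.name) for the DNS server's certificate."""
    data = association_data(cert, selector, matching_type)
    return f"{usage} {selector} {matching_type} {data.hex()}"


def cert_matches(record: TlsaRecord, cert: CertInfo) -> bool:
    """Recompute the association data from the certificate information returned
    by the blockchain and compare it with the record in constant time."""
    computed = association_data(cert, record.selector, record.matching_type)
    return hmac.compare_digest(computed, record.data)


def verify_server_certificate(
    record: TlsaRecord, end_entity: CertInfo, chain: Sequence[CertInfo] = ()
) -> bool:
    """Client-side check of Example four for the two DANE usages."""
    if record.usage == 3:                       # DANE-EE: the end-entity itself
        return cert_matches(record, end_entity)
    if record.usage == 2:                       # DANE-TA: an anchor in the presented chain
        # Caveat: the matched anchor must also actually issue the chain; that
        # path check belongs to the TLS stack and is not repeated here.
        return any(cert_matches(record, c) for c in chain)
    raise NotImplementedError("usages 0 and 1 additionally require PKIX path validation")
```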
In addition, an embodiment of the present application further provides a base station, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor.
The processor and the memory may be connected by a bus or in another manner.
As a non-transitory computer-readable storage medium, the memory can be used to store non-transitory software programs and non-transitory computer-executable programs. In addition, the memory may include high-speed random access memory and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In some implementations, the memory may include memory located remotely from the processor, and such remote memory may be connected to the processor through a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The non-transitory software programs and instructions required to implement the base station access control method of the above embodiments are stored in the memory and, when executed by the processor, perform the base station access control method of the above embodiments, for example the method steps S100 to S300 in FIG. 3, S310 to S340 in FIG. 6, S2100 to S2200 in FIG. 7, S400 and S600 in FIG. 8, S2300 to S2600 in FIG. 9, and S700 and S900 in FIG. 10 described above.
In addition, an embodiment of the present application further provides a blockchain system, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor.
The processor and the memory may be connected by a bus or in another manner.
As a non-transitory computer-readable storage medium, the memory can be used to store non-transitory software programs and non-transitory computer-executable programs. In addition, the memory may include high-speed random access memory and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In some implementations, the memory may include memory located remotely from the processor, and such remote memory may be connected to the processor through a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The non-transitory software programs and instructions required to implement the base station access control method of the above embodiments are stored in the memory and, when executed by the processor, perform the base station access control method of the above embodiments, for example the method steps S1000 to S3000 in FIG. 11, S3100 to S3400 in FIG. 12, S3500 to S3700 in FIG. 13, S4000 to S6000 in FIG. 15, S3800 to S3900 in FIG. 17, and S7000 in FIG. 19 described above.
In addition, an embodiment of the present application further provides a computer-readable storage medium storing computer-executable instructions which, when executed by a processor or controller, for example by a processor in the above device embodiments, cause that processor to perform the base station access control method of the above embodiments, for example the method steps S100 to S300 in FIG. 3, S310 to S340 in FIG. 6, S2100 to S2200 in FIG. 7, S400 and S600 in FIG. 8, S2300 to S2600 in FIG. 9, S700 and S900 in FIG. 10, S1000 to S3000 in FIG. 11, S3100 to S3400 in FIG. 12, S3500 to S3700 in FIG. 13, S4000 to S6000 in FIG. 15, S3800 to S3900 in FIG. 17, and S7000 in FIG. 19 described above.
The embodiments described above are merely illustrative. Units described as separate components may or may not be physically separate; that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of hardware plus software functional units.
Embodiments of the present application include a base station access control method applied to a base station, including: sending first authentication request information to a blockchain system, the first authentication request information carrying the identity certificate of the base station; obtaining first identity certificate issuance information sent by the blockchain system, the first identity certificate issuance information being generated by the blockchain system from the identity certificate when, based on the first authentication request information, it confirms that the identity certificate is stored; and accessing a gateway according to the first identity certificate issuance information. According to the solution provided by the embodiments of the present application, because the first authentication request information sent by the base station itself carries the relevant identity certificate, when the blockchain system obtains the first authentication request information sent by the base station it can at the same time obtain the identity certificate of the base station. Thus, when it confirms, based on the first authentication request information, that the identity certificate is stored, the blockchain system generates the first identity certificate issuance information and sends it to the base station to inform the base station that its identity certificate has been taken into the blockchain system for management, and the base station then accesses the gateway according to the first identity certificate issuance information, thereby implementing base station access control and improving the effectiveness and correctness of certificate management.
Those of ordinary skill in the art will understand that all or some of the steps and systems of the methods disclosed above may be implemented as software, firmware, hardware, or an appropriate combination thereof. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor or microprocessor, as hardware, or as an integrated circuit such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). As is well known to those of ordinary skill in the art, the term computer storage media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for the storage of information such as computer-readable instructions, data structures, program modules or other data. Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer. Furthermore, as is well known to those of ordinary skill in the art, communication media typically embody computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.
The above is a specific description of several implementations of the present application, but the present application is not limited to the above implementations. Those skilled in the art can make various equivalent modifications or substitutions without departing from the essence of the present application, and such equivalent modifications or substitutions all fall within the scope defined by the claims of the present application.

Claims (15)

  1. 一种基站接入控制方法,应用于基站,所述方法包括:A base station access control method applied to a base station, the method comprising:
    向区块链系统发送第一认证请求信息,所述第一认证请求信息携带所述基站的身份证书;Sending first authentication request information to the block chain system, the first authentication request information carrying the identity certificate of the base station;
    获取由所述区块链系统发送的第一身份证书签发信息,所述第一身份证书签发信息由所述区块链系统在基于所述第一认证请求信息确认存储所述身份证书的情况下,根据所述身份证书生成;Obtain the first identity certificate issuance information sent by the blockchain system, and the first identity certificate issuance information is confirmed by the blockchain system based on the first authentication request information to store the identity certificate , generated according to the identity certificate;
    根据所述第一身份证书签发信息接入网关。The information access gateway is issued according to the first identity certificate.
  2. 根据权利要求1所述的基站接入控制方法,其中,所述根据所述第一身份证书签发信息接入网关,包括:The base station access control method according to claim 1, wherein the issuing information access gateway according to the first identity certificate includes:
    根据所述第一身份证书签发信息生成携带所述第一身份证书签发信息的身份认证接入请求;generating an identity authentication access request carrying the first identity certificate issuance information according to the first identity certificate issuance information;
    向所述网关发送所述身份认证接入请求;sending the identity authentication access request to the gateway;
    接收由所述网关根据所述身份认证接入请求发送的接入验证结果,所述接入验证结果由所述区块链系统根据来自所述网关的验证请求验证所述基站的身份而得到,并向所述网关发送,所述验证请求由所述网关根据所述身份认证接入请求生成;receiving an access verification result sent by the gateway according to the identity authentication access request, the access verification result being obtained by the blockchain system verifying the identity of the base station according to the verification request from the gateway, And send to the gateway, the verification request is generated by the gateway according to the identity authentication access request;
    根据所述接入验证结果接入网关。Access to the gateway according to the access verification result.
  3. 根据权利要求1所述的基站接入控制方法,其中,所述基站包括站内设备;所述获取由所述区块链系统发送的第一身份证书签发信息之后,还包括:The base station access control method according to claim 1, wherein the base station includes in-station equipment; after acquiring the first identity certificate issuance information sent by the blockchain system, further comprising:
    向所述区块链系统发送与所述站内设备对应的授权处理请求;sending an authorization processing request corresponding to the on-site device to the blockchain system;
    接收由所述区块链系统发送的第二身份证书签发信息,所述第二身份证书签发信息由所述区块链系统根据所述授权处理请求更新所述身份证书,并基于更新后的所述身份证书得到。receiving the second identity certificate issuance information sent by the blockchain system, the second identity certificate issuance information is updated by the blockchain system according to the authorization processing request, and based on the updated The above identity certificate is obtained.
  4. 根据权利要求1所述的基站接入控制方法,还包括:The base station access control method according to claim 1, further comprising:
    向所述区块链系统发送第二认证请求信息,所述第二认证请求信息由所述基站根据来自授权端的用户身份授权请求生成,所述用户身份授权请求携带所述授权端的用户身份信息;Sending second authentication request information to the blockchain system, the second authentication request information is generated by the base station according to the user identity authorization request from the authorization end, and the user identity authorization request carries the user identity information of the authorization end;
    接收由所述区块链系统根据所述第二认证请求信息发送的目标授权码,所述目标授权码由所述区块链系统,在根据所述第二认证请求信息中的所述用户身份信息确认所述授权端未注册的情况下,根据所述第二认证请求信息生成;Receive the target authorization code sent by the blockchain system according to the second authentication request information, the target authorization code is sent by the blockchain system according to the user identity in the second authentication request information When the information confirms that the authorization terminal is not registered, it is generated according to the second authentication request information;
    向所述授权端发送所述目标授权码。sending the target authorization code to the authorizing end.
  5. 根据权利要求1所述的基站接入控制方法,其中,所述获取由所述区块链系统发送的第一身份证书签发信息之后,还包括:The base station access control method according to claim 1, wherein, after acquiring the first identity certificate issuance information sent by the blockchain system, further comprising:
    接收由网管发送的用户认证请求信息,所述用户认证请求信息由所述网管在接收到网管用户的接入请求的情况下生成;receiving user authentication request information sent by the network manager, where the user authentication request information is generated by the network manager upon receiving an access request from a network management user;
    向所述区块链系统发送查询证书请求,所述查询证书请求由所述基站根据所述用户认证请求信息生成;Sending a query certificate request to the blockchain system, the query certificate request is generated by the base station according to the user authentication request information;
    获取由所述区块链系统根据所述查询证书请求反馈的所述身份证书;Obtain the identity certificate fed back by the blockchain system according to the query certificate request;
    根据来自所述网管的验证授权码和从所述身份证书中获得的目标授权码之间的差异性,向所述网管发送针对所述网管用户的验证结果信息,其中,所述验证授权码与所述网管用户对应。According to the difference between the verification authorization code from the network manager and the target authorization code obtained from the identity certificate, send the verification result information for the network management user to the network manager, wherein the verification authorization code is the same as Corresponding to the network management user.
  6. 根据权利要求1所述的基站接入控制方法,还包括:The base station access control method according to claim 1, further comprising:
    从所述区块链系统获取DNS证书信息;Obtain DNS certificate information from the blockchain system;
    从DNS获取与所述DNS证书信息关联的TLSA记录;Obtaining a TLSA record associated with the DNS certificate information from DNS;
    根据所述TLSA记录验证所述DNS证书信息。Verifying the DNS certificate information according to the TLSA record.
  7. 一种基站接入控制方法,应用于区块链系统,所述方法包括:A base station access control method applied to a blockchain system, the method comprising:
    接收由基站发送的第一认证请求信息,所述第一认证请求信息携带所述基站的身份证书;receiving first authentication request information sent by the base station, where the first authentication request information carries the identity certificate of the base station;
    在基于所述第一认证请求信息确认存储所述身份证书的情况下,根据所述身份证书生成第一身份证书签发信息;In the case of confirming the storage of the identity certificate based on the first authentication request information, generating first identity certificate issuance information according to the identity certificate;
    向所述基站发送用于接入网关的所述第一身份证书签发信息。Sending the first identity certificate issuance information for the access gateway to the base station.
  8. 根据权利要求7所述的基站接入控制方法,其中,所述基站包括站内设备;所述向所述基站发送用于接入网关的所述第一身份证书签发信息之后,还包括:The base station access control method according to claim 7, wherein the base station includes in-station equipment; after sending the first identity certificate issuance information for the access gateway to the base station, further comprising:
    接收由所述基站发送的与所述站内设备对应的授权处理请求;receiving an authorization processing request corresponding to the in-station equipment sent by the base station;
    根据所述授权处理请求更新所述身份证书;updating the identity certificate according to the authorization processing request;
    根据更新后的所述身份证书生成第二身份证书签发信息;generating second identity certificate issuance information according to the updated identity certificate;
    向所述基站发送第二身份证书签发信息。Send the second identity certificate issuance information to the base station.
  9. 根据权利要求7所述的基站接入控制方法,其中,所述向所述基站发送用于接入网关的所述第一身份证书签发信息之后,还包括:The base station access control method according to claim 7, wherein, after sending the first identity certificate issuance information for the access gateway to the base station, further comprising:
    接收由所述网关发送的验证请求,所述验证请求由所述网关根据来自所述基站的身份认证接入请求生成,所述身份认证接入请求携带所述第一身份证书签发信息;receiving a verification request sent by the gateway, the verification request being generated by the gateway according to the identity authentication access request from the base station, the identity authentication access request carrying the first identity certificate issuance information;
    根据所述验证请求验证所述基站的身份,得到接入验证结果;Verifying the identity of the base station according to the verification request, and obtaining an access verification result;
    向所述网关发送所述接入验证结果,使得所述基站根据所述接入验证结果接入所述网关。Sending the access verification result to the gateway, so that the base station accesses the gateway according to the access verification result.
  10. 根据权利要求7所述的基站接入控制方法,还包括:The base station access control method according to claim 7, further comprising:
    接收由所述基站发送的第二认证请求信息,所述第二认证请求信息由所述基站根据来自授权端的用户身份授权请求生成,所述用户身份授权请求携带所述授权端的用户身份信息;receiving the second authentication request information sent by the base station, the second authentication request information is generated by the base station according to the user identity authorization request from the authorization end, the user identity authorization request carries the user identity information of the authorization end;
    在根据所述第二认证请求信息中的所述用户身份信息确认所述授权端未注册的情况下,根据所述第二认证请求信息生成目标授权码;When it is confirmed according to the user identity information in the second authentication request information that the authorization terminal is not registered, generate a target authorization code according to the second authentication request information;
    通过所述基站向所述授权端发送所述目标授权码。Sending the target authorization code to the authorization end through the base station.
  11. 根据权利要求7所述的基站接入控制方法,其中,所述向所述基站发送用于接入网关的所述第一身份证书签发信息之后,还包括:The base station access control method according to claim 7, wherein, after sending the first identity certificate issuance information for the access gateway to the base station, further comprising:
    接收由所述基站发送的查询证书请求,所述查询证书请求由所述基站根据由网管发送的用户认证请求信息生成,所述用户认证请求信息由所述网管在接收到网管用户的接入请求的情况下生成;receiving the certificate query request sent by the base station, the certificate query request is generated by the base station according to the user authentication request information sent by the network management, and the user authentication request information is generated by the network management after receiving the access request of the network management user generated under the circumstances;
    根据所述查询证书请求向所述基站发送所述身份证书,使得所述基站根据来自所述网管的验证授权码和从所述身份证书中获得的目标授权码之间的差异性,向所述网管发送针对所述网管用户的验证结果信息,其中,所述验证授权码与所述网管用户对应。Send the identity certificate to the base station according to the query certificate request, so that the base station sends the identity certificate to the base station according to the difference between the verification authorization code from the network management and the target authorization code obtained from the identity certificate The network management sends verification result information for the network management user, wherein the verification authorization code corresponds to the network management user.
  12. The base station access control method according to claim 7, further comprising:
    sending DNS certificate information to the base station, so that the base station verifies the DNS certificate information according to a TLSA record, associated with the DNS certificate information, that is obtained from the DNS.
  13. A base station, comprising: a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein, when the processor executes the computer program, the base station access control method according to any one of claims 1 to 6 is implemented.
  14. A blockchain system, comprising: a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein, when the processor executes the computer program, the base station access control method according to any one of claims 7 to 12 is implemented.
  15. A computer-readable storage medium storing computer-executable instructions, wherein the computer-executable instructions are configured to cause a computer to execute the base station access control method according to any one of claims 1 to 12.
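The following is an added example, not code from the patent or from its applicant, that shows the two checks described in claims 10 to 12 in working form: the issuance of a target authorization code only for an identity that is not yet registered and its later comparison against the verification code a network management user presents (claims 10 and 11), and the check of a certificate against a DANE TLSA record obtained from DNS (claim 12, following the RFC 6698 field semantics). The ledger is replaced by an in-memory `BlockchainSystem` class, the identity certificate by a plain dict, and the certificate and SubjectPublicKeyInfo bytes by constructed sample byte strings; all of these are assumptions of the example. One deliberate choice beyond the claim text is that the certificate record holds a hash of the target code rather than the code itself, and that comparisons are constant-time.

```python
import hashlib
import hmac
import secrets

# --- Claims 10 and 11: authorization-code issuance and verification ---

class BlockchainSystem:
    """In-memory stand-in for the ledger side (an assumption of this example)."""

    def __init__(self):
        self.registered = set()   # user identities that already received a target code
        self.certificates = {}    # identity -> identity-certificate record (a dict here)

    def handle_second_auth_request(self, user_identity):
        """Claim 10: issue a target authorization code only for an unregistered identity."""
        if user_identity in self.registered:
            return None           # already registered: no second code is issued
        target_code = secrets.token_hex(16)   # 128-bit random code, returned once
        self.certificates[user_identity] = {
            "identity": user_identity,
            # store only a digest so a leaked certificate record does not leak the code
            "code_hash": hashlib.sha256(target_code.encode()).hexdigest(),
        }
        self.registered.add(user_identity)
        return target_code

    def query_certificate(self, user_identity):
        """Claim 11: answer the base station's certificate query request."""
        return self.certificates.get(user_identity)


class BaseStation:
    def __init__(self, chain):
        self.chain = chain

    def request_authorization_code(self, user_identity):
        # forwards the authorization end's request as the "second authentication request"
        return self.chain.handle_second_auth_request(user_identity)

    def verify_nms_user(self, user_identity, verification_code):
        """Claim 11: compare the NMS user's verification code with the stored target code."""
        cert = self.chain.query_certificate(user_identity)
        if cert is None:
            return False
        presented = hashlib.sha256(verification_code.encode()).hexdigest()
        # constant-time comparison: timing must not reveal how much of the code matched
        return hmac.compare_digest(presented, cert["code_hash"])


# --- Claim 12: checking a certificate against a DANE TLSA record (RFC 6698) ---

_DIGEST = {0: lambda b: b,                           # matching type 0: exact bytes
           1: lambda b: hashlib.sha256(b).digest(),  # matching type 1: SHA-256
           2: lambda b: hashlib.sha512(b).digest()}  # matching type 2: SHA-512

def tlsa_record_for(cert_der, spki_der, usage, selector, matching):
    """Build the association data a zone operator would publish for this certificate.
    selector 0 covers the full DER certificate, selector 1 the SubjectPublicKeyInfo."""
    data = cert_der if selector == 0 else spki_der
    return {"usage": usage, "selector": selector, "matching": matching,
            "data": _DIGEST[matching](data)}

def tlsa_matches(cert_der, spki_der, record):
    """True if the presented certificate matches one TLSA record."""
    if record["selector"] not in (0, 1) or record["matching"] not in _DIGEST:
        return False              # unknown selector/matching type is unusable, never a match
    data = cert_der if record["selector"] == 0 else spki_der
    return hmac.compare_digest(_DIGEST[record["matching"]](data), record["data"])

def verify_dns_certificate(cert_der, spki_der, tlsa_records):
    """Returns (ok, needs_pkix). Only end-entity usages are handled here:
    usage 3 (DANE-EE) stands alone, usage 1 (PKIX-EE) additionally requires a normal
    PKIX chain validation, which this example does not perform. Usages 0 and 2 name a
    trust anchor in the chain rather than this certificate and are skipped."""
    for rec in tlsa_records:
        if rec["usage"] in (1, 3) and tlsa_matches(cert_der, spki_der, rec):
            return True, rec["usage"] == 1
    return False, False


# Constructed sample input (not real DER): stands in for bytes the caller extracted.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-sample-certificate"
SAMPLE_SPKI_DER = b"\x30\x59constructed-sample-spki"
SAMPLE_TLSA_RECORDS = [tlsa_record_for(SAMPLE_CERT_DER, SAMPLE_SPKI_DER, 3, 1, 1)]  # "3 1 1"

if __name__ == "__main__":
    chain = BlockchainSystem()
    bs = BaseStation(chain)
    code = bs.request_authorization_code("nms-user-A")
    print("code issued:", code is not None, "verified:", bs.verify_nms_user("nms-user-A", code))
    print("TLSA check:", verify_dns_certificate(SAMPLE_CERT_DER, SAMPLE_SPKI_DER, SAMPLE_TLSA_RECORDS))
```

The TLSA records in the example are constructed locally with `tlsa_record_for`; in a deployment they would come from a DNSSEC-validated lookup of the `_port._proto.name` TLSA name, and a record whose DNSSEC validation failed should be treated exactly like an unknown matching type, as unusable rather than as a match.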
PCT/CN2022/140789 2021-12-22 2022-12-21 Base station access control method, base station, blockchain system, and storage medium WO2023116784A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202111578563.5 2021-12-22
CN202111578563.5A CN116347443A (en) 2021-12-22 2021-12-22 Base station access control method, base station, block chain system and storage medium

Publications (1)

Publication Number Publication Date
WO2023116784A1 true WO2023116784A1 (en) 2023-06-29

Family

ID=86889876

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/140789 WO2023116784A1 (en) 2021-12-22 2022-12-21 Base station access control method, base station, blockchain system, and storage medium

Country Status (2)

Country Link
CN (1) CN116347443A (en)
WO (1) WO2023116784A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109412792A (en) * 2017-08-16 2019-03-01 中国移动通信有限公司研究院 Generation, authentication method, communication equipment and the storage medium of digital certificate
CN111182545A (en) * 2020-01-10 2020-05-19 中国联合网络通信集团有限公司 Micro base station authentication method and terminal
US20200356689A1 (en) * 2019-05-09 2020-11-12 At&T Intellectual Property I, L.P. Controlling Access to Datasets Described in a Cryptographically Signed Record

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
CHINA UNICOM: "Study on Blockchain in Application Layer support Verticals over 5G network", 3GPP DRAFT; S6-200696, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG6, no. Online Meeting ;20200514 - 20200526, 8 May 2020 (2020-05-08), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , XP051882182 *

Also Published As

Publication number Publication date
CN116347443A (en) 2023-06-27

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22910096

Country of ref document: EP

Kind code of ref document: A1