WO2023221502A1 - Data transmission method and system, and signaling security management gateway - Google Patents
- Publication number: WO2023221502A1 (PCT/CN2022/140915)
- Authority: WO (WIPO, PCT)
- Prior art keywords: network element, sinking, access network, user, access
Classifications
- H04W—Wireless communication networks (H—Electricity; H04—Electric communication technique)
- H04W12/033—Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic (under H04W12/00 Security arrangements; H04W12/03 Protecting confidentiality, e.g. by encryption)
- H04W12/069—Authentication using certificates or pre-shared keys (under H04W12/00 Security arrangements; H04W12/06 Authentication)
- H04W56/00—Synchronisation arrangements
- H04W56/001—Synchronization between nodes (under H04W56/00 Synchronisation arrangements)
Definitions
- the present disclosure relates to the technical fields of communication and network security, and in particular to a data transmission method and system and a signaling security management gateway.
- 5G: fifth generation mobile communication technology
- the disclosed embodiments provide access authentication and management for sinking access network elements through a signaling security management gateway, and transmit the data sent by core network elements to the sinking access network elements that have passed the authentication through an encrypted channel.
- Some embodiments of the present disclosure provide a data transmission method, including:
- the signaling security management gateway receives a request from a sinking access network element to access a core network element, and authenticates the sinking access network element;
- the signaling security management gateway establishes an encrypted channel between itself and the sinking access network element that has passed the authentication;
- the signaling security management gateway receives the user data synchronization request sent by the sinking access network element, and sends the user data synchronization request to the core network element;
- the signaling security management gateway receives the encrypted user data sent by the core network element, and sends the encrypted user data to the sinking access network element through the encrypted channel.
- the signaling security management gateway receiving a request from a sinking access network element to access a core network element and authenticating the sinking access network element includes:
- the signaling security management gateway receives a request from a sinking access network element to access a core network element;
- the request to access a core network element carries the identifier of the sinking access network element, the identifier of the user card embedded in the sinking access network element, and the certificate information in the user subscription data;
- if the signaling security management gateway determines that the binding relationship between the identifier of the sinking access network element and the identifier of the user card in the request to access the core network element is incorrect or does not exist, the sinking access network element fails the authentication; or,
- if the signaling security management gateway determines that the timeliness or legality of the certificate information in the user subscription data does not meet the requirements, the sinking access network element fails the authentication; or,
- if the signaling security management gateway determines that the binding relationship between the identifier of the sinking access network element and the identifier of the user card in the request to access the core network element is correct, and that the timeliness and legality of the certificate information in the user subscription data meet the requirements, it determines that the sinking access network element has passed the authentication.
- the user data synchronization request includes the identifier of the sinking access network element and data network information; the signaling security management gateway receiving the user data synchronization request sent by the sinking access network element and sending it to the core network element includes: the signaling security management gateway receives the user data synchronization request sent by the sinking access network element and sends it to the core network element, so that the core network element obtains the corresponding encrypted user data based on the identifier of the sinking access network element and the data network information.
- the method also includes:
- the signaling security management gateway receives a request for downloading user subscription data sent by the sinking access network element; the request for downloading user subscription data includes the identifier of the sinking access network element and the identifier and certificate of the user card embedded in the sinking access network element;
- the signaling security management gateway performs authentication based on the identifier and certificate of the user card. After the authentication passes, it queries the user subscription data loaded in the sinking access network element. If no user subscription data is loaded in the sinking access network element, or the loaded user subscription data has expired, it notifies the sinking access network element to download new user subscription data and establishes binding information between the identifier of the sinking access network element and the identifier of the user card.
- the signaling security management gateway notifying the sinking access network element to download new user subscription data includes:
- the signaling security management gateway notifies the sinking access network element to download new user subscription data, so that the sinking access network element downloads the new user subscription data through an encrypted channel and activates it;
- the signaling security management gateway receives the message that the new user subscription data is successfully activated sent by the sinking access network element.
- the signaling security management gateway issues a user card for each sinking access network element, and each user card includes the certificate of that user card.
- the core network elements include UDM network elements, UPF network elements, AMF network elements, and SMF network elements.
- the sinking access network elements include UDM network elements, UPF network elements, AMF network elements, and SMF network elements.
- the user card includes an embedded UICC.
- Some embodiments of the present disclosure provide a signaling security management gateway, including:
- an authentication module configured to receive a request from a sinking access network element to access a core network element, and to authenticate the sinking access network element;
- a channel establishment module configured to establish an encrypted channel with the sinking access network element that has passed the authentication of the authentication module;
- an information agent module configured to receive the user data synchronization request sent by the sinking access network element and send it to the core network element, and to receive the encrypted user data sent by the core network element and send it to the sinking access network element through the encrypted channel.
- the signaling security management gateway further includes a download management module configured to receive a request to download user subscription data sent by the sinking access network element, where the request includes the identifier of the sinking access network element and the identifier and certificate of the user card embedded in the sinking access network element; to perform authentication based on the identifier and certificate of the user card; and, after the authentication passes, to query the user subscription data loaded in the sinking access network element and, if no user subscription data is loaded in the sinking access network element or the loaded user subscription data has expired, notify the sinking access network element to download new user subscription data and establish binding information between the identifier of the sinking access network element and the identifier of the user card.
- the authentication module is configured so that:
- the request to access a core network element carries the identifier of the sinking access network element, the identifier of the user card embedded in the sinking access network element, and the certificate information in the user subscription data;
- the sinking access network element is determined to have passed the authentication when the binding relationship between the identifier of the sinking access network element and the identifier of the user card is correct and the timeliness and legality of the certificate information in the user subscription data meet the requirements.
- Some embodiments of the present disclosure provide a signaling security management gateway, including: a memory; and a processor coupled to the memory, the processor being configured to execute the data transmission method of any of the embodiments based on instructions stored in the memory.
- Some embodiments of the present disclosure provide a data transmission system, including: the signaling security management gateway of any of the embodiments; a core network element configured to respond to a user data synchronization request and send encrypted user data to the signaling security management gateway; and a sinking access network element configured to send a request to access the core network element to the signaling security management gateway, establish an encrypted channel with the signaling security management gateway, send a user data synchronization request to the signaling security management gateway, and receive the encrypted user data sent by the signaling security management gateway through the encrypted channel.
- Some embodiments of the present disclosure provide a non-transitory computer-readable storage medium on which a computer program is stored. When the program is executed by a processor, the steps of the data transmission method of each embodiment are implemented.
- Figure 1 shows a schematic diagram of a secure data transmission system according to some embodiments of the present disclosure.
- Figure 2 shows a schematic diagram of a secure data transmission method according to some embodiments of the present disclosure.
- Figure 3 shows a schematic diagram of a secure data transmission method according to other embodiments of the present disclosure.
- Figure 4 shows a schematic structural diagram of a signaling security management gateway according to some embodiments of the present disclosure.
- Figure 5 shows a schematic structural diagram of a signaling security management gateway according to other embodiments of the present disclosure.
- the disclosed embodiments provide access authentication and management for sinking access network elements through the signaling security management gateway, and transmit data from the core network element to the sinking access network element that has passed the authentication through an encrypted channel, thereby improving the security of data transmitted between core network elements and sinking access network elements and reducing the risk of information leakage.
- Figure 1 shows a schematic diagram of a secure data transmission system according to some embodiments of the present disclosure.
- the secure data transmission system of this embodiment includes: a core network element 110, a signaling security management gateway 120, and a sinking access network element 130.
- the core network element 110 is any of the various network elements deployed in the core network, which may include, for example, Unified Data Management (UDM) network elements, User Plane Function (UPF) network elements, Access and Mobility Management Function (AMF) network elements, Session Management Function (SMF) network elements, etc.
- the core network provides network services such as terminal access and mobility management, authentication and authorization management, session management, and policy control through various core network elements.
- the 5G SA (Stand Alone, independent networking) core network provides 5G network services such as 5G terminal access and mobility management, authentication management, session management, and policy control.
- the signaling security management gateway 120 may include functions such as network element authentication, embedded user card remote management, and information agency (proxying).
- the remote management function for the embedded user card may include, for example: exchanging data with the embedded user card and establishing an encrypted channel; managing and downloading embedded user card data, that is, interacting with the embedded user card and downloading the user subscription data onto it, so that user data is configured remotely and users can configure and manage embedded user cards securely and flexibly.
- the user card may include, for example, an embedded Universal Integrated Circuit Card (eUICC), etc.
- the user subscription data may include, for example, but is not limited to: user authentication related subscription data, access management subscription data, session management subscription data, etc.
- user authentication-related subscription data may include, for example, but is not limited to: the International Mobile Subscriber Identity (IMSI), the mobile subscriber number, etc.
- IMSI: International Mobile Subscriber Identity
- the mobile subscriber number may be, for example, the MSISDN (Mobile Subscriber International ISDN Number, where ISDN is the Integrated Services Digital Network).
- access management subscription data includes, but is not limited to: UE (User Equipment) level uplink and downlink bandwidth, forbidden area data, service area restriction data, RFSP (RAT/Frequency Selection Priority; RAT: Radio Access Technology), authentication methods, etc.
- session management subscription data includes, but is not limited to: S-NSSAI (Single Network Slice Selection Assistance Information), DNN (Data Network Name), quality of service, whether the DNN is the default DNN, etc.
- the sinking access network element 130 refers to a network element some of whose functions have been sunk from the core network to the edge access network.
- the sinking access network element 130 may include, for example, a UDM network element, a UPF network element, an AMF network element, an SMF network element, etc.
- sinking UDM network elements can be network elements formed by sinking some functions of the UDM network elements of the core network to the edge access network.
- the sinking access network element 130 can interact with the core network element 110 for data exchange such as user authentication.
- the sinking access network element 130 can be equipped with an embedded user card.
- the embedded user card can store card files, data and applications, and can remotely download user subscription data.
- User subscription data may include, for example, but is not limited to: user identification information, business information, etc.
- the embedded user card may include, for example, an embedded UICC or the like.
- the interface between the core network element 110 and the signaling security management gateway 120 may include, for example, N4/N8/N10/N12/N14, etc.
- the interface between the signaling security management gateway 120 and the sinking access network element 130 may, for example, include N4/N8/N10/N12/N14, etc.
- the signaling security management gateway 120 can be configured to receive a request from the sinking access network element to access a core network element and authenticate the sinking access network element; establish an encrypted channel with the sinking access network element that has passed the authentication; receive the user data synchronization request sent by the sinking access network element and send it to the corresponding core network element; and receive the encrypted user data sent by the core network element and send it to the sinking access network element through the encrypted channel. The core network element 110 can be configured to respond to the user data synchronization request and send the encrypted user data to the signaling security management gateway. The sinking access network element 130 can be configured to send a request to access the core network element to the signaling security management gateway, establish an encrypted channel with the signaling security management gateway, send a user data synchronization request to the signaling security management gateway, and receive the encrypted user data sent by the signaling security management gateway through the encrypted channel.
- the signaling security management gateway 120 can also be configured to receive a request for downloading user subscription data sent by the sinking access network element.
- the request may include the identifier of the sinking access network element and the identifier and certificate of the user card embedded in the sinking access network element; authentication is performed based on the identifier and certificate of the user card.
- after the authentication passes, the user subscription data loaded in the sinking access network element is queried. If no user subscription data is loaded in the sinking access network element, or the loaded user subscription data has expired, the sinking access network element is notified to download new user subscription data, and binding information between the identifier of the sinking access network element and the identifier of the user card embedded in it is established.
- Figure 2 shows a schematic diagram of a secure data transmission method according to some embodiments of the present disclosure.
- the secure data transmission method of this embodiment may include the following steps.
- the signaling security management gateway issues a user card for each sinking access network element, and each user card includes the certificate of the issued user card.
- the signaling security management gateway receives a request to download user subscription data sent by the sinking access network element.
- the request includes the identifier of the sinking access network element and the identifier and certificate of the user card embedded in the sinking access network element.
- the signaling security management gateway performs authentication based on the identifier and certificate of the user card. After the authentication passes, it queries the user subscription data loaded in the sinking access network element. If the sinking access network element has not loaded user subscription data, or the loaded user subscription data has expired, the sinking access network element is notified to download new user subscription data, and binding information between the identifier of the sinking access network element and the identifier of the user card embedded in it is established. If the user subscription data loaded by the sinking access network element has not expired, the sinking access network element is notified that it does not need to download, or should stop downloading, user subscription data.
- authentication based on the identifier and certificate of the user card includes: if the issuer of the user card's certificate is the signaling security management gateway, the certificate is within its validity period, and the certificate matches the identifier of the user card, the authentication passes; otherwise, the authentication fails.
- step 230: the signaling security management gateway notifies the sinking access network element to download new user subscription data.
- step 240: the sinking access network element downloads the new user subscription data through the encrypted channel and activates it; the old user subscription data can be deleted.
- step 250 the signaling security management gateway receives the new user subscription data activation success message sent by the sinking access network element.
- the signaling security management gateway receives a request from the sinking access network element to access the core network element, which carries the identifier of the sinking access network element, the identifier of the user card embedded in the sinking access network element, and the certificate information in the user subscription data.
- the signaling security management gateway authenticates the sinking access network element, which may include, for example:
- when the binding relationship between the identifier of the sinking access network element in the access request and the identifier of the user card is correct, and the timeliness and legality of the certificate information in the user subscription data meet the requirements, it is determined that the sinking access network element has passed the authentication.
- steps 290 to 2150 are allowed to be executed.
- step 280: the signaling security management gateway sends the authentication result to the sinking access network element.
- the authentication result includes, for example, authentication passed or authentication failed.
- step 290 the signaling security management gateway establishes an encrypted channel with the authenticated sinking access network element.
- the encrypted channel can be established using existing techniques.
- the encrypted channel includes, for example, encryption key information negotiated by the communicating parties. After the encrypted channel is established, the communicating parties can use the negotiated encryption key to transmit information. Since the third party does not know the encryption key, even if the encrypted information is intercepted, there is no way to know the transmitted information.
- the signaling security management gateway receives a user data synchronization request sent by the sinking access network element.
- the user data synchronization request may include the identifier of the sinking access network element and data network information.
- the data network information includes, but is not limited to, data network name (Data Network name, DNN).
- step 2110 the signaling security management gateway sends the user data synchronization request to the corresponding core network element.
- for example, the signaling security management gateway forwards user data synchronization requests from sinking UDM network elements to the core network UDM network element.
- the core network elements are hidden from the sinking access network elements: the sinking access network element sends the request to the signaling security management gateway and does not need to address the core network element itself; the signaling security management gateway then sends the request on to the core network element.
- the core network element searches for the user data corresponding to the identification of the sinking access network element and the data network information and encrypts the user data to obtain the encrypted user data.
- the core network element can encrypt the user data with the key negotiated in advance with the sinking access network element to obtain the encrypted user data.
- the user data is, for example, user card and authentication data, such as IMSI, KI (Key identifier), etc.
- step 2130: the signaling security management gateway receives the encrypted user data sent by the core network element.
- step 2140: the signaling security management gateway sends the encrypted user data to the sinking access network element through the encrypted channel.
- the sinking access network element receives the encrypted user data, decrypts it to obtain the user data, and uses the user data according to business needs to ensure service, for example, to ensure that the service is not interrupted.
- the sinking access network element can decrypt the encrypted user data with the key negotiated in advance with the core network element to obtain the user data.
- the above embodiment provides access authentication and management for sinking access network elements through the signaling security management gateway, and transmits data from core network elements to sinking access network elements that have passed the authentication through encrypted channels, thereby improving the security of data transmitted between core network elements and sinking access network elements and reducing the risk of information leakage.
- Figure 3 shows a schematic diagram of a secure data transmission method according to other embodiments of the present disclosure.
- the secure data transmission method of this embodiment may include the following steps.
- the sinking UDM network element has an embedded UICC, and the UICC is issued by the signaling security management gateway.
- the sinking UDM network element requests access to the 5G SA network on schedule or on demand, actively connects to the signaling security management gateway through the embedded UICC, and requests to download the user subscription data (referred to as the Profile).
- the request carries the EID (Electronic Identity) of the embedded UICC and the device ID of the UDM network element.
- the network element access management gateway performs security authentication based on the EID and the certificate information in the UICC. After the authentication passes, it queries whether the sinking UDM network element corresponding to the device ID has loaded a Profile; if none has been loaded or the Profile has expired, it notifies the sinking UDM network element to prepare to download the user subscription data and binds the EID to the device ID; if a Profile has been loaded and has not expired, it notifies the sinking UDM network element to stop downloading.
- security authentication based on the EID and the certificate information in the UICC includes: if the issuer of the certificate in the UICC is the signaling security management gateway, the certificate is within its validity period, and the certificate matches the EID, the authentication passes; otherwise, the authentication fails.
- step 330 the signaling security management gateway sends a request to the sinking UDM network element, requesting to establish an encrypted channel, download and enable the Profile.
- step 340 an encrypted channel is established between the sinking UDM network element and the signaling security management gateway, and a new Profile is downloaded through the encrypted channel. If an expired Profile has been loaded before, the old Profile is deleted and the new Profile is enabled.
- step 350 the sinking UDM network element returns a profile activation success message to the signaling security management gateway.
- step 360 the sinking UDM network element initiates a request to access the core network UDM network element in the 5G SA network to the signaling security management gateway, carrying the EID of the embedded UICC, the device ID and the certificate information in the Profile.
- the signaling security management gateway checks, based on the request information from the sinking UDM network element, whether the binding relationship between the EID and the device ID is correct. If it is incorrect or does not exist, the sinking UDM network element is not allowed to access; if it is correct, the validity and legality of the certificate in the Profile are verified, and after that check passes, the sinking UDM network element is allowed to access.
- step 380: after the authentication passes, the signaling security management gateway sends an authentication-passed notification to the sinking UDM network element.
- the sinking UDM network element uses the embedded UICC-related security information, such as EID, to establish an encrypted channel with the signaling security management gateway.
- EID: embedded UICC-related security information
- step 3100 the sinking UDM network element sends a user data synchronization request to the signaling security management gateway, carrying information such as DNN and device ID.
- the signaling security management gateway hides the core network UDM topology information and forwards the user data synchronization request to the corresponding core network UDM network element to request synchronization of user data.
- the core network UDM network element finds the relevant user card data, authentication data and other user data, such as the IMSI and KI, based on the device ID and DNN information, and then encrypts that data; the encryption key is pre-negotiated or pre-set between the core network UDM network element and the sinking UDM network element.
- step 3130 the core network UDM network element transmits the encrypted user data to the signaling security management gateway.
- step 3140 the signaling security management gateway transmits the encrypted user data to the sinking UDM network element through the encrypted channel.
- the sinking UDM network element decrypts the encrypted user data to obtain user data.
- user data such as user card data and authentication data are used as needed to ensure 5G services. No interruption.
- The above embodiment does not change the existing 5G architecture or service implementation flow. It uses embedded UICC remote configuration technology and security encryption technology to perform security authentication and management when untrusted access network element devices, such as a 5G sinking UDM, access the 5G core network, effectively reducing the security risk of sinking network elements interacting with the 5G core network. At the same time, data encryption and channel encryption are applied to the requested sensitive data (such as user card data and authentication data) in the UDM of the 5G core network, effectively reducing the security risk of information leakage and thereby improving 5G network security and data security.
- Figure 4 shows a schematic structural diagram of a signaling security management gateway according to some embodiments of the present disclosure.
- As shown in Figure 4, the signaling security management gateway 120 of this embodiment may include:
- the authentication module 410, configured to receive a request from a sinking access network element to access a core network element and to authenticate the sinking access network element;
- the channel establishment module 420, configured to establish an encrypted channel with the sinking access network element that passed authentication;
- the information agent module 430, configured to receive the user data synchronization request sent by the sinking access network element and send it to the corresponding core network element, and to receive the encrypted user data sent by the core network element and send the encrypted user data to the sinking access network element through the encrypted channel.
- In some embodiments, the signaling security management gateway 120 also includes a download management module 440, configured to receive a request to download user subscription data sent by the sinking access network element, where the request includes the identifier of the sinking access network element and the identifier and certificate of the user card embedded in the sinking access network element; to perform authentication based on the user card's identifier and certificate and, after authentication passes, query the user subscription data loaded in the sinking access network element; and, when no user subscription data is loaded or the loaded user subscription data has expired, to notify the sinking access network element to download new user subscription data and to establish binding information between the identifier of the sinking access network element and the identifier of the user card embedded in it.
- In some embodiments, the authentication module 410 is also configured to: receive a request from the sinking access network element to access a core network element, carrying the identifier of the sinking access network element, the identifier of the user card embedded in it and the certificate information in the user subscription data; determine that the sinking access network element fails authentication when the binding relationship between the identifier of the sinking access network element and the identifier of the user card in the access request is incorrect or does not exist; or determine that it fails authentication when the timeliness and legality of the certificate information in the user subscription data in the access request do not meet the requirements; or determine that it passes authentication when the binding relationship is correct and the timeliness and legality of the certificate information meet the requirements.
- Figure 5 shows a schematic structural diagram of a signaling security management gateway according to other embodiments of the present disclosure.
- As shown in Figure 5, the signaling security management gateway 120 of this embodiment includes a memory 510 and a processor 520 coupled to the memory 510.
- The processor 520 is configured to execute the secure data transmission method of any of the foregoing embodiments based on instructions stored in the memory 510.
- The memory 510 may include, for example, system memory, fixed non-volatile storage media, and so on. The system memory stores, for example, the operating system, applications, the boot loader and other programs.
- The processor 520 may be implemented as a general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, or with discrete hardware components such as discrete gates or transistors.
- the signaling security management gateway 120 may also include an input and output interface 530, a network interface 540, a storage interface 550, and so on. These interfaces 530, 540, 550, the memory 510 and the processor 520 may be connected through a bus 560, for example.
- the input and output interface 530 provides a connection interface for input and output devices such as a monitor, mouse, keyboard, and touch screen.
- Network interface 540 provides a connection interface for various networked devices.
- the storage interface 550 provides a connection interface for external storage devices such as SD cards and USB disks.
- Bus 560 may use any of a variety of bus structures. For example, bus structures include, but are not limited to, Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, and Peripheral Component Interconnect (PCI) bus.
- Embodiments of the present disclosure may be provided as methods, systems, or computer program products. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more non-transitory computer-readable storage media (including, but not limited to, disk memory, CD-ROM, optical storage, etc.) containing computer program code.
- These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
- These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The present application proposes a data transmission method and system and a signaling security management gateway, relating to the field of communication and network security technology. The signaling security management gateway receives a request from a sinking access network element to access a core network element and authenticates the sinking access network element; establishes an encrypted channel between itself and the sinking access network element that passed authentication; receives a user data synchronization request sent by the sinking access network element and sends it to the corresponding core network element; and receives encrypted user data sent by the core network element and sends the encrypted user data to the sinking access network element over the encrypted channel. By having the signaling security management gateway provide admission authentication and management for sinking access network elements, and by transmitting data from the core network element to authenticated sinking access network elements over an encrypted channel, the security of data transferred between core network elements and sinking access network elements is improved and the risk of information leakage is reduced.
Description
The present disclosure is based on, and claims priority from, Chinese patent application No. 202210550259.8, filed on 20 May 2022 with the title "Data transmission method and system and signaling security management gateway"; the entire contents of that Chinese patent application are incorporated herein by reference.
The present disclosure relates to the field of communication and network security technology, and in particular to a data transmission method and system and a signaling security management gateway.
In fifth-generation mobile communication technology (5G) networks, some functions of the core network are sunk to the access network as required.
Summary of the invention
Embodiments of the present disclosure use a signaling security management gateway to provide admission authentication and management for sinking access network elements, and transmit data from the core network element to authenticated sinking access network elements over an encrypted channel.
Some embodiments of the present disclosure propose a data transmission method, comprising:
a signaling security management gateway receiving a request from a sinking access network element to access a core network element, and authenticating the sinking access network element;
the signaling security management gateway establishing an encrypted channel between itself and the sinking access network element that passed authentication;
the signaling security management gateway receiving a user data synchronization request sent by the sinking access network element and sending the user data synchronization request to the core network element;
the signaling security management gateway receiving encrypted user data sent by the core network element and sending the encrypted user data to the sinking access network element over the encrypted channel.
In some embodiments, the signaling security management gateway receiving a request from a sinking access network element to access a core network element and authenticating the sinking access network element comprises:
the signaling security management gateway receiving a request from the sinking access network element to access the core network element, the request carrying the identifier of the sinking access network element, the identifier of the user card embedded in the sinking access network element, and the certificate information in the user subscription data;
the signaling security management gateway determining that the sinking access network element fails authentication when the binding relationship between the identifier of the sinking access network element and the identifier of the user card in the access request is incorrect or does not exist; or,
the signaling security management gateway determining that the sinking access network element fails authentication when the timeliness and legality of the certificate information in the user subscription data in the access request do not meet the requirements; or,
the signaling security management gateway determining that the sinking access network element passes authentication when the binding relationship between the identifier of the sinking access network element and the identifier of the user card in the access request is correct and the timeliness and legality of the certificate information in the user subscription data meet the requirements.
In some embodiments, the user data synchronization request includes the identifier of the sinking access network element and data network information; and the signaling security management gateway receiving the user data synchronization request sent by the sinking access network element and sending it to the core network element comprises: the signaling security management gateway receiving the user data synchronization request sent by the sinking access network element and sending it to the core network element, so that the core network element obtains the corresponding encrypted user data according to the identifier of the sinking access network element and the data network information.
In some embodiments, the method further comprises:
the signaling security management gateway receiving a request to download user subscription data sent by the sinking access network element, the request including the identifier of the sinking access network element and the identifier and certificate of the user card embedded in the sinking access network element;
the signaling security management gateway performing authentication based on the identifier and certificate of the user card and, after authentication passes, querying the user subscription data loaded in the sinking access network element; when the sinking access network element has not loaded user subscription data or the loaded user subscription data has expired, notifying the sinking access network element to download new user subscription data, and establishing binding information between the identifier of the sinking access network element and the identifier of the user card.
In some embodiments, the signaling security management gateway notifying the sinking access network element to download new user subscription data comprises:
the signaling security management gateway notifying the sinking access network element to download new user subscription data, so that the sinking access network element downloads the new user subscription data over an encrypted channel and activates it;
the signaling security management gateway receiving a message from the sinking access network element that the new user subscription data was activated successfully.
In some embodiments, the signaling security management gateway issues a user card to each sinking access network element, and each user card contains the certificate of that user card.
In some embodiments, the core network element includes a UDM network element, a UPF network element, an AMF network element or an SMF network element.
In some embodiments, the sinking access network element includes a UDM network element, a UPF network element, an AMF network element or an SMF network element.
In some embodiments, the user card includes an embedded UICC.
Some embodiments of the present disclosure propose a signaling security management gateway, comprising:
an authentication module, configured to receive a request from a sinking access network element to access a core network element and to authenticate the sinking access network element;
a channel establishment module, configured to establish an encrypted channel with the sinking access network element that passed authentication by the authentication module;
an information agent module, configured to receive a user data synchronization request sent by the sinking access network element and send it to the core network element, and to receive encrypted user data sent by the core network element and send the encrypted user data to the sinking access network element over the encrypted channel.
In some embodiments, the signaling security management gateway further comprises a download management module, configured to receive a request to download user subscription data sent by the sinking access network element, the request including the identifier of the sinking access network element and the identifier and certificate of the user card embedded in the sinking access network element; to perform authentication based on the identifier and certificate of the user card and, after authentication passes, query the user subscription data loaded in the sinking access network element; and, when the sinking access network element has not loaded user subscription data or the loaded user subscription data has expired, to notify the sinking access network element to download new user subscription data and establish binding information between the identifier of the sinking access network element and the identifier of the user card.
In some embodiments, the authentication module is configured to:
receive a request from the sinking access network element to access the core network element, the request carrying the identifier of the sinking access network element, the identifier of the user card embedded in the sinking access network element, and the certificate information in the user subscription data;
determine that the sinking access network element fails authentication when the binding relationship between the identifier of the sinking access network element and the identifier of the user card in the access request is incorrect or does not exist; or,
determine that the sinking access network element fails authentication when the timeliness and legality of the certificate information in the user subscription data in the access request do not meet the requirements; or,
determine that the sinking access network element passes authentication when the binding relationship between the identifier of the sinking access network element and the identifier of the user card in the access request is correct and the timeliness and legality of the certificate information in the user subscription data meet the requirements.
Some embodiments of the present disclosure propose a signaling security management gateway comprising a memory and a processor coupled to the memory, the processor being configured to execute the data transmission method of any of the embodiments based on instructions stored in the memory.
Some embodiments of the present disclosure propose a data transmission system comprising: the signaling security management gateway of any of the embodiments; a core network element configured to respond to a user data synchronization request by sending encrypted user data to the signaling security management gateway; and a sinking access network element configured to send a request to access a core network element to the signaling security management gateway, establish an encrypted channel with the signaling security management gateway, send a user data synchronization request to the signaling security management gateway, and receive over the encrypted channel the encrypted user data sent by the signaling security management gateway.
Some embodiments of the present disclosure propose a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the data transmission method of any of the embodiments.
The drawings needed for the description of the embodiments or of the related art are briefly introduced below. The present disclosure can be understood more clearly from the following detailed description with reference to the drawings.
Obviously, the drawings described below are only some embodiments of the present disclosure; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Figure 1 is a schematic diagram of a secure data transmission system according to some embodiments of the present disclosure.
Figure 2 is a schematic diagram of a secure data transmission method according to some embodiments of the present disclosure.
Figure 3 is a schematic diagram of a secure data transmission method according to other embodiments of the present disclosure.
Figure 4 is a schematic structural diagram of a signaling security management gateway according to some embodiments of the present disclosure.
Figure 5 is a schematic structural diagram of a signaling security management gateway according to other embodiments of the present disclosure.
The technical solutions in the embodiments of the present disclosure are described clearly and completely below with reference to the drawings of those embodiments.
Unless otherwise specified, terms such as "first" and "second" in this disclosure are used to distinguish different objects and do not indicate size, order in time or the like.
In the related art, data transferred between core network elements and sinking access network elements is exposed to a risk of information leakage. Embodiments of the present disclosure use a signaling security management gateway to provide admission authentication and management for sinking access network elements, and transmit data from the core network element to authenticated sinking access network elements over an encrypted channel, thereby improving the security of data transferred between core network elements and sinking access network elements and reducing the risk of information leakage.
Figure 1 is a schematic diagram of a secure data transmission system according to some embodiments of the present disclosure.
As shown in Figure 1, the secure data transmission system of this embodiment includes a core network element 110, a signaling security management gateway 120, and a sinking access network element 130.
The core network element 110 is any of the network elements deployed in the core network and may include, for example, a Unified Data Management (UDM) network element, a User Plane Function (UPF) network element, an Access and Mobility Management Function (AMF) network element, a Session Management Function (SMF) network element, and so on. Through its network elements the core network provides network services such as terminal access and mobility management, authentication and authorization management, session management, and policy control. Taking a 5G network as an example, the 5G SA (Stand Alone) core network provides 5G network services such as access and mobility management, authentication and authorization management, session management, and policy control for 5G terminals.
The signaling security management gateway 120 may include functions such as network element authentication and authorization, embedded user card remote management, and information proxying. The embedded user card remote management function may, for example, include: exchanging data with the embedded user card and establishing an encrypted channel; managing and downloading embedded user card data, that is, interacting with the embedded user card to download user subscription data onto it, thereby implementing remote configuration of user data and meeting the need to configure and manage embedded user cards securely and flexibly. The security capabilities of embedded user card remote management are used to provide authentication management for sinking access network elements. The user card may be, for example, an embedded Universal Integrated Circuit Card (eUICC).
User subscription data may include, but is not limited to, user authentication related subscription data, access management subscription data, session management subscription data, and so on. User authentication related subscription data may include, for example, the International Mobile Subscriber Identity (IMSI) and the mobile subscriber number, the latter being for example the MSISDN (Mobile Subscriber International ISDN Number, where ISDN is the Integrated Services Digital Network). Access management subscription data includes, for example, UE (User Equipment) level uplink and downlink bandwidth, forbidden area data, service area restriction data, RFSP (RAT/Frequency Selection Priority, where RAT is the Radio Access Technology), the authentication method, and so on. Session management subscription data includes, for example, S-NSSAI (Single Network Slice Selection Assistance Information), DNN (Data Network Name), quality of service, whether the DNN is the default DNN, and so on.
The sinking access network element 130 is a network element carrying functions that have been sunk from the core network to the edge access network. It may include, for example, a UDM network element, a UPF network element, an AMF network element, an SMF network element, and so on. For example, a sinking UDM network element may be formed by sinking part of the functions of the core network UDM network element to the edge access network. The sinking access network element 130 can exchange data such as user authentication data with the core network element 110.
The sinking access network element 130 may be provided with an embedded user card. The embedded user card can store card files, data, applications and so on, and can download user subscription data remotely. User subscription data may include, for example, user identification information and service information. The embedded user card may be, for example, an embedded UICC.
The interfaces between the core network element 110 and the signaling security management gateway 120 may include, for example, N4/N8/N10/N12/N14, and the interfaces between the signaling security management gateway 120 and the sinking access network element 130 may likewise include, for example, N4/N8/N10/N12/N14.
To achieve secure data transmission, in the data transmission system the signaling security management gateway 120 may be configured to receive a request from a sinking access network element to access a core network element and authenticate the sinking access network element; establish an encrypted channel with the sinking access network element that passed authentication; receive a user data synchronization request sent by the sinking access network element and send it to the corresponding core network element; and receive encrypted user data sent by the core network element and send the encrypted user data to the sinking access network element over the encrypted channel. The core network element 110 may be configured to respond to a user data synchronization request by sending encrypted user data to the signaling security management gateway. The sinking access network element 130 may be configured to send a request to access a core network element to the signaling security management gateway, establish an encrypted channel with the signaling security management gateway, send a user data synchronization request to the signaling security management gateway, and receive over the encrypted channel the encrypted user data sent by the signaling security management gateway.
To download user subscription data securely, in the data transmission system the signaling security management gateway 120 may be configured to receive a request to download user subscription data sent by the sinking access network element, the request possibly including the identifier of the sinking access network element and the identifier and certificate of the user card embedded in it; to perform authentication based on the identifier and certificate of the user card and, after authentication passes, query the user subscription data loaded in the sinking access network element; and, when the sinking access network element has not loaded user subscription data or the loaded user subscription data has expired, to notify the sinking access network element to download new user subscription data and establish binding information between the identifier of the sinking access network element and the identifier of the user card embedded in it.
Figure 2 is a schematic diagram of a secure data transmission method according to some embodiments of the present disclosure.
As shown in Figure 2, the secure data transmission method of this embodiment may include the following steps.
In step 200, the signaling security management gateway issues a user card to each sinking access network element; each user card contains the certificate of the issued user card.
In step 210, the signaling security management gateway receives a request to download user subscription data sent by the sinking access network element; the request includes the identifier of the sinking access network element and the identifier and certificate of the user card embedded in the sinking access network element.
In step 220, the signaling security management gateway performs authentication based on the identifier and certificate of the user card. After authentication passes, it queries the user subscription data loaded in the sinking access network element; if the sinking access network element has not loaded user subscription data or the loaded user subscription data has expired, it notifies the sinking access network element to download new user subscription data and establishes binding information between the identifier of the sinking access network element and the identifier of the user card embedded in it; if the loaded user subscription data has not expired, it notifies the sinking access network element that no download is needed or that it should stop downloading user subscription data.
Authentication based on the identifier and certificate of the user card proceeds as follows: if the issuer of the user card's certificate is the signaling security management gateway, the certificate is within its validity period, and the certificate matches the identifier of the user card, authentication passes; otherwise, authentication fails.
In step 230, the signaling security management gateway notifies the sinking access network element to download new user subscription data.
In step 240, the sinking access network element downloads the new user subscription data over an encrypted channel and activates it; the old user subscription data may be deleted.
In step 250, the signaling security management gateway receives a message from the sinking access network element that the new user subscription data was activated successfully.
In step 260, the signaling security management gateway receives a request from the sinking access network element to access a core network element, carrying the identifier of the sinking access network element, the identifier of the user card embedded in the sinking access network element, and the certificate information in the user subscription data.
In step 270, the signaling security management gateway authenticates the sinking access network element, which may, for example, include:
determining that the sinking access network element fails authentication when the binding relationship between the identifier of the sinking access network element and the identifier of the user card in the access request is incorrect or does not exist; or,
determining that the sinking access network element fails authentication when the timeliness and legality of the certificate information in the user subscription data in the access request do not meet the requirements; or,
determining that the sinking access network element passes authentication when the binding relationship between the identifier of the sinking access network element and the identifier of the user card in the access request is correct and the timeliness and legality of the certificate information in the user subscription data meet the requirements.
Steps 290 to 2150 may be executed only after authentication passes.
In step 280, the signaling security management gateway sends the authentication result to the sinking access network element. The authentication result is, for example, authentication passed or authentication failed.
In step 290, the signaling security management gateway establishes an encrypted channel with the sinking access network element that passed authentication.
The method of establishing the encrypted channel may follow existing technology. The encrypted channel includes, for example, encryption key information negotiated by the two communicating parties. After the encrypted channel is established, the two parties can transmit information using the negotiated encryption key. A third party that does not know the encryption key cannot learn the transmitted information even if it intercepts the encrypted messages.
In step 2100, the signaling security management gateway receives a user data synchronization request sent by the sinking access network element; the user data synchronization request may include the identifier of the sinking access network element and data network information.
The data network information includes, for example, but is not limited to, the Data Network Name (DNN).
In step 2110, the signaling security management gateway sends the user data synchronization request to the corresponding core network element.
For example, the signaling security management gateway forwards the user data synchronization request of a sinking UDM network element to the core network UDM network element.
The core network element is hidden from the sinking access network element: the sinking access network element sends its request to the signaling security management gateway rather than to the core network element, and the signaling security management gateway forwards the request to the core network element.
In step 2120, the core network element looks up the user data corresponding to the identifier of the sinking access network element and the data network information, and encrypts it to obtain encrypted user data.
The core network element may encrypt the user data with a key pre-negotiated with the sinking access network element to obtain the encrypted user data.
The user data is, for example, user card and authentication data, such as the IMSI and the KI (Key identifier).
In step 2130, the signaling security management gateway receives the encrypted user data sent by the core network element.
In step 2140, the signaling security management gateway sends the encrypted user data to the sinking access network element over the encrypted channel.
In step 2150, the sinking access network element receives the encrypted user data, decrypts it to obtain the user data, and uses the user data according to service needs to provide service assurance, for example to keep services from being interrupted.
The sinking access network element may decrypt the encrypted user data with the key pre-negotiated with the core network element to obtain the user data.
The above embodiment uses the signaling security management gateway to provide admission authentication and management for sinking access network elements, and transmits data from the core network element to authenticated sinking access network elements over an encrypted channel, thereby improving the security of data transferred between core network elements and sinking access network elements and reducing the risk of information leakage.
The method by which the core network UDM network element and the sinking UDM network element transmit user data securely through the signaling security management gateway is described below with reference to Figure 3.
Figure 3 is a schematic diagram of a secure data transmission method according to other embodiments of the present disclosure.
As shown in Figure 3, the secure data transmission method of this embodiment may include the following steps.
In step 300, the sinking UDM network element is equipped with an embedded UICC, and that UICC is issued by the signaling security management gateway.
In step 310, the sinking UDM network element requests access to the 5G SA network on schedule or on demand: through the embedded UICC it actively connects to the signaling security management gateway and requests to download user subscription data (hereafter called the Profile); the request carries the EID (Electronic Identity) of the embedded UICC and the device ID of the sinking UDM network element.
In step 320, after receiving the request, the network element access management gateway performs security authentication based on the EID and the certificate information in the UICC. After authentication passes, it queries whether the sinking UDM network element corresponding to the device ID has already loaded a Profile; if no Profile is loaded or the Profile has expired, it notifies the sinking UDM network element to prepare to download user subscription data and binds the EID to the device ID; if a Profile is loaded and has not expired, it notifies the sinking UDM network element to stop downloading.
Security authentication based on the EID and the certificate information in the UICC proceeds as follows: if the issuer of the certificate in the UICC is the signaling security management gateway, the certificate in the UICC is within its validity period, and the certificate in the UICC matches the EID, authentication passes; otherwise, authentication fails.
In step 330, the signaling security management gateway sends a request to the sinking UDM network element asking it to establish an encrypted channel and to download and activate the Profile.
In step 340, the sinking UDM network element establishes an encrypted channel with the signaling security management gateway and downloads the new Profile over the encrypted channel; if an expired Profile was previously loaded, the old Profile is deleted and the new Profile is activated.
In step 350, the sinking UDM network element returns a message to the signaling security management gateway that the Profile was activated successfully.
In step 360, the sinking UDM network element sends a request to access the core network UDM network element in the 5G SA network to the signaling security management gateway, carrying the EID of the embedded UICC, the device ID and the certificate information in the Profile.
In step 370, based on the request information from the sinking UDM network element, the signaling security management gateway checks whether the binding relationship between the EID and the device ID is correct; if it is incorrect or does not exist, the sinking UDM network element is not allowed to access; if it is correct, the signaling security management gateway verifies the timeliness and legality of the certificate in the Profile and, after authentication passes, allows the sinking UDM network element to access.
In step 380, after authentication passes, the signaling security management gateway sends an authentication-pass notification to the sinking UDM network element.
In step 390, the sinking UDM network element uses security information related to the embedded UICC, such as the EID, to establish an encrypted channel with the signaling security management gateway.
In step 3100, the sinking UDM network element sends a user data synchronization request to the signaling security management gateway, carrying information such as the DNN and the device ID.
In step 3110, the signaling security management gateway, hiding the core network UDM topology information, forwards the user data synchronization request to the corresponding core network UDM network element to request synchronization of user data.
In step 3120, after receiving the user data synchronization request, the core network UDM network element looks up the relevant user data, such as user card data and authentication data (for example IMSI and KI), based on the device ID, the DNN and other information, and encrypts the user data; the encryption key is pre-negotiated or pre-configured between the core network UDM network element and the sinking UDM network element.
In step 3130, the core network UDM network element transmits the encrypted user data to the signaling security management gateway.
In step 3140, the signaling security management gateway transmits the encrypted user data to the sinking UDM network element over the encrypted channel.
In step 3150, the sinking UDM network element decrypts the encrypted user data to obtain the user data and, according to the needs of the 5G application scenario (such as emergency and urgent communications), uses the user card data, authentication data and other user data as needed to keep 5G services from being interrupted.
The above embodiment does not change the existing 5G architecture or service implementation flow. It uses embedded UICC remote configuration technology and security encryption technology to perform security authentication and management when untrusted access network element devices, such as a 5G sinking UDM, access the 5G core network, effectively reducing the security risk of sinking network elements interacting with the 5G core network. At the same time, the requested sensitive data in the 5G core network UDM (such as user card data and authentication data) is transmitted with both data encryption and channel encryption, effectively reducing the security risk of information leakage and thereby improving 5G network security and data security.
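To make the two authentication gates and the two encryption layers concrete, the following Python is an added, constructed model of the Figure 2 flow (steps 200 to 2150) and the Figure 3 flow (steps 300 to 3150); it is not code from the patent or its applicant. It assumes the names Gateway, CoreUDM, Cert and run_flow, represents the eUICC certificate as a gateway-signed record rather than an X.509 certificate, uses an HMAC-based toy cipher as a stand-in for a real AEAD, and uses a constructed device ID, EID and IMSI record; the Profile download itself and the channel key agreement (which the text leaves to existing technology) are modelled only by their outcomes.

```python
"""Constructed model of the Figure 2 / Figure 3 flow: gateway (SSMG), core UDM,
sinking UDM with an eUICC.  Stdlib only; the cipher is a labelled stand-in for a
real AEAD and the certificate is a signed record rather than X.509."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for AES-GCM: HMAC-SHA256 keystream XOR plus an HMAC tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")  # wrong key or tampered blob
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


@dataclass(frozen=True)
class Cert:  # eUICC certificate as issued in step 200 / 300 (toy record, not X.509)
    issuer: str
    eid: str
    not_after: float
    sig: bytes


class CoreUDM:
    def __init__(self, records: dict, data_keys: dict) -> None:
        self._records = records      # (device_id, DNN) -> user data (constructed)
        self._data_keys = data_keys  # device_id -> key pre-negotiated with that sinking UDM

    def lookup_encrypted(self, device_id: str, dnn: str) -> bytes:
        """Step 2120 / 3120: data-layer encryption with the pre-negotiated key."""
        return toy_encrypt(self._data_keys[device_id], self._records[(device_id, dnn)])


class Gateway:
    NAME = "SSMG"

    def __init__(self, core: CoreUDM) -> None:
        self._key = secrets.token_bytes(32)  # certificate signing key
        self._core = core                    # core UDM topology is hidden from sinking NEs
        self.bindings: dict = {}             # device_id -> EID (step 220 / 320)
        self.profiles: dict = {}             # device_id -> Profile expiry (step 250 / 350)
        self.admitted: set = set()           # device IDs that passed step 270 / 370
        self.channels: dict = {}             # device_id -> channel key (step 290 / 390)

    def _sig(self, issuer: str, eid: str, exp: float) -> bytes:
        return hmac.new(self._key, f"{issuer}|{eid}|{exp}".encode(), hashlib.sha256).digest()

    def issue_card(self, eid: str, days: int = 365) -> Cert:
        """Step 200 / 300: the gateway issues the card and its certificate."""
        exp = time.time() + days * 86400
        return Cert(self.NAME, eid, exp, self._sig(self.NAME, eid, exp))

    def _cert_ok(self, cert: Cert, eid: str) -> bool:
        """Rule of step 220 / 320: issuer is the gateway, within validity, matches the EID."""
        return (cert.issuer == self.NAME and cert.not_after > time.time() and cert.eid == eid
                and hmac.compare_digest(cert.sig, self._sig(cert.issuer, cert.eid, cert.not_after)))

    def request_profile_download(self, device_id: str, eid: str, cert: Cert) -> str:
        """Steps 210-230 / 310-330: authenticate, then decide whether a download is needed."""
        if not self._cert_ok(cert, eid):
            return "reject"
        if self.profiles.get(device_id, 0.0) > time.time():
            return "no-download"        # Profile already loaded and not expired
        self.bindings[device_id] = eid  # bind device ID to EID
        return "download"

    def profile_activated(self, device_id: str, expiry: float) -> None:
        """Step 250 / 350: the NE reports that the new Profile is active."""
        self.profiles[device_id] = expiry

    def request_access(self, device_id: str, eid: str, cert: Cert) -> bool:
        """Steps 260-280 / 360-380: binding check first, then certificate timeliness/legality."""
        ok = self.bindings.get(device_id) == eid and self._cert_ok(cert, eid)
        if ok:
            self.admitted.add(device_id)
        return ok

    def open_channel(self, device_id: str) -> bytes:
        """Step 290 / 390: channel key; real key agreement follows existing technology."""
        if device_id not in self.admitted:
            raise PermissionError("access not authenticated")
        self.channels[device_id] = secrets.token_bytes(32)
        return self.channels[device_id]

    def sync_user_data(self, device_id: str, dnn: str) -> bytes:
        """Steps 2100-2140 / 3100-3140: relay to the core UDM, channel-encrypt the reply."""
        return toy_encrypt(self.channels[device_id], self._core.lookup_encrypted(device_id, dnn))


def run_flow(tamper: str = "") -> dict:
    """Drive the whole flow; tamper='eid' or 'expired' exercises the rejection branches."""
    device_id, eid, dnn = "sink-udm-01", "89001012012341234012345678901224", "internet"  # constructed
    user_data = b"IMSI=460001234567890;KI=<placeholder>"  # constructed record, not real data
    data_key = secrets.token_bytes(32)                      # pre-negotiated core <-> sinking UDM
    gw = Gateway(CoreUDM({(device_id, dnn): user_data}, {device_id: data_key}))
    cert = gw.issue_card(eid, days=-1 if tamper == "expired" else 365)
    if gw.request_profile_download(device_id, eid, cert) != "download":
        return {"granted": False, "user_data": None, "gateway_view": None}
    gw.profile_activated(device_id, time.time() + 30 * 86400)  # steps 240-250 outcome
    claimed_eid = "89001012012341234012345678909999" if tamper == "eid" else eid
    if not gw.request_access(device_id, claimed_eid, cert):
        return {"granted": False, "user_data": None, "gateway_view": None}
    chan_key = gw.open_channel(device_id)
    inner = toy_decrypt(chan_key, gw.sync_user_data(device_id, dnn))  # NE strips channel layer
    return {"granted": True, "user_data": toy_decrypt(data_key, inner), "gateway_view": inner}
```

Two points worth checking against the text: in `request_access` the binding check runs before the certificate check, matching the order of step 370, and `gateway_view` is what the gateway itself can see after removing only the channel layer, which is still ciphertext because the data-layer key of step 3120 is shared only between the core UDM and the sinking UDM.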
Figure 4 is a schematic structural diagram of a signaling security management gateway according to some embodiments of the present disclosure.
As shown in Figure 4, the signaling security management gateway 120 of this embodiment may include:
an authentication module 410, configured to receive a request from a sinking access network element to access a core network element and to authenticate the sinking access network element;
a channel establishment module 420, configured to establish an encrypted channel with the sinking access network element that passed authentication;
an information agent module 430, configured to receive a user data synchronization request sent by the sinking access network element and send it to the corresponding core network element, and to receive encrypted user data sent by the core network element and send the encrypted user data to the sinking access network element over the encrypted channel.
In some embodiments, the signaling security management gateway 120 further includes a download management module 440, configured to receive a request to download user subscription data sent by the sinking access network element, the request including the identifier of the sinking access network element and the identifier and certificate of the user card embedded in it; to perform authentication based on the identifier and certificate of the user card and, after authentication passes, query the user subscription data loaded in the sinking access network element; and, when the sinking access network element has not loaded user subscription data or the loaded user subscription data has expired, to notify the sinking access network element to download new user subscription data and establish binding information between the identifier of the sinking access network element and the identifier of the user card embedded in it.
In some embodiments, the authentication module 410 is further configured to:
receive a request from the sinking access network element to access a core network element, carrying the identifier of the sinking access network element, the identifier of the user card embedded in it, and the certificate information in the user subscription data;
determine that the sinking access network element fails authentication when the binding relationship between the identifier of the sinking access network element and the identifier of the user card in the access request is incorrect or does not exist; or,
determine that the sinking access network element fails authentication when the timeliness and legality of the certificate information in the user subscription data in the access request do not meet the requirements; or,
determine that the sinking access network element passes authentication when the binding relationship between the identifier of the sinking access network element and the identifier of the user card in the access request is correct and the timeliness and legality of the certificate information in the user subscription data meet the requirements.
Figure 5 is a schematic structural diagram of a signaling security management gateway according to other embodiments of the present disclosure.
As shown in Figure 5, the signaling security management gateway 120 of this embodiment includes a memory 510 and a processor 520 coupled to the memory 510; the processor 520 is configured to execute the secure data transmission method of any of the foregoing embodiments based on instructions stored in the memory 510.
The memory 510 may include, for example, system memory, fixed non-volatile storage media, and so on. The system memory stores, for example, the operating system, applications, the boot loader and other programs.
The processor 520 may be implemented as a general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, or with discrete hardware components such as discrete gates or transistors.
The signaling security management gateway 120 may also include an input/output interface 530, a network interface 540, a storage interface 550, and so on. These interfaces 530, 540 and 550, the memory 510 and the processor 520 may be connected, for example, through a bus 560. The input/output interface 530 provides a connection interface for input and output devices such as a display, mouse, keyboard and touch screen. The network interface 540 provides a connection interface for various networked devices. The storage interface 550 provides a connection interface for external storage devices such as SD cards and USB flash drives. The bus 560 may use any of a variety of bus structures; for example, bus structures include, but are not limited to, the Industry Standard Architecture (ISA) bus, the Micro Channel Architecture (MCA) bus and the Peripheral Component Interconnect (PCI) bus.
Those skilled in the art will understand that embodiments of the present disclosure may be provided as methods, systems, or computer program products. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more non-transitory computer-readable storage media (including, but not limited to, disk memory, CD-ROM, optical storage, etc.) containing computer program code.
The present disclosure is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present disclosure. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
The above are only preferred embodiments of the present disclosure and are not intended to limit it; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present disclosure shall be included within its scope of protection.
Claims (14)
- A data transmission method, comprising: a signaling security management gateway receiving a request from a sinking access network element to access a core network element and authenticating the sinking access network element; the signaling security management gateway establishing an encrypted channel between itself and the sinking access network element that passed authentication; the signaling security management gateway receiving a user data synchronization request sent by the sinking access network element and sending the user data synchronization request to the core network element; and the signaling security management gateway receiving encrypted user data sent by the core network element and sending the encrypted user data to the sinking access network element over the encrypted channel.
- The method according to claim 1, wherein the signaling security management gateway receiving a request from a sinking access network element to access a core network element and authenticating the sinking access network element comprises: the signaling security management gateway receiving a request from the sinking access network element to access the core network element, the request carrying the identifier of the sinking access network element, the identifier of the user card embedded in the sinking access network element, and the certificate information in the user subscription data; the signaling security management gateway determining that the sinking access network element fails authentication when the binding relationship between the identifier of the sinking access network element and the identifier of the user card in the access request is incorrect or does not exist; or, the signaling security management gateway determining that the sinking access network element fails authentication when the timeliness and legality of the certificate information in the user subscription data in the access request do not meet the requirements; or, the signaling security management gateway determining that the sinking access network element passes authentication when the binding relationship between the identifier of the sinking access network element and the identifier of the user card in the access request is correct and the timeliness and legality of the certificate information in the user subscription data meet the requirements.
- The method according to claim 1, wherein the user data synchronization request includes the identifier of the sinking access network element and data network information; and the signaling security management gateway receiving the user data synchronization request sent by the sinking access network element and sending it to the core network element comprises: the signaling security management gateway receiving the user data synchronization request sent by the sinking access network element and sending it to the core network element, so that the core network element obtains the corresponding encrypted user data according to the identifier of the sinking access network element and the data network information.
- The method according to claim 1, further comprising: the signaling security management gateway receiving a request to download user subscription data sent by the sinking access network element, the request including the identifier of the sinking access network element and the identifier and certificate of the user card embedded in the sinking access network element; the signaling security management gateway performing authentication based on the identifier and certificate of the user card and, after authentication passes, querying the user subscription data loaded in the sinking access network element; and, when the sinking access network element has not loaded user subscription data or the loaded user subscription data has expired, notifying the sinking access network element to download new user subscription data and establishing binding information between the identifier of the sinking access network element and the identifier of the user card.
- The method according to claim 4, wherein the signaling security management gateway notifying the sinking access network element to download new user subscription data comprises: the signaling security management gateway notifying the sinking access network element to download new user subscription data, so that the sinking access network element downloads the new user subscription data over an encrypted channel and activates it; and the signaling security management gateway receiving a message from the sinking access network element that the new user subscription data was activated successfully.
- The method according to claim 1, wherein the signaling security management gateway issues a user card to each sinking access network element, and each user card contains the certificate of that user card.
- The method according to any one of claims 2 to 6, wherein the core network element includes a UDM network element, a UPF network element, an AMF network element or an SMF network element; the sinking access network element includes a UDM network element, a UPF network element, an AMF network element or an SMF network element; and the user card includes an embedded UICC.
- A signaling security management gateway, comprising: an authentication module, configured to receive a request from a sinking access network element to access a core network element and to authenticate the sinking access network element; a channel establishment module, configured to establish an encrypted channel with the sinking access network element that passed authentication by the authentication module; and an information agent module, configured to receive a user data synchronization request sent by the sinking access network element and send it to the core network element, and to receive encrypted user data sent by the core network element and send the encrypted user data to the sinking access network element over the encrypted channel.
- The signaling security management gateway according to claim 8, further comprising a download management module, configured to receive a request to download user subscription data sent by the sinking access network element, the request including the identifier of the sinking access network element and the identifier and certificate of the user card embedded in the sinking access network element; to perform authentication based on the identifier and certificate of the user card and, after authentication passes, query the user subscription data loaded in the sinking access network element; and, when the sinking access network element has not loaded user subscription data or the loaded user subscription data has expired, to notify the sinking access network element to download new user subscription data and establish binding information between the identifier of the sinking access network element and the identifier of the user card.
- The signaling security management gateway according to claim 8, wherein the authentication module is configured to: receive a request from the sinking access network element to access the core network element, the request carrying the identifier of the sinking access network element, the identifier of the user card embedded in the sinking access network element, and the certificate information in the user subscription data; determine that the sinking access network element fails authentication when the binding relationship between the identifier of the sinking access network element and the identifier of the user card in the access request is incorrect or does not exist; or, determine that the sinking access network element fails authentication when the timeliness and legality of the certificate information in the user subscription data in the access request do not meet the requirements; or, determine that the sinking access network element passes authentication when the binding relationship between the identifier of the sinking access network element and the identifier of the user card in the access request is correct and the timeliness and legality of the certificate information in the user subscription data meet the requirements.
- A signaling security management gateway, comprising: a memory; and a processor coupled to the memory, the processor being configured to execute the data transmission method according to any one of claims 1 to 7 based on instructions stored in the memory.
- A data transmission system, comprising: the signaling security management gateway according to any one of claims 8 to 11; a core network element configured to respond to a user data synchronization request by sending encrypted user data to the signaling security management gateway; and a sinking access network element configured to send a request to access a core network element to the signaling security management gateway, establish an encrypted channel with the signaling security management gateway, send a user data synchronization request to the signaling security management gateway, and receive over the encrypted channel the encrypted user data sent by the signaling security management gateway.
- The data transmission system according to claim 12, wherein the core network element includes a UDM network element, a UPF network element, an AMF network element or an SMF network element; and the sinking access network element includes a UDM network element, a UPF network element, an AMF network element or an SMF network element.
- A non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the data transmission method according to any one of claims 1 to 7.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210550259.8A CN117135625A (zh) | 2022-05-20 | 2022-05-20 | Data transmission method and system and signaling security management gateway |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2023221502A1 true WO2023221502A1 (zh) | 2023-11-23 |
Family
ID=88834496
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2022/140915 WO2023221502A1 (zh) | 2022-05-20 | 2022-12-22 | Data transmission method and system and signaling security management gateway |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN117135625A (zh) |
WO (1) | WO2023221502A1 (zh) |
2022
- 2022-05-20 CN CN202210550259.8A patent/CN117135625A/zh active Pending
- 2022-12-22 WO PCT/CN2022/140915 patent/WO2023221502A1/zh unknown
Also Published As
Publication number | Publication date |
---|---|
CN117135625A (zh) | 2023-11-28 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 22942522 Country of ref document: EP Kind code of ref document: A1 |