WO2024082143A1 - Device service role verification method and apparatus and device, and storage medium - Google Patents

Device service role verification method and apparatus and device, and storage medium Download PDF

Info

Publication number
WO2024082143A1
WO2024082143A1 PCT/CN2022/125974 CN2022125974W WO2024082143A1 WO 2024082143 A1 WO2024082143 A1 WO 2024082143A1 CN 2022125974 W CN2022125974 W CN 2022125974W WO 2024082143 A1 WO2024082143 A1 WO 2024082143A1
Authority
WO
WIPO (PCT)
Prior art keywords
authorization token
service
key
discovery
network device
Prior art date
Application number
PCT/CN2022/125974
Other languages
French (fr)
Chinese (zh)
Inventor
陆伟
商正仪
Original Assignee
北京小米移动软件有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 北京小米移动软件有限公司 filed Critical 北京小米移动软件有限公司
Priority to PCT/CN2022/125974 priority Critical patent/WO2024082143A1/en
Publication of WO2024082143A1 publication Critical patent/WO2024082143A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L27/00Modulated-carrier systems
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/06Message adaptation to terminal or network requirements

Definitions

  • the present disclosure relates to the field of communication technology, and in particular to a method/device/equipment for verifying a device business role and a storage medium.
  • UE user equipment
  • the service roles of UE may include reference UE (such as sidelink reference UE (SL Reference UE)), target UE (Target UE), assistant UE (Assistant UE), located UE (Located UE), server UE (such as sidelink positioning server UE (SL Positioning Server UE)), client UE (such as sidelink positioning client UE (SL Positioning Client UE)), etc.
  • reference UE such as sidelink reference UE (SL Reference UE)
  • target UE target UE
  • assistant UE Assistant UE
  • located UE located Located UE
  • server UE such as sidelink positioning server UE (SL Positioning Server UE)
  • client UE such as sidelink positioning client UE (SL Positioning Client UE)
  • the device service role verification method/device/equipment and storage medium proposed in the present disclosure are used to verify the service role declared by the UE to ensure the accuracy of service execution and information security.
  • an embodiment of the present disclosure provides a method for verifying a service role of a device, the method being executed by a first user device, including:
  • the discovery response message includes an authorization token of the second UE
  • the first UE will send a discovery request message, and then the first UE will receive a discovery response message sent by the second UE, the discovery response message including the authorization token of the second UE; and, when the authorization token of the second UE is verified, the first UE will establish a connection with the second UE.
  • the present disclosure provides a specific method for verifying the business role of the UE based on the authorization token, and provides the specific information included in the authorization token and the specific details of the verification based on the authorization token.
  • the two UEs can exchange their respective authorization tokens, and use the method of the present disclosure to verify the business role declared by the UE based on the authorization token of the UE, thereby avoiding mutual deception between UEs, improving the accuracy of service execution, and improving information security.
  • an embodiment of the present disclosure provides a method for verifying a service role of a device, the method being executed by a second user device, including:
  • a discovery response message is sent to the first UE, and the discovery response message includes the authorization token of the second UE.
  • an embodiment of the present disclosure provides a communication device, which is configured in a first user equipment, including:
  • a transceiver module used for sending a discovery request message
  • the transceiver module is further configured to receive a discovery response message sent by the second UE, wherein the discovery response message includes an authorization token of the second UE;
  • the processing module is also used to establish a connection with the second UE after the authorization token of the second UE is verified.
  • an embodiment of the present disclosure provides a communication device, which is configured in a second user equipment, including:
  • a transceiver module configured to receive a discovery request message sent by a first UE, wherein the discovery request message includes an authorization token of the first UE;
  • the transceiver module is further used to send a discovery response message to the first UE after the authorization token of the first UE is verified, and the discovery response message includes the authorization token of the second UE.
  • an embodiment of the present disclosure provides a communication device, which includes a processor.
  • the processor calls a computer program in a memory, the method described in the first aspect or the second aspect is executed.
  • an embodiment of the present disclosure provides a communication device, which includes a processor and a memory, in which a computer program is stored; the processor executes the computer program stored in the memory so that the communication device executes the method described in the first aspect or the second aspect above.
  • an embodiment of the present disclosure provides a communication device, which includes a processor and an interface circuit, wherein the interface circuit is used to receive code instructions and transmit them to the processor, and the processor is used to run the code instructions to enable the device to execute the method described in the first or second aspect above.
  • an embodiment of the present disclosure provides a communication system, the system includes the communication device described in the third to fourth aspects, or the system includes the communication device described in the fifth aspect, or the system includes the communication device described in the sixth aspect, or the system includes the communication device described in the seventh aspect.
  • an embodiment of the present disclosure provides a computer-readable storage medium for storing instructions used by the above-mentioned network device, and when the instructions are executed, the terminal device executes the method described in the first or second aspect above.
  • the present disclosure further provides a computer program product comprising a computer program, which, when executed on a computer, enables the computer to execute the method described in the first aspect or the second aspect above.
  • the present disclosure provides a chip system, which includes at least one processor and an interface, for supporting a network device to implement the functions involved in the method described in the first aspect or the second aspect, for example, determining or processing at least one of the data and information involved in the above method.
  • the chip system also includes a memory, which is used to store computer programs and data necessary for the source auxiliary node.
  • the chip system can be composed of a chip, or it can include a chip and other discrete devices.
  • the present disclosure provides a computer program, which, when executed on a computer, enables the computer to execute the method described in the first or second aspect above.
  • FIG1 is a schematic diagram of the architecture of some communication systems provided by embodiments of the present disclosure.
  • FIG2 is a schematic diagram of a flow chart of a method for verifying a device service role according to another embodiment of the present disclosure
  • 3a-3c are schematic flow charts of a method for verifying a device service role according to another embodiment of the present disclosure.
  • 4a-4b are schematic structural diagrams of a communication device provided by another embodiment of the present disclosure.
  • FIG5 is a block diagram of a communication device provided by an embodiment of the present disclosure.
  • FIG6 is a schematic diagram of the structure of a chip provided by an embodiment of the present disclosure.
  • first, second, third, etc. may be used to describe various information in the disclosed embodiments, these information should not be limited to these terms. These terms are only used to distinguish the same type of information from each other.
  • first information may also be referred to as the second information, and similarly, the second information may also be referred to as the first information.
  • the words "if” and “if” as used herein may be interpreted as “at” or "when” or "in response to determination".
  • Sidelink positioning service also known as sidelink positioning service or ranging service, refers to determining the distance between two UEs and/or the direction from one UE to another UE through a direct communication connection.
  • Figure 1 is a schematic diagram of the architecture of a communication system provided by an embodiment of the present disclosure.
  • the communication system may include but is not limited to a network device and at least two UEs.
  • the number and form of devices shown in Figure 1 are only used for example and do not constitute a limitation on the embodiment of the present disclosure.
  • the application may include two or more network devices and more than two UEs.
  • the communication system shown in Figure 1 includes a network device 11, a first UE 12, and a second UE 13 as an example.
  • LTE long term evolution
  • 5G fifth generation
  • NR 5G new radio
  • the network device 11 in the embodiment of the present disclosure is an entity on the network side for transmitting or receiving signals.
  • the network device 11 may be an evolved NodeB (eNB), a transmission reception point (TRP), a Radio Remote Head (RRH), a next generation NodeB (gNB) in an NR system, a base station in other future mobile communication systems, or an access node in a wireless fidelity (WiFi) system.
  • eNB evolved NodeB
  • TRP transmission reception point
  • RRH Radio Remote Head
  • gNB next generation NodeB
  • the embodiment of the present disclosure does not limit the specific technology and specific device form adopted by the base station.
  • the base station provided in the embodiment of the present disclosure may be composed of a central unit (CU) and a distributed unit (DU), wherein the CU may also be referred to as a control unit.
  • CU central unit
  • DU distributed unit
  • the CU-DU structure may be used to split the base station, such as the protocol layer of the base station, and the functions of some protocol layers are placed in the CU for centralized control, and the functions of the remaining part or all of the protocol layers are distributed in the DU, and the DU is centrally controlled by the CU.
  • the first UE12 and the second UE13 in the embodiment of the present disclosure are both entities for receiving or transmitting signals on the user side, such as a mobile phone.
  • the terminal device may also be referred to as a terminal device (terminal), a user equipment (UE), a mobile station (MS), a mobile terminal device (MT), etc.
  • the terminal device may be a car with communication function, a smart car, a mobile phone (mobile phone), a wearable device, a tablet computer (Pad), a computer with wireless transceiver function, a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a wireless terminal device in industrial control (industrial control), a wireless terminal device in self-driving, a wireless terminal device in remote medical surgery, a wireless terminal device in smart grid (smart grid), a wireless terminal device in transportation safety (transportation safety), a wireless terminal device in a smart city (smart city), a wireless terminal device in a smart home (smart home), etc.
  • the embodiments of the present disclosure do not limit the specific technology and specific device form adopted by the terminal device.
  • the communication system described in the embodiment of the present disclosure is for the purpose of more clearly illustrating the technical solution of the embodiment of the present disclosure, and does not constitute a limitation on the technical solution provided by the embodiment of the present disclosure.
  • a person skilled in the art can know that with the evolution of the system architecture and the emergence of new business scenarios, the technical solution provided by the embodiment of the present disclosure is also applicable to similar technical problems.
  • FIG2 is a flow chart of a method for verifying a device service role provided by an embodiment of the present disclosure. The method is executed by a first UE. As shown in FIG2 , the method for verifying a device service role may include the following steps:
  • Step 201 Send a discovery request message.
  • the discovery request message may be, for example, a broadcast discovery message or a direct communication message.
  • the discovery request message may include service information (such as a service identifier and/or a service type, etc.) requested by the first UE to discover to the second UE, and/or a service role declared by the first UE.
  • service information such as a service identifier and/or a service type, etc.
  • the service role declared by the first UE can be understood as the service role that the first UE wants to play in the service it requests to discover.
  • the service role declared by the first UE may be any one or several of the service roles that the network device pre-authorizes for the first UE in the service it requests to discover, or may not be a service role that the network device pre-authorizes for the first UE.
  • the service role declared by the first UE is not a service role that the network device pre-authorizes for it
  • the second UE and the first UE perform the service an error may occur due to the mismatch of the service roles of the two UEs, thereby causing service interruption or low service execution efficiency.
  • the first UE is a malicious UE and deliberately declares a service role that is not authorized by the network device, that is, the first UE deceives the second UE, then for the second UE, the communication between the second UE and the malicious UE may bring communication security issues.
  • the discovery request message may also include an authorization token of the first UE, and the authorization token of the first UE is used for: the second UE verifies the business role of the first UE based on the authorization token of the first UE to verify whether the business role declared by the first UE is its authorized business role, and/or further verifies other information of the first UE to prevent the first UE from deceiving the second UE.
  • the service roles of UE may include, for example: reference UE (such as sidelink reference UE (SL Reference UE)), target UE (Target UE), assistant UE (Assistant UE), located UE (Located UE), UE as a server (such as UE as a sidelink positioning server (SL Positioning Server UE)), client UE (such as sidelink positioning client UE (SL Positioning Client UE)), etc.
  • reference UE such as sidelink reference UE (SL Reference UE)
  • target UE target UE
  • assistant UE Assistant UE
  • located UE located Located UE
  • UE UE as a server
  • client UE such as sidelink positioning client UE (SL Positioning Client UE)
  • client UE such as sidelink positioning client UE (SL Positioning Client UE)
  • the above-mentioned target UE may be a UE to be located or measured;
  • the above-mentioned positioning UE may be a UE to obtain the positioning position of the target UE;
  • the above-mentioned reference UE may be: a UE that can determine the positioning position or ranging distance of the target UE based on the position of the reference UE or the distance between the reference UE and the target UE;
  • the above-mentioned assistant UE may be: a UE used to assist in forwarding messages in ranging service or sidelink positioning service;
  • the above-mentioned UE as a server may be: a UE with positioning calculation capability or ranging calculation capability;
  • the above-mentioned client UE may be: a UE that can act as a client in ranging service or sidelink positioning service.
  • the authorization token of the first UE may include at least one of the following:
  • the service role that the first UE is authorized to use in the service requested for discovery
  • the validity period of the authorization token of the first UE is the validity period of the authorization token of the first UE.
  • the above-mentioned "network device for generating authorization token” may include at least one of a ProSe key management function (PKMF) network element, a direct discovery name management function (DDNMF) network element, a server including proximity services, and a Unified Data Management (UDM) network element.
  • PKMF ProSe key management function
  • DDNMF direct discovery name management function
  • UDM Unified Data Management
  • the network device for generating authorization token is generally a network device for authorizing a service role for the first UE.
  • the above-mentioned conditions of the opposite end UE include any one of the following: allowing any UE to be the opposite end UE of the first UE; allowing any UE to be the opposite end UE of the first UE in the service requested to be discovered by the first UE; the business role and/or ID of the opposite end UE expected by the first UE; the business role and/or ID of the opposite end UE expected by the first UE to be the first UE in the service requested to be discovered by the first UE, etc.
  • any UE to serve as the opposite UE of the first UE in the service requested to be discovered by the first UE can be understood as: in the service requested to be discovered by the first UE, any UE playing any business role can be allowed to serve as the opposite UE of the first UE.
  • the above-mentioned "service role and/or ID of the opposite UE expected by the UE” may be determined by the UE based on its own authorized service role in the requested discovery service. For example, if the service role authorized by the UE itself is the target UE, the service role of the opposite UE expected by the UE may include at least one of a reference UE, an auxiliary UE, a positioning UE, etc., and the ID of the opposite UE expected by the UE may be: the ID of a UE whose service role is at least one of a reference UE, an auxiliary UE, a positioning UE, etc.
  • the above-mentioned “service requested to be discovered by the UE” may be, for example, a ranging service and/or a sidelink positioning service.
  • the above-mentioned "service role authorized by the UE in the service requested for discovery" may be authorized by a network device, wherein the network device that authorizes the service role may be at least one of a server including proximity service and a unified data management function (UDM) network element.
  • the network device that authorizes the service role may be at least one of a server including proximity service and a unified data management function (UDM) network element.
  • UDM unified data management function
  • condition for allowing execution of services requested by the UE to be discovered may include time conditions for allowing execution and/or geographical conditions for allowing execution.
  • the time conditions for allowing execution may include: the time period for allowing execution of services requested by the UE to be discovered, such as allowing execution of services requested by the UE to be discovered during daytime hours of 8:00-16:00;
  • the geographical conditions for allowing execution may include: the geographical area for allowing execution of services requested by the UE to be discovered, such as allowing execution of services requested by the UE to be discovered in Beijing.
  • the conditions for allowing execution may also be other conditions, for example, the distance between the opposite UE and the first UE is within a preset distance range, etc., and the embodiments of the present disclosure do not specifically limit this.
  • the above-mentioned "validity period of the authorization token” may include the validity period of the authorization token, or the invalid period of the authorization token.
  • the authorization token of the first UE may carry the start time and valid duration of the validity period of the authorization token. Among them, the generation time and valid duration of the token are used to indicate the validity period of the authorization token.
  • the authorization token of the first UE may carry the validity start time and end time of the authorization token.
  • the authorization token of the first UE may carry the expiration time of the authorization token, which is used to indicate the validity period of the authorization token or to indicate the invalid period of the authorization token.
  • the embodiments of the present disclosure do not specifically limit the method of specifically indicating the validity period or invalid period of the authorization token.
  • the authorization token of the first UE in the above-mentioned discovery request message may be: the authorization token of the first UE signed by the first key. And, after the second UE receives the authorization token of the first UE signed by the first key, it may use the second key to decode and verify the received authorization token of the first UE.
  • the first key may be used to: digitally sign and protect the authorization token to ensure that the authorization token will not be forged or tampered with during transmission by an attacker (such as a malicious UE), thereby improving the accuracy of service execution and information security.
  • malicious UEs may include, for example: UEs requesting discovery of services different from UEs receiving authorization tokens, UEs that have not requested services, UEs whose roles are not authorized by network devices, UEs that have not obtained authorization tokens from network devices, etc.
  • the above-mentioned first key may be a private key of a network device
  • the second key may be a public key of the network device.
  • the first key and the second key may be a public-private key pair generated by a network device, and the network device sends the second key to the first UE.
  • the network device may generate and send the second key to the first UE when authorizing a service role for any UE (e.g., the first UE).
  • the network device may send the second key together with the authorization token generated for the UE to the UE.
  • both the first key and the second key may be a shared key between the UE and the network device; wherein the shared key between the UE and the network device may be pre-agreed and configured by the UE and the network device. For example, it may be pre-agreed and configured when the network device authorizes a service role for the UE.
  • the authorization token when the network device sends the authorization token generated for the UE to the UE, the authorization token may also be signed using the first key, and the UE may decode the authorization token signed by the first key received from the network device based on the second key received from the network device and/or the pre-agreed configured second key.
  • the embodiment of the present disclosure does not specifically limit the encryption method of the authorization token, nor does it specifically limit the method for generating the first key and the second key.
  • the service role of the first UE can be verified based on the authorization token of the first UE. Specifically, at least one of the following can be verified:
  • the specific conditions include at least one of the following:
  • the business role of the opposite UE expected by the first UE in the authorization token of the first UE is consistent with the business role authorized for the second UE.
  • the business role of the opposite UE expected by the first UE in the authorization token of the first UE is reference UE and positioning UE, and the business role authorized for the second UE is reference UE, then the second UE successfully verifies the authorization token of the first UE.
  • the business role of the opposite UE expected by the first UE in the authorization token of the first UE is reference UE and positioning UE, and the business role authorized for the second UE is target UE, then the second UE fails to verify the authorization token of the first UE.
  • the ID of the opposite UE expected by the first UE in the authorization token of the first UE is consistent with the ID of the second UE.
  • the ID of the opposite UE expected by the first UE in the authorization token of the first UE includes UE#1 and UE#2, and the ID of the second UE is UE#1, then the second UE successfully verifies the authorization token of the first UE.
  • the ID of the opposite UE expected by the first UE in the authorization token of the first UE includes UE#1 and UE#2, and the ID of the second UE is UE#3, then the second UE fails to verify the authorization token of the first UE.
  • the service requested by the first UE to be discovered in the authorization token of the first UE is consistent with the service that the first UE needs to discover from the second UE.
  • the service requested by the first UE to be discovered in the authorization token of the first UE is: ranging service
  • the service that the first UE needs to discover from the second UE is also: ranging service
  • the second UE successfully verifies the authorization token of the first UE.
  • the service requested by the first UE to be discovered in the authorization token of the first UE is: ranging service
  • the service that the first UE needs to discover from the second UE is: side link, then the second UE fails to verify the authorization token of the first UE.
  • the business role authorized by the first UE in the authorization token of the first UE in the service requested to be discovered is consistent with the business role declared by the first UE.
  • the business role authorized by the first UE in the authorization token of the first UE in the service requested to be discovered is the target UE, and the business role declared by the first UE is also the target UE, then the second UE successfully verifies the authorization token of the first UE.
  • the business role authorized by the first UE in the authorization token of the first UE in the service requested to be discovered is the target UE, and the business role declared by the first UE is the reference UE, then the second UE fails to verify the authorization token of the first UE.
  • Specific condition 5 the execution condition of the service requested to be discovered in the authorization token of the first UE is met (for example, the execution condition of the service requested to be discovered in the authorization token of the first UE is: the service requested to be discovered by the first UE is allowed to be executed during 8:00-16:00 in Beijing during the day, and the second UE determines that the first UE and the second UE are both located in Beijing, and the time point when the first UE requests to discover the service is 9:00);
  • the authorization token of the first UE has not expired (for example, the authorization token of the first UE is valid from October 1, 2022 to October 9, 2022, and the time when the first UE requests discovery service is October 8, 2022).
  • the second UE may send a discovery response message to the first UE.
  • Step 202 Receive a discovery response message sent by the second UE, where the discovery response message includes an authorization token of the second UE.
  • the authorization token of the second UE may include at least one of the following:
  • the ID of the network device that generates the authorization token of the second UE is the ID of the network device that generates the authorization token of the second UE
  • Conditions of the opposite UE include: allowing any UE to serve as the opposite UE of the second UE in the service requested to be discovered by the second UE, or the conditions of the opposite UE include the service role and/or ID of the opposite UE expected by the second UE;
  • the validity period of the authorization token of the second UE is the validity period of the authorization token of the second UE.
  • the authorization token of the second UE may be an authorization token of the second UE signed by the first key.
  • the first UE may use the second key to decode and verify the received authorization token of the second UE.
  • the discovery response message may include service information (such as the identifier of the service, and/or the type of service, etc.) requested by the second UE to discover to the first UE, and/or the service role declared by the second UE.
  • service information such as the identifier of the service, and/or the type of service, etc.
  • the meaning of the service role declared by the second UE can be described with reference to the above embodiment. It can be understood that, when the service role declared by the second UE is not a service role pre-authorized by the network device, when the first UE and the second UE perform the service, an error may occur due to the mismatch between the service roles of the two UEs, resulting in service interruption or low service execution efficiency.
  • the second UE is a malicious UE and deliberately declares a service role that is not authorized by the network device, that is, the second UE deceives the first UE, then for the first UE, communicating with the malicious UE may bring communication security issues.
  • Step 203 After the authorization token of the second UE is verified, a connection is established with the second UE.
  • the first UE when the first UE receives a discovery response message sent by the second UE, it can first verify the service role of the second UE based on the authorization token of the second UE, and when the authorization token of the second UE is verified, establish a connection with the second UE.
  • the method for verifying the service role of the second UE based on the authorization token of the second UE may include at least one of the following:
  • the specific conditions include at least one of the following:
  • the service role of the opposite UE expected by the second UE in the authorization token of the second UE is consistent with the service role authorized by the first UE;
  • the ID of the opposite UE expected by the second UE in the authorization token of the second UE is consistent with the ID of the first UE;
  • the service requested to be discovered by the second UE in the authorization token of the second UE is consistent with the service that the second UE needs to discover from the first UE;
  • the service role authorized by the second UE in the service requested for discovery in the authorization token of the second UE is consistent with the service role declared by the second UE;
  • the authorization token of the second UE has not expired.
  • the principle of the above verification process is similar to the principle of the aforementioned verification process of the service role of the first UE by the second UE, and will not be repeated in the embodiment of the present disclosure.
  • the present disclosure provides the specific information included in the authorization token and provides a specific detailed process of how a first UE verifies the business role of the second UE based on the authorization token of the second UE.
  • the verification method of the present disclosure can realize the verification of the business role of the UE, thereby avoiding mutual deception between UEs, improving the accuracy of service execution, and improving information security.
  • the first UE will respond to the message of the second UE, or communicate with the second UE, or send the authorization token of the first UE to the second UE, or establish a communication connection with the second UE, only after the first UE successfully verifies the business role of the second UE; at the same time, for the second UE, the second UE will respond to the message of the first UE, or communicate with the first UE, or send the authorization token of the second UE to the first UE, or establish a communication connection with the first UE, only after the second UE successfully verifies the business role of the first UE.
  • the first UE will send a discovery request message, and then the first UE will receive a discovery response message sent by the second UE, and the discovery response message includes the authorization token of the second UE; and, when the authorization token of the second UE is verified, the first UE will establish a connection with the second UE.
  • the present disclosure provides a specific method for verifying the business role of the UE based on the authorization token, and provides the specific information included in the authorization token and the specific details of the verification based on the authorization token.
  • the two UEs can exchange their respective authorization tokens, and use the method of the present disclosure to verify the business role declared by the UE based on the authorization token of the UE, thereby avoiding mutual deception between UEs, improving the accuracy of service execution, and improving information security.
  • FIG3a is a flow chart of a method for verifying a device service role provided by an embodiment of the present disclosure. The method is executed by a first UE. As shown in FIG3a , the method for verifying a device service role may include the following steps:
  • Step 301a Receive an authorization token of the first UE sent by the network device.
  • the authorization token of the UE is generated by a network device and then sent to the UE. Also, the network device that generates the authorization token may be described in the above embodiment.
  • the authorization token sent by the network device to the UE may be an authorization token signed by the first key, and when the first UE receives the authorization token of the first UE signed by the first key, the second key may be used to decode and verify the received authorization token of the first UE.
  • the first key and the second key reference may be made to the description of the above embodiment.
  • the first UE can store the authorization token of the first UE in association with the service requested to be discovered corresponding to the authorization token of the first UE.
  • the authorization token of the first UE associated with the service currently requested to be discovered by the first UE is sent to the second UE. That is, in one embodiment of the present disclosure, the authorization token is used to verify the business role of the UE in the service requested to be discovered corresponding to the authorization token.
  • the first UE will send a discovery request message, and then the first UE will receive a discovery response message sent by the second UE, and the discovery response message includes the authorization token of the second UE; and, when the authorization token of the second UE is verified, the first UE will establish a connection with the second UE.
  • the present disclosure provides a specific method for verifying the business role of the UE based on the authorization token, and provides the specific information included in the authorization token and the specific details of the verification based on the authorization token.
  • the two UEs can exchange their respective authorization tokens, and use the method of the present disclosure to verify the business role declared by the UE based on the authorization token of the UE, thereby avoiding mutual deception between UEs, improving the accuracy of service execution, and improving information security.
  • FIG3b is a flow chart of a method for verifying a device service role provided by an embodiment of the present disclosure. The method is executed by a second UE. As shown in FIG3b , the method for verifying a device service role may include the following steps:
  • Step 301b Receive a discovery request message sent by the first UE, where the discovery request message includes an authorization token of the first UE.
  • Step 302b After the authorization token of the first UE is verified, a discovery response message is sent to the first UE, where the discovery response message includes the authorization token of the second UE.
  • steps 301b - 302b please refer to the above embodiment description.
  • the second UE will receive a discovery request message sent by the first UE, and the discovery request message includes the authorization token of the first UE. Afterwards, when the authorization token of the first UE is verified, the second UE will send a discovery response message to the first UE, and the discovery response message includes the authorization token of the second UE. It can be seen that the present disclosure provides a specific method for verifying the business role of the UE based on the authorization token, and provides the specific information included in the authorization token and the specific details of the verification based on the authorization token.
  • the two UEs can exchange their respective authorization tokens, and use the method of the present disclosure to verify the business role declared by the UE based on the authorization token of the UE, thereby avoiding mutual deception between UEs, improving the accuracy of service execution, and improving information security.
  • FIG3c is a flow chart of a method for verifying a device service role provided in an embodiment of the present disclosure. The method is executed by a second UE. As shown in FIG3c , the method for verifying a device service role may include the following steps:
  • Step 301c Receive the authorization token of the second UE sent by the network device.
  • step 301c For a detailed description of step 301c, please refer to the above embodiment description.
  • the second UE will receive a discovery request message sent by the first UE, and the discovery request message includes the authorization token of the first UE. Afterwards, when the authorization token of the first UE is verified, the second UE will send a discovery response message to the first UE, and the discovery response message includes the authorization token of the second UE. It can be seen that the present disclosure provides a specific method for verifying the business role of the UE based on the authorization token, and provides the specific information included in the authorization token and the specific details of the verification based on the authorization token.
  • the two UEs can exchange their respective authorization tokens, and use the method of the present disclosure to verify the business role declared by the UE based on the authorization token of the UE, thereby avoiding mutual deception between UEs, improving the accuracy of service execution, and improving information security.
  • FIG4a is a schematic diagram of the structure of a communication device provided by an embodiment of the present disclosure. As shown in FIG4a , the device may include:
  • a transceiver module used for sending a discovery request message
  • the transceiver module is further configured to receive a discovery response message sent by the second UE, wherein the discovery response message includes an authorization token of the second UE;
  • the processing module is also used to establish a connection with the second UE after the authorization token of the second UE is verified.
  • the first UE will send a discovery request message, and then the first UE will receive a discovery response message sent by the second UE, the discovery response message including the authorization token of the second UE; and, when the authorization token of the second UE is verified, the first UE will establish a connection with the second UE.
  • the present disclosure provides a specific method for verifying the business role of the UE based on the authorization token, and provides the specific information included in the authorization token and the specific details of the verification based on the authorization token.
  • the two UEs can exchange their respective authorization tokens, and use the method of the present disclosure to verify the business role declared by the UE based on the authorization token of the UE, thereby avoiding mutual deception between UEs, improving the accuracy of service execution, and improving information security.
  • the discovery request message includes an authorization token of the first UE
  • the authorization token of the first UE is used for: the second UE to verify the service role of the first UE based on the authorization token of the first UE.
  • the authorization token of the first UE includes at least one of the following:
  • the condition of the opposite end UE includes: allowing any UE to be the opposite end UE of the first UE, or, the condition of the opposite end UE includes the service role and/or ID of the opposite end UE expected by the first UE.
  • the device is further used for:
  • the transceiver module is further used to:
  • An authorization token of the first UE signed by the first key and sent by the network device is received.
  • the authorization token of the first UE in the discovery request message is: the authorization token of the first UE signed by the first key.
  • the authorization token of the second UE in the discovery response message is: the authorization token of the second UE signed by the first key;
  • the device is also used for:
  • the received authorization token of the second UE is decoded and verified using the second key.
  • the first key is a private key of the network device
  • the second key is a public key of the network device
  • the first key and the second key are both shared keys between the UE and the network device.
  • the device is further used for at least one of the following:
  • FIG4b is a schematic diagram of the structure of a communication device provided by an embodiment of the present disclosure. As shown in FIG4b , the device may include:
  • a transceiver module configured to receive a discovery request message sent by a first UE, wherein the discovery request message includes an authorization token of the first UE;
  • the transceiver module is further used to send a discovery response message to the first UE after the authorization token of the first UE is verified, and the discovery response message includes the authorization token of the second UE.
  • the second UE will receive a discovery request message sent by the first UE, and the discovery request message includes the authorization token of the first UE. Afterwards, when the authorization token of the first UE is verified, the second UE will send a discovery response message to the first UE, and the discovery response message includes the authorization token of the second UE. It can be seen that the present disclosure provides a specific method for verifying the business role of the UE based on the authorization token, and provides the specific information included in the authorization token and the specific details of the verification based on the authorization token.
  • the two UEs can exchange their respective authorization tokens, and use the method of the present disclosure to verify the business role declared by the UE based on the authorization token of the UE, thereby avoiding mutual deception between UEs, improving the accuracy of service execution, and improving information security.
  • the authorization token of the second UE includes at least one of the following:
  • the condition of the opposite UE includes: allowing any UE to serve as the opposite UE of the second UE, or, the condition of the opposite UE includes the service role and/or ID of the opposite UE expected by the second UE.
  • the device is further used for:
  • the transceiver module is further used for:
  • An authorization token of the second UE signed by the first key and sent by the network device is received.
  • the authorization token of the first UE in the discovery request message is: the authorization token of the second UE signed by the first key;
  • the device is also used for:
  • the received authorization token of the first UE is decoded and verified using the second key.
  • the authorization token of the second UE in the discovery response message is: the authorization token of the second UE signed by the first key.
  • the first key is a private key of the network device
  • the second key is a public key of the network device
  • the first key and the second key are both shared keys between the UE and the network device.
  • the device is further used for at least one of the following:
  • FIG. 5 is a schematic diagram of the structure of a communication device 500 provided in an embodiment of the present application.
  • the communication device 500 can be a base station, or a terminal device, or a chip, a chip system, or a processor that supports the base station to implement the above method, or a chip, a chip system, or a processor that supports the terminal device to implement the above method.
  • the device can be used to implement the method described in the above method embodiment, and the details can be referred to the description in the above method embodiment.
  • the communication device 500 may include one or more processors 501.
  • the processor 501 may be a general-purpose processor or a dedicated processor, etc. For example, it may be a baseband processor or a central processing unit.
  • the baseband processor may be used to process the communication protocol and communication data
  • the central processing unit may be used to control the communication device (such as a base station, a baseband chip, a terminal device, a terminal device chip, a DU or a CU, etc.), execute a computer program, and process the data of the computer program.
  • the communication device 500 may further include one or more memories 502, on which a computer program 504 may be stored, and the processor 501 executes the computer program 504 so that the communication device 500 performs the method described in the above method embodiment.
  • data may also be stored in the memory 502.
  • the communication device 500 and the memory 502 may be provided separately or integrated together.
  • the communication device 500 may further include a transceiver 505 and an antenna 506.
  • the transceiver 505 may be referred to as a transceiver unit, a transceiver, or a transceiver circuit, etc., for implementing a transceiver function.
  • the transceiver 505 may include a receiver and a transmitter, the receiver may be referred to as a receiver or a receiving circuit, etc., for implementing a receiving function; the transmitter may be referred to as a transmitter or a transmitting circuit, etc., for implementing a transmitting function.
  • the communication device 500 may further include one or more interface circuits 507.
  • the interface circuit 507 is used to receive code instructions and transmit them to the processor 501.
  • the processor 501 runs the code instructions to enable the communication device 500 to perform the method described in the above method embodiment.
  • the processor 501 may include a transceiver for implementing the receiving and sending functions.
  • the transceiver may be a transceiver circuit, an interface, or an interface circuit.
  • the transceiver circuit, interface, or interface circuit for implementing the receiving and sending functions may be separate or integrated.
  • the above-mentioned transceiver circuit, interface, or interface circuit may be used for reading and writing code/data, or the above-mentioned transceiver circuit, interface, or interface circuit may be used for transmitting or delivering signals.
  • the processor 501 may store a computer program 503, which runs on the processor 501 and enables the communication device 500 to perform the method described in the above method embodiment.
  • the computer program 503 may be fixed in the processor 501, in which case the processor 501 may be implemented by hardware.
  • the communication device 500 may include a circuit that can implement the functions of sending or receiving or communicating in the aforementioned method embodiments.
  • the processor and transceiver described in the present application can be implemented in an integrated circuit (IC), an analog IC, a radio frequency integrated circuit RFIC, a mixed signal IC, an application specific integrated circuit (ASIC), a printed circuit board (PCB), an electronic device, etc.
  • the processor and transceiver can also be manufactured using various IC process technologies, such as complementary metal oxide semiconductor (CMOS), N-type metal oxide semiconductor (NMOS), P-type metal oxide semiconductor (positive channel metal oxide semiconductor, PMOS), bipolar junction transistor (BJT), bipolar CMOS (BiCMOS), silicon germanium (SiGe), gallium arsenide (GaAs), etc.
  • CMOS complementary metal oxide semiconductor
  • NMOS N-type metal oxide semiconductor
  • PMOS P-type metal oxide semiconductor
  • BJT bipolar junction transistor
  • BiCMOS bipolar CMOS
  • SiGe silicon germanium
  • GaAs gallium arsenide
  • the communication device described in the above embodiments may be a base station or a terminal device, but the scope of the communication device described in the present application is not limited thereto, and the structure of the communication device may not be limited by FIG. 5.
  • the communication device may be an independent device or may be part of a larger device.
  • the communication device may be:
  • the IC set may also include a storage component for storing data and computer programs;
  • ASIC such as modem
  • the communication device can be a chip or a chip system
  • the chip shown in Figure 6 includes a processor 601 and an interface 602.
  • the number of the processor 601 can be one or more, and the number of the interface 602 can be multiple.
  • the chip further includes a memory 603, and the memory 603 is used to store necessary computer programs and data.
  • the present application also provides a readable storage medium having instructions stored thereon, which implement the functions of any of the above method embodiments when executed by a computer.
  • the present application also provides a computer program product, which implements the functions of any of the above method embodiments when executed by a computer.
  • the computer program product includes one or more computer programs.
  • the computer can be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device.
  • the computer program can be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another computer-readable storage medium.
  • the computer program can be transmitted from a website site, computer, server or data center by wired (e.g., coaxial cable, optical fiber, digital subscriber line (digital subscriber line, DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) mode to another website site, computer, server or data center.
  • the computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device such as a server or data center that includes one or more available media integrated.
  • the available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a high-density digital video disc (DVD)), or a semiconductor medium (e.g., a solid state disk (SSD)), etc.
  • a magnetic medium e.g., a floppy disk, a hard disk, a magnetic tape
  • an optical medium e.g., a high-density digital video disc (DVD)
  • DVD high-density digital video disc
  • SSD solid state disk
  • At least one in the present application can also be described as one or more, and a plurality can be two, three, four or more, which is not limited in the present application.
  • the technical features in the technical feature are distinguished by “first”, “second”, “third”, “A”, “B”, “C” and “D”, etc., and there is no order of precedence or size between the technical features described by the "first”, “second”, “third”, “A”, “B”, “C” and “D”.
  • the corresponding relationships shown in each table in the present application can be configured or predefined.
  • the values of the information in each table are only examples and can be configured as other values, which are not limited by the present application.
  • the corresponding relationships shown in some rows may not be configured.
  • appropriate deformation adjustments can be made based on the above table, such as splitting, merging, etc.
  • the names of the parameters shown in the titles in the above tables can also use other names that can be understood by the communication device, and the values or representations of the parameters can also be other values or representations that can be understood by the communication device.
  • other data structures can also be used, such as arrays, queues, containers, stacks, linear lists, pointers, linked lists, trees, graphs, structures, classes, heaps, hash tables or hash tables.
  • the predefined in the present application may be understood as defined, predefined, stored, pre-stored, pre-negotiated, pre-configured, solidified, or pre-burned.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present disclosure provides a device service role verification method and apparatus and device, and a storage medium. The method comprises: sending a discovery request message; receiving a discovery response message sent by a second UE, the discovery response message comprising an authorization token of the second UE; and when the authorization token of the second UE passes verification, establishing a connection with the second UE. The method provided by the present disclosure avoids spoofing between UEs, improves service execution accuracy, and improves information security.

Description

一种设备业务角色的验证方法/装置/设备及存储介质A device business role verification method/device/equipment and storage medium 技术领域Technical Field
本公开涉及通信技术领域,尤其涉及一种设备业务角色的验证方法/装置/设备及存储介质。The present disclosure relates to the field of communication technology, and in particular to a method/device/equipment for verifying a device business role and a storage medium.
背景技术Background technique
通信系统中,在进行测距(Ranging)服务和/或侧行链路(Sidelink,SL)定位服务时,通常需要由多个用户设备(User Equipment,UE)来分别扮演不同的业务角色参与完成服务,其中,UE的业务角色可以包括参考UE(如侧行链路参考UE(SL Reference UE))、目标UE(Target UE)、辅助UE(Assistant UE)、定位UE(Located UE)、作为服务器的UE(如作为侧行链路定位服务器的UE(SL Positioning Server UE))、客户端UE(如侧行链路定位客户端UE(SL Positioning Client UE))等。在多个UE的发现连接过程中,如何提升多个UE之间的通信安全亟待解决。In a communication system, when performing ranging services and/or sidelink (SL) positioning services, multiple user equipment (UE) are usually required to play different service roles to complete the services, wherein the service roles of UE may include reference UE (such as sidelink reference UE (SL Reference UE)), target UE (Target UE), assistant UE (Assistant UE), located UE (Located UE), server UE (such as sidelink positioning server UE (SL Positioning Server UE)), client UE (such as sidelink positioning client UE (SL Positioning Client UE)), etc. In the process of discovering and connecting multiple UEs, how to improve the communication security between multiple UEs needs to be solved urgently.
发明内容Summary of the invention
本公开提出的设备业务角色的验证方法/装置/设备及存储介质,用于对UE声明的业务角色进行验证,以确保服务执行的准确度和信息安全性。The device service role verification method/device/equipment and storage medium proposed in the present disclosure are used to verify the service role declared by the UE to ensure the accuracy of service execution and information security.
第一方面,本公开实施例提供一种设备业务角色的验证方法,该方法被第一用户设备执行,包括:In a first aspect, an embodiment of the present disclosure provides a method for verifying a service role of a device, the method being executed by a first user device, including:
发送发现请求消息;Send a discovery request message;
接收第二UE发送的发现响应消息,所述发现响应消息包括第二UE的授权令牌;receiving a discovery response message sent by the second UE, wherein the discovery response message includes an authorization token of the second UE;
当对所述第二UE的授权令牌验证通过后,与所述第二UE建立连接。After the authorization token of the second UE is verified, a connection is established with the second UE.
本公开中,第一UE会发送发现请求消息,之后,第一UE会接收第二UE发送的发现响应消息,该发现响应消息包括第二UE的授权令牌;以及,当对第二UE的授权令牌验证通过后,第一UE会与第二UE建立连接。由此可知,本公开中提供了一种基于授权令牌对UE的业务角色进行验证的具体方法,且提供了授权令牌所包括的具体信息以及基于授权令牌进行验证时的具体细节过程,则在UE之间进行发现过程时,两UE可以交互各自的授权令牌,并采用本公开的方法来基于UE的授权令牌对UE声明的业务角色进行验证,从而避免了UE间的相互欺骗,提升了服务执行的准确性,还提升了信息安全性。In the present disclosure, the first UE will send a discovery request message, and then the first UE will receive a discovery response message sent by the second UE, the discovery response message including the authorization token of the second UE; and, when the authorization token of the second UE is verified, the first UE will establish a connection with the second UE. It can be seen that the present disclosure provides a specific method for verifying the business role of the UE based on the authorization token, and provides the specific information included in the authorization token and the specific details of the verification based on the authorization token. When the discovery process is performed between UEs, the two UEs can exchange their respective authorization tokens, and use the method of the present disclosure to verify the business role declared by the UE based on the authorization token of the UE, thereby avoiding mutual deception between UEs, improving the accuracy of service execution, and improving information security.
第二方面,本公开实施例提供一种设备业务角色的验证方法,该方法被第二用户设备执行,包括:In a second aspect, an embodiment of the present disclosure provides a method for verifying a service role of a device, the method being executed by a second user device, including:
接收第一UE发送的发现请求消息,所述发现请求消息包括第一UE的授权令牌;Receiving a discovery request message sent by the first UE, where the discovery request message includes an authorization token of the first UE;
当对所述第一UE的授权令牌验证通过后,向所述第一UE发送发现响应消息,所述发现响应消息包括所述第二UE的授权令牌。When the authorization token of the first UE is verified, a discovery response message is sent to the first UE, and the discovery response message includes the authorization token of the second UE.
第三方面,本公开实施例提供一种通信装置,该装置配置于第一用户设备中,包括:In a third aspect, an embodiment of the present disclosure provides a communication device, which is configured in a first user equipment, including:
收发模块,用于发送发现请求消息;A transceiver module, used for sending a discovery request message;
所述收发模块,还用于接收第二UE发送的发现响应消息,所述发现响应消息包括第二UE的授权令牌;The transceiver module is further configured to receive a discovery response message sent by the second UE, wherein the discovery response message includes an authorization token of the second UE;
处理模块,还用于当对所述第二UE的授权令牌验证通过后,与所述第二UE建立连接。The processing module is also used to establish a connection with the second UE after the authorization token of the second UE is verified.
第四方面,本公开实施例提供一种通信装置,该装置配置于第二用户设备中,包括:In a fourth aspect, an embodiment of the present disclosure provides a communication device, which is configured in a second user equipment, including:
收发模块,用于接收第一UE发送的发现请求消息,所述发现请求消息包括所述第一UE的授权令牌;A transceiver module, configured to receive a discovery request message sent by a first UE, wherein the discovery request message includes an authorization token of the first UE;
所述收发模块,还用于当对所述第一UE的授权令牌验证通过后,向所述第一UE发送发现响应消息,所述发现响应消息包括所述第二UE的授权令牌。The transceiver module is further used to send a discovery response message to the first UE after the authorization token of the first UE is verified, and the discovery response message includes the authorization token of the second UE.
第五方面,本公开实施例提供一种通信装置,该通信装置包括处理器,当该处理器调用存储器中的计算机程序时,执行上述第一方面或第二方面所述的方法。In a fifth aspect, an embodiment of the present disclosure provides a communication device, which includes a processor. When the processor calls a computer program in a memory, the method described in the first aspect or the second aspect is executed.
第六方面,本公开实施例提供一种通信装置,该通信装置包括处理器和存储器,该存储器中存储有 计算机程序;所述处理器执行该存储器所存储的计算机程序,以使该通信装置执行上述第一方面或第二方面所述的方法。In a sixth aspect, an embodiment of the present disclosure provides a communication device, which includes a processor and a memory, in which a computer program is stored; the processor executes the computer program stored in the memory so that the communication device executes the method described in the first aspect or the second aspect above.
第七方面,本公开实施例提供一种通信装置,该装置包括处理器和接口电路,该接口电路用于接收代码指令并传输至该处理器,该处理器用于运行所述代码指令以使该装置执行上述第一方面或第二方面所述的方法。In a seventh aspect, an embodiment of the present disclosure provides a communication device, which includes a processor and an interface circuit, wherein the interface circuit is used to receive code instructions and transmit them to the processor, and the processor is used to run the code instructions to enable the device to execute the method described in the first or second aspect above.
第八方面,本公开实施例提供一种通信系统,该系统包括第三方面至第四方面所述的通信装置,或者,该系统包括第五方面所述的通信装置,或者,该系统包括第六方面所述的通信装置,或者,该系统包括第七方面所述的通信装置。In an eighth aspect, an embodiment of the present disclosure provides a communication system, the system includes the communication device described in the third to fourth aspects, or the system includes the communication device described in the fifth aspect, or the system includes the communication device described in the sixth aspect, or the system includes the communication device described in the seventh aspect.
第九方面,本公开实施例提供一种计算机可读存储介质,用于储存为上述网络设备所用的指令,当所述指令被执行时,使所述终端设备执行上述第一方面或第二方面所述的方法。In a ninth aspect, an embodiment of the present disclosure provides a computer-readable storage medium for storing instructions used by the above-mentioned network device, and when the instructions are executed, the terminal device executes the method described in the first or second aspect above.
第十方面,本公开还提供一种包括计算机程序的计算机程序产品,当其在计算机上运行时,使得计算机执行上述第一方面或第二方面所述的方法。In a tenth aspect, the present disclosure further provides a computer program product comprising a computer program, which, when executed on a computer, enables the computer to execute the method described in the first aspect or the second aspect above.
第十一方面,本公开提供一种芯片系统,该芯片系统包括至少一个处理器和接口,用于支持网络设备实现第一方面或第二方面所述的方法所涉及的功能,例如,确定或处理上述方法中所涉及的数据和信息中的至少一种。在一种可能的设计中,所述芯片系统还包括存储器,所述存储器,用于保存源辅节点必要的计算机程序和数据。该芯片系统,可以由芯片构成,也可以包括芯片和其他分立器件。In the eleventh aspect, the present disclosure provides a chip system, which includes at least one processor and an interface, for supporting a network device to implement the functions involved in the method described in the first aspect or the second aspect, for example, determining or processing at least one of the data and information involved in the above method. In one possible design, the chip system also includes a memory, which is used to store computer programs and data necessary for the source auxiliary node. The chip system can be composed of a chip, or it can include a chip and other discrete devices.
第十二方面,本公开提供一种计算机程序,当其在计算机上运行时,使得计算机执行上述第一方面或第二方面所述的方法。In a twelfth aspect, the present disclosure provides a computer program, which, when executed on a computer, enables the computer to execute the method described in the first or second aspect above.
附图说明BRIEF DESCRIPTION OF THE DRAWINGS
本公开上述的和/或附加的方面和优点从下面结合附图对实施例的描述中将变得明显和容易理解,其中:The above and/or additional aspects and advantages of the present disclosure will become apparent and easily understood from the following description of the embodiments in conjunction with the accompanying drawings, in which:
图1为本公开实施例提供的一些通信系统的架构示意图;FIG1 is a schematic diagram of the architecture of some communication systems provided by embodiments of the present disclosure;
图2为本公开另一个实施例所提供的设备业务角色的验证方法的流程示意图;FIG2 is a schematic diagram of a flow chart of a method for verifying a device service role according to another embodiment of the present disclosure;
图3a-3c为本公开再一个实施例所提供的设备业务角色的验证方法的流程示意图;3a-3c are schematic flow charts of a method for verifying a device service role according to another embodiment of the present disclosure;
图4a-4b为本公开另一个实施例所提供的通信装置的结构示意图;4a-4b are schematic structural diagrams of a communication device provided by another embodiment of the present disclosure;
图5是本公开一个实施例所提供的一种通信装置的框图;FIG5 is a block diagram of a communication device provided by an embodiment of the present disclosure;
图6为本公开一个实施例所提供的一种芯片的结构示意图。FIG6 is a schematic diagram of the structure of a chip provided by an embodiment of the present disclosure.
具体实施方式Detailed ways
这里将详细地对示例性实施例进行说明,其示例表示在附图中。下面的描述涉及附图时,除非另有表示,不同附图中的相同数字表示相同或相似的要素。以下示例性实施例中所描述的实施方式并不代表与本公开实施例相一致的所有实施方式。相反,它们仅是与如所附权利要求书中所详述的、本公开实施例的一些方面相一致的装置和方法的例子。Exemplary embodiments will be described in detail herein, examples of which are shown in the accompanying drawings. When the following description refers to the drawings, the same numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the embodiments of the present disclosure. Instead, they are merely examples of devices and methods consistent with some aspects of the embodiments of the present disclosure as detailed in the appended claims.
在本公开实施例使用的术语是仅仅出于描述特定实施例的目的,而非旨在限制本公开实施例。在本公开实施例和所附权利要求书中所使用的单数形式的“一种”和“该”也旨在包括多数形式,除非上下文清楚地表示其他含义。还应当理解,本文中使用的术语“和/或”是指并包含一个或多个相关联的列出项目的任何或所有可能组合。The terms used in the disclosed embodiments are only for the purpose of describing specific embodiments and are not intended to limit the disclosed embodiments. The singular forms of "a" and "the" used in the disclosed embodiments and the appended claims are also intended to include plural forms unless the context clearly indicates other meanings. It should also be understood that the term "and/or" used herein refers to and includes any or all possible combinations of one or more associated listed items.
应当理解,尽管在本公开实施例可能采用术语第一、第二、第三等来描述各种信息,但这些信息不应限于这些术语。这些术语仅用来将同一类型的信息彼此区分开。例如,在不脱离本公开实施例范围的情况下,第一信息也可以被称为第二信息,类似地,第二信息也可以被称为第一信息。取决于语境,如在此所使用的词语“如果”及“若”可以被解释成为“在……时”或“当……时”或“响应于确定”。It should be understood that although the terms first, second, third, etc. may be used to describe various information in the disclosed embodiments, these information should not be limited to these terms. These terms are only used to distinguish the same type of information from each other. For example, without departing from the scope of the disclosed embodiments, the first information may also be referred to as the second information, and similarly, the second information may also be referred to as the first information. Depending on the context, the words "if" and "if" as used herein may be interpreted as "at" or "when" or "in response to determination".
下面详细描述本公开的实施例,所述实施例的示例在附图中示出,其中自始至终相同或类似的标号表示相同或类似的要素。下面通过参考附图描述的实施例是示例性的,旨在用于解释本公开,而不能理解为对本公开的限制。Embodiments of the present disclosure are described in detail below, examples of which are shown in the accompanying drawings, wherein the same or similar reference numerals throughout represent the same or similar elements. The embodiments described below with reference to the accompanying drawings are exemplary and are intended to be used to explain the present disclosure, and should not be construed as limiting the present disclosure.
为了便于理解,首先介绍本申请涉及的术语。To facilitate understanding, the terms involved in this application are first introduced.
1、侧行链路定位服务1. Sidelink positioning service
侧行链路定位服务,又称侧链定位服务或测距服务,是指通过直接通信连接,确定两个UE之间的距离和/或从一个UE到另一UE的方向。Sidelink positioning service, also known as sidelink positioning service or ranging service, refers to determining the distance between two UEs and/or the direction from one UE to another UE through a direct communication connection.
为了更好的理解本公开实施例公开的一种设备业务角色的验证方法,下面首先对本公开实施例适用的通信系统进行描述。In order to better understand a method for verifying a device service role disclosed in an embodiment of the present disclosure, a communication system to which the embodiment of the present disclosure is applicable is first described below.
请参见图1,图1为本公开实施例提供的一种通信系统的架构示意图。该通信系统可包括但不限于一个网络设备,至少两个UE,图1所示的设备数量和形态仅用于举例并不构成对本公开实施例的限定,应用中可以包括两个或两个以上的网络设备,两个以上的UE。图1所示的通信系统以包括一个网络设备11、一个第一UE12、一个第二UE13为例。Please refer to Figure 1, which is a schematic diagram of the architecture of a communication system provided by an embodiment of the present disclosure. The communication system may include but is not limited to a network device and at least two UEs. The number and form of devices shown in Figure 1 are only used for example and do not constitute a limitation on the embodiment of the present disclosure. The application may include two or more network devices and more than two UEs. The communication system shown in Figure 1 includes a network device 11, a first UE 12, and a second UE 13 as an example.
需要说明的是,本公开实施例的技术方案可以应用于各种通信系统。例如:长期演进(long term evolution,LTE)系统、第五代(5th generation,5G)移动通信系统、5G新空口(new radio,NR)系统,或者其他未来的新型移动通信系统等。It should be noted that the technical solutions of the embodiments of the present disclosure can be applied to various communication systems, such as long term evolution (LTE) system, fifth generation (5G) mobile communication system, 5G new radio (NR) system, or other future new mobile communication systems.
本公开实施例中的网络设备11是网络侧的一种用于发射或接收信号的实体。例如,网络设备11可以为演进型基站(evolved NodeB,eNB)、发送接收点(transmission reception point,TRP)、射频拉远头(Radio Remote Head,RRH)、NR系统中的下一代基站(next generation NodeB,gNB)、其他未来移动通信系统中的基站或无线保真(wireless fidelity,WiFi)系统中的接入节点等。本公开的实施例对基站所采用的具体技术和具体设备形态不做限定。本公开实施例提供的基站可以是由集中单元(central unit,CU)与分布式单元(distributed unit,DU)组成的,其中,CU也可以称为控制单元(control unit),采用CU-DU的结构可以将基站,例如基站的协议层拆分开,部分协议层的功能放在CU集中控制,剩下部分或全部协议层的功能分布在DU中,由CU集中控制DU。The network device 11 in the embodiment of the present disclosure is an entity on the network side for transmitting or receiving signals. For example, the network device 11 may be an evolved NodeB (eNB), a transmission reception point (TRP), a Radio Remote Head (RRH), a next generation NodeB (gNB) in an NR system, a base station in other future mobile communication systems, or an access node in a wireless fidelity (WiFi) system. The embodiment of the present disclosure does not limit the specific technology and specific device form adopted by the base station. The base station provided in the embodiment of the present disclosure may be composed of a central unit (CU) and a distributed unit (DU), wherein the CU may also be referred to as a control unit. The CU-DU structure may be used to split the base station, such as the protocol layer of the base station, and the functions of some protocol layers are placed in the CU for centralized control, and the functions of the remaining part or all of the protocol layers are distributed in the DU, and the DU is centrally controlled by the CU.
本公开实施例中的第一UE12和第二UE13均是用户侧的用于接收或发射信号的实体,如手机。终端设备也可以称为终端设备(terminal)、用户设备(user equipment,UE)、移动台(mobile station,MS)、移动终端设备(mobile terminal,MT)等。终端设备可以是具备通信功能的汽车、智能汽车、手机(mobile phone)、穿戴式设备、平板电脑(Pad)、带无线收发功能的电脑、虚拟现实(virtual reality,VR)终端设备、增强现实(augmented reality,AR)终端设备、工业控制(industrial control)中的无线终端设备、无人驾驶(self-driving)中的无线终端设备、远程手术(remote medical surgery)中的无线终端设备、智能电网(smart grid)中的无线终端设备、运输安全(transportation safety)中的无线终端设备、智慧城市(smart city)中的无线终端设备、智慧家庭(smart home)中的无线终端设备等等。本公开的实施例对终端设备所采用的具体技术和具体设备形态不做限定。The first UE12 and the second UE13 in the embodiment of the present disclosure are both entities for receiving or transmitting signals on the user side, such as a mobile phone. The terminal device may also be referred to as a terminal device (terminal), a user equipment (UE), a mobile station (MS), a mobile terminal device (MT), etc. The terminal device may be a car with communication function, a smart car, a mobile phone (mobile phone), a wearable device, a tablet computer (Pad), a computer with wireless transceiver function, a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a wireless terminal device in industrial control (industrial control), a wireless terminal device in self-driving, a wireless terminal device in remote medical surgery, a wireless terminal device in smart grid (smart grid), a wireless terminal device in transportation safety (transportation safety), a wireless terminal device in a smart city (smart city), a wireless terminal device in a smart home (smart home), etc. The embodiments of the present disclosure do not limit the specific technology and specific device form adopted by the terminal device.
可以理解的是,本公开实施例描述的通信系统是为了更加清楚的说明本公开实施例的技术方案,并不构成对于本公开实施例提供的技术方案的限定,本领域普通技术人员可知,随着系统架构的演变和新业务场景的出现,本公开实施例提供的技术方案对于类似的技术问题,同样适用。It can be understood that the communication system described in the embodiment of the present disclosure is for the purpose of more clearly illustrating the technical solution of the embodiment of the present disclosure, and does not constitute a limitation on the technical solution provided by the embodiment of the present disclosure. A person skilled in the art can know that with the evolution of the system architecture and the emergence of new business scenarios, the technical solution provided by the embodiment of the present disclosure is also applicable to similar technical problems.
下面参考附图对本公开实施例所提供的设备业务角色的验证方法/装置/设备及存储介质进行详细描述。The following describes in detail the device service role verification method/device/equipment and storage medium provided by the embodiments of the present disclosure with reference to the accompanying drawings.
需要说明的是,下述各个消息(包括请求消息、响应消息等)的命名仅为方便方案,命名本身并不构成对该消息功能的限定。It should be noted that the naming of the following messages (including request messages, response messages, etc.) is only for convenience, and the naming itself does not constitute a limitation on the function of the message.
图2为本公开实施例所提供的一种设备业务角色的验证方法的流程示意图,该方法由第一UE执行,如图2所示,该设备业务角色的验证方法可以包括以下步骤:FIG2 is a flow chart of a method for verifying a device service role provided by an embodiment of the present disclosure. The method is executed by a first UE. As shown in FIG2 , the method for verifying a device service role may include the following steps:
步骤201、发送发现请求消息。Step 201: Send a discovery request message.
在本公开的一个实施例之中,该发现请求消息例如可以为广播发现消息(broadcast discovery message)或直接通信消息(direct communication))。In one embodiment of the present disclosure, the discovery request message may be, for example, a broadcast discovery message or a direct communication message.
在本公开的一个实施例之中,该发现请求消息中可以包括有第一UE向第二UE请求发现的服务信息(例如服务的标识,和/或服务的类型等),和/或,第一UE声明的业务角色。其中,该第一UE声明的业务角色可以理解为:第一UE在其请求发现的服务中想要扮演的业务角色。该第一UE声明的业 务角色可能是网络设备预先为第一UE在其请求发现的服务中授权的业务角色中的任一个或任几个,也可能不是网络设备预先为第一UE授权的业务角色。其中,当第一UE声明的业务角色不是网络设备预先为其授权的业务角色时,那么第二UE与第一UE执行服务时,可能因为两个UE的业务角色不匹配出现错误,从而使得服务中断或者服务执行效率低。或者,当第一UE为恶意UE时,故意声明网络设备未授权的业务角色时,即第一UE欺骗了第二UE,那么,对于第二UE来说,第二UE与恶意的UE通信可能带来通信安全问题。In one embodiment of the present disclosure, the discovery request message may include service information (such as a service identifier and/or a service type, etc.) requested by the first UE to discover to the second UE, and/or a service role declared by the first UE. The service role declared by the first UE can be understood as the service role that the first UE wants to play in the service it requests to discover. The service role declared by the first UE may be any one or several of the service roles that the network device pre-authorizes for the first UE in the service it requests to discover, or may not be a service role that the network device pre-authorizes for the first UE. When the service role declared by the first UE is not a service role that the network device pre-authorizes for it, when the second UE and the first UE perform the service, an error may occur due to the mismatch of the service roles of the two UEs, thereby causing service interruption or low service execution efficiency. Alternatively, when the first UE is a malicious UE and deliberately declares a service role that is not authorized by the network device, that is, the first UE deceives the second UE, then for the second UE, the communication between the second UE and the malicious UE may bring communication security issues.
在本公开的一个实施例之中,该发现请求消息中还可以包括有第一UE的授权令牌,该第一UE的授权令牌用于:第二UE基于第一UE的授权令牌对第一UE的业务角色进行验证,以验证第一UE声明业务角色是否为其被授权的业务角色,和/或,对第一UE的其他信息也进一步进行验证,避免第一UE欺骗第二UE。In one embodiment of the present disclosure, the discovery request message may also include an authorization token of the first UE, and the authorization token of the first UE is used for: the second UE verifies the business role of the first UE based on the authorization token of the first UE to verify whether the business role declared by the first UE is its authorized business role, and/or further verifies other information of the first UE to prevent the first UE from deceiving the second UE.
其中,在本公开的一个实施例之中,UE的业务角色例如可以包括:参考UE(如侧行链路参考UE(SL Reference UE))、目标UE(Target UE)、辅助UE(Assistant UE)、定位UE(Located UE)、作为服务器的UE(如作为侧行链路定位服务器的UE(SL Positioning Server UE))、客户端UE(如侧行链路定位客户端UE(SL Positioning Client UE))等。其中,上述目标UE可以为被定位或被测距的UE;上述定位UE可以为要获取目标UE的定位位置的UE;上述参考UE可以为:基于该参考UE的位置或参考UE与目标UE之间的距离能够确定出目标UE的定位位置或测距距离的UE;上述辅助UE可以为:在测距服务或侧行链路定位服务中用于协助转发消息的UE;上述作为服务器的UE可以为:具有定位计算能力或测距计算能力的UE;上述的客户端UE可以为:能够在测距服务或侧行链路定位服务中充当客户端的UE。Among them, in one embodiment of the present disclosure, the service roles of UE may include, for example: reference UE (such as sidelink reference UE (SL Reference UE)), target UE (Target UE), assistant UE (Assistant UE), located UE (Located UE), UE as a server (such as UE as a sidelink positioning server (SL Positioning Server UE)), client UE (such as sidelink positioning client UE (SL Positioning Client UE)), etc. Among them, the above-mentioned target UE may be a UE to be located or measured; the above-mentioned positioning UE may be a UE to obtain the positioning position of the target UE; the above-mentioned reference UE may be: a UE that can determine the positioning position or ranging distance of the target UE based on the position of the reference UE or the distance between the reference UE and the target UE; the above-mentioned assistant UE may be: a UE used to assist in forwarding messages in ranging service or sidelink positioning service; the above-mentioned UE as a server may be: a UE with positioning calculation capability or ranging calculation capability; the above-mentioned client UE may be: a UE that can act as a client in ranging service or sidelink positioning service.
在本公开的一个实施例之中,该第一UE的授权令牌可以包括以下至少一种:In one embodiment of the present disclosure, the authorization token of the first UE may include at least one of the following:
生成第一UE的授权令牌的网络设备的ID;The ID of the network device that generates the authorization token of the first UE;
第一UE的ID;ID of the first UE;
对端UE的条件;The conditions of the peer UE;
第一UE所请求发现的服务;The service requested to be discovered by the first UE;
第一UE在请求发现的服务中被授权的业务角色;The service role that the first UE is authorized to use in the service requested for discovery;
第一UE请求发现的服务的允许执行条件;A condition for allowing execution of a service requested to be discovered by the first UE;
第一UE的授权令牌的有效期。The validity period of the authorization token of the first UE.
其中,上述的“生成授权令牌的网络设备”可以包括邻近通信服务密钥管理功能(ProSe key management function,PKMF)网元、邻近通信服务名称管理功能(directdiscovery name management function,DDNMF)网元、包括接近服务的服务器、统一数据管理功能(Unified Data Management,UDM)网元中的至少一种。可以理解的是,生成授权令牌的网络设备一般是为第一UE授权业务角色的网络设备。The above-mentioned "network device for generating authorization token" may include at least one of a ProSe key management function (PKMF) network element, a direct discovery name management function (DDNMF) network element, a server including proximity services, and a Unified Data Management (UDM) network element. It is understandable that the network device for generating authorization token is generally a network device for authorizing a service role for the first UE.
上述对端UE的条件,包括以下任一项:允许任一UE作为第一UE的对端UE;允许任一UE在第一UE所请求发现的服务中作为所述第一UE的对端UE;第一UE期望的对端UE的业务角色和/或ID;第一UE期望的在第一UE所请求发现的服务中作为所述第一UE的对端UE的业务角色和/或ID等。The above-mentioned conditions of the opposite end UE include any one of the following: allowing any UE to be the opposite end UE of the first UE; allowing any UE to be the opposite end UE of the first UE in the service requested to be discovered by the first UE; the business role and/or ID of the opposite end UE expected by the first UE; the business role and/or ID of the opposite end UE expected by the first UE to be the first UE in the service requested to be discovered by the first UE, etc.
上述的“允许任一UE在所述第一UE所请求发现的服务中作为所述第一UE的对端UE”可以理解为:在第一UE所请求发现的服务中,扮演任一业务角色的UE均可以允许作为该第一UE的对端UE。The above-mentioned “allowing any UE to serve as the opposite UE of the first UE in the service requested to be discovered by the first UE” can be understood as: in the service requested to be discovered by the first UE, any UE playing any business role can be allowed to serve as the opposite UE of the first UE.
上述的“UE期望的对端UE的业务角色和/或ID”可以是UE基于其自身在所请求发现的服务中被授权的业务角色所确定的。示例的,若UE自身被授权的业务角色是目标UE,则该UE期望的对端UE的业务角色可以包括参考UE、辅助UE、定位UE等中的至少一种,该UE期望的对端UE的ID可以为:业务角色为参考UE、辅助UE、定位UE等中的至少一种业务角色的UE的ID。The above-mentioned "service role and/or ID of the opposite UE expected by the UE" may be determined by the UE based on its own authorized service role in the requested discovery service. For example, if the service role authorized by the UE itself is the target UE, the service role of the opposite UE expected by the UE may include at least one of a reference UE, an auxiliary UE, a positioning UE, etc., and the ID of the opposite UE expected by the UE may be: the ID of a UE whose service role is at least one of a reference UE, an auxiliary UE, a positioning UE, etc.
上述的“UE所请求发现的服务”例如可以为测距服务和/或侧行链路定位服务。The above-mentioned “service requested to be discovered by the UE” may be, for example, a ranging service and/or a sidelink positioning service.
上述的“UE在请求发现的服务中被授权的业务角色”可以是由网络设备授权的,其中,授权业务角色的网络设备可以为包括接近服务的服务器、统一数据管理功能(Unified Data Management,UDM)网元中的至少一种。The above-mentioned "service role authorized by the UE in the service requested for discovery" may be authorized by a network device, wherein the network device that authorizes the service role may be at least one of a server including proximity service and a unified data management function (UDM) network element.
上述的“UE请求发现的服务的允许执行条件”可以包括允许执行的时间条件和/或允许执行的地理条件。其中,该允许执行的时间条件可以包括:允许执行UE请求发现的服务的时间段,如允许在白天8:00-16:00执行UE请求发现的服务;该允许执行的地理条件可以包括:允许执行UE请求发现的服务的地理区域,如允许在北京执行UE请求发现的服务。可以理解的是,允许执行条件也可以是其他条件,例如,对端UE与第一UE的距离位于预设距离范围内等,本公开实施例对此不做具体限定。The above-mentioned "conditions for allowing execution of services requested by the UE to be discovered" may include time conditions for allowing execution and/or geographical conditions for allowing execution. Among them, the time conditions for allowing execution may include: the time period for allowing execution of services requested by the UE to be discovered, such as allowing execution of services requested by the UE to be discovered during daytime hours of 8:00-16:00; the geographical conditions for allowing execution may include: the geographical area for allowing execution of services requested by the UE to be discovered, such as allowing execution of services requested by the UE to be discovered in Beijing. It is understandable that the conditions for allowing execution may also be other conditions, for example, the distance between the opposite UE and the first UE is within a preset distance range, etc., and the embodiments of the present disclosure do not specifically limit this.
上述的“授权令牌的有效期”可以包括授权令牌的有效时间段,或者,授权令牌的无效时间段。在一个示例中,第一UE的授权令牌中可以携带授权令牌的有效期的开始时间和有效时长。其中,令牌的生成时间和有效时长用于指示授权令牌的有效期。或者,第一UE的授权令牌中可以携带授权令牌的有效期开始时间和截至时间。又或者,第一UE的授权令牌中可以携带授权令牌的失效时间,该失效时间用于指示授权令牌的有效期或用于指示授权令牌的无效期。总之,本公开实施例对具体指示授权令牌的有效期或无效期的方法不做具体限定。The above-mentioned "validity period of the authorization token" may include the validity period of the authorization token, or the invalid period of the authorization token. In one example, the authorization token of the first UE may carry the start time and valid duration of the validity period of the authorization token. Among them, the generation time and valid duration of the token are used to indicate the validity period of the authorization token. Alternatively, the authorization token of the first UE may carry the validity start time and end time of the authorization token. Alternatively, the authorization token of the first UE may carry the expiration time of the authorization token, which is used to indicate the validity period of the authorization token or to indicate the invalid period of the authorization token. In short, the embodiments of the present disclosure do not specifically limit the method of specifically indicating the validity period or invalid period of the authorization token.
在本公开的一个实施例之中,上述的发现请求消息中的第一UE的授权令牌可以为:经由第一密钥签名后的第一UE的授权令牌。以及,第二UE接收到经由第一密钥签名后的第一UE的授权令牌后,可以利用第二密钥来对接收到的第一UE的授权令牌进行解码验证。其中,该第一密钥可以用于:对该授权令牌的进行数字签名保护,以确保授权令牌不会被攻击者(如恶意UE)伪造或在传输过程中篡改,提升了服务执行的准确性,还提升了信息安全性。其中,恶意UE例如可以包括:请求发现的服务与接收授权令牌的UE不同的UE、未请求服务的UE、未被网络设备授权角色的UE、未从网络设备处获取到授权令牌的UE等。In one embodiment of the present disclosure, the authorization token of the first UE in the above-mentioned discovery request message may be: the authorization token of the first UE signed by the first key. And, after the second UE receives the authorization token of the first UE signed by the first key, it may use the second key to decode and verify the received authorization token of the first UE. Among them, the first key may be used to: digitally sign and protect the authorization token to ensure that the authorization token will not be forged or tampered with during transmission by an attacker (such as a malicious UE), thereby improving the accuracy of service execution and information security. Among them, malicious UEs may include, for example: UEs requesting discovery of services different from UEs receiving authorization tokens, UEs that have not requested services, UEs whose roles are not authorized by network devices, UEs that have not obtained authorization tokens from network devices, etc.
在本公开的一个实施例之中,上述第一密钥可以为网络设备的私钥,第二密钥可以为网络设备的公钥。在一些实施例中,该第一密钥和第二密钥可以是由网络设备生成的公私密钥对,网络设备向第一UE下发第二密钥。例如,网络设备可以在为任一个UE(例如第一UE)授权业务角色时生成,并向第一UE下发第二密钥。在一个示例中,网络设备可以在向UE下发其为UE生成的授权令牌时一并发送第二密钥。在本公开的另一个实施例中,第一密钥和第二密钥均可以为UE和网络设备之间的共享密钥;其中,该UE和网络设备之间的共享密钥可以是UE与网络设备预先约定配置好的。例如可以是在网络设备为UE授权业务角色时预先约定配置的。In one embodiment of the present disclosure, the above-mentioned first key may be a private key of a network device, and the second key may be a public key of the network device. In some embodiments, the first key and the second key may be a public-private key pair generated by a network device, and the network device sends the second key to the first UE. For example, the network device may generate and send the second key to the first UE when authorizing a service role for any UE (e.g., the first UE). In one example, the network device may send the second key together with the authorization token generated for the UE to the UE. In another embodiment of the present disclosure, both the first key and the second key may be a shared key between the UE and the network device; wherein the shared key between the UE and the network device may be pre-agreed and configured by the UE and the network device. For example, it may be pre-agreed and configured when the network device authorizes a service role for the UE.
可选的,在本公开的一个实施例之中,网络设备向UE下发其为UE生成的授权令牌时,也可利用第一密钥对该授权令牌进行签名,以及,UE可以基于从网络设备处接收到的第二密钥和/或预先约定配置的第二密钥来对其从网络设备处接收到的经由第一密钥签名后的授权令牌进行解码。Optionally, in one embodiment of the present disclosure, when the network device sends the authorization token generated for the UE to the UE, the authorization token may also be signed using the first key, and the UE may decode the authorization token signed by the first key received from the network device based on the second key received from the network device and/or the pre-agreed configured second key.
需要说明的是,本公开实施例对授权令牌的加密方式不做具体限定,对第一密钥和第二密钥的生成方法也不做具体限定。It should be noted that the embodiment of the present disclosure does not specifically limit the encryption method of the authorization token, nor does it specifically limit the method for generating the first key and the second key.
此外,在本公开的一个实施例之中,当第二UE接收到第一UE发送的第一UE的授权令牌后,可以基于第一UE的授权令牌对第一UE的业务角色进行验证。具体的,可以验证以下至少一种:In addition, in one embodiment of the present disclosure, after the second UE receives the authorization token of the first UE sent by the first UE, the service role of the first UE can be verified based on the authorization token of the first UE. Specifically, at least one of the following can be verified:
验证第一UE的授权令牌中的第一UE期望的对端UE的业务角色与所述第二UE被授权的业务角色是否一致;Verify whether the service role of the opposite UE expected by the first UE in the authorization token of the first UE is consistent with the service role authorized by the second UE;
验证第一UE的授权令牌中的第一UE期望的对端UE的ID与第二UE的ID是否一致;Verify whether the ID of the opposite UE expected by the first UE in the authorization token of the first UE is consistent with the ID of the second UE;
验证第一UE的授权令牌中的第一UE请求发现的服务与第一UE向第二UE需请求发现的服务是否一致;Verify whether the service requested to be discovered by the first UE in the authorization token of the first UE is consistent with the service that the first UE needs to request to be discovered by the second UE;
验证第一UE的授权令牌中的第一UE在请求发现的服务中被授权的业务角色与第一UE声明的业务角色是否一致;Verify whether the service role authorized by the first UE in the service requested for discovery in the authorization token of the first UE is consistent with the service role declared by the first UE;
验证是否符合第一UE的授权令牌中的请求发现的服务的允许执行条件;Verify whether the execution permission condition of the service requested to be discovered in the authorization token of the first UE is met;
验证所述第一UE的授权令牌是否过期。Verify whether the authorization token of the first UE has expired.
其中,响应于满足特定条件,确定第二UE对该第一UE的业务角色验证成功(即验证通过);In response to satisfying a specific condition, determining that the second UE successfully authenticates the service role of the first UE (i.e., the authentication is passed);
该特定条件包括以下至少之一:The specific conditions include at least one of the following:
特定条件1:第一UE的授权令牌中的第一UE期望的对端UE的业务角色与第二UE被授权的业务角色一致。例如:第一UE的授权令牌中的第一UE期望的对端UE的业务角色为参考UE和定位UE, 第二UE被授权的业务角色为参考UE,那么第二UE对第一UE的授权令牌验证成功。又例如:第一UE的授权令牌中的第一UE期望的对端UE的业务角色为参考UE和定位UE,第二UE被授权的业务角色为目标UE,那么第二UE对第一UE的授权令牌验证失败。Specific condition 1: The business role of the opposite UE expected by the first UE in the authorization token of the first UE is consistent with the business role authorized for the second UE. For example: the business role of the opposite UE expected by the first UE in the authorization token of the first UE is reference UE and positioning UE, and the business role authorized for the second UE is reference UE, then the second UE successfully verifies the authorization token of the first UE. For another example: the business role of the opposite UE expected by the first UE in the authorization token of the first UE is reference UE and positioning UE, and the business role authorized for the second UE is target UE, then the second UE fails to verify the authorization token of the first UE.
特定条件2:第一UE的授权令牌中的第一UE期望的对端UE的ID与所述第二UE的ID一致。例如第一UE的授权令牌中的第一UE期望的对端UE的ID包括UE#1和UE#2,第二UE的ID为UE#1,那么第二UE对第一UE的授权令牌验证成功。又例如:第一UE的授权令牌中的第一UE期望的对端UE的ID包括UE#1和UE#2,第二UE的ID为UE#3,那么第二UE对第一UE的授权令牌验证失败。Specific condition 2: The ID of the opposite UE expected by the first UE in the authorization token of the first UE is consistent with the ID of the second UE. For example, the ID of the opposite UE expected by the first UE in the authorization token of the first UE includes UE#1 and UE#2, and the ID of the second UE is UE#1, then the second UE successfully verifies the authorization token of the first UE. For another example: the ID of the opposite UE expected by the first UE in the authorization token of the first UE includes UE#1 and UE#2, and the ID of the second UE is UE#3, then the second UE fails to verify the authorization token of the first UE.
特定条件3:第一UE的授权令牌中的第一UE请求发现的服务与所述第一UE向第二UE需发现的服务一致。例如,第一UE的授权令牌中的第一UE请求发现的服务为:测距服务,第一UE向第二UE需发现的服务也为:测距服务,那么第二UE对第一UE的授权令牌验证成功。又例如:第一UE的授权令牌中的第一UE请求发现的服务为:测距服务,第一UE向第二UE需发现的服务为:侧行链路,那么第二UE对第一UE的授权令牌验证失败。Specific condition 3: The service requested by the first UE to be discovered in the authorization token of the first UE is consistent with the service that the first UE needs to discover from the second UE. For example, the service requested by the first UE to be discovered in the authorization token of the first UE is: ranging service, and the service that the first UE needs to discover from the second UE is also: ranging service, then the second UE successfully verifies the authorization token of the first UE. For another example: the service requested by the first UE to be discovered in the authorization token of the first UE is: ranging service, and the service that the first UE needs to discover from the second UE is: side link, then the second UE fails to verify the authorization token of the first UE.
特定条件4:第一UE的授权令牌中的第一UE在请求发现的服务中被授权的业务角色与所述第一UE声明的业务角色一致。例如:第一UE的授权令牌中的第一UE在请求发现的服务中被授权的业务角色为目标UE,第一UE声明的业务角色也为目标UE,那么第二UE对第一UE的授权令牌验证成功。又例如:第一UE的授权令牌中的第一UE在请求发现的服务中被授权的业务角色为目标UE,第一UE声明的业务角色为参考UE,那么第二UE对第一UE的授权令牌验证失败。Specific condition 4: The business role authorized by the first UE in the authorization token of the first UE in the service requested to be discovered is consistent with the business role declared by the first UE. For example: the business role authorized by the first UE in the authorization token of the first UE in the service requested to be discovered is the target UE, and the business role declared by the first UE is also the target UE, then the second UE successfully verifies the authorization token of the first UE. For another example: the business role authorized by the first UE in the authorization token of the first UE in the service requested to be discovered is the target UE, and the business role declared by the first UE is the reference UE, then the second UE fails to verify the authorization token of the first UE.
特定条件5:符合第一UE的授权令牌中的请求发现的服务的允许执行条件(如第一UE的授权令牌中的请求发现的服务的允许执行条件为:在北京白天8:00-16:00允许执行第一UE请求发现的服务,同时第二UE确定出第一UE和第二UE的定位位置均在北京,且第一UE请求发现服务时的时间点为9:00);Specific condition 5: the execution condition of the service requested to be discovered in the authorization token of the first UE is met (for example, the execution condition of the service requested to be discovered in the authorization token of the first UE is: the service requested to be discovered by the first UE is allowed to be executed during 8:00-16:00 in Beijing during the day, and the second UE determines that the first UE and the second UE are both located in Beijing, and the time point when the first UE requests to discover the service is 9:00);
特定条件6:第一UE的授权令牌未过期(如第一UE的授权令牌的有效期为2022年10月1号至2022年10月9号,第一UE请求发现服务时的时间为2022年10月8号)。Specific condition 6: The authorization token of the first UE has not expired (for example, the authorization token of the first UE is valid from October 1, 2022 to October 9, 2022, and the time when the first UE requests discovery service is October 8, 2022).
进一步地,在本公开的一个实施例之中,当第二UE对第一UE的业务角色验证成功后,第二UE可以向第一UE发送发现响应消息。Further, in an embodiment of the present disclosure, after the second UE successfully authenticates the service role of the first UE, the second UE may send a discovery response message to the first UE.
步骤202、接收第二UE发送的发现响应消息,该发现响应消息包括第二UE的授权令牌。Step 202: Receive a discovery response message sent by the second UE, where the discovery response message includes an authorization token of the second UE.
本公开的一个实施例之中,上述的第二UE的授权令牌可以包括以下至少之一:In one embodiment of the present disclosure, the authorization token of the second UE may include at least one of the following:
生成第二UE的授权令牌的网络设备的ID;The ID of the network device that generates the authorization token of the second UE;
第二UE的ID;ID of the second UE;
对端UE的条件;其中,该对端UE的条件包括:允许任一UE在所述第二UE所请求发现的服务中作为所述第二UE的对端UE,或者,所述对端UE的条件包括所述第二UE期望的对端UE的业务角色和/或ID;Conditions of the opposite UE; wherein the conditions of the opposite UE include: allowing any UE to serve as the opposite UE of the second UE in the service requested to be discovered by the second UE, or the conditions of the opposite UE include the service role and/or ID of the opposite UE expected by the second UE;
第二UE所请求发现的服务;The service requested to be discovered by the second UE;
第二UE在请求发现的服务中被授权的业务角色;The service role that the second UE is authorized to use in the service requested for discovery;
第二UE请求发现的服务的允许执行条件;The conditions for allowing execution of the service requested to be discovered by the second UE;
第二UE的授权令牌的有效期。The validity period of the authorization token of the second UE.
其中,关于第二UE的授权令牌的相关介绍可以参考上述的第一UE的授权令牌的介绍内容。For the introduction of the authorization token of the second UE, reference may be made to the introduction of the authorization token of the first UE mentioned above.
进一步地,在本公开的一个实施例之中,该第二UE的授权令牌可以是经由第一密钥签名后的第二UE的授权令牌。第一UE接收到经由第一密钥签名后的第二UE的授权令牌后,可以利用第二密钥来对接收到的第二UE的授权令牌进行解码验证。其中,关于第一密钥和第二密钥的相关介绍可以参考上述实施例描述。Further, in one embodiment of the present disclosure, the authorization token of the second UE may be an authorization token of the second UE signed by the first key. After the first UE receives the authorization token of the second UE signed by the first key, it may use the second key to decode and verify the received authorization token of the second UE. For the relevant introduction of the first key and the second key, reference may be made to the description of the above embodiment.
此外,在本公开的一个实施例之中,该发现响应消息中可以包括有第二UE向第一UE请求发现的服务信息(例如服务的标识,和/或服务的类型等),和/或,第二UE声明的业务角色。其中,第二UE声明的业务角色的含义介绍可以参考上述实施例描述。可以理解的是,其中,当第二UE声明的业务角色不是网络设备预先为其授权的业务角色时,那么第一UE与第二UE执行服务时,可能因为两个UE 的业务角色不匹配出现错误,从而使得服务中断或者服务执行效率低。或者,当第二UE为恶意UE时,故意声明网络设备未授权的业务角色时,即第二UE欺骗了第一UE,那么,对于第一UE来说,与恶意的UE通信可能带来通信安全问题。In addition, in one embodiment of the present disclosure, the discovery response message may include service information (such as the identifier of the service, and/or the type of service, etc.) requested by the second UE to discover to the first UE, and/or the service role declared by the second UE. The meaning of the service role declared by the second UE can be described with reference to the above embodiment. It can be understood that, when the service role declared by the second UE is not a service role pre-authorized by the network device, when the first UE and the second UE perform the service, an error may occur due to the mismatch between the service roles of the two UEs, resulting in service interruption or low service execution efficiency. Alternatively, when the second UE is a malicious UE and deliberately declares a service role that is not authorized by the network device, that is, the second UE deceives the first UE, then for the first UE, communicating with the malicious UE may bring communication security issues.
步骤203、当对第二UE的授权令牌验证通过后,与第二UE建立连接。Step 203: After the authorization token of the second UE is verified, a connection is established with the second UE.
在本公开的一个实施例之中,当第一UE接收到第二UE发送的发现响应消息后,可以先基于第二UE的授权令牌对第二UE的业务角色进行验证,当对第二UE的授权令牌验证通过后,与第二UE建立连接。In one embodiment of the present disclosure, when the first UE receives a discovery response message sent by the second UE, it can first verify the service role of the second UE based on the authorization token of the second UE, and when the authorization token of the second UE is verified, establish a connection with the second UE.
其中,在本公开的一个实施例之中,基于第二UE的授权令牌对该第二UE的业务角色进行验证的方法可以包括以下至少一种:Among them, in one embodiment of the present disclosure, the method for verifying the service role of the second UE based on the authorization token of the second UE may include at least one of the following:
验证第二UE的授权令牌中的第二UE期望的对端UE的业务角色与第一UE被授权的业务角色是否一致;Verify whether the service role of the opposite UE expected by the second UE in the authorization token of the second UE is consistent with the service role authorized by the first UE;
验证第二UE的授权令牌中的第二UE期望的对端UE的ID与第一UE的ID是否一致;Verify whether the ID of the opposite UE expected by the second UE in the authorization token of the second UE is consistent with the ID of the first UE;
验证第二UE的授权令牌中的第二UE请求发现的服务与第二UE向第一UE需发现的服务是否一致;Verify whether the service requested to be discovered by the second UE in the authorization token of the second UE is consistent with the service that the second UE needs to discover from the first UE;
验证第二UE的授权令牌中的第二UE在请求发现的服务中被授权的业务角色与第二UE声明的业务角色是否一致;Verify whether the service role authorized by the second UE in the service requested for discovery in the authorization token of the second UE is consistent with the service role declared by the second UE;
验证是否符合第二UE的授权令牌中的请求发现的服务的允许执行条件;Verify whether the execution permission condition of the service requested to be discovered in the authorization token of the second UE is met;
验证第二UE的授权令牌是否过期。Verify whether the authorization token of the second UE is expired.
其中,响应于满足特定条件,确定对该第二UE的业务角色验证成功;wherein, in response to satisfying a specific condition, determining that the service role verification of the second UE is successful;
该特定条件包括以下至少之一:The specific conditions include at least one of the following:
第二UE的授权令牌中的第二UE期望的对端UE的业务角色与第一UE被授权的业务角色一致;The service role of the opposite UE expected by the second UE in the authorization token of the second UE is consistent with the service role authorized by the first UE;
第二UE的授权令牌中的第二UE期望的对端UE的ID与所述第一UE的ID一致;The ID of the opposite UE expected by the second UE in the authorization token of the second UE is consistent with the ID of the first UE;
第二UE的授权令牌中的第二UE请求发现的服务与所述第二UE向第一UE需发现的服务一致;The service requested to be discovered by the second UE in the authorization token of the second UE is consistent with the service that the second UE needs to discover from the first UE;
第二UE的授权令牌中的第二UE在请求发现的服务中被授权的业务角色与所述第二UE声明的业务角色一致;The service role authorized by the second UE in the service requested for discovery in the authorization token of the second UE is consistent with the service role declared by the second UE;
符合第二UE的授权令牌中的请求发现的服务的允许执行条件;The execution permission condition of the service requested to be discovered in the authorization token of the second UE is met;
第二UE的授权令牌未过期。The authorization token of the second UE has not expired.
其中,关于上述验证过程的原理与前述的第二UE对第一UE的业务角色的验证过程的原理类似,本公开实施例在此不再赘述。The principle of the above verification process is similar to the principle of the aforementioned verification process of the service role of the first UE by the second UE, and will not be repeated in the embodiment of the present disclosure.
由上述内容可知,本公开中提供了授权令牌所包括的具体信息以及提供了一种第一UE如何基于第二UE的授权令牌对该第二UE的业务角色进行验证的具体细节过程,则采用本公开的验证方法可以实现对UE的业务角色的验证,从而避免了UE间的相互欺骗,提升了服务执行的准确性,还提升了信息安全性。From the above content, it can be seen that the present disclosure provides the specific information included in the authorization token and provides a specific detailed process of how a first UE verifies the business role of the second UE based on the authorization token of the second UE. The verification method of the present disclosure can realize the verification of the business role of the UE, thereby avoiding mutual deception between UEs, improving the accuracy of service execution, and improving information security.
进一步地,还需要说明的是,在本公开的一个实施例之中,针对第一UE而言,只有当第一UE对第二UE的业务角色验证成功后,第一UE才会响应第二UE的消息,或者,与第二UE进行通信,或者,向第二UE发送第一UE的授权令牌,或者,与第二UE建立通信连接;同时,针对第二UE而言,只有当第二UE对第一UE的业务角色验证成功后,第二UE才会响应第一UE的消息,或者,与第一UE进行通信,或者,向第一UE发送第二UE的授权令牌,或者,与第一UE建立通信连接。Furthermore, it should be noted that, in one embodiment of the present disclosure, for the first UE, the first UE will respond to the message of the second UE, or communicate with the second UE, or send the authorization token of the first UE to the second UE, or establish a communication connection with the second UE, only after the first UE successfully verifies the business role of the second UE; at the same time, for the second UE, the second UE will respond to the message of the first UE, or communicate with the first UE, or send the authorization token of the second UE to the first UE, or establish a communication connection with the first UE, only after the second UE successfully verifies the business role of the first UE.
综上所述,在本公开实施例提供的设备业务角色的验证方法之中,第一UE会发送发现请求消息,之后,第一UE会接收第二UE发送的发现响应消息,该发现响应消息包括第二UE的授权令牌;以及,当对第二UE的授权令牌验证通过后,第一UE会与第二UE建立连接。由此可知,本公开中提供了一种基于授权令牌对UE的业务角色进行验证的具体方法,且提供了授权令牌所包括的具体信息以及基于授权令牌进行验证时的具体细节过程,则在UE之间进行发现过程时,两UE可以交互各自的授权令牌,并采用本公开的方法来基于UE的授权令牌对UE声明的业务角色进行验证,从而避免了UE间的相互欺骗,提升了服务执行的准确性,还提升了信息安全性。In summary, in the verification method of the device business role provided in the embodiment of the present disclosure, the first UE will send a discovery request message, and then the first UE will receive a discovery response message sent by the second UE, and the discovery response message includes the authorization token of the second UE; and, when the authorization token of the second UE is verified, the first UE will establish a connection with the second UE. It can be seen that the present disclosure provides a specific method for verifying the business role of the UE based on the authorization token, and provides the specific information included in the authorization token and the specific details of the verification based on the authorization token. When the discovery process is performed between UEs, the two UEs can exchange their respective authorization tokens, and use the method of the present disclosure to verify the business role declared by the UE based on the authorization token of the UE, thereby avoiding mutual deception between UEs, improving the accuracy of service execution, and improving information security.
图3a为本公开实施例所提供的一种设备业务角色的验证方法的流程示意图,该方法由第一UE执行,如图3a所示,该设备业务角色的验证方法可以包括以下步骤:FIG3a is a flow chart of a method for verifying a device service role provided by an embodiment of the present disclosure. The method is executed by a first UE. As shown in FIG3a , the method for verifying a device service role may include the following steps:
步骤301a、接收网络设备发送的第一UE的授权令牌。 Step 301a: Receive an authorization token of the first UE sent by the network device.
其中,在本公开的一个实施例之中,UE的授权令牌具体是由网络设备生成后发送至UE的。以及,关于生成授权令牌的网络设备具体包括哪些可以参考上述实施例描述。In one embodiment of the present disclosure, the authorization token of the UE is generated by a network device and then sent to the UE. Also, the network device that generates the authorization token may be described in the above embodiment.
进一步地,在本公开的一个实施例之中,网络设备发送至UE的授权令牌可以是经由第一密钥签名后的授权令牌,当第一UE接收到经由第一密钥签名后的第一UE的授权令牌后,可以利用第二密钥对接收到的第一UE的授权令牌进行解码验证。其中,关于第一密钥和第二密钥的相关介绍可以参考上述实施例描述。Further, in one embodiment of the present disclosure, the authorization token sent by the network device to the UE may be an authorization token signed by the first key, and when the first UE receives the authorization token of the first UE signed by the first key, the second key may be used to decode and verify the received authorization token of the first UE. For the introduction of the first key and the second key, reference may be made to the description of the above embodiment.
此外,在本公开的一个实施例之中,当第一UE获取到网络设备发送的第一UE的授权令牌之后,第一UE可以将第一UE的授权令牌与第一UE的授权令牌所对应的请求发现的服务关联存储。当第一UE后续要向第二UE发送第一UE的授权令牌时,是向第二UE发送与第一UE当前请求发现的服务关联的第一UE的授权令牌。也即是,在本公开的一个实施例之中,授权令牌是作用于:在与该授权令牌所对应的请求发现的服务中对UE的业务角色进行验证。In addition, in one embodiment of the present disclosure, after the first UE obtains the authorization token of the first UE sent by the network device, the first UE can store the authorization token of the first UE in association with the service requested to be discovered corresponding to the authorization token of the first UE. When the first UE subsequently sends the authorization token of the first UE to the second UE, the authorization token of the first UE associated with the service currently requested to be discovered by the first UE is sent to the second UE. That is, in one embodiment of the present disclosure, the authorization token is used to verify the business role of the UE in the service requested to be discovered corresponding to the authorization token.
综上所述,在本公开实施例提供的设备业务角色的验证方法之中,第一UE会发送发现请求消息,之后,第一UE会接收第二UE发送的发现响应消息,该发现响应消息包括第二UE的授权令牌;以及,当对第二UE的授权令牌验证通过后,第一UE会与第二UE建立连接。由此可知,本公开中提供了一种基于授权令牌对UE的业务角色进行验证的具体方法,且提供了授权令牌所包括的具体信息以及基于授权令牌进行验证时的具体细节过程,则在UE之间进行发现过程时,两UE可以交互各自的授权令牌,并采用本公开的方法来基于UE的授权令牌对UE声明的业务角色进行验证,从而避免了UE间的相互欺骗,提升了服务执行的准确性,还提升了信息安全性。In summary, in the verification method of the device business role provided in the embodiment of the present disclosure, the first UE will send a discovery request message, and then the first UE will receive a discovery response message sent by the second UE, and the discovery response message includes the authorization token of the second UE; and, when the authorization token of the second UE is verified, the first UE will establish a connection with the second UE. It can be seen that the present disclosure provides a specific method for verifying the business role of the UE based on the authorization token, and provides the specific information included in the authorization token and the specific details of the verification based on the authorization token. When the discovery process is performed between UEs, the two UEs can exchange their respective authorization tokens, and use the method of the present disclosure to verify the business role declared by the UE based on the authorization token of the UE, thereby avoiding mutual deception between UEs, improving the accuracy of service execution, and improving information security.
图3b为本公开实施例所提供的一种设备业务角色的验证方法的流程示意图,该方法由第二UE执行,如图3b所示,该设备业务角色的验证方法可以包括以下步骤:FIG3b is a flow chart of a method for verifying a device service role provided by an embodiment of the present disclosure. The method is executed by a second UE. As shown in FIG3b , the method for verifying a device service role may include the following steps:
步骤301b、接收第一UE发送的发现请求消息,所述发现请求消息包括第一UE的授权令牌。 Step 301b: Receive a discovery request message sent by the first UE, where the discovery request message includes an authorization token of the first UE.
步骤302b、当对所述第一UE的授权令牌验证通过后,向所述第一UE发送发现响应消息,所述发现响应消息包括所述第二UE的授权令牌。 Step 302b: After the authorization token of the first UE is verified, a discovery response message is sent to the first UE, where the discovery response message includes the authorization token of the second UE.
其中,关于步骤301b-302b的详细介绍可以参考上述实施例描述。For a detailed description of steps 301b - 302b, please refer to the above embodiment description.
综上所述,在本公开实施例提供的设备业务角色的验证方法之中,第二UE会接收第一UE发送的发现请求消息,该发现请求消息包括第一UE的授权令牌。之后,当对第一UE的授权令牌验证通过后,第二UE会向第一UE发送发现响应消息,该发现响应消息包括第二UE的授权令牌。由此可知,本公开中提供了一种基于授权令牌对UE的业务角色进行验证的具体方法,且提供了授权令牌所包括的具体信息以及基于授权令牌进行验证时的具体细节过程,则在UE之间进行发现过程时,两UE可以交互各自的授权令牌,并采用本公开的方法来基于UE的授权令牌对UE声明的业务角色进行验证,从而避免了UE间的相互欺骗,提升了服务执行的准确性,还提升了信息安全性。In summary, in the device business role verification method provided in the embodiment of the present disclosure, the second UE will receive a discovery request message sent by the first UE, and the discovery request message includes the authorization token of the first UE. Afterwards, when the authorization token of the first UE is verified, the second UE will send a discovery response message to the first UE, and the discovery response message includes the authorization token of the second UE. It can be seen that the present disclosure provides a specific method for verifying the business role of the UE based on the authorization token, and provides the specific information included in the authorization token and the specific details of the verification based on the authorization token. When the discovery process is performed between UEs, the two UEs can exchange their respective authorization tokens, and use the method of the present disclosure to verify the business role declared by the UE based on the authorization token of the UE, thereby avoiding mutual deception between UEs, improving the accuracy of service execution, and improving information security.
图3c为本公开实施例所提供的一种设备业务角色的验证方法的流程示意图,该方法由第二UE执行,如图3c所示,该设备业务角色的验证方法可以包括以下步骤:FIG3c is a flow chart of a method for verifying a device service role provided in an embodiment of the present disclosure. The method is executed by a second UE. As shown in FIG3c , the method for verifying a device service role may include the following steps:
步骤301c、接收网络设备发送的所述第二UE的授权令牌。 Step 301c: Receive the authorization token of the second UE sent by the network device.
其中,关于步骤301c的详细介绍可以参考上述实施例描述。For a detailed description of step 301c, please refer to the above embodiment description.
综上所述,在本公开实施例提供的设备业务角色的验证方法之中,第二UE会接收第一UE发送的发现请求消息,该发现请求消息包括第一UE的授权令牌。之后,当对第一UE的授权令牌验证通过后,第二UE会向第一UE发送发现响应消息,该发现响应消息包括第二UE的授权令牌。由此可知,本公开中提供了一种基于授权令牌对UE的业务角色进行验证的具体方法,且提供了授权令牌所包括的具体信息以及基于授权令牌进行验证时的具体细节过程,则在UE之间进行发现过程时,两UE可以交互各自的授权令牌,并采用本公开的方法来基于UE的授权令牌对UE声明的业务角色进行验证,从而避免了UE间的相互欺骗,提升了服务执行的准确性,还提升了信息安全性。In summary, in the device business role verification method provided in the embodiment of the present disclosure, the second UE will receive a discovery request message sent by the first UE, and the discovery request message includes the authorization token of the first UE. Afterwards, when the authorization token of the first UE is verified, the second UE will send a discovery response message to the first UE, and the discovery response message includes the authorization token of the second UE. It can be seen that the present disclosure provides a specific method for verifying the business role of the UE based on the authorization token, and provides the specific information included in the authorization token and the specific details of the verification based on the authorization token. When the discovery process is performed between UEs, the two UEs can exchange their respective authorization tokens, and use the method of the present disclosure to verify the business role declared by the UE based on the authorization token of the UE, thereby avoiding mutual deception between UEs, improving the accuracy of service execution, and improving information security.
图4a为本公开实施例所提供的一种通信装置的结构示意图,如图4a所示,装置可以包括:FIG4a is a schematic diagram of the structure of a communication device provided by an embodiment of the present disclosure. As shown in FIG4a , the device may include:
收发模块,用于发送发现请求消息;A transceiver module, used for sending a discovery request message;
所述收发模块,还用于接收第二UE发送的发现响应消息,所述发现响应消息包括第二UE的授权令牌;The transceiver module is further configured to receive a discovery response message sent by the second UE, wherein the discovery response message includes an authorization token of the second UE;
处理模块,还用于当对所述第二UE的授权令牌验证通过后,与所述第二UE建立连接。The processing module is also used to establish a connection with the second UE after the authorization token of the second UE is verified.
综上所述,在本公开实施例提供的通信装置之中,第一UE会发送发现请求消息,之后,第一UE会接收第二UE发送的发现响应消息,该发现响应消息包括第二UE的授权令牌;以及,当对第二UE的授权令牌验证通过后,第一UE会与第二UE建立连接。由此可知,本公开中提供了一种基于授权令牌对UE的业务角色进行验证的具体方法,且提供了授权令牌所包括的具体信息以及基于授权令牌进行验证时的具体细节过程,则在UE之间进行发现过程时,两UE可以交互各自的授权令牌,并采用本公开的方法来基于UE的授权令牌对UE声明的业务角色进行验证,从而避免了UE间的相互欺骗,提升了服务执行的准确性,还提升了信息安全性。In summary, in the communication device provided in the embodiment of the present disclosure, the first UE will send a discovery request message, and then the first UE will receive a discovery response message sent by the second UE, the discovery response message including the authorization token of the second UE; and, when the authorization token of the second UE is verified, the first UE will establish a connection with the second UE. It can be seen that the present disclosure provides a specific method for verifying the business role of the UE based on the authorization token, and provides the specific information included in the authorization token and the specific details of the verification based on the authorization token. When the discovery process is performed between UEs, the two UEs can exchange their respective authorization tokens, and use the method of the present disclosure to verify the business role declared by the UE based on the authorization token of the UE, thereby avoiding mutual deception between UEs, improving the accuracy of service execution, and improving information security.
可选的,在本公开的一个实施例之中,所述发现请求消息包括第一UE的授权令牌,所述第一UE的授权令牌用于:第二UE基于所述第一UE的授权令牌对所述第一UE的业务角色进行验证。Optionally, in an embodiment of the present disclosure, the discovery request message includes an authorization token of the first UE, and the authorization token of the first UE is used for: the second UE to verify the service role of the first UE based on the authorization token of the first UE.
可选的,在本公开的一个实施例之中,所述第一UE的授权令牌包括以下至少一种:Optionally, in an embodiment of the present disclosure, the authorization token of the first UE includes at least one of the following:
生成所述授权令牌的网络设备的标识ID;The identification ID of the network device that generates the authorization token;
所述第一UE的ID;an ID of the first UE;
对端UE的条件;The conditions of the peer UE;
所述第一UE所请求发现的服务;The service requested to be discovered by the first UE;
所述第一UE在请求发现的服务中被授权的业务角色;A service role authorized by the first UE in the service requested for discovery;
所述第一UE请求发现的服务的允许执行条件;A condition for allowing execution of the service requested to be discovered by the first UE;
所述授权令牌的有效期。The validity period of the authorization token.
可选的,在本公开的一个实施例之中,所述对端UE的条件包括:允许任一UE作为所述第一UE的对端UE,或者,所述对端UE的条件包括所述第一UE期望的对端UE的业务角色和/或ID。Optionally, in an embodiment of the present disclosure, the condition of the opposite end UE includes: allowing any UE to be the opposite end UE of the first UE, or, the condition of the opposite end UE includes the service role and/or ID of the opposite end UE expected by the first UE.
可选的,在本公开的一个实施例之中,所述装置还用于:Optionally, in one embodiment of the present disclosure, the device is further used for:
接收网络设备发送的所述第一UE的授权令牌。Receive an authorization token of the first UE sent by a network device.
可选的,在本公开的一个实施例之中,所述收发模块,还用于:Optionally, in an embodiment of the present disclosure, the transceiver module is further used to:
接收网络设备发送的经由第一密钥签名后的第一UE的授权令牌。An authorization token of the first UE signed by the first key and sent by the network device is received.
可选的,在本公开的一个实施例之中,所述发现请求消息中的第一UE的授权令牌为:经由第一密钥签名后的第一UE的授权令牌。Optionally, in an embodiment of the present disclosure, the authorization token of the first UE in the discovery request message is: the authorization token of the first UE signed by the first key.
可选的,在本公开的一个实施例之中,所述发现响应消息中的第二UE的授权令牌为:经由第一密钥签名后的第二UE的授权令牌;Optionally, in an embodiment of the present disclosure, the authorization token of the second UE in the discovery response message is: the authorization token of the second UE signed by the first key;
所述装置还用于:The device is also used for:
利用第二密钥对接收到的所述第二UE的授权令牌进行解码验证。The received authorization token of the second UE is decoded and verified using the second key.
可选的,在本公开的一个实施例之中,第一密钥为网络设备的私钥,第二密钥为网络设备的公钥;或者Optionally, in an embodiment of the present disclosure, the first key is a private key of the network device, and the second key is a public key of the network device; or
第一密钥和第二密钥均为UE和网络设备之间的共享密钥。The first key and the second key are both shared keys between the UE and the network device.
可选的,在本公开的一个实施例之中,所述装置还用于以下至少一种:Optionally, in an embodiment of the present disclosure, the device is further used for at least one of the following:
验证第二UE的授权令牌中的第二UE期望的对端UE的业务角色与所述第一UE被授权的业务角色是否一致;Verify whether the service role of the opposite UE expected by the second UE in the authorization token of the second UE is consistent with the service role authorized by the first UE;
验证第二UE的授权令牌中的第二UE期望的对端UE的ID与所述第一UE的ID是否一致;Verify whether the ID of the opposite UE expected by the second UE in the authorization token of the second UE is consistent with the ID of the first UE;
验证第二UE的授权令牌中的第二UE请求发现的服务与所述第二UE向第一UE需请求发现的服务是否一致;Verify whether the service requested to be discovered by the second UE in the authorization token of the second UE is consistent with the service that the second UE needs to request to discover from the first UE;
验证第二UE的授权令牌中的第二UE在请求发现的服务中被授权的业务角色与所述第二UE声明的业务角色是否一致;Verify whether the service role authorized by the second UE in the service requested for discovery in the authorization token of the second UE is consistent with the service role declared by the second UE;
验证是否符合所述第二UE的授权令牌中的请求发现的服务的允许执行条件;Verifying whether the execution permission condition of the service requested to be discovered in the authorization token of the second UE is met;
验证所述第二UE的授权令牌是否过期。Verify whether the authorization token of the second UE has expired.
图4b为本公开实施例所提供的一种通信装置的结构示意图,如图4b所示,装置可以包括:FIG4b is a schematic diagram of the structure of a communication device provided by an embodiment of the present disclosure. As shown in FIG4b , the device may include:
收发模块,用于接收第一UE发送的发现请求消息,所述发现请求消息包括所述第一UE的授权令牌;A transceiver module, configured to receive a discovery request message sent by a first UE, wherein the discovery request message includes an authorization token of the first UE;
所述收发模块,还用于当对所述第一UE的授权令牌验证通过后,向所述第一UE发送发现响应消息,所述发现响应消息包括所述第二UE的授权令牌。The transceiver module is further used to send a discovery response message to the first UE after the authorization token of the first UE is verified, and the discovery response message includes the authorization token of the second UE.
综上所述,在本公开实施例提供的通信装置之中,第二UE会接收第一UE发送的发现请求消息,该发现请求消息包括第一UE的授权令牌。之后,当对第一UE的授权令牌验证通过后,第二UE会向第一UE发送发现响应消息,该发现响应消息包括第二UE的授权令牌。由此可知,本公开中提供了一种基于授权令牌对UE的业务角色进行验证的具体方法,且提供了授权令牌所包括的具体信息以及基于授权令牌进行验证时的具体细节过程,则在UE之间进行发现过程时,两UE可以交互各自的授权令牌,并采用本公开的方法来基于UE的授权令牌对UE声明的业务角色进行验证,从而避免了UE间的相互欺骗,提升了服务执行的准确性,还提升了信息安全性。In summary, in the communication device provided in the embodiment of the present disclosure, the second UE will receive a discovery request message sent by the first UE, and the discovery request message includes the authorization token of the first UE. Afterwards, when the authorization token of the first UE is verified, the second UE will send a discovery response message to the first UE, and the discovery response message includes the authorization token of the second UE. It can be seen that the present disclosure provides a specific method for verifying the business role of the UE based on the authorization token, and provides the specific information included in the authorization token and the specific details of the verification based on the authorization token. When the discovery process is performed between UEs, the two UEs can exchange their respective authorization tokens, and use the method of the present disclosure to verify the business role declared by the UE based on the authorization token of the UE, thereby avoiding mutual deception between UEs, improving the accuracy of service execution, and improving information security.
可选的,在本公开的一个实施例之中,所述第二UE的授权令牌包括以下至少一种:Optionally, in an embodiment of the present disclosure, the authorization token of the second UE includes at least one of the following:
生成所述授权令牌的网络设备的ID;The ID of the network device that generated the authorization token;
所述第二UE的ID;an ID of the second UE;
对端UE的条件;The conditions of the peer UE;
所述第二UE所请求发现的服务;The service requested to be discovered by the second UE;
所述第二UE在请求发现的服务中被授权的业务角色;a service role authorized by the second UE in the service requested for discovery;
所述第二UE请求发现的服务的允许执行条件;A condition for allowing execution of the service requested to be discovered by the second UE;
所述授权令牌的有效期。The validity period of the authorization token.
可选的,在本公开的一个实施例之中,所述对端UE的条件包括:允许任一UE作为所述第二UE的对端UE,或者,所述对端UE的条件包括所述第二UE期望的对端UE的业务角色和/或ID。Optionally, in an embodiment of the present disclosure, the condition of the opposite UE includes: allowing any UE to serve as the opposite UE of the second UE, or, the condition of the opposite UE includes the service role and/or ID of the opposite UE expected by the second UE.
可选的,在本公开的一个实施例之中,所述装置还用于:Optionally, in one embodiment of the present disclosure, the device is further used for:
接收网络设备发送的所述第二UE的授权令牌。Receive an authorization token of the second UE sent by a network device.
可选的,在本公开的一个实施例之中,所述收发模块还用于:Optionally, in an embodiment of the present disclosure, the transceiver module is further used for:
接收网络设备发送的经由第一密钥签名后的第二UE的授权令牌。An authorization token of the second UE signed by the first key and sent by the network device is received.
可选的,在本公开的一个实施例之中,所述发现请求消息中的第一UE的授权令牌为:经由第一密钥签名后的第二UE的授权令牌;Optionally, in an embodiment of the present disclosure, the authorization token of the first UE in the discovery request message is: the authorization token of the second UE signed by the first key;
所述装置还用于:The device is also used for:
利用第二密钥对接收到的所述第一UE的授权令牌进行解码验证。The received authorization token of the first UE is decoded and verified using the second key.
可选的,在本公开的一个实施例之中,所述发现响应消息中的第二UE的授权令牌为:经由第一密钥签名后的第二UE的授权令牌。Optionally, in an embodiment of the present disclosure, the authorization token of the second UE in the discovery response message is: the authorization token of the second UE signed by the first key.
可选的,在本公开的一个实施例之中,第一密钥为网络设备的私钥,第二密钥为网络设备的公钥;或者,Optionally, in an embodiment of the present disclosure, the first key is a private key of the network device, and the second key is a public key of the network device; or,
第一密钥和第二密钥均为UE和网络设备之间的共享密钥。The first key and the second key are both shared keys between the UE and the network device.
可选的,在本公开的一个实施例之中,所述装置还用于以下至少一种:Optionally, in an embodiment of the present disclosure, the device is further used for at least one of the following:
验证第一UE的授权令牌中的第一UE期望的对端UE的业务角色与所述第二UE被授权的业务角色是否一致;Verify whether the service role of the opposite UE expected by the first UE in the authorization token of the first UE is consistent with the service role authorized by the second UE;
验证第一UE的授权令牌中的第一UE期望的对端UE的ID与所述第二UE的ID是否一致;Verify whether the ID of the opposite UE expected by the first UE in the authorization token of the first UE is consistent with the ID of the second UE;
验证第一UE的授权令牌中的第一UE请求发现的服务与所述第一UE向第二UE需请求发现的服务是否一致;Verify whether the service requested to be discovered by the first UE in the authorization token of the first UE is consistent with the service that the first UE needs to request to be discovered by the second UE;
验证第一UE的授权令牌中的第一UE在请求发现的服务中被授权的业务角色与所述第一UE声明的业务角色是否一致;Verify whether the service role authorized by the first UE in the service requested for discovery in the authorization token of the first UE is consistent with the service role declared by the first UE;
验证是否符合所述第一UE的授权令牌中的请求发现的服务的允许执行条件;Verifying whether the execution permission condition of the service requested to be discovered in the authorization token of the first UE is met;
验证所述第一UE的授权令牌是否过期。Verify whether the authorization token of the first UE has expired.
请参见图5,图5是本申请实施例提供的一种通信装置500的结构示意图。通信装置500可以是基站,也可以是终端设备,也可以是支持基站实现上述方法的芯片、芯片系统、或处理器等,还可以是支持终端设备实现上述方法的芯片、芯片系统、或处理器等。该装置可用于实现上述方法实施例中描述的方法,具体可以参见上述方法实施例中的说明。Please refer to Figure 5, which is a schematic diagram of the structure of a communication device 500 provided in an embodiment of the present application. The communication device 500 can be a base station, or a terminal device, or a chip, a chip system, or a processor that supports the base station to implement the above method, or a chip, a chip system, or a processor that supports the terminal device to implement the above method. The device can be used to implement the method described in the above method embodiment, and the details can be referred to the description in the above method embodiment.
通信装置500可以包括一个或多个处理器501。处理器501可以是通用处理器或者专用处理器等。例如可以是基带处理器或中央处理器。基带处理器可以用于对通信协议以及通信数据进行处理,中央处理器可以用于对通信装置(如,基站、基带芯片,终端设备、终端设备芯片,DU或CU等)进行控制,执行计算机程序,处理计算机程序的数据。The communication device 500 may include one or more processors 501. The processor 501 may be a general-purpose processor or a dedicated processor, etc. For example, it may be a baseband processor or a central processing unit. The baseband processor may be used to process the communication protocol and communication data, and the central processing unit may be used to control the communication device (such as a base station, a baseband chip, a terminal device, a terminal device chip, a DU or a CU, etc.), execute a computer program, and process the data of the computer program.
可选的,通信装置500中还可以包括一个或多个存储器502,其上可以存有计算机程序504,处理器501执行所述计算机程序504,以使得通信装置500执行上述方法实施例中描述的方法。可选的,所述存储器502中还可以存储有数据。通信装置500和存储器502可以单独设置,也可以集成在一起。Optionally, the communication device 500 may further include one or more memories 502, on which a computer program 504 may be stored, and the processor 501 executes the computer program 504 so that the communication device 500 performs the method described in the above method embodiment. Optionally, data may also be stored in the memory 502. The communication device 500 and the memory 502 may be provided separately or integrated together.
可选的,通信装置500还可以包括收发器505、天线506。收发器505可以称为收发单元、收发机、或收发电路等,用于实现收发功能。收发器505可以包括接收器和发送器,接收器可以称为接收机或接收电路等,用于实现接收功能;发送器可以称为发送机或发送电路等,用于实现发送功能。Optionally, the communication device 500 may further include a transceiver 505 and an antenna 506. The transceiver 505 may be referred to as a transceiver unit, a transceiver, or a transceiver circuit, etc., for implementing a transceiver function. The transceiver 505 may include a receiver and a transmitter, the receiver may be referred to as a receiver or a receiving circuit, etc., for implementing a receiving function; the transmitter may be referred to as a transmitter or a transmitting circuit, etc., for implementing a transmitting function.
可选的,通信装置500中还可以包括一个或多个接口电路507。接口电路507用于接收代码指令并传输至处理器501。处理器501运行所述代码指令以使通信装置500执行上述方法实施例中描述的方法。Optionally, the communication device 500 may further include one or more interface circuits 507. The interface circuit 507 is used to receive code instructions and transmit them to the processor 501. The processor 501 runs the code instructions to enable the communication device 500 to perform the method described in the above method embodiment.
在一种实现方式中,处理器501中可以包括用于实现接收和发送功能的收发器。例如该收发器可以是收发电路,或者是接口,或者是接口电路。用于实现接收和发送功能的收发电路、接口或接口电路可以是分开的,也可以集成在一起。上述收发电路、接口或接口电路可以用于代码/数据的读写,或者,上述收发电路、接口或接口电路可以用于信号的传输或传递。In one implementation, the processor 501 may include a transceiver for implementing the receiving and sending functions. For example, the transceiver may be a transceiver circuit, an interface, or an interface circuit. The transceiver circuit, interface, or interface circuit for implementing the receiving and sending functions may be separate or integrated. The above-mentioned transceiver circuit, interface, or interface circuit may be used for reading and writing code/data, or the above-mentioned transceiver circuit, interface, or interface circuit may be used for transmitting or delivering signals.
在一种实现方式中,处理器501可以存有计算机程序503,计算机程序503在处理器501上运行,可使得通信装置500执行上述方法实施例中描述的方法。计算机程序503可能固化在处理器501中,该种情况下,处理器501可能由硬件实现。In one implementation, the processor 501 may store a computer program 503, which runs on the processor 501 and enables the communication device 500 to perform the method described in the above method embodiment. The computer program 503 may be fixed in the processor 501, in which case the processor 501 may be implemented by hardware.
在一种实现方式中,通信装置500可以包括电路,所述电路可以实现前述方法实施例中发送或接收或者通信的功能。本申请中描述的处理器和收发器可实现在集成电路(integrated circuit,IC)、模拟IC、射频集成电路RFIC、混合信号IC、专用集成电路(application specific integrated circuit,ASIC)、印刷电路板(printed circuit board,PCB)、电子设备等上。该处理器和收发器也可以用各种IC工艺技术来制造,例如互补金属氧化物半导体(complementary metal oxide semiconductor,CMOS)、N型金属氧化物半导体(nMetal-oxide-semiconductor,NMOS)、P型金属氧化物半导体(positive channel metal oxide semiconductor,PMOS)、双极结型晶体管(bipolar junction transistor,BJT)、双极CMOS(BiCMOS)、硅锗(SiGe)、砷化镓(GaAs)等。In one implementation, the communication device 500 may include a circuit that can implement the functions of sending or receiving or communicating in the aforementioned method embodiments. The processor and transceiver described in the present application can be implemented in an integrated circuit (IC), an analog IC, a radio frequency integrated circuit RFIC, a mixed signal IC, an application specific integrated circuit (ASIC), a printed circuit board (PCB), an electronic device, etc. The processor and transceiver can also be manufactured using various IC process technologies, such as complementary metal oxide semiconductor (CMOS), N-type metal oxide semiconductor (NMOS), P-type metal oxide semiconductor (positive channel metal oxide semiconductor, PMOS), bipolar junction transistor (BJT), bipolar CMOS (BiCMOS), silicon germanium (SiGe), gallium arsenide (GaAs), etc.
以上实施例描述中的通信装置可以是基站或者终端设备,但本申请中描述的通信装置的范围并不限于此,而且通信装置的结构可以不受图5的限制。通信装置可以是独立的设备或者可以是较大设备的一部分。例如所述通信装置可以是:The communication device described in the above embodiments may be a base station or a terminal device, but the scope of the communication device described in the present application is not limited thereto, and the structure of the communication device may not be limited by FIG. 5. The communication device may be an independent device or may be part of a larger device. For example, the communication device may be:
(1)独立的集成电路IC,或芯片,或,芯片系统或子系统;(1) Independent integrated circuit IC, or chip, or chip system or subsystem;
(2)具有一个或多个IC的集合,可选的,该IC集合也可以包括用于存储数据,计算机程序的存储部件;(2) having a set of one or more ICs, and optionally, the IC set may also include a storage component for storing data and computer programs;
(3)ASIC,例如调制解调器(Modem);(3) ASIC, such as modem;
(4)可嵌入在其他设备内的模块;(4) Modules that can be embedded in other devices;
(5)接收机、终端设备、智能终端设备、蜂窝电话、无线设备、手持机、移动单元、车载设备、基站、云设备、人工智能设备等等;(5) Receivers, terminal devices, intelligent terminal devices, cellular phones, wireless devices, handheld devices, mobile units, vehicle-mounted devices, base stations, cloud devices, artificial intelligence devices, etc.;
(6)其他等等。(6)Others
对于通信装置可以是芯片或芯片系统的情况,可参见图6所示的芯片的结构示意图。图6所示的芯 片包括处理器601和接口602。其中,处理器601的数量可以是一个或多个,接口602的数量可以是多个。In the case where the communication device can be a chip or a chip system, reference can be made to the schematic diagram of the chip structure shown in Figure 6. The chip shown in Figure 6 includes a processor 601 and an interface 602. The number of the processor 601 can be one or more, and the number of the interface 602 can be multiple.
可选的,芯片还包括存储器603,存储器603用于存储必要的计算机程序和数据。Optionally, the chip further includes a memory 603, and the memory 603 is used to store necessary computer programs and data.
本领域技术人员还可以了解到本申请实施例列出的各种说明性逻辑块(illustrative logical block)和步骤(step)可以通过电子硬件、电脑软件,或两者的结合进行实现。这样的功能是通过硬件还是软件来实现取决于特定的应用和整个系统的设计要求。本领域技术人员可以对于每种特定的应用,可以使用各种方法实现所述的功能,但这种实现不应被理解为超出本申请实施例保护的范围。Those skilled in the art may also understand that the various illustrative logical blocks and steps listed in the embodiments of the present application may be implemented by electronic hardware, computer software, or a combination of the two. Whether such functions are implemented by hardware or software depends on the specific application and the design requirements of the entire system. Those skilled in the art may use various methods to implement the described functions for each specific application, but such implementation should not be understood as exceeding the scope of protection of the embodiments of the present application.
本申请还提供一种可读存储介质,其上存储有指令,该指令被计算机执行时实现上述任一方法实施例的功能。The present application also provides a readable storage medium having instructions stored thereon, which implement the functions of any of the above method embodiments when executed by a computer.
本申请还提供一种计算机程序产品,该计算机程序产品被计算机执行时实现上述任一方法实施例的功能。The present application also provides a computer program product, which implements the functions of any of the above method embodiments when executed by a computer.
在上述实施例中,可以全部或部分地通过软件、硬件、固件或者其任意组合来实现。当使用软件实现时,可以全部或部分地以计算机程序产品的形式实现。所述计算机程序产品包括一个或多个计算机程序。在计算机上加载和执行所述计算机程序时,全部或部分地产生按照本申请实施例所述的流程或功能。所述计算机可以是通用计算机、专用计算机、计算机网络、或者其他可编程装置。所述计算机程序可以存储在计算机可读存储介质中,或者从一个计算机可读存储介质向另一个计算机可读存储介质传输,例如,所述计算机程序可以从一个网站站点、计算机、服务器或数据中心通过有线(例如同轴电缆、光纤、数字用户线(digital subscriber line,DSL))或无线(例如红外、无线、微波等)方式向另一个网站站点、计算机、服务器或数据中心进行传输。所述计算机可读存储介质可以是计算机能够存取的任何可用介质或者是包含一个或多个可用介质集成的服务器、数据中心等数据存储设备。所述可用介质可以是磁性介质(例如,软盘、硬盘、磁带)、光介质(例如,高密度数字视频光盘(digital video disc,DVD))、或者半导体介质(例如,固态硬盘(solid state disk,SSD))等。In the above embodiments, it can be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented by software, it can be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer programs. When the computer program is loaded and executed on a computer, the process or function described in the embodiment of the present application is generated in whole or in part. The computer can be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device. The computer program can be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another computer-readable storage medium. For example, the computer program can be transmitted from a website site, computer, server or data center by wired (e.g., coaxial cable, optical fiber, digital subscriber line (digital subscriber line, DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) mode to another website site, computer, server or data center. The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device such as a server or data center that includes one or more available media integrated. The available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a high-density digital video disc (DVD)), or a semiconductor medium (e.g., a solid state disk (SSD)), etc.
本领域普通技术人员可以理解:本申请中涉及的第一、第二等各种数字编号仅为描述方便进行的区分,并不用来限制本申请实施例的范围,也表示先后顺序。A person skilled in the art may understand that the various numerical numbers such as first and second involved in the present application are only used for the convenience of description and are not used to limit the scope of the embodiments of the present application, but also indicate the order of precedence.
本申请中的至少一个还可以描述为一个或多个,多个可以是两个、三个、四个或者更多个,本申请不做限制。在本申请实施例中,对于一种技术特征,通过“第一”、“第二”、“第三”、“A”、“B”、“C”和“D”等区分该种技术特征中的技术特征,该“第一”、“第二”、“第三”、“A”、“B”、“C”和“D”描述的技术特征间无先后顺序或者大小顺序。At least one in the present application can also be described as one or more, and a plurality can be two, three, four or more, which is not limited in the present application. In the embodiments of the present application, for a technical feature, the technical features in the technical feature are distinguished by "first", "second", "third", "A", "B", "C" and "D", etc., and there is no order of precedence or size between the technical features described by the "first", "second", "third", "A", "B", "C" and "D".
本申请中各表所示的对应关系可以被配置,也可以是预定义的。各表中的信息的取值仅仅是举例,可以配置为其他值,本申请并不限定。在配置信息与各参数的对应关系时,并不一定要求必须配置各表中示意出的所有对应关系。例如,本申请中的表格中,某些行示出的对应关系也可以不配置。又例如,可以基于上述表格做适当的变形调整,例如,拆分,合并等等。上述各表中标题示出参数的名称也可以采用通信装置可理解的其他名称,其参数的取值或表示方式也可以通信装置可理解的其他取值或表示方式。上述各表在实现时,也可以采用其他的数据结构,例如可以采用数组、队列、容器、栈、线性表、指针、链表、树、图、结构体、类、堆、散列表或哈希表等。The corresponding relationships shown in each table in the present application can be configured or predefined. The values of the information in each table are only examples and can be configured as other values, which are not limited by the present application. When configuring the corresponding relationship between the information and each parameter, it is not necessarily required to configure all the corresponding relationships illustrated in each table. For example, in the table in the present application, the corresponding relationships shown in some rows may not be configured. For another example, appropriate deformation adjustments can be made based on the above table, such as splitting, merging, etc. The names of the parameters shown in the titles in the above tables can also use other names that can be understood by the communication device, and the values or representations of the parameters can also be other values or representations that can be understood by the communication device. When implementing the above tables, other data structures can also be used, such as arrays, queues, containers, stacks, linear lists, pointers, linked lists, trees, graphs, structures, classes, heaps, hash tables or hash tables.
本申请中的预定义可以理解为定义、预先定义、存储、预存储、预协商、预配置、固化、或预烧制。The predefined in the present application may be understood as defined, predefined, stored, pre-stored, pre-negotiated, pre-configured, solidified, or pre-burned.
本领域普通技术人员可以意识到,结合本文中所公开的实施例描述的各示例的单元及算法步骤,能够以电子硬件、或者计算机软件和电子硬件的结合来实现。这些功能究竟以硬件还是软件方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本申请的范围。Those of ordinary skill in the art will appreciate that the units and algorithm steps of each example described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. Professional and technical personnel can use different methods to implement the described functions for each specific application, but such implementation should not be considered to be beyond the scope of this application.
所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,上述描述的系统、装置和单元的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。Those skilled in the art can clearly understand that, for the convenience and brevity of description, the specific working processes of the systems, devices and units described above can refer to the corresponding processes in the aforementioned method embodiments and will not be repeated here.
以上所述,仅为本申请的具体实施方式,但本申请的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本申请揭露的技术范围内,可轻易想到变化或替换,都应涵盖在本申请的保护范围之内。因此,本申请的保护范围应以所述权利要求的保护范围为准。The above is only a specific implementation of the present application, but the protection scope of the present application is not limited thereto. Any person skilled in the art who is familiar with the present technical field can easily think of changes or substitutions within the technical scope disclosed in the present application, which should be included in the protection scope of the present application. Therefore, the protection scope of the present application should be based on the protection scope of the claims.

Claims (24)

  1. 一种设备业务角色的验证方法,其特征在于,被第一用户设备UE执行,所述方法包括:A method for verifying a device service role, characterized in that it is executed by a first user equipment UE, and the method comprises:
    发送发现请求消息;Send a discovery request message;
    接收第二UE发送的发现响应消息,所述发现响应消息包括第二UE的授权令牌;receiving a discovery response message sent by the second UE, wherein the discovery response message includes an authorization token of the second UE;
    当对所述第二UE的授权令牌验证通过后,与所述第二UE建立连接。After the authorization token of the second UE is verified, a connection is established with the second UE.
  2. 如权利要求1所述的方法,其特征在于,所述发现请求消息包括第一UE的授权令牌,所述第一UE的授权令牌用于:第二UE基于所述第一UE的授权令牌对所述第一UE的业务角色进行验证。The method as claimed in claim 1 is characterized in that the discovery request message includes an authorization token of the first UE, and the authorization token of the first UE is used for: the second UE to verify the service role of the first UE based on the authorization token of the first UE.
  3. 如权利要求1或2所述的方法,其特征在于,所述第一UE的授权令牌包括以下至少一种:The method according to claim 1 or 2, characterized in that the authorization token of the first UE includes at least one of the following:
    生成所述授权令牌的网络设备的标识ID;The identification ID of the network device that generates the authorization token;
    所述第一UE的ID;an ID of the first UE;
    对端UE的条件;The conditions of the peer UE;
    所述第一UE所请求发现的服务;The service requested to be discovered by the first UE;
    所述第一UE在请求发现的服务中被授权的业务角色;A service role authorized by the first UE in the service requested for discovery;
    所述第一UE请求发现的服务的允许执行条件;A condition for allowing execution of the service requested to be discovered by the first UE;
    所述授权令牌的有效期。The validity period of the authorization token.
  4. 如权利要求3所述的方法,其特征在于,所述对端UE的条件包括:允许任一UE作为所述第一UE的对端UE,或者,所述对端UE的条件包括所述第一UE期望的对端UE的业务角色和/或ID。The method as claimed in claim 3 is characterized in that the condition of the opposite UE includes: allowing any UE to be the opposite UE of the first UE, or the condition of the opposite UE includes the service role and/or ID of the opposite UE expected by the first UE.
  5. 如权利要求1所述的方法,其特征在于,所述方法还包括:The method according to claim 1, characterized in that the method further comprises:
    接收网络设备发送的所述第一UE的授权令牌。Receive an authorization token of the first UE sent by a network device.
  6. 如权利要求5所述的方法,其特征在于,所述接收网络设备发送的所述第一UE的授权令牌,包括:The method according to claim 5, wherein the receiving the authorization token of the first UE sent by the network device comprises:
    接收网络设备发送的经由第一密钥签名后的第一UE的授权令牌。An authorization token of the first UE signed by the first key and sent by the network device is received.
  7. 如权利要求2所述的方法,其特征在于,所述发现请求消息中的第一UE的授权令牌为:经由第一密钥签名后的第一UE的授权令牌。The method as claimed in claim 2 is characterized in that the authorization token of the first UE in the discovery request message is: the authorization token of the first UE signed by the first key.
  8. 如权利要求1所述的方法,其特征在于,所述发现响应消息中的第二UE的授权令牌为:经由第一密钥签名后的第二UE的授权令牌;The method according to claim 1, characterized in that the authorization token of the second UE in the discovery response message is: the authorization token of the second UE signed by the first key;
    所述方法还包括:The method further comprises:
    利用第二密钥对接收到的所述第二UE的授权令牌进行解码验证。The received authorization token of the second UE is decoded and verified using the second key.
  9. 如权利要求6或7或8所述的方法,其特征在于,第一密钥为网络设备的私钥,第二密钥为网络设备的公钥;或者The method according to claim 6, 7 or 8, characterized in that the first key is a private key of the network device, and the second key is a public key of the network device; or
    第一密钥和第二密钥均为UE和网络设备之间的共享密钥。The first key and the second key are both shared keys between the UE and the network device.
  10. 如权利要求1或2所述的方法,其特征在于,所述当对所述第二UE的授权令牌验证,包括以下至少一种:The method according to claim 1 or 2, characterized in that the verification of the authorization token of the second UE includes at least one of the following:
    验证第二UE的授权令牌中的第二UE期望的对端UE的业务角色与所述第一UE被授权的业务角色是否一致;Verify whether the service role of the opposite UE expected by the second UE in the authorization token of the second UE is consistent with the service role authorized by the first UE;
    验证第二UE的授权令牌中的第二UE期望的对端UE的ID与所述第一UE的ID是否一致;Verify whether the ID of the opposite UE expected by the second UE in the authorization token of the second UE is consistent with the ID of the first UE;
    验证第二UE的授权令牌中的第二UE请求发现的服务与所述第二UE向第一UE需请求发现的服务是否一致;Verify whether the service requested to be discovered by the second UE in the authorization token of the second UE is consistent with the service that the second UE needs to request to discover from the first UE;
    验证第二UE的授权令牌中的第二UE在请求发现的服务中被授权的业务角色与所述第二UE声明的业务角色是否一致;Verify whether the service role authorized by the second UE in the service requested for discovery in the authorization token of the second UE is consistent with the service role declared by the second UE;
    验证是否符合所述第二UE的授权令牌中的请求发现的服务的允许执行条件;Verifying whether the execution permission condition of the service requested to be discovered in the authorization token of the second UE is met;
    验证所述第二UE的授权令牌是否过期。Verify whether the authorization token of the second UE has expired.
  11. 一种设备业务角色的验证方法,其特征在于,被第二UE执行,所述方法包括:A method for verifying a device service role, characterized in that it is executed by a second UE, and the method comprises:
    接收第一UE发送的发现请求消息,所述发现请求消息包括所述第一UE的授权令牌;Receiving a discovery request message sent by a first UE, where the discovery request message includes an authorization token of the first UE;
    当对所述第一UE的授权令牌验证通过后,向所述第一UE发送发现响应消息,所述发现响应消息 包括所述第二UE的授权令牌。When the authorization token of the first UE is verified, a discovery response message is sent to the first UE, and the discovery response message includes the authorization token of the second UE.
  12. 如权利要求11所述的方法,其特征在于,所述第二UE的授权令牌包括以下至少一种:The method according to claim 11, wherein the authorization token of the second UE includes at least one of the following:
    生成所述授权令牌的网络设备的ID;The ID of the network device that generated the authorization token;
    所述第二UE的ID;an ID of the second UE;
    对端UE的条件;The conditions of the peer UE;
    所述第二UE所请求发现的服务;The service requested to be discovered by the second UE;
    所述第二UE在请求发现的服务中被授权的业务角色;A service role authorized by the second UE in the service requested for discovery;
    所述第二UE请求发现的服务的允许执行条件;A condition for allowing execution of the service requested to be discovered by the second UE;
    所述授权令牌的有效期。The validity period of the authorization token.
  13. 如权利要求12所述的方法,其特征在于,所述对端UE的条件包括:允许任一UE作为所述第二UE的对端UE,或者,所述对端UE的条件包括所述第二UE期望的对端UE的业务角色和/或ID。The method as claimed in claim 12 is characterized in that the condition of the opposite UE includes: allowing any UE to be the opposite UE of the second UE, or the condition of the opposite UE includes the service role and/or ID of the opposite UE expected by the second UE.
  14. 如权利要求11所述的方法,其特征在于,所述方法还包括:The method according to claim 11, characterized in that the method further comprises:
    接收网络设备发送的所述第二UE的授权令牌。Receive an authorization token of the second UE sent by a network device.
  15. 如权利要求14所述的方法,其特征在于,所述接收网络设备发送的所述第二UE的授权令牌,包括:The method according to claim 14, wherein the receiving the authorization token of the second UE sent by the network device comprises:
    接收网络设备发送的经由第一密钥签名后的第二UE的授权令牌。An authorization token of the second UE signed by the first key and sent by the network device is received.
  16. 如权利要求11所述的方法,其特征在于,所述发现请求消息中的第一UE的授权令牌为:经由第一密钥签名后的第二UE的授权令牌;The method according to claim 11, characterized in that the authorization token of the first UE in the discovery request message is: the authorization token of the second UE signed by the first key;
    所述方法还包括:The method further comprises:
    利用第二密钥对接收到的所述第一UE的授权令牌进行解码验证。The received authorization token of the first UE is decoded and verified using the second key.
  17. 如权利要求11所述的方法,其特征在于,所述发现响应消息中的第二UE的授权令牌为:经由第一密钥签名后的第二UE的授权令牌。The method as claimed in claim 11 is characterized in that the authorization token of the second UE in the discovery response message is: the authorization token of the second UE signed by the first key.
  18. 如权利要求15或16或17所述的方法,其特征在于,第一密钥为网络设备的私钥,第二密钥为网络设备的公钥;或者,The method according to claim 15, 16 or 17, wherein the first key is a private key of the network device and the second key is a public key of the network device; or
    第一密钥和第二密钥均为UE和网络设备之间的共享密钥。The first key and the second key are both shared keys between the UE and the network device.
  19. 如权利要求11所述的方法,其特征在于,所述对所述第一UE的授权令牌验证,包括以下至少一种:The method according to claim 11, wherein the verification of the authorization token of the first UE comprises at least one of the following:
    验证第一UE的授权令牌中的第一UE期望的对端UE的业务角色与所述第二UE被授权的业务角色是否一致;Verify whether the service role of the opposite UE expected by the first UE in the authorization token of the first UE is consistent with the service role authorized by the second UE;
    验证第一UE的授权令牌中的第一UE期望的对端UE的ID与所述第二UE的ID是否一致;Verify whether the ID of the opposite UE expected by the first UE in the authorization token of the first UE is consistent with the ID of the second UE;
    验证第一UE的授权令牌中的第一UE请求发现的服务与所述第一UE向第二UE需请求发现的服务是否一致;Verify whether the service requested to be discovered by the first UE in the authorization token of the first UE is consistent with the service that the first UE needs to request to be discovered by the second UE;
    验证第一UE的授权令牌中的第一UE在请求发现的服务中被授权的业务角色与所述第一UE声明的业务角色是否一致;Verify whether the service role authorized by the first UE in the service requested for discovery in the authorization token of the first UE is consistent with the service role declared by the first UE;
    验证是否符合所述第一UE的授权令牌中的请求发现的服务的允许执行条件;Verifying whether the execution permission condition of the service requested to be discovered in the authorization token of the first UE is met;
    验证所述第一UE的授权令牌是否过期。Verify whether the authorization token of the first UE has expired.
  20. 一种通信装置,包括:A communication device, comprising:
    收发模块,用于发送发现请求消息;A transceiver module, used for sending a discovery request message;
    所述收发模块,还用于接收第二UE发送的发现响应消息,所述发现响应消息包括第二UE的授权令牌;The transceiver module is further configured to receive a discovery response message sent by the second UE, wherein the discovery response message includes an authorization token of the second UE;
    处理模块,还用于当对所述第二UE的授权令牌验证通过后,与所述第二UE建立连接。The processing module is also used to establish a connection with the second UE after the authorization token of the second UE is verified.
  21. 一种通信装置,包括:A communication device, comprising:
    收发模块,用于接收第一UE发送的发现请求消息,所述发现请求消息包括所述第一UE的授权令牌;A transceiver module, configured to receive a discovery request message sent by a first UE, wherein the discovery request message includes an authorization token of the first UE;
    所述收发模块,还用于当对所述第一UE的授权令牌验证通过后,向所述第一UE发送发现响应消 息,所述发现响应消息包括所述第二UE的授权令牌。The transceiver module is also used to send a discovery response message to the first UE after the authorization token of the first UE is verified, and the discovery response message includes the authorization token of the second UE.
  22. 一种通信装置,其特征在于,所述装置包括处理器和存储器,其中,所述存储器中存储有计算机程序,所述处理器执行所述存储器中存储的计算机程序,以使所述装置执行如权利要求1至10中任一项所述的方法,或所述处理器执行所述存储器中存储的计算机程序,以使所述装置执行如权利要求11至19中任一项所述的方法。A communication device, characterized in that the device comprises a processor and a memory, wherein a computer program is stored in the memory, and the processor executes the computer program stored in the memory so that the device performs the method as described in any one of claims 1 to 10, or the processor executes the computer program stored in the memory so that the device performs the method as described in any one of claims 11 to 19.
  23. 一种通信装置,其特征在于,包括:处理器和接口电路,其中A communication device, comprising: a processor and an interface circuit, wherein
    所述接口电路,用于接收代码指令并传输至所述处理器;The interface circuit is used to receive code instructions and transmit them to the processor;
    所述处理器,用于运行所述代码指令以执行如权利要求1至10中任一项所述的方法,或运行所述代码指令以执行如权利要求11至19中任一项所述的方法。The processor is configured to execute the code instructions to perform the method according to any one of claims 1 to 10, or execute the code instructions to perform the method according to any one of claims 11 to 19.
  24. 一种计算机可读存储介质,用于存储有指令,当所述指令被执行时,使如权利要求1至10中任一项所述的方法被实现,或当所述指令被执行时,使如权利要求11至19中任一项所述的方法被实现。A computer-readable storage medium for storing instructions, which, when executed, enables the method according to any one of claims 1 to 10 to be implemented, or, when executed, enables the method according to any one of claims 11 to 19 to be implemented.
PCT/CN2022/125974 2022-10-18 2022-10-18 Device service role verification method and apparatus and device, and storage medium WO2024082143A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2022/125974 WO2024082143A1 (en) 2022-10-18 2022-10-18 Device service role verification method and apparatus and device, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2022/125974 WO2024082143A1 (en) 2022-10-18 2022-10-18 Device service role verification method and apparatus and device, and storage medium

Publications (1)

Publication Number Publication Date
WO2024082143A1 true WO2024082143A1 (en) 2024-04-25

Family

ID=90736634

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/125974 WO2024082143A1 (en) 2022-10-18 2022-10-18 Device service role verification method and apparatus and device, and storage medium

Country Status (1)

Country Link
WO (1) WO2024082143A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101442411A (en) * 2008-12-23 2009-05-27 中国科学院计算技术研究所 Identification authentication method between peer-to-peer user nodes in P2P network
CN106464690A (en) * 2015-08-24 2017-02-22 华为技术有限公司 Security authentication method, configuration method and related device
US10666657B1 (en) * 2016-12-07 2020-05-26 Amazon Technologies, Inc. Token-based access control and grouping
CN112187724A (en) * 2020-09-03 2021-01-05 北京金山云网络技术有限公司 Access control method, device, gateway, client and security token service

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101442411A (en) * 2008-12-23 2009-05-27 中国科学院计算技术研究所 Identification authentication method between peer-to-peer user nodes in P2P network
CN106464690A (en) * 2015-08-24 2017-02-22 华为技术有限公司 Security authentication method, configuration method and related device
US10666657B1 (en) * 2016-12-07 2020-05-26 Amazon Technologies, Inc. Token-based access control and grouping
CN112187724A (en) * 2020-09-03 2021-01-05 北京金山云网络技术有限公司 Access control method, device, gateway, client and security token service

Similar Documents

Publication Publication Date Title
WO2023130322A1 (en) Method for determining shared channel occupancy time and apparatuses therefor
WO2024077455A1 (en) Access method for non-terrestrial network, and apparatus
WO2024092523A1 (en) Method for transmitting sidelink positioning message, method for receiving sidelink positioning message, and apparatus
WO2024026890A1 (en) Positioning method, and apparatus, device and storage medium
WO2024082143A1 (en) Device service role verification method and apparatus and device, and storage medium
WO2022033390A1 (en) Position acquisition method and apparatus thereof
WO2024065336A1 (en) Sidelink positioning method and apparatus
WO2024065335A1 (en) Sidelink positioning method and apparatus
WO2024065334A1 (en) Method, apparatus and device for generating authorization token of user equipment (ue), and storage medium
WO2024065339A1 (en) Network satellite coverage data authorization method, device, and storage medium
WO2023245520A1 (en) Direct communication method and apparatus in localization service
WO2024138581A1 (en) Authorization method and apparatus for network slices, devices, and storage medium
WO2024065140A1 (en) Role authorization method/apparatus/device for user equipment (ue), and storage medium
WO2024065564A1 (en) Api invoking method, apparatus, device, and storage medium
WO2024065706A1 (en) Connection construction method and apparatus
WO2024092827A1 (en) Ranging method and apparatus
WO2024065121A1 (en) Multi-path transmission methods/apparatus/device, and storage medium
WO2024065131A1 (en) Multipath transmission method, apparatus, and device, and storage medium
WO2024065469A1 (en) Direct-link establishment method, device and storage medium
WO2024098219A1 (en) Key distribution methods, and apparatuses, device, and storage medium
WO2024092826A1 (en) Identity verification method and apparatus
WO2024145902A1 (en) Key obtaining method and apparatus, device, and chip system
WO2023115487A1 (en) Method for creating artificial intelligence session, and apparatus therefor
WO2023087191A1 (en) Radio resource control (rrc) reject message transmitting method and apparatus
WO2024145949A1 (en) Personal internet of things network (pin) management methods/apparatus/device and storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22962335

Country of ref document: EP

Kind code of ref document: A1