CN113825134A - Network service authorization method, device and equipment - Google Patents


Info

Publication number: CN113825134A
Authority: CN (China)
Prior art keywords: key, service authorization, nrf, message, service
Legal status: Withdrawn
Application number: CN202111155028.9A
Other languages: Chinese (zh)
Inventor: 彭艺
Current Assignee: New H3C Technologies Co Ltd
Original Assignee: New H3C Technologies Co Ltd
Application filed by New H3C Technologies Co Ltd
Priority to CN202111155028.9A
Publication of CN113825134A
Priority to PCT/CN2022/119877 (published as WO2023051316A1)
Legal status: Withdrawn (current)

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/047 Key management, e.g. using generic bootstrapping architecture [GBA] without using a trusted network node as an anchor
    • H04W12/0471 Key exchange
    • H04W12/041 Key generation or derivation
    • H04W12/06 Authentication
    • H04W12/08 Access security
    • H04W12/10 Integrity


Abstract

The embodiments of this application disclose a network service authorization method, apparatus and device. The network storage function network element (NRF) and the network function unit (NF) exchange key material that each generates with the same key exchange algorithm, one supported by the NF, and each derives the same service authorization key from the peer's public key carried in the received key material and its own private key. Because the service authorization key is generated locally in the NRF and in the NF and is never sent over the network, the process of sharing it between the NRF and the NF is secure.

Description

Network service authorization method, device and equipment
Technical Field
The present application relates to the field of communications, and in particular, to a method, an apparatus, and a device for authorizing a network service.
Background
In a 5G network, control plane network elements communicate with each other by invoking one another's service interfaces. The NF (Network Function, network function unit, or simply network element) that provides a service is called the service producer, and the network element that uses the service is called the service consumer.
To protect the service interfaces through which a service producer provides services, the 5G standard requires that, before a service consumer accesses a service interface of a service producer, the service consumer first obtains authorization information from the NRF (network storage function network element) in the network; the service consumer then requests services from the service producer using that authorization information, which secures the invocation of the service interface. However, in this method the service authorization key used to generate the authorization information must be pre-shared between the NRF and the service producer, and the standard does not specify how the service authorization key corresponding to a service producer is securely shared between the NRF and that service producer.
Disclosure of Invention
The application discloses a network service authorization method, apparatus and device so that a service authorization key can be securely shared between an NRF and an NF acting as a service producer.
According to a first aspect of embodiments of the present application, a network service authorization method is provided, where the method is applied to a network storage function network element NRF, and the method includes:
when it is detected that a network function unit NF needs a service authorization key, generating first key material according to an obtained key exchange algorithm supported by the NF, and sending the NF a first message carrying the public key of the NRF from the first key material; wherein the first key material comprises at least a public key of the NRF and a private key of the NRF;
receiving a second message sent by the NF in response to the first message, wherein the second message carries at least a public key of the NF generated by the NF according to the key exchange algorithm;
determining a service authorization key corresponding to the NF according to the key exchange algorithm, the public key of the NF and the private key of the NRF, wherein the service authorization key is the same as a service authorization key calculated by the NF based on the key exchange algorithm, the public key of the NRF and the private key of the NF; the service authorization key is used to instruct the NF to provide network services for authorized service consumers.
According to a second aspect of the embodiments of the present application, there is provided a network service authorization method, which is applied to a network function unit NF, and includes:
receiving a first message sent by a network storage function network element NRF in response to the NF's need for a service authorization key, wherein the first message carries at least a public key of the NRF generated by the NRF according to an obtained key exchange algorithm supported by the NF;
generating second key material according to the key exchange algorithm, and sending the NRF a second message carrying the public key of the NF from the second key material; wherein the second key material comprises at least a public key of the NF and a private key of the NF;
determining a service authorization key corresponding to the NF according to the key exchange algorithm, the public key of the NRF and the private key of the NF, wherein the service authorization key is the same as a service authorization key calculated by the NRF based on the key exchange algorithm, the public key of the NF and the private key of the NRF; the service authorization key is used to instruct the NF to provide network services for authorized service consumers.
According to a third aspect of the embodiments of the present application, there is provided a network service authorization apparatus, where the apparatus is applied to a network storage function network element NRF, and the apparatus includes:
a first message sending unit, configured to, when it is detected that a network function unit NF needs a service authorization key, generate first key material according to an obtained key exchange algorithm supported by the NF, and send the NF a first message carrying the public key of the NRF from the first key material; wherein the first key material comprises at least a public key of the NRF and a private key of the NRF;
a second message receiving unit, configured to receive a second message sent by the NF in response to the first message, where the second message carries at least a public key of the NF generated by the NF according to the key exchange algorithm;
a service authorization key generation unit, configured to determine, according to the key exchange algorithm, the public key of the NF, and the private key of the NRF, a service authorization key corresponding to the NF, where the service authorization key is the same as a service authorization key calculated by the NF based on the key exchange algorithm, the public key of the NRF, and the private key of the NF; the service authorization key is used to instruct the NF to provide network services for authorized service consumers.
According to a fourth aspect of the embodiments of the present application, there is provided a network service authorization apparatus, where the apparatus is applied to a network function unit NF, and the apparatus includes:
a first message receiving unit, configured to receive a first message sent by a network storage function network element NRF in response to the NF's need for a service authorization key, where the first message carries at least a public key of the NRF generated by the NRF according to an obtained key exchange algorithm supported by the NF;
a second message sending unit, configured to generate second key material according to the key exchange algorithm and send the NRF a second message carrying the public key of the NF from the second key material; wherein the second key material comprises at least a public key of the NF and a private key of the NF;
a service authorization key generation unit, configured to determine, according to the key exchange algorithm, the public key of the NRF, and the private key of the NF, a service authorization key corresponding to the NF, where the service authorization key is the same as a service authorization key calculated by the NRF based on the key exchange algorithm, the public key of the NF, and the private key of the NRF; the service authorization key is used to instruct the NF to provide network services for authorized service consumers.
According to a fifth aspect of embodiments of the present application, there is provided an electronic apparatus, including: a processor and a memory;
the memory stores machine-executable instructions;
the processor reads and executes the machine-executable instructions stored in the memory so as to implement the network service authorization method described above.
The technical scheme provided by the embodiment of the application can have the following beneficial effects:
As can be seen from the above technical solutions, in the solution provided in the present application the network storage function network element NRF and the network function unit NF exchange key material that each generates with the same key exchange algorithm, one supported by the NF, and each derives the same service authorization key from the peer's public key carried in the received key material and its own private key. In this process the service authorization key is generated locally in the NRF and in the NF and is not exposed on the network, so the process of sharing the service authorization key between the NRF and the NF is secure.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present specification and together with the description, serve to explain the principles of the specification.
Fig. 1 is a flowchart of a method for authorizing a network service according to an embodiment of the present application;
Fig. 2 is a flowchart of another method for authorizing a network service according to an embodiment of the present application;
Fig. 3 is a flowchart of an application of the network service authorization method according to an embodiment of the present application;
Fig. 4 is a schematic diagram of an apparatus for authorizing a network service according to an embodiment of the present application;
Fig. 5 is a schematic diagram of another apparatus for authorizing a network service according to an embodiment of the present application;
Fig. 6 is a schematic diagram of the hardware structure of an electronic device according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
In order to make the technical solutions provided in the embodiments of the present application better understood and make the above objects, features and advantages of the embodiments of the present application more comprehensible, the technical solutions in the embodiments of the present application are described in further detail below with reference to the accompanying drawings.
Referring to fig. 1, fig. 1 is a flowchart of a method for authorizing a network service according to an embodiment of the present application. As an embodiment, the method may be applied in a 5G network, and in particular to a network storage function network element NRF in a 5G network.
As shown in fig. 1, the process may include the following steps:
Step 101, when it is detected that a network function unit NF needs a service authorization key, generating first key material according to an obtained key exchange algorithm supported by the NF, and sending the NF a first message carrying the public key of the NRF from the first key material; wherein the first key material comprises at least a public key of the NRF and a private key of the NRF.
As an embodiment, detecting in this step that the network function unit NF needs a service authorization key covers several cases: (1) when a registration request message sent by the NF is received, it is determined that the NF needs a service authorization key; the registration request message may carry the set of key exchange algorithms supported by the NF and a callback URI (Uniform Resource Identifier) of the NF, used to locate the NF; (2) when a service authorization key negotiation request sent by the NF is received, it is determined that the NF needs a service authorization key; or (3) if a life cycle is preset in the NRF for the service authorization key corresponding to the NF, it is determined that the NF needs a service authorization key when that life cycle has expired. These cases are only examples, and the present application does not limit them.
As an embodiment, after determining that the NF needs a service authorization key, the NRF may obtain a key exchange algorithm supported by the NF in several ways:
First method: the NRF selects a key exchange algorithm from the set of key exchange algorithms registered by the NF and generates the first key material with the selected algorithm. In this embodiment the first key material may include, in addition to the public key and the private key of the NRF, an algorithm identifier corresponding to the selected key exchange algorithm.
Second method: when a registration request message sent by the NF is received, the set of key exchange algorithms supported by the NRF is carried in the registration response message, so that the NF can determine from the received registration response message a key exchange algorithm supported by both the NRF and the NF; the NRF then selects that key exchange algorithm according to the algorithm identifier carried in the service authorization key negotiation request sent by the NF.
When the first key material contains the algorithm identifier, the first message sent by the NRF to the NF carries the algorithm identifier as well as the public key of the NRF, and the NF generates the second key material with the key exchange algorithm denoted by the algorithm identifier in the received first message.
As another embodiment, so that the NRF can verify that the second message returned by the NF for the first message belongs to the current sharing of a service authorization key, the NRF may also assign a key identifier Kid to the service authorization key to be generated this time. The Kid is part of the first key material and, in this embodiment, may also be carried in the first message sent to the NF.
Step 102, receiving a second message sent by the NF in response to the first message, wherein the second message carries at least the public key of the NF, generated by the NF according to the key exchange algorithm.
As an embodiment, if the NRF has set a key identifier Kid for the service authorization key to be generated this time, that is, the first key material includes that Kid, then after receiving the second message the NRF checks whether the Kid carried in the second message matches the Kid in the first key material; if it matches, the second message passes verification and step 103 is executed.
Step 103, determining a service authorization key corresponding to the NF according to the key exchange algorithm, the public key of the NF and the private key of the NRF, where this service authorization key is the same as the service authorization key calculated by the NF from the key exchange algorithm, the public key of the NRF and the private key of the NF; the service authorization key is used to instruct the NF to provide network services to authorized service consumers.
In this embodiment of the application, after determining the service authorization key from the key exchange algorithm, the public key of the NF and the private key of the NRF, the NRF may further record service authorization information matched with the NF, where the service authorization information of the NF includes at least the service authorization key corresponding to the NF and its Kid. In this embodiment, the service authorization information matched with the NF may be recorded as a mapping from the identifier of the NF to the service authorization information.
Optionally, in this embodiment, one or more service authorization keys may be generated in the NRF for one NF according to the above embodiments. If multiple service authorization keys are generated for one NF, they may form one service authorization key set in which each service authorization key is distinguished by its Kid, further strengthening the security assurance when the NF acts as a service producer.
Illustratively, the NRF may record the service authorization key set corresponding to the NF as: {NF identifier: [{Kid1: K1}, {Kid2: K2}, …, {Kidn: Kn}]}, where K1 to Kn are service authorization keys. Here { } denotes a mapping pair and [ ] denotes a list of objects of the same kind.
Further, in this embodiment, a plurality of service authorization keys generated for one NF may also correspond to different services provided by the NF one to one, so that the NF can quickly determine the service applied by the service consumer according to the Kid carried in the Access Token sent by the service consumer.
In this embodiment of the present application, after the NRF determines the service authorization key corresponding to the NF, the service authorization key may be used to authorize a service consumer to apply for a network service from the NF, and a specific application process of the service may include the following steps:
Step a, when a service authorization request sent by a service consumer is received, determine from the request the specific NF that the service consumer requests authorization to access. The service authorization request carries at least the service consumer identifier together with the identifier of the specified NF, or the NF type requested, or the list of services requested; in this embodiment the specified NF may therefore be determined directly from the NF identifier in the service authorization request, or one NF may be selected from the NFs of the requested type and taken as the specified NF. Selecting the specified NF by NF type may follow related technologies, for example according to the load or weight of the NFs, which the present application does not limit.
Step b, generating a reference Token, selecting a target service authorization key from all service authorization keys corresponding to the specified NF, generating an Access Token according to the target service authorization key and the Token, and returning the Access Token to the service consumer so that the service consumer applies for service to the specified NF according to the Access Token.
The reference Token generated in this embodiment at least includes: a service consumer identification, an identification of a specified NF, and a list of services requesting access.
Optionally, if the specified NF has multiple service authorization keys and these correspond one-to-one to the services provided by the specified NF, the service authorization key corresponding to the service requested by the service consumer may be determined from the obtained service list and used as the target service authorization key.
As an embodiment, the Access Token may be generated from the target service authorization key and the Token as follows:
Preferably, the reference Token in this embodiment consists of a Token Header and a Token Body. The target Kid corresponding to the target service authorization key is placed in the Token Header, and the Token is digitally signed with the target service authorization key to obtain the Access Token.
As an embodiment, digitally signing the Token with the target service authorization key may consist of encrypting the entire Token, or only its Token Body, with the target service authorization key and appending the resulting ciphertext to the end of the Token to form the Access Token.
Thus, the flow shown in fig. 1 is completed.
As can be seen from the flow shown in fig. 1, the network storage function network element NRF and the network function unit NF exchange key material that each generates with the same key exchange algorithm, one supported by the NF, and each derives the same service authorization key from the peer's public key carried in the received key material and its own private key.
The above examples are merely for convenience of understanding, and the embodiments of the present application are not particularly limited.
Referring to fig. 2, fig. 2 is a flowchart of another method for authorizing a network service according to an embodiment of the present application. As another example, the flow shown in fig. 2 may be applied to the network function unit NF.
Step 201, receiving a first message sent by the network storage function network element NRF in response to the NF's need for a service authorization key, where the first message carries at least the public key of the NRF generated by the NRF according to an obtained key exchange algorithm supported by the NF.
Step 202, generating a second key material according to the key exchange algorithm, and carrying the public key of the NF in the second key material in a second message and sending the second message to the NRF; wherein the second keying material comprises at least: a public key of the NF, a private key of the NF.
As an embodiment, the first message received by the NF may also carry an algorithm identifier corresponding to a key exchange algorithm, and therefore, in this embodiment, the NF may determine, according to the algorithm identifier, a key exchange algorithm from a local key exchange algorithm set of the NF, and generate the second key material according to the determined key exchange algorithm.
Step 203, determining a service authorization key corresponding to the NF according to the key exchange algorithm, the public key of the NRF, and the private key of the NF, where the service authorization key is the same as a service authorization key calculated by the NRF based on the key exchange algorithm, the public key of the NF, and the private key of the NRF; the service authorization key is used to instruct the NF to provide network services for authorized service consumers.
As an embodiment, the first message received by the NF may further carry a key identifier Kid corresponding to the service authorization key to be generated, so that after the NF determines the service authorization key corresponding to the NF according to the key exchange algorithm, the public key of the NRF, and the private key of the NF, the NF may further locally record service authorization information, where the service authorization information at least includes the generated service authorization key and its corresponding Kid.
Optionally, in this embodiment of the present application, the NF may generate one or more service authorization keys according to the above-described method. If the NF generates multiple service authorization keys in this embodiment, the multiple service authorization keys may form a service authorization key set and be stored locally, and each service authorization key is distinguished by the Kid obtained from the NRF, so as to further enhance the security assurance when the NF is used as a service producer.
Illustratively, the service authorization key set recorded in the NF may take the form [{Kid1: K1}, {Kid2: K2}, …, {Kidn: Kn}]. Here { } denotes a mapping pair and [ ] denotes a list of objects of the same kind.
Further, after the NF determines the service authorization key of the NF, the service authorization key may be used to authorize a service consumer to apply for a network service from the NF, and a specific application process of the service may include the following steps:
Step c, receiving an Access Token sent by a service consumer;
Step d, obtaining the target Kid from the Token Header of the Access Token, looking up the target service authorization key corresponding to that Kid, and verifying the digital signature in the Access Token with the target service authorization key.
In this embodiment, verifying the digital signature in the Access Token with the target service authorization key means encrypting the plaintext in the Access Token with the target service authorization key and comparing the resulting ciphertext with the ciphertext carried in the Access Token.
Step e, if the verification succeeds, providing the network service to the service consumer according to the Access Token.
As an embodiment, when the plaintext in the Access Token is encrypted with the target service authorization key and the resulting ciphertext matches the ciphertext in the Access Token, the service consumer is determined to have been verified successfully.
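The Access Token issue and verify steps above (steps a and b on the NRF, steps c to e on the NF), as an added example that is not part of the patent: the Token Header carries the Kid, the Token Body carries the consumer identifier, NF identifier and service list, and the key-dependent value appended to the token is computed as HMAC-SHA256 with the shared service authorization key, since the patent only says the token is encrypted with the key and the results compared. The JSON layout, the base64url encoding, the class names and the NF/service identifiers are assumptions.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj):
    # Deterministic JSON so issuer and verifier MAC exactly the same bytes.
    return b64url_encode(
        json.dumps(obj, sort_keys=True, separators=(",", ":")).encode())


class Nrf:
    """Issuer side (steps a and b). Names and layout are assumptions."""

    def __init__(self):
        # NF identifier -> {Kid: key}: the service authorization key set the
        # NRF recorded after the key exchange with each NF.
        self.auth_keys = {}
        # NF identifier -> {service name: Kid}, used when keys are bound
        # one-to-one to the services an NF provides.
        self.service_kids = {}

    def issue_access_token(self, consumer_id, nf_id, services):
        keys = self.auth_keys[nf_id]
        # Target key: the one bound to the requested service if such a
        # binding exists, otherwise any key of the NF's set.
        kid = self.service_kids.get(nf_id, {}).get(services[0], next(iter(keys)))
        header = {"kid": kid, "alg": "HS256"}          # Kid in the Token Header
        body = {"consumer": consumer_id, "nf": nf_id, "services": list(services)}
        signing_input = encode_segment(header) + "." + encode_segment(body)
        tag = hmac.new(keys[kid], signing_input.encode("ascii"),
                       hashlib.sha256).digest()
        # Key-dependent value appended to the end of the Token.
        return signing_input + "." + b64url_encode(tag)


class NfProducer:
    """Verifier side (steps c, d and e)."""

    def __init__(self, nf_id, auth_keys):
        self.nf_id = nf_id
        self.auth_keys = dict(auth_keys)  # Kid -> key shared with the NRF

    def verify_access_token(self, token, requested_service):
        """Return the token body if the consumer may use requested_service,
        otherwise None. Every failure path returns None so callers need
        not distinguish malformed from tampered tokens."""
        try:
            h, b, s = token.split(".")
            header = json.loads(b64url_decode(h))
            body = json.loads(b64url_decode(b))
            tag = b64url_decode(s)
        except ValueError:  # JSON, base64 and unpacking errors all derive from it
            return None
        # Step d: the Kid in the header selects the target key; an unknown
        # Kid means this NF never negotiated that key with the NRF.
        key = self.auth_keys.get(header.get("kid"))
        if key is None:
            return None
        expected = hmac.new(key, (h + "." + b).encode("ascii"),
                            hashlib.sha256).digest()
        # Constant-time comparison of the recomputed value with the one carried.
        if not hmac.compare_digest(expected, tag):
            return None
        # Step e: the token must name this NF and cover the service asked for.
        if body.get("nf") != self.nf_id or \
                requested_service not in body.get("services", []):
            return None
        return body
```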
Thus, the flow shown in fig. 2 is completed.
As can be seen from the flow shown in fig. 2, the network storage function network element NRF and the network function unit NF exchange key material that each generates with the same key exchange algorithm, one supported by the NF, and each derives the same service authorization key from the peer's public key carried in the received key material and its own private key.
It should be noted that the NRF and the NF may communicate over HTTP or HTTPS, that is, the formats of the first message and the second message conform to the HTTP or HTTPS protocol, and the key exchange algorithm may be any algorithm by which each party derives the same key from the other party's public key and its own private key, such as DHE (ephemeral Diffie-Hellman) or ECDHE (ephemeral elliptic-curve Diffie-Hellman).
In this embodiment, after both the NRF and the NF have generated the service authorization key, the NRF may produce a digital signature with the service authorization key and send it to the NF, so that the NF verifies the digital signature with its locally recorded service authorization key; the signed data may include the Kid of the service authorization key used by the NRF, the identifier of the NF, and the like.
The method embodiment of the present application is described above. A specific embodiment applying it is described below with reference to fig. 3, taking a 5G network as an example.
In fig. 3, messages 1-4 are the process in which the NRF and an NF acting as a service producer share a service authorization key, and messages 5-8 are the process in which an NF acting as a service consumer requests a service from the NF acting as a service producer.
In this implementation, the NRF determines that the network function unit NF needs a service authorization key from message 1 received from the NF, where message 1 is a registration request message sent by the NF. The NRF may determine that the NF needs a service authorization key in various ways; triggering by the registration request message is described only as an example for ease of understanding.
Optionally, message 1 may carry the set of key exchange algorithms supported by the NF and the callback URI of the NF; message 2 responds to message 1 and notifies the NF that registration succeeded.
Further, the message 2 may carry an algorithm identifier of a key exchange algorithm selected by the NRF from the key exchange algorithm set supported by the NF, and when the message 2 carries the algorithm identifier, the message 3 in this embodiment no longer needs to carry the algorithm identifier of the key exchange algorithm.
Optionally, if message 1 does not include the set of key exchange algorithms supported by the NF, the NRF in this embodiment may carry the set of key exchange algorithms supported by the NRF in message 2 responding to message 1, and the NF then sends a service authorization key negotiation request, so that service authorization key sharing between the NRF and the NF is achieved (this process is not shown in fig. 3).
After the NRF determines from message 1 that the network function unit NF needs a service authorization key and returns message 2 as the response to message 1, the NRF further sends a service authorization key negotiation request to the NF (i.e. message 3).
It should be noted that, before the NRF sends message 3, it needs to generate the first key material according to the selected key exchange algorithm supported by the NF; the generation of the first key material is described below taking the DHE algorithm as an example:
Select a modulus P and a base G as the DHE algorithm requires, where P and G may be preset in the NRF or chosen at random by the NRF; then randomly generate the NRF's private key a, compute the NRF's public key K_NRF = G^a (mod P), and assign a key identifier Kid to the service authorization key to be generated.
P, G, the private key a, the public key K_NRF and the Kid are then taken together as the first key material, and P, G, the public key K_NRF and the Kid are carried in message 3.
Optionally, if message 2 does not carry the algorithm identifier of the DHE algorithm, the first key material in this embodiment further includes the algorithm identifier of the DHE algorithm, and message 3 also carries it.
After the NF receives message 3 and determines that the algorithm to be used is DHE, it may generate the second key material from message 3 according to the DHE algorithm, as follows:
Randomly generate the NF's private key b as the DHE algorithm requires; then, from the modulus P and base G carried in message 3, generate the NF's public key K_NF = G^b (mod P), compute the NF's service authorization key K = K_NRF^b (mod P), and record the mapping between the Kid and the service authorization key K.
The private key b, the public key K_NF and the Kid obtained from message 3 are then taken as the second key material, and the public key K_NF and the Kid are carried in message 4, which is sent to the NRF as the service authorization key negotiation response to message 3.
Further, after the NRF receives the service authorization key negotiation response message, it takes K_NF out of the message, computes the service authorization key K = K_NF^a (mod P) according to the DHE algorithm, and records the identity of the NF as a service producer together with the mapping between the Kid and the service authorization key K.
It should be noted that the DHE algorithm guarantees that the K computed by the NF service producer and the K computed by the NRF are identical, since K_NF^a = G^(ab) = K_NRF^b (mod P); thus the NF service producer and the NRF obtain the same K through the DHE algorithm.
The procedure corresponding to messages 5 to 8, in which the NF acting as a service consumer requests a service from the NF acting as a service producer, is described below:
In this embodiment, when the NF serving as the service consumer needs to access a service provided by the NF serving as the service producer, it first sends an Access Token request message (i.e. message 5) to the NRF, where message 5 carries at least the NF identifier of the service consumer, the NF identifier of the service producer (or the NF type requested to be accessed), and the list of services requested to be accessed.
After receiving message 5 and passing the authorization check defined in the 5G standard, the NRF generates a Token consisting of a Token Header and a Token Body, where the Token Body records at least the NF identifier of the service consumer, the NF identifier of the service producer, and the list of services requested to be accessed.
The NRF then uses the NF identifier of the service producer as an index to determine the target service authorization key corresponding to that NF and the target Kid corresponding to the target service authorization key, fills the target Kid into the Token Header of the Token, and finally digitally signs the Token with the target service authorization key to form an Access Token, which is carried in message 6 and returned to the NF serving as the service consumer.
Further, after receiving message 6, the NF serving as the service consumer sends a service request (i.e. message 7) carrying the Access Token obtained from message 6 to the NF serving as the service producer. After receiving message 7, the producer NF obtains the target Kid from the Access Token carried in message 7, verifies the digital signature of the Access Token with the target service authorization key corresponding to the target Kid, and, when the signature verification passes, responds to the service request of the consumer NF through message 8 and provides the service to it normally.
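As an added example (not code from the patent or its applicant), the following Python models messages 3 to 8 of fig. 3: the DHE negotiation between NRF and NF with the Kid carried on both sides and checked on return, Access Token issuance with the target Kid in the Token Header, and the producer NF's Kid lookup and signature check before serving. It assumes a toy DHE group, HMAC-SHA256 as the symmetric "digital signature", and a JWT-like header.body.tag encoding; the NF identifiers and service list are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed toy DHE group for illustration only (NOT production-safe; a real
# deployment would use a standardized group such as an RFC 3526 MODP group).
TOY_P = 2**127 - 1   # Mersenne prime
TOY_G = 5            # arbitrary base

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _key_bytes(k: int) -> bytes:
    # The shared DHE secret K, serialized big-endian, is used directly as the MAC key.
    return k.to_bytes((k.bit_length() + 7) // 8 or 1, "big")

def sign_token(header: dict, body: dict, k: int) -> str:
    # "Digital signature" with the symmetric key K, modelled as HMAC-SHA256 (assumption).
    signing_input = (_b64(json.dumps(header, sort_keys=True).encode()) + "." +
                     _b64(json.dumps(body, sort_keys=True).encode()))
    tag = hmac.new(_key_bytes(k), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(tag)

def verify_token(token: str, keys: dict):
    # Steps c/d of the method: take the Kid from the Token Header, look up K, recompute
    # and compare the tag. Returns the Token Body on success, None on any failure.
    try:
        h, b, s = token.split(".")
        header = json.loads(_unb64(h))
        k = keys.get(header.get("Kid"))        # unknown Kid -> no key -> reject
        if k is None:
            return None
        expected = hmac.new(_key_bytes(k), f"{h}.{b}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(s)):
            return None
        return json.loads(_unb64(b))
    except (ValueError, AttributeError):
        return None

class NRF:
    """NRF side of messages 3, 4 and 6."""
    def __init__(self, p: int = TOY_P, g: int = TOY_G):
        self.p, self.g = p, g
        self.pending = {}   # Kid -> (producer NF id, private key a), awaiting message 4
        self.keys = {}      # producer NF id -> {Kid: service authorization key K}

    def message3(self, producer_id: str) -> dict:
        a = secrets.randbelow(self.p - 2) + 2         # NRF private key a in [2, P-1]
        k_nrf = pow(self.g, a, self.p)               # K_NRF = G^a mod P
        kid = _b64(secrets.token_bytes(8))           # Kid for the key to be generated
        self.pending[kid] = (producer_id, a)
        return {"alg": "DHE", "P": self.p, "G": self.g, "K_NRF": k_nrf, "Kid": kid}

    def on_message4(self, msg: dict) -> int:
        if msg["Kid"] not in self.pending:           # Kid consistency check (claim 3)
            raise ValueError("message 4 carries an unknown Kid")
        producer_id, a = self.pending.pop(msg["Kid"])
        k = pow(msg["K_NF"], a, self.p)              # K = K_NF^a mod P
        self.keys.setdefault(producer_id, {})[msg["Kid"]] = k
        return k

    def message6(self, consumer_id: str, producer_id: str, services: list) -> str:
        # Token issuance; the 5G-standard authorization checks are assumed to have passed.
        kid, k = next(iter(self.keys[producer_id].items()))   # target Kid / target key
        header = {"Kid": kid, "alg": "HS256"}
        body = {"consumer": consumer_id, "producer": producer_id, "services": services}
        return sign_token(header, body, k)

class NF:
    """Service-producer NF side of messages 3/4 and 7/8."""
    def __init__(self, nf_id: str):
        self.nf_id = nf_id
        self.keys = {}      # Kid -> service authorization key K

    def on_message3(self, msg: dict) -> dict:
        p, g = msg["P"], msg["G"]
        b = secrets.randbelow(p - 2) + 2                  # NF private key b
        k_nf = pow(g, b, p)                               # K_NF = G^b mod P
        self.keys[msg["Kid"]] = pow(msg["K_NRF"], b, p)  # K = K_NRF^b mod P
        return {"K_NF": k_nf, "Kid": msg["Kid"]}

    def on_message7(self, access_token: str):
        # Serve (message 8) only if the tag verifies and the token names this NF.
        body = verify_token(access_token, self.keys)
        if body is None or body.get("producer") != self.nf_id:
            return None
        return body

def run_flow():
    # Messages 3-8 end to end with constructed identifiers; returns (keys_match, body).
    nrf, producer = NRF(), NF("producer-1")
    m3 = nrf.message3("producer-1")
    m4 = producer.on_message3(m3)
    k_nrf_side = nrf.on_message4(m4)
    token = nrf.message6("consumer-1", "producer-1", ["nudm-sdm"])
    return producer.keys[m3["Kid"]] == k_nrf_side, producer.on_message7(token)
```

A token presented to an NF that never negotiated the Kid, or whose body was altered after signing, is rejected because the Kid lookup fails or the recomputed tag differs.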
The method provided by the embodiment of the application is described above. The following describes the apparatus provided in the embodiments of the present application:
referring to fig. 4, fig. 4 is a schematic diagram of an apparatus for authorizing a network service according to an embodiment of the present application, where the embodiment of the apparatus is applied to a network storage function network element NRF. The device includes:
a first message sending unit 401, configured to, when detecting that a network function unit NF needs a service authorization key, generate a first key material according to an obtained key exchange algorithm supported by the NF, carry a public key of the NRF in the first key material in a first message, and send the first message to the NF; wherein the first keying material comprises at least: a public key of the NRF, a private key of the NRF.
A second message receiving unit 402, configured to receive a second message that the NF responds to the first message, where the second message at least carries a public key of the NF that is generated by the NF according to the key exchange algorithm.
A service authorization key generation unit 403, configured to determine, according to the key exchange algorithm, the public key of the NF, and the private key of the NRF, a service authorization key corresponding to the NF, where the service authorization key is the same as a service authorization key calculated by the NF based on the key exchange algorithm, the public key of the NRF, and the private key of the NF; the service authorization key is used to instruct the NF to provide network services for authorized service consumers.
Optionally, the generating, by the first message sending unit 401, the first key material according to the obtained key exchange algorithm supported by the NF includes: selecting a key exchange algorithm from the NF registered set of key exchange algorithms; generating a first keying material using the selected key exchange algorithm;
the first keying material further comprises: the selected algorithm identification corresponding to the key exchange algorithm; the identifier is used for indicating the NF to generate a public key of the NF according to a corresponding key exchange algorithm;
the first message also carries an algorithm identifier corresponding to the selected key exchange algorithm.
Optionally, the first key material further includes: a key identification Kid corresponding to the service authorization key to be generated;
if the Kid is carried in the second message, before determining a service authorization key corresponding to the NF according to the key exchange algorithm, the public key of the NF, and the private key of the NRF, the apparatus further includes:
a verification unit, configured to check whether the Kid carried in the second message is consistent with the Kid in the first key material, determine that the second message passes verification if they are consistent, and continue with the step of determining the service authorization key corresponding to the NF according to the key exchange algorithm, the public key of the NF and the private key of the NRF.
Optionally, after the service authorization key generation unit 403 determines the service authorization key according to the key exchange algorithm, the public key of the NF, and the private key of the NRF, the service authorization key generation unit 403 is further configured to record service authorization information matched with the NF, where the service authorization information at least includes the service authorization key and the Kid.
Optionally, the apparatus further includes a service authorization request unit, configured to receive a service authorization request sent by a service consumer, where the service authorization request is used to request authorization to access a specified NF; generating a reference Token, selecting a target service authorization key from all service authorization keys corresponding to the specified NF, generating an Access Token according to the target service authorization key and the Token, and returning the Access Token to the service consumer so that the service consumer applies for services to the specified NF according to the Access Token.
Optionally, the reference Token includes a Token Header and a Token Body; the service authorization request unit generating an Access Token according to the target service authorization key and the Token includes:
filling the target Kid corresponding to the target service authorization key into the Token Header, and digitally signing the Token with the target service authorization key to obtain the Access Token.
Thus, the structure of the embodiment of the apparatus shown in FIG. 4 is completed.
Referring to fig. 5, fig. 5 is a schematic diagram of another network service authorization apparatus provided in an embodiment of the present application, where the embodiment of the apparatus is applied to a network function unit NF. The device includes:
a first message receiving unit 501, configured to receive a first message sent by a network storage function network element NRF in response to the NF needing a service authorization key, where the first message carries at least a public key of the NRF that is generated by the NRF according to an obtained key exchange algorithm supported by the NF.
A second message sending unit 502, configured to generate a second key material according to the key exchange algorithm, carry a public key of the NF in the second key material in a second message, and send the second message to the NRF; wherein the second keying material comprises at least: a public key of the NF, a private key of the NF.
A service authorization key generation unit 503, configured to determine, according to the key exchange algorithm, the public key of the NRF, and the private key of the NF, a service authorization key corresponding to the NF, where the service authorization key is the same as a service authorization key calculated by the NRF based on the key exchange algorithm, the public key of the NF, and the private key of the NRF; the service authorization key is used to instruct the NF to provide network services for authorized service consumers.
Optionally, the first message further carries an algorithm identifier corresponding to a key exchange algorithm;
the generating second keying material in accordance with the key exchange algorithm comprises:
determining a key exchange algorithm from the NF local key exchange algorithm set according to the algorithm identification corresponding to the key exchange algorithm in the first message;
second keying material is generated in accordance with the determined key exchange algorithm.
Optionally, the first message further carries a key identifier Kid corresponding to the service authorization key to be generated;
after the service authorization key generation unit 503 determines the service authorization key corresponding to the NF according to the key exchange algorithm, the public key of the NRF, and the private key of the NF, it is further configured to record service authorization information of the NF, where the service authorization information at least includes the service authorization key and the Kid.
Optionally, the apparatus further includes a network service providing unit, configured to receive an Access Token transmitted by a service consumer; acquiring a target Kid from a Token header of the Access Token, searching a target service authorization key corresponding to the target Kid, and verifying a digital signature in the Access Token according to the target service authorization key; and if the verification is successful, providing network service to the service consumer according to the Access Token.
Thus, the structure of the embodiment of the apparatus shown in FIG. 5 is completed.
Correspondingly, an embodiment of the present application further provides a hardware structure diagram of an electronic device, and specifically, as shown in fig. 6, the electronic device may be the device implementing the network service authorization method. As shown in fig. 6, the hardware structure includes: a processor and a memory.
Wherein the memory is to store machine executable instructions;
the processor is configured to read and execute the machine executable instructions stored in the memory to implement the corresponding method embodiment of network service authorization as shown above.
For one embodiment, the memory may be any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions, data, and the like. For example, the memory may be volatile memory, non-volatile memory, or a similar storage medium. In particular, the memory may be a RAM (Random Access Memory), a flash memory, a storage drive (e.g., a hard disk drive), a solid state disk, any type of storage disk (e.g., an optical disk, a DVD, etc.), a similar storage medium, or a combination thereof.
So far, the description of the electronic apparatus shown in fig. 6 is completed.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (13)

1. A network service authorization method, which is applied to a network storage function network element NRF, and includes:
when a network function unit (NF) is detected to need a service authorization key, generating a first key material according to an obtained key exchange algorithm supported by the NF, carrying a public key of the NRF in the first key material in a first message and sending the first message to the NF; wherein the first keying material comprises at least: a public key of the NRF, a private key of the NRF;
receiving a second message responded by the NF aiming at the first message, wherein the second message at least carries a public key of the NF generated by the NF according to the key exchange algorithm;
determining a service authorization key corresponding to the NF according to the key exchange algorithm, the public key of the NF and the private key of the NRF, wherein the service authorization key is the same as a service authorization key calculated by the NF based on the key exchange algorithm, the public key of the NRF and the private key of the NF; the service authorization key is used to instruct the NF to provide network services for authorized service consumers.
2. The method of claim 1, wherein the generating first keying material according to the obtained NF-supported key exchange algorithm comprises: selecting a key exchange algorithm from the NF registered set of key exchange algorithms; generating a first keying material using the selected key exchange algorithm;
the first keying material further comprises: the selected algorithm identification corresponding to the key exchange algorithm; the identifier is used for indicating the NF to generate a public key of the NF according to a corresponding key exchange algorithm;
the first message also carries an algorithm identifier corresponding to the selected key exchange algorithm.
3. The method of claim 1, wherein the first keying material further comprises: a key identification Kid corresponding to the service authorization key to be generated;
if the Kid is carried in the second message, before determining a service authorization key corresponding to the NF according to the key exchange algorithm, the public key of the NF, and the private key of the NRF, the method further includes:
and checking whether the Kid carried by the second message is consistent with the Kid in the first key material, determining that the second message passes the verification if the detection result is consistent, and continuously executing the step of determining the service authorization key corresponding to the NF according to the key exchange algorithm, the public key of the NF and the private key of the NRF.
4. The method of claim 1, wherein after determining a service authorization key based on the key exchange algorithm, the NF's public key, and the NRF's private key, the method further comprises: and recording service authorization information matched with the NF, wherein the service authorization information at least comprises the service authorization key and the Kid.
5. The method of claim 4, further comprising:
receiving a service authorization request sent by a service consumer, wherein the service authorization request is used for requesting authorization to access a specified NF;
generating a reference Token, selecting a target service authorization key from all service authorization keys corresponding to the specified NF, generating an Access Token according to the target service authorization key and the Token, and returning the Access Token to the service consumer so that the service consumer applies for services to the specified NF according to the Access Token.
6. The method of claim 5, wherein the reference Token comprises a Token Header and a Token Body;
generating an Access Token according to the target service authorization key and the Token, including:
and filling the target Kid corresponding to the target service authorization key into the Token Header, and digitally signing the Token by using the target service authorization key to obtain the Access Token.
7. A network service authorization method is applied to a network function unit (NF), and comprises the following steps:
receiving a first message which is sent by a network storage function network element NRF in response to the requirement of the NF on a service authorization key, wherein the first message at least carries a public key of the NRF generated by the NRF according to an obtained key exchange algorithm supported by the NF;
generating a second key material according to the key exchange algorithm, carrying the public key of the NF in the second key material in a second message and sending the second message to the NRF; wherein the second keying material comprises at least: a public key of the NF, a private key of the NF;
determining a service authorization key corresponding to the NF according to the key exchange algorithm, the public key of the NRF and the private key of the NF, wherein the service authorization key is the same as a service authorization key calculated by the NRF based on the key exchange algorithm, the public key of the NF and the private key of the NRF; the service authorization key is used to instruct the NF to provide network services for authorized service consumers.
8. The method according to claim 7, wherein the first message further carries an algorithm identifier corresponding to a key exchange algorithm;
the generating second keying material in accordance with the key exchange algorithm comprises:
determining a key exchange algorithm from the NF local key exchange algorithm set according to the algorithm identification corresponding to the key exchange algorithm in the first message;
second keying material is generated in accordance with the determined key exchange algorithm.
9. The method of claim 7, wherein the first message further carries a key identifier Kid corresponding to the service authorization key to be generated;
after determining the service authorization key corresponding to the NF according to the key exchange algorithm, the public key of the NRF, and the private key of the NF, the method further includes: and recording service authorization information of the NF, wherein the service authorization information at least comprises the service authorization key and the Kid.
10. The method of claim 9, further comprising:
receiving an Access Token sent by a service consumer;
acquiring a target Kid from a Token header of the Access Token, searching a target service authorization key corresponding to the target Kid, and verifying a digital signature in the Access Token according to the target service authorization key;
and if the verification is successful, providing network service to the service consumer according to the Access Token.
11. A network service authorization apparatus, which is applied to a network storage function network element NRF, and comprises:
a first message sending unit, configured to, when detecting that a network function unit NF needs a service authorization key, generate a first key material according to an obtained key exchange algorithm supported by the NF, carry a public key of the NRF in the first key material in a first message, and send the first message to the NF; wherein the first keying material comprises at least: a public key of the NRF, a private key of the NRF;
a second message receiving unit, configured to receive a second message that the NF responds to the first message, where the second message at least carries a public key of the NF that is generated by the NF according to the key exchange algorithm;
a service authorization key generation unit, configured to determine, according to the key exchange algorithm, the public key of the NF, and the private key of the NRF, a service authorization key corresponding to the NF, where the service authorization key is the same as a service authorization key calculated by the NF based on the key exchange algorithm, the public key of the NRF, and the private key of the NF; the service authorization key is used to instruct the NF to provide network services for authorized service consumers.
12. A network service authorization apparatus, which is applied to a network function unit NF, and comprises:
a first message receiving unit, configured to receive a first message sent by a network storage function network element NRF in response to the NF needing a service authorization key, where the first message carries at least a public key of the NRF that is generated by the NRF according to an obtained key exchange algorithm supported by the NF;
a second message sending unit, configured to generate a second key material according to the key exchange algorithm, carry a public key of the NF in the second key material in a second message, and send the second message to the NRF; wherein the second keying material comprises at least: a public key of the NF, a private key of the NF;
a service authorization key generation unit, configured to determine, according to the key exchange algorithm, the public key of the NRF, and the private key of the NF, a service authorization key corresponding to the NF, where the service authorization key is the same as a service authorization key calculated by the NRF based on the key exchange algorithm, the public key of the NF, and the private key of the NRF; the service authorization key is used to instruct the NF to provide network services for authorized service consumers.
13. An electronic device, comprising: a processor and a memory;
the memory for storing machine executable instructions;
the processor is configured to read and execute the machine executable instructions stored by the memory to implement the method of any one of claims 1 to 6 or the method of any one of claims 7 to 10.
CN202111155028.9A 2021-09-29 2021-09-29 Network service authorization method, device and equipment Withdrawn CN113825134A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202111155028.9A CN113825134A (en) 2021-09-29 2021-09-29 Network service authorization method, device and equipment
PCT/CN2022/119877 WO2023051316A1 (en) 2021-09-29 2022-09-20 Network service authorization method and apparatus, and electronic device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111155028.9A CN113825134A (en) 2021-09-29 2021-09-29 Network service authorization method, device and equipment

Publications (1)

Publication Number Publication Date
CN113825134A true CN113825134A (en) 2021-12-21

Family

ID=78915961

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111155028.9A Withdrawn CN113825134A (en) 2021-09-29 2021-09-29 Network service authorization method, device and equipment

Country Status (2)

Country Link
CN (1) CN113825134A (en)
WO (1) WO2023051316A1 (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20211221