CN115002768A - Request message processing method, device and system - Google Patents


Publication number
CN115002768A
Authority
CN
China
Prior art keywords
sepp
cross
configuration information
request
domain
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210562112.0A
Other languages
Chinese (zh)
Inventor
李柯
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Telecom Corp Ltd
Priority to CN202210562112.0A
Publication of CN115002768A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H04L41/0813 Configuration setting characterised by the conditions triggering a change of settings
    • H04L41/0816 Configuration setting characterised by the conditions triggering a change of settings the condition being an adaptation, e.g. in response to network events
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W12/033 Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of the disclosure provide a method, a device and a system for processing a request message. An NF (Network Function) sends an identity authentication request for a first SEPP (Security Edge Protection Proxy) to an NRF (Network Repository Function). On receiving the identity authentication request, the NRF acquires the locally recorded second address information of the first SEPP. If the first address information of the first SEPP carried in the identity authentication request is the same as the locally recorded second address information, the NRF acquires the current first configuration information of the first SEPP. If the first configuration information is different from the locally recorded second configuration information of the first SEPP, the NRF determines a second SEPP that matches the communication function required by the NF and sends a first feedback response carrying the unique identifier of the second SEPP to the NF. On receiving the first feedback response, the NF sends a cross-domain request to the second SEPP. On this basis, the security of SEPP-based cross-domain communication can be improved.

Description

Request message processing method, device and system
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a method, an apparatus, and a system for processing a request message.
Background
In the related art, under the 3GPP standards for 5G, cross-domain communication between operator networks is protected at the operator network boundary by an SEPP (Security Edge Protection Proxy), which enables cross-domain communication between NFs (Network Functions) in different operator networks. Specifically, when one PLMN (Public Land Mobile Network) communicates across domains with another PLMN, the NF in the requesting PLMN sends a cross-domain request to the SEPP in the requesting PLMN. The SEPP in the requesting PLMN sends the received cross-domain request to the SEPP in the receiving PLMN, and the SEPP in the receiving PLMN sends the received cross-domain request to the NF in the receiving PLMN.
However, when cross-domain communication is implemented through the SEPP, the identity information of the SEPP may be stolen by a malicious attacker, causing the request information of the cross-domain request to leak. Also, when the configuration information of the SEPP is changed, the SEPP may not be able to respond to a cross-domain request of the NF. The NF cannot know whether the configuration information of the SEPP has changed and still sends the cross-domain request to that SEPP, so the cross-domain request does not reach the correct SEPP and its request information is leaked. In addition, because the SEPP may not be able to respond, the NF may send the cross-domain request to it frequently, so that cross-domain requests accumulate at the SEPP and make it unavailable. That is, the related art may reduce the security of SEPP-based cross-domain communication.
Disclosure of Invention
The embodiment of the disclosure aims to provide a method, a device and a system for processing a request message, so as to improve the security of cross-domain communication based on SEPP. The specific technical scheme is as follows:
In a first aspect, to achieve the above object, an embodiment of the present disclosure provides a request message processing method, which is applied to a network repository function (NRF) in a request message processing system, and the method includes:
receiving an identity authentication request sent by a network function (NF); the identity authentication request carries a communication function required by the NF, first address information of a first Security Edge Protection Proxy (SEPP), and a unique identifier pre-allocated to the first SEPP;
acquiring locally recorded address information corresponding to the unique identifier of the first SEPP as second address information;
under the condition that the first address information is the same as the second address information, acquiring current configuration information of the first SEPP as first configuration information; wherein the configuration information of an SEPP comprises the communication functions supported by that SEPP;
determining an SEPP matched with a communication function required by the NF as a second SEPP based on the respective configuration information of the locally recorded SEPPs under the condition that the first configuration information is different from the second configuration information of the locally recorded first SEPP;
and sending a first feedback response carrying the unique identifier of the second SEPP to the NF, so that the NF sends a cross-domain request to the second SEPP when receiving the first feedback response.
In some embodiments, the obtaining current configuration information of the first SEPP as the first configuration information includes:
sending an information acquisition request to the first SEPP, so that the first SEPP sends the current configuration information of the first SEPP to the NRF when receiving the information acquisition request;
and receiving the current configuration information sent by the first SEPP as first configuration information.
In some embodiments, after the receiving the current configuration information sent by the first SEPP as the first configuration information, the method further includes:
and locally recording the corresponding relation between the unique identifier of the first SEPP and the first configuration information, and deleting the second configuration information.
In some embodiments, after the obtaining the current configuration information of the first SEPP as the first configuration information, the method further comprises:
under the condition that the first configuration information is the same as the second configuration information, sending a second feedback response to the NF so that the NF confirms that the first SEPP passes identity verification; wherein the second feedback response indicates that the first SEPP is authenticated.
In a second aspect, in order to achieve the above object, an embodiment of the present disclosure discloses a request message processing method, where the method is applied to an NF in a request message processing system, and the method includes:
sending an authentication request for the first SEPP to the NRF; the identity authentication request carries a communication function required by the NF, first address information of the first SEPP and a unique identifier pre-allocated to the first SEPP, so that when the NRF receives the identity authentication request, the NRF acquires locally recorded address information corresponding to the unique identifier of the first SEPP as second address information; under the condition that the first address information is the same as the second address information, acquires current configuration information of the first SEPP as first configuration information; under the condition that the first configuration information is different from the locally recorded second configuration information of the first SEPP, determines, based on the respective configuration information of the locally recorded SEPPs, an SEPP matched with the communication function required by the NF as a second SEPP; and sends a first feedback response carrying the unique identifier of the second SEPP to the NF; wherein the configuration information of an SEPP comprises the communication functions supported by that SEPP;
and sending a cross-domain request to the second SEPP when receiving a first feedback response sent by the NRF.
In some embodiments, said sending a cross-domain request to the second SEPP upon receiving the first feedback response sent by the NRF comprises:
when a first feedback response sent by the NRF is received, encrypting the service information of the NF based on the public key of the second SEPP to obtain a cross-domain request;
sending the cross-domain request to the second SEPP so that the second SEPP decrypts the received cross-domain request based on a private key of the second SEPP, and discarding the cross-domain request when the decryption of the cross-domain request fails; and forwarding the cross-domain request under the condition that the decryption of the cross-domain request is successful.
In some embodiments, after said sending an authentication request for the first SEPP to the NRF, the method further comprises:
and when a first feedback response sent by the NRF is received, locally recording the corresponding relation between the unique identifier of the second SEPP and the communication function required by the NF.
In some embodiments, before said sending a cross-domain request to said second SEPP upon receiving a first feedback response sent by said NRF, said method further comprises:
encrypting the service information of the NF based on the public key of the first SEPP to obtain a cross-domain request, and sending the cross-domain request to the first SEPP so that the first SEPP decrypts the received cross-domain request based on the private key of the first SEPP, and discarding the cross-domain request under the condition that the decryption of the cross-domain request fails; and forwarding the cross-domain request under the condition that the decryption of the cross-domain request is successful.
In a third aspect, in order to achieve the above object, an embodiment of the present disclosure discloses a request message processing method, which is applied to an SEPP in a request message processing system, and the method includes:
when a cross-domain request sent by an NF is received, decrypting the cross-domain request based on a private key of the SEPP; wherein the cross-domain request is obtained by the NF encrypting the service information of the NF based on the public key of the SEPP;
discarding the cross-domain request if decryption of the cross-domain request fails;
and forwarding the cross-domain request under the condition that the decryption of the cross-domain request is successful.
In a fourth aspect, in order to achieve the above object, an embodiment of the present disclosure discloses a request message processing system, including: an NRF, an NF, and a plurality of SEPPs, wherein:
the NF is used for sending an authentication request aiming at a first SEPP to the NRF; the identity authentication request carries a communication function required by the NF, first address information of the first SEPP and a unique identifier pre-allocated to the first SEPP;
the NRF is used for acquiring locally recorded address information corresponding to the unique identifier of the first SEPP as second address information when the identity authentication request is received; under the condition that the first address information is the same as the second address information, acquiring current configuration information of the first SEPP as first configuration information; under the condition that the first configuration information is different from the locally recorded second configuration information of the first SEPP, determining, based on the respective configuration information of the locally recorded SEPPs, an SEPP matched with the communication function required by the NF as a second SEPP; and sending a first feedback response carrying the unique identifier of the second SEPP to the NF; wherein the configuration information of an SEPP comprises the communication functions supported by that SEPP;
the NF is further used for sending a cross-domain request to the second SEPP when receiving the first feedback response sent by the NRF.
In a fifth aspect, to achieve the above object, an embodiment of the present disclosure provides a request message processing apparatus, which is applied to an NRF in a request message processing system, and includes:
the receiving module is used for receiving an identity authentication request sent by the NF; the identity authentication request carries a communication function required by the NF, first address information of a first SEPP and a unique identifier pre-allocated to the first SEPP;
the first acquisition module is used for acquiring locally recorded address information corresponding to the unique identifier of the first SEPP as second address information;
a second obtaining module, configured to obtain current configuration information of the first SEPP as first configuration information when the first address information is the same as the second address information; wherein the configuration information of an SEPP comprises the communication functions supported by that SEPP;
a determining module, configured to determine, based on respective configuration information of each locally recorded SEPP, an SEPP that matches a communication function required by the NF as a second SEPP when the first configuration information is different from second configuration information of the first SEPP that is locally recorded;
a first sending module, configured to send a first feedback response carrying the unique identifier of the second SEPP to the NF, so that the NF sends a cross-domain request to the second SEPP when receiving the first feedback response.
In some embodiments, the second obtaining module is specifically configured to send an information obtaining request to the first SEPP, so that when the first SEPP receives the information obtaining request, the first SEPP sends current configuration information of the first SEPP to the NRF;
and receiving the current configuration information sent by the first SEPP as first configuration information.
In some embodiments, the apparatus further comprises:
and the updating module is used for locally recording the corresponding relation between the unique identifier of the first SEPP and the first configuration information and deleting the second configuration information after the second acquiring module receives the current configuration information sent by the first SEPP as the first configuration information.
In some embodiments, the apparatus further comprises:
a second sending module, configured to, after the second obtaining module obtains the current configuration information of the first SEPP as the first configuration information, send a second feedback response to the NF when the first configuration information is the same as the second configuration information, so that the NF confirms that the first SEPP passes the identity authentication; wherein the second feedback response indicates that the first SEPP is authenticated.
In a sixth aspect, in order to achieve the above object, an embodiment of the present disclosure discloses a request message processing apparatus, where the apparatus is applied to an NF in a request message processing system, and the apparatus includes:
a first sending module, configured to send an authentication request for the first SEPP to the NRF; the identity authentication request carries a communication function required by the NF, first address information of the first SEPP and a unique identifier pre-allocated to the first SEPP, so that when the NRF receives the identity authentication request, the NRF acquires locally recorded address information corresponding to the unique identifier of the first SEPP as second address information; under the condition that the first address information is the same as the second address information, acquires current configuration information of the first SEPP as first configuration information; under the condition that the first configuration information is different from the locally recorded second configuration information of the first SEPP, determines, based on the respective configuration information of the locally recorded SEPPs, an SEPP matched with the communication function required by the NF as a second SEPP; and sends a first feedback response carrying the unique identifier of the second SEPP to the NF; wherein the configuration information of an SEPP comprises the communication functions supported by that SEPP;
and a second sending module, configured to send a cross-domain request to the second SEPP when receiving the first feedback response sent by the NRF.
In some embodiments, the second sending module is specifically configured to, when receiving the first feedback response sent by the NRF, encrypt the service information of the NF based on the public key of the second SEPP to obtain a cross-domain request;
sending the cross-domain request to the second SEPP so that the second SEPP decrypts the received cross-domain request based on a private key of the second SEPP, and discarding the cross-domain request when the decryption of the cross-domain request fails; and forwarding the cross-domain request under the condition that the decryption of the cross-domain request is successful.
In some embodiments, the apparatus further comprises:
and the updating module is used for locally recording the corresponding relation between the unique identifier of the second SEPP and the communication function required by the NF when receiving the first feedback response sent by the NRF after the first sending module sends the authentication request aiming at the first SEPP to the NRF.
In some embodiments, the apparatus further comprises:
a third sending module, configured to encrypt service information of the NF based on a public key of the first SEPP to obtain a cross-domain request before the second sending module sends the cross-domain request to the second SEPP when the second sending module receives the first feedback response sent by the NRF, and send the cross-domain request to the first SEPP, so that the first SEPP decrypts the received cross-domain request based on a private key of the first SEPP, and discards the cross-domain request when decryption of the cross-domain request fails; and forwarding the cross-domain request under the condition that the decryption of the cross-domain request is successful.
In a seventh aspect, in order to achieve the above object, an embodiment of the present disclosure discloses a request message processing apparatus, where the apparatus is applied to an SEPP in a request message processing system, and the apparatus includes:
the decryption module is used for decrypting the cross-domain request based on the private key of the SEPP when the cross-domain request sent by the NF is received; wherein the cross-domain request is obtained by the NF encrypting the service information of the NF based on the public key of the SEPP;
a discarding module, configured to discard the cross-domain request if decryption of the cross-domain request fails;
and the forwarding module is used for forwarding the cross-domain request under the condition that the decryption of the cross-domain request is successful.
The embodiment of the disclosure also provides an electronic device, which comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory complete mutual communication through the communication bus;
a memory for storing a computer program;
a processor, configured to implement the steps of the request message processing method according to any one of the first aspect, the second aspect, or the third aspect when executing a program stored in a memory.
An embodiment of the present disclosure further provides a computer-readable storage medium, in which a computer program is stored, and the computer program, when executed by a processor, implements the steps of the request message processing method according to any one of the first aspect, the second aspect, or the third aspect.
Embodiments of the present disclosure further provide a computer program product including instructions, which when run on a computer, cause the computer to execute the request message processing method according to any one of the first aspect, the second aspect, or the third aspect.
Drawings
In order to illustrate the embodiments of the present disclosure or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. The drawings in the following description are only some embodiments of the present disclosure, and those skilled in the art can obtain other embodiments from these drawings.
Fig. 1 is a schematic structural diagram of a request message processing system according to an embodiment of the present disclosure;
Fig. 2 is a flowchart of a request message processing method according to an embodiment of the present disclosure;
Fig. 3 is a flowchart of another request message processing method provided by the embodiment of the present disclosure;
Fig. 4 is a flowchart of another request message processing method according to an embodiment of the present disclosure;
Fig. 5 is a flowchart of another request message processing method provided by the embodiment of the present disclosure;
Fig. 6 is a flowchart of another request message processing method according to an embodiment of the present disclosure;
Fig. 7 is a structural diagram of a request message processing apparatus according to an embodiment of the present disclosure;
Fig. 8 is a block diagram of another request message processing apparatus according to an embodiment of the present disclosure;
Fig. 9 is a block diagram of another request message processing apparatus according to an embodiment of the present disclosure;
Fig. 10 is a block diagram of an electronic device according to an embodiment of the disclosure.
Detailed Description
The technical solutions in the embodiments of the present disclosure will be clearly and completely described below with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are only a part of the embodiments of the present disclosure, and not all of the embodiments. All other embodiments that can be derived from the disclosure by one of ordinary skill in the art based on the embodiments in the disclosure are intended to be within the scope of the disclosure.
In the related art, when cross-domain communication is implemented through the SEPP, the identity information of the SEPP can be stolen by a malicious attacker, causing the request information of the cross-domain request to leak. Also, when the configuration information of the SEPP is changed, the SEPP may not be able to respond to a cross-domain request of the NF. The NF cannot know whether the configuration information of the SEPP has changed and still sends the cross-domain request to that SEPP, so the cross-domain request does not reach the correct SEPP and its request information is leaked. In addition, because the SEPP may not be able to respond, the NF may send the cross-domain request to it frequently, so that cross-domain requests accumulate at the SEPP and make it unavailable. That is, the related art may reduce the security of SEPP-based cross-domain communication.
To solve the above problem, an embodiment of the present disclosure provides a request message processing system, whose schematic structural diagram is shown in Fig. 1. The system includes: an NRF (Network Repository Function) 101, an NF 102, and a plurality of SEPPs 103. This embodiment is described using 2 SEPPs (i.e., SEPP 1031 and SEPP 1032) as an example.
The NF 102 sends an authentication request for the first SEPP 1031 to the NRF 101, where the authentication request carries a communication function required by the NF 102, first address information of the first SEPP 1031, and a unique identifier previously allocated to the first SEPP 1031.
When receiving the authentication request, the NRF 101 acquires the locally recorded address information corresponding to the unique identifier of the first SEPP 1031 as second address information. If the first address information is the same as the second address information, the NRF 101 acquires the current configuration information of the first SEPP 1031 as the first configuration information. If the first configuration information is different from the locally recorded second configuration information of the first SEPP 1031, the NRF 101 determines an SEPP that matches the communication function required by the NF as the second SEPP (in the present embodiment, the SEPP 1032 is used as an example); wherein the configuration information of an SEPP comprises the communication functions supported by that SEPP. The NRF 101 sends a first feedback response carrying the unique identifier of the second SEPP 1032 to the NF 102.
The NF 102, upon receiving the first feedback response sent by the NRF 101, sends a cross-domain request to the second SEPP 1032.
Based on the above processing, the NF can authenticate the identity of the first SEPP through the NRF. If the first address information of the first SEPP carried in the identity authentication request sent by the NF is the same as the second address information of the first SEPP locally recorded by the NRF, this indicates that the identity information of the first SEPP has not been stolen by a malicious attacker. This avoids the NF communicating with the first SEPP after its identity information has been stolen, which would leak the request information of the cross-domain request. The NRF can also determine whether the configuration information of the first SEPP has changed. If the current first configuration information of the first SEPP is different from the second configuration information of the first SEPP locally recorded by the NRF, the configuration information of the first SEPP has changed and the first SEPP does not support the communication function required by the NF. The NRF can then determine a second SEPP that supports the communication function required by the NF, and the NF can send the cross-domain request to the second SEPP. This avoids both the leakage of request information caused by the NF sending the cross-domain request to an incorrect SEPP and the unavailability of the incorrect SEPP caused by the NF frequently sending cross-domain requests to it. That is, the request message processing method provided by the embodiment of the present disclosure can improve the security of SEPP-based cross-domain communication.
Referring to fig. 2, fig. 2 is a flowchart of a request message processing method provided in an embodiment of the present disclosure, where the method is applied to a request message processing system, and the system includes: NRF, NF, and a plurality of SEPPs.
S201: the NF sends an authentication request for the first SEPP to the NRF.
The identity authentication request carries a communication function required by the NF, first address information of the first SEPP and a unique identifier pre-allocated to the first SEPP.
S202: when receiving the authentication request, the NRF acquires the locally recorded address information corresponding to the unique identifier of the first SEPP as second address information.
S203: the NRF acquires the current configuration information of the first SEPP as the first configuration information in the case where the first address information is the same as the second address information.
The configuration information of an SEPP comprises the communication functions supported by that SEPP.
S204: the NRF determines, as the second SEPP, an SEPP matching the communication function required by the NF based on the respective configuration information of the locally recorded SEPPs, when the first configuration information is different from the second configuration information of the locally recorded first SEPP.
S205: the NRF sends a first feedback response carrying the unique identifier of the second SEPP to the NF.
S206: the NF sends a cross-domain request to the second SEPP when receiving the first feedback response sent by the NRF.
With the request message processing method provided by the embodiment of the disclosure, the NF may perform identity authentication on the first SEPP through the NRF. If the first address information of the first SEPP carried in the identity authentication request sent by the NF is the same as the second address information of the first SEPP locally recorded by the NRF, this indicates that the identity information of the first SEPP has not been stolen by a malicious attacker. This avoids the problem of the NF communicating with the first SEPP after its identity information has been stolen by a malicious attacker, which would leak the request information of the cross-domain request. The NRF may also determine whether the configuration information of the first SEPP has changed. If the current first configuration information of the first SEPP is different from the second configuration information of the first SEPP locally recorded by the NRF, this indicates that the configuration information of the first SEPP has changed and that the first SEPP does not support the communication function required by the NF. The NRF may then determine the second SEPP that supports the communication function required by the NF, and the NF may send a cross-domain request to the second SEPP. This avoids both the leakage of request information that results from the NF sending the cross-domain request to an incorrect SEPP, and the incorrect SEPP becoming unavailable because the NF frequently sends cross-domain requests to it. That is, the request message processing method provided by the embodiment of the present disclosure can improve the security of cross-domain communication based on SEPP.
For step S201, in the 3GPP standard of the 5G network, each PLMN includes: NF, NRF, SEPP, etc. The communication between NFs in one PLMN and NFs in another PLMN is cross-domain communication. The SEPP is used as an intermediary for inter-operator roaming, is located at the boundary of different PLMNs, and is a border gateway between control planes of the operator core networks. The SEPP is a non-transparent proxy that enables secure communication between network function service consumers and network function service providers in a cross-carrier network.
For each PLMN, when the NF in the PLMN needs to perform cross-domain communication with NFs in other PLMNs, the NF may determine an SEPP (i.e., a first SEPP in the embodiment of the present disclosure) in the PLMN, which is capable of performing cross-domain communication with NFs in other PLMNs, so as to perform cross-domain communication with NFs in other PLMNs through the first SEPP.
In order to improve the security of the SEPP-based cross-domain communication, the NF may send an authentication request for the first SEPP to the NRF, to request the NRF to authenticate the first SEPP, to determine whether the identity information of the first SEPP is stolen by a malicious attacker, and to determine whether the configuration information of the first SEPP is changed.
The identity authentication request carries a communication function required by the NF, first address information of the first SEPP and a unique identifier pre-allocated to the first SEPP.
The communication function required by the NF indicates information related to other PLMNs that the NF needs to perform cross-domain communication, for example, SEPP and NF in other PLMNs that the NF needs to perform cross-domain communication.
The first address information of the first SEPP is address information of the first SEPP locally recorded by the NF, for example, an IP (Internet Protocol) address, a MAC (Media Access Control) address, and the like of the first SEPP.
The unique identifier pre-allocated to the first SEPP may be a number assigned to the first SEPP in advance; the unique identifier is used to uniquely identify the first SEPP.
In some embodiments, the authentication request further carries other request parameters, for example, an ID (identification) of the NF, an ID of the NRF, an ID of the vPLMN (i.e., a unique identifier of a PLMN to which the NF belongs), an identifier, a source address (i.e., an address of the NF), a destination address (i.e., an address of the NRF), and the like. The identifier is a custom field and is used for adding custom information according to requirements. The ID of NF is the unique identification of NF, and the ID of NRF is the unique identification of NRF.
For step S202, when receiving an authentication request for a first SEPP sent by the NF, the NRF may extract the unique identifier of the first SEPP carried in the authentication request, and obtain locally recorded address information (i.e., second address information) corresponding to the unique identifier of the first SEPP, where the second address information is the address information of the first SEPP recorded by the NRF.
In some embodiments, when accessing the network, the NF sends registration information of the NF to an NRF in the PLMN to which the NF belongs, and the NRF records a correspondence between the NF registration information and a unique identifier of the NF. The registration information of the NF includes a unique identifier of the NF, address information, configuration information, and the like. When the SEPP is accessed to the network, the registration information of the SEPP is sent to the NRF in the PLMN to which the SEPP belongs, and the NRF records the corresponding relation between the registration information of the SEPP and the unique identifier. The registration information of the SEPP includes a unique identifier of the SEPP, address information, configuration information, a public key, and the like.
For step S203, the NRF may compare the first address information carried in the authentication request with the locally recorded second address information, and if the first address information is the same as the second address information, which indicates that the identity information of the first SEPP is not stolen by a malicious attacker, the NF may communicate with the first SEPP.
The NRF may continue to determine whether the configuration information of the first SEPP has changed. The NRF may retrieve the current configuration information of the first SEPP. The configuration information of an SEPP contains the communication functions supported by that SEPP. For example, the configuration information of the first SEPP comprises: the unique identifiers of the NFs and SEPPs in its own PLMN with which the first SEPP is capable of communicating, and the unique identifiers of the NFs and SEPPs in other PLMNs with which the first SEPP is capable of communicating.
In some embodiments, on the basis of fig. 2, referring to fig. 3, step S203 may include the steps of:
S2031: in the case that the first address information is the same as the second address information, the NRF sends an information acquisition request to the first SEPP, so that the first SEPP, upon receiving the information acquisition request, sends its current configuration information to the NRF.
S2032: the NRF receives the current configuration information sent by the first SEPP as the first configuration information.
In one implementation, upon determining that the identity information of the first SEPP has not been stolen by a malicious attacker, the NRF may send an information acquisition request to the first SEPP to acquire the current configuration information (i.e., the first configuration information) of the first SEPP. The first SEPP may send its current first configuration information to the NRF upon receiving the information acquisition request. Accordingly, the NRF may receive the current first configuration information sent by the first SEPP.
In some embodiments, after step S203, the method may further include the steps of: the NRF locally records the corresponding relation between the unique identifier of the first SEPP and the first configuration information, and deletes the second configuration information.
When the NRF acquires the current first configuration information of the first SEPP, the NRF may also locally record the correspondence between the unique identifier of the first SEPP and the first configuration information, and delete the second configuration information, so as to update the recorded configuration information of the first SEPP.
In some embodiments, if the first address information is not the same as the second address information, indicating that the identity information of the first SEPP was stolen by a malicious attacker, the NRF may send a third feedback response to the NF. When the NF receives the third feedback response, it may be determined that the identity information of the first SEPP is stolen by a malicious attacker, and subsequently, cross-domain communication based on the first SEPP may not be performed, which may improve the security of the cross-domain communication based on the SEPP.
The NF may re-determine the SEPP that supports the currently required communication function (which may be referred to as a third SEPP). For example, the NF may obtain the configuration information of each SEPP in the PLMN to which the NF belongs from the NRF, and re-determine the third SEPP that supports the currently required communication function based on the configuration information of each SEPP. Further, the NF may communicate across domains via a third SEPP.
For step S204 and step S205, the locally recorded second configuration information of the first SEPP may be the configuration information that the NRF obtained when the first SEPP registered, or the configuration information that the NRF obtained when the first SEPP was last authenticated.
The NRF may compare the first configuration information with the locally recorded second configuration information, and if the first configuration information is different from the second configuration information, which indicates that the configuration information of the first SEPP is changed, the first SEPP does not support the communication function required by the NF, that is, the first SEPP cannot respond to the cross-domain request of the NF.
In order to implement cross-domain communication between the NF and NFs in other PLMNs, the NRF may search the configuration information of each SEPP recorded locally, and determine, according to the configuration information, an SEPP (i.e., a second SEPP) that supports a communication function required by the NF. And further, sending a first feedback response carrying the unique identifier of the second SEPP to the NF.
The first feedback response carries: the ID of the NRF, the ID of the second SEPP, the address information of the second SEPP, the response content, the source address (i.e., the address of the NRF), the destination address (i.e., the address of the NF). The response content represents configuration information of the second SEPP. The ID of the SEPP is the unique identification of the SEPP.
For example, the second configuration information of the first SEPP includes: the first SEPP performs cross-domain communication with NF1 in the designated PLMN through SEPP1 in the designated PLMN, and the first configuration information comprises: the first SEPP communicates across domains with the NF2 in the specified PLMN through SEPP2 in the specified PLMN. The required communication functions of the NF are: cross-domain communication with NF1 in the designated PLMN. The first configuration information is different from the second configuration information, and indicates that the configuration information of the first SEPP is changed, the first SEPP does not support cross-domain communication with the NF1 in the specified PLMN, the first SEPP cannot forward a cross-domain request of the NF to the SEPP1 in the specified PLMN, and forward the cross-domain request to the NF1 in the specified PLMN through the SEPP1 in the specified PLMN, that is, the first SEPP cannot respond to the cross-domain request of the NF.
The NRF may look up the configuration information of each SEPP recorded locally and determine, based on the configuration information, the SEPP (i.e., the second SEPP) that supports communication with the NF1 in the specified PLMN. Further, the NRF may send a first feedback response to the NF carrying the unique identifier of the second SEPP.
For step S206, when receiving the first feedback response sent by the NRF, the NF may obtain the unique identifier of the second SEPP carried in the first feedback response, and determine that the second SEPP is an SEPP supporting the communication function currently required by the NF. Further, the NF may send a cross-domain request to the second SEPP to perform cross-domain communication with NFs in other PLMNs through the second SEPP.
In some embodiments, on the basis of fig. 2, referring to fig. 4, step S206 may include the steps of:
S2061: when the NF receives the first feedback response sent by the NRF, the NF encrypts the service information of the NF based on the public key of the second SEPP to obtain the cross-domain request.
S2062: the NF sends a cross-domain request to the second SEPP so that the second SEPP decrypts the received cross-domain request based on the private key of the second SEPP, and discards the cross-domain request under the condition that the decryption of the cross-domain request fails; and forwarding the cross-domain request under the condition that the decryption of the cross-domain request is successful.
In one implementation, the NF may obtain the public key of the second SEPP of the local record.
In another implementation, the NF may also send a public key acquisition request for the second SEPP to the NRF. The NRF, upon receiving the public key acquisition request, may then send the public key of the second SEPP to the NF. The NF may receive the public key of the second SEPP sent by the NRF.
The NF may encrypt service information of the NF based on a public key of the second SEPP to obtain the cross-domain request. In turn, the NF may send a cross-domain request to the second SEPP.
The request parameters of the cross-domain request sent to the second SEPP may further include: the ID of the NF, the ID of the second SEPP, the request mode, the request content, the identifier, the source address (i.e., the address of the NF), the destination address (i.e., the address of the second SEPP), etc. The request content includes the service information requested by the cross-domain request and the communication function required by the NF. The request mode indicates the mode in which the NF requests the service information, for example, a POST (send) request or a GET (obtain) request. The identifier is a custom field used for adding custom information as required.
The second SEPP, upon receiving the cross-domain request, may decrypt the cross-domain request based on a private key of the second SEPP. If decryption of the cross-domain request fails, indicating that the second SEPP is not the SEPP used to receive the cross-domain request, the second SEPP may discard the cross-domain request.
If the decryption of the cross-domain request is successful, which indicates that the second SEPP is the SEPP for receiving the cross-domain request, the second SEPP may determine SEPPs in other PLMNs where the NF needs to perform cross-domain communication, and forward the decrypted cross-domain request to SEPPs in other PLMNs, so that the SEPPs in other PLMNs forward the decrypted cross-domain request to the NF in the PLMN to which the SEPPs belong.
In some embodiments, the second SEPP may also modify the communication functions required by the NF in the requested content upon determining that the communication functions required by the NF have changed.
For example, the communication function required by the NF is: communicating with the SEPP1 in the designated PLMN through the first SEPP, and performing cross-domain communication with the NF1 in the designated PLMN through the SEPP1. Because the configuration information of the first SEPP has changed, the first SEPP does not support communication with the SEPP1 in the designated PLMN. The second SEPP supports communication with the SEPP1 in the designated PLMN. The second SEPP may then modify the communication function required by the NF in the request content to: communicating with the SEPP1 in the designated PLMN through the second SEPP, and performing cross-domain communication with the NF1 in the designated PLMN through the SEPP1.
In some embodiments, after step S201, the method may further include the following step: when the NF receives the first feedback response sent by the NRF, the NF locally records the correspondence between the unique identifier of the second SEPP and the communication function required by the NF.
When the NF receives the first feedback response sent by the NRF, the NF may determine that the second SEPP is an SEPP supporting the communication function currently required by the NF, and then the NF may locally record the correspondence between the unique identifier of the second SEPP and the communication function required by the NF. Subsequently, the NF may perform cross-domain communication with NFs in other PLMNs through the second SEPP based on the correspondence between the locally recorded unique identifier of the second SEPP and the communication function required by the NF.
In one implementation, before step S206, the method may further include the steps of: the NF encrypts service information of the NF based on a public key of the first SEPP to obtain a cross-domain request, and sends the cross-domain request to the first SEPP so that the first SEPP decrypts the received cross-domain request based on a private key of the first SEPP, and the cross-domain request is discarded under the condition that the decryption of the cross-domain request fails; and forwarding the cross-domain request under the condition that the decryption of the cross-domain request is successful.
The request parameters of the cross-domain request sent to the first SEPP may include: the ID of the NF, the ID of the first SEPP, the request mode, the request content, the identifier, the source address (i.e., the address of the NF), the destination address (i.e., the address of the first SEPP), etc. The request content includes the service information requested by the cross-domain request and the communication function required by the NF, and the request mode indicates the mode in which the NF requests the service information. The identifier is a custom field used for adding custom information as required.
In order to save the time for performing cross-domain communication, the NF may encrypt the service information requested by the NF based on the public key of the first SEPP to obtain a cross-domain request. The NF, when sending an authentication request to the NRF for the first SEPP, may also send a cross-domain request to the first SEPP.
The first SEPP, upon receiving the cross-domain request, may decrypt the cross-domain request based on a private key of the first SEPP. If decryption of the cross-domain request fails, indicating that the first SEPP is not the SEPP used to receive the cross-domain request, the first SEPP may discard the cross-domain request.
If the decryption of the cross-domain request is successful, which indicates that the first SEPP is an SEPP for receiving the cross-domain request, the first SEPP may determine SEPPs in other PLMNs where the NF needs to perform cross-domain communication, and forward the decrypted cross-domain request to SEPPs in other PLMNs, so that the SEPPs in other PLMNs forward the decrypted cross-domain request to the NF in the affiliated PLMN.
Based on the above processing, the NF does not need to wait for the NRF to authenticate the first SEPP before sending the cross-domain request to the first SEPP, so the time for performing the cross-domain communication can be saved and the delay of the NF's cross-domain communication can be reduced. In addition, the cross-domain request is obtained by the NF encrypting the service information. If the identity information of the first SEPP has been stolen by a malicious attacker, then even if the cross-domain request is sent to the malicious attacker, the attacker cannot acquire the private key of the first SEPP and therefore cannot decrypt the cross-domain request. This avoids the leakage of request information that would result from sending the cross-domain request to the first SEPP after its identity information has been stolen by a malicious attacker, and improves the security of the cross-domain communication based on the SEPP.
In another implementation, after step S203, the method may further include the steps of: in case the first configuration information is the same as the second configuration information, the NRF sends a second feedback response to the NF to let the NF confirm that the first SEPP is authenticated. Wherein the second feedback response indicates that the first SEPP is authenticated.
The second feedback response carries: the ID of the NRF, a confirmation parameter, the source address (i.e., the address of the NRF), and the destination address (i.e., the address of the NF). The confirmation parameter indicates that the first SEPP is authenticated.
If the first configuration information is the same as the second configuration information, which indicates that the configuration information of the first SEPP is not changed, the first SEPP supports the communication function required by the NF, and the NRF may send a second feedback response to the NF, so that the NF confirms that the first SEPP passes the authentication.
Accordingly, when the NF receives the second feedback response, it may determine that the first SEPP is an SEPP supporting the communication function currently required by the NF. If a cross-domain request has already been sent to the first SEPP, the NF may perform no further processing.
If the cross-domain request is not sent to the first SEPP, the NF may encrypt the service information requested by the NF based on the public key of the first SEPP to obtain the cross-domain request, and send the cross-domain request to the first SEPP, so that the first SEPP processes the received cross-domain request.
Based on the above processing, the NF sends the cross-domain request to the first SEPP after determining that the first SEPP passes the authentication, which can avoid the problem of leakage of request information of the cross-domain request caused by sending the cross-domain request to the first SEPP under the condition that the first SEPP does not pass the authentication, and improve the security of the cross-domain communication based on the SEPP.
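The NRF-side decision in steps S202 to S205, together with the second and third feedback responses described above, can be sketched as follows. This is an added example, not code from the patent; the class and function names, the tuple encoding of a communication function, the constructed addresses and identifiers, the fail-closed handling of an unknown identifier and the "no_match" outcome are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple

# Assumption: a "communication function" is modelled as
# (peer PLMN, peer SEPP, peer NF); the page does not fix an encoding.
Function = Tuple[str, str, str]
Config = FrozenSet[Function]

@dataclass
class SeppRecord:
    address: str   # address information recorded by the NRF at registration
    config: Config # recorded ("second") configuration information

@dataclass
class AuthRequest:
    sepp_id: str                 # unique identifier of the first SEPP
    first_address: str           # address of the first SEPP as known to the NF
    required_function: Function  # communication function required by the NF

@dataclass
class Feedback:
    kind: str                    # "first", "second", "third" or "no_match"
    sepp_id: Optional[str] = None

class Nrf:
    def __init__(self, registry: Dict[str, SeppRecord],
                 fetch_config: Callable[[str], Config]):
        self.registry = dict(registry)
        self.fetch_config = fetch_config  # stands in for S2031/S2032

    def authenticate(self, req: AuthRequest) -> Feedback:
        record = self.registry.get(req.sepp_id)  # S202: look up second address
        # Address mismatch -> third feedback response. An unknown identifier
        # is treated the same way (assumption: fail closed).
        if record is None or record.address != req.first_address:
            return Feedback("third")
        first_config = self.fetch_config(req.sepp_id)  # S203
        second_config = record.config
        # Record the first configuration and drop the second one.
        self.registry[req.sepp_id] = SeppRecord(record.address, first_config)
        if first_config == second_config:
            return Feedback("second", req.sepp_id)     # first SEPP authenticated
        # S204: search the recorded configurations for a matching SEPP.
        for sepp_id in sorted(self.registry):
            if req.required_function in self.registry[sepp_id].config:
                return Feedback("first", sepp_id)      # S205
        return Feedback("no_match")  # case not described on the page

def nf_select_target(req: AuthRequest, fb: Feedback,
                     cache: Dict[Function, str]) -> Optional[str]:
    """NF side: choose the SEPP for the cross-domain request (S206)."""
    if fb.kind == "first":
        cache[req.required_function] = fb.sepp_id  # record the correspondence
        return fb.sepp_id
    if fb.kind == "second":
        return req.sepp_id
    return None  # third response or no match: do not use the first SEPP

# Constructed sample data mirroring the NF1/NF2 example in the text.
NF1_VIA_SEPP1: Function = ("PLMN-B", "SEPP1", "NF1")
NF2_VIA_SEPP2: Function = ("PLMN-B", "SEPP2", "NF2")

def build_nrf(current: Dict[str, Config]) -> Nrf:
    registry = {
        "cSEPP1": SeppRecord("10.0.0.11", frozenset({NF1_VIA_SEPP1})),
        "cSEPP2": SeppRecord("10.0.0.12", frozenset({NF1_VIA_SEPP1})),
    }
    # A missing key raises KeyError, which proves the configuration is never
    # fetched when the address check fails.
    return Nrf(registry, lambda sepp_id: current[sepp_id])

def run_scenarios() -> Dict[str, Tuple[str, Optional[str]]]:
    cases = {
        "changed": ({"cSEPP1": frozenset({NF2_VIA_SEPP2})}, "10.0.0.11"),
        "unchanged": ({"cSEPP1": frozenset({NF1_VIA_SEPP1})}, "10.0.0.11"),
        "address_mismatch": ({}, "10.0.0.99"),
    }
    results = {}
    for name, (current, nf_view_of_address) in cases.items():
        req = AuthRequest("cSEPP1", nf_view_of_address, NF1_VIA_SEPP1)
        fb = build_nrf(current).authenticate(req)
        results[name] = (fb.kind, nf_select_target(req, fb, {}))
    return results

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```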
Referring to fig. 5, fig. 5 is a flowchart of a request message processing method according to an embodiment of the present disclosure.
For each PLMN, when the NF in the PLMN sends a cross-domain request to the NFs in other PLMNs, that is, the PLMN is a requester, the NF in the PLMN may be referred to as cNF, the NRF in the PLMN may be referred to as cNRF, and the SEPP in the PLMN may be referred to as cSEPP. When the NFs in other PLMNs send a cross-domain request to the NF in the PLMN, that is, the PLMN is a recipient, the NF in the PLMN may be referred to as pNF, the NRF in the PLMN may be referred to as pNRF, and the SEPP in the PLMN may be referred to as pSEPP.
The vPLMN is a PLMN which needs to perform cross-domain communication with other PLMNs, and includes cNF, cNRF, cSEPP1, and cSEPP 2.
The cNF, cSEPP1, and cSEPP2 send registration information containing configuration information to the cNRF when accessing the network. The cNRF stores the configuration information of cNF and the cSEPPs. That is, the cNRF stores the registration information of cNF and the cSEPPs.
cNF sends a cSEPP1 ping request to the cNRF and at the same time sends a cross-domain roaming request (i.e., cross-domain request) to the cSEPP instance 1 (i.e., cSEPP1) in the original cache table. That is, cNF sends an authentication request for the cSEPP1 to the cNRF while sending a cross-domain request to the cSEPP1.
The cNRF checks whether the information of cSEPP instance 1 is consistent with what was previously recorded. That is, in the case where the first address information and the second address information of the cSEPP1 are the same, the cNRF obtains the current first configuration information of the cSEPP1 and determines whether it is consistent with the locally recorded second configuration information of the cSEPP1.
The cNRF responds with the correct SEPP information when the configuration information of cSEPP instance 1 has changed, and sends corresponding feedback information when it has not changed. That is, when the first configuration information is different from the second configuration information, the cNRF sends cNF a first feedback response carrying the unique identifier of the cSEPP2. When the first configuration information is the same as the second configuration information, the cNRF sends cNF a second feedback response indicating that the cSEPP1 passed authentication.
cNF sends a cross-domain roaming request to the correct cSEPP instance 2 and updates its local SEPP instance information cache table. That is, upon receiving the first feedback response sent by the cNRF, cNF sends a cross-domain request to the cSEPP2 and locally records the correspondence between the unique identifier of the cSEPP2 and the communication function required by cNF.
The cSEPP instance 2 (i.e., cSEPP2) views or modifies the request. That is, the cSEPP2, upon receiving the cross-domain request, can decrypt the received cross-domain request based on the private key of the cSEPP2. If the cross-domain request is decrypted successfully, the cSEPP2 may determine the pSEPP in the other PLMN with which cNF needs to perform cross-domain communication, and forward the decrypted cross-domain request to that pSEPP, so that the pSEPP forwards the decrypted cross-domain request to the pNF in the PLMN to which the pSEPP belongs. Alternatively, the cSEPP2 may modify the communication function required by cNF in the request content of the cross-domain request and forward the modified cross-domain request to the pSEPP in the other PLMN, so that the pSEPP forwards the modified cross-domain request to the pNF in the PLMN to which it belongs.
Based on the above processing, the NF may perform identity check on the SEPP through the NRF, and determine whether the configuration information of the SEPP is changed, and when the configuration information of the SEPP is not changed, process the request according to the established flow; when the configuration information of the SEPP is changed, so that the cross-domain request cannot be correctly processed, the NF retransmits the cross-domain request to the correct SEPP according to the feedback response of the NRF, and in the process, the confidentiality of the request information of the cross-domain request and the availability of the SEPP can be effectively guaranteed without any participation of the original SEPP, a secret controllable communication process is constructed, and the safety of the 5G network is protected.
Referring to fig. 6, fig. 6 is a flowchart of a request message processing method according to an embodiment of the present disclosure.
cNF and the cSEPP send registration information to the NRF when accessing the network. The NRF stores the configuration information of cNF and the cSEPP. That is, the NRF stores the registration information of cNF and the cSEPP.
cNF sends a cSEPP1 challenge request to the NRF, and at the same time cNF sends a cross-domain request, encrypted with the public key of the cSEPP1, to the cSEPP1. That is, cNF sends an authentication request for the cSEPP1 to the NRF while sending a cross-domain request encrypted with the public key of the cSEPP1 to the cSEPP1.
The NRF checks whether the identity information and the configuration information of the cSEPP1 are changed, that is, the NRF determines whether the first address information and the second address information of the cSEPP1 are the same, acquires the current first configuration information of the cSEPP1 in the case that the first address information and the second address information of the cSEPP1 are the same, and determines whether the current first configuration information of the cSEPP1 is the same as the second configuration information of the locally recorded cSEPP 1.
When the configuration information of the cSEPP1 has changed, the NRF feeds back the correct cSEPP2 instance information to cNF. That is, when the first configuration information is different from the second configuration information, the NRF sends cNF a first feedback response carrying the unique identifier of the cSEPP2. When the configuration information of the cSEPP1 has not changed, the NRF sends corresponding feedback information. That is, when the first configuration information is the same as the second configuration information, the NRF sends cNF a second feedback response indicating that the cSEPP1 passes the authentication.
cNF sends a cross-domain request, encrypted with the public key of the cSEPP2, to the correct cSEPP2. That is, cNF sends a cross-domain request encrypted with the public key of the cSEPP2 to the cSEPP2.
cNF updates its cached information about the cSEPP. That is, upon receiving the first feedback response sent by the NRF, cNF locally records the correspondence between the unique identifier of the cSEPP2 and the communication function required by cNF.
The cSEPP2 sends the cross-domain request to the pSEPP. That is, the cSEPP2, upon receiving the cross-domain request, decrypts the received cross-domain request based on the private key of the cSEPP2. If the cross-domain request is decrypted successfully, the cSEPP2 may determine the pSEPP in the other PLMN with which cNF needs to perform cross-domain communication, and forward the decrypted cross-domain request to that pSEPP, so that the pSEPP forwards the decrypted cross-domain request to the pNF in the PLMN to which the pSEPP belongs.
The cSEPP1 determines whether the request information can be viewed. That is, the cSEPP1, upon receiving the cross-domain request, decrypts the received cross-domain request based on the private key of the cSEPP1. If decryption of the cross-domain request fails, the cSEPP1 discards the cross-domain request. The cSEPP1 decrypts the request using the private key to view or modify the request. That is, if decryption of the cross-domain request is successful, the cSEPP1 may modify the communication function required by cNF in the request content of the cross-domain request.
Based on the above processing, the NF can authenticate the SEPP through the NRF, determine whether the configuration information of the SEPP is changed, and perform corresponding processing according to the determination result, thereby detecting the authenticity and availability of the communication recipient (i.e., SEPP). After receiving the request of the NF, the NRF confirms the identity and the state of the SEPP by verifying the identity information and the configuration information of the SEPP, and ensures the reliability and the availability of a request receiving party. When the configuration information of the SEPP is changed, the information is fed back to NF only through NRF, the SEPP does not need any operation, and the utilization rate of network resources can be improved. And the identity authentication request and the cross-domain request are both sent by the NF, the process is simple, the resource consumption is low, the NF encrypts the cross-domain request, and after the SEPP receives the cross-domain request sent by the NF, the SEPP can decrypt the cross-domain request to read the request content if and only if the SEPP is a correct receiver.
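The NRF-side decision and the NF-side cache update described above, as an added Python example (not code from the patent). The class and field names, the `address_mismatch` and `no_match` outcomes, the function names `funcA`/`funcB` and the 192.0.2.x addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class SeppRecord:
    address: str               # address on record at the NRF ("second address information")
    functions: FrozenSet[str]  # recorded supported functions ("second configuration information")


@dataclass(frozen=True)
class Feedback:
    kind: str                  # "first", "second", "address_mismatch" or "no_match"
    sepp_id: Optional[str] = None


class Nrf:
    def __init__(self, registry: Dict[str, SeppRecord],
                 fetch_config: Callable[[str], Iterable[str]]):
        self.registry = dict(registry)
        # Stands in for the information acquisition request sent to the SEPP.
        self.fetch_config = fetch_config

    def authenticate(self, required: str, sepp_id: str, first_address: str) -> Feedback:
        record = self.registry.get(sepp_id)
        # Identity check: address claimed by the NF vs. address recorded for this identifier.
        if record is None or record.address != first_address:
            # Assumption: this section of the page does not name the response for this case.
            return Feedback("address_mismatch")

        # Configuration check: current (first) vs. recorded (second) configuration.
        first_config = frozenset(self.fetch_config(sepp_id))
        if first_config == record.functions:
            return Feedback("second", sepp_id)      # SEPP passes authentication

        # Configuration changed: record the new configuration, drop the old one.
        self.registry[sepp_id] = SeppRecord(record.address, first_config)

        # Pick a recorded SEPP that supports the function the NF needs.
        for candidate_id in sorted(self.registry):
            if required in self.registry[candidate_id].functions:
                return Feedback("first", candidate_id)
        return Feedback("no_match")                 # assumption: not covered by the page


class Nf:
    def __init__(self, nrf: Nrf, required: str):
        self.nrf = nrf
        self.required = required
        self.cache: Dict[str, str] = {}  # required function -> SEPP unique identifier

    def resolve(self, sepp_id: str, address: str) -> Optional[str]:
        """Return the identifier of the SEPP that should receive the cross-domain request."""
        fb = self.nrf.authenticate(self.required, sepp_id, address)
        if fb.kind == "first":
            self.cache[self.required] = fb.sepp_id  # remember the corrected SEPP
            return fb.sepp_id
        if fb.kind == "second":
            return sepp_id
        return None                                  # do not send the request anywhere


def build_demo():
    """Constructed sample data: cSEPP1 no longer supports funcA, cSEPP2 does."""
    recorded = {
        "cSEPP1": SeppRecord("192.0.2.1", frozenset({"funcA"})),
        "cSEPP2": SeppRecord("192.0.2.2", frozenset({"funcA"})),
    }
    live = {"cSEPP1": {"funcB"}, "cSEPP2": {"funcA"}}
    nrf = Nrf(recorded, lambda sepp_id: live[sepp_id])
    return nrf, Nf(nrf, "funcA")


if __name__ == "__main__":
    nrf, nf = build_demo()
    print("send cross-domain request to:", nf.resolve("cSEPP1", "192.0.2.1"))
    print("NF cache:", nf.cache)
```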
Corresponding to the method embodiment of fig. 2, referring to fig. 7, fig. 7 is a block diagram of a request message processing apparatus provided in an embodiment of the present disclosure, where the apparatus is applied to an NRF in a request message processing system, and the apparatus includes:
a receiving module 701, configured to receive an identity authentication request sent by an NF; the identity authentication request carries a communication function required by the NF, first address information of a first SEPP and a unique identifier pre-allocated to the first SEPP;
a first obtaining module 702, configured to obtain locally recorded address information corresponding to the unique identifier of the first SEPP, as second address information;
a second obtaining module 703, configured to obtain, when first address information is the same as the second address information, current configuration information of the first SEPP as first configuration information; wherein the configuration information of one SEPP comprises communication functions supported by the first SEPP;
a determining module 704, configured to determine, based on respective configuration information of each locally recorded SEPP, an SEPP that matches a communication function required by the NF as a second SEPP, when the first configuration information is different from second configuration information of the first SEPP that is locally recorded;
a first sending module 705, configured to send a first feedback response carrying the unique identifier of the second SEPP to the NF, so that the NF sends a cross-domain request to the second SEPP when receiving the first feedback response.
In some embodiments, the second obtaining module 703 is specifically configured to send an information obtaining request to the first SEPP, so that when the first SEPP receives the information obtaining request, the first SEPP sends the current configuration information of the first SEPP to the NRF;
and receiving the current configuration information sent by the first SEPP as first configuration information.
In some embodiments, the apparatus further comprises:
an updating module, configured to, after the second obtaining module 703 receives the current configuration information sent by the first SEPP as the first configuration information, locally record a correspondence between the unique identifier of the first SEPP and the first configuration information, and delete the second configuration information.
In some embodiments, the apparatus further comprises:
a second sending module, configured to, after the second obtaining module 703 obtains the current configuration information of the first SEPP as the first configuration information, send a second feedback response to the NF when the first configuration information is the same as the second configuration information, so that the NF confirms that the first SEPP passes the authentication; wherein the second feedback response indicates that the first SEPP is authenticated.
With the request message processing apparatus provided by the embodiment of the present disclosure, the NF can perform identity authentication on the first SEPP through the NRF. If the first address information of the first SEPP carried in the identity authentication request sent by the NF is the same as the second address information of the first SEPP locally recorded by the NRF, this indicates that the identity information of the first SEPP has not been stolen by a malicious attacker, which avoids the problem that the request information of the cross-domain request is leaked because the NF communicates with the first SEPP when the identity information of the first SEPP has been stolen by a malicious attacker. The NRF may also determine whether the configuration information of the first SEPP has changed. If the current first configuration information of the first SEPP is different from the second configuration information of the first SEPP recorded locally by the NRF, this indicates that the configuration information of the first SEPP has changed and the first SEPP does not support the communication function required by the NF. The NRF may then determine the second SEPP supporting the communication function required by the NF, and the NF may send a cross-domain request to the second SEPP. This avoids the problem that the request information of the cross-domain request is leaked because the NF sends the cross-domain request to an incorrect SEPP, and the problem that the incorrect SEPP becomes unavailable because the NF frequently sends cross-domain requests to it. That is, the request message processing method provided by the embodiment of the present disclosure can improve the security of cross-domain communication based on SEPP.
Corresponding to the method embodiment of fig. 2, referring to fig. 8, fig. 8 is a structural diagram of a request message processing apparatus provided in an embodiment of the present disclosure, where the apparatus is applied to an NF in a request message processing system, and the apparatus includes:
a first sending module 801, configured to send an authentication request for the first SEPP to the NRF; the identity authentication request carries a communication function required by the NF, first address information of the first SEPP and a unique identifier pre-allocated to the first SEPP, so that when the NRF receives the identity authentication request, the NRF acquires locally recorded address information corresponding to the unique identifier of the first SEPP as second address information; under the condition that first address information is the same as the second address information, acquiring current configuration information of the first SEPP, wherein the current configuration information is used as first configuration information; determining an SEPP matched with a communication function required by the NF as a second SEPP based on the respective configuration information of the locally recorded SEPPs under the condition that the first configuration information is different from the second configuration information of the locally recorded first SEPP; wherein the configuration information of one SEPP comprises communication functions supported by the first SEPP; sending a first feedback response carrying the unique identifier of the second SEPP to the NF;
a second sending module 802, configured to send a cross-domain request to the second SEPP when receiving the first feedback response sent by the NRF.
In some embodiments, the second sending module 802 is specifically configured to, when receiving the first feedback response sent by the NRF, encrypt the service information of the NF based on the public key of the second SEPP to obtain a cross-domain request;
sending the cross-domain request to the second SEPP so that the second SEPP decrypts the received cross-domain request based on a private key of the second SEPP, and discarding the cross-domain request when the decryption of the cross-domain request fails; and forwarding the cross-domain request under the condition that the decryption of the cross-domain request is successful.
In some embodiments, the apparatus further comprises:
an updating module, configured to, after the first sending module 801 sends the authentication request for the first SEPP to the NRF, locally record a correspondence between the unique identifier of the second SEPP and the communication function required by the NF when receiving the first feedback response sent by the NRF.
In some embodiments, the apparatus further comprises:
a third sending module, configured to, before the second sending module 802 sends the cross-domain request to the second SEPP upon receiving the first feedback response sent by the NRF, encrypt the service information of the NF based on the public key of the first SEPP to obtain a cross-domain request, and send the cross-domain request to the first SEPP, so that the first SEPP decrypts the received cross-domain request based on the private key of the first SEPP, and discards the cross-domain request when the decryption of the cross-domain request fails; and forwarding the cross-domain request under the condition that the decryption of the cross-domain request is successful.
With the request message processing apparatus provided by the embodiment of the present disclosure, the NF can perform identity authentication on the first SEPP through the NRF. If the first address information of the first SEPP carried in the identity authentication request sent by the NF is the same as the second address information of the first SEPP locally recorded by the NRF, this indicates that the identity information of the first SEPP has not been stolen by a malicious attacker, which avoids the problem that the request information of the cross-domain request is leaked because the NF communicates with the first SEPP when the identity information of the first SEPP has been stolen by a malicious attacker. The NRF may also determine whether the configuration information of the first SEPP has changed. If the current first configuration information of the first SEPP is different from the second configuration information of the first SEPP recorded locally by the NRF, this indicates that the configuration information of the first SEPP has changed and the first SEPP does not support the communication function required by the NF. The NRF may then determine the second SEPP supporting the communication function required by the NF, and the NF may send a cross-domain request to the second SEPP. This avoids the problem that the request information of the cross-domain request is leaked because the NF sends the cross-domain request to an incorrect SEPP, and the problem that the incorrect SEPP becomes unavailable because the NF frequently sends cross-domain requests to it. That is, the request message processing method provided by the embodiment of the present disclosure can improve the security of cross-domain communication based on SEPP.
Corresponding to the method embodiment of fig. 2, referring to fig. 9, fig. 9 is a block diagram of a request message processing apparatus provided in an embodiment of the present disclosure, where the apparatus is applied to an SEPP in a request message processing system, and the apparatus includes:
a decryption module 901, configured to decrypt, when receiving a cross-domain request sent by an NF, the cross-domain request based on a private key of the SEPP; wherein the cross-domain request is: the NF encrypts the service information of the NF based on the public key of the SEPP;
a discarding module 902, configured to discard the cross-domain request if decryption of the cross-domain request fails;
a forwarding module 903, configured to forward the cross-domain request when decryption of the cross-domain request is successful.
With the request message processing apparatus provided by the embodiment of the present disclosure, the cross-domain request is obtained by the NF encrypting the service information. If a malicious attacker has stolen the identity information of the SEPP, then even if the cross-domain request is sent to the malicious attacker, the attacker cannot obtain the private key of the SEPP and therefore cannot decrypt the cross-domain request. This avoids the problem that the request information of the cross-domain request is leaked because the cross-domain request is sent to the SEPP when the identity information of the SEPP has been stolen by a malicious attacker, and improves the security of cross-domain communication based on SEPP.
The embodiment of the present disclosure further provides an electronic device, as shown in fig. 10, including a processor 1001, a communication interface 1002, a memory 1003 and a communication bus 1004, where the processor 1001, the communication interface 1002 and the memory 1003 complete mutual communication through the communication bus 1004,
a memory 1003 for storing a computer program;
the processor 1001, when executing the program stored in the memory 1003, is configured to implement the steps of the request message processing method applied to the NRF described in any of the above embodiments, or the steps of the request message processing method applied to the NF described in any of the above embodiments, or the steps of the request message processing method applied to the SEPP described in any of the above embodiments.
The communication bus mentioned in the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the electronic equipment and other equipment.
The Memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk Memory. In some embodiments, the memory may also be at least one storage device located remotely from the aforementioned processor.
The Processor may be a general-purpose Processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; but also Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components.
In still another embodiment provided by the present disclosure, a computer-readable storage medium is further provided, in which a computer program is stored, and the computer program, when executed by a processor, implements the steps of the request message processing method applied to NRF described in any of the above embodiments, or the steps of the request message processing method applied to NF described in any of the above embodiments, or the steps of the request message processing method applied to SEPP described in any of the above embodiments.
In another embodiment provided by the present disclosure, there is also provided a computer program product including instructions, which when run on a computer, cause the computer to execute the request message processing method applied to the NRF according to any one of the above embodiments, or the request message processing method applied to the NF according to any one of the above embodiments, or the request message processing method applied to the SEPP according to any one of the above embodiments.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. The procedures or functions described in accordance with the embodiments of the disclosure are, in whole or in part, generated when the computer program instructions are loaded and executed on a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website site, computer, server, or data center to another website site, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy Disk, hard Disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on differences from other embodiments. In particular, for the apparatus, system, electronic device, computer-readable storage medium, and computer program product embodiments, the description is relatively simple as it is substantially similar to the method embodiments, and reference may be made to some descriptions of the method embodiments for related points.
The above description is only for the preferred embodiment of the present disclosure, and is not intended to limit the scope of the present disclosure. Any modification, equivalent replacement, improvement or the like made within the spirit and principle of the present disclosure is included in the protection scope of the present disclosure.

Claims (21)

1. A request message processing method, which is applied to a network repository function NRF in a request message processing system, and is characterized in that the method comprises:
receiving an identity authentication request sent by a network function NF; the identity authentication request carries a communication function required by the NF, first address information of a first security edge protection proxy (SEPP), and a unique identifier pre-allocated to the first SEPP;
acquiring locally recorded address information corresponding to the unique identifier of the first SEPP as second address information;
under the condition that first address information is the same as the second address information, acquiring current configuration information of the first SEPP, wherein the current configuration information is used as first configuration information; wherein the configuration information of one SEPP comprises communication functions supported by the first SEPP;
determining an SEPP matched with a communication function required by the NF as a second SEPP based on the respective configuration information of the locally recorded SEPPs under the condition that the first configuration information is different from the second configuration information of the locally recorded first SEPP;
and sending a first feedback response carrying the unique identifier of the second SEPP to the NF, so that the NF sends a cross-domain request to the second SEPP when receiving the first feedback response.
2. The method according to claim 1, wherein the obtaining the current configuration information of the first SEPP as the first configuration information comprises:
sending an information acquisition request to the first SEPP, so that the first SEPP sends the current configuration information of the first SEPP to the NRF when receiving the information acquisition request;
and receiving the current configuration information sent by the first SEPP as first configuration information.
3. The method of claim 2, wherein after said receiving the current configuration information sent by the first SEPP as the first configuration information, the method further comprises:
and locally recording the corresponding relation between the unique identifier of the first SEPP and the first configuration information, and deleting the second configuration information.
4. The method of claim 1, wherein after the obtaining the current configuration information of the first SEPP as the first configuration information, the method further comprises:
under the condition that the first configuration information is the same as the second configuration information, sending a second feedback response to the NF, so that the NF confirms that the first SEPP passes identity authentication; wherein the second feedback response indicates that the first SEPP is authenticated.
5. A method for processing a request message, the method being applied to an NF in a request message processing system, the method comprising:
sending an authentication request for the first SEPP to the NRF; the identity authentication request carries a communication function required by the NF, first address information of the first SEPP and a unique identifier pre-allocated to the first SEPP, so that when the NRF receives the identity authentication request, the NRF acquires locally recorded address information corresponding to the unique identifier of the first SEPP as second address information; under the condition that first address information is the same as the second address information, acquiring current configuration information of the first SEPP, wherein the current configuration information is used as first configuration information; determining an SEPP matched with a communication function required by the NF as a second SEPP based on the respective configuration information of the locally recorded SEPPs under the condition that the first configuration information is different from the second configuration information of the locally recorded first SEPP; wherein the configuration information of one SEPP comprises communication functions supported by the first SEPP; sending a first feedback response carrying the unique identifier of the second SEPP to the NF;
and when receiving a first feedback response sent by the NRF, sending a cross-domain request to the second SEPP.
6. The method of claim 5, wherein sending a cross-domain request to the second SEPP upon receiving the first feedback response sent by the NRF comprises:
when a first feedback response sent by the NRF is received, encrypting the service information of the NF based on the public key of the second SEPP to obtain a cross-domain request;
sending the cross-domain request to the second SEPP so that the second SEPP decrypts the received cross-domain request based on a private key of the second SEPP, and discarding the cross-domain request when the decryption of the cross-domain request fails; and forwarding the cross-domain request under the condition that the decryption of the cross-domain request is successful.
7. The method of claim 5, wherein after said sending an authentication request for the first SEPP to the NRF, the method further comprises:
and when a first feedback response sent by the NRF is received, locally recording the corresponding relation between the unique identifier of the second SEPP and the communication function required by the NF.
8. The method of claim 5, wherein prior to said sending a cross-domain request to the second SEPP upon receiving the first feedback response sent by the NRF, the method further comprises:
encrypting the service information of the NF based on the public key of the first SEPP to obtain a cross-domain request, and sending the cross-domain request to the first SEPP so that the first SEPP decrypts the received cross-domain request based on the private key of the first SEPP, and discarding the cross-domain request under the condition that the decryption of the cross-domain request fails; and forwarding the cross-domain request under the condition that the decryption of the cross-domain request is successful.
9. A request message processing method is applied to SEPP in a request message processing system, and the method comprises the following steps:
when a cross-domain request sent by NF is received, the cross-domain request is decrypted based on a private key of the SEPP; wherein the cross-domain request is: the NF encrypts the service information of the NF based on the public key of the SEPP;
discarding the cross-domain request if decryption of the cross-domain request fails;
and forwarding the cross-domain request under the condition that the decryption of the cross-domain request is successful.
10. A request message processing system, the system comprising: NRF, NF, and a plurality of SEPPs, wherein:
the NF is used for sending an authentication request aiming at a first SEPP to the NRF; the identity authentication request carries a communication function required by the NF, first address information of the first SEPP and a unique identifier pre-allocated to the first SEPP;
the NRF is used for acquiring locally recorded address information corresponding to the unique identifier of the first SEPP as second address information when the identity authentication request is received; under the condition that first address information is the same as the second address information, acquiring current configuration information of the first SEPP, wherein the current configuration information is used as first configuration information; determining an SEPP matched with a communication function required by the NF as a second SEPP based on the respective configuration information of the locally recorded SEPPs under the condition that the first configuration information is different from the second configuration information of the locally recorded first SEPP; wherein the configuration information of one SEPP comprises communication functions supported by the first SEPP; sending a first feedback response carrying the unique identifier of the second SEPP to the NF;
the NF is further used for sending a cross-domain request to the second SEPP when receiving the first feedback response sent by the NRF.
11. A request message processing apparatus, which is applied to an NRF in a request message processing system, characterized by comprising:
the receiving module is used for receiving an identity authentication request sent by the NF; the identity authentication request carries a communication function required by the NF, first address information of a first SEPP and a unique identifier pre-allocated to the first SEPP;
the first acquisition module is used for acquiring locally recorded address information corresponding to the unique identifier of the first SEPP as second address information;
a second obtaining module, configured to obtain current configuration information of the first SEPP as first configuration information when the first address information is the same as the second address information; wherein the configuration information of one SEPP comprises communication functions supported by the first SEPP;
a determining module, configured to determine, based on respective configuration information of each locally recorded SEPP, an SEPP that matches a communication function required by the NF as a second SEPP when the first configuration information is different from second configuration information of the first SEPP that is locally recorded;
a first sending module, configured to send a first feedback response carrying the unique identifier of the second SEPP to the NF, so that the NF sends a cross-domain request to the second SEPP when receiving the first feedback response.
12. The apparatus according to claim 11, wherein the second obtaining module is specifically configured to send an information acquisition request to the first SEPP, so that the first SEPP sends current configuration information of the first SEPP to the NRF when receiving the information acquisition request;
and receiving the current configuration information sent by the first SEPP as first configuration information.
13. The apparatus of claim 12, further comprising:
and the updating module is used for locally recording the corresponding relation between the unique identifier of the first SEPP and the first configuration information and deleting the second configuration information after the second acquiring module receives the current configuration information sent by the first SEPP as the first configuration information.
14. The apparatus of claim 11, further comprising:
a second sending module, configured to, after the second obtaining module performs obtaining of the current configuration information of the first SEPP as first configuration information, perform sending of a second feedback response to the NF when the first configuration information is the same as the second configuration information, so that the NF confirms that the first SEPP passes identity authentication; wherein the second feedback response indicates that the first SEPP is authenticated.
15. A request message processing apparatus, wherein the apparatus is applied to an NF in a request message processing system, and wherein the apparatus comprises:
a first sending module, configured to send an authentication request for the first SEPP to the NRF; the identity authentication request carries a communication function required by the NF, first address information of the first SEPP and a unique identifier pre-allocated to the first SEPP, so that when the NRF receives the identity authentication request, the NRF acquires locally recorded address information corresponding to the unique identifier of the first SEPP as second address information; under the condition that first address information is the same as the second address information, acquiring current configuration information of the first SEPP, wherein the current configuration information is used as first configuration information; determining an SEPP matched with a communication function required by the NF as a second SEPP based on the respective configuration information of the locally recorded SEPPs under the condition that the first configuration information is different from the second configuration information of the locally recorded first SEPP; wherein the configuration information of one SEPP comprises communication functions supported by the first SEPP; sending a first feedback response carrying the unique identifier of the second SEPP to the NF;
and a second sending module, configured to send a cross-domain request to the second SEPP when receiving the first feedback response sent by the NRF.
16. The apparatus according to claim 15, wherein the second sending module is specifically configured to, when receiving the first feedback response sent by the NRF, encrypt service information of the NF based on a public key of the second SEPP to obtain a cross-domain request;
and send the cross-domain request to the second SEPP, so that the second SEPP decrypts the received cross-domain request based on a private key of the second SEPP, discards the cross-domain request when the decryption of the cross-domain request fails, and forwards the cross-domain request when the decryption of the cross-domain request is successful.
17. The apparatus of claim 15, further comprising:
an updating module, configured to locally record the correspondence between the unique identifier of the second SEPP and the communication function required by the NF when the first feedback response sent by the NRF is received after the first sending module sends the authentication request for the first SEPP to the NRF.
18. The apparatus of claim 15, further comprising:
a third sending module, configured to, before the second sending module sends the cross-domain request to the second SEPP upon receiving the first feedback response sent by the NRF, encrypt service information of the NF based on a public key of the first SEPP to obtain a cross-domain request, and send the cross-domain request to the first SEPP, so that the first SEPP decrypts the received cross-domain request based on a private key of the first SEPP, discards the cross-domain request when the decryption of the cross-domain request fails, and forwards the cross-domain request when the decryption of the cross-domain request is successful.
19. A request message processing apparatus, wherein the apparatus is applied to an SEPP in a request message processing system, the apparatus comprising:
a decryption module, configured to decrypt a cross-domain request based on the private key of the SEPP when the cross-domain request sent by the NF is received; wherein the cross-domain request is obtained by the NF encrypting the service information of the NF based on the public key of the SEPP;
a discarding module, configured to discard the cross-domain request if decryption of the cross-domain request fails;
and a forwarding module, configured to forward the cross-domain request if decryption of the cross-domain request is successful.
20. An electronic device, characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor and the communication interface are used for realizing the communication between the processor and the memory through the communication bus;
a memory for storing a computer program;
a processor for implementing the method steps of any one of claims 1 to 4, or claims 5 to 8, or claim 9 when executing a program stored in a memory.
21. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, which computer program, when being executed by a processor, carries out the method steps of any of the claims 1-4, or claims 5-8, or claim 9.
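The NRF-side decision flow recited in claims 14 and 15, as an added example that is not part of the patent text. The function name, outcome labels and sample data are hypothetical; rejecting on an address mismatch or when no recorded SEPP matches, skipping the first SEPP as a candidate, and choosing the lowest identifier are assumptions, since the claims shown here do not state them.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class SeppRecord:
    address: str               # address information recorded locally at the NRF
    functions: FrozenSet[str]  # recorded configuration: supported communication functions


def nrf_authenticate(registry: Dict[str, SeppRecord],
                     fetch_current: Callable[[str], FrozenSet[str]],
                     sepp_id: str, first_address: str,
                     required_function: str) -> Tuple[str, Optional[str]]:
    """Return (outcome, SEPP identifier) for one identity authentication request."""
    record = registry.get(sepp_id)
    # Compare the address carried in the request with the recorded (second) address.
    if record is None or record.address != first_address:
        return ("rejected", None)  # assumption: outcome not stated in the claims shown
    first_config = fetch_current(sepp_id)  # current configuration reported by the SEPP
    if first_config == record.functions:   # same as the recorded (second) configuration
        return ("second_feedback", sepp_id)  # claim 14: first SEPP passes authentication
    # Claim 15: configuration differs, so pick a recorded SEPP that supports the
    # required function. Skipping the first SEPP and taking the lowest identifier
    # are assumptions made to keep the choice deterministic.
    for other_id in sorted(registry):
        if other_id != sepp_id and required_function in registry[other_id].functions:
            return ("first_feedback", other_id)
    return ("rejected", None)  # assumption: no recorded SEPP matches


# Constructed sample data (documentation addresses, made-up function labels).
REGISTRY = {
    "sepp-a": SeppRecord("192.0.2.1", frozenset({"fn-roaming", "fn-sms"})),
    "sepp-b": SeppRecord("192.0.2.2", frozenset({"fn-roaming"})),
}
# What each SEPP reports now: sepp-a no longer matches its recorded configuration.
LIVE = {"sepp-a": frozenset({"fn-sms"}), "sepp-b": frozenset({"fn-roaming"})}

if __name__ == "__main__":
    for args in [("sepp-b", "192.0.2.2", "fn-roaming"),
                 ("sepp-a", "192.0.2.1", "fn-roaming"),
                 ("sepp-a", "198.51.100.9", "fn-roaming")]:
        print(args, "->", nrf_authenticate(REGISTRY, LIVE.__getitem__, *args))
```

The second call shows the case the claims centre on: the address matches but the live configuration has drifted from the record, so the NF is redirected to a different SEPP rather than told the first one is authenticated.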
CN202210562112.0A 2022-05-23 2022-05-23 Request message processing method, device and system Pending CN115002768A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210562112.0A CN115002768A (en) 2022-05-23 2022-05-23 Request message processing method, device and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210562112.0A CN115002768A (en) 2022-05-23 2022-05-23 Request message processing method, device and system

Publications (1)

Publication Number Publication Date
CN115002768A true CN115002768A (en) 2022-09-02

Family

ID=83027713

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210562112.0A Pending CN115002768A (en) 2022-05-23 2022-05-23 Request message processing method, device and system

Country Status (1)

Country Link
CN (1) CN115002768A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111865598A (en) * 2019-04-28 2020-10-30 华为技术有限公司 Identity verification method and related device for network function service
WO2021099676A1 (en) * 2019-11-21 2021-05-27 Nokia Technologies Oy Indicator tls extension handling for indirect communication in communication network
US20210219137A1 (en) * 2018-09-24 2021-07-15 Nokia Technologies Oy Security management between edge proxy and internetwork exchange node in a communication system
US20210297935A1 (en) * 2020-03-23 2021-09-23 Nokia Technologies Oy Apparatus, method and computer program related to information about scp(s) and sepp(s) stored in nrf

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210219137A1 (en) * 2018-09-24 2021-07-15 Nokia Technologies Oy Security management between edge proxy and internetwork exchange node in a communication system
CN111865598A (en) * 2019-04-28 2020-10-30 华为技术有限公司 Identity verification method and related device for network function service
WO2021099676A1 (en) * 2019-11-21 2021-05-27 Nokia Technologies Oy Indicator tls extension handling for indirect communication in communication network
US20210297935A1 (en) * 2020-03-23 2021-09-23 Nokia Technologies Oy Apparatus, method and computer program related to information about scp(s) and sepp(s) stored in nrf
CN113438268A (en) * 2020-03-23 2021-09-24 诺基亚技术有限公司 Apparatus, method and computer program related to information of SCP and SEPP stored in NRF

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination