WO2019034014A1 - Method and apparatus for access authentication - Google Patents


Info

Publication number
WO2019034014A1
Authority
WO (WIPO, PCT)
Application number
PCT/CN2018/100209
Prior art keywords
information, terminal device, result, server, consensus node
Other languages
French (fr), Chinese (zh)
Inventors
杨辉, 郑皓炜, 寇思琦, 吴义镇
Original assignee
华为技术有限公司

Classifications (H: Electricity; H04: Electric communication technique)

    • H04W Wireless communication networks; H04W 12/00 Security arrangements, authentication, protecting privacy or anonymity; H04W 12/06 Authentication
    • H04L Transmission of digital information, e.g. telegraphic communication; H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications, network security protocols; H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04W 12/00 Security arrangements, authentication, protecting privacy or anonymity; H04W 12/08 Access security
    • H04W 48/00 Access restriction, network selection, access point selection; H04W 48/08 Access restriction or access information delivery, e.g. discovery data delivery
    • H04W 48/00 Access restriction, network selection, access point selection; H04W 48/16 Discovering, processing access restriction or access information

Definitions

  • the present application relates to the field of communications and, more particularly, to a method and apparatus for determining access authentication for a terminal device.
  • When the terminal device communicates in the network, it must use an identifier that indicates its identity in the network (hereinafter referred to as "identification information" for ease of understanding and distinction).
  • identity information an identifier capable of indicating the identity of the terminal device in the network
  • When the terminal device accesses the network (for example, attaches to it), the network-side device performs operations such as authentication, authorization, and key agreement on the terminal device according to the identification information of the terminal device.
  • The identification information is allocated and managed by the network operator. For example, when the user of the terminal device signs a contract with the operator, the identification information of the terminal device is burned into the terminal device, for example into its Universal Subscriber Identity Module (USIM).
  • USIM Universal Subscriber Identity Module
  • In existing communication technology, the user must obtain the identification information assigned by the operator for the terminal device before the terminal device can be used for communication, which degrades the user experience.
  • The present invention provides a method and device for access authentication that can improve the user experience, reduce the operator's burden and cost of allocating and managing the identifier of the terminal device in the communication system, and prevent user information from being stolen, thereby improving the security of communication.
  • A method for access authentication is provided, implemented in a communication system including at least two consensus nodes. The method comprises: the first consensus node receiving first identity information from a first server, where the first server is a server of the manufacturer of the first terminal device, the first identity information is generated by the first server applying a first preset process to the identifier information that the first server allocated to the first terminal device, and the identifier information cannot be recovered from the first identity information; and the first consensus node and at least one second consensus node negotiating over the first identity information to determine whether the first identity information can be used for access authentication for the communication system.
  • Because the identification information is determined by the first server of the manufacturer of the first terminal device, and the first identity information generated from it is sent to at least one consensus node in the communication system, where at least two consensus nodes determine whether the first identity information can be used for access authentication, the user is spared having to obtain identification information for the terminal device, which improves the user experience. Moreover, since the identification information is determined by the manufacturer's server, the operator's burden and cost of allocating and managing identification information are reduced.
  • Only the first identity information generated from the identifier information is transmitted between the first server and the first consensus node, and the identifier information cannot be recovered from the first identity information. Even if the first identity information is stolen in transit, the user information (for example, the identification information) is therefore not leaked, which improves the security of communication.
  • The first identity information can be uniquely determined from the identification information.
  • That is, for a given piece of identification information, only one first identity information can be determined.
  • the first preset process includes a hash process.
  • the first identity information is a hash value obtained after the identifier information is hashed.
  • Using hash processing as the first preset process makes the first identity information easy to obtain, which improves the practicability and effectiveness of the access authentication method in the embodiment of the present invention.
  • the first consensus node is a server of an operator of a network used by the communication system.
  • In this way the operator can take part in the negotiation for the first identity information of the first terminal device in the communication system, which makes it convenient for operators to manage the network and improves the security of the network.
  • the first consensus node is an access network device (eg, a base station) or a core network device in the communication system.
  • an access network device, e.g., a base station
  • a core network device in the communication system.
  • The at least one second consensus node comprises at least one of: an access network device in the communication system, a core network device in the communication system, a server of an application service provider, and the first server.
  • The communication system is a system that stores data based on blockchain technology.
  • The at least two consensus nodes store data based on blockchain technology.
  • The at least two consensus nodes are consensus nodes in the blockchain system.
  • The first consensus node and the at least one second consensus node perform the negotiation for the first identity information, including: the first consensus node negotiating with the at least one second consensus node for the first identity information based on blockchain technology.
  • By applying blockchain technology to the method for determining the identity of the terminal device in the embodiment of the present invention, the negotiation, verification, and storage of the first identity information can be implemented easily.
  • The first consensus node and the at least one second consensus node perform the negotiation for the first identity information, including: the first consensus node verifying the first identity information against at least one second identity information, where each second identity information can already be used for access authentication for the communication system; if the first identity information differs from every second identity information, the result of the verification is that the first identity information can be used for access authentication for the communication system, and if the first identity information is the same as at least one second identity information, the result of the verification is that the first identity information cannot be used for access authentication for the communication system;
  • the first consensus node negotiates with the at least one second consensus node for the first identity information according to the result of the verification.
  • This prevents the same first identity information from serving as the identity of different terminal devices at the same time, which avoids communication errors, improves communication security and reliability, and further improves the user experience.
  • The first consensus node performs, according to the result of the verification, the negotiation with the at least one second consensus node for the first identity information, including: if, among the first consensus node and the at least one second consensus node, the number of consensus nodes that determine that the first identity information can be used for access authentication for the communication system is greater than or equal to a preset first threshold, the first consensus node determines that the first identity information can be used for access authentication for the communication system.
  • The first consensus node performs, according to the result of the verification, the negotiation with the at least one second consensus node for the first identity information, including: if, among the first consensus node and the at least one second consensus node, the number of consensus nodes that determine that the first identity information can be used for access authentication for the communication system is less than the first threshold, the first consensus node determines that the first identity information cannot be used for access authentication for the communication system.
  • the first consensus node performs, according to the result of the verification, the negotiation with the at least one second consensus node for the first identity information, including: supporting the first identity information in the at least two consensus nodes that perform negotiation
  • the first consensus node determines that the first identity information can be used for access authentication for the communication system.
  • the first consensus node performs, according to the result of the verification, the negotiation with the at least one second consensus node for the first identity information, including: supporting the first identity information in the at least two consensus nodes that perform negotiation
  • the first consensus node determines that the first identity information cannot be used for access authentication for the communication system.
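The following is an added worked example; it is not code from the patent or from the applicant. It walks through the first-aspect flow described above: the manufacturer server derives the first identity information by hashing the identifier it allocated (SHA-256 is this example's assumption, the text only says "hash processing"), each consensus node verifies that value against the second identity information it already holds, and the first consensus node applies the preset first threshold to the number of supporting nodes. A Python set stands in for each node's blockchain ledger; the node names, identifiers and threshold values are constructed.

```python
import hashlib
from dataclasses import dataclass, field


def first_identity_information(identifier: str) -> str:
    """First preset process (manufacturer server side).

    The patent only says the first identity information is a hash of the
    allocated identifier; SHA-256 is this example's assumption.
    """
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


@dataclass
class ConsensusNode:
    """One consensus node (operator server, base station, core network, ...)."""
    name: str
    # Second identity information this node already accepts for access
    # authentication. A plain set stands in for the node's blockchain ledger.
    accepted: set = field(default_factory=set)

    def verify(self, first_identity: str) -> bool:
        # Verification step: usable only if it differs from every second
        # identity information; identical to any of them means not usable.
        return first_identity not in self.accepted

    def commit(self, first_identity: str) -> None:
        self.accepted.add(first_identity)


def negotiate(nodes, first_identity: str, first_threshold: int):
    """Negotiation as seen by the first consensus node.

    Every node verifies independently; the identity is accepted when the
    number of supporting nodes is >= the preset first threshold, otherwise
    rejected. Returns (usable, number_of_supporting_nodes).
    """
    supporting = sum(1 for node in nodes if node.verify(first_identity))
    usable = supporting >= first_threshold
    if usable:
        # Store the newly accepted identity on every node so that later
        # negotiations treat it as second identity information.
        for node in nodes:
            node.commit(first_identity)
    return usable, supporting


def run_demo() -> dict:
    """Runs four negotiations over constructed inputs and returns the results."""
    nodes = [ConsensusNode("operator"), ConsensusNode("base-station"),
             ConsensusNode("core-network"), ConsensusNode("app-provider")]
    threshold = 3  # constructed preset first threshold (3 of 4 nodes)
    results = {}

    # 1. Fresh identifier: every node finds it new -> 4 supporting votes.
    id_a = first_identity_information("TERMINAL-0001")  # constructed identifier
    results["fresh"] = negotiate(nodes, id_a, threshold)

    # 2. A second device handed the same identifier: all nodes already hold
    #    id_a as second identity information -> 0 supporting votes.
    results["duplicate"] = negotiate(nodes, id_a, threshold)

    # 3. Nodes disagree: one node already holds the hash (stale or
    #    pre-registered ledger entry), three do not -> the threshold decides.
    id_b = first_identity_information("TERMINAL-0002")  # constructed identifier
    nodes[3].commit(id_b)
    results["split_accept"] = negotiate(nodes, id_b, threshold)

    # 4. The same split with a stricter threshold of 4 -> rejected.
    id_c = first_identity_information("TERMINAL-0003")  # constructed identifier
    nodes[0].commit(id_c)
    results["split_reject"] = negotiate(nodes, id_c, 4)
    return results


if __name__ == "__main__":
    for case, (usable, votes) in run_demo().items():
        print(f"{case:13s} usable={usable} supporting={votes}")
```

Two points worth keeping in mind when reading the example against the claims. First, the guarantee that the identifier "cannot be obtained" from a plain hash only holds if the identifier has enough entropy; a short serial-number-like identifier can be recovered by enumerating candidates and hashing each one, so a deployment would prefer a keyed hash (an HMAC under a manufacturer secret) over a bare digest. Second, the threshold rule accepts an identity even when a minority of nodes report a collision (case 3), so disagreements between nodes are exactly the events an operator should log and investigate.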
  • The method further includes: the first consensus node receiving first decryption information, where the first decryption information is allocated by the first server to the first terminal device and is used to decrypt data sent by the first terminal device; the first consensus node receiving first authentication information sent by the first terminal device, where the first authentication information is generated by applying a second preset process to the identifier information, and the identifier information cannot be recovered from the first authentication information; the first consensus node applying a third preset process to the first decryption information and the first authentication information to obtain a first result; the first consensus node receiving a second result from the first terminal device, where the second result is generated by the terminal device applying a fourth preset process to the identifier information, and the second preset process, the third preset process, and the fourth preset process share at least one calculation parameter; and the first consensus node determining, according to the relationship between the first result and the second result, whether the first terminal device passes access authentication for the communication system.
  • The second preset process, the third preset process, and the fourth preset process include a remainder (modulo) operation with the same modulus.
  • The first decryption information is obtained by applying the remainder operation with the same modulus to a preset value.
  • The first authentication information includes a first sub-information a and a second sub-information b, and
  • the second preset process includes processing based on the following formula:
  • y is the first decryption information
  • m is the identification information
  • a, b, m, k, g, p, x, y are positive integers, 1 < k < p-2, k and p-1
  • p is the calculation parameter
  • p is a prime number, g < p, x < p, and mod denotes the remainder operation.
  • the first consensus node determines, according to the relationship between the first result and the second result, whether the first terminal device passes the access authentication for the communication system, including:
  • the first consensus node determines that the first terminal device can pass the access authentication for the communication system.
  • the first consensus node determines that the first terminal device cannot pass the access authentication for the communication system.
  • When performing access authentication, the terminal device needs to send its identification information to the access network device, so if the identification information is stolen in the process, user information is leaked and the security of communication is seriously reduced.
  • In the embodiment, the first authentication information derived from the identifier information is used in the access process, and the identifier information cannot be recovered from the first authentication information. Even if the first authentication information is stolen in transit, the identification information therefore cannot be obtained from it, so user information is prevented from leaking and the security of communication is improved.
  • A method for access authentication further includes: the first consensus node receiving first decryption information, where the first decryption information is allocated by the first server to the first terminal device and is used to decrypt information sent by the first terminal device; the first consensus node receiving first authentication information sent by the first terminal device, where the first authentication information is generated by applying a second preset process to the identifier information, and the identifier information cannot be recovered from the first authentication information; the first consensus node applying a third preset process to the first decryption information and the first authentication information to obtain a first result; the first consensus node receiving a second result from the first terminal device, where the second result is generated by the terminal device applying a fourth preset process to the identifier information, and the second preset process, the third preset process, and the fourth preset process share at least one calculation parameter; and the first consensus node determining, according to the relationship between the first result and the second result
  • A third aspect provides a method for access authentication, implemented in a communication system including at least two consensus nodes, where the method includes: the first server assigning identification information to the first terminal device; the first server applying a first preset process to the identification information to determine first identity information, where the identification information cannot be recovered from the first identity information; and the first server sending the first identity information to the first consensus node.
  • The method further includes: the first server verifying the first identity information against at least one second identity information, where each second identity information can already be used for access authentication for the communication system; if the first identity information differs from every second identity information, the result of the verification is that the first identity information can be used for access authentication for the communication system, and if the first identity information is the same as at least one second identity information, the result of the verification is that the first identity information cannot be used for access authentication for the communication system; and the first server negotiating with the at least one consensus node for the first identity information according to the result of the verification.
  • The first server negotiates with the at least one consensus node for the first identity information according to the result of the verification.
  • This prevents the same first identity information from serving as the identity of different terminal devices at the same time, which avoids communication errors, improves communication security and reliability, and further improves the user experience.
  • The first server performs, according to the result of the verification, the negotiation with the at least one consensus node for the first identity information, including: if, among the devices participating in the negotiation, the number of consensus nodes that determine that the first identity information can be used for access authentication for the communication system is greater than or equal to the preset first threshold, the first server determines that the first identity information can be used for access authentication for the communication system.
  • The first server performs, according to the result of the verification, the negotiation with the at least one consensus node for the first identity information, including: if, among the devices participating in the negotiation, the number of devices that determine that the first identity information can be used for access authentication for the communication system is less than the first threshold, the first server determines that the first identity information cannot be used for access authentication for the communication system.
  • the first server performs, according to the result of the verification, the negotiation with the at least one consensus node for the first identity information, including: supporting, in the device that performs the negotiation, the first identity information can be used for the communication system.
  • the first server determines that the first identity information can be used for access authentication for the communication system.
  • the first server performs, according to the result of the verification, the negotiation with the at least one consensus node for the first identity information, including: supporting, in the device that performs the negotiation, the first identity information can be used for the communication system.
  • the first server determines that the first identity information cannot be used for access authentication for the communication system.
  • A fourth aspect provides a method for access authentication, including: a first terminal device receiving identifier information from a first server, where the first server is a server of the manufacturer of the first terminal device; the first terminal device applying a second preset process to the identifier information to generate first authentication information, where the identifier information cannot be recovered from the first authentication information; the first terminal device applying a fourth preset process to the identifier information to generate a second result; and the first terminal device sending the first authentication information and the second result to the first consensus node, so that the first consensus node obtains a first result by applying a third preset process to first decryption information and the first authentication information,
  • where the first decryption information is allocated by the first server to the first terminal device and is used to decrypt data transmitted by the first terminal device, and the second preset process, the third preset process, and the fourth preset process share at least one calculation parameter.
  • An apparatus for access authentication comprising means for performing the steps of the method of access authentication in the first aspect and its implementations.
  • An apparatus for access authentication comprising means for performing the steps of the method of access authentication in the second aspect and its implementations.
  • An apparatus for access authentication comprising means for performing the steps of the method of access authentication in the third aspect and its implementations.
  • An apparatus for access authentication comprising means for performing the steps of the method of access authentication in the fourth aspect and its implementations.
  • A device for access authentication having the function of implementing the behavior of the first consensus node in the first aspect and its implementations.
  • This function can be implemented by hardware, or by hardware executing the corresponding software.
  • The hardware or software includes one or more modules corresponding to the functions described above.
  • A device for access authentication having the function of implementing the behavior of the first consensus node in the second aspect and its implementations.
  • This function can be implemented by hardware, or by hardware executing the corresponding software.
  • The hardware or software includes one or more modules corresponding to the functions described above.
  • An apparatus for access authentication having the function of implementing the behavior of the first server in the third aspect and its implementations.
  • This function can be implemented by hardware, or by hardware executing the corresponding software.
  • The hardware or software includes one or more modules corresponding to the functions described above.
  • A device for access authentication having the function of implementing the behavior of the first terminal device in the fourth aspect and its implementations.
  • This function can be implemented by hardware, or by hardware executing the corresponding software.
  • The hardware or software includes one or more modules corresponding to the functions described above.
  • a server comprising a processor.
  • the processor is configured to support a server to perform the first aspect and corresponding functions of the various implementations of the first aspect.
  • the server may further include a transceiver for supporting the server to receive or transmit information.
  • the server may also include a memory for coupling with the processor to store the necessary program instructions and data for the server.
  • the server includes a memory and a processor for storing a computer program for calling and running the computer program from the memory, such that the server performs any of the first aspect described above and various implementations thereof A method of access authentication.
  • a server comprising a processor.
  • the processor is configured to support the server in performing the corresponding functions of the second aspect and its implementations.
  • the server may further include a transceiver for supporting the server to receive or transmit information.
  • the server may also include a memory for coupling with the processor to store the necessary program instructions and data for the server.
  • the server includes a memory for storing a computer program and a processor for calling and running the computer program from the memory, such that the server performs the method of access authentication in the second aspect or any of its implementations.
  • a server comprising a processor.
  • the processor is configured to support the server in performing the corresponding functions of the third aspect and its various implementations.
  • the server may further include a transceiver for supporting the server to receive or transmit information.
  • the server may also include a memory for coupling with the processor to store the necessary program instructions and data for the server.
  • the server includes a memory for storing a computer program and a processor for calling and running the computer program from the memory, such that the server performs the method of access authentication in the third aspect or any of its implementations.
  • a terminal device comprising a processor.
  • the processor is configured to support the terminal device in performing the corresponding functions of the fourth aspect and its implementations.
  • the terminal device may further include a transceiver for supporting the terminal device to receive or transmit information.
  • the terminal device may also include a memory coupled with the processor to store the program instructions and data necessary for the terminal device.
  • the terminal device includes a memory for storing a computer program and a processor for calling and running the computer program from the memory, such that the terminal device performs the method of access authentication in the fourth aspect or any of its implementations.
  • a computer program product comprising computer program code which, when run by a processing unit, a communication unit or a processor of the server, and a transceiver, causes the server to perform the method of access authentication in any one of the first to fourth aspects and their various implementations.
  • a computer readable storage medium storing a program that causes a server to perform the method of access authentication in any one of the first to fourth aspects and their various implementations.
  • the computer readable storage medium is for storing computer software instructions for use in the server described above, comprising a program designed to perform the method of the first aspect described above.
  • a chip system comprising a processor for supporting a server to implement the functions involved in the first aspect, for example, receiving first identity information from a first server and negotiating the first identity information with at least one second consensus node.
  • the chip system further includes a memory for holding program instructions and data necessary to implement the functions described above.
  • a chip system comprising a processor for supporting a server to implement the functions involved in the second aspect, for example, receiving first authentication information from the first terminal device and determining, based on the first authentication information, whether the first terminal device passes access authentication for the communication system.
  • the chip system further includes a memory for holding program instructions and data necessary to implement the functions described above.
  • a chip system comprising a processor for supporting a server to implement the functions involved in the third aspect, for example, generating and transmitting the first identity information to the first consensus node.
  • the chip system further includes a memory for holding program instructions and data necessary to implement the functions described above.
  • a chip system comprising a processor for supporting a terminal device to implement the functions involved in the fourth aspect, for example, generating and transmitting first authentication information to the first consensus node.
  • the chip system further includes a memory for holding program instructions and data necessary to implement the functions described above.
  • the user experience can be improved, the burden and cost of the operator's allocation and management of the identification of the terminal device in the communication system can be reduced, and the security of the communication can be improved.
  • FIG. 1 is a schematic diagram showing an example of a communication system to which a method and apparatus for access authentication according to an embodiment of the present invention is applied.
  • FIG. 2 is a schematic diagram showing another example of the communication system of the embodiment of the invention.
  • FIG. 3 is a schematic diagram showing still another example of the communication system of the embodiment of the invention.
  • FIG. 4 is a schematic diagram of a registration process of a consensus node in an embodiment of the invention.
  • FIG. 5 is a schematic interaction diagram of an example of a method for access authentication according to an embodiment of the present invention.
  • FIG. 6 is a schematic interaction diagram of an example of an access procedure of a terminal device to which an embodiment of the present invention is applied.
  • FIG. 7 is a schematic interaction diagram of another example of an access procedure of a terminal device to which an embodiment of the present invention is applied.
  • FIG. 8 is a schematic block diagram showing an example of an apparatus for access authentication according to an embodiment of the present invention.
  • FIG. 9 is a schematic block diagram of another example of an apparatus for access authentication according to an embodiment of the present invention.
  • FIG. 10 is a schematic block diagram of still another example of an apparatus for access authentication according to an embodiment of the present invention.
  • the method for determining the identifier of the terminal device may be applied to a computer, where the computer includes a hardware layer, an operating system layer running on the hardware layer, and an application layer running on the operating system layer.
  • the hardware layer includes hardware such as a central processing unit (CPU), a memory management unit (MMU), and a memory (also referred to as main memory).
  • the operating system may be any one or more computer operating systems that implement business processing through a process, such as a Linux operating system, a Unix operating system, an Android operating system, an iOS operating system, or a Windows operating system.
  • the application layer includes applications such as browsers, contacts, word processing software, and instant messaging software.
  • the embodiment of the present invention does not specifically limit the structure of the execution body of the method provided by the embodiment, as long as it can communicate according to the method provided by the embodiment by running a program that records the code of the method.
  • the execution body of the method provided by the embodiment of the present invention may be a computer device or a functional module of the computer device capable of calling a program and executing the program.
  • the computer device may be a handheld device such as a smart phone, or may be a terminal device such as a personal computer, or the computer may be a server.
  • the program that records the code of the method for determining the identity of the terminal device according to the embodiment of the present invention is used to determine the identity of the terminal device in the network according to that method.
  • a server is a device that provides computing services. Since a server needs to respond to service requests and process them, it should generally have the ability to take on the service and to secure the service.
  • the server consists of a processor, a hard disk, a memory, a system bus and so on, similar to a general-purpose computer architecture, but because it needs to provide highly reliable services, it places higher demands on processing power, stability, reliability, security, scalability, manageability and other aspects.
  • the execution body of the path detection in the embodiment of the present invention may be a computer device or a functional module in the computer device capable of calling a program and executing the program.
  • the term "article of manufacture" as used in this application encompasses a computer program accessible from any computer-readable device, carrier, or media.
  • the computer readable medium may include, but is not limited to, a magnetic storage device (eg, a hard disk, a floppy disk, or a magnetic tape), a compact disc (CD) or digital versatile disc (DVD), a smart card, and a flash memory device (eg, an Erasable Programmable Read-Only Memory (EPROM), a card, a stick, or a key drive).
  • various storage media described herein can represent one or more devices and/or other machine-readable media for storing information.
  • the term "machine-readable medium" may include, without limitation, a wireless channel and various other media capable of storing, containing, and/or carrying instructions and/or data.
  • the communication system 100 includes an architecture for implementing communication of the terminal device (hereinafter, for ease of understanding and explanation, referred to as Architecture #1).
  • the communication system 100 includes an architecture for managing the identity of a terminal device used in the communication system 100 (or in the network used by the communication system 100) (hereinafter, for ease of understanding and explanation, referred to as the identity architecture, or Architecture #2).
  • the communication system 100 includes an access network device 102, which may include one antenna or multiple antennas such as antennas 104, 106, 108, 110, 112, and 114.
  • access network device 102 may additionally include a transmitter chain and a receiver chain, which, as will be understood by those of ordinary skill in the art, may include multiple components associated with signal transmission and reception (eg, processors, modulators, multiplexers, demodulators, demultiplexers or antennas).
  • Access network device 102 can communicate with a plurality of terminal devices, such as terminal device 116 and terminal device 122. However, it will be appreciated that the access network device 102 can communicate with any number of terminal devices similar to the terminal device 116 or the terminal device 122.
  • Terminal devices 116 and 122 may be, for example, cellular telephones, smart phones, portable computers, handheld communication devices, handheld computing devices, satellite radios, global positioning systems, PDAs, and/or any other device suitable for communicating over the wireless communication system 100.
  • terminal device 116 is in communication with antennas 112 and 114, wherein antennas 112 and 114 transmit information to terminal device 116 over a forward link (also referred to as downlink) 118 and receive information from terminal device 116 over a reverse link (also referred to as uplink) 120.
  • terminal device 122 is in communication with antennas 104 and 106, wherein antennas 104 and 106 transmit information to terminal device 122 over forward link 124 and receive information from terminal device 122 over reverse link 126.
  • in a Frequency Division Duplex (FDD) system, forward link 118 can use a different frequency band from reverse link 120, and forward link 124 can use a different frequency band from reverse link 126.
  • alternatively, forward link 118 and reverse link 120 can use a common frequency band, and forward link 124 and reverse link 126 can use a common frequency band.
  • Each antenna (or antenna group consisting of multiple antennas) and/or the area in which it is designed to communicate is referred to as a sector of the access network device 102.
  • the antenna group can be designed to communicate with terminal devices in sectors of the coverage area of the access network device 102.
  • the access network device can transmit signals to all of the terminal devices in its corresponding sector by single antenna or multi-antenna transmit diversity.
  • the transmit antennas of the access network device 102 can also utilize beamforming to improve the signal-to-noise ratio of forward links 118 and 124.
  • compared with the manner in which an access network device transmits signals to all of its terminal devices through single-antenna or multi-antenna transmit diversity, when the access network device 102 uses beamforming to transmit signals to terminal devices 116 and 122 scattered in the associated coverage area, mobile devices in neighboring cells are subject to less interference.
  • the access network device 102, the terminal device 116, or the terminal device 122 may be a wireless communication transmitting device and/or a wireless communication receiving device.
  • the wireless communication transmitting device can encode the data for transmission.
  • the wireless communication transmitting device may acquire (eg, generate, receive from other communication devices, or store in memory, etc.) a certain number of data bits to be transmitted over the channel to the wireless communication receiving device.
  • Such data bits may be included in a transport block (or multiple transport blocks) of data that may be segmented to produce multiple code blocks.
  • the communication system 100 may be a Public Land Mobile Network (PLMN), a Device to Device (D2D) network, a Machine to Machine (M2M) network, or another network.
  • FIG. 1 is only a simplified schematic diagram of an example; the network may also include, for example, a core network device, which is not shown in FIG. 1.
  • the communication system 100 may be, for example, a Global System of Mobile communication (GSM) system, a Code Division Multiple Access (CDMA) system, Wideband Code Division Multiple Access (WCDMA) system, General Packet Radio Service (GPRS), Long Term Evolution (LTE) system, Advanced Long Term Evolution (Advanced Long Term Evolution, LTE-A) system, Universal Mobile Telecommunication System (UMTS), Wireless Local Area Networks (WLAN), Wireless Fidelity (WiFi), or next-generation communication systems.
  • Related network types include Device to Device (D2D), Machine to Machine (M2M), Machine Type Communication (MTC), and Vehicle to Vehicle (V2V).
  • the terminal device may also be referred to as a user equipment (User Equipment, UE), an access terminal, a subscriber unit, a subscriber station, a mobile station, a mobile, a remote station, a remote terminal, a mobile device, and so on.
  • the terminal device can be a station (STA) in a WLAN, a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), a handheld device with wireless communication capabilities, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a device in a next-generation communication system (for example, fifth-generation (5G) communication), or a device in a future evolved Public Land Mobile Network (PLMN).
  • the terminal device may also be a wearable device.
  • a wearable device, which can also be called a wearable smart device, is a general term for devices that can be worn, such as glasses, gloves, watches, clothing, and shoes, developed by applying wearable technology to the intelligent design of everyday wear.
  • a wearable device is a portable device that is worn directly on the body or integrated into the user's clothing or accessories. Wearable devices are more than just hardware; they also implement powerful functions through software support, data interaction, and cloud interaction.
  • Broadly, wearable smart devices include those that are full-featured, large-sized, and able to realize all or part of their functions without relying on a smartphone, such as smart watches or smart glasses, and those that focus on only one type of application and need to be used together with other devices such as smartphones, such as smart bracelets for vital-sign monitoring and smart jewelry.
  • the terminal device may be an Internet of Things (IoT) device. The Internet of Things is also called a sensor network and is, briefly, an extension of the Internet from people to things.
  • the Internet of Things refers to a huge network formed by combining various information sensing devices, such as radio frequency identification devices, infrared sensors, global positioning systems, and laser scanners, with the Internet. Its goal is to connect all items to the network for easy identification and management.
  • the access network device may be a device for accessing the mobile device, and may be an access point (AP) in a WLAN, a Base Transceiver Station (BTS) in GSM or CDMA, a base station (NodeB, NB) in WCDMA, an evolved base station (Evolutional Node B, eNB or eNodeB) in LTE, a relay station or access point, an in-vehicle device, a wearable device, an access network device in a future 5G network, or an access network device in a future evolved PLMN network.
  • the access network device provides service for a cell, and the terminal device communicates with the access network device by using a transmission resource (for example, a frequency domain resource, or a spectrum resource) used by the cell.
  • the cell may be a cell corresponding to an access network device (for example, a base station), and may belong to a macro base station or to a base station corresponding to a small cell, where the small cell may include a metro cell, a micro cell, a pico cell, a femto cell, and so on.
  • in an LTE system or a 5G system, multiple cells can work at the same frequency on a carrier.
  • in some scenarios, for example carrier aggregation (CA), the concept of the carrier and the cell can be considered equivalent; for example, a UE accessing one carrier and accessing one cell are equivalent.
  • the consensus node described in this document refers to the basic unit capable of performing consensus operations, storing data, forwarding data, verifying data, and so on, and can be composed of one or more computers.
  • the communication system 100 (specifically, in architecture #1 of the communication system 100) includes at least two consensus nodes 130.
  • At least two consensus nodes are used for data storage and negotiation decisions for the data storage.
  • the consensus nodes 130 are in communication connection with each other.
  • each consensus node 130 can make decisions based on a negotiation mechanism.
  • a portion (eg, at least two) or all of the consensus nodes in the communication system 100 can negotiate a decision initiated by one or more consensus nodes to determine the outcome of the determination.
  • each consensus node participating in the negotiation may make a determination on a certain event based on a preset determination rule, so that each participating consensus node obtains a determination result for the event; for example, the determination result may be "yes" or "no".
  • the determination rules used by the respective consensus nodes participating in the negotiation may be the same or different, and the present invention is not particularly limited.
  • the final determination result for the event made by the communication system 100 can be determined based on the distribution of the determination results of the consensus nodes participating in the negotiation.
  • the "determination result" may take at least two values, and the "distribution of the determination results" may refer to the number of each of the at least two values, or to the ratio between them; for example, the "distribution of determination results" may refer to the number or ratio of "yes" and "no" results.
  • the communication system 100 can implement the above-described negotiation mechanism based on blockchain techniques.
  • Blockchain technology implements a chained data structure formed by connecting data and information blocks in chronological order, with distributed storage that is cryptographically guaranteed to be non-tamperable and unforgeable.
  • the data and information in the blockchain are called "transactions".
  • Blockchain technology is not a single-item technology, but a system that integrates applications as a point-to-point transmission, consensus mechanism, distributed data storage, and cryptography principles.
  • the system has full-featured and tamper-proof technical features.
  • in point-to-point transmission, the nodes participating in the blockchain are independent peers, and nodes synchronize data and information with each other through point-to-point transmission technology.
  • Nodes can be different physical machines or different instances of the cloud.
  • the consensus mechanism of the blockchain refers to the process in which multiple participating nodes reach agreement on specific data and information through interaction between the nodes under preset logic rules.
  • the consensus mechanism relies on well-designed algorithms, so different consensus mechanisms differ in performance (for example, transaction throughput in transactions per second (TPS), consensus delay, computing resources consumed, and transmission resources consumed).
  • distributed storage in the blockchain means that each node participating in the blockchain holds independent and complete data, which ensures that the full data is stored at every node. Unlike traditional distributed data storage, which divides data into multiple copies for backup or synchronous storage according to certain rules, blockchain distributed data storage relies on consensus between peer-to-peer, independent nodes in the blockchain to achieve highly consistent data storage.
  • blockchain is usually based on asymmetric encryption technology to achieve reliable information dissemination, verification and so on.
  • each "block" contains two parts, a "block header" and a "block body", where the "block body" contains the transaction records packed into the "block" and the "block header" contains the root hash of all transactions in the block and the hash of the previous "block".
  • the data structure of the blockchain ensures that the data stored on the blockchain has non-tamperable characteristics.
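  • The negotiation mechanism (a final result taken from the distribution of per-node "yes"/"no" results) and the block structure (a body of transactions plus a header carrying the root hash and the previous block's hash) are modelled together below. This is an added example written for this page, not code from the patent or from Huawei; the node names, the majority threshold, the SHA-256 choice and the sample identity records are constructed assumptions, and the "transactions" stand in for the terminal-device identity records the OHSS chain would hold.

```python
"""Added example (not from the patent): negotiation over a proposed block,
then a chained block structure whose root hash and previous-block link make
any later edit to a stored record detectable. Standard library only."""
import hashlib
import json
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

GENESIS_PREV = "0" * 64  # constructed "previous hash" for the first block


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def merkle_root(transactions: List[dict]) -> str:
    """Root hash over all transactions in a block: leaf hashes are combined
    pairwise level by level (the last leaf is duplicated on odd levels)."""
    if not transactions:
        return sha256_hex(b"")
    level = [sha256_hex(json.dumps(tx, sort_keys=True).encode()) for tx in transactions]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256_hex((level[i] + level[i + 1]).encode())
                 for i in range(0, len(level), 2)]
    return level[0]


@dataclass
class Block:
    prev_hash: str            # header field: hash of the previous block's header
    transactions: List[dict]  # block body: records packed into this block
    root_hash: str = field(init=False)  # header field: root hash of the body

    def __post_init__(self) -> None:
        self.root_hash = merkle_root(self.transactions)

    def header_hash(self) -> str:
        return sha256_hex(f"{self.prev_hash}|{self.root_hash}".encode())


def negotiate(results: Dict[str, str], threshold: float = 0.5) -> Tuple[str, Counter]:
    """Final determination from the distribution of per-node results: 'yes'
    only if the share of 'yes' answers strictly exceeds the threshold."""
    tally = Counter(results.values())
    share = tally["yes"] / len(results) if results else 0.0
    return ("yes" if share > threshold else "no"), tally


def append_if_agreed(chain: List[Block], transactions: List[dict],
                     results: Dict[str, str], threshold: float = 0.5) -> Optional[Block]:
    """Append a block holding the transactions only when negotiation says 'yes'."""
    decision, _ = negotiate(results, threshold)
    if decision != "yes":
        return None
    prev = chain[-1].header_hash() if chain else GENESIS_PREV
    block = Block(prev_hash=prev, transactions=[dict(tx) for tx in transactions])
    chain.append(block)
    return block


def verify_chain(chain: List[Block]) -> bool:
    """Recompute every root hash and every previous-block link. Editing a stored
    record breaks the root check; rewriting the header to hide it breaks the
    link held by the next block."""
    expected_prev = GENESIS_PREV
    for block in chain:
        if block.prev_hash != expected_prev:
            return False
        if block.root_hash != merkle_root(block.transactions):
            return False
        expected_prev = block.header_hash()
    return True


def demo() -> Dict[str, bool]:
    """Constructed run: three consensus nodes vote on two identity records,
    then a stored record is altered and the chain re-verified."""
    chain: List[Block] = []
    tx_a = [{"device_id": "dev-0001", "issuer": "server#B", "action": "issue"}]  # constructed
    tx_b = [{"device_id": "dev-0002", "issuer": "server#B", "action": "issue"}]  # constructed
    first = append_if_agreed(chain, tx_a, {"node1": "yes", "node2": "yes", "node3": "no"})
    rejected = append_if_agreed(chain, tx_b, {"node1": "yes", "node2": "no"})  # 50% is not > 0.5
    second = append_if_agreed(chain, tx_b, {"node1": "yes", "node2": "yes", "node3": "yes"})
    intact = verify_chain(chain)
    chain[0].transactions[0]["device_id"] = "dev-9999"  # alter a stored record
    return {
        "first_appended": first is not None,
        "rejected": rejected is None,
        "second_appended": second is not None,
        "chain_length_two": len(chain) == 2,
        "intact_before_tamper": intact,
        "tamper_detected": not verify_chain(chain),
    }
```

  • The threshold is a placeholder for the "preset determination rule"; the page leaves the rule open, and the same code accepts any rule that maps a tally to "yes" or "no". Note that the root hash alone does not protect the chain: a node that rewrites both a record and its header is caught only because the next block's `prev_hash` still commits to the old header.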
  • Blockchains can currently be divided into three categories: public, alliance, and private.
  • a public chain refers to a blockchain in which any node can participate as a consensus node (also called a consensus computing node), participate in the consensus calculation of blockchain data storage, and maintain the blockchain anonymously; the nodes do not trust each other. In this case, any node in the communication system 100 can act as a consensus node.
  • the alliance chain adds access authority on the basis of the public chain, so that only a node with certain qualifications can act as a consensus computing node of the blockchain, participate in the consensus calculation of blockchain data storage, and maintain the blockchain; there is a certain degree of trust between nodes.
  • the node in the communication system 100 having the qualification issued by the network operator, or the node approved by the network operator, can serve as the consensus node.
  • the private chain has a stricter access mechanism than the alliance chain, making the blockchain and its consensus computing nodes private.
  • in this case, the nodes controlled or maintained by the network operator in the communication system 100 are the consensus nodes.
  • each node in the architecture #2 may be a virtual node.
  • the functions of each node in the architecture #2 can be implemented by a virtual machine running on a computer device.
  • the virtual nodes in architecture #2 can be carried in some or all of the entities in architecture #1; that is, the virtual machine implementing the function of a node in architecture #2 can be installed and run in an entity (or device, or physical device) of architecture #1. For example, a virtual node in architecture #2 may be carried in an access network device or a core network device of architecture #1.
  • each virtual node in architecture #2 is carried by a physical device in architecture #1.
  • the communication system 100 may include a server of an operator of a network used by the communication system 100 (specifically, the architecture #1 of the communication system 100) (hereinafter, for ease of understanding and distinction, as: server #A)
  • server #A may be a server controlled, managed or maintained by the above-mentioned operator, and one or more virtual nodes in the architecture #2 may be carried by the server #A.
  • the communication system 100 may include a server facing the manufacturer of the terminal device (hereinafter, for ease of understanding and differentiation, referred to as server #B), wherein server #B may be a server controlled, managed, or maintained by the manufacturer, and one or more virtual nodes in architecture #2 can be hosted on server #B.
  • the architecture #2 may be used to implement a Home Subscriber Server (HSS) function, or the nodes in architecture #2 may constitute an Open Home Subscriber Server (OHSS) system.
  • the OHSS system can implement the functions of issuing, authenticating, authorizing and managing the identity of the terminal device. It should be understood that the OHSS functions enumerated above are merely exemplary, the present invention is not limited thereto, and the functions implemented by the OHSS system may be similar to those implemented by HSS devices in the prior art.
  • the communication system 100 may further include one or more non-consensus nodes, wherein each non-consensus node is in communication connection with at least one consensus node, and the non-consensus node may store blockchain data under the control or instruction of the consensus node.
  • FIG. 3 shows an example of physical devices in the communication system 100 that can constitute a consensus node in architecture #2.
  • the physical device that can serve as a consensus node may include a network device (for example, an access network device and/or a core network device), and the like.
  • the manufacturer of the terminal device can directly participate in the management of the identity of the terminal device (for example, the function implemented by the HSS) through server #B (ie, an example of the consensus node). Specifically, the manufacturer can implement the issuance and management of the identity of the terminal device through server #B (the process will be described in detail later).
  • the operator of the network can directly participate in the management of the identity of the terminal device through server #A (ie, another example of the consensus node).
  • the operator of the network can implement, through server #A, authentication and management of the identity assigned by the manufacturer to the terminal device (the process will be described in detail later).
  • the main function of the network device is to authenticate and authorize the terminal device, so that only a terminal device holding an identity identifier can access the operator's network.
  • the server of a third-party application can directly use the identity identifier assigned to the terminal device by the OHSS system and the authentication result for the identity of the terminal device.
  • the communication system 100 may not include the server #A.
  • the operator of the network may implement the function of the server #A described later through the network device (for example, the access network device or the core network device).
  • the consensus node of the communication system 100 may not include an access network device.
  • the consensus node of the communication system 100 may not include a core network device.
  • the consensus node of the communication system 100 may not include a server of a third party application.
  • the physical device in the communication system 100 can apply to become a consensus node through a registration process.
  • architecture #2 (or OHSS system of an embodiment of the invention) may be created (or initialized) by an operator of the network (eg, server #A).
  • the OHSS system may be implemented based on a blockchain technique. After initialization, the consensus node of the OHSS blockchain may include an operator controlled device (eg, server #A or network device) of the network.
  • the operator of the network can open the member ship of the OHSS system to the vertical industry, other network operators, etc., thereby enabling multiple devices (for example, server #B, The three-party application server and network equipment, etc. jointly maintain and manage the blockchain data of the OHSS system (specifically, the identity of the terminal device in the network).
  • devices for example, server #B, The three-party application server and network equipment, etc. jointly maintain and manage the blockchain data of the OHSS system (specifically, the identity of the terminal device in the network).
  • whether the device in the communication system can be used as a consensus node may be set by the network administrator and notified to each device in the communication system 100.
  • the consensus nodes already existing in the system may also negotiate whether a device requesting to become a consensus node may act as one.
  • the server #A and the consensus nodes already existing in the OHSS system negotiate so that a network device (for example, an access network device or a core network device) is registered as a consensus node in the OHSS system (or architecture #2) of the communication system 100.
  • the process in which the server #A negotiates (or registers) an access network device (hereinafter referred to as the access network device #A for ease of understanding and explanation) as a consensus node is taken as an example below to illustrate the registration process of a consensus node.
  • each consensus node in the communication system may communicate by using an encryption mechanism.
  • the sender may encrypt the data to be transmitted using encryption information to generate encrypted data, which is then sent to the receiving end; the receiving end decrypts the received data using the decryption information corresponding to that encryption information, thereby obtaining the transmitted data.
  • the encryption information used by the server #A is information #1
  • the decryption information used by the server #A is information #2.
  • the information #1 may be a private key used by the server #A
  • the information #2 may be a public key used by the server #A.
  • the server #A and other devices may communicate using the information #1 and the information #2 based on a Public Key Infrastructure (PKI) technology.
  • the information #1 may be a private key used by the server #A
  • the information #2 may be an identifier of the server #A.
  • the server #A and other devices may communicate using the information #1 and the information #2 based on an Identity-Based Cryptosystem (IBC) technology.
  • each consensus node in the communication system 100 can learn the decryption information (for example, a public key or a device identifier) of each other by means of broadcast.
  • each consensus node in architecture #2 may have an identity identifier, unique in the network, that indicates the consensus node; i.e., the registration process described above can also be understood as the process of issuing and authenticating the identity of the consensus node.
  • server #A may assign an identifier to access network device #A (hereinafter, for ease of understanding and distinction, denoted as: identifier #A).
  • the server #A can know the rule for verifying whether an identifier can be used as an identity identifier (hereinafter, for ease of understanding and explanation, recorded as: rule #1), so that server #A can determine the identifier #A based on rule #1.
  • the rule #1 may be: if an identifier is already used as the identity of a consensus node existing in the communication system 100, the identifier can no longer be used as the identity of another device.
  • the rule #1 may be: if an identifier has already been carried in a registration message and propagated in the communication system, the identifier cannot be used as the identity identifier of the device corresponding to a registration message propagated later.
  • each consensus node may hold an identifier list, and the identifier list may record multiple identifiers.
  • the rule #1 may be: if an identifier is already recorded in the identifier list, the identifier cannot be used as an identity identifier.
  • the identifiers stored in the consensus nodes may be the same or different, and are not specifically limited in the embodiment of the present invention.
  • the server #A can determine the identifier #A based on the above rule #1.
  • server #A may learn the identity of each consensus node present in communication system 100 (e.g., from broadcast messages sent by the respective consensus nodes).
  • the server #A can make the determined identifier #A different from the device identity of each consensus node present in the communication system 100.
  • the server #A can negotiate with one or more consensus nodes existing in the communication system 100 (hereinafter, for ease of understanding and explanation, referred to as: consensus node #A) to determine whether the identifier #A can be used as the identity of the access network device #A.
  • the server #A can perform signature processing on the identifier #A according to the information #1 to obtain signature data.
  • the server #A may also determine the public key used by the access network device #A (i.e., an example of the decryption information used by the access network device #A), and the server #A may perform signature processing on the identifier #A and the public key used by the access network device #A according to the information #1 to obtain signature data.
  • the signature data transmitted (or negotiated) between the consensus nodes may also be referred to as “transaction”.
  • the transaction obtained after the signature processing is recorded as:
  • server #A can save the transaction, i.e.:
  • server #A can send registration information carrying the transaction (hereinafter, for ease of understanding and explanation, recorded as: registration information (Register) #1) to the consensus node #A.
  • the consensus node #A can verify Register #1 according to the information #2; if the verification passes, the consensus node #A can determine that Register #1 comes from a legitimate device, and further, the consensus node #A can determine that the identifier #A (or the identifier #A and the public key used by the access network device #A) is secure.
  • the consensus node #A can verify the identifier #A to determine whether the identifier #A can be used as the identity of the object of the current registration (i.e., the access network device #A); in other words, the consensus node #A can determine whether the identifier #A is legal. For example, the consensus node #A may determine, based on the rule #1, whether the identifier #A can be the identity of the object of the current registration (i.e., the access network device #A).
  • the consensus node #A can obtain a verification result for the identifier #A, and the verification result can be: the identifier #A can be the identity of the object of the current registration (i.e., the access network device #A), or the identifier #A cannot be the identity of the object of the current registration (i.e., the access network device #A).
  • the consensus node #A can acquire a preset determination condition (hereinafter, for ease of understanding and distinction, denoted as: determination condition #1), and perform the verification based on the determination condition #1.
  • the determination condition #1 may be: if an identifier has been stored in the blockchain before one registration, the identifier cannot be used as the identity of the object of this registration.
  • the consensus node #A can determine that the verification result is: the identifier #A cannot be the identity of the object of the current registration (i.e., the access network device #A).
  • the consensus node #A can determine that the verification result is: the identifier #A can be the identity of the object of the current registration (i.e., the access network device #A).
  • the determination conditions listed above are merely exemplary, and the present invention is not limited thereto.
  • the determination condition #1 may also be: if an identifier has already been assigned to a device in the communication system before the current registration, the identifier can no longer be used as the identity of another device.
  • at S240, at least two consensus nodes including the consensus node #A may negotiate based on their respective verification results to determine whether the identifier #A can be the identity of the object of the current registration (that is, the access network device #A).
  • the negotiation result may be: the identifier #A can be used as the identity of the object of the current registration (i.e., the access network device #A).
  • the negotiation result may be: the identifier #A cannot be used as the identity of the object of the current registration (i.e., the access network device #A).
  • the number threshold value #1 and the number threshold value #2 may be the same or different, and the present invention is not particularly limited.
  • the proportion of these consensus nodes among all the consensus nodes participating in the negotiation is greater than or equal to the preset proportional threshold #1.
  • the negotiation result may be: the identifier #A can be used as the object of the current registration (ie, the access network device #A) identity.
  • the proportion of these consensus nodes among all the consensus nodes participating in the negotiation is less than the preset proportional threshold #1.
  • the negotiation result may be: the identifier #A cannot be the object of the current registration (ie, the access network device #A) identity.
  • the proportional threshold #1 and the proportional threshold #2 may be the same or different, and the present invention is not particularly limited.
  • the consensus node can save the identifier #A to the blockchain.
  • the one or more consensus nodes participating in the negotiation may also send broadcast information carrying authentication information #A to each device in the communication system 100; the authentication information #A may be used to indicate that the identifier #A is valid in the communication system, so that an authenticating party can determine that the identifier #A passes authentication whenever a process requiring authentication occurs.
  • the server #B may initiate the process of registering as a consensus node.
  • the difference from the process shown in FIG. 4 is that the object encrypted by the server #B is the identifier determined by the server #B.
  • the private key of the server #B is used when encrypting the identifier, and the information used by the receiving end to decrypt it is the public key or device identifier of the server #B.
  • other processes in which the server #B can initiate registration as a consensus node can be similar to the process shown in FIG. 4 above, and a detailed description thereof will be omitted herein to avoid redundancy.
  • FIG. 5 is a schematic diagram showing a process of issuing identification information of the terminal device #B.
  • the server #B may assign an identifier to the terminal device #B (i.e., an example of the first terminal device) (this identifier is an example of the identification information and is hereinafter referred to as identifier #B for ease of understanding and distinction).
  • the server #B can learn the rule by which each consensus node verifies whether an identifier can be used as an identity identifier (hereinafter, for ease of understanding and explanation, recorded as: rule #2), so that server #B can determine the identifier #B based on rule #2.
  • the rule #2 may be: if an identifier is already used as the identity of a consensus node existing in the communication system 100, the identifier can no longer be used as the identity of another device.
  • the rule #2 may be: if an identifier has already been carried in a registration message and propagated in the communication system, the identifier cannot be used as the identity identifier of the device corresponding to a registration message propagated later.
  • each consensus node may hold an identifier list, and the identifier list may record multiple identifiers.
  • the rule #2 may be: if an identifier is already recorded in the identifier list, the identifier cannot be used as an identity identifier.
  • the identifiers stored in the consensus nodes may be the same or different, and are not specifically limited in the embodiment of the present invention.
  • the server #B can determine the identifier #B based on the above rule #2.
  • server #B may learn the identity of each consensus node present in communication system 100 (e.g., from broadcast messages transmitted by the respective consensus nodes).
  • the server #B can make the determined identifier #B different from the device identity of each consensus node present in the communication system 100.
  • the identifier #B can be a multi-digit (eg, two or more digits) decimal value.
  • the server #B may perform the preset process #A (i.e., an example of the first preset process) on the identifier #B to generate the identifier #C (i.e., an example of the first identity information).
  • the process #A satisfies the following condition: the identifier #B cannot be obtained from the identifier #C generated by the process #A; in other words, the identifier #B cannot be derived backward from the identifier #C.
  • the process #A can also satisfy the following condition: the identifier #C is uniquely generated; in other words, processing the identifier #B with the process #A cannot yield any other value or information.
  • the process #A can also satisfy the following condition: the identifier #C can only be generated by processing the identifier #B with the process #A; in other words, no other information or value can be processed with the process #A to obtain the identifier #C.
  • the process #A may be a hash (HASH) process, or a hash algorithm.
  • Hash processing means mapping a value of any length (for example, a decimal value) to a fixed-length value (for example, a binary or hexadecimal value). If a plaintext is hashed and then even a single letter of it is changed, the subsequent hash produces a different value. It is computationally infeasible to find two different inputs that hash to the same value, so the hash of data can be used to verify the integrity of that data. At the same time, given the current limits on computing power, inverting a hash is very difficult, so the hash algorithm protects data privacy.
  • the identifier #C can be a hash value.
  • the server #B can send the identifier #C to one or more consensus nodes in the communication system 100, so that at least two consensus nodes in the communication system 100 can negotiate whether the identifier #C can be used as the identity of the terminal device #B (or, in other words, whether the identifier #C is legal).
  • when the server #B is not a consensus node, the server #B may not participate in the above negotiation process.
  • when the server #B is a consensus node, the server #B can participate in the negotiation process.
  • the case in which the server #B participates in the negotiation is taken as an example to describe the above negotiation process in detail.
  • the server #B may negotiate with one or more consensus nodes existing in the communication system 100 (hereinafter, for ease of understanding and explanation, referred to as: consensus node #B) to determine whether the identifier #C is legal.
  • the server #B can perform signature processing on the identifier #C according to the information #3 to obtain signature data.
  • the server #B may also determine the public key used by the terminal device #B, and the server #B may perform signature processing on the identifier #B and the public key used by the terminal device #B according to the information #3 to obtain signature data.
  • the data transmitted (or negotiated) between the consensus nodes may also be referred to as a “transaction”.
  • the transaction obtained after the signature processing is recorded as:
  • server #B can save the transaction, i.e.:
  • server #B can send registration information carrying the transaction (hereinafter, for ease of understanding and explanation, referred to as: registration information (Register) #2) to the consensus node #B (that is, an example of the first consensus node).
  • the consensus node #B may be the above-mentioned server #A, or the consensus node #B may be a network device (for example, an access network device or a core network device) registered as a consensus node by the above server #A.
  • the consensus node #B can verify Register #2 according to the information #2; if the verification passes, the consensus node #B can determine that Register #2 comes from a legitimate device, and further, the consensus node #B can determine that the identifier #B (or the identifier #B and the public key used by the terminal device #B) is secure.
  • the consensus node #B can verify the identifier #C to determine whether the identifier #B can be used as the identity of the object of the current registration (i.e., the terminal device #B); in other words, the consensus node #B can determine whether the identifier #C is legal.
  • the consensus node #B can determine, based on the rule #2 for example, whether the identifier #C can be the identity of the object of the current registration (i.e., the terminal device #B).
  • the consensus node #B can obtain a verification result for the identifier #C, and the verification result can be: the identifier #C can be used as the identity of the object of the current registration (i.e., the terminal device #B), or the identifier #C cannot be used as the identity of the object of the current registration (i.e., the terminal device #B).
  • server #B can obtain the verification result for the identifier #B.
  • the consensus node #B may acquire a preset determination condition (hereinafter, for ease of understanding and distinction, denoted as: determination condition #2), and perform the verification based on the determination condition #2.
  • the decision condition #2 may be: if an identifier has been stored in the blockchain before one registration, the identifier cannot be used as the identity of the object of the current registration.
  • the consensus node #B can determine that the verification result is: the identifier #C cannot be the identity of the object of the current registration (i.e., the terminal device #B), or, in other words, the identifier #C is not legal.
  • the consensus node #B may determine that the verification result is: the identifier #C can be the identity of the object of the current registration (i.e., the terminal device #B), or, in other words, the identifier #C is legal.
  • the determination conditions listed above are merely exemplary, and the present invention is not limited thereto.
  • the determination condition #2 may also be: if an identifier has already been assigned to a device in the communication system before the current registration, the identifier can no longer be used as the identity of another device.
  • at S350, at least two consensus nodes including the consensus node #B (for example, the server #B may be included) may negotiate based on their respective verification results to determine whether the identifier #C can be the identity of the object of the current registration (that is, the terminal device #B).
  • the negotiation result may be: the identifier #C can be used as the identity of the object of the current registration (i.e., the terminal device #B).
  • the negotiation result may be: the identifier #C cannot be used as the identity of the object of the current registration (i.e., the terminal device #B).
  • the number threshold #3 and the number threshold #4 may be the same or different, and the present invention is not particularly limited.
  • the negotiation result may be: the identifier #C can be used as the object of the current registration (ie, the terminal device #B) identity.
  • the proportion, among the consensus nodes participating in the negotiation, of consensus nodes whose verification result is that the identifier #C can be the identity of the object of the current registration (i.e., the terminal device #B) is less than the preset proportional threshold #4 (for example, 1/2)
  • the negotiation result may be: the identifier #C cannot be the object of the current registration (ie, the terminal device #B) identity.
  • the proportional threshold #3 and the proportional threshold #4 may be the same or different, and the present invention is not particularly limited.
  • the consensus node can save the identifier #C to the blockchain.
  • one or more consensus nodes participating in the negotiation may also send broadcast information carrying authentication information #B to each device in the communication system 100; the authentication information #B may be used to indicate that the identifier #C is valid in the communication system, so that an authenticating party can determine that the identifier #C passes authentication whenever a process requiring authentication occurs. That is, in an embodiment of the present invention, an access network device (e.g., the access network device #A) in the communication system 100 can determine that the identifier #C is legal (e.g., can pass authentication).
  • the server #B can determine that the identifier #B is legal, that is, the identifier #B can be used as the identity of the terminal device #B.
  • the result of negotiating the verification results needs to satisfy the rule set by the communication system (for example, by the operator), that is, an identifier can only be used as the identity of one terminal device.
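The two registration procedures above (identifier #A for a consensus node, and identifier #B hashed by process #A into identifier #C for a terminal device) share one decision core: each consensus node checks the proposed identifier against what it already holds (rule #1/#2, determination condition #1/#2), and the nodes then combine their verification results under a number threshold or a proportional threshold. The Python model below is an added example, not code from the patent or from Huawei. The node names, identifier values and the choice of SHA-256 as process #A are constructed assumptions, and the signature over the transaction (information #1 / information #3) is deliberately not modelled.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def process_a(identifier_b: str) -> str:
    """Process #A: derive identifier #C from identifier #B.

    The patent only says "a hash process"; SHA-256 is an assumption. Its
    one-way property is what keeps the decimal identifier #B out of reach of
    a node or eavesdropper that only ever sees #C."""
    return hashlib.sha256(identifier_b.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class Transaction:
    """The record ("transaction") carried in a Register message.

    The patent signs it with the registering server's private key; that
    signature is not modelled, so `issuer` is only a constructed label."""
    identifier: str   # identifier #A (a node) or identifier #C (a terminal)
    subject: str      # constructed label of the device being registered
    public_key: str   # constructed placeholder for the subject's public key
    issuer: str       # constructed label of the registering server


@dataclass
class ConsensusNode:
    name: str
    # Identifiers this node has already stored (its view of the blockchain).
    # The patent allows different nodes to hold different lists.
    chain: Dict[str, Transaction] = field(default_factory=dict)

    def verify(self, tx: Transaction) -> bool:
        """Rule #1 / #2 and determination condition #1 / #2: an identifier
        already stored before this registration cannot be reused."""
        return tx.identifier not in self.chain

    def commit(self, tx: Transaction) -> None:
        self.chain[tx.identifier] = tx


def negotiate(nodes: List[ConsensusNode], tx: Transaction,
              min_count: Optional[int] = None,
              min_fraction: Optional[float] = None) -> bool:
    """Combine the nodes' verification results (S240 / S350).

    Exactly one threshold applies: a number threshold (at least `min_count`
    accepting nodes) or a proportional threshold (at least `min_fraction` of
    the participating nodes). On acceptance every participant stores the
    identifier, so a later attempt to reuse it is rejected."""
    if (min_count is None) == (min_fraction is None):
        raise ValueError("give exactly one of min_count or min_fraction")
    accepting = sum(node.verify(tx) for node in nodes)
    if min_count is not None:
        accepted = accepting >= min_count
    else:
        accepted = accepting / len(nodes) >= min_fraction
    if accepted:
        for node in nodes:
            node.commit(tx)
    return accepted


def demo() -> Dict[str, bool]:
    """Constructed walk-through of both registration procedures."""
    server_a = ConsensusNode("server#A")   # operator, created the system
    core = ConsensusNode("core#1")         # constructed second node
    nodes = [server_a, core]
    results: Dict[str, bool] = {}

    # Access network device #A registered as a consensus node (number threshold).
    an_a = Transaction("AN-0001", "accessnet#A", "pk-AN-0001", "server#A")
    results["register_node"] = negotiate(nodes, an_a, min_count=2)
    nodes.append(ConsensusNode("accessnet#A", dict(server_a.chain)))

    # Terminal device #B: server #B hashes identifier #B and registers #C.
    identifier_c = process_a("31415926")   # constructed identifier #B
    term_b = Transaction(identifier_c, "terminal#B", "pk-term-B", "server#B")
    results["register_terminal"] = negotiate(nodes, term_b, min_fraction=0.5)

    # Reuse attempt: a second device presenting the same #C is rejected by all.
    dup = Transaction(identifier_c, "terminal#X", "pk-term-X", "server#B")
    results["reuse_rejected"] = not negotiate(nodes, dup, min_fraction=0.5)

    # A node that missed the broadcast would accept, but 1 of 4 is below 1/2.
    nodes.append(ConsensusNode("late#1"))
    results["split_vote_rejected"] = not negotiate(nodes, dup, min_fraction=0.5)
    return results


if __name__ == "__main__":
    print(demo())
```

The last step is the one worth watching in a real deployment: the proportional threshold is what lets the system tolerate a node whose identifier list is stale or has been tampered with, but only as long as such nodes stay a minority of the participants in each negotiation.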
  • the server #B may store (or burn) the identifier #B (i.e., ID devj), which after the above negotiation and verification is the identity of the terminal device #B, into the terminal device #B (or into the SIM card of the terminal device #B).
  • the server #B may also store (or burn) the public key used by the terminal device #B, the public key used by the server #B, and the public key used by the server #A into the terminal device #B (or into the SIM card of the terminal device #B).
  • the identifier of a terminal device in the communication system may include, but is not limited to, a Universal Subscriber Identity Module (USIM) number, a Subscriber Identification Module (SIM) number, an International Mobile Subscriber Identification Number (IMSI), a mobile phone number, etc., as in the prior art.
  • in the method for determining an identity of a terminal device, a server of the manufacturer of the first terminal device determines a first identifier and transmits it to at least one consensus node in the communication system, and at least two consensus nodes in the communication system negotiate to determine whether the first identifier can be used as the identity of the first terminal device; this spares the user from having to obtain an identity identifier for the terminal device, thereby improving the user experience, and since the first identifier is determined by the manufacturer's server, the burden and cost of the operator in assigning and managing identities can be reduced.
  • the network access authentication and authorization process performed by the terminal device #B (that is, an example of the first terminal device) using its identity identifier (for example, the above-described identifier #C) is described below.
  • the terminal device #B may send an access request message (for example, an attach request) to the access network device (for example, the access network device #A), and the message may carry the identifier #C.
  • the access network device #A can query whether the identifier #C (or the registration transaction for the identifier #C) is saved locally, or the access network device #A can query whether information indicating that the identifier #C is legal (hereinafter, for ease of understanding and explanation, recorded as: information #B) is saved locally.
  • the access network device #A can perform S440.
  • the access network device #A may initiate, to one or more consensus nodes in the communication system (e.g., server #A), a query process for checking whether the identifier #C is legal. Since the identifier #C has been authenticated by at least two consensus nodes in the communication system 100, the access network device #A can determine that the identifier #C is legal based on the reply of the server #A. Moreover, the server #A can send the public key used by the terminal device #B to the access network device #A in this process.
  • the access network device #A may generate a random number M and acquire the above transaction.
  • the access network device #A can encrypt the random number M based on the public key used by the terminal device #B or, alternatively, the identity of the terminal device #B (for example, the identifier #C), to generate ciphertext #A.
  • the access network device #A can send the ciphertext #A to the terminal device #B.
  • the terminal device #B can decrypt the ciphertext #A using the private key used by the terminal device #B (where this private key corresponds to the public key used by the terminal device #B or, alternatively, to the identity of the terminal device #B), thereby obtaining the random number M.
  • the server #A may send the identifier of each access network device in the communication system to the terminal device #B.
  • the terminal device #B can, based on these identifiers, confirm that the access network device #A is legal.
  • the terminal device #B can generate a random number N, and the terminal device #B can encrypt the random number N and the random number M using the public key used by the access network device #A (or, alternatively, the identity of the access network device #A, i.e., the identifier #A) to generate ciphertext #B.
  • the terminal device #B may transmit the ciphertext #B to the access network device #A.
  • the access network device #A may decrypt the ciphertext #B using the private key used by the access network device #A (where this private key corresponds to the public key used by the access network device #A or, alternatively, to the identity of the access network device #A) to obtain the random number N and the random number M, so that the access network device #A completes the authentication of the terminal device #B.
  • the access network device #A can encrypt the random number N using the public key used by the terminal device #B or, alternatively, the identity of the terminal device #B (i.e., the identifier #C), to generate ciphertext #C.
  • the access network device #A may send the ciphertext #C to the terminal device #B, whereupon the terminal device #B may decrypt the ciphertext #C based on the private key used by the terminal device #B (where this private key corresponds to the public key used by the terminal device #B or, alternatively, to the identity of the terminal device #B). If N is obtained, the terminal device #B completes the authentication of the access network device #A, and the network access authentication and authorization ends.
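An added Python model of the FIG. 6 exchange above (ciphertexts #A, #B and #C carrying the random numbers M and N), not code from the patent or from Huawei. It assumes textbook RSA over constructed Mersenne primes as the public-key scheme (the page allows any public-key or identity-based scheme) and packs N and M into one plaintext for ciphertext #B; the key sizes and the absence of padding make it a teaching model only. The second run shows the defender's point of the mutual exchange: a responding device that does not hold access network device #A's private key can neither confirm M nor return N, so the terminal rejects it.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class KeyPair:
    """Toy textbook RSA key; `d` is None for the public half (assumption)."""
    n: int
    e: int
    d: Optional[int] = None

    def public(self) -> "KeyPair":
        return KeyPair(self.n, self.e)


def make_toy_keypair(p: int, q: int, e: int = 65537) -> KeyPair:
    """Constructed key generation from two given primes."""
    return KeyPair(n=p * q, e=e, d=pow(e, -1, (p - 1) * (q - 1)))


def encrypt(pub: KeyPair, m: int) -> int:
    if not 0 <= m < pub.n:
        raise ValueError("plaintext out of range")
    return pow(m, pub.e, pub.n)


def decrypt(priv: KeyPair, c: int) -> int:
    if priv.d is None:
        raise ValueError("private key required")
    return pow(c, priv.d, priv.n)


NONCE_BITS = 24                        # width of M and N in this toy model
MASK = (1 << NONCE_BITS) - 1


def pack(n_val: int, m_val: int) -> int:
    """Ciphertext #B carries both N and M in one plaintext."""
    return (n_val << NONCE_BITS) | m_val


def unpack(v: int) -> Tuple[int, int]:
    """Parse the two fixed-width fields; garbage decrypts still parse."""
    return (v >> NONCE_BITS) & MASK, v & MASK


def mutual_authentication(terminal: KeyPair, network_pub: KeyPair,
                          network_priv: KeyPair,
                          rng: Callable[[int], int] = secrets.randbelow
                          ) -> Dict[str, bool]:
    """`terminal` is terminal device #B's full key, `network_pub` the access
    network device #A key the terminal learned from server #A, and
    `network_priv` whatever key the responding device really holds."""
    terminal_pub = terminal.public()

    # Access network device #A: random M, ciphertext #A under the terminal key.
    m = rng(1 << NONCE_BITS)
    ct_a = encrypt(terminal_pub, m)

    # Terminal device #B: recover M, pick N, ciphertext #B under the network key.
    m_recv = decrypt(terminal, ct_a)
    n = rng(1 << NONCE_BITS)
    ct_b = encrypt(network_pub, pack(n, m_recv))

    # Responding device: decrypt ciphertext #B; the echoed M must match its own.
    n_recv, m_echo = unpack(decrypt(network_priv, ct_b))
    terminal_ok = m_echo == m
    # An honest device stops here on mismatch; we continue so that the
    # terminal-side check is exercised against an impostor as well.
    ct_c = encrypt(terminal_pub, n_recv)          # ciphertext #C

    # Terminal device #B: only the holder of the real private key returns N.
    network_ok = decrypt(terminal, ct_c) == n
    return {"terminal_authenticated": terminal_ok,
            "network_authenticated": network_ok}


# Constructed keys built from Mersenne primes (2^31-1, 2^61-1, 2^89-1, 2^107-1, 2^127-1).
TERMINAL_KEY = make_toy_keypair((1 << 31) - 1, (1 << 61) - 1)
NETWORK_KEY = make_toy_keypair((1 << 89) - 1, (1 << 107) - 1)
IMPOSTOR_KEY = make_toy_keypair(1000003, (1 << 127) - 1)


def run_legitimate() -> Dict[str, bool]:
    return mutual_authentication(TERMINAL_KEY, NETWORK_KEY.public(), NETWORK_KEY)


def run_impostor_network() -> Dict[str, bool]:
    """A rogue responder without access network device #A's private key."""
    return mutual_authentication(TERMINAL_KEY, NETWORK_KEY.public(), IMPOSTOR_KEY)


if __name__ == "__main__":
    print("legitimate:", run_legitimate())
    print("impostor:  ", run_impostor_network())
```

The terminal's protection rests on two things it obtained out of band: its own private key (burned in by server #B) and the legitimate access network device's public key or identity (from server #A). If either were replaceable by the network over the air, the impostor run would succeed.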
  • the network access authentication and authorization process performed by the terminal device #B (that is, an example of the first terminal device) using its identity identifier (for example, the above-described identifier #B) is described below.
  • the server #B can assign the public key #B (i.e., an example of the first decryption information) and the private key #B to the terminal device #B. Also, the server #B can transmit the private key #B to the terminal device #B and transmit the public key #B to the access network device #A.
  • the method for generating and using the public key #B and the private key #B may be similar to the prior art, and a detailed description thereof is omitted herein.
  • the terminal device #B may perform the process #B (i.e., an example of the second preset process) on the identifier #B to obtain information a and information b (i.e., an example of the first authentication information).
  • the information a and the information b obtained after the process #B can satisfy the following conditions:
  • y is the public key #B
  • a, b, m, k, g, p, x, y are positive integers, 1 < k < p-2, and k and p-1 are coprime
  • p is a calculation parameter, and p is a prime number
  • g < p, x < p, and mod represents a remainder operation.
  • prime numbers (also called primes) are infinite in number.
  • a prime number is defined as a natural number greater than 1 that has no factors other than 1 and itself; such a number is called a prime number.
  • mutually prime numbers can also be called coprime numbers, that is, two integers whose only common divisor (or common factor) is 1 are called coprime integers.
  • two natural numbers whose only common divisor is 1 are called coprime natural numbers; the latter is a special case of the former.
  • N integers whose only common divisor is 1 are said to be coprime.
  • the conditions listed above that the information a and the information b obtained after the process #B can satisfy are for illustrative purposes only, and the present invention is not limited thereto; any other method of obtaining information based on m, used in the terminal device together with the corresponding (for example, the same) third processing and fourth processing of the network device described later, is within the scope of protection of the present invention.
  • the above-mentioned remainder (modulo) processing may be replaced with logarithmic processing or exponential processing.
  • the terminal device #B can transmit the information a and the information b to the access network device #A.
  • the access network device #A may perform the process #C (i.e., an example of the third preset process) on the information a and the information b to obtain the information X (i.e., an example of the first result).
  • the information X obtained after the process #C can satisfy the following conditions:
  • the terminal device #B may perform the process #D (i.e., the fourth processing) on the identifier #B (i.e., m) to obtain the information Y (i.e., an example of the second result).
  • the information Y obtained after the process #D can satisfy the following conditions:
  • the terminal device #B can transmit the information Y to the access network device #A.
  • at S560, the access network device #A can determine whether to allow the terminal device #B to access based on the relationship between the information X and the information Y.
  • the access network device #A allows the terminal device #B to access;
  • the access network device #A does not allow the terminal device #B to access.
  • the operations performed by the access network device #A may alternatively be performed by the server #A (that is, an example of the first consensus node).
  • the access network device #A may also transmit the information X obtained as described above to the terminal device #B.
  • the terminal device #B can determine whether to access the access network device #A (or determine whether the access network device #A is legitimate) based on the relationship between the information X and the information Y: if the information X is the same as the information Y, the terminal device #B determines that the access network device #A can be accessed, or that the access network device #A is legitimate; if the information X differs from the information Y, the terminal device #B determines not to access the access network device #A, or that the access network device #A is not legitimate.
  • in the prior art, a terminal device performing access authentication needs to send its identification information to the access network device, so if the identification information is stolen during that process, user information is leaked and communication security is seriously reduced.
  • in the embodiment of the present invention, first authentication information determined based on the identification information is used during the access process, and the identification information cannot be obtained based on the first authentication information; therefore, even if the first authentication information is stolen during transmission, the identification information cannot be recovered from it, leakage of user information is prevented, and communication security is improved.
  • FIG. 8 is a schematic block diagram of an apparatus 600 for access authentication according to an embodiment of the present invention.
  • the apparatus 600 may correspond to (for example, may be configured as, or itself be) the consensus node #B (for example, server #A) described in the foregoing method 300, method 400 or method 500, and each module or unit in the apparatus 600 is used to perform each action or process performed by the consensus node #B in the above method 300, method 400 or method 500; details are omitted here to avoid redundancy.
  • the apparatus 600 may include a processor and a transceiver, and the processor and the transceiver are in communication connection.
  • the device further includes a memory, and the memory is communicatively coupled to the processor.
  • the processor, the memory and the transceiver can be communicatively coupled; the memory is configured to store instructions, and the processor is configured to execute the instructions stored in the memory to control the transceiver to transmit information or signals.
  • the transceiver unit in the apparatus 600 shown in FIG. 8 can correspond to the transceiver, and the processing unit in the apparatus 600 shown in FIG. 8 can correspond to the processor.
  • FIG. 9 is a schematic block diagram of an apparatus 700 for determining an identity of a terminal device according to an embodiment of the present invention.
  • the apparatus 700 may correspond to (for example, may be configured as, or itself be) the server #B described in the above method 300, method 400 or method 500, and each module or unit in the apparatus 700 is used to perform each action or process performed by the server #B in the above method 300, method 400 or method 500; detailed description thereof is omitted here.
  • the apparatus 700 may include a processor and a transceiver, and the processor and the transceiver are communicatively coupled.
  • the device further includes a memory, and the memory is communicatively coupled to the processor.
  • the processor, the memory and the transceiver can be communicatively coupled; the memory is configured to store instructions, and the processor is configured to execute the instructions stored in the memory to control the transceiver to transmit information or signals.
  • the transceiver unit in the apparatus 700 shown in FIG. 9 can correspond to the transceiver, and the processing unit in the apparatus 700 shown in FIG. 9 can correspond to the processor.
  • FIG. 10 is a schematic block diagram of an apparatus 800 for determining an identity of a terminal device according to an embodiment of the present invention.
  • the apparatus 800 may correspond to (for example, may be configured as, or itself be) the terminal device #B described in the above method 300, method 400 or method 500, and each module or unit in the apparatus 800 is used to perform each action or process performed by the terminal device #B in the above method 300, method 400 or method 500; details are omitted here to avoid redundancy.
  • the apparatus 800 may include a processor and a transceiver, and the processor and the transceiver are communicatively coupled.
  • the apparatus further includes a memory, and the memory is communicatively coupled to the processor.
  • the processor, the memory and the transceiver can be communicatively coupled; the memory is configured to store instructions, and the processor is configured to execute the instructions stored in the memory to control the transceiver to transmit information or signals.
  • the transceiver unit in the device 800 shown in FIG. 10 can correspond to the transceiver, and the processing unit in the device 800 shown in FIG. 10 can correspond to the processor.
  • the processor may be an integrated circuit chip with signal processing capabilities.
  • each step of the foregoing method embodiments may be completed by an integrated logic circuit of hardware in a processor or an instruction in a form of software.
  • the processor may be a general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
  • the processor may implement or perform the methods, steps, and logical block diagrams disclosed in the embodiments of the present invention.
  • the general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
  • the steps of the methods disclosed in the embodiments of the present invention may be performed directly by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a conventional storage medium such as a random access memory, a flash memory, a read-only memory, a programmable read-only memory or an electrically erasable programmable memory, a register, and the like.
  • the storage medium is located in the memory, and the processor reads the information in the memory and, in combination with its hardware, completes the steps of the above method.
  • the memory in the embodiments of the present invention may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory.
  • the non-volatile memory may be a read-only memory (ROM), a programmable read-only memory (PROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM), or a flash memory.
  • the volatile memory may be a random access memory (RAM), which acts as an external cache.
  • many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM), and direct Rambus RAM (DR RAM).
  • the sequence numbers of the foregoing processes do not imply an order of execution; the order of execution of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation of the embodiments of the present invention.
  • the disclosed systems, devices, and methods may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be other division manners in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • each functional unit in each embodiment of the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • if the functions are implemented in the form of software functional units and sold or used as a standalone product, they may be stored in a computer readable storage medium. Based on such an understanding, the technical solutions of the embodiments of the present invention, or the part that contributes to the prior art, or part of the technical solutions, may be embodied in the form of a software product stored in a storage medium.
  • the software product includes a plurality of instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the various embodiments of the present invention.
  • the foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

Provided in the present application are a method and apparatus for access authentication. The method comprises: a first consensus node receives first identity information from a first server, wherein the first server is a server of a manufacturer of a first terminal device, the first identity information is generated after identification information assigned by the first server to the first terminal device is subjected to first preset processing, and the identification information cannot be obtained based on the first identity information; and the first consensus node confers with at least one second consensus node regarding the first identity information to determine whether the first identity information can be used for access authentication for the communication system. In this way, the user experience is improved, the burden and cost of an operator in assignment and management of identification of a terminal device in a communication system are reduced, and user information is prevented from being stolen, thereby improving communication security.

Description

Method and apparatus for access authentication
This application claims priority to Chinese Patent Application No. 201710703367.3, filed with the China Patent Office on August 16, 2017 and entitled "Method and apparatus for access authentication", the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of communications and, more particularly, to a method and apparatus for determining the access authentication of a terminal device.
Background
When a terminal device communicates in a network, it needs to use an identifier that indicates the identity of the terminal device in the network (hereinafter, for ease of understanding and distinction, referred to as "identification information"). For example, in the prior art, when a terminal device accesses the network (for example, performs access attachment), the network-side device performs operations such as authentication, verification and key agreement on the terminal device according to the identification information of the terminal device.
In existing communication technology, this identification information is allocated and managed centrally by the network operator. For example, after the user of the terminal device completes a subscription contract with the network operator, the identity of the terminal device is burned into the terminal device; for example, it is burned into the Universal Subscriber Identity Module (USIM) of the terminal device.
In existing communication technology, the user must obtain operator-allocated identification information for the terminal device before the terminal device can be used for communication, which affects user experience.
Moreover, with the development and spread of communication technologies such as Internet of Things technology, the number of terminal devices is growing massively, and this massive growth also increases the operator's burden and cost of allocating and managing identification information.
Summary
The present application provides a method and apparatus for access authentication, which can improve user experience, reduce the operator's burden and cost of allocating and managing the identifiers of terminal devices in a communication system, and prevent user information from being stolen, thereby improving communication security.
In a first aspect, a method for access authentication is provided, performed in a communication system including at least two consensus nodes. The method includes: a first consensus node receives first identity information from a first server, where the first server is a server of the manufacturer of a first terminal device, the first identity information is generated by applying first preset processing to identification information allocated by the first server to the first terminal device, and the identification information cannot be obtained based on the first identity information; and the first consensus node negotiates with at least one second consensus node regarding the first identity information to determine whether the first identity information can be used for access authentication for the communication system.
According to the access authentication method of the embodiment of the present invention, the identification information is determined by the first server of the manufacturer of the first terminal device, the first identity information generated based on that identification information is sent to at least one consensus node in the communication system, and at least two consensus nodes in the communication system negotiate to determine whether the first identity information can be used for access authentication for the communication system. This spares the user the operation of obtaining identification information for the terminal device, which improves user experience; and because the identification information is determined by the manufacturer's server, the operator's burden and cost of allocating and managing identification information can be reduced.
Moreover, because what is transmitted between the first server and the first consensus node is the first identity information generated based on the identification information, and the identification information cannot be obtained from the first identity information, leakage of user information (for example, the identification information) can be avoided even if the first identity information is stolen during transmission, thereby improving communication security.
Optionally, the first identity information can be uniquely determined based on the identification information.
In other words, only one piece of first identity information can be determined based on the identification information.
Optionally, the first preset processing includes hash processing.
In other words, the first identity information is a hash value obtained by hashing the identification information.
According to the access authentication method of the embodiment of the present invention, using hash processing as the first preset processing makes the first identity information easy to obtain, which improves the practicality and effectiveness of the access authentication method of the embodiment of the present invention.
Optionally, the first consensus node is a server of the operator of the network used by the communication system.
By having the operator's server act as the first consensus node and take part in the negotiation over whether the first identifier can serve as the first identity information of the first terminal device in the communication system, the operator participates in the authentication process for the first identity information, which facilitates the operator's management of the network and improves network security.
Optionally, the first consensus node is an access network device (for example, a base station) or a core network device in the communication system.
Optionally, the at least one second consensus node includes at least one of: an access network device in the communication system, a core network device in the communication system, a server of an application service provider, and the first server.
Optionally, the communication system is a system that stores data based on blockchain technology.
Optionally, the at least two consensus nodes store data based on blockchain technology.
Optionally, the at least two consensus nodes are consensus nodes in a blockchain system.
Optionally, the first consensus node negotiating with the at least one second consensus node regarding the first identifier includes: the first consensus node negotiating with the at least one second consensus node regarding the first identifier based on blockchain technology.
By applying blockchain technology to the method for determining the identifier of a terminal device of the embodiment of the present invention, the negotiation, verification and storage of the first identity information can be implemented easily.
Optionally, the first consensus node negotiating with the at least one second consensus node regarding the first identity information includes: the first consensus node verifies the first identifier against at least one piece of second identity information, where the second identity information can be used for access authentication for the communication system; if the first identity information differs from every piece of second identity information, the result of the verification is that the first identity information can be used for access authentication for the communication system, and if the first identity information is the same as at least one piece of second identity information, the result of the verification is that the first identity information cannot be used for access authentication for the communication system; and the first consensus node negotiates with the at least one second consensus node regarding the first identity information according to the result of the verification.
This prevents the first identification information from serving as the identity of different terminal devices at the same time, which avoids communication errors, improves the security and reliability of communication, and further improves user experience.
Optionally, the first consensus node negotiating with the at least one second consensus node regarding the first identity information according to the result of the verification includes: if, among the first consensus node and the at least one second consensus node, the number of consensus nodes that determine that the first identity information can be used for access authentication for the communication system is greater than or equal to a preset first threshold, the first consensus node determines that the first identity information can be used for access authentication for the communication system.
Optionally, the first consensus node negotiating with the at least one second consensus node regarding the first identity information according to the result of the verification includes: if, among the first consensus node and the at least one second consensus node, the number of consensus nodes that determine that the first identity information can be used for access authentication for the communication system is less than the first threshold, the first consensus node determines that the first identity information cannot be used for access authentication for the communication system.
Optionally, the first consensus node negotiating with the at least one second consensus node regarding the first identity information according to the result of the verification includes: when the proportion of the at least two negotiating consensus nodes that support the first identity information being usable for access authentication for the communication system is greater than or equal to a preset second threshold, the first consensus node determines that the first identity information can be used for access authentication for the communication system.
Optionally, the first consensus node negotiating with the at least one second consensus node regarding the first identity information according to the result of the verification includes: when the proportion of the at least two negotiating consensus nodes that support the first identity information being usable for access authentication for the communication system is less than the preset second threshold, the first consensus node determines that the first identity information cannot be used for access authentication for the communication system.
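As an added illustration, not code from the patent or from Huawei, the following Python model walks through the uniqueness verification and the two threshold rules described above: SHA-256 stands in for the first preset processing (the text only says "hash processing"), the set held by each node stands in for the second identity information already accepted for access authentication, and the names ConsensusNode, negotiate, min_count and min_ratio, as well as the sample identification values, are constructed for this example.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample identification information (m) that a manufacturer's
# server would allocate to two terminal devices; the values are made up.
M_DEVICE_1 = 123456789
M_DEVICE_2 = 987654321


def first_preset_processing(m: int) -> str:
    """First preset processing, modelled as SHA-256 (assumption: the patent
    only says 'hash processing'). Only this digest, the first identity
    information, is sent to the consensus nodes; m itself never travels."""
    return hashlib.sha256(str(m).encode()).hexdigest()


@dataclass
class ConsensusNode:
    """A consensus node (hypothetical model) holding the second identity
    information already accepted for access authentication."""
    name: str
    accepted: set = field(default_factory=set)

    def verify(self, first_identity: str) -> bool:
        # Verification result: usable only if it differs from every accepted
        # second identity information (no two devices may share an identity).
        return first_identity not in self.accepted


def negotiate(nodes, first_identity, min_count=None, min_ratio=None) -> bool:
    """Negotiation among the nodes. The first node counts how many nodes
    verified the identity as usable, then applies either the count rule
    (first threshold, min_count) or the proportion rule (second threshold,
    min_ratio). On success every node records the identity as accepted."""
    if (min_count is None) == (min_ratio is None):
        raise ValueError("give exactly one of min_count or min_ratio")
    votes = sum(1 for node in nodes if node.verify(first_identity))
    if min_count is not None:
        usable = votes >= min_count
    else:
        usable = votes / len(nodes) >= min_ratio
    if usable:
        for node in nodes:
            node.accepted.add(first_identity)
    return usable


if __name__ == "__main__":
    ring = [ConsensusNode(n) for n in ("operator", "base-station", "app-server")]
    h1 = first_preset_processing(M_DEVICE_1)
    print("register device 1:", negotiate(ring, h1, min_count=2))   # True
    print("re-register device 1:", negotiate(ring, h1, min_count=2))  # False: already taken
```

The second call fails because every node already holds the digest as accepted second identity information, which is exactly the duplicate-identity case the verification rule is meant to reject.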
Optionally, the method further includes: the first consensus node receives first decryption information, where the first decryption information is information allocated by the first server to the first terminal device for decrypting data sent by the first terminal device; the first consensus node receives first authentication information sent by the first terminal device, where the first authentication information is generated by applying second preset processing to the identification information, and the identification information cannot be obtained based on the first authentication information; the first consensus node performs third preset processing based on the first decryption information and the first authentication information to obtain a first result; the first consensus node receives a second result from the first terminal device, where the second result is generated by the terminal device applying fourth preset processing to the identification information, and the second preset processing, the third preset processing and the fourth preset processing use at least one identical calculation parameter; and the first consensus node determines, according to the relationship between the first result and the second result, whether the first terminal device passes access authentication for the communication system.
Optionally, the second preset processing, the third preset processing and the fourth preset processing include remainder (modulo) processing with respect to the same modulus.
Optionally, the first decryption information is obtained by applying remainder processing with respect to the same modulus to a preset value.
Optionally, the first authentication information includes first sub-information a and second sub-information b, and
the second preset processing includes processing based on the following formulas:
$a = g^{k} \bmod p$,
$m = (xa + kb) \bmod (p-1)$,
$y = g^{x} \bmod p$,
where y is the first decryption information, m is the identification information, a, b, m, k, g, p, x and y are positive integers, $1 \le k \le p-2$, k is coprime to $p-1$, p is the calculation parameter and is a prime number, $g < p$, $x < p$, and mod denotes the remainder operation.
Optionally, the third preset processing includes making the first result X satisfy $X = y^{a} a^{b} \bmod p$, and
the fourth preset processing includes making the second result Y satisfy $Y = g^{m} \bmod p$.
Optionally, the first consensus node determining, according to the relationship between the first result and the second result, whether the first terminal device passes access authentication for the communication system includes:
if the first result is the same as the second result, the first consensus node determines that the first terminal device passes access authentication for the communication system; and
if the first result differs from the second result, the first consensus node determines that the first terminal device does not pass access authentication for the communication system.
In the prior art, a terminal device performing access authentication needs to send its identification information to the access network device; if the identification information is stolen during this process, user information is leaked, which seriously reduces communication security.
By contrast, in the embodiment of the present invention, first authentication information determined based on the identification information is used during the access process, and the identification information cannot be obtained from the first authentication information. Therefore, even if the first authentication information is stolen during transmission, the identification information cannot be recovered from it, so leakage of user information is avoided and communication security is improved.
In a second aspect, a method for access authentication is provided. The method further includes: a first consensus node receives first decryption information, where the first decryption information is information allocated by the first server to the first terminal device for decrypting data sent by the first terminal device; the first consensus node receives first authentication information sent by the first terminal device, where the first authentication information is generated by applying second preset processing to the identification information, and the identification information cannot be obtained based on the first authentication information; the first consensus node performs third preset processing based on the first decryption information and the first authentication information to obtain a first result; the first consensus node receives a second result from the first terminal device, where the second result is generated by the terminal device applying fourth preset processing to the identification information, and the second preset processing, the third preset processing and the fourth preset processing use at least one identical calculation parameter; and the first consensus node determines, according to the relationship between the first result and the second result, whether the first terminal device passes access authentication for the communication system.
Optionally, the second preset processing, the third preset processing and the fourth preset processing include remainder (modulo) processing with respect to the same modulus.
Optionally, the first decryption information is obtained by applying remainder processing with respect to the same modulus to a preset value.
Optionally, the first authentication information includes first sub-information a and second sub-information b, and
the second preset processing includes processing based on the following formulas:
$a = g^{k} \bmod p$,
$m = (xa + kb) \bmod (p-1)$,
$y = g^{x} \bmod p$,
where y is the first decryption information, m is the identification information, a, b, m, k, g, p, x and y are positive integers, $1 \le k \le p-2$, k is coprime to $p-1$, p is the calculation parameter and is a prime number, $g < p$, $x < p$, and mod denotes the remainder operation.
Optionally, the third preset processing includes making the first result X satisfy $X = y^{a} a^{b} \bmod p$, and
the fourth preset processing includes making the second result Y satisfy $Y = g^{m} \bmod p$.
Optionally, the first consensus node determining, according to the relationship between the first result and the second result, whether the first terminal device passes access authentication for the communication system includes:
if the first result is the same as the second result, the first consensus node determines that the first terminal device passes access authentication for the communication system; and
if the first result differs from the second result, the first consensus node determines that the first terminal device does not pass access authentication for the communication system.
In the prior art, a terminal device performing access authentication has to send its identification information to the access network device; if the identification information is stolen during that process, user information is leaked and communication security is seriously degraded.
By contrast, in the embodiments of the present invention the access procedure uses first authentication information determined from the identification information, and the identification information cannot be obtained from the first authentication information. Even if the first authentication information is stolen in transit, the identification information cannot be recovered from it, so leakage of user information is avoided and communication security is improved.
In a third aspect, a method for access authentication is provided, performed in a communication system including at least two consensus nodes. The method includes: a first server allocates identification information to a first terminal device; the first server performs first preset processing on the identification information to determine first identity information, where the identification information cannot be obtained from the first identity information; and the first server sends the first identity information to a first consensus node.
According to the access authentication method of the embodiments of the present invention, the identification information is determined by the first server of the manufacturer of the first terminal device, the first identity information generated from that identification information is sent to at least one consensus node in the communication system, and at least two consensus nodes in the communication system negotiate whether the first identity information can be used for access authentication for the communication system. This spares the user the step of obtaining identification information for the terminal device, improving the user experience, and because the identification information is determined by the manufacturer's server, the operator's burden and cost of allocating and managing identification information are reduced.
Moreover, since what is transmitted between the first server and the first consensus node is the first identity information generated from the identification information, and the identification information cannot be obtained from the first identity information, leakage of user information (for example, the identification information) when the first identity information is stolen in transit is avoided, improving communication security.
Optionally, the first identity information can be uniquely determined from the identification information.
In other words, only one piece of first identity information can be determined from the identification information.
Optionally, the first preset processing includes hash processing.
In other words, the first identity information is the hash value obtained by hashing the identification information.
According to the access authentication method of the embodiments, using hash processing as the first preset processing makes the first identity information easy to obtain, which improves the practicality and effectiveness of the method.
Optionally, the first consensus node is a server of the operator of the network used by the communication system.
By having the operator's server act as the first consensus node and take part in negotiating whether the first identity can serve as the first identity information of the first terminal device in the communication system, the operator participates in the authentication of the first identity information, which facilitates the operator's management of the network and improves network security.
Optionally, the first consensus node is an access network device (for example, a base station) or a core network device in the communication system.
Optionally, the at least one second consensus node includes at least one of an access network device in the communication system, a core network device in the communication system, a server of an application service provider, and the first server.
Optionally, the communication system is a system that stores data based on blockchain technology.
Optionally, the at least two consensus nodes store data based on blockchain technology.
Optionally, the at least two consensus nodes are consensus nodes in a blockchain system.
Optionally, the first consensus node negotiating the first identity with at least one second consensus node includes: the first consensus node negotiating the first identity with at least one second consensus node based on blockchain technology.
By applying blockchain technology to the method for determining the identity of a terminal device of the embodiments, the negotiation, verification and storage of the first identity information can be implemented easily.
Optionally, the method further includes: the first server verifies the first identity against at least one piece of second identity information, the second identity information being usable for access authentication for the communication system, where if the first identity information differs from every piece of second identity information the verification result is that the first identity information can be used for access authentication for the communication system, and if the first identity information is the same as at least one piece of second identity information the verification result is that the first identity information cannot be used for access authentication for the communication system; and the first server negotiates the first identity information with at least one consensus node according to the verification result.
This prevents the first identification information from serving as the identity of different terminal devices at the same time, which avoids communication errors, improves communication security and reliability, and further improves the user experience.
Optionally, the first server negotiating the first identity information with at least one consensus node according to the verification result includes: if, among the devices participating in the negotiation, the number of consensus nodes that determine that the first identity information can be used for access authentication for the communication system is greater than or equal to a preset first threshold, the first server determines that the first identity information can be used for access authentication for the communication system.
Optionally, the first server negotiating the first identity information with at least one consensus node according to the verification result includes: if, among the devices participating in the negotiation, the number of devices that determine that the first identity information can be used for access authentication for the communication system is less than the first threshold, the first server determines that the first identity information cannot be used for access authentication for the communication system.
Optionally, the first server negotiating the first identity information with at least one consensus node according to the verification result includes: when the proportion of negotiating devices that support the first identity information being usable for access authentication for the communication system is greater than or equal to a preset second threshold, the first server determines that the first identity information can be used for access authentication for the communication system.
Optionally, the first server negotiating the first identity information with at least one consensus node according to the verification result includes: when the proportion of negotiating devices that support the first identity information being usable for access authentication for the communication system is less than the preset second threshold, the first server determines that the first identity information cannot be used for access authentication for the communication system.
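The third aspect above (hash the identifier into first identity information, verify it is not already registered, then decide by a count threshold or a proportion threshold) as an added worked example; this is illustrative code, not code from the patent. Assumptions: SHA-256 stands in for the unspecified "hash processing", each consensus node votes by checking its own copy of the ledger of accepted identity information (the patent does not say how a node forms its vote), and the identifier value is constructed.

```python
"""Identity registration by hashing and threshold consensus (added example)."""
import hashlib
from typing import Dict, Iterable, List, Optional, Tuple


def first_identity(identifier: bytes) -> str:
    """First preset processing. A hash gives exactly one identity per identifier
    and does not let the identifier be recovered from the identity information.
    SHA-256 is an assumption; the patent only says "hash processing"."""
    return hashlib.sha256(identifier).hexdigest()


class ConsensusNode:
    """A consensus node holding its own copy of the ledger of accepted identities."""

    def __init__(self, name: str, ledger: Iterable[str] = ()):
        self.name = name
        self.ledger = set(ledger)

    def vote(self, identity: str) -> bool:
        """Local verification: usable only if no registered identity equals it."""
        return identity not in self.ledger

    def commit(self, identity: str) -> None:
        self.ledger.add(identity)


def negotiate(identity: str, nodes: List[ConsensusNode], *,
              first_threshold: Optional[int] = None,
              second_threshold: Optional[float] = None) -> Tuple[bool, Dict[str, bool]]:
    """Collect votes and apply either the count rule (first threshold) or the
    proportion rule (second threshold) from the text. Returns (decision, votes)."""
    votes = {n.name: n.vote(identity) for n in nodes}
    yes = sum(votes.values())
    if first_threshold is not None:
        return yes >= first_threshold, votes
    if second_threshold is not None:
        return yes / len(votes) >= second_threshold, votes
    raise ValueError("one of first_threshold or second_threshold is required")


def register(identifier: bytes, nodes: List[ConsensusNode], **thresholds) -> Tuple[bool, str]:
    """First server role: derive the identity, negotiate it, and on acceptance
    have every node record it so it cannot be assigned to a second device."""
    identity = first_identity(identifier)
    accepted, _ = negotiate(identity, nodes, **thresholds)
    if accepted:
        for n in nodes:
            n.commit(identity)
    return accepted, identity


if __name__ == "__main__":
    # Constructed identifier; the node names are illustrative roles from the text.
    nodes = [ConsensusNode("operator"), ConsensusNode("core-network"), ConsensusNode("manufacturer")]
    print(register(b"IMEI-EXAMPLE-0001", nodes, first_threshold=2))   # (True, <hash>)
    print(register(b"IMEI-EXAMPLE-0001", nodes, first_threshold=2))   # (False, <hash>): duplicate
```

The second call fails because every node now finds the identity in its ledger, which is the collision case the text describes. A node whose ledger is stale votes to accept, so the threshold rule, not any single node, decides the outcome.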
In a fourth aspect, a method for access authentication is provided, including: a first terminal device receives identification information from a first server, the first server being a server of the manufacturer of the first terminal device; the first terminal device performs second preset processing on the identification information to generate first authentication information, where the identification information cannot be obtained from the first authentication information; the first terminal device performs fourth preset processing on the identification information to generate a second result; and the first terminal device sends the first authentication information and the second result to a first consensus node, so that the first consensus node performs third preset processing based on first decryption information and the first authentication information to obtain a first result and determines, according to the relationship between the first result and the second result, whether the first terminal device passes access authentication for the communication system, where the first decryption information is information allocated by the first server to the first terminal device for decrypting data sent by the first terminal device, and the second preset processing, the third preset processing and the fourth preset processing use at least one common calculation parameter.
Optionally, the second preset processing, the third preset processing and the fourth preset processing include taking a remainder modulo the same modulus.
Optionally, the first decryption information is obtained by taking a preset value modulo that same modulus.
Optionally, the first authentication information includes first sub-information a and second sub-information b, and
the second preset processing includes processing based on the following formulas:
a = g^k mod p,
m = (x·a + k·b) mod (p-1),
y = g^x mod p,
where y is the first decryption information, m is the identification information, a, b, m, k, g, p, x and y are positive integers, 1 ≤ k ≤ p-2, k is coprime with p-1, p is the calculation parameter and is a prime, g < p, x < p, and mod denotes the remainder operation.
Optionally, the third preset processing includes making the first result X satisfy X = y^a · a^b mod p,
and the fourth preset processing includes making the second result Y satisfy Y = g^m mod p.
In the prior art, a terminal device performing access authentication has to send its identification information to the access network device; if the identification information is stolen during that process, user information is leaked and communication security is seriously degraded.
By contrast, in the embodiments of the present invention the access procedure uses first authentication information determined from the identification information, and the identification information cannot be obtained from the first authentication information. Even if the first authentication information is stolen in transit, the identification information cannot be recovered from it, so leakage of user information is avoided and communication security is improved.
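The formulas of the second and fourth aspects carried through end to end, as an added example (illustrative code, not code from the patent). The roles follow the text: the first server picks x and derives y = g^x mod p (the first decryption information), gives m and x to the terminal and y to the consensus node; the terminal computes (a, b) and Y = g^m mod p; the node computes X = y^a · a^b mod p and compares. The node never receives m. The prime p = 1000003, g = 2, the identifier value and the fixed k used in the hand-checked case are constructed for readability and are assumptions; the patent fixes only the relations between the symbols.

```python
"""Worked instance of the second, third and fourth preset processing (added example)."""
import secrets
from math import gcd
from typing import Optional, Tuple


def server_setup(p: int, g: int) -> Tuple[int, int]:
    """First server: secret x with 1 <= x < p and y = g^x mod p (first decryption information)."""
    x = secrets.randbelow(p - 1) + 1
    return x, pow(g, x, p)


def terminal_authenticate(m: int, x: int, p: int, g: int,
                          k: Optional[int] = None) -> Tuple[int, int, int]:
    """First terminal device: second preset processing -> (a, b); fourth -> Y.

    k must satisfy 1 <= k <= p-2 and gcd(k, p-1) == 1, as the text requires; it is
    drawn fresh per authentication unless a value is supplied (only for the worked check).
    """
    if k is None:
        while True:
            k = secrets.randbelow(p - 2) + 1            # 1 .. p-2
            if gcd(k, p - 1) == 1:
                break
    elif not (1 <= k <= p - 2 and gcd(k, p - 1) == 1):
        raise ValueError("k must lie in [1, p-2] and be coprime with p-1")
    a = pow(g, k, p)                                    # a = g^k mod p
    # Solve m = (x*a + k*b) mod (p-1) for b:  b = (m - x*a) * k^-1 mod (p-1)
    b = ((m - x * a) * pow(k, -1, p - 1)) % (p - 1)
    Y = pow(g, m, p)                                    # second result: Y = g^m mod p
    return a, b, Y


def node_verify(a: int, b: int, Y: int, y: int, p: int) -> bool:
    """First consensus node: third preset processing X = y^a * a^b mod p, then compare with Y.

    Since x*a + k*b = m (mod p-1), y^a * a^b = g^(x*a) * g^(k*b) = g^m (mod p), so
    X == Y exactly when (a, b) was derived from the identifier behind Y.
    """
    if not (1 <= a < p and 0 <= b < p - 1):             # reject malformed authentication information
        return False
    X = (pow(y, a, p) * pow(a, b, p)) % p
    return X == Y


def demo() -> bool:
    """Full exchange with constructed parameters; returns the node's decision."""
    p, g = 1000003, 2          # constructed small parameters, far too small for real use
    m = 123456                 # constructed identifier value; must be below p-1
    x, y = server_setup(p, g)
    a, b, Y = terminal_authenticate(m, x, p, g)
    return node_verify(a, b, Y, y, p)


if __name__ == "__main__":
    print("authenticated:", demo())
```

A hand-checkable instance with p = 23, g = 5, x = 7 (so y = 17), m = 10 and k = 3 gives a = 10, b = 2, Y = 9, and the node computes X = 17^10 · 10^2 mod 23 = 9, so the comparison succeeds; altering Y to any other residue makes it fail.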
In a fifth aspect, an apparatus for access authentication is provided, including units for performing the steps of the access authentication method of the first aspect and of each of its implementations.
In a sixth aspect, an apparatus for access authentication is provided, including units for performing the steps of the access authentication method of the second aspect and of each of its implementations.
In a seventh aspect, an apparatus for access authentication is provided, including units for performing the steps of the access authentication method of the third aspect and of each of its implementations.
In an eighth aspect, an apparatus for access authentication is provided, including units for performing the steps of the access authentication method of the fourth aspect and of each of its implementations.
In a ninth aspect, a device for access authentication is provided, having the function of implementing the behaviour of the first consensus node in the first aspect and each of its implementations. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the function.
In a tenth aspect, a device for access authentication is provided, having the function of implementing the behaviour of the first consensus node in the second aspect and each of its implementations. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the function.
In an eleventh aspect, a device for access authentication is provided, having the function of implementing the behaviour of the first server in the third aspect and each of its implementations. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the function.
In a twelfth aspect, a device for access authentication is provided, having the function of implementing the behaviour of the first terminal device in the fourth aspect and each of its implementations. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the function.
In a thirteenth aspect, a server is provided, the structure of which includes a processor. The processor is configured to support the server in performing the corresponding functions of the first aspect and each of its implementations. In one possible design, the server may further include a transceiver for supporting the server in receiving or sending information. In one possible design, the server may further include a memory, coupled to the processor, that stores the program instructions and data the server needs. In other words, the server includes a memory and a processor, the memory stores a computer program, and the processor calls and runs the computer program from the memory so that the server performs the access authentication method of the first aspect or any of its implementations.
In a fourteenth aspect, a server is provided, the structure of which includes a processor. The processor is configured to support the server in performing the corresponding functions of the second aspect and each of its implementations. In one possible design, the server may further include a transceiver for supporting the server in receiving or sending information. In one possible design, the server may further include a memory, coupled to the processor, that stores the program instructions and data the server needs. In other words, the server includes a memory and a processor, the memory stores a computer program, and the processor calls and runs the computer program from the memory so that the server performs the access authentication method of the second aspect or any of its implementations.
In a fifteenth aspect, a server is provided, the structure of which includes a processor. The processor is configured to support the server in performing the corresponding functions of the third aspect and each of its implementations. In one possible design, the server may further include a transceiver for supporting the server in receiving or sending information. In one possible design, the server may further include a memory, coupled to the processor, that stores the program instructions and data the server needs. In other words, the server includes a memory and a processor, the memory stores a computer program, and the processor calls and runs the computer program from the memory so that the server performs the access authentication method of the third aspect or any of its implementations.
In a sixteenth aspect, a terminal device is provided; the structure of the server includes a processor. The processor is configured to support the server in performing the corresponding functions of the fourth aspect and each of its implementations. In one possible design, the server may further include a transceiver for supporting the server in receiving or sending information. In one possible design, the server may further include a memory, coupled to the processor, that stores the program instructions and data the server needs. In other words, the server includes a memory and a processor, the memory stores a computer program, and the processor calls and runs the computer program from the memory so that the server performs the access authentication method of the fourth aspect or any of its implementations.
In a seventeenth aspect, a computer program product is provided, including computer program code which, when run by a processing unit, a communication unit, or a processor and transceiver of a server, causes the server to perform the access authentication method of any one of the first to fourth aspects or any of their implementations.
In an eighteenth aspect, a computer-readable storage medium is provided, storing a program that causes a server to perform the access authentication method of any one of the first to fourth aspects or any of their implementations. In other words, the computer-readable storage medium stores computer software instructions for use by the server described above, including the program designed to perform the method of the first aspect.
In a nineteenth aspect, a chip system is provided, including a processor for supporting a server in implementing the functions of the first aspect, for example receiving first identity information from the first server and negotiating the first identity information with at least one second consensus node. In one possible design, the chip system further includes a memory for storing the program instructions and data needed to implement those functions.
In a twentieth aspect, a chip system is provided, including a processor for supporting a server in implementing the functions of the second aspect, for example receiving first authentication information from the first terminal device and determining, based on the authentication information, whether the first terminal device passes access authentication for the communication system. In one possible design, the chip system further includes a memory for storing the program instructions and data needed to implement those functions.
In a twenty-first aspect, a chip system is provided, including a processor for supporting a server in implementing the functions of the third aspect, for example generating first identity information and sending it to the first consensus node. In one possible design, the chip system further includes a memory for storing the program instructions and data needed to implement those functions.
In a twenty-second aspect, a chip system is provided, including a processor for supporting a server in implementing the functions of the fourth aspect, for example generating first authentication information and sending it to the first consensus node. In one possible design, the chip system further includes a memory for storing the program instructions and data needed to implement those functions.
Thus the user experience is improved, the operator's burden and cost of allocating and managing terminal device identities in the communication system are reduced, and communication security is improved.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a schematic diagram of an example of a communication system to which the access authentication method and apparatus of the embodiments of the present invention apply.
FIG. 2 is a schematic diagram of another example of the communication system of the embodiments of the invention.
FIG. 3 is a schematic diagram of a further example of the communication system of the embodiments of the invention.
FIG. 4 is a schematic diagram of the registration process of a consensus node in the embodiments of the invention.
FIG. 5 is a schematic interaction diagram of an example of the access authentication method of the embodiments of the present invention.
FIG. 6 is a schematic interaction diagram of an example of the access procedure of a terminal device in the embodiments of the present invention.
FIG. 7 is a schematic interaction diagram of another example of the access procedure of a terminal device in the embodiments of the present invention.
FIG. 8 is a schematic block diagram of an example of the access authentication apparatus of the embodiments of the present invention.
FIG. 9 is a schematic block diagram of another example of the access authentication apparatus of the embodiments of the present invention.
FIG. 10 is a schematic block diagram of a further example of the access authentication apparatus of the embodiments of the present invention.
DETAILED DESCRIPTION
The technical solutions of the present application are described below with reference to the accompanying drawings.
The method for determining the identity of a terminal device provided by the embodiments of the present invention may be applied on a computer that includes a hardware layer, an operating system layer running on the hardware layer, and an application layer running on the operating system layer.
The hardware layer includes hardware such as a central processing unit (CPU), a memory management unit (MMU) and memory (also called main memory).
The operating system may be any one or more computer operating systems that carry out service processing through processes, for example a Linux, Unix, Android, iOS or Windows operating system.
The application layer includes applications such as a browser, contacts, word processing software and instant messaging software.
The embodiments do not particularly limit the specific structure of the entity that executes the method, as long as it can communicate according to the method of the embodiments by running a program that records the code of that method; for example, the executing entity may be a computer device, or a functional module in a computer device capable of calling and executing a program.
In the embodiments, the computer device may be a handheld device such as a smartphone, a terminal device such as a personal computer, or a server; the embodiments do not particularly limit this, as long as the device can determine the identity of the terminal device in the network according to the method of the embodiments by running a program that records the code of that method.
A server is a device that provides computing services. Because a server must respond to and process service requests, it should generally be able to carry the service and guarantee it. A server consists of a processor, hard disk, memory, system bus and so on, similar to a general-purpose computer architecture, but because it must provide highly reliable services it has higher requirements for processing capability, stability, reliability, security, scalability and manageability.
The entity executing the path detection of the embodiments of the present invention may be a computer device, or a functional module in a computer device capable of calling and executing a program.
Furthermore, the aspects or features of the embodiments of the present invention may be implemented as a method, an apparatus, or an article of manufacture using standard programming and/or engineering techniques. The term "article of manufacture" as used in this application covers a computer program accessible from any computer-readable device, carrier or medium. For example, computer-readable media may include, but are not limited to, magnetic storage devices (for example, hard disks, floppy disks or magnetic tape), optical discs (for example, compact discs (CD) and digital versatile discs (DVD)), smart cards, and flash memory devices (for example, erasable programmable read-only memory (EPROM), cards, sticks or key drives).
另外,本文描述的各种存储介质可代表用于存储信息的一个或多个设备和/或其它机器可读介质。术语“机器可读介质”可包括但不限于,无线信道和能够存储、包含和/或承载指令和/或数据的各种其它介质。Additionally, various storage media described herein can represent one or more devices and/or other machine-readable media for storing information. The term "machine-readable medium" may include, without limitation, a wireless channel and various other mediums capable of storing, containing, and/or carrying instructions and/or data.
First, the communication system 100 that uses the method and apparatus for determining the identifier of a terminal device according to the embodiments of the present invention is described in detail with reference to FIG. 1 and FIG. 2.
In the embodiments of the present invention, the communication system 100 includes an architecture for implementing communication of terminal devices (hereinafter, for ease of understanding and description, referred to as architecture #1).
The communication system 100 also includes an architecture at the level that handles the identifier used by a terminal device in the communication system 100 (or in the network used by the communication system 100); hereinafter, for ease of understanding and description, this identifier is referred to as the identity, and this architecture as architecture #2.
Architecture #1 is described first, with reference to FIG. 1.
As shown in FIG. 1, the communication system 100 includes an access network device 102, which may include one antenna or multiple antennas, for example antennas 104, 106, 108, 110, 112 and 114. In addition, the access network device 102 may additionally include a transmitter chain and a receiver chain; as a person of ordinary skill in the art will understand, each of these may include multiple components related to signal transmission and reception (for example, a processor, modulator, multiplexer, demodulator, demultiplexer or antenna).
The access network device 102 may communicate with multiple terminal devices (for example, terminal device 116 and terminal device 122). It will be understood, however, that the access network device 102 may communicate with any number of terminal devices similar to terminal device 116 or terminal device 122. Terminal devices 116 and 122 may be, for example, cellular phones, smartphones, portable computers, handheld communication devices, handheld computing devices, satellite radios, global positioning systems, PDAs, and/or any other device suitable for communicating over the wireless communication system 100.
As shown in FIG. 1, terminal device 116 communicates with antennas 112 and 114, where antennas 112 and 114 send information to terminal device 116 over a forward link (also called the downlink) 118 and receive information from terminal device 116 over a reverse link (also called the uplink) 120. Similarly, terminal device 122 communicates with antennas 104 and 106, where antennas 104 and 106 send information to terminal device 122 over forward link 124 and receive information from terminal device 122 over reverse link 126.
For example, in a frequency division duplex (FDD) system, forward link 118 may use a different frequency band from reverse link 120, and forward link 124 may use a different frequency band from reverse link 126.
As another example, in a time division duplex (TDD) system or a full duplex system, forward link 118 and reverse link 120 may use a common frequency band, and forward link 124 and reverse link 126 may use a common frequency band.
Each antenna (or antenna group consisting of multiple antennas) and/or area designed for communication is called a sector of the access network device 102. For example, an antenna group may be designed to communicate with terminal devices in a sector of the coverage area of the access network device 102. The access network device may send signals to all terminal devices in its corresponding sector through a single antenna or through multi-antenna transmit diversity. While the access network device 102 communicates with terminal devices 116 and 122 over forward links 118 and 124 respectively, its transmit antennas may also use beamforming to improve the signal-to-noise ratio of forward links 118 and 124. Moreover, compared with an access network device that sends signals to all of its terminal devices through a single antenna or multi-antenna transmit diversity, when the access network device 102 uses beamforming to send signals to terminal devices 116 and 122 scattered randomly within the associated coverage area, mobile devices in neighbouring cells suffer less interference.
At a given time, the access network device 102, terminal device 116 or terminal device 122 may be a wireless communication sending apparatus and/or a wireless communication receiving apparatus. When sending data, the wireless communication sending apparatus may encode the data for transmission. Specifically, the wireless communication sending apparatus may obtain (for example, generate, receive from another communication apparatus, or retrieve from memory) a certain number of data bits to be sent over a channel to the wireless communication receiving apparatus. These data bits may be contained in one transport block (or multiple transport blocks) of data, and a transport block may be segmented to produce multiple code blocks.
In addition, the communication system 100 may be a PLMN network, a D2D network, an M2M network or another network. FIG. 1 is only a simplified schematic example; the network may also include, for example, core network devices, which are not shown in FIG. 1.
By way of example and not limitation, in the embodiments of the present invention the communication system 100 may be, for example, a Global System for Mobile Communications (GSM) system, a Code Division Multiple Access (CDMA) system, a Wideband Code Division Multiple Access (WCDMA) system, General Packet Radio Service (GPRS), a Long Term Evolution (LTE) system, an Advanced Long Term Evolution (LTE-A) system, a Universal Mobile Telecommunications System (UMTS), a wireless local area network (WLAN), Wireless Fidelity (WiFi), or a next-generation communication system.
Generally speaking, traditional communication systems support a limited number of connections and are easy to implement. With the development of communication technology, however, mobile communication systems will support not only traditional communication but also, for example, device-to-device (D2D) communication, machine-to-machine (M2M) communication, machine type communication (MTC), and vehicle-to-vehicle (V2V) communication.
Moreover, in the embodiments of the present invention, a terminal device may also be called user equipment (UE), an access terminal, a subscriber unit, a subscriber station, a mobile station, a mobile, a remote station, a remote terminal, a mobile device, a user terminal, a terminal, a wireless communication device, a user agent or a user apparatus. The terminal device may be a station (STA) in a WLAN, a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA) device, a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, or a terminal device in a next-generation communication system, for example a terminal device in a fifth-generation (5G) network or in a future evolved public land mobile network (PLMN).
By way of example and not limitation, in the embodiments of the present invention the terminal device may also be a wearable device. A wearable device, also called a wearable smart device, is the general term for devices produced by applying wearable technology to the intelligent design of everyday wear, such as glasses, gloves, watches, clothing and shoes. A wearable device is a portable device worn directly on the body or integrated into the user's clothing or accessories. A wearable device is not merely a hardware device; it realises powerful functions through software support, data exchange and cloud interaction. Broadly, wearable smart devices include full-featured, larger devices that can realise complete or partial functions without relying on a smartphone, such as smart watches or smart glasses, as well as devices that focus on one class of application and must work together with other devices such as a smartphone, such as the various smart bracelets and smart jewellery used for monitoring vital signs.
In the embodiments of the present invention, the terminal device may be an Internet of Things (IoT) device. The Internet of Things, also called a sensor network, is in brief the extension of the Internet from people to things. The "Internet of Things" refers to a vast network formed by combining all kinds of information-sensing devices, such as radio frequency identification devices, infrared sensors, global positioning systems and laser scanners, with the Internet. Its purpose is to connect all objects to the network for easy identification and management.
Furthermore, in the embodiments of the present invention, the access network device may be any device used to communicate with mobile devices. It may be an access point (AP) in a WLAN, a base transceiver station (BTS) in GSM or CDMA, a NodeB (NB) in WCDMA, an evolved NodeB (eNB or eNodeB) in LTE, a relay station or access point, a vehicle-mounted device, a wearable device, an access network device in a future 5G network, or an access network device in a future evolved PLMN network.
In addition, in the embodiments of the present invention, the access network device serves a cell, and the terminal device communicates with the access network device using the transmission resources (for example, frequency-domain resources, or spectrum resources) used by that cell. The cell may be a cell corresponding to an access network device (for example, a base station); it may belong to a macro base station or to a base station corresponding to a small cell. Small cells may include a metro cell, a micro cell, a pico cell, a femto cell and so on; they have small coverage and low transmit power and are suitable for providing high-rate data transmission services.
Moreover, in an LTE or 5G system, multiple cells may operate simultaneously on the same frequency on one carrier, and in certain special scenarios the concepts of carrier and cell may be regarded as equivalent. For example, in a carrier aggregation (CA) scenario, when a secondary carrier is configured for a UE, the carrier index of the secondary carrier and the cell identity (Cell ID) of the secondary cell operating on that carrier are carried together; in this case the carrier and the cell may be regarded as equivalent, for instance a UE accessing a carrier and a UE accessing a cell are the same thing.
A consensus node as described herein is a basic unit capable of performing consensus computation and of storing, forwarding and verifying data, among other functions; it may consist of one or more computers.
Architecture #2 is now described with reference to FIG. 2.
As shown in FIG. 2, the communication system 100 (specifically, architecture #2 of the communication system 100) includes at least two consensus nodes 130.
These at least two consensus nodes are used for data storage and for negotiated decision-making about that data storage.
In the embodiments of the present invention, the consensus nodes 130 are communicatively connected to one another.
The consensus nodes 130 can therefore make decisions through a negotiation mechanism over these communication connections.
For example, some (for example, at least two) or all of the consensus nodes in the communication system 100 can negotiate a judgment initiated by one or more consensus nodes, and thereby determine the result of that judgment.
For example, in the embodiments of the present invention, each consensus node participating in the negotiation may judge a given event according to a preset judgment rule, so that each participating node separately obtains a judgment result for that event; the result may be, for example, "yes" or "no". It should be noted that the judgment rules used by the participating consensus nodes may be the same or different; the present invention does not particularly limit this.
Thereafter, the participating consensus nodes can communicate with one another to learn each other's judgment results, and the final judgment result that the communication system 100 makes for the event can then be determined from the distribution of the participating nodes' results. By way of example and not limitation, the "judgment result" may take at least two values, and the "distribution of the judgment results" may mean the number of each of those values, or the ratio between them; for example, the number or ratio of "yes" and "no" results.
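The three steps just described (each node judges under its own rule, the nodes exchange results, the system's verdict is taken from the distribution) are shown below as an added example. This is illustrative code written for this page, not code from the patent or from Huawei; the event fields, the four node rules, the node names and the quorum are assumptions chosen for the illustration.

```python
"""Added example (not from the patent): deriving a system-level verdict from
the distribution of per-node judgment results.

Each participating consensus node applies its own preset rule to an event and
reports "yes" or "no"; the nodes then exchange results and the final verdict
is taken from the distribution (counts or ratio) of those results. The event
fields, the node rules and the quorum are assumptions made for illustration.
"""
from collections import Counter
from typing import Callable, Dict

Judgment = str  # "yes" or "no"
Rule = Callable[[dict], Judgment]

# Constructed event: a terminal device presents an identity for admission.
# Field names are assumed for this example.
EVENT = {
    "device_id": "dev-0001",
    "manufacturer": "vendor-A",
    "signature_valid": True,
    "revoked": False,
}


def rule_operator(event: dict) -> Judgment:
    """Operator's node (server #A): identity must verify and not be revoked."""
    return "yes" if event["signature_valid"] and not event["revoked"] else "no"


def rule_manufacturer(event: dict) -> Judgment:
    """Manufacturer's node (server #B): it only vouches for identities it issued."""
    return "yes" if event["manufacturer"] == "vendor-A" else "no"


def rule_network_device(event: dict) -> Judgment:
    """Network device: checks only that the identifier is well formed."""
    return "yes" if event["device_id"].startswith("dev-") else "no"


def rule_third_party(event: dict) -> Judgment:
    """Third-party application server: relies on the revocation status."""
    return "no" if event["revoked"] else "yes"


RULES: Dict[str, Rule] = {
    "server #A": rule_operator,
    "server #B": rule_manufacturer,
    "network device": rule_network_device,
    "third-party server": rule_third_party,
}


def collect_judgments(event: dict, rules: Dict[str, Rule] = RULES) -> Dict[str, Judgment]:
    """Step 1: every participating node judges the event under its own rule."""
    return {node: rule(event) for node, rule in rules.items()}


def distribution(judgments: Dict[str, Judgment]) -> Dict[Judgment, int]:
    """Step 2: after exchanging results, count how many of each value were reported."""
    counts = Counter(judgments.values())
    return {"yes": counts.get("yes", 0), "no": counts.get("no", 0)}


def final_verdict(judgments: Dict[str, Judgment], quorum=(2, 3)) -> Judgment:
    """Step 3: the system's verdict from the distribution.

    "yes" requires the ratio of "yes" results to reach the quorum (default 2/3,
    compared with integers to avoid floating-point edge cases). Anything short
    of the quorum, including a tie or an empty vote, is "no", so the default
    denies admission rather than granting it.
    """
    dist = distribution(judgments)
    total = dist["yes"] + dist["no"]
    num, den = quorum
    if total == 0:
        return "no"
    return "yes" if dist["yes"] * den >= num * total else "no"


def decide(event: dict, rules: Dict[str, Rule] = RULES, quorum=(2, 3)):
    """Runs the three steps and returns (verdict, distribution)."""
    judgments = collect_judgments(event, rules)
    return final_verdict(judgments, quorum), distribution(judgments)


if __name__ == "__main__":
    print(decide(EVENT))
    print(decide({**EVENT, "revoked": True}))
```

Because the rules may differ per node, the quorum decides which single-node objections survive: with the default 2/3 quorum, server #B's "no" for a device it never issued is outvoted 3 to 1, whereas a unanimity quorum of (1, 1) rejects it. A check that must never be bypassed therefore has to be part of every node's rule, or the quorum has to be set accordingly.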
By way of example and not limitation, the communication system 100 may implement the above negotiation mechanism on the basis of blockchain technology.
Blockchain technology implements a chained data structure in which blocks of data and information are linked in sequence in chronological order, giving distributed storage that is cryptographically guaranteed to be tamper-resistant and unforgeable. In general, the data and information in a blockchain are called "transactions".
Blockchain is not a single technology but a system that integrates peer-to-peer transmission, a consensus mechanism, distributed data storage and cryptographic principles; the system is characterised by full openness and tamper resistance.
First, peer-to-peer transmission: the nodes participating in the blockchain are independent peers, and data and information are synchronised between nodes by peer-to-peer transmission. Nodes may be different physical machines or different instances in the cloud.
Second, consensus mechanism: the consensus mechanism of a blockchain is the process by which the participating nodes of multiple parties reach agreement on specific data and information through interaction between nodes under preset logical rules. A consensus mechanism depends on a well-designed algorithm, so different consensus mechanisms differ in performance (for example, transaction throughput in transactions per second (TPS), the latency to reach consensus, and the computing and transmission resources consumed).
Third, distributed data storage: in a blockchain, each participating node holds its own independent, complete copy of the data, which guarantees that the stored data is fully open among the nodes. This differs from traditional distributed data storage, which splits the data into multiple parts according to certain rules for backup or synchronous storage; blockchain distributed storage instead relies on consensus among the independent peer nodes of the blockchain to achieve highly consistent data storage.
Fourth, cryptographic principles: a blockchain generally relies on asymmetric cryptography for trustworthy dissemination and verification of information.
The concept of a "block" is to organise one or more data records in the form of a block; the block size can be customised for the application scenario. The "chain" is a data structure that links the blocks storing the data records in chronological order by means of hashes. In a blockchain, each block consists of a block header and a block body: the block body contains the transaction records packed into the block, and the block header contains the root hash of all transactions in the block and the hash of the previous block. This data structure ensures that data stored on the blockchain cannot be altered without detection.
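The header/body structure just described, and the tamper check it makes possible, are shown below as an added example. This is illustrative code written for this page, not code from the patent or from Huawei. The text only says "hash technology", so the choice of SHA-256, the pairwise (Merkle-style) root computation, the header fields and the constructed record format are all assumptions made for the example.

```python
"""Added example (not from the patent): the block header / block body
structure described above, and the tamper check it enables.

Each block body holds the packed records ("transactions"); each header holds
the root hash of those records and the hash of the previous block. The hash
function (SHA-256), the record format and the Merkle-style root computation
are choices made for this example; the text only says "hash technology".
"""
import copy
import hashlib
import json
from dataclasses import dataclass
from typing import List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_hash(record: dict) -> str:
    # Canonical JSON so that key order cannot change the hash.
    return sha256_hex(json.dumps(record, sort_keys=True).encode())


def root_hash(records: List[dict]) -> str:
    """Root hash over the block body: pairwise hashing up to a single root
    (an odd last leaf is paired with itself)."""
    if not records:
        return sha256_hex(b"")
    level = [record_hash(r) for r in records]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256_hex((level[i] + level[i + 1]).encode())
                 for i in range(0, len(level), 2)]
    return level[0]


@dataclass
class Block:
    index: int
    prev_hash: str            # header: hash of the previous block's header
    body: List[dict]          # body: the records packed into this block
    root: str = ""            # header: root hash of all records in the body

    def __post_init__(self) -> None:
        if not self.root:
            self.root = root_hash(self.body)

    def header_hash(self) -> str:
        header = {"index": self.index, "prev_hash": self.prev_hash, "root": self.root}
        return sha256_hex(json.dumps(header, sort_keys=True).encode())


GENESIS_PREV = "0" * 64


def build_chain(batches: List[List[dict]]) -> List[Block]:
    """Links blocks in time order: each header commits to the previous header."""
    chain: List[Block] = []
    prev = GENESIS_PREV
    for i, records in enumerate(batches):
        block = Block(index=i, prev_hash=prev, body=records)
        chain.append(block)
        prev = block.header_hash()
    return chain


def verify_chain(chain: List[Block]) -> bool:
    """A node re-derives every root from the body it holds and re-checks every
    link; any edited record or rewritten header makes this return False."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block.index != i or block.prev_hash != prev:
            return False
        if block.root != root_hash(block.body):
            return False
        prev = block.header_hash()
    return True


# Constructed sample records in an assumed format: identity issuance and
# authentication events of the kind such a system would store.
SAMPLE_BATCHES = [
    [{"type": "issue", "device_id": "dev-0001", "issuer": "server #B"}],
    [{"type": "auth", "device_id": "dev-0001", "verifier": "server #A", "result": "yes"},
     {"type": "issue", "device_id": "dev-0002", "issuer": "server #B"}],
]


def tamper_demo() -> Tuple[bool, bool, bool]:
    """Returns (valid as built, valid after editing a record, valid after also
    recomputing that block's root). The third case still fails because the
    next block's prev_hash commits to the old header."""
    chain = build_chain(SAMPLE_BATCHES)
    as_built = verify_chain(chain)

    edited = copy.deepcopy(chain)
    edited[0].body[0]["device_id"] = "dev-9999"     # silently rewrite a stored record
    after_edit = verify_chain(edited)

    edited[0].root = root_hash(edited[0].body)      # attacker also fixes up the root
    after_root_fixup = verify_chain(edited)
    return as_built, after_edit, after_root_fixup


if __name__ == "__main__":
    print(tamper_demo())
```

The check is local to each node's copy: a node that holds the full chain can detect an altered record without consulting anyone else. What the structure alone does not prevent is an attacker rewriting every later header as well; that is the case the consensus mechanism and the independent copies on the other nodes have to cover.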
Blockchains can currently be divided into three categories: public chains, consortium chains and private chains.
In a public chain, any node may participate as a consensus node (also called a consensus computing node) of the blockchain, take part in the consensus computation for blockchain data storage, and maintain the blockchain anonymously; the nodes do not trust one another. In this case, any node in the communication system 100 may act as a consensus node.
A consortium chain adds admission control on top of the public chain, so that only nodes with a certain qualification may act as consensus computing nodes of the blockchain, take part in the consensus computation for its data storage and maintain it; there is a degree of trust between nodes. In this case, nodes in the communication system 100 that hold a qualification issued by the network operator, or that have been approved by the network operator, may act as consensus nodes.
A private chain has a stricter admission mechanism than a consortium chain, so that the blockchain and its consensus computing nodes are privately owned. In this case, the consensus nodes are the nodes in the communication system 100 that are controlled or maintained by the network operator.
In the embodiments of the present invention, the nodes in architecture #2 may be virtual nodes; that is, the function of each node in architecture #2 may be implemented by a virtual machine running on a computer device.
The virtual nodes of architecture #2 may be hosted on some or all of the entities in architecture #1; that is, the virtual machines implementing the functions of the nodes of architecture #2 may be installed and run on entities (devices, or physical devices) of architecture #1. For example, a virtual node of architecture #2 may be hosted on an access network device or a core network device of architecture #1.
It should be understood that the entities listed above as hosting the virtual nodes of architecture #2 are merely examples; the present invention is not limited to them, and the virtual nodes of architecture #2 may also be hosted on physical devices that do not belong to architecture #1.
For example, the communication system 100 may include a server of the operator of the network used by the communication system 100 (specifically, by architecture #1 of the communication system 100); hereinafter, for ease of understanding and distinction, this server is referred to as server #A. Server #A may be a server controlled, managed or maintained by that operator, and one or more virtual nodes of architecture #2 may be hosted on server #A.
As another example, the communication system 100 may include a server of the manufacturer of the terminal device; hereinafter, for ease of understanding and distinction, this server is referred to as server #B. Server #B may be a server controlled, managed or maintained by that manufacturer, and one or more virtual nodes of architecture #2 may be hosted on server #B.
In the embodiments of the present invention, architecture #2 may be used to implement the functions of a home subscriber server (HSS); in other words, the nodes of architecture #2 may constitute an open home subscriber server (OHSS) system, which can issue, authenticate, authorise and manage the identities of terminal devices. It should be understood that the functions listed here for the OHSS system are merely examples; the present invention is not limited to them, and the functions of the OHSS system may be similar to those implemented by an HSS device in the prior art.
By way of example and not limitation, in the embodiments of the present invention the communication system 100 may further include one or more non-consensus nodes, each of which is communicatively connected to at least one consensus node; a non-consensus node may store blockchain data under the control or instruction of a consensus node.
图3示出了通信***100中能够架构#2中的共识节点的实体设备的一例。作为示例而非限定,如图3所示,在本发明实施例中,能够作为共识节点的实体设备可以包括:FIG. 3 shows an example of a physical device in the communication system 100 capable of constructing a consensus node in #2. As an example and not limitation, as shown in FIG. 3, in the embodiment of the present invention, the physical device that can serve as the consensus node may include:
上述服务器#A、上述服务器#B、网络设备(例如,接入网设备和/或核心网设备等)和第三方应用的服务器。The above server #A, the above server #B, a network device (for example, an access network device and/or a core network device, etc.) and a server of a third party application.
In the embodiment of the present invention, the manufacturer (or producer) of a terminal device can directly participate, through server #B (that is, an example of a consensus node), in the management of the terminal device's identity (for example, the functions implemented by an HSS); specifically, the manufacturer of the terminal device can issue and manage the identity of the terminal device through server #B (this process is described in detail later).
Moreover, the network operator can directly participate, through server #A (that is, another example of a consensus node), in the management of the identity of the terminal device; for example, the network operator can authenticate and manage the identity of the terminal device (that is, the identity that the manufacturer assigned to the terminal device) through server #A (this process is described in detail later).
Moreover, the main function of the network device is to authenticate and verify terminal devices, ensuring that only terminal devices with a legitimate identity can access the operator's network.
The server of a third-party application can directly use the identity assigned to a terminal device by the OHSS system and the result of authenticating that identity.
It should be understood that the physical devices listed above as consensus nodes are merely illustrative, and the present invention is not limited thereto.
For example, the communication system 100 may also not include server #A; in this case, the network operator may implement the later-described functions of server #A through a network device (for example, an access network device or a core network device).
As another example, the communication system 100 may also not include server #A.
As another example, the consensus nodes of the communication system 100 may not include an access network device.
As another example, the consensus nodes of the communication system 100 may not include a core network device.
As another example, the consensus nodes of the communication system 100 may not include a server of a third-party application.
In the embodiment of the present invention, a physical device in the communication system 100 may apply to become a consensus node by way of registration.
By way of example and not limitation, in the embodiment of the present invention, architecture #2 (or, in other words, the OHSS system of the embodiment of the present invention) may be created (or initialized) by the network operator (for example, server #A). In the embodiment of the present invention, the OHSS system may be implemented on the basis of blockchain technology; after initialization, the consensus nodes of the OHSS blockchain may include devices controlled by the network operator (for example, server #A or a network device).
Moreover, in the embodiment of the present invention, the network operator can open the membership mechanism of the OHSS system to vertical industries, other network operators and so on, so that multiple devices (for example, server #B, servers of third-party applications and network devices) jointly maintain and manage the data of the OHSS system's blockchain (specifically, the identities of terminal devices in the network).
In the embodiment of the present invention, whether a device in the communication system can serve as a consensus node may be set by the network administrator and notified to each device in the communication system 100.
Alternatively, in the embodiment of the present invention, the consensus nodes already existing in the system may negotiate to determine whether a device requesting to become a consensus node can serve as a consensus node.
For example, in the embodiment of the present invention, the above server #A negotiates with the consensus nodes already existing in the OHSS (for example, devices such as the above server #B) so that a network device (for example, an access network device or a core network device) can be registered as a consensus node in the OHSS system (or, in other words, in architecture #2 of the communication system 100).
Hereinafter, for ease of understanding and explanation, the registration process of a consensus node is described by way of example using the above negotiation (or, in other words, registration) process carried out by server #A to make one access network device (hereinafter, for ease of understanding and explanation, denoted access network device #A) a consensus node.
By way of example and not limitation, in the embodiment of the present invention, the consensus nodes in the communication system may communicate using an encryption mechanism. By way of example and not limitation, the sender may encrypt the data to be transmitted using a piece of encryption information, generate the encrypted data and send it to the receiver, and the receiver decrypts the received data using the decryption information corresponding to that encryption information, thereby obtaining the data to be transmitted.
For ease of understanding, let the encryption information used by server #A be information #1, and let the decryption information used by server #A be information #2.
Information #1 may be a private key used by server #A, and information #2 may be a public key used by server #A. In this case, by way of example and not limitation, server #A and other devices may communicate using information #1 and information #2 on the basis of Public Key Infrastructure (PKI) technology.
Alternatively, information #1 may be a private key used by server #A, and information #2 may be an identifier of server #A. In this case, by way of example and not limitation, server #A and other devices may communicate using information #1 and information #2 on the basis of Identity Based Cryptosystem (IBC) technology.
It should be noted that, in the embodiment of the present invention, the consensus nodes in the communication system 100 can learn one another's decryption information (for example, public keys or device identifiers) by means of broadcast.
By way of example and not limitation, in the embodiment of the present invention, each consensus node in architecture #2 (or, in other words, the OHSS system) may have an identity that uniquely indicates that consensus node in the network; that is, the above registration process can also be understood as the process of issuing and authenticating the identity of a consensus node.
As shown in FIG. 4, at S210, server #A may assign an identifier to access network device #A (hereinafter, for ease of understanding and distinction, denoted identifier #A).
By way of example and not limitation, in the embodiment of the present invention, server #A can learn the rule by which the consensus nodes verify whether an identifier can serve as an identity (hereinafter, for ease of understanding and explanation, denoted rule #1), so that server #A can determine identifier #A on the basis of rule #1.
For example, rule #1 may be: if an identifier is already used as the identity of a consensus node existing in the communication system 100, that identifier can no longer serve as the identity of another device.
As another example, rule #1 may be: if an identifier has already been carried in a registration message propagated in the communication system, that identifier cannot serve as the identity of the device corresponding to a registration message propagated later.
As another example, in the embodiment of the present invention, each consensus node may hold an identifier list in which multiple identifiers are recorded; in this case, rule #1 may be: if an identifier is already recorded in the identifier list, that identifier cannot serve as an identity. The identifier lists held by the consensus nodes may be the same or different, which is not particularly limited in the embodiment of the present invention.
Thus, server #A can determine identifier #A on the basis of the above rule #1.
For example, server #A can learn the identities of the consensus nodes (for example, from broadcast messages sent by the consensus nodes existing in the communication system 100).
Thus, the server can make the determined identifier #A different from the device identities of the consensus nodes existing in the communication system 100.
Thereafter, server #A can negotiate with one or more consensus nodes existing in the communication system 100 (hereinafter, for ease of understanding and explanation, denoted consensus node #A) to determine whether identifier #A can serve as the identity of access network device #A.
Specifically, server #A can sign identifier #A with information #1 to obtain signature data.
Optionally, server #A can also determine the public key used by access network device #A (that is, an example of the decryption information used by access network device #A), and server #A can sign identifier #A together with the public key used by access network device #A with information #1 to obtain signature data.
In the embodiment of the present invention, the signature data transmitted (or, in other words, negotiated) between the consensus nodes may also be referred to as a "transaction". Hereinafter, for ease of understanding and explanation, the transaction obtained after the signature processing is denoted as:
[Figure PCTCN2018100209-appb-000001]
where [Figure PCTCN2018100209-appb-000002] denotes information #1, ID_eNBi denotes identifier #A, and [Figure PCTCN2018100209-appb-000003] denotes the public key used by access network device #A.
Thereafter, server #A can save the transaction, that is, [Figure PCTCN2018100209-appb-000004].
At S220, server #A can send registration information carrying [Figure PCTCN2018100209-appb-000005] (hereinafter, for ease of understanding and explanation, denoted registration information (Register) #1) to consensus node #A.
At S230, consensus node #A can verify Register #1 using information #2. If the verification passes, consensus node #A can determine that Register #1 comes from a legitimate device and, further, that identifier #A (or identifier #A and the public key used by access network device #A) is secure.
Thereafter, consensus node #A can verify identifier #A to determine whether identifier #A can serve as the identity of the object of this registration (that is, access network device #A); in other words, consensus node #A can determine whether identifier #A is legitimate. For example, consensus node #A can determine on the basis of rule #1 whether identifier #A can serve as the identity of the object of this registration (that is, access network device #A).
That is, consensus node #A can obtain a verification result for identifier #A, which may be either that identifier #A can serve as the identity of the object of this registration (that is, access network device #A) or that identifier #A cannot serve as that identity.
By way of example and not limitation, in the embodiment of the present invention, consensus node #A can obtain a preset decision condition (hereinafter, for ease of understanding and distinction, denoted decision condition #1) and perform the verification on the basis of decision condition #1.
For example, decision condition #1 may be: if an identifier has already been stored in the blockchain before a registration, that identifier can no longer serve as the identity of the object of this registration.
Thus, when it determines that identifier #A is already stored in the blockchain, consensus node #A can determine that the verification result is: identifier #A cannot serve as the identity of the object of this registration (that is, access network device #A).
When it determines that identifier #A is not stored in the blockchain, consensus node #A can determine that the verification result is: identifier #A can serve as the identity of the object of this registration (that is, access network device #A).
It should be understood that the decision condition listed above is merely illustrative and the present invention is not limited thereto; for example, decision condition #1 may also be: if an identifier has already been assigned to one device in a communication system before a registration, that identifier can no longer serve as the identity of another device.
At S240, at least two consensus nodes including consensus node #A (which may, for example, include the above server #A) can negotiate on the basis of their respective verification results to determine whether identifier #A can serve as the identity of the object of this registration (that is, access network device #A).
By way of example and not limitation, if the number of consensus nodes whose verification result is that identifier #A can serve as the identity of the object of this registration (that is, access network device #A) is greater than or equal to a preset quantity threshold #1, the negotiation result may be: identifier #A can serve as the identity of the object of this registration (that is, access network device #A).
As another example, if the number of consensus nodes whose verification result is that identifier #A can serve as the identity of the object of this registration (that is, access network device #A) is less than a preset quantity threshold #2, the negotiation result may be: identifier #A cannot serve as the identity of the object of this registration (that is, access network device #A). Quantity threshold #1 and quantity threshold #2 may be the same or different, which is not particularly limited in the present invention.
For example, if the proportion, among all consensus nodes participating in the negotiation, of consensus nodes whose verification result is that identifier #A can serve as the identity of the object of this registration (that is, access network device #A) is greater than or equal to a preset proportion threshold #1, the negotiation result may be: identifier #A can serve as the identity of the object of this registration (that is, access network device #A).
As another example, if the proportion, among all consensus nodes participating in the negotiation, of consensus nodes whose verification result is that identifier #A can serve as the identity of the object of this registration (that is, access network device #A) is less than the preset proportion threshold #1, the negotiation result may be: identifier #A cannot serve as the identity of the object of this registration (that is, access network device #A). Proportion threshold #1 and proportion threshold #2 may be the same or different, which is not particularly limited in the present invention.
Moreover, in the embodiment of the present invention, if the negotiation result is that identifier #A can serve as the identity of the object of this registration (that is, access network device #A), each consensus node can save identifier #A to the blockchain.
By way of example and not limitation, one or more of the consensus nodes participating in the negotiation can also send broadcast information carrying authentication information #A to the devices in the communication system 100. Authentication information #A can be used to indicate that identifier #A is valid in the communication system, so that in later processes requiring authentication, such as access, the authenticating party can determine that identifier #A has passed authentication.
Optionally, in the embodiment of the present invention, server #B can initiate the process of registering as a consensus node. Unlike the process shown in FIG. 4, the object encrypted by server #B is an identifier that server #B determines for itself, the identifier is encrypted using the private key of server #B, and the receiver of the information decrypts it using the public key or device identifier of server #B. Otherwise, the process by which server #B registers as a consensus node can be similar to the process shown in FIG. 4; to avoid repetition, its detailed description is omitted here.
FIG. 5 is a schematic diagram of the process of issuing identification information for terminal device #B. As shown in FIG. 5, at S310, server #B can assign an identifier (that is, an example of identification information; hereinafter, for ease of understanding and distinction, denoted identifier #B) to terminal device #B (that is, an example of the first terminal device).
By way of example and not limitation, in the embodiment of the present invention, server #B can learn the rule by which the consensus nodes verify whether an identifier can serve as an identifier (hereinafter, for ease of understanding and explanation, denoted rule #2), so that server #B can determine identifier #B on the basis of rule #2.
For example, rule #2 may be: if an identifier is already used as the identity of a consensus node existing in the communication system 100, that identifier can no longer serve as the identity of another device.
As another example, rule #2 may be: if an identifier has already been carried in a registration message propagated in the communication system, that identifier cannot serve as the identity of the device corresponding to a registration message propagated later.
As another example, in the embodiment of the present invention, each consensus node may hold an identifier list in which multiple identifiers are recorded; in this case, rule #2 may be: if an identifier is already recorded in the identifier list, that identifier cannot serve as an identity. The identifier lists held by the consensus nodes may be the same or different, which is not particularly limited in the embodiment of the present invention.
Thus, server #B can determine identifier #B on the basis of the above rule #2.
By way of example and not limitation, server #B can learn the identifiers of the consensus nodes (for example, from broadcast messages sent by the consensus nodes existing in the communication system 100).
Thus, the server can make the determined identifier #B different from the device identifiers of the consensus nodes existing in the communication system 100.
By way of example and not limitation, identifier #B may be a decimal number of multiple digits (for example, two or more digits).
At S320, server #B can apply preset processing #A (that is, an example of the first preset processing) to identifier #B to generate identifier #C (that is, an example of the first identity information).
In the embodiment of the present invention, processing #A satisfies the following condition:
namely, identifier #B cannot be obtained from identifier #C generated by processing #A; in other words, identifier #B cannot be derived in reverse from identifier #C.
Optionally, processing #A can also satisfy the following condition:
namely, identifier #B uniquely generates identifier #C when processed by processing #A; in other words, processing identifier #B with processing #A cannot yield any other value or information.
Optionally, processing #A can also satisfy the following condition:
namely, identifier #C can be generated only by processing identifier #B with processing #A; in other words, no other information or value yields identifier #C after processing #A.
Moreover, by way of example and not limitation, processing #A may be hash (HASH) processing, or in other words a hash algorithm.
Hash processing may refer to mapping a value of arbitrary length (for example, a decimal value) to a value of fixed length (for example, a binary or hexadecimal value). If a piece of plaintext is hashed and even a single letter of it is changed, the subsequent hash produces a different value. Finding two different inputs that hash to the same value is computationally infeasible, so the hash of data can be used to check the integrity of the data. At the same time, because of current limits on computing power, inverting a hash is very hard, so the hash algorithm protects data privacy.
That is, by way of example and not limitation, identifier #C may be a hash value.
Thereafter, server #B can send identifier #C to one or more consensus nodes in the communication system 100, so that at least two consensus nodes in the communication system 100 can negotiate whether identifier #C can serve as the identity of terminal device #B (or, in other words, whether identifier #C is legitimate).
By way of example and not limitation, when server #B is not a consensus node, server #B may not participate in the above negotiation.
When server #B is a consensus node, server #B can participate in the negotiation. Hereinafter, for ease of understanding and explanation, the above negotiation is described in detail taking the actions and flow when server #B participates in the negotiation as an example.
That is, as shown in FIG. 5, server #B can negotiate with one or more consensus nodes existing in the communication system 100 (hereinafter, for ease of understanding and explanation, denoted consensus node #B) to determine whether identifier #C is legitimate.
Specifically, server #B can sign identifier #C with information #3 to obtain signature data.
Optionally, server #B can also determine the public key used by terminal device #B, and server #B can sign identifier #B together with the public key used by terminal device #B with information #3 to obtain signature data.
In the embodiment of the present invention, the data transmitted (or, in other words, negotiated) between the consensus nodes may also be referred to as a "transaction". Hereinafter, for ease of understanding and explanation, the transaction obtained after the signature processing is denoted as:
[Figure PCTCN2018100209-appb-000006]
where [Figure PCTCN2018100209-appb-000007] denotes information #3, ID_devj denotes identifier #C, and [Figure PCTCN2018100209-appb-000008] denotes the public key used by terminal device #B.
Thereafter, server #B can save the transaction, that is, [Figure PCTCN2018100209-appb-000009].
At S330, server #B can send registration information carrying [Figure PCTCN2018100209-appb-000010] (hereinafter, for ease of understanding and explanation, denoted registration information (Register) #2) to consensus node #B (that is, an example of the first consensus node).
作为示例而非限定该共识节点#B可以为上述服务器#A,或者,该共识节点#B可以为经上述服务器#A注册成为共识节点的网络设备(例如,接入网设备或核心网设备)。As an example and not by way of limitation, the consensus node #B may be the above-mentioned server #A, or the consensus node #B may be a network device (for example, an access network device or a core network device) registered as a consensus node by the above server #A. .
在S340,共识节点#B可以根据信息#2对Register#2进行验证,如果验证通过,则共识节点#A可以确定该Register#2来自于合法设备,进而,共识节点#B可以确定该标识#B(或者,该标识#B和终端设备#B使用的公钥)安全。At S340, the consensus node #B can verify Register#2 according to the information #2, and if the verification passes, the consensus node #A can determine that the Register#2 is from the legal device, and further, the consensus node #B can determine the identifier# B (or, the public key used by the logo #B and the terminal device #B) is secure.
Thereafter, consensus node #B can verify identifier #C to determine whether identifier #B can serve as the identity of the object of the current registration (that is, terminal device #B); in other words, consensus node #B can determine whether identifier #C is legitimate. For example, consensus node #B can determine, based on rule #2, whether identifier #C can serve as the identity of the object of the current registration (that is, terminal device #B).
That is, consensus node #B can obtain a verification result for identifier #C, and the verification result can be either: identifier #C can serve as the identity of the object of the current registration (that is, terminal device #B), or identifier #C cannot serve as the identity of the object of the current registration (that is, terminal device #B).
Similarly, server #B can obtain a verification result for identifier #B.
As an example and not a limitation, in the embodiment of the present invention, consensus node #B can obtain a preset determination condition (hereinafter, for ease of understanding and distinction, denoted determination condition #2) and perform the verification based on determination condition #2.
For example, determination condition #2 can be: if an identifier has already been stored in the blockchain before a registration, that identifier can no longer serve as the identity of the object of that registration.
Thus, when it is determined that identifier #C is already stored in the blockchain, consensus node #B can determine the verification result to be: identifier #C cannot serve as the identity of the object of the current registration (that is, terminal device #B); in other words, identifier #C is not legitimate.
When it is determined that identifier #C is not stored in the blockchain, consensus node #B can determine the verification result to be: identifier #C can serve as the identity of the object of the current registration (that is, terminal device #B); in other words, identifier #C is legitimate.
It should be understood that the determination condition listed above is only an illustrative example, and the present invention is not limited thereto. For example, determination condition #2 can also be: if an identifier has already been assigned to a device in a communication system before a registration, that identifier can no longer serve as the identity of any other device.
At S350, at least two consensus nodes including consensus node #B (which can, for example, include server #B above) can negotiate based on their respective verification results to determine whether identifier #C can serve as the identity of the object of the current registration (that is, terminal device #B).
As an example and not a limitation, if the number of consensus nodes whose verification result is that identifier #C can serve as the identity of the object of the current registration (that is, terminal device #B) is greater than or equal to a preset number threshold #3, the negotiation result can be: identifier #C can serve as the identity of the object of the current registration (that is, terminal device #B).
As another example, if the number of consensus nodes whose verification result is that identifier #C can serve as the identity of the object of the current registration (that is, terminal device #B) is less than a preset number threshold #4, the negotiation result can be: identifier #C cannot serve as the identity of the object of the current registration (that is, terminal device #B). Number threshold #3 and number threshold #4 can be the same or different; the present invention does not particularly limit this.
For example, if the proportion, among all consensus nodes participating in the negotiation, of consensus nodes whose verification result is that identifier #C can serve as the identity of the object of the current registration (that is, terminal device #B) is greater than or equal to a preset proportion threshold #3 (for example, 1/2), the negotiation result can be: identifier #C can serve as the identity of the object of the current registration (that is, terminal device #B).
As another example, if the proportion, among all consensus nodes participating in the negotiation, of consensus nodes whose verification result is that identifier #C can serve as the identity of the object of the current registration (that is, terminal device #B) is less than a preset proportion threshold #4 (for example, 1/2), the negotiation result can be: identifier #C cannot serve as the identity of the object of the current registration (that is, terminal device #B). Proportion threshold #3 and proportion threshold #4 can be the same or different; the present invention does not particularly limit this.
Furthermore, in the embodiment of the present invention, if the negotiation result is that identifier #C can serve as the identity of the object of the current registration (that is, terminal device #B), each consensus node can store identifier #C in the blockchain.
As an example and not a limitation, one or more of the consensus nodes participating in the negotiation can also send, to each device in the communication system 100, broadcast information carrying authentication information #B. Authentication information #B can be used to indicate that identifier #C is valid in the communication system, so that when a process requiring authentication arises later (for example, the access procedure described below), the authenticating party can determine that identifier #C passes authentication. That is, in the embodiment of the present invention, an access network device in the communication system 100 (for example, access network device #A above) can determine that identifier #C is legitimate (for example, that it can pass authentication).
Thus, identifier #C can be stored in server #A and in the access network device.
Furthermore, after determining that identifier #C is legitimate, server #B can determine that identifier #B is legitimate, that is, that identifier #B can serve as the identity of terminal device #B.
It should be noted that, in the embodiment of the present invention, the result of the negotiation over the above verification results must satisfy the rule set by the communication system (for example, by the operator), namely that one identifier can serve as the identity of only one terminal device.
In the embodiment of the present invention, server #B can store (or burn) identifier #B (that is, ID_devj), which after the above negotiation and verification serves as the identity of terminal device #B, into terminal device #B (or into the SIM card of terminal device #B).
In addition, server #B can also store (or burn) the public key used by terminal device #B, the public key used by server #B, and the public key used by server #A into terminal device #B (or into the SIM card of terminal device #B).
As an example and not a limitation, in the embodiment of the present invention, the identifier of a terminal device in the communication system (for example, the identity of the terminal device above) can include, but is not limited to, a Universal Subscriber Identity Module (USIM) number, a Subscriber Identification Module (SIM) number, an International Mobile Subscriber Identification Number (IMSI), a mobile phone number, and the like, as used in the prior art.
In the method for determining the identifier of a terminal device according to the embodiment of the present invention, the first identifier is determined by the server of the manufacturer of the first terminal device and sent to at least one consensus node in the communication system, and at least two consensus nodes in the communication system negotiate to determine whether the first identifier can serve as the identity of the first terminal device. This spares the user the operation of obtaining an identity for the terminal device, which improves the user experience; and because the first identifier is determined by the manufacturer's server, it reduces the operator's burden and cost of assigning and managing identities.
Next, the network access authentication procedure performed by terminal device #B (that is, an example of the first terminal device) based on an identity issued as described above (for example, identifier #C above) is described in detail with reference to FIG. 6.
As shown in FIG. 6, at S410, terminal device #B can send an access request message (for example, an Attach request) to an access network device (for example, access network device #A above), and the message can carry identifier #C above.
At S420, access network device #A can query whether identifier #C (or the registration transaction for identifier #C) is stored locally; in other words, access network device #A can query whether information indicating that identifier #C is legitimate (hereinafter, for ease of understanding and description, denoted information #B) is stored locally.
If identifier #C or information #B is stored locally, access network device #A can proceed to S440.
If identifier #C or information #B is not stored locally, access network device #A can, at S430, initiate a query to one or more consensus nodes in the communication system (for example, server #A) as to whether identifier #C is legitimate. Because identifier #C has been authenticated through negotiation by at least two consensus nodes in the communication system 100, access network device #A can determine, based on the reply from server #A, that identifier #C is legitimate. In this process, server #A can also send the public key used by terminal device #B to access network device #A.
At S440, access network device #A can generate a random number M and obtain the transaction [symbol image PCTCN2018100209-appb-000011] described above. Access network device #A can then encrypt the random number M based on the public key used by terminal device #B [symbol image PCTCN2018100209-appb-000012] or, alternatively, based on the identity of terminal device #B (for example, identifier #C), to generate ciphertext #A.
At S450, access network device #A can send ciphertext #A and [symbol image PCTCN2018100209-appb-000013] to terminal device #B.
At S460, terminal device #B can decrypt ciphertext #A with the private key used by terminal device #B [symbol image PCTCN2018100209-appb-000014] (where the private key [symbol image PCTCN2018100209-appb-000015] corresponds to the public key used by terminal device #B [symbol image PCTCN2018100209-appb-000016], or the private key [symbol image PCTCN2018100209-appb-000017] corresponds to the identity of terminal device #B), thereby obtaining the random number M. Furthermore, during the process in which terminal device #B obtained its identity, server #A can have delivered the identifiers of the access network devices in the communication system to terminal device #B, so terminal device #B can determine, based on [symbol image PCTCN2018100209-appb-000018], that access network device #A is legitimate. Thereafter, terminal device #B can generate a random number N and encrypt the random number N and the random number M based on the public key used by access network device #A [symbol image PCTCN2018100209-appb-000019] or, alternatively, the identity of access network device #A (that is, identifier #A), to generate ciphertext #B.
At S470, terminal device #B can send ciphertext #B to access network device #A.
At S480, access network device #A can decrypt ciphertext #B with the private key used by access network device #A [symbol image PCTCN2018100209-appb-000020] (where the private key [symbol image PCTCN2018100209-appb-000021] corresponds to the public key used by access network device #A [symbol image PCTCN2018100209-appb-000022], or the private key [symbol image PCTCN2018100209-appb-000023] corresponds to the identity of access network device #A), to obtain the random number N and the random number M; access network device #A has thereby completed authentication of terminal device #B.
Access network device #A can then encrypt the random number N based on the public key used by terminal device #B [symbol image PCTCN2018100209-appb-000024] or, alternatively, the identity of terminal device #B (that is, identifier #C), to generate ciphertext #C.
At S490, access network device #A can send ciphertext #C to terminal device #B. Terminal device #B can then decrypt ciphertext #C with the private key used by terminal device #B [symbol image PCTCN2018100209-appb-000025] (where the private key [symbol image PCTCN2018100209-appb-000026] corresponds to the public key used by terminal device #B [symbol image PCTCN2018100209-appb-000027], or the private key [symbol image PCTCN2018100209-appb-000028] corresponds to the identity of terminal device #B). If N is obtained, terminal device #B has completed authentication of access network device #A, and the network access authentication ends.
Next, the network access authentication procedure performed by terminal device #B (that is, an example of the first terminal device) based on an identity issued as described above (for example, identifier #B above) is described in detail with reference to FIG. 7.
Server #B can assign public key #B (that is, an example of the first decryption information) and private key #B to the terminal device. Server #B can send private key #B to terminal device #B and send public key #B to access network device #A.
In the embodiment of the present invention, the methods of generating and using public key #B and private key #B can be similar to those of the prior art, and a detailed description is omitted here.
Without loss of generality, let identifier #B be represented as a decimal value (that is, a number) m.
As shown in FIG. 7, at S510, terminal device #B can apply processing #B (that is, an example of the second preset processing) to m to obtain information a and information b (that is, an example of the first authentication information).
As an example and not a limitation, information a and information b obtained through processing #B can satisfy the following conditions:
$a = g^{k} \bmod p$,
$m = (xa + kb) \bmod (p-1)$,
$y = g^{x} \bmod p$,
where y is public key #B; a, b, m, k, g, p, x and y are positive integers; $1 \le k \le p-2$; k and p-1 are coprime; p is the computation parameter and is a prime number; $g < p$ and $x < p$; and mod denotes the remainder operation.
Here, a prime number (of which there are infinitely many) is defined as a natural number greater than 1 that has no factors other than 1 and itself.
Coprime integers (also called relatively prime integers) are two integers whose only common divisor (or common factor) is 1. Two natural numbers whose only common divisor is 1 are called coprime natural numbers, which is a special case of the former.
Specifically, if the greatest common factor of N integers is 1, the N integers are said to be coprime.
It should be understood that the conditions listed above for information a and information b obtained through processing #B are only illustrative, and the present invention is not limited thereto. Any other method under which the information derived from m yields corresponding (for example, identical) results in the third processing and the fourth processing, described below, at the terminal device and at the network device falls within the protection scope of the present invention; for example, the remainder operation above can also be replaced with a logarithmic or exponential operation.
At S520, terminal device #B can send information a and information b to access network device #A.
At S530, access network device #A can apply processing #C (that is, an example of the third preset processing) to information a and information b to obtain information X (that is, an example of the first result).
As an example and not a limitation, information X obtained through processing #C can satisfy the following condition:
$X = y^{a} a^{b} \bmod p$
At S540, terminal device #B can apply processing #D (that is, the fourth processing) to identifier #B (that is, m) to obtain information Y (that is, an example of the second result).
As an example and not a limitation, information Y obtained through processing #D can satisfy the following condition:
$Y = g^{m} \bmod p$
At S550, terminal device #B can send information Y to access network device #A.
Thus, at S560, access network device #A can determine, based on the relationship between information X and information Y, whether to allow terminal device #B to access.
For example, if information X is identical to information Y, access network device #A allows terminal device #B to access;
or, if information X differs from information Y, access network device #A does not allow terminal device #B to access.
It should be noted that the actions performed by access network device #A above can also be performed by server #A above (that is, an example of the first consensus node).
Optionally, at S570, access network device #A can also send information X obtained as described above to terminal device #B.
At S580, terminal device #B can then determine, based on the relationship between information X and information Y, whether to access access network device #A (or, in other words, whether access network device #A is legitimate).
For example, if information X is identical to information Y, terminal device #B determines that it can access access network device #A, that is, that access network device #A is legitimate;
or, if information X differs from information Y, terminal device #B determines not to access access network device #A, that is, that access network device #A is not legitimate.
It should be understood that the condition satisfied by information X obtained through processing #C and the condition satisfied by information Y obtained through processing #D listed above are only illustrative, and the present invention is not limited thereto; for example, the remainder operation above can also be replaced with a logarithmic or exponential operation.
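The two exchanges described above, the M/N challenge-response of FIG. 6 (S440 to S490) and the (a, b)/X/Y identity proof of FIG. 7 (S510 to S560), as an added example written for this page and not the patent's own code; the public-key operations the text leaves unspecified are instantiated with textbook ElGamal, and P, G, the private keys, the identifier m and the access-network identifier list are constructed toy values.

```python
"""Added example for this page (not the patent's code): the FIG. 6 challenge-
response (S440-S490) and the FIG. 7 identity proof (S510-S560), with the
unspecified public-key operations instantiated as textbook ElGamal.
P, G, the keys, m and the access-network identifier list are toy values."""
import random
from math import gcd

P = 2_147_483_647   # constructed toy prime (2^31 - 1); a real p would be far larger
G = 7               # primitive root mod P, so g^m == g^m' only when m == m' mod (P-1)
_rng = random.SystemRandom()


def public_key(x):
    """y = g^x mod p: public key #B, held by the access network device."""
    return pow(G, x, P)


# ---- FIG. 7, S510-S560: prove knowledge of m without sending m ----

def sign_identity(m, x, k=None):
    """Terminal, S510 (processing #B): derive (a, b) from identifier m.
    Satisfies a = g^k mod p and m = (x*a + k*b) mod (p-1), gcd(k, p-1) = 1.
    k is drawn fresh per run; passing a fixed k is only for reproducible tests."""
    if k is None:
        k = _rng.randrange(1, P - 1)
        while gcd(k, P - 1) != 1:
            k = _rng.randrange(1, P - 1)
    a = pow(G, k, P)
    b = (m - x * a) * pow(k, -1, P - 1) % (P - 1)  # solve m = xa + kb for b
    return a, b


def processing_c(y, a, b):
    """Access network device, S530: X = y^a * a^b mod p."""
    return pow(y, a, P) * pow(a, b, P) % P


def processing_d(m):
    """Terminal, S540: Y = g^m mod p commits to m without revealing it."""
    return pow(G, m, P)


def access_decision(y, a, b, Y):
    """Access network device, S560: admit the terminal only when X == Y.
    Holds for an honest terminal because y^a * a^b = g^(x*a + k*b) = g^m (mod p)."""
    return processing_c(y, a, b) == Y


# ---- FIG. 6, S440-S490: mutual challenge-response with M and N ----

def encrypt(y, msg):
    """ElGamal encryption of 1 <= msg < p under public key y."""
    r = _rng.randrange(1, P - 1)
    return pow(G, r, P), msg * pow(y, r, P) % P


def decrypt(x, ct):
    c1, c2 = ct
    return c2 * pow(pow(c1, x, P), -1, P) % P


def challenge_exchange(x_term, x_an, y_term, y_an, an_id, known_an_ids):
    """Run S440-S490. Returns (an_accepts_terminal, terminal_accepts_an).
    y_term is the terminal public key the AN holds; the terminal decrypts
    with x_term, so a terminal holding the wrong private key is rejected."""
    # S440/S450: AN draws M and sends it encrypted for the terminal
    M = _rng.randrange(1, P - 1)
    ct_a = encrypt(y_term, M)
    # S460: terminal checks the AN identifier it was provisioned with,
    # recovers M, draws N and returns (N, M) encrypted for the AN
    if an_id not in known_an_ids:
        return False, False
    M_seen = decrypt(x_term, ct_a)
    N = _rng.randrange(1, P - 1)
    ct_b = (encrypt(y_an, N), encrypt(y_an, M_seen))
    # S470/S480: AN recovers N and M; M must match what it sent
    N_seen, M_back = decrypt(x_an, ct_b[0]), decrypt(x_an, ct_b[1])
    if M_back != M:
        return False, False
    # S490: AN returns N encrypted for the terminal, which checks it
    ct_c = encrypt(y_term, N_seen)
    return True, decrypt(x_term, ct_c) == N


if __name__ == "__main__":
    x_t, x_a = 987654321, 24680            # constructed private keys
    m = 123456                             # constructed identifier #B
    a, b = sign_identity(m, x_t)
    print("S560 admit:", access_decision(public_key(x_t), a, b, processing_d(m)))
    print("FIG. 6 result:", challenge_exchange(x_t, x_a, public_key(x_t),
                                               public_key(x_a), "AN-A", {"AN-A"}))
```

The FIG. 7 check is ElGamal signature verification of m under x with the verifier given g^m instead of m, which is why a tampered Y or a signature made with another private key fails at S560 while m itself never travels in the clear.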
In the prior art, a terminal device performing access authentication must send its identification information to the access network device; if the identification information is stolen during that process, user information is leaked, which seriously reduces the security of the communication.
In contrast, in the embodiment of the present invention, first authentication information determined from the identification information is used during the access procedure, and the identification information cannot be recovered from the first authentication information. Thus, even if the first authentication information is stolen in transit, the identification information cannot be obtained from it; this prevents user information from being leaked and therefore improves the security of the communication.
It should be understood that method 300, method 400 and method 500 listed above can be used separately or in combination; the present invention does not particularly limit this.
FIG. 8 is a schematic block diagram of an apparatus 600 for access authentication according to an embodiment of the present invention. The apparatus 600 can correspond to (for example, can be configured in, or can itself be) consensus node #B (for example, server #A) described in method 300, method 400 or method 500 above, and the modules or units of the apparatus 600 are respectively configured to perform the actions or processes performed by consensus node #B in method 300, method 400 or method 500 above; to avoid repetition, a detailed description is omitted here.
In the embodiment of the present invention, the apparatus 600 can include a processor and a transceiver that are communicatively connected. Optionally, the apparatus further includes a memory communicatively connected to the processor. Optionally, the processor, the memory and the transceiver can be communicatively connected, the memory can be used to store instructions, and the processor is configured to execute the instructions stored in the memory so as to control the transceiver to send information or signals.
The transceiver unit of the apparatus 600 shown in FIG. 8 can correspond to the transceiver, and the processing unit of the apparatus 600 shown in FIG. 8 can correspond to the processor.
FIG. 9 is a schematic block diagram of an apparatus 700 for determining the identifier of a terminal device according to an embodiment of the present invention. The apparatus 700 can correspond to (for example, can be configured in, or can itself be) server #B described in method 300, method 400 or method 500 above, and the modules or units of the apparatus 700 are respectively configured to perform the actions or processes performed by server #B in method 300, method 400 or method 500 above; to avoid repetition, a detailed description is omitted here.
In the embodiment of the present invention, the apparatus 700 can include a processor and a transceiver that are communicatively connected. Optionally, the apparatus further includes a memory communicatively connected to the processor. Optionally, the processor, the memory and the transceiver can be communicatively connected, the memory can be used to store instructions, and the processor is configured to execute the instructions stored in the memory so as to control the transceiver to send information or signals.
The transceiver unit of the apparatus 700 shown in FIG. 9 can correspond to the transceiver, and the processing unit of the apparatus 700 shown in FIG. 9 can correspond to the processor.
FIG. 10 is a schematic block diagram of an apparatus 800 for determining the identifier of a terminal device according to an embodiment of the present invention. The apparatus 800 can correspond to (for example, can be configured in, or can itself be) terminal device #B described in method 300, method 400 or method 500 above, and the modules or units of the apparatus 800 are respectively configured to perform the actions or processes performed by terminal device #B in method 300, method 400 or method 500 above; to avoid repetition, a detailed description is omitted here.
In the embodiment of the present invention, the apparatus 800 can include a processor and a transceiver that are communicatively connected. Optionally, the apparatus further includes a memory communicatively connected to the processor. Optionally, the processor, the memory and the transceiver can be communicatively connected, the memory can be used to store instructions, and the processor is configured to execute the instructions stored in the memory so as to control the transceiver to send information or signals.
The transceiver unit of the apparatus 800 shown in FIG. 10 can correspond to the transceiver, and the processing unit of the apparatus 800 shown in FIG. 10 can correspond to the processor.
It should be noted that the method embodiments above can be applied in, or implemented by, a processor. The processor can be an integrated circuit chip with signal processing capability. During implementation, the steps of the method embodiments above can be completed by integrated logic circuits in hardware within the processor or by instructions in the form of software. The processor can be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and can implement or execute the methods, steps and logical block diagrams disclosed in the embodiments of the present invention. The general-purpose processor can be a microprocessor, or the processor can be any conventional processor. The steps of the methods disclosed in the embodiments of the present invention can be performed directly by a hardware decoding processor, or by a combination of hardware and software modules within a decoding processor. The software module can reside in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or a register. The storage medium is located in the memory; the processor reads the information in the memory and, together with its hardware, completes the steps of the methods above.
It can be understood that the memory in the embodiments of the present invention can be volatile memory or non-volatile memory, or can include both volatile and non-volatile memory. The non-volatile memory can be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM) or flash memory. The volatile memory can be random access memory (RAM), which serves as an external cache. By way of example and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct Rambus RAM (DR RAM). It should be noted that the memory of the systems and methods described herein is intended to include, but is not limited to, these and any other suitable types of memory.
It should be understood that the term "and/or" herein merely describes an association relationship between associated objects and indicates that three relationships can exist; for example, "A and/or B" can mean: A exists alone, A and B exist together, or B exists alone. In addition, the character "/" herein generally indicates an "or" relationship between the associated objects before and after it.
It should be understood that, in the various embodiments of the present invention, the sequence numbers of the processes above do not imply an order of execution; the order in which the processes are executed should be determined by their functions and internal logic, and should not constitute any limitation on the implementation of the embodiments of the present invention.
A person of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the particular application and design constraints of the technical solution. A skilled person can use different methods to implement the described functions for each particular application, but such implementation should not be considered to go beyond the scope of the embodiments of the present invention.
A person skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above can be found in the corresponding processes of the method embodiments above and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into units is only a logical functional division, and other divisions are possible in actual implementation, for example multiple units or components can be combined or integrated into another system, or some features can be omitted or not executed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed can be indirect couplings or communication connections through interfaces, apparatuses or units, and can be electrical, mechanical or of another form.
所述作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部单元来实现本实施例方案的目 的。The units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the embodiment of the present embodiment.
另外,在本发明实施例各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。In addition, each functional unit in each embodiment of the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
所述功能如果以软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本发明实施例的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行本发明实施例各个实施例所述方法的全部或部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(Read-Only Memory,ROM)、随机存取存储器(Random Access Memory,RAM)、磁碟或者光盘等各种可以存储程序代码的介质。The functions may be stored in a computer readable storage medium if implemented in the form of a software functional unit and sold or used as a standalone product. Based on such understanding, the technical solution of the embodiments of the present invention, or the part contributing to the prior art or the part of the technical solution, may be embodied in the form of a software product stored in a storage medium. The instructions include a plurality of instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present invention. The foregoing storage medium includes: a U disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk, and the like, which can store program codes. .
以上所述,仅为本发明实施例的具体实施方式,但本发明实施例的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本发明实施例揭露的技术范围内,可轻易想到变化或替换,都应涵盖在本发明实施例的保护范围之内。The foregoing is only a specific embodiment of the embodiments of the present invention, but the scope of protection of the embodiments of the present invention is not limited thereto, and any person skilled in the art can easily use the technical scope disclosed in the embodiments of the present invention. All changes or substitutions are contemplated to be within the scope of the embodiments of the invention.

Claims (26)

  1. A method for access authentication, characterized in that the method comprises:
    a first consensus node receives first identity information from a first server, where the first server is a server of the manufacturer of a first terminal device, the first identity information is generated by applying first preset processing to identification information that the first server allocates to the first terminal device, and the identification information cannot be obtained from the first identity information;
    the first consensus node negotiates with at least one second consensus node on the first identity information, to determine whether the first identity information can be used for access authentication for the communication system.
  2. The method according to claim 1, characterized in that the first preset processing comprises hash processing.
  3. The method according to claim 1 or 2, characterized in that the first consensus node negotiating with at least one second consensus node on the first identity information comprises:
    the first consensus node verifies the first identifier against at least one piece of second identity information, where the second identity information can be used for access authentication for the communication system, and where
    when the first identity information differs from every piece of second identity information, the result of the verification is that the first identity information can be used for access authentication for the communication system, and
    when the first identity information is the same as at least one piece of second identity information, the result of the verification is that the first identity information cannot be used for access authentication for the communication system;
    the first consensus node negotiates with the at least one second consensus node on the first identity information according to the result of the verification.
  4. The method according to any one of claims 1 to 3, characterized in that the first consensus node negotiating with the at least one second consensus node on the first identity information according to the result of the verification comprises:
    if, among the first consensus node and the at least one second consensus node, the number of consensus nodes that determine that the first identity information can be used for access authentication for the communication system is greater than or equal to a preset first threshold, the first consensus node determines that the first identity information can be used for access authentication for the communication system; or
    if, among the first consensus node and the at least one second consensus node, the number of consensus nodes that determine that the first identity information can be used for access authentication for the communication system is less than the first threshold, the first consensus node determines that the first identity information cannot be used for access authentication for the communication system.
  5. The method according to any one of claims 1 to 4, characterized in that the method further comprises:
    the first consensus node receives first decryption information, where the first decryption information is information allocated by the first server to the first terminal device for decrypting data sent by the first terminal device;
    the first consensus node receives first authentication information sent by the first terminal device, where the first authentication information is generated by applying second preset processing to the identification information, and the identification information cannot be obtained from the first authentication information;
    the first consensus node performs third preset processing based on the first decryption information and the first authentication information to obtain a first result;
    the first consensus node receives a second result from the first terminal device, where the second result is generated by the terminal device applying fourth preset processing to the identification information, and the second preset processing, the third preset processing and the fourth preset processing use at least one common calculation parameter;
    the first consensus node determines, according to the relationship between the first result and the second result, whether the first terminal device passes access authentication for the communication system.
  6. The method according to claim 5, characterized in that the first authentication information comprises first sub-information a and second sub-information b, and
    the second preset processing comprises processing based on the following formulas:
    a = g^k mod p,
    m = (x·a + k·b) mod (p-1),
    y = g^x mod p,
    where y is the first decryption information, m is the identification information, a, b, m, k, g, p, x and y are positive integers, 1 ≤ k ≤ p-2, k is coprime to p-1, p is the calculation parameter and is a prime number, g < p, x < p, and mod denotes the modulo (remainder) operation.
  7. The method according to claim 6, characterized in that the third preset processing comprises making the first result X satisfy X = y^a · a^b mod p, and
    the fourth preset processing comprises making the second result Y satisfy Y = g^m mod p.
  8. The method according to claim 7, characterized in that the first consensus node determining, according to the relationship between the first result and the second result, whether the first terminal device passes access authentication for the communication system comprises:
    if the first result is the same as the second result, the first consensus node determines that the first terminal device can pass access authentication for the communication system;
    if the first result differs from the second result, the first consensus node determines that the first terminal device cannot pass access authentication for the communication system.
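A runnable walk-through of claims 1 to 8, added here as an illustration and not code from the patent or its assignee: the manufacturer server hashes the allocated identifier into first identity information, the consensus nodes check it for uniqueness and vote against a threshold, and the terminal's (a, b) and Y = g^m mod p are checked by a node that holds only y. The toy prime p, generator g, SHA-256 as the "first preset processing", the integer encoding of the identifier, and all sample values are assumptions of this example.

```python
"""Toy walk-through of the two phases claimed above (example code, not the patent's).

Registration (claims 1-4): the server hashes the identifier allocated to the device;
each consensus node checks the digest against already admitted identity information,
and the nodes accept it only if at least `threshold` of them judge it usable.

Authentication (claims 5-8): the terminal turns identifier m into an ElGamal-style
pair (a, b) plus Y = g^m mod p; a node holding only y recomputes X = y^a * a^b mod p.
"""
import hashlib
from math import gcd
from typing import List, Set, Tuple

# Constructed toy parameters (assumption; far too small for real deployments):
# p is the Mersenne prime 2^31 - 1, g = 7 is a generator modulo p.
P = 2_147_483_647
G = 7


def first_preset_processing(identifier: int) -> str:
    """Claim 2: hash the identifier; SHA-256 and the 16-byte encoding are assumptions."""
    return hashlib.sha256(identifier.to_bytes(16, "big")).hexdigest()


def node_verify(first_identity: str, admitted: Set[str]) -> bool:
    """Claim 3: one node's verdict, usable only if the value differs from every
    piece of second identity information already admitted."""
    return first_identity not in admitted


def negotiate(verdicts: List[bool], threshold: int) -> bool:
    """Claim 4: accepted when the number of nodes (first node included) judging
    the identity information usable reaches the preset first threshold."""
    return sum(verdicts) >= threshold


def run_registration(identifier: int, admitted: Set[str], n_nodes: int, threshold: int) -> bool:
    """Every node sees the same identity information, so all verdicts agree."""
    ident = first_preset_processing(identifier)
    verdicts = [node_verify(ident, admitted) for _ in range(n_nodes)]
    return negotiate(verdicts, threshold)


def server_key_pair(x: int, p: int = P, g: int = G) -> Tuple[int, int]:
    """The server allocates private x to the device and hands y = g^x mod p
    (the first decryption information) to the consensus node."""
    if not 1 <= x < p:
        raise ValueError("x must satisfy 1 <= x < p")
    return x, pow(g, x, p)


def second_preset_processing(m: int, x: int, k: int, p: int = P, g: int = G) -> Tuple[int, int]:
    """Terminal side (claim 6): a = g^k mod p and b chosen so that
    m = (x*a + k*b) mod (p-1). The constraints on k are those stated in claim 6."""
    if not 1 <= k <= p - 2 or gcd(k, p - 1) != 1:
        raise ValueError("k must satisfy 1 <= k <= p-2 and gcd(k, p-1) == 1")
    a = pow(g, k, p)
    k_inv = pow(k, -1, p - 1)  # exists because gcd(k, p-1) == 1
    b = ((m - x * a) * k_inv) % (p - 1)
    return a, b


def fourth_preset_processing(m: int, p: int = P, g: int = G) -> int:
    """Terminal side (claim 7): second result Y = g^m mod p."""
    return pow(g, m, p)


def third_preset_processing(y: int, a: int, b: int, p: int = P) -> int:
    """Consensus node side (claim 7): first result X = y^a * a^b mod p."""
    return (pow(y, a, p) * pow(a, b, p)) % p


def access_authentication(y: int, a: int, b: int, second_result: int, p: int = P) -> bool:
    """Claim 8: the device passes exactly when X == Y. Correctness:
    y^a * a^b = g^(x*a) * g^(k*b) = g^(x*a + k*b) = g^m (mod p),
    because exponents may be reduced modulo p-1 (Fermat's little theorem)."""
    return third_preset_processing(y, a, b, p) == second_result


if __name__ == "__main__":
    admitted = {first_preset_processing(1001)}  # one device already registered
    print("register 1002:", run_registration(1002, admitted, 4, 3))        # True
    print("register 1001 again:", run_registration(1001, admitted, 4, 3))  # False

    m = 1002  # identification information as an integer (constructed)
    x, y = server_key_pair(12345)
    a, b = second_preset_processing(m, x, k=10007)
    print("authenticate:", access_authentication(y, a, b, fourth_preset_processing(m)))  # True
```

Note that k must be fresh per signature and coprime to p-1 (as claim 6 requires); the constructor raises on a k that violates the stated constraints.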
  9. A method for access authentication, characterized in that the method comprises:
    a first server allocates identification information to a first terminal device;
    the first server applies first preset processing to the identification information to generate first identity information, where the identification information cannot be obtained from the first identity information;
    the first server sends the first identity information to a first consensus node.
  10. The method according to claim 9, characterized in that the first preset processing comprises hash processing.
  11. A method for access authentication, characterized in that it comprises:
    a first terminal device receives identification information from a first server, where the first server is a server of the manufacturer of the first terminal;
    the first terminal device applies second preset processing to the identification information to generate first authentication information, where the identification information cannot be obtained from the first authentication information;
    the first terminal device applies fourth preset processing to the identification information to generate a second result;
    the first terminal device sends the first authentication information and the second result to a first consensus node, so that the first consensus node performs third preset processing based on first decryption information and the first authentication information to obtain a first result, and determines, based on the relationship between the first result and the second result, whether the first terminal device passes access authentication for the communication system, where the first decryption information is information allocated by the first server to the first terminal device for decrypting data sent by the first terminal device, and the second preset processing, the third preset processing and the fourth preset processing use at least one common calculation parameter.
  12. The method according to claim 11, characterized in that the first authentication information comprises first sub-information a and second sub-information b, and
    the second preset processing comprises processing based on the following formulas:
    a = g^k mod p,
    m = (x·a + k·b) mod (p-1),
    y = g^x mod p,
    where y is the first decryption information, m is the identification information, a, b, m, k, g, p, x and y are positive integers, 1 ≤ k ≤ p-2, k is coprime to p-1, p is the calculation parameter and is a prime number, g < p, x < p, and mod denotes the modulo (remainder) operation.
  13. The method according to claim 12, characterized in that the third preset processing comprises making the first result X satisfy X = y^a · a^b mod p, and
    the fourth preset processing comprises making the second result Y satisfy Y = g^m mod p.
  14. An apparatus for access authentication, characterized in that the apparatus comprises:
    a communication unit, configured to receive first identity information from a first server, where the first server is a server of the manufacturer of a first terminal device, the first identity information is generated by applying first preset processing to identification information that the first server allocates to the first terminal device, and the identification information cannot be obtained from the first identity information;
    a processing unit, configured to control the communication unit to negotiate with at least one second consensus node on the first identity information, to determine whether the first identity information can be used for access authentication for the communication system.
  15. The apparatus according to claim 14, characterized in that the first preset processing comprises hash processing.
  16. The apparatus according to claim 14 or 15, characterized in that the processing unit is further configured to verify the first identifier against at least one piece of second identity information, where the second identity information can be used for access authentication for the communication system, and where
    when the first identity information differs from every piece of second identity information, the result of the verification is that the first identity information can be used for access authentication for the communication system, and
    when the first identity information is the same as at least one piece of second identity information, the result of the verification is that the first identity information cannot be used for access authentication for the communication system;
    the processing unit is specifically configured to control, according to the result of the verification, the communication unit to negotiate with the at least one second consensus node on the first identity information.
  17. The apparatus according to any one of claims 14 to 16, characterized in that the processing unit is specifically configured to:
    if, among the apparatus and the at least one second consensus node, the number of consensus nodes that determine that the first identity information can be used for access authentication for the communication system is greater than or equal to a preset first threshold, determine that the first identity information can be used for access authentication for the communication system; or
    if, among the apparatus and the at least one second consensus node, the number of consensus nodes that determine that the first identity information can be used for access authentication for the communication system is less than the first threshold, determine that the first identity information cannot be used for access authentication for the communication system.
  18. The apparatus according to any one of claims 14 to 17, characterized in that the communication unit is further configured to receive first decryption information from the first server, where the first decryption information is information allocated by the first server to the first terminal device for decrypting data sent by the first terminal device; and to receive first authentication information and a second result from the first terminal device, where the first authentication information is generated by applying second preset processing to the identification information, the identification information cannot be obtained from the first authentication information, and the second result is generated by the terminal device applying fourth preset processing to the identification information;
    the processing unit is further configured to perform third preset processing based on the first decryption information and the first authentication information to obtain a first result, and to determine, according to the relationship between the first result and the second result, whether the first terminal device passes access authentication for the communication system, where the second result is generated by the terminal device applying fourth preset processing to the identification information, and the second preset processing, the third preset processing and the fourth preset processing use at least one common calculation parameter.
  19. The apparatus according to claim 18, characterized in that the first authentication information comprises first sub-information a and second sub-information b, and
    the second preset processing comprises processing based on the following formulas:
    a = g^k mod p,
    m = (x·a + k·b) mod (p-1),
    y = g^x mod p,
    where y is the first decryption information, m is the identification information, a, b, m, k, g, p, x and y are positive integers, 1 ≤ k ≤ p-2, k is coprime to p-1, p is the calculation parameter and is a prime number, g < p, x < p, and mod denotes the modulo (remainder) operation.
  20. The apparatus according to claim 19, characterized in that the third preset processing comprises making the first result X satisfy X = y^a · a^b mod p, and
    the fourth preset processing comprises making the second result Y satisfy Y = g^m mod p.
  21. The apparatus according to claim 20, characterized in that the apparatus determining, according to the relationship between the first result and the second result, whether the first terminal device passes access authentication for the communication system comprises:
    if the first result is the same as the second result, the apparatus determines that the first terminal device can pass access authentication for the communication system;
    if the first result differs from the second result, the apparatus determines that the first terminal device cannot pass access authentication for the communication system.
  22. An apparatus for access authentication, characterized in that the apparatus comprises:
    a processing unit, configured to allocate identification information to a first terminal device and to apply first preset processing to the identification information to determine first identity information, where the identification information cannot be obtained from the first identity information;
    a communication unit, configured to send the first identity information to a first consensus node.
  23. The apparatus according to claim 22, characterized in that the first preset processing comprises hash processing.
  24. An apparatus for access authentication, characterized in that it comprises:
    a communication unit, configured to receive identification information from a first server, where the first server is a server of the manufacturer of the first terminal;
    a processing unit, configured to apply second preset processing to the identification information to generate first authentication information, where the identification information cannot be obtained from the first authentication information, and to apply fourth preset processing to the identification information to generate a second result;
    the communication unit is further configured to send the first authentication information and the second result to a first consensus node, so that the first consensus node performs third preset processing based on first decryption information and the first authentication information to obtain a first result, and determines, based on the relationship between the first result and the second result, whether the first terminal device passes access authentication for the communication system, where the first decryption information is information allocated by the first server to the first terminal device for decrypting data sent by the first terminal device, and the second preset processing, the third preset processing and the fourth preset processing use at least one common calculation parameter.
  25. The apparatus according to claim 24, characterized in that the first authentication information comprises first sub-information a and second sub-information b, and
    the second preset processing comprises processing based on the following formulas:
    a = g^k mod p,
    m = (x·a + k·b) mod (p-1),
    y = g^x mod p,
    where y is the first decryption information, m is the identification information, a, b, m, k, g, p, x and y are positive integers, 1 ≤ k ≤ p-2, k is coprime to p-1, p is the calculation parameter and is a prime number, g < p, x < p, and mod denotes the modulo (remainder) operation.
  26. The apparatus according to claim 25, characterized in that the third preset processing comprises making the first result X satisfy X = y^a · a^b mod p, and
    the fourth preset processing comprises making the second result Y satisfy Y = g^m mod p.
PCT/CN2018/100209 2017-08-16 2018-08-13 Method and apparatus for access authentication WO2019034014A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710703367.3A CN109413645B (en) 2017-08-16 2017-08-16 Method and device for access authentication
CN201710703367.3 2017-08-16

Publications (1)

Publication Number Publication Date
WO2019034014A1 true WO2019034014A1 (en) 2019-02-21

Family

ID=65362154

Also Published As

Publication number Publication date
CN109413645A (en) 2019-03-01
CN109413645B (en) 2022-08-19

Similar Documents

Publication Publication Date Title
WO2019034014A1 (en) Method and apparatus for access authentication
US11026084B2 (en) Mobile network authentication method, terminal device, server, and network authentication entity
US11909870B2 (en) ECDHE key exchange for mutual authentication using a key server
WO2018219181A1 (en) Method and device for determining identifier of terminal device
US20180332471A1 (en) Wireless network connection method, wireless access point, server, and system
EP2491672B1 (en) Low-latency peer session establishment
US10567165B2 (en) Secure key transmission protocol without certificates or pre-shared symmetrical keys
WO2017107143A1 (en) Authentication and key agreement in communication network
US10009760B2 (en) Providing network credentials
TW201345217A (en) Identity management with local functionality
EP3633949A1 (en) Method and system for performing ssl handshake
US9143321B2 (en) Communication protocol for secure communications systems
WO2013118096A1 (en) Method, apparatus and computer program for facilitating secure d2d discovery information
WO2023283789A1 (en) Secure communication method and apparatus, terminal device, and network device
CN110366175B (en) Security negotiation method, terminal equipment and network equipment
EP3231151B1 (en) Commissioning of devices in a network
US11889307B2 (en) End-to-end security for roaming 5G-NR communications
WO2021120924A1 (en) Method and device for certificate application
WO2017026930A1 (en) Methods and devices for privacy enhancement in networks
US11552994B2 (en) Methods and nodes for handling LLDP messages in a communication network
WO2017132947A1 (en) Method for acquiring security parameters of to-be-transmitted service, signalling management network element, security function node and transmitting terminal
CN112602290B (en) Identity authentication method and device and readable storage medium
CN116963054A (en) WLAN multilink TDLS key derivation
WO2016176902A1 (en) Terminal authentication method, management terminal and application terminal
CN114245372B (en) Authentication method, device and system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 18846569
Country of ref document: EP
Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 18846569
Country of ref document: EP
Kind code of ref document: A1