Data service authorization method and apparatus, transmission method and apparatus, determination method and apparatus, and device
By receiving and verifying information from data service request nodes and then generating and sending tokens, the scheme addresses the inability of existing 5G security mechanisms to properly authorize data service requesters, so that data services are reliable and data service request nodes are properly authorized.
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- DATANG MOBILE COMM EQUIP CO LTD
- Filing Date
- 2025-11-11
- Publication Date
- 2026-06-11
AI Technical Summary
Existing 5G security mechanisms are insufficient to support reasonable authorization of data service requesters during the establishment of data plane sessions.
A data service authorization method is provided, which receives information from the data service request node, performs authorization verification, and generates and sends a first token to the data service provider node after successful verification, thereby realizing reasonable authorization during the data session establishment process.
This ensures the reliability of data services and guarantees the proper authorization of data service request nodes during the data session establishment process.
Description
Data service authorization, transmission, determination methods, apparatus and equipment
[0001] This disclosure claims priority to Chinese Patent Application No. 202411760742.4, filed with the Chinese Patent Office on December 3, 2024, entitled “Data Service Authorization, Transmission, Determination Method, Apparatus and Device”, the entire contents of which are incorporated herein by reference.
Technical Field
[0002] This disclosure relates to the field of communication technology, and in particular to a method, apparatus and device for data service authorization, transmission and determination.
Background Technology
[0003] The 5th generation (5G) system provides point-to-point forwarding of user data and network data management functions. Moving towards the 6th generation (6G), the communication network is no longer just a data transmission "channel"; it also needs to add a data plane to realize data services such as data collection, transmission, preprocessing, storage, analysis, and consumption. In the 6G mobile communication network, different data nodes, such as User Equipment (UE), Radio Access Network (RAN), and Core Network Network Function (CNNF), can all act as data service providers, offering certain data service capabilities; simultaneously, these nodes can also act as data service consumers, initiating data service requests.
[0004] Existing 5G security mechanisms are insufficient to support the proper authorization of data service requesters during data plane session establishment. How to achieve proper authorization of data service requesters during data session establishment is an urgent problem to be solved.
Summary of the Invention
[0005] This disclosure provides a data service authorization, transmission, and determination method, apparatus, and device to achieve reasonable authorization of data service request nodes during the data session establishment process.
[0006] To address the aforementioned technical problems, this disclosure provides a data service authorization method applied to a first network element, comprising:
[0007] Receive data service request information sent by the data service request node;
[0008] Perform authorization verification on the data service request node based on the data service request information;
[0009] If the authorization verification of the data service request node is successful, a first token is generated;
[0010] Send the first token to the data service provider node.
[0011] In some embodiments, when the data service request node is a terminal, the authorization verification of the data service request node includes:
[0012] The data service request information is decrypted using the first key to obtain the terminal identifier and the first information, which includes at least one of the following: data service request and data subscription request. The first key is the authorization key of the first network element, and the data service request information is encrypted using an encryption key generated on the terminal side.
[0013] Obtain the second information corresponding to the terminal identifier;
[0014] Determine whether the second information is consistent with the first information;
[0015] If the first information matches the second information, the authorization verification is deemed successful; otherwise, the authorization verification is deemed unsuccessful.
[0016] In some embodiments, when the data service request node is an access network node or a core network node, the authorization verification of the data service request node includes:
[0017] Verify the data service request information, which is a token of the data service provider node;
[0018] If the data service request information passes verification, the authorization verification is deemed successful; otherwise, the authorization verification is deemed unsuccessful.
[0019] In some embodiments, generating the first token includes:
[0020] Obtain the token of the data service provider node;
[0021] Sign the token of the data service provider node and the information to be transmitted to the data service provider node to obtain the first token.
[0022] In some embodiments, signing the token of the data service provider node and the information to be transmitted to the data service provider node to obtain the first token includes one of the following:
[0023] The first token is obtained by signing the token of the data service provider node and the information to be transmitted to the data service provider node using the private key of the first network element. The data service provider node is an access network node or a core network node.
[0024] The first token is obtained by encrypting the token of the data service provider node and the information to be transmitted to the data service provider node using the symmetric key generated by the first network element and the terminal during the terminal registration process. The data service provider node is the terminal.
[0025] In some embodiments, obtaining the token of the data service provider node includes at least one of the following:
[0026] Obtain the token of the data service provider node from the second network element;
[0027] Receive the token of the data service provider node sent by the data service request node.
[0028] In some embodiments, the method further includes:
[0029] Send the information that needs to be transmitted to the data service provider node.
[0030] In some embodiments, the method further includes:
[0031] Receive a data service management registration request sent by an access network node or a core network node, wherein the data service management registration request carries security capability parameters;
[0032] Based on the security capability parameters, send a data service management registration response to the access network node or core network node;
[0033] Specifically, if the security capability parameters are encrypted and successfully decrypted using the first network element's private key, the data service management registration response will not carry the first network element's public key; otherwise, the data service management registration response will carry the first network element's public key.
[0034] In some embodiments, the method further includes:
[0035] Receive a symmetric key sent by a third network element, the symmetric key being generated based on the third network element key.
[0036] This disclosure also provides an information transmission method applied to a second network element, including:
[0037] Receive a data service request message sent by a data service request node, wherein the data service request message carries the identifier of the data service request node;
[0038] Authorization verification is performed on the data service request node based on its identifier;
[0039] If the authorization verification of the data service request node is successful, a token of the data service provider node is sent to the data service request node.
[0040] In some embodiments, the authorization verification of the data service request node includes:
[0041] Based on the identifier of the data service request node, obtain the first data service capability reported by the data service request node;
[0042] If the first data service capability supports the data service capability requested by the data service request message, then the authorization verification is determined to be successful; otherwise, the authorization verification is determined to be unsuccessful.
[0043] In some embodiments, obtaining the first data service capability reported by the data service request node based on the identifier of the data service request node includes one of the following:
[0044] Based on the identifier of the data service request node, find the first data service capability reported by the data service request node corresponding to the identifier of the data service request node;
[0045] A query request is sent to the first network element, and the first data service capability reported by the data service request node is received from the first network element. The query request carries the identifier of the data service request node.
[0046] In some embodiments, the method further includes:
[0047] Receive the second network element key sent by the third network element, the second network element key being generated based on the third network element key.
[0048] This disclosure also provides a data service authorization determination method, applied to a terminal, including:
[0049] Receive the first token sent by the first network element;
[0050] The first token is decrypted using the first key to obtain third information, which includes at least one of the following: the token of the data service provider node and the information to be transmitted to the data service provider node;
[0051] If the information obtained through decryption that needs to be transmitted to the data service provider node is consistent with the information received directly that needs to be transmitted to the data service provider node, and the token verification of the data service provider node is successful, then it is determined that the data service requesting node has been authorized.
[0052] In some embodiments, the method further includes:
[0053] Receive the first security parameter sent by the third network element;
[0054] Based on the first security parameter, obtain the first key for the first network element.
[0055] In some embodiments, the method further includes:
[0056] Receive the second security parameter sent by the third network element;
[0057] Based on the second security parameter, obtain the second key for the second network element;
[0058] Send a data service request message encrypted with the second key to the second network element. The data service request message carries the identifier of the data service request node.
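As an added illustration (not the patent's own code) of the terminal-side flow in paragraphs [0012]-[0015], [0024], [0029] and [0050]-[0051]: the requesting terminal encrypts its identifier and first information under the key it shares with the first network element; the first network element decrypts, looks up the second information for that identifier and compares; on success it seals the provider token and the information to be transmitted into a first token under the key shared with the provider terminal, and also sends that information directly; the provider terminal decrypts the first token, compares the two copies of the information and checks the provider token. The patent names no cipher, so symmetric encryption is modelled here by an encrypt-then-MAC construction built from HMAC-SHA256; keys, identifiers, the subscription table and the provider token are constructed sample values.

```python
"""Toy model of the terminal-side first-token flow (added example)."""
import hashlib
import hmac
import json
import os
from typing import Optional


def _derive(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter-mode keystream from HMAC-SHA256; stand-in for the unspecified cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(d ^ k for d, k in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = os.urandom(16)
    body = nonce + _keystream_xor(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the tag fails (wrong key or tampered blob)."""
    if len(blob) < 48:
        return None
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        return None
    return _keystream_xor(enc_key, body[:16], body[16:])


# Constructed sample state (not values from the patent).
K_REQ = os.urandom(32)   # key shared by the requesting terminal and the first network element
K_PROV = os.urandom(32)  # key shared by the provider terminal and the first network element
PROVIDER_TOKEN = b"constructed-provider-token-0001"  # in the patent this comes from the second NE
# "Second information" held by the first NE: what each terminal is entitled to request.
SUBSCRIPTIONS = {"ue-1001": {"data_service_request": "radio-measurements"}}


def terminal_build_request(key: bytes, terminal_id: str, first_info: dict) -> bytes:
    """Requesting terminal: encrypt terminal identifier and first information ([0012])."""
    return seal(key, json.dumps({"terminal_id": terminal_id, "first_info": first_info}).encode())


def first_ne_verify_terminal(key: bytes, request: bytes) -> Optional[str]:
    """First NE, [0012]-[0015]: decrypt, fetch second information, compare. Returns the terminal id on success."""
    pt = open_sealed(key, request)
    if pt is None:
        return None
    msg = json.loads(pt)
    second = SUBSCRIPTIONS.get(msg["terminal_id"])
    if second is None or second != msg["first_info"]:
        return None
    return msg["terminal_id"]


def first_ne_issue_first_token(key_provider: bytes, provider_token: bytes, info: dict) -> bytes:
    """First NE, [0024]: provider is a terminal, so (provider token, info) is sealed under the shared symmetric key."""
    return seal(key_provider, json.dumps({"provider_token": provider_token.hex(), "info": info}).encode())


def provider_terminal_is_authorized(key: bytes, own_token: bytes, first_token: bytes, info_direct: dict) -> bool:
    """Provider terminal, [0050]-[0051]: decrypt third information, compare with the directly received info, check the token."""
    pt = open_sealed(key, first_token)
    if pt is None:
        return False
    third = json.loads(pt)
    token_ok = hmac.compare_digest(bytes.fromhex(third["provider_token"]), own_token)
    return third["info"] == info_direct and token_ok


def run_flow(first_info: dict, tamper_direct_info: bool = False) -> bool:
    """End-to-end: returns True only if the provider terminal concludes the requester is authorized."""
    request = terminal_build_request(K_REQ, "ue-1001", first_info)
    tid = first_ne_verify_terminal(K_REQ, request)
    if tid is None:
        return False  # first NE rejects; no first token is issued
    info = {"requester": tid, "service": first_info["data_service_request"]}
    first_token = first_ne_issue_first_token(K_PROV, PROVIDER_TOKEN, info)
    # [0029]: the information is also sent directly; model a modified direct copy.
    direct = dict(info, service="all-subscriber-data") if tamper_direct_info else info
    return provider_terminal_is_authorized(K_PROV, PROVIDER_TOKEN, first_token, direct)


if __name__ == "__main__":
    print("subscribed request:", run_flow({"data_service_request": "radio-measurements"}))
    print("unsubscribed request:", run_flow({"data_service_request": "location-traces"}))
    print("direct info altered:", run_flow({"data_service_request": "radio-measurements"}, True))
```

The third case shows why the provider compares both copies: the sealed copy inside the first token is the one the first network element actually authorized, so a differing direct copy is rejected.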
[0059] This disclosure also provides a data service authorization determination method, applied to an access network node or a core network node, including:
[0060] Receive the first token sent by the first network element;
[0061] The first token is verified using the public key of the first network element, and the fourth information is obtained. The fourth information includes at least one of the following: the token of the data service provider node and the information to be transmitted to the data service provider node.
[0062] If the information obtained through decryption that needs to be transmitted to the data service provider node is consistent with the information received directly that needs to be transmitted to the data service provider node, and the token verification of the data service provider node is successful, then it is determined that the data service requesting node has been authorized.
[0063] In some embodiments, the method further includes:
[0064] Send a data service management registration request to the first network element, the data service management registration request carrying security capability parameters;
[0065] Receive the data service management registration response sent by the first network element;
[0066] Specifically, if the security capability parameters are encrypted, the data service management registration response does not carry the first network element public key; otherwise, the data service management registration response carries the first network element public key.
[0067] This disclosure also provides a data service authorization device, which is a first network element, including a memory, a transceiver, and a processor.
[0068] A memory for storing computer programs; a transceiver for sending and receiving data under the control of the processor; and a processor for reading the computer programs from the memory and performing the following operations:
[0069] The transceiver receives data service request information sent by the data service request node.
[0070] Based on the data service request information, the authorization verification is performed on the data service request node;
[0071] If the authorization verification of the data service request node is successful, a first token is generated;
[0072] Send the first token to the data service provider node.
[0073] In some embodiments, when the data service request node is a terminal, the processor is configured to read the computer program in the memory and perform the following operations:
[0074] The data service request information is decrypted using the first key to obtain the terminal identifier and the first information, which includes at least one of the following: data service request and data subscription request. The first key is the authorization key of the first network element, and the data service request information is encrypted using an encryption key generated on the terminal side.
[0075] Obtain the second information corresponding to the terminal identifier;
[0076] Determine whether the second information is consistent with the first information;
[0077] If the first information matches the second information, the authorization verification is deemed successful; otherwise, the authorization verification is deemed unsuccessful.
[0078] In some embodiments, when the data service request node is an access network node or a core network node, the processor is configured to read the computer program in the memory and perform the following operations:
[0079] The data service request information is verified; the data service request information is a token of the data service providing node.
[0080] If the data service request information passes verification, the authorization verification is deemed successful; otherwise, the authorization verification is deemed unsuccessful.
[0081] In some embodiments, the processor is configured to read a computer program from the memory and perform the following operations:
[0082] Obtain the token of the data service provider node;
[0083] Sign the token of the data service provider node and the information to be transmitted to the data service provider node to obtain the first token.
[0084] In some embodiments, the processor is configured to read a computer program from the memory and perform at least one of the following operations:
[0085] The first token is obtained by signing the token of the data service provider node and the information to be transmitted to the data service provider node using the private key of the first network element. The data service provider node is an access network node or a core network node.
[0086] The first token is obtained by encrypting the token of the data service provider node and the information to be transmitted to the data service provider node using the symmetric key generated by the first network element and the terminal during the terminal registration process. The data service provider node is the terminal.
[0087] In some embodiments, the processor is configured to read a computer program from the memory and perform at least one of the following operations:
[0088] Obtain the token of the data service provider node from the second network element;
[0089] Receive the token of the data service provider node sent by the data service request node.
[0090] In some embodiments, the processor is further configured to read the computer program from the memory and perform the following operations:
[0091] Send the information that needs to be transmitted to the data service provider node.
[0092] In some embodiments, the processor is further configured to read the computer program from the memory and perform the following operations:
[0093] Receive a data service management registration request sent by an access network node or a core network node, wherein the data service management registration request carries security capability parameters;
[0094] Based on the security capability parameters, send a data service management registration response to the access network node or core network node;
[0095] Specifically, if the security capability parameters are encrypted and successfully decrypted using the first network element's private key, the data service management registration response will not carry the first network element's public key; otherwise, the data service management registration response will carry the first network element's public key.
[0096] In some embodiments, the processor is further configured to read the computer program from the memory and perform the following operations:
[0097] Receive a symmetric key sent by a third network element, the symmetric key being generated based on the third network element key.
[0098] This disclosure also provides an information transmission device, which is a second network element, including a memory, a transceiver, and a processor.
[0099] A memory for storing computer programs; a transceiver for sending and receiving data under the control of the processor; and a processor for reading the computer programs from the memory and performing the following operations:
[0100] Receive, through the transceiver, a data service request message sent by a data service request node, the data service request message carrying the identifier of the data service request node;
[0101] Authorization verification is performed on the data service request node based on its identifier;
[0102] If the authorization verification of the data service request node is successful, a token of the data service provider node is sent to the data service request node.
[0103] In some embodiments, the processor is configured to read a computer program from the memory and perform the following operations:
[0104] Based on the identifier of the data service request node, obtain the first data service capability reported by the data service request node;
[0105] If the first data service capability supports the data service capability requested by the data service request message, then the authorization verification is determined to be successful; otherwise, the authorization verification is determined to be unsuccessful.
[0106] In some embodiments, the processor is configured to read a computer program from the memory and perform one of the following operations:
[0107] Based on the identifier of the data service request node, find the first data service capability reported by the data service request node corresponding to the identifier of the data service request node;
[0108] A query request is sent to the first network element, and the first data service capability reported by the data service request node is received from the first network element. The query request carries the identifier of the data service request node.
[0109] In some embodiments, the processor is further configured to read the computer program from the memory and perform the following operations:
[0110] Receive the second network element key sent by the third network element, the second network element key being generated based on the third network element key.
[0111] This disclosure also provides a terminal, including a memory, a transceiver, and a processor:
[0112] A memory for storing computer programs; a transceiver for sending and receiving data under the control of the processor; and a processor for reading the computer programs from the memory and performing the following operations:
[0113] Receive the first token sent by the first network element through the transceiver;
[0114] The first token is decrypted using the first key to obtain third information, which includes at least one of the following: the token of the data service provider node and the information to be transmitted to the data service provider node;
[0115] If the information obtained through decryption that needs to be transmitted to the data service provider node is consistent with the information received directly that needs to be transmitted to the data service provider node, and the token verification of the data service provider node is successful, then it is determined that the data service requesting node has been authorized.
[0116] In some embodiments, the processor is further configured to read the computer program from the memory and perform the following operations:
[0117] Receive the first security parameter sent by the third network element;
[0118] Based on the first security parameter, obtain the first key for the first network element.
[0119] In some embodiments, the processor is further configured to read the computer program from the memory and perform the following operations:
[0120] Receive the second security parameter sent by the third network element;
[0121] Based on the second security parameter, obtain the second key for the second network element;
[0122] Send a data service request message encrypted with the second key to the second network element. The data service request message carries the identifier of the data service request node.
[0123] This disclosure also provides a data service authorization determination device, which is an access network node or a core network node, including a memory, a transceiver, and a processor.
[0124] A memory for storing computer programs; a transceiver for sending and receiving data under the control of the processor; and a processor for reading the computer programs from the memory and performing the following operations:
[0125] Receive the first token sent by the first network element through the transceiver;
[0126] The first token is verified using the public key of the first network element, and the fourth information is obtained. The fourth information includes at least one of the following: the token of the data service provider node and the information to be transmitted to the data service provider node.
[0127] If the information obtained through decryption that needs to be transmitted to the data service provider node is consistent with the information received directly that needs to be transmitted to the data service provider node, and the token verification of the data service provider node is successful, then it is determined that the data service requesting node has been authorized.
[0128] In some embodiments, the processor is further configured to read the computer program from the memory and perform the following operations:
[0129] Send a data service management registration request to the first network element, the data service management registration request carrying security capability parameters;
[0130] Receive the data service management registration response sent by the first network element;
[0131] Specifically, if the security capability parameters are encrypted, the data service management registration response does not carry the first network element public key; otherwise, the data service management registration response carries the first network element public key.
[0132] This disclosure also provides a data service authorization device, including:
[0133] The first receiving unit is used to receive data service request information sent by the data service request node;
[0134] The first verification unit is used to perform authorization verification on the data service request node based on the data service request information.
[0135] The generation unit is used to generate a first token when the authorization verification of the data service request node is passed;
[0136] The first sending unit is used to send the first token to the data service provider node.
[0137] This disclosure also provides an information transmission device, including:
[0138] The second receiving unit is used to receive a data service request message sent by a data service request node, wherein the data service request message carries the identifier of the data service request node;
[0139] The second verification unit is used to perform authorization verification on the data service request node based on the identifier of the data service request node;
[0140] The second sending unit is used to send a token of the data service providing node to the data service request node when the authorization verification of the data service request node is successful.
[0141] This disclosure also provides a data service authorization determination device, including:
[0142] The third receiving unit is used to receive the first token sent by the first network element;
[0143] The first acquisition unit is used to decrypt the first token using the first key and acquire third information, wherein the third information includes at least one of the following: the token of the data service provider node and information to be transmitted to the data service provider node;
[0144] The first determining unit is configured to determine that the data service requesting node has been authorized if the information to be transmitted to the data service providing node obtained through decryption is consistent with the information to be transmitted to the data service providing node that is directly received, and the token verification of the data service providing node is successful.
[0145] This disclosure also provides a data service authorization determination device, including:
[0146] The fourth receiving unit is used to receive the first token sent by the first network element;
[0147] The second acquisition unit is used to verify the first token using the first network element public key and acquire fourth information, wherein the fourth information includes at least one of the following: the token of the data service provider node and the information to be transmitted to the data service provider node;
[0148] The second determining unit is used to determine that the data service requesting node has been authorized if the information to be transmitted to the data service providing node obtained through decryption is consistent with the information to be transmitted to the data service providing node that is directly received, and the token verification of the data service providing node is successful.
[0149] This disclosure also provides a processor-readable storage medium storing a computer program for causing the processor to perform the methods described above.
[0150] This disclosure also provides a computer program product, including computer instructions that, when executed by a processor, implement the steps of the method described above.
[0151] The beneficial effects of this disclosure are:
[0152] The above scheme receives data service request information sent by a data service request node, performs authorization verification on the data service request node based on the data service request information, generates a first token when the authorization verification of the data service request node is successful, and sends the first token to the data service provider node, thereby realizing reasonable authorization of the data service request node during the data session establishment process and ensuring the reliability of the data service.
Description of the Drawings
[0153] To more clearly illustrate the technical solutions in the embodiments of this disclosure or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments recorded in this disclosure. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0154] Figure 1 is a flowchart illustrating the data service authorization method according to an embodiment of this disclosure;
[0155] Figure 2 shows a flowchart of application scenario one;
[0156] Figure 3 shows a flowchart of application scenario two;
[0157] Figure 4 shows a flowchart of application scenario three;
[0158] Figure 5 shows a flowchart of application scenario five;
[0159] Figure 6 shows a flowchart of application scenario six;
[0160] Figure 7 shows a flowchart of application scenario seven;
[0161] Figure 8 is a flowchart illustrating the information transmission method according to an embodiment of the present disclosure;
[0162] Figure 9 shows one of the flowcharts of the data service authorization determination method according to an embodiment of this disclosure;
[0163] Figure 10 shows a second schematic flowchart of the data service authorization determination method according to an embodiment of this disclosure;
[0164] Figure 11 shows a unit schematic diagram of a data service authorization device according to an embodiment of the present disclosure;
[0165] Figure 12 shows a structural diagram of a data service authorization device according to an embodiment of this disclosure;
[0166] Figure 13 shows a schematic diagram of the information transmission device according to an embodiment of the present disclosure;
[0167] Figure 14 shows a schematic diagram of one of the units of the data service authorization determination device according to an embodiment of the present disclosure;
[0168] Figure 15 shows a structural diagram of a terminal according to an embodiment of this disclosure;
[0169] Figure 16 shows a second schematic diagram of a data service authorization determination device according to an embodiment of the present disclosure.
Detailed Description
[0170] The technical solutions of the embodiments of this disclosure will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this disclosure. Based on the embodiments of this disclosure, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this disclosure.
[0171] The terms “first,” “second,” etc., used in this disclosure and in the claims are used to distinguish similar objects and are not necessarily used to describe a particular order or sequence. It should be understood that objects so described can be interchanged where appropriate, so that embodiments of this disclosure described herein may be implemented, for example, in sequences other than those illustrated or described herein. Furthermore, the terms “comprising” and “having,” and any variations thereof, are intended to cover a non-exclusive inclusion; for example, a process, method, system, product, or apparatus that comprises a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or apparatus.
[0172] In this disclosure, the term "and/or" describes the relationship between related objects, indicating that three relationships can exist. For example, "A and/or B" can represent: A existing alone, A and B existing simultaneously, or B existing alone. The character "/" generally indicates that the preceding and following related objects have an "or" relationship. In this disclosure, the term "multiple" refers to two or more objects, and other quantifiers are similar.
[0173] In this disclosure, the terms "exemplary" or "for example" are used to indicate that something is an example, illustration, or description. Any embodiment or design described as "exemplary" or "for example" in this disclosure should not be construed as being more preferred or advantageous than other embodiments or designs. Specifically, the use of terms such as "exemplary" or "for example" is intended to present the relevant concepts in a specific manner.
[0174] The following is a brief explanation of the relevant concepts mentioned in this disclosure.
[0175] I. 6G Data Plane
[0176] Existing communication networks, represented by 5G, serve as "pipelines" for data transmission in communication sessions, providing pathways for information exchange between terminal devices and the network. Unlike point-to-point transmission of communication session data, data generated and consumed by intelligence, sensing, and network operations themselves in 6G networks requires distributed data collection, preprocessing, storage, and analysis. Therefore, a data plane architecture independent of the traditional user plane is needed to systematically address the management and value-added needs of 6G mobile communication networks for non-user plane data, supporting 6G networks to achieve data service capabilities that transcend mere communication.
[0177] The vision of 6G data services: Through a unified data service architecture, leveraging new technologies such as big data, artificial intelligence, cloud computing, and blockchain, we will flexibly support end-to-end unified data collection, global data transmission, processing, storage, and sharing, and provide data conveniently, efficiently, and securely to internal or external network functions. This will enable 6G networks to achieve data service capabilities that go beyond communication, thereby improving network performance and creating new business models.
[0178] II. Data Plane Architecture
[0179] The Data Management and Control Function (DMF) receives registration information from Data Processing Functions (DPFs) and maintains their data service capabilities. It receives data service requests and manages service status, coordinates data collection (e.g., the Data Collection Coordination Function (DCCF) aggregates data collection requests), manages and orchestrates services (including selecting execution data service nodes and controlling instructions), and provides globally unified data management. The DMF supports deployment at different granularities, such as distributed network nodes, access network / core network, and Public Land Mobile Network (PLMN).
[0180] DPF: Supports data service operations such as data preprocessing (e.g., format conversion, deduplication and cleanup), formatting/processing/fusion (e.g., data aggregation, data statistics and summarization, data fusion), and data forwarding (encapsulation and forwarding according to a specified protocol). A DPF may optionally implement only some of these functions, and can be an independent new network function (NF) or be deployed co-located with other NFs (e.g., an enhanced access and mobility management function (eAMF) or an enhanced user plane function (eUPF)); data between DPFs is forwarded through a new protocol.
[0181] Data Storage Function (DSF): This includes Artificial Intelligence (AI) data (originally stored in ADSF), sensor data, computing power data, etc., and further subdivides the data and its access control mechanisms.
[0182] III. Registration Process for Data Service Capabilities
[0183] CN NF and UE register on DMF:
[0184] The CN NF registration process mainly involves the CN NF sending a data management service establishment request to the DMF. This request includes data service node information and data service capability parameters. The DMF then sends a data management service establishment response to the CN NF.
[0185] The UE registration process mainly occurs between the UE, eAMF, and DMF. The main process includes: the UE sending a registration request to the eAMF, which carries data service capabilities; the eAMF interacting with the DMF to complete data service reporting requests and responses at the granularity of each terminal and each group, which can be initiated by the AMF or the DMF; and the eAMF sending a registration completion message to the UE, which carries the data service capability reporting results.
[0186] The registration process for core network elements and RANs on the Network Repository Function (NRF) mainly includes: the DMF sending an NF data capability subscription to the eNRF; the CN NF sending an NF registration request to the eNRF, which mainly includes the NF's data service capability and related data service capability parameters; the eNRF sending an NF registration response to the CN NF, which may carry the data node identifier; and the eNRF sending an NF data service capability notification to the DMF, which may include the service node type, CN NF, data service capability parameters, etc.
[0187] IV. Authorization Mechanism between Core Network Elements in 5G
[0188] Currently, the authorization framework for service request processes completed in 5G networks adopts the OAuth 2.0 framework specified in RFC 6749. The OAuth 2.0 framework is an industry standard protocol for authorization developed by the IETF. It supports a token-based framework in which service consumers can obtain tokens from the authorization server. This token can be used to access specific services of NF Service Producers.
[0189] The service requesting network element obtains a token from the NRF. After obtaining the token, the service requesting network element presents the token to the service providing network element, which verifies it. If the verification is successful, the service providing network element considers the service requesting network element authorized and provides the corresponding service.
[0190] The current data plane architecture has been redesigned based on the 5G core network architecture, allowing terminals, core network elements, and base stations to access data plane functions and obtain data services. However, the current 5G authorization mechanism relies on the trust relationship between network elements and the NRF (Network Repository Function). A large amount of data plane service information is stored on the data plane itself, and the NRF cannot maintain all the data plane information, making it impossible to authorize certain data service requesters. Furthermore, UEs and base station nodes also act as data plane nodes to obtain data services, but it is impractical for UEs to rely on the NRF for authorization. Therefore, an authorization mechanism for the 6G data plane needs to be proposed.
[0191] The embodiments of this disclosure are described below with reference to the accompanying drawings. The data service authorization, transmission, and determination methods, apparatus, and devices provided in the embodiments of this disclosure can be applied to wireless communication systems. This wireless communication system can be a system employing fifth-generation (5G) mobile communication technology (hereinafter referred to as a 5G system). Those skilled in the art will understand that the 5G NR system is merely an example and not a limitation.
[0192] This disclosure provides a data service authorization, transmission, and determination method, apparatus, and device to achieve reasonable authorization of the data service requester during the data session establishment process.
[0193] The method and apparatus are based on the same concept of the application. Since the methods and apparatus solve problems in similar ways, the implementation of the apparatus and methods can refer to each other, and the repeated parts will not be described again.
[0194] As shown in Figure 1, this embodiment of the disclosure provides a data service authorization method, executed by a first network element, including:
[0195] Step S101: Receive data service request information sent by the data service request node;
[0196] Step S102: Authorize and verify the data service request node according to the data service request information;
[0197] Step S103: If the authorization verification of the data service request node is successful, generate a first token;
[0198] Step S104: Send the first token to the data service provider node.
[0199] It should be noted that, in this embodiment of the disclosure, by receiving data service request information sent by a data service request node, and performing authorization verification on the data service request node according to the data service request information, a first token is generated when the authorization verification of the data service request node is successful, and the first token is sent to the data service provider node, thereby realizing reasonable authorization of the data service request node during the data session establishment process and ensuring the reliability of the data service.
[0200] In some embodiments, the first network element mentioned in this disclosure may be a network function or network element used for data management and control, such as a DMF. In some embodiments, the data service request node may be at least one of a terminal, a core network node, or an access network node, and the data service providing node may likewise be at least one of a terminal, a core network node, or an access network node. For example, when the data service request node is a terminal, the data service providing node is one of a terminal, a core network node, or an access network node; when the data service request node is a core network node, the data service providing node is one of a terminal, a core network node, or an access network node; and when the data service request node is an access network node, the data service providing node is one of a terminal, a core network node, or an access network node.
[0201] It should be noted that data service request nodes and data service provider nodes can be of the same type, for example, the data service request node is a terminal and the data service provider node is also a terminal; or they can be of different types, for example, the data service request node is a terminal and the data service provider node is a core network node.
[0202] In some embodiments, the data service request message is used to request a data service.
[0203] In some embodiments, under one implementation, when the data service request node is a terminal, the specific implementation of authorizing and verifying the data service request node includes:
[0204] Step S1021: Decrypt the data service request information using the first key to obtain the terminal identifier and the first information, wherein the first information includes at least one of a data service request and a data subscription request; the first key is the authorization key of the first network element; and the data service request information is encrypted using an encryption key generated on the terminal side;
[0205] It should be noted that the first key is the key obtained by the terminal when it registers with the first network element and is used to send service request information to the first network element.
[0206] Step S1022: Obtain the second information corresponding to the terminal identifier;
[0207] In some embodiments, the second information is the data service requirements and/or data subscription requests corresponding to the terminal identifier stored in the first network element.
[0208] Step S1023: Determine whether the second information is consistent with the first information;
[0209] Step S1024: If the first information is consistent with the second information, then the authorization verification is determined to be successful; otherwise, the authorization verification is determined to be unsuccessful.
[0210] It should be noted that in this case, the first information obtained by decrypting the received data service request information is compared with the second information corresponding to the pre-stored terminal identifier. If the two match, it means that the terminal is allowed to make a data service request, and the authorization verification is successful. If the two do not match, it means that the terminal is not allowed to make a data service request, and the authorization verification fails.
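Steps S1021 to S1024, written out as an added Go example; it is not code from the disclosure or from the applicant. It assumes AES-256-GCM as the cipher under the first key (the disclosure fixes no algorithm), a JSON encoding of the terminal identifier and first information, and reads "consistent" as every requested data service or subscription appearing in the stored second information; the key bytes, terminal identifiers and service names are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// DataServiceRequest is the plaintext a terminal encrypts before sending it to
// the first network element: its identifier plus the "first information"
// (data service request and/or data subscription request). The field names
// are assumptions; the disclosure fixes no wire format.
type DataServiceRequest struct {
	TerminalID        string   `json:"terminal_id"`
	DataServices      []string `json:"data_service_request"`
	DataSubscriptions []string `json:"data_subscription_request"`
}

// gcmFor wraps a 32-byte key as AES-256-GCM, the cipher assumed here.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRequest is the terminal side: the request is encrypted with K'_DMF,
// the key the terminal derived at registration; output is nonce || ciphertext || tag.
func EncryptRequest(kPrimeDMF []byte, req DataServiceRequest) ([]byte, error) {
	plaintext, err := json.Marshal(req)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(kPrimeDMF)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand does not return an error on supported platforms
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DMF models the first network element. Second holds the "second information"
// per terminal identifier: the data services and subscriptions the terminal
// registered and is therefore allowed to request.
type DMF struct {
	Second map[string]DataServiceRequest
}

// Authorize runs steps S1021 to S1024. kDMF is the first key (K_DMF) of the
// registration context the message arrived in; key selection is out of scope.
// A failed tag check (wrong key or altered ciphertext) is reported as an error,
// a well-formed but unpermitted request as (false, nil).
func (d *DMF) Authorize(kDMF, msg []byte) (bool, error) {
	gcm, err := gcmFor(kDMF)
	if err != nil {
		return false, err
	}
	n := gcm.NonceSize()
	if len(msg) < n {
		return false, errors.New("data service request information too short")
	}
	plaintext, err := gcm.Open(nil, msg[:n], msg[n:], nil) // S1021: decrypt with K_DMF
	if err != nil {
		return false, fmt.Errorf("decrypt: %w", err)
	}
	var first DataServiceRequest
	if err := json.Unmarshal(plaintext, &first); err != nil {
		return false, err
	}
	second, ok := d.Second[first.TerminalID] // S1022: look up second information
	if !ok {
		return false, nil // unknown terminal identifier: not permitted to request
	}
	// S1023/S1024: first information must be consistent with second information.
	return subset(first.DataServices, second.DataServices) &&
		subset(first.DataSubscriptions, second.DataSubscriptions), nil
}

// subset reports whether every element of want appears in have.
func subset(want, have []string) bool {
	set := make(map[string]bool, len(have))
	for _, h := range have {
		set[h] = true
	}
	for _, w := range want {
		if !set[w] {
			return false
		}
	}
	return true
}
```

Four outcomes are distinguished: a request whose items were registered is authorized; an unregistered item or an unknown terminal identifier fails authorization cleanly; an altered ciphertext or a message under the wrong key fails the GCM tag check and surfaces as an error, which is the case an operator would want logged separately, since it points to a forged or misrouted request rather than a mis-provisioned terminal.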
[0211] In some embodiments, under one implementation, when the data service request node is an access network node or a core network node, the specific implementation of authorizing and verifying the data service request node includes:
[0212] Step S1025: Verify the data service request information, where the data service request information is a token of the data service providing node;
[0213] Step S1026: If the data service request information passes the verification, the authorization verification is confirmed to be successful; otherwise, the authorization verification is confirmed to be unsuccessful.
[0214] In some embodiments, verifying data service request information in this implementation can be understood as verifying the integrity of the data service request information, and verifying whether the requested data service requirements and data subscription requests are allowed.
[0215] It should be noted that in this case, the data service request information of the data service request node needs to be verified. Only if the verification is successful is the data service request node allowed to make data service requests, and the authorization verification succeeds. If the verification fails, the data service request node is not allowed to make data service requests, and the authorization verification fails.
[0216] In some embodiments, under one implementation, the specific implementation of generating the first token includes:
[0217] Step S1031: Obtain the token of the data service provider node;
[0218] In some embodiments, the specific implementation of obtaining the token of the data service provider node includes at least one of A11 and A12:
[0219] A11. Obtain the token of the data service provider node from the second network element;
[0220] In some embodiments, the second network element may be a network function or network element for network storage, for example, the second network element may be an NRF.
[0221] It should be noted that this implementation applies to the case where the data service request node registers with the first network element.
[0222] A12. Receive the token of the data service providing node sent by the data service requesting node;
[0223] It should be noted that this implementation applies to the case where the data service request node registers with the second network element. That is, the data service request node sends a data service request to the second network element. After the second network element authorizes the data service, it returns the token of the data service provider node to the data service request node. The data service request node then sends the token of the data service provider node to the first network element to request the data service.
[0224] Step S1032: Sign the token of the data service provider node and the information to be transmitted to the data service provider node to obtain the first token;
[0225] In some embodiments, under one implementation, the specific implementation of signing the token of the data service provider node and the information to be transmitted to the data service provider node to obtain the first token includes one of B11 and B12:
[0226] B11. Sign the token of the data service provider node and the information to be transmitted to the data service provider node using the private key of the first network element to obtain the first token. The data service provider node is an access network node or a core network node.
[0227] This scenario can be understood as follows: when the data service provider node is an access network node or a core network node, the first network element uses its private key to sign the data service provider node's token and the information to be transmitted to the data service provider node, obtaining a first token. The first network element then sends the first token to the data service provider node. Simultaneously, the first network element also sends the unsigned plaintext of the information to be transmitted to the data service provider node. After receiving the first token, the data service provider node verifies it using the first network element's public key and obtains fourth information. This fourth information includes at least one of the following: the data service provider node's token and the information to be transmitted to the data service provider node. If the information to be transmitted to the data service provider node recovered from the first token is consistent with the directly received information, and the data service provider node's token verification is successful, then the data service request node is determined to be authorized.
[0228] In some embodiments, the information to be transmitted to the data service provider node may be, for example, data service operation instructions, transmission address information of the DPF anchor point, etc.
[0229] B12. The symmetric key generated by the first network element and the terminal during the terminal registration process is used to encrypt the token of the data service provider node and the information to be transmitted to the data service provider node to obtain the first token. The data service provider node is the terminal.
[0230] This scenario can be understood as follows: when the data service provider node is a terminal, the first network element uses the symmetric key generated by the first network element and the terminal during the terminal registration process to encrypt the token of the data service provider node and the information to be transmitted to the data service provider node, obtaining a first token. The first token is then sent to the data service provider node. Simultaneously, the first network element also sends the unencrypted plaintext of the information to be transmitted to the data service provider node. After receiving the first token, the data service provider node uses the first key to decrypt the first token and obtain third information. The third information includes at least one of the following: the token of the data service provider node and the information to be transmitted to the data service provider node. If the decrypted information to be transmitted to the data service provider node is consistent with the directly received information to be transmitted to the data service provider node, and the token of the data service provider node is verified, then the data service request node is determined to be authorized.
[0231] Furthermore, the first key used by the terminal is obtained by receiving a first security parameter sent by a third network element during the terminal's registration with the first network element; based on the first security parameter, a first key for the first network element is obtained. In some embodiments, the third network element is a network function or network element for access and mobility management, such as an Access and Mobility Management Function (AMF).
[0232] In some embodiments, the terminal can also register with a second network element. Specifically, the terminal sends a registration request to a third network element. The third network element sends a second network element key to the second network element (i.e., the second network element receives the second network element key sent by the third network element), and the second network element stores it; the second network element key is generated based on the third network element key. The third network element also returns a second security parameter to the terminal, and the terminal obtains a second key for the second network element according to the second security parameter. The terminal then sends a data service request message encrypted with the second key to the second network element, the data service request message carrying the identifier of the data service request node.
[0233] In some embodiments, the specific implementation of the access network node or core network node registering to the first network element further includes:
[0234] Receive a data service management registration request sent by an access network node or a core network node, wherein the data service management registration request carries security capability parameters;
[0235] Based on the security capability parameters, send a data service management registration response to the access network node or core network node;
[0236] Specifically, if the security capability parameters are encrypted and successfully decrypted using the first network element's private key, the data service management registration response will not carry the first network element's public key; otherwise, the data service management registration response will carry the first network element's public key.
[0237] In some embodiments, the security capability parameter is used to indicate whether the access network node or the core network node has the first network element public key. If it does, the security capability parameter is encrypted with the first network element public key; if it does not, the security capability parameter is not encrypted with the first network element public key.
[0238] It should be noted that when the access network node or core network node possesses the first network element public key, the data service management registration request needs to be encrypted using the first network element public key when sending the data service management registration request. When the first network element receives the encrypted data service management registration request, if it successfully decrypts it using its first network element private key (in some embodiments, the security capability parameters obtained from the decryption indicate that the access network node or core network node possesses the first network element public key), the data service management registration response returned to the access network node or core network node does not carry the first network element public key. If the data service management registration request is not encrypted, or the data service management registration request is encrypted but fails to decrypt using the first network element private key, or the data service management registration request is encrypted and successfully decrypted using the first network element private key but the security capability parameters obtained from the decryption indicate that the access network node or core network node does not possess the first network element public key, the data service management registration response returned to the access network node or core network node carries the first network element public key.
[0239] In some embodiments, the above describes the main implementation process of a data service request node registering to a first network element. In some embodiments, the data service request node may also register to a second network element. In this case, the main implementation process of the data service request includes steps S11-S13:
[0240] Step S11: Receive a data service request message sent by a data service request node, wherein the data service request message carries the identifier of the data service request node;
[0241] Step S12: Perform authorization verification on the data service request node based on its identifier;
[0242] In some embodiments, an optional implementation of this step includes steps S121 and S122:
[0243] Step S121: Obtain the first data service capability reported by the data service request node based on the identifier of the data service request node;
[0244] In some embodiments, under one implementation, the specific implementation of obtaining the first data service capability reported by the data service request node based on the identifier of the data service request node includes one of C11 and C12:
[0245] C11. Based on the identifier of the data service request node, find the first data service capability reported by the data service request node corresponding to the identifier of the data service request node;
[0246] This situation can be understood as the second network element storing the first data service capability reported by the data service request node corresponding to the identifier of the data service request node.
[0247] C12. Send a query request to the first network element and receive the first data service capability reported by the data service request node from the first network element. The query request carries the identifier of the data service request node.
[0248] This situation can be understood as follows: the second network element does not store the first data service capability reported by the data service request node corresponding to the identifier of the data service request node, and the second network element needs to obtain the first data service capability reported by the data service request node corresponding to the identifier of the data service request node from the first network element.
[0249] Step S122: If the first data service capability supports the data service capability requested by the data service request message, then the authorization verification is determined to be successful; otherwise, the authorization verification is determined to be unsuccessful.
[0250] Step S13: If the authorization verification of the data service request node is successful, send the token of the data service provider node to the data service request node.
[0251] It should be noted that by sending a token of the data service provider node to the data service request node, it indicates that the data service request node has been authorized and can continue the data service request process.
[0252] In some embodiments, the second network element also needs to receive a second network element key sent by the third network element, the second network element key being generated based on the third network element key.
[0253] The specific applications of the embodiments of this disclosure are illustrated below with examples.
[0254] Application Scenario 1: Registration of core network nodes (e.g., CN NF) or access network nodes with the DMF
[0255] As shown in Figure 2, the specific implementation process includes:
[0256] Step S21: The core network node or access network node sends a Data Service Management Establishment Registration Request to the DMF. The Data Service Management Establishment Registration Request carries security capability parameters. In some embodiments, the security capability parameters indicate whether the core network node or access network node has a DMF public key. If it indicates that it has a DMF public key, the security capability parameters are encrypted with the DMF public key; if it indicates that it does not have a DMF public key, they are not encrypted with the DMF public key.
[0257] Step S22: If the security capability parameters are encrypted, the DMF decrypts them successfully using the DMF private key, and the decrypted parameters indicate that the node has the DMF public key, then the DMF public key does not need to be included in the data service management registration response; if the security capability parameters indicate that the node does not have the DMF public key, then the DMF public key needs to be included in the data service management registration response.
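The decision of step S22 (and of paragraph [0238] above), shown as an added Go example that is not the disclosure's own code. It assumes RSA-OAEP with SHA-256 for encryption under the DMF public key, a JSON encoding of the security capability parameter with a constructed node identifier, and that a node encrypts whenever it holds a DMF key; none of these choices is fixed by the disclosure.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
)

// SecurityCapability is the security capability parameter of step S21. Its
// JSON encoding and the NodeID field are assumptions.
type SecurityCapability struct {
	HasDMFPublicKey bool   `json:"has_dmf_public_key"`
	NodeID          string `json:"node_id"`
}

// RegistrationRequest carries the parameter in the clear or encrypted under
// the DMF public key. RSA-OAEP is the assumed public-key encryption scheme.
type RegistrationRequest struct {
	Encrypted bool
	Payload   []byte
}

// RegistrationResponse: DMFPublicKey is nil when the DMF concluded in step
// S22 that the node already holds the key.
type RegistrationResponse struct {
	Accepted     bool
	DMFPublicKey *rsa.PublicKey
}

var oaepLabel = []byte("dsm-registration") // binds ciphertexts to this message type

// BuildRequest is the node side: the parameter is encrypted whenever the node
// holds a DMF public key, and sent in the clear otherwise.
func BuildRequest(capability SecurityCapability, dmfPub *rsa.PublicKey) (RegistrationRequest, error) {
	payload, err := json.Marshal(capability)
	if err != nil {
		return RegistrationRequest{}, err
	}
	if dmfPub == nil {
		return RegistrationRequest{Payload: payload}, nil
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, dmfPub, payload, oaepLabel)
	if err != nil {
		return RegistrationRequest{}, err
	}
	return RegistrationRequest{Encrypted: true, Payload: ct}, nil
}

// DMF models the first network element with its private key.
type DMF struct{ Priv *rsa.PrivateKey }

// NewDMF generates a fresh DMF key pair (use at least 2048 bits).
func NewDMF(bits int) (*DMF, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &DMF{Priv: priv}, nil
}

// HandleRegistration applies the decision of step S22 / paragraph [0238]: the
// response omits the DMF public key only when the request was encrypted,
// decrypts under the DMF private key, and the decrypted parameter says the
// node has the key. A plaintext request, a decryption failure, or a parameter
// saying "no key" all make the response carry the public key.
func (d *DMF) HandleRegistration(req RegistrationRequest) RegistrationResponse {
	withKey := RegistrationResponse{Accepted: true, DMFPublicKey: &d.Priv.PublicKey}
	if !req.Encrypted {
		return withKey
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, d.Priv, req.Payload, oaepLabel)
	if err != nil {
		return withKey // wrong or stale key at the node: hand it the current one
	}
	var capability SecurityCapability
	if json.Unmarshal(plain, &capability) != nil || !capability.HasDMFPublicKey {
		return withKey
	}
	return RegistrationResponse{Accepted: true}
}
```

The decryption-failure branch is the one worth watching in practice: a node that encrypts under a stale or wrong DMF key still gets a response carrying the current public key, so the node can re-register, and the DMF never treats an undecryptable claim of "I have your key" as proof that it does.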
[0258] Application Scenario 2: UE Registration in DMF
[0259] It should be noted that during UE registration, the primary authentication process generates a symmetric key between the DMF and the UE for subsequent authorization: K_DMF (the authorization key generated on the AMF side and sent to the DMF) and the second key for the second network element, namely K′_DMF (a key generated on the UE side and used to encrypt data service request messages). Both K_DMF and K′_DMF are derived from the AMF key (K_AMF) produced during the primary authentication process: K_DMF is generated on the AMF side, and K′_DMF is generated on the UE side from the first security parameter and K_AMF (it should be noted that the key generation algorithm is not specified in this embodiment).
[0260] As shown in Figure 3, the specific implementation process includes:
[0261] Step S31: The UE sends an initial registration message to the AMF, carrying data service capabilities.
[0262] Step S32: After the AMF successfully authenticates and authorizes the UE, the AMF obtains K_AMF, derives K_DMF from it, and sends K_DMF to the DMF in the data capability reporting request or response.
[0263] Step S33: After successful mutual authentication, the authentication completion response sent to the UE carries the first security parameter used to generate K′_DMF.
[0264] It should be noted that there is no explicit order requirement between steps S32 and S33. In practice, step S32 can be executed first, followed by step S33, or step S33 can be executed first, followed by step S32.
[0265] Step S34: The UE calculates K′_DMF based on the first security parameter.
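The key agreement of steps S32 to S34 (and the second network element key of paragraph [0232]), as an added Go example rather than code from the disclosure. Because the disclosure leaves the key generation algorithm unspecified, this example assumes an HMAC-SHA256 derivation keyed with K_AMF over a label and the security parameter; the labels, parameter length and K_AMF bytes are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// deriveKey is the key derivation assumed for this example: HMAC-SHA256 keyed
// with K_AMF over a label and a security parameter. The disclosure does not
// specify the algorithm, so this is an illustrative choice, not the document's.
func deriveKey(kAMF []byte, label string, securityParam []byte) []byte {
	mac := hmac.New(sha256.New, kAMF)
	mac.Write([]byte(label))
	mac.Write(securityParam)
	return mac.Sum(nil)
}

// AMFSide models step S32: after primary authentication the AMF holds K_AMF,
// draws a fresh first security parameter, derives K_DMF and hands K_DMF to the
// DMF. Only the parameter, never the key, goes to the UE in step S33.
func AMFSide(kAMF []byte) (kDMF, firstSecurityParam []byte) {
	firstSecurityParam = make([]byte, 16)
	rand.Read(firstSecurityParam) // crypto/rand does not return an error on supported platforms
	return deriveKey(kAMF, "K_DMF", firstSecurityParam), firstSecurityParam
}

// UESide models step S34: the UE, which shares K_AMF with the AMF from primary
// authentication, computes K'_DMF from the first security parameter it received.
func UESide(kAMF, firstSecurityParam []byte) []byte {
	return deriveKey(kAMF, "K_DMF", firstSecurityParam)
}

// SecondNetworkElementKey models paragraph [0232]: the key for the second
// network element is derived from the same K_AMF but with its own label and
// second security parameter, so it is independent of K_DMF.
func SecondNetworkElementKey(kAMF, secondSecurityParam []byte) []byte {
	return deriveKey(kAMF, "K_SECOND", secondSecurityParam)
}

// KeysAgree is the property registration must establish: the K_DMF held by the
// DMF and the K'_DMF computed by the UE are the same key.
func KeysAgree(kDMF, kPrimeDMF []byte) bool {
	return hmac.Equal(kDMF, kPrimeDMF)
}
```

The point of the split is that K_DMF itself never crosses the air interface: the UE reaches the same key only because it already holds K_AMF, and a different first security parameter or a different K_AMF yields an unrelated key. Deriving the second network element key under its own label keeps it independent of K_DMF even though both descend from K_AMF.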
[0266] Application Scenario 3: Data Authorization Process, where the data service provider is either a core network node or an access network node.
[0267] As shown in Figure 4, the specific implementation process includes:
[0268] Step S41: The data service requester sends a data service request message to the DMF.
[0269] Step S42: The DMF authorizes the data service requester;
[0270] In some embodiments, the DMF uses different authorization types for the service requester based on the type of the requester. For details on the authorization process, please refer to Application Scenarios 7 and 8 below.
[0271] Step S43: The DMF selects a data service provider node, initiates a token request to the NRF to access the data service provider node, and obtains the data service provider node's token (referred to as access_token).
[0272] Step S44: The DMF generates the first token (i.e., access_DMF_token), which consists of the token of the data service provider node (i.e., access_token) and the information that the DMF needs to transmit to the data service provider node (such as data service operation instructions, DPF anchor point transmission address information, etc.). The access_DMF_token is signed with the DMF private key.
[0273] Step S45: The DMF issues the first token and the plaintext information that the DMF needs to transmit to the data service provider node to the data service provider node;
[0274] The information transmitted in this step consists of two parts: one part is the information that needs to be transmitted to the data service provider node, and the other part is the DMF's signature of the information, i.e., the first token.
[0275] Step S46: The core network node or access network node uses the DMF public key to verify the first token, obtains the access_token and the information to be transmitted to the data service provider node, and compares the recovered information with the directly received plaintext. If they are consistent, the core network node or access network node determines that the instruction was sent by the DMF. Further, the NF network element verifies the access_token (it should be noted that the process of verifying the access_token is existing technology and will not be described in detail here). If all of the above verifications succeed, the data service request is authorized by the core network node or access network node, which then executes the data operation issued by the DMF.
[0276] Application Scenario 4: Data Authorization Process, with the Data Service Provider Node being the UE.
[0277] The specific implementation process includes:
[0278] Step P11: The data service request node sends data service request information to the DMF.
[0279] Step P12: The DMF authorizes the data service requester;
[0280] DMF uses different authorization types for service requesters based on their type. For details on the authorization process, please refer to Application Scenarios 7 and 8 below.
[0281] Step P13: The DMF selects the data service provider node, initiates a token request to the NRF to access the data service provider node, and obtains the data service provider node's token (referred to as access_token).
[0282] Step P14: The DMF generates the first token (access_DMF_token), which consists of the data service provider node's token (i.e., access_token) and the information that the DMF needs to transmit to the data service provider node (such as data service operation instructions, DPF anchor point transmission address information, etc.). The access_DMF_token is encrypted with the key K_DMF generated by the DMF and the UE during the registration process.
[0283] Step P15: The DMF issues the first token and the plaintext information that the DMF needs to transmit to the data service provider node to the data service provider node;
[0284] That is, the information transmitted in this step consists of two parts: one part is the information that needs to be transmitted to the data service provider node, and the other part is the DMF's encryption information for this information, namely the first token.
[0285] Step P16: The terminal decrypts the access_DMF_token with the key K′_DMF generated by the DMF and the UE, obtaining the access_token and the information to be transmitted to the data service provider node. The decrypted information is compared with the plaintext received directly, and the terminal determines that it is a command sent by the DMF. Further, the terminal verifies the access_token (it should be noted that the process of verifying the access_token is an existing technology and will not be described in detail here). If all the above verifications are correct, the data service request is authorized by the terminal, and the terminal executes the data operation issued by the DMF.
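The two ways of forming and checking the first token in Application Scenarios 3 (steps S44 to S46) and 4 (steps P14 to P16) can be shown side by side. The following Go program is an added example written for this page, not code from the disclosure or its applicant: the payload encoding (length-prefixed access_token followed by the transmitted information), the choice of Ed25519 for the DMF signature and of AES-GCM for encryption under the shared K_DMF, and the sample values in main are all assumptions. Verification of the access_token itself is the existing NRF mechanism the text does not describe, so it is passed in as a caller-supplied check.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Payload is what the first token (access_DMF_token) carries: the provider
// node's access_token from the NRF plus the information the DMF needs to
// transmit (operation instruction, DPF anchor address, ...).
type Payload struct {
	AccessToken []byte
	Info        []byte
}

// encodePayload length-prefixes the access_token so the receiver can split the
// two fields unambiguously (this encoding is an assumption of the example).
func encodePayload(p Payload) []byte {
	buf := make([]byte, 4, 4+len(p.AccessToken)+len(p.Info))
	binary.BigEndian.PutUint32(buf, uint32(len(p.AccessToken)))
	buf = append(buf, p.AccessToken...)
	return append(buf, p.Info...)
}

func decodePayload(b []byte) (Payload, error) {
	if len(b) < 4 {
		return Payload{}, errors.New("payload too short")
	}
	n := int(binary.BigEndian.Uint32(b))
	if n > len(b)-4 {
		return Payload{}, errors.New("access_token length exceeds payload")
	}
	return Payload{AccessToken: b[4 : 4+n], Info: b[4+n:]}, nil
}

// BuildSignedFirstToken is step S44 (provider is a CN or AN node):
// token = payload || Ed25519 signature under the DMF private key.
func BuildSignedFirstToken(dmfPriv ed25519.PrivateKey, p Payload) []byte {
	payload := encodePayload(p)
	return append(payload, ed25519.Sign(dmfPriv, payload)...)
}

// VerifySignedFirstToken is step S46 on the CN/AN node: check the signature with
// the DMF public key, recover access_token and info, compare the recovered info
// with the directly received plaintext, then verify the access_token itself.
func VerifySignedFirstToken(dmfPub ed25519.PublicKey, token, plaintextInfo []byte,
	verifyAccessToken func([]byte) bool) bool {
	if len(token) < ed25519.SignatureSize {
		return false
	}
	cut := len(token) - ed25519.SignatureSize
	if !ed25519.Verify(dmfPub, token[:cut], token[cut:]) {
		return false // not issued by the DMF
	}
	p, err := decodePayload(token[:cut])
	if err != nil || !bytes.Equal(p.Info, plaintextInfo) {
		return false // signed content disagrees with the plaintext sent alongside
	}
	return verifyAccessToken(p.AccessToken)
}

// BuildEncryptedFirstToken is step P14 (provider is the UE): payload encrypted
// with the symmetric K_DMF shared at registration; token = nonce || ciphertext.
func BuildEncryptedFirstToken(kDMF []byte, p Payload) ([]byte, error) {
	gcm, err := newGCM(kDMF)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, encodePayload(p), nil), nil
}

// VerifyEncryptedFirstToken is step P16 on the terminal, holding K'_DMF.
func VerifyEncryptedFirstToken(kDMF, token, plaintextInfo []byte,
	verifyAccessToken func([]byte) bool) bool {
	gcm, err := newGCM(kDMF)
	if err != nil || len(token) < gcm.NonceSize() {
		return false
	}
	ns := gcm.NonceSize()
	payload, err := gcm.Open(nil, token[:ns], token[ns:], nil)
	if err != nil {
		return false // wrong key or tampered token
	}
	p, err := decodePayload(payload)
	if err != nil || !bytes.Equal(p.Info, plaintextInfo) {
		return false
	}
	return verifyAccessToken(p.AccessToken)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	dmfPub, dmfPriv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample values; a real access_token is issued by the NRF.
	p := Payload{AccessToken: []byte("nrf-access-token"), Info: []byte("op=subscribe;dpf=anchor-1")}
	accept := func(t []byte) bool { return bytes.Equal(t, p.AccessToken) }
	signed := BuildSignedFirstToken(dmfPriv, p)
	fmt.Println("CN/AN node accepts:", VerifySignedFirstToken(dmfPub, signed, p.Info, accept))
	kDMF := make([]byte, 32) // constructed zero key standing in for K_DMF
	enc, _ := BuildEncryptedFirstToken(kDMF, p)
	fmt.Println("UE accepts:", VerifyEncryptedFirstToken(kDMF, enc, p.Info, accept))
}
```

The plaintext comparison is what stops a relay from pairing a genuine DMF token with different instructions: the node executes only the information that both arrived in the clear and sits inside the signed or encrypted token, and it still rejects the request if the wrapped access_token fails the NRF check.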
[0286] Application Scenario 5: UE Registration to NRF
[0287] It should be noted that the steps for this application scenario are the same as those for Application Scenario 2, except that the DMF is replaced by the NRF and the keys K_DMF and K′_DMF are replaced with K_NRF and K′_NRF; K_NRF and K′_NRF are also generated based on K_AMF.
[0288] Application Scenario 6: The Entire Licensing Process Based on NRF-Enhanced Functionality
[0289] As shown in Figure 5, the specific implementation process includes:
[0290] Step S51: The data service request node sends a data service request message to the NRF.
[0291] Step S52: The NRF authorizes the data service request node. The basis for the NRF's judgment in this step is mainly the data service capabilities reported to the NRF by the data service request node during the data service capability reporting process.
[0292] Step S53: The NRF initiates a query request to the DMF, mainly querying the capabilities of the data service provider node or the data service requester.
[0293] It should be noted that this step is optional. If the NRF determines that the capabilities of the data service provider node or the data service requester have not been synchronized with the NRF, the NRF will send a query request to the DMF.
[0294] Step S54: If the NRF determines that the data service requesting node can be authorized to obtain the requested service, the NRF returns the token of the corresponding data service providing node. If authorization is not possible, the request is rejected.
[0295] Step S55: The data service request node sends the relevant token to the DMF.
[0296] Step S56: DMF authorization and data service provider node authorization process;
[0297] For the specific implementation of this step, please refer to steps S44-S46 in application scenario 3, or steps P14-P16 in application scenario 4.
[0298] Application Scenario 7: DMF Authorization of UE
[0299] As shown in Figure 6, the specific implementation process includes:
[0300] Step S61: The UE sends a data service request message to the DMF, which includes the terminal identifier, data service request, data subscription request, etc.; this message is encrypted with K′_DMF.
[0301] Step S62: The DMF decrypts the data service request information with K_DMF to obtain the user identifier, data service requirements, and data subscription requests. Based on the terminal identifier, the data service requirements and data subscription requests stored in the DMF are retrieved and compared with the data service requirements and subscriptions sent by the terminal. If they match, the authorization to the UE is considered successful; otherwise, the authorization to the UE is considered unsuccessful.
[0302] Step S63: If the UE is authorized, the DMF issues a control configuration command to the data service provider node to perform subsequent data plane operations;
[0303] Step S64: If the UE is not authorized, the DMF sends an authorization failure notification to the UE.
[0304] Application Scenario 8: DMF Authorization of Core Network Nodes or Access Network Nodes
[0305] As shown in Figure 7, the specific implementation process includes:
[0306] Step S71: The core network node or access network node sends the token obtained from the NRF to the DMF. The token carries the data service request message (including the data service request and data subscription request messages); with this token the NRF authorizes the requesting core network node or access network node to access other CN NFs.
[0307] Step S72: DMF obtains a token. DMF verifies the token, checks its integrity, and verifies whether the requested data service requirements and data subscription requests are allowed. If the token verification is successful, authorization to the core network node or access network node is completed.
[0308] It should be noted that token verification is an existing technology and will not be elaborated upon here.
[0309] Step S73: If the core network node or access network node is authorized, the DMF issues control configuration instructions to the data service providing node to perform subsequent data plane operations;
[0310] Step S74: If the core network node or access network node is not authorized, the DMF sends an authorization failure notification to the core network node or access network node.
[0311] It should be noted that at least one embodiment of this disclosure proposes a data plane-oriented authorization mechanism. In existing technology, a network element requesting data services is authorized by the Network Repository Function (NRF). However, for 6G data planes, network elements or UEs requesting data services cannot rely solely on NRF authorization, as the NRF may not have a comprehensive understanding of data plane service conditions. Therefore, this disclosure addresses these shortcomings by proposing an authorization mechanism whereby the network element or UE requesting data services is authorized through the collaboration of the NRF and the DMF of the data plane. This mechanism also authorizes the data service provider node, ensuring communication reliability.
[0312] The technical solutions provided in this disclosure are applicable to a variety of systems, especially 5G systems. For example, applicable systems may include Global System for Mobile Communication (GSM), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), General Packet Radio Service (GPRS), Long Term Evolution (LTE), LTE Frequency Division Duplex (FDD), LTE Time Division Duplex (TDD), Long Term Evolution Advanced (LTE-A), Universal Mobile Telecommunications System (UMTS), Worldwide Interoperability for Microwave Access (WiMAX), and 5G New Radio (NR). All of these systems include terminals (also referred to as terminal equipment) and network equipment. The systems may also include a core network component, such as Evolved Packet System (EPS) and 5G System (5GS).
[0313] The terminal involved in the embodiments of this disclosure, also referred to as a terminal device, can be a device that provides voice and/or data connectivity to a user, a handheld device with wireless connectivity, or other processing devices connected to a wireless modem. The name of the terminal device may differ in different systems; for example, in a 5G system, the terminal device can be called User Equipment (UE). The wireless terminal device can communicate with one or more core networks (CNs) via a Radio Access Network (RAN). The wireless terminal device can be a mobile terminal device, such as a mobile phone (or "cellular" phone) and a computer with a mobile terminal device, for example, a portable, pocket-sized, handheld, computer-embedded, or vehicle-mounted mobile device, which exchanges voice and/or data with the RAN. Examples include Personal Communication Service (PCS) phones, cordless phones, Session Initiation Protocol (SIP) phones, Wireless Local Loop (WLL) stations, and Personal Digital Assistants (PDAs). Wireless terminal equipment can also be referred to as a system, subscriber unit, subscriber station, mobile station, mobile, remote station, access point, remote terminal, access terminal, user terminal, user agent, or user device, but is not limited to these terms in the embodiments disclosed herein.
[0314] The network device disclosed in this embodiment may be a base station, which may include multiple cells providing services to terminals. Depending on the specific application, the base station may also be called an access point, or a device in the access network that communicates with the wireless terminal device through one or more sectors on the air interface, or other names. The network device may be used to exchange received air frames with Internet Protocol (IP) packets, acting as a router between the wireless terminal device and the rest of the access network, where the rest of the access network may include an Internet Protocol (IP) communication network. The network device may also coordinate the attribute management of the air interface. For example, the network equipment involved in this disclosure can be a base transceiver station (BTS) in a Global System for Mobile communications (GSM) or Code Division Multiple Access (CDMA) system, a NodeB in a wide-band Code Division Multiple Access (WCDMA) system, an evolved Node B (eNB or e-NodeB) in a long term evolution (LTE) system, a 5G base station (gNB) in a next generation system, a Home evolved Node B (HeNB), a relay node, a femto, a pico, etc., and is not limited in this disclosure. In some network structures, the network equipment may include centralized unit (CU) nodes and distributed unit (DU) nodes, and the centralized unit and distributed unit may be geographically separated.
[0315] Network devices and terminal devices can each use one or more antennas for Multiple Input Multiple Output (MIMO) transmission. MIMO transmission can be Single User MIMO (SU-MIMO) or Multiple User MIMO (MU-MIMO). Depending on the configuration and number of antenna combinations, MIMO transmission can be 2D MIMO, 3D MIMO, Full Dimension MIMO (FD-MIMO), or Massive MIMO, or it can be diversity transmission, pre-coded transmission, or beamforming transmission, etc.
[0316] As shown in Figure 8, this embodiment of the present disclosure provides an information transmission method, executed by a second network element, including:
[0317] Step S801: Receive a data service request message sent by a data service request node, wherein the data service request message carries the identifier of the data service request node;
[0318] Step S802: Authorize and verify the data service request node according to its identifier;
[0319] Step S803: If the authorization verification of the data service request node is successful, send the token of the data service provider node to the data service request node.
[0320] In some embodiments, the authorization verification of the data service request node includes:
[0321] Based on the identifier of the data service request node, obtain the first data service capability reported by the data service request node;
[0322] If the first data service capability supports the data service capability requested by the data service request message, then the authorization verification is determined to be successful; otherwise, the authorization verification is determined to be unsuccessful.
[0323] In some embodiments, obtaining the first data service capability reported by the data service request node based on the identifier of the data service request node includes one of the following:
[0324] Based on the identifier of the data service request node, find the first data service capability reported by the data service request node corresponding to the identifier of the data service request node;
[0325] A query request is sent to the first network element, and the first data service capability reported by the data service request node is received from the first network element. The query request carries the identifier of the data service request node.
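The two authorization decisions described above, the NRF's capability check of steps S801 to S803 (with the lookup-or-query alternatives of paragraphs [0323] to [0325], which mirror steps S52 to S54 of Application Scenario 6) and the DMF's comparison of a decrypted UE request against the stored subscription in step S62 of Application Scenario 7, are worked through in the following Go program. It is an added example written for this page, not code from the disclosure or its applicant: the capability names, node and terminal identifiers, and the reading of "match" in S62 as the request not exceeding the stored entitlement are assumptions, and decryption with K_DMF is taken to have already happened before AuthorizeUE is called.

```go
package main

import (
	"errors"
	"fmt"
)

// Capability is a set of named data service capabilities (names constructed).
type Capability map[string]bool

// Supports reports whether every capability the request needs was reported
// (paragraph [0322]: the first data service capability must cover the request).
func (c Capability) Supports(requested Capability) bool {
	for name, needed := range requested {
		if needed && !c[name] {
			return false
		}
	}
	return true
}

// NRF keeps the first data service capability each requesting node reported,
// keyed by node identifier, plus an optional query path to the DMF (the first
// network element) for capabilities that have not been synchronized.
type NRF struct {
	Reported map[string]Capability
	QueryDMF func(nodeID string) (Capability, error)
}

// AuthorizeRequest is steps S801 to S803 on the NRF side: look up the
// capability under the identifier carried in the request, fall back to the DMF
// query when the NRF holds no synchronized copy, and authorize only when the
// reported capability supports the requested one.
func (n *NRF) AuthorizeRequest(nodeID string, requested Capability) (bool, error) {
	reported, ok := n.Reported[nodeID]
	if !ok {
		if n.QueryDMF == nil {
			return false, errors.New("capability of " + nodeID + " not synchronized and no DMF query path")
		}
		c, err := n.QueryDMF(nodeID)
		if err != nil {
			return false, err
		}
		n.Reported[nodeID] = c // keep the DMF's answer for later requests
		reported = c
	}
	return reported.Supports(requested), nil
}

// Entitlement is what the DMF stores per terminal identifier: the data service
// requirements and data subscriptions that terminal may request.
type Entitlement struct {
	Services      []string
	Subscriptions []string
}

// AuthorizeUE is the comparison of step S62, applied after the request has been
// decrypted with K_DMF: the requirements and subscription requests are checked
// against the stored entitlement for the terminal identifier.
func AuthorizeUE(stored map[string]Entitlement, terminalID string, req Entitlement) bool {
	e, ok := stored[terminalID]
	if !ok {
		return false // unknown terminal: authorization unsuccessful (S64)
	}
	return subset(req.Services, e.Services) && subset(req.Subscriptions, e.Subscriptions)
}

func subset(want, have []string) bool {
	set := make(map[string]bool, len(have))
	for _, h := range have {
		set[h] = true
	}
	for _, w := range want {
		if !set[w] {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample data, not values from the disclosure.
	nrf := &NRF{
		Reported: map[string]Capability{"nf-a": {"collect": true}},
		QueryDMF: func(id string) (Capability, error) {
			if id == "nf-b" {
				return Capability{"collect": true, "subscribe": true}, nil
			}
			return nil, errors.New("unknown node " + id)
		},
	}
	ok, err := nrf.AuthorizeRequest("nf-b", Capability{"subscribe": true})
	fmt.Println("nf-b subscribe:", ok, err)
	stored := map[string]Entitlement{"ue-1": {Services: []string{"sensing"}, Subscriptions: []string{"loc"}}}
	fmt.Println("ue-1 sensing:", AuthorizeUE(stored, "ue-1", Entitlement{Services: []string{"sensing"}}))
}
```

The optional DMF query (paragraph [0293]) is the path that closes the gap the disclosure describes: when the NRF's own view of data plane capabilities is stale, a request is neither rejected blindly nor granted on an unverified claim, and the answer the DMF returns is what the later token decision is based on.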
[0326] In some embodiments, the method further includes:
[0327] Receive the second network element key sent by the third network element, the second network element key being generated based on the third network element key.
[0328] It should be noted that all the implementation methods in the above embodiments are applicable to the embodiments of the information transmission method applied to the second network element side, and can achieve the same technical effect, so they will not be described again here.
[0329] As shown in Figure 9, this embodiment of the present disclosure provides a data service authorization determination method, executed by a terminal, including:
[0330] Step S901: Receive the first token sent by the first network element;
[0331] Step S902: Decrypt the first token using the first key to obtain third information, the third information including at least one of the following: the token of the data service provider node, and information to be transmitted to the data service provider node;
[0332] Step S903: If the information to be transmitted to the data service provider node obtained through decryption is consistent with the information to be transmitted to the data service provider node that is directly received, and the token of the data service provider node is verified, then it is determined that the data service request node has been authorized.
[0333] In some embodiments, the method further includes:
[0334] Receive the first security parameter sent by the third network element;
[0335] Based on the first security parameter, obtain the first key for the first network element.
[0336] In some embodiments, the method further includes:
[0337] Receive the second security parameter sent by the third network element;
[0338] Based on the second security parameter, obtain the second key for the second network element;
[0339] Send a data service request message encrypted with the second key to the second network element. The data service request message carries the identifier of the data service request node.
[0340] It should be noted that all the implementation methods in the above embodiments are applicable to the embodiments of the data service authorization determination method applied to the terminal side, and can achieve the same technical effect, so they will not be described again here.
[0341] As shown in Figure 10, this embodiment of the present disclosure provides a data service authorization determination method, executed by an access network node or a core network node, including:
[0342] Step S1001: Receive the first token sent by the first network element;
[0343] Step S1002: Verify the first token using the first network element public key and obtain fourth information, the fourth information including at least one of the following: the token of the data service provider node and the information to be transmitted to the data service provider node;
[0344] Step S1003: If the information to be transmitted to the data service provider node obtained through decryption is consistent with the information to be transmitted to the data service provider node that is directly received, and the token of the data service provider node is verified, then it is determined that the data service request node has been authorized.
[0345] In some embodiments, the method further includes:
[0346] Send a data service management registration request to the first network element, the data service management registration request carrying security capability parameters;
[0347] Receive the data service management registration response sent by the first network element.
[0348] Specifically, if the security capability parameters are encrypted, the data service management registration response does not carry the first network element public key; otherwise, the data service management registration response carries the first network element public key.
[0349] It should be noted that all the implementation methods in the above embodiments are applicable to the embodiments of the data service authorization determination method applied to the access network node or core network node side, and can achieve the same technical effect, so they will not be described again here.
[0350] As shown in Figure 11, this embodiment of the present disclosure provides a signal measurement device 1100, applied to a first network element, comprising:
[0351] The first receiving unit 1101 is used to receive data service request information sent by the data service request node;
[0352] The first verification unit 1102 is used to perform authorization verification on the data service request node according to the data service request information;
[0353] The generation unit 1103 is used to generate a first token when the authorization verification of the data service request node is passed;
[0354] The first sending unit 1104 is used to send the first token to the data service provider node.
[0355] In some embodiments, when the data service request node is a terminal, the first verification unit 1102 is configured to:
[0356] The data service request information is decrypted using the first key to obtain the terminal identifier and the first information, which includes at least one of the following: data service request and data subscription request. The first key is the authorization key of the first network element, and the data service request information is encrypted using an encryption key generated on the terminal side.
[0357] Obtain the second information corresponding to the terminal identifier;
[0358] Determine whether the second information is consistent with the first information;
[0359] If the first information matches the second information, the authorization verification is deemed successful; otherwise, the authorization verification is deemed unsuccessful.
[0360] In some embodiments, when the data service request node is an access network node or a core network node, the first verification unit 1102 is configured to:
[0361] The data service request information is verified; the data service request information is a token of the data service providing node.
[0362] If the data service request information passes verification, the authorization verification is deemed successful; otherwise, the authorization verification is deemed unsuccessful.
[0363] In some embodiments, the generating unit 1103 is configured to:
[0364] Obtain the token of the data service provider node;
[0365] Sign the token of the data service provider node and the information to be transmitted to the data service provider node to obtain the first token.
[0366] In some embodiments, the specific implementation of signing the token of the data service provider node and the information to be transmitted to the data service provider node to obtain the first token includes one of the following:
[0367] The first token is obtained by signing the token of the data service provider node and the information to be transmitted to the data service provider node using the private key of the first network element. The data service provider node is an access network node or a core network node.
[0368] The first token is obtained by encrypting the token of the data service provider node and the information to be transmitted to the data service provider node using the symmetric key generated by the first network element and the terminal during the terminal registration process. The data service provider node is the terminal.
[0369] In some embodiments, the specific implementation of obtaining the token of the data service provider node includes at least one of the following:
[0370] Obtain the token of the data service provider node from the second network element;
[0371] Receive the token of the data service provider node sent by the data service request node.
[0372] In some embodiments, the apparatus further includes:
[0373] The third sending unit is used to send information that needs to be transmitted to the data service provider node.
[0374] In some embodiments, the apparatus further includes:
[0375] The fifth receiving unit is used to receive a data service management registration request sent by an access network node or a core network node, wherein the data service management registration request carries security capability parameters.
[0376] The fourth sending unit is used to send a data service management registration response to the access network node or core network node according to the security capability parameters.
[0377] Specifically, if the security capability parameters are encrypted and successfully decrypted using the first network element's private key, the data service management registration response will not carry the first network element's public key; otherwise, the data service management registration response will carry the first network element's public key.
[0378] In some embodiments, the apparatus further includes:
[0379] The sixth receiving unit is used to receive the symmetric key sent by the third network element, the symmetric key being generated based on the third network element key.
[0380] It should be noted that this device embodiment corresponds one-to-one with the above method embodiments. All implementation methods in the above method embodiments are applicable to this device embodiment and can achieve the same technical effect.
[0381] It should be noted that the division of units in the embodiments of this disclosure is illustrative and only represents one logical functional division. In actual implementation, other division methods may be used. Furthermore, the functional units in the various embodiments of this disclosure can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated units described above can be implemented in hardware or as software functional units.
[0382] If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a processor-readable storage medium. Based on this understanding, the technical solution of this disclosure, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) or processor to execute all or part of the steps of the methods described in the various embodiments of this disclosure. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0383] As shown in Figure 12, this embodiment of the present disclosure also provides a data service authorization device, which is a first network element, including a processor 1200, a transceiver 1210, a memory 1220, and a program stored in the memory 1220 and executable on the processor 1200; wherein, the transceiver 1210 is connected to the processor 1200 and the memory 1220 via a bus interface, and the processor 1200 is used to read the program in the memory and execute the following processes:
[0384] The transceiver receives data service request information sent by the data service request node.
[0385] Based on the data service request information, the authorization verification is performed on the data service request node;
[0386] If the authorization verification of the data service request node is successful, a first token is generated;
[0387] Send the first token to the data service provider node.
[0388] Transceiver 1210 is used to receive and send data under the control of processor 1200.
[0389] In Figure 12, the bus architecture may include any number of interconnected buses and bridges, specifically linking various circuits of one or more processors represented by processor 1200 and memory represented by memory 1220. The bus architecture may also link various other circuits such as peripheral devices, voltage regulators, and power management circuits, which are well known in the art and therefore will not be described further herein. The bus interface provides an interface. The transceiver 1210 may be multiple elements, including a transmitter and a receiver, providing a unit for communicating with various other devices over a transmission medium, including wireless channels, wired channels, optical fibers, and other transmission media.
[0390] The processor 1200 is responsible for managing the bus architecture and general processing, while the memory 1220 can store the data used by the processor 1200 when performing operations.
[0391] Optionally, the processor 1200 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or a complex programmable logic device (CPLD), and the processor may also adopt a multi-core architecture.
[0392] The processor executes any of the methods described in the embodiments of this disclosure by invoking a computer program stored in memory, according to the obtained executable instructions. The processor and memory may also be physically separated.
[0393] In some embodiments, when the data service request node is a terminal, the processor is configured to read the computer program in the memory and perform the following operations:
[0394] The data service request information is decrypted using the first key to obtain the terminal identifier and the first information, which includes at least one of the following: data service request and data subscription request. The first key is the authorization key of the first network element, and the data service request information is encrypted using an encryption key generated on the terminal side.
[0395] Obtain the second information corresponding to the terminal identifier;
[0396] Determine whether the second information is consistent with the first information;
[0397] If the first information matches the second information, the authorization verification is deemed successful; otherwise, the authorization verification is deemed unsuccessful.
[0398] In some embodiments, when the data service request node is an access network node or a core network node, the processor is configured to read the computer program in the memory and perform the following operations:
[0399] The data service request information is verified; the data service request information is a token of the data service providing node.
[0400] If the data service request information passes verification, the authorization verification is deemed successful; otherwise, the authorization verification is deemed unsuccessful.
[0401] In some embodiments, the processor is configured to read a computer program from the memory and perform the following operations:
[0402] Obtain the token of the data service provider node;
[0403] Sign the token of the data service provider node and the information to be transmitted to the data service provider node to obtain the first token.
[0404] In some embodiments, the processor is configured to read a computer program from the memory and perform at least one of the following operations:
[0405] The first token is obtained by signing the token of the data service provider node and the information to be transmitted to the data service provider node using the private key of the first network element. The data service provider node is an access network node or a core network node.
[0406] The first token is obtained by encrypting the token of the data service provider node and the information to be transmitted to the data service provider node using the symmetric key generated by the first network element and the terminal during the terminal registration process. The data service provider node is the terminal.
[0407] In some embodiments, the processor is configured to read a computer program from the memory and perform at least one of the following operations:
[0408] Obtain the token of the data service provider node from the second network element;
[0409] Receive the token of the data service provider node sent by the data service request node.
[0410] In some embodiments, the processor, for reading a computer program from the memory, also performs the following operations:
[0411] Send the information that needs to be transmitted to the data service provider node.
[0412] In some embodiments, the processor, for reading a computer program from the memory, also performs the following operations:
[0413] Receive a data service management registration request sent by an access network node or a core network node, wherein the data service management registration request carries security capability parameters;
[0414] Based on the security capability parameters, send a data service management registration response to the access network node or core network node;
[0415] Specifically, if the security capability parameters are encrypted and successfully decrypted using the first network element's private key, the data service management registration response will not carry the first network element's public key; otherwise, the data service management registration response will carry the first network element's public key.
[0416] In some embodiments, the processor, for reading a computer program from the memory, also performs the following operations:
[0417] Receive a symmetric key sent by a third network element, the symmetric key being generated based on the third network element key.
[0418] It should be noted that the data service authorization device provided in this embodiment can implement all the method steps implemented in the above method embodiment and achieve the same technical effect. Therefore, the parts and beneficial effects that are the same as those in the method embodiment will not be described in detail here.
[0419] This disclosure also provides a computer-readable storage medium storing a computer program thereon, wherein the computer program, when executed by a processor, implements the steps of a data service authorization method applied to a first network element. The processor-readable storage medium can be any available medium or data storage device accessible to the processor, including but not limited to magnetic storage (e.g., floppy disk, hard disk, magnetic tape, magnetic optical disc (MO), etc.), optical storage (e.g., compact disc (CD), digital video disc (DVD), Blu-ray disc (BD), high-definition versatile disc (HVD), etc.), and semiconductor storage (e.g., read-only memory (ROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), non-volatile memory (NAND FLASH), solid-state drives (SSDs), etc.).
[0420] As shown in Figure 13, this embodiment of the present disclosure provides an information transmission device 1300, applied to a second network element, including:
[0421] The second receiving unit 1301 is used to receive a data service request message sent by a data service request node, wherein the data service request message carries the identifier of the data service request node;
[0422] The second verification unit 1302 is used to perform authorization verification on the data service request node based on the identifier of the data service request node;
[0423] The second sending unit 1303 is used to send a token of the data service providing node to the data service request node when the authorization verification of the data service request node is successful.
[0424] In some embodiments, the second verification unit 1302 is configured to:
[0425] Based on the identifier of the data service request node, obtain the first data service capability reported by the data service request node;
[0426] If the first data service capability supports the data service capability requested by the data service request message, then the authorization verification is determined to be successful; otherwise, the authorization verification is determined to be unsuccessful.
[0427] In some embodiments, the specific implementation of obtaining the first data service capability reported by the data service request node based on the identifier of the data service request node includes one of the following:
[0428] Based on the identifier of the data service request node, find the first data service capability reported by the data service request node corresponding to the identifier of the data service request node;
[0429] A query request is sent to the first network element, and the first data service capability reported by the data service request node is received from the first network element. The query request carries the identifier of the data service request node.
[0430] In some embodiments, the apparatus further includes:
[0431] The seventh receiving unit is used to receive the second network element key sent by the third network element, the second network element key being generated based on the third network element key.
[0432] It should be noted that this device embodiment corresponds one-to-one with the above method embodiments. All implementation methods in the above method embodiments are applicable to this device embodiment and can achieve the same technical effect.
[0433] It should be noted that the division of units in the embodiments of this disclosure is illustrative and only represents one logical functional division. In actual implementation, other division methods may be used. Furthermore, the functional units in the various embodiments of this disclosure can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated units described above can be implemented in hardware or as software functional units.
[0434] If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a processor-readable storage medium. Based on this understanding, the technical solution of this disclosure, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) or processor to execute all or part of the steps of the methods described in the various embodiments of this disclosure. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0435] This disclosure also provides an information transmission device, which is a second network element. Its structure is shown in Figure 12 and will not be described in detail here.
[0436] The processor is configured to read the computer program from the memory and perform the following operations:
[0437] The transceiver receives a data service request message sent by a data service request node, the data service request message carrying the identifier of the data service request node;
[0438] Authorization verification is performed on the data service request node based on its identifier;
[0439] If the authorization verification of the data service request node is successful, a token of the data service provider node is sent to the data service request node.
[0440] In some embodiments, the processor is configured to read a computer program from the memory and perform the following operations:
[0441] Based on the identifier of the data service request node, obtain the first data service capability reported by the data service request node;
[0442] If the first data service capability supports the data service capability requested by the data service request message, then the authorization verification is determined to be successful; otherwise, the authorization verification is determined to be unsuccessful.
[0443] In some embodiments, the processor is configured to read a computer program from the memory and perform one of the following operations:
[0444] Based on the identifier of the data service request node, find the first data service capability reported by the data service request node corresponding to the identifier of the data service request node;
[0445] A query request is sent to the first network element, and the first data service capability reported by the data service request node is received from the first network element. The query request carries the identifier of the data service request node.
[0446] In some embodiments, the processor, for reading a computer program from the memory, also performs the following operations:
[0447] Receive the second network element key sent by the third network element, the second network element key being generated based on the third network element key.
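The authorization verification of [0441] to [0445] as an added example in Go; it is not code from the disclosure. The second network element keeps the first data service capability each node reported, looks it up by the requester identifier, and returns the provider node's token only when the reported capability supports the requested one. Forming the provider token as an HMAC-SHA256 under the second network element key, deriving that key from the third network element key with HMAC, and the node identifiers and capability names are all constructed assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SecondNetworkElement holds the capabilities each requesting node reported earlier,
// keyed by node identifier, and the second network element key.
type SecondNetworkElement struct {
	reported map[string]map[string]bool // requester ID -> set of reported capabilities
	key      []byte                     // second network element key
}

// DeriveSecondNEKey stands in for "generated based on the third network element key";
// the disclosure names no KDF, so HMAC-SHA256(k3, label) is an assumption.
func DeriveSecondNEKey(thirdNEKey []byte) []byte {
	mac := hmac.New(sha256.New, thirdNEKey)
	mac.Write([]byte("second-network-element-key"))
	return mac.Sum(nil)
}

func NewSecondNetworkElement(thirdNEKey []byte) *SecondNetworkElement {
	return &SecondNetworkElement{reported: map[string]map[string]bool{}, key: DeriveSecondNEKey(thirdNEKey)}
}

// ReportCapability records the first data service capability a node reported.
func (ne *SecondNetworkElement) ReportCapability(nodeID string, caps ...string) {
	set := map[string]bool{}
	for _, c := range caps {
		set[c] = true
	}
	ne.reported[nodeID] = set
}

// DataServiceRequest is the data service request message: it carries the
// requester identifier plus the provider and capability it asks for.
type DataServiceRequest struct {
	RequesterID string
	ProviderID  string
	Capability  string
}

// providerToken is the token of the data service providing node (assumed form):
// an HMAC binding provider, requester and capability under the second NE key.
func (ne *SecondNetworkElement) providerToken(req DataServiceRequest) string {
	mac := hmac.New(sha256.New, ne.key)
	mac.Write([]byte(req.ProviderID + "|" + req.RequesterID + "|" + req.Capability))
	return hex.EncodeToString(mac.Sum(nil))
}

// HandleRequest performs the authorization verification: find the capability
// reported under the identifier and check it supports the requested capability.
// Only on success is the provider node's token sent back.
func (ne *SecondNetworkElement) HandleRequest(req DataServiceRequest) (string, error) {
	caps, ok := ne.reported[req.RequesterID]
	if !ok {
		return "", errors.New("unknown data service request node: no reported capability")
	}
	if !caps[req.Capability] {
		return "", fmt.Errorf("capability %q not covered by the capability reported by %s", req.Capability, req.RequesterID)
	}
	return ne.providerToken(req), nil
}

// VerifyProviderToken checks a token presented later against the same binding,
// using a constant-time comparison.
func (ne *SecondNetworkElement) VerifyProviderToken(req DataServiceRequest, token string) bool {
	return hmac.Equal([]byte(ne.providerToken(req)), []byte(token))
}

func main() {
	ne := NewSecondNetworkElement([]byte("constructed third network element key"))
	ne.ReportCapability("ue-001", "data-collection", "data-subscription")
	tok, err := ne.HandleRequest(DataServiceRequest{"ue-001", "upf-7", "data-collection"})
	fmt.Println(tok, err)
	_, err = ne.HandleRequest(DataServiceRequest{"ue-001", "upf-7", "model-training"})
	fmt.Println(err)
}
```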
[0448] It should be noted that the information transmission device provided in this embodiment can implement all the method steps implemented in the above method embodiment and can achieve the same technical effect. Therefore, the parts and beneficial effects that are the same as those in the method embodiment will not be described in detail here.
[0449] This disclosure also provides a computer-readable storage medium storing a computer program thereon, wherein the computer program, when executed by a processor, implements the steps of an information transmission method applied to a second network element. The processor-readable storage medium can be any available medium or data storage device accessible to the processor, including but not limited to magnetic storage (e.g., floppy disks, hard disks, magnetic tapes, magneto-optical disks (MO), etc.), optical storage (e.g., CDs, DVDs, BDs, HVDs, etc.), and semiconductor storage (e.g., ROMs, EPROMs, EEPROMs, non-volatile memory (NAND flash), solid-state drives (SSDs), etc.).
[0450] As shown in Figure 14, this embodiment of the present disclosure provides a data service authorization determination device 1400, applied to a terminal, including:
[0451] The third receiving unit 1401 is used to receive the first token sent by the first network element;
[0452] The first acquisition unit 1402 is used to decrypt the first token using the first key and acquire third information, wherein the third information includes at least one of the following: the token of the data service provider node and information to be transmitted to the data service provider node;
[0453] The first determining unit 1403 is used to determine that the data service requesting node has been authorized if the information to be transmitted to the data service providing node obtained by decryption is consistent with the information to be transmitted to the data service providing node that is directly received, and the token verification of the data service providing node is successful.
[0454] In some embodiments, the apparatus further includes:
[0455] The eighth receiving unit is used to receive the first security parameters sent by the third network element;
[0456] The third acquisition unit is used to acquire the first key for the first network element based on the first security parameter.
[0457] In some embodiments, the apparatus further includes:
[0458] The ninth receiving unit is used to receive the second security parameters sent by the third network element;
[0459] The fourth acquisition unit is used to acquire a second key for the second network element based on the second security parameter;
[0460] The fifth sending unit is used to send a data service request message encrypted with the second key to the second network element, wherein the data service request message carries the identifier of the data service request node.
[0461] It should be noted that this device embodiment corresponds one-to-one with the above method embodiments. All implementation methods in the above method embodiments are applicable to this device embodiment and can achieve the same technical effect.
[0462] It should be noted that the division of units in the embodiments of this disclosure is illustrative and only represents one logical functional division. In actual implementation, other division methods may be used. Furthermore, the functional units in the various embodiments of this disclosure can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated units described above can be implemented in hardware or as software functional units.
[0463] If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a processor-readable storage medium. Based on this understanding, the technical solution of this disclosure, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) or processor to execute all or part of the steps of the methods described in the various embodiments of this disclosure. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0464] As shown in Figure 15, this embodiment of the present disclosure also provides a terminal, including a processor 1500, a transceiver 1510, a memory 1520, and a program stored in the memory 1520 and executable on the processor 1500; wherein the transceiver 1510 is connected to the processor 1500 and the memory 1520 via a bus interface, and the processor 1500 is used to read the program in the memory and execute the following processes:
[0465] Receive the first token sent by the first network element through the transceiver;
[0466] The first token is decrypted using the first key to obtain third information, which includes at least one of the following: the token of the data service provider node and the information to be transmitted to the data service provider node;
[0467] If the information obtained through decryption that needs to be transmitted to the data service provider node is consistent with the information received directly that needs to be transmitted to the data service provider node, and the token verification of the data service provider node is successful, then it is determined that the data service requesting node has been authorized.
[0468] Transceiver 1510 is used to receive and send data under the control of processor 1500.
[0469] In Figure 15, the bus architecture may include any number of interconnected buses and bridges, specifically linking various circuits of one or more processors represented by processor 1500 and memory represented by memory 1520. The bus architecture may also link various other circuits such as peripheral devices, voltage regulators, and power management circuits, which are well known in the art and therefore will not be described further herein. The bus interface provides an interface. The transceiver 1510 may be multiple components, including a transmitter and a receiver, providing a unit for communicating with various other devices over a transmission medium, including wireless channels, wired channels, optical fibers, etc. For different user equipment, the user interface 1530 may also be an interface capable of connecting external or internal devices, including but not limited to keypads, displays, speakers, microphones, joysticks, etc.
[0470] The processor 1500 is responsible for managing the bus architecture and general processing, while the memory 1520 can store the data used by the processor 1500 when performing operations.
[0471] Optionally, the processor 1500 can be a central processing unit (CPU), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or a complex programmable logic device (CPLD), and the processor can also adopt a multi-core architecture.
[0472] The processor executes any of the methods described in the embodiments of this disclosure by invoking a computer program stored in memory, according to the obtained executable instructions. The processor and memory may also be physically separated.
[0473] In some embodiments, the processor, for reading a computer program from the memory, also performs the following operations:
[0474] Receive the first security parameter sent by the third network element;
[0475] Based on the first security parameter, obtain the first key for the first network element.
[0476] In some embodiments, the processor, for reading a computer program from the memory, also performs the following operations:
[0477] Receive the second security parameter sent by the third network element;
[0478] Based on the second security parameter, obtain the second key for the second network element;
[0479] Send a data service request message encrypted with the second key to the second network element. The data service request message carries the identifier of the data service request node.
[0480] It should be noted that the terminal provided in this embodiment can implement all the method steps implemented in the above method embodiment and achieve the same technical effect. Therefore, the parts and beneficial effects that are the same as those in the method embodiment will not be described in detail here.
[0481] This disclosure also provides a computer-readable storage medium storing a computer program thereon, wherein the computer program, when executed by a processor, implements the steps of a data service authorization determination method applied to a terminal. The processor-readable storage medium can be any available medium or data storage device accessible to the processor, including but not limited to magnetic storage (e.g., floppy disks, hard disks, magnetic tapes, magneto-optical disks (MO), etc.), optical storage (e.g., CDs, DVDs, BDs, HVDs, etc.), and semiconductor storage (e.g., ROMs, EPROMs, EEPROMs, non-volatile memory (NAND flash), solid-state drives (SSDs), etc.).
[0482] As shown in Figure 16, this embodiment of the disclosure provides a data service authorization device 1600, applied to an access network node or a core network node, including:
[0483] The fourth receiving unit 1601 is used to receive the first token sent by the first network element;
[0484] The second acquisition unit 1602 is used to verify the first token using the first network element public key and acquire fourth information, the fourth information including at least one of the following: the token of the data service provider node and the information to be transmitted to the data service provider node;
[0485] The second determining unit 1603 is used to determine that the data service requesting node has been authorized if the information to be transmitted to the data service providing node obtained by decryption is consistent with the information to be transmitted to the data service providing node that is directly received, and the token verification of the data service providing node is successful.
[0486] In some embodiments, the apparatus further includes:
[0487] The sixth sending unit is used to send a data service management registration request to the first network element, wherein the data service management registration request carries security capability parameters;
[0488] The tenth receiving unit is used to receive the data service management registration response sent by the first network element;
[0489] Specifically, if the security capability parameters are encrypted, the data service management registration response does not carry the first network element public key; otherwise, the data service management registration response carries the first network element public key.
[0490] It should be noted that this device embodiment corresponds one-to-one with the above method embodiments. All implementation methods in the above method embodiments are applicable to this device embodiment and can achieve the same technical effect.
[0491] It should be noted that the division of units in the embodiments of this disclosure is illustrative and only represents one logical functional division. In actual implementation, other division methods may be used. Furthermore, the functional units in the various embodiments of this disclosure can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated units described above can be implemented in hardware or as software functional units.
[0492] If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a processor-readable storage medium. Based on this understanding, the technical solution of this disclosure, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) or processor to execute all or part of the steps of the methods described in the various embodiments of this disclosure. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0493] This disclosure also provides a data service authorization determination device, which is an access network node or a core network node. Its structure is shown in Figure 12 and will not be described in detail here.
[0494] The processor is configured to read the computer program from the memory and perform the following operations:
[0495] Receive the first token sent by the first network element through the transceiver;
[0496] The first token is verified using the public key of the first network element, and the fourth information is obtained. The fourth information includes at least one of the following: the token of the data service provider node and the information to be transmitted to the data service provider node.
[0497] If the information obtained through decryption that needs to be transmitted to the data service provider node is consistent with the information received directly that needs to be transmitted to the data service provider node, and the token verification of the data service provider node is successful, then it is determined that the data service requesting node has been authorized.
[0498] In some embodiments, the processor, for reading a computer program from the memory, also performs the following operations:
[0499] Send a data service management registration request to the first network element, the data service management registration request carrying security capability parameters;
[0500] Receive the data service management registration response sent by the first network element;
[0501] Specifically, if the security capability parameters are encrypted, the data service management registration response does not carry the first network element public key; otherwise, the data service management registration response carries the first network element public key.
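The first-token handling of the terminal ([0465] to [0467]) and of the access or core network node ([0495] to [0497]) as one added Go example; it is not the disclosure's code. The first network element signs the payload with its private key when the provider is a network node and encrypts it with the registration symmetric key when the provider is the terminal; each receiver recovers the provider token and the information to be transmitted, compares that information with the copy received directly, and verifies the provider token. Ed25519 for the signature, AES-GCM for the symmetric case, JSON as the payload encoding and an HMAC-SHA256 provider token are assumptions; the key material and values used are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// ThirdInfo is the payload carried inside the first token: the token of the data
// service providing node and the information to be transmitted to it.
type ThirdInfo struct {
	ProviderToken []byte `json:"provider_token"`
	Info          []byte `json:"info"`
}

// providerToken is the assumed form of the provider node's token:
// HMAC-SHA256 over its content under the second network element key.
func providerToken(key, content []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(content)
	return mac.Sum(nil)
}

// SignFirstToken: the provider is an access or core network node, so the first
// network element signs (provider token, info) with its private key.
func SignFirstToken(priv ed25519.PrivateKey, ti ThirdInfo) ([]byte, error) {
	body, err := json.Marshal(ti)
	if err != nil {
		return nil, err
	}
	sig := ed25519.Sign(priv, body)
	return append(sig, body...), nil // 64-byte signature followed by the payload
}

// EncryptFirstToken: the provider is the terminal, so the first network element
// encrypts the payload with the symmetric key shared at terminal registration.
func EncryptFirstToken(symKey []byte, ti ThirdInfo) ([]byte, error) {
	body, err := json.Marshal(ti)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(symKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, body, nil), nil // nonce || ciphertext || tag
}

// openAsTerminal decrypts the first token with the first key (terminal side).
func openAsTerminal(symKey, token []byte) (ThirdInfo, error) {
	var ti ThirdInfo
	block, err := aes.NewCipher(symKey)
	if err != nil {
		return ti, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return ti, err
	}
	if len(token) < gcm.NonceSize() {
		return ti, errors.New("first token too short")
	}
	body, err := gcm.Open(nil, token[:gcm.NonceSize()], token[gcm.NonceSize():], nil)
	if err != nil {
		return ti, err
	}
	return ti, json.Unmarshal(body, &ti)
}

// openAsNetworkNode verifies the first token with the first network element's public key.
func openAsNetworkNode(pub ed25519.PublicKey, token []byte) (ThirdInfo, error) {
	var ti ThirdInfo
	if len(token) < ed25519.SignatureSize {
		return ti, errors.New("first token too short")
	}
	sig, body := token[:ed25519.SignatureSize], token[ed25519.SignatureSize:]
	if !ed25519.Verify(pub, body, sig) {
		return ti, errors.New("first token signature invalid")
	}
	return ti, json.Unmarshal(body, &ti)
}

// Authorized applies the decision rule: the recovered info must equal the info
// received directly AND the provider token must verify. Both are required, so a
// valid first token paired with different session information is refused.
func Authorized(ti ThirdInfo, directInfo, providerKey, providerContent []byte) bool {
	infoMatches := hmac.Equal(ti.Info, directInfo)
	tokenOK := hmac.Equal(ti.ProviderToken, providerToken(providerKey, providerContent))
	return infoMatches && tokenOK
}

// TerminalDecides is the terminal branch; NetworkNodeDecides the RAN/CN branch.
func TerminalDecides(symKey, token, directInfo, providerKey, providerContent []byte) bool {
	ti, err := openAsTerminal(symKey, token)
	return err == nil && Authorized(ti, directInfo, providerKey, providerContent)
}

func NetworkNodeDecides(pub ed25519.PublicKey, token, directInfo, providerKey, providerContent []byte) bool {
	ti, err := openAsNetworkNode(pub, token)
	return err == nil && Authorized(ti, directInfo, providerKey, providerContent)
}
```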
[0502] It should be noted that the data service authorization determination device provided in this embodiment can implement all the method steps implemented in the above method embodiment and achieve the same technical effect. Therefore, the parts and beneficial effects that are the same as those in the method embodiment will not be described in detail here.
[0503] This disclosure also provides a computer-readable storage medium storing a computer program thereon, wherein the computer program, when executed by a processor, implements steps of a data service authorization determination method applied to an access network node or a core network node. The processor-readable storage medium can be any available medium or data storage device accessible to the processor, including but not limited to magnetic storage (e.g., floppy disks, hard disks, magnetic tapes, magneto-optical disks (MO), etc.), optical storage (e.g., CDs, DVDs, BDs, HVDs, etc.), and semiconductor storage (e.g., ROMs, EPROMs, EEPROMs, non-volatile memory (NAND flash), solid-state drives (SSDs), etc.).
[0504] This disclosure also provides a computer program product, including computer instructions. When executed by a processor, these computer instructions implement the various processes in the above method embodiments and achieve the same technical effects. To avoid repetition, further details are omitted here.
[0505] Those skilled in the art will understand that embodiments of this disclosure can be provided as methods, systems, or computer program products. Therefore, this disclosure can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this disclosure can take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage and optical storage) containing computer-usable program code.
[0506] This disclosure is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of this disclosure. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer-executable instructions. These computer-executable instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in one or more flowchart illustrations and / or one or more block diagrams.
[0507] These processor-executable instructions may also be stored in a processor-readable memory that can instruct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the processor-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flowcharts and / or one or more block diagrams.
[0508] These processor-executable instructions can also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer-implemented process, such that the instructions, which execute on the computer or other programmable apparatus, provide steps for implementing the functions specified in one or more flowcharts and / or one or more block diagrams.
[0509] Furthermore, it should be noted that in the apparatus and method of this disclosure, it is obvious that the components or steps can be decomposed and / or recombined. These decompositions and / or recombinations should be considered equivalent solutions of this disclosure. Moreover, the steps performing the above series of processes can naturally be executed in the order described, but are not necessarily required to be executed in chronological order; some steps can be executed in parallel or independently of each other. Those skilled in the art will understand that all or any step or component of the method and apparatus of this disclosure can be implemented in any computing device (including processors, storage media, etc.) or network of computing devices, in hardware, firmware, software, or a combination thereof, which can be achieved by those skilled in the art using their basic programming skills after reading the description of this disclosure.
[0510] It should be noted that the above division of modules is merely a logical functional division. In actual implementation, they can be fully or partially integrated into a single physical entity, or they can be physically separated. Furthermore, these modules can be implemented entirely in software via processing element calls; they can be fully implemented in hardware; or some modules can be implemented by processing element calls to software, while others are implemented in hardware. For example, a module can be a separate processing element, or it can be integrated into a chip in the aforementioned device. Alternatively, it can be stored as program code in the memory of the aforementioned device, and its function can be called and executed by a processing element of the device. The implementation of other modules is similar. Moreover, these modules can be fully or partially integrated together, or they can be implemented independently. The processing element mentioned here can be an integrated circuit with signal processing capabilities. In the implementation process, each step of the above method or each of the above modules can be completed through integrated logic circuits in the hardware of the processor element or through software instructions.
[0511] For example, each module, unit, subunit, or submodule can be one or more integrated circuits configured to implement the above methods, such as one or more application-specific integrated circuits (ASICs), one or more digital signal processors (DSPs), or one or more field-programmable gate arrays (FPGAs). As another example, when a module is implemented using processing element scheduler code, the processing element can be a general-purpose processor, such as a central processing unit (CPU) or other processor capable of calling program code. Furthermore, these modules can be integrated together to implement a system-on-a-chip (SOC).
[0512] The terms “first,” “second,” etc., used in this disclosure and in the claims are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that embodiments of this disclosure described herein may be implemented in orders other than those illustrated or described herein. Furthermore, the terms “comprising” and “having,” and any variations thereof, are intended to cover non-exclusive inclusion; for example, a process, method, system, product, or apparatus that comprises a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or apparatus. Additionally, the use of “and / or” in the specification and claims indicates at least one of the connected objects, such as A and / or B and / or C, indicating seven possibilities: A alone, B alone, C alone, and both A and B, both B and C, both A and C, and A, B, and C. Similarly, the use of “at least one of A and B” in this specification and claims should be understood as “A alone, B alone, or both A and B.”
[0513] Obviously, those skilled in the art can make various modifications and variations to this disclosure without departing from its spirit and scope. Therefore, if such modifications and variations fall within the scope of the claims of this disclosure and their equivalents, this disclosure is also intended to include such modifications and variations.
Claims
1. A data service authorization method, applied to a first network element, the method comprising: Receive data service request information sent by the data service request node; Based on the data service request information, the authorization verification is performed on the data service request node; If the authorization verification of the data service request node is successful, a first token is generated; Send the first token to the data service provider node.
2. The method according to claim 1, wherein, when the data service request node is a terminal, the authorization verification of the data service request node comprises: decrypting the data service request information using a first key to obtain a terminal identifier and first information, the first information comprising at least one of the following: a data service request and a data subscription request, wherein the first key is an authorization key of the first network element, and the data service request information is encrypted using an encryption key generated on the terminal side; obtaining second information corresponding to the terminal identifier; determining whether the second information is consistent with the first information; and if the first information is consistent with the second information, determining that the authorization verification is successful, otherwise determining that the authorization verification is unsuccessful.
3. The method according to claim 1, wherein, when the data service request node is an access network node or a core network node, the authorization verification of the data service request node comprises: verifying the data service request information, the data service request information being a token of the data service providing node; and if the data service request information passes verification, determining that the authorization verification is successful, otherwise determining that the authorization verification is unsuccessful.
4. The method according to claim 1, wherein generating the first token comprises: obtaining a token of the data service provider node; and signing the token of the data service provider node and information to be transmitted to the data service provider node to obtain the first token.
5. The method according to claim 4, wherein signing the token of the data service provider node and the information to be transmitted to the data service provider node to obtain the first token comprises one of the following: obtaining the first token by signing the token of the data service provider node and the information to be transmitted to the data service provider node using a private key of the first network element, wherein the data service provider node is an access network node or a core network node; and obtaining the first token by encrypting the token of the data service provider node and the information to be transmitted to the data service provider node using a symmetric key generated by the first network element and the terminal during terminal registration, wherein the data service provider node is the terminal.
6. The method according to claim 4 or 5, wherein obtaining the token of the data service provider node comprises at least one of the following: obtaining the token of the data service provider node from a second network element; and the data service provider node sending the token to the data service requesting node.
7. The method according to claim 4 or 5, further comprising: sending the information to be transmitted to the data service provider node.
8. The method according to claim 1, further comprising: receiving a data service management registration request sent by an access network node or a core network node, the data service management registration request carrying security capability parameters; and sending a data service management registration response to the access network node or the core network node based on the security capability parameters, wherein, if the security capability parameters are encrypted and are successfully decrypted using the private key of the first network element, the data service management registration response does not carry the public key of the first network element; otherwise, the data service management registration response carries the public key of the first network element.
9. The method according to claim 1, further comprising: receiving a symmetric key sent by a third network element, the symmetric key being generated based on a third network element key.
10. An information transmission method, applied to a second network element, the method comprising: receiving a data service request message sent by a data service request node, the data service request message carrying an identifier of the data service request node; performing authorization verification on the data service request node based on the identifier of the data service request node; and if the authorization verification of the data service request node is successful, sending a token of the data service provider node to the data service request node.
11. The method according to claim 10, wherein the authorization verification of the data service request node comprises: obtaining, based on the identifier of the data service request node, a first data service capability reported by the data service request node; and if the first data service capability supports the data service capability requested by the data service request message, determining that the authorization verification is successful, otherwise determining that the authorization verification is unsuccessful.
12. The method according to claim 11, wherein obtaining, based on the identifier of the data service request node, the first data service capability reported by the data service request node comprises one of the following: looking up, based on the identifier of the data service request node, the first data service capability reported by the data service request node that corresponds to that identifier; and sending a query request to the first network element and receiving from the first network element the first data service capability reported by the data service request node, the query request carrying the identifier of the data service request node.
13. The method according to claim 10, further comprising: receiving a second network element key sent by a third network element, the second network element key being generated based on a third network element key.
14. A data service authorization determination method, applied to a terminal, the method comprising: receiving a first token sent by a first network element; decrypting the first token using a first key to obtain third information, the third information comprising at least one of the following: a token of the data service provider node and information to be transmitted to the data service provider node; and if the information to be transmitted to the data service provider node obtained through decryption is consistent with the information to be transmitted to the data service provider node that is received directly, and the token of the data service provider node is successfully verified, determining that the data service requesting node has been authorized.
15. The method according to claim 14, further comprising: receiving a first security parameter sent by a third network element; and obtaining the first key of the first network element based on the first security parameter.
16. The method according to claim 14, further comprising: receiving a second security parameter sent by the third network element; obtaining a second key of a second network element based on the second security parameter; and sending a data service request message encrypted with the second key to the second network element, the data service request message carrying an identifier of the data service request node.
17. A data service authorization determination method, applied to an access network node or a core network node, the method comprising: receiving a first token sent by a first network element; verifying the first token using a public key of the first network element and obtaining fourth information, the fourth information comprising at least one of the following: a token of the data service provider node and information to be transmitted to the data service provider node; and if the information to be transmitted to the data service provider node obtained through decryption is consistent with the information to be transmitted to the data service provider node that is received directly, and the token of the data service provider node is successfully verified, determining that the data service requesting node has been authorized.
18. The method according to claim 17, further comprising: sending a data service management registration request to the first network element, the data service management registration request carrying security capability parameters; and receiving a data service management registration response sent by the first network element, wherein, if the security capability parameters are encrypted, the data service management registration response does not carry the public key of the first network element; otherwise, the data service management registration response carries the public key of the first network element.
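The following Go program is an added illustration of the first-token mechanics in claims 4, 5, 14 and 17 and is not code from the patent or its applicant. The claims fix no algorithms, so everything concrete here is this example's assumption: Ed25519 stands in for the first network element's private/public key pair (claim 5, first branch, verified in claim 17 with the public key distributed at registration per claims 8 and 18), AES-GCM for the symmetric key shared with the terminal (claim 5, second branch, decrypted in claim 14 with the first key), an HMAC-SHA256 over a provider identifier for the provider-node token issued by the second network element (claim 10), and a plain "provider token || info" payload layout. The identifiers "gNB-1" and "UE-1" and the key and parameter bytes are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AEAD for the symmetric-key path; the page names no cipher, AES-GCM is this example's assumption (key: 16, 24 or 32 bytes).
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a wrong key length is a programming error, not a protocol failure
	}
	gcm, _ := cipher.NewGCM(block) // only fails for a non-16-byte block size
	return gcm
}

func seal(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag
}

func open(key, sealed []byte) ([]byte, error) {
	gcm := aead(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Provider-node token (claim 10), modelled as HMAC-SHA256 over the provider identifier (assumption).
func IssueProviderToken(secondNEKey []byte, providerID string) []byte {
	mac := hmac.New(sha256.New, secondNEKey)
	mac.Write([]byte(providerID))
	return mac.Sum(nil)
}

// First-token payload layout (this example's choice): providerToken (32 bytes) || info.
func split(p []byte) (providerToken, info []byte, err error) {
	if len(p) < sha256.Size {
		return nil, nil, errors.New("first token payload too short")
	}
	return p[:sha256.Size], p[sha256.Size:], nil
}

// Claim 5, first branch (provider is an access or core network node): sign with the first network element's private key.
func SignFirstToken(priv ed25519.PrivateKey, providerToken, info []byte) []byte {
	p := append(append([]byte{}, providerToken...), info...)
	return append(ed25519.Sign(priv, p), p...) // signature || payload
}

// Claim 17: verify with the first network element's public key (claims 8 and 18) and recover the fourth information.
func OpenSignedFirstToken(pub ed25519.PublicKey, tok []byte) (providerToken, info []byte, err error) {
	if len(tok) < ed25519.SignatureSize {
		return nil, nil, errors.New("first token too short")
	}
	sig, p := tok[:ed25519.SignatureSize], tok[ed25519.SignatureSize:]
	if !ed25519.Verify(pub, p, sig) {
		return nil, nil, errors.New("first token signature invalid")
	}
	return split(p)
}

// Claim 5, second branch, and claim 14 (provider is the terminal): encrypt under the key shared
// with the terminal, which decrypts with the first key to recover the third information.
func SealFirstToken(key, providerToken, info []byte) []byte {
	return seal(key, append(append([]byte{}, providerToken...), info...))
}

func OpenSealedFirstToken(key, tok []byte) (providerToken, info []byte, err error) {
	p, err := open(key, tok)
	if err != nil {
		return nil, nil, err
	}
	return split(p)
}

// Claims 14 and 17, final decision: token info must equal the directly received info and the provider token must verify.
func RequesterAuthorized(providerToken, info, directInfo, secondNEKey []byte, providerID string) bool {
	return bytes.Equal(info, directInfo) && hmac.Equal(providerToken, IssueProviderToken(secondNEKey, providerID))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	k, params := []byte("constructed second-network-element key"), []byte("constructed session parameters")
	pt, info, err := OpenSignedFirstToken(pub, SignFirstToken(priv, IssueProviderToken(k, "gNB-1"), params))
	fmt.Println(err == nil && RequesterAuthorized(pt, info, params, k, "gNB-1")) // true
}
```

The two verification paths fail closed in the same way a provider node should: a token that is too short, carries an invalid signature or does not decrypt under the first key yields an error before any comparison, and even a well-formed token is only accepted when the embedded information matches what was received directly and the provider token checks out against the second network element's key, so a requester cannot substitute another provider's token or alter the transmitted information without being denied.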
19. A data service authorization device, wherein the data service authorization device is a first network element comprising a memory, a transceiver and a processor, wherein: the memory is configured to store a computer program; the transceiver is configured to send and receive data under the control of the processor; and the processor is configured to read the computer program in the memory and perform the following operations: receiving, through the transceiver, data service request information sent by a data service request node; performing authorization verification on the data service request node based on the data service request information; if the authorization verification of the data service request node is successful, generating a first token; and sending the first token to the data service provider node.
20. The device according to claim 19, wherein, when the data service request node is a terminal, the processor is configured to read the computer program in the memory and perform the following operations: decrypting the data service request information using a first key to obtain a terminal identifier and first information, the first information comprising at least one of the following: a data service request and a data subscription request, wherein the first key is an authorization key of the first network element, and the data service request information is encrypted using an encryption key generated on the terminal side; obtaining second information corresponding to the terminal identifier; determining whether the second information is consistent with the first information; and if the first information is consistent with the second information, determining that the authorization verification is successful, otherwise determining that the authorization verification is unsuccessful.
21. The device according to claim 19, wherein, when the data service requesting node is an access network node or a core network node, the processor is configured to read the computer program in the memory and perform the following operations: verifying the data service request information, the data service request information being a token of the data service providing node; and if the data service request information passes verification, determining that the authorization verification is successful, otherwise determining that the authorization verification is unsuccessful.
22. The device according to claim 19, wherein the processor is configured to read the computer program in the memory and perform the following operations: obtaining a token of the data service provider node; and signing the token of the data service provider node and information to be transmitted to the data service provider node to obtain the first token.
23. The device according to claim 22, wherein the processor is configured to read the computer program in the memory and perform at least one of the following operations: obtaining the first token by signing the token of the data service provider node and the information to be transmitted to the data service provider node using a private key of the first network element, wherein the data service provider node is an access network node or a core network node; and obtaining the first token by encrypting the token of the data service provider node and the information to be transmitted to the data service provider node using a symmetric key generated by the first network element and the terminal during terminal registration, wherein the data service provider node is the terminal.
24. The device according to claim 22 or 23, wherein the processor is configured to read the computer program in the memory and perform at least one of the following operations: obtaining the token of the data service provider node from a second network element; and the data service provider node sending the token to the data service requesting node.
25. The device according to claim 22 or 23, wherein the processor is further configured to read the computer program in the memory and perform the following operation: sending the information to be transmitted to the data service provider node.
26. The device according to claim 19, wherein the processor is further configured to read the computer program in the memory and perform the following operations: receiving a data service management registration request sent by an access network node or a core network node, the data service management registration request carrying security capability parameters; and sending a data service management registration response to the access network node or the core network node based on the security capability parameters, wherein, if the security capability parameters are encrypted and are successfully decrypted using the private key of the first network element, the data service management registration response does not carry the public key of the first network element; otherwise, the data service management registration response carries the public key of the first network element.
27. The device according to claim 19, wherein the processor is further configured to read the computer program in the memory and perform the following operation: receiving a symmetric key sent by a third network element, the symmetric key being generated based on a third network element key.
28. An information transmission device, wherein the information transmission device is a second network element comprising a memory, a transceiver and a processor, wherein: the memory is configured to store a computer program; the transceiver is configured to send and receive data under the control of the processor; and the processor is configured to read the computer program in the memory and perform the following operations: receiving, through the transceiver, a data service request message sent by a data service request node, the data service request message carrying an identifier of the data service request node; performing authorization verification on the data service request node based on the identifier of the data service request node; and if the authorization verification of the data service request node is successful, sending a token of the data service provider node to the data service request node.
29. The device according to claim 28, wherein the processor is configured to read the computer program in the memory and perform the following operations: obtaining, based on the identifier of the data service request node, a first data service capability reported by the data service request node; and if the first data service capability supports the data service capability requested by the data service request message, determining that the authorization verification is successful, otherwise determining that the authorization verification is unsuccessful.
30. The device according to claim 29, wherein the processor is configured to read the computer program in the memory and perform one of the following operations: looking up, based on the identifier of the data service request node, the first data service capability reported by the data service request node that corresponds to that identifier; and sending a query request to the first network element and receiving from the first network element the first data service capability reported by the data service request node, the query request carrying the identifier of the data service request node.
31. The device according to claim 29, wherein the processor is further configured to read the computer program in the memory and perform the following operation: receiving a second network element key sent by a third network element, the second network element key being generated based on a third network element key.
32. A terminal, comprising a memory, a transceiver and a processor, wherein: the memory is configured to store a computer program; the transceiver is configured to send and receive data under the control of the processor; and the processor is configured to read the computer program in the memory and perform the following operations: receiving, through the transceiver, a first token sent by a first network element; decrypting the first token using a first key to obtain third information, the third information comprising at least one of the following: a token of the data service provider node and information to be transmitted to the data service provider node; and if the information to be transmitted to the data service provider node obtained through decryption is consistent with the information to be transmitted to the data service provider node that is received directly, and the token of the data service provider node is successfully verified, determining that the data service requesting node has been authorized.
33. The terminal according to claim 32, wherein the processor is further configured to read the computer program in the memory and perform the following operations: receiving a first security parameter sent by a third network element; and obtaining the first key of the first network element based on the first security parameter.
34. The terminal according to claim 32, wherein the processor is further configured to read the computer program in the memory and perform the following operations: receiving a second security parameter sent by the third network element; obtaining a second key of a second network element based on the second security parameter; and sending a data service request message encrypted with the second key to the second network element, the data service request message carrying an identifier of the data service request node.
35. A data service authorization determination device, wherein the data service authorization determination device is an access network node or a core network node comprising a memory, a transceiver and a processor, wherein: the memory is configured to store a computer program; the transceiver is configured to send and receive data under the control of the processor; and the processor is configured to read the computer program in the memory and perform the following operations: receiving, through the transceiver, a first token sent by a first network element; verifying the first token using a public key of the first network element and obtaining fourth information, the fourth information comprising at least one of the following: a token of the data service provider node and information to be transmitted to the data service provider node; and if the information to be transmitted to the data service provider node obtained through decryption is consistent with the information to be transmitted to the data service provider node that is received directly, and the token of the data service provider node is successfully verified, determining that the data service requesting node has been authorized.
36. The device according to claim 35, wherein the processor is further configured to read the computer program in the memory and perform the following operations: sending a data service management registration request to the first network element, the data service management registration request carrying security capability parameters; and receiving a data service management registration response sent by the first network element, wherein, if the security capability parameters are encrypted, the data service management registration response does not carry the public key of the first network element; otherwise, the data service management registration response carries the public key of the first network element.
37. A data service authorization device, comprising: a first receiving unit, configured to receive data service request information sent by a data service request node; a first verification unit, configured to perform authorization verification on the data service request node based on the data service request information; a generation unit, configured to generate a first token when the authorization verification of the data service request node is passed; and a first sending unit, configured to send the first token to the data service provider node.
38. An information transmission device, comprising: a second receiving unit, configured to receive a data service request message sent by a data service request node, the data service request message carrying an identifier of the data service request node; a second verification unit, configured to perform authorization verification on the data service request node based on the identifier of the data service request node; and a second sending unit, configured to send a token of the data service providing node to the data service request node when the authorization verification of the data service request node is successful.
39. A data service authorization determination device, comprising: a third receiving unit, configured to receive a first token sent by a first network element; a first acquisition unit, configured to decrypt the first token using a first key and acquire third information, the third information comprising at least one of the following: a token of the data service provider node and information to be transmitted to the data service provider node; and a first determining unit, configured to determine that the data service requesting node has been authorized if the information to be transmitted to the data service providing node obtained through decryption is consistent with the information to be transmitted to the data service providing node that is received directly, and the token of the data service providing node is successfully verified.
40. A data service authorization determination device, comprising: a fourth receiving unit, configured to receive a first token sent by a first network element; a second acquisition unit, configured to verify the first token using a public key of the first network element and acquire fourth information, the fourth information comprising at least one of the following: a token of the data service provider node and information to be transmitted to the data service provider node; and a second determining unit, configured to determine that the data service requesting node has been authorized if the information to be transmitted to the data service providing node obtained through decryption is consistent with the information to be transmitted to the data service providing node that is received directly, and the token of the data service providing node is successfully verified.
41. A processor-readable storage medium storing a computer program for causing the processor to perform the method according to any one of claims 1 to 18.