Method, device, storage medium and system for identifying encrypted data stream

Document No.: 1510736. Publication date: 2020-02-07. Original language: Chinese.

Reading note: this technology, "一种加密数据流的识别方法、设备、存储介质及系统" (Method, device, storage medium and system for identifying encrypted data stream), was designed and created by 唐海 (Tang Hai) on 2018-05-03. Summary: the embodiments of the invention provide a method, a device, a readable storage medium and a system for identifying an encrypted data stream. The method can be applied to a core network device and comprises: receiving a data packet, sent by User Equipment (UE), that carries authentication data, the authentication data comprising a first authentication parameter, a first authentication result and an application identifier; obtaining a second authentication result from the first authentication parameter and a second authentication parameter according to a set authentication algorithm, the second authentication parameter being a prestored authentication parameter corresponding to the application identifier; and, when the second authentication result matches the first authentication result, establishing an association between the characteristic information of the data packet and the application identifier, the association being used subsequently to identify the encrypted data stream sent by the UE that corresponds to the application identifier.

A method for identifying an encrypted data stream, applied to a core network device, the method comprising:

receiving a data packet, sent by User Equipment (UE), that carries authentication data; the authentication data comprises a first authentication parameter, a first authentication result and an application identifier;

obtaining a second authentication result from the first authentication parameter and a second authentication parameter according to a set authentication algorithm; the second authentication parameter is a prestored authentication parameter corresponding to the application identifier;

when the second authentication result matches the first authentication result, establishing an association between the characteristic information of the data packet and the application identifier; the association is used subsequently to identify the encrypted data stream sent by the UE that corresponds to the application identifier; the characteristic information of the data packet may include one or more of: Internet Protocol (IP) source address, IP source port number, IP destination address, IP destination port number, media access control (MAC) source address, MAC source port number, MAC destination address, MAC destination port number, protocol type, and virtual local area network (VLAN) tag.

The method of claim 1, wherein the receiving a data packet carrying authentication data sent by a User Equipment (UE) comprises:

during the TLS handshake of application layer session establishment, the user plane of the core network device receives a first TLS handshake request sent by the UE; the authentication data is carried in a plaintext field of the first TLS handshake request.

The method of claim 2, wherein after receiving a data packet carrying authentication data sent by a User Equipment (UE), the method further comprises:

after detecting the authentication data in the plaintext field of the first TLS handshake request, the user plane of the core network device forwards the authentication data to the control plane of the core network device.

The method of claim 1, wherein the receiving a data packet carrying authentication data sent by a User Equipment (UE) comprises:

after the TLS handshake is completed, the user plane of the core network device receives an authentication request sent by the UE via a base station; the authentication data is carried in a GTP-U extension field of the authentication request.

The method of claim 4, wherein after receiving the data packet carrying authentication data sent by the UE, the method further comprises: after detecting the authentication data in the GTP-U extension field of the authentication request, the user plane of the core network device forwards the authentication data to the control plane of the core network device.

The method of any of claims 2 to 4, wherein the first authentication parameter comprises a random number; the second authentication parameter comprises a public key Ka.

The method according to any one of claims 2 to 4, wherein obtaining the second authentication result from the first authentication parameter and the second authentication parameter according to the set authentication algorithm comprises:

the control plane of the core network device obtaining the second authentication result from the first authentication parameter and the second authentication parameter according to the set authentication algorithm.

The method according to any one of claims 2 to 4, wherein, when the second authentication result matches the first authentication result, establishing the association between the characteristic information of the data packet and the application identifier comprises:

when the second authentication result matches the first authentication result, the control plane of the core network device passes the comparison result to the user plane of the core network device;

the user plane of the core network device establishes the association between the characteristic information of the data packet and the application identifier.

The method of claim 1, wherein the receiving a data packet carrying authentication data sent by a User Equipment (UE) comprises:

after the TLS handshake is completed, the control plane of the core network device receives a non-access stratum session management (NAS-SM) message sent by the UE; an extension field of the NAS-SM message comprises a first authentication parameter, a first authentication result, an application identifier and characteristic information carried in the NAS-SM message; the first authentication parameter comprises a random number and a public key Ka; the characteristic information carried in the NAS-SM message comprises the IP address, port number, protocol type and MAC address of the OTT server.

The method of claim 9, wherein obtaining a second authentication result according to a set authentication algorithm based on the first authentication parameter and the second authentication parameter comprises:

the control plane of the core network device obtains the second authentication result from the random number in the first authentication parameter and the public key in the second authentication parameter according to the set authentication algorithm.

The method according to claim 9 or 10, wherein, when the second authentication result matches the first authentication result, establishing the association between the characteristic information of the data packet and the application identifier comprises:

when the second authentication result matches the first authentication result, the control plane of the core network device generates the characteristic information of the data packet from the characteristic information of the OTT server and the characteristic information of the UE, and passes the generated characteristic information of the data packet and the application identifier to the user plane of the core network device; the characteristic information of the UE comprises the IP address, port and MAC address of the UE;

the user plane of the core network device establishes the association between the characteristic information of the data packet and the application identifier.

The method of claim 1, wherein after obtaining a second authentication result according to a set authentication algorithm based on the first authentication parameter and the second authentication parameter, the method further comprises:

the control plane of the core network device sends the result of comparing the second authentication result with the first authentication result to the UE via the user plane of the core network device.

The method of any one of claims 1 to 12, wherein the method further comprises:

receiving valid time information sent by the UE; the valid time information indicates the valid duration for which the association is used to identify the encrypted data stream.

The method of claim 13, wherein the method further comprises:

when the valid duration expires and transmission of the encrypted data stream has not finished, releasing the association.

The method of claim 14, wherein the method further comprises:

receiving a release indication message sent by the UE within the valid duration or after the valid duration has expired;

releasing the association based on the release indication message.

A method for transmitting an encrypted data stream, applied to a core network device, the method comprising:

after the association between the characteristic information of the data packet and the application identifier has been established, receiving a valid time message sent by User Equipment (UE); the valid time information indicates the valid duration for which the association is used to identify the encrypted data stream;

within the valid duration, transmitting the encrypted data stream with the UE based on the association;

receiving a release indication message sent by the UE;

releasing the association based on the release indication message.

The method of claim 16, wherein the method further comprises:

releasing the association after the valid duration has expired; or,

after the valid duration has expired, continuing to transmit the encrypted data stream with the UE and releasing the association once transmission of the encrypted data stream has finished.

A method for identifying an encrypted data stream, applied to User Equipment (UE), the method comprising:

sending a data packet carrying authentication data; the authentication data is used by the core network device to perform authentication and comprises a first authentication parameter, a first authentication result and an application identifier.

The method of claim 18, wherein the sending the data packet carrying the authentication data comprises:

during the TLS handshake of application layer session establishment, carrying the authentication data in a plaintext field of the first TLS handshake request;

sending the first TLS handshake request carrying the authentication data to the control plane of the core network device via the user plane of the core network device.

The method of claim 18, wherein the sending the data packet carrying the authentication data comprises:

after the TLS handshake is completed, sending an authentication request, with the authentication data carried in a PDCP extension field, to a base station; the base station moves the authentication data from the PDCP extension field into a GTP-U extension field and forwards the authentication request to the user plane of the core network device.

The method of claim 18, wherein the sending the data packet carrying the authentication data comprises:

after the TLS handshake is completed, sending a NAS-SM message to the control plane of the core network device; an extension field of the NAS-SM message comprises a first authentication parameter, a first authentication result, an application identifier and characteristic information carried in the NAS-SM message; the first authentication parameter comprises a random number and a public key Ka; the characteristic information carried in the NAS-SM message comprises the IP address, port number, protocol type and MAC address of the OTT server.

The method of claim 18, wherein the method further comprises:

receiving the authentication result returned by the control plane of the core network device.

The method of any of claims 18 to 22, wherein the method further comprises:

sending a valid time message to the core network device; the valid time information indicates the valid duration for which the association between the characteristic information of the data packet and the application identifier is used to identify the encrypted data stream.

The method of any of claims 18 to 22, wherein the method further comprises:

sending a release indication message to the core network device; the release indication message is used to release the association.

A method for transmitting an encrypted data stream, applied to User Equipment (UE), the method comprising:

sending a valid time message to a core network device; the valid time information indicates the valid duration for which the association between the characteristic information of the data packet and the application identifier is used to identify the encrypted data stream;

within the valid duration, transmitting the encrypted data stream with the core network device based on the association;

sending a release indication message to the core network device; the release indication message is used to release the association.

A method for identifying an encrypted data stream, applied to a core network device, the method comprising:

receiving service description information sent by User Equipment (UE); the service description information comprises an application identifier and/or data flow description information; the data flow description information includes at least one of: IP source address, IP source port number, IP destination address, IP destination port number, MAC source address, MAC source port number, MAC destination address, MAC destination port number, protocol type and VLAN tag;

identifying the encrypted data stream transmitted by the UE according to the established association between the characteristic information of the data packet and the application identifier.

The method of claim 26, wherein the receiving service description information sent by a User Equipment (UE) comprises:

the control plane of the core network device receives a control plane non-access stratum (NAS) message, sent by the UE, that contains the service description information.

The method of claim 26, wherein the receiving service description information sent by a User Equipment (UE) comprises:

the user plane of the core network device receives a user plane data packet containing the service description information.

The method of claim 28, wherein,

the service description information is carried in the PDCP header and/or the GTP-U header of the user plane data packet; or,

the service description information is carried in the IPv4 or IPv6 header of the user plane data packet; or,

the service description information is carried in the tunnel encapsulation header of the user plane data packet.

The method according to any one of claims 27 to 29, wherein, before identifying the encrypted data stream transmitted by the UE according to the established association between the characteristic information of the data packet and the application identifier, the method further comprises: determining that the service description information is credible.

The method of claim 30, wherein determining that the service description information is credible comprises:

receiving authentication information sent by the UE; the authentication information comprises an authentication parameter and a first authentication result;

obtaining a second authentication result from the authentication parameter;

when the first authentication result is the same as the second authentication result, determining that the service description information is credible.

The method of claim 26, wherein identifying the encrypted data stream transmitted by the UE according to the established association between the characteristic information of the data packet and the application identifier comprises:

the control plane of the core network device, interacting with the user plane of the core network device, establishes a filter for detecting the encrypted data stream of the UE according to the service description information.
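The core network side of the mechanism claimed above, as an added example written for this page and not code from the patent: a UE proves it may label a flow with an application identifier (claims 1 to 3, 9 to 11 and 18), the core network binds the packet's characteristic information to that identifier, honours the UE-supplied valid duration and release indication (claims 13 to 17), and treats a UE-declared flow description as credible only after the same check passes (claims 26 to 31). The patent does not name its "set authentication algorithm", so HMAC-SHA256 over the UE's random number under a per-application shared secret Ka is an assumption here, as are the application identifier, the key bytes, the addresses, and the reduction of the characteristic information to an IP 5-tuple.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Claim 1's "characteristic information", reduced here to an IP 5-tuple
# (src_ip, src_port, dst_ip, dst_port, protocol). Assumption for the example.
FlowKey = Tuple[str, int, str, int, str]

# Prestored "second authentication parameter" per application identifier.
# Constructed sample key, not a real credential; assumed to be a shared secret.
APP_KEYS: Dict[str, bytes] = {
    "app.video.example": bytes.fromhex("00112233445566778899aabbccddeeff"),
}


def auth_result(nonce: bytes, key: bytes) -> bytes:
    """The page's unspecified 'set authentication algorithm'; HMAC-SHA256 assumed."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def ue_auth_data(app_id: str, key: bytes) -> Tuple[bytes, bytes, str]:
    """UE side (claim 18): first parameter (random number), first result, app id."""
    nonce = secrets.token_bytes(16)
    return nonce, auth_result(nonce, key), app_id


def flow_key(ue_ip: str, ue_port: int, server_ip: str, server_port: int,
             proto: str = "tcp") -> FlowKey:
    """Claim 11: derive the packet's characteristic information from UE and OTT server info."""
    return (ue_ip, ue_port, server_ip, server_port, proto)


@dataclass
class Association:
    app_id: str
    expires_at: Optional[float] = None  # set once the UE sends valid time information


class CoreNetwork:
    """Control-plane authentication plus the user-plane association table, in one object."""

    def __init__(self, app_keys: Dict[str, bytes],
                 clock: Callable[[], float] = time.monotonic,
                 release_on_expiry: bool = True) -> None:
        self._keys = dict(app_keys)
        self._clock = clock
        self._release_on_expiry = release_on_expiry  # claim 14 (True) vs claim 17 (False)
        self._assoc: Dict[FlowKey, Association] = {}

    def authenticate(self, nonce: bytes, first_result: bytes, app_id: str) -> bool:
        """Recompute the second result from the prestored key and compare (claims 1, 31)."""
        key = self._keys.get(app_id)
        if key is None:
            return False  # no prestored parameter for this application identifier
        second_result = auth_result(nonce, key)
        # Constant-time comparison; the page only says the results must be "consistent".
        return hmac.compare_digest(second_result, first_result)

    def on_auth_packet(self, flow: FlowKey, nonce: bytes, first_result: bytes,
                       app_id: str) -> bool:
        """Claims 1-3, 9-11 and 26-31: bind the flow to app_id only after a successful check."""
        if not self.authenticate(nonce, first_result, app_id):
            return False
        self._assoc[flow] = Association(app_id)
        return True

    def on_valid_time(self, flow: FlowKey, seconds: float) -> bool:
        """Claims 13 and 16: the UE supplies the valid duration of the association."""
        assoc = self._assoc.get(flow)
        if assoc is None or seconds <= 0:
            return False
        assoc.expires_at = self._clock() + seconds
        return True

    def identify(self, flow: FlowKey, transfer_finished: bool = False) -> Optional[str]:
        """User-plane lookup for an encrypted packet: the application identifier, or None."""
        assoc = self._assoc.get(flow)
        if assoc is None:
            return None
        expired = assoc.expires_at is not None and self._clock() >= assoc.expires_at
        if expired:
            if self._release_on_expiry:        # claim 14: drop even mid-transfer
                del self._assoc[flow]
                return None
            if transfer_finished:              # claim 17: keep until the transfer ends
                del self._assoc[flow]
        return assoc.app_id

    def on_release(self, flow: FlowKey) -> bool:
        """Claims 15 and 16: explicit release indication from the UE."""
        return self._assoc.pop(flow, None) is not None
```

Two points a practitioner would check before building on this. The page calls Ka a public key, but a keyed MAC only authenticates while Ka stays secret on both sides; if Ka is genuinely public, the "set authentication algorithm" has to be a signature verification over the random number instead. And the authentication data travels in a plaintext TLS handshake field or a GTP-U or NAS extension, while the page does not say whether the core network remembers random numbers it has already accepted; this example does not, so the only thing tying a result to one flow is that the association is keyed by the packet that carried it.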

An identification method of encrypted data streams, the method being applied to a User Equipment (UE), the method comprising:

sending service description information to core network equipment; the service description information comprises an application identifier and/or data flow description information; the data flow description information includes at least one of: IP source address, IP source port number, IP destination address, IP destination port number, MAC source address, MAC source port number, MAC destination address, MAC destination port number, protocol type, and VLAN tag.

The method of claim 33, wherein the sending service description information to the core network device comprises:

carrying the service description information in a control plane non-access stratum (NAS) message and sending the message to the core network device.

The method of claim 33, wherein the sending service description information to the core network device comprises:

carrying the service description information in a user plane data packet;

sending the user plane data packet carrying the service description information to the core network device.

The method of claim 35, wherein carrying the service description information in the user plane data packet comprises:

adding the service description information to the PDCP header and/or the GTP-U header of the user plane data packet; or,

adding the service description information to the IPv4 or IPv6 header of the user plane data packet; or,

adding the service description information to the tunnel encapsulation header of the user plane data packet.

The method of any one of claims 33 to 36, wherein the method further comprises: sending authentication information to the core network equipment; the authentication information comprises an authentication parameter and a first authentication result.

A core network device, comprising a first receiving part, an authentication part and an establishing part; wherein

the first receiving part is configured to receive a data packet, sent by User Equipment (UE), that carries authentication data; the authentication data comprises a first authentication parameter, a first authentication result and an application identifier;

the authentication part is configured to obtain a second authentication result from the first authentication parameter and a second authentication parameter according to a set authentication algorithm; the second authentication parameter is a prestored authentication parameter corresponding to the application identifier;

the establishing part is configured to establish an association between the characteristic information of the data packet and the application identifier when the second authentication result matches the first authentication result; the association is used subsequently to identify the encrypted data stream sent by the UE that corresponds to the application identifier; the characteristic information of the data packet may include one or more of: Internet Protocol (IP) source address, IP source port number, IP destination address, IP destination port number, media access control (MAC) source address, MAC source port number, MAC destination address, MAC destination port number, protocol type, and virtual local area network (VLAN) tag.

The core network device of claim 38, wherein the first receiving part is configured to receive a first TLS handshake request sent by the UE during a TLS handshake procedure of application layer session establishment; wherein the authentication data is carried in a plaintext field in the first TLS handshake request.

The core network device of claim 38, wherein the first receiving part is configured to receive, at the user plane of the core network device after the TLS handshake is completed, an authentication request sent by the UE via a base station; the authentication data is carried in a GTP-U extension field of the authentication request.

The core network device of claim 38, wherein the first receiving part is configured to receive, at the control plane of the core network device after the TLS handshake is completed, a non-access stratum session management (NAS-SM) message sent by the UE; an extension field of the NAS-SM message comprises a first authentication parameter, a first authentication result, an application identifier and characteristic information carried in the NAS-SM message; the first authentication parameter comprises a random number and a public key Ka; the characteristic information carried in the NAS-SM message comprises the IP address, port number, protocol type and MAC address of the OTT server.

The core network device of claim 41, wherein the authentication part is configured to obtain the second authentication result from the random number in the first authentication parameter and the public key in the second authentication parameter according to the set authentication algorithm.

The core network device according to claim 41 or 42, wherein the establishing part is configured to:

when the second authentication result matches the first authentication result, generate the characteristic information of the data packet from the characteristic information of the OTT server and the characteristic information of the UE, and establish the association between the generated characteristic information of the data packet and the application identifier; the characteristic information of the UE comprises the IP address, port and MAC address of the UE.

The core network device of claim 38, wherein the core network device further comprises a first sending part configured to send a comparison result of the second authentication result and the first authentication result to the UE.

The core network device according to any one of claims 38 to 44, wherein the first receiving part is further configured to receive valid time information sent by the UE; the valid time information indicates the valid duration for which the association is used to identify the encrypted data stream.

The core network device according to claim 45, further comprising a control part configured to release the association if transmission of the encrypted data stream has not finished when the valid duration expires.

The core network device according to claim 46, wherein the first receiving part is further configured to receive a release indication message sent by the UE after the encrypted data stream has been transmitted;

the control part is further configured to release the association based on the release indication message.

A core network device, comprising a message receiving part, a first transmission part and a control part; the message receiving part is configured to receive, after the association between the characteristic information of the data packet and the application identifier has been established, a valid time message sent by User Equipment (UE); the valid time information indicates the valid duration for which the association is used to identify the encrypted data stream;

the first transmission part is configured to transmit the encrypted data stream with the UE based on the association within the valid duration;

the message receiving part is further configured to receive a release indication message sent by the UE;

the control part is configured to release the association based on the release indication message.

The core network device according to claim 48, wherein the control part is further configured to release the association after the valid duration has expired; or,

after the valid duration has expired, to continue transmitting the encrypted data stream with the UE and release the association once transmission of the encrypted data stream has finished.

A User Equipment (UE), comprising a second sending part configured to send a data packet carrying authentication data; the authentication data is used by the core network device to perform authentication and comprises a first authentication parameter, a first authentication result and an application identifier.

The UE of claim 50, wherein the second sending part is configured to: during the TLS handshake of application layer session establishment, carry the authentication data in a plaintext field of the first TLS handshake request;

and send the first TLS handshake request carrying the authentication data to the control plane of the core network device via the user plane of the core network device.

The UE of claim 50, wherein the second sending part is configured to: after the TLS handshake is completed, send an authentication request, with the authentication data carried in a PDCP extension field, to a base station; the base station moves the authentication data from the PDCP extension field into a GTP-U extension field and forwards the authentication request to the user plane of the core network device.

The UE of claim 50, wherein the second sending part is configured to: after the TLS handshake is completed, send a NAS-SM message to the control plane of the core network device; an extension field of the NAS-SM message comprises a first authentication parameter, a first authentication result, an application identifier and characteristic information carried in the NAS-SM message; the first authentication parameter comprises a random number and a public key Ka; the characteristic information carried in the NAS-SM message comprises the IP address, port number, protocol type and MAC address of the OTT server.

The UE of claim 50, further comprising a second receiving part configured to receive the authentication result returned by the control plane of the core network device.

The UE according to any one of claims 50 to 54, wherein the second sending part is further configured to send a valid time message to the core network device; the valid time information indicates the valid duration for which the association between the characteristic information of the data packet and the application identifier is used to identify the encrypted data stream.

The UE according to any one of claims 50 to 54, wherein the second sending part is further configured to send a release indication message to the core network device; the release indication message is used to release the association.

A UE, comprising a message sending part and a second transmission part; the message sending part is configured to send a valid time message to a core network device; the valid time information indicates the valid duration for which the association between the characteristic information of the data packet and the application identifier is used to identify the encrypted data stream;

the second transmission part is configured to transmit the encrypted data stream with the core network device based on the association within the valid duration;

the message sending part is further configured to send a release indication message to the core network device; the release indication message is used to release the association.

A core network device, comprising an information receiving part and an identifying part; wherein

the information receiving part is configured to receive service description information sent by User Equipment (UE); the service description information comprises an application identifier and/or data flow description information; the data flow description information includes at least one of: IP source address, IP source port number, IP destination address, IP destination port number, MAC source address, MAC source port number, MAC destination address, MAC destination port number, protocol type and VLAN tag;

the identifying part is configured to identify the encrypted data stream transmitted by the UE according to the established association between the characteristic information of the data packet and the application identifier.

A UE, comprising an information sending part configured to send service description information to a core network device; the service description information comprises an application identifier and/or data flow description information; the data flow description information includes at least one of: IP source address, IP source port number, IP destination address, IP destination port number, MAC source address, MAC source port number, MAC destination address, MAC destination port number, protocol type and VLAN tag.

A core network device, comprising a first network interface, a first memory and a first processor; wherein

the first network interface is used to receive and send signals while exchanging information with other external network elements;

the first memory is used to store a computer program that can run on the first processor;

the first processor, when running the computer program, is configured to perform the steps of the method of any one of claims 1 to 15, any one of claims 16 to 17, or any one of claims 26 to 32.

A User Equipment (UE), comprising a second network interface, a second memory and a second processor; wherein

the second network interface is used to receive and send signals while exchanging information with other external network elements;

the second memory is used to store a computer program that can run on the second processor;

the second processor, when running the computer program, is configured to perform the steps of the method of any one of claims 18 to 24, claim 25, or any one of claims 33 to 37.

A computer readable medium storing an identification program of an encrypted data stream, which when executed by at least one processor implements the steps of the method of any one of claims 1 to 15 or any one of claims 18 to 24.

A computer-readable medium storing a transmission program of an encrypted data stream, which when executed by at least one processor implements the steps of the method of any one of claims 16 to 17 or claim 25.

A computer readable medium storing an identification program of an encrypted data stream, which when executed by at least one processor implements the steps of the method of any one of claims 26 to 32 or any one of claims 33 to 37.

A system for identifying encrypted traffic, comprising a core network device and User Equipment (UE); wherein

the UE is configured to send a data packet carrying authentication data; the authentication data is used by the core network device to perform authentication and comprises a first authentication parameter, a first authentication result and an application identifier;

the core network device is configured to receive the data packet carrying authentication data sent by the UE;

obtain a second authentication result from the first authentication parameter and a second authentication parameter according to a set authentication algorithm; the second authentication parameter is a prestored authentication parameter corresponding to the application identifier;

and, when the second authentication result matches the first authentication result, establish an association between the characteristic information of the data packet and the application identifier; the association is used subsequently to identify the encrypted data stream sent by the UE that corresponds to the application identifier.
