Slice network protection method and device

Document No.: 196602 | Publication date: 2021-11-02

Reading notes: this technology, "Slice network protection method and device" (切片网络保护方法及装置), was designed and created by 邱权冠 and 苏国章 on 2021-07-27. Its main content is as follows. The invention discloses a slice network protection method and device. In the method, when a verification initiating network element receives a service request message from a service requester, it parses a first encrypted identifier and a user identifier from the message and sends a verification request carrying both to a verification network element; the verification network element performs identifier verification and, when verification passes, returns a verification response carrying the plaintext slice identifier to the verification initiating network element. Inside the core network, the verification initiating network element communicates with the other network elements using the plaintext slice identifier; outside the core network, it communicates with external user equipment, external network elements and the like using only the first encrypted identifier. With the slice network protection method provided by the embodiments of this application, an attacker cannot obtain slice network information, so the security of the slice network is effectively protected.

1. A slice network protection method, comprising:

receiving a service request message from a service requester; wherein the service request message comprises a first encrypted identifier and a user identifier;

sending a verification request to a verification network element according to the service request message; wherein the verification request comprises the first encrypted identifier and the user identifier;

receiving a verification response from the verification network element; wherein the verification response comprises a plaintext slice identifier corresponding to the first encrypted identifier;

communicating with an internal network element of a core network according to the plaintext slice identifier;

and communicating with external equipment of the core network or an external network element of the core network according to the first encrypted identifier.

2. The slice network protection method according to claim 1, further comprising:

after a first time length has elapsed, when the service request message is received again, sending the verification request to the verification network element again.

3. A slice network protection method, comprising:

receiving a verification request from a verification initiating network element; wherein the verification request comprises a first encrypted identifier and a user identifier;

performing identifier verification according to the first encrypted identifier and the user identifier;

when the identifier verification passes, sending a verification response to the verification initiating network element; wherein the verification response comprises a plaintext slice identifier corresponding to the first encrypted identifier.

4. The slice network protection method according to claim 3, wherein performing identifier verification according to the first encrypted identifier and the user identifier comprises:

determining an encryption algorithm, an encryption value and the plaintext slice identifier according to the user identifier and a binding result; wherein the binding result represents a correspondence among the user identifier, the plaintext slice identifier, the encryption value and the encryption algorithm;

determining a second encrypted identifier according to the user identifier, the encryption algorithm, the encryption value and the plaintext slice identifier;

and if the first encrypted identifier matches the second encrypted identifier, the identifier verification passes.

5. The slice network protection method according to claim 4, wherein the identifier verification further comprises:

if the first encrypted identifier does not match the second encrypted identifier, sending an access failure message to the verification initiating network element, so that the verification initiating network element rejects the service request of the service requester.

6. A slice network protection method, comprising:

a service requester sending a service request message to a verification initiating network element; wherein the service request message comprises a first encrypted identifier and a user identifier;

in response to the service request message, the verification initiating network element sending a verification request to a verification network element; wherein the verification request comprises the first encrypted identifier and the user identifier;

in response to the verification request, the verification network element performing identifier verification;

when the identifier verification passes, the verification network element sending a verification response to the verification initiating network element; wherein the verification response comprises a plaintext slice identifier corresponding to the first encrypted identifier.

7. The slice network protection method according to claim 6, wherein:

the verification network element is an identity authentication and authorization function network element;

when the service requester is user equipment, the corresponding verification initiating network element is an access and mobility management function network element;

when the service requester is a security edge protection proxy network element of the roaming network, the corresponding verification initiating network element is a security edge protection proxy network element of the home network;

and when the service requester is an external network element of the core network, the corresponding verification initiating network element is a network exposure function network element.

8. The slice network protection method according to claim 7, further comprising a step of generating the first encrypted identifier, which comprises:

acquiring a user identifier of the user equipment;

acquiring the plaintext slice identifier;

and determining the first encrypted identifier according to the user identifier, the plaintext slice identifier, a preset encryption value and a preset encryption algorithm.

9. The slice network protection method according to claim 8, further comprising:

binding the user identifier, the plaintext slice identifier, the encryption value and the encryption algorithm to determine a binding result; wherein the binding result represents the correspondence among the user identifier, the plaintext slice identifier, the encryption value and the encryption algorithm;

storing the binding result in the verification network element;

and storing the first encrypted identifier in the user equipment and in the external network element of the core network.

10. An apparatus, comprising:

at least one processor;

at least one memory storing at least one program;

wherein the at least one program, when executed by the at least one processor, causes the at least one processor to implement the slice network protection method of any one of claims 1 to 9.

Technical Field

The present application relates to the field of communications, and in particular, to a method and an apparatus for protecting a slice identifier.

Background

The 5G system introduces the concept of the network slice. Different slices have different performance specifications and can serve different industries, each forming an industry private network that eases management within the industry and information exchange among its members. However, while a user is using a slice, information about the slice may leak through the communication messages exchanged between the core network and the outside (external network elements, user equipment and the like), which threatens the security of the slice.

Disclosure of Invention

The present application is directed to solving, at least to some extent, one of the technical problems in the related art. Therefore, the application provides a slice identifier protection method and device, which can effectively protect the security of a slice network.

In a first aspect, an embodiment of the present application provides a slice network protection method, including: receiving a service request message from a service requester, wherein the service request message includes a first encrypted identifier and a user identifier; sending a verification request to a verification network element according to the service request message, wherein the verification request includes the first encrypted identifier and the user identifier; receiving a verification response from the verification network element, wherein the verification response includes a plaintext slice identifier corresponding to the first encrypted identifier; communicating with an internal network element of a core network according to the plaintext slice identifier; and communicating with external equipment of the core network or an external network element of the core network according to the first encrypted identifier.

Optionally, the protection method further includes: after a first time length has elapsed, when the service request message is received again, sending the verification request to the verification network element again.

In a second aspect, an embodiment of the present application provides a slice network protection method, including: receiving a verification request from a verification initiating network element, wherein the verification request includes a first encrypted identifier and a user identifier; performing identifier verification according to the first encrypted identifier and the user identifier; and when the identifier verification passes, sending a verification response to the verification initiating network element, wherein the verification response includes a plaintext slice identifier corresponding to the first encrypted identifier.

Optionally, performing identifier verification according to the first encrypted identifier and the user identifier includes:

determining an encryption algorithm, an encryption value and the plaintext slice identifier according to the user identifier and a binding result, wherein the binding result represents the correspondence among the user identifier, the plaintext slice identifier, the encryption value and the encryption algorithm; determining a second encrypted identifier according to the user identifier, the encryption algorithm, the encryption value and the plaintext slice identifier; and if the first encrypted identifier matches the second encrypted identifier, the identifier verification passes.

Optionally, the identifier verification further includes: if the first encrypted identifier does not match the second encrypted identifier, sending an access failure message to the verification initiating network element, so that the verification initiating network element rejects the service request of the service requester.

In a third aspect, an embodiment of the present application provides a slice network protection method, including: a service requester sending a service request message to a verification initiating network element, wherein the service request message includes a first encrypted identifier and a user identifier; in response to the service request message, the verification initiating network element sending a verification request to a verification network element, wherein the verification request includes the first encrypted identifier and the user identifier; in response to the verification request, the verification network element performing identifier verification; and when the identifier verification passes, the verification network element sending a verification response to the verification initiating network element, wherein the verification response includes a plaintext slice identifier corresponding to the first encrypted identifier.

Optionally: the verification network element is an identity authentication and authorization function network element; when the service requester is user equipment, the corresponding verification initiating network element is an access and mobility management function network element; when the service requester is the security edge protection proxy network element of the roaming network, the corresponding verification initiating network element is the security edge protection proxy network element of the home network; and when the service requester is an external network element of the core network, the corresponding verification initiating network element is a network exposure function network element.

Optionally, the protection method further includes a step of generating the first encrypted identifier, which includes: acquiring a user identifier of the user equipment; acquiring the plaintext slice identifier; and determining the first encrypted identifier according to the user identifier, the plaintext slice identifier, a preset encryption value and a preset encryption algorithm.

Optionally, the protection method further includes: binding the user identifier, the plaintext slice identifier, the encryption value and the encryption algorithm to determine a binding result, wherein the binding result represents the correspondence among the user identifier, the plaintext slice identifier, the encryption value and the encryption algorithm; storing the binding result in the verification network element; and storing the first encrypted identifier in the user equipment and in the external network element of the core network.

In a fourth aspect, an embodiment of the present application provides an apparatus, including: at least one processor; and at least one memory storing at least one program which, when executed by the at least one processor, causes the at least one processor to implement the slice network protection method of any one of the first, second or third aspects.

The embodiments of the present application have the following beneficial effects. When the verification initiating network element receives a service request message from a service requester, it parses a first encrypted identifier and a user identifier from the message and sends a verification request carrying both to the verification network element. The verification network element performs identifier verification according to the first encrypted identifier and the user identifier and, when verification passes, returns a verification response carrying the plaintext slice identifier corresponding to the first encrypted identifier. Inside the core network, the verification initiating network element communicates with the other network elements using the plaintext slice identifier; outside the core network, it communicates with external user equipment, external network elements and the like using only the first encrypted identifier. Because the plaintext slice identifier is transmitted only inside the core network, an attacker can obtain no slice network information from external user equipment or network elements, nor from the messages exchanged between the core network and the outside, and the security of the slice network is effectively protected.

Drawings

The accompanying drawings are included to provide a further understanding of the claimed subject matter and are incorporated in and constitute a part of this specification, illustrate embodiments of the subject matter and together with the description serve to explain the principles of the subject matter and not to limit the subject matter.

Fig. 1 is a first schematic diagram of a slice network protection system provided in an embodiment of the present application;

fig. 2 is a second schematic diagram of a slice network protection system according to an embodiment of the present application;

fig. 3 is a flowchart of a first step of a slice network protection method provided in an embodiment of the present application;

fig. 4 is a flowchart of steps provided in an embodiment of the present application to generate a first encrypted identifier;

fig. 5 is a flowchart of a second step of a slice network protection method provided in an embodiment of the present application;

fig. 6 is a flowchart of the identifier verification steps provided in an embodiment of the present application;

fig. 7 is a schematic diagram of an apparatus provided in an embodiment of the present application.

Detailed Description

In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.

It should be noted that although functional block divisions are provided in the system drawings and logical orders are shown in the flowcharts, in some cases, the steps shown and described may be performed in different orders than the block divisions in the systems or in the flowcharts. The terms first, second and the like in the description and in the claims, and the drawings described above, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.

While a user is using a slice network, information about the slice may leak through the communication messages exchanged between the core network and the outside, external network elements, user equipment and the like. To protect this information, the related art has proposed some solutions; for example, in the current 3GPP TS 23.501, TS 23.502 and TS 33.501 specifications, the NSSAAF (Network Slice-Specific Authentication and Authorization Function) network element is responsible for authentication and authorization of slice access. However, an attacker can still intercept the specific slice identifier from the user equipment or from an external network element of the core network, that is, learn which slice the user uses to transmit which data, and then attack and disrupt that slice, so a potential security risk remains.

On this basis, the embodiments of the present application provide a slice network protection method and apparatus. When the verification initiating network element receives a service request message from a service requester, it parses a first encrypted identifier and a user identifier from the message and sends a verification request carrying both to the verification network element; the verification network element performs identifier verification according to the first encrypted identifier and the user identifier and, when verification passes, returns a verification response carrying the plaintext slice identifier corresponding to the first encrypted identifier. Inside the core network, the verification initiating network element uses the plaintext slice identifier when communicating with the other network elements; outside the core network, it uses only the first encrypted identifier when communicating with external user equipment, external network elements and the like. The plaintext slice identifier therefore never leaves the core network, so an attacker can learn nothing about the slice network from external user equipment or network elements, nor from the messages crossing the core-network boundary, and the security of the slice network is effectively protected.

The embodiments of the present application will be further explained with reference to the drawings.

Referring to fig. 1, fig. 1 is a first schematic diagram of a slice network protection system provided in an embodiment of the present application, to which the slice network protection method provided in the embodiment may be applied. The slice network protection system 100 includes a service requester 110, a verification initiating network element 120 and a verification network element 130.

As shown in fig. 1, a service requester is a general term for a device or external network element that needs to use a slice identifier to access the slice network system. In the embodiment of the present application, the service requester includes, but is not limited to, a UE (User Equipment) and an AF (Application Function) network element outside the core network. When the UE is roaming, it must access its home core network indirectly through the core network of the roaming network, and its service request is forwarded to the home core network by the security edge protection proxy network element of the roaming network, so the service requester in this embodiment also includes the security edge protection proxy network element of the roaming network.

When a service requester initiates a service request, the corresponding network element of the core network receives the service request message and initiates a verification request; the network elements inside the core network that receive the service request message and initiate the verification request are collectively referred to as verification initiating network elements.

It is to be understood that the verification initiating network element differs for different service requesters; the specific correspondence may be as shown in fig. 2, which is a second schematic diagram of the slice network protection system provided in the embodiment of the present application. Since fig. 2 and fig. 1 represent the same system, fig. 2 reuses the reference numerals of fig. 1 for the same parts. In fig. 2, the home core network is denoted by reference numeral 210 and the roaming core network by 220, and the system 100 includes a user equipment (UE) 230, a base station 240, a first access and mobility management network element (AMF1) 250, an external network element (AF) 260, a network exposure function network element (NEF) 270, a second access and mobility management network element (AMF2) 280, a second security edge protection proxy network element (SEPP2) 290, a first security edge protection proxy network element (SEPP1) 2100, and a verification network element (NSSCF) 2110.

As shown in fig. 2, when the service requester is a UE that needs to register with its home core network, the UE sends the service request message to the home core network through the base station, and the verification initiating network element that receives the service request message inside the home core network is the first access and mobility management network element, AMF1 (Access and Mobility Management Function). When the service requester is an AF outside the core network that wants to access the home core network, it must send the service request message to the network exposure function network element, NEF (Network Exposure Function), and the verification initiating network element is then the NEF. When the user equipment is roaming and needs to access a slice network of its home network, it first reaches the AMF2 network element of the roaming core network through the base station; AMF2 sends the service request message to the second security edge protection proxy network element (SEPP2) of the roaming core network, and SEPP2 forwards it to the first security edge protection proxy network element (SEPP1) of the home core network. In this case, consistent with claim 7, the service requester is the security edge protection proxy network element of the roaming network (SEPP2), and the verification initiating network element is the security edge protection proxy network element of the home network (SEPP1).

When the verification initiating network element receives the service request message from the service requester, it sends a verification request to the verification network element. In this embodiment, to verify the first encrypted identifier, a verification network element NSSCF (Network Slice Security Configuration Function) is provided inside the core network; the NSSCF is responsible for configuring the user slice identifiers corresponding to each slice network and for configuring the encryption algorithm. The verification network element performs identifier verification according to the verification request and thereby determines whether the service requester may access the core network.

In the related art, a service requester sends a service request to a designated network element of the core network; the service request carries the plaintext slice identifier, and the core network finds the corresponding slice network from that plaintext identifier so that the service requester can access it. However, both the slice identifier stored on the service requester itself and the slice identifier carried in the communication messages between the service requester and the core network are in plaintext, so once the slice identifier is intercepted, an attacker can pick out the slice network to attack from it and threaten the core network.

On this basis, the embodiment of the application provides a slice network protection method that encrypts the slice identifier, so that an attacker cannot determine a specific slice network from an intercepted encrypted identifier and cannot mount a targeted attack, which effectively protects the security of the slice network. The slice network protection method proposed by the present application is also illustrated in fig. 1 and is explained below.

Referring to fig. 3, fig. 3 is a flowchart of the first part of a slice network protection method provided in this embodiment; the method is performed by the verification initiating network element and includes, but is not limited to, steps S300 to S340:

S300, receiving a service request message from a service requester;

Specifically, the verification initiating network element located in the core network receives the service request message from the service requester. Different service requesters send their service request messages to different verification initiating network elements; the specific correspondence between service requester and verification initiating network element has been described in detail above with reference to fig. 2 and is not repeated here.

In this step, the verification initiating network element receives a service request message that includes the first encrypted identifier and the user identifier. The user identifier is the SUPI (Subscription Permanent Identifier) of the enterprise user accessing the core network, and the first encrypted identifier is the identifier the user presents to access a given slice network; its generation is described with reference to the method steps of fig. 4.

Referring to fig. 4, fig. 4 is a flowchart illustrating steps of generating a first encrypted identifier according to an embodiment of the present application, where the method includes, but is not limited to, steps S400 to S420:

s400, acquiring a user identifier of the user equipment;

Specifically, the user identifier is the SUPI of the enterprise user of the core network mentioned above. Different user equipment has different SUPIs, so an encrypted slice identifier that differs from those of other user equipment can be generated from it.

S410, acquiring a plaintext slice identifier;

Specifically, the plaintext slice identifier S-NSSAI (Single Network Slice Selection Assistance Information) identifies the slice network the user needs to access; it is normally carried in communication messages, and the core network identifies the specific slice network from it.

S420, determining a first encryption identifier according to the user identifier, the plaintext slice identifier, a preset encryption value and a preset encryption algorithm;

Specifically, the plaintext slice identifier is the slice identifier corresponding to each slice network; from it one can determine which slice network the user uses to transmit which data. The encryption algorithm generates an encrypted slice identifier from the plaintext slice identifier, the user identifier and the encryption value; the first encrypted identifier and the second encrypted identifier in this embodiment are both encrypted slice identifiers of this kind. The encryption algorithm can be defined privately inside the core network, so even an attacker who obtains an encrypted slice identifier cannot invert it, cannot recover the plaintext slice identifier, and therefore cannot determine which slice network to attack, which improves the security of the core network. Because the verification network element later recomputes the identifier and compares it (claim 4), the algorithm must be deterministic for a given user identifier, plaintext slice identifier and encryption value. The encryption value is an encryption parameter customised for each slice network; to distinguish the different slice networks it accesses, the same user can be given a different encryption value for each slice network.

The user identifier, the plaintext slice identifier and the preset encryption value are therefore used as the parameters, and the first encrypted identifier is calculated with the preset encryption algorithm.

It can be understood that once the first encrypted identifier has been calculated, it is stored in the user equipment and in the external network element of the core network; when the external equipment or external network element accesses the core network, it carries the first encrypted identifier to indicate which slice network it needs to access. Inside the core network, the user identifier, the plaintext slice identifier, the encryption value and the encryption algorithm are bound to determine a binding result, which represents the correspondence among them. The binding result is stored in the verification network element, which can then perform identifier verification on the verification requests it receives.

It is understood that, in the embodiments of the present application, the binding result represents the correspondence between the user identifier, the plaintext slice identifier, the encrypted value, and the encryption algorithm, and in the actual use process, other parameters may also participate in the encryption process of the slice identifier, and these parameters may also be added to the binding result.

Through steps S400-S420, the embodiment of the present application provides a method for generating a first encrypted identifier, and as already described in step S300, the description of step S310 is started below.

S310, sending a verification request to a verification network element according to the service request message;

Specifically, the verification initiating network element parses the received service request message to obtain the first encryption identifier and the user identifier. In order for the service requester to access the core network normally, the verification initiating network element needs to initiate a verification request to the verification network element; the verification request carries the first encryption identifier and the user identifier and is used to request that the verification network element verify the service requester, so as to determine whether the service requester may access the slice network.

S320, receiving a verification response from the verification network element;

Specifically, the verification initiating network element receives a verification response from the verification network element. The verification response indicates that the verification network element considers that the service requester may access the core network, and it carries the plaintext slice identifier corresponding to the first encryption identifier; through the plaintext slice identifier, the network elements in the core network can know which slice network in the core network specifically needs to be accessed.

S330, communicating with an internal network element of the core network according to the plaintext slice identifier;

Specifically, after receiving the plaintext slice identifier, the verification initiating network element may communicate with the internal network elements of the core network according to the plaintext slice identifier; the network elements within the core network then know which slice network should be accessed without performing verification multiple times, which completes the process by which the service requester normally accesses the core network.

S340, communicating with equipment or network elements outside the core network according to the first encryption identifier.

Specifically, after receiving the verification response, the verification initiating network element may provide the service flow through which the service requester normally accesses the core network, and whenever the verification initiating network element needs to communicate with a user equipment, a base station or an AF outside the core network, the first encryption identifier is used.

Through steps S330 to S340, in the embodiment of the present application, the inside of the core network, including the verification initiating network element and the verification network element, is treated as a trusted area, while the outside of the core network, including external devices, the AF and other core networks, is treated as an untrusted area; service flows in the trusted area all use plaintext slice identifiers, and service flows in the untrusted area all use first encryption identifiers.

For example, when the service initiator is a UE that needs to register with the local core network and the verification initiating network element receives a verification response, the access network side including the UE is an untrusted area: the access network side uses the first encryption identifier, and the core network side uses the plaintext slice identifier. For another example, when the service initiator is the SEPP of the visited network, that is, when the UE is roaming and indirectly accesses the home core network through the visited core network, the visited core network is regarded as an untrusted area: the first encryption identifier is used on the visited core network side, and the plaintext slice identifier is used inside the home core network. For another example, when the service initiator is an AF, the AF side is an untrusted area: when the NEF communicates with the AF, the NEF uses the first encryption identifier, and the plaintext slice identifier is used inside the core network.

And after a first duration, when a service request message is received again, the verification request is sent to the verification network element again.

In some embodiments, after the verification initiating network element receives the plaintext slice identifier, it may store the plaintext slice identifier temporarily and, for a period of time referred to as the first duration, not send a verification request to the verification network element again. The first duration is set mainly so that the service requester can directly access the core network within the first duration, reducing redundant service requests and verification requests. After the first duration, the service requests of the service requester need to be verified again, so the verification initiating network element sends a verification request to the verification network element again after it receives the next service request message.

Through steps S300 to S340, the verification initiating network element in the embodiment of the present application receives a service request message sent by a service requester, parses the service request message to obtain a first encryption identifier and a user identifier, and sends a verification request carrying the first encryption identifier and the user identifier to the verification network element. When the verification initiating network element receives the verification response, it communicates with each network element inside the core network by using the plaintext slice identifier, and outside the core network it communicates with external user equipment, external network elements and so on by using the first encryption identifier. According to the slice network protection method provided by the embodiment of the application, the plaintext slice identifier corresponding to a slice network is transmitted only inside the core network, so that lawbreakers can neither acquire slice network information from external user equipment or network elements nor from the messages exchanged between the core network and the outside, and the security of the slice network can therefore be effectively protected.
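As an added illustration, not code from the patent, the following Python sketch models the verification initiating network element of steps S300 to S340 together with the first duration cache and the trusted/untrusted area rule: the verification network element is abstracted as an injected callback, and the zone labels, the message layout and the duration value are assumptions.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Stand-in for the verification network element (assumed interface): given the
# user identifier and the first encryption identifier it returns the plaintext
# slice identifier when identifier verification passes, or None on access failure.
Verifier = Callable[[str, str], Optional[str]]

# Assumed zone labels: only the core network itself is the trusted area.
TRUSTED_ZONES = {"core"}
UNTRUSTED_ZONES = {"access_network", "visited_core", "af"}


def identifier_for_zone(zone: str, plaintext_slice_id: str, first_encrypted_id: str) -> str:
    """Pick the slice identifier a message may carry: plaintext only inside the
    trusted area, the first encryption identifier everywhere else. An unknown
    zone fails closed so the plaintext identifier is never leaked by default."""
    if zone in TRUSTED_ZONES:
        return plaintext_slice_id
    if zone in UNTRUSTED_ZONES:
        return first_encrypted_id
    raise ValueError(f"unknown zone {zone!r}")


@dataclass
class CachedSlice:
    plaintext_slice_id: str
    expires_at: float   # clock value after which re-verification is required


class VerificationInitiatingNetworkElement:
    def __init__(self, verifier: Verifier, first_duration_s: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._verifier = verifier
        self._first_duration_s = first_duration_s
        self._clock = clock
        self._cache: Dict[Tuple[str, str], CachedSlice] = {}
        self.verification_requests_sent = 0   # counter for observability

    def handle_service_request(self, message: dict) -> dict:
        """Parse the service request (S300), verify through the verification
        network element unless a result is still within the first duration, and
        return the identifiers to use on the trusted and untrusted sides (S330/S340)."""
        user_id = message["user_id"]
        first_encrypted_id = message["first_encrypted_id"]
        key = (user_id, first_encrypted_id)
        now = self._clock()
        entry = self._cache.get(key)
        if entry is None or entry.expires_at <= now:
            # No valid cached result: send the verification request (S310/S320).
            self.verification_requests_sent += 1
            plaintext = self._verifier(user_id, first_encrypted_id)
            if plaintext is None:
                self._cache.pop(key, None)
                return {"result": "rejected"}
            entry = CachedSlice(plaintext, now + self._first_duration_s)
            self._cache[key] = entry
        return {
            "result": "accepted",
            "internal_slice_id": entry.plaintext_slice_id,   # trusted area only
            "external_slice_id": first_encrypted_id,         # untrusted area
        }
```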

Referring to fig. 5, fig. 5 is a flowchart of the second set of steps of the slice network protection method provided in an embodiment of the present application; the steps in fig. 5 may be applied to the verification network element in fig. 1, and the method includes, but is not limited to, steps S500-S520:

S500, receiving a verification request from the verification initiating network element;

Specifically, referring to the foregoing step S310, the verification network element located in the core network receives the verification request from the verification initiating network element; since the verification request contains the first encryption identifier and the user identifier, the verification network element obtains both when it parses the verification request. The verification network element then verifies the service requester according to the verification request, so as to determine whether the service requester may access the slice network.

S510, performing identifier verification according to the first encryption identifier and the user identifier;

Specifically, the service requester is verified according to the first encryption identifier and the user identifier in the verification request. The identifier verification process may refer to the method steps in fig. 6; fig. 6 is a flowchart of the identifier verification steps provided in an embodiment of the present application, and the method includes, but is not limited to, steps S600 to S620:

S600, determining the encryption algorithm, the encryption value and the plaintext slice identifier according to the user identifier and the binding result;

Specifically, the binding result represents the correspondence among the user identifier, the plaintext slice identifier, the encryption value and the encryption algorithm, and after the plaintext slice identifier has been encrypted, the binding result is stored in the verification network element.

S610, determining a second encryption identifier according to the user identifier, the encryption algorithm, the encryption value and the plaintext slice identifier;

Specifically, the encryption algorithm, the encryption value and the plaintext slice identifier corresponding to the user identifier are determined in step S600. As mentioned above, an encrypted slice identifier is generated by the preset encryption algorithm from the user identifier, the encryption value and the plaintext slice identifier, so in this step the encrypted slice identifier corresponding to the user identifier is regenerated, that is, a second encryption identifier is generated.

S620, if the first encryption identifier matches the second encryption identifier, the identifier verification is passed.

Specifically, the second encryption identifier generated in step S610 is matched against the received first encryption identifier; if the first encryption identifier is the same as the second encryption identifier, the first encryption identifier sent by the service requester is correct, and the identifier verification is passed.

It is understood that if the first encryption identifier does not match the second encryption identifier, the first encryption identifier sent by the service requester is wrong, which may be because the service requester is accessing the wrong slice network or because a wrong first encryption identifier is stored in the user equipment; in that case the identifier verification cannot be passed.

Through steps S600-S620, the embodiment of the present application provides the specific steps of identifier verification. Step S510 having been described, the description of step S520 follows.

S520, when the identifier verification passes, sending a verification response to the verification initiating network element;

Specifically, referring to the foregoing step S320, the verification network element sends a verification response to the verification initiating network element. The verification response indicates that the verification network element considers that the service requester may access the core network, and it carries the plaintext slice identifier corresponding to the first encryption identifier; through the plaintext slice identifier, a network element inside the core network can know which slice network in the core network specifically needs to be accessed.

It can be understood that, if the identifier verification in step S510 fails, the verification network element considers that the service requester may not access the core network; therefore, the verification network element sends an access failure message to the verification initiating network element, so that the verification initiating network element rejects the service request of the service requester, preventing the service requester from accessing the wrong slice network.

Through steps S500-S520, in the embodiment of the present application, when the verification network element receives the verification request sent by the verification initiating network element, it parses the verification request to obtain the first encryption identifier and the user identifier, performs identifier verification according to the first encryption identifier and the user identifier, and when the verification passes, sends the verification response carrying the plaintext slice identifier corresponding to the first encryption identifier to the verification initiating network element, so that the service requester can normally access the corresponding slice network.
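As an added example, not code from the patent, the following Python sketch models the verification network element of steps S500 to S520: the regeneration of the second encryption identifier from the stored binding result (S600 to S620) and the generation of the first encryption identifier described in steps S400 to S420, generalized to several bindings per user since the text allows different encryption values for different slice networks. The page leaves the encryption algorithm to the core network, so HMAC-SHA256 keyed with the encryption value is an assumed stand-in, and the class names, message layout and sample identifiers are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class BindingResult:
    """One entry of the binding result stored in the verification network element:
    the plaintext slice identifier, the encryption value and the encryption
    algorithm bound to a user identifier (assumed layout)."""
    plaintext_slice_id: str
    encryption_value: bytes
    algorithm: str


def encrypted_slice_id(user_id: str, plaintext_slice_id: str,
                       encryption_value: bytes, algorithm: str) -> str:
    """Generate an encrypted slice identifier from the user identifier, the plaintext
    slice identifier and the encryption value (steps S400 to S420). The page leaves
    the algorithm to the core network; keyed HMAC-SHA256 is an assumed stand-in, so
    an outsider without the encryption value cannot recover the plaintext identifier."""
    if algorithm != "hmac-sha256":
        raise ValueError(f"unsupported encryption algorithm {algorithm!r}")
    message = f"{user_id}|{plaintext_slice_id}".encode()   # separator avoids ambiguity
    return hmac.new(encryption_value, message, hashlib.sha256).hexdigest()


class VerificationNetworkElement:
    def __init__(self) -> None:
        # Binding result: user identifier -> bindings, one per slice network the
        # user may access, each with its own encryption value.
        self._bindings: Dict[str, List[BindingResult]] = {}

    def bind(self, user_id: str, binding: BindingResult) -> str:
        """Store a binding and return the first encryption identifier that the user
        equipment or external network element must carry when accessing the core."""
        self._bindings.setdefault(user_id, []).append(binding)
        return encrypted_slice_id(user_id, binding.plaintext_slice_id,
                                  binding.encryption_value, binding.algorithm)

    def handle_verification_request(self, request: dict) -> dict:
        """S500 to S520: look up the bindings for the user (S600), regenerate the
        second encryption identifier (S610) and compare it with the received first
        encryption identifier (S620) in constant time. On a match the verification
        response carries the plaintext slice identifier; otherwise access failure."""
        user_id = request["user_id"]
        first = request["first_encrypted_id"].encode()
        for binding in self._bindings.get(user_id, []):
            second = encrypted_slice_id(user_id, binding.plaintext_slice_id,
                                        binding.encryption_value, binding.algorithm)
            if hmac.compare_digest(first, second.encode()):
                return {"result": "pass", "plaintext_slice_id": binding.plaintext_slice_id}
        # No binding of this user reproduces the identifier: wrong slice network,
        # or a stale identifier stored on the user equipment.
        return {"result": "access_failure"}
```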

Through the above embodiments, the slice network protection method proposed in the embodiments of the present application has been explained from the perspective of the verification network element and of the verification initiating network element; the method is summarized below with reference to the slice network protection system in fig. 1. Referring to fig. 1, the implementation steps of the slice network protection method are shown in fig. 1, and the method includes, but is not limited to, S100-S140:

S100, the service requester sends a service request message to the verification initiating network element;

Specifically, when a service requester needs to access a slice network, it sends a service request message to the corresponding verification initiating network element. The service request message contains a first encryption identifier and a user identifier, through which the service requester indicates the specific slice network it wants to access.

S110, in response to the service request message, the verification initiating network element sends a verification request to the verification network element;

Specifically, in response to the service request message, the verification initiating network element parses the received service request message to obtain the first encryption identifier and the user identifier, places the first encryption identifier and the user identifier in a verification request, and sends the verification request to the verification network element.

S120, in response to the verification request, the verification network element performs identifier verification;

Specifically, in response to the verification request, the verification network element parses the received verification request to obtain the first encryption identifier and the user identifier, regenerates the second encryption identifier according to the stored binding result and the user identifier, and compares the first encryption identifier with the second encryption identifier; if the two are the same, the identifier verification is passed.

S130, when the identifier verification passes, the verification network element sends a verification response to the verification initiating network element;

Specifically, when the identifier verification passes, the verification network element places the stored plaintext slice identifier in a verification response and sends the verification response to the verification initiating network element.

S140, the verification initiating network element communicates with the internal network elements of the core network according to the plaintext slice identifier, and communicates with equipment or network elements outside the core network according to the first encryption identifier;

Specifically, after receiving the plaintext slice identifier, the verification initiating network element may provide the service through which the service initiator normally accesses the slice network; the plaintext slice identifier is used in service flows among the internal network elements of the core network, and the first encryption identifier is used in service flows outside the core network.

Through S100 to S140, the following process is implemented in the embodiment of the present application: when the verification initiating network element receives a service request message sent by a service requester, it parses the service request message to obtain a first encryption identifier and a user identifier and sends a verification request carrying the first encryption identifier and the user identifier to the verification network element; the verification network element carries out identifier verification according to the first encryption identifier and the user identifier, and when the verification passes, it sends a verification response carrying the plaintext slice identifier corresponding to the first encryption identifier to the verification initiating network element. Inside the core network, the verification initiating network element communicates with each network element by using the plaintext slice identifier, and outside the core network it communicates with external user equipment, external network elements and so on by using the first encryption identifier. According to the slice network protection method provided by the embodiment of the application, the plaintext slice identifier corresponding to a slice network is transmitted only inside the core network, so that lawbreakers can neither acquire slice network information from external user equipment or network elements nor from the messages exchanged between the core network and the outside, and the security of the slice network can therefore be effectively protected.

Referring to fig. 7, fig. 7 is a schematic diagram of an apparatus 700 provided by an embodiment of the present application, the apparatus 700 including at least one processor 710 and at least one memory 720 for storing at least one program; one processor and one memory are exemplified in fig. 7.

The processor and the memory may be connected by a bus or by other means; connection by a bus is taken as the example in fig. 7.

The memory, which is a non-transitory computer readable storage medium, may be used to store non-transitory software programs as well as non-transitory computer executable programs. Further, the memory may include high speed random access memory, and may also include non-transitory memory, such as at least one disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory optionally includes memory located remotely from the processor, and these remote memories may be connected to the device over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.

Another embodiment of the present application also provides an apparatus that may be used to perform the control method as in any of the embodiments above, for example, performing the method steps of fig. 1 described above.

The above-described embodiments of the apparatus are merely illustrative, wherein the units illustrated as separate components may or may not be physically separate, i.e. may be located in one place, or may also be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.

While the preferred embodiments of the present invention have been described, the present invention is not limited to the above embodiments, and those skilled in the art can make various equivalent modifications or substitutions without departing from the spirit of the present invention, and such equivalent modifications or substitutions are included in the scope of the present invention defined by the claims.
