CN114040404B - Data distribution method, system, equipment and storage medium - Google Patents
- Publication number: CN114040404B (application CN202111312467.6A)
- Authority: CN (China)
- Prior art keywords: data, desensitizing, authorization token, intermediate node, desensitization
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04W—WIRELESS COMMUNICATION NETWORKS > H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/08—Access security > H04W12/084—Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00—Network arrangements or protocols for supporting network services or applications > H04L67/01—Protocols > H04L67/10—Protocols in which an application is distributed across nodes in the network > H04L67/1095—Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04W—WIRELESS COMMUNICATION NETWORKS > H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/02—Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04W—WIRELESS COMMUNICATION NETWORKS > H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA] > H04W12/041—Key generation or derivation
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04W—WIRELESS COMMUNICATION NETWORKS > H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA] > H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor > H04W12/0431—Key distribution or pre-distribution; Key agreement
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04W—WIRELESS COMMUNICATION NETWORKS > H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/06—Authentication
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04W—WIRELESS COMMUNICATION NETWORKS > H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/60—Context-dependent security > H04W12/61—Time-dependent
Abstract
The application provides a data distribution method, a system, equipment and a storage medium. The method comprises the following steps: information synchronization is carried out between a desensitizing device of an application end and a data source, so as to obtain sensitive data; the data source is located in a first network domain, and the application end is located in a second network domain; the application end is also provided with access equipment and an intermediate node; the intermediate node requests an authorization token for the associated desensitizing device from the data source and sends the authorization token and the received identity information of the associated access equipment to the desensitizing device; the desensitizing device desensitizes the sensitive data based on the identity information and the authorization token to obtain desensitized data, and returns the desensitized data to the intermediate node. The application solves the problem that existing data distribution methods cannot ensure the security of sensitive data after the sensitive data sink to a customized network or MEC.
Description
Technical Field
The present invention relates to the field of 5G communication technologies, and in particular, to a data distribution method, system, device, and storage medium.
Background
For large-scale industry clients of operators with high security requirements, a relatively closed, controllable and exclusive 5G network is built so that data need not leave the campus, and the security of the clients' sensitive business information is guaranteed. 5G customized networks and MEC (Multi-access Edge Computing) are important technologies for operators to serve industry clients and meet their requirements for digital transformation and upgrading.
For 5G customized networks, many clients require cross-campus interconnection, on-demand access to external networks and the like, and the campus 5G network also involves issues such as numbering and wireless spectrum management, so clients still need to be provisioned through the public network and its unified number management. Therefore, a common deployment scheme is to deploy a customized 5G core network (i.e., a 5GC network) in the customer campus and to perform authentication through the public network AUSF/UDM network elements. However, this solution still carries the risk that an interruption of public network communication will bring down the campus network, which matters for customers with very high business continuity requirements, such as those who deploy 5G networks for underground mining production.
To avoid this risk, the prior art deploys UDM network elements in both the public network and the customized network and keeps the two synchronized, so that when the public network is interrupted, service can be maintained by the UDM network element of the customized network. This scheme requires key sensitive information such as user keys to be issued to the customized network, where security can only be guaranteed by a virtualized network element, so the sensitive information carries a large leakage risk; for example, a hacker could clone a user's USIM card to steal the user's identity. Moreover, since the core key is a symmetric key, if a leak occurs it cannot be determined whether the key leaked in the public network or in the customized network.
For MEC, sensitive data of the core network also sink to the edge in order to serve low-latency applications. After sensitive data sink, the security problem of their open use likewise exists, namely how to guarantee the security of the sensitive data. For applications that need to coordinate with the macro network and use network exposure capabilities, 3GPP and ETSI define functions/network elements in the Local NEF (Network Exposure Function) role to meet the network exposure needs of low-latency applications; where a Local NEF needs to process sensitive data of the macro network, how to guarantee the security of that data is also a difficult problem.
Disclosure of Invention
In view of the problems in the prior art, the invention aims to provide a data distribution method, system, equipment and storage medium that solve the problem that existing data distribution methods cannot ensure the security of sensitive data after the data sink into a customized network or MEC.
To achieve the above object, the present invention provides a data distribution method comprising the steps of:
Information synchronization is carried out between a desensitizing device of an application end and a data source, so as to obtain sensitive data; the data source is positioned in a first network domain, and the application end is positioned in a second network domain; the application end is also provided with access equipment and an intermediate node;
The intermediate node requests to obtain an authorization token of the associated desensitizing device from a data source and sends the authorization token and the received identity information of the associated access equipment to the desensitizing device;
The desensitization device carries out desensitization processing on the sensitive data based on the identity information and the authorization token to obtain desensitized data, and returns the desensitized data to the intermediate node.
Optionally, the desensitizing device performs desensitization processing on the sensitive data based on the identity information and the authorization token, including:
the desensitization device desensitizes the sensitive data based on the identity information, the authorization token and the received desensitization parameters, and calculates to obtain corresponding desensitization data.
Optionally, the information synchronization between the desensitizing device at the application end and the data source includes:
two-way verification is carried out between a data source and a desensitizing device, and a first safety channel is established;
the desensitizing device performs sensitive data synchronization and authorization policy synchronization operations.
Optionally, the intermediate node requests the data source to obtain an authorization token associated with the desensitizing device, including:
the intermediate node performs bidirectional verification with the data source, and establishes a second secure channel;
the intermediate node sends first request information for acquiring an authorization token to the data source;
the data source sends an authorization token to the intermediate node based on the first request information and the second secure channel, the authorization token having a token validity period.
Optionally, the sending the authorization token and the received identity information of the associated access device to the desensitizing apparatus further includes:
the access device sending identity information and second request information about a request to establish communication or to acquire data to the intermediate node;
the intermediate node sends the authorization token and the identity information to a desensitizing device based on the second request information.
Optionally, the desensitizing device calculates and generates desensitized data according to the identity information and the authorization token, including:
the desensitization device judges whether the access equipment has the authority for acquiring desensitization data according to the authorization strategy;
if yes, the desensitization device calculates and generates desensitization data according to the identity information, the authorization token and the received desensitization parameters.
Optionally, the desensitizing means stores sensitive data; the desensitizing means calculates generating desensitized data based on the identity information, the authorization token, and the received desensitizing parameters, comprising:
the desensitizing device calculates and generates desensitized data according to the sensitive data, the identity information, the authorization token and the received desensitizing parameters.
Optionally, the second network domain is a customized network based on a 5G core network, and the first network domain is a public network based on the 5G core network; the intermediate node is provided with a UDM network element and AUSF network elements; the method comprises the following steps:
the UDM network element requests to obtain an authorization token associated with the desensitizing device from a data source and sends the authorization token and the received identity information of the associated access equipment to the desensitizing device;
the desensitization device calculates a first intermediate key according to the identity information, the authorization token and the received desensitization parameters, and returns the first intermediate key to the UDM network element;
The UDM network element calculates an authentication vector based on the first intermediate key;
The AUSF network element verifies the access device based on the authentication vector.
Optionally, the second network domain is a 5G SNPN (Stand-alone Non-Public Network), and the first network domain is the network where a credential holder is located and has an AAA (Authentication, Authorization, Accounting) server, where the credential holder may be a 5G network operator or another third party; the intermediate node has a UDM network element, an AUSF network element and an NSSAAF (Network Slice-Specific and SNPN Authentication and Authorization Function) network element; the method comprises the following steps:
The NSSAAF network element requests to obtain an authorization token associated with the desensitizing device from a data source and sends the authorization token and the received identity information of the associated access equipment to the desensitizing device;
The desensitization device calculates a fourth intermediate key according to the identity information, the authorization token and the received desensitization parameters, and returns the fourth intermediate key to the NSSAAF network element;
and the NSSAAF network element calculates an authentication vector based on the fourth intermediate key, verifies the access equipment and returns a verification result to the AUSF network element.
Optionally, the desensitizing device provides only an access interface to the outside world; the desensitizing means desensitizes the sensitive data based on the identity information, the authorization token, and the received desensitizing parameters, including:
The identity information, the authorization token and the received desensitization parameters are input into the desensitization device from the access interface, and the desensitization device calculates desensitization data corresponding to the sensitive data.
Optionally, the desensitized data is a second intermediate key; the method further comprises the steps of:
The intermediate node authenticates the access device based on the second intermediate key.
The invention also provides a data distribution system, which comprises a data source and an application end, wherein the data source is positioned in a first network domain, and the application end is positioned in a second network domain; the application end is provided with an intermediate node, access equipment and a desensitizing device;
The desensitizing device is arranged to synchronize information with a data source to obtain sensitive data, desensitize the sensitive data according to the received identity information and the received authorization token of the associated access equipment to obtain desensitized data, and return the desensitized data to the intermediate node;
The intermediate node is arranged to request from the data source an authorization token for the associated desensitising means and to send the authorization token and the received identity information of the associated access device to the desensitising means.
The invention also provides a data distribution system for realizing the data distribution method, which comprises the following steps:
the information synchronization module is used for synchronizing information between the desensitizing device of the application end and the data source to obtain sensitive data; the data source is positioned in a first network domain, and the application end is positioned in a second network domain; the application end is also provided with access equipment and an intermediate node;
the intermediate node requests the data source to acquire an authorization token associated with the desensitization device, and transmits the authorization token and the received identity information of the associated access equipment to the desensitization device;
the desensitization processing module is used for carrying out desensitization processing on the sensitive data based on the identity information and the authorization token to obtain desensitized data, and returning the desensitized data to the intermediate node.
The present invention also provides a data distribution apparatus comprising:
A processor;
A memory in which an executable program of the processor is stored;
Wherein the processor is configured to perform the steps of any of the data distribution methods described above via execution of the executable program.
The present invention also provides a computer-readable storage medium storing a program which, when executed by a processor, implements the steps of any one of the data distribution methods described above.
Compared with the prior art, the invention has the following advantages and outstanding effects:
The data distribution method, the system, the equipment and the storage medium provided by the invention realize that sensitive data are not required to be stored in the intermediate node, only the desensitized data after desensitization are distributed to the intermediate node when the intermediate node needs to acquire the sensitive data through the independent desensitization device, and the desensitization device only exposes necessary interfaces, so that the operation and the authorized use in a closed environment are realized, and the security of the sensitive data can be ensured after the sensitive data sink to a given network or MEC.
Drawings
Other features, objects and advantages of the present invention will become more apparent upon reading of the detailed description of non-limiting embodiments, made with reference to the following drawings.
FIG. 1 is a schematic diagram of a data distribution method according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of step S120 in a data distribution method according to an embodiment of the present invention;
FIG. 3 is a schematic view of a scenario in which a data distribution method disclosed in an embodiment of the present invention is applied;
FIG. 4 is a schematic diagram of a data distribution method according to another embodiment of the present invention;
FIG. 5 is a schematic diagram of a data distribution method according to another embodiment of the present invention;
FIG. 6 is a schematic diagram of another scenario in which a data distribution method disclosed in an embodiment of the present invention is applied;
FIG. 7 is a schematic diagram of a data distribution method according to another embodiment of the present invention;
FIG. 8 is a schematic diagram illustrating a data distribution system according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of a token acquiring and transmitting module in a data distribution system according to an embodiment of the present invention;
FIG. 10 is a schematic structural view of a data distribution device according to an embodiment of the present invention;
FIG. 11 is a schematic structural diagram of a computer readable storage medium according to an embodiment of the present invention.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. However, the example embodiments may be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the example embodiments to those skilled in the art. The same reference numerals in the drawings denote the same or similar structures, and thus a repetitive description thereof will be omitted.
As shown in fig. 1, an embodiment of the present application discloses a data distribution method, which acts on data distribution and data usage between a data source and an application end. The method provided by the application may be performed only when direct communication between the access equipment and the data source is disconnected, or it may be performed in any case.
The application end can comprise a desensitizing device, an access device, a base station and an intermediate node. The data source is located in a first network domain, and the application end is located in a second network domain. In this embodiment, the method includes the steps of:
S110, information synchronization is carried out between the desensitizing device and the data source, and sensitive data are obtained. In this embodiment, this step may include:
S111, bidirectional verification is performed between the data source and the desensitizing device, and a first secure channel is established; and
S112, the desensitizing device performs sensitive data synchronization and authorization policy synchronization operations.
In particular, the data source needs to authenticate the desensitizing device, the desensitizing device also needs to authenticate the data source, and then a first secure channel is established between the data source and the desensitizing device. Based on the first secure channel, the desensitizing device requests sensitive data synchronization and authorization policy synchronization operations from the data source. The bidirectional authentication can be implemented by using the prior art, and the present application is not repeated. After the above synchronization is performed, the desensitizing device loads or upgrades according to the synchronization content, so that the desensitizing device has data desensitizing capability.
In one embodiment, the desensitizing device is itself protected: it is a hardware device with protection against physical attack, and it only provides the necessary access interfaces to the outside.
In one embodiment, the data source includes a security module, and step S110 is specifically to synchronize information between the desensitizing device and the security module.
In this embodiment, the authorization policy may include information such as an authorization token decryption policy (including information such as a decryption key and a decryption request entry), a synchronization period, and a synchronization interrupt handling policy. The present application is not limited thereto, and those skilled in the art can set it as needed.
The second network domain may be a customized network based on a 5G core network, for example. The first network domain may be a public network based on a 5G core network. The application may be a customer campus. The intermediate node may be a network node in a customer premises. The application is not limited in this regard.
S120, the intermediate node requests the data source to acquire an authorization token associated with the desensitizing device, and sends the authorization token and the received identity information of the associated access equipment to the desensitizing device. Specifically, as shown in fig. 2, in this embodiment, the step S120 includes:
S121, bidirectional verification is performed between the intermediate node and the data source, and a second secure channel is established.
S122, the intermediate node sends first request information for acquiring the authorization token to the data source.
S123, the data source sends an authorization token to the intermediate node based on the first request information and the second secure channel. The authorization token contains the authorization to use sensitive data and the validity period of the token, and is encrypted.
S124, the access device sends identity information and second request information about a request to establish communication or acquire data to the intermediate node; and
S125, the intermediate node sends the authorization token and the identity information to the desensitizing device based on the second request information.
In particular, the intermediate node needs to authenticate the data source, and the data source also needs to authenticate the intermediate node, and the bidirectional authentication process can be implemented with reference to the prior art, which is not repeated in the present application. The intermediate node sends first request information about a request to obtain an authorization token to the data source based on the second secure channel.
The data source responds to the first request information after receiving the first request information, and returns an authorization token to the intermediate node, wherein the authorization token is used for allowing the intermediate node to access the desensitizing device, namely, the intermediate node is authorized to use the desensitizing device normally in the validity period of the authorization, and the desensitizing device is utilized for processing the access of various access devices.
The second request information indicates that the access device needs to establish communication with the intermediate node or obtain data. The identity information is associated with the access device. The data requested to be acquired by the access device is desensitized data obtained based on the sensitive data, which may be desensitized data obtained by calculation of the desensitizing device or data obtained by processing the intermediate node based on the desensitized data.
In an embodiment, the data source includes a security module, and the data interaction between the intermediate node and the data source, specifically, the data interaction between the intermediate node and the security module.
And S130, the desensitizing device desensitizes the sensitive data based on the identity information and the authorization token to obtain desensitized data, and returns the desensitized data to the intermediate node.
In particular, the authorization policy described above illustratively contains a whitelist of access devices that are capable of communicating with the intermediate node. The desensitizing means stores synchronously derived sensitive data associated with the access device. The desensitization device judges whether the access equipment has the authority for acquiring the desensitization data according to the white list of the authorization strategy and the identity information of the current access equipment, namely whether the white list contains the identity information of the access equipment, if so, the desensitization device judges that the access equipment has the authority for acquiring the desensitization data, and the desensitization device carries out desensitization calculation on the sensitive data according to the identity information, the authorization token and the received desensitization parameters to obtain the desensitization data and returns the desensitization data to the intermediate node. And the intermediate node judges whether to return the desensitized data to the access equipment according to the actual demand or not, or processes the desensitized data to obtain a data result and returns the data result to the access equipment. If the access device does not have the right to acquire the desensitized data, the process is ended.
In the application, the desensitization parameter can be directly generated by the intermediate node and sent to the desensitization device, or can be generated by the access equipment and sent to the intermediate node and then sent to the desensitization device by the intermediate node. The desensitization parameters can be generated in a preset mode or in a calculation mode. The application is not limited in this regard.
In another embodiment of the present application, another data distribution method is disclosed. The method is based on the above embodiment, wherein the desensitized data is a second intermediate key. The method further comprises the steps of:
S140, the intermediate node authenticates the access device based on the second intermediate key. Specifically, in this embodiment, the intermediate node receives the desensitized data sent by the desensitizing device, that is, the second intermediate key, and uses the second intermediate key to calculate a first authentication vector, which contains the bidirectional authentication codes of the access device and the intermediate node (that is, an authentication code of the access device toward the intermediate node and an authentication code of the intermediate node toward the access device). The intermediate node transmits its own authentication code and the other parameters needed by the access device to the access device. Because the access device also stores the sensitive data locally and can receive or generate the desensitization parameter itself, it can calculate a third intermediate key from the desensitization parameter and the sensitive data, and then calculate a second authentication vector using the third intermediate key. Similarly, the second authentication vector contains the bidirectional authentication codes of the access device and the intermediate node. The access device verifies the validity of the intermediate node by comparing the received authentication code with the corresponding authentication code calculated from the third intermediate key; after the verification passes, it sends to the intermediate node the corresponding authentication code calculated from the third intermediate key.
And the intermediate node performs validity verification on the access equipment based on the verification code and the corresponding verification code obtained by calculation based on the second intermediate key. After the authentication is passed, the access device may be allowed to communicate with the intermediate node. Otherwise the access device is not allowed to establish a communication connection.
For example, the above verification process may be that the intermediate node compares whether the verification code calculated based on the second intermediate key and the corresponding verification code calculated based on the third intermediate key are identical, if so, the verification is passed, otherwise, the verification is not passed. The above verification process, the implementation manner of calculating the first authentication vector by using the second intermediate key and the implementation manner of calculating the second authentication vector by using the third intermediate key may also be implemented with reference to the prior art, which is not limited to the present application.
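The S140 exchange above (and the same derivation used for the first and fourth intermediate keys in the UDM/AUSF and NSSAAF embodiments that follow), as an added example that is not code from the patent: a desensitizing device derives an intermediate key from the sensitive data it holds, the intermediate node and the access device each compute bidirectional HMAC authentication codes from their copy of that key, and a device holding different credential data, or a request carrying an expired token, is rejected. HMAC-SHA256 as the key-derivation and MAC construction, the token fields, the identities and the credential value are all constructed assumptions; the token is used here to gate authorization rather than as a key input, so the access device can reproduce the key from its desensitization parameter and sensitive data alone.

```python
import hmac
import hashlib
import secrets


def prf(key: bytes, *parts: bytes) -> bytes:
    """Length-prefixed HMAC-SHA256 over the parts (assumed KDF/MAC construction)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()


def auth_vector(k_int: bytes, node_id: bytes, identity: bytes, param: bytes):
    """Bidirectional authentication codes derived from an intermediate key:
    (code proving the node to the device, code proving the device to the node)."""
    return (prf(k_int, b"node->device", node_id, identity, param),
            prf(k_int, b"device->node", identity, node_id, param))


class DesensitizingDevice:
    """Holds the sensitive data; only derive_intermediate_key() is exposed."""

    def __init__(self, sensitive_data: bytes, authorized: set):
        self._sensitive = sensitive_data     # never returned to callers
        self._authorized = authorized         # synchronized authorization policy

    def derive_intermediate_key(self, identity: bytes, token: dict, now: int,
                                param: bytes) -> bytes:
        # Token validity period and authorization policy are checked before
        # any derivation happens (constructed token layout).
        if token["issuer"] != b"data-source" or token["expires"] <= now:
            raise PermissionError("authorization token invalid or expired")
        if identity not in self._authorized:
            raise PermissionError("access device not authorized")
        # Desensitized data: a key bound to the device identity and the
        # desensitization parameter; the sensitive data cannot be recovered from it.
        return prf(self._sensitive, b"intermediate-key", identity, param)


class IntermediateNode:
    """Stores no sensitive data; authenticates devices via the second intermediate key."""

    def __init__(self, node_id: bytes, desens: DesensitizingDevice):
        self.node_id, self._desens = node_id, desens
        self._pending, self.connected = {}, set()

    def start_auth(self, identity: bytes, token: dict, now: int):
        param = secrets.token_bytes(16)  # desensitization parameter (fresh nonce)
        k2 = self._desens.derive_intermediate_key(identity, token, now, param)
        node_code, expected_device_code = auth_vector(k2, self.node_id, identity, param)
        self._pending[identity] = expected_device_code
        return param, node_code          # sent to the access device

    def finish_auth(self, identity: bytes, device_code: bytes) -> bool:
        expected = self._pending.pop(identity, None)
        ok = expected is not None and hmac.compare_digest(expected, device_code)
        if ok:
            self.connected.add(identity)
        return ok


class AccessDevice:
    """Holds its own copy of the sensitive data and derives the third intermediate key."""

    def __init__(self, identity: bytes, sensitive_data: bytes):
        self.identity, self._sensitive = identity, sensitive_data

    def respond(self, node_id: bytes, param: bytes, node_code: bytes) -> bytes:
        k3 = prf(self._sensitive, b"intermediate-key", self.identity, param)
        expected_node_code, device_code = auth_vector(k3, node_id, self.identity, param)
        if not hmac.compare_digest(expected_node_code, node_code):
            raise PermissionError("intermediate node failed verification")
        return device_code


def run_auth(node: IntermediateNode, device: AccessDevice, token: dict, now: int) -> bool:
    """Full S140 exchange; returns whether the node accepts the device."""
    param, node_code = node.start_auth(device.identity, token, now)
    device_code = device.respond(node.node_id, param, node_code)
    return node.finish_auth(device.identity, device_code)


def demo() -> dict:
    """Constructed sample run: an honest device, a forged response, an expired token."""
    sensitive = b"constructed-sensitive-credential"
    token = {"issuer": b"data-source", "id": b"tok-1", "expires": 1_700_000_600}
    now = 1_700_000_000
    desens = DesensitizingDevice(sensitive, {b"imsi-001", b"imsi-002"})
    node = IntermediateNode(b"mec-node-38", desens)
    good = AccessDevice(b"imsi-001", sensitive)
    results = {"good": run_auth(node, good, token, now)}
    # A party without the sensitive data cannot produce a matching device code.
    param, _ = node.start_auth(b"imsi-002", token, now)
    forged = prf(b"different-credential", b"forged", param)
    results["rogue"] = node.finish_auth(b"imsi-002", forged)
    try:                                  # token validity period has elapsed
        run_auth(node, good, token, now=1_700_001_000)
        results["expired"] = True
    except PermissionError:
        results["expired"] = False
    results["connected"] = sorted(node.connected)
    return results
```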
Therefore, the method and device have the advantage that sensitive data need not be stored in the intermediate node: an independent desensitizing device is provided, and when the access equipment needs to communicate with the intermediate node, the desensitized data is distributed to the intermediate node and verification is carried out using the desensitized data, which guarantees the security of the sensitive data after it has been sunk into the local network. If, for example, communication between the customized network and the public network is interrupted, the access equipment can still continue to communicate with the customized network based on the desensitizing device and keep working with the sensitive data, so that normal operation of the customer campus is not affected.
In another embodiment of the present application, as shown in fig. 3, the above-mentioned intermediate node 34 has a UDM (Unified Data Management) network element 35 and an AUSF (Authentication Server Function) network element 36. The first network domain in which the corresponding data source 31 is located may be a public network based on a 5G core network. The data source 31 has a security module 32. The security module 32, the desensitizing device 33 and the intermediate node 34 communicate with each other, and the access device 37 communicates with the intermediate node 34 through a base station. As shown in fig. 4, this embodiment also discloses a data distribution method. The method includes steps S210, S220, S230 and S240.
In this embodiment, step S210 is: the desensitising means 33 is in information synchronisation with the security module 32 to obtain sensitive data.
Step S220 is: the UDM network element 35 requests from the data source 31 an authorization token associated with the desensitising means 33 and sends the authorization token and the received identity information of the associated access device 37 to the desensitising means 33.
Step S230 is: the desensitizing means 33 desensitizes the sensitive data based on the identity information, the authorization token and the received desensitizing parameters to obtain a first intermediate key, and returns the first intermediate key to the intermediate node 34.
Step S240 is: the UDM network element 35 calculates an authentication vector based on the first intermediate key. The AUSF network element 36 verifies the access device 37 based on the authentication vector.
In another embodiment of the present application, the second network domain is a 5G SNPN network. The first network domain is the network where the credential holder is located and has an AAA server. The credential holder may be a 5G network operator or another third-party network. The intermediate node has a UDM network element, an AUSF network element and an NSSAAF network element. As shown in fig. 5, this embodiment also discloses a data distribution method. The method comprises step S110 and steps S320, S330 and S340.
In this embodiment, step S320 is: the NSSAAF network element requests from the data source an authorization token associated with the desensitizing means and sends the authorization token and the received identity information of the associated access device to the desensitizing means.
Step S330 is: the desensitizer calculates a fourth intermediate key according to the identity information, the authorization token and the received desensitization parameters, and returns the fourth intermediate key to the NSSAAF network element.
Step S340 is: the NSSAAF network element calculates an authentication vector based on the fourth intermediate key, verifies the access device, and returns the verification result to the AUSF network element. After the authentication passes, the access device is allowed to communicate with the SNPN network described above. Otherwise, the access device is not allowed to communicate with the SNPN network, and the process ends.
In another embodiment of the present application, as shown in fig. 6, the intermediate node 34 is a MEC node 38. The first network domain in which the corresponding data source 31 is located may be a 5G core network. The data source 31 has a security module 32. The security module 32, the desensitizing device 33 and the MEC node 38 communicate with each other, and the access device 37 communicates with the MEC node 38 through a base station. As shown in fig. 7, this embodiment also discloses a data distribution method. The method includes steps S410, S420 and S430.
In this embodiment, step S410 is: the desensitising means 33 is in information synchronization with the security module 32.
Step S420 is: the MEC node 38 requests the data source 31 to obtain an authorization token associated with the desensitizing means 33 and sends the authorization token and the received identity information of the associated access device 37 to the desensitizing means 33.
Step S430 is: the desensitizing means 33 determines that the access device has access rights according to the identity information and the authorization token, then desensitizes the sensitive data to obtain desensitized data, and returns the desensitized data to the MEC node 38. The MEC node 38 may then return the desensitized data, or processed results based on the desensitized data, to the access device 37 as desired.
It should be noted that the desensitizing device and the security module of the data source in all the embodiments may be implemented in hardware, such as a physical gateway, in software, or in a combination of software and hardware. The desensitizing device exposes only the necessary interfaces and performs computation and authorization in a closed environment, so its security is high.
It should be noted that, in other embodiments, the data source may be located in a 6G core network or in a public network based on a 6G core network. Accordingly, the other functional objects of the above embodiments may also be based on 6G networks. This is not described in detail in the present application.
According to the embodiments of the application, sensitive data need not be stored in the intermediate node. When the access equipment needs to communicate with the intermediate node, the independent desensitization device distributes either the desensitized data or results processed from the desensitized data. The desensitization device exposes only the necessary interfaces and performs computation and authorized use in a closed environment, so the security of the sensitive data can be ensured after it is sunk into the network or the MEC.
It should be noted that, all the embodiments disclosed in the present application may be freely combined, and the combined technical solution is also within the protection scope of the present application.
The embodiment of the invention also discloses a data distribution system, which comprises a data source and an application end. The data source is located in a first network domain, and the application end is located in a second network domain; the application end is provided with an intermediate node, an access device and a desensitizing device.
The desensitizing device is set to synchronize information with a data source to obtain sensitive data, desensitize the sensitive data according to the received identity information and the received authorization token of the associated access equipment to obtain desensitized data, and return the desensitized data to the intermediate node.
The intermediate node is arranged to request from the data source an authorization token for the associated desensitising means and to send the authorization token and the received identity information of the associated access device to the desensitising means.
As shown in fig. 8, an embodiment of the present invention further discloses a data distribution system 5, which includes:
the information synchronization module 51, by which the desensitizing device at the application end performs information synchronization with the data source to obtain sensitive data. The data source is located in a first network domain, and the application end is located in a second network domain; the application end also has an access device and an intermediate node;
the token acquisition and transmission module 52, by which the intermediate node requests from the data source an authorization token associated with the desensitizing means and transmits the authorization token and the received identity information of the associated access device to the desensitizing means; and
the desensitization processing module 53, by which the desensitization device performs desensitization processing on the sensitive data based on the identity information and the authorization token to obtain desensitized data, and returns the desensitized data to the intermediate node.
In another embodiment of the present application, the desensitizing module 53 includes:
the desensitization data generating module 531, by which the desensitization device calculates desensitized data from the identity information and the authorization token and returns the desensitized data to the intermediate node; and
the access device authentication module 532, by which the intermediate node authenticates the access device based on the desensitized data, and when the authentication passes, communication is established between the intermediate node and the access device.
In another embodiment of the present application, as shown in fig. 9, the token acquiring and sending module 52 may include:
a second secure channel establishing unit 521, configured to perform bidirectional authentication between the intermediate node and the data source and to establish a second secure channel;
a first request information transmitting unit 522, by which the intermediate node transmits first request information for acquiring an authorization token to the data source;
a token transmitting unit 523, by which the data source transmits an authorization token having a token validity period to the intermediate node, based on the first request information and over the second secure channel;
a second request information transmitting unit 524, by which the access device transmits its identity information and second request information (a request to establish communication or to acquire desensitized data) to the intermediate node; and
an encryption request unit 525, by which the intermediate node transmits the authorization token and the identity information to the desensitizing apparatus based on the second request information.
It will be appreciated that the data distribution system of the present invention also includes other existing functional modules that support the operation of the data distribution system. The data distribution system shown in fig. 8 is only an example, and should not be construed as limiting the functionality and scope of use of the embodiments of the present invention.
The data distribution system in this embodiment is used to implement the above-mentioned data distribution method, so for specific implementation steps of the data distribution system, reference may be made to the above description of the data distribution method, which is not repeated here.
The embodiment of the invention also discloses a data distribution device, which comprises a processor and a memory, wherein the memory stores an executable program of the processor; the processor is configured to perform the steps in the data distribution method described above via execution of an executable program. Fig. 10 is a schematic structural view of a data distribution apparatus of the present disclosure. An electronic device 600 according to this embodiment of the invention is described below with reference to fig. 10. The electronic device 600 shown in fig. 10 is merely an example, and should not be construed as limiting the functionality and scope of use of embodiments of the present invention.
As shown in fig. 10, the electronic device 600 is in the form of a general purpose computing device. Components of electronic device 600 may include, but are not limited to: at least one processing unit 610, at least one memory unit 620, a bus 630 connecting the different platform components (including memory unit 620 and processing unit 610), a display unit 640, etc.
The storage unit 620 stores program code that is executable by the processing unit 610, such that the processing unit 610 performs the steps according to the various exemplary embodiments of the present invention described in the data distribution method section of the present specification. For example, the processing unit 610 may perform the steps shown in fig. 1.
The storage unit 620 may include readable media in the form of volatile storage units, such as Random Access Memory (RAM) 6201 and/or cache memory unit 6202, and may further include Read Only Memory (ROM) 6203.
The storage unit 620 may also include a program/utility 6204 having a set (at least one) of program modules 6205, such program modules 6205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
Bus 630 may be a local bus representing one or more of several types of bus structures including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or using any of a variety of bus architectures.
The electronic device 600 may also communicate with one or more external devices 700 (e.g., keyboard, pointing device, bluetooth device, etc.), one or more devices that enable a user to interact with the electronic device 600, and/or any device (e.g., router, modem, etc.) that enables the electronic device 600 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 650. Also, electronic device 600 may communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet, through network adapter 660. The network adapter 660 may communicate with other modules of the electronic device 600 over the bus 630. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with electronic device 600, including, but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage platforms, and the like.
The invention also discloses a computer readable storage medium for storing a program which when executed implements the steps in the data distribution method described above. In some possible embodiments, the aspects of the present invention may also be implemented in the form of a program product comprising program code for causing a terminal device to carry out the steps according to the various exemplary embodiments of the invention as described in the above description of the data distribution method, when the program product is run on the terminal device.
As described above, when the program on the computer readable storage medium of this embodiment is executed, sensitive data need not be stored in the intermediate node: when an access device needs to communicate with the intermediate node, the independent desensitizing device distributes desensitized data to the access device and performs verification using the desensitized data; the desensitizing device exposes only the necessary interfaces and performs computation and authorized use in a closed environment, so the security of the sensitive data can be ensured after it is sunk into a given network or MEC.
Fig. 11 is a schematic structural view of a computer-readable storage medium of the present invention. Referring to fig. 11, a program product 800 for implementing the above-described method according to an embodiment of the present invention is described, which may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present invention is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include the following: an electrical connection having one or more wires, a portable disk, a hard disk, Random Access Memory (RAM), Read-Only Memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable storage medium may include a data signal propagated in baseband or as part of a carrier wave, with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable storage medium may also be any readable medium that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a readable storage medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
The data distribution method, system, equipment and storage medium provided by the embodiments of the invention ensure that sensitive data need not be stored in the intermediate node: only when the intermediate node needs the sensitive data is desensitized data distributed to it through the independent desensitization device, and the desensitization device exposes only the necessary interfaces and performs computation and authorized use in a closed environment, so the security of the sensitive data can be ensured after it sinks to the network or the MEC.
The foregoing is a further detailed description of the invention in connection with the preferred embodiments, and it is not intended that the invention be limited to the specific embodiments described. It will be apparent to those skilled in the art that several simple deductions or substitutions may be made without departing from the spirit of the invention, and these should be considered to be within the scope of the invention.
Claims (14)
1. A data distribution method, comprising the steps of:
Information synchronization is carried out between a desensitizing device of an application end and a data source, so as to obtain sensitive data; the data source is positioned in a first network domain, and the application end is positioned in a second network domain; the application end is also provided with access equipment and an intermediate node;
The intermediate node requests to obtain an authorization token of the associated desensitizing device from a data source and sends the authorization token and the received identity information of the associated access equipment to the desensitizing device;
The desensitization device carries out desensitization processing on the sensitive data based on the identity information and the authorization token to obtain desensitized data, and returns the desensitized data to the intermediate node.
2. The data distribution method according to claim 1, wherein the desensitizing means desensitizes the sensitive data based on identity information and an authorization token, comprising:
the desensitization device desensitizes the sensitive data based on the identity information, the authorization token and the received desensitization parameters, and calculates to obtain corresponding desensitization data.
3. The data distribution method according to claim 1, wherein the information synchronization between the desensitizing device at the application end and the data source includes:
two-way verification is carried out between a data source and a desensitizing device, and a first safety channel is established;
the desensitizing device performs sensitive data synchronization and authorization policy synchronization operations.
4. The data distribution method according to claim 1, wherein the intermediate node requesting acquisition of an authorization token associated with a desensitizing means from a data source comprises:
the intermediate node performs bidirectional verification with the data source, and establishes a second secure channel;
the intermediate node sends first request information for acquiring an authorization token to the data source;
the data source sends an authorization token to the intermediate node based on the first request information and the second secure channel, the authorization token having a token validity period.
5. The data distribution method according to claim 1, wherein the transmitting the authorization token and the received identity information of the associated access device to a desensitizing means further comprises:
the access device sending identity information and second request information about a request to establish communication or to acquire data to the intermediate node;
the intermediate node sends the authorization token and the identity information to a desensitizing device based on the second request information.
6. A data distribution method according to claim 3, wherein the desensitising means calculates from the identity information and the authorisation token to generate desensitised data, comprising:
the desensitization device judges whether the access equipment has the authority for acquiring desensitization data according to the authorization strategy;
if yes, the desensitization device calculates and generates desensitization data according to the identity information, the authorization token and the received desensitization parameters.
7. The data distribution method according to claim 2, wherein the desensitizing means stores sensitive data; the desensitizing means calculates generating desensitized data based on the identity information, the authorization token, and the received desensitizing parameters, comprising:
the desensitizing device calculates and generates desensitized data according to the sensitive data, the identity information, the authorization token and the received desensitizing parameters.
8. The data distribution method according to claim 2, wherein the second network domain is a customized network based on a 5G core network, and the first network domain is a public network based on a 5G core network; the intermediate node is provided with a UDM network element and an AUSF network element; the method comprises the following steps:
the UDM network element requests to obtain an authorization token associated with the desensitizing device from a data source and sends the authorization token and the received identity information of the associated access equipment to the desensitizing device;
the desensitization device calculates a first intermediate key according to the identity information, the authorization token and the received desensitization parameters, and returns the first intermediate key to the UDM network element;
The UDM network element calculates an authentication vector based on the first intermediate key;
The AUSF network element verifies the access device based on the authentication vector.
9. The data distribution method according to claim 2, wherein the desensitizing means provides only an access interface to the outside world; the desensitizing means desensitizes the sensitive data based on the identity information, the authorization token, and the received desensitizing parameters, including:
The identity information, the authorization token and the received desensitization parameters are input into the desensitization device from the access interface, and the desensitization device calculates desensitization data corresponding to the sensitive data.
10. The data distribution method of claim 2, wherein the desensitized data is a second intermediate key; the method further comprises the steps of:
The intermediate node authenticates the access device based on the second intermediate key.
11. A data distribution system, characterized in that it comprises a data source and an application end, wherein the data source is positioned in a first network domain, and the application end is positioned in a second network domain; the application end is provided with an intermediate node, access equipment and a desensitizing device;
The desensitizing device is arranged to synchronize information with a data source to obtain sensitive data, desensitize the sensitive data according to the received identity information and the received authorization token of the associated access equipment to obtain desensitized data, and return the desensitized data to the intermediate node;
The intermediate node is arranged to request from the data source an authorization token for the associated desensitising means and to send the authorization token and the received identity information of the associated access device to the desensitising means.
12. A data distribution system for implementing the data distribution method according to claim 1, characterized in that the system comprises:
the information synchronization module is used for synchronizing information between the desensitizing device of the application end and the data source to obtain sensitive data; the data source is positioned in a first network domain, and the application end is positioned in a second network domain; the application end is also provided with access equipment and an intermediate node;
the intermediate node requests the data source to acquire an authorization token associated with the desensitization device, and transmits the authorization token and the received identity information of the associated access equipment to the desensitization device;
the desensitization processing module is used for carrying out desensitization processing on the sensitive data based on the identity information and the authorization token to obtain desensitized data, and returning the desensitized data to the intermediate node.
13. A data distribution apparatus, characterized by comprising:
A processor;
A memory in which an executable program of the processor is stored;
wherein the processor is configured to perform the steps of the data distribution method of any of claims 1 to 10 via execution of the executable program.
14. A computer-readable storage medium storing a program, characterized in that the program when executed by a processor implements the steps of the data distribution method according to any one of claims 1 to 10.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111312467.6A CN114040404B (en) | 2021-11-08 | 2021-11-08 | Data distribution method, system, equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114040404A (en) | 2022-02-11 |
CN114040404B (en) | 2024-06-07 |
Family
ID=80143161
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111312467.6A Active CN114040404B (en) | 2021-11-08 | 2021-11-08 | Data distribution method, system, equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114040404B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114900879A (en) * | 2022-03-29 | 2022-08-12 | 中国电信股份有限公司 | Data synchronization method and system, and information exchange gateway and network device |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8225091B1 (en) * | 2004-03-30 | 2012-07-17 | Crimson Corporation | Systems and methods for protecting sensitive files from unauthorized access |
CN106407843A (en) * | 2016-10-17 | 2017-02-15 | 深圳中兴网信科技有限公司 | Data desensitization method and data desensitization device |
CN110245505A (en) * | 2019-05-20 | 2019-09-17 | 中国平安人寿保险股份有限公司 | Data table access method, device, computer equipment and storage medium |
CN110290060A (en) * | 2019-07-15 | 2019-09-27 | 腾讯科技(深圳)有限公司 | A kind of internetwork communication method, apparatus and storage medium |
CN110750786A (en) * | 2019-10-30 | 2020-02-04 | 上海观安信息技术股份有限公司 | Method and system for detecting abnormal access behavior of account to sensitive data |
CN112115482A (en) * | 2020-09-16 | 2020-12-22 | 安徽长泰信息安全服务有限公司 | Big data-based data security monitoring system for protecting data |
CN112822675A (en) * | 2021-01-11 | 2021-05-18 | 北京交通大学 | MEC environment-oriented OAuth 2.0-based single sign-on mechanism |
CN113591119A (en) * | 2021-08-09 | 2021-11-02 | 国家工业信息安全发展研究中心 | Cross-domain identification analysis node data privacy protection and safety sharing method and system |
Events
- 2021-11-08 | CN | Application CN202111312467.6A filed (patent CN114040404B) | Active
Non-Patent Citations (1)
Title |
---|
Research on mobile edge computing security; Zhuang Xiaojun, Yang Bo, Wang Xu, Peng Jin; Telecom Engineering Technics and Standardization; Vol. 31 (No. 255); full text * |
Also Published As
Publication number | Publication date |
---|---|
CN114040404A (en) | 2022-02-11 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP4216081B1 (en) | Information verification method, related apparatus, device, and storage medium | |
KR102377187B1 (en) | Method and apparatus for processing privacy data of block chain, device, storage medium | |
US9374360B2 (en) | System and method for single-sign-on in virtual desktop infrastructure environment | |
KR102424055B1 (en) | Apparatus and Method for Providing API Authentication using Two API Tokens | |
CN112039826B (en) | Login method and device applied to applet end, electronic equipment and readable medium | |
EP2973188B1 (en) | Secondary device as key for authorizing access to resources | |
KR20220160549A (en) | Cluster access method, apparatus, electronic equipment and media | |
US10735409B2 (en) | Authentication stick | |
CN110602133B (en) | Intelligent contract processing method, block chain management device and storage medium | |
CN110708291A (en) | Data authorization access method, device, medium and electronic equipment in distributed network | |
CN114286342B (en) | Authentication method, authentication system, electronic device, and computer-readable storage medium | |
CN113674456A (en) | Unlocking method, unlocking device, electronic equipment and storage medium | |
CN114362931A (en) | Internet of things equipment registration and security authentication connection and instruction interaction method | |
CN114040404B (en) | Data distribution method, system, equipment and storage medium | |
US12425194B2 (en) | Cryptographic bridge for securing public key infrastructure (PKI) | |
CN114170709B (en) | Cash box management method and system based on Internet of Things | |
CN113055186B (en) | Cross-system service processing method, device and system | |
CN112966286B (en) | Method, system, device and computer readable medium for user login | |
CN103593619A (en) | Method and system applied to data protection | |
WO2024259490A1 (en) | User authentication for operational technology (ot) assets | |
CN116866034B (en) | Distributed node authentication method, electronic equipment and storage medium | |
US12028315B2 (en) | Methods, devices, and computer program products for authenticating peripheral device | |
US11115407B2 (en) | Client side OTP generation method | |
CN113055345B (en) | Block chain-based data security authentication method and device | |
CN118467008B (en) | Security management method, system, medium and electronic equipment for OTA upgrade |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant |