CN118740409A - Application authentication method and device - Google Patents
Application authentication method and device
- Publication number: CN118740409A (application CN202310371895.9A)
- Authority: CN (China)
- Prior art keywords: application, identity, terminal equipment, terminal device, authentication
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0866—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
- H04L9/40—Network security protocols
- H04L9/50—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
- H04W12/06—Authentication
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Mobile Radio Communication Systems (AREA)
Description
Technical Field
The present application relates to the field of communications, and in particular to an application authentication method and device.
Background Art
In the era of big data and information technology, the number of application programs (hereinafter "applications") on terminal devices has grown explosively. When a user uses an application on a terminal device, the terminal device needs to access, through that application, the application server corresponding to the application in order to obtain the relevant data and provide the relevant service to the user. When the terminal device application accesses the application server, the application server needs to authenticate the accessing terminal device application; after authentication passes, the application server can provide the relevant service data to the terminal device application. This protects the security of user information and guards against network security problems caused by information theft and malicious intrusion.
At present, application servers mainly authenticate applications using the network address of the terminal device and the identity and password information the user enters when using the terminal device application. With the terminal device connected to the network, when the user uses an application on that terminal device, the terminal device can send an application authentication request to a centralized identity authority (which may also be the application server). The centralized identity authority matches the network address of the terminal device and the identity and password information or biometric characteristics entered by the user on the terminal device against locally stored information; if a match exists, the centralized identity authority provides service to the terminal device application, so that the user can use the terminal device application normally.
The above application authentication method requires the participation of a centralized identity authority, which stores users' identity and password information, so there is a risk of user information leakage; in particular, where the centralized identity authority is a single point of failure or is not trusted, security is low.
Summary of the Invention
Embodiments of the present application provide an application authentication method and device, which help reduce the risk of user information leakage and improve system security while an application server authenticates a terminal device application.
In a first aspect, an application authentication method is provided, comprising: obtaining first information from a terminal device, the first information being used to request service data and carrying a network identifier of the terminal device; authenticating the terminal device based on the network identifier of the terminal device and a pre-stored correspondence, the correspondence indicating a correspondence between the public key of at least one terminal device and at least one application identity authenticated by the application server, the at least one application identity being obtained based on the network identifier of the terminal device corresponding to that application identity; and, where the authentication passes, sending second information to the terminal device, the second information indicating that the terminal device has passed authentication.
The application authentication method of the embodiments of the present application generates the application identity of a terminal device from the terminal device's network identifier, and writes the correspondence between the terminal device's public key and the application identity authenticated by the application server into the application server. When the user uses the terminal device's application, the terminal device initiates an authentication procedure with the application server, and the application server can complete authentication of the terminal device using the terminal device's network identifier and the pre-written correspondence, without relying on user information. There is thus no risk of user information leakage, which helps improve system security.
In combination with the first aspect, in some implementations of the first aspect, the entity executing the above application authentication method may be an application server.
In combination with the first aspect, in some implementations of the first aspect, the application identity of the terminal device is a value obtained by processing the network identifier of the terminal device with a preset one-way derivation function, or the application identity of the terminal device is the network identifier of the terminal device.
It should be understood that the one-way derivation function may be a hash function or an encryption algorithm; the embodiments of the present application do not limit this. The specific hash function type or encryption algorithm used is pre-negotiated between the application server and the terminal device, or is specified by protocol; the embodiments of the present application do not limit this either.
In the present application, the value obtained by processing the network identifier of the terminal device with the preset one-way derivation function is abbreviated as APPID, and the network identifier of the terminal device is abbreviated as BCADD. Exemplarily, the above application identity may be Hash(BCADD), i.e. APPID, and BCADD may be Hash(PKu), where Hash(BCADD) denotes the value obtained by applying a hash function to BCADD, and Hash(PKu) denotes the value obtained by hashing the public key PKu.
Exemplarily, the above application identity may be Hash(PKu), i.e. BCADD, where Hash(PKu) denotes the value obtained by hashing the public key PKu.
With either of the two possible implementations above, the application identity of the terminal device in the embodiments of the present application allows the application server to complete authentication of the terminal device based on the terminal device's network identifier alone, without relying on user information, so there is no risk of user information leakage, which helps improve system security.
In combination with the first aspect, in some implementations of the first aspect, the application identity of the terminal device is a value obtained by processing the network identifier of the terminal device with a preset one-way derivation function; and authenticating the terminal device based on the network identifier of the terminal device and the pre-stored correspondence includes: processing the network identifier of the terminal device with the preset one-way derivation function to obtain a processing result; and, if a first application identity among the at least one application identity is equal to the processing result, determining that the terminal device has passed authentication.
The embodiments of the present application use APPID as the application identity, so that different terminal devices have the same access path to the same application, which prevents a terminal device from being tracked in the communication system and thereby avoids user information leakage.
In combination with the first aspect, in some implementations of the first aspect, the application identity of the terminal device is the network identifier of the terminal device; the method further includes: receiving a first authentication request from the terminal device, the first authentication request carrying a first random number and a first ciphertext, the first ciphertext being obtained by encrypting the network identifier of the terminal device and the first random number with the private key of the terminal device; and authenticating the terminal device based on the network identifier of the terminal device and the pre-stored correspondence includes: decrypting the first ciphertext with the public key of the terminal device to obtain the decrypted network identifier of the terminal device and the decrypted first random number; and, where a first application identity among the at least one application identity is equal to the decrypted network identifier of the terminal device and the decrypted first random number is equal to the first random number carried in the first authentication request, determining that the terminal device has passed authentication.
Exemplarily, the first ciphertext may be SKu(BCADD, first random number), where SKu(BCADD, first random number) is the ciphertext obtained by encrypting BCADD and the first random number with the private key SKu. Here PKu is the public key of the terminal device and SKu is the private key of the terminal device.
The embodiments of the present application use BCADD as the application identity, which ensures that the terminal device's identity is consistent across the data link layer, network layer, transport layer, application layer and other layers. However, there is a risk of the terminal device being tracked, so BCADD can be updated; the specific update method is as follows. In combination with the first aspect, in some implementations of the first aspect, the method further includes: receiving fourth information from the terminal device, the fourth information indicating that the application identity of the terminal device is to be updated and carrying a second random number and a second ciphertext, the second ciphertext being obtained by encrypting the new network identifier of the terminal device, the network identifier and the second random number with the private key of the terminal device; decrypting the second ciphertext with the public key of the terminal device to obtain the decrypted new network identifier, the decrypted network identifier and the decrypted second random number; and, where the decrypted second random number is equal to the second random number carried in the second ciphertext and the first application identity among the at least one application identity is equal to the decrypted network identifier, updating the first application identity from the network identifier to the new network identifier.
Exemplarily, the second ciphertext may be SKu(new BCADD, BCADD, second random number), where SKu(new BCADD, BCADD, second random number) is the ciphertext obtained by encrypting the new BCADD, BCADD and the second random number with the private key SKu.
In the embodiments of the present application, where the application identity of the terminal device is the network identifier of the terminal device, updating the application identity of the terminal device helps prevent the user's application usage from being tracked and user information from being leaked, thereby improving system security.
Optionally, the method further includes: the application server sends an update response to the terminal device indicating whether the update succeeded. Correspondingly, the terminal device receives the update response from the application server.
In one possible implementation, if the update succeeds, the update response may be a message indicating success, for example an acknowledgement character (ACK); if the update fails, the update response may be a message indicating failure, for example a negative acknowledgement character (NACK).
In another possible implementation, the application server sends an update response to the terminal device only if the update succeeds, the update response being a message indicating success, such as ACK, and sends no response if the update fails. In this case, the terminal device can set a timer that starts when the fourth information is sent; if the terminal device has not received an update response from the application server before the timer expires, the terminal device assumes that the application server failed to update BCADD.
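The APPID-mode check, the BCADD-mode check with the first random number, and the BCADD update described above, as an added Go example that is not part of the patent: the page's "encrypt with the private key, decrypt with the public key" is modelled as an Ed25519 signature that the server verifies with PKu, SHA-256 stands in for the unspecified one-way derivation function, and the 16-byte random numbers and the way a new BCADD is chosen are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// hash is the preset one-way derivation function; the page leaves it open, so SHA-256 is assumed.
func hash(b []byte) []byte { s := sha256.Sum256(b); return s[:] }

// BCADD = Hash(PKu) and APPID = Hash(BCADD), as the page defines them.
func DeriveBCADD(pk ed25519.PublicKey) []byte { return hash(pk) }
func DeriveAPPID(bcadd []byte) []byte        { return hash(bcadd) }

// Nonce is a device-chosen random number as on the page (16 bytes assumed; crypto/rand.Read does not fail).
func Nonce() []byte { n := make([]byte, 16); rand.Read(n); return n }

// Proof models "ciphertext obtained with the device private key SKu" as an Ed25519 signature
// over the concatenated fields, which travel in the clear; "decrypt with PKu" becomes "verify with PKu".
type Proof struct {
	Fields [][]byte
	Sig    []byte
}

func verify(pk ed25519.PublicKey, p Proof) bool {
	return ed25519.Verify(pk, bytes.Join(p.Fields, nil), p.Sig)
}

type Device struct {
	PK    ed25519.PublicKey
	sk    ed25519.PrivateKey
	BCADD []byte
}

func NewDevice() *Device {
	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{PK: pk, sk: sk, BCADD: DeriveBCADD(pk)}
}

func (d *Device) Prove(fields ...[]byte) Proof {
	return Proof{Fields: fields, Sig: ed25519.Sign(d.sk, bytes.Join(fields, nil))}
}

// Server holds the pre-stored correspondence: application identity -> device public key.
type Server struct{ ids map[string]ed25519.PublicKey }

func NewServer() *Server { return &Server{ids: map[string]ed25519.PublicKey{}} }

// Register writes one entry, the outcome of the registration step.
func (s *Server) Register(identity []byte, pk ed25519.PublicKey) { s.ids[string(identity)] = pk }

// AuthByAPPID: identity is Hash(BCADD); hash the received network identifier and pass the
// device if an equal identity is stored (no key operation needed).
func (s *Server) AuthByAPPID(bcadd []byte) bool {
	_, ok := s.ids[string(DeriveAPPID(bcadd))]
	return ok
}

// AuthByBCADD: identity is BCADD itself; the first authentication request carries the
// first random number and SKu(BCADD, first random number).
func (s *Server) AuthByBCADD(nonce []byte, p Proof) bool {
	if len(p.Fields) != 2 || !bytes.Equal(p.Fields[1], nonce) {
		return false // recovered random number must equal the carried one
	}
	pk, ok := s.ids[string(p.Fields[0])] // a stored identity equals the recovered BCADD
	return ok && verify(pk, p)
}

// UpdateBCADD: the fourth information carries the second random number and
// SKu(new BCADD, BCADD, second random number); on success the entry is re-keyed.
func (s *Server) UpdateBCADD(nonce []byte, p Proof) bool {
	if len(p.Fields) != 3 || !bytes.Equal(p.Fields[2], nonce) {
		return false
	}
	newB, oldB := p.Fields[0], p.Fields[1]
	pk, ok := s.ids[string(oldB)]
	if !ok || !verify(pk, p) {
		return false // NACK
	}
	delete(s.ids, string(oldB))
	s.ids[string(newB)] = pk
	return true // ACK
}

func main() {
	s, d := NewServer(), NewDevice()
	s.Register(d.BCADD, d.PK) // BCADD mode: the identity is the network identifier itself
	n1, n2, newB := Nonce(), Nonce(), hash(Nonce()) // how a new BCADD is chosen is not on the page
	fmt.Println("auth:", s.AuthByBCADD(n1, d.Prove(d.BCADD, n1)))
	fmt.Println("update:", s.UpdateBCADD(n2, d.Prove(newB, d.BCADD, n2)))
	fmt.Println("old BCADD after update:", s.AuthByBCADD(n1, d.Prove(d.BCADD, n1)))
}
```

Because the first and second random numbers are chosen by the terminal device, as on the page, these checks bind the proof to the carried value but not to a server-issued challenge; the later mutual authentication step with the server-chosen fourth random number is what supplies that.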
In combination with the first aspect, in some implementations of the first aspect, before receiving the first authentication request from the terminal device, the method further includes: sending third information to the corresponding network device, the third information being a response to the first information and carrying the network identifier of the terminal device.
It should be understood that after receiving the third information, the network device corresponding to the application server can, based on the third information, send a query request to the blockchain device, the query request carrying the network identifier of the terminal device and being used to query the ID of the network device corresponding to the terminal device that corresponds to that network identifier and is in the same network domain as the network device corresponding to the application server. Correspondingly, the blockchain device receives the query request and, using the correspondence it stores between network identifiers and the IDs of the network devices corresponding to terminal devices, determines the ID of the network device corresponding to the terminal device that corresponds to the received network identifier and is in the same network domain as the network device corresponding to the application server. The network device corresponding to the application server obtains the ID of the network device corresponding to the terminal device, and can thus address the network device the terminal device is attached to by that ID and so locate the terminal device.
In combination with the first aspect, in some implementations of the first aspect, the method further includes: where the authentication passes, allocating a temporary external identifier to the terminal device, the temporary external identifier being used to identify the terminal device's application externally; and sending to the blockchain device information indicating the correspondence between the network identifier and the temporary external identifier.
Exemplarily, the temporary external identifier may be a uniform resource locator (URL), an application programming interface (API), a port identifier, or the like.
By setting a temporary external identifier, the embodiments of the present application prevent the internal identifier of the terminal device from being exposed on the network, increasing the security of the communication system.
In combination with the first aspect, in some implementations of the first aspect, the method further includes: receiving fifth information from the terminal device, the fifth information requesting that a first application identity be used as the identity of the terminal device under the corresponding application and carrying the first application identity; based on the fifth information, sending a second authentication request to the terminal device, the second authentication request requesting authentication of the terminal device; receiving a second authentication response from the terminal device, the second authentication response carrying information used for authentication; authenticating the terminal device based on the second authentication response; and, where the authentication passes, storing the correspondence between the first application identity and the public key of the terminal device.
It should be understood that before the terminal device sends the fifth information to the application server, the terminal device needs to attach to the network. The embodiments of the present application do not limit the network access method or the network identifier used. In one possible implementation, the terminal device may use BCADD as its network identifier, initiate a random access procedure and attach to the network. In another possible implementation, the terminal device may use another identifier as its network identifier, initiate a random access procedure and attach to the network.
In combination with the first aspect, in some implementations of the first aspect, the information used for authentication includes: the public key of the terminal device, a third random number and a third ciphertext, the third ciphertext being obtained by encrypting the first application identity and the third random number with the private key of the terminal device; and authenticating the terminal device based on the second authentication response includes: decrypting the third ciphertext with the public key of the terminal device to obtain the decrypted first application identity and the decrypted third random number; and, where the decrypted first application identity is equal to the first application identity carried in the fifth information and the decrypted third random number is equal to the third random number carried in the second authentication response, determining that the terminal device has passed authentication.
The embodiments of the present application complete authentication of the terminal device through the pre-stored correspondence, with no need to establish the correspondence during the authentication procedure, which makes authentication simpler and faster and thereby improves authentication efficiency.
Exemplarily, where the application identity of the terminal device is the network identifier of the terminal device, the third ciphertext may be SKu(BCADD, third random number), where SKu(BCADD, third random number) is the ciphertext obtained by encrypting BCADD and the third random number with the private key SKu.
Exemplarily, where the application identity of the terminal device is a value obtained by processing the network identifier of the terminal device with the preset one-way derivation function, the third ciphertext may be SKu(APPID, third random number), where SKu(APPID, third random number) is the ciphertext obtained by encrypting APPID and the third random number with the private key SKu.
Where the network is untrusted, messages sent by the terminal device to the application server may be tampered with, so a further round of mutual authentication can be performed between the terminal device and the application server; only if the mutual authentication passes does the application server provide service to the terminal device's application, which improves the accuracy of application authentication.
In combination with the first aspect, in some implementations of the first aspect, the method further includes: sending a third authentication request to the terminal device, the third authentication request carrying a fourth ciphertext, the fourth ciphertext being obtained by encrypting the application identity of the terminal device, the network identifier of the terminal device and a fourth random number with the public key of the terminal device; receiving a third authentication response from the terminal device, the third authentication response carrying a private-key-encrypted fourth ciphertext, which is obtained by encrypting, with the private key of the terminal device, the application identity of the terminal device, the network identifier of the terminal device and the fourth random number recovered by decrypting the fourth ciphertext; authenticating the terminal device based on the third authentication response; and, where the authentication passes, sending the second information to the terminal device.
Optionally, the terminal device receiving the third authentication request and, based on it, sending a third authentication response to the application server specifically includes: the terminal device decrypts the fourth ciphertext with its own private key to obtain the decrypted application identity, the decrypted network identifier and the decrypted fourth random number; the terminal device then encrypts the decrypted application identity, the decrypted network identifier and the decrypted fourth random number with its own private key to obtain a private-key-encrypted fourth ciphertext, and sends to the application server a third authentication response carrying the private-key-encrypted fourth ciphertext. Exemplarily, the private-key-encrypted fourth ciphertext may be SKu(APPID, BCADD, fourth random number). The application server authenticating the terminal device based on the third authentication response specifically includes: the application server decrypts the private-key-encrypted fourth ciphertext with the terminal device's public key to obtain the decrypted application identity, the decrypted network identifier and the decrypted fourth random number; and, where the decrypted fourth random number is equal to the fourth random number carried in the third authentication request, the application server determines that the terminal device has passed authentication.
In the embodiments of the present application, mutual authentication can be performed between the terminal device and the application server; only if the mutual authentication passes does the application server provide service to the terminal device's application, which improves the accuracy of application authentication.
In a second aspect, another application authentication method is provided, including: sending first information to an application server, the first information being used to request service data and carrying the network identifier of a terminal device, the network identifier being used by the application server to authenticate the terminal device based on a pre-stored correspondence, the correspondence indicating the relationship between the public key of at least one terminal device and at least one application identity authenticated by the application server, the at least one application identity being obtained based on the network identifier of the terminal device to which it corresponds; and receiving second information from the application server, the second information indicating that the terminal device has passed authentication.
In combination with the second aspect, in certain implementations of the second aspect, the subject executing the above application authentication method may be a terminal device.
In combination with the second aspect, in certain implementations of the second aspect, the application identity of the terminal device is a value obtained by processing the network identifier of the terminal device with a preset one-way derivation function, or the application identity of the terminal device is the network identifier of the terminal device itself.
In combination with the second aspect, in certain implementations of the second aspect, the method further includes: sending fourth information to the application server, the fourth information indicating an update of the application identity of the terminal device and carrying a second random number and a second ciphertext, the second ciphertext being obtained by encrypting the new network identifier of the terminal device, the current network identifier and the second random number with the private key of the terminal device.
In combination with the second aspect, in certain implementations of the second aspect, the method further includes: sending fifth information to the application server, the fifth information requesting that a first application identity be used as the identity of the terminal device under the application corresponding to the application server, the fifth information carrying the first application identity; receiving a second authentication request from the application server, the second authentication request requesting authentication of the terminal device; and sending a second authentication response to the application server, the second authentication response carrying information used for authentication.
In combination with the second aspect, in certain implementations of the second aspect, the information used for authentication includes: the public key of the terminal device, a third random number and a third ciphertext, the third ciphertext being obtained by encrypting the first application identity and the third random number with the private key of the terminal device.
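The second-aspect flows above (deriving the application identity from the network identifier, the first-information lookup against the pre-stored correspondence, the identity update carried by the fourth information, and the registration carried by the fifth information and the second authentication response) can be exercised together in the following Go program. It is an added example, not code from the patent or its applicant. Everything the page leaves open is an assumption here: the one-way derivation function (SHA-256 over an application prefix and the network identifier), RSA-PSS signatures standing in for the page's "encryption with the private key", a registry keyed by APPID, a JSON encoding of the signed fields, and a cache of accepted second random numbers, which the page does not describe but which is the only way a server can reject a replayed update when the device, not the server, chose the random number. Identifiers such as "bcadd-1" and "nonce3-demo" are constructed sample values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// DeriveAppID is the preset one-way derivation function; the page leaves it open.
// SHA-256 over an assumed application prefix and the network identifier is used.
func DeriveAppID(netID string) string {
	h := sha256.Sum256([]byte("app-auth-v1|" + netID))
	return hex.EncodeToString(h[:])
}

// msg encodes the signed fields as a JSON array so that field boundaries are unambiguous.
func msg(fields ...string) []byte { m, _ := json.Marshal(fields); return m }

// Sign/Verify realise "encrypt with the private key" / "decrypt with the public key" as RSA-PSS over SHA-256.
func Sign(priv *rsa.PrivateKey, m []byte) ([]byte, error) {
	h := sha256.Sum256(m)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

func Verify(pub *rsa.PublicKey, m, sig []byte) error {
	h := sha256.Sum256(m)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil)
}

// NewDeviceKey generates a terminal device key pair (demo only).
func NewDeviceKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Registry is the server's pre-stored correspondence between device public keys and
// authenticated APPIDs, keyed by APPID. usedNonces (an addition) remembers accepted update nonces.
type Registry struct {
	keys       map[string]*rsa.PublicKey
	usedNonces map[string]bool
}

func NewRegistry() *Registry { return &Registry{map[string]*rsa.PublicKey{}, map[string]bool{}} }

// Register handles the fifth information and second authentication response: the device
// claims appID, presents pub and proves possession of the private key by signing
// (appID, nonce3); appID must also be the derivation of the device's network identifier.
func (r *Registry) Register(appID, netID string, pub *rsa.PublicKey, nonce, sig []byte) error {
	if appID != DeriveAppID(netID) {
		return errors.New("APPID is not derived from the presented network identifier")
	}
	if Verify(pub, msg(appID, hex.EncodeToString(nonce)), sig) != nil {
		return errors.New("proof of possession failed")
	}
	if old, ok := r.keys[appID]; ok && !old.Equal(pub) {
		return errors.New("APPID already bound to a different key")
	}
	r.keys[appID] = pub
	return nil
}

// Authenticate is the first-information path: only the network identifier is sent.
func (r *Registry) Authenticate(netID string) (*rsa.PublicKey, bool) {
	pub, ok := r.keys[DeriveAppID(netID)]
	return pub, ok
}

// UpdateIdentity handles the fourth information: a signature over (newNetID, netID, nonce2)
// under the key bound to the old APPID moves the binding to the new APPID.
func (r *Registry) UpdateIdentity(newNetID, netID string, nonce, sig []byte) error {
	pub, ok := r.Authenticate(netID)
	if !ok {
		return errors.New("unknown device")
	}
	if r.usedNonces[string(nonce)] {
		return errors.New("replayed update")
	}
	if Verify(pub, msg(newNetID, netID, hex.EncodeToString(nonce)), sig) != nil {
		return errors.New("update not signed by the bound key")
	}
	r.usedNonces[string(nonce)] = true
	delete(r.keys, DeriveAppID(netID))
	r.keys[DeriveAppID(newNetID)] = pub
	return nil
}

func main() {
	priv, reg, n3 := NewDeviceKey(), NewRegistry(), []byte("nonce3-demo") // constructed demo values
	sig, _ := Sign(priv, msg(DeriveAppID("bcadd-1"), hex.EncodeToString(n3)))
	fmt.Println("register:", reg.Register(DeriveAppID("bcadd-1"), "bcadd-1", &priv.PublicKey, n3, sig))
}
```

Two checks in Register go slightly beyond the page's wording and are worth keeping in a deployment: the claimed APPID must actually derive from the network identifier the server knows for the device, and an APPID already bound to one key is not handed to another. A deployment would also refuse an update whose new APPID is already bound to a different device's key, and would expire entries in usedNonces rather than keep them forever.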
In combination with the second aspect, in certain implementations of the second aspect, the method further includes: receiving a third authentication request from the application server, the third authentication request carrying a fourth ciphertext, the fourth ciphertext being obtained by encrypting the first application identity, the network identifier of the terminal device and a fourth random number with the public key of the terminal device; decrypting the fourth ciphertext with the private key of the terminal device to obtain the decrypted first application identity, the decrypted network identifier of the terminal device and the decrypted fourth random number; encrypting the decrypted first application identity, the decrypted network identifier and the decrypted fourth random number with the private key of the terminal device to obtain a private-key-encrypted fourth ciphertext; and sending the application server a third authentication response carrying the private-key-encrypted fourth ciphertext.
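The third authentication request and response, as described from the application server's side in the first aspect and from the terminal device's side just above, as an added Go example (not code from the patent or its applicant). Assumptions made here: RSA-OAEP for the encryption under the device's public key; RSA-PSS for the page's "encryption with the private key", which in current terms is a signature, and because a signature does not recover the message the response carries the recovered tuple alongside it; a 16-byte fourth random number; and a JSON encoding of the tuple, which must stay under the OAEP size limit of the key (190 bytes for a 2048-bit key with SHA-256). The server compares the application identity and the network identifier as well as the random number; the page states only the random-number comparison, but without the identity checks a response to one device's challenge could be accepted for another. The sample identifiers are constructed.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
)

// Challenge is the tuple the page writes as (APPID, BCADD, fourth random number).
// It travels JSON-encoded inside the RSA-OAEP ciphertext (an assumed encoding).
type Challenge struct {
	AppID []byte // application identity of the terminal device
	NetID []byte // network identifier of the terminal device
	Nonce []byte // fourth random number, chosen by the application server
}

// NewDeviceKey generates the terminal device's key pair (demo only).
func NewDeviceKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// ServerMakeRequest builds the third authentication request: a fresh random number
// is bound to both identities and the tuple is encrypted to the device's public key
// with RSA-OAEP, so only the holder of the private key can read it.
func ServerMakeRequest(devPub *rsa.PublicKey, appID, netID []byte) (Challenge, []byte, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, nil, err
	}
	ch := Challenge{AppID: appID, NetID: netID, Nonce: nonce}
	raw, err := json.Marshal(ch)
	if err != nil {
		return Challenge{}, nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, devPub, raw, nil)
	return ch, ct, err
}

// DeviceRespond is the terminal side: decrypt with the private key, then "encrypt
// with the private key", i.e. sign the recovered tuple with RSA-PSS. Because a
// signature does not recover the message, the response carries the tuple with it.
func DeviceRespond(devPriv *rsa.PrivateKey, ct []byte) (pt, sig []byte, err error) {
	if pt, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, devPriv, ct, nil); err != nil {
		return nil, nil, err
	}
	h := sha256.Sum256(pt)
	sig, err = rsa.SignPSS(rand.Reader, devPriv, crypto.SHA256, h[:], nil)
	return pt, sig, err
}

// ServerVerify checks the third authentication response: the signature must verify
// under the device's stored public key, the random number must equal the one issued,
// and (a check the page does not state) both identities must match the challenge.
func ServerVerify(devPub *rsa.PublicKey, issued Challenge, pt, sig []byte) error {
	h := sha256.Sum256(pt)
	if err := rsa.VerifyPSS(devPub, crypto.SHA256, h[:], sig, nil); err != nil {
		return fmt.Errorf("signature check failed: %w", err)
	}
	var got Challenge
	if err := json.Unmarshal(pt, &got); err != nil {
		return err
	}
	if subtle.ConstantTimeCompare(got.Nonce, issued.Nonce) != 1 {
		return errors.New("random number mismatch: stale or replayed response")
	}
	if !bytes.Equal(got.AppID, issued.AppID) || !bytes.Equal(got.NetID, issued.NetID) {
		return errors.New("identity mismatch")
	}
	return nil
}

func main() {
	priv := NewDeviceKey() // device key pair, constructed for the demo
	issued, ct, _ := ServerMakeRequest(&priv.PublicKey, []byte("appid-demo"), []byte("bcadd-demo"))
	pt, sig, _ := DeviceRespond(priv, ct)
	fmt.Println("terminal device authenticated:", ServerVerify(&priv.PublicKey, issued, pt, sig) == nil)
}
```

The scheme as described uses one device key pair both to decrypt the challenge and to "encrypt with the private key"; the example mirrors that, but a deployment would normally give the device separate key pairs for decryption and for signing so that an oracle on one operation cannot be turned against the other.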
In a third aspect, a further application authentication method is provided, including: receiving a first correspondence from a network device, the first correspondence representing the relationship between the network identifier of a terminal device and the identifier of the network device; and storing the first correspondence.
In combination with the third aspect, in certain implementations of the third aspect, the subject executing the above application authentication method may be a blockchain device.
It should be understood that the above blockchain device may be a single independent device, multiple devices deployed in a distributed manner, or a chip driver capable of implementing the relevant functions; the embodiments of the present application do not limit its specific product form.
In combination with the third aspect, in certain implementations of the third aspect, the method further includes: receiving a second correspondence from an application server, the second correspondence representing the relationship between the network identifier and a temporary external identifier allocated to the terminal device by the application server.
In a fourth aspect, an application authentication device is provided for performing the method in any possible implementation of the first, second or third aspect. Specifically, the device includes modules for performing the method in any possible implementation of the first, second or third aspect.
In a fifth aspect, another application authentication device is provided, including a processor and a memory, the processor being coupled to the memory and operable to execute instructions in the memory so as to implement the method in any possible implementation of the first, second or third aspect. Optionally, the application authentication device further includes a communication interface, and the processor is coupled to the communication interface.
In one implementation, the application authentication device is an application server. When the application authentication device is an application server, the communication interface may be a transceiver or an input/output interface.
In another implementation, the application authentication device is a chip configured in an application server. When the application authentication device is a chip configured in an application server, the communication interface may be an input/output interface.
In one implementation, the application authentication device is a terminal device. When the application authentication device is a terminal device, the communication interface may be a transceiver or an input/output interface.
In another implementation, the application authentication device is a chip configured in a terminal device. When the application authentication device is a chip configured in a terminal device, the communication interface may be an input/output interface.
In one implementation, the application authentication device is a blockchain device. When the application authentication device is a blockchain device, the communication interface may be a transceiver or an input/output interface.
In another implementation, the application authentication device is a chip configured in a blockchain device. When the application authentication device is a chip configured in a blockchain device, the communication interface may be an input/output interface.
In a sixth aspect, a processor is provided, including an input circuit, an output circuit and a processing circuit. The processing circuit is configured to receive a signal through the input circuit and to transmit a signal through the output circuit, so that the processor performs the method in any possible implementation of the first, second or third aspect.
In a specific implementation, the processor may be a chip, the input circuit may be an input pin, the output circuit may be an output pin, and the processing circuit may be transistors, gate circuits, flip-flops and various logic circuits. The input signal received by the input circuit may, for example and without limitation, be received and fed in by a receiver; the signal output by the output circuit may, for example and without limitation, be passed to a transmitter and transmitted by it; and the input circuit and the output circuit may be one and the same circuit, used as input circuit and as output circuit at different times. The embodiments of the present application do not limit the specific implementation of the processor and the circuits.
In a seventh aspect, a processing device is provided, including a processor and a memory. The processor is configured to read instructions stored in the memory, and may receive signals through a receiver and transmit signals through a transmitter, so as to perform the method in any possible implementation of the first, second or third aspect.
Optionally, there are one or more processors and one or more memories.
Optionally, the memory may be integrated with the processor, or the memory and the processor may be provided separately.
In a specific implementation, the memory may be a non-transitory memory such as a read-only memory (ROM), which may be integrated with the processor on the same chip or placed on a different chip; the embodiments of the present application do not limit the type of memory or the arrangement of the memory and the processor.
It should be understood that the relevant data interactions, such as sending indication information, may be the process of the processor outputting the indication information, and receiving capability information may be the process of the processor receiving the input capability information. Specifically, the data output after processing may be output to a transmitter, and the input data received by the processor may come from a receiver. The transmitter and the receiver may be collectively referred to as a transceiver.
The processing device in the seventh aspect may be a chip. The processor may be implemented in hardware or in software. When implemented in hardware, the processor may be a logic circuit, an integrated circuit or the like; when implemented in software, the processor may be a general-purpose processor that works by reading software code stored in a memory, and the memory may be integrated in the processor or located outside the processor as a separate component.
In an eighth aspect, a computer program product is provided, the computer program product including a computer program (which may also be called code or instructions) that, when run, causes a computer to perform the method in any possible implementation of the first, second or third aspect.
In a ninth aspect, a computer-readable storage medium is provided, the computer-readable storage medium storing a computer program (which may also be called code or instructions) that, when run on a computer, causes the computer to perform the method in any possible implementation of the first, second or third aspect.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a schematic diagram of a communication system applicable to an embodiment of the present application;
FIG. 2 is a schematic diagram of another communication system applicable to an embodiment of the present application;
FIG. 3 is a schematic diagram of the three-layer identity relationship of an embodiment of the present application;
FIG. 4 is a schematic flow chart of an application authentication method according to an embodiment of the present application;
FIG. 5 is a schematic flow chart of another application authentication method according to an embodiment of the present application;
FIG. 6 is a schematic flow chart of a further application authentication method according to an embodiment of the present application;
FIG. 7 is a schematic flow chart of a further application authentication method according to an embodiment of the present application;
FIG. 8 is a schematic flow chart of a further application authentication method according to an embodiment of the present application;
FIG. 9 is a schematic block diagram of an application authentication device according to an embodiment of the present application;
FIG. 10 is a schematic block diagram of another application authentication device according to an embodiment of the present application;
FIG. 11 is a schematic block diagram of a further application authentication device according to an embodiment of the present application.
DETAILED DESCRIPTION
The technical solutions of the present application are described below with reference to the accompanying drawings.
To describe the technical solutions of the embodiments of the present application clearly, the embodiments use words such as "first" and "second" to distinguish between identical or similar items whose functions and effects are substantially the same. Those skilled in the art will understand that such words do not limit quantity or order of execution, and do not require the items they distinguish to be different.
It should be noted that in the present application words such as "exemplarily" or "for example" are used to indicate an example, illustration or explanation. Any embodiment or design described as "exemplary" or "for example" in the present application should not be interpreted as preferred over, or more advantageous than, other embodiments or designs. Rather, the use of such words is intended to present the related concepts in a concrete way.
In addition, "at least one" means one or more, and "a plurality of" means two or more. "And/or" describes an association between associated objects and indicates that three relationships may exist; for example, A and/or B may mean: A alone, both A and B, or B alone, where A and B may be singular or plural. The character "/" generally indicates an "or" relationship between the objects before and after it. "At least one of the following" or similar expressions refer to any combination of the listed items, including any combination of single items or plural items. For example, at least one of a, b and c may mean: a, or b, or c, or a and b, or a and c, or b and c, or a, b and c, where a, b and c may each be single or multiple.
The technical solutions of the embodiments of the present application can be applied to various communication systems, for example: long term evolution (LTE) systems, LTE frequency division duplex (FDD) systems, LTE time division duplex (TDD) systems, the universal mobile telecommunication system (UMTS), worldwide interoperability for microwave access (WiMAX) communication systems, fifth generation (5G) or new radio (NR) systems, and future evolved communication systems such as sixth generation (6G) systems.
It should also be understood that the technical solutions of the embodiments of the present application can be applied to various communication systems based on non-orthogonal multiple access technology, such as sparse code multiple access (SCMA) systems; SCMA may of course go by other names in the communication field. Further, the technical solutions of the embodiments can be applied to multi-carrier transmission systems using non-orthogonal multiple access technology, such as orthogonal frequency division multiplexing (OFDM), filter bank multi-carrier (FBMC), generalized frequency division multiplexing (GFDM) and filtered OFDM (F-OFDM) systems using non-orthogonal multiple access.
To facilitate understanding of the embodiments of the present application, a communication system applicable to them is first described with reference to FIG. 1. FIG. 1 shows a schematic diagram of a communication system 100 applicable to the embodiments. The communication system 100 includes a terminal device 110 and an application server 120. The terminal device 110 has at least one application installed, and the at least one application may correspond to at least one application server; FIG. 1 shows one application server 120. The application server 120 can provide services for the applications of the terminal device 110. The terminal device 110 and the application server 120 can communicate through application-layer messages.
It should be understood that the terminal device 110 may be configured with multiple antennas, including at least one transmitting antenna for sending signals and at least one receiving antenna for receiving signals. In addition, the terminal device 110 includes a transmitter chain and a receiver chain, each of which, as those of ordinary skill in the art will understand, may include multiple components related to signal transmission and reception (such as processors, modulators, multiplexers, demodulators, demultiplexers or antennas). The terminal device 110 can therefore communicate with other devices through multi-antenna technology.
In some deployments, the communication system 100 may further include a network device 130. The network device 130 and the terminal device 110 can communicate over a wireless link. The network device 130 may also be configured with multiple antennas, similarly to the terminal device 110, which is not repeated here; the network device 130 and the terminal device 110 can therefore communicate through multi-antenna technology.
In some deployments, the communication system 100 may further include a blockchain device 140. The blockchain device 140 consists of multiple decentralized, distributed devices that jointly maintain one blockchain ledger. The distributed devices can communicate with one another to transmit and synchronize data.
FIG. 2 shows a schematic diagram of another communication system 200 applicable to the embodiments of the present application. As shown in FIG. 2, the communication system 200 may include a terminal device 210, an application server 220 and a network device 230. The terminal device 210 includes a terminal device application 211 and a terminal device network interface 212. The terminal device application 211 may include social, news, gaming, shopping and utility applications that provide services to the user of the terminal device 210, and the terminal device network interface 212 is responsible for sending signaling such as authentication, mobility management and access control to the application server 220 for processing. The application server 220 is similar to the application server 120 described above and is not repeated here. The network device 230 is the network device to which the terminal device 210 is attached.
In some deployments, the communication system 200 may further include a network device 240 and a blockchain device 250. Exemplarily, the network device 240 may be understood as a router that forwards the data packets of the application server 220. The blockchain device 250 is similar to the blockchain device 140 described above and is not repeated here. The terminal device 210 can communicate with the application server 220, the network device 230 and the blockchain device 250; the application server 220 can also communicate with the network device 240 and the blockchain device 250; and the blockchain device 250 can also communicate with the network device 230 and the network device 240.
本申请实施例中的终端设备可以经无线接入网(radio access network,RAN)与一个或多个核心网进行通信,该终端设备可称为接入终端、用户设备(user equipment,UE)、用户单元、用户站、移动站、移动台、远方站、远程终端、移动设备、用户终端、终端、无线通信设备、用户代理或用户装置。接入终端可以是蜂窝电话、无绳电话、会话启动协议(session initiation protocol,SIP)电话、无线本地环路(wireless local loop,WLL)站、个人数字处理(personal digital assistant,PDA)、具有无线通信功能的手持设备、计算设备或连接到无线调制解调器的其它处理设备、车载设备、可穿戴设备、5G网络中的终端设备或者未来演进的公共陆地移动网络(public land mobile network,PLMN)中的终端设备等。The terminal device in the embodiment of the present application can communicate with one or more core networks via a radio access network (RAN), and the terminal device can be called an access terminal, user equipment (UE), user unit, user station, mobile station, mobile station, remote station, remote terminal, mobile device, user terminal, terminal, wireless communication device, user agent or user device. The access terminal can be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with wireless communication function, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, a terminal device in a 5G network, or a terminal device in a public land mobile network (PLMN) to be evolved in the future, etc.
本申请实施例中的网络设备可以是用于与终端设备通信的设备,该网络设备可以是全球移动通信(global system for mobile communications,GSM)系统或码分多址(code division multiple access,CDMA)中的基站(base transceiver station,BTS),也可以是宽带码分多址(wideband code division multiple access,WCDMA)系统中的基站(NodeB,NB),还可以是LTE系统中的演进型基站(evolved NodeB,eNB或eNodeB),还可以是云无线接入网络(cloud radio access network,CRAN)场景下的无线控制器,或者该网络设备可以为中继站、接入点、车载设备、可穿戴设备以及5G网络中的网络设备或者未来演进的PLMN网络中的网络设备等,本申请实施例对此并不限定。例如,NR系统中的gNB,或,传输点(transmission and receiving point,TRP或TP),5G系统中的基站的一个或一组(包括多个天线面板)天线面板,或者,还可以为构成gNB或传输点的网络节点,如基带单元(baseband unit,BBU),或,分布式单元(distributed unit,DU)等。The network device in the embodiment of the present application can be a device for communicating with a terminal device. The network device can be a base station (base transceiver station, BTS) in a global system for mobile communications (GSM) system or code division multiple access (CDMA), or a base station (NodeB, NB) in a wideband code division multiple access (WCDMA) system, or an evolved base station (evolved NodeB, eNB or eNodeB) in an LTE system, or a wireless controller in a cloud radio access network (CRAN) scenario, or the network device can be a relay station, an access point, a vehicle-mounted device, a wearable device, a network device in a 5G network, or a network device in a future evolved PLMN network, etc. The embodiment of the present application is not limited to this. For example, a gNB in an NR system, or a transmission point (transmission and receiving point, TRP or TP), one or a group of (including multiple antenna panels) antenna panels of a base station in a 5G system, or a network node constituting a gNB or a transmission point, such as a baseband unit (baseband unit, BBU), or a distributed unit (distributed unit, DU), etc.
在一些部署中,gNB可以包括集中式单元(centralized unit,CU)和DU。gNB还可以包括射频单元(radio unit,RU)。CU实现gNB的部分功能,DU实现gNB的部分功能,比如,CU实现无线资源控制(radio resource control,RRC),分组数据汇聚层协议(packet dataconvergence protocol,PDCP)层的功能,DU实现无线链路控制(radio link control,RLC)层、媒体接入控制(media access control,MAC)层和物理(physical,PHY)层的功能。由于RRC层的信息最终会变成PHY层的信息,或者,由PHY层的信息转变而来,因而,在这种架构下,高层信令,如RRC层信令,也可以认为是由DU发送的,或者,由DU+CU发送的。可以理解的是,网络设备可以为CU节点、或DU节点、或包括CU节点和DU节点的设备。此外,CU可以划分为接入网(radio access network,RAN)中的网络设备,也可以将CU划分为核心网(corenetwork,CN)中的网络设备,本申请对此不做限定。In some deployments, the gNB may include a centralized unit (CU) and a DU. The gNB may also include a radio unit (RU). The CU implements some functions of the gNB, and the DU implements some functions of the gNB, for example, the CU implements the functions of the radio resource control (RRC) and packet data convergence protocol (PDCP) layers, and the DU implements the functions of the radio link control (RLC) layer, the media access control (MAC) layer, and the physical (PHY) layer. Since the information of the RRC layer will eventually become the information of the PHY layer, or be converted from the information of the PHY layer, therefore, under this architecture, high-level signaling, such as RRC layer signaling, can also be considered to be sent by the DU, or by the DU+CU. It can be understood that the network device can be a CU node, a DU node, or a device including a CU node and a DU node. In addition, the CU can be divided into a network device in an access network (radio access network, RAN), and the CU can also be divided into a network device in a core network (core network, CN), which is not limited in this application.
The above network device may also be a general term for all devices on the network side; for example, when multiple TRPs transmit data to a terminal device, the multiple TRPs may collectively be referred to as the network device.
In the embodiments of the present application, a terminal device or a network device includes a hardware layer, an operating system layer running on the hardware layer, and an application layer running on the operating system layer. The hardware layer includes hardware such as a central processing unit (CPU), a memory management unit (MMU), and memory (also called main memory). The operating system may be any one or more computer operating systems that implement service processing through processes, such as Linux, Unix, Android, iOS, or Windows. The application layer includes applications such as a browser, an address book, word-processing software, and instant-messaging software. Furthermore, the embodiments of the present application do not specifically limit the structure of the entity that executes the method provided herein, as long as it can communicate according to that method by running a program that records the code of the method; for example, the executing entity may be a terminal device or a network device, or a functional module within a terminal device or a network device that can invoke and execute the program.
In addition, various aspects or features of the present application may be implemented as a method, an apparatus, or an article of manufacture using standard programming and/or engineering techniques. The term "article of manufacture" as used herein covers a computer program accessible from any computer-readable device, carrier, or medium. For example, computer-readable media may include, but are not limited to, magnetic storage devices (e.g., hard disks, floppy disks, or magnetic tapes), optical disks (e.g., compact discs (CDs) and digital versatile discs (DVDs)), smart cards, and flash memory devices (e.g., erasable programmable read-only memory (EPROM), cards, sticks, or key drives). In addition, the various storage media described herein may represent one or more devices and/or other machine-readable media for storing information. The term "machine-readable medium" may include, but is not limited to, wireless channels and various other media capable of storing, containing, and/or carrying instructions and/or data.
In the era of information technology and big data, the number of application programs (applications for short) on terminal devices has grown explosively. When a user uses an application on a terminal device, the terminal device needs to access, through that application, the application server corresponding to it in order to obtain the relevant data and provide the service to the user. When the terminal device application accesses the application server, the application server needs to perform authentication (also referred to as identity verification) on the accessing terminal device application; only after authentication passes does the application server provide the service data. This protects user information and guards against network security problems caused by information theft and malicious intrusion.
At present, application servers mainly authenticate applications by the network address of the terminal device together with the identity and password information the user enters when using the application. When the terminal device is connected to the network and the user uses an application on it, the terminal device can send an application authentication request to a centralized identity authority (which may also be the application server). The centralized identity authority matches the network address of the terminal device and the identity and password information or biometric features entered by the user against the information it stores locally; if a match exists, it provides service to that terminal device application, and the user can use the application normally.
The above authentication method requires the participation of a centralized identity authority, which stores the users' identity and password information. This carries a risk of user information leakage, and the security is poor especially when the centralized identity authority suffers a single point of failure or cannot be trusted.
In view of this, the embodiments of the present application propose an application authentication method and apparatus. An application identity of the terminal device is generated from the network identifier of the terminal device, and the correspondence between the public key of the terminal device and the application identity authenticated by the application server is written into the application server. When a user uses an application on the terminal device, the terminal device initiates an authentication procedure with the application server, which can complete authentication of the terminal device using the network identifier of the terminal device and the pre-written correspondence. No user information is needed, so there is no risk of user information leakage, which helps improve the security of the system.
The application authentication method and apparatus provided by the present application are described in detail below with reference to the accompanying drawings. It should be understood that the technical solution of the present application can be applied to the communication system shown in Figure 1 or Figure 2 above. For example, in the communication system 100 shown in Figure 1, the terminal device described in the following embodiments may correspond to the terminal device 110 in Figure 1: it may be the terminal device 110 itself or a chip configured in the terminal device 110. The application server described in the following embodiments may correspond to the application server 120 in Figure 1: it may be the application server 120 itself or a chip configured in the application server 120.
Besides the devices mentioned above, in other possible implementations the application server 120 may also be another device in the network. For example, in an open radio access network (O-RAN), the application server 120 may be a RAN intelligent controller (RIC) node, an open cloud (O-Cloud) node, a service management and orchestration (SMO) node, an open eNB (O-eNB), an open radio unit (O-RU), an open DU (O-DU), an open CU (O-CU), and so on; the embodiments of the present application do not limit this.
Below, without loss of generality, the application authentication method provided by the embodiments of the present application is described in detail using the interaction between devices as an example. For better understanding, the correspondence between the application identity provided by the embodiments and the network identifier of the terminal device is explained first.
Figure 3 is a schematic diagram of a three-layer identity correspondence 300 provided by an embodiment of the present application. As shown in Figure 3, the three-layer identity correspondence 300 may include a first-layer identity RealID, a second-layer identity BCADD, and a third-layer identity APPID.
1. The first-layer identity (real identity, RealID) can be understood as the public key PKu of the terminal device, registered with the national regulatory authority. The first-layer identity RealID is not used in any network or application.
2. The second-layer identity (block chain address, BCADD) indicates the basic transmission identifier between the link layer and the network layer and also indicates the network identifier of the terminal device; it can be understood as the blockchain address of the terminal device derived from the public key PKu. The second-layer identity BCADD is obtained by applying a one-way derivation function to the first-layer identity RealID. When a terminal device has only one network address, BCADD indicates the network identifier of the terminal device; when a terminal device has multiple network addresses, BCADD indicates the network identifier of a specific network interface card of the terminal device.
It should be understood that the above one-way derivation function may be a hash function or an encryption algorithm; the embodiments of the present application do not limit this.
In one possible implementation, taking the case where the first-layer identity RealID is the public key PKu of the terminal device, the second-layer identity BCADD may be Hash(PKu), where Hash(PKu) denotes the value obtained by applying a hash function to the public key PKu of the terminal device.
It should be understood that there are many types of hash functions, and hash operations may include additive hashing, bitwise hashing, multiplicative hashing, division hashing, table-lookup hashing, mixed hashing, and other types. Applying different types of hash operations to the same seed, the same type of hash operation to different seeds, or different types of hash operations to different seeds yields different values. The embodiments of the present application do not limit the specific hash function used.
Optionally, the second-layer identity BCADD may be updated. For example, with the public key PKu as the seed, after obtaining a second-layer identity BCADD 1, a different hash function and/or a different hash operation may be used to obtain a second-layer identity BCADD 2, and BCADD 1 is replaced with BCADD 2, completing the update of the second-layer identity BCADD.
Figure 3 is only an example; in practice the second-layer identity BCADD may be updated once or N times, where N is a positive integer greater than 1. The number of updates of BCADD is not limited in the embodiments of the present application.
3. The third-layer identity (application identity, APPID) indicates the identity of the user of the terminal device under different applications. The third-layer identity APPID is obtained by applying a one-way derivation function to the second-layer identity BCADD. Multiple different third-layer identities APPID can be derived from the same second-layer identity BCADD, and the different APPIDs identify the user of the terminal device under different applications.
It should be understood that in Figure 3, deriving the third-layer identities APPID 11, APPID 12, and APPID 13 from the second-layer identity BCADD 1 is only an example; in practice, 1 or N third-layer identities APPID may be derived from the same second-layer identity BCADD, where N is a positive integer greater than 1. The specific number of third-layer identities APPID is not limited in the embodiments of the present application.
In one possible implementation, the third-layer identity APPID is obtained by hashing the second-layer identity BCADD. Taking the case where the second-layer identity BCADD is Hash(PKu), the third-layer identity APPID may be Hash(BCADD), that is, Hash(Hash(PKu)), where Hash(BCADD) denotes the value obtained by hashing the second-layer identity BCADD and Hash(PKu) denotes the value obtained by hashing the public key PKu.
It should be understood that the difference between the third-layer identity APPID and the second-layer identity BCADD is that BCADD has a corresponding public key pair supporting its two-way authentication capability, whereas APPID has no public key support and can only be authenticated bidirectionally through its corresponding BCADD. That is, APPID can only be obtained by hashing BCADD, and BCADD cannot be recovered from APPID; therefore, BCADD can be used to verify the correspondence between BCADD and APPID.
Similarly to the second-layer identity BCADD above, the third-layer identity APPID can be updated according to the updated second-layer identity BCADD; this is not elaborated further here.
Figure 4 is a schematic flowchart of an application authentication method 400 provided by an embodiment of the present application. The method can be applied to the communication system 100 shown in Figure 1, to the communication system 200 shown in Figure 2, or to other communication systems; the embodiments of the present application do not limit this. The method 400 includes:
S401: The terminal device sends first information to the application server. The first information is used to request service data and carries the network identifier of the terminal device. Correspondingly, the application server receives the first information and obtains the network identifier of the terminal device.
S402: The application server authenticates the terminal device based on the obtained network identifier of the terminal device and a pre-stored correspondence. The correspondence indicates the correspondence between the public key of at least one terminal device and at least one application identity authenticated by the application server, where the at least one application identity is derived from the network identifier of the terminal device corresponding to it.
S403: If the authentication passes, the application server sends second information to the terminal device, the second information indicating that the terminal device has passed authentication; correspondingly, the terminal device receives the second information.
It should be understood that if authentication fails, the application server does not provide subsequent services to the terminal device. In one possible implementation, the application server sends third information to the terminal device indicating that the terminal device has failed authentication; correspondingly, the terminal device receives the third information. In another possible implementation, the application server does not respond to the terminal device at all.
In the application authentication method of the embodiments of the present application, an application identity of the terminal device is generated from the network identifier of the terminal device, and the correspondence between the public key of the terminal device and the application identity authenticated by the application server is written into the application server. When a user uses an application on the terminal device, the terminal device initiates an authentication procedure with the application server, which can complete authentication of the terminal device using the network identifier of the terminal device and the pre-written correspondence. No user information is needed, so there is no risk of user information leakage, which helps improve the security of the system.
It should be understood that the at least one application identity is derived from the network identifier of the corresponding terminal device in either of the following two possible implementations:
In the first possible implementation, the application identity of the terminal device is the value obtained by processing the network identifier of the terminal device with a preset one-way derivation function. In S402 above, the application server authenticating the terminal device based on the network identifier of the terminal device and the pre-stored correspondence includes: the application server processes the network identifier of the terminal device with the preset one-way derivation function to obtain a processing result; if a first application identity equal to the processing result exists among the at least one application identity, the application server determines that the terminal device has passed authentication.
Optionally, if no first application identity equal to the processing result exists among the at least one application identity, the application server determines that the terminal device has failed authentication.
For example, the above application identity may be Hash(BCADD), that is, APPID.
The embodiments of the present application use APPID as the application identity, so that different terminal devices have the same access path to the same application, which prevents a terminal device from being tracked in the communication system and thereby avoids user information leakage.
In the second possible implementation, the application identity of the terminal device is the network identifier of the terminal device, and the method further includes: the terminal device sends a first authentication request to the application server, the first authentication request carrying a first random number and a first ciphertext, where the first ciphertext is obtained by encrypting the network identifier of the terminal device and the first random number with the private key of the terminal device. Correspondingly, the application server receives the first authentication request. In S402 above, the application server authenticating the terminal device based on the network identifier of the terminal device and the pre-stored correspondence includes: the application server decrypts the first ciphertext with the public key of the terminal device to obtain the decrypted network identifier of the terminal device and the decrypted first random number; if a first application identity equal to the decrypted network identifier exists among the at least one application identity, and the decrypted first random number equals the first random number carried in the first authentication request, the application server determines that the terminal device has passed authentication.
Optionally, if no first application identity equal to the decrypted network identifier of the terminal device exists among the at least one application identity, and/or the decrypted first random number does not equal the first random number carried in the first authentication request, the application server determines that the terminal device has failed authentication.
For example, the above application identity may be Hash(PKu), that is, BCADD. The first ciphertext may be SKu(BCADD, first random number), where SKu(BCADD, first random number) denotes the ciphertext obtained by encrypting BCADD and the first random number with the private key SKu. Here PKu is the public key of the terminal device and SKu is its private key.
The embodiments of the present application use BCADD as the application identity, which keeps the identity of the terminal device consistent across the data link layer, network layer, transport layer, application layer, and other layers, but carries a risk of the terminal device being tracked. BCADD can therefore be updated to reduce that risk; the specific update method is as follows.
As an optional embodiment, the method further includes: the terminal device sends fourth information to the application server, the fourth information indicating an update of the application identity of the terminal device and carrying a second random number and a second ciphertext, where the second ciphertext is obtained by encrypting the new network identifier of the terminal device, the network identifier, and the second random number with the private key of the terminal device. Correspondingly, the application server receives the fourth information. The application server decrypts the second ciphertext with the public key of the terminal device to obtain the decrypted new network identifier, the decrypted network identifier, and the decrypted second random number; if the decrypted second random number equals the second random number carried with the second ciphertext and a first application identity equal to the decrypted network identifier exists among the at least one application identity, the application server updates the first application identity from the network identifier to the new network identifier.
For example, the second ciphertext may be SKu(new BCADD, BCADD, second random number), where SKu(new BCADD, BCADD, second random number) denotes the ciphertext obtained by encrypting the new BCADD, the BCADD, and the second random number with the private key SKu.
In the embodiments of the present application, when the application identity of the terminal device is its network identifier, updating the application identity helps prevent the user's use of the application from being tracked and user information from being leaked, thereby improving the security of the system.
Optionally, the method further includes: the application server sends an update response to the terminal device indicating whether the update succeeded. Correspondingly, the terminal device receives the update response from the application server.
In one possible implementation, if the update succeeds, the update response may be a message indicating success, such as an acknowledgement (ACK); if the update fails, the update response may be a message indicating failure, such as a negative acknowledgement (NACK).
In another possible implementation, the application server sends an update response, such as an ACK, to the terminal device only if the update succeeds, and does not respond if it fails. In this case, the terminal device may set a timer that starts when the fourth information is sent; if the terminal device receives no update response from the application server before the timer expires, it assumes that the application server failed to update BCADD.
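The three-layer derivation, both implementations of S402, and the BCADD update above, as an added Go example that is not code from the patent: SHA-256 is assumed for the one-way derivation function, an Ed25519 signature verified under PKu stands in for "encrypt with SKu, decrypt with PKu", and the check that a random number has not been accepted before is an addition the page does not specify.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Hash is the one-way derivation function; the page leaves it open, SHA-256 is assumed here.
func Hash(in []byte) []byte { h := sha256.Sum256(in); return h[:] }

// Second-layer identity BCADD = Hash(PKu); third-layer identity APPID = Hash(BCADD) = Hash(Hash(PKu)).
func DeriveBCADD(pku ed25519.PublicKey) []byte { return Hash(pku) }
func DeriveAPPID(bcadd []byte) []byte         { return Hash(bcadd) }

// GenerateTerminalKeys creates the terminal key pair; RealID is the public key PKu.
func GenerateTerminalKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pku, sku, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return pku, sku
}

// newNonce draws the "random number" a terminal puts in its requests.
func newNonce() []byte { n := make([]byte, 16); rand.Read(n); return n }

// frame joins fields as fixed-length digests so they cannot shift into one another.
func frame(parts ...[]byte) []byte {
	var msg []byte
	for _, p := range parts {
		msg = append(msg, Hash(p)...)
	}
	return msg
}

// AppServer holds the pre-stored correspondence between authenticated application identities and
// terminal public keys (S402), plus the random numbers already accepted (replay guard, added here).
type AppServer struct {
	ids   map[string]ed25519.PublicKey // hex(application identity) -> PKu
	nonce map[string]bool
}

func NewAppServer() *AppServer {
	return &AppServer{ids: map[string]ed25519.PublicKey{}, nonce: map[string]bool{}}
}

// Store records (first application identity, PKu) once the enrolment authentication passes.
func (s *AppServer) Store(appID []byte, pku ed25519.PublicKey) { s.ids[hex.EncodeToString(appID)] = pku }

// AuthByAPPID is the first implementation: apply the one-way function to the network
// identifier carried in the first information and look for an equal stored APPID.
func (s *AppServer) AuthByAPPID(netID []byte) bool {
	_, ok := s.ids[hex.EncodeToString(DeriveAPPID(netID))]
	return ok
}

// AuthRequest is the first authentication request of the second implementation. The page encrypts
// (BCADD, random number) with SKu; a signature over the same fields, verified with PKu, stands in.
type AuthRequest struct{ BCADD, Nonce, Sig []byte }

func NewAuthRequest(sku ed25519.PrivateKey, bcadd []byte) AuthRequest {
	n := newNonce()
	return AuthRequest{bcadd, n, ed25519.Sign(sku, frame(bcadd, n))}
}

// accept looks up PKu under the carried identity, checks the proof over msg, and checks that
// the random number it covers is the one carried and has not been used before.
func (s *AppServer) accept(id, n, sig, msg []byte) (ed25519.PublicKey, error) {
	pku, ok := s.ids[hex.EncodeToString(id)]
	if !ok {
		return nil, errors.New("no application identity equal to the network identifier")
	}
	if !ed25519.Verify(pku, msg, sig) {
		return nil, errors.New("ciphertext does not open under the terminal public key")
	}
	if s.nonce[hex.EncodeToString(n)] {
		return nil, errors.New("random number replayed")
	}
	s.nonce[hex.EncodeToString(n)] = true
	return pku, nil
}

// AuthByBCADD is the second implementation: the network identifier is the application identity.
func (s *AppServer) AuthByBCADD(r AuthRequest) error {
	_, err := s.accept(r.BCADD, r.Nonce, r.Sig, frame(r.BCADD, r.Nonce))
	return err
}

// UpdateRequest is the fourth information: SKu(new BCADD, BCADD, second random number).
type UpdateRequest struct{ NewBCADD, BCADD, Nonce, Sig []byte }

func NewUpdateRequest(sku ed25519.PrivateKey, newBCADD, bcadd []byte) UpdateRequest {
	n := newNonce()
	return UpdateRequest{newBCADD, bcadd, n, ed25519.Sign(sku, frame(newBCADD, bcadd, n))}
}

// UpdateBCADD rebinds PKu from the old BCADD to the new one: true is the ACK case, false the NACK case.
func (s *AppServer) UpdateBCADD(r UpdateRequest) bool {
	pku, err := s.accept(r.BCADD, r.Nonce, r.Sig, frame(r.NewBCADD, r.BCADD, r.Nonce))
	if err != nil {
		return false
	}
	delete(s.ids, hex.EncodeToString(r.BCADD))
	s.ids[hex.EncodeToString(r.NewBCADD)] = pku
	return true
}
```

Note that the first implementation never needs PKu at authentication time, while the second one does, which is why only BCADD-based identities can be rebound by the update message.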
应理解,在终端设备的应用身份标识为所述终端设备的网络标识的情况下,由于BCADD没有全局网络可达的位置,当终端设备请求访问应用服务器时,由应用服务器对应的网络设备2进行路由,应用服务器需要在区块链中查找寻址,从而将后续消息路由到终端设备。It should be understood that when the application identity of the terminal device is the network identity of the terminal device, since BCADD has no globally accessible location, when the terminal device requests access to the application server, the network device 2 corresponding to the application server performs routing, and the application server needs to look up the address in the blockchain to route subsequent messages to the terminal device.
作为一个可选的实施例,在所述应用服务器接收来自所述终端设备的第一认证请求之前,所述方法还包括:所述应用服务器向所述应用服务器对应的网络设备发送第三信息,所述第三信息用于对所述第一信息进行响应,所述第三信息携带所述终端设备的网络标识;对应地,所述应用服务器对应的网络设备接收该第三信息。As an optional embodiment, before the application server receives the first authentication request from the terminal device, the method also includes: the application server sends third information to a network device corresponding to the application server, the third information is used to respond to the first information, and the third information carries the network identification of the terminal device; correspondingly, the network device corresponding to the application server receives the third information.
应理解,上述应用服务器对应的网络设备在接收到第三信息之后,可以基于该第三信息,向区块链装置发送查询请求,该查询请求携带所述终端设备的网络标识,该查询请求用于查询与该终端设备网络标识对应的、且与所述应用服务器对应的网络设备处于同一网络域下的、所述终端设备对应的网络设备的身份标识(identity,ID)。对应地,区块链装置接收该查询请求,利用其存储的网络标识与所述终端设备对应的网络设备的ID之间的对应关系,确定与接收到的网络标识对应的、且与所述应用服务器对应的网络设备处于同一网络域下的、所述终端设备对应的网络设备的ID,所述应用服务器对应的网络设备获取所述终端设备对应的网络设备的ID,从而根据该网络设备的ID寻址到该终端设备接入的网络设备,进而找到该终端设备。It should be understood that after receiving the third information, the network device corresponding to the above-mentioned application server can send a query request to the blockchain device based on the third information. The query request carries the network identification of the terminal device. The query request is used to query the identity (identity, ID) of the network device corresponding to the terminal device, which corresponds to the network identification of the terminal device and is in the same network domain as the network device corresponding to the application server. Correspondingly, the blockchain device receives the query request, and determines the ID of the network device corresponding to the terminal device, which corresponds to the received network identification and is in the same network domain as the network device corresponding to the application server, by using the correspondence between the network identification stored therein and the ID of the network device corresponding to the terminal device. The network device corresponding to the application server obtains the ID of the network device corresponding to the terminal device, thereby addressing the network device to which the terminal device is connected according to the ID of the network device, and then finding the terminal device.
作为一个可选的实施例,在认证通过的情况下,所述应用服务器为所述终端设备分配临时对外标识符,所述临时对外标识符用于对外标识所述终端设备的应用;所述应用服务器向区块链装置发送用于指示所述网络标识与所述临时对外标识符之间对应关系的信息。对应地,区块链装置接收该信息。As an optional embodiment, when the authentication is passed, the application server allocates a temporary external identifier to the terminal device, and the temporary external identifier is used to externally identify the application of the terminal device; the application server sends information indicating the correspondence between the network identifier and the temporary external identifier to the blockchain device. Correspondingly, the blockchain device receives the information.
示例性地,该临时对外标识符可以为统一资源定位地址(unified resourcelocation address,URL)、应用程序编程接口(application programming interface,API)或者端口标识等。Exemplarily, the temporary external identifier may be a unified resource location address (URL), an application programming interface (API), or a port identifier.
本申请实施例通过设置临时对外标识符,能够防止终端设备的内部标识符暴露在网络中,增加通信系统的安全性。The embodiment of the present application can prevent the internal identifier of the terminal device from being exposed in the network by setting a temporary external identifier, thereby increasing the security of the communication system.
As an optional embodiment, the method further includes: the terminal device sends fifth information to the application server, the fifth information requesting that a first application identity be used as the identity of the terminal device under the application corresponding to the application server, and the fifth information carrying the first application identity. Correspondingly, the application server receives the fifth information and, based on it, sends a second authentication request to the terminal device, the second authentication request requesting authentication of the terminal device. Correspondingly, the terminal device receives the second authentication request and, based on it, sends a second authentication response to the application server, the second authentication response carrying information used for authentication. Correspondingly, the application server receives the second authentication response and authenticates the terminal device based on it. If the authentication passes, the application server stores the correspondence between the first application identity and the public key of the terminal device.
It should be understood that, before the terminal device sends the fifth information to the application server, the terminal device needs to access the network. The embodiments of this application do not limit the network access method or the network identifier used. In one possible implementation, the terminal device may use BCADD as the network identifier, initiate a random access procedure, and access the network. In another possible implementation, the terminal device may use another identifier as the network identifier, initiate a random access procedure, and access the network.
Optionally, the information used for authentication includes the public key of the terminal device, a third random number, and a third ciphertext, the third ciphertext being obtained by encrypting the first application identity and the third random number with the private key of the terminal device. The application server authenticating the terminal device based on the second authentication response includes: the application server decrypts the third ciphertext with the public key of the terminal device to obtain the decrypted first application identity and the decrypted third random number; if the decrypted first application identity equals the first application identity carried in the fifth information, and the decrypted third random number equals the third random number carried in the second authentication response, the application server determines that the terminal device has passed authentication.
Optionally, if the decrypted first application identity does not equal the first application identity carried in the fifth information, and/or the decrypted third random number does not equal the third random number carried in the second authentication response, the application server determines that the terminal device has failed authentication.
Optionally, if the above authentication fails, the application server may send an authentication request message to the terminal device again to request re-authentication of the terminal device; once the authentication passes, the authentication request message is not sent again. If the number of repetitions reaches a preset upper limit, the application server regards the terminal device as having failed authentication.
It should be understood that the process in which the application server authenticates the terminal device and stores the correspondence between the first application identity and the public key of the terminal device may be performed before S402 of method 400.
The embodiments of this application complete the authentication of the terminal device using a pre-stored correspondence, so that no correspondence needs to be established during the authentication process. This makes the authentication process simpler and faster and thus improves authentication efficiency.
For example, where the application identity of the terminal device is the network identifier of the terminal device, the third ciphertext may be SKu(BCADD, third random number), where SKu(BCADD, third random number) is the ciphertext obtained by encrypting BCADD and the third random number with the private key SKu.
For example, where the application identity of the terminal device is the value obtained by processing the network identifier of the terminal device with a preset one-way derivation function, the third ciphertext may be SKu(APPID, third random number), where SKu(APPID, third random number) is the ciphertext obtained by encrypting APPID and the third random number with the private key SKu.
When the network is untrusted, a message sent by the terminal device to the application server may be tampered with. Therefore, the terminal device and the application server may perform a further round of two-way authentication, and only if this two-way authentication passes does the application server provide service to the application of the terminal device. This improves the accuracy of application authentication.
As an optional embodiment, the method further includes: the application server sends a third authentication request to the terminal device, the third authentication request carrying a fourth ciphertext, the fourth ciphertext being obtained by encrypting the application identity of the terminal device, the network identifier of the terminal device, and a fourth random number with the public key of the terminal device. Correspondingly, the terminal device receives the third authentication request and, based on it, sends a third authentication response to the application server. Correspondingly, the application server receives the third authentication response, which carries a fourth ciphertext obtained by encrypting, with the private key of the terminal device, the application identity of the terminal device, the network identifier of the terminal device, and the fourth random number that were obtained by decrypting the public-key-encrypted fourth ciphertext. The application server authenticates the terminal device based on the third authentication response; if the authentication passes, the application server sends the second information to the terminal device.
Optionally, the terminal device receiving the third authentication request and sending the third authentication response to the application server based on it specifically includes: the terminal device decrypts the fourth ciphertext with its own private key to obtain the decrypted application identity, the decrypted network identifier, and the decrypted fourth random number; the terminal device then encrypts the decrypted application identity, the decrypted network identifier, and the decrypted fourth random number with its own private key to obtain a private-key-encrypted fourth ciphertext, and sends a third authentication response carrying this private-key-encrypted fourth ciphertext to the application server.
For example, the private-key-encrypted fourth ciphertext may be SKu(APPID, BCADD, fourth random number). The application server authenticating the terminal device based on the third authentication response specifically includes: the application server decrypts the private-key-encrypted fourth ciphertext with the public key of the terminal device to obtain the decrypted application identity, the decrypted network identifier, and the decrypted fourth random number; if the decrypted fourth random number equals the fourth random number carried in the third authentication request, the application server determines that the terminal device has passed authentication.
In the embodiments of this application, two-way authentication can be performed between the terminal device and the application server, and only if the two-way authentication passes does the application server provide service to the application of the terminal device, which improves the accuracy of application authentication.
The application authentication method of the embodiments of this application is described in detail below with reference to FIG. 5 to FIG. 8.
FIG. 5 is a schematic flowchart of an application authentication method 500 provided by an embodiment of this application. The method may be applied to the communication system 100 shown in FIG. 1, or to other communication systems; the embodiments of this application do not limit this. The method 500 includes the following steps.
S501: The terminal device generates a public/private key pair (PKu, SKu), where PKu is the public key of the terminal device and SKu is its private key.
It should be understood that, from the public key PKu, the terminal device can obtain Hash(PKu), which is the BCADD mentioned above; Hash(PKu) denotes the value obtained by applying a hash operation to the public key PKu. BCADD can be understood as the blockchain address of the terminal device, derived from the public key PKu. Hash(BCADD) denotes the value obtained by applying a hash operation to BCADD. In the embodiments of this application, Hash(BCADD) is the APPID, which can be understood as the encrypted network identity identifier (or simply identity identifier) of the terminal device under the application.
S502: The terminal device accesses the network.
It should be understood that this network access does not limit the access method of the terminal device or the network identifier used. In one possible implementation, the terminal device uses BCADD as the network identifier, initiates a random access procedure, and accesses the network. In another possible implementation, the terminal device uses another identifier as the network identifier, initiates a random access procedure, and accesses the network.
S503: When the user opens an application through the terminal device, in response to the user's operation the terminal device sends first information to the application server of that application. The first information carries the APPID and indicates that the APPID is to be used as the identity of the terminal device under the application. Correspondingly, the application server receives the first information.
S504: Based on the received APPID, the application server sends an authentication request to the terminal device, requesting authentication of the terminal device. Correspondingly, the terminal device receives the authentication request.
S505: Based on the received authentication request, the terminal device sends an authentication response to the application server. The authentication response carries SKu(APPID, random number 1), the public key PKu, and random number 1, where SKu(APPID, random number 1) is the ciphertext obtained by encrypting the APPID and random number 1 with the private key SKu. Correspondingly, the application server receives the authentication response.
It should be understood that, if the application server is disconnected from the network, the authentication response may not reach it. Therefore, in one possible implementation, the application server may set a timer that starts when the authentication request of S504 is sent. If the application server has not received an authentication response from the terminal device before the timer expires, it sends an authentication failure message, for example a NACK message, to the terminal device. Correspondingly, the terminal device receives the authentication failure message.
S506: The application server performs authentication based on the received authentication response.
Performing authentication here can be understood as follows: the application server decrypts SKu(APPID, random number 1) with the public key PKu; if the decrypted APPID is the same as the APPID received in S504 and the decrypted random number 1 is the same as the random number 1 carried in the authentication response, the application server determines that the terminal device has passed authentication.
S507: If the authentication passes, the application server stores the APPID as the identity of the terminal device under the application and stores the correspondence between the APPID and the public key PKu.
It should be understood that, if the authentication fails, the application server may send an authentication request message to the terminal device again and repeat S504 to S506; once the authentication passes, these steps are not repeated. If the number of repetitions reaches a preset upper limit, the application server regards the terminal device as having failed authentication.
S508: The terminal device accesses the network using BCADD as the network identifier, establishes an RRC connection with the network device based on the public/private key pair (PKu, SKu), and establishes a protocol data unit (PDU) session through two-way authentication with the network device.
It should be understood that the terminal device uses BCADD as the network identifier to initiate a random access procedure towards the network device. In one possible implementation, the terminal device sends an RRC connection setup request carrying BCADD to the network device. Correspondingly, the network device receives the RRC connection setup request and triggers the RRC connection setup procedure, and the terminal device establishes an RRC connection with the network device.
After the RRC connection is established, the terminal device sends an authentication request to the network device and performs two-way authentication with it. If the terminal device passes the authentication of the network device and the network device passes the authentication of the terminal device, a PDU session can be established between the terminal device and the network device and key negotiation can be performed.
S509: When the user logs in to the application through the terminal device, the terminal device sends, according to the current communication protocol, a data packet encapsulated with a BCADD header to the application server. Correspondingly, the application server receives the data packet encapsulated with the BCADD header.
S510: The application server decapsulates the received data packet, extracts the BCADD, computes Hash(BCADD) with a preset hash function, and determines whether Hash(BCADD) is the same as the APPID stored in S507.
It should be understood that the preset hash function is the hash function that the terminal device used to generate the APPID.
Optionally, when the network is untrusted, method 500 further includes S511 to S513.
S511: The application server sends a request message to the terminal device, requesting the terminal device to sign the APPID, BCADD, and random number 2 with the private key SKu; the request message carries PKu(APPID, BCADD, random number 2). Correspondingly, the terminal device receives the request message.
PKu(APPID, BCADD, random number 2) is the ciphertext obtained by encrypting the APPID, BCADD, and random number 2 with the public key PKu.
It should be understood that the random numbers involved in the embodiments of this application (for example random number 1 and random number 2) are all randomly generated; random number 2 may be the same as or different from random number 1, and the embodiments of this application do not limit this.
S512: Based on the received request message, the terminal device sends SKu(APPID, BCADD, random number 2) to the application server. Correspondingly, the application server receives SKu(APPID, BCADD, random number 2).
SKu(APPID, BCADD, random number 2) is the ciphertext obtained by encrypting the APPID, BCADD, and random number 2 with the private key SKu.
S513: The application server decrypts SKu(APPID, BCADD, random number 2) with the public key PKu of the terminal device; if the decryption succeeds, the application server determines that the terminal device has passed authentication.
It should be understood that, if the authentication fails, the application server may send the request message to the terminal device again and repeat S511 to S513; once the authentication passes, these steps are not repeated. If the number of repetitions reaches a preset upper limit, the application server regards the terminal device as having failed authentication.
S514: If Hash(BCADD) in S510 is the same as the APPID stored in S507, or if the terminal device passes authentication in S513, the application server sends second information to the terminal device, indicating that the terminal device has passed authentication and that the application server can provide subsequent services to it. Correspondingly, the terminal device receives the second information from the application server.
It should be understood that, if Hash(BCADD) in S510 differs from the APPID stored in S507, or if the terminal device fails authentication in S513, the application server does not provide subsequent services to the terminal device. In one possible implementation, the application server sends third information to the terminal device indicating that the terminal device has failed authentication; correspondingly, the terminal device receives the third information. In another possible implementation, the application server does not respond to the terminal device at all.
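The registration of the APPID (S503 to S507), the header check of S510 and the challenge-response of S511 to S513 of method 500 above, which also realise the optional embodiments with the fifth information and the third authentication request, as an added Go example that is not part of the patent. It assumes SHA-256 as the preset hash function, models "encrypt with SKu / decrypt with PKu" as an RSA-PSS signature and its verification and "encrypt with PKu" as RSA-OAEP; the names Terminal, Server, AuthResponse, Register, CheckHeader, Challenge, Respond and Verify are the example's own, and one check the patent does not state is marked as added in the code.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// Terminal models the terminal device: key pair (PKu, SKu) plus the identifiers derived from PKu.
type Terminal struct {
	priv  *rsa.PrivateKey
	BCADD []byte // Hash(PKu): blockchain address, used as the network identifier
	APPID []byte // Hash(BCADD): identity of the terminal under the application
}

// Server models the application server's store of APPID -> PKu correspondences (S507).
type Server map[string]*rsa.PublicKey

// hash is the preset hash function (SHA-256 assumed); encode builds a tuple such as
// (APPID, BCADD, random number 2) by concatenation, unambiguous because every field is fixed-length.
func hash(b []byte) []byte { h := sha256.Sum256(b); return h[:] }
func encode(fields ...[]byte) []byte { return bytes.Join(fields, nil) }

// NewTerminal performs S501 and derives BCADD = Hash(PKu), APPID = Hash(BCADD).
func NewTerminal() (*Terminal, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	bcadd := hash(x509.MarshalPKCS1PublicKey(&priv.PublicKey))
	return &Terminal{priv: priv, BCADD: bcadd, APPID: hash(bcadd)}, nil
}

// sign realises the patent's SKu(...) ("encrypt with the private key") as an RSA-PSS signature;
// verify is the matching "decrypt with PKu and compare the fields" check against the server's values.
func (t *Terminal) sign(fields ...[]byte) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, t.priv, crypto.SHA256, hash(encode(fields...)), nil)
}
func verify(pub *rsa.PublicKey, sig []byte, fields ...[]byte) bool {
	return rsa.VerifyPSS(pub, crypto.SHA256, hash(encode(fields...)), sig, nil) == nil
}

// AuthResponse performs S505: SKu(APPID, random number 1), PKu and random number 1.
func (t *Terminal) AuthResponse() (sig []byte, pub *rsa.PublicKey, n1 []byte, err error) {
	n1 = make([]byte, 16) // constructed size for random number 1
	rand.Read(n1)         // crypto/rand.Read is documented never to fail from Go 1.24 on
	sig, err = t.sign(t.APPID, n1)
	return sig, &t.priv.PublicKey, n1, err
}

// Register performs S506-S507 on the server; appid is the value received in S503.
func (s Server) Register(appid, sig []byte, pub *rsa.PublicKey, n1 []byte) error {
	if !verify(pub, sig, appid, n1) {
		return errors.New("S506: APPID or random number 1 under SKu does not match")
	}
	// Added check, not a patent step: APPID must derive from PKu, binding each stored APPID to the key that proves it in S513.
	if !bytes.Equal(appid, hash(hash(x509.MarshalPKCS1PublicKey(pub)))) {
		return errors.New("APPID is not Hash(Hash(PKu)) for the presented key")
	}
	s[string(appid)] = pub
	return nil
}

// CheckHeader performs S510: the BCADD from the packet header must hash to a stored APPID.
func (s Server) CheckHeader(bcadd []byte) (*rsa.PublicKey, bool) {
	pub, ok := s[string(hash(bcadd))]
	return pub, ok
}

// Challenge performs S511 (untrusted network): PKu(APPID, BCADD, random number 2) for the terminal.
func (s Server) Challenge(bcadd []byte) (ct, n2 []byte, err error) {
	pub, ok := s.CheckHeader(bcadd)
	if !ok {
		return nil, nil, errors.New("S510: Hash(BCADD) is not a registered APPID")
	}
	n2 = make([]byte, 16) // random number 2, kept by the server for the comparison in S513
	rand.Read(n2)
	ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, encode(hash(bcadd), bcadd, n2), nil)
	return ct, n2, err
}

// Respond performs S512: decrypt with SKu, then sign the recovered (APPID, BCADD, n2) with SKu.
func (t *Terminal) Respond(ct []byte) ([]byte, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, t.priv, ct, nil)
	if err != nil {
		return nil, err
	}
	return t.sign(pt)
}

// Verify performs S513: the signature must cover the server's own APPID, BCADD and random number 2.
func (s Server) Verify(bcadd, n2, sig []byte) bool {
	pub, ok := s.CheckHeader(bcadd)
	return ok && verify(pub, sig, hash(bcadd), bcadd, n2)
}
```

Because Verify recomputes the expected tuple from the server's own stored values and its own random number 2, a response replayed against a later challenge or produced with a different key pair fails without any field-by-field comparison code.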
The application authentication method 500 is described in more detail below with reference to the communication system shown in FIG. 2.
FIG. 6 is a schematic flowchart of an application authentication method 600 provided by an embodiment of this application. The method may be applied to the communication system 200 shown in FIG. 2, or to other communication systems; the embodiments of this application do not limit this. The method 600 includes the following steps.
S601: The terminal device network interface generates a public/private key pair (PKu, SKu), where PKu is the public key of the terminal device network interface and SKu is its private key.
S602: The terminal device network interface sends first information to the terminal device application. The first information carries Hash(BCADD) and indicates that Hash(BCADD) is to be used as the APPID of the terminal device network interface. Correspondingly, the terminal device application receives the first information.
S603: The terminal device accesses the network.
S604: When the user opens an application through the terminal device, in response to the user's operation the terminal device application sends second information to the application server of that application. The second information carries the APPID and indicates that the APPID is to be used as the identity of the terminal device network interface under the application. Correspondingly, the application server receives the second information.
S605: Based on the received APPID, the application server sends an authentication request to the terminal device network interface, requesting authentication of the terminal device. Correspondingly, the terminal device network interface receives the authentication request.
S606: Based on the received authentication request, the terminal device network interface sends an authentication response to the application server. The authentication response carries SKu(APPID, random number 1), PKu, and random number 1, where SKu(APPID, random number 1) is the ciphertext obtained by encrypting the APPID and random number 1 with the private key SKu. Correspondingly, the application server receives the authentication response.
Random number 1 here refers generally to a randomly generated value, which may be the same as or different from the other random numbers mentioned above; the embodiments of this application do not limit this.
S607: The application server performs authentication based on the received authentication response.
Performing authentication here can be understood as follows: the application server decrypts SKu(APPID, random number 1) with the public key PKu; if the decrypted APPID is the same as the APPID received in S604 and the decrypted random number 1 is the same as the random number 1 carried in the authentication response, the application server determines that the terminal device network interface has passed authentication.
S608: If the authentication passes, the application server stores the APPID as the identity of the terminal device network interface under the application and stores the correspondence between the APPID and PKu.
S609: The terminal device network interface accesses the network using BCADD as the network identifier, establishes an RRC connection with the network device based on the public/private key pair (PKu, SKu), and establishes a PDU session through two-way authentication with the network device.
S610: When the user logs in to an application through the terminal device, the terminal device application sends a login indication to the terminal device network interface in an application-layer message. Correspondingly, the terminal device network interface receives the login indication.
S611: According to the current communication protocol, the terminal device network interface sends a data packet encapsulated with a BCADD header to the application server. Correspondingly, the application server receives the data packet encapsulated with the BCADD header.
S612: The application server decapsulates the received data packet, extracts the BCADD, computes Hash(BCADD) with a preset hash function, and determines whether Hash(BCADD) is the same as the APPID stored in S608.
Optionally, when the network is untrusted, method 600 further includes S613 to S615.
S613: The application server sends a request message to the terminal device network interface, requesting the terminal device network interface to sign the APPID, BCADD, and random number 2 with the private key SKu; the request message carries PKu(APPID, BCADD, random number 2). Correspondingly, the terminal device network interface receives the request message.
PKu(APPID, BCADD, random number 2) is the ciphertext obtained by encrypting the APPID, BCADD, and random number 2 with the public key PKu.
Random number 2 here refers generally to a randomly generated value, which may be the same as or different from the other random numbers mentioned above; the embodiments of this application do not limit this.
S614: Based on the received request message, the terminal device network interface sends SKu(APPID, BCADD, random number 2) to the application server. Correspondingly, the application server receives SKu(APPID, BCADD, random number 2).
SKu(APPID, BCADD, random number 2) is the ciphertext obtained by encrypting the APPID, BCADD, and random number 2 with the private key SKu.
S615: The application server decrypts SKu(APPID, BCADD, random number 2) with the public key PKu of the terminal device network interface; if the decryption succeeds, the network device determines that the terminal device network interface has passed authentication.
It should be understood that, if the authentication fails, the application server may send the request message to the terminal device network interface again and repeat S613 to S615; once the authentication passes, these steps are not repeated. If the number of repetitions reaches a preset upper limit, the application server regards the terminal device network interface as having failed authentication.
S616: If Hash(BCADD) in S612 is the same as the APPID stored in S608, or if the terminal device network interface passes authentication in S615, the application server sends third information to the terminal device application, indicating that the terminal device network interface has passed authentication and that the application server can provide subsequent services to the terminal device application. Correspondingly, the terminal device application receives the third information from the application server.
If the authentication fails, the application server does not provide subsequent services to the terminal device application. In one possible implementation, the application server sends fourth information to the terminal device application indicating that the terminal device network interface has failed authentication; correspondingly, the terminal device application receives the fourth information. In another possible implementation, the application server does not respond to the terminal device application at all.
It should be understood that the details of method 600 can be found in the description of method 500 above and are not repeated here.
FIG. 7 shows a schematic flowchart of an application authentication method 700 provided in an embodiment of the present application. The method can be applied to the communication system 100 shown in FIG. 1, and can also be applied to other communication systems; the embodiment of the present application does not limit this. The method 700 includes:
S701: The terminal device generates a public-private key pair (PKu, SKu), where PKu is the public key of the terminal device and SKu is its private key.
It should be understood that from the public key PKu the terminal device can obtain Hash(PKu), i.e. the BCADD mentioned above, where Hash(PKu) denotes the value obtained by applying a hash operation to the public key PKu. BCADD can be understood as the blockchain address of the terminal device derived from the public key PKu. Since in the embodiment of the present application BCADD is the APPID, BCADD can also be understood as the encrypted network identity identifier (also referred to simply as the identity identifier) of the terminal device under the application.
S702: The terminal device accesses the network.
It should be understood that accessing the network here does not restrict the network access method of the terminal device or the network identifier it uses. In one possible implementation, the terminal device uses BCADD as its network identifier, initiates a random access procedure, and accesses the network. In another possible implementation, the terminal device uses another identifier as its network identifier, initiates a random access procedure, and accesses the network.
S703: When the user opens an application on the terminal device, in response to the user's operation the terminal device sends first information to the application server of that application. The first information carries BCADD and indicates that BCADD is to be used as the identity identifier of the terminal device under the application. Correspondingly, the application server receives the first information.
S704: Based on the received BCADD, the application server sends an authentication request to the terminal device, requesting authentication of the terminal device. Correspondingly, the terminal device receives the authentication request.
S705: Based on the received authentication request, the terminal device sends an authentication response to the application server. The authentication response carries SKu(BCADD, random number 1), the public key PKu and random number 1, where SKu(BCADD, random number 1) is the ciphertext obtained by encrypting BCADD and random number 1 with the private key SKu. Correspondingly, the application server receives the authentication response.
It should be understood that when the application server is disconnected from the network, the above authentication response may not reach it. Therefore, in one possible implementation, the application server can set a timer that starts after the authentication request is sent in S704. If the application server has not received an authentication response from the terminal device before the timer expires, it sends an authentication failure message, for example a NACK message, to the terminal device. Correspondingly, the terminal device receives the authentication failure message.
S706: The application server performs authentication based on the received authentication response.
Performing authentication here can be understood as follows: the application server decrypts SKu(BCADD, random number 1) with the public key PKu; if the decrypted BCADD is the same as the BCADD received in S703, and the decrypted random number 1 is the same as the random number 1 carried in the authentication response, the application server determines that the terminal device has passed authentication.
Random number 1 refers generally to a randomly generated value; it may be the same as or different from the other random numbers mentioned above, and the embodiment of the present application does not limit this.
S707: If authentication passes, the application server stores BCADD as the identity identifier of the terminal device under the application, and stores the correspondence between BCADD and the public key PKu.
S708: The terminal device accesses the network using BCADD as its network identifier, establishes an RRC connection with network device 1 based on the public-private key pair (PKu, SKu), and establishes a PDU session through mutual authentication with network device 1.
It should be understood that the terminal device initiates a random access procedure towards network device 1 using BCADD as its network identifier. In one possible implementation, the terminal device sends an RRC connection establishment request carrying BCADD to network device 1. Correspondingly, network device 1 receives the RRC connection establishment request and triggers the RRC connection establishment procedure, and the terminal device establishes an RRC connection with network device 1.
During RRC connection establishment, network device 1 allocates a cell-radio network temporary identifier (C-RNTI) to the terminal device. Besides the C-RNTI, the terminal device can also obtain the cell identifier (national cell identifier, NCI) of network device 1 and the ID of network device 1.
After the RRC connection with network device 1 is established, the terminal device sends an authentication request to network device 1 and performs mutual authentication with it. When the terminal device has passed network device 1's authentication and network device 1 has passed the terminal device's authentication, a PDU session between the terminal device and network device 1 can be established and key negotiation performed.
S709: When the RRC connection between the terminal device and network device 1 is established successfully, network device 1 sends BCADD and the ID of network device 1 to the blockchain device. Correspondingly, the blockchain device receives BCADD and the ID of network device 1, and stores the correspondence between BCADD and the ID of network device 1.
It should be understood that a terminal device may simultaneously access multiple interconnected or nested network domains, for example the connection between the terminal device and the access network device and the connection between the terminal device and the core network device. Since different network domains correspond to different network device IDs, one BCADD may correspond to multiple network device IDs. The blockchain device can therefore store the correspondence between a BCADD and multiple network device IDs.
Optionally, since BCADD has no globally reachable network location, method 700 further includes S710 to S714: when the terminal device requests access to the application server, routing is performed by network device 2, which corresponds to the application server, and the application server needs to look up the address in the blockchain in order to route subsequent messages to the terminal device.
S710: When the user logs in to the application on the terminal device, the terminal device sends an access request carrying BCADD to the application server; the access request instructs the application server to provide services to the terminal device. Correspondingly, the application server receives the access request.
S711: Based on the received access request, the application server sends a login response carrying BCADD to network device 2; the login response is used to determine the ID of the network device 1 that corresponds to this BCADD and is in the same network domain as network device 2. Correspondingly, network device 2 receives the login response.
For example, network device 2 may be a router.
S712: Based on the received login response, network device 2 sends a query request carrying BCADD to the blockchain device; the query request queries the ID of the network device 1 that corresponds to this BCADD and is in the same network domain as network device 2. Correspondingly, the blockchain device receives the query request and, using the correspondence between BCADD and the ID of network device 1 that it stored in S710, determines the ID of the network device 1 corresponding to the received BCADD and in the same network domain as network device 2; network device 2 obtains the ID of network device 1.
S713: Based on the ID of network device 1, network device 2 sends a login response carrying BCADD to the network device 1 corresponding to that ID. Correspondingly, network device 1 receives the login response.
S714: Based on BCADD, network device 1 determines the terminal device corresponding to BCADD and sends it a login response carrying BCADD.
S715: Based on the received login response, the terminal device sends an authentication request to the application server. The authentication request carries SKu(BCADD, random number 2) and random number 2, where SKu(BCADD, random number 2) is the ciphertext obtained by encrypting BCADD and random number 2 with the private key SKu. Correspondingly, the application server receives the authentication request.
Random number 2 refers generally to a randomly generated value; it may be the same as or different from the other random numbers mentioned above, and the embodiment of the present application does not limit this.
S716: The application server performs authentication based on the received authentication request.
Performing authentication here can be understood as follows: the application server decrypts SKu(BCADD, random number 2) with the public key PKu; if the decrypted BCADD is the same as the BCADD received in S712, and the decrypted random number 2 is the same as the random number 2 carried in the authentication request, the application server determines that the terminal device has passed authentication.
S717: If authentication passes, the application server sends an authentication response to the terminal device. Correspondingly, the terminal device receives the authentication response.
Optionally, the authentication response may carry SKs(BCADD, random number 3), the public key PKs and random number 3, where PKs is the public key of the application server, SKs is the private key of the application server, and SKs(BCADD, random number 3) is the ciphertext obtained by encrypting BCADD and random number 3 with the private key SKs. Correspondingly, the terminal device receives the authentication response.
Random number 3 refers generally to a randomly generated value; it may be the same as or different from the other random numbers mentioned above, and the embodiment of the present application does not limit this.
Optionally, when the terminal device considers it necessary to authenticate the application server, method 700 further includes S718:
S718: The terminal device performs authentication based on the received authentication response.
Performing authentication here can be understood as follows: the terminal device decrypts SKs(BCADD, random number 3) with the public key PKs; if the decrypted BCADD is the same as the BCADD received in S716, and the decrypted random number 3 is the same as the random number 3 carried in the authentication response, the terminal device determines that the application server has passed authentication.
S719: When the terminal device has passed the application server's authentication, the application server allocates a temporary external identifier for BCADD and sends the correspondence between BCADD and the temporary external identifier to the blockchain device; the temporary external identifier can be, for example, a unified resource location address (URL) and/or a port. Correspondingly, the blockchain device receives and stores the correspondence between BCADD and the temporary external identifier. Using a temporary external identifier prevents the terminal device's internal identifier from being exposed on the network and increases the security of the system.
S720: When the terminal device has passed the application server's authentication, the application server sends second information to the terminal device, indicating that the terminal device has passed authentication and that the application server can provide subsequent services to it. Correspondingly, the terminal device receives the second information from the application server.
It should be understood that the result of the terminal device authenticating the application server in S718 does not affect whether the application server provides subsequent services to the terminal device. For example, if the terminal device has passed the application server's authentication but the application server has not passed the terminal device's authentication of it, the application server can still provide subsequent services to the terminal device, and the terminal device may choose not to use them.
Optionally, when the current PDU session needs to switch to a new BCADD for security or privacy reasons, method 700 further includes the following steps:
S721: After generating a new BCADD, the terminal device sends SKu(new BCADD, BCADD, random number 4) and random number 4 to the application server, where SKu(new BCADD, BCADD, random number 4) is the ciphertext obtained by encrypting the new BCADD, BCADD and random number 4 with the private key SKu. Correspondingly, the application server receives SKu(new BCADD, BCADD, random number 4) and random number 4.
Random number 4 refers generally to a randomly generated value; it may be the same as or different from the other random numbers mentioned above, and the embodiment of the present application does not limit this.
For example, the new BCADD can be obtained by hashing the public key PKu with a new hash function, by hashing a newly generated public key PKu of the terminal device with the original hash function, or by hashing a newly generated public key PKu of the terminal device with a new hash function; the present application does not limit this.
It should be understood that the private key SKu can be stored in a secure location such as a trusted execution environment (TEE) or a trusted platform module (TPM); the embodiment of the present application does not limit this.
S722: The application server decrypts SKu(new BCADD, BCADD, random number 4) with the public key PKu. If the decrypted BCADD is the same as the BCADD received in S710, and the decrypted random number 4 is the same as the received random number 4, authentication passes.
S723: If authentication succeeds, the application server sends an ACK to the terminal device; if authentication fails, the application server sends a NACK to the terminal device. Correspondingly, the terminal device receives the ACK or NACK from the application server.
S724: If authentication succeeds, the terminal device updates BCADD to the new BCADD and uses it in subsequent PDU sessions.
It should be understood that when the above authentication fails, the terminal device can send the authentication request message to the application server again and repeat S721-S723; once authentication succeeds, the steps are not repeated. If the number of repetitions reaches a preset upper limit, the application server considers that the terminal device has failed authentication.
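Steps S703-S707, S715-S716 and S721-S724 above (and their counterparts in method 800), as an added worked example in Go that is not part of the patent: the page's "encrypt with the private key SKu" is realised as an Ed25519 signature over the same fields, SHA-256 stands in for the unspecified Hash(), and the S721 update is assumed to also carry the new PKu. The requirement that the presented PKu actually hashes to the claimed BCADD is an added check the page does not spell out; without it any key pair could register under another terminal's address.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// bcaddOf derives BCADD = Hash(PKu); SHA-256 is assumed, the page fixes no hash.
func bcaddOf(pub ed25519.PublicKey) []byte {
	h := sha256.Sum256(pub)
	return h[:]
}

// Terminal is the terminal device of S701: it owns (PKu, SKu) and BCADD.
type Terminal struct {
	Pub   ed25519.PublicKey
	priv  ed25519.PrivateKey // SKu; the page suggests keeping it in a TEE or TPM
	BCADD []byte
}

func NewTerminal() (*Terminal, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Terminal{Pub: pub, priv: priv, BCADD: bcaddOf(pub)}, nil
}

// AuthMsg carries the S705 response, the S715 request and the S721 update. Sig
// stands in for the page's SKu(...): a signature with SKu over (NewBCADD, BCADD,
// Nonce). NewBCADD/NewPub are set only for S721; carrying the new PKu is assumed.
type AuthMsg struct {
	BCADD, NewBCADD, Nonce, Sig []byte
	Pub, NewPub                 ed25519.PublicKey
}

func payload(m AuthMsg) []byte { return bytes.Join([][]byte{m.NewBCADD, m.BCADD, m.Nonce}, nil) }

// Sign adds the terminal-chosen "random number" of the page and computes SKu(...).
func (t *Terminal) Sign(m AuthMsg) (AuthMsg, error) {
	m.Nonce = make([]byte, 16)
	if _, err := rand.Read(m.Nonce); err != nil {
		return m, err
	}
	m.Sig = ed25519.Sign(t.priv, payload(m))
	return m, nil
}

// AppServer keeps the S707 mapping BCADD -> PKu.
type AppServer struct{ keys map[string]ed25519.PublicKey }

func NewAppServer() *AppServer { return &AppServer{keys: map[string]ed25519.PublicKey{}} }

// verify is the S706/S716 check: a valid signature over (BCADD, nonce) shows the
// "decrypted" BCADD and nonce equal the carried values. The nonce is chosen by the
// terminal, so a deployment should also reject nonces it has already accepted
// (that replay bookkeeping is left out here). Bad key sizes are rejected up front
// because ed25519.Verify panics on them.
func verify(pub ed25519.PublicKey, m AuthMsg) error {
	if len(pub) != ed25519.PublicKeySize || len(m.Nonce) == 0 || !ed25519.Verify(pub, payload(m), m.Sig) {
		return errors.New("bad key, missing nonce, or signature does not verify under PKu")
	}
	return nil
}

// Register is S706/S707; claimed is the BCADD announced in S703. Requiring that
// PKu hashes to BCADD is the added binding check described in the lead-in.
func (s *AppServer) Register(claimed []byte, m AuthMsg) error {
	if !bytes.Equal(m.BCADD, claimed) || !bytes.Equal(bcaddOf(m.Pub), m.BCADD) {
		return errors.New("BCADD does not match the S703 value or Hash(PKu)")
	}
	if err := verify(m.Pub, m); err != nil {
		return err
	}
	s.keys[string(m.BCADD)] = m.Pub
	return nil
}

// Login is S716: verify against the PKu stored in S707, never a key from the request.
func (s *AppServer) Login(m AuthMsg) error {
	pub, ok := s.keys[string(m.BCADD)]
	if !ok {
		return errors.New("unknown BCADD")
	}
	return verify(pub, m)
}

// Rotate is S722/S723: the old key authorises the new BCADD; the mapping moves (S724).
func (s *AppServer) Rotate(m AuthMsg) error {
	pub, ok := s.keys[string(m.BCADD)]
	if !ok || !bytes.Equal(bcaddOf(m.NewPub), m.NewBCADD) {
		return errors.New("unknown BCADD or new PKu does not hash to new BCADD")
	}
	if err := verify(pub, m); err != nil {
		return err
	}
	delete(s.keys, string(m.BCADD))
	s.keys[string(m.NewBCADD)] = m.NewPub
	return nil
}
```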
Next, the application authentication method 700 is described in more detail in conjunction with the communication system shown in FIG. 2.
FIG. 8 shows a schematic flowchart of an application authentication method 800 provided in an embodiment of the present application. The method can be applied to the communication system 200 shown in FIG. 2, and can also be applied to other communication systems; the embodiment of the present application does not limit this. The method 800 includes:
S801: The terminal device network interface generates a public-private key pair (PKu, SKu), where PKu is the public key of the terminal device network interface and SKu is its private key.
S802: The terminal device network interface sends first information carrying BCADD to the terminal device application; the first information indicates that BCADD is to be used as the APPID of the terminal device network interface. Correspondingly, the terminal device application receives the first information.
S803: The terminal device accesses the network.
S804: When the user opens an application on the terminal device, in response to the user's operation the terminal device application sends second information carrying BCADD to the application server of that application; the second information indicates that BCADD is to be used as the identity identifier of the terminal device under the application. Correspondingly, the application server receives the second information.
S805: Based on the received BCADD, the application server sends an authentication request to the terminal device network interface, requesting authentication of the terminal device network interface. Correspondingly, the terminal device network interface receives the authentication request.
S806: Based on the received authentication request, the terminal device network interface sends an authentication response to the application server. The authentication response carries SKu(BCADD, random number 1), the public key PKu and random number 1, where SKu(BCADD, random number 1) is the ciphertext obtained by encrypting BCADD and random number 1 with the private key SKu. Correspondingly, the application server receives the authentication response.
Random number 1 refers generally to a randomly generated value; it may be the same as or different from the other random numbers mentioned above, and the embodiment of the present application does not limit this.
S807: The application server performs authentication based on the received authentication response.
Performing authentication here can be understood as follows: the application server decrypts SKu(BCADD, random number 1) with the public key PKu; if the decrypted BCADD is the same as the BCADD received in S804, and the decrypted random number 1 is the same as the random number 1 carried in the authentication response, the application server determines that the terminal device has passed authentication.
S808: If authentication passes, the application server stores BCADD as the identity identifier of the terminal device under the application, and stores the correspondence between BCADD and the public key PKu.
S809: The terminal device network interface accesses the network using BCADD as its network identifier, establishes an RRC connection with network device 1 based on the public-private key pair (PKu, SKu), and establishes a PDU session through mutual authentication with network device 1.
S810: When the RRC connection between the terminal device network interface and network device 1 is established successfully, network device 1 sends BCADD and the ID of network device 1 to the blockchain device. Correspondingly, the blockchain device receives BCADD and the ID of network device 1, and stores the correspondence between BCADD and the ID of network device 1.
S811: When the user logs in to the application on the terminal device, the terminal device application sends a login indication to the terminal device network interface via an application-layer message. Correspondingly, the terminal device network interface receives the login indication.
Optionally, since BCADD has no globally reachable network location, method 800 further includes S812 to S816: when the terminal device network interface requests access to the application server, routing is performed by network device 2, which corresponds to the application server, and the application server needs to look up the address in the blockchain in order to route subsequent messages to the terminal device network interface.
S812: Based on the received login indication, the terminal device network interface sends an access request carrying BCADD to the application server; the access request instructs the application server to provide services to the terminal device. Correspondingly, the application server receives the access request.
S813: Based on the received access request, the application server sends a login response carrying BCADD to network device 2; the login response is used to determine the ID of the network device 1 that corresponds to this BCADD and is in the same network domain as network device 2. Correspondingly, network device 2 receives the login response.
For example, network device 2 may be a router.
S814: Based on the received login response, network device 2 sends a query request carrying BCADD to the blockchain device; the query request queries the ID of the network device 1 that corresponds to this BCADD and is in the same network domain as network device 2. Correspondingly, the blockchain device receives the query request and, using the correspondence between BCADD and the ID of network device 1 that it stored in S810, determines the ID of the network device 1 corresponding to the received BCADD and in the same network domain as network device 2; network device 2 obtains the ID of network device 1.
S815: Based on the ID of network device 1, network device 2 sends a login response carrying BCADD to the network device 1 corresponding to that ID. Correspondingly, network device 1 receives the login response.
S816: Based on BCADD, network device 1 determines the terminal device network interface corresponding to BCADD and sends it a login response carrying BCADD.
S817: Based on the received login response, the terminal device network interface sends an authentication request to the application server. The authentication request carries SKu(BCADD, random number 2) and random number 2, where SKu(BCADD, random number 2) is the ciphertext obtained by encrypting BCADD and random number 2 with the private key SKu. Correspondingly, the application server receives the authentication request.
Random number 2 refers generally to a randomly generated value; it may be the same as or different from the other random numbers mentioned above, and the embodiment of the present application does not limit this.
S818: The application server performs authentication based on the received authentication request.
Performing authentication here can be understood as follows: the application server decrypts SKu(BCADD, random number 2) with the public key PKu; if the decrypted BCADD is the same as the BCADD received in S812, and the decrypted random number 2 is the same as the random number 2 carried in the authentication request, the application server determines that the terminal device network interface has passed authentication.
S819: If authentication passes, the application server sends an authentication response to the terminal device network interface. Correspondingly, the terminal device network interface receives the authentication response.
Optionally, the authentication response may carry SKs(BCADD, random number 3), the public key PKs and random number 3, where PKs is the public key of the application server, SKs is the private key of the application server, and SKs(BCADD, random number 3) is the ciphertext obtained by encrypting BCADD and random number 3 with SKs. Correspondingly, the terminal device network interface receives the authentication response.
Random number 3 refers generally to a randomly generated value; it may be the same as or different from the other random numbers mentioned above, and the embodiment of the present application does not limit this.
Optionally, when the terminal device network interface considers it necessary to authenticate the application server, method 800 further includes S820:
S820: The terminal device network interface performs authentication based on the received authentication response.
Performing authentication here can be understood as follows: the terminal device network interface decrypts SKs(BCADD, random number 3) with the public key PKs; if the decrypted BCADD is the same as the BCADD received in S816, and the decrypted random number 3 is the same as the random number 3 carried in the authentication response, the terminal device network interface determines that the application server has passed authentication.
S821: When the terminal device network interface has passed the application server's authentication, the application server allocates a temporary external identifier for BCADD and sends the correspondence between BCADD and the temporary external identifier to the blockchain device; the temporary external identifier can be, for example, a unified resource location address (URL) and/or a port. Correspondingly, the blockchain device receives and stores the correspondence between BCADD and the temporary external identifier. Using a temporary external identifier prevents the terminal device's internal identifier from being exposed on the network and increases the security of the system.
S822,在终端设备网络接口通过了应用服务器的认证的情况下,应用服务器向终端设备应用发送第二信息,该第二信息用于指示终端设备应用通过认证,应用服务器能够为终端设备应用提供后续服务。对应地,终端设备应用接收来自应用服务器的第二信息。S822, when the terminal device network interface passes the authentication of the application server, the application server sends second information to the terminal device application, the second information is used to indicate that the terminal device application passes the authentication, and the application server can provide subsequent services for the terminal device application. Correspondingly, the terminal device application receives the second information from the application server.
应理解,上述S820中终端设备网络接口对应用服务器进行认证的结果,并不影响应用服务器为终端设备应用提供后续服务。示例性地,终端设备网络接口通过了应用服务器的认证、但应用服务器没有通过终端设备网络接口对其的认证,应用服务器能够为终端设备应用提供后续服务,终端设备应用可以选择不使用该服务。It should be understood that the result of the terminal device network interface authenticating the application server in S820 does not affect the application server providing subsequent services to the terminal device application. For example, if the terminal device network interface passes the authentication of the application server, but the application server fails to authenticate it through the terminal device network interface, the application server can provide subsequent services to the terminal device application, and the terminal device application may choose not to use the service.
Optionally, when the current PDU session needs to switch to a new BCADD for security or privacy reasons, method 800 further includes the following steps:
S823, the terminal device network interface sends the new BCADD to the terminal device application. Correspondingly, the terminal device application receives the new BCADD.
S824, the terminal device network interface sends the private key SKu to the terminal device application. Correspondingly, the terminal device application receives the private key SKu.
No order is imposed between sending the private key SKu and sending the new BCADD. In one possible implementation, the private key SKu may be sent to the terminal device application together with the new BCADD in S823. In another possible implementation, when the current PDU session needs to switch to a new BCADD once again for security or privacy reasons and the private key SKu has not changed, the terminal device network interface does not need to send SKu to the terminal device application again and only needs to send the new BCADD.
S825, using the received private key SKu, the terminal device application sends SKu(new BCADD, BCADD, random number 4) and random number 4 to the application server, where SKu(new BCADD, BCADD, random number 4) is the ciphertext obtained by encrypting the new BCADD, BCADD and random number 4 with the private key SKu. Correspondingly, the application server receives SKu(new BCADD, BCADD, random number 4) and random number 4.
Random number 4 here refers generically to a randomly generated value; it may be the same as or different from the other random numbers above, and the embodiments of this application do not limit this.
S826, the application server decrypts SKu(new BCADD, BCADD, random number 4) with the public key PKu; if the decrypted BCADD is the same as the BCADD received in S812 above, and the decrypted random number 4 is the same as the received random number 4, authentication passes.
S827, if authentication succeeds, the application server sends an ACK to the terminal device application; if authentication fails, the application server sends a NACK to the terminal device application. Correspondingly, the terminal device application receives the ACK or NACK from the application server.
S828, if authentication succeeds, the terminal device network interface updates BCADD to the new BCADD and uses the updated BCADD in subsequent PDU sessions.
It should be understood that when the above authentication fails, the application server may send an authentication request message to the terminal device again, and S823 to S827 are repeated; once the authentication passes they are not repeated. If the number of repetitions reaches a preset upper limit, the application server considers that the terminal device has failed authentication.
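The S817 to S820 exchange and the S823 to S828 BCADD rotation, as an added Go example; it is not code from the patent or from any implementation of it. "Encrypting with the private key SKu and decrypting with PKu" is realised as an Ed25519 signature and its verification, which is what that construction amounts to in practice. Assumptions that the page does not make: Ed25519 keys, a length-prefixed encoding of the tuple fields, a retry limit of three for the "preset upper limit", and a set of already accepted (BCADD, random number) pairs as a replay guard (the page leaves random number 2 free to repeat earlier values). S821 and the blockchain device are not modelled. All identifiers are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// encode length-prefixes each field so that ("ab","c") and ("a","bc") sign differently.
func encode(fields ...string) []byte {
	var out []byte
	for _, f := range fields {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		out = append(append(out, n[:]...), f...)
	}
	return out
}

func keygen() (ed25519.PublicKey, ed25519.PrivateKey) {
	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pk, sk
}

// Device is the terminal device network interface: its BCADD and private key SKu.
type Device struct{ BCADD string; SK ed25519.PrivateKey }

// Server is the application server: SKs and the stored correspondence between authenticated
// application identities (here the BCADD itself) and PKu. used (replay guard) and failures
// (count behind the "preset upper limit") are state assumed by this example, not by the page.
type Server struct {
	SK       ed25519.PrivateKey
	registry map[string]ed25519.PublicKey
	used     map[string]bool
	failures map[string]int
}

const maxAttempts = 3 // assumed upper limit on repeating S823-S827

func NewServer(sk ed25519.PrivateKey) *Server {
	return &Server{sk, map[string]ed25519.PublicKey{}, map[string]bool{}, map[string]int{}}
}
func (s *Server) Register(bcadd string, pk ed25519.PublicKey) { s.registry[bcadd] = pk }

// AuthRequest is the S817 message: SKu(BCADD, random number 2) as a signature, plus the number.
type AuthRequest struct{ Nonce string; Proof []byte }

func (d *Device) AuthRequest(nonce string) AuthRequest {
	return AuthRequest{nonce, ed25519.Sign(d.SK, encode(d.BCADD, nonce))}
}

// Authenticate is S818: the proof must verify under PKu of the BCADD received at login (S812),
// over that BCADD and the number carried in the request; a repeated pair is refused as a replay.
func (s *Server) Authenticate(loginBCADD string, r AuthRequest) bool {
	pk, ok := s.registry[loginBCADD]
	if !ok || !ed25519.Verify(pk, encode(loginBCADD, r.Nonce), r.Proof) {
		return false
	}
	key := string(encode(loginBCADD, r.Nonce))
	replayed := s.used[key]
	s.used[key] = true
	return !replayed
}

// Prove is S819, SKs(BCADD, random number 3); VerifyServer is the S820 check under PKs.
func (s *Server) Prove(bcadd, nonce string) []byte { return ed25519.Sign(s.SK, encode(bcadd, nonce)) }
func (d *Device) VerifyServer(pks ed25519.PublicKey, nonce string, proof []byte) bool {
	return ed25519.Verify(pks, encode(d.BCADD, nonce), proof)
}

// RotateRequest is S825: SKu(new BCADD, BCADD, random number 4) plus the number. The new BCADD
// travels in clear because a signature, unlike the page's "ciphertext", does not carry it.
type RotateRequest struct{ New, Nonce string; Proof []byte }

func (d *Device) Rotate(newBCADD, nonce string) RotateRequest {
	return RotateRequest{newBCADD, nonce, ed25519.Sign(d.SK, encode(newBCADD, d.BCADD, nonce))}
}

// ApplyRotation is S826-S827: verify under PKu of the current BCADD and move the registry entry.
// true is the ACK, false the NACK; after maxAttempts failures the BCADD is no longer accepted.
func (s *Server) ApplyRotation(bcadd string, r RotateRequest) bool {
	pk, ok := s.registry[bcadd]
	if !ok || s.failures[bcadd] >= maxAttempts || !ed25519.Verify(pk, encode(r.New, bcadd, r.Nonce), r.Proof) {
		s.failures[bcadd]++
		return false
	}
	delete(s.registry, bcadd)
	s.registry[r.New] = pk
	delete(s.failures, bcadd)
	return true
}

func main() {
	pkU, skU := keygen()
	pkS, skS := keygen()
	dev, srv := &Device{"bcadd-0001", skU}, NewServer(skS) // constructed sample identity
	srv.Register(dev.BCADD, pkU)
	fmt.Println(srv.Authenticate(dev.BCADD, dev.AuthRequest("n2")), dev.VerifyServer(pkS, "n3", srv.Prove(dev.BCADD, "n3")))
}
```

Two design points follow from the page rather than from the example: the server verifies against the BCADD it received at login (S812) and never against a BCADD taken from the request, so a proof made for another BCADD fails even when the signature itself is valid; and on the device side PKs is taken as a parameter rather than from the S819 response, which makes explicit that S820 only authenticates the server if the terminal device has an independent source for PKs.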
It should be understood that the details of method 800 can be found in the description of method 700 above and are not repeated here.
It should be understood that the numbering of the above processes does not imply an order of execution; the order in which the processes are executed should be determined by their function and internal logic and does not limit the implementation of the embodiments of this application in any way.
The application authentication method according to embodiments of this application has been described in detail above with reference to Figures 1 to 8. The application authentication apparatus according to embodiments of this application is described in detail below with reference to Figures 9 to 11.
FIG. 9 shows an application authentication apparatus 900 provided by an embodiment of this application. The apparatus 900 includes a transceiver unit 910 and a processing unit 920.
The transceiver unit 910 is configured to obtain first information from a terminal device, where the first information requests service data and carries the network identity of the terminal device. The processing unit 920 is configured to authenticate the terminal device based on the network identity of the terminal device and a pre-stored correspondence, where the correspondence indicates the correspondence between the public key of at least one terminal device and at least one application identity authenticated by the apparatus 900, and each of the at least one application identity is derived from the network identity of the terminal device to which it corresponds. The transceiver unit 910 is further configured to send second information to the terminal device if authentication passes, where the second information indicates that the terminal device has passed authentication.
Optionally, the application identity of the terminal device is a value obtained by processing the network identity of the terminal device with a preset one-way derivation function, or the application identity of the terminal device is the network identity of the terminal device itself.
Optionally, where the application identity of the terminal device is a value obtained by processing its network identity with a preset one-way derivation function, the processing unit 920 is specifically configured to process the network identity of the terminal device with the preset one-way derivation function to obtain a result and, if a first application identity among the at least one application identity equals that result, to determine that the terminal device has passed authentication. (This check establishes only that the presented network identity corresponds to a registered application identity; proof that the terminal device holds the private key belonging to that identity comes from the challenge-based checks described below.)
Optionally, where the application identity of the terminal device is its network identity, the transceiver unit 910 is specifically configured to receive a first authentication request from the terminal device, where the first authentication request carries a first random number and a first ciphertext, and the first ciphertext is obtained by encrypting the network identity of the terminal device and the first random number with the private key of the terminal device. The processing unit 920 is specifically configured to decrypt the first ciphertext with the public key of the terminal device to obtain the decrypted network identity of the terminal device and the decrypted first random number, and to determine that the terminal device has passed authentication when a first application identity among the at least one application identity equals the decrypted network identity of the terminal device and the decrypted first random number equals the first random number carried in the first authentication request.
Optionally, the transceiver unit 910 is further configured to send third information to the network device corresponding to the apparatus 900, where the third information responds to the first information and carries the network identity of the terminal device.
Optionally, the processing unit 920 is further configured to allocate, if authentication passes, a temporary external identifier to the terminal device, where the temporary external identifier identifies the application of the terminal device externally, and to send to the blockchain device information indicating the correspondence between the network identity and the temporary external identifier.
Optionally, the transceiver unit 910 is further configured to receive fourth information from the terminal device, where the fourth information indicates that the application identity of the terminal device is to be updated and carries a second random number and a second ciphertext, and the second ciphertext is obtained by encrypting the new network identity of the terminal device, the network identity and the second random number with the private key of the terminal device. The processing unit 920 is further configured to decrypt the second ciphertext with the public key of the terminal device to obtain the decrypted new network identity, the decrypted network identity and the decrypted second random number, and, when the decrypted second random number equals the second random number carried in the fourth information and a first application identity among the at least one application identity equals the decrypted network identity, to update the first application identity from the network identity to the new network identity.
Optionally, the transceiver unit 910 is configured to receive fifth information from the terminal device, where the fifth information requests that a first application identity be used as the identity of the terminal device under the application corresponding to the apparatus 900, and the fifth information carries the first application identity. The processing unit 920 is configured to send, based on the fifth information, a second authentication request to the terminal device, where the second authentication request requests authentication of the terminal device. The transceiver unit 910 is further configured to receive a second authentication response from the terminal device, where the second authentication response carries information used for authentication. The processing unit 920 is further configured to authenticate the terminal device based on the second authentication response and, if authentication passes, to store the correspondence between the first application identity and the public key of the terminal device.
Optionally, the information used for authentication includes the public key of the terminal device, a third random number and a third ciphertext, where the third ciphertext is obtained by encrypting the first application identity and the third random number with the private key of the terminal device. The processing unit 920 is further configured to decrypt the third ciphertext with the public key of the terminal device to obtain the decrypted first application identity and the decrypted third random number, and to determine that the terminal device has passed authentication when the decrypted first application identity equals the first application identity carried in the fifth information and the decrypted third random number equals the third random number carried in the second authentication response.
Optionally, the transceiver unit 910 is configured to send a third authentication request to the terminal device, where the third authentication request carries a fourth ciphertext, and the fourth ciphertext is obtained by encrypting the application identity of the terminal device, the network identity of the terminal device and a fourth random number with the public key of the terminal device; and to receive a third authentication response from the terminal device, where the third authentication response carries a further ciphertext obtained by encrypting, with the private key of the terminal device, the application identity of the terminal device, the network identity of the terminal device and the fourth random number recovered by decrypting the fourth ciphertext. The processing unit 920 is configured to authenticate the terminal device based on the third authentication response. The transceiver unit 910 is further configured to send the second information to the terminal device if authentication passes.
It should be understood that the apparatus 900 here is embodied in the form of functional units. The term "unit" here may refer to an application specific integrated circuit (ASIC), an electronic circuit, a processor (for example a shared processor, a dedicated processor or a group processor) and memory for executing one or more software or firmware programs, combinational logic circuitry and/or other suitable components that support the described functions. In one optional example, as those skilled in the art will understand, the apparatus 900 may specifically be the application server of the above embodiments and may be used to execute the processes and/or steps corresponding to the application server in the above method embodiments; to avoid repetition, these are not described again here.
FIG. 10 shows another application authentication apparatus 1000 provided by an embodiment of this application. The apparatus 1000 includes a sending unit 1010 and a receiving unit 1020.
The sending unit 1010 is configured to send first information to an application server, where the first information requests service data and carries the network identity of the apparatus 1000, and the network identity of the apparatus 1000 is used by the application server to authenticate the apparatus 1000 based on a pre-stored correspondence, the correspondence indicating the correspondence between the public key of at least one apparatus 1000 and at least one application identity authenticated by the application server, and each of the at least one application identity being derived from the network identity of the apparatus 1000 to which it corresponds. The receiving unit 1020 is configured to receive second information from the application server, where the second information indicates that the apparatus 1000 has passed authentication.
Optionally, the application identity of the apparatus 1000 is a value obtained by processing the network identity of the apparatus 1000 with a preset one-way derivation function, or the application identity of the apparatus 1000 is the network identity of the apparatus 1000 itself.
Optionally, the sending unit 1010 is configured to send fourth information to the application server, where the fourth information indicates that the application identity of the apparatus 1000 is to be updated and carries a second random number and a second ciphertext, and the second ciphertext is obtained by encrypting the new network identity of the apparatus 1000, the network identity and the second random number with the private key of the apparatus 1000.
Optionally, the sending unit 1010 is further configured to send fifth information to the application server, where the fifth information requests that a first application identity be used as the identity of the apparatus 1000 under the application corresponding to the application server, and the fifth information carries the first application identity.
Optionally, the receiving unit 1020 is further configured to receive a second authentication request from the application server, where the second authentication request requests authentication of the apparatus 1000, and the sending unit 1010 is further configured to send a second authentication response to the application server, where the second authentication response carries information used for authentication.
Optionally, the information used for authentication includes the public key of the apparatus 1000, a third random number and a third ciphertext, where the third ciphertext is obtained by encrypting the first application identity and the third random number with the private key of the apparatus 1000.
Optionally, the receiving unit 1020 is configured to receive a third authentication request from the application server, where the third authentication request carries a fourth ciphertext, and the fourth ciphertext is obtained by encrypting the first application identity, the network identity of the apparatus 1000 and a fourth random number with the public key of the apparatus 1000. The apparatus 1000 further includes a processing unit configured to decrypt the fourth ciphertext with the private key of the apparatus 1000 to obtain the decrypted first application identity, the decrypted network identity of the apparatus 1000 and the decrypted fourth random number, and further configured to encrypt, with the private key of the apparatus 1000, the decrypted first application identity, the decrypted network identity of the apparatus 1000 and the decrypted fourth random number to obtain a response ciphertext. The sending unit 1010 is configured to send a third authentication response to the application server, where the third authentication response carries that response ciphertext.
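The two apparatus-side checks that the S817 to S828 flow does not cover, as an added Go example that is not code from the patent: the derived-identity check of the processing unit 920 (recompute the one-way function over the network identity and look for a matching stored application identity), and the third authentication request and response, in which the apparatus encrypts (application identity, network identity, random number) to the terminal device's public key and the terminal device answers with the recovered tuple under its private key. Assumptions: SHA-256 over a domain tag and the network identity stands in for the unspecified "preset one-way derivation function"; one RSA-2048 key pair per terminal device, used for RSA-OAEP decryption and, standing in for "encrypting with the private key", an RSA-PSS signature over the recovered tuple; the single key pair follows the page's one-key-per-terminal model, although separate encryption and signing keys are the better practice. Sample identities are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// encode length-prefixes each field so that adjacent fields cannot be re-split another way.
func encode(fields ...string) []byte {
	var out []byte
	for _, f := range fields {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		out = append(append(out, n[:]...), f...)
	}
	return out
}

// DeriveAppID is the assumed one-way derivation function: SHA-256 over a domain tag and the network identity.
func DeriveAppID(networkID string) string {
	sum := sha256.Sum256(encode("app-identity-v1", networkID))
	return hex.EncodeToString(sum[:])
}

// Server holds the pre-stored correspondence: authenticated application identity -> PKu.
type Server struct{ ids map[string]*rsa.PublicKey }

func NewServer() *Server                                     { return &Server{ids: map[string]*rsa.PublicKey{}} }
func (s *Server) Register(appID string, pk *rsa.PublicKey) { s.ids[appID] = pk }

// AuthenticateDerived: recompute the identity from the network identity carried in the first
// information and pass only if some stored application identity equals the result.
func (s *Server) AuthenticateDerived(networkID string) bool {
	_, ok := s.ids[DeriveAppID(networkID)]
	return ok
}

// Challenge builds the fourth ciphertext: the tuple encrypted to PKu with RSA-OAEP.
func (s *Server) Challenge(appID, netID, nonce string) ([]byte, error) {
	pk, ok := s.ids[appID]
	if !ok {
		return nil, fmt.Errorf("unknown application identity %q", appID)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pk, encode(appID, netID, nonce), nil)
}

// Device is the terminal device holding SKu.
type Device struct{ SK *rsa.PrivateKey }

func NewDevice() *Device {
	sk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &Device{SK: sk}
}
func (d *Device) PublicKey() *rsa.PublicKey { return &d.SK.PublicKey }

// Answer decrypts the challenge with SKu and then "encrypts with the private key" the recovered
// tuple, realised as an RSA-PSS signature over it. Only the holder of SKu can complete both steps.
func (d *Device) Answer(challenge []byte) ([]byte, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, d.SK, challenge, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(pt)
	return rsa.SignPSS(rand.Reader, d.SK, crypto.SHA256, digest[:], nil)
}

// VerifyAnswer checks the third authentication response against exactly the tuple that was encrypted.
func (s *Server) VerifyAnswer(appID, netID, nonce string, sig []byte) bool {
	pk, ok := s.ids[appID]
	if !ok {
		return false
	}
	digest := sha256.Sum256(encode(appID, netID, nonce))
	return rsa.VerifyPSS(pk, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	dev, srv := NewDevice(), NewServer()
	appID := DeriveAppID("net-0001") // constructed sample network identity
	srv.Register(appID, dev.PublicKey())
	ct, _ := srv.Challenge(appID, "net-0001", "n4")
	sig, _ := dev.Answer(ct)
	fmt.Println(srv.AuthenticateDerived("net-0001"), srv.VerifyAnswer(appID, "net-0001", "n4", sig))
}
```

The fourth random number is what makes the response single-use: the server checks the signature over the exact tuple it encrypted, so an answer captured from one challenge does not verify for another, and a device that cannot decrypt the challenge never learns which tuple to sign.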
应理解,这里的装置1000以功能单元的形式体现。这里的术语“单元”可以指应用特有集成电路(application specific integrated circuit,ASIC)、电子电路、用于执行一个或多个软件或固件程序的处理器(例如共享处理器、专有处理器或组处理器等)和存储器、合并逻辑电路和/或其它支持所描述的功能的合适组件。在一个可选的例子中,本领域技术人员可以理解,装置1000可以具体为上述实施例中的终端设备,装置1000可以用于执行上述方法实施例中与终端设备对应的各个流程和/或步骤,为避免重复,在此不再赘述。It should be understood that the device 1000 here is embodied in the form of a functional unit. The term "unit" here may refer to an application specific integrated circuit (ASIC), an electronic circuit, a processor (such as a shared processor, a proprietary processor or a group processor, etc.) and a memory for executing one or more software or firmware programs, a merged logic circuit and/or other suitable components that support the described functions. In an optional example, those skilled in the art can understand that the device 1000 can be specifically a terminal device in the above-mentioned embodiment, and the device 1000 can be used to execute the various processes and/or steps corresponding to the terminal device in the above-mentioned method embodiment. To avoid repetition, it will not be repeated here.
上述各个方案的装置900具有实现上述方法中应用服务器执行的相应步骤的功能,上述各个方案的装置1000具有实现上述方法中终端设备执行的相应步骤的功能;所述功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。所述硬件或软件包括一个或多个与上述功能相对应的模块。例如,上述收发单元910可以包括发送单元和接收单元,该发送单元可以用于实现上述收发单元910对应的用于执行发送动作的各个步骤和/或流程,该接收单元可以用于实现上述收发单元对应的用于执行接收动作的各个步骤和/或流程。该发送单元可以由发射器替代,该接收单元可以由接收器替代,分别执行各个方法实施例中的收发操作以及相关的处理操作。The apparatus 900 of each of the above-mentioned schemes has the function of implementing the corresponding steps executed by the application server in the above-mentioned method, and the apparatus 1000 of each of the above-mentioned schemes has the function of implementing the corresponding steps executed by the terminal device in the above-mentioned method; the functions can be implemented by hardware, or by hardware executing corresponding software implementations. The hardware or software includes one or more modules corresponding to the above-mentioned functions. For example, the above-mentioned transceiver unit 910 may include a sending unit and a receiving unit, the sending unit can be used to implement the above-mentioned transceiver unit 910 corresponding to the various steps and/or processes for performing the sending action, and the receiving unit can be used to implement the above-mentioned transceiver unit corresponding to the various steps and/or processes for performing the receiving action. The sending unit can be replaced by a transmitter, and the receiving unit can be replaced by a receiver, respectively performing the sending and receiving operations and related processing operations in each method embodiment.
在本申请的实施例,图9中的装置900和/或图10中的装置1000也可以是芯片或者芯片系统,例如:片上系统(system on chip,SoC)。对应地,收发单元(包括发送单元和接收单元)可以是该芯片的收发电路,在此不做限定。In the embodiment of the present application, the device 900 in FIG. 9 and/or the device 1000 in FIG. 10 may also be a chip or a chip system, for example, a system on chip (SoC). Correspondingly, the transceiver unit (including the transmitting unit and the receiving unit) may be the transceiver circuit of the chip, which is not limited here.
图11示出了本申请实施例提供的又一应用鉴权装置1100。该装置1100包括处理器1110、收发器1120和存储器1130。其中,处理器1110、收发器1120和存储器1130通过内部连接通路互相通信,该存储器1130用于存储指令,该处理器1110用于执行该存储器1130存储的指令,以控制该收发器1120发送信号和/或接收信号。FIG11 shows another application authentication device 1100 provided in an embodiment of the present application. The device 1100 includes a processor 1110, a transceiver 1120, and a memory 1130. The processor 1110, the transceiver 1120, and the memory 1130 communicate with each other through an internal connection path, the memory 1130 is used to store instructions, and the processor 1110 is used to execute the instructions stored in the memory 1130 to control the transceiver 1120 to send and/or receive signals.
在一种设计中,该装置1100可以是应用服务器。其中,该收发器1120用于:获取来自终端设备的第一信息,所述第一信息用于请求获取服务数据,所述第一信息携带所述终端设备的网络标识;该处理器1110用于:基于所述终端设备的网络标识和预先存储的对应关系,对所述终端设备进行认证,所述对应关系用于指示至少一个终端设备的公钥和经过所述装置1100认证的至少一个应用身份标识之间的对应关系,所述至少一个应用身份标识是基于与所述至少一个应用身份标识对应的终端设备的网络标识得到的;该收发器1120还用于:在认证通过的情况下,向所述终端设备发送第二信息,所述第二信息用于指示所述终端设备通过认证。In one design, the apparatus 1100 may be an application server. The transceiver 1120 is used to: obtain first information from a terminal device, the first information is used to request service data, and the first information carries a network identifier of the terminal device; the processor 1110 is used to: authenticate the terminal device based on the network identifier of the terminal device and a pre-stored correspondence relationship, the correspondence relationship is used to indicate a correspondence between a public key of at least one terminal device and at least one application identifier authenticated by the apparatus 1100, the at least one application identifier is obtained based on the network identifier of the terminal device corresponding to the at least one application identifier; the transceiver 1120 is also used to: send second information to the terminal device when the authentication is successful, the second information is used to indicate that the terminal device is successful.
在另一种设计中,该装置1100可以是终端设备。其中,该收发器1120用于:向应用服务器发送第一信息,所述第一信息用于请求获取服务数据,所述第一信息携带所述装置1100的网络标识,所述装置1100的网络标识用于所述应用服务器基于预先存储的对应关系对所述装置1100进行认证,所述对应关系用于指示至少一个装置1100的公钥和经过所述应用服务器认证的至少一个应用身份标识之间的对应关系,所述至少一个应用身份标识是基于与所述至少一个应用身份标识对应的装置1100的网络标识得到的;该收发器1120还用于:接收来自所述应用服务器的第二信息,所述第二信息用于指示所述装置1100通过认证。In another design, the device 1100 may be a terminal device. The transceiver 1120 is used to: send first information to an application server, the first information is used to request service data, the first information carries the network identification of the device 1100, the network identification of the device 1100 is used by the application server to authenticate the device 1100 based on a pre-stored correspondence relationship, the correspondence relationship is used to indicate the correspondence between the public key of at least one device 1100 and at least one application identity authenticated by the application server, the at least one application identity is obtained based on the network identification of the device 1100 corresponding to the at least one application identity; the transceiver 1120 is also used to: receive second information from the application server, the second information is used to indicate that the device 1100 has passed the authentication.
It should be understood that the device 1100 may specifically be the application server or the terminal device of the embodiments above, and may be used to perform the steps and/or procedures corresponding to the application server or the terminal device in the method embodiments above. Optionally, the memory 1130 may include read-only memory and random access memory and provides instructions and data to the processor. Part of the memory may also include non-volatile random access memory; for example, the memory may also store device-type information. The processor 1110 may be configured to execute the instructions stored in the memory, and when it does so the processor 1110 performs the steps and/or procedures of the method embodiments above that correspond to the application server or the terminal device. The transceiver 1120 may include a transmitter and a receiver: the transmitter carries out the sending steps and/or procedures attributed to the transceiver above, and the receiver carries out the receiving steps and/or procedures.
It should be understood that in the embodiments of this application the processor of the above device may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. The general-purpose processor may be a microprocessor or any conventional processor.
In implementation, the steps of the above method may be completed by integrated logic circuits in hardware within the processor, or by instructions in the form of software. The steps of the method disclosed in the embodiments of this application may be embodied directly as being executed by a hardware processor, or by a combination of hardware and software units within the processor. The software unit may reside in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or a register. The storage medium is located in the memory; the processor reads the instructions in the memory and completes the steps of the above method in combination with its hardware. To avoid repetition, this is not described in detail here.
A person of ordinary skill in the art will appreciate that the method steps and units described in the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To illustrate clearly the interchangeability of hardware and software, the steps and components of each embodiment have been described above in general terms by function. Whether these functions are carried out in hardware or in software depends on the particular application and design constraints of the technical solution. A person of ordinary skill in the art may use different methods to implement the described functions for each particular application, but such implementation should not be regarded as going beyond the scope of this application.
A person skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may be found in the corresponding processes of the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in actual implementation; for instance, several units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over several network units. Some or all of the units may be selected according to actual need to achieve the purpose of the solutions of the embodiments of this application.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in hardware or as a software functional unit.
If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of this application in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of this application. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
The above are merely specific embodiments of this application, but the scope of protection of this application is not limited to them. Any person skilled in the art can readily conceive of equivalent modifications or substitutions within the technical scope disclosed in this application, and all such modifications or substitutions shall fall within the scope of protection of this application. The scope of protection of this application shall therefore be determined by the scope of protection of the claims.
Claims (35)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310371895.9A CN118740409A (en) | 2023-03-28 | 2023-03-28 | Application authentication method and device |
PCT/CN2024/081773 WO2024198962A1 (en) | 2023-03-28 | 2024-03-14 | Application authentication method and apparatus |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310371895.9A CN118740409A (en) | 2023-03-28 | 2023-03-28 | Application authentication method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN118740409A true CN118740409A (en) | 2024-10-01 |
Family
ID=92844312
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310371895.9A Pending CN118740409A (en) | 2023-03-28 | 2023-03-28 | Application authentication method and device |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN118740409A (en) |
WO (1) | WO2024198962A1 (en) |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP5449905B2 (en) * | 2009-07-29 | 2014-03-19 | フェリカネットワークス株式会社 | Information processing apparatus, program, and information processing system |
US9853965B2 (en) * | 2015-08-24 | 2017-12-26 | Verizon Patent And Licensing Inc. | Authentication service for third party applications |
CN107612940A (en) * | 2017-10-31 | 2018-01-19 | 飞天诚信科技股份有限公司 | A kind of identity identifying method and authentication device |
CN111698225B (en) * | 2020-05-28 | 2022-08-19 | 国家电网有限公司 | Application service authentication encryption method suitable for power dispatching control system |
CN114205072B (en) * | 2020-08-27 | 2023-04-28 | 华为技术有限公司 | Authentication method, device and system |
- 2023-03-28: CN application CN202310371895.9A (publication CN118740409A), status Pending
- 2024-03-14: WO application PCT/CN2024/081773 (publication WO2024198962A1), status unknown
Also Published As
Publication number | Publication date |
---|---|
WO2024198962A1 (en) | 2024-10-03 |
Similar Documents
Publication | Title |
---|---|
US11909870B2 (en) | ECDHE key exchange for mutual authentication using a key server |
EP3643098B1 (en) | Methods and systems for privacy protection of 5g slice identifier |
US20210168594A1 (en) | Secure Session Method And Apparatus |
CN108012264B (en) | Encrypted IMSI-based scheme for 802.1x bearer hotspot and Wi-Fi call authentication |
US8838972B2 (en) | Exchange of key material |
KR20230054421A (en) | Privacy of Repeater Selection in Cellular Sliced Networks |
WO2020029729A1 (en) | Communication method and device |
WO2018219181A1 (en) | Method and device for determining identifier of terminal device |
KR102818272B1 (en) | Data transmission method and system, electronic device and computer-readable storage medium |
US11924634B2 (en) | Methods providing authentication using a request commit message and related user equipment and network nodes |
JP2022503839A (en) | Distributed network cellular identity management |
AU2022230636B2 (en) | Method and system for wlan multi-link tdls key derivation |
CN111465007B (en) | Authentication method, device and system |
CN113872755A (en) | Key exchange method and device |
CN113285805B (en) | Communication method and device |
TWI815243B (en) | Method and system for wlan multi-link management frame addressing |
WO2024198962A1 (en) | Application authentication method and apparatus |
WO2025111755A1 (en) | Method and apparatus for communications with post-quantum cryptography |
WO2024131561A1 (en) | Communication authentication method and apparatus |
US20250203372A1 (en) | Method For Authenticating To A Remote Server Using Service-Specific Credentials Stored In The eUICC |
WO2024239993A1 (en) | Semantic communication method and apparatus |
WO2023131044A1 (en) | Authentication and security method and device, and storage medium |
CN115244959A (en) | Apparatus and method for providing security in a wireless communication system |
CN118945758A (en) | Information transmission method, device, terminal and relay equipment |
CN113938286A (en) | A data processing method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||