WO2018119608A1 - Application processing method, network device and terminal device - Google Patents
- Publication number
- WO2018119608A1 (PCT/CN2016/112195)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- certificate
- verified
- application
- information
- terminal device
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  - H04L9/40—Network security protocols
  - H04L9/32—Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
Definitions
- the embodiments of the present application relate to communications technologies, and in particular, to an application processing method, a network device, and a terminal device.
- the Next Generation Mobile Networks (NGMN) organization, in the 5th generation (5G) communication system, configures a variety of different network slices for different service requirements, so as to meet the quality of service (QoS) requirements of different types of devices, different types of services, and different application scenarios.
- a network slice may include a network function corresponding to the service requirement and a corresponding radio access technology (RAT) configuration instance.
- a third party, such as an application (APP), can be authorized by the operator to manage the content of the network slice according to the information provided by the operator, and to provide customized services for the user.
- the operator can pre-configure, on the terminal device, the content of the network slice corresponding to each of the different service types of the terminal device.
- the terminal device can access the data server or the application server corresponding to the preset application according to the network slice corresponding to the preset application.
- although the terminal device is a subscriber of the operator and the operator can authenticate the legitimacy of the terminal device, an illegal application running on the legitimate terminal device, such as an application that has been maliciously modified or disguised, may exploit the legitimate terminal device to access the network through a network slice, which poses serious security risks to the current network.
- the embodiments of the present application provide an application processing method, a network device, and a terminal device, so as to reduce network security risks and improve network security.
- an embodiment of the present application provides an application processing method, including:
- the network device receives a verification request from the terminal device, where the verification request includes information of the certificate to be verified; the certificate to be verified is a certificate from the application providing device;
- the network device determines the root certificate according to the information of the certificate to be verified, and determines whether the information of the certificate to be verified meets a preset condition, to obtain a verification result of the certificate to be verified;
- the network device sends a verification response to the terminal device, where the verification response includes the verification result of the certificate to be verified.
- the determining, by the network device, whether the information of the certificate to be verified meets the preset condition comprises: determining, by the network device, according to the root certificate and the information of the certificate to be verified, whether the certificate to be verified is a certificate issued by the certificate issuing device.
- in this method, the terminal device sends a verification request to the network device, where the verification request includes information of the certificate to be verified; the network device determines the root certificate according to that information, determines according to the root certificate and the information of the certificate to be verified whether the certificate to be verified was issued by the certificate issuing device, obtains the verification result of the certificate to be verified, and then returns a verification response to the terminal device, where the verification response includes the verification result of the certificate to be verified.
- the network device can verify the certificate to be verified of the application, and can effectively prevent the illegal application running on the terminal device from using the network slice to access the network, thereby effectively ensuring the security of the network.
- the verification request may further include an application identifier
- the determining, by the network device, that the information of the to-be-verified certificate meets the preset condition may further include:
- the network device determines, according to the application identifier and the information of the certificate to be verified, whether the certificate to be verified is the certificate issued to the application providing device for this application.
- the application identifier may include: an identifier of the application, and/or an identifier of the application providing device, and the like.
- the identifier of the application may include at least one of the following: a name of the application, a version number of the application, and the like.
- the identifier of the application providing device may include information such as the name of the provider corresponding to the application providing device.
- the verification request as shown above may further include an identifier of the terminal device
- the determining, by the network device, whether the information of the certificate to be verified meets the preset condition may further include:
- the network device determines, according to the information about the network slices subscribed by the terminal device and the information about the network slice corresponding to the application, whether the network slice corresponding to the application is among the network slices subscribed by the terminal device.
- the identifier of the terminal device may include at least one of the following: an IP address of the terminal device, a medium access control (MAC) address, a subscriber identity module (SIM) identifier, an international mobile subscriber identity (IMSI), and a globally unique temporary UE identity (GUTI).
- the verification response may further include information about the network slice corresponding to the application; wherein the preset condition includes: the certificate to be verified is a certificate issued by the certificate issuing device, the certificate to be verified is the certificate issued to the application providing device for this application, and the network slice corresponding to the application is among the network slices subscribed by the terminal device.
- the information about the network slice corresponding to the application includes at least one of the following: an identifier of the network slice, a service type corresponding to the network slice, a usage type corresponding to the network slice, validity period information of the network slice, and certificate verification frequency information corresponding to the network slice.
- the service type may include any type of service such as a video service, a network phone service, and a V2X service.
- the type of terminal device that uses the network slice may also be referred to as the usage type corresponding to the network slice; the usage type may include the in-vehicle user device usage type, the smartphone usage type, and the type of any other terminal device that uses the network slice.
- the receiving, by the network device, the verification request from the terminal device, as described above may include:
- the network device receives the verification request from the terminal device during installation of the application.
- the network device receives the verification request from the terminal device during startup of the application.
- the information about the certificate to be verified may include at least one of the following: a public key of the certificate to be verified, a signature algorithm of the certificate to be verified, a hash algorithm of the certificate to be verified, a fingerprint algorithm of the certificate to be verified, a validity period of the certificate to be verified, an issuer identifier of the certificate to be verified, and an identifier of the object to which the certificate to be verified is issued.
- the embodiment of the present application further provides an application processing method, including:
- the terminal device sends a verification request to the network device, where the verification request includes information of the certificate to be verified; the certificate to be verified is a certificate from the application providing device, and the information of the certificate to be verified is used for verification of the certificate to be verified;
- the terminal device receives a verification response from the network device, and the verification response includes a verification result of the to-be-verified certificate.
- the verification request may further include an application identifier, where the application identifier is used to determine whether the certificate to be verified is a certificate issued by the certificate issuing device to the application providing device.
- the application identifier is further used for determining the information of the network slice corresponding to the application
- the verification request further includes an identifier of the terminal device; the identifier of the terminal device is used for determining the network slices subscribed by the terminal device.
- the verification response may further include information about the network slice corresponding to the application; wherein the preset condition includes: the certificate to be verified is a certificate issued by the certificate issuing device, the certificate to be verified is the certificate issued to the application providing device for this application, and the network slice corresponding to the application is among the network slices subscribed by the terminal device;
- the method can also include:
- the terminal device stores information of a network slice corresponding to the application.
- the terminal device may store the information about the network slice corresponding to the application on the terminal device, whether that information was acquired during the installation process of the application or during its startup process.
- the terminal device may store, together with the information about the network slice corresponding to the application, the public key information corresponding to the application, so that the application is bound to its network slice information; this protects the network slice information stored on the terminal device side and effectively prevents it from being maliciously modified or copied, ensuring network security.
- the information about the network slice corresponding to the application may include at least one of the following: an identifier of the network slice, a service type corresponding to the network slice, a type of terminal device using the network slice, validity period information of the network slice, and certificate verification frequency information corresponding to the network slice.
- the terminal device as shown above sends a verification request to the network device.
- the terminal device sends the verification request to the network device during installation of the application.
- the terminal device sends the verification request to the network device during startup of the application.
- after the terminal device receives the verification response including the information about the network slice corresponding to the application, the method may further include:
- the terminal device continues to install the application.
- the terminal device sends the verification request to the network device during the installation process of the application; if the certificate to be verified satisfies the preset conditions, installation of the application continues, and if the certificate to be verified fails to meet any of the preset conditions, installation of the application is stopped. This effectively avoids installing an illegal application and thereby the risk of the network slice being accessed or attacked by a malicious application, improving the security of the network.
- after the terminal device receives the verification response including the information about the network slice corresponding to the application, the method may further include:
- the terminal device accesses the network according to the network slice.
- the terminal device accesses the network according to the information of the network slice corresponding to the application, and implements a corresponding service requirement of the application.
- the information about the certificate to be verified may include at least one of the following: a public key of the certificate to be verified, a signature algorithm of the certificate to be verified, a hash algorithm of the certificate to be verified, a fingerprint algorithm of the certificate to be verified, a validity period of the certificate to be verified, an issuer identifier of the certificate to be verified, and an identifier of the object to which the certificate to be verified is issued.
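One way to realise the storage step described above, where the terminal keeps the network slice information from the verification response together with the public key information of the application, the validity period of the slice and the certificate verification frequency, as an added Go example that is not the patent's own code. Binding the record to a SHA-256 fingerprint of the public key information, the record layout, and the decision to demand a fresh verification request when the frequency interval has elapsed or the record does not match the application's key are this example's assumptions; the public key bytes and timestamps are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// SliceRecord is what the terminal keeps after a successful verification: the network
// slice information from the verification response, bound to the application's public
// key. Field names are this example's own; the patent only names the information elements.
type SliceRecord struct {
	SliceID      string        // identifier of the network slice
	ServiceType  string        // service type corresponding to the network slice
	ValidUntil   time.Time     // validity period information of the network slice
	VerifyEvery  time.Duration // certificate verification frequency
	LastVerified time.Time     // when the network device last confirmed the certificate
	PubKeyFP     string        // hex SHA-256 of the application's public key information
}

// SliceStore maps application name to its record; assumed to live in terminal storage
// that ordinary applications cannot write to.
type SliceStore map[string]SliceRecord

// ErrReverify tells the terminal to send a new verification request before using the slice.
var ErrReverify = errors.New("slice information needs re-verification with the network device")

func fingerprint(pubKeyInfo []byte) string {
	sum := sha256.Sum256(pubKeyInfo)
	return hex.EncodeToString(sum[:])
}

// Store binds the slice information received at installation or startup to the
// application's public key, so a record copied to another application will not match it.
func (s SliceStore) Store(app string, pubKeyInfo []byte, rec SliceRecord) {
	rec.PubKeyFP = fingerprint(pubKeyInfo)
	s[app] = rec
}

// Lookup runs at application startup. It hands back the stored slice only if the record
// belongs to this application's key, the slice is still within its validity period and
// the certificate verification frequency does not call for a new verification request.
func (s SliceStore) Lookup(app string, pubKeyInfo []byte, now time.Time) (SliceRecord, error) {
	rec, ok := s[app]
	if !ok {
		return SliceRecord{}, ErrReverify
	}
	if rec.PubKeyFP != fingerprint(pubKeyInfo) {
		delete(s, app) // modified or copied record: discard it and force a fresh verification
		return SliceRecord{}, errors.New("stored slice information does not belong to this application")
	}
	if now.After(rec.ValidUntil) {
		delete(s, app) // slice validity period over: the stored information is stale
		return SliceRecord{}, ErrReverify
	}
	if now.Sub(rec.LastVerified) >= rec.VerifyEvery {
		return rec, ErrReverify // keep the record, but verify the certificate again first
	}
	return rec, nil
}

func main() {
	// Constructed inputs: opaque bytes stand in for two applications' public key information.
	keyA, keyB := []byte("constructed-public-key-of-VideoApp"), []byte("constructed-public-key-of-OtherApp")
	t0 := time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC)
	store := SliceStore{}
	store.Store("VideoApp", keyA, SliceRecord{SliceID: "slice-embb-video", ServiceType: "video",
		ValidUntil: t0.AddDate(0, 6, 0), VerifyEvery: 24 * time.Hour, LastVerified: t0})
	rec, err := store.Lookup("VideoApp", keyA, t0.Add(time.Hour))
	fmt.Println("same key, 1h later:", rec.SliceID, err)
	_, err = store.Lookup("VideoApp", keyA, t0.Add(48*time.Hour))
	fmt.Println("same key, 48h later:", err)
	_, err = store.Lookup("VideoApp", keyB, t0.Add(time.Hour))
	fmt.Println("record presented with another key:", err)
}
```

The three lookups in `main` show the three outcomes the stored information can have at startup: reuse, reuse only after a fresh verification request because the frequency interval has passed, and refusal with the record discarded because it does not belong to the key presenting it.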
- the embodiment of the present application further provides an application processing method, including:
- the terminal device searches, according to the information of the certificate to be verified, for the information of the root certificate corresponding to the certificate to be verified in the preset root certificate area; the certificate to be verified is a certificate from the application providing device;
- the terminal device determines, according to the information about the root certificate and the certificate to be verified, whether the certificate to be verified is a certificate issued by the certificate issuing device, to obtain a verification result of the certificate to be verified.
- in this method, the terminal device determines the root certificate identifier corresponding to the application's certificate to be verified, finds the root certificate corresponding to that identifier, and then checks the validity of the certificate to be verified according to the root certificate. In this way the terminal device can verify the application's certificate itself, and an illegal application running on a legitimate terminal device can be effectively prevented from using the network slice to access the network, thereby effectively ensuring the security of the network.
- the method may further include:
- the terminal device receives an installation package of the application from the providing device of the application; the installation package may include: an installation file of the application, information of the certificate to be verified, and information of a network slice corresponding to the application.
- the method may further include:
- the terminal device stores information of a network slice corresponding to the application.
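The network-device check of the first aspect (root certificate selected by issuer identifier, chain verification against it, match against the application identifier, and the subscribed-slice check) and the local root-certificate lookup of the terminal-side method just described both reduce to the same verification routine. The following Go program is an added example written for this page, not code from the patent or its applicant. The message field names, the use of the whole DER certificate as the "information of the certificate to be verified", the subject fields taken as application identifier (CommonName for the application name, Organization for the provider name), the slice identifiers and the terminal identifiers are all constructed assumptions. The `Roots` map plays the preset root certificate area; in the terminal-side variant the terminal would consult such an area locally instead of sending a verification request.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// Messages of the exchange; field names are this example's own, not the patent's.
type VerificationRequest struct {
	CertToVerify []byte // DER certificate of the application providing device
	AppName      string // application identifier: application name
	ProviderName string // application identifier: provider name
	TerminalID   string // identifier of the terminal device
}
type VerificationResponse struct{ OK bool; Reason, Slice string } // Reason on failure, Slice on success

// NetworkDevice holds the (constructed) data the network device consults.
type NetworkDevice struct {
	Roots          map[string]*x509.Certificate // preset root certificate area: issuer CN -> root
	AppSlice       map[string]string            // application name -> slice identifier
	TerminalSlices map[string][]string          // terminal identifier -> subscribed slices
}

// Verify applies the three preset conditions in order, stopping at the first failure.
func (nd *NetworkDevice) Verify(req VerificationRequest) VerificationResponse {
	cert, err := x509.ParseCertificate(req.CertToVerify)
	if err != nil {
		return VerificationResponse{Reason: "unparseable certificate"}
	}
	// Condition 1: select the root by issuer identifier, then let x509.Verify check the chain to it.
	root, ok := nd.Roots[cert.Issuer.CommonName]
	if !ok {
		return VerificationResponse{Reason: "issuer not in root certificate area"}
	}
	pool := x509.NewCertPool(); pool.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return VerificationResponse{Reason: "not issued by the certificate issuing device"}
	}
	// Condition 2: the certificate must be the one issued to the application in the request.
	if cert.Subject.CommonName != req.AppName || len(cert.Subject.Organization) != 1 || cert.Subject.Organization[0] != req.ProviderName {
		return VerificationResponse{Reason: "certificate subject does not match application identifier"}
	}
	// Condition 3: the application's slice must be among the terminal's subscribed slices.
	slice := nd.AppSlice[req.AppName]
	for _, s := range nd.TerminalSlices[req.TerminalID] {
		if slice != "" && s == slice {
			return VerificationResponse{OK: true, Slice: slice}
		}
	}
	return VerificationResponse{Reason: "application slice not subscribed by terminal"}
}

func must(err error) { if err != nil { panic(err) } }

// newCert issues a P-256 certificate from tmpl; with parent == nil it is self-signed.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// Fixture builds a constructed scenario: the operator root CA (the certificate issuing
// device), a genuine application certificate, and a disguised one whose issuer name
// copies the operator root but whose signature comes from a key the operator never had.
func Fixture() (nd *NetworkDevice, genuine, disguised []byte) {
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Operator Root CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	root, rootKey := newCert(ca, nil, nil)
	fakeRoot, fakeKey := newCert(ca, nil, nil) // same name and serial, unrelated key
	app := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: ca.NotBefore, NotAfter: ca.NotAfter,
		Subject: pkix.Name{CommonName: "VideoApp", Organization: []string{"ExampleProvider"}}}
	g, _ := newCert(app, root, rootKey)
	d, _ := newCert(app, fakeRoot, fakeKey)
	nd = &NetworkDevice{Roots: map[string]*x509.Certificate{root.Subject.CommonName: root},
		AppSlice:       map[string]string{"VideoApp": "slice-embb-video"},
		TerminalSlices: map[string][]string{"imsi-001": {"slice-embb-video"}, "imsi-002": {"slice-iot"}}}
	return nd, g.Raw, d.Raw
}

func main() {
	nd, genuine, disguised := Fixture()
	req := VerificationRequest{CertToVerify: genuine, AppName: "VideoApp", ProviderName: "ExampleProvider", TerminalID: "imsi-001"}
	fmt.Println(nd.Verify(req)) // genuine certificate on a terminal that subscribed the slice
	req.CertToVerify = disguised
	fmt.Println(nd.Verify(req)) // issuer name matches, signature does not: fails condition 1
	req.CertToVerify, req.TerminalID = genuine, "imsi-002"
	fmt.Println(nd.Verify(req)) // genuine certificate, slice not subscribed: fails condition 3
}
```

The disguised certificate is why the root is selected by issuer identifier and then checked cryptographically rather than trusted by name: a name alone is trivially copied, the signature is not. Stopping at the first failed condition also keeps the verification response from revealing more than the terminal needs.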
- the embodiment of the present application further provides a network device, including:
- a receiving module configured to receive a verification request from the terminal device, where the verification request includes information of the certificate to be verified; the certificate to be verified is a certificate from the application providing device;
- a processing module configured to determine a root certificate according to the information of the to-be-verified certificate; determine whether the information of the to-be-verified certificate meets a preset condition, to obtain a verification result of the to-be-verified certificate;
- a sending module configured to send a verification response to the terminal device, where the verification response includes a verification result of the to-be-verified certificate
- the processing module is specifically configured to determine, according to the information about the root certificate and the certificate to be verified, whether the certificate to be verified is a certificate issued by the certificate issuing device.
- the verification request further includes an application identifier
- the processing module is further configured to determine, according to the application identifier and the information of the certificate to be verified, whether the certificate to be verified is the certificate issued to the application providing device for this application.
- the verification request may further include an identifier of the terminal device
- the processing module is further configured to: determine, according to the application identifier, information about the network slice corresponding to the application; determine, according to the identifier of the terminal device, information about the network slices sub1scribed by the terminal device; and determine, according to the information about the network slices subscribed by the terminal device and the information about the network slice corresponding to the application, whether the network slice corresponding to the application is among the network slices subscribed by the terminal device.
- the verification response further includes information about the network slice corresponding to the application; wherein the preset condition may include: the certificate to be verified is a certificate issued by the certificate issuing device, the certificate to be verified is the certificate issued to the application providing device for this application, and the network slice corresponding to the application is among the network slices subscribed by the terminal device.
- the information about the network slice corresponding to the application may include at least one of the following: an identifier of the network slice, a service type corresponding to the network slice, a usage type corresponding to the network slice, validity period information of the network slice, and certificate verification frequency information corresponding to the network slice.
- the receiving module is specifically configured to receive the verification request from the terminal device during the installation process of the application or during the startup process of the application.
- the information about the certificate to be verified may include at least one of the following: a public key of the certificate to be verified, a signature algorithm of the certificate to be verified, a hash algorithm of the certificate to be verified, a fingerprint algorithm of the certificate to be verified, a validity period of the certificate to be verified, an issuer identifier of the certificate to be verified, and an identifier of the object to which the certificate to be verified is issued.
- the embodiment of the present application further provides a terminal device, including:
- a sending module configured to send a verification request to the network device, where the verification request includes information of the certificate to be verified; the certificate to be verified is a certificate from the application providing device, and the information of the certificate to be verified is used for verification of the certificate to be verified;
- a receiving module configured to receive a verification response from the network device, where the verification response includes a verification result of the to-be-verified certificate.
- the verification request may further include an application identifier, where the application identifier is used to determine whether the certificate to be verified is a certificate issued by the certificate issuing device to the application providing device.
- the application identifier is further used for determining the information of the network slice corresponding to the application
- the verification request may further include an identifier of the terminal device; the identifier of the terminal device is used for determining the network slices subscribed by the terminal device.
- the verification response further includes information about the network slice corresponding to the application; wherein the preset condition includes: the certificate to be verified is a certificate issued by the certificate issuing device, the certificate to be verified is the certificate issued to the application providing device for this application, and the network slice corresponding to the application is among the network slices subscribed by the terminal device;
- the terminal device further includes:
- the storage module is configured to store information about a network slice corresponding to the application.
- the information about the network slice corresponding to the application includes at least one of the following: an identifier of the network slice, a service type corresponding to the network slice, a type of terminal device using the network slice, validity period information of the network slice, and certificate verification frequency information corresponding to the network slice.
- the sending module is specifically configured to send the verification request to the network device during installation of the application or during startup of the application.
- the information about the certificate to be verified may include at least one of the following: a public key of the certificate to be verified, a signature algorithm of the certificate to be verified, a hash algorithm of the certificate to be verified, a fingerprint algorithm of the certificate to be verified, a validity period of the certificate to be verified, an issuer identifier of the certificate to be verified, and an identifier of the object to which the certificate to be verified is issued.
- the embodiment of the present application further provides a terminal device, including:
- a processing module configured to search, according to the information of the certificate to be verified, for the information of the root certificate corresponding to the certificate to be verified in the preset root certificate area, where the certificate to be verified is a certificate from the application providing device; and to determine, according to the information of the root certificate and the certificate to be verified, whether the certificate to be verified is a certificate issued by the certificate issuing device, so as to obtain a verification result of the certificate to be verified.
- the terminal device further includes:
- the receiving module is configured to receive an installation package of the application from the providing device of the application; the installation package includes: an installation file of the application, information about the certificate to be verified, and information about a network slice corresponding to the application.
- the terminal device further includes:
- the storage module is configured to store information about a network slice corresponding to the application.
- the embodiment of the present application further provides a network device, including: a receiver, a processor, and a transmitter; wherein the receiver is connected to the processor, and the processor is connected to the transmitter;
- the receiver is configured to receive a verification request from the terminal device, where the verification request includes information about the certificate to be verified; the certificate to be verified is a certificate from the application providing device;
- a processor configured to determine a root certificate according to the information of the to-be-verified certificate; determine whether the information of the to-be-verified certificate meets a preset condition, to obtain a verification result of the to-be-verified certificate;
- a transmitter configured to send a verification response to the terminal device, where the verification response includes a verification result of the to-be-verified certificate
- the processor is specifically configured to determine, according to the information about the root certificate and the certificate to be verified, whether the certificate to be verified is a certificate issued by the certificate issuing device.
- the verification request further includes an application identifier
- the processor is further configured to determine, according to the application identifier and the information of the certificate to be verified, whether the certificate to be verified is the certificate issued to the application providing device for this application.
- the verification request may further include an identifier of the terminal device
- the processor is further configured to: determine, according to the application identifier, information about the network slice corresponding to the application; determine, according to the identifier of the terminal device, information about the network slices subscribed by the terminal device; and determine, according to the information about the network slices subscribed by the terminal device and the information about the network slice corresponding to the application, whether the network slice corresponding to the application is among the network slices subscribed by the terminal device.
- the verification response further includes information about the network slice corresponding to the application; wherein the preset condition includes: the certificate to be verified is a certificate issued by the certificate issuing device, the certificate to be verified is the certificate issued to the application providing device for this application, and the network slice corresponding to the application is among the network slices subscribed by the terminal device.
- the information about the network slice corresponding to the application includes at least one of the following: an identifier of the network slice, a service type corresponding to the network slice, a usage type corresponding to the network slice, validity period information of the network slice, and certificate verification frequency information corresponding to the network slice.
- the receiver is specifically configured to receive the verification request from the terminal device during installation of the application or during startup of the application.
- the information about the certificate to be verified includes at least one of the following: a public key of the certificate to be verified, a signature algorithm of the certificate to be verified, and a hash algorithm of the certificate to be verified.
- the embodiment of the present application further provides a terminal device, including: a transmitter and a receiver;
- the transmitter is configured to send a verification request to the network device, where the verification request includes information about the certificate to be verified; the certificate to be verified is a certificate from the application providing device, and the information of the certificate to be verified is used for verification of the certificate to be verified;
- a receiver configured to receive a verification response from the network device, where the verification response includes a verification result of the to-be-verified certificate.
- the verification request further includes an application identifier, where the application identifier is used to determine whether the certificate to be verified is a certificate issued by the certificate issuing device to the application providing device.
- the application identifier is further used for determining the information of the network slice corresponding to the application
- the verification request further includes an identifier of the terminal device; the identifier of the terminal device is used for determining a network slice subscribed by the terminal device.
- the verification response further includes information about the network slice corresponding to the application; wherein the preset condition includes: the certificate to be verified is a certificate issued by the certificate issuing device, the certificate to be verified is the certificate issued to the application providing device for this application, and the network slice corresponding to the application is among the network slices subscribed by the terminal device;
- the terminal device further includes: a processor and a memory; the processor is connected to the memory, and the processor is further connected to the receiver;
- a processor configured to store information of the network slice corresponding to the application into the memory.
- the information about the network slice corresponding to the application includes at least one of the following: an identifier of the network slice, a service type corresponding to the network slice, a type of terminal device using the network slice, validity period information of the network slice, and certificate verification frequency information corresponding to the network slice.
- the transmitter is specifically configured to send the verification request to the network device during installation of the application or during startup of the application.
- the information about the certificate to be verified includes at least one of the following: a public key of the certificate to be verified, a signature algorithm of the certificate to be verified, and a hash algorithm of the certificate to be verified.
- the ninth aspect, the embodiment of the present application further provides a terminal device, including: a processor;
- a processor configured to search, according to the information of the certificate to be verified, the information of the root certificate corresponding to the certificate to be verified from the preset root certificate area; the certificate to be verified is a certificate of the providing device from the application; The information of the root certificate and the certificate to be verified determines whether the certificate to be verified is a certificate issued by the certificate issuing device, so as to obtain a verification result of the certificate to be verified.
- the terminal device further includes: a receiver; the receiver is connected to the processor;
- a receiver configured to receive an installation package of the application from the providing device of the application; the installation package includes: an installation file of the application, information about the certificate to be verified, and information about a network slice corresponding to the application.
- the terminal device further includes: a memory; the processor is connected to the memory;
- the processor is configured to store the information of the network slice corresponding to the application into the memory if the certificate to be verified is a certificate issued by the certificate issuing device.
- the embodiment of the present application further provides a computer program product, where the computer program product includes a program code corresponding to any one of the application processing methods provided by the first aspect of the embodiment of the present application.
- the embodiment of the present application further provides a computer program product, where the computer program product includes program code corresponding to any one of the application processing methods provided by the second aspect of the embodiment of the present application.
- the embodiment of the present application further provides a computer program product, where the computer program product includes a program code corresponding to any one of the application processing methods provided by the third aspect of the embodiment of the present application.
- the embodiment of the present application further provides a storage medium, where the storage medium is used to store a computer program product, where the computer program product includes program code corresponding to any one of the application processing methods provided by the foregoing first aspect of the embodiment of the present application.
- the embodiment of the present application further provides a storage medium, where the storage medium is used to store a computer program product, where the computer program product includes program code corresponding to any one of the application processing methods provided by the foregoing second aspect.
- the embodiment of the present application further provides a storage medium, where the storage medium is used to store a computer program product, where the computer program product includes program code corresponding to any one of the application processing methods provided by the foregoing third aspect.
- the application processing method, the network device, and the terminal device in the embodiment of the present application may send a verification request to the network device by using the terminal device, where the verification request includes information of the certificate to be verified; the network device determines the root certificate according to the information of the certificate to be verified, determines, according to the information of the root certificate and the certificate to be verified, whether the certificate to be verified is a certificate issued by the certificate issuing device, obtains the verification result of the certificate to be verified, and then returns a verification response to the terminal device, the verification response including the verification result of the certificate to be verified.
- the network device can verify the certificate to be verified, which can effectively prevent an illegal application running on the terminal device from using the network device to access the network, thereby effectively ensuring the security of the network.
- FIG. 1 is a structural diagram of a network system to which embodiments of the present application are applied;
- FIG. 2 is a flowchart 1 of an application processing method according to an embodiment of the present application.
- FIG. 3 is a second flowchart of an application processing method according to an embodiment of the present disclosure.
- FIG. 4 is a flowchart 3 of an application processing method according to an embodiment of the present application.
- FIG. 5 is a flowchart 4 of an application processing method according to an embodiment of the present disclosure.
- FIG. 6 is a flowchart 5 of an application processing method according to an embodiment of the present disclosure.
- FIG. 7 is a schematic structural diagram 1 of a network device according to an embodiment of the present disclosure.
- FIG. 8 is a schematic structural diagram 1 of a terminal device according to an embodiment of the present disclosure.
- FIG. 9 is a schematic structural diagram 2 of a terminal device according to an embodiment of the present disclosure.
- FIG. 10 is a schematic structural diagram 2 of a network device according to an embodiment of the present disclosure.
- FIG. 11 is a schematic structural diagram 1 of a computer program product according to an embodiment of the present application.
- FIG. 12 is a schematic structural diagram 1 of a storage medium according to an embodiment of the present disclosure.
- FIG. 13 is a schematic structural diagram 3 of a terminal device according to an embodiment of the present disclosure.
- FIG. 14 is a schematic structural diagram 2 of a computer program product according to an embodiment of the present application.
- FIG. 15 is a second schematic structural diagram of a storage medium according to an embodiment of the present disclosure.
- FIG. 16 is a schematic structural diagram 4 of a terminal device according to an embodiment of the present disclosure.
- FIG. 17 is a schematic structural diagram 3 of a computer program product according to an embodiment of the present disclosure.
- FIG. 18 is a schematic structural diagram 3 of a storage medium according to an embodiment of the present application.
- FIG. 1 is a structural diagram of a network system to which embodiments of the present application apply.
- the terminal device can access the corresponding server device, such as a server, through a radio access network (RAN) and a core network (CN), thereby implementing the corresponding service.
- the applicable scenarios of the terminal device may include at least one of: enhanced mobile broadband (eMBB), large-scale Internet of Things (massive machine type communication, mMTC), and ultra-reliable and low-latency communication (Ultra-Reliable and Low Latency Communication, URLLC).
- the terminal device may have an APP-slice adaptor corresponding to the eMBB application, where
- the eMBB application may include: an eMBB E1 application and an eMBB E2 application.
- the network slice adapter corresponding to the eMBB application may include a correspondence between the eMBB E1 application and the network slice information, and a correspondence between the eMBB E2 application and the network slice information.
- the terminal device in the eMBB scenario can access the control plane network element of the eMBB E1 slice (Control Plane Network Functions for eMBB Slice E1) according to the eMBB common control plane network functions (eMBB Common CP NFs), and access the user plane network element of the eMBB E1 slice (User Plane Network Functions for eMBB Slice E1), thereby accessing the server device corresponding to the IMS to implement the corresponding IMS service.
- the terminal device in the eMBB scenario can also access the control plane network element of the eMBB E2 slice (Control Plane Network Functions for eMBB Slice E2) according to the eMBB Common CP NFs, and access the user plane network element of the eMBB E2 slice (User Plane Network Functions for eMBB Slice E2), thereby accessing the server device corresponding to the Internet to implement the corresponding Internet service.
- the terminal device may have a network slice adapter corresponding to the mMTC application; the mMTC application may include: mMTC M1 application and mMTC M2 application.
- the network slice adapter corresponding to the mMTC application may include a correspondence between the mMTC M1 application and the network slice information, and a correspondence between the mMTC M2 application and the network slice information.
- the terminal device in the mMTC scenario can access the control plane network element of the mMTC M1 slice (Control Plane Network Functions for mMTC Slice M1), and access the user plane network element of the mMTC M1 slice (User Plane Network Functions for mMTC Slice M1).
- the terminal device in the mMTC scenario can also access the control plane network element of the mMTC M2 slice (Control Plane Network Functions for mMTC Slice M2), and access the user plane network element of the mMTC M2 slice (User Plane Network Functions for mMTC Slice M2), thereby accessing the server device corresponding to the industrial sensor to implement the corresponding industrial sensor service.
- the terminal device may have a network slice adapter corresponding to the URLLC application, and the URLLC application includes the URLLC U1 application and URLLC U2 application.
- the network slice adapter corresponding to the URLLC application may include a correspondence between the URLLC U1 application and the network slice information, and a correspondence between the URLLC U2 application and the network slice information.
- the terminal device in the URLLC scenario can access the control plane network element of the URLLC U1 slice (Control Plane Network Functions for URLLC Slice U1), and access the user plane network element of the URLLC U1 slice (User Plane Network Functions for URLLC Slice U1), thereby accessing the server device corresponding to V2X to implement the corresponding grid service.
- the terminal device in the URLLC scenario can also access the control plane network element of the URLLC U2 slice (Control Plane Network Functions for URLLC Slice U2), and access the user plane network element of the URLLC U2 slice (User Plane Network Functions for URLLC Slice U2), thereby accessing the server device corresponding to the haptic Internet to implement the corresponding haptic Internet service.
- the terminal device involved in the following embodiments of the present application may be a device that provides data connectivity to a user, a handheld device with a wireless connection function, or a wireless device that is connected to a wireless modem.
- the wireless terminal can communicate with one or more core networks via the RAN, and can be a mobile terminal, such as a mobile telephone (or "cellular" telephone) or a computer with a mobile terminal, for example, a portable, pocket-sized, handheld, computer built-in or in-vehicle mobile device that exchanges voice and/or data with the wireless access network.
- a wireless terminal may also be called a system, a subscriber unit (Subscriber Unit), a subscriber station (Subscriber Station), a mobile station (Mobile Station), a mobile (Mobile), a remote station (Remote Station), an access point (Access Point), a remote terminal (Remote Terminal), an access terminal (Access Terminal), a user terminal (User Terminal), a user agent (User Agent), a user device (User Device), user equipment (User Equipment), a smartphone, an automated device, or an Internet of Things device; for example, it may be a personal communication service (PCS) phone, a Session Initiation Protocol (SIP) phone, a wireless local loop (WLL) station, or a personal digital assistant (PDA).
- the carrier device involved in the following embodiments of the present application may be a network element device in an operator network.
- the network element device in the carrier network may be a Mobility Management Entity (MME), or another network element entity with mobility or slice management functions, such as a common control plane (Common Control Plane, Common CP) or a Slice Select Function (SSF).
- FIG. 2 is a flowchart 1 of an application processing method according to an embodiment of the present application. As shown in FIG. 2, the application processing method may include:
- the terminal device sends a verification request to the network device.
- the verification request includes information about the certificate to be verified; the certificate to be verified is a certificate from the providing device of the application.
- the terminal device may send a verification request to the network device if it is determined that the application needs to use the network slice to access the corresponding network.
- the terminal device may send a permission request to the user, and if receiving a confirmation command input by the user, such as clicking and agreeing to the corresponding instruction, it may be determined that the application needs to use the network slice to access the corresponding network.
- the application may be an application that the terminal device is installing or already installed after being downloaded from an application store or other channels.
- the providing device of the application may be a server that provides the application, such as a server of an application provider, or a server of an application store, or the like.
- the network device can be a carrier device, such as a carrier device to which the terminal device is attached. That is, the terminal device can send a verification request to the carrier device to which it is attached.
- the verification request may be an APP Certificate Validate Request.
- the terminal device may send Non-Access Stratum (NAS) signaling to the carrier device, where the verification request may be included in the NAS signaling.
- the network device can also be a server, such as a certificate verification server. That is, the terminal device can send a verification request to the server. For example, the terminal device can send the verification request to the server through the user plane message.
- the terminal device may determine the server according to information pre-stored on the terminal device, such as an internet protocol (IP) address or a network domain name of the server, and then send the verification request to the server.
- the network device receives the verification request from the terminal device.
- the network device determines a root certificate according to the information of the to-be-verified certificate.
- the information of the certificate to be verified may include a root certificate identifier.
- the network device can determine the root certificate according to the root certificate identifier.
- the information of the certificate to be verified may further include at least one of the following: a public key of the certificate to be verified, a signature algorithm of the certificate to be verified, a hash algorithm of the certificate to be verified, a fingerprint algorithm of the certificate to be verified, a validity period of the certificate to be verified, an issuer identifier of the certificate to be verified, and an identifier of the object to which the certificate to be verified is issued.
- the issuer identifier may be an identifier of a certificate issuing device, such as an identifier of a carrier, a certificate authority (CA) identifier, or the like.
- the CA identifier may be the identity of the issuing authority of the certificate to be verified, such as the carrier device, the certificate server, or other certificate issuing organization.
- the identifier of the object to which the certificate to be verified is issued may be at least one of an identifier of the application provider, an identifier of the providing device of the application, and the like.
- the network device determines whether the information of the to-be-verified certificate meets a preset condition, to obtain a verification result of the to-be-verified certificate.
- the determining, by the network device in S203, that the information of the to-be-verified certificate meets the preset condition may include:
- the network device determines, according to the root certificate and the information of the certificate to be verified, whether the certificate to be verified is a certificate issued by the certificate issuing device.
- the network device can determine whether the information of the root certificate and the information of the certificate to be verified include the same information. If they do, the network device may determine that the certificate to be verified is a certificate issued by the certificate issuing device, and thus that the first check of the certificate to be verified passes. On the other hand, if they do not, the network device may determine that the certificate to be verified is not a certificate issued by the certificate issuing device, and thus that the first check of the certificate to be verified fails.
- the network device may be the same device or different device as the certificate issuing device.
- the certificate issuing device may be a carrier device or another certificate issuing device.
- the network device sends a verification response to the terminal device.
- the verification response includes a verification result of the to-be-verified certificate.
- the terminal device receives the verification response from the network device.
- the verification response can be an APP Certificate Validate Response. If the first check of the to-be-verified certificate passes, the verification result of the to-be-verified certificate in the verification response may include a first verification success indication, which may also be called a verification pass indication (Validate Pass). If the first check of the to-be-verified certificate fails, the verification result of the to-be-verified certificate may instead include a first verification failure indication, which may also be called a verification failure indication (Validate Fail).
- the terminal device may send a verification request to the network device, where the verification request includes information about the certificate to be verified; the network device determines the root certificate according to the information of the certificate to be verified, determines, according to the information of the root certificate and the certificate to be verified, whether the certificate to be verified is a certificate issued by the certificate issuing device, obtains a verification result of the certificate to be verified, and then returns a verification response to the terminal device, where the verification response includes the verification result of the certificate to be verified.
- in this way, the network device can verify the certificate to be verified of the application, which can effectively prevent an illegal application running on the terminal device from using the network slice to access the network, thereby effectively ensuring the security of the network.
- the verification request further includes: an application identifier.
- the application identifier may include: an identifier of the application, and/or an identifier of the application providing device, and the like.
- the identifier of the application may include at least one of the following: a name of the application, a version number of the application, and the like.
- the identifier of the application providing device may include information such as the name of the provider corresponding to the application providing device.
- the determining, by the network device in S203, that the information of the to-be-verified certificate meets the preset condition may further include:
- the network device determines, according to the application identifier and the information of the certificate to be verified, whether the certificate to be verified is a certificate of the providing device that is issued to the application.
- the network device may determine, according to the application identifier, the certificate issued to the providing device of the application, and then compare whether the information of the certificate issued to the providing device of the application includes the information of the certificate to be verified. If it does, the network device determines that the certificate to be verified is a certificate issued to the providing device of the application, and may determine that the second check of the certificate to be verified passes. On the other hand, if it does not, the network device determines that the certificate to be verified is not a certificate issued to the providing device of the application, and may thus determine that the second check of the certificate to be verified fails.
- If the second verification of the to-be-verified certificate passes, the verification result of the to-be-verified certificate in the verification response may include a second verification success indication. If the second verification of the to-be-verified certificate fails, the verification result of the to-be-verified certificate may include a second verification failure indication.
- the first check of the to-be-verified certificate and the second check of the to-be-verified certificate may be performed simultaneously or sequentially.
- the network device may perform a second check on the to-be-verified certificate if the first verification of the to-be-verified certificate is successful.
- the first verification success may be: the certificate to be verified is a certificate issued by the certificate issuing device; and the second verification includes: determining whether the certificate to be verified is a certificate issued to the providing device of the application.
- the verification request as described above may further include: an identifier of the terminal device.
- the identifier of the terminal device as described above may include at least one of the following: an IP address of the terminal device, a Medium Access Control (MAC) address, a Subscriber Identity Module (SIM) identifier, an International Mobile Subscriber Identification Number (IMSI), and a Globally Unique Temporary UE Identity (GUTI).
- the determining, by the network device in S203, that the information of the to-be-verified certificate meets the preset condition may further include:
- the network device determines, according to the information of the network slices subscribed to by the terminal device and the information of the network slice corresponding to the application, whether the network slice corresponding to the application is located within the network slices subscribed to by the terminal device.
- the network device may determine, according to the application identifier and a preset correspondence between application identifiers and network slice information, the information of the network slice corresponding to the application identifier, which is the information of the network slice corresponding to the application.
- the network device may determine, according to the identifier of the terminal device and a preset correspondence between terminal device identifiers and subscribed network slice information, the information of the network slices that the terminal device subscribes to.
- the network device may query the information of the network slices subscribed to by the terminal device for the information of the network slice corresponding to the application. If it is found, that is, the information of the network slices subscribed to by the terminal device includes the information of the network slice corresponding to the application, the network slice corresponding to the application is determined to be within the network slices subscribed to by the terminal device, and the third check of the certificate to be verified can be determined to pass. Otherwise, the network slice corresponding to the application may be determined not to be located within the network slices subscribed to by the terminal device, so that the third check of the to-be-verified certificate can be determined to fail.
- If the third verification of the to-be-verified certificate passes, the verification result of the to-be-verified certificate in the verification response may include a third verification success indication. If the third verification of the to-be-verified certificate fails, the verification result of the to-be-verified certificate may instead include a third verification failure indication.
- the first check of the to-be-verified certificate, the second check of the to-be-verified certificate, and the third check of the to-be-verified certificate may be performed simultaneously, or may be performed sequentially.
- the network device may perform the second check on the to-be-verified certificate if the first verification of the to-be-verified certificate is successful, and perform the third check on the to-be-verified certificate if the second verification is successful.
- the first verification success may be: the certificate to be verified is a certificate issued by the certificate issuing device; the second verification success may be: the certificate to be verified is a certificate issued to the providing device of the application; and the third check includes: determining whether the network slice corresponding to the application is located within the network slices subscribed to by the terminal device.
- the verification response may further include: information about the network slice corresponding to the application.
- the preset condition includes: the certificate to be verified is a certificate issued by the certificate issuing device, the certificate to be verified is a certificate issued to the providing device of the application, and the network slice corresponding to the application is located within the network slices subscribed to by the terminal device.
- the network device may determine that the to-be-verified certificate satisfies the preset condition, that is, that the first check, the second check, and the third check of the to-be-verified certificate all pass, and then send the information of the network slice corresponding to the application to the terminal device.
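The three checks and their sequential ordering, worked as a small Python model of the network device side. This is an added example, not code from the patent or from any operator implementation: the root certificate area, the issued-certificate records, the application-to-slice correspondence, the subscription records and every identifier in it are constructed sample data, and the reading of "include the same information" as "every field recorded against the root certificate appears unchanged in the certificate to be verified" is an assumption made for the example.

```python
from dataclasses import dataclass, asdict

# All identifiers and records below are constructed sample data, not values from the patent.


@dataclass(frozen=True)
class CertificateInfo:
    """Information about the certificate to be verified, as carried in the verification request."""
    root_certificate_id: str   # root certificate identifier the network device uses to find the root
    issuer_id: str             # identifier of the certificate issuing device (e.g. a carrier CA)
    subject_id: str            # identifier of the object the certificate was issued to (providing device)
    public_key: str
    signature_algorithm: str
    hash_algorithm: str


@dataclass(frozen=True)
class NetworkSliceInfo:
    """Information about the network slice corresponding to an application."""
    slice_id: str
    service_type: str
    usage_type: str
    validity_days: int         # validity period information (assumed unit: days)
    check_frequency_days: int  # certificate verification frequency information (assumed unit: days)


# Root certificate area: root identifier -> fields that must appear unchanged in the certificate (assumption).
ROOT_CERTIFICATES = {
    "root-01": {"issuer_id": "carrier-ca", "signature_algorithm": "ECDSA-P256", "hash_algorithm": "SHA-256"},
}

# Certificates the issuing device issued to application providers, keyed by application identifier.
# A record may carry more fields than the request; every field of the request must be included in it.
ISSUED_CERTIFICATES = {
    "video.app:1.0": {
        "root_certificate_id": "root-01", "issuer_id": "carrier-ca", "subject_id": "provider-video",
        "public_key": "pk-video-001", "signature_algorithm": "ECDSA-P256", "hash_algorithm": "SHA-256",
        "not_after": "2030-01-01",
    },
}

# Preset correspondence: application identifier -> network slice information.
APP_SLICES = {
    "video.app:1.0": NetworkSliceInfo("slice-embb-e1", "video", "Smartphone UE Usage Type", 30, 7),
}

# Preset correspondence: terminal device identifier -> identifiers of the slices it subscribes to.
SUBSCRIBED_SLICES = {
    "imsi-001": {"slice-embb-e1", "slice-urllc-u1"},
    "imsi-002": {"slice-mmtc-m1"},
}

PASS, FAIL = "Validate Pass", "Validate Fail"


def first_check(cert: CertificateInfo) -> bool:
    """Was the certificate issued by the certificate issuing device? Find the root by identifier and
    require the fields recorded against the root to appear unchanged in the certificate to be verified."""
    root = ROOT_CERTIFICATES.get(cert.root_certificate_id)
    return root is not None and all(getattr(cert, k) == v for k, v in root.items())


def second_check(app_id: str, cert: CertificateInfo) -> bool:
    """Was the certificate issued to this application's providing device? The record of the certificate
    issued for the application must include every field the request carries."""
    issued = ISSUED_CERTIFICATES.get(app_id)
    return issued is not None and all(issued.get(k) == v for k, v in asdict(cert).items())


def third_check(app_id: str, terminal_id: str) -> bool:
    """Is the slice corresponding to the application within the slices the terminal subscribes to?"""
    slice_info = APP_SLICES.get(app_id)
    return slice_info is not None and slice_info.slice_id in SUBSCRIBED_SLICES.get(terminal_id, set())


def handle_verification_request(request: dict) -> dict:
    """Run the three checks in order, stop at the first failure, and build the verification response.
    The network slice information is released only when every check passes."""
    cert, app_id, terminal_id = request["certificate"], request["application_id"], request["terminal_id"]
    result = {}
    for name, check in (("first", lambda: first_check(cert)),
                        ("second", lambda: second_check(app_id, cert)),
                        ("third", lambda: third_check(app_id, terminal_id))):
        passed = check()
        result[name] = PASS if passed else FAIL
        if not passed:
            return {"result": result}          # later checks are not performed
    return {"result": result, "network_slice": asdict(APP_SLICES[app_id])}


# Constructed certificate matching the record issued for "video.app:1.0".
GENUINE_CERT = CertificateInfo("root-01", "carrier-ca", "provider-video", "pk-video-001", "ECDSA-P256", "SHA-256")

if __name__ == "__main__":
    print(handle_verification_request(
        {"application_id": "video.app:1.0", "terminal_id": "imsi-001", "certificate": GENUINE_CERT}))
```

Because the checks stop at the first failure, a response that only carries a first-check Validate Fail tells the terminal nothing about whether the certificate was ever issued for that application or whether the subscription covers the slice, and the slice information never leaves the network device unless all three checks pass.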
- the information of the network slice corresponding to the application may include a mapping relationship between the application and the information of the network slice.
- the terminal device may refresh, according to the received information of the network slice corresponding to the application, the information stored in its network slice adapter for the application, that is, update the information in the network slice adapter corresponding to the application to the received network slice information corresponding to the application.
- the information about the network slice corresponding to the application includes at least one of the following: an identifier of the network slice, a service type corresponding to the network slice, a type of the terminal device that uses the network slice, validity period information of the network slice, and the like.
- the service type may include any type of service, such as a video service, a voice over internet protocol (VoIP) service, or a V2X service.
- the type of the terminal device that uses the network slice may also be referred to as the usage type (Usage Type) corresponding to the network slice, and the usage type may include any type of terminal device that uses this network slice, such as a car usage type (Car UE Usage Type) or a smartphone usage type (Smartphone UE Usage Type).
- Network slices of different security levels have different validity periods.
- the validity period information of the network slice can be determined by the network device according to the security level of the network slice.
- the terminal device may determine the validity period of the network slice according to the received validity period information of the network slice, and access the corresponding network according to the information of the network slice during that validity period. If the validity period of the network slice expires, the terminal device may perform the certificate verification of the application again by using any one of the application processing methods described above, and re-acquire the information of the network slice from the network device if the certificate verification passes.
- the verification response further includes: certificate verification frequency information of the application.
- network slices of different security levels have different certificate verification frequencies.
- the certificate check frequency indication of the network slice can be determined by the network device based on the security level of the network slice.
- the terminal device may determine the certificate verification frequency of the application according to the certificate verification frequency information of the application, and send the verification request to the network device according to that frequency, so that the network device verifies the certificate to be verified again.
- FIG. 3 is a second flowchart of an application processing method according to an embodiment of the present application. As shown in FIG. 3, the above step S201 may include:
- the terminal device sends the verification request to the network device during the installation process of the application.
- the terminal device may suspend the installation of the application and send the verification request to the network device.
- the verification response further includes: information about the network slice corresponding to the application.
- if the certificate to be verified satisfies the preset condition, the method may further include:
- the terminal device stores the information of the network slice corresponding to the application, and installs the application.
- the terminal device may store the information of the network slice corresponding to the application. If the installation of the application was suspended, the terminal device may continue to install the application, so that after the application is installed, it can access the network according to the information of the network slice corresponding to the application to meet the service requirements of the application.
- if the certificate to be verified does not meet the preset condition, that is, the certificate to be verified is not a certificate issued by the certificate issuing device, or the certificate to be verified is not a certificate issued by the certificate issuing device to the providing device of the application, or the network slice corresponding to the application is not located within the network slices subscribed to by the terminal device, the method may include: the terminal device stops installing the application.
- the terminal device sends the verification request to the network device during the installation process of the application; if the certificate to be verified satisfies the preset condition, the installation of the application continues, and if the certificate to be verified does not meet the preset condition, the installation of the application is stopped. Installation of an illegal application can thus be effectively avoided, which effectively avoids the risk of the network slice being accessed or attacked by a malicious application and improves the security of the network.
- the method may further include:
- the providing device of the application sends the installation package of the application to the terminal device.
- the installation package includes: a signature file, an installation file, and the certificate to be verified.
- the terminal device receives the installation package of the application from the providing device of the application.
- the signature file may be obtained by the application providing device by performing signature processing on the installation file of the application to obtain signature data, and then encrypting the signature data with a preset private key using a preset fingerprint algorithm.
- the certificate to be verified may be determined by the application providing device according to the certificate obtained from the certificate issuing device, and the certificate to be verified may include, for example, all or part of the information of a certificate issued by the certificate issuing device.
- S301b The terminal device performs integrity verification on the installation file according to the to-be-verified certificate and the signature file.
- the terminal device may determine, according to the to-be-verified certificate, a public key corresponding to the private key, a signature algorithm, and a fingerprint algorithm, perform a signature operation on the installation file according to the signature algorithm to obtain signature data A of the installation file, and then decrypt the signature file with the public key using the fingerprint algorithm to obtain signature data B.
- the terminal device performs integrity verification on the installation file by comparing the signature data A and the signature data B. If the signature data A and the signature data B are the same, the terminal device may determine that the integrity check of the installation file passes; if the signature data A and the signature data B are different, the terminal device may determine that the integrity check of the installation file fails.
- if the terminal device determines that the integrity check passes, it is determined that the installation file has not been maliciously modified; if the terminal device determines that the integrity check fails, it is determined that the installation file has been maliciously modified and is an incomplete file.
- the terminal device sends the verification request to the network device, which may include:
- during the installation process of the application, if the integrity check of the installation file passes, the terminal device sends the verification request to the network device.
- the installation file is integrity checked first, and only if the integrity check of the installation file passes is the application installed and the verification request sent to the network device during the installation process of the application. This can effectively avoid the installation of illegal applications, effectively avoid the risk of the network slice being accessed or attacked by malicious applications, improve the security of the network, and effectively avoid the application being incomplete or unable to run because of malicious modification, thereby effectively guaranteeing that the corresponding functions of the application are implemented.
- FIG. 4 is a third flowchart of an application processing method according to an embodiment of the present disclosure. As shown in FIG. 4, the application processing method may include:
- the certificate issuing device sends a first certificate to the providing device of the application.
- the providing device of the application receives the first certificate from the certificate issuing device.
- the first certificate may be a certificate issued by the certificate issuing device to the providing device of the application.
- the providing device of the application processes the installation file of the application according to the first certificate to obtain the signature file of the application.
- the installation file of the application may be an installation file pre-stored in the providing device, and the installation file on the providing device may be an installation file uploaded by a developer of the application.
- the application providing device may determine a signature algorithm, a private key, a fingerprint algorithm, and the like according to the first certificate, process the installation file according to the signature algorithm to obtain signature data of the installation file, and encrypt the signature data with the private key using the fingerprint algorithm to obtain the signature file of the application.
- the application providing device sends the signature file, the installation file, and the second certificate to the terminal device.
- the second certificate includes all or part of the information of the first certificate, and the second certificate and the signature file are used to enable the terminal device to perform an integrity check on the installation file.
- the second certificate may be a certificate to be verified in the application processing method as described in any of the above.
- the information of the first certificate as described above may include at least one of the following: a key pair, a signature algorithm, a hash algorithm, a fingerprint algorithm, an expiration date, an issuer identifier, and an identifier of the issued object;
- the key pair includes: a private key and a public key.
- the issuer identifier may include the identifier of the certificate issuing device in the first certificate.
- the identifier of the issued object may include: an identifier of the providing device of the application.
- the providing device of the application may process the installation file according to the signature algorithm in the first certificate to obtain signature data of the installation file, and process the signature data according to the hash algorithm to obtain the hash value of the signature data.
- the providing device of the application may, for example, encrypt the hash value of the signature data according to the fingerprint algorithm in the first certificate according to the private key in the key pair to obtain the signature file.
- the providing device of the application may send a certificate update request to the certificate issuing device to obtain the latest certificate issued by the certificate issuing device, so as to update the certificate in time, which effectively avoids the installation of illegal applications, effectively avoids the risk of the network slice being accessed or attacked by malicious applications, and improves network security.
- the information of the second certificate includes partial information of the information of the first certificate.
- the information of the second certificate may include at least one of the following: a public key in the information of the first certificate, a signature algorithm in the information of the first certificate, a hash algorithm in the information of the first certificate, a fingerprint algorithm in the information of the first certificate, a validity period in the information of the first certificate, and a letter of the first certificate.
- the terminal device may perform a signature operation on the installation file according to the signature algorithm, perform a hash operation on the data after the signature operation according to the hash algorithm to obtain the signature data A of the installation file, and then decrypt the signature file with the public key using the fingerprint algorithm to obtain the signature data B.
- the terminal device can perform an integrity check on the installation file by comparing the signature data A and the signature data B. If the signature data A and the signature data B are the same, the terminal device may determine that the integrity check of the installation file passes; otherwise, if the signature data A and the signature data B are different, the terminal device may determine that the integrity check of the installation file fails.
- the information of the first certificate and the second certificate described above is only an example; the first certificate and the second certificate may further include other information, such as the certificate specification, and details are not described herein again.
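- As an added example (not the patent's own code, and using only the Python standard library), the following models both sides of the integrity check described above: the providing device producing the signature file from the first certificate (S402), and the terminal device checking the installation file against the signature file with the second certificate (S301b). Two simplifications are assumptions, not the page's: the "signature algorithm" and "hash algorithm" steps are collapsed into one SHA-256 digest of the installation file, and the "fingerprint algorithm" that encrypts the digest with the private key is modelled as textbook RSA over a constructed key so that the example runs offline; a deployed verifier would use a padded signature scheme from a vetted library. All field names and values are constructed.

```python
import hashlib

# Constructed toy key material for this example only. The modulus is the
# product of two known Mersenne primes (2^521-1 and 2^607-1), which is large
# enough to hold a SHA-256 digest as an integer. Real keys are generated and
# issued by the certificate issuing device, never hard-coded like this.
_P = 2**521 - 1
_Q = 2**607 - 1
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))   # private exponent (Python 3.8+)

# "First certificate": what the certificate issuing device gives the providing
# device (S401). Field names are assumptions; the page lists the kinds of
# information a certificate carries, not a wire format.
FIRST_CERTIFICATE = {
    "issuer_id": "issuer-example",            # constructed
    "issued_to": "app-provider-example",      # constructed
    "signature_algorithm": "sha256",          # assumption: digest the file with SHA-256
    "hash_algorithm": "sha256",               # assumption: collapsed into the same digest
    "fingerprint_algorithm": "rsa-textbook",  # assumption: stand-in for the page's fingerprint algorithm
    "validity_period": "2017-12-31",          # constructed
    "public_key": (_N, _E),
    "private_key": _D,
}


def second_certificate(first_cert: dict) -> dict:
    """The certificate to be verified (S403): the first certificate without the private key."""
    return {k: v for k, v in first_cert.items() if k != "private_key"}


def _signature_data(install_file: bytes) -> int:
    """Signature data of the installation file: its SHA-256 digest as an integer."""
    return int.from_bytes(hashlib.sha256(install_file).digest(), "big")


def _sig_len(n: int) -> int:
    """Fixed byte length of a signature file for modulus n."""
    return (n.bit_length() + 7) // 8


def make_signature_file(install_file: bytes, first_cert: dict) -> bytes:
    """Providing device (S402): encrypt the signature data with the private key."""
    n, _e = first_cert["public_key"]
    s = pow(_signature_data(install_file), first_cert["private_key"], n)
    return s.to_bytes(_sig_len(n), "big")


def verify_installation_file(install_file: bytes, signature_file: bytes, cert: dict) -> bool:
    """Terminal device (S301b): recover signature data A from the signature file
    with the public key, compute signature data B from the installation file,
    and pass the integrity check only when the two are identical."""
    if (cert.get("fingerprint_algorithm") != "rsa-textbook"
            or cert.get("signature_algorithm") != "sha256"):
        return False                      # unknown algorithm: fail closed
    n, e = cert["public_key"]
    if len(signature_file) != _sig_len(n):
        return False                      # malformed signature file
    s = int.from_bytes(signature_file, "big")
    if not 0 < s < n:
        return False
    signature_data_a = pow(s, e, n)       # "decrypt" the signature file with the public key
    signature_data_b = _signature_data(install_file)
    return signature_data_a == signature_data_b


if __name__ == "__main__":
    # Constructed installation file and a tampered copy.
    install = b"PK\x03\x04 constructed installation file contents"
    cert = second_certificate(FIRST_CERTIFICATE)
    sig = make_signature_file(install, FIRST_CERTIFICATE)
    print(verify_installation_file(install, sig, cert))           # True
    print(verify_installation_file(install + b"!", sig, cert))    # False
```

The check fails closed: an unknown algorithm name, a signature file of the wrong length, or a signature value outside the modulus range is reported as a failed integrity check rather than raising, which is the behaviour the terminal needs before it decides whether to continue installation or send the verification request.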
- the sending, by the terminal device, the verification request to the network device in S201, as described above, may include:
- the terminal device sends the verification request to the network device.
- the terminal device may send the verification request to the network device during each startup of the application, or may send the verification request to the network device during the first startup of the application.
- the verification response further includes: information about the network slice corresponding to the application.
- the method may further include:
- the terminal device stores information about a network slice corresponding to the application, and accesses the network according to the network slice.
- the terminal device can access the network according to the information of the network slice corresponding to the application, so as to implement the corresponding service requirement of the application.
- the terminal device may store the information about the network slice corresponding to the application on the terminal device, whether the information was acquired during the installation process of the application or during the startup process of the application.
- the information of the network slice corresponding to the application is prevented from being maliciously modified or copied to ensure network security.
- the terminal device may store the information about the network slice corresponding to the application and store the public key information corresponding to the application, so as to ensure the security of the information of the network slice corresponding to the application stored on the terminal device side and effectively prevent that information from being maliciously modified or copied, thereby ensuring network security.
- FIG. 5 is a flowchart 4 of an application processing method according to an embodiment of the present application.
- the application processing method may include:
- the terminal device searches for a root certificate corresponding to the to-be-verified certificate from the preset root certificate area according to the information of the certificate to be verified.
- the certificate to be verified may be a certificate from the application providing device.
- the information of the certificate to be verified may include a root certificate identifier.
- the terminal device can search for the root certificate corresponding to the root certificate identifier from the preset root certificate area according to the root certificate identifier.
- the preset root certificate area may store at least one root certificate, and each root certificate has a corresponding root certificate identifier.
- the terminal device determines, according to the root certificate and the information of the certificate to be verified, whether the certificate to be verified is a certificate issued by the certificate issuing device, to obtain a verification result of the to-be-verified certificate.
- the terminal device can determine whether the information of the root certificate and the information of the certificate to be verified include the same information. If they do, the terminal device may determine that the certificate to be verified is a certificate issued by the certificate issuing device, and the validity check of the certificate to be verified passes. On the other hand, if the information of the root certificate and the information of the certificate to be verified do not include the same information, the terminal device may determine that the certificate to be verified is not a certificate issued by the certificate issuing device, and the validity check of the certificate to be verified fails.
- the verification of the certificate can be implemented by the terminal device itself.
- the root certificate identifier corresponding to the to-be-verified certificate of the application is determined by the terminal device, the root certificate corresponding to the root certificate identifier is searched for according to the root certificate identifier, and the validity of the certificate to be verified is then verified according to the root certificate.
- the terminal device can verify the certificate to be verified of the application, and can effectively prevent the illegal application running on the legal terminal device from using the network slice to access the network, thereby effectively ensuring the security of the network.
- before the terminal device searches, in the foregoing S501, for the root certificate corresponding to the to-be-verified certificate from the preset root certificate area according to the information of the certificate to be verified, the method may further include:
- the terminal device receives the installation package of the application from the providing device of the application; the installation package includes: an installation file of the application, information of the certificate to be verified, and information of a network slice corresponding to the application.
- the method may further include:
- the terminal device stores information of a network slice corresponding to the application.
- the terminal device can receive the information of the network slice corresponding to the application from the providing device of the application while receiving the installation file of the application and the information of the certificate to be verified, and the terminal device can verify the certificate to be verified of the application without sending a request to the network device to obtain the information of the network slice corresponding to the application.
- the terminal device may receive the information of the network slice corresponding to the application from the providing device of the application, but the terminal device may store the information of the network slice corresponding to the application only after determining that the certificate to be verified is a certificate issued by the certificate issuing device. If the certificate to be verified is not a certificate issued by the certificate issuing device, the terminal device may discard the installation package of the application.
- the terminal device may further receive a signature file of the application delivered by the application providing device, to perform integrity verification on the installation file.
- the implementation process of the specific integrity check is similar to the above, and is not described here.
- a specific description of the information of the to-be-verified certificate, the signature file, and the network slice corresponding to the application may be similar to the foregoing, and details are not described herein again.
- FIG. 6 is a flowchart 5 of an application processing method according to an embodiment of the present disclosure. As shown in FIG. 6, the application processing method may include:
- the application providing device sends an application certificate request to the operator device.
- the operator device receives the application certificate request from the application providing device.
- after receiving the application certificate request, the operator device sends the issued certificate to the application providing device.
- the application providing device receives the issuance certificate from the operator device.
- the information of the issued certificate includes: a key pair of the issued certificate, a signature algorithm of the issued certificate, a hash algorithm of the issued certificate, a fingerprint algorithm of the issued certificate, an issuer identifier of the issued certificate, an identifier of the application providing device, a validity period of the issued certificate, and certificate specification information.
- the key pair includes: a private key and a public key.
- the application providing device processes the installation file of the application according to the signature algorithm to obtain signature data of the installation file, processes the signature data according to the hash algorithm to obtain a hash value of the signature data, and encrypts the hash value of the signature data with the private key using the fingerprint algorithm to obtain the signature file of the application.
- the installation file of the application may be an installation file pre-stored in the application providing device, and the installation file on the application providing device may be an installation file uploaded by a developer of the application.
- the application providing device sends, to the terminal device, the signature file of the application, the installation file, and the information of the certificate to be verified, where the information of the certificate to be verified includes part of the information of the certificate.
- the information of the certificate to be verified includes: the public key, the signature algorithm, the hash algorithm, the fingerprint algorithm, the validity period, the issuer identifier, the identifier of the application providing device, and other contents of the certificate specification.
- the terminal device decrypts the signature file by using the fingerprint algorithm according to the public key to obtain a hash value of the signature data A.
- the terminal device processes the installation file according to the signature algorithm to obtain signature data B, and processes the signature data B according to the hash algorithm to obtain a hash value of the signature data B.
- the terminal device compares whether the hash value of the signature data A and the hash value of the signature data B are the same.
- if the two hash values are the same, the terminal device determines that the installation file passes the integrity check and starts installing the application according to the installation file.
- if the two hash values are different, the terminal device determines that the integrity check of the installation file fails.
- the terminal device determines that the application has a network slice access requirement, and sends a verification request to the operator equipment, where the verification request includes an identifier of the application, an identifier of the terminal device, and information about the certificate to be verified.
- the terminal device may determine that the application has a network slice access requirement if it is determined that the application needs to use a network slice to access the corresponding network.
- the terminal device can send a verification request to the operator device during the installation of the application.
- the terminal device may also send a verification request to the operator device during the startup process of the application.
- the operator equipment determines the root certificate according to the information of the certificate to be verified, and determines, according to the information of the root certificate and the certificate to be verified, whether the certificate to be verified is a certificate issued by the operator device.
- the manner in which the operator device determines the root certificate in S610 according to the information of the to-be-verified certificate is similar to the foregoing S202.
- for the specific implementation process, refer to the foregoing, and details are not described herein.
- the manner in which the operator device determines in S610, according to the root certificate and the information of the certificate to be verified, whether the certificate to be verified is a certificate issued by the operator device is similar to the foregoing S203. For the specific implementation process, refer to the foregoing, and details are not described herein again.
- the operator equipment determines, according to the identifier of the application and the information of the certificate to be verified, whether the certificate to be verified is a certificate issued by the operator device to the application providing device.
- the operator equipment determines, according to the identifier of the terminal device, a network slice that is subscribed by the terminal device, and determines information about the network slice corresponding to the application according to the identifier of the application.
- the operator equipment determines, according to the information of the network slice subscribed by the terminal device and the information of the network slice corresponding to the application, whether the network slice corresponding to the application is in the network slice subscribed by the terminal device.
- the execution order of S611, S612, and S613 is not limited, and S611, S612, and S613 may be executed simultaneously or sequentially.
- if the certificate to be verified is a certificate issued by the operator device, the certificate to be verified is a certificate issued to the application providing device, and the network slice corresponding to the application is in the network slice subscribed by the terminal device, the operator device sends a verification response to the terminal device, where the verification response includes a verification success indication of the to-be-verified certificate and information about the network slice corresponding to the application.
- the terminal device determines, according to the verification success indication of the to-be-verified certificate, that the to-be-verified certificate is verified and stores information of the network slice corresponding to the application.
- the terminal device may continue to install the application according to the installation file.
- the terminal device may also access the network according to the network slice corresponding to the application.
- if the certificate to be verified is not a certificate issued by the operator device, the certificate to be verified is not a certificate issued to the application providing device, or the network slice corresponding to the application is not in the network slice subscribed by the terminal device, the operator device sends a verification response to the terminal device, where the verification response includes a verification failure indication of the to-be-verified certificate.
- the terminal device determines, according to the verification failure indication of the to-be-verified certificate, that the verification of the to-be-verified certificate fails.
- if the terminal device sends the verification request to the operator device during the installation process of the application and determines that the verification of the to-be-verified certificate fails, the terminal device also needs to stop the installation of the application.
- if the terminal device sends the verification request to the operator device during the startup process of the application and determines that the verification of the to-be-verified certificate fails, the startup of the application may also be stopped.
- in the application processing method, when the certificate to be verified is a certificate issued by the operator device, the certificate to be verified is a certificate issued to the application providing device, and the network slice corresponding to the application is in the network slice subscribed by the terminal device, the terminal device stores the information of the network slice corresponding to the application, so that the terminal device can access the network according to the information of the network slice corresponding to the application, to implement the corresponding service requirement of the application.
- when the certificate to be verified is not issued by the operator device, the certificate to be verified is not issued by the operator device to the application providing device, or the network slice corresponding to the application is not in the network slice subscribed by the terminal device, the installation of the application is stopped, which can effectively prevent the installation or startup of an illegal application, thereby effectively avoiding the risk of the network slice being accessed or attacked by a malicious application, and improving the security of the network.
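- As an added example (not the patent's own code), the following implements the decision the operator device makes in S610 to S617 of FIG. 6 and, through the same two helper functions `find_root_certificate` and `issued_by_issuer`, the local root-certificate check the terminal device performs in S501 and S502 of FIG. 5. Everything concrete here is an assumption: the page only says the verifier locates the root certificate by the root certificate identifier carried in the certificate information and then checks that the two "include the same information", which is modelled as a matching issuer identifier (and issuer public key, when the certificate carries one); the registry of applications, providers, slices and subscriptions, the identifiers, and the validity-period check are constructed for the example. A deployed verifier would additionally check the issuer's signature over the certificate, which the page does not describe.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class VerificationRequest:
    """Verification request (S609): application id, terminal id and the
    information of the certificate to be verified."""
    app_id: str
    terminal_id: str
    cert_info: dict


# --- constructed operator-side data; every value below is an assumption ---

# Preset root certificate area (S501 / S610): root certificates keyed by root certificate id.
ROOT_CERTIFICATE_AREA = {
    "root-1": {"root_id": "root-1", "issuer_id": "operator-ca", "public_key": "PK-ROOT-1"},
}

# Which providing device each application was issued to (S611) and the slice it uses (S612).
APPLICATION_REGISTRY = {
    "com.example.video": {
        "provider_id": "provider-1",
        "slice": {"slice_id": "slice-embb-1", "service_type": "eMBB", "usage_type": "video",
                  "validity_period": "2017-12-31", "verification_frequency": "every-startup"},
    },
    "com.example.meter": {
        "provider_id": "provider-2",
        "slice": {"slice_id": "slice-mmtc-1", "service_type": "mMTC", "usage_type": "metering",
                  "validity_period": "2017-12-31", "verification_frequency": "install-only"},
    },
}

# Network slices subscribed by each terminal device (S612).
SUBSCRIPTIONS = {"terminal-1": {"slice-embb-1"}, "terminal-2": {"slice-mmtc-1"}}


def find_root_certificate(cert_info: dict, root_area: dict = ROOT_CERTIFICATE_AREA):
    """S501 / S610: look the root certificate up by the root certificate id in the cert info."""
    return root_area.get(cert_info.get("root_id"))


def issued_by_issuer(cert_info: dict, root_cert) -> bool:
    """S502 / S610: root certificate and cert info must 'include the same information'.
    Modelled (assumption) as a matching issuer id plus, if present, issuer public key."""
    if root_cert is None:
        return False                                   # no root certificate: fail closed
    if cert_info.get("issuer_id") != root_cert["issuer_id"]:
        return False
    issuer_pk = cert_info.get("issuer_public_key")
    return issuer_pk is None or issuer_pk == root_cert["public_key"]


def issued_to_provider(app_id: str, cert_info: dict, registry: dict = APPLICATION_REGISTRY) -> bool:
    """S611: the issued-object id in the cert must be the provider registered for the app."""
    entry = registry.get(app_id)
    return entry is not None and cert_info.get("issued_to") == entry["provider_id"]


def slice_is_subscribed(app_id: str, terminal_id: str, registry: dict = APPLICATION_REGISTRY,
                        subscriptions: dict = SUBSCRIPTIONS) -> bool:
    """S612 + S613: the app's slice must be among the slices the terminal subscribed to."""
    entry = registry.get(app_id)
    if entry is None:
        return False
    return entry["slice"]["slice_id"] in subscriptions.get(terminal_id, set())


def within_validity(cert_info: dict, today: date) -> bool:
    """Added check (assumption): the validity period is part of the certificate
    information on the page, although not one of the three preset conditions."""
    until = cert_info.get("validity_period")
    return until is None or date.fromisoformat(until) >= today


def verify(req: VerificationRequest, *, today: date = date(2017, 6, 1),
           root_area: dict = ROOT_CERTIFICATE_AREA, registry: dict = APPLICATION_REGISTRY,
           subscriptions: dict = SUBSCRIPTIONS) -> dict:
    """Operator device, S610 to S617: run the checks (their order is not limited)
    and build the verification response. `today` defaults to a constructed clock
    so the sample data stays valid; pass date.today() in real use."""
    checks = {
        "issued_by_issuer": issued_by_issuer(req.cert_info, find_root_certificate(req.cert_info, root_area)),
        "issued_to_provider": issued_to_provider(req.app_id, req.cert_info, registry),
        "slice_subscribed": slice_is_subscribed(req.app_id, req.terminal_id, registry, subscriptions),
        "within_validity": within_validity(req.cert_info, today),
    }
    if all(checks.values()):                           # S614: success plus slice information
        return {"result": "success", "slice": registry[req.app_id]["slice"]}
    return {"result": "failure"}                       # S617: failure indication only


if __name__ == "__main__":
    cert = {"root_id": "root-1", "issuer_id": "operator-ca",
            "issued_to": "provider-1", "validity_period": "2017-12-31"}   # constructed
    print(verify(VerificationRequest("com.example.video", "terminal-1", cert)))
    print(verify(VerificationRequest("com.example.video", "terminal-2", cert)))
```

The response carries only the success or failure indication and, on success, the slice information, as the page describes; the per-check results stay on the operator side, where they are the natural thing to log for detecting repeated verification failures from one terminal or application.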
- FIG. 7 is a schematic structural diagram 1 of a network device according to an embodiment of the present disclosure. As shown in FIG. 7, the network device 700 includes:
- the receiving module 701 is configured to receive a verification request from the terminal device, where the verification request includes information about the certificate to be verified; the certificate to be verified is a certificate from the providing device of the application;
- the processing module 702 is configured to determine a root certificate according to the information of the to-be-verified certificate, and determine whether the information of the to-be-verified certificate meets a preset condition to obtain a verification result of the to-be-verified certificate.
- the sending module 703 is configured to send a verification response to the terminal device, where the verification response includes a verification result of the to-be-verified certificate.
- the processing module 702 is specifically configured to determine, according to the information about the root certificate and the certificate to be verified, whether the certificate to be verified is a certificate issued by the certificate issuing device.
- the verification request further includes an application identifier.
- the processing module 702 is further configured to determine, according to the application identifier and the information of the certificate to be verified, whether the certificate to be verified is a certificate of a providing device that is issued to the application.
- the verification request may further include an identifier of the terminal device.
- the processing module 702 is further configured to: determine, according to the application identifier, information about a network slice corresponding to the application; determine, according to the identifier of the terminal device, information about a network slice subscribed by the terminal device; and determine, according to the information about the network slice subscribed by the terminal device and the information about the network slice corresponding to the application, whether the network slice corresponding to the application is in the network slice subscribed by the terminal device.
- the verification response further includes information about a network slice corresponding to the application; wherein the preset condition may include: the certificate to be verified is a certificate issued by the certificate issuing device, the certificate to be verified is a certificate issued to the providing device of the application, and the network slice corresponding to the application is in the network slice subscribed by the terminal device.
- the information about the network slice corresponding to the application may include at least one of the following: an identifier of the network slice, a service type corresponding to the network slice, a usage type corresponding to the network slice, validity period information of the network slice, and certificate verification frequency information corresponding to the network slice.
- the receiving module 701 is specifically configured to receive the verification request from the terminal device during the installation process of the application or during the startup process of the application.
- the information about the certificate to be verified may include at least one of the following: a public key of the certificate to be verified, a signature algorithm of the certificate to be verified, a hash algorithm of the certificate to be verified, a fingerprint algorithm of the certificate to be verified, a validity period of the certificate to be verified, an issuer identifier of the certificate to be verified, and an identifier of the object to which the certificate to be verified is issued.
- the network device provided by the embodiment of the present application may perform the application processing method performed by the network device described in any of the foregoing FIG. 2, FIG. 3, FIG. 4, and FIG. 6, and the specific implementation process and beneficial effects thereof may be referred to above. This will not be repeated here.
- FIG. 8 is a schematic structural diagram 1 of a terminal device according to an embodiment of the present disclosure. As shown in FIG. 8, the terminal device 800 includes:
- the sending module 801 is configured to send a verification request to the network device, where the verification request includes information of the certificate to be verified; the certificate to be verified is a certificate from the providing device of the application; and the information of the certificate to be verified is used for verifying the certificate to be verified.
- the receiving module 802 is configured to receive a verification response from the network device, where the verification response includes a verification result of the to-be-verified certificate.
- the verification request may further include an application identifier, where the application identifier is used to determine whether the certificate to be verified is a certificate issued by the certificate issuing device to the application providing device.
- the application identifier is further used for determining the information of the network slice corresponding to the application
- the verification request may further include an identifier of the terminal device; the identifier of the terminal device is used for determining the network slice subscribed by the terminal device.
- the verification response further includes information about the network slice corresponding to the application; wherein the preset condition includes: the to-be-verified certificate is a certificate issued by the certificate issuing device, the certificate to be verified is a certificate issued to the providing device of the application, and the network slice corresponding to the application is in the network slice subscribed by the terminal device;
- the terminal device 800 further includes:
- the storage module is configured to store information about a network slice corresponding to the application.
- the information about the network slice corresponding to the application includes at least one of the following: an identifier of the network slice, a service type corresponding to the network slice, a type of the terminal device using the network slice, validity period information of the network slice, and certificate verification frequency information corresponding to the network slice.
- the sending module 801 is specifically configured to send the verification request to the network device during the installation process of the application or during the startup process of the application.
- the information about the certificate to be verified may include at least one of the following: a public key of the certificate to be verified, a signature algorithm of the certificate to be verified, a hash algorithm of the certificate to be verified, a fingerprint algorithm of the certificate to be verified, a validity period of the certificate to be verified, an issuer identifier of the certificate to be verified, and an identifier of the object to which the certificate to be verified is issued.
- the terminal device device provided by the embodiment of the present application may perform the application processing method performed by the terminal device described in any of the foregoing FIG. 2, FIG. 3, FIG. 4, and FIG. 6, and the specific implementation process and beneficial effects thereof may be referred to the foregoing. I will not repeat them here.
- FIG. 9 is a schematic structural diagram 2 of a terminal device according to an embodiment of the present disclosure. As shown in FIG. 9, the terminal device 900 includes:
- the processing module 901 is configured to search a preset root certificate area, according to the information about the certificate to be verified, for the information of the root certificate corresponding to the certificate to be verified, where the certificate to be verified is a certificate from the providing device of the application; and to determine, according to the root certificate and the information about the certificate to be verified, whether the certificate to be verified is a certificate issued by the certificate issuing device, so as to obtain a verification result for the certificate to be verified.
- the terminal device 900 further includes:
- a receiving module configured to receive an installation package of the application from the providing device of the application; the installation package includes: an installation file of the application, information about the certificate to be verified, and information about the network slice corresponding to the application.
- the terminal device 900 further includes:
- the storage module is configured to store information about a network slice corresponding to the application.
- the terminal device provided by the embodiment of the present application can perform the application processing method performed by the terminal device in the foregoing FIG. 5, and the specific implementation process and the beneficial effects thereof can be referred to the foregoing, and details are not described herein again.
- FIG. 10 is a schematic structural diagram 2 of a network device according to an embodiment of the present disclosure.
- the network device 1000 includes a receiver 1001, a processor 1002, and a transmitter 1003.
- the receiver 1001 is connected to the processor 1002, and the processor 1002 is connected to the transmitter 1003.
- the receiver 1001 is configured to receive a verification request from the terminal device, where the verification request includes information about the certificate to be verified; the certificate to be verified is a certificate of the providing device from the application.
- the processor 1002 is configured to determine a root certificate according to the information of the to-be-verified certificate, and determine whether the information of the to-be-verified certificate meets a preset condition to obtain a verification result of the to-be-verified certificate.
- the transmitter 1003 is configured to send a verification response to the terminal device, where the verification response includes a verification result of the to-be-verified certificate.
- the processor 1002 is specifically configured to determine, according to the information about the root certificate and the certificate to be verified, whether the certificate to be verified is a certificate issued by the certificate issuing device.
- the verification request further includes an application identifier.
- the processor 1002 is further configured to determine, according to the application identifier and the information of the certificate to be verified, whether the certificate to be verified is a certificate of a providing device that is issued to the application.
- the verification request may further include an identifier of the terminal device.
- the processor 1002 is further configured to: determine, according to the application identifier, information about the network slice corresponding to the application; determine, according to the identifier of the terminal device, information about the network slices subscribed to by the terminal device; and determine, according to the information about the network slices subscribed to by the terminal device and the information about the network slice corresponding to the application, whether the network slice corresponding to the application lies within the network slices subscribed to by the terminal device.
- if the certificate to be verified meets the preset condition, the verification response further includes information about the network slice corresponding to the application; the preset condition includes: the certificate to be verified is a certificate issued by the certificate issuing device, the certificate to be verified is a certificate issued to the providing device of the application, and the network slice corresponding to the application lies within the network slices subscribed to by the terminal device.
- the information about the network slice corresponding to the application includes at least one of the following: an identifier of the network slice, a service type corresponding to the network slice, a usage type corresponding to the network slice, validity period information of the network slice, and certificate verification frequency information corresponding to the network slice.
- the receiver 1001 is specifically configured to receive the verification request from the terminal device during installation of the application or during startup of the application.
- the information about the certificate to be verified includes at least one of the following: a public key of the certificate to be verified, a signature algorithm of the certificate to be verified, and a hash algorithm of the certificate to be verified.
- FIG. 11 is a schematic structural diagram 1 of a computer program product according to an embodiment of the present application.
- computer program product 1100 can include program code 1101.
- the program code 1101 may be a program code corresponding to an application processing method executed by the network device described in any of the above-mentioned FIG. 2, FIG. 3, FIG. 4, and FIG.
- the program code 1101 in the computer program product 1100 can be executed, for example, by the processor 1002 in the network device 1000 shown in FIG. 10 described above.
- FIG. 12 is a schematic structural diagram 1 of a storage medium according to an embodiment of the present disclosure.
- storage medium 1200 can be used to store computer program product 1201.
- Computer program product 1201 can include program code 1202.
- the program code 1202 may be a program code corresponding to an application processing method executed by the network device described in any of the above-mentioned FIG. 2, FIG. 3, FIG. 4, and FIG.
- the storage medium 1200 may be an internal memory in the network device 1000 shown in FIG. 10 described above, or may be an external memory connected to the network device 1000 shown in FIG. 10 described above.
- the program code 1202 in the computer program product 1201 can be executed, for example, by the processor 1002 in the network device 1000 shown in FIG. 10 described above.
- the network device, the computer program product, and the storage medium provided by the embodiments of the present application may perform the application processing method performed by the network device described in any of the foregoing FIG. 2, FIG. 3, FIG. 4, and FIG. 6; the specific implementation process and beneficial effects can be found above and are not described again here.
- FIG. 13 is a schematic structural diagram 3 of a terminal device according to an embodiment of the present disclosure. As shown in FIG. 13, the terminal device 1300 may include a transmitter 1301 and a receiver 1302.
- the transmitter 1301 is configured to send a verification request to the network device, where the verification request includes information about the certificate to be verified; the certificate to be verified is a certificate from the providing device of the application; and the information about the certificate to be verified is used to verify the certificate to be verified.
- the receiver 1302 is configured to receive a verification response from the network device, where the verification response includes a verification result of the to-be-verified certificate.
- the verification request further includes an application identifier, where the application identifier is used to determine whether the certificate to be verified is a certificate issued by the certificate issuing device to the application providing device.
- the application identifier is further used for determining the information of the network slice corresponding to the application.
- the verification request further includes an identifier of the terminal device; the identifier of the terminal device is used for determining a network slice subscribed by the terminal device.
- if the certificate to be verified meets the preset condition, the verification response further includes information about the network slice corresponding to the application; the preset condition includes: the certificate to be verified is a certificate issued by the certificate issuing device, the certificate to be verified is a certificate issued to the providing device of the application, and the network slice corresponding to the application lies within the network slices subscribed to by the terminal device.
- the terminal device 1300 further includes: a processor and a memory; the processor is connected to the memory, and the processor is further connected to the receiver;
- the processor is configured to store the information about the network slice corresponding to the application into the memory.
- the information about the network slice corresponding to the application includes at least one of the following: an identifier of the network slice, a service type corresponding to the network slice, the type of terminal device using the network slice, validity period information of the network slice, and certificate verification frequency information corresponding to the network slice.
- the transmitter 1301 is specifically configured to send the verification request to the network device during installation of the application or during startup of the application.
- the information about the certificate to be verified includes at least one of the following: the public key of the certificate to be verified, the signature algorithm of the certificate to be verified, the hash algorithm of the certificate to be verified, the fingerprint algorithm of the certificate to be verified, the validity period of the certificate to be verified, the issuer identifier of the certificate to be verified, and the identifier of the object to which the certificate to be verified is issued.
- FIG. 14 is a schematic structural diagram 2 of a computer program product according to an embodiment of the present application.
- computer program product 1400 can include program code 1401.
- the program code 1401 may be a program code corresponding to an application processing method executed by the terminal device described in any of the above-mentioned FIG. 2, FIG. 3, FIG. 4, and FIG.
- the program code 1401 in the computer program product 1400 can be executed, for example, by the processor in the terminal device 1300 shown in FIG. 13 described above.
- FIG. 15 is a schematic structural diagram 2 of a storage medium according to an embodiment of the present disclosure.
- storage medium 1500 can be used to store computer program product 1501.
- the computer program product 1501 can include program code 1502.
- the program code 1502 may be a program code corresponding to an application processing method executed by the terminal device described in any of the above-mentioned FIG. 2, FIG. 3, FIG. 4, and FIG.
- the storage medium 1500 may be an internal memory in the terminal device 1300 shown in FIG. 13 described above, or may be an external memory connected to the terminal device 1300 shown in FIG. 13 described above.
- the program code 1502 in the computer program product 1501 can be executed, for example, by the processor in the terminal device 1300 shown in FIG. 13 described above.
- the terminal device, the computer program product, and the storage medium provided in the embodiments of the present application may perform the application processing method performed by the terminal device in any of the foregoing FIG. 2, FIG. 3, FIG. 4, and FIG. 6; the specific implementation process and beneficial effects can be found above and are not described again here.
- FIG. 16 is a schematic structural diagram 4 of a terminal device according to an embodiment of the present disclosure. As shown in FIG. 16, the terminal device 1600 may include a processor 1601.
- the processor 1601 is configured to search, according to the information of the certificate to be verified, the information of the root certificate corresponding to the certificate to be verified from the preset root certificate area; the certificate to be verified is a certificate of the providing device from the application; The root certificate and the information of the certificate to be verified determine whether the certificate to be verified is a certificate issued by the certificate issuing device, so as to obtain a verification result of the certificate to be verified.
- the terminal device 1600 further includes: a receiver; and the receiver is connected to the processor 1601.
- a receiver configured to receive an installation package of the application from the providing device of the application; the installation package includes: an installation file of the application, information about the certificate to be verified, and information about a network slice corresponding to the application.
- the terminal device further includes: a memory; the processor 1601 is connected to the memory;
- the processor is configured to store the information of the network slice corresponding to the application into the memory if the certificate to be verified is a certificate issued by the certificate issuing device.
- FIG. 17 is a schematic structural diagram 3 of a computer program product according to an embodiment of the present application.
- computer program product 1700 can include program code 1701.
- the program code 1701 may be a program code corresponding to the application processing method executed by the terminal device described in the above FIG. 5 of the embodiment of the present application.
- the program code 1701 in the computer program product 1700 can be executed, for example, by the processor 1601 in the terminal device 1600 shown in FIG. 16 described above.
- FIG. 18 is a schematic structural diagram 3 of a storage medium according to an embodiment of the present application.
- storage medium 1800 can be used to store computer program product 1801.
- Computer program product 1801 can include program code 1802.
- the program code 1802 may be a program code corresponding to an application processing method executed by the terminal device described in the above FIG. 5 of the embodiment of the present application.
- the storage medium 1800 may be an internal memory in the terminal device 1600 shown in FIG. 16 described above, or may be an external memory connected to the terminal device 1600 shown in FIG. 16 described above.
- the program code 1802 in the computer program product 1801 can be executed, for example, by the processor 1601 in the terminal device 1600 shown in FIG. 16 described above.
- the terminal device, the computer program product, and the storage medium provided in the embodiments of the present application can perform the application processing method performed by the terminal device in the foregoing FIG. 5; the specific implementation process and beneficial effects can be found above and are not described again here.
- the foregoing program may be stored in a computer readable storage medium; when the program is executed, the steps of the foregoing method embodiments are performed.
- the foregoing stor
age medium includes any medium that can store program code, such as a ROM, a RAM, a magnetic disk, or an optical disk.
Description
The embodiments of the present application relate to communications technologies, and in particular to an application processing method, a network device, and a terminal device.
To meet the quality of service (QoS) requirements that different types of devices, different types of services, and different application scenarios place on the network, the Next Generation Mobile Network (NGMN) organization has configured, in the 5th Generation (5G) communication system, a variety of network slices for different service requirements. A network slice may include a configuration instance of the network functions corresponding to one service requirement and of the corresponding Radio Access Technology (RAT). A third party, such as an application (APP) provider, may be authorized by the operator to manage the content of a network slice according to information provided by the operator, so as to provide customized services to users.
At present, once a terminal device has subscribed to network slices with an operator, the operator can pre-configure the terminal device with the content of the network slices corresponding to the terminal device's different service types. The terminal device can then access a data server, or the application server corresponding to a preset application, according to the network slice corresponding to that preset application.
Although a terminal device that is a subscriber of the operator can have its legitimacy authenticated by the operator, an illegitimate application running on a legitimate terminal device, such as an application that has been maliciously modified or disguised, can use a network slice through that legitimate terminal device and thereby access the network, so that the current network has serious security risks.
Summary of the invention
The embodiments of the present application provide an application processing method, a network device, and a terminal device, so as to reduce network security risks and improve network security.
In a first aspect, an embodiment of the present application provides an application processing method, including:
a network device receives a verification request from a terminal device, where the verification request includes information about a certificate to be verified, and the certificate to be verified is a certificate from the providing device of an application;
the network device determines a root certificate according to the information about the certificate to be verified;
the network device determines whether the information about the certificate to be verified meets a preset condition, so as to obtain a verification result for the certificate to be verified;
the network device sends a verification response to the terminal device, where the verification response includes the verification result of the certificate to be verified;
where the network device determining whether the information about the certificate to be verified meets the preset condition includes: the network device determines, according to the root certificate and the information about the certificate to be verified, whether the certificate to be verified is a certificate issued by the certificate issuing device.
In this method, the terminal device sends the network device a verification request that includes information about the certificate to be verified; the network device determines a root certificate according to that information, determines according to the root certificate and the certificate information whether the certificate to be verified is a certificate issued by the certificate issuing device, obtains the verification result, and returns to the terminal device a verification response that includes the verification result. Because the network device verifies the application's certificate to be verified, an illegitimate application running on the terminal device is effectively prevented from using a network slice through the terminal device to access the network, which effectively guarantees the security of network use.
In one possible implementation, the verification request may further include an application identifier;
the network device determining whether the information about the certificate to be verified meets the preset condition, as described above, may further include:
the network device determines, according to the application identifier and the information about the certificate to be verified, whether the certificate to be verified is a certificate issued to the providing device of the application.
In another possible implementation, the application identifier may include an identifier of the application and/or an identifier of the application providing device. The identifier of the application may include at least one of the following: the name of the application, the version number of the application, and the like. The identifier of the application providing device may include information such as the name of the provider corresponding to the application providing device.
In yet another possible implementation, the verification request described above may further include an identifier of the terminal device;
the network device determining whether the information about the certificate to be verified meets the preset condition may further include:
the network device determines, according to the application identifier, information about the network slice corresponding to the application;
the network device determines, according to the identifier of the terminal device, information about the network slices subscribed to by the terminal device;
the network device determines, according to the information about the network slices subscribed to by the terminal device and the information about the network slice corresponding to the application, whether the network slice corresponding to the application lies within the network slices subscribed to by the terminal device.
In yet another possible implementation, the identifier of the terminal device described above may include at least one of the following identifiers: an IP address of the terminal device, a medium access control (MAC) address, a subscriber identity module (SIM) identifier, an international mobile subscriber identity (IMSI), a globally unique temporary user equipment identity (GUTI), and the like.
In yet another possible implementation, if the certificate to be verified meets the preset condition, the verification response may further include information about the network slice corresponding to the application; the preset condition includes: the certificate to be verified is a certificate issued by the certificate issuing device, the certificate to be verified is a certificate issued to the providing device of the application, and the network slice corresponding to the application lies within the network slices subscribed to by the terminal device.
In yet another possible implementation, the information about the network slice corresponding to the application includes at least one of the following: an identifier of the network slice, a service type corresponding to the network slice, a usage type corresponding to the network slice, validity period information of the network slice, and certificate verification frequency information corresponding to the network slice.
In yet another possible implementation, the service type may include any type of service, such as a video service, an Internet telephony service, or a V2X service.
The type of terminal device that uses the network slice may also be called the usage type corresponding to the network slice; the usage type may include the type of any terminal device that uses the network slice, such as an in-vehicle user equipment usage type or a smartphone usage type.
In yet another possible implementation, the network device receiving the verification request from the terminal device, as described above, may include:
during installation of the application, the network device receives the verification request from the terminal device; or
during startup of the application, the network device receives the verification request from the terminal device.
In yet another possible implementation, the information about the certificate to be verified may include at least one of the following: the public key of the certificate to be verified, the signature algorithm of the certificate to be verified, the hash algorithm of the certificate to be verified, the fingerprint algorithm of the certificate to be verified, the validity period of the certificate to be verified, the issuer identifier of the certificate to be verified, and the identifier of the object to which the certificate to be verified is issued.
In a second aspect, an embodiment of the present application further provides an application processing method, including:
a terminal device sends a verification request to a network device, where the verification request includes information about a certificate to be verified; the certificate to be verified is a certificate from the providing device of an application; and the information about the certificate to be verified is used to verify the certificate to be verified;
the terminal device receives a verification response from the network device, where the verification response includes a verification result of the certificate to be verified.
In one possible implementation, the verification request may further include an application identifier, which is used to determine whether the certificate to be verified is a certificate issued by the certificate issuing device to the application providing device.
In another possible implementation, the application identifier is further used to determine information about the network slice corresponding to the application;
the verification request further includes an identifier of the terminal device, which is used to determine the network slices subscribed to by the terminal device.
In yet another possible implementation, if the certificate to be verified meets a preset condition, the verification response may further include information about the network slice corresponding to the application; the preset condition includes: the certificate to be verified is a certificate issued by the certificate issuing device, the certificate to be verified is a certificate issued to the providing device of the application, and the network slice corresponding to the application lies within the network slices subscribed to by the terminal device;
the method may further include:
the terminal device stores the information about the network slice corresponding to the application.
Optionally, whether the terminal device obtained the information about the network slice corresponding to the application during installation of the application or during its startup, the terminal device may store that information in the storage area of the terminal device's SIM card, so as to prevent the information about the network slice corresponding to the application from being maliciously modified or copied, thereby ensuring network security.
Optionally, to protect the information about the network slice corresponding to the application, the terminal device may, in addition to storing that information, also store the public key information corresponding to the application and the like, so as to ensure the security of the network slice information stored on the terminal device side and effectively prevent it from being maliciously modified or copied, thereby ensuring network security.
In yet another possible implementation, the information about the network slice corresponding to the application may include at least one of the following: an identifier of the network slice, a service type corresponding to the network slice, the type of terminal device using the network slice, validity period information of the network slice, and certificate verification frequency information corresponding to the network slice.
In yet another possible implementation, the terminal device sending the verification request to the network device, as described above, may include:
the terminal device sends the verification request to the network device during installation of the application; or
the terminal device sends the verification request to the network device during startup of the application.
In yet another possible implementation, if the terminal device sends the verification request to the network device during installation of the application, the method may further include, after the terminal device receives the information about the network slice corresponding to the application:
the terminal device continues to install the application.
In this application processing method, the terminal device sends the verification request to the network device during installation of the application, continues installing the application if the certificate to be verified meets the preset condition, and stops the installation if the certificate to be verified fails any of the preset conditions. This effectively prevents the installation of illegitimate applications, thereby effectively avoiding the risk of a network slice being accessed or attacked by a malicious application and improving network security.
In yet another possible implementation, if the terminal device sends the verification request to the network device during startup of the application, the method may further include, after the terminal device receives the information about the network slice corresponding to the application:
the terminal device accesses the network according to the network slice.
The terminal device accesses the network according to the information about the network slice corresponding to the application, to fulfil the application's corresponding service requirements.
在又一种可实现方式中,该待校验证书的信息可包括如下至少一种信息:该待校验证书的公钥、该待校验证书的签名算法、该待校验证书的哈希算法、该待校验证书的指纹算法、该待校验证书的有效期、该待校验证书的颁发者标识和被颁发该待校验证书的对象的标识。In another implementation manner, the information about the certificate to be verified may include at least one of the following: a public key of the certificate to be verified, a signature algorithm of the certificate to be verified, and a hash of the certificate to be verified The algorithm, the fingerprint algorithm of the certificate to be verified, the validity period of the certificate to be verified, the issuer identifier of the certificate to be verified, and the identifier of the object to which the certificate to be verified is issued.
In a third aspect, an embodiment of the present application further provides an application processing method, including:
a terminal device searches, according to information of a certificate to be verified, a preset root certificate area for information of the root certificate corresponding to the certificate to be verified, where the certificate to be verified is a certificate from the providing device of an application; and
the terminal device determines, according to the root certificate and the information of the certificate to be verified, whether the certificate to be verified is a certificate issued by a certificate issuing device, so as to obtain a verification result of the certificate to be verified.
In this method, the terminal device may determine the root certificate identifier corresponding to the certificate to be verified of the application, search the preset root certificate area for the root certificate corresponding to that root certificate identifier, and then verify the legitimacy of the certificate to be verified according to the root certificate. Because in this method the terminal device can verify the certificate to be verified of the application, an illegal application running on a legitimate terminal device can be effectively prevented from using a network slice through that legitimate terminal device and thereby accessing the network, which effectively ensures the security of network usage.
In an implementation, before the terminal device searches the preset root certificate area for the root certificate corresponding to the certificate to be verified according to the information of the certificate to be verified, the method may further include:
the terminal device receives an installation package of the application from the providing device of the application, where the installation package may include: an installation file of the application, the information of the certificate to be verified, and the information of the network slice corresponding to the application.
In yet another implementation, if the certificate to be verified is a certificate issued by the certificate issuing device, the method may further include:
the terminal device stores the information of the network slice corresponding to the application.
In a fourth aspect, an embodiment of the present application further provides a network device, including:
a receiving module, configured to receive a verification request from a terminal device, where the verification request includes information of a certificate to be verified, and the certificate to be verified is a certificate from the providing device of an application;
a processing module, configured to determine a root certificate according to the information of the certificate to be verified, and to judge whether the information of the certificate to be verified satisfies preset conditions, so as to obtain a verification result of the certificate to be verified; and
a sending module, configured to send a verification response to the terminal device, where the verification response includes the verification result of the certificate to be verified;
where the processing module is specifically configured to determine, according to the root certificate and the information of the certificate to be verified, whether the certificate to be verified is a certificate issued by a certificate issuing device.
In an implementation, the verification request further includes an application identifier; and
the processing module is further configured to determine, according to the application identifier and the information of the certificate to be verified, whether the certificate to be verified is a certificate issued to the providing device of the application.
In another implementation, the verification request may further include an identifier of the terminal device; and
the processing module is further configured to determine, according to the application identifier, the information of the network slice corresponding to the application; determine, according to the identifier of the terminal device, information of the network slices subscribed to by the terminal device; and determine, according to the information of the network slices subscribed to by the terminal device and the information of the network slice corresponding to the application, whether the network slice corresponding to the application lies within the network slices subscribed to by the terminal device.
In yet another implementation, if the certificate to be verified satisfies the preset conditions, the verification response further includes the information of the network slice corresponding to the application, where the preset conditions may include: the certificate to be verified is a certificate issued by the certificate issuing device; the certificate to be verified is a certificate issued to the providing device of the application; and the network slice corresponding to the application lies within the network slices subscribed to by the terminal device.
In yet another implementation, the information of the network slice corresponding to the application may include at least one of the following: an identifier of the network slice, a service type corresponding to the network slice, a usage type corresponding to the network slice, validity period information of the network slice, and certificate verification frequency information corresponding to the network slice.
In yet another implementation, the receiving module is specifically configured to receive the verification request from the terminal device during the installation process of the application or during the startup process of the application.
In yet another implementation, the information of the certificate to be verified may include at least one of the following: a public key of the certificate to be verified, a signature algorithm of the certificate to be verified, a hash algorithm of the certificate to be verified, a fingerprint algorithm of the certificate to be verified, a validity period of the certificate to be verified, an issuer identifier of the certificate to be verified, and an identifier of the subject to which the certificate to be verified is issued.
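As an added illustration of the verification exchange these aspects describe (constructed example code, not the patent's own): a network device checks the three preset conditions of the fourth aspect against constructed root-certificate, registry and subscription data and releases the slice information only on a pass; the terminal side stores that information on a pass and, as in the third aspect, can run the same root-certificate lookup locally. All identifiers and data are constructed, and the HMAC stands in for the CA's asymmetric signature so the example runs on the standard library alone.

```python
import hmac
import json
import time

# Constructed root certificate area: issuer identifier -> root certificate
# information. The verification key stands in for the root public key and the
# certificate "signature" is an HMAC (standard library only); a real deployment
# verifies the asymmetric signature named by the certificate's signature
# algorithm against the root public key instead.
ROOT_CERTIFICATE_AREA = {
    "root-ca-1": {"verification_key": b"constructed-root-ca-1-key",
                  "hash_algorithm": "sha256"},
}

# Constructed registry held by the network device: application identifier ->
# the providing device the CA certified, plus the slice information it may use.
APPLICATION_REGISTRY = {
    "com.example.app": {
        "provider_id": "provider-42",
        "network_slice": {"slice_id": "slice-embb-1", "service_type": "eMBB",
                          "terminal_type": "smartphone",
                          "valid_until": 1_900_000_000,
                          "cert_check_frequency": "on_start"},
    },
}

# Constructed subscription data: terminal identifier -> subscribed slice ids.
SUBSCRIPTIONS = {"terminal-7": {"slice-embb-1", "slice-urllc-3"}}

# Certificate information carried in the verification request.
TBS_FIELDS = ("public_key", "signature_algorithm", "hash_algorithm",
              "fingerprint_algorithm", "not_before", "not_after",
              "issuer_id", "subject_id")


def tbs_bytes(cert_info):
    """Canonical encoding of the signed certificate fields."""
    return json.dumps({k: cert_info[k] for k in TBS_FIELDS}, sort_keys=True).encode()


def issue_certificate(issuer_id, subject_id, public_key, signing_key, now):
    """CA side (constructed): issue a one-year certificate to a providing device."""
    cert = {"public_key": public_key, "signature_algorithm": "hmac-sha256",
            "hash_algorithm": "sha256", "fingerprint_algorithm": "sha256",
            "not_before": now, "not_after": now + 365 * 86400,
            "issuer_id": issuer_id, "subject_id": subject_id}
    cert["signature"] = hmac.new(signing_key, tbs_bytes(cert), "sha256").hexdigest()
    return cert


def find_root_certificate(cert_info, root_area=ROOT_CERTIFICATE_AREA):
    """Look the root certificate up by issuer identifier in the preset root area."""
    return root_area.get(cert_info["issuer_id"])


def is_issued_by_ca(cert_info, root, now):
    """Condition 1: signed by the root CA and inside its validity period."""
    if root is None or not cert_info["not_before"] <= now <= cert_info["not_after"]:
        return False
    expected = hmac.new(root["verification_key"], tbs_bytes(cert_info),
                        root["hash_algorithm"]).hexdigest()
    return hmac.compare_digest(expected, cert_info["signature"])


def is_issued_to_app_provider(cert_info, app_id, registry=APPLICATION_REGISTRY):
    """Condition 2: the certificate subject is the providing device of this app."""
    entry = registry.get(app_id)
    return entry is not None and entry["provider_id"] == cert_info["subject_id"]


def slice_within_subscription(app_id, terminal_id, registry=APPLICATION_REGISTRY,
                              subscriptions=SUBSCRIPTIONS):
    """Condition 3: the app's slice lies within the terminal's subscribed slices."""
    entry = registry.get(app_id)
    return (entry is not None and
            entry["network_slice"]["slice_id"] in subscriptions.get(terminal_id, set()))


def handle_verification_request(request, now=None):
    """Network device: check every preset condition, then build the response.

    Slice information is released only when all conditions hold; a failing
    response names the failed conditions and carries no slice information.
    """
    now = time.time() if now is None else now
    cert_info, app_id = request["certificate"], request["app_id"]
    root = find_root_certificate(cert_info)
    checks = (("issued_by_ca", is_issued_by_ca(cert_info, root, now)),
              ("issued_to_app_provider", is_issued_to_app_provider(cert_info, app_id)),
              ("slice_within_subscription",
               slice_within_subscription(app_id, request["terminal_id"])))
    failed = [name for name, ok in checks if not ok]
    if failed:
        return {"result": "fail", "failed_conditions": failed}
    return {"result": "pass",
            "network_slice": dict(APPLICATION_REGISTRY[app_id]["network_slice"])}


def terminal_verify_locally(cert_info, now, root_area=ROOT_CERTIFICATE_AREA):
    """Terminal side (third aspect): the same root lookup and issuer check, run locally."""
    return is_issued_by_ca(cert_info, find_root_certificate(cert_info, root_area), now)


def terminal_process_response(response, slice_store):
    """Terminal: continue (install or access) only on a pass, and store the slice."""
    if response.get("result") != "pass":
        return False
    slice_store[response["network_slice"]["slice_id"]] = response["network_slice"]
    return True
```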
In a fifth aspect, an embodiment of the present application further provides a terminal device, including:
a sending module, configured to send a verification request to a network device, where the verification request includes information of a certificate to be verified, the certificate to be verified is a certificate from the providing device of an application, and the information of the certificate to be verified is used for verification of the certificate to be verified; and
a receiving module, configured to receive a verification response from the network device, where the verification response includes a verification result of the certificate to be verified.
In an implementation, the verification request may further include an application identifier, where the application identifier is used to determine whether the certificate to be verified is a certificate issued by a certificate issuing device to the providing device of the application.
In another implementation, the application identifier is further used for determining the information of the network slice corresponding to the application; and
the verification request may further include an identifier of the terminal device, where the identifier of the terminal device is used for determining the network slices subscribed to by the terminal device.
In yet another implementation, if the certificate to be verified satisfies preset conditions, the verification response further includes the information of the network slice corresponding to the application, where the preset conditions include: the certificate to be verified is a certificate issued by the certificate issuing device; the certificate to be verified is a certificate issued to the providing device of the application; and the network slice corresponding to the application lies within the network slices subscribed to by the terminal device; and
the terminal device further includes:
a storage module, configured to store the information of the network slice corresponding to the application.
In yet another implementation, the information of the network slice corresponding to the application includes at least one of the following: an identifier of the network slice, a service type corresponding to the network slice, a type of terminal device that uses the network slice, validity period information of the network slice, and certificate verification frequency information corresponding to the network slice.
In yet another implementation, the sending module is specifically configured to send the verification request to the network device during the installation process of the application or during the startup process of the application.
In yet another implementation, the information of the certificate to be verified may include at least one of the following: a public key of the certificate to be verified, a signature algorithm of the certificate to be verified, a hash algorithm of the certificate to be verified, a fingerprint algorithm of the certificate to be verified, a validity period of the certificate to be verified, an issuer identifier of the certificate to be verified, and an identifier of the subject to which the certificate to be verified is issued.
In a sixth aspect, an embodiment of the present application further provides a terminal device, including:
a processing module, configured to search, according to information of a certificate to be verified, a preset root certificate area for information of the root certificate corresponding to the certificate to be verified, where the certificate to be verified is a certificate from the providing device of an application; and to determine, according to the root certificate and the information of the certificate to be verified, whether the certificate to be verified is a certificate issued by a certificate issuing device, so as to obtain a verification result of the certificate to be verified.
In an implementation, the terminal device further includes:
a receiving module, configured to receive an installation package of the application from the providing device of the application, where the installation package includes: an installation file of the application, the information of the certificate to be verified, and the information of the network slice corresponding to the application.
In another implementation, if the certificate to be verified is a certificate issued by the certificate issuing device, the terminal device further includes:
a storage module, configured to store the information of the network slice corresponding to the application.
In a seventh aspect, an embodiment of the present application further provides a network device, including a receiver, a processor and a transmitter, where the receiver is connected to the processor and the processor is connected to the transmitter;
the receiver is configured to receive a verification request from a terminal device, where the verification request includes information of a certificate to be verified, and the certificate to be verified is a certificate from the providing device of an application;
the processor is configured to determine a root certificate according to the information of the certificate to be verified, and to judge whether the information of the certificate to be verified satisfies preset conditions, so as to obtain a verification result of the certificate to be verified; and
the transmitter is configured to send a verification response to the terminal device, where the verification response includes the verification result of the certificate to be verified;
where the processor is specifically configured to determine, according to the root certificate and the information of the certificate to be verified, whether the certificate to be verified is a certificate issued by a certificate issuing device.
In an implementation, the verification request further includes an application identifier; and
the processor is further configured to determine, according to the application identifier and the information of the certificate to be verified, whether the certificate to be verified is a certificate issued to the providing device of the application.
In another implementation, the verification request may further include an identifier of the terminal device; and
the processor is further configured to determine, according to the application identifier, the information of the network slice corresponding to the application; determine, according to the identifier of the terminal device, information of the network slices subscribed to by the terminal device; and determine, according to the information of the network slices subscribed to by the terminal device and the information of the network slice corresponding to the application, whether the network slice corresponding to the application lies within the network slices subscribed to by the terminal device.
In yet another implementation, if the certificate to be verified satisfies the preset conditions, the verification response further includes the information of the network slice corresponding to the application, where the preset conditions include: the certificate to be verified is a certificate issued by the certificate issuing device; the certificate to be verified is a certificate issued to the providing device of the application; and the network slice corresponding to the application lies within the network slices subscribed to by the terminal device.
In yet another implementation, the information of the network slice corresponding to the application includes at least one of the following: an identifier of the network slice, a service type corresponding to the network slice, a usage type corresponding to the network slice, validity period information of the network slice, and certificate verification frequency information corresponding to the network slice.
In yet another implementation, the receiver is specifically configured to receive the verification request from the terminal device during the installation process of the application or during the startup process of the application.
In yet another implementation, the information of the certificate to be verified includes at least one of the following: a public key of the certificate to be verified, a signature algorithm of the certificate to be verified, a hash algorithm of the certificate to be verified, a fingerprint algorithm of the certificate to be verified, a validity period of the certificate to be verified, an issuer identifier of the certificate to be verified, and an identifier of the subject to which the certificate to be verified is issued.
In an eighth aspect, an embodiment of the present application further provides a terminal device, including a transmitter and a receiver;
the transmitter is configured to send a verification request to a network device, where the verification request includes information of a certificate to be verified, the certificate to be verified is a certificate from the providing device of an application, and the information of the certificate to be verified is used for verification of the certificate to be verified; and
the receiver is configured to receive a verification response from the network device, where the verification response includes a verification result of the certificate to be verified.
In an implementation, the verification request further includes an application identifier, where the application identifier is used to determine whether the certificate to be verified is a certificate issued by a certificate issuing device to the providing device of the application.
In another implementation, the application identifier is further used for determining the information of the network slice corresponding to the application; and
the verification request further includes an identifier of the terminal device, where the identifier of the terminal device is used for determining the network slices subscribed to by the terminal device.
In yet another implementation, if the certificate to be verified satisfies preset conditions, the verification response further includes the information of the network slice corresponding to the application, where the preset conditions include: the certificate to be verified is a certificate issued by the certificate issuing device; the certificate to be verified is a certificate issued to the providing device of the application; and the network slice corresponding to the application lies within the network slices subscribed to by the terminal device; and
the terminal device further includes a processor and a memory, where the processor is connected to the memory and the processor is further connected to the receiver; and
the processor is configured to store the information of the network slice corresponding to the application in the memory.
In yet another implementation, the information of the network slice corresponding to the application includes at least one of the following: an identifier of the network slice, a service type corresponding to the network slice, a type of terminal device that uses the network slice, validity period information of the network slice, and certificate verification frequency information corresponding to the network slice.
In yet another implementation, the transmitter is specifically configured to send the verification request to the network device during the installation process of the application or during the startup process of the application.
In yet another implementation, the information of the certificate to be verified includes at least one of the following: a public key of the certificate to be verified, a signature algorithm of the certificate to be verified, a hash algorithm of the certificate to be verified, a fingerprint algorithm of the certificate to be verified, a validity period of the certificate to be verified, an issuer identifier of the certificate to be verified, and an identifier of the subject to which the certificate to be verified is issued.
In a ninth aspect, an embodiment of the present application further provides a terminal device, including a processor;
the processor is configured to search, according to information of a certificate to be verified, a preset root certificate area for information of the root certificate corresponding to the certificate to be verified, where the certificate to be verified is a certificate from the providing device of an application; and to determine, according to the root certificate and the information of the certificate to be verified, whether the certificate to be verified is a certificate issued by a certificate issuing device, so as to obtain a verification result of the certificate to be verified.
In an implementation, the terminal device further includes a receiver, where the receiver is connected to the processor; and
the receiver is configured to receive an installation package of the application from the providing device of the application, where the installation package includes: an installation file of the application, the information of the certificate to be verified, and the information of the network slice corresponding to the application.
In another implementation, the terminal device further includes a memory, where the processor is connected to the memory; and
the processor is configured to store the information of the network slice corresponding to the application in the memory if the certificate to be verified is a certificate issued by the certificate issuing device.
In a tenth aspect, an embodiment of the present application further provides a computer program product, where the computer program product includes program code for performing any of the application processing methods provided in the first aspect of the embodiments of the present application.
In an eleventh aspect, an embodiment of the present application further provides a computer program product, where the computer program product includes program code for performing any of the application processing methods provided in the second aspect of the embodiments of the present application.
In a twelfth aspect, an embodiment of the present application further provides a computer program product, where the computer program product includes program code for performing any of the application processing methods provided in the third aspect of the embodiments of the present application.
In a thirteenth aspect, an embodiment of the present application further provides a storage medium, where the storage medium is configured to store a computer program product, the computer program product includes program code, and the program code may include program code for performing any of the application processing methods provided in the first aspect of the embodiments of the present application.
In a fourteenth aspect, an embodiment of the present application further provides a storage medium, where the storage medium is configured to store a computer program product, the computer program product includes program code, and the program code may include program code for performing any of the application processing methods provided in the second aspect of the embodiments of the present application.
In a fifteenth aspect, an embodiment of the present application further provides a storage medium, where the storage medium is configured to store a computer program product, the computer program product includes program code, and the program code may include program code for performing any of the application processing methods provided in the third aspect of the embodiments of the present application.
With the application processing method, network device and terminal device of the embodiments of the present application, a terminal device may send a verification request to a network device, where the verification request includes information of a certificate to be verified; the network device determines a root certificate according to the information of the certificate to be verified, determines according to the root certificate and the information of the certificate to be verified whether the certificate to be verified is a certificate issued by a certificate issuing device so as to obtain a verification result of the certificate to be verified, and then returns a verification response to the terminal device, where the verification response includes the verification result of the certificate to be verified. Because in this method the network device can verify the certificate to be verified, an illegal application running on the terminal device can be effectively prevented from using a network slice through that terminal device and thereby accessing the network, which effectively ensures the security of network usage.
FIG. 1 is an architecture diagram of a network system to which the embodiments of the present application apply;
FIG. 2 is a first flowchart of an application processing method according to an embodiment of the present application;
FIG. 3 is a second flowchart of an application processing method according to an embodiment of the present application;
FIG. 4 is a third flowchart of an application processing method according to an embodiment of the present application;
FIG. 5 is a fourth flowchart of an application processing method according to an embodiment of the present application;
FIG. 6 is a fifth flowchart of an application processing method according to an embodiment of the present application;
FIG. 7 is a first schematic structural diagram of a network device according to an embodiment of the present application;
FIG. 8 is a first schematic structural diagram of a terminal device according to an embodiment of the present application;
FIG. 9 is a second schematic structural diagram of a terminal device according to an embodiment of the present application;
FIG. 10 is a second schematic structural diagram of a network device according to an embodiment of the present application;
FIG. 11 is a first schematic structural diagram of a computer program product according to an embodiment of the present application;
FIG. 12 is a first schematic structural diagram of a storage medium according to an embodiment of the present application;
FIG. 13 is a third schematic structural diagram of a terminal device according to an embodiment of the present application;
FIG. 14 is a second schematic structural diagram of a computer program product according to an embodiment of the present application;
FIG. 15 is a second schematic structural diagram of a storage medium according to an embodiment of the present application;
FIG. 16 is a fourth schematic structural diagram of a terminal device according to an embodiment of the present application;
FIG. 17 is a third schematic structural diagram of a computer program product according to an embodiment of the present application;
FIG. 18 is a third schematic structural diagram of a storage medium according to an embodiment of the present application.
The application processing method, apparatus and device provided by the following embodiments of the present application can be applied to a network system configured with network slices, for example a 5G communication system configured with multiple network slices. FIG. 1 is an architecture diagram of a network system to which the embodiments of the present application apply. As shown in FIG. 1, a terminal device in this network system accesses the corresponding service end, such as a server, through the Radio Access Network (RAN) and then the Core Network (CN), so as to obtain the corresponding service. The scenarios applicable to the terminal device in this network system may include at least one of enhanced Mobile Broadband (eMBB), massive Internet of Things (massive MTC, mMTC) and Ultra-Reliable and Low Latency Communication (URLLC).
For example, to implement the IP Multimedia Subsystem (IMS) service and the Internet service in the eMBB scenario, the terminal device may have a network slice adaptor (APP-slice adaptor) corresponding to eMBB applications, where the eMBB applications may include an eMBB E1 application and an eMBB E2 application. The network slice adaptor corresponding to the eMBB applications may include the correspondence between the eMBB E1 application and network slice information, and the correspondence between the eMBB E2 application and network slice information. A terminal device in the eMBB scenario may, via the enhanced Mobile Broadband Common Control Plane Network Functions (eMBB Common CP NFs), access the Control Plane Network Functions for eMBB Slice E1 and, through the User Plane Network Functions for eMBB Slice E1, reach the service end device corresponding to IMS, thereby obtaining the IMS service. A terminal device in the eMBB scenario may also, via the eMBB Common CP NFs, access the Control Plane Network Functions for eMBB Slice E2 and, through the User Plane Network Functions for eMBB Slice E2, reach the service end device corresponding to the Internet, thereby obtaining the Internet service.
To implement the Grid service and the Industry Sensors service in the mMTC scenario, the terminal device may have a network slice adaptor corresponding to mMTC applications, where the mMTC applications may include an mMTC M1 application and an mMTC M2 application. The network slice adaptor corresponding to the mMTC applications may include the correspondence between the mMTC M1 application and network slice information, and the correspondence between the mMTC M2 application and network slice information. A terminal device in the mMTC scenario may access the Control Plane Network Functions for mMTC Slice M1 and, through the User Plane Network Functions for mMTC Slice M1, reach the service end device corresponding to the grid, thereby obtaining the grid service. A terminal device in the mMTC scenario may also access the Control Plane Network Functions for mMTC Slice M2 and, through the User Plane Network Functions for mMTC Slice M2, reach the service end device corresponding to the industry sensors, thereby obtaining the industry sensor service.
To implement the Vehicle to X (V2X) information exchange service and the Tactile Internet service in the URLLC scenario, the terminal device may have a network slice adaptor corresponding to URLLC applications, where the URLLC applications include a URLLC U1 application and a URLLC U2 application. The network slice adaptor corresponding to the URLLC applications may include the correspondence between the URLLC U1 application and network slice information, and the correspondence between the URLLC U2 application and network slice information. A terminal device in the URLLC scenario may access the Control Plane Network Functions for URLLC Slice U1 and, through the User Plane Network Functions for URLLC Slice U1, reach the service end device corresponding to V2X, thereby obtaining the corresponding grid service. A terminal device in the URLLC scenario may also access the Control Plane Network Functions for URLLC Slice U2 and, through the User Plane Network Functions for URLLC Slice U2, reach the service end device corresponding to the Tactile Internet, thereby obtaining the Tactile Internet service.
It should be noted that the terminal device referred to in the following embodiments of the present application may be a device that provides data connectivity to a user, a handheld device with wireless connection capability, or another wireless device connected to a wireless modem. A wireless terminal may communicate with one or more core networks via the RAN; it may be a mobile terminal, such as a mobile telephone (also called a "cellular" telephone) or a computer with a mobile terminal, for example a portable, pocket-sized, handheld, computer-built-in or vehicle-mounted mobile apparatus that exchanges voice and/or data with the radio access network, such as a Personal Communication Service (PCS) telephone, a cordless telephone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station or a Personal Digital Assistant (PDA). A wireless terminal may also be called a system, Subscriber Unit, Subscriber Station, Mobile Station, Mobile, Remote Station, Access Point, Remote Terminal, Access Terminal, User Terminal, User Agent, User Device, User Equipment, smartphone, Automotive Device or Internet of Things Device.
The operator device referred to in the following embodiments of the present application may be a network element device in an operator network, for example a Mobility Management Entity (MME) or another network element entity with mobility or slice management functions, such as a Common Control Plane (Common CP) network element or a Slice Select Function (SSF) entity.
The following gives illustrations through several specific embodiments.
FIG. 2 is a first flowchart of an application processing method according to an embodiment of the present application. As shown in FIG. 2, the application processing method may include:
S201. The terminal device sends a verification request to the network device; the verification request includes information of a certificate to be verified, the certificate to be verified being a certificate from the providing device of an application.
For example, the terminal device may send the verification request to the network device when it determines that the application needs to use a network slice to access the corresponding network. For instance, the terminal device may present a permission request prompt to the user; if it receives a confirmation instruction entered by the user, such as tapping the "agree" control, it can determine that the application needs to use a network slice to access the corresponding network.
The application may be an application that the terminal device downloaded from an application store or another channel and is installing or has already installed. The providing device of the application may be the server that provides the application, such as an application vendor's server or an application store's server.
For example, the network device may be an operator device, such as the operator device to which the terminal device is attached. That is, the terminal device may send the verification request to the operator device it is attached to. The verification request may be, for example, an APP Certificate Validate Request. Alternatively, the terminal device may send Non-Access Stratum (NAS) signaling to the operator device, with the verification request carried in that NAS signaling.
Alternatively, the network device may be a server, such as a certificate verification server; that is, the terminal device may send the verification request to a server. For example, the terminal device may send the verification request to the server in a user-plane message. The terminal device may identify the server from information stored in advance on the terminal device, such as the server's Internet Protocol (IP) address or network domain name, and then send the verification request to that server.
Correspondingly, the network device receives the verification request from the terminal device.
S202. The network device determines a root certificate according to the information of the certificate to be verified.
For example, the information of the certificate to be verified may include a root certificate identifier, and the network device may determine the root certificate from that root certificate identifier.
Optionally, the information of the certificate to be verified may further include at least one of: the public key of the certificate to be verified, its signature algorithm, its hash algorithm, its fingerprint algorithm, its validity period, its issuer identifier, and the identifier of the object to which it was issued. The issuer identifier may be an identifier of the certificate issuing device, such as at least one of an operator identifier and a Certificate Authority (CA) identifier; the CA identifier may identify the authority that issued the certificate to be verified, such as an operator device, a certificate server or another certificate issuing authority. The identifier of the object to which the certificate was issued may be at least one of an identifier of the application provider and an identifier of the application's providing device.
S203. The network device determines whether the information of the certificate to be verified satisfies a preset condition, so as to obtain a verification result for the certificate to be verified.
Determining in S203 whether the information of the certificate to be verified satisfies the preset condition may include:
the network device determining, according to the root certificate and the information of the certificate to be verified, whether the certificate to be verified is a certificate issued by the certificate issuing device.
For example, the network device may determine whether the information of the root certificate and the information of the certificate to be verified include the same information. If they include the same information, the network device may determine that the certificate to be verified is a certificate issued by the certificate issuing device, and hence that the first check of the certificate to be verified passes. Conversely, if they do not include the same information, the network device may determine that the certificate to be verified is not a certificate issued by the certificate issuing device, and hence that the first check of the certificate to be verified fails.
It should be noted that the network device and the certificate issuing device may be the same device or different devices. The certificate issuing device may be an operator device or another certificate issuing device.
S204. The network device sends a verification response to the terminal device; the verification response includes the verification result of the certificate to be verified.
Correspondingly, the terminal device receives the verification response from the network device.
The verification response may be an APP Certificate Validate Response. If the first check of the certificate to be verified passes, the verification result carried in the verification response may include a first verification success indication, which may also be called a Validate Pass indication. If the first check of the certificate to be verified fails, the verification result may include a first verification failure indication, which may also be called a Validate Fail indication.
In the application control method provided by this embodiment of the present application, the terminal device may send a verification request to the network device, the verification request including information of a certificate to be verified; the network device determines a root certificate according to the information of the certificate to be verified, determines according to the root certificate and the information of the certificate to be verified whether the certificate to be verified is a certificate issued by the certificate issuing device, obtains a verification result for the certificate to be verified, and then returns a verification response to the terminal device, the verification response including the verification result. Because the network device verifies the application's certificate in this method, an illegitimate application running on the terminal device can be effectively prevented from using a network slice through the terminal device to access the network, which effectively ensures secure use of the network.
Optionally, the verification request further includes an application identifier.
Optionally, the application identifier may include an identifier of the application and/or an identifier of the application's providing device. The identifier of the application may include at least one of the application's name and the application's version number. The identifier of the application's providing device may include information such as the name of the provider to which the providing device belongs.
Optionally, determining in S203 whether the information of the certificate to be verified satisfies the preset condition may further include:
the network device determining, according to the application identifier and the information of the certificate to be verified, whether the certificate to be verified is the certificate issued to the providing device of the application.
For example, the network device may determine from the application identifier the certificate that was issued to the application's providing device, and then compare whether the information of that issued certificate includes the information of the certificate to be verified. If it does, the network device determines that the certificate to be verified is the certificate issued to the application's providing device, and the second check of the certificate to be verified passes. Conversely, if it does not, the network device determines that the certificate to be verified is not the certificate issued to the application's providing device, and the second check of the certificate to be verified fails.
If the second check of the certificate to be verified passes, the verification result carried in the verification response may include a second verification success indication; if the second check fails, the verification result may include a second verification failure indication.
It should be noted that the first check and the second check of the certificate to be verified may be performed simultaneously or one after the other. In one example, the network device performs the second check only when the first check succeeds, where success of the first check means that the certificate to be verified is a certificate issued by the certificate issuing device, and the second check consists of determining whether the certificate to be verified is the certificate issued to the application's providing device.
Optionally, the verification request may further include an identifier of the terminal device.
Optionally, the identifier of the terminal device may include at least one of: the terminal device's IP address, its Medium Access Control (MAC) address, its Subscriber Identity Module (SIM) identifier, its International Mobile Subscriber Identification Number (IMSI) and its Globally Unique Temporary UE Identity (GUTI).
Optionally, determining in S203 whether the information of the certificate to be verified satisfies the preset condition may further include:
the network device determining, according to the application identifier, information of the network slice corresponding to the application;
the network device determining, according to the identifier of the terminal device, information of the network slices the terminal device has subscribed to; and
the network device determining, according to the information of the network slices the terminal device has subscribed to and the information of the network slice corresponding to the application, whether the network slice corresponding to the application lies within the network slices the terminal device has subscribed to.
Specifically, the network device may determine, from the application identifier and a preset correspondence between application identifiers and network slice information, that the network slice information corresponding to the application identifier is the information of the network slice corresponding to the application. The network device may determine, from the identifier of the terminal device and a preset correspondence between terminal device identifiers and subscribed network slice information, the information of the network slices the terminal device has subscribed to.
The network device may look up the information of the network slice corresponding to the application within the information of the network slices the terminal device has subscribed to. If it is found, that is, the subscribed network slice information includes the information of the network slice corresponding to the application, the network device can determine that the application's network slice lies within the terminal device's subscribed network slices, and hence that the third check of the certificate to be verified passes. Conversely, if it is not found, that is, the subscribed network slice information does not include the information of the network slice corresponding to the application, the network device can determine that the application's network slice does not lie within the terminal device's subscribed network slices, and hence that the third check of the certificate to be verified fails.
If the third check of the certificate to be verified passes, the verification result carried in the verification response may include a third verification success indication; if the third check fails, the verification result may include a third verification failure indication.
It should be noted that the first check, the second check and the third check of the certificate to be verified may be performed simultaneously or one after the other. In one example, the network device performs the second check only when the first check succeeds, and the third check only when the second check succeeds, where success of the first check means that the certificate to be verified is a certificate issued by the certificate issuing device, success of the second check means that the certificate to be verified is the certificate issued to the application's providing device, and the third check consists of determining whether the network slice corresponding to the application lies within the network slices the terminal device has subscribed to.
Optionally, if the certificate to be verified satisfies the preset condition, the verification response may further include information of the network slice corresponding to the application.
Here the preset condition includes: the certificate to be verified is a certificate issued by the certificate issuing device, the certificate to be verified is the certificate issued to the application's providing device, and the network slice corresponding to the application lies within the network slices the terminal device has subscribed to.
When the network device determines that the certificate to be verified satisfies the preset condition, that is, the first check, the second check and the third check of the certificate to be verified all pass, it may deliver the information of the network slice corresponding to the application to the terminal device in the verification response.
The information of the network slice corresponding to the application may include a mapping between the application and the network slice information.
On receiving the information of the network slice corresponding to the application, the terminal device may refresh the information in the network slice adaptor it stores for the application according to that information, that is, update the information in the application's network slice adaptor to the received network slice information for the application.
Optionally, the information of the network slice corresponding to the application includes at least one of: the identifier of the network slice, the service type corresponding to the network slice, the type of terminal device that uses the network slice, and validity period information of the network slice.
The service type may be any service type such as a video service, a Voice over Internet Protocol (VoIP) service or a V2X service.
The type of terminal device that uses the network slice may also be called the usage type of the network slice, and may be any type of terminal device that uses the network slice, such as the Car UE Usage Type or the Smartphone UE Usage Type.
Network slices of different security levels have different validity periods: the higher the security level of a network slice, the shorter its validity period, and the lower the security level, the longer its validity period. The validity period information of the network slice may therefore be determined by the network device according to the security level of the network slice.
The terminal device may determine the validity period of the network slice from the received validity period information and, within that validity period, access the corresponding network according to the network slice information. When the validity period of the network slice expires, the terminal device may perform any of the application processing methods described above to carry out certificate verification for the application, and re-obtain the network slice information from the network device if the certificate verification passes.
可选的,该校验响应还包括:该应用的证书校验频率信息。Optionally, the verification response further includes: certificate verification frequency information of the application.
例如,不同安全等级的网络切片对应的证书校验频率不同。网络切片的安全等级越高,该网络切片对应的证书校验频率越高,该网络切片的安全等级越低,则该网络切片对应的证书校验频率越低。因而,该网络切片的证书校验频率指示可以由该网络设备根据该网络切片的安全等级确定。For example, network slices of different security levels have different certificate verification frequencies. The higher the security level of the network slice, the higher the certificate check frequency corresponding to the network slice, and the lower the security level of the network slice, the lower the certificate check frequency corresponding to the network slice. Thus, the certificate check frequency indication of the network slice can be determined by the network device based on the security level of the network slice.
该终端设备可以根据该应用的证书校验频率信息确定该应用的证书校验频率,并根据该应用的证书校验频率向该网络设备发送上述校验请求,以使得该网络设备对该待校验证书再次进行校验。The terminal device may determine a certificate verification frequency of the application according to the certificate verification frequency information of the application, and send the verification request to the network device according to the certificate verification frequency of the application, so that the network device is to be The verification is verified again.
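The network device's handling of a verification request described above (the three checks of the preset condition, the slice information returned in the response, and the validity period and verification frequency derived from the slice's security level), together with the terminal's adapter refresh and re-verification decision, as an added Go example that is not code from the patent. The certificate fields, slice identifiers, security-level scale and the concrete durations are constructed for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// CertInfo is the part of the certificate to be verified that the checks need.
type CertInfo struct {
	IssuerID, SubjectID string // issuer identifier, issued-object identifier
}

// VerifyRequest is the terminal's verification request: application identifier,
// terminal identifier and the certificate information.
type VerifyRequest struct {
	AppID, TerminalID string
	Cert              CertInfo
}

// NetworkSlice is the slice information returned in the verification response.
type NetworkSlice struct {
	ID, ServiceType, UsageType string
	SecurityLevel              int // constructed scale: 1 (lowest) to 3 (highest)
}

// VerifyResponse carries the result and, on success, the slice information,
// its validity period and the certificate verification interval.
type VerifyResponse struct {
	Passed        bool
	Reason        string
	Slice         *NetworkSlice
	ValidUntil    time.Time
	CheckInterval time.Duration
}

// NetworkDevice holds what the network side needs for the three checks.
type NetworkDevice struct {
	IssuerID      string                  // certificate issuing device it accepts
	AppProvider   map[string]string       // app ID -> provider the certificate must name
	AppSlice      map[string]NetworkSlice // app ID -> network slice mapping
	Subscriptions map[string][]string     // terminal ID -> subscribed slice IDs
}

// Higher security level: shorter validity, more frequent re-verification (constructed values).
func validityFor(level int) time.Duration { return time.Duration(24/level) * time.Hour }
func intervalFor(level int) time.Duration { return time.Duration(60/level) * time.Minute }

// Verify applies the preset condition's three checks and builds the response.
func (n *NetworkDevice) Verify(req VerifyRequest, now time.Time) VerifyResponse {
	if req.Cert.IssuerID != n.IssuerID { // first check
		return VerifyResponse{Reason: "certificate not issued by the certificate issuing device"}
	}
	if provider, ok := n.AppProvider[req.AppID]; !ok || provider != req.Cert.SubjectID { // second check
		return VerifyResponse{Reason: "certificate not issued to the application's provider"}
	}
	slice, ok := n.AppSlice[req.AppID]
	subscribed := false
	for _, id := range n.Subscriptions[req.TerminalID] { // third check
		subscribed = subscribed || id == slice.ID
	}
	if !ok || !subscribed {
		return VerifyResponse{Reason: "application's slice is missing or outside the terminal's subscribed slices"}
	}
	return VerifyResponse{Passed: true, Slice: &slice,
		ValidUntil: now.Add(validityFor(slice.SecurityLevel)), CheckInterval: intervalFor(slice.SecurityLevel)}
}

// SliceAdapter is the terminal's stored per-application network slice information.
type SliceAdapter struct {
	Slice      NetworkSlice
	ValidUntil time.Time
	NextCheck  time.Time
}

// Refresh overwrites the adapter with the slice information just received.
func (a *SliceAdapter) Refresh(resp VerifyResponse, now time.Time) {
	a.Slice, a.ValidUntil, a.NextCheck = *resp.Slice, resp.ValidUntil, now.Add(resp.CheckInterval)
}

// NeedsReverification: the check interval has elapsed or the validity period has expired.
func (a *SliceAdapter) NeedsReverification(now time.Time) bool {
	return !now.Before(a.NextCheck) || !now.Before(a.ValidUntil)
}

// demoNetwork is a constructed fixture: one issuing device, two applications, one terminal.
func demoNetwork() *NetworkDevice {
	return &NetworkDevice{
		IssuerID:    "operator-ca",
		AppProvider: map[string]string{"video-app": "video-provider", "v2x-app": "car-provider"},
		AppSlice: map[string]NetworkSlice{
			"video-app": {ID: "slice-video", ServiceType: "Video", UsageType: "Smartphone UE", SecurityLevel: 1},
			"v2x-app":   {ID: "slice-v2x", ServiceType: "V2X", UsageType: "Car UE", SecurityLevel: 3},
		},
		Subscriptions: map[string][]string{"ue-1": {"slice-video"}},
	}
}

func main() {
	req := VerifyRequest{AppID: "video-app", TerminalID: "ue-1", Cert: CertInfo{IssuerID: "operator-ca", SubjectID: "video-provider"}}
	fmt.Printf("%+v\n", demoNetwork().Verify(req, time.Now()))
}
```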
In one implementation, the embodiments of the present application further provide an application processing method. FIG. 3 is a second flowchart of an application processing method according to an embodiment of the present application. As shown in FIG. 3, step S201 described above may include:
S301. During the installation of the application, the terminal device sends the verification request to the network device.
For example, during the installation of the application, the terminal device may first suspend the installation and send the verification request to the network device.
Optionally, if the certificate to be verified satisfies the preset condition, the verification response further includes the information of the network slice corresponding to the application. After the terminal device receives the verification response, the method may include:
The terminal device stores the information of the network slice corresponding to the application and installs the application.
If the verification response the terminal device receives from the network device includes the information of the network slice corresponding to the application, the terminal device may store that information. If the installation of the application was suspended when the terminal device sent the verification request, the terminal device may then resume installing the application, so that once installation is complete it can access the network according to the information of the network slice corresponding to the application and fulfil the corresponding service requirements of the application.
Optionally, if the certificate to be verified does not satisfy the preset condition, that is, the certificate to be verified is not a certificate issued by the certificate issuing device, the certificate to be verified is not a certificate issued by the certificate issuing device to the providing device of the application, or the network slice corresponding to the application does not lie within the network slices subscribed to by the terminal device, the method may include: the terminal device stops installing the application.
In this application processing method, the terminal device sends the verification request to the network device during the installation of the application, continues installing the application when the certificate to be verified satisfies the preset condition, and stops the installation when the certificate to be verified fails any of the preset conditions. This effectively prevents the installation of illegitimate applications, thereby avoiding the risk of a network slice being accessed or attacked by a malicious application and improving network security.
Optionally, before the terminal device sends the verification request to the network device during the installation of the application in S301, the method may further include:
S301a. The providing device of the application sends the installation package of the application to the terminal device; the installation package includes a signature file, an installation file and the certificate to be verified.
Correspondingly, the terminal device receives the installation package of the application from the providing device of the application.
The signature file may be a file obtained by the providing device of the application performing a signature operation on the installation file of the application to obtain signature data, and then encrypting the signature data with a preset private key using a preset fingerprint algorithm. The certificate to be verified may be determined by the providing device of the application from the certificate it obtained from the certificate issuing device; for example, it may include all or part of the information in the certificate issued by the certificate issuing device.
S301b. The terminal device performs an integrity check on the installation file according to the certificate to be verified and the signature file.
For example, the terminal device may determine from the certificate to be verified the public key corresponding to the above private key, the signature algorithm and the fingerprint algorithm, perform a signature operation on the installation file according to the signature algorithm to obtain signature data A of the installation file, and then decrypt the signature file with the public key using the fingerprint algorithm to obtain signature data B. The terminal device checks the integrity of the installation file by comparing signature data A with signature data B. If signature data A and signature data B are the same, the terminal device may determine that the integrity check of the installation file passes; conversely, if they differ, the terminal device may determine that the integrity check of the installation file fails.
If the terminal device determines that the integrity check passes, it determines that the installation file has not been maliciously modified; if it determines that the integrity check fails, it determines that the installation file has been maliciously modified and is an incomplete file.
Correspondingly, in the method described above, the terminal device sending the verification request to the network device during the installation of the application in S301 may include:
During the installation of the application, if the integrity check of the installation file passes, the terminal device sends the verification request to the network device.
In this method, an integrity check is performed on the installation file, the application is installed only when the integrity check passes, and the verification request is sent to the network device during the installation. Besides effectively preventing the installation of illegitimate applications, avoiding the risk of a network slice being accessed or attacked by a malicious application and improving network security, this also prevents an application that has been maliciously modified from being installed with incomplete or unworkable functionality, and so ensures that the application's functions are implemented as intended.
Optionally, the embodiments of the present application further provide an application processing method. FIG. 4 is a third flowchart of an application processing method according to an embodiment of the present application. As shown in FIG. 4, the application processing method may include:
S401. The certificate issuing device sends a first certificate to the providing device of the application.
Correspondingly, the providing device of the application receives the first certificate from the certificate issuing device.
The first certificate may be a certificate issued by the certificate issuing device to the providing device of the application.
S402. The providing device of the application processes the installation file of the application according to the first certificate to obtain the signature file of the application.
The installation file of the application may be an installation file stored in advance on the providing device, and the installation file on the providing device may be one uploaded by the developer of the application.
For example, the application providing device may determine the signature algorithm, the private key and the fingerprint algorithm from the first certificate, process the installation file according to the signature algorithm to obtain the signature data of the installation file, and encrypt the installation file with the private key using the fingerprint algorithm to obtain the signature file of the application.
S403. The application providing device sends the signature file, the installation file and a second certificate to the terminal device; the second certificate includes all or part of the information of the first certificate, and the second certificate and the signature file are used by the terminal device to perform an integrity check on the installation file.
The second certificate may be the certificate to be verified in any of the application processing methods described above.
Optionally, the information of the first certificate described above may include at least one of the following: a key pair, a signature algorithm, a hash algorithm, a fingerprint algorithm, a validity period, an issuer identifier and an identifier of the issued object; the key pair includes a private key and a public key.
For example, since the first certificate is issued by the certificate issuing device to the providing device of the application, the issuer identifier in the first certificate may include the identifier of the certificate issuing device, and the identifier of the issued object may include the identifier of the providing device of the application.
In the method described above, the providing device of the application may process the installation file according to the signature algorithm in the first certificate to obtain the signature data of the installation file, and process the resulting data according to the hash algorithm to obtain the hash value of the signature data. The providing device of the application may then, for example, encrypt the hash value of the signature data with the private key of the key pair using the fingerprint algorithm in the first certificate to obtain the signature file.
When the providing device of the application determines that the validity period of the first certificate has expired, it may send a certificate update request to the certificate issuing device to obtain the latest certificate issued by that device, so that the certificate is updated in time. This effectively prevents the installation of illegitimate applications, avoids the risk of a network slice being accessed or attacked by a malicious application and improves network security.
Optionally, the information of the second certificate includes part of the information of the first certificate. For example, the information of the second certificate may include at least one of the following: the public key, the signature algorithm, the hash algorithm, the fingerprint algorithm, the validity period, the issuer identifier and the identifier of the issued object from the information of the first certificate.
For example, if the second certificate (such as the certificate to be verified above) includes the public key, the signature algorithm, the hash algorithm and the fingerprint algorithm, the terminal device may perform a signature operation on the installation file according to the signature algorithm, hash the result according to the hash algorithm to obtain signature data A of the installation file, and then decrypt the signature file with the public key using the fingerprint algorithm to obtain signature data B. The terminal device may check the integrity of the installation file by comparing signature data A with signature data B: if they are the same, the terminal device may determine that the integrity check of the installation file passes; conversely, if they differ, the terminal device may determine that the integrity check fails.
It should be noted that the information listed above for the first certificate and the second certificate is only an example; the first certificate and the second certificate may further include other content defined by the certificate specification, which is not described again here.
In another implementation, the terminal device sending the verification request to the network device in S201 described above may include:
During the startup of the application, the terminal device sends the verification request to the network device.
For example, the terminal device may send the verification request to the network device during every startup of the application, or only during the first startup of the application.
Optionally, if the certificate to be verified satisfies the preset condition, the verification response further includes the information of the network slice corresponding to the application. After the terminal device receives the verification response, the method may further include:
The terminal device stores the information of the network slice corresponding to the application and accesses the network according to the network slice.
Once the terminal device has stored the information of the network slice corresponding to the application, it can access the network according to that information and fulfil the corresponding service requirements of the application.
Optionally, whether the terminal device obtained the information of the network slice corresponding to the application during the installation or during the startup of the application, it may store that information in the storage area of the terminal device's SIM card, so as to prevent the information from being maliciously modified or copied and thereby safeguard network security.
Optionally, to protect the information of the network slice corresponding to the application, the terminal device may, in addition to storing that information, also store the public key information corresponding to the application, so as to secure the storage of the network slice information on the terminal device side and effectively prevent it from being maliciously modified or copied, thereby safeguarding network security.
Optionally, the embodiments of the present application further provide an application processing method. FIG. 5 is a fourth flowchart of an application processing method according to an embodiment of the present application. As shown in FIG. 5, the application processing method may include:
S501. The terminal device searches a preset root certificate area for the root certificate corresponding to the certificate to be verified, according to the information of the certificate to be verified.
The certificate to be verified may be a certificate from the providing device of the application.
For example, the information of the certificate to be verified may include a root certificate identifier. The terminal device may look up the root certificate corresponding to that identifier in the preset root certificate area. The preset root certificate area may store at least one root certificate, each with a corresponding root certificate identifier.
S502. The terminal device determines, according to the root certificate, whether the certificate to be verified is a certificate issued by the certificate issuing device, to obtain the verification result of the certificate to be verified.
For example, the terminal device may determine whether the information of the root certificate and the information of the certificate to be verified contain the same information. If they do, the terminal device may determine that the certificate to be verified is a certificate issued by the certificate issuing device, and the legitimacy check of the certificate to be verified passes. Conversely, if they do not, the terminal device may determine that the certificate to be verified is not a certificate issued by the certificate issuing device, and the legitimacy check fails.
Compared with the application processing methods described in any of FIG. 2 to FIG. 4, in this method the certificate verification can be performed by the terminal device itself.
In the application processing method provided by the embodiments of the present application, the terminal device may determine the root certificate identifier corresponding to the certificate to be verified of the application, look up the root certificate corresponding to that identifier in the preset root certificate area, and then check the legitimacy of the certificate to be verified against the root certificate. Because the terminal device can verify the application's certificate itself, this method effectively prevents an illegitimate application running on a legitimate terminal device from using a network slice through that terminal device to access the network, and so safeguards the security of network use.
Optionally, before the terminal device searches the preset root certificate area for the root certificate corresponding to the certificate to be verified in S501 described above, the method may further include:
The terminal device receives the installation package of the application from the providing device of the application; the installation package includes the installation file of the application, the information of the certificate to be verified and the information of the network slice corresponding to the application.
Optionally, if the certificate to be verified is a certificate issued by the certificate issuing device, the method may further include:
The terminal device stores the information of the network slice corresponding to the application.
That is, in the method provided by the embodiments of the present application, the terminal device can receive the information of the network slice corresponding to the application from the providing device of the application at the same time as it receives the installation file and the information of the certificate to be verified, and the terminal device can verify the application's certificate itself without sending a request to the network device to obtain the information of the network slice corresponding to the application.
Although the terminal device may receive the information of the network slice corresponding to the application from the providing device of the application, it stores that information only when it has determined that the certificate to be verified is a certificate issued by the certificate issuing device. If the certificate to be verified is not a certificate issued by the certificate issuing device, the terminal device may discard the installation package of the application.
It should be noted that the terminal device may further receive the signature file of the application sent by the application providing device, in order to perform an integrity check on the installation file. The implementation of this integrity check is similar to that described above and is not repeated here. The descriptions of the certificate to be verified, the signature file and the information of the network slice corresponding to the application may likewise be similar to those above and are not repeated here.
本申请实施例还提供一种应用处理方法。图6为本申请实施例提供的一种应用处理方法的流程图五。如图6所示,该应用处理方法可包括:The embodiment of the present application further provides an application processing method. FIG. 6 is a flowchart 5 of an application processing method according to an embodiment of the present disclosure. As shown in FIG. 6, the application processing method may include:
S601、应用提供设备向运营商设备发送应用证书请求。S601. The application providing device sends an application certificate request to the operator device.
相应的,运营商设备从应用提供设备接收该应用证书请求。Correspondingly, the operator device receives the application certificate request from the application providing device.
S602、运营商设备收到应用证书请求后,向应用提供设备发送颁发证书。S602. After receiving the application certificate request, the operator equipment sends the issuing certificate to the application providing device.
相应的,应用提供设备从运营商设备接收该颁发证书。Correspondingly, the application providing device receives the issuance certificate from the operator device.
该颁发证书的信息包括:该颁发证书的秘钥对、该颁发证书的签名算法、该颁发证书的哈希算法、该颁发证书的指纹算法、该颁发证书的颁发者标识及该应用提供设备的标识、该颁发证书的有效期以及证书规范信息。其中,该秘钥对包括:私钥和公钥。The information for issuing the certificate includes: a secret key pair of the issued certificate, a signature algorithm of the issued certificate, a hash algorithm of the issued certificate, a fingerprint algorithm of the issued certificate, an issuer identifier of the issued certificate, and an application providing device Identification, validity period of the issued certificate, and certificate specification information. The key pair includes: a private key and a public key.
S603、应用提供设备根据该签名算法对应用的安装文件进行处理,得到该安装文件的签名数据,并根据该哈希算法对该签名数据进行处理得到该签名数据的哈希值,并根据该私钥采用该指纹算法对该签名数据的哈希值进行加密得到该应用的签名文件。 S603. The application providing device processes the installation file of the application according to the signature algorithm, obtains signature data of the installation file, and processes the signature data according to the hash algorithm to obtain a hash value of the signature data, and according to the private The key uses the fingerprint algorithm to encrypt the hash value of the signature data to obtain a signature file of the application.
其中,该应用的安装文件可以为预先存储在该应用提供设备的安装文件,该应用提供设备上的安装文件可以为该应用的开发人员所上传的安装文件。The installation file of the application may be an installation file pre-stored in the application providing device, and the application file provided on the device may be an installation file uploaded by a developer of the application.
S604、应用提供设备向终端设备发送该应用的签名文件、该安装文件和待校验证书的信息,该待校验证书的信息包括该颁发证书的信息的部分信息。S604. The application providing device sends, to the terminal device, the signature file of the application, the installation file, and the information of the certificate to be verified, where the information of the certificate to be verified includes part of the information of the certificate.
该待校验证书的信息包括:该公钥、该签名算法、该哈希算法、该指纹算法、该有效期、该颁发者标识及该应用提供设备的标识以及证书规范的其他内容等信息。The information of the certificate to be verified includes: the public key, the signature algorithm, the hash algorithm, the fingerprint algorithm, the validity period, the issuer identifier, the identifier of the application providing device, and other contents of the certificate specification.
S605. Using the public key, the terminal device decrypts the signature file with the fingerprint algorithm to obtain the hash value of signature data A.
S606. The terminal device processes the installation file according to the signature algorithm to obtain signature data B, and processes signature data B according to the hash algorithm to obtain the hash value of signature data B.
S607. The terminal device compares whether the hash value of signature data A and the hash value of signature data B are the same.
S608. If the hash value of signature data A and the hash value of signature data B are the same, the terminal device determines that the installation file passes the integrity check and starts installing the application from the installation file.
If the hash value of signature data A and the hash value of signature data B differ, the terminal device determines that the integrity check of the installation file fails.
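The integrity check of S605 to S608, written out as an added example that is not part of the patent. A textbook RSA operation on two Mersenne primes stands in for the "fingerprint algorithm" so the block runs with the standard library alone; the key, the file contents and the `signature_data` transform (the patent leaves that transform abstract) are constructed for the demonstration, and a real deployment would use a certificate-backed key with proper signature padding from a vetted library. What the example adds to the text is the fail-closed handling of malformed signatures and the constant-time comparison of the two hash values.

```python
"""Terminal-side integrity check (S605-S608), added illustration.

All key material and data below are constructed demo values, not the
patent's and not anyone's real certificate.
"""
import hashlib
import hmac

# Toy RSA modulus from two Mersenne primes: big enough (> 2**256) to carry a
# SHA-256 digest, but NOT a secure key; it only makes the demo self-contained.
_P = 2**127 - 1
_Q = 2**521 - 1
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
_SIG_LEN = (_N.bit_length() + 7) // 8

# "Information of the certificate to be verified" as the text lists it:
# the public key plus the algorithm identifiers the terminal must repeat.
CERT_INFO = {
    "public_key": (_N, _E),
    "signature_algorithm": "raw",        # how signature data is derived from the file
    "hash_algorithm": "sha256",
    "fingerprint_algorithm": "rsa-textbook",
}


def signature_data(install_file: bytes, signature_algorithm: str) -> bytes:
    """First half of S606: derive signature data B from the installation file.
    'raw' (an assumption) takes the whole file as the signed data."""
    if signature_algorithm != "raw":
        raise ValueError("unsupported signature algorithm")
    return install_file


def digest(data: bytes, hash_algorithm: str) -> bytes:
    return hashlib.new(hash_algorithm, data).digest()


def provider_sign(install_file: bytes, private_key) -> bytes:
    """Application-provider side (constructed): hash the signature data and
    apply the private exponent to the digest to produce the signature file."""
    n, d = private_key
    h = int.from_bytes(digest(signature_data(install_file, "raw"), "sha256"), "big")
    return pow(h, d, n).to_bytes(_SIG_LEN, "big")


def recover_hash_a(signature_file: bytes, cert_info: dict) -> bytes:
    """S605: apply the public key to the signature file to recover hash A.
    Raises on any malformed input so the caller can fail closed."""
    if cert_info["fingerprint_algorithm"] != "rsa-textbook":
        raise ValueError("unsupported fingerprint algorithm")
    n, e = cert_info["public_key"]
    s = int.from_bytes(signature_file, "big")
    if s >= n:
        raise ValueError("signature value out of range for the modulus")
    size = hashlib.new(cert_info["hash_algorithm"]).digest_size
    return pow(s, e, n).to_bytes(size, "big")   # OverflowError if it is not a digest


def verify_install_file(install_file: bytes, signature_file: bytes, cert_info: dict) -> bool:
    """S605-S608: recompute hash B from the file and compare it with hash A.
    Any malformed signature counts as failure; the comparison is constant-time."""
    try:
        hash_a = recover_hash_a(signature_file, cert_info)
    except (ValueError, OverflowError):
        return False
    data_b = signature_data(install_file, cert_info["signature_algorithm"])
    hash_b = digest(data_b, cert_info["hash_algorithm"])
    return hmac.compare_digest(hash_a, hash_b)


def demo():
    """Returns (genuine file verifies, tampered file verifies, tampered signature verifies)."""
    install_file = b"PK\x03\x04 constructed installation file contents"
    sig = provider_sign(install_file, (_N, _D))
    bad_sig = bytes([sig[0] ^ 0x01]) + sig[1:]
    return (
        verify_install_file(install_file, sig, CERT_INFO),
        verify_install_file(install_file + b"x", sig, CERT_INFO),
        verify_install_file(install_file, bad_sig, CERT_INFO),
    )


if __name__ == "__main__":
    print(demo())
```

The terminal never trusts the signature file to be well formed: a value that is not below the modulus, or whose recovered integer does not fit a digest, is rejected before any comparison, and `hmac.compare_digest` avoids leaking how many leading bytes of the two hashes matched.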
S609. When the terminal device determines that the application has a network slice access requirement, it sends a verification request to the operator device; the verification request includes the identifier of the application, the identifier of the terminal device and the information of the certificate to be verified.
For example, the terminal device may determine that the application has a network slice access requirement when it determines that the application needs to use a network slice to access the corresponding network. The terminal device may send the verification request to the operator device during installation of the application, or during startup of the application.
S610. The operator device determines the root certificate according to the information of the certificate to be verified, and determines, according to the root certificate and the information of the certificate to be verified, whether the certificate to be verified is a certificate issued by the operator device.
For example, the way the operator device determines the root certificate in S610 is similar to S202 above; refer to the description above for the specific implementation, which is not repeated here.
The way the operator device determines in S610, according to the root certificate and the information of the certificate to be verified, whether the certificate to be verified is a certificate issued by the operator device is similar to S203 above; refer to the description above for the specific implementation, which is not repeated here.
S611. The operator device determines, according to the identifier of the application and the information of the certificate to be verified, whether the certificate to be verified is a certificate issued by the operator device to the application providing device.
S612. The operator device determines the network slices subscribed by the terminal device according to the identifier of the terminal device, and determines the information of the network slice corresponding to the application according to the identifier of the application.
S613. The operator device determines, according to the information of the network slices subscribed by the terminal device and the information of the network slice corresponding to the application, whether the network slice corresponding to the application lies within the network slices subscribed by the terminal device.
It should be noted that this application does not limit the execution order of S611, S612 and S613; they may be executed simultaneously or one after another.
S614. If the certificate to be verified is a certificate issued by the operator device, is a certificate issued to the application providing device, and the network slice corresponding to the application lies within the network slices subscribed by the terminal device, the operator device sends a verification response to the terminal device; the verification response includes a verification success indication for the certificate to be verified and the information of the network slice corresponding to the application.
S615. According to the verification success indication for the certificate to be verified, the terminal device determines that the certificate to be verified has passed verification and stores the information of the network slice corresponding to the application.
For example, if the terminal device sent the verification request to the operator device during installation of the application and determines that the certificate to be verified has passed verification, it may continue installing the application from the installation file.
If the terminal device sent the verification request to the operator device during startup of the application and determines that the certificate to be verified has passed verification, it may access the network through the network slice corresponding to the application.
S616. If the certificate to be verified is not a certificate issued by the operator device, is not a certificate issued by the operator device to the application providing device, or the network slice corresponding to the application does not lie within the network slices subscribed by the terminal device, the operator device sends a verification response to the terminal device; the verification response includes a verification failure indication for the certificate to be verified.
S617. According to the verification failure indication for the certificate to be verified, the terminal device determines that verification of the certificate to be verified has failed.
For example, if the terminal device sent the verification request to the operator device during installation of the application and determines that verification of the certificate to be verified has failed, it also needs to stop installing the application.
If the terminal device sent the verification request to the operator device during startup of the application and determines that verification of the certificate to be verified has failed, it may also stop launching the application.
With this application processing method, when the certificate to be verified is a certificate issued by the operator device, is a certificate issued to the application providing device, and the network slice corresponding to the application lies within the network slices subscribed by the terminal device, the terminal device stores the information of the network slice corresponding to the application, so that it can access the network according to that information and meet the service requirements of the application. Conversely, when the certificate to be verified is not a certificate issued by the operator device, is not a certificate issued by the operator device to the application providing device, or the network slice corresponding to the application does not lie within the network slices subscribed by the terminal device, installation of the application is stopped. This effectively prevents illegitimate applications from being installed or started, and so reduces the risk of a network slice being accessed or attacked by a malicious application and improves network security.
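The operator-side checks of S610 to S616 and the terminal's handling of the response in S615 and S617, as an added example that is not part of the patent. The registries inside `OperatorDevice` (root certificates keyed by issuer identifier with the fingerprints they issued, the application-to-provider mapping, the application-to-slice mapping and the terminal subscriptions) are constructed assumptions that stand in for the operator's certificate store and subscription database; the S202/S203 root-certificate procedure the text refers to is not in this section, so "issued by the operator" is modelled here as a fingerprint the selected root is recorded as having issued, within its validity period. All identifiers are made up.

```python
"""Operator-side verification (S610-S616) and terminal handling (S615/S617).

Added illustration with constructed registries; none of the identifiers or
lookups below come from the patent or from any real operator.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class CertInfo:
    """Subset of 'information of the certificate to be verified' (constructed)."""
    issuer_id: str       # selects the root certificate (S610)
    subject_id: str      # identifier of the application providing device
    fingerprint: str     # constructed token; a real fingerprint hashes the DER certificate
    not_before: int
    not_after: int


@dataclass(frozen=True)
class SliceInfo:
    """Network slice information returned on success (fields as listed in the text)."""
    slice_id: str
    service_type: str
    usage_type: str
    valid_until: int
    cert_check_interval_s: int   # "certificate verification frequency"


@dataclass(frozen=True)
class VerificationRequest:
    app_id: str
    terminal_id: str
    cert: CertInfo


@dataclass(frozen=True)
class VerificationResponse:
    success: bool
    slice_info: Optional[SliceInfo] = None


class OperatorDevice:
    def __init__(self, now: int) -> None:
        self.now = now
        # root certificate id -> fingerprints of certificates that root issued (assumption)
        self.roots: Dict[str, Set[str]] = {"op-root-1": {"fp-provider-a", "fp-provider-b"}}
        # app id -> providing device the certificate must have been issued to (S611)
        self.app_provider = {"app.video": "provider-a", "app.iot": "provider-b"}
        # app id -> slice information (S612)
        self.app_slice = {
            "app.video": SliceInfo("slice-embb", "video", "consumer", 1_900_000_000, 86400),
            "app.iot": SliceInfo("slice-mmtc", "telemetry", "sensor", 1_900_000_000, 3600),
        }
        # terminal id -> subscribed slice ids (S612)
        self.subscriptions: Dict[str, Set[str]] = {"imsi-001": {"slice-embb"}, "imsi-002": {"slice-mmtc"}}

    def issued_by_operator(self, cert: CertInfo) -> bool:
        """S610: pick the root by issuer id and check the certificate against it."""
        issued = self.roots.get(cert.issuer_id)
        if issued is None or cert.fingerprint not in issued:
            return False
        return cert.not_before <= self.now <= cert.not_after

    def issued_to_app_provider(self, app_id: str, cert: CertInfo) -> bool:
        """S611: the certificate subject must be the provider registered for the app."""
        return self.app_provider.get(app_id) == cert.subject_id

    def slice_within_subscription(self, app_id: str, terminal_id: str) -> Optional[SliceInfo]:
        """S612/S613: the app's slice, only if the terminal subscribes to it."""
        info = self.app_slice.get(app_id)
        if info is None or info.slice_id not in self.subscriptions.get(terminal_id, set()):
            return None
        return info

    def verify(self, req: VerificationRequest) -> VerificationResponse:
        """S614/S616: all three conditions must hold, otherwise a failure indication."""
        info = self.slice_within_subscription(req.app_id, req.terminal_id)
        ok = (self.issued_by_operator(req.cert)
              and self.issued_to_app_provider(req.app_id, req.cert)
              and info is not None)
        return VerificationResponse(True, info) if ok else VerificationResponse(False)


class TerminalDevice:
    """S615/S617: act on the response according to when the request was sent."""

    def __init__(self) -> None:
        self.slice_store: Dict[str, SliceInfo] = {}

    def handle_response(self, app_id: str, phase: str, resp: VerificationResponse) -> str:
        if resp.success and resp.slice_info is not None:
            self.slice_store[app_id] = resp.slice_info       # S615: store slice information
            return "continue-install" if phase == "install" else "access-slice"
        return "stop-install" if phase == "install" else "stop-startup"   # S617
```

The operator evaluates every condition regardless of the others' outcome, so the failure response carries no hint of which check failed; the terminal's decision depends only on the success indication and on whether the request was sent during installation or startup.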
An embodiment of this application further provides a network device. FIG. 7 is a first schematic structural diagram of a network device according to an embodiment of this application. As shown in FIG. 7, the network device 700 includes:
a receiving module 701, configured to receive a verification request from a terminal device, where the verification request includes the information of a certificate to be verified, and the certificate to be verified is a certificate from the providing device of an application;
a processing module 702, configured to determine a root certificate according to the information of the certificate to be verified, and to judge whether the information of the certificate to be verified satisfies a preset condition, so as to obtain a verification result for the certificate to be verified; and
a sending module 703, configured to send a verification response to the terminal device, where the verification response includes the verification result for the certificate to be verified.
The processing module 702 is specifically configured to determine, according to the root certificate and the information of the certificate to be verified, whether the certificate to be verified is a certificate issued by the certificate issuing device.
In one implementation, the verification request further includes an application identifier.
The processing module 702 is further configured to determine, according to the application identifier and the information of the certificate to be verified, whether the certificate to be verified is a certificate issued to the providing device of the application.
In another implementation, the verification request may further include the identifier of the terminal device.
The processing module 702 is further configured to determine the information of the network slice corresponding to the application according to the application identifier; determine the information of the network slices subscribed by the terminal device according to the identifier of the terminal device; and determine, according to the information of the network slices subscribed by the terminal device and the information of the network slice corresponding to the application, whether the network slice corresponding to the application lies within the network slices subscribed by the terminal device.
In yet another implementation, if the certificate to be verified satisfies the preset condition, the verification response further includes the information of the network slice corresponding to the application, where the preset condition may include: the certificate to be verified is a certificate issued by the certificate issuing device, it is a certificate issued to the providing device of the application, and the network slice corresponding to the application lies within the network slices subscribed by the terminal device.
In yet another implementation, the information of the network slice corresponding to the application may include at least one of: the identifier of the network slice, the service type corresponding to the network slice, the usage type corresponding to the network slice, the validity period information of the network slice, and the certificate verification frequency information corresponding to the network slice.
In yet another implementation, the receiving module 701 is specifically configured to receive the verification request from the terminal device during installation of the application or during startup of the application.
In yet another implementation, the information of the certificate to be verified may include at least one of: the public key of the certificate to be verified, its signature algorithm, its hash algorithm, its fingerprint algorithm, its validity period, its issuer identifier, and the identifier of the object to which it was issued.
The network device provided by this embodiment can perform the application processing method performed by the network device in any of FIG. 2, FIG. 3, FIG. 4 and FIG. 6 above; refer to the description above for the specific implementation process and beneficial effects, which are not repeated here.
An embodiment of this application further provides a terminal device. FIG. 8 is a first schematic structural diagram of a terminal device according to an embodiment of this application. As shown in FIG. 8, the terminal device 800 includes:
a sending module 801, configured to send a verification request to a network device, where the verification request includes the information of a certificate to be verified, the certificate to be verified is a certificate from the providing device of an application, and the information of the certificate to be verified is used for verifying that certificate; and
a receiving module 802, configured to receive a verification response from the network device, where the verification response includes the verification result for the certificate to be verified.
In one implementation, the verification request may further include an application identifier, which is used to determine whether the certificate to be verified is a certificate issued by the certificate issuing device to the application providing device.
In another implementation, the application identifier is further used for determining the information of the network slice corresponding to the application;
the verification request may further include the identifier of the terminal device, which is used for determining the network slices subscribed by the terminal device.
In yet another implementation, if the certificate to be verified satisfies a preset condition, the verification response further includes the information of the network slice corresponding to the application, where the preset condition includes: the certificate to be verified is a certificate issued by the certificate issuing device, it is a certificate issued to the providing device of the application, and the network slice corresponding to the application lies within the network slices subscribed by the terminal device;
the terminal device 800 further includes:
a storage module, configured to store the information of the network slice corresponding to the application.
In yet another implementation, the information of the network slice corresponding to the application includes at least one of: the identifier of the network slice, the service type corresponding to the network slice, the type of terminal device that uses the network slice, the validity period information of the network slice, and the certificate verification frequency information corresponding to the network slice.
In yet another implementation, the sending module 801 is specifically configured to send the verification request to the network device during installation of the application or during startup of the application.
In yet another implementation, the information of the certificate to be verified may include at least one of: the public key of the certificate to be verified, its signature algorithm, its hash algorithm, its fingerprint algorithm, its validity period, its issuer identifier, and the identifier of the object to which it was issued.
The terminal device provided by this embodiment can perform the application processing method performed by the terminal device in any of FIG. 2, FIG. 3, FIG. 4 and FIG. 6 above; refer to the description above for the specific implementation process and beneficial effects, which are not repeated here.
An embodiment of this application further provides a terminal device. FIG. 9 is a second schematic structural diagram of a terminal device according to an embodiment of this application. As shown in FIG. 9, the terminal device 900 includes:
a processing module 901, configured to look up, according to the information of a certificate to be verified, the information of the root certificate corresponding to that certificate in a preset root certificate area, where the certificate to be verified is a certificate from the providing device of an application; and to determine, according to the root certificate and the information of the certificate to be verified, whether the certificate to be verified is a certificate issued by the certificate issuing device, so as to obtain a verification result for the certificate to be verified.
In one implementation, the terminal device 900 further includes:
a receiving module, configured to receive the installation package of the application from the providing device of the application, where the installation package includes the installation file of the application, the information of the certificate to be verified and the information of the network slice corresponding to the application.
In another implementation, if the certificate to be verified is a certificate issued by the certificate issuing device, the terminal device 900 further includes:
a storage module, configured to store the information of the network slice corresponding to the application.
The terminal device provided by this embodiment can perform the application processing method performed by the terminal device in FIG. 5 above; refer to the description above for the specific implementation process and beneficial effects, which are not repeated here.
An embodiment of this application further provides a network device. FIG. 10 is a second schematic structural diagram of a network device according to an embodiment of this application. As shown in FIG. 10, the network device 1000 includes a receiver 1001, a processor 1002 and a transmitter 1003, where the receiver 1001 is connected to the processor 1002 and the processor 1002 is connected to the transmitter 1003.
The receiver 1001 is configured to receive a verification request from a terminal device, where the verification request includes the information of a certificate to be verified, and the certificate to be verified is a certificate from the providing device of an application.
The processor 1002 is configured to determine a root certificate according to the information of the certificate to be verified, and to judge whether the information of the certificate to be verified satisfies a preset condition, so as to obtain a verification result for the certificate to be verified.
The transmitter 1003 is configured to send a verification response to the terminal device, where the verification response includes the verification result for the certificate to be verified.
The processor 1002 is specifically configured to determine, according to the root certificate and the information of the certificate to be verified, whether the certificate to be verified is a certificate issued by the certificate issuing device.
In one implementation, the verification request further includes an application identifier;
the processor 1002 is further configured to determine, according to the application identifier and the information of the certificate to be verified, whether the certificate to be verified is a certificate issued to the providing device of the application.
In another implementation, the verification request may further include the identifier of the terminal device;
the processor 1002 is further configured to determine the information of the network slice corresponding to the application according to the application identifier; determine the information of the network slices subscribed by the terminal device according to the identifier of the terminal device; and determine, according to the information of the network slices subscribed by the terminal device and the information of the network slice corresponding to the application, whether the network slice corresponding to the application lies within the network slices subscribed by the terminal device.
In yet another implementation, if the certificate to be verified satisfies the preset condition, the verification response further includes the information of the network slice corresponding to the application, where the preset condition includes: the certificate to be verified is a certificate issued by the certificate issuing device, it is a certificate issued to the providing device of the application, and the network slice corresponding to the application lies within the network slices subscribed by the terminal device.
In yet another implementation, the information of the network slice corresponding to the application includes at least one of: the identifier of the network slice, the service type corresponding to the network slice, the usage type corresponding to the network slice, the validity period information of the network slice, and the certificate verification frequency information corresponding to the network slice.
In yet another implementation, the receiver 1001 is specifically configured to receive the verification request from the terminal device during installation of the application or during startup of the application.
In yet another implementation, the information of the certificate to be verified includes at least one of: the public key of the certificate to be verified, its signature algorithm, its hash algorithm, its fingerprint algorithm, its validity period, its issuer identifier, and the identifier of the object to which it was issued.
Optionally, an embodiment of this application further provides a computer program product. FIG. 11 is a first schematic structural diagram of a computer program product according to an embodiment of this application. As shown in FIG. 11, the computer program product 1100 may include program code 1101.
The program code 1101 may be program code corresponding to the application processing method performed by the network device in any of FIG. 2, FIG. 3, FIG. 4 and FIG. 6 of the embodiments of this application.
The program code 1101 in the computer program product 1100 may, for example, be executed by the processor 1002 in the network device 1000 shown in FIG. 10.
Optionally, an embodiment of this application further provides a storage medium. FIG. 12 is a first schematic structural diagram of a storage medium according to an embodiment of this application. As shown in FIG. 12, the storage medium 1200 may be used to store a computer program product 1201, and the computer program product 1201 may include program code 1202.
The program code 1202 may be program code corresponding to the application processing method performed by the network device in any of FIG. 2, FIG. 3, FIG. 4 and FIG. 6 of the embodiments of this application.
The storage medium 1200 may be an internal memory of the network device 1000 shown in FIG. 10, or an external memory connected to the network device 1000 shown in FIG. 10. The program code 1202 in the computer program product 1201 may, for example, be executed by the processor 1002 in the network device 1000 shown in FIG. 10.
The network device, computer program product and storage medium provided by the embodiments of this application can all perform the application processing method performed by the network device in any of FIG. 2, FIG. 3, FIG. 4 and FIG. 6 above; refer to the description above for the specific implementation process and beneficial effects, which are not repeated here.
An embodiment of this application further provides a terminal device. FIG. 13 is a third schematic structural diagram of a terminal device according to an embodiment of this application. As shown in FIG. 13, the terminal device 1300 may include a transmitter 1301 and a receiver 1302.
The transmitter 1301 is configured to send a verification request to a network device, where the verification request includes the information of a certificate to be verified, the certificate to be verified is a certificate from the providing device of an application, and the information of the certificate to be verified is used for verifying that certificate.
The receiver 1302 is configured to receive a verification response from the network device, where the verification response includes the verification result for the certificate to be verified.
In one implementation, the verification request further includes an application identifier, which is used to determine whether the certificate to be verified is a certificate issued by the certificate issuing device to the application providing device.
In another implementation, the application identifier is further used for determining the information of the network slice corresponding to the application.
The verification request further includes the identifier of the terminal device, which is used for determining the network slices subscribed by the terminal device.
In yet another implementation, if the certificate to be verified satisfies a preset condition, the verification response further includes the information of the network slice corresponding to the application, where the preset condition includes: the certificate to be verified is a certificate issued by the certificate issuing device, it is a certificate issued to the providing device of the application, and the network slice corresponding to the application lies within the network slices subscribed by the terminal device.
The terminal device 1300 further includes a processor and a memory; the processor is connected to the memory and is also connected to the receiver;
the processor is configured to store the information of the network slice corresponding to the application in the memory.
In yet another implementation, the information of the network slice corresponding to the application includes at least one of: the identifier of the network slice, the service type corresponding to the network slice, the type of terminal device that uses the network slice, the validity period information of the network slice, and the certificate verification frequency information corresponding to the network slice.
In yet another implementation, the transmitter 1301 is specifically configured to send the verification request to the network device during installation of the application or during startup of the application.
In yet another implementation, the information of the certificate to be verified includes at least one of: the public key of the certificate to be verified, its signature algorithm, its hash algorithm, its fingerprint algorithm, its validity period, its issuer identifier, and the identifier of the object to which it was issued.
Optionally, an embodiment of this application further provides a computer program product. FIG. 14 is a second schematic structural diagram of a computer program product according to an embodiment of this application. As shown in FIG. 14, the computer program product 1400 may include program code 1401.
The program code 1401 may be program code corresponding to the application processing method performed by the terminal device in any of FIG. 2, FIG. 3, FIG. 4 and FIG. 6 of the embodiments of this application.
The program code 1401 in the computer program product 1400 may, for example, be executed by the processor in the terminal device 1300 shown in FIG. 13.
Optionally, an embodiment of this application further provides a storage medium. FIG. 15 is a second schematic structural diagram of a storage medium according to an embodiment of this application. As shown in FIG. 15, the storage medium 1500 may be used to store a computer program product 1501, and the computer program product 1501 may include program code 1502.
The program code 1502 may be program code corresponding to the application processing method performed by the terminal device in any of FIG. 2, FIG. 3, FIG. 4 and FIG. 6 of the embodiments of this application.
The storage medium 1500 may be an internal memory of the terminal device 1300 shown in FIG. 13, or an external memory connected to the terminal device 1300 shown in FIG. 13. The program code 1502 in the computer program product 1501 may, for example, be executed by the processor in the terminal device 1300 shown in FIG. 13.
The terminal device, computer program product and storage medium provided by the embodiments of this application can all perform the application processing method performed by the terminal device in any of FIG. 2, FIG. 3, FIG. 4 and FIG. 6 above; refer to the description above for the specific implementation process and beneficial effects, which are not repeated here.
An embodiment of this application further provides a terminal device. FIG. 16 is a fourth schematic structural diagram of a terminal device according to an embodiment of this application. As shown in FIG. 16, the terminal device 1600 may include a processor 1601.
The processor 1601 is configured to look up, according to the information of a certificate to be verified, the information of the root certificate corresponding to that certificate in a preset root certificate area, where the certificate to be verified is a certificate from the providing device of an application; and to determine, according to the root certificate and the information of the certificate to be verified, whether the certificate to be verified is a certificate issued by the certificate issuing device, so as to obtain a verification result for the certificate to be verified.
In one implementation, the terminal device 1600 further includes a receiver, which is connected to the processor 1601.
The receiver is configured to receive the installation package of the application from the providing device of the application, where the installation package includes the installation file of the application, the information of the certificate to be verified and the information of the network slice corresponding to the application.
In another implementation, the terminal device further includes a memory, and the processor 1601 is connected to the memory;
the processor is configured to store the information of the network slice corresponding to the application in the memory if the certificate to be verified is a certificate issued by the certificate issuing device.
Optionally, an embodiment of this application further provides a computer program product. FIG. 17 is a third schematic structural diagram of a computer program product according to an embodiment of this application. As shown in FIG. 17, the computer program product 1700 may include program code 1701.
The program code 1701 may be program code corresponding to the application processing method performed by the terminal device in FIG. 5 of the embodiments of this application.
The program code 1701 in the computer program product 1700 may, for example, be executed by the processor 1601 in the terminal device 1600 shown in FIG. 16.
Optionally, an embodiment of this application further provides a storage medium. FIG. 18 is a third schematic structural diagram of a storage medium according to an embodiment of this application. As shown in FIG. 18, the storage medium 1800 may be used to store a computer program product 1801, and the computer program product 1801 may include program code 1802.
The program code 1802 may be program code corresponding to the application processing method performed by the terminal device in FIG. 5 of the embodiments of this application.
The storage medium 1800 may be an internal memory of the terminal device 1600 shown in FIG. 16, or an external memory connected to the terminal device 1600 shown in FIG. 16. The program code 1802 in the computer program product 1801 may, for example, be executed by the processor 1601 in the terminal device 1600 shown in FIG. 16.
The terminal device, computer program product and storage medium provided by the embodiments of this application can all perform the application processing method performed by the terminal device in FIG. 5 above; refer to the description above for the specific implementation process and beneficial effects, which are not repeated here.
A person of ordinary skill in the art can understand that all or part of the steps of the method embodiments above may be carried out by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments above; the storage medium includes any medium that can store program code, such as ROM, RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the embodiments above merely illustrate the technical solutions of this application and do not limit them. Although this application has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions described in those embodiments may still be modified, or some or all of their technical features replaced by equivalents, without the essence of the corresponding technical solution departing from the scope of the technical solutions of the embodiments of this application.
Claims (30)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/CN2016/112195 WO2018119608A1 (en) | 2016-12-26 | 2016-12-26 | Application processing method, network device and terminal device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/CN2016/112195 WO2018119608A1 (en) | 2016-12-26 | 2016-12-26 | Application processing method, network device and terminal device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2018119608A1 true WO2018119608A1 (en) | 2018-07-05 |
Family
ID=62707758
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2016/112195 Ceased WO2018119608A1 (en) | 2016-12-26 | 2016-12-26 | Application processing method, network device and terminal device |
Country Status (1)
| Country | Link |
|---|---|
| WO (1) | WO2018119608A1 (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113852483A (en) * | 2020-06-28 | 2021-12-28 | 中兴通讯股份有限公司 | Network slice connection management method, terminal and computer readable storage medium |
| CN113938389A (en) * | 2021-09-30 | 2022-01-14 | 天翼物联科技有限公司 | Slicing network configuration method, system, device and storage medium |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102340398A (en) * | 2010-07-27 | 2012-02-01 | 中国移动通信有限公司 | Security Policy Setting, Confirmation Method, Application Program Execution Operation Method and Device |
| US20140259003A1 (en) * | 2013-03-07 | 2014-09-11 | Go Daddy Operating Company, LLC | Method for trusted application deployment |
| CN105743910A (en) * | 2016-03-30 | 2016-07-06 | 福建联迪商用设备有限公司 | Method and system for installing programs through digital signatures |
| CN105787357A (en) * | 2016-03-28 | 2016-07-20 | 福建联迪商用设备有限公司 | APK (Android Package) downloading method and system based on Android system |
| CN106230598A (en) * | 2016-07-29 | 2016-12-14 | 深圳兆日科技股份有限公司 | Mobile terminal third-party application safety certifying method and device |
- 2016-12-26: WO PCT/CN2016/112195, WO2018119608A1 (en), not active (Ceased)
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102340398A (en) * | 2010-07-27 | 2012-02-01 | 中国移动通信有限公司 | Security Policy Setting, Confirmation Method, Application Program Execution Operation Method and Device |
| US20140259003A1 (en) * | 2013-03-07 | 2014-09-11 | Go Daddy Operating Company, LLC | Method for trusted application deployment |
| CN105787357A (en) * | 2016-03-28 | 2016-07-20 | 福建联迪商用设备有限公司 | APK (Android Package) downloading method and system based on Android system |
| CN105743910A (en) * | 2016-03-30 | 2016-07-06 | 福建联迪商用设备有限公司 | Method and system for installing programs through digital signatures |
| CN106230598A (en) * | 2016-07-29 | 2016-12-14 | 深圳兆日科技股份有限公司 | Mobile terminal third-party application safety certifying method and device |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113852483A (en) * | 2020-06-28 | 2021-12-28 | 中兴通讯股份有限公司 | Network slice connection management method, terminal and computer readable storage medium |
| CN113852483B (en) * | 2020-06-28 | 2023-09-05 | 中兴通讯股份有限公司 | Network slice connection management method, terminal and computer readable storage medium |
| US12284513B2 (en) | 2020-06-28 | 2025-04-22 | Zte Corporation | Method for managing network slice connection, terminal and computer-readable storage medium |
| CN113938389A (en) * | 2021-09-30 | 2022-01-14 | 天翼物联科技有限公司 | Slicing network configuration method, system, device and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP6612358B2 (en) | | Method, network access device, application server, and non-volatile computer readable storage medium for causing a network access device to access a wireless network access point |
| CN113966625B (en) | | Technologies used for certificate processing in the core network domain |
| US20220014524A1 (en) | | Secure Communication Using Device-Identity Information Linked To Cloud-Based Certificates |
| CN107770182B (en) | | Data storage method of home gateway and home gateway |
| EP2514169B1 (en) | | System, method, and apparatus for performing reliable network, capability, and service discovery |
| CN102550001B (en) | | User identity management for permitting interworking of a bootstrapping architecture and a shared identity service |
| EP3308499B1 (en) | | Service provider certificate management |
| US9015819B2 (en) | | Method and system for single sign-on |
| EP2398206B1 (en) | | Method of handling a server delegation and related communication device |
| CN104901925A (en) | | End-user identity authentication method, device and system and terminal device |
| CN105450582A (en) | | Business processing method, terminal, server and system |
| US11838755B2 (en) | | Techniques for secure authentication of the controlled devices |
| CN109460647B (en) | | Multi-device secure login method |
| CN107113320B (en) | | Method, related equipment and system for downloading signed file |
| US20220256349A1 (en) | | Provision of Application Level Identity |
| CN104219626A (en) | | Identity authentication method and device |
| WO2016173174A1 (en) | | Network locking data upgrading method and device |
| WO2014169802A1 (en) | | Terminal, network side device, terminal application control method, and system |
| WO2018119608A1 (en) | | Application processing method, network device and terminal device |
| CN109429225A (en) | | Message sink, sending method and device, terminal, network functional entity |
| CN112752265A (en) | | Access control method and device for network slice and storage medium |
| CN117062073A (en) | | Security authentication method, device, computer equipment and storage medium |
| CN111132167B (en) | | Method for 5G user terminal to access 5G network, user terminal equipment and medium |
| CN110351726A (en) | | The method and device of terminal authentication |
| CN101317181A (en) | | Device, computer program product and method for security authentication response in mobile terminal |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 16924998; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 16924998; Country of ref document: EP; Kind code of ref document: A1 |